Pre-heating the Pi - Part 2
As is inevitable with any project involving a Raspberry Pi, at some point you need to restart again from fresh. The reason in this case was that I had the wrong OS variant installed... but this didn’t become apparent until the fancy features of the photo library were switched on. Unfortunately, this was the VERY LAST THING for the project. Or so I thought.
During the second setup I added some extra steps into the process. The original post has been updated with the changes below.
Use the 64-bit OS
If you haven’t already, go back and install the 64-bit OS variant onto your SD card rather than the 32-bit option. As soon as you need anything machine learning related (i.e. tagging faces in photos), you’ll wish you did.
Change the default username and password
Default usernames and passwords are never, ever a good idea. Here’s how to change the default user’s credentials if that user still exists.
Update UFW rules
We’ll set up our firewall to have sensible, secure defaults before layering application-specific rules on top.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw limit ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw logging on
Fail2ban complements UFW almost as an extension of its limit rules. Fail2Ban “scans log files and bans IPs showing potentially malicious behaviour, e.g. too many password failures, seeking exploits and similar”. It comes with sensible defaults, although I opted to decrease the number of failed attempts before a ban and increase the length of the ban.
You’ll find the instructions here.
Buried in the Raspberry Pi system config are kernel network settings that enhance security at a relatively low level: reverse-path filtering of packets with spoofed source addresses, and refusing ICMP redirects and source-routed packets. Switching this filtering on improves the robustness of the Pi to attack and is one of the simplest ways to enhance the network security of the device.
To enable this functionality, open up the sysctl conf file:
sudo nano /etc/sysctl.conf
and uncomment the following lines in the file:
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
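A quick way to confirm that all six lines really are uncommented and set as listed, as an added example that is not part of the original post; the function names and the sample file are constructed for illustration:

```shell
# Expected settings, copied from the six lines listed in this post.
EXPECTED='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0'

# Print the effective value of key $1 in file $2. Comment lines (# or ;) are
# skipped, spaces around "=" are ignored, and the last assignment wins.
conf_value() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ { next }
        {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val }' "$2"
}

# Report each expected setting; the exit status is the number not in force.
audit_sysctl_conf() {
    audit_failures=0
    while IFS='=' read -r audit_key audit_want; do
        audit_got=$(conf_value "$audit_key" "$1")
        if [ "$audit_got" = "$audit_want" ]; then
            echo "OK    $audit_key = $audit_got"; continue
        fi
        audit_failures=$((audit_failures + 1))
        echo "FAIL  $audit_key = ${audit_got:-<unset or commented out>} (want $audit_want)"
    done <<EOF
$EXPECTED
EOF
    return "$audit_failures"
}

# Constructed sample: one line left commented, one wrong value, mixed spacing.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
net.ipv4.conf.all.rp_filter=1
#net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route=0
EOF
audit_sysctl_conf "$SAMPLE" || echo "$? setting(s) still need attention"
```

On the Pi, point it at the real file with audit_sysctl_conf /etc/sysctl.conf. The file is only read at boot, so load the changes straight away with sudo sysctl -p.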
Reduce writes to the SD card
SD cards are not designed for the intensity of usage generated by a Raspberry Pi setup. With this configuration intended to run day in and day out, anything above a year’s use from a decent SD card is gifted time. Longer term, the plan is to boot from a small-capacity SSD. In the meantime, we can reduce the number of writes to the card by logging to RAM rather than directly to the SD card, writing out a few times a day rather than every few seconds.
The instructions are straightforward and available here.
European time server
As a European, I like to get my time from somewhere in Europe. By default, it’s only a tiny transatlantic request, but it does not need to be made. Plus, we get dates right on this side of the pond.
Open up the relevant config file:
sudo nano /etc/systemd/timesyncd.conf
Change (or add) the lines below:
[Time]
NTP=0.europe.pool.ntp.org 1.europe.pool.ntp.org 2.europe.pool.ntp.org 3.europe.pool.ntp.org
#FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org