Pre-heating the Pi- 7 mins
To host all of the FOSS things, this little Pi is going to be sitting quietly in the corner of the living room for the foreseeable. To do that, we need to tinker with getting the software setup.
The following setup is working well on a Pi 4 well as a foundation for an internal network facing server with an internet connection. Be sure to do a full update, backup and cross your fingers before starting. This is also a good moment to check the settings on your router. Be sure your firewall is switched on. Many would recommend switching off UPnP to make your network a tad bit more secure, however prepare for the potential inconvenience.
Use the 64bit OS
If you haven’t already, go back and install the 64-bit OS variant onto your SD card rather than the 32-bit option. As soon as you need anything machine learning related (i.e. tagging faces in photos), you’ll wish you did.
Change the default username and password
Default usernames and passwords are never, ever a good idea. Here’s how to change your default user credentials if it still exists after setup.
Boot into the command line.
For this project, my preference is to do as much as possible via the command line. Changing a few settings in the boot config will make device launch directly into the command line.
You can always run the command
startx to load the GUI interface.
Disable bluetooth and wifi
You might want to skip this one. For our setup, WiFi and Bluetooth aren’t used and disabling them will reduce power draw by ~45mA. Disabling LAN would save double that, but not having the extra radio waves bouncing around can’t be a bad idea.
In the terminal, run
sudo nano /boot/config.txt
and add the following to the bottom of the file.
##turn on/ off bluetooth dtoverlay=disable-bt ##turn on/off wifi dtoverlay=disable-wifi
While you’re there, you might as well turn off the onboard LEDs.
# Turn off onboard LED's dtparam=act_led_trigger=none dtparam=act_led_activelow=on
Overclock the processor
The processor is going to be idling a lot of the time, but a snappy response would be nice in the heat of the moment. Because the Argon ONE case both actively and passively cools the CPU, a healthy dose of overclocking is achievable.
sudo nano /boot/config
and add the following lines.
#uncomment to overclock the arm. 700 MHz is the default. arm_freq=2000 over_voltage=6
This gives a noticeable 30% boost in peek processing power, without pushing too far and compromising stability. If your Pi is not properly cooled, do not overclock. You can easily brick your device.
Reduce writes to the SD card
SD cards are not designed for the intensity of usage generated by a Raspberry Pi setup. With this configuration intended to run day in and day out, anything above a year’s use from a decent SD card is gifted time. Longer term, the plan is to boot from a small-capacity SSD.
In the meantime, we can reduce the number of writes to the card by logging to RAM rather than directly to the SD card, dumping to disk a few times a day rather than every few seconds.
The instructions are straight forward and available here.
Auto mount the hard drive
By default, external hard drives aren’t automatically mounted when using the Pi OS. Controlling mounting will allow our docker containers (more on that in future posts) to reach our filesystem to find media. Here’s some instructions.
Set a static IP for the Pi
This will make so many things so much easier by allowing you to always find the server at the same IP address. Here’s the instructions.
Setup the Firewall
If your device is connected to the internet, you’ll need a firewall. [UFW] is a straightforward option, but there are plenty of others. Install it via
sudo apt install ufw
Let’s set up our firewall to have sensible, secure defaults to begin with.
sudo ufw default deny incoming sudo ufw default allow outgoing sudo ufw limit ssh sudo ufw allow HTTP sudo ufw allow https sudo ufw logging on
We can then layer application specific rules on top. If you want to access the web, you’ll probably want to allow a couple of ports.
sudo ufw allow 80 sudo ufw allow 443
There is some duplication in the rules above, but UFW will sort that out. Then we can enable the application
sudo ufw enable
We’ll add some more shas we setup other software, but there’s plenty of options to play with in the docs if you want to get ahead of class.
Fail2ban complements UFW almost as an extension of its
limit rules. Fail2Ban “scans log files and bans IPs showing potentially malicious behaviour, e.g. too many password failures, seeking exploits and similar”. It comes with sensible defaults, although I opted to decrease the number of failed attempts before a ban is implemented and increase the length of the ban.
You’ll find the instructions here.
Buried in the Raspberry Pi system config are settings that enhance security at a relatively low level. Switching on this filtering improves the robustness of the Pi to attack and is one of the simplest ways to enhance the network security of the device.
To enable this functionality, open up the `sysctl.conf file:
sudo nano /etc/sysctl.conf
and uncomment the following lines in the file:
net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.all.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.all.accept_source_route = 0 net.ipv6.conf.all.accept_source_route = 0
For the moment, the intention is to keep this as an internal facing service. This means SSH access can be limited to the home network. Edit / create a local ssh config file via:
sudo nano /etc/ssh/sshd_config.d/local_network_only.conf
The separate file to the rest of the config prevents conflicts when upgrading your Pi. If you’re on a fresh installation, it will likely be a new file. Add the following to the file.
# Disable all auth by default PasswordAuthentication no PubkeyAuthentication no # Allow auth from local network Match Address 192.168.1.* PubkeyAuthentication yes PasswordAuthentication yes AllowUsers tony
This disables authentication completely, then re-enabling it for a specific user on the internal network only. Note that the password authentication will get switched off totally once the server is operating as intended.
We should now grant access to SSH to specific IP addresses.
sudo ufw allow from 192.168.1.71 to any port 22
You’ll need to repeat this with any device / app you want to SSH in via, once you’ve enabled SSH.
sudo systemctl enable ssh sudo systemctl start ssh
Terminal is perfectly adequate from a Mac, and Termius is a nice option for Android.
Use a European time server
As a European, I like to get my time from somewhere in Europe. By default, it’s only a tiny transatlantic request, but it does not need to be made. Plus, we get dates right on this side of the pond.
Open up the relevant config file:
sudo nano /etc/systemd/timesyncd.conf
Change (or add) the lines below:
[Time] NTP=0.europe.pool.ntp.org 1.europe.pool.ntp.org 2.europe.pool.ntp.org 3.europe.pool.ntp.org #FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
This post contains affiliate links. If you click one and buy something, Tony may earn a small commission at no cost to you. Think of it as your way of supporting independent publishing. Thank you 🤗