---
tags:
  - raspberry pi
  - setup
categories:
  - informational
comments: true
---
Configuration changes to make on new Raspberry Pi (Raspbian) systems.
## Disable unused services that are enabled by default

```
systemctl disable hciuart.service
systemctl disable bluealsa.service
systemctl disable bluetooth.service
```

* Add to section `[all]` in /boot/config.txt

```
dtoverlay=disable-bt
```

* The overlay is documented in /boot/overlays/README

```
grep disable-bt /boot/overlays/README
Name:   disable-bt
Load:   dtoverlay=disable-bt
Name:   pi3-disable-bt
Info:   This overlay has been renamed disable-bt, keeping pi3-disable-bt as an
```
## Disable WiFi

* Add to section `[all]` in /boot/config.txt

```
dtoverlay=disable-wifi
```

* The overlay is documented in /boot/overlays/README

```
grep disable-wifi /boot/overlays/README
Name:   disable-wifi
Load:   dtoverlay=disable-wifi
Name:   pi3-disable-wifi
Info:   This overlay has been renamed disable-wifi, keeping pi3-disable-wifi as
```

* Disable and stop avahi

```
systemctl disable avahi-daemon.service
systemctl stop avahi-daemon.service
```

* FIXME: `systemctl disable wpa_supplicant` alone is not enough. Had to move the dhcpcd hook to disable the wpa_supplicant process on reboots:

```
mv /lib/dhcpcd/dhcpcd-hooks/10-wpa_supplicant /root
```
## Ignore recommends/suggests when installing software

* /etc/apt/apt.conf

```
APT::Install-Recommends "0";
APT::Install-Suggests "0";
Dpkg::Options {
    "--force-confdef";
    "--force-confold";
}
```
## System update and upgrade

```
apt update
apt dist-upgrade
```
## sysctl settings

* /etc/sysctl.d/90-vm-disable-oom-killer.conf

```
# Disable OOM killer: no overcommit, allow up to 90% of RAM plus swap
vm.overcommit_memory=2
vm.overcommit_ratio=90
```

* /etc/sysctl.d/90-disable-perf-event.conf

```
# -1: Allow use of (almost) all events by all users
# >=0: Disallow raw tracepoint access by users without CAP_SYS_ADMIN
# >=1: Disallow CPU event access by users without CAP_SYS_ADMIN
# >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
# >=3: Disallow all event access by users without CAP_SYS_ADMIN
#
# https://lwn.net/Articles/696216/
#
kernel.perf_event_paranoid=3
```

* /etc/sysctl.d/90-coredumps-restricted-directory.conf (the directory must exist before a core dump is written)

```
kernel.core_pattern = /var/core/core_%h_%e_%u_%g_%t_%p
```

```
mkdir /var/core
```
## Default profile

```
export EDITOR=vi
set -o vi
export TMOUT=900
readonly TMOUT
```
## /etc/hosts

```
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 nsa02
```
## Install editor

```
apt install vim-nox
```

* vim configuration for root (~/.vimrc)

```
syntax on
```
## Install autoupdates for patch management

```
apt install unattended-upgrades
dpkg-reconfigure unattended-upgrades
```

* Change in /etc/apt/apt.conf.d/50unattended-upgrades: uncomment the updates origin and enable minimal steps and automatic reboot

```
"origin=Debian,codename=${distro_codename}-updates";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Automatic-Reboot "true";
```

```
systemctl status unattended-upgrades
systemctl enable unattended-upgrades
```
## Remove user pi

```
userdel pi
rm -rf /home/pi
```
## Change sudoers to allow users in the sudo group to change role without passwords

* Change in /etc/sudoers (edit with visudo)

```
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
```
## Add password for root user

```
passwd root
```

* Remove passwords from users

```
passwd -d ubuntu
```
* Disable DSA key in sshd and remove DSA keys: comment out in /etc/ssh/sshd_config

```
# HostKey /etc/ssh/ssh_host_dsa_key
```

```
rm /etc/ssh/ssh_host_dsa_key*
```
* Disable deprecated setting and disable forwarding: add/change in /etc/ssh/sshd_config

```
# UsePrivilegeSeparation yes
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding yes
```
* Check sshd configuration

```
/usr/sbin/sshd -t
```
## Network primary - /etc/network/interfaces.d/eth0
* /etc/network/interfaces.d/eth0
```
auto eth0
iface eth0 inet static
address x.x.x.x
netmask 255.255.255.0
gateway x.x.x.x
```
* disable dhcpcd client
```
systemctl disable dhcpcd.service
```
* ntp: set the servers in /etc/systemd/timesyncd.conf and check the service

```
NTP=x.x.x.x y.y.y.y
```

```
systemctl status systemd-timesyncd.service
```
* rng
```
systemctl status rng-tools.service
```
## Monitoring (not done)

* install and enable logcheck? logwatch?
* /etc/motd
## Data partition on USB drive

* Use blkid to find the UUID for the USB drive partition
* Create a single ext4 partition on the USB drive

```
blkid
fdisk /dev/sda
mkfs.ext4 /dev/sda1
```

* Add to /etc/fstab. Example:

```
PARTUUID=7e60cada-01 /data ext4 defaults,noatime,errors=remount-ro 0 2
```

* Move logs, apt cache and postfix spool to the USB drive and symlink them back

```
mkdir /data
# mount the new partition before moving anything onto it
mount /data
mkdir -p /data/var/cache /data/var/spool
mv /var/log /data/var
ln -sf /data/var/log /var/log
mv /var/cache/apt /data/var/cache/
ln -s /data/var/cache/apt /var/cache/
mv /var/spool/postfix /data/var/spool/
ln -s /data/var/spool/postfix /var/spool/
reboot
```
## Disable journal

* Change Storage to 'volatile' and restart

```
grep Storage /etc/systemd/journald.conf
Storage=volatile
systemctl restart systemd-journald.service
```
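To verify that the config.txt overlays, sysctl files, sshd settings and user removal from the sections above actually took, here is an added audit script (not part of the original notes). It takes a root directory so it can also be run against an SD card mounted under /mnt; the file paths are the ones used in the notes.

```shell
#!/bin/sh
# Added audit helpers, not part of the original notes. Each check reads the
# file the notes edit, under a root directory (e.g. / or /mnt for an SD card).

# has_overlay <config.txt> <name>: is "dtoverlay=<name>" active for every
# board? Lines before the first [section] and lines inside [all] are.
has_overlay() {
    awk -v want="dtoverlay=$2" '
        BEGIN { active = 1 }
        /^[ \t]*\[/ { active = ($1 == "[all]") }
        active && $1 == want { found = 1 }
        END { exit !found }' "$1"
}

# sysctl_value <file> <key>: print the effective value of <key> (last
# assignment wins, comments and blank lines ignored); fails if absent.
sysctl_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ || NF < 2 { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k)
          sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v) }
        k == key { val = v; seen = 1 }
        END { if (seen) print val; exit !seen }' "$1"
}

# sshd_option <sshd_config> <keyword>: print the first active value of a
# keyword; sshd takes the first match and keywords are case-insensitive.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { exit !found }' "$1"
}

# audit_pi <root>: print PASS/FAIL per setting from the notes and
# return the number of failures.
audit_pi() {
    root="${1:-/}"; fails=0
    check() { if "$@" >/dev/null 2>&1; then echo "PASS $*"
              else echo "FAIL $*"; fails=$((fails + 1)); fi; }
    check has_overlay "$root/boot/config.txt" disable-bt
    check has_overlay "$root/boot/config.txt" disable-wifi
    check test "$(sysctl_value "$root/etc/sysctl.d/90-vm-disable-oom-killer.conf" vm.overcommit_memory)" = 2
    check test "$(sysctl_value "$root/etc/sysctl.d/90-disable-perf-event.conf" kernel.perf_event_paranoid)" = 3
    check test "$(sshd_option "$root/etc/ssh/sshd_config" GatewayPorts)" = no
    check test ! -e "$root/etc/ssh/ssh_host_dsa_key"
    check test ! -d "$root/home/pi"
    return "$fails"
}
if [ "$#" -gt 0 ]; then audit_pi "$1"; fi
```

Run it as `sh audit.sh /` on the Pi, or `sh audit.sh /mnt` with the SD card's root partition mounted there; the exit status is the number of failed checks.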