tags: - raspberry pi - setup categories: - informational comments: true

date: 2021-12-25 00:00:00

DESCRIPTION

Configuration changes to make on new raspberry pi - raspbian systems.

ERRORS

VERIFICATION

COMMANDS

System changes

• Disable unused services that are enable by default

systemctl disable hciuart.service
systemctl disable bluealsa.service
systemctl disable bluetooth.service

• Add to section [all] in /boot/config.txt
• dtoverlay=disable-bt

grep disable-bt /boot/overlays/README
Name:   disable-bt
Load:   dtoverlay=disable-bt
Name:   pi3-disable-bt
Info:   This overlay has been renamed disable-bt, keeping pi3-disable-bt as an

• disable wifi
• Add to section [all] in /boot/config.txt
• dtoverlay=disable-wifi

grep disable-wifi /boot/overlays/README
Name:   disable-wifi
Load:   dtoverlay=disable-wifi
Name:   pi3-disable-wifi
Info:   This overlay has been renamed disable-wifi, keeping pi3-disable-wifi as

systemctl disable avahi-daemon.service
systemctl stop avahi-daemon.service

FIXME:

systemctl disable wpa_supplicant

• Had to move hook to disable wpa_supplicant process on reboots

mv /lib/dhcpcd/dhcpcd-hooks/10-wpa_supplicant /root

• Ignore recommends/suggests when installing software

• /etc/apt/apt.conf

APT::Install-Recommends "0";
APT::Install-Suggests "0";
Dpkg::Options {
    "--force-confdef";
    "--force-confold";
}

• System Update and upgrade

apt update
apt dist-upgrade

• sysctl settings

• /etc/sysctl.d/90-vm-disable-oom-killer.conf

# Disable OOM killer
vm.overcommit_memory=2
vm.overcommit_ratio=90

• /etc/sysctl.d/90-disable-perf-event.conf

# -1: Allow use of (almost) all events by all users
# >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
# >=1: Disallow CPU event access by users without CAP_SYS_ADMIN
# >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
# >=3: Disallow all event access by users without CAP_SYS_ADMIN
#
# https://lwn.net/Articles/696216/
#
kernel.perf_event_paranoid=3

• /etc/sysctl.d/90-coredumps-restricted-directory.conf

kernel.core_pattern = /var/core/core_%h_%e_%u_%g_%t_%p

mkdir /var/core

• Default profile

• /etc/profile.d/login.sh

export EDITOR=vi
set -o vi
export TMOUT=900
readonly TMOUT

• /etc/hosts

127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

• Install editor

apt install vim-nox

• vim for root

• root/.vimrc

syntax on

• Install autoupdates for patch management

apt install unattended-upgrades
dpkg-reconfigure unattended-upgrades

• change in /etc/apt/apt.conf.d/50unattended-upgrades

Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";

        "origin=Raspbian,codename=${distro_codename},label=Raspbian";
        "origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
};

Unattended-Upgrade::Package-Blacklist {
};

Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::InstallOnShutdown "false";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

systemctl status unattended-upgrades systemctl enable unattended-upgrades

user management

• Remove user pi

userdel pi
rm -rf /home/pi

• Change sudoer to allow users in sudo group to change role without passwords

• change in /etc/sudoer

%sudo   ALL=(ALL:ALL) NOPASSWD: ALL

• Add password for root user

passwd root

• Remove passwords from users

passwd -d ubuntu

• Disable dsa key in sshd and remove dsa keys

• comment in /etc/ssh/sshd_config

# HostKey /etc/ssh/ssh_host_dsa_key

rm /etc/ssh/ssh_host_dsa_key*

• Disable depreciated setting and disable forwarding

• add/change in /etc/ssh/sshd_config

# UsePrivilegeSeparation yes
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding yes

• Check sshd configuration

/usr/sbin/sshd -t

Network primary - /etc/network/interfaces.d/eth01

• /etc/network/interfaces.d/eth0

auto eth0
iface eth0 inet static
address x.x.x.x
netmask 255.255.255.0
gateway x.x.x.x

• disable dhcpcd client

systemctl disable  dhcpcd.service

• ntp

/etc/systemd/timesyncd.conf:NTP=x.x.x.x y.y.y.y

systemctl status systemd-timesyncd.service

• rng

systemctl status rng-tools.service

Monitoring (not done)

install and enable logcheck? logwatch?

• /etc/motd

### WARNING ###
...
...

• troubleshooting tools

apt install tcpdump lsof

System: Move heavy writes to USB drive (to save sdcard)

• Use blkid and find UUID for USB drive patition
• Create single partion ext4 on USB drive

blkid
fdisk /dev/sda
mkfs.ext4 /dev/sda1

• Add to /etc/fstab: Example:

PARTUUID=7e60cada-01 /data      ext4    defaults,noatime,errors=remount-ro  0       2

mkdir /data
mkdir -p /data/var/cache /data/var/spool
mv /var/log /data/var
ln -sf /data/var/log /var/log
mv /var/cache/apt /data/var/cache/
ln -s /data/var/cache/apt /var/cache/
mv /var/spool/postfix /data/var/spool/
ln -s /data/var/spool/postfix /var/spool/
reboot

• disable journal

• change to ‘volatile’ and restart

grep Storage /etc/systemd/journald.conf 
Storage=volatile

systemctl restart systemd-journald.service