Saturday, 18 August 2012

Raspberry Pi Initial Setup

Long time, no update.  I now have my hands on a Raspberry Pi.  Well, had it for about a month now.   I have stuffed it up a few times and had to re-image from scratch.  Below are the steps I use to set up my Pi once I've stuffed it up and re-imaged the SD card.

Start GUI At Boot

By default, the Debian install boots to a command prompt and you need to manually start the GUI.  Follow the steps outlined below to set the GUI to start automatically at boot.

1.         Login to the Pi and type startx [ENTER]
2.         Login again if required
3.         Select "Start" ==> "Accessories" ==> "LX Terminal"
4.         At the command prompt, type sudo leafpad /etc/inittab [ENTER]
a.         Change the line id:2:initdefault: to id:5:initdefault:
5.         Save the changes and exit
6.         Reboot the Pi and you should be shown a graphical logon window

Auto-Login

If you want, you can set the Pi to automatically log in when it starts up for you.  Note that you will need to have set a root password before completing these steps.

1.         Log into the graphical user interface
2.         "Start" ==> "Preferences" ==> "Login Window"
3.         Enter the root password for your Pi
4.         Click the "Security" tab
5.         Check the "Enable Automatic Logon" tick box
6.         Select the user from the dropdown list
7.         Click the "Close" button
8.         Reboot.  You should be automatically logged in when the Pi starts up.

Change the Keyboard Mapping

By default, the Raspberry Pi comes with a UK keyboard map.  This can make life difficult if you want to use, for example, the # symbol as this is not where you would expect it to be.  When selecting the options, use the arrow key to move around and the [ENTER] key to confirm the selection and move on to the next step.
Source: http://elinux.org/RPi_Beginners#Keyboard_layout

1.         If in LXDE, start a LX Terminal
2.         Type sudo dpkg-reconfigure keyboard-configuration [ENTER]
3.         Select “Generic 105-key (Intl) PC”
4.         Select “USA” as the keyboard layout
5.         Select “No AltGR key” unless your keyboard has one
6.         Select “No compose key” unless your keyboard has one
7.         Select “Yes” to use “Ctrl+Alt+Backspace” to terminate the X Server
a.         This is the same as using Ctrl+Alt+Del in Windows
8.         And you’re done!

Setting the Timezone

When selecting the options, use the arrow key to move around and the [ENTER] key to confirm the selection and move on to the next step.
Source: http://elinux.org/RPi_Beginners#Timezone

1.         If in LXDE, start a LX Terminal
2.         Type sudo dpkg-reconfigure tzdata [ENTER]
3.         Select your geographic area from the list
4.         If there are sub-areas, select the area nearest you in the next window
5.         The time automatically updates

Set a root password

The Debian Pi image does not have a root password assigned.  This can cause some frustration when certain parts of the system expect there to be one.

1.         If in LXDE, start a LX Terminal
2.         Type sudo passwd root [ENTER]
a.         Follow the prompts to enter your new root password

Increase Available Space

If you’re using the Debian release on an SD card ordered from RS or Alliance, there is 2GB sitting there unused.  This is because the Debian image is configured for a 2GB SD card.  You can use a graphical utility to resize the partitions, or follow the steps outlined below directly on the Pi.

WARNING:  As with any time you fiddle with partition tables and resizing partitions, make sure you have a backup.  No responsibility taken for any loss of data!
Source: http://elinux.org/RPi_Resize_Flash_Partitions

1.         If in LXDE, start a LX Terminal
2.         Type sudo fdisk -cu /dev/mmcblk0
3.         Type p [ENTER]
a.         Look for the second partition, in particular the number under the “Start” column.  You’ll need this later.
4.         Type d [ENTER]
a.         Enter 3 to delete the unused swap partition
5.         Type d [ENTER]
a.         Enter 2 to delete the main partition.  Note that this doesn’t erase the data.
6.         Type n [ENTER] to create a new partition
7.         Type p [ENTER] to create a new primary partition
a.         Enter 2 to indicate this is the second partition
b.         Enter the number you noted earlier as the “First Sector” value and press [ENTER]
c.          Press [ENTER] – this will use up all available space on the card
8.         Type w [ENTER] to save the partition table
9.         You now need to reboot the Pi for the new partition table to take effect.
a.         Type sudo reboot [ENTER]
10.       Once the Pi has rebooted, you now need to expand the main drive to fill the new partition
a.         If in LXDE, start a LX Terminal
b.         Type sudo resize2fs /dev/mmcblk0p2 [ENTER]
c.          Wait while this expands the drive
11.       Once the resize has completed, check the new size by typing df -h [ENTER].
a.         You should now have a lot more useable space!

Add a New User With Sudo Privileges

The default user account that comes with the Raspberry Pi image is just that – a default.  Anybody can look up the username and password online.  If they have access to your Pi, they know how to log in. 
Source: http://elinux.org/RPi_Beginners#Create_a_new_user_with_sudo-privileges

1.         Log into your Pi using the default username and password of pi/raspberry
2.         If in LXDE, open a LX Terminal
3.         Type sudo adduser <username> sudo [ENTER] where <username> is your chosen login
a.         Follow the steps to set up your new user
b.         Note that the password is the only required option.  If you don’t want to enter any of the other data, just press [ENTER]
c.          PLEASE choose a secure password!

Configuring SSH

SSH allows you to access the console, or even most GUI applications, from a remote computer.  However, in its default configuration SSH can be insecure.  Before using SSH, follow the steps outlined below to increase SSH security.  For all steps, you will need to start a LX Terminal.

Remove SSH Server

Not going to be using remote console access?  The most effective way of securing it is to remove it completely!

1.         Type sudo apt-get remove openssh-server [ENTER]
2.         Done.  You don’t need to complete any of the remaining steps.

Regenerate the SSH Keys

If you are planning on using remote access, follow through the remainder of the processes to improve SSH security.  By default, all Raspberry Pi images use the same SSH keys.  We need to remove these and generate some new ones.
Source: http://elinux.org/RPi_Beginners#Remote_Access

1.         Type sudo rm /etc/ssh/ssh_host_* && sudo dpkg-reconfigure openssh-server [ENTER]

Only Allow SSH 2 Connections

SSH 2 introduced improved security measures.  You want to be using them, and blocking all other connections.

1.         Type sudo leafpad /etc/ssh/sshd_config [ENTER]
2.         Ensure there is a line that says “Protocol 2”
a.         If it says anything else, change it.
b.         If it is missing, add it just after the “ListenAddress” line
3.         Note that if you had to change or add this line, it is a good idea to regenerate the SSH keys as detailed above.
4.         Save the changes, but don’t close the file just yet.

Block or Allow Specified Users

SSH can either allow a set of defined users, or block a set of defined users.

1.         To allow only a defined set of users to access the system using ssh, add a line like the example below.
a.         AllowUsers root pi will allow the users root and pi access to the system
2.         To allow all users except the defined users to access the system, add a line like the example below:
a.         DenyUsers root pi will allow all users EXCEPT root and pi to connect via ssh

To stop malicious users from being able to create their own user accounts and login, it would be best to use the AllowUsers option with accounts that you have specified.

It is strongly recommended that you do not allow the root user to connect via ssh.  While you can define this using the DenyUsers line, there is another way that still allows you to use the AllowUsers setting.

1.         Change “PermitRootLogin” from ‘yes’ to ‘no’

Log Users Out After A Period of Inactivity

If a user is not active at their keyboard, you may want to log them out, just in case they have left their computer unlocked and someone happens by.

1.         Add the line ClientAliveInterval 300 if it does not already exist
a.         Here, we are setting a time out of 300 seconds (5 minutes)
2.         Also add ClientAliveCountMax 0

Change SSH Port

SSH defaults to port 22.  Almost every script kiddie, hacker and automated port scanner looks for services listening on port 22.  You want to use a port they would not be expecting.  Theoretically, you can use any number other than 22; however, other ports are already used by other services.  For example, HTTP works on port 80 and POP3 on 110.

To be on the safe side, pick a number between 21,000 and 40,000.

1.         Change the line Port 22 to Port <number>, where <number> is a number between 21,000 and 40,000
2.         When you restart the ssh daemon, you will need to tell your ssh client not to use the default port but to instead use this special port.  See your software’s instructions on how to do this.
a.         If you want access from the internet, you will also need to set up port forwarding on your router.  Consult your user guide for help.

Save and Apply Changes

This is not all you can do to secure SSH; however, it will go some way to increasing the level of security offered.

1.         Save the changes to the sshd_config file and exit leafpad
2.         At a LX Terminal, type sudo /etc/init.d/ssh restart [ENTER]
3.         The SSH daemon should restart and you should be able to connect over the new port specified.
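
To confirm that the edits above actually ended up in the file, here is an added example (not part of the original post) that audits sshd_config text against the settings this guide asks for. It assumes the file has no Match blocks; both sample configs and the user `alice` are constructed.

```shell
#!/bin/sh
# Added example: audit sshd_config text against the settings this guide asks for.
# Assumptions: no Match blocks; input arrives on stdin or as a file argument.

audit_sshd_config() {
    awk '
    function show(k) { return (val[k] == "") ? "(not set)" : val[k] }
    function bad(msg) { print "FINDING: " msg }

    /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
    {
        key = tolower($1)              # keywords are case-insensitive
        if (key in val) next           # sshd keeps the first value it reads
        $1 = ""; sub(/^[ \t]+/, "")    # what is left of the line is the argument
        val[key] = $0
    }
    END {
        if (val["protocol"] != "2") {
            bad("Protocol is " show("protocol") ", expected 2") }
        if (tolower(val["permitrootlogin"]) != "no") {
            bad("PermitRootLogin is " show("permitrootlogin") ", expected no") }
        if (val["allowusers"] == "") {
            bad("AllowUsers is not set, so any account may log in")
        } else if ((" " val["allowusers"] " ") ~ / root /) {
            bad("AllowUsers lists root") }
        port = (val["port"] == "") ? 22 : val["port"] + 0   # 22 is the default
        if (port < 21000 || port > 40000) {
            bad("Port is " port ", expected a value between 21000 and 40000") }
        if (val["clientaliveinterval"] + 0 <= 0) {
            bad("ClientAliveInterval is " show("clientaliveinterval") ", expected 300") }
        if (val["clientalivecountmax"] != "0") {
            bad("ClientAliveCountMax is " show("clientalivecountmax") ", expected 0") }
    }' "$@"
}

# Constructed sample: the kind of file the guide starts from.
weak_sample() {
    cat <<'EOF'
# constructed sample, not taken from a real host
Port 22
ListenAddress 0.0.0.0
Protocol 2,1
PermitRootLogin yes
AllowUsers root pi
EOF
}

# Constructed sample: the same file after every step above.
hardened_sample() {
    cat <<'EOF'
Port 22022
ListenAddress 0.0.0.0
Protocol 2
PermitRootLogin no
AllowUsers alice
ClientAliveInterval 300
ClientAliveCountMax 0
EOF
}

weak_sample | audit_sshd_config    # prints one FINDING line per setting to fix
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config`. Current OpenSSH releases differ from the 2012 image: the server has only spoken protocol 2 since 7.4, and since 8.2 `ClientAliveCountMax 0` switches the disconnect off rather than on, so check `man sshd_config` on the installed version.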

Keep The Time Up To Date

To save on costs, the Raspberry Pi does not include a real time clock.  This means, whenever the Pi is powered down, it forgets what time it is.  Luckily, there is a network service to ensure the time is reasonably accurate.

For some reason, whenever I log on it asks me to enter my password (for sudo) twice and then says it can’t set the time correctly.  Your results may vary.

1.         If in LXDE, start a LX Terminal
2.         Type sudo nano /etc/rc.conf [ENTER]
3.         This will be a new file, so it will be blank.  Enter the following:

# /etc/rc.conf
DAEMONS=(!hwclock ntpd ntpdate)

4.         Press [CTRL]+x
a.         Press y
b.         Press [ENTER] to confirm the save

Nice Directory Listings

If you use the terminal a lot, you may find that adding a dash of colour is nice.  You can also have a detailed listing rather than just the default.

1.         If in LXDE, start a LX Terminal
2.         Type nano ~/.bash_profile [ENTER]
3.         This will be a new file, so it will be blank
4.         Enter alias ls='ls -la --color' into the file
5.         Press [CTRL]+x
a.         Press y
b.         Press [ENTER] to confirm the save

Alias is a pretty handy command.  As you can see above, instead of typing ls -la --color every time we want a nice detailed colour listing, we can now just type ls and it will replace this with whatever is after the = sign.  Google this command for some more handy uses.

Update Raspberry Pi Firmware

The Raspberry Foundation may release updates to the firmware that drives the Pi from time to time.  These updates may add features, improve performance or stability or fix bugs in the existing firmware.  While it is possible to manually download, build and install these updates, someone has already done the work for us.  Follow these steps to ensure you have an easy way to check for and update your firmware.  Note that you may want to have expanded your storage to fill the SD card, or moved the entire file system onto an external HDD.
Source: https://github.com/Hexxeh/rpi-update/

1.         If in LXDE, start a LX Terminal
2.         Type sudo apt-get install ca-certificates [ENTER]
3.         Type sudo apt-get install git-core [ENTER]
4.         Type sudo wget http://goo.gl/1BOfJ -O /usr/bin/rpi-update && sudo chmod +x /usr/bin/rpi-update [ENTER]
5.         Type sudo /usr/bin/rpi-update [ENTER]
a.         By default, the Pi shares the RAM between the CPU and the GPU in the ratio of 192/64 MB.  You can change this by running the command rpi-update <cpuMemoryInMB> [ENTER]

Setting Up VNC Server

While you can open applications remotely using SSH and X window, you can also set up VNC to give yourself the full desktop experience over a network.  The steps below will ensure the VNC Server will start on boot.  If you want to start the server manually, simply type in the command instead of adding it to the rc.local file.
Source: http://mitchtech.net/vnc-setup-on-raspberry-pi-from-ubuntu/

1.         If in LXDE, start a LX Terminal
2.         Type sudo apt-get install tightvncserver [ENTER]
3.         Type sudo nano /etc/rc.local [ENTER]
4.         Add the following line anywhere between the lines #!/bin/sh -e  and exit 0

vncserver :1 -geometry 1024x600 -depth 16 -pixelformat rgb565

5.         Press [CTRL]+x
a.         Press y
b.         Press [ENTER] to confirm the save

Use an External HDD

While you can expand the root file partition to utilize the entire SD card, you can gain much more storage space and performance using an external HDD.  You can also use this external HDD for swap space.  Due to the high number of read/write operations, it is recommended to use a traditional (i.e. non-SSD) HDD for swap storage.  Most of the time, the Pi will not require swap space; indeed, the default OS shipped with the Pi has it disabled entirely.  Having it just provides a bit of a backup in case physical memory gets maxed out.  This guide will create two partitions on the external drive: the first for the user home directories, and the second for swap space.

Note:  You will need a blank external HDD for this procedure – delete all partitions on the disk prior to starting.

1.         In LXDE, start a LX Terminal
2.         Type sudo gparted [ENTER]
3.         From the File menu select "Devices" ==> <Your USB HDD>
4.         Click on the empty drive space
5.         Select "Partition" ==> "Create Partition"
6.         Create a primary ext4 partition on the drive.
a.         Do not format the ext4 partition from within gparted, it seems to fail consistently.
7.         Type sudo mkfs.ext4 /dev/sda1 [ENTER]
8.         Type sudo mkdir /media/usb-hdd [ENTER]
9.         Type sudo mount /dev/sda1 /media/usb-hdd -t ext4 [ENTER]
10.       Type rsync -avh /home/ /media/usb-hdd [ENTER]
11.       If there were no errors, and you’re feeling brave, type sudo rm -rf /home [ENTER] to remove the home directories from the SD card.
a.         Note that the home directories will not be available until you reboot the Pi!
12.       Type sudo nano /etc/fstab [ENTER]
a.         Add the following lines at the end of the file.
b.         Note that your USB drive and partitions may appear as something other than sda, sda1 and sda2.  Make a note of these from gparted and replace as appropriate.

/dev/sda2    none         swap   sw         0       0
/dev/sda1    /home        ext4   relatime   0       2

13.       Press [CTRL]+x
a.         Press y
b.         Press [ENTER] to confirm the save
14.       Reboot the Pi
15.       Once you log in, start a LX Terminal if in LXDE
a.         Type df -h [ENTER].  You should see something like the following line.

/dev/sda1 146G  191M  143G   1% /home

b.         Type swapon -s [ENTER].  You should see something like the following line.

Filename                    Type               Size        Used Priority
/dev/sda2      partition        1047548 0       -1

Setup Raspcontrol

Raspcontrol is a web-based portal for managing your Pi and provides some feedback on the status of various parts such as disk space.  You will need to download and install a web server and a programming language called PHP.

Note: Before proceeding, review the install instructions in the README file downloaded with the source for any changes in installation, or prerequisites.
Source: https://github.com/Bioshox/Raspcontrol

1.         If in LXDE, start a LX Terminal
2.         Type sudo apt-get install php5 apache2 [ENTER]
3.         Wait for the packages to download and install
a.         Apache may fail to start with an error “bad group name www-data”.  If so:
i.          Type sudo groupadd www-data [ENTER]
ii.         Type sudo /etc/init.d/apache2 start [ENTER]
4.         Type sudo mkdir /var/www/raspcontrol [ENTER]
5.         Download the source files. 
a.         Type wget https://github.com/Bioshox/Raspcontrol/tarball/master [ENTER]
6.         Extract the source files
a.         Type tar -zxvf master [ENTER]
b.         This will extract them into a folder in the current directory
7.         Copy the source files into the Apache server directory
a.         Type sudo cp -r <sourceFileDirectory>/* /var/www/raspcontrol [ENTER]
8.         Type sudo leafpad /etc/sudoers [ENTER]
a.         Beneath the line <user> ALL=(ALL) ALL, enter www-data ALL=(ALL) NOPASSWD: ALL
b.         Save and exit
9.         From a computer, browse to http://<raspberryPi_IP_Address>/raspcontrol/setup.php
a.         Enter a Username and Password
b.         Click the “Create User” button
10.       For security purposes, return to the Pi and type sudo rm /var/www/raspcontrol/setup.php [ENTER]
11.       You can now browse to http://<raspberryPi_IP_Address>/raspcontrol and log in with that username and password to manage your Pi.
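
The `www-data ALL=(ALL) NOPASSWD: ALL` line from step 8 lets anything running under the web server become root without a password, so it is worth being able to find such grants again later. This added example (not part of Raspcontrol or the original post) lists them from sudoers text; the sample file and its `backup`, `%admin` and `deploy` entries are constructed.

```shell
#!/bin/sh
# Added example: list sudoers principals that may run ALL commands without a password.
# Assumptions: one host list per rule, no alias expansion, no include processing.

find_nopasswd_all() {
    awk '
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }      # join continuation lines
    { line = buf $0; buf = "" }
    line ~ /^[ \t]*(#|$)/ { next }                     # comments, includes, blanks
    line ~ /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
    {
        eq = index(line, "=")
        if (eq == 0) next
        split(substr(line, 1, eq - 1), lhs, /[ \t]+/)
        who = (lhs[1] != "") ? lhs[1] : lhs[2]         # tolerate leading whitespace
        rest = substr(line, eq + 1)
        gsub(/\([^)]*\)/, "", rest)                    # drop (runas) specs
        n = split(rest, cmd, ",")
        nopass = 0                                     # a tag carries over to later commands
        for (i = 1; i <= n; i++) {
            c = cmd[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            while (match(c, /^[A-Z_]+[ \t]*:[ \t]*/)) {
                tag = substr(c, 1, RLENGTH)
                if (tag ~ /^NOPASSWD/) { nopass = 1 }
                else if (tag ~ /^PASSWD/) { nopass = 0 }
                c = substr(c, RLENGTH + 1)
            }
            if (c == "ALL" && nopass) { print who; break }
        }
    }' "$@"
}

# Constructed sample; the www-data line is the one step 8 adds.
sudoers_sample() {
    cat <<'EOF'
# constructed sample, not taken from a real host
root     ALL=(ALL) ALL
pi       ALL=(ALL) ALL
www-data ALL=(ALL) NOPASSWD: ALL
backup   ALL=(root) NOPASSWD: /usr/bin/rsync
%admin   ALL=(ALL) NOPASSWD: /bin/ls, PASSWD: ALL
deploy   ALL=(ALL) \
         NOPASSWD: /bin/true, ALL
EOF
}

sudoers_sample | find_nopasswd_all    # prints www-data and deploy
```

If you edit `/etc/sudoers` by hand as in step 8, `sudo visudo -c` checks the file's syntax afterwards.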



Wednesday, 11 January 2012

Does Anybody Read This?

Welcome back peeps.  Another waste of time, storage and bandwidth.  So, what's been happening?

Private Project

Well, this project is moving ahead.  Got a deposit paid - which helped pay for a new set of tyres for the car.  It also means we are committed to finalising development.  This little project has taught me so much that I can use in my day job it's unbelievable.  Using Access 207 as a front-end with a MySQL 5 back-end is, well interesting.  As many queries as possible have been moved into Stored Procedures that are simply called from Access.  This has a few benefits:
  1. Any changes that are made can be applied to all clients at the same time - update, test and move into production and changes to the stored procedures and BAM!  All clients have a copy of the stored procedure (well, they call the SP on the server, but you get the idea).
  2. Routines that manipulate a lot of data run much quicker on the server than on the client.  
    1. For starters, you don't need to download the entire recordset onto the client for processing, then upload the changes.  
    2. The server also has more grunt to carry out this kind of work anyway.  
    3. And lastly, although Access does carry out some basic optimisation for saved queries, I think the MySQL server does a better job of mapping out stored procedure flow and optimising a lot better.
  3. Gives me a chance to learn MySQL and SQL better

We are looking at a February installation and running alongside the existing platform.  This is dependent on client giving go-ahead and final sign-off on the contract.  All up, should be a nice yearly bonus.  My regular tax return will more than cover the small income earned through this endeavor. 

iOS Development

Has been put on hold.  I'm currently working on learning PHP and advancing my skill set in BlackBerry/Java development. The BlackBerries now need to talk to the database server to obtain a list of clients in the user's region.  Hence the PHP - I need to be able to write a web service to handle the communication.  Luckily I can be a bit 'sloppy' with this and not worry about authentication as the web service will not be made available on the internet.  Only devices on the LAN will have access and quite frankly, if there is a compromised machine on the LAN then it really doesn't make one bit of difference if I secure this web service or not.  Unsurprisingly, IIS is being a bitch and refusing to run PHP.  I did manage to get it running at some stage however something has broken and it isn't loading the PHP DLL when a PHP page is called.  Oh well, download and install WAMP on an unused desktop that doesn't get turned off and all is looking good!

Anyway, I'm going to stop there.  Nobody reads this anyway.