Raspberry Pi as Server

The Raspberry Pi is the great device to set up a small server at home to be used for almost any purpose. It’s cheap, small, has a low power consumption footprint and there is a great community for it to get help from. There are tons of things to do with such a mini-server. However, the very first step always will be to get the system up and running.

The best Linux to install on the Raspberry Pi is probably Raspbian which is a Debian flavor (effectively, just Debian adopted for the Raspberry Pi). Raspbian is the most stable and best supported operating system for the Raspberry with lots of helpful support. The Raspbian Linux comes in two flavors – a full system with almost everything included and a reduced, ‚lite‘ version without the graphical desktop which is the perfect choice to run the Raspberry as a server. Below is a description how to bring up the Raspberry with Raspbian-Lite and do some fine-tuning so it is a solid basis to use it as a server.

Install Linux (Raspbian-Lite)

Download the Raspbian Lite zip package to your computer from www.raspberrypi.org/downloads/raspbian/. You should ensure the integrity of the download by checking the SHA-256 checksum provided on the download page. For Linux you can use the sha256sum  shell command (typcially already installed and available). A useful open source tool for Windows can be found here: github.com/gurnec/HashCheck.

First format the SD-card: it must be FAT, not exFAT. Next, flash the SD-card with the downloaded linux zip-package using etcher which is available from etcher.io (for Linux and Windows). There is no need to unzip the Rasbian file to burn the SD-card. After Etcher is finished and no errors are reported don’t remove the SD-card yet.

Copy an empty file simply called „ssh“ (no file extension like .txt) to the home folder, the boot partion, of the SD-card. This will enable remote ssh access to the Raspberry right on the first boot.

If you want the Raspberry to connect to an existing WLAN right on first boot, create a file called wpa_supplicant.conf in the boot directory (where e.g. the file kernel.img is). On first boot Raspbian will use this file to configure and connect to the WLAN. The file itself should contain at least the following information on the WLAN (and change the country-code to your needs):

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
country=us

network={
    scan_ssid=1
    ssid="testing"
    psk="testingPassword"
}

Once done, insert the SD card in the Raspberry, connect it to the router (your internet gateway) with a LAN cable and power on the Raspberry.

Now you need to find out the IP address of the Raspberry (this very much depends on the internet router used; it might also help to assign a static IP to the Raspberry). Then connect to the Raspberry via ssh (e.g. using putty on Windows or ssh on Linux) and confirm the new certificate that you’re asked for. The username is „pi“ and the initial password is „raspberry“. If it doesn’t work try „raspberrz“ as password (due to a wrong keyboard layout) and check you’re on the same LAN as the Raspberry.

Once logged in on the terminal (command line) the first thing is to update the whole system – for this just type in:

sudo apt update
sudo apt upgrade -y

A reboot might be required. The next step is to change the basic configuration of the server via the special config-tool for the Raspberry. To start it, simply enter and confirm with the password:

sudo raspi-config

Change the following things within this configuration application:

  • Change password for the default user (option 1)
  • Change hostname (option 2, N1)
  • Enable old, standard interface names (option 2, N3 – select „No“!)
  • Change localisation (option 4) – Locale: space and tab to select (UTF-8 preferred), select your timezone, and your wifi-country.
  • Expand filesystem (option 7, A1)
  • Change GPU memory to the minimum 16 (option 7, A3)

Upon „Finish“ you’re asked to reboot; do so and then log into the Raspberry once again (with the new password just set).

Now you have a running system you can start using already. All the following steps are only optional and might or might not be helpful depending on what you want to achieve.

Some Improvements and Hardening

Change user to ‚admin‘

Change pi user to admin (not required, but much nicer that way). First create a new user (probably use your nickname and replace <username> with it):

sudo adduser <username>
sudo usermod --append --groups sudo <username>

Logout and login as the new user just created, then:

sudo usermod --login admin --home /home/admin --move-home pi
sudo groupmod --new-name admin pi

Logout and login as admin.

New ssh keys

Remove the standard ssh keys on the new Raspberry Pi server and generate new ones:

sudo rm /etc/ssh/ssh_host*
sudo dpkg-reconfigure openssh-server

Logout and login (confirming the new certificate once).

SSH login without password

You can use keys instead of entering a password each time you log into the new server. If you’re coming from a Linux machine, them simply enter the following once on that Linux device (if this is the first time you do this, then you might first need to generate the keys by entering ssh-keygen and simply press enter on the questions):

ssh-copy-id admin@my-new-server

Confirm once with the password – afterwards you will log into the new server without being asked for a password anymore (you identify yourself with the key on the machine your coming from).

You can even improve the ssh login process even more by creating a configuration file for ssh on the server that you’re coming from:

nano ~/.ssh/config

and enter something like the following (adjust to your needs):

Host my-server1 my-server1.mydomain
    Hostname my-server1.mydomain
    User admin

Host raspberry raspberry.lan
    Hostname raspberry.lan
    User alice

Then you can simply type ssh raspberry  and you’re logged into raspberry.lan as user alice right away. This alias configuration even works with scp as well.

Automatic security updates

One should also ensure that important security updates are installed automatically, i.e. unattended – this can be achieved with the following tool:

sudo apt install -y unattended-upgrades

and configure and enable it with (just confirm what is suggested):

sudo dpkg-reconfigure unattended-upgrades

Any updates are logged in the file /var/log/unattended-upgrades/unattended-upgrades.log.

Disable WLAN and/or Bluetooth

Most often the Bluetooth interface of the Raspberry Pi will not be used at all. Therefore, it’s a good security measure to simply disable it completely (just remember this):

sudo rfkill block bluetooth

and check it was sucessfull with:

sudo rfkill list

The same can be done with WLAN – if you’re setup and use case doesn’t require the WLAN at all just use the following:

sudo rfkill block wlan

and check the status like for Bluetooth above.

Swap Space

The so-called swap-space is not the best thing to be used on SD-cards – it is quite slow and the SD-Card only allows for a limited number of write operations before it will die. So swapping with lots of writing to the SD-card will break it rather sooner than later – therefore one might want to lower the use of the swap on a Raspberry Pi with e.g.:

sysctl vm.swappiness
sudo sysctl --write vm.swappiness=10

A lower swappiness number means less swapping to the SD-card.

One can easily check the swap status with:

free -h

Shell behaviour

Something useful and a nice-to-have are a few shortcuts for shell commands often used. This can be easily achieved by

nano .bash_aliases

and then define aliases as wanted along these examples

alias l='ls -CF'
alias la='ls -A'
alias ll='ls -lF'
alias lla='ls -AlF'

alias check='curl https://check.torproject.org/api/ip ; echo'

To enable them just run (alternatively, just log out and back in):

source .bash_aliases

Last but not least it proved quite useful to change the prompt so it looks different for each server (this helps mixing up different machines). You can change the prompt in the file .bashrc; look for the variable PS1 and change it to your needs (there’s enough detailed information on the internet about the details).

What to do with the Raspberry Server

There are lot’s of things that could be done with the Raspberry Pi server just enabled. Just A few ideas are:

  • Tor WLAN Gateway
  • VPN (Calling Home when you’re travelling)
  • Nextcloud server (your own cloud at home)
  • Host a Tor Relay (help the Tor network by sharing some bandwidth)
  • OpenMediaVault (NAS)

or simply search the internet for tons of other ideas. Fave fun!