tags: - raspberry pi - setup categories: - informational comments: true
Configuration changes to make on new raspberry pi - raspbian systems.
Ensure rfkill is disabled
vi /etc/profile.d/wifi-check.sh
exit 0
systemctl disable hciuart.service
systemctl disable bluealsa.service
systemctl disable bluetooth.service
grep disable-bt /boot/overlays/README
Name: disable-bt
Load: dtoverlay=disable-bt
Name: pi3-disable-bt
Info: This overlay has been renamed disable-bt, keeping pi3-disable-bt as an
grep disable-wifi /boot/overlays/README
Name: disable-wifi
Load: dtoverlay=disable-wifi
Name: pi3-disable-wifi
Info: This overlay has been renamed disable-wifi, keeping pi3-disable-wifi as
systemctl disable avahi-daemon.service
systemctl stop avahi-daemon.service
FIXME:
systemctl disable wpa_supplicant
wpa_supplicant
process on rebootsmv /lib/dhcpcd/dhcpcd-hooks/10-wpa_supplicant /root
Ignore recommends/suggests when installing software
/etc/apt/apt.conf
APT::Install-Recommends "0";
APT::Install-Suggests "0";
Dpkg::Options {
"--force-confdef";
"--force-confold";
}
apt update
apt dist-upgrade
sysctl settings
/etc/sysctl.d/90-vm-disable-oom-killer.conf
# Disable OOM killer
vm.overcommit_memory=2
vm.overcommit_ratio=90
# -1: Allow use of (almost) all events by all users
# >=0: Disallow raw tracepoint access by users without CAP_IOC_LOCK
# >=1: Disallow CPU event access by users without CAP_SYS_ADMIN
# >=2: Disallow kernel profiling by users without CAP_SYS_ADMIN
# >=3: Disallow all event access by users without CAP_SYS_ADMIN
#
# https://lwn.net/Articles/696216/
#
kernel.perf_event_paranoid=3
kernel.core_pattern = /var/core/core_%h_%e_%u_%g_%t_%p
mkdir /var/core
export EDITOR=vi
set -o vi
export TMOUT=900
readonly TMOUT
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 nsa02
apt install vim-nox
set syntax=on
apt install unattended-upgrades
dpkg-reconfigure unattended-upgrades
uncomment
"origin=Debian,codename=${distro_codename}-updates";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Automatic-Reboot "true";
systemctl status unattended-upgrades systemctl enable unattended-upgrades
userdel pi
rm -rf /home/pi
Change sudoer to allow users in sudo group to change role without passwords
change in /etc/sudoer
%sudo ALL=(ALL:ALL) NOPASSWD: ALL
passwd root
~~~~
* Remove passwords from users
passwd -d ubuntu
* Disable dsa key in sshd and remove dsa keys
``` comment in /etc/ssh/sshd_config
# HostKey /etc/ssh/ssh_host_dsa_key
```
```
rm /etc/ssh/ssh_host_dsa_key*
```
* Disable depreciated setting and disable forwarding
``` add/change in /etc/ssh/sshd_config
# UsePrivilegeSeparation yes
AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding yes
```
* Check sshd configuration
/usr/sbin/sshd -t
## Network primary - /etc/network/interfaces.d/eth01
* /etc/network/interfaces.d/eth0
```
auto eth0
iface eth0 inet static
address x.x.x.x
netmask 255.255.255.0
gateway x.x.x.x
```
* disable dhcpcd client
```
systemctl disable dhcpcd.service
```
* ntp
```
/etc/systemd/timesyncd.conf:NTP=x.x.x.x y.y.y.y
```
systemctl status systemd-timesyncd.service
* rng
```
systemctl status rng-tools.service
```
## Monitoring (not done)
install and enable logcheck? logwatch?
~~~ /etc/motd
apt install tcpdump lsof
blkid
fdisk /dev/sda
mkfs.ext4 /dev/sda1
PARTUUID=7e60cada-01 /data ext4 defaults,noatime,errors=remount-ro 0 2
mkdir /data
mkdir -p /data/var/cache /data/var/spool
mv /var/log /data/var
ln -sf /data/var/log /var/log
mv /var/cache/apt /data/var/cache/
ln -s /data/var/cache/apt /var/cache/
mv /var/spool/postfix /data/var/spool/
ln -s /data/var/spool/postfix /var/spool/
reboot
disable journal
change to ‘volatile’ and restart
grep Storage /etc/systemd/journald.conf
Storage=volatile
systemctl restart systemd-journald.service