
Raspberry Pi SSH server

Wednesday, May 22nd, 2013

In this post, I’ll describe my Rpi SSH server configuration. The media center Rpi is also interesting, but I didn’t have to customize much, since OpenELEC is more like an appliance: apart from installing extensions and tweaking the system settings, there’s not much one needs to do to get up and running (which is good!).

RPi SSH server

I use my Rpi SSH server as a gateway to reach home when I’m outside (on the train over 3G or on some Wi-Fi network). It basically allows me to access anything on my personal network in a secure fashion (more on this after the setup details).

The configuration is built on top of ArchLinux and uses OpenSSH (who would’ve guessed ^^).

I’ve chosen ArchLinux mainly because I’m already familiar with it. I could also have installed the Debian distribution; I don’t think it would’ve prevented me from doing any of the following.

For the basic setup of ArchLinux, I’ve followed this guide: http://elinux.org/ArchLinux_Install_Guide

After booting it up for the first time, I still had a few things to configure :)

  • First things first: changing the password
    passwd
  • Updating everything
    pacman-key --init (init pacman)
    pacman -Syy (update the packages db)
    pacman -Syu (full update)
    pacman -Syu (just because I'm a tad crazy)
  • Modifying the timezone
    nano /etc/timezone
  • Modifying the hostname
    hostnamectl set-hostname rpissh
  • Setting a static IP
    actually not done yet, I rely on a DHCP reservation for now.
  • Modifying the keymap
    localectl list-keymaps
    localectl set-keymap be-latin1
  • Updating the hosts file in order to easily access my home machines
    nano /etc/hosts
    ...
  • Resizing the root partition (because it sucks to use only a part of the available space on the SD card)
    fdisk /dev/mmcblk0
    
    Welcome to fdisk (util-linux 2.22.1).
    Changes will remain in memory only, until you decide to write them.
    Be careful before using the write command.
    Command (m for help): d
    Partition number (1-4): 2
    Partition 2 is deleted
    Command (m for help): n
    Partition type:
    p primary (1 primary, 0 extended, 3 free)
    e extended
    Select (default p): p
    Partition number (1-4, default 2): 2
    First sector (194560-31512575, default 194560):
    Using default value 194560
    Last sector, +sectors or +size{K,M,G} (194560-31512575, default 31512575):
    Using default value 31512575
    Partition 2 of type Linux and of size 15 GiB is set
    Command (m for help): w
    The partition table has been altered!
    Calling ioctl() to re-read partition table.
    WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
    The kernel still uses the old table. The new table will be used at
    the next reboot or after you run partprobe(8) or kpartx(8)
    Syncing disks.
    
    We’re deleting the rootfs partition and creating a new one. Since there is no gap between the boot and root partitions, the new partition starts at exactly the same sector as the one just deleted, so we end up with a bigger partition that still holds the old, smaller filesystem.
    We also see that re-reading the partition table failed because the partition is in use, so a reboot is needed before the kernel knows about the new table. After the reboot, the filesystem itself can be resized.
    
    After a reboot, I could finally resize the filesystem:
    
    resize2fs /dev/mmcblk0p2
    
    resize2fs 1.42.6 (21-Sep-2012)
    Filesystem at /dev/mmcblk0p2 is mounted on /; on-line resizing required
    old_desc_blocks = 1, new_desc_blocks = 1
    Performing an on-line resize of /dev/mmcblk0p2 to 3914752 (4k) blocks.
    The filesystem on /dev/mmcblk0p2 is now 3914752 blocks long.
  • Adding a user (which will be the only one allowed to log on via SSH)
    useradd -m -g users -s /bin/bash johndoe
        -m: create home folder
        -g: default group
        -s: shell
    passwd johndoe
    
    The same can apparently be done using:
    pacman -S adduser
    adduser
    > johndoe
  • Configuring/Hardening the SSH daemon
    Reference: https://wiki.archlinux.org/index.php/Secure_Shell
    
    nano /etc/ssh/sshd_config
    
    ...
    Port xxxxx # because the default port (22) is too dangerous to expose since it is targeted by all script kiddies & bots
    ServerKeyBits 4096 # because I'm paranoid even though it doesn't have huge security benefits :p (this only ever applied to the protocol 1 server key; later OpenSSH releases dropped the option)
    LoginGraceTime 30 # 30 seconds to log on, after which the client is disconnected
    PermitRootLogin no # root cannot log in, even though I only allow public key authentication (again, doesn't protect me that much more, but still)
    PasswordAuthentication no # I don't allow password authentication, only public key auth
    ChallengeResponseAuthentication no # ...
    PrintMotd no # the less people know, the better I feel :)
    PrintLastLog no # same logic
    UsePrivilegeSeparation sandbox      # Default for new installations.
    AllowUsers johndoe # only user allowed to authenticate
    MaxStartups 10:30:100 # limit the number of connections -> http://stackoverflow.com/questions/4812134/in-sshd-configuration-what-is-maxstartups-103060-means

    I can probably do more than this, but for now I’m OK with that. See my todo list below for more on this.

  • Generating & importing my private keys
    ...
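To check that a Pi still matches the hardening choices above (or that a fresh install has them at all), here is an added audit script that is not part of the original post. It reads an sshd_config the way sshd does (first match wins, comment lines skipped, anything after a Match line is conditional) and reports every directive that deviates; the file path and the sample config it writes are constructed for the example.

```shell
# sshd_get FILE DIRECTIVE: effective global value (first match wins, comment lines
# skipped, scan stops at the first Match line since what follows is conditional).
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Directive=value pairs from the post, checked for an exact match.
WANTED="PermitRootLogin=no PasswordAuthentication=no ChallengeResponseAuthentication=no PrintMotd=no PrintLastLog=no"
# sshd_audit FILE: print one line per deviation, return the number of deviations.
sshd_audit() {
    fails=0
    for pair in $WANTED; do
        key=${pair%%=*}; want=${pair#*=}; got=$(sshd_get "$1" "$key")
        if [ -z "$got" ]; then
            echo "MISSING $key (sshd default applies, want $want)"; fails=$((fails + 1))
        elif [ "$got" != "$want" ]; then
            echo "FAIL    $key = $got (want $want)"; fails=$((fails + 1))
        fi
    done
    port=$(sshd_get "$1" Port)                  # the post moves sshd off port 22
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "FAIL    Port is 22 (default)"; fails=$((fails + 1))
    fi
    if [ -z "$(sshd_get "$1" AllowUsers)" ]; then  # and allows a single user only
        echo "FAIL    AllowUsers is not set"; fails=$((fails + 1))
    fi
    return "$fails"
}
# write_sample_config FILE: constructed sshd_config mirroring the post's values;
# the trailing Match block must not change the global verdict.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PrintMotd no
PrintLastLog no
AllowUsers johndoe
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF
}
SAMPLE=$(mktemp); write_sample_config "$SAMPLE"
sshd_audit "$SAMPLE" && echo "OK: no deviations in $SAMPLE"; rm -f "$SAMPLE"
```

Run it as `sshd_audit /etc/ssh/sshd_config` on the Pi; a non-zero exit status means at least one directive drifted from the list.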

Finally, since my plan was also to be able to wake up computers at home in case I need them, I installed the wol package, which sends Wake-on-LAN magic packets. All you need to use it is the MAC address of the device you want to wake up ;-)

pacman -S wol
su johndoe
cd ~
touch wol-pc1.sh
chmod +x wol-pc1.sh
nano wol-pc1.sh
> wol aa:bb:cc:dd:ee:ff

With that in place, I can now create a secure tunnel from anywhere towards my Raspberry Pi at home and feel “pretty” secure. It may not be so (I’m no security expert), but at least I’ve taken the necessary steps to ensure that only a motivated attacker will be able to get in (using that channel, that is :p).

Once the SSH tunnel is established, I can (for example) use the Raspberry Pi as a SOCKS proxy to surf the Web more securely (e.g., if I’m on a public Wi-Fi hotspot).

I can also access any machine within my home network (router, NAS, PCs, etc.) and wake them up if they’re not up and running. This means that when I leave home, I can shut everything down and just leave the Raspberry up (3W ain’t gonna kill me :p) and use it to wake up the device(s) I need. I can also transfer files over SFTP, etc.

What I also do from time to time is establish a Remote Desktop session towards one of my Windows PCs using port forwarding, and it works surprisingly well.
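Putting the pieces together from the client side, as an added example that is not the post’s own script: wake a PC via the wol-pc1.sh script on the Pi, wait until its RDP port answers, then open the port forward bound to localhost only; the SOCKS forward for the hotspot case is included too. The gateway address, port 2222, the pc1 hostname and the presence of nc on the Pi are assumptions, and SSH_CMD can be pointed at a stub to dry-run the flow.

```shell
SSH_CMD=${SSH_CMD:-ssh}                      # swappable so the flow can be dry-run
GATEWAY=${GATEWAY:-johndoe@home.example}     # placeholder for the home address
GW_PORT=${GW_PORT:-2222}                     # placeholder for the non-default sshd port
PC_HOST=${PC_HOST:-pc1}                      # hostname from /etc/hosts on the Pi
RDP_PORT=3389
POLL_SECS=${POLL_SECS:-5}

# gw CMD...: run a command on the Pi over SSH (key auth, non-default port).
gw() { "$SSH_CMD" -p "$GW_PORT" "$GATEWAY" "$@"; }

# wake_and_wait HOST TRIES: run the post's wol-pc1.sh on the Pi, then poll the
# PC's RDP port from inside the LAN (nc assumed on the Pi) until it answers.
wake_and_wait() {
    gw "~/wol-pc1.sh" || return 1
    i=0
    while [ "$i" -lt "$2" ]; do
        gw "nc -z -w 2 $1 $RDP_PORT" && return 0
        i=$((i + 1)); sleep "$POLL_SECS"
    done
    return 1                                  # timed out, PC never answered
}

# rdp_forward HOST: local port forward bound to 127.0.0.1 only, so other
# hosts on the hotspot cannot use the tunnel; -N opens no remote shell.
rdp_forward() {
    "$SSH_CMD" -p "$GW_PORT" -N -L "127.0.0.1:$RDP_PORT:$1:$RDP_PORT" "$GATEWAY"
}

# socks_proxy: the "surf more securely from a hotspot" case, a dynamic forward
# on 127.0.0.1:1080; point the browser's SOCKS5 setting there.
socks_proxy() {
    "$SSH_CMD" -p "$GW_PORT" -N -D "127.0.0.1:1080" "$GATEWAY"
}

main() {
    if wake_and_wait "$PC_HOST" 24; then      # about 2 minutes at 5 s per try
        rdp_forward "$PC_HOST"                # then connect the RDP client to 127.0.0.1:3389
    else
        echo "$PC_HOST did not answer on $RDP_PORT" >&2; return 1
    fi
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Invoke the script with `--run` to perform the wake-and-forward sequence; sourcing it instead makes the functions available for use one at a time.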

My todo list for this project

  • install/configure fail2ban
  • configure and automate backups of the configuration
  • install/configure logwatch and send mail notifications once in a while (just in case)