Could install headless, but I wanted to use gui at first instance to ensure everything working!
Connect to wifi through GUI.
Change hostname and ensure SSH enabled in raspberrypi config GUI
change password with passwd .
Taken from here, add the following to the bottom of sudo nano /etc/dhcpcd.conf, changing ip addresses where appropriate
interface wlan0
static ip_address=192.168.0.10/24
static routers=192.168.0.1
static domain_name_servers=192.168.0.1
Changing default port reduces number of script kiddies knocking at your door. From here.
Using sudo nano /etc/ssh/sshd_config, change Port = 22 to something else, and change PermitRootLogin=no. Then restart service with sudo service ssh restart
Now time for first long upgrade and update sudo apt-get update && sudo apt-get dist-upgrade -y && sudo apt-get upgrade -y
Install dataplicity for easy remote SSH, log in and generate code to run in terminal from here.
Install liquidprompt here for terminal prettiness.
cd
git clone https://github.com/nojhan/liquidprompt.git
source liquidprompt/liquidprompt
Add the following to the .bashrc
# Only load Liquid Prompt in interactive shells, not from a script or from scp
[[ $- = *i* ]] && source ~/liquidprompt/liquidprompt
install better task manager
sudo apt-get install htop
install vnc
sudo apt-get install tightvncserver
vncserver :1
after choose a password, not set a readonly one
Reduce GPU RAM usage, VNC doesnt use this anyway
sudo raspi-config change memory split to 16 under advanced options.
further reduce connections from outside. install sudo apt-get install fail2ban, defaults are probably fine but if you edit sudo nano /etc/fail2ban/jail.local and add the following to increase ban time and for all ports:
[ssh]
banaction = iptables-allports
bantime = 3600
restart after sudo service fail2ban restart, and you can check those added to list with sudo iptables -L -n --line and failed ssh connections with sudo cat /var/log/auth.log | egrep 'sshd.*fail|sshd.*invalid'
Based on this guide here.
install sudo apt-get install exim4.
configure sudo dpkg-reconfigure exim4-config using the following:
The first screen asks you what type of mail server you need. Select the second option: "mail sent by smarthost; received via SMTP or fetchmail"
The next question asks for the system mail name: Set to same as hostname (raspberrypi or TugboatSyncMini###)
Now it asks you what IP addresses should be allowed to use the server. Leave as is (127.0.0.1 ; ::1)
Other destinations for which mail is accepted: raspberrypi
Machines to relay mail for: Leave blank.
IP address or host name of outgoing smarthost: Enter: smtp.gmail.com::587
Hide local mail name in outgoing mail: Select: No
Keep number of DNS-queries minimal: Select: No
Delivery method for local mail: Select: "Maildir format in home directory"
Split configuration into small files: Select: No
add the following lines to /etc/exim4/passwd.client
gmail-smtp.l.google.com:[email protected]:PASSWORD
*.google.com:[email protected]:PASSWORD
smtp.gmail.com:[email protected]:PASSWORD
update conf and restart
sudo update-exim4.conf
sudo /etc/init.d/exim4 restart
then add these lines at end of /etc/aliases
root: pi
pi: [email protected]
then update sudo newaliases. then give full name for user to avoid confusion in emails sudo chfn -f "pi @ tugboatmini###" pi
install mail agent using sudo apt-get install heirloom-mailx.
Test using mail -s "Testing email. I love you." root@localhost then type some stuff, ending with a line with only .
Clamav guide here.
Install clamav apt-get update && apt-get install clamav clamav-freshclam
create a script nano /home/pi/clamscan_daily.sh and add the following, changing the Pi name and the email addresses.
#!/bin/bash
LOGFILE="/var/log/clamav/clamav-$(date +'%Y-%m-%d').log";
EMAIL_MSG="Please see the log file attached.";
EMAIL_FROM="[email protected]";
EMAIL_TO="[email protected]";
DIRTOSCAN="/home";
for S in ${DIRTOSCAN}; do
DIRSIZE=$(du -sh "$S" 2>/dev/null | cut -f1);
echo "Starting a daily scan of "$S" directory of Rpi0####.
Amount of data to be scanned is "$DIRSIZE".";
clamscan -ri "$S" >> "$LOGFILE";
# get the value of "Infected lines"
MALWARE=$(tail "$LOGFILE"|grep Infected|cut -d" " -f3);
# if the value is not equal to zero, send an email with the log file attached
if [ "$MALWARE" -ne "0" ];then
# using heirloom-mailx below
echo "$EMAIL_MSG"|mail -a "$LOGFILE" -s "Malware Found on Rpi0######" -r "$EMAIL_FROM" "$EMAIL_TO";
fi
done
exit 0
Make it executable chmod 0755 /home/pi/clamscan_daily.sh.
make hard link sudo ln /home/pi/clamscan_daily.sh /etc/cron.daily/clamscan_daily, check it worked with ls -li /etc/cron.daily/clamscan_daily. run the script to check the output.
Largely based on this guides here and here .
install sudo apt-get install unattended-upgrades (i once had to use -f install flag. not sure why)
edit the conf file sudo nano /etc/apt/apt.conf.d/50unattended-upgrades. To use the stable release "o=Raspbian,a=stable"; and to allow for emails on errors uncomment the lines Unattended-Upgrade::Mail "root"; and Unattended-Upgrade::MailOnlyOnError "true";
Set the time it runs stuff sudo nano /etc/apt/apt.conf.d/10periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
check it runs ok sudo unattended-upgrade --debug --dry-run, and logs are stored in cat /var/log/unattended-upgrades/unattended-upgrades.log
great guide to this here.
unmount sudo umount /dev/sda1.
make ext4 sudo mkfs.ext4 /dev/sda1 -L TugboatSyncStick2.
make dir sudo mkdir /mnt/usb.
mount sudo mount /dev/sda1 /mnt/usb/.
automount, open sudo nano -Bw /etc/fstab, add /dev/sda1 /mnt/usb auto defaults,user 0 1 at end
#5 Samba Great guide here.
install sudo apt-get install samba samba-common-bin -y
sudo mkdir /mnt/usb/TugboatRoot
sudo chown -R pi:pi /mnt/usb
sudo cp /etc/samba/smb.conf /etc/samba/smb.bak
sudo nano /etc/samba/smb.conf
change # wins support = no to wins support = yes. then add:
[TugboatSyncShare] #This is the name of the share it will show up as when you browse
comment = Family sync folder, network access
path = /mnt/usb/TugboatRoot
create mask = 0775
directory mask = 0775
read only = no
browseable = yes
public = yes
force user = pi
#force user = root
only guest = no
restart service
sudo service smbd restart
sudo service nmbd restart
#6 BTSync After checking loads of other ways, I have finally got it working with a fresh raspian install based on this guide here. Its easier to extract from tarball as you know what it is doing then. I had to update the links to a newer location, and change the file in init.d to use the config file
Make a new folder
mkdir ~/.btsync && cd ~/.btsync
wget https://download-cdn.getsync.com/stable/linux-arm/BitTorrent-Sync_arm.tar.gz
tar -xvf BitTorrent-Sync_arm.tar.gz
Great guide here We have to be a bit careful about how we setup the folder access and stuff, so sort that out now. These commands add the current user (pi) to the group which can access and change the files, but keep ownership as root.
sudo chown root:btsync /mnt/usb/TugboatRoot/
sudo chmod 2775 /mnt/usb/TugboatRoot/
sudo usermod -a -G btsync pi
RUN THE GUI ONE TIME I DONT KNOW WHY YOU NEED TO DO THIS! Something obviously isnt set correctly in the .sync folder if you dont do this. Chosen admin and no password on first prompt. Then pi on second. Set manual connection in the GUI and use the secret key.
Get a default config to fiddle with ./btsync --dump-sample-config > btsync.conf. Edit the file with nano btsync.conf. Change the device_name to something meaningful (although this doesnt seem to work).
Change the storage_path to "storage_path" : "/home/pi/.btsync/.sync", then change the secret and dir under shared folders
"secret" : "#########",`
"dir" : "/mnt/usb/TugboatRoot",
Check it runs sudo ./btsync --config btsync.conf and that it is connected ok - verify on GUI on another PC.
Create a script in init.d
sudo nano /etc/init.d/btsync . if you have been messing around with other installs, this may contain stuff, so delete it.
#! /bin/sh
# /etc/init.d/btsync
#
# Carry out specific functions when asked to by the system
case "$1" in
start)
/home/pi/.btsync/btsync --config /home/pi/.btsync/btsync.conf
;;
stop)
killall btsync
;;
*)
echo "Usage: /etc/init.d/btsync {start|stop}"
exit 1
;;
esac
exit 0
Check this code works, again verifying on the GUI on a different PC
sudo chmod 755 /etc/init.d/btsync
sudo /etc/init.d/btsync start # test that the script starts
sudo /etc/init.d/btsync stop # test that the script stops
sudo update-rc.d btsync defaults
for some reason on a non fresh install (and one where i did the gui wrong one time). I had to add the line sudo /etc/init.d/btsync start to /etc/rc.local and edit init.d/btsync to cd to directory of btsync
cd /home/pi/.btsync/
/home/pi/.btsync/btsync --config /home/pi/.btsync/btsync.conf
Dunno why!
http://www.jeffgeerling.com/blogs/jeff-geerling/raspberry-pi-zero-conserve-energy http://www.earth.org.uk/note-on-Raspberry-Pi-setup.html http://raspi.tv/2016/how-to-free-up-some-space-on-your-raspbian-sd-card-remove-wolfram-libreoffice
sudo apt-get update && sudo apt-get dist-upgrade -y && sudo apt-get upgrade -y
sudo apt-get install htop tightvncserver fail2ban unattended-upgrades exim4 heirloom-mailx clamav clamav-freshclam samba samba-common-bin
What does this do? I could not ascertain from the readme file. What does it sync? Thanks. I'm looking for some sync software for my Pi