Building the Community Computer Lab – File Server

Raspberry-Pi sales slide

The Raspberry Pi Intro https://youtu.be/sajBySPeYH0

CAVEAT: The information provided herein is most likely exactly correct, HOWEVER use it at your own risk: we assume no risk or liability. Do your own evaluation and make your own choices.

In previous articles we have shared how we decided on the design of our public computer lab, selected and assembled the parts, installed the GNU/Linux and Microsoft operating systems, and configured the computers for security and some automatic things to make our lab fairly pain free to manage and maintain.

A large part of this automation is an amazingly inexpensive and easily configured device, the Raspberry Pi computer. We will share how we selected this tiny $35 computer instead of a $750 PC server, and how we made and programmed all the simple but very helpful things that it does to keep our lab looking snazzy, high tech, and mostly sparing us much effort in keeping it all running.

Selection

Wikipedia describes the RPi this way:

OLPC in Nepal. For the story see http://one.laptop.org/

The Raspberry Pi is a series of small single-board computers developed in the United Kingdom by the Raspberry Pi Foundation to promote teaching of basic computer science in schools and in developing countries. The original model became far more popular than anticipated, selling outside its target market for uses such as robotics. It is now widely used even in research projects, such as for weather monitoring, because of its low cost and portability. It does not include peripherals (such as keyboards and mice) or cases. However, some accessories have been included in several official and unofficial bundles.

OLPC in Nagorno Karabakh and Armenia http://one.laptop.org/

Preparing the way for the RPi was the One Laptop Per Child (OLPC) project, which was intended “to enable a $100 laptop, which would enable constructionist learning, would revolutionize education, and would bring the world’s knowledge to all children”. OLPC developed a way to create a very affordable and child-rugged laptop computer so well thought out and constructed that it would remain reliably in service even in remote villages possibly with no Internet and no electricity.

The Arduino Uno – a very popular SBC (single board computer) using the ARM chipset

OLPC was deemed a failure by the project team because its goal was a laptop cost of $100 and they did not achieve that: the final cost was a few dollars more, yet the reverberations of the design shattered the $1,500 – $2,000USD retail price then common for laptop and notebook computers. Today we can find notebooks on sale starting for around $350USD, and Chrome Books or OLPC notebooks for around $200USD at some retailers. Knowledge is power, and in my opinion OLPC was a success, because it demonstrated that we can do better, and it inspired us to do so.

The Arduino and the Raspberry Pi (RPi) projects came soon after OLPC. The Arduino Project started in 2005 and has a price point around $25USD, however its use is rather technical, and it is not intended to be powerful enough to serve as a desktop computer but rather as an aid in Performing Arts. In 2012, a group developed the RPi for use in teaching school students the rudiments of computer programming and (I think) to inspire them to pursue careers in Science, Technology, Engineering, and Math (STEM). The price point was low for a desktop computer. The Arduino does not have an O/S suitable for non-technical users, while the RPi O/Ses – there are many – provide a very familiar look and feel from GNU/Linux to Windows 10.

Our decision to try the RPi was based upon its long running popularity and technical capacity, which intersect with our social goals as a public charity dedicated to improving the life of our community, including our global community. RPi’s are available today from many retailers, starting at about $35USD for the board alone, or more for kits containing the RPi board plus some additional parts needed to actually use it. We purchased a kit assembled by Vilros, the Vilros Raspberry Pi 4 Complete Kit with Clear Transparent Fan Cooled Case (4GB), for which we paid $99.99USD at Newegg.com. Vilros looks to be a big vendor with many products, but there are many other vendors available. We decided on the RPi 4B with 4GB of RAM.

UnBoxing, Assembly, and Desktop Setup

Setup instructions are available from the Raspberry Pi organization at https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up.

Please see “Setting up your Raspberry Pi” at https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up for help setting up your RPi.

If you unbox your RPi and it is not immediately clear to you exactly how it fits together, you can always look at the pictures in the book. The circuit board fits into the plastic case only one way, the heat sinks stick to the top of the chips (see the picture in the book to know which chips), the HDMI cable plugs into your screen and the first HDMI port (beside the power port), the power plugs into the power port and the wall outlet, the provided micro SD chip plugs into the micro SD slot, and your keyboard and mouse into the USB slots. When you first turn it on the RPi New Out Of the Box Software, hereafter NOOBS, will prepare the SD chip, then ask you several questions about how you want to use your RPi. After you type in your time zone and such you’re ready to use it as a desktop. Just like that.

One could deploy these instead of desktop PCs, for example in a public housing setting dedicated to improving the economic sustainability and self sufficiency of the patrons by teaching computer job skills and facilitating access to on-line job searches and communications: 1) they are cheap enough to buy several even on a limited budget, 2) they make for a contemporary modern atmosphere to inspire job seekers through having them use something nice to look for work, and 3) they are small enough to be easily collected and stored for the night should there be concerns. A better option for this need is the Chrome Book notebook PC, which grew out of the OLPC project: 1) Chrome Books are one piece and even very non-technical staff will have almost no learning curve setting them up, and 2) ChromeBooks sell in a ready-to-use configuration out of the box starting at $179 from Google Store, while an RPi at $99.99 still needs a monitor, a keyboard, and a mouse.

As an internal file server, the RPi works very well, and once programmed it has no need for a monitor, keyboard, or mouse. The RPi was designed for lab learning and it has the GPIO bus exposed where students can easily connect their inventions to the RPi and experiment. In an environment where the computer lab may also be used for S.T.E.M. youth classes, the RPi would be a better choice than the Chrome Book.

Getting your hands dirty

Creating new user accounts and installing software packages using GNU/Linux command line instructions (CLI) might feel a bit new if you are using Raspbian, because it involves typing commands instead of clicking things, but it is very do-able. If you are only using the RPi as a desktop replacement, you won’t need to bother with such details. Stop here.

If you intend to build your own file or web servers you probably already are comfortable with GNU/Linux command line instructions. The GNU/Linux type server is the most common server on the planetary World Wide Web, and Debian is a very popular flavor of GNU/Linux, and Raspbian is a flavor of Debian, as are Ubuntu and Mint.

If you are familiar with any kind of Debian GNU/Linux server you will immediately grasp configuring the RPi. Even most of the software packages go by the same name; the one exception that I encountered during setup of the web server was MySQL, which is called MariaDB under Raspbian. SSH, UFW, GUFW, fail2ban, iptables, php, curl, wget, apache2, make, apt, apt-get — they are all there with the same look and feel, in the same locations, and work the same way they always have on bigger hardware. Yes, they also have systemctl, but at least you are allowed to choose between the classic, understandable “eth0” and the “new and better predictable enp2s0” for ethernet port names.

I was very impressed.

File server setup

I’m anticipating at this point that if you are intending to make a File Server or a Web Server that you either already have done this in different computers or you are technically inclined enough that you have no issue with learning a bit about Debian Linux using web searches. Online documentation is readily available.

If you haven’t purchased or made your NOOBS SD chip yet, make your chip. Select a Micro SD chip large enough (16GB -> 2TB is fine, 8GB will actually work but it’s a bit tight) for your file server disk, preferably a class 10 or faster. The Raspberry Pi organization recommends that first time users use their Raspberry Pi Imager.

We recommend that beginners start with Raspberry Pi Imager, an easy way to install Raspberry Pi OS and other operating systems to an SD card ready to use with your Raspberry Pi.

If you want to do it yourself then stick the micro SD into your GNU/Linux PC, create an MSDOS partition table on the chip, then create a single FAT-32 partition using the whole chip. NOOBS will re-size this partition and create others while you watch. GParted is what I use but it doesn’t matter how you do it; you can use fdisk or something else.

Download the NOOBS file archive from the Raspberry Pi project at https://www.raspberrypi.org/downloads/noobs/. Follow the Windows, Mac, or GNU/Linux instructions on the Raspberry Pi web site to prepare the chip, or extract the archive to the fixed disk then copy the NOOBS files to the SD chip you formatted with the FAT-32 partition. Un-mount / “eject” the SD chip, put it into the SD slot on the RPi, connect the RPi to your screen etc., and power up the RPi.

Raspbian Install

When the RPi is powered up for the first time with this SD chip, NOOBS proceeds to arrange things to its liking. Eventually the device is ready for initial configuration. The screens I see immediately after clicking Next ask for details, such as the location.

Enter the country, such as United States, language, and time zone. When you click next there should be a pause as the RPi fetches time data and you should see the clock in the upper right of the screen update to the correct time.

Enter a new password for the default ‘pi’ user account. Write it down until you are done.

If you will be using the wireless network interface, select the correct SSID from the list and fill in the appropriate credentials. Wireless should connect when you click next.

System software will now be checked for available updates. This didn’t work the first time I did it but it has always worked subsequent times, on various RPi’s. I have deduced that 2:00PM EDT is optimal for updating from the RPi repo as evenings the repo throws errors. This may be a good time to take a personal break while the RPi is busy. Eventually you should see a box that says “System is up to date” and click OK.

The next screen should say that installation is complete and you may restart now or later. Restart now and we can proceed with setting up the server aspects of our little RPi. In theory you could clone the SD chip at this point to make several “clean” chips ready to put into however many RPi’s.

Desktop Orientation

The task bar is across the top. If you want it across the bottom, right click the task bar and on the pop up menu click Panel Settings. Under the first group which is named Edge, see the Radio Button “Top” is selected, click Bottom. Changes are immediate. You can put it back the same way.

The Desktop background may be set in the usual way, right click the desktop, choose Desktop Preferences, and configure. NOTE If you insert a USB stick to copy pictures, the UnMount control is by the clock as in Microsoft Windows – there is no right click unmount on the desktop icon or in the file browser.

Network

Network and WiFi are visible next to the clock on the task bar. Right click the WiFi fly swatter for a pop up menu. To select a WiFi SSID click it and enter any relevant credentials. To turn off Wifi click the top item, “Turn Off WiFi”. Turning off WiFi replaces the fly swatter with the Up Down arrows to indicate a hardwired Ethernet LAN. Right clicking either the fly swatter or up down arrows opens the pop up menu with “Wireless & Wired Network Settings”, which allows you to assign auto, DHCP, or static IP information to either or both interfaces and disable IPv6.

Preferences, Raspberry Pi Configuration

The Start Button (Raspberry icon) has an entry Logout which brings up a dialog box with choices Shut Down, Reboot, and Logout. The other thing of note on the start menu is the Preferences entry, which leads to Raspberry Pi Configuration and some other useful things.

The first tab on the Raspberry Pi Configuration dialog box is System. Change the Hostname to something different from RaspberryPi. Un-check the Login as Pi box.

The third tab is Interfaces. Turn on SSH by clicking the enable next to it. Click OK, and SSH is now on. We will configure it more, later.

Not Server Pro

Server Pros, please GOTO Server Pros.

RPi Setup Documentation

The RaspberryPi organization provides good documentation on how to set up your RPi for various jobs. Before you proceed you should read through https://www.raspberrypi.org/documentation/ and learn directly from the Raspberry Pi Documentation.

What follows are in depth instructions.

Quickly finding how to use Command Line Instructions (CLI)

Moving forward you can use the man command to learn what parameters a CLI needs and you can use apropos to figure out what CLI you want to use. Type man followed by the CLI you wish to know more about.

pi@raspberrypi:~ $ man passwd
PASSWD(1) User Commands PASSWD(1)

NAME
passwd - change user password

SYNOPSIS
passwd [options] [LOGIN]

DESCRIPTION
The passwd command changes passwords for user accounts. A normal user may only change the password for his/her
own account, while the superuser may change the password for any account. passwd also changes the account or
associated password validity period.

Password Changes
The user is first prompted for his/her old password, if one is present. This password

Manual page passwd(1) line 1 (press h for help or q to quit)

You can scroll up and down with PgUp and PgDn and the arrow keys. Pressing Space Bar will also PgDn. Pressing Q will quit and return to the CLI.

Apropos is similar: you type apropos followed by what you are trying to figure out – kind of a primitive search.

pi@raspberrypi:~ $ apropos groups
cgroups (7) - Linux control groups
getgrouplist (3) - get list of groups to which a user belongs
getgroups (2) - get/set list of supplementary group IDs
getgroups32 (2) - get/set list of supplementary group IDs
groups (1) - print the groups a user is in
grpconv (8) - convert to and from shadow passwords and groups
grpunconv (8) - convert to and from shadow passwords and groups
initgroups (3) - initialize the supplementary group access list
make (1) - GNU make utility to maintain groups of programs
pwconv (8) - convert to and from shadow passwords and groups
pwunconv (8) - convert to and from shadow passwords and groups
setgroups (2) - get/set list of supplementary group IDs
setgroups32 (2) - get/set list of supplementary group IDs
systemd-cgtop (1) - Show top control groups by their resource usage
systemd-sysusers (8) - Allocate system users and groups
systemd-sysusers.service (8) - Allocate system users and groups
sysusers.d (5) - Declarative allocation of system users and groups
pi@raspberrypi:~ $ 

Now we are ready to set up the user accounts that we intend to use in the RPi.

User Accounts and Permits

GNU/Linux uses one administrator account, root. Everyone logs in with their “normal” user account. When administration is needed one “shells up” to root with the su - command. But we need to know the password for root to shell to root, and we must be root to add users.

On your RPi, using terminal create a password for root that you know. Since we have no idea what the password for root is, if any, right out of the box, and as such cannot shell up to root with su -, we will use the sudo command to set the password for root to something that we do know. Thereafter this will not impede us from getting work done. Note: passwords do not echo at the command line in GNU/Linux – as you type nothing seems to happen until you press ENTER.

pi@raspberrypi:~$ sudo passwd root
New password: (type the new password here - nothing will echo)
Retype new password: (type the new password here again)
passwd: password updated successfully
pi@raspberrypi:~$ su -
Password:
root@raspberrypi:~#

User Accounts

The password for the default ‘pi’ account you already changed during installation. We still need this account for now, but will remove it later. We will add accounts for Manager and Walk Up User. One thing I have not found on the RPi out-of-the-box is user management. Adding / deleting / changing accounts is done from the command line. We will use adduser in this post.

We must be root to create or change accounts, so we shell to root. Type su - and enter the root password when prompted. Note there is a dash after the su.

pi@raspberrypi:~ $ su -
Password: 
root@raspberrypi:~#

When you are in your normal user account the prompt is a dollar sign ($) but when you are shelled to root the prompt is a pound sign (#). When you are shelled to root the RPi will do exactly what you tell it to do, whether that is what you intended or not. Type carefully, grasshopper. To drop back down to your normal account you type exit, but we will stay shelled to root to do some work here.

Now we can create accounts for Manager, which will be what we use to maintain the RPi, and Walk Up User which is for other people who are not administrators, if any.

pi@raspberrypi:~ $ su -
Password: 
root@raspberrypi:~# adduser manager
Adding user `manager' ...
Adding new group `manager' (1001) ...
Adding new user `manager' (1001) with group `manager' ...
Creating home directory `/home/manager' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for manager
Enter the new value, or press ENTER for the default
Full Name []: Manager
Room Number []: 
Work Phone []: 260.432.0014 x128
Home Phone []: 
Other []: 
Is the information correct? [Y/n] Y
root@raspberrypi:~# adduser usr
Adding user `usr' ...
Adding new group `usr' (1002) ...
Adding new user `usr' (1002) with group `usr' ...
Creating home directory `/home/usr' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for usr
Enter the new value, or press ENTER for the default
Full Name []: Walk Up User
Room Number []: 
Work Phone []: 
Home Phone []: 
Other []: 
Is the information correct? [Y/n] Y
root@raspberrypi:~# 

Now we log out as “pi” and log back in over SSH as “manager”. I am deliberately not adding Manager to the wheel or sudo group, as it is unnecessary in Raspbian.

root@raspberrypi:~# exit
logout
pi@raspberrypi:~ $ exit
logout
Connection to 192.168.1.107 closed.
mylogin@my-desktop:~$ ssh manager@192.168.1.107

manager@192.168.1.107's password:
Linux raspberrypi 5.4.51-v7l+ #1333 SMP Mon Aug 10 16:51:40 BST 2020 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
manager@raspberrypi:~ $

We will not delete the “pi” user here, but Iznogood1 gives the exact steps to remove it without causing a problem. See https://www.raspberrypi.org/forums/viewtopic.php?t=202618#p1429428 and page down to the answer by Iznogood1.

Secure Shell (SSH)

Most RPi configurations that follow can be more easily handled from your personal workstation than sitting at the RPi. They can be done in terminal from your workstation, whether your workstation is GNU/Linux, Mac, or Windows 10. To open Terminal in Windows 10, in the search box type cmd and press enter; on Mac in the search box in Finder type Terminal; on GNU/Linux press CTRL-ALT-T or click the Terminal Icon on your task bar.

Open Terminal on the RPi by pressing CTRL-ALT-T, and open one on your desktop too. We will connect to the RPi from your desktop and use command line instructions (CLI) to configure the RPi.

Enable SSH on the RPi following instructions on the RPi web site at https://www.raspberrypi.org/documentation/remote-access/ssh/.

Determine the RPi’s IP Address

In Terminal on the RPi, enter the command ifconfig and press enter. Note the IP address for LAN interface eth0 or WiFi interface wlan0, whichever you wish to use.

pi@raspberrypi:~ $ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.107 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::77b4:7e1e:593d:8f6b prefixlen 64 scopeid 0x20<link>
ether dc:a6:32:5e:b3:f0 txqueuelen 1000 (Ethernet)
RX packets 4981 bytes 385342 (376.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 123 bytes 16290 (15.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::449f:caa8:798b:f852 prefixlen 64 scopeid 0x20<link>
ether dc:a6:32:5e:b3:f1 txqueuelen 1000 (Ethernet)
RX packets 397 bytes 76729 (74.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 67 bytes 11115 (10.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

pi@raspberrypi:~ $

Connect to the RPi from your desktop

In Terminal on your desktop type ssh pi@<ip address> where <ip address> is the IP address you noted. Say yes if asked if you want to continue connecting – this adds the RPi to your list of known systems and it won’t ask the next time. Enter the new password that you chose for ‘pi’ during installation. Note: passwords do not echo at the command line in GNU/Linux – as you type, nothing seems to happen, until you press ENTER.

mylogin@my-desktop:~$ ssh pi@192.168.1.107
The authenticity of host '192.168.1.107 (192.168.1.107)' can't be established.
ECDSA key fingerprint is SHA256:kwzNgavpzNyYoGkBwYoxFqieC33LDpBcKZXjfmfbU50.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.107' (ECDSA) to the list of known hosts.
pi@192.168.1.107's password: 
Linux raspberrypi 5.4.51-v7l+ #1333 SMP Mon Aug 10 16:51:40 BST 2020 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Aug 22 15:20:13 2020
pi@raspberrypi:~ $

Now you are literally working inside the RPi. SSH provides a fully encrypted connection across the room or across the globe. We will configure many more things concerning SSH in a few minutes, but this will do for now.

Server Pros

Users

Set up any needed user accounts via adduser for admin and normal users, then edit /etc/group and add the admin account to every group to which the account “pi” belongs. The admin account for this missive is “manager”. If there are other accounts that will have access to the file server, for example for file storage, set up a user account on the server for each of those accounts also.
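One way to do the group step without hand-editing /etc/group, as an added example that is not from the article: read the groups the pi account belongs to and build a single usermod -aG command for manager. The /etc/group contents below are a constructed sample; on the real server you pass no file path and run the printed command as root. Since the article deliberately leaves manager out of sudo, that group is excluded.

```bash
#!/usr/bin/env bash
# Added example, not from the original article: give one account the same
# supplementary groups another account has, using usermod rather than editing
# /etc/group by hand. The group file contents below are a constructed sample.
set -eu

# Print the comma-separated supplementary groups in GROUPFILE that list USER as a
# member, skipping the optional EXCLUDE group (a user's primary group is recorded in
# /etc/passwd, not here, so it never appears in this list).
groups_of() {
    local user="$1" groupfile="$2" exclude="${3:-}"
    awk -F: -v u="$user" -v x="$exclude" '
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                if (members[i] == u && $1 != x) {
                    if (out == "") out = $1; else out = out "," $1
                }
            }
        }
        END { print out }' "$groupfile"
}

# Print the usermod command that gives TARGET the groups SOURCE has. It is printed,
# not run, so you can review it before running it as root on the real /etc/group.
mirror_groups_cmd() {
    local source_user="$1" target="$2" groupfile="${3:-/etc/group}" exclude="${4:-}" groups
    groups="$(groups_of "$source_user" "$groupfile" "$exclude")"
    [ -n "$groups" ] || { echo "no supplementary groups found for $source_user" >&2; return 1; }
    printf 'usermod -aG %s %s\n' "$groups" "$target"
}

# Constructed sample of a Raspbian-style /etc/group, used only for this demo.
SAMPLE_GROUP="$(mktemp)"
trap 'rm -f "$SAMPLE_GROUP"' EXIT
cat >"$SAMPLE_GROUP" <<'EOF'
root:x:0:
adm:x:4:pi
dialout:x:20:pi
sudo:x:27:pi
audio:x:29:pi,usr
video:x:44:pi,usr
pi:x:1000:
manager:x:1001:
usr:x:1002:
EOF

# Review the command, then run it as root against the real file (omit the sample path).
# The article leaves manager out of the sudo group, so that group is excluded here.
mirror_groups_cmd pi manager "$SAMPLE_GROUP" sudo
```

Printing the command instead of running it keeps the script harmless to run as an ordinary user, and usermod -aG appends to the existing membership rather than replacing it, which is the mistake a plain usermod -G makes.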

Determine the RPi’s IP Address

In Terminal on the RPi, use ifconfig to learn the IP address of the LAN interface eth0 or WiFi interface wlan0, whichever you wish to use.

SSH

In the manager account on one workstation, generate a set of ssh keys with ssh-keygen and then write the public key to the server with ssh-copy-id. You can use ed25519 keys. For example, if 192.168.1.123 is the IP of the server:

ssh-keygen -t ed25519 -f .ssh/id_ed25519
ssh-copy-id -i .ssh/id_ed25519 manager@192.168.1.123

REMEMBER PERMITS on the .ssh folder must be 0700 and the private files in it (including authorized_keys and known_hosts) must be 0600 and the .pub files 0644. SSH doesn’t give sensible error messages such as “I don’t like the permits on your .ssh folder” it just says it can’t connect, which sounds as if the server was rejecting the key.

cd /home/manager/.ssh
chmod 0700 .
chmod 0600 *
chmod 0644 *.pub
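The permission rule above can be checked mechanically. The following script is an added example, not part of the article: it audits a .ssh folder against those modes (0700 folder, 0600 private files, 0644 *.pub), fixes them, and demonstrates on a constructed throwaway folder. The check matters because the failure is quiet: sshd refuses an authorized_keys file or folder that is too open and logs only “bad ownership or modes” in the server’s auth log, and the ssh client ignores a world-readable private key after printing a warning, so in both cases all the user sees is a password prompt.

```bash
#!/usr/bin/env bash
# Added example, not from the article: audit a .ssh folder against the modes the
# article requires (folder 0700, private files 0600, *.pub 0644) and fix them.
# The folder created at the bottom is a constructed throwaway, not a real key store.
set -eu

# Print one line per file or folder whose mode is wrong; print nothing when clean.
audit_ssh_dir() {
    local sshdir="$1" f mode want
    mode="$(stat -c %a "$sshdir")"
    [ "$mode" = "700" ] || echo "$sshdir: mode $mode, want 700"
    for f in "$sshdir"/*; do
        [ -f "$f" ] || continue
        mode="$(stat -c %a "$f")"
        case "$f" in
            *.pub) want=644 ;;     # public keys may be world-readable
            *)     want=600 ;;     # private keys, authorized_keys, known_hosts, config
        esac
        [ "$mode" = "$want" ] || echo "$f: mode $mode, want $want"
    done
}

# Number of problems found (0 means the folder passes).
audit_ssh_dir_count() {
    audit_ssh_dir "$1" | wc -l | tr -d ' '
}

# Apply the article's chmod rules, including the folder itself.
fix_ssh_dir() {
    local sshdir="$1"
    chmod 0700 "$sshdir"
    find "$sshdir" -maxdepth 1 -type f ! -name '*.pub' -exec chmod 0600 {} +
    find "$sshdir" -maxdepth 1 -type f -name '*.pub' -exec chmod 0644 {} +
}

# Demo on a constructed folder with deliberately wrong modes.
DEMO_SSH="$(mktemp -d)"
trap 'rm -rf "$DEMO_SSH"' EXIT
touch "$DEMO_SSH/id_ed25519" "$DEMO_SSH/id_ed25519.pub" "$DEMO_SSH/authorized_keys"
chmod 0755 "$DEMO_SSH"               # folder too open
chmod 0644 "$DEMO_SSH/id_ed25519"    # private key readable by everyone
chmod 0644 "$DEMO_SSH/id_ed25519.pub"
chmod 0600 "$DEMO_SSH/authorized_keys"

audit_ssh_dir "$DEMO_SSH"    # reports the folder and the private key
fix_ssh_dir "$DEMO_SSH"
audit_ssh_dir "$DEMO_SSH"    # prints nothing
```

Run audit_ssh_dir ~/.ssh on each workstation after copying the .ssh folder around as the article suggests later; copying with cp -r under a loose umask is exactly how the modes drift.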

Shell into the server with ssh and verify you did not get asked for a password. Edit /etc/ssh/sshd_config to change the ssh port to something less obvious than the default 22.

nano /etc/ssh/sshd_config

then test again:

ssh -p1234 manager@192.168.1.123

where 192.168.1.123 is the file server’s static IP and 1234 is what you changed the ssh port to be. Remember that for changes to /etc/ssh/sshd_config to take effect you may need to run systemctl restart ssh.

NOW MAKE YOUR LIFE A BIT SIMPLER AND YOUR SSH BUSINESS A BIT MORE SECURE

You could run the rsync over ssh by typing all the command line options into the script file. If that script file gets read by someone who shouldn’t be prying into your business then you may have a problem. The easy way to simplify what you must type on the command line, and at the same time reduce your exposure, is to use the config file available to ssh. SSH using port 1234 would look like this:

ssh -p 1234 -i ~/.ssh/id_ed25519 manager@192.168.1.123

Or an rsync using ssh over port 1234 could look like this:

rsync -arvz -e 'ssh -p 1234' --quiet manager@192.168.1.123:wwraw.xml wwraw.xml

At a minimum you have revealed which port you are using for ssh. A simple way around this is to create a file named config in your .ssh folder, read/write only by the owner. The text file content is like this where the server is at 192.168.1.123, the login is “manager” and the ssh port is 1234:

Host RPi
	HostName 192.168.1.123
	Port 1234
	User manager
	IdentityFile ~/.ssh/id_ed25519

Using the name you designated for Host (here RPi) in the ssh command implies all the other information from the ~/.ssh/config file. More ssh options can be placed in config. All you need for your ssh command is:

ssh RPi

and for your rsync something like:

rsync --rsh=ssh --checksum --quiet RPi:wwraw.xml wwraw.xml
rsync --rsh=ssh --checksum --quiet RPi:walerts.xml walerts.xml

Once you can shell into one workstation from your desktop, and that workstation can shell into your file server, simply copy the contents of that one working workstation’s .ssh folder to all the other workstations, pay attention to the permits to be sure they are right, and in one move you have configured all your workstations.

Verify that you can connect to each workstation from your desktop and while you are connected to the workstation verify that it can connect to the file server without prompting for password. When it all is working then edit /etc/ssh/sshd_config on each computer to disable password authentication.

root@raspberrypi:~# nano /etc/ssh/sshd_config
#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

#Port 22
Port 1234
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
...
#PermitRootLogin prohibit-password
PermitRootLogin no
...
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no

Brute force (trying login and password combinations one after another in hopes of finding a combination that works) is the most popular approach to hacking in, and ssh is the most popular protocol, so by removing password authentication you have greatly reduced your attack surface even before you have programmed the UFW firewall or installed fail2ban, with the added bonus that you don’t need to bother entering passwords – you can just click in your file browser (or on a Windows desktop in WinSCP or FileZilla, or on Windows 10 just type ssh at the command line) and you’re in.
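One caveat worth checking before you trust the edit above: sshd keeps the first uncommented occurrence of each keyword, so a stray PasswordAuthentication yes higher in the file silently beats the no you add lower down. The script below is an added example, not the author’s code; it reads the value sshd will actually use from a config file and checks the three settings the listing changes, against a constructed sample file. On the real server, sshd -t (as root) checks the syntax before the restart, and sshd -T prints the effective configuration, which is the authoritative answer.

```bash
#!/usr/bin/env bash
# Added example, not the author's code: read the value sshd will really use for a
# keyword. sshd keeps the FIRST uncommented occurrence of each keyword, so a stray
# "PasswordAuthentication yes" higher in the file beats the "no" added later.
# The config file below is a constructed sample.
set -eu

# Print the effective value of KEYWORD in CONFIGFILE. Keywords are case-insensitive;
# a Match block ends the global section, so nothing after it is considered, and this
# simple reader does not follow Include lines (newer sshd has them; see sshd -T).
sshd_effective() {
    local keyword="$1" configfile="$2"
    awk -v k="$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"  { exit }
        tolower($1) == k        { print $2; exit }' "$configfile"
}

# Return 0 when the three settings the listing changes are in effect; otherwise print
# each deviation and return 1.
check_hardening() {
    local configfile="$1" ok=0 v
    v="$(sshd_effective PasswordAuthentication "$configfile")"
    [ "$v" = "no" ] || { echo "PasswordAuthentication is '${v:-yes (default)}'"; ok=1; }
    v="$(sshd_effective PermitRootLogin "$configfile")"
    [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-prohibit-password (default)}'"; ok=1; }
    v="$(sshd_effective Port "$configfile")"
    [ -n "$v" ] && [ "$v" != "22" ] || { echo "Port is '${v:-22 (default)}'"; ok=1; }
    return "$ok"
}

# Constructed sample: the edit at the bottom looks right, but the earlier "yes" wins.
SAMPLE_CFG="$(mktemp)"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
#Port 22
Port 1234
# left over from an earlier experiment
PasswordAuthentication yes
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
EOF

check_hardening "$SAMPLE_CFG" || echo "sample sshd_config is NOT hardened"
# On the real server, as root: sshd -t (syntax check) before systemctl restart ssh, then
#   sshd -T | grep -Ei '^(port|passwordauthentication|permitrootlogin) '
# shows what sshd actually loaded.
```

Point check_hardening at /etc/ssh/sshd_config on each computer after the edit in the article; the same first-match rule is why the commented #PasswordAuthentication yes line in the stock file is harmless but an uncommented one above your edit is not.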

Weather Data & Nightly Maintenance Scripts

If you are going to collect weather data once an hour as I do from weather.gov, and transfer the resulting files to the workstations and other accounts on the file server itself, then AS ROOT create the weather files in the /home/manager folder on the server and on each workstation. Set the permits so that the owner “manager” can read/write but group and other can only read (0644). Create a link to each /home/manager/*.xml file in /home/usr. You are doing this as root so that your lab patrons can’t change it later. Do the same thing for the .conkyrc file. You’ll fill in the conky file later but here is a sample .conkyrc and there are many other examples on the Conky web sites. A How To article for Conky under Ubuntu is at https://itsfoss.com/conky-gui-ubuntu-1304/ and official docs at http://conky.sourceforge.net/documentation.html.

root@raspberrypi:~# touch /home/manager/walerts.xml
root@raspberrypi:~# touch /home/manager/wwraw.xml
root@raspberrypi:~# chown manager:usr /home/manager/*.xml
root@raspberrypi:~# chmod 0644 /home/manager/*.xml

root@raspberrypi:~# touch /home/manager/.conkyrc
root@raspberrypi:~# chown manager:usr /home/manager/.conkyrc
root@raspberrypi:~# chmod 0644 /home/manager/.conkyrc

root@raspberrypi:~# ln -s /home/manager/walerts.xml /home/usr/walerts.xml
root@raspberrypi:~# ln -s /home/manager/wwraw.xml /home/usr/wwraw.xml
root@raspberrypi:~# ln -s /home/manager/.conkyrc /home/usr/.conkyrc

In this way Conky running in the “usr” account can read the weather files in that account’s home folder and the manager account will update those files when it brings in new data from weather.gov. Likewise, you can update all the workstations’ .conkyrc by merely editing the one copy on the server. However the patron logged in as usr on the workstation cannot change those files.

The cron jobs in each workstation will periodically check the file server at whatever interval you decide, using rsync over ssh to sync their weather files with the file server, and the cron job on the file server will download new weather files once an hour at the recommended time from weather.gov. Please respect weather.gov and do not download those files more frequently. For me in Fort Wayne, Indiana USA the two lines of script which actually download from weather.gov to the file server are:

wget -q --output-document="wwraw.xml" 'http://w1.weather.gov/xml/current_obs/KFWA.xml'
# the alerts URL must be quoted: an unquoted & would background wget and cut the URL off at that point
wget -q --output-document="walerts.xml" 'http://alerts.weather.gov/cap/wwaatmget.php?x=INC003&y=0'

The whole script can be reviewed here. The KFWA and INC003 will change to be whatever is needed for your geographic location. The technical details are super hard to find with search, HOWEVER they are at NWS Public Alerts in XML/CAP and ATOM Formats, https://alerts.weather.gov/. More information than you’ll want to digest. Please be very respectful of this important public asset and do not download more than once an hour.
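The author’s full fetch script is linked rather than reproduced on the page, so what follows is an added example of my own, not the author’s code. It keeps the two wget downloads above but writes each into a temporary file, accepts it only if it is non-empty XML rather than an HTML error page, and then renames it over the live file. The rename is atomic, so a workstation’s rsync (which compares checksums while the file is being replaced) never picks up a half-written or empty copy, and a failed download keeps the last good one. The station KFWA and zone INC003 are the article’s values; the files in the demo at the end are constructed, and the network calls stay in a function that the demo does not invoke.

```bash
#!/usr/bin/env bash
# Added example, not the author's script: download a weather.gov feed into a temp
# file, accept it only if it looks like XML, then rename it over the live file so
# workstations never rsync a half-written or empty copy. KFWA and INC003 are the
# article's station and zone; the demo files at the bottom are constructed.
set -eu

# Accept a download only if it is non-empty, contains a tag, and is not an HTML
# error page standing in for the feed.
looks_like_xml() {
    local f="$1"
    [ -s "$f" ] || return 1
    head -c 512 "$f" | grep -q '<' || return 1
    ! head -c 512 "$f" | grep -qi '<html' || return 1
}

# Move SRC over DEST if it passes; otherwise discard SRC and keep the old DEST.
# Return 0 when DEST was replaced, 1 when the last good copy was kept.
install_if_valid() {
    local src="$1" dest="$2"
    if looks_like_xml "$src"; then
        chmod 0644 "$src"          # same mode the article sets on the .xml files
        mv -f "$src" "$dest"       # same directory, so this is an atomic rename
        return 0
    fi
    rm -f "$src"
    return 1
}

# Fetch URL into a temp file beside DEST and install it. The URL must be quoted:
# unquoted, the "&" in the alerts URL backgrounds wget with a truncated URL.
fetch_feed() {
    local url="$1" dest="$2" tmp
    tmp="$(mktemp "$dest.XXXXXX")"
    wget -q --timeout=30 --tries=2 --output-document="$tmp" "$url" || { rm -f "$tmp"; return 1; }
    install_if_valid "$tmp" "$dest"
}

# Hourly, from manager's crontab on the file server (15 * * * * as in the article):
#   fetch_feed 'http://w1.weather.gov/xml/current_obs/KFWA.xml' "$HOME/wwraw.xml"
#   fetch_feed 'http://alerts.weather.gov/cap/wwaatmget.php?x=INC003&y=0' "$HOME/walerts.xml"

# Offline demo with constructed files: a good feed replaces the old copy, an empty
# download does not.
DEMO="$(mktemp -d)"
trap 'rm -rf "$DEMO"' EXIT
printf 'old\n' >"$DEMO/wwraw.xml"
printf '<?xml version="1.0"?><current_observation><temp_f>71.0</temp_f></current_observation>\n' >"$DEMO/new.xml"
install_if_valid "$DEMO/new.xml" "$DEMO/wwraw.xml" && echo "replaced wwraw.xml"
: >"$DEMO/empty.xml"
install_if_valid "$DEMO/empty.xml" "$DEMO/wwraw.xml" || echo "kept the last good wwraw.xml"
```

Because the temp file is created in the same directory as the destination, mv is a rename on the same filesystem rather than a copy, which is what makes the swap atomic; the rsync --checksum runs on the workstations then see either the old complete file or the new complete file, never a partial one.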

The nightly maintenance script, nightly.sh, sits in the manager’s home folder and is writable/readable by manager. Each workstation syncs nightly.sh at the same time it syncs the weather files. This allows me to make changes to the nightly run in one place, the file server manager’s account, and it is automatically updated on all running workstations. The workstations use rsync to shell in via ssh as “manager” so special permits are not needed. SSH keys are used everywhere so no passwords are involved.

crontab

There are many tutorials on how to use Cron to schedule jobs. One article is https://opensource.com/article/17/11/how-use-cron-linux. Or if you skip the first part about being root and installing cron (it is already installed) https://vitux.com/how-to-setup-a-cron-job-in-debian-10/.

On the remote workstations I make one entry in manager’s crontab, to run weather-fetch.sh every two (2) minutes. Edit crontab by entering:

manager@raspberrypi:~$ crontab -e
*/2 * * * * ~/weather-fetch.sh

On the file server I make the same entry, but call the weather update script once per hour instead of every two minutes:

15 * * * * ~/weather-fetch.sh

On each remote I have a weather-fetch.sh script like the one below. Note that I used soft links instead of files in /home/usr so I wouldn’t need to copy weather data from the /home/manager to /home/usr.

At the same time as the weather is checked for updates, the nightly maintenance script and the Conky configuration are checked for updates. Conky is a lightweight, free system monitor for the GNU/Linux desktop that can display many operational stats on your desktop, and it can also look cool. A sample Conky configuration file, .conkyrc, is here. I simply have cron run weather-fetch.sh every few minutes: if I want to update scripts I change one file, the one on the server, and once I save my changes the new file is downloaded to every workstation in short order.

#!/bin/bash
#weather-fetch.sh
#author: John D. Nash, Jr. API LLC
#last_update: 20200915 JDN
#comments: updates weather .xml files and maintenance scripts on workstations
# pulled by workstations from rpi server ("RPi" is the file server as ssh knows it)
#
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DEBIAN_FRONTEND=noninteractive

#all paths below are relative to manager's home folder, where cron starts us
cd "$HOME" || exit 1

#grab current weather status if it is changed from what I already have
rsync --rsh=ssh --checksum --quiet RPi:wwraw.xml wwraw.xml

#grab weather alerts if it is changed from what I already have
rsync --rsh=ssh --checksum --quiet RPi:walerts.xml walerts.xml

#Mark Execution Time
touch weather-fetch-time.txt

#grab .conkyrc & maint scripts IF any is changed from what I already have
rsync --rsh=ssh --checksum --quiet RPi:.conkyrc .conkyrc
rsync --rsh=ssh --checksum --quiet RPi:nightly.sh nightly.sh
rsync --rsh=ssh --checksum --quiet RPi:weather-fetch.sh weather-fetch.sh

exit 0

The weather script on the file server only downloads walerts.xml and wwraw.xml from the government server at NOAA (weather.gov) and won’t bother NOAA again if it is too soon for new weather to be available for download. A sample weather script is here. I can force a download by adding the command line option --force, but by default this script waits at least 22 minutes between downloads. I also use it on my personal desktop, where it downloads weather at login, so this helps prevent unintentional abuse. The two wgets are all that is needed to download the data.
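The file server’s own weather script is only linked from this article, so here is an added example, written for this page rather than taken from the author’s linked script or from weather.gov, of how the 22-minute minimum spacing and the --force override described above could be implemented. KFWA and INC003 are the station and zone codes from the article, the stamp file name weather-fetch-time.txt is borrowed from the workstation script above, and the function names, MIN_INTERVAL and the temporary-file-then-rename download are my own choices. The rename matters because the workstations copy whatever is in the manager’s home folder: a failed wget with --output-document would otherwise leave an empty wwraw.xml for every workstation to pull.

```shell
#!/bin/bash
# weather-fetch.sh, file server side (added example; not the article's linked script).
# Downloads the two weather.gov files that the workstations sync, but never more
# often than MIN_INTERVAL seconds unless --force is given.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

STATION="${STATION:-KFWA}"            # NWS observation station used in the article
ZONE="${ZONE:-INC003}"                # NWS alert zone/county code used in the article
MIN_INTERVAL=$((22 * 60))             # the article's 22-minute minimum, in seconds
STAMP="$HOME/weather-fetch-time.txt"  # touched after each successful download

# due_for_fetch STAMPFILE FORCEFLAG NOW_EPOCH
# Succeeds when a download is allowed: --force was given, no stamp exists yet,
# or the stamp is at least MIN_INTERVAL seconds old. NOW is a parameter so the
# rule can be checked without waiting 22 minutes.
due_for_fetch() {
  local stamp="$1" force="$2" now="$3" last
  [ "$force" = "--force" ] && return 0
  [ -f "$stamp" ] || return 0
  last=$(stat -c '%Y' "$stamp") || return 0
  [ $((now - last)) -ge "$MIN_INTERVAL" ]
}

# download URL DEST: fetch into a temporary name and rename only on success, so
# a failed download never leaves an empty DEST for the workstations to copy.
download() {
  local url="$1" dest="$2"
  if wget -q --output-document="$dest.tmp" "$url"; then
    mv "$dest.tmp" "$dest"
  else
    rm -f "$dest.tmp"
    return 1
  fi
}

main() {
  cd "$HOME" || exit 1
  if ! due_for_fetch "$STAMP" "${1:-}" "$(date +%s)"; then
    exit 0   # too soon since the last download: leave weather.gov alone
  fi
  # Both URLs are quoted; an unquoted & in the alerts URL would end the command.
  download "http://w1.weather.gov/xml/current_obs/${STATION}.xml" wwraw.xml &&
  download "http://alerts.weather.gov/cap/wwaatmget.php?x=${ZONE}&y=0" walerts.xml &&
  touch "$STAMP"
}

# Run main only when executed as weather-fetch.sh, so the functions above can
# also be sourced and checked without contacting weather.gov.
case "$0" in *weather-fetch.sh) main "$@" ;; esac
```

Run it from cron with the article’s hourly entry, 15 * * * * ~/weather-fetch.sh, or by hand as ~/weather-fetch.sh --force when you want fresh data immediately; a plain manual run inside the 22-minute window exits quietly without contacting weather.gov.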

That being done, your internal file server is up and running, albeit without firewall, fail2ban, and so forth. Those are added as in other Debian GNU/Linux file servers. Use apt install fail2ban ufw gufw and then configure them. Remember to allow your non-standard ssh port number from the local net in UFW. Those packages are discussed further below.

Software Packages and Configurations

Many possible projects for the RPi have very readable instructions at the Projects page on the Raspberry Pi organization web site at https://projects.raspberrypi.org/en/projects.

If your file server is inside your network and never exposed to the outside you might choose to stop now. You already have the basics of what you need: cron maintenance scripts, and a working, fully encrypted connection from all your workstations to the file server via ssh. If someone might connect a virus-laden laptop to your wireless network and use it to attack your lab PCs, you may decide to go the extra yard and install a firewall.

If you want to harden your file server (and workstations) against problems that arise within your inside LAN, you can add a firewall with UFW and the more user friendly graphical version GUFW, and a program that temporarily blocks attempts to connect without the proper ssh security key, fail2ban.  If your file server can be reached from the Internet then you need these programs – don’t connect it to the Internet until they are in place.

Protection

You already changed the default password for the default user account that comes on the RPi. Other important security steps for your RPi can be found on the Raspberry Pi organization’s web site under Securing your Raspberry Pi at https://www.raspberrypi.org/documentation/configuration/security.md.

In this list of optional security steps is included the instructions to install and configure ufw, the “uncomplicated firewall”. The part you want to do is install ufw: all the command line things to allow or deny access are better handled with the graphical user interface for ufw, gufw, which we will install below.

root@raspberrypi:~# apt install ufw

ufw and gufw

Install ufw as above, then install gufw in the same manner:

root@raspberrypi:~# apt install gufw

The GUFW firewall is one of the easiest firewalls in the world. Gufw is created with the goal of being an intuitive and simple user-friendly application. If you changed the ssh port from the default port number, 22, then remember to open the ssh port number that you used, not the default number. A good video on using GUFW by Sean Mancini is on YouTube.com at https://youtu.be/FdPppKJhJws. The GUFW web site is at http://gufw.org/. It is very intuitive to use.

fail2ban

The most common way hackers get into a computer system involves not some high-level knowledge but trying over and over to guess account names and passwords. You have already changed your RPi’s ssh configuration so that it rejects password authentication and requires a working ssh key pair; however, there is no reason to allow someone’s automated hacking script to try over and over, many times a second, to break into your systems.

fail2ban is a program that deals with exactly that scenario: if someone tries and fails to gain access via ssh, fail2ban programs iptables on the computer to temporarily ignore any further attempts from that IP address. A good walk-through for novices can be read at https://www.a2hosting.com/kb/security/hardening-a-server-with-fail2ban, and it is also discussed on the Raspberry Pi organization’s web page on Securing your Raspberry Pi at https://www.raspberrypi.org/documentation/configuration/security.md.

Install fail2ban with

root@raspberrypi:~# apt install fail2ban

then configure it following the steps in https://www.raspberrypi.org/documentation/configuration/security.md. If you changed the ssh port to something other than 22, then remember to use the port number you chose, not 22 in the steps.
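As an added example of that configuration step (not taken from the article or the pages it links), here is a minimal /etc/fail2ban/jail.local for a server whose sshd listens on a non-default port. 2222 is a placeholder for whatever port you chose; the bantime, findtime and maxretry values are my own choices. One caveat worth knowing: because the article’s ssh setup rejects passwords altogether, brute-force bots never produce “Failed password” log lines; they show up as pre-authentication disconnects, which the sshd filter counts only in its ddos or aggressive mode (present in fail2ban 0.10 and newer; that you run such a version is an assumption).

```ini
# /etc/fail2ban/jail.local (added example; values are placeholders to adjust)
[DEFAULT]
# block an offending address for 10 minutes after maxretry failures within findtime
bantime  = 600
findtime = 600
maxretry = 5

[sshd]
enabled = true
# placeholder: the non-standard port you chose for sshd, not 22
port = 2222
# assumption: fail2ban 0.10 or newer. With password logins disabled, bots show
# up as pre-authentication disconnects rather than "Failed password" lines;
# aggressive mode counts those as well as the normal failures.
mode = aggressive
```

After saving the file, restart fail2ban and confirm the jail is active with fail2ban-client status sshd; if the port line is wrong, the jail runs but never matches your sshd, so this check is worth the few seconds.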

Apache2, MySQL, and PHP

You don’t need your RPi to be a web server for it to serve as a File Server – all you need is SSH for that. If you are now thinking of ascending higher, your little RPi is quite capable of serving up the most popular web site system these days, WordPress, and there are resources to help!

Almost all web servers on the Internet are L.A.M.P. systems. The acronym LAMP stands for Linux, Apache, MySQL and PHP. You already have the Linux part of that, since the RPi runs on Debian Linux (Raspbian). Either Linux or Unix is normally used as the operating system, with the additional packages apache2, mysql, and php installed.

Good documentation on setting up your RPi as a web server can be read on the Raspberry Pi organization website Setting up an Apache Web Server on a Raspberry Pi at https://www.raspberrypi.org/documentation/remote-access/web-server/apache.md. To have a modern website that serves dynamic web pages, for example with WordPress, you also need the programming language php and the database program MySQL (pronounced “Mia S. Q. L.” not “my sea-quill”). From WikiPedia:

MySQL (/ˌmaɪˌɛsˌkjuːˈɛl/ “My S-Q-L”)[5] is an open-source relational database management system (RDBMS).[5][6] Its name is a combination of “My”, the name of co-founder Michael Widenius‘s daughter,[7] and “SQL“, the abbreviation for Structured Query Language.

To additionally set up WordPress, you can read the WordPress pages at https://projects.raspberrypi.org/en/projects/lamp-web-server-with-wordpress.

You will install and test apache2 with

root@raspberrypi:~# apt install apache2

You will install php with

root@raspberrypi:~# apt install php

You will install MySQL with

root@raspberrypi:~# apt install mariadb-server php-mysql

and then install and test WordPress with several steps. Note on the RPi MySQL is called MariaDB.

If you want to perform database backups in your nightly maintenance script, see https://stackoverflow.com/questions/9293042/how-to-perform-a-mysqldump-without-a-password-prompt to understand how to create a .my.cnf file so the script does not need to prompt for a password and the password cannot be read by others. Typically you would run the nightly maintenance as root. Simply make a text file like the one below in the home folder of the account that will be doing the database backup, and save the file with the name “.my.cnf” (note that it starts with a dot; that matters).

[mysqldump]
user=root
password=root password

If you would like free SSL certificates that automatically install and maintain themselves for you, there is much information on the website for the Let’s Encrypt project, https://letsencrypt.org/. Let’s Encrypt is a nonprofit Certificate Authority providing TLS certificates to 225 million websites.

Maintenance and Cron Jobs

There are two steps in automating maintenance of your RPi. First you write a bash script to perform the work, and then you use crontab -e to add a line that runs the script at some day and time of your choosing. Teaching you to program in BASH is beyond the scope of this document; however, good documentation is available on-line, for example the Raspberry Pi organization web pages on Linux Usage at https://www.raspberrypi.org/documentation/linux/usage/ and on Shell scripts at https://www.raspberrypi.org/documentation/linux/usage/scripting.md, and a more complete look into BASH at Get started with Bash programming at https://opensource.com/article/20/4/bash-programming-guide.

Before you can write the maintenance script you need to decide what you want done for maintenance. If you maintain your RPi from the command line then you already have an idea: just type those commands into a text file, and give the file a name ending in “.sh”. Enable the file to be “executed” by setting its execute permission with:

root@raspberrypi:~# chmod +x my-file.sh

where “my-file.sh” is what you named the text file. Now test the script by running it from the command line and watch for any error messages that appear:

root@raspberrypi:~# ./my-file.sh

Once you are satisfied that your script file works as you intend, you can schedule it to run on its own at some time you choose, for example every night. To run that file automatically at some specific time, you add a line to the “crontab”, using the command line instruction:

root@raspberrypi:~# crontab -e

You can likely understand how to add the line in crontab just by looking at the instructions in the text file that opens when you type crontab -e, however cron can also be very powerful and as such maybe a wee bit obtuse. The tutorials I mentioned in this article are a good start. Another good step by step tutorial is on the Raspberry Pi organization web site page at https://www.raspberrypi.org/documentation/linux/usage/cron.md.
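The steps above (write the script, chmod +x, run it by hand, schedule it with crontab -e) and the .my.cnf backup note from the MySQL section fit together in one script. The following nightly.sh is an added example written for this page; the article’s own nightly.sh is not shown and this is not it. It refuses to run the backup unless ~/.my.cnf is readable only by its owner, dumps all MariaDB databases with mysqldump taking the credentials from that file, keeps two weeks of dumps, and logs what it did. BACKUP_DIR, KEEP_DAYS, LOG and the function names are my assumptions.

```shell
#!/bin/bash
# nightly.sh: example nightly maintenance script for the RPi file server
# (added example; the article's own nightly.sh is not shown).
# Run from root's crontab. Dumps every MariaDB database using the credentials
# in ~/.my.cnf, keeps KEEP_DAYS of dumps, and logs what it did.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
DEBIAN_FRONTEND=noninteractive

BACKUP_DIR="${BACKUP_DIR:-/var/backups/mysql}"   # assumed location
KEEP_DAYS="${KEEP_DAYS:-14}"                     # assumed retention
LOG="${LOG:-/var/log/nightly.log}"               # assumed log file

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >> "$LOG"; }

# mycnf_is_private FILE: succeeds only if FILE exists and only its owner can
# read it (mode 600 or 400). The article's .my.cnf holds the database root
# password; if it is world-readable, every local account, including the lab's
# "usr" login, can read that password.
mycnf_is_private() {
  local cnf="$1" mode
  [ -f "$cnf" ] || return 1
  mode=$(stat -c '%a' "$cnf") || return 1
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# prune_dumps DIR DAYS: delete dump files older than DAYS days; print the count.
prune_dumps() {
  local dir="$1" days="$2"
  [ -d "$dir" ] || { echo 0; return 0; }
  find "$dir" -maxdepth 1 -name 'all-databases-*.sql.gz' -mtime +"$days" \
       -print -delete | wc -l | tr -d ' '
}

# backup_databases: mysqldump takes user and password from the [mysqldump]
# group of the credentials file, so the password never appears on the command
# line (where ps would show it) or in the cron mail. --defaults-file must be
# the first option mysqldump sees.
backup_databases() {
  local cnf="$HOME/.my.cnf" out tmp
  if ! mycnf_is_private "$cnf"; then
    log "ERROR: $cnf is missing or readable by others; fix with: chmod 600 $cnf"
    return 1
  fi
  mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
  out="$BACKUP_DIR/all-databases-$(date +%F).sql.gz"
  tmp="$BACKUP_DIR/.dump-in-progress.sql"
  if mysqldump --defaults-file="$cnf" --all-databases --single-transaction > "$tmp" &&
     gzip -c "$tmp" > "$out"; then
    rm -f "$tmp"
    chmod 600 "$out"
    log "database dump written to $out"
  else
    rm -f "$tmp" "$out"
    log "ERROR: mysqldump failed, no dump written"
    return 1
  fi
}

main() {
  log "nightly maintenance start"
  backup_databases
  log "removed $(prune_dumps "$BACKUP_DIR" "$KEEP_DAYS") dump(s) older than $KEEP_DAYS days"
  # the other housekeeping commands you normally type by hand go here
  log "nightly maintenance done"
}

# Run main only when executed as nightly.sh, so the functions can be sourced
# and exercised elsewhere without touching the database.
case "$0" in *nightly.sh) main ;; esac
```

Install it with chmod +x nightly.sh, run it once by hand and read the log, then add a line such as 30 3 * * * /root/nightly.sh with crontab -e as root. The permission check is the part that is easy to forget: the .my.cnf from the MySQL section keeps the password private only if you also run chmod 600 ~/.my.cnf, and this script verifies that before every dump instead of silently trusting it.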

Citations

https://www.raspberrypi.org/ Raspberry Pi 4
Your tiny, dual-display, desktop computer … and robot brains, smart home hub, media centre, networked AI core, factory controller, and much more.

https://www.raspberrypi.org/downloads/ Download page for Raspberry Pi. Use Raspberry Pi Imager for an easy way to install Raspberry Pi OS and other operating systems to an SD card ready to use with your Raspberry Pi or use the provided links to download OS images which can be manually copied to an SD card.

https://www.raspberrypi.org/documentation/ Raspberry Pi Documentation. This is the official documentation for the Raspberry Pi, written by the Raspberry Pi Foundation with community contributions.

https://www.openssh.com/ OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.

https://launchpad.net/ufw Ufw stands for Uncomplicated Firewall, and is program for managing a netfilter firewall. It provides a command line interface and aims to be uncomplicated and easy to use.

http://gufw.org/ GUFW is the graphical interface to work with UFW, One of the easiest firewalls in the world! Gufw is created with the goal of being an intuitive and a simple user-friend application!

https://www.fail2ban.org  Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc.  Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time.

https://www.apache.org/ Apache is arguably the most frequently used web server package on the Internet. $20B+ worth of Apache Open Source software products are made available to the public-at-large at 100% no cost, and benefit billions of users around the world.

https://mariadb.org/ MariaDB Server is one of the most popular database servers in the world. It’s made by the original developers of MySQL and guaranteed to stay open source. Notable users include Wikipedia, WordPress.com and Google.

https://www.php.net/ PHP is a popular general-purpose scripting language that is especially suited to web development. Fast, flexible and pragmatic, PHP powers everything from your blog to the most popular websites in the world.

https://letsencrypt.org/ A nonprofit Certificate Authority providing TLS certificates to 225 million websites.

https://letsencrypt-for-cpanel.com/ FleetSSL cPanel (formerly Let’s Encrypt for cPanel) is an unofficial cPanel/WHM plugin for the Let’s Encrypt™ service, which provides your end-users with the ability to instantly issue free trusted SSL certificates (including wildcards) for all of their hosted domains.
