Raspberry Pi

How to run a headless, safe and fast Debian OS on your Pi

Requirements

  • Raspberry Pi board (amazon link coming soon)
  • Power supply (5V, min 2.5A), (amazon link coming soon)
  • mSATA SSD adaptor to USB 3.0 (amazon link coming soon)
  • M.2-SSD (amazon link coming soon)
  • Imager
  • SSH-Client
  • a cup of coffee

Prepare the guest OS and USB-SSD

  • download and install the imager
  • plug in the USB-SSD
  • open a Command Prompt or PowerShell as administrator and type the following commands:
    (start diskpart within the shell and list all known disks on the computer)
diskpart
list disk

note the number of your USB-SSD disk; in this example we use no. 10
make sure you type the right disk number in this command:

select disk 10

prepare the writable partition in five steps

clean
create partition primary
sel par 1
format fs=fat32 label=F32 quick
assign

leave diskpart

exit

PI OS-Installation

  • open the imager and select RASPBERRY PI OS (32-BIT) with the left button
  • select your USB-SSD with the right button
  • don't change any options, and write the image to the disk

PI prepare and boot

  • open a file explorer at the USB-SSD root and create a file named "ssh" (without a file extension!)
  • close the file explorer and unmount the USB-SSD from the computer
  • plug the USB-SSD into a USB3 port on the Raspberry Pi
  • connect the LAN port of the Pi to the local network, e.g. a switch or router (we don't use WiFi)
  • plug in the power supply to start the Pi

PI first contact

  • the Pi is up and running; you can check the LEDs on the Pi and the USB adaptor
  • normally the hostname of the Pi is raspberry
  • you can check the hostname or get the right IPv4 address from your router
  • open your SSH client or use one of these command lines to connect to the Pi
  • in case of an error, use the IPv4 address instead of the hostname
YourPathToPutty\PUTTY.EXE -ssh pi@raspberry -P 22 -pw raspberry
YourPathToPutty\PUTTY.EXE -ssh pi@ipv4address -P 22 -pw raspberry

PI harden up

  • change the passwords for the users root and pi; remember to use sudo
  • it's recommended to use 24 characters drawn from
    A-Za-z0-9!"#$%&'()*+,-./:;<=>?@[]^_`{|}~
sudo passwd root
sudo passwd pi
  • update the Pi OS with two commands in one line; this can take a while...
sudo apt-get update && sudo apt-get -y upgrade
  • it's recommended to set a fixed IPv4 address and disable IPv6
    (edit /etc/dhcpcd.conf)
sudo nano /etc/dhcpcd.conf
  • go to the commented (#) example block and edit the following lines; the #static ip6_address line stays commented
    (for example, if the router IP is 192.168.1.1, the Pi IP will be 192.168.1.100)
# Example static IP configuration:
interface eth0
static ip_address=192.168.1.100/24
#static ip6_address=abcd:1234:......
static routers=192.168.1.1
static domain_name_servers=192.168.1.1
  • save and exit the file with the following keystrokes:
    Ctrl+O ENTER (save the file), Ctrl+X (close nano)
  • reboot the PI
sudo reboot
  • change the SSH config: edit /etc/ssh/sshd_config
    (it's recommended to set a high port, 1231 in this case, or one of your choice but less than 65535)
sudo nano /etc/ssh/sshd_config
  • go to the line that begins with Port and change 22 to the port of your choice;
    the other settings below make SSH safer
Port 1231
Protocol 2
PermitEmptyPasswords no
PermitRootLogin no
# Compression is optional
Compression yes
  • save and exit the file with the following keystrokes:
    Ctrl+O ENTER (save the file), Ctrl+X (close nano)
  • reboot the PI
sudo reboot
  • last step to harden the Pi: install fail2ban to watch SSH access
    (reconnect to the Pi via SSH on port 1231 or the port you chose, with the new password)
YourPathToPutty\PUTTY.EXE -ssh pi@raspberry -P 1231 -pw YourNewPassword
YourPathToPutty\PUTTY.EXE -ssh pi@ipv4address -P 1231 -pw YourNewPassword
sudo apt install fail2ban
  • create and edit your own config file
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo nano /etc/fail2ban/jail.local
  • add the following settings (thomas-krenn.com)
ignoreip = 127.0.0.1/8
ignorecommand =
bantime  = 3600
findtime  = 600
maxretry = 3
  • reboot the PI
sudo reboot
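
An added check, not part of the original page: sshd now listens on port 1231, while a jail.local copied from jail.conf still carries "port = ssh" in its [sshd] section, so the jail watches and blocks port 22 only. The function names and the sample files are constructed for illustration, and Match blocks and Include files are assumed absent.

```sh
#!/bin/sh
# Added example: function names and sample files are constructed for illustration.

# Effective value of an sshd_config keyword: sshd uses the FIRST occurrence and
# keywords are case-insensitive. Assumption: no Match blocks or Include files.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD
    awk -v kw="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(kw) { print $2; exit }
    ' "$1"
}

# Value of "port" inside one [section] of a fail2ban jail file.
jail_port() {  # usage: jail_port FILE SECTION
    awk -v sec="[$2]" '
        /^[ \t]*\[/ { in_sec = ($1 == sec); next }
        in_sec && /^[ \t]*port[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Print one line per finding, then the number of findings as the last line.
audit() {  # usage: audit SSHD_CONFIG JAIL_LOCAL
    n=0
    port=$(sshd_effective "$1" Port); port=${port:-22}
    root=$(sshd_effective "$1" PermitRootLogin)
    empty=$(sshd_effective "$1" PermitEmptyPasswords); empty=${empty:-no}
    [ "$root" = no ] || { echo "PermitRootLogin is '$root', expected 'no'"; n=$((n + 1)); }
    [ "$empty" = no ] || { echo "PermitEmptyPasswords is '$empty'"; n=$((n + 1)); }
    jp=$(jail_port "$2" sshd)
    case "$jp" in ssh) jp=22 ;; esac   # "ssh" is the service name for port 22
    [ "$jp" = "$port" ] || { echo "sshd listens on $port, [sshd] jail covers port '$jp'"; n=$((n + 1)); }
    echo "$n"
}

# Constructed sample: the sshd_config from this page next to a jail.local that
# still carries the stock "port = ssh" line.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#Port 22' 'Port 1231' 'Protocol 2' 'PermitEmptyPasswords no' \
        'PermitRootLogin no' > "$d/sshd_config"
    printf '%s\n' '[DEFAULT]' 'bantime  = 3600' 'findtime  = 600' 'maxretry = 3' \
        '[sshd]' 'port = ssh' > "$d/jail.local"
    audit "$d/sshd_config" "$d/jail.local"
    rm -r "$d"
}
demo
```

On the Pi, run audit /etc/ssh/sshd_config /etc/fail2ban/jail.local; setting port = 1231 in the [sshd] section of jail.local clears the port finding.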

SSH Access per key based login

  • install/Update SSL Client
  • make sure that PuTTYgen.exe is installed, or download it directly from the homepage
  • start PuTTYgen.exe and follow the short steps below
ToDo: PuTTYgen.exe start
Set: Number of bits in a generated key: 4096 (recommended in 2023)
Set: Type of key to generate: RSA (check over Menu/Key/SSH-2 RSA Key)
ToDo: Press Generate, move the mouse inside the window until the keys are ready
Set: Key Comment: use a unique name of the device, eg. RaspberryPI
Set: Key Passphrase: [Password]
Set: Confirm Passphrase: [Password]
ToDo: Save: Public Key: pubkey.ppk
ToDo: Save: Private Key: privkey.ppk
ToDo: Leave the window open, we need the public key to paste on the RPi
  • open an SSH session to the RPi and save the public key
CMD: create dir: mkdir /home/pi/.ssh
CMD: set rights: sudo chmod 700 /home/pi/.ssh
CMD: create authorized_keys: nano /home/pi/.ssh/authorized_keys
ToDo: copy from the PuTTYgen window: "Public key for pasting…" to the clipboard
! .ssh will be deleted !
sudo rm -r /home/pi/.ssh && mkdir /home/pi/.ssh && sudo chmod 700 /home/pi/.ssh && nano /home/pi/.ssh/authorized_keys
ToDo: paste the clipboard into authorized_keys: "I", right mouse button; save the file and quit: "ESCAPE" ":wq" "ENTER"
see KeePass/Putty SSH rpi/rpi* note/authorized_keys
CMD: set rights: chmod 600 /home/pi/.ssh/authorized_keys
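
An added check, not part of the original page, for the pasted key: it verifies the 700/600 modes set above and that authorized_keys holds the one-line OpenSSH text from the PuTTYgen window rather than the contents of a saved PuTTY key file or a paste that wrapped onto a second line. The function name and the sample key text are constructed, and only ssh-rsa lines without option prefixes are accepted because that is what this page generates.

```sh
#!/bin/sh
# Added example: the function name and the sample key text are constructed.

# Print one finding per line; print nothing when the file passes.
check_authorized_keys() {  # usage: check_authorized_keys FILE
    # With StrictModes (sshd default) keys are ignored if the directory or
    # the file is writable by anyone but the owner; the page uses 700 and 600.
    case "$(ls -ld "$(dirname "$1")" | cut -c1-10)" in
        drwx------) ;;
        *) echo "directory mode is not 700" ;;
    esac
    case "$(ls -l "$1" | cut -c1-10)" in
        -rw-------) ;;
        *) echo "file mode is not 600" ;;
    esac
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }               # blank line or comment
        /^---- BEGIN SSH2 PUBLIC KEY/ || /^PuTTY-User-Key-File/ {
            print "line " NR ": PuTTY file format, not the one-line OpenSSH format"
            exit
        }
        # Every ssh-rsa blob starts with the base64 of the length-prefixed
        # string "ssh-rsa"; the rest must be one unbroken base64 run.
        $1 == "ssh-rsa" && $2 ~ /^AAAAB3NzaC1yc2E[A-Za-z0-9+\/]+=*$/ { next }
        { print "line " NR ": not a complete ssh-rsa line (wrapped paste?)" }
    ' "$1"
}

# Constructed sample: a paste that wrapped in the middle of the key blob.
demo() {
    d=$(mktemp -d); mkdir "$d/.ssh"; chmod 700 "$d/.ssh"
    f="$d/.ssh/authorized_keys"
    # Truncated, made-up blob: it exercises the format check, it is not a usable key.
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAC' 'AQC7x9Q2 RaspberryPI' > "$f"
    chmod 600 "$f"
    check_authorized_keys "$f"
    rm -r "$d"
}
demo
```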

PI stable overclock

  • edit the Pi 4 config to improve performance while staying stable over long runtimes
sudo nano /boot/config.txt
[all]
arm_freq=2000             # CPU Frequency
core_freq=500             # GPU Frequency
sdram_freq=500            # RAM Frequency
over_voltage=5            # Electric power sent to CPU / GPU (4 = 1.35V)
#gpu_freq=750             # not necessary
gpu_mem=16                # reduce GPU memory, only needed for boot
#program_usb_boot_mode=1  # enable USB boot mode
start_x=0                 # do not start an X server
disable_splash=1          # Disables the display of the electric alert screen
  • check the new power/mem settings with the following commands
lscpu
vcgencmd get_mem arm;vcgencmd get_mem gpu
  • disable WiFi and Bluetooth
sudo nano /etc/modprobe.d/raspi-blacklist.conf
# WiFi disable
blacklist brcmfmac
blacklist brcmutil
# Bluetooth disable
blacklist btbcm
blacklist hci_uart
  • disable HDMI
sudo /opt/vc/bin/tvservice -o
  • reboot the pi after the changes and check the running services
sudo service --status-all | grep " + "