Thursday, April 7, 2016

Secure access to Pi part 1


reference


Creating a new user

As mentioned, it's a good idea to get rid of the default 'pi' user just to make it harder for anyone who might try to hack you (and there are automated methods that might find you and try it, especially as the Pi itself becomes more popular and the default account details remain the same for each one).
Going into detail on how Linux controls access rights and permissions for users is beyond the scope of this article, but suffice to say it has a concept of "users" and "groups" – users can belong to any number of groups, and groups are used to control permissions and access to files, directories, etc. It's through this system that Linux machines are administered. We want to get a list of groups that the default Pi user belongs to, so that we can create a new user which belongs to all the same groups – and therefore can do everything that the default Pi user can do. Belonging to all the same groups as the 'pi' user is not strictly necessary (and can be a bad idea if you're determined to be as secure as possible), but it can be useful if you want to do other stuff with your Pi later. It also keeps this post simpler because being more restrictive would require more knowledge of Linux administration. You can figure that out later if you feel you want to.
In the Bash prompt type:
groups
You will see a list output similar to the one below – yours may be different to mine (this article will become old and out of date) so pay attention to your list and not mine!
pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi
Now we can create a new user. Type the following into the command prompt but remember to use your list of groups (minus the first 'pi' item) and replace USERNAME with the username you want to create. Make sure you type it all on one line (if you're seeing the line wrap here that's just to make things readable for you).
sudo useradd -m -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi USERNAME
Next we set a password for the new user:
sudo passwd USERNAME
Complete the prompts as they appear. 

Deleting the default 'pi' user

Next you need to add the new user to the "sudoers" file:
sudo visudo
Scroll down to the bottom and duplicate the "pi" entry for the new user. Leave the "pi" entry for now.

Next edit the autologin for the desktop, and replace "pi" with the new user.

sudo nano /etc/lightdm/lightdm.conf

Scroll down to the bottom of the file and change the "autologin-user=pi" to the new user. Save and exit.

Now edit the "autologin@.service" file, that's where the "pi" processes are coming from, and change it to the new user.
sudo nano /etc/systemd/system/autologin@.service
Scroll down to the line
ExecStart=-/sbin/agetty --autologin pi --noclear %I $TERM
and change the autologin to the new user, save and exit.

sudo reboot

The Pi will turn itself off. Unplug the power, plug in the network cable, then plug the power back in. The Pi will boot up and leave you in a Bash shell asking for a login name. Log in with your newly created user's details (i.e., don't log in as 'pi').

Type:
sudo deluser --remove-all-files pi
There will be a bunch of stuff it couldn't do, but at the end it should say
Removing user `pi' ...
Warning: group `pi' has no more members.

Done.

OK, now you've deleted pi, you can go set up things with your new, safer, username.
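
Before or after the deluser step, it is worth confirming that nothing edited in the steps above still points at 'pi'. The script below is an added example, not part of the original post: it checks the sudoers file, lightdm.conf and autologin@.service for leftover references and reports whether the duplicated sudoers entry carries NOPASSWD. The ROOT prefix, the user name alice and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): look for leftover references to
# the old account in the three files edited in the steps above.

# flag FILE REGEX MESSAGE: print a finding when FILE has a line matching REGEX
flag() {
    if [ -r "$1" ] && grep -Eq -e "$2" "$1"; then
        echo "$1: $3"
    fi
}

# audit_old_user OLD NEW [ROOT]: ROOT is a hypothetical prefix so the check can
# run against a copy of /etc; leave it empty on the Pi itself (and run as root,
# since /etc/sudoers is not world-readable).
audit_old_user() {
    old=$1 new=$2 root=${3:-}
    flag "$root/etc/sudoers" "^${old}[[:space:]]" "sudoers entry for '$old' still present"
    flag "$root/etc/sudoers" "^${new}[[:space:]].*NOPASSWD" "'$new' has passwordless sudo"
    flag "$root/etc/lightdm/lightdm.conf" "^autologin-user=${old}[[:space:]]*\$" \
        "desktop autologin still set to '$old'"
    flag "$root/etc/systemd/system/autologin@.service" \
        "--autologin ${old}([[:space:]]|\$)" "console autologin still set to '$old'"
    return 0
}

# Constructed sample tree: the state after following the steps above, where the
# sudoers entry was duplicated for the new user and the 'pi' line was left in place.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/lightdm" "$t/etc/systemd/system"
    printf '%s\n' 'root ALL=(ALL:ALL) ALL' 'pi ALL=(ALL) NOPASSWD: ALL' \
        'alice ALL=(ALL) NOPASSWD: ALL' > "$t/etc/sudoers"
    printf '%s\n' '[SeatDefaults]' 'autologin-user=alice' > "$t/etc/lightdm/lightdm.conf"
    printf '%s\n' 'ExecStart=-/sbin/agetty --autologin alice --noclear %I $TERM' \
        > "$t/etc/systemd/system/autologin@.service"
    echo "$t"
}

sample=$(make_sample_tree)
audit_old_user pi alice "$sample"
rm -rf "$sample"
```

On the Pi, run it as root with no ROOT argument: audit_old_user pi USERNAME. A leftover 'pi' line in sudoers would grant sudo to any account later created with that name, so remove it with sudo visudo once the new user works.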

Optional step: Setting up Fail2Ban

This application helps to prevent hacking attempts by detecting log-in attempts that use a dictionary attack and banning the offending IP address for a short while. NOTE: If you're using SSH Key Pairs and have disabled SSH Password Authentication then you may not want to bother with this as no-one can hack their way in via a dictionary attack anyway.
sudo apt-get install fail2ban
Wait for this to complete; it should be fine running the default set up so you can stop there, or learn more about customising fail2ban.





Saturday, March 19, 2016

zwave reference info

Devices
1 x Leviton RZCPG-0SG - Vizia-RF Basic RF Programmer/Master Remote w/Clock and Base (LEVRZCPG-0SG) 
Intermatic HA02 lamp controller
https://github.com/openhab/openhab/blob/master/bundles/binding/org.openhab.binding.zwave/database/products.xml

Monster ml ld300

Reference for intermatic modules

Be within 6 feet of the module

Exclude
Put controller in exclude mode, push program button on module.

Include
Plug a lamp into the module, make sure lamp is on
Push Program button on module until lamp comes on, and led blinks
Put controller into include mode


Leviton Switch
1 x Leviton RZI10-1LX - Vizia-RF 1000W Dimmer for Single Pole/3-Way (LEVRZI10-1LX)
1 x Leviton RZCZ4-1LX - Vizia-RF 4-Zone In-Wall Controller (LEVRZCZ4-1LX)

Exclude
Put controller in exclude mode
With Leviton controller, Menu, system setup, advanced settings, network
press "center button"

Include
Put controller in include mode
With Leviton controller, Menu, system setup, advanced settings, network
turn on dimmer switch (press main push pad)




ACT dimmer
ACTZDW120W

Friday, March 18, 2016

Samba

Setup Samba

Install Samba
Next, we’ll install Samba and share the configuration and user folders – this will make it easier to install add-ons and change the sitemap remotely.
sudo nano /etc/samba/smb.conf
Change the workgroup name if needed, but otherwise enable WINS support:
wins support = yes
(you’ll need to uncomment the line, and change no to yes)
then add the following to the share definitions section (scroll all the way down to the bottom of the long file):
[OpenHAB Home]
 comment= OpenHAB Home
 path=/usr/share/openhab

 browseable=Yes
 writeable=Yes
 only guest=no
 create mask=0777
 directory mask=0777
 public=no
[OpenHAB Config]
 comment= OpenHAB Site Config
 path=/opt/openhab
 browseable=Yes
 writeable=Yes
 only guest=no
 create mask=0777
 directory mask=0777
 public=no
I also commented out the Printers section. I’ve made two shares, since the configuration files are actually stored separately to the add-ons.
Save and exit. We finally need to set a Samba password for the openhab user:
sudo smbpasswd -a openhab
I’d suggest “openhab” as the password just for ease of use, but it doesn’t really matter.
Thanks to reader David L – it appears the method of restarting Samba has changed in the latest Raspbian. Here are the updated instructions:
sudo update-rc.d smbd enable
sudo update-rc.d nmbd enable
sudo service smbd restart
After restarting Samba (older installs use sudo service samba restart), test you can access the shared drive.
It might not be auto-discovered on a Mac; but you can use the
Finder -> Go -> Connect to Server and the address
smb://openhab@raspberrypi.local
Or, try address smb://openhab@192.168.1.80
Authenticate with username openhab and your chosen password, then open up both your shares to have a look around.  Select OpenHAB Config and OpenHAB Home.  It should open windows for both directories
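
The share definitions above set create mask and directory mask to 0777, so files and folders created over the share can end up writable by every local account on the Pi. The script below is an added example, not part of the original post: it scans an smb.conf for masks that grant write access to "other". The sample configuration is constructed; its second share shows a tightened variant with 0664/0775 masks and a valid users line.

```shell
#!/bin/sh
# Added example (not from the original post): flag smb.conf shares whose masks
# let "other" users write, as the 0777 masks in the shares above do.

# audit_smb_masks FILE: print "<share>: <key> = <value>" for each create/directory
# mask whose last octal digit includes the write bit (2, 3, 6 or 7).
audit_smb_masks() {
    awk '
        /^[ \t]*[#;]/ { next }                     # comment lines
        /^[ \t]*\[/ {                              # [share name] header
            share = $0
            sub(/^[ \t]*\[/, "", share); sub(/\].*$/, "", share)
            next
        }
        index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            gsub(/[ \t]/, "", val)
            if (key ~ /^(create|directory) (mask|mode)$/ && val ~ /^[0-7]+$/ && val ~ /[2367]$/)
                print share ": " key " = " val
        }
    ' "$1"
}

# Constructed sample: the first share copies the masks from the post; the second
# is a tightened variant (owner and group write only), shown for comparison.
sample_conf() {
    cat <<'EOF'
[OpenHAB Home]
 path=/usr/share/openhab
 writeable=Yes
 create mask=0777
 directory mask=0777
[OpenHAB Config]
 path=/opt/openhab
 writeable=Yes
 valid users = openhab
 create mask=0664
 directory mask=0775
EOF
}

conf=$(mktemp)
sample_conf > "$conf"
audit_smb_masks "$conf"
rm -f "$conf"
```

On the Pi, point it at the live file with audit_smb_masks /etc/samba/smb.conf after each edit.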

Saturday, March 12, 2016

02 Raspberry Pi Setup

Pi Setup

Intro

Credits
I stole/copied/plagiarized from these people
Make use of
Home Automation for Geeks

Links
Raspbian Image  OS for the Raspberry Pi; pick "Raspbian Jessie". I downloaded the zip file.
I used Raspbian Jessie (based on Debian Jessie), release date 2016-02-26, kernel version 4.1.
Win32 Disk Imager  Use to copy Raspbian OS to a SD card.  Also used to make SD backups.
MobaXterm  Terminal program to use to control the Pi


Main stuff to buy
Raspberry pi.  I started with the original pi, but I bought a pi3 soon after starting this project.
     a)  SD Card.  I used a 8gb because I had a spare one, but it turned out to be the right size.  The image is around 4gb after unzipping, so an 8gb card gives plenty of space to add the stuff you need.  You can use a 16gb card, but to backup you need to backup the image, so the larger the card the larger your backups will be.
     b)  USB Keyboard for pi (I already had one to use.  You only need it for the initial setup, takes a couple hours at most)
     c)  Monitor  (again you can use one you have.  The Pi needs a HDMI connector, again just for initial setup)
     d)  USB Mouse  (had one, initial setup)
     e)  USB power adapter with a micro USB cable for power.  Had some, I used a 2 amp power adapter.
     f)  Ethernet connection or wifi module for Pi.  I started using ethernet until I got a Pi3, with built in wifi.


Setup the SD card

I did this on a PC.
I did try to do it on a Mac, with these instructions to make the SD card, but it failed, so I moved to my PC.
I downloaded the Raspbian Jessie zip file, full version not the lite one.  Takes a while because it was 1.3 Gb.  Unzip it to get the image file.
Downloaded Win32 Disk Imager
With that utility, I was able to make a SD card with the Raspbian OS on it.

In the beginning, I plugged a USB keyboard, USB mouse, and my PC monitor into the Pi to bring it up.  I used a 2A USB power plug with a micro usb cable to provide power.  Also plugged in an ethernet cable to my router.
Plugged in my new SD card, and powered on.

After a minute or two, it came up.

If you're asked for a login, the default is "pi" with password "raspberry".
Select the menu icon in the top left corner, Preferences, Raspberry Pi Configuration
Select System, Expand Filesystem.  Change the password, change hostname if you want.
Boot to CLI (command line)
Select the localization tab, and setup Locale, timezone, keyboard and wifi country.
Select OK, and then select reboot



Network Connection
You will need to connect your Pi to your home network
Stole instructions from here, but I added to them a little.


Hardwired Ethernet Setup




By default, your router will assign a random IP address to the Pi. We want to change this to a fixed address so you can always find your Pi. For this we need to edit the network configuration file.

Type:          
sudo nano /etc/network/interfaces
The example below is for a network that uses the 192.168.1.x range. 
In the example, the Pi will have address 192.168.1.80 and the router is at 192.168.1.1
I don't know if it matters, but for security I would pick something other than ".80" for the last number. It has to be something you are not using; the numbers usually get filled up by the computers/phones/other wifi gadgets in your house starting at 02.  It also has to be within the allowed range of your router, which is what is probably assigning these addresses to your various gadgets.
If your local network uses a different IP range, make sure to follow that instead.
auto lo
iface lo inet loopback
auto eth0

iface eth0 inet static
address 192.168.1.80  
netmask 255.255.255.0
gateway 192.168.1.1
When you're done modifying the contents of the file you press CTRL+X to exit. The program will ask if you want to save so you press Y for Yes and Enter to confirm the file name.

WIFI Setup

Like most house guests, your Pi wants to know how to connect to your wifi. We also want your router to assign a fixed IP address to the Pi so we can always find it. There are two configuration files we need to edit for this. First:
sudo nano /etc/network/interfaces
The example below is for a network that uses the 192.168.1.x range. In the example, the Pi will have address 192.168.1.80 and the router is at 192.168.1.1. If your local network uses a different IP range, make sure to follow that instead.
auto lo
iface lo inet loopback
allow-hotplug wlan0
auto wlan0

iface wlan0 inet static
address 192.168.1.80
netmask 255.255.255.0
gateway 192.168.1.1
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf
When you're done modifying the contents of the file you press CTRL+X to exit. The program will ask if you want to save so you press Y for Yes and Enter to confirm the file name.
Now in the second configuration file you enter your wifi details:
sudo nano /etc/wpa_supplicant/wpa_supplicant.conf
This file might be empty. Add the text below and replace "wifiname" and "wifipassword" with your network's details.
network={
ssid="wifiname"
psk="wifipassword"
key_mgmt=WPA-PSK
}
If your wifi network is more complicated, you can find online guides by googling "wpa_supplicant raspberry pi". When you're done, again exit with CTRL+X, Y, Enter.

Check Internet & Unplug

After you change settings it's usually a good idea to reboot your Pi and see if she understood you:
sudo reboot
When it's back up you can ping Google to see if you have Internet access:
ping www.google.com
If Google is replying, you're good. Exit "ping" using CTRL+C.
If ping is timing out (and you can access it fine from your other computers), double-check for typos in the configuration files. If that doesn't help, find help online or use your google-fu for clues.
Now that the Pi has Internet access and a fixed IP address, we no longer need to be connected to it. Before you unplug you should shut down your Pi:
sudo halt
Wait about half a minute for it to finish shutdown and then unplug screen, keyboard and mouse. You'll no longer need them. Then unplug & replug the Pi's power to boot it back up.
If you use a Windows PC, you can connect to the Pi using MobaXterm (or whatever SSH terminal program you like) on your computer, so you can open that program now. Give your Pi a minute to boot up and then start a session by clicking the session icon in the top left corner. Then enter your Pi's address and "pi" as the username.

You will see the window below.  You need to put in the Pi's address, the one from this line
address 192.168.1.80
Put in whatever address you entered in the remote host box.
Select OK.


Connecting to your Pi via MobaXterm.
You should get a new window, where it asks for your password.  Enter the password and you should get a command prompt.

Time to update the software on your Pi to the latest versions. This is like running Windows Update, but for your Pi. First run update, then upgrade:


Do this all as one line, but it will take a while.
sudo apt-get update
sudo apt-get dist-upgrade
After this, make a backup of the SD card.
Why? While playing around and testing things you might mess things up beyond repair. If you have a backup from this point in time, you'll save yourself a lot of frustration (and time) if you can go back to a point where you have a clean image all ready to go.
Before you can take out the SD card you need to shut down your Pi:
sudo halt
When it's powered down take out the SD card, plug it in your Windows computer and use Win32 Disk Imager to read from the SD card to an image file you save somewhere on your computer. 
Give it a file name that will tell you what it is, like raspbian_updated_20160311.img.

In Win32 Disk Imager, type the file name as "e:\raspbian_updated_20160311"
This is with an external drive at e:.  If you used c:, it would write it to your root drive, which is fine too, you can just copy it to where you want it.

Then select read, and let it copy the image of the SD card.
Now you can put the SD card back in your Pi, boot it up, and not worry too much about making mistakes.

Now I changed my username, for security.  Harder for someone to break into your system if they don't know your username.

See my other blog about changing the username.

I would make another backup after changing username.