DIY-IOT: How to construct a device, that turns on/off other devices via the Internet — Part 2/4: Installation and preparation of Raspberry Pi
IMPORTANT: READ THIS, before deciding to build something like this device. This device is connected directly to the mains power, which is potentially lethal to mess around with! I am not kidding you — the best scenario when subjected to electrical shock is that it hurts like h*ll, worst case scenario is that you DIE. You should not mess with mains power without a minimum of knowledge.
Last article was about specifying the gizmo that we’re going to build. Before we start making the hardware and software, the Raspberry must be configured to suit our purpose. This article describes the configuration, and the next two articles will be about the hardware, and finally the software.
Warning: This article might be perceived as boring, but the stuff is a prerequisite for the subsequent articles, and I choose to describe the process in a sufficient detail-level to enable first-timers to have a real chance of implementing the device.
This article assume that we start with a Raspberry Pi with a fresh install of Raspbian. If you need help installing the OS on the Raspberry Pi, look here: https://www.raspberrypi.org/learning/noobs-install/
There is a new version of Raspbian available, “Jessie”, and I have chosen the LITE version, since we’re not going to use the desktop for anything.
Do not connect the Raspberry Pi to any network until we have some basic security measures implemented. Instead connect a keyboard and a monitor, and power-up the device. Once boot is completed, login using “pi” as username and “raspberry” as password.
Le’s start by setting up some standard stuff:
sudo raspi-config
Choose ”Expand filesystem”, so we’re certain that the entire SD card is available for the filesystem.
Advanced options →Hostname
I choose ”skarpline-iot”. Choose whatever suits you, but keep in mind that special characters are not supported.
Advanced options →SSH
SSH must be enabled.
Advanced options →Memory Split
Memory is shared between system and graphic adaptor. Since we’re not going to use grathics, leave as much as possible for the system, by choosing the lowest possible value (16).
Internationalisation Options →Change Timezone
- Timezone: Copenhagen in my case.
Choose ’Finish’, and reboot the Raspberry Pi. Once booted, login as ’pi’ like before.
Now we must change the default username and password. This must be done before the Raspberry even smell an Internet connection.
The new user should enjoy the same rights as the old one, so let’s start by examining the groups that the user ‘pi’ is a member of:
pi@skarpline-iot:~ $ groupspi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi
Except ‘pi’ that will be deleted, we will assign these groups to our new user. Take the list, remove ‘pi’ and add commas between the names (no whitespaces). My new user is ‘rpi_admin’:
pi@skarpline-iot:~ $ sudo useradd -m -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi rpi_adminNow assign a password for the new user (and don’t use 1234. That’s mine!):
pi@skarpline-iot:~ $ sudo passwd rpi_adminEnter new UNIX password:Retype new UNIX password:passwd: password updated successfully
Reboot the Raspberry Pi:
pi@skarpline-iot ~ $ sudo rebootLogin using the new username, and delete the ‘pi’ user:
rpi_admin@skarpline-iot ~ $ sudo deluser — remove-all-files piNow we can try connecting to our Raspberry Pi via a network connection. Connect the Raspberry Pi to your network using an Ethernet cable, and try connecting via SSH:
Once the cable is connected, verify that an IP address have been assigned to the Raspberry Pi:
rpi_admin@skarpline-iot ~ $ ifconfigeth0 Link encap:Ethernet HWaddr b8:27:eb:aa:d8:afinet addr:192.168.1.40 Bcast:192.168.1.255 Mask:255.255.255.0UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:1236 errors:0 dropped:0 overruns:0 frame:0TX packets:770 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:165094 (161.2 KiB) TX bytes:128214 (125.2 KiB)
My Raspberry Pi evidently have been assigned the IP address 192.168.1.40. If your device fail to connect to your LAN, you must debug the issue before proceeding. The remaining article assumes a working Internet connection.
Now that the Internet connection is up’n’running the keyboard and monitor can be disconnected. From now on it’s all happening via the SSH connection. On Linux or OSX open a termainal and type:
ssh rpi_admin@192.168.1.40If you’re using Windows I recommend downloading Putty: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.
Next we ensure, that all software on the Raspberry Pi is upgraded — This might take a while:
sudo apt-get update && sudo apt-get upgradeIT security is much like a war, and as the general in the war must ensure that no flanks are open for attach, we must block any connections attempts to network ports that we do not intend to use. An open port is an invitation to attackers, which is why we install a firewall and create rules that block all ports, except 22/SSH, 80/HTTP and 443/HTTPS. Once SSL is working I recommend that we also block 80/HTTP. The firewall inside the Raspberry Pi is iptables, which is a nightmare to configure, and understand. Therefore let’s install UFW (Uncomplicated Firewall), providing an easy-to-use shell on top of iptables.
rpi_admin@skarpline-iot:~ $ sudo apt-get install ufwTo check if the firewall is correctly configures, I recommend using nmap. To verify the state of ports on the Raspberry Pi (Note: nmap must be run form a PC connected to the LAN. Nmap is a linux/OSX tool, but windows version is available here: https://nmap.org/book/inst-windows.html):
sudo nmap –sA 192.168.1.40… All 1000 scanned ports on 192.168.1.40 are unfiltered …
All ports are open (= unfiltered), so let’s enable UFW and add the rules for ports 22, 80 and 443:
rpi_admin@skarpline-iot:~ $ sudo ufw enablerpi_admin@skarpline-iot:~ $ sudo ufw allow 22/tcprpi_admin@skarpline-iot:~ $ sudo ufw allow 80/tcprpi_admin@skarpline-iot:~ $ sudo ufw allow 443/tcp
Retry the portscan:
sudo nmap –sA 192.168.1.40Not shown: 997 filtered portsPORT STATE SERVICE22/tcp unfiltered ssh80/tcp unfiltered http443/tcp unfiltered https
Much better! Now all ports are closed (filtered), except 22, 80 and 443.
One more security measure — Install fail2ban, protecting against unauthorized login attempts:
rpi_admin@skarpline-iot:sudo apt-get install fail2banObviously we need a webserver, and php. I choose apache2 as webserver:
rpi_admin@skarpline-iot:~ $ sudo apt-get install apache2rpi_admin@skarpline-iot:~ $ sudo apt-get install php5
Let’s see if the Raspberry Pi now is reachable on http. In a browser type
http://192.168.1.40, where 192.168.1.40 is swapped with the IP address of your Raspberry Pi..
Beautiful!
Maybe php works as well?
Create a php-file in the web folder:
pi_admin@skarpline-iot:~ $ cd /var/www/html/rpi_admin@skarpline-iot:/var/www/html $ sudo touch test.phprpi_admin@skarpline-iot:/var/www/html $ sudo nano test.php
Write the small script below to the files (save by typing ctrl+x)
<?phpecho phpinfo();?>
Now type http://192.168.1.40/test.php
We’re getting there, but we’re not done yet. Now enable SSL:
rpi_admin@skarpline-iot:/var/www/html $ sudo a2enmod sslrpi_admin@skarpline-iot:/var/www/html $ sudo service apache2 restartrpi_admin@skarpline-iot:/var/www/html $ sudo a2ensite default-ssl
Now type https://192.168.1.40/test.php
Fantastic — now we’re talking! If this were hardware, now would be the time to lift your hands and slowly step away from the table.
Why the warning in the browser? It’s merely the browser telling you, that the certificate is not an official certificate and therefore not trusted. You will always get this error when accessing an IP address, since the certificate is bound to the FQDN of the site. In our case even using the FQDN you’d still get the error, since we’re using a locally signed (self signed) certificate.
If you get this kind of warning when using net banking, I recommend that you stop what you’re doing!
I choose to don’t care, since for our purpose it’s fine. A commercial product is of course another matter. You can get free certificates many places, e.g. here: : https://www.sslshopper.com/article-free-ssl-certificates-from-a-free-certificate-authority.html
We accept the risc in the browser, and are now able to access the webpage via HTTPS:
Last thing to configure is the wifi.
First make sure that the wifi dongle is functioning correctly — it ought to work automagically when connected to USB.
rpi_admin@skarpline-iot:~ $ sudo iwlist wlan0 scanwlan0 Scan completed :…Cell 03 — Address: 12:34:56:78:98:76ESSID:”No_I_dont_want_to_share_my_ssid “Protocol:IEEE 802.11bgnMode:MasterFrequency:2.472 GHz (Channel 13)Encryption key:onBit Rates:144 Mb/sExtra:rsn_ie=30140100000fac040100000fac040100000fac020c00IE: IEEE 802.11i/WPA2 Version 1Group Cipher : CCMPPairwise Ciphers (1) : CCMPAuthentication Suites (1) : PSKIE: Unknown: DD8C0050F204104A0001101044000102103B0001031047001092C81F59E93B13E0061B4916F8D00DBE102100055A7958454C1023000C564D47383932342D423130411024000C564D47383932342D4231304110420007393633363847571054000800060050F20400011011000C564D47383932342D4231304110080002200C103C0001031049000600372A000120Quality=48/100 Signal level=100/100rpi_admin@skarpline-iot:~ $
Excellent, my wifi is detected. Now we configure the settings in the Raspberry Pi, which is done by editing the wpa_supplicant.conf file:
rpi_admin@skarpline-iot:~ $ sudo nano /etc/wpa_supplicant/wpa_supplicant.confAnd add the wifi ssid and wpa key to the file (Your ssid/wpa key, not mine!):
network={ssid=” No_I_dont_want_to_share_my_ssid “psk=” No_I_definately_dont_want_to_share_my_wpa_key”}
Reboot the Raspberry Pi, and remember to disconnect the LAN cable. After copmpleting booting the Raspberry Pi will not connect automatically to the wifi (it might take a minute or two).
Last thing, before you’re off the hook: We must install a suitable library for communicating with the GPIO pins of the Raspberry Pi. I choose wiringPi, which must be installed from github. First install git:
rpi_admin@skarpline-iot: $ sudo apt-get install git-coreNext retrieve wiringPi:
rpi_admin@skarpline-iot:~ $ git clone git://git.drogon.net/wiringPiCloning into ‘wiringPi’…remote: Counting objects: 944, done.remote: Compressing objects: 100% (770/770), done.remote: Total 944 (delta 671), reused 217 (delta 142)Receiving objects: 100% (944/944), 290.40 KiB | 306.00 KiB/s, done.Resolving deltas: 100% (671/671), done.Checking connectivity… done.rpi_admin@skarpline-iot:~ $
Now install wiringPi:
rpi_admin@skarpline-iot:~ $ cd wiringPi/rpi_admin@skarpline-iot:~/wiringPi $ ./build
Wonder if it works?
pi_admin@skarpline-iot:~/wiringPi $ gpio -vgpio version: 2.31Copyright (c) 2012–2015 Gordon HendersonThis is free software with ABSOLUTELY NO WARRANTY.For details type: gpio -warranty
Awesome!
Now we’re done. If you made it this far, well done. This part was a bit boring, I admit. But next article will be on creating the hardware. There is a good chance of electrical shocks and solder iron burns. Stay tuned…
—
Read more on my blog: http://www.geekoholic.net
