Raspberry Pi — Headless Configuration
In this article we will find out how to configure the Raspberry Pi 4 without having an external monitor, keyboard and mouse available. It will allow you to log into your RPi (Raspberry Pi) via SSH and connect it to your WiFi.
The Raspberry Pi is a Single Board Computer (SBC) that works like a small PC or laptop, so we will first install the Operating System and then activate all the various useful services.
Using the Raspberry Pi in headless mode may be recommended when creating a web server, media server, NAS or in any case those services where interaction with a keyboard and screen is not necessary.
The essential things we will need:
- Laptop or Personal Computer
- Raspberry Pi
- Micro SD
The operations we will perform are:
- Installation of Operating System
- Enable SSH Service
- WiFi configuration
- Operating System Update and Upgrade
- New User Creation
- Increase the security of the Raspberry Pi server (Firewall, Ban)
- Setup 2-factor authentication on SSH connections
Installing Raspberry Pi OS
The operating system we are going to install is the one recommended by the vendor and adapted for this type of micro-computer: Raspberry Pi OS.
To install the operating system we can go to the official website of the OS releases (link) and download the Raspberry Pi Imager Tool.
Once the tool has been downloaded and opened, we will find the following screen:
We choose our “Operating System” (we have chosen the Raspberry Pi OS Lite version, but you can choose any one, as long as it is Raspberry Pi OS), select our SD Card and click the WRITE button.
The process will last a few minutes and at the end we will have our Operating System installed on the Micro SD and ready to use.
Raspberry Pi Headless Configuration
The minimum configuration for its startup includes:
- The configuration for connecting to WiFi
- Enabling the SSH service.
WiFi Configuration
Raspberry Pi OS reads which WiFi network to use for the connection from a file called “wpa_supplicant.conf”, which we are going to create.
The content of the “wpa_supplicant.conf” file is as follows:
country=IT
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="WIFI NAME"
    psk="WIFI PASSWORD"
}
—
Enabling SSH Service
To enable the service, simply create an empty file called ssh inside our Micro SD where our Raspberry Pi OS is installed.
—
So at the end of this procedure we will have the following two files under the main boot directory of our Micro SD:
- wpa_supplicant.conf
- ssh
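The two files described above can be created from the laptop once the card's boot partition is mounted. The script below is an added example, not part of the original article; the function name, the demo values and the use of wpa_passphrase (when it is installed) to store a derived key instead of the clear-text password are assumptions of this example.

```shell
#!/bin/sh
# Added example: create wpa_supplicant.conf and the empty ssh file on the
# mounted boot partition of the card.

# write_headless_files BOOT_DIR COUNTRY SSID PASSPHRASE
write_headless_files() {
    boot=$1; country=$2; ssid=$3; pass=$4
    [ -d "$boot" ] || { echo "boot directory not found: $boot" >&2; return 1; }
    # WPA2 passphrases are 8 to 63 characters long.
    if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "passphrase must be 8-63 characters" >&2; return 1
    fi
    # A double quote would end the quoted value early and corrupt the file.
    case "$ssid$pass" in
        *'"'*) echo "double quotes are not supported here" >&2; return 1 ;;
    esac
    {
        printf 'country=%s\n' "$country"
        printf 'ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev\n'
        printf 'update_config=1\n\n'
        if command -v wpa_passphrase >/dev/null 2>&1; then
            # Store the derived key instead of the password; wpa_passphrase
            # also echoes the password as a "#psk=" comment, which is dropped.
            wpa_passphrase "$ssid" "$pass" | grep -v '#psk='
        else
            printf 'network={\n    ssid="%s"\n    psk="%s"\n}\n' "$ssid" "$pass"
        fi
    } > "$boot/wpa_supplicant.conf"
    : > "$boot/ssh"        # empty marker file that enables the SSH service
}

# Demo against a scratch directory standing in for the boot partition.
demo=$(mktemp -d)
write_headless_files "$demo" IT "WIFI NAME" "WIFI PASSWORD" && ls "$demo"
rm -rf "$demo"
```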
Now we can proceed to insert the Micro SD into our Raspberry Pi and start it!
OS Configuration
Once our Raspberry Pi is started, it will connect to our WiFi network.
To connect to our small server we will use the SSH protocol, with the help of a tool like PuTTY or using our favorite SSH Client.
We will use the hostname of our server which is raspberrypi, and the default credentials of the OS which are:
- username= pi
- password= raspberry
Running the command:
ssh pi@raspberrypi
and by entering the password, we will be magically connected to our Raspberry Pi.
Now we can proceed to update the Operating System, with the latest security fixes by launching this command:
sudo apt update
sudo apt upgrade
Expand Filesystem
sudo raspi-config
In the newly opened window we go to “Advanced Options” and then click on “Expand Filesystem”.
Assign a Static IP to the Raspberry Pi
To assign a static IP on our Router to the Raspberry Pi we need to edit the “/etc/dhcpcd.conf” file.
Assigning a static IP is also useful for the router-side configurations that we are going to carry out.
Let’s open the file for editing with the command:
sudo nano /etc/dhcpcd.conf
And we will insert the following text:
interface wlan0
static ip_address=192.168.1.100/24
static routers=192.168.1.1
static domain_name_servers=8.8.8.8
As you can see we have set the following values:
- Static IP = 192.168.1.100 (it will be that of our Raspberry Pi)
- Router IP = 192.168.1.1
- DNS = 8.8.8.8 (We will use Google DNS)
Create a New User
Now we can proceed to create our user on the machine and disable the default user pi to avoid unpleasant surprises from malicious people.
As the name of the new user we will use andrea. To create the new user we can execute the commands:
sudo adduser andrea
sudo usermod -a -G users,sudo andrea
The first command will create the user and ask us what password to set, while the second will make it a sudoers user (same root rights).
Now let’s proceed to block and disable the default pi user:
sudo su andrea
sudo passwd --lock pi
Now we’re going to tell the SSH service which user we can expect connections from. We will enable the new user andrea and disable the old user pi.
Let’s edit the /etc/ssh/sshd_config file with
sudo nano /etc/ssh/sshd_config
And we’re going to add the following content to the end of the file:
AllowUsers andrea
DenyUsers pi
Now we can reboot our Raspberry Pi from the command line:
sudo reboot
And we can now connect with our new user:
ssh andrea@raspberrypi
or use the static IP that we have set:
ssh andrea@192.168.1.100
Increase the security of our Raspberry Pi
To limit and block unwanted access to our Raspberry Pi server we will increase the level of protection and security of our operating system, by installing:
- UFW → Uncomplicated Firewall
- Fail2Ban → Tool to prevent brute-force attacks
- Google Authenticator → Library to increase the complexity of accessing the server
UFW Firewall — Installation
To install and enable the Firewall service we run the following commands:
sudo apt install ufw
sudo ufw enable
and add the rule to enable SSH connections (Port 22):
sudo ufw allow 22
Fail2Ban Installation
Now let’s install the fail2ban tool to prevent brute-force attacks on our system, so as to intercept the IPs of the attackers and insert them in a temporary (configurable) blacklist of IPs.
sudo apt install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
The first command installs the necessary packages, the second sets the component’s default configuration.
We can then set the bantime and maxretry parameters to configure our security policy:
- bantime → BAN time for an IP
- maxretry → After how many unsuccessful login attempts the BAN is triggered
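To make maxretry concrete, the following added example (not fail2ban's own code and not from the original article) applies the same counting rule to constructed sshd log lines: an address is reported once it reaches maxretry failed logins inside a time window, which fail2ban calls findtime. The function names, the sample lines and the same-day timestamp assumption belong to this example.

```shell
#!/bin/sh
# Added example: which addresses would reach maxretry failures within findtime?

# Constructed sample in classic syslog format (documentation address ranges).
sample_log() {
    cat <<'EOF'
Jan 10 10:00:01 raspberrypi sshd[801]: Failed password for pi from 203.0.113.5 port 40001 ssh2
Jan 10 10:00:03 raspberrypi sshd[801]: Failed password for pi from 203.0.113.5 port 40001 ssh2
Jan 10 10:00:04 raspberrypi sshd[802]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Jan 10 10:01:00 raspberrypi sshd[810]: Failed password for andrea from 198.51.100.7 port 50010 ssh2
Jan 10 10:02:00 raspberrypi sshd[811]: Accepted password for andrea from 198.51.100.7 port 50011 ssh2
Jan 10 10:30:00 raspberrypi sshd[820]: Failed password for andrea from 198.51.100.7 port 50020 ssh2
Jan 10 11:30:00 raspberrypi sshd[830]: Failed password for andrea from 198.51.100.7 port 50030 ssh2
EOF
}

# ban_candidates MAXRETRY FINDTIME_SECONDS  (log lines on stdin, one day only)
ban_candidates() {
    awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password for / {
        # The user name is chosen by the client, so locate the address by
        # position from the end of the line: "... from ADDR port N ssh2".
        if ($(NF - 4) != "from" || $(NF - 2) != "port") next
        ip = $(NF - 3)
        split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
        n = ++count[ip]; stamp[ip, n] = now
        # Forget failures that have fallen out of the findtime window.
        while (now - stamp[ip, first[ip] + 1] > findtime) first[ip]++
        if (n - first[ip] >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

sample_log | ban_candidates 3 600     # prints 203.0.113.5
```

With a two-hour window (`ban_candidates 3 7200`) the second address is reported as well, because its three failures then fall inside one window.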
I personally use these values:
Google Authenticator — 2FA (2 Factor Authentication)
To increase the protection we will install the Google Authenticator component for 2-factor authentication on SSH access, so that when we connect over SSH, in addition to the password, we will have to enter a verification code auto-generated by the Google Authenticator mobile application.
SSH ChallengeResponse
Enable the challenge-response mode on the SSH service:
sudo nano /etc/ssh/sshd_config
and change the value of ChallengeResponseAuthentication from no to yes, then restart the SSH service:
sudo systemctl restart ssh
Google Authenticator Installation
Let’s install the Google module with the command:
sudo apt install libpam-google-authenticator
and open it for configuration:
google-authenticator
Once the questions have been answered from the terminal, a QR Code will appear that we will have to scan with the Google Authenticator application on our smartphone.
The Google Authenticator application for Smartphone is as follows:
Once the QR Code has been scanned with our smartphone, the application will show the following screen (obviously with different names/codes):
2 Factor Authentication (2FA)
Let’s enable 2-factor authentication with the use of the Pluggable Authentication Modules (PAM).
To configure PAM we open the file:
sudo nano /etc/pam.d/sshd
and enter the string
auth required pam_google_authenticator.so
immediately after the line @include common-auth
The beginning of the file must thus be:
Let’s finish the configuration with the restart of the SSH service:
sudo systemctl restart ssh
Now at the next SSH login, after the password, a Verification Code will be requested which will be present on the Google Authenticator application.
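A quick offline check of the two files edited in this section, as an added example that is not part of the original article: it confirms that the first challenge-response setting sshd reads is yes (sshd keeps the first value it finds for a keyword; newer OpenSSH names the same option KbdInteractiveAuthentication) and that the PAM line sits after @include common-auth. The function names are hypothetical, and only the main file is read, not any included drop-in files.

```shell
#!/bin/sh
# Added example: offline check of the sshd and PAM files edited above.

# sshd_first_value FILE KEYWORD...: print the first value set for any of the
# given keywords in the global section. A later "yes" does not override an
# earlier "no", so the first occurrence is the one that counts.
sshd_first_value() {
    file=$1; shift
    awk -v keys="$*" '
        BEGIN { n = split(tolower(keys), k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        { sub(/^[ \t]+/, "") }
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }      # conditional blocks are out of scope here
        (tolower($1) in want) { print tolower($2); exit }
    ' "$file"
}

# pam_totp_after_password FILE: succeed only if the google-authenticator line
# is active and placed after "@include common-auth".
pam_totp_after_password() {
    awk '
        /^[ \t]*#/ { next }
        /^@include[ \t]+common-auth/ { inc = NR }
        /^auth[ \t]+required[ \t]+pam_google_authenticator\.so/ && !totp { totp = NR }
        END { exit !(inc && totp > inc) }
    ' "$1"
}

# check_ssh_2fa SSHD_CONFIG PAM_FILE: print each finding, fail if there is any.
check_ssh_2fa() {
    rc=0
    v=$(sshd_first_value "$1" ChallengeResponseAuthentication KbdInteractiveAuthentication)
    [ "$v" = yes ] || { echo "challenge-response is '${v:-unset}', expected yes"; rc=1; }
    pam_totp_after_password "$2" ||
        { echo "pam_google_authenticator.so is missing or not after common-auth"; rc=1; }
    return "$rc"
}

# Usage on the Pi: sh check.sh /etc/ssh/sshd_config /etc/pam.d/sshd
if [ $# -eq 2 ]; then check_ssh_2fa "$1" "$2"; fi
```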