Raspberry Pi — Headless Configuration

Photo by Harrison Broadbent on Unsplash

In this article we will find out how to configure the Raspberry Pi 4 without having an external monitor, keyboards and mouse available. It will allow you to log into your RPi (Raspberry Pi) via SSH and connect it to your WiFi.

The Raspberry Pi is a Single Board Computer (SBC) and is a small PC and Laptop, so we will first install the Operating System and then activate all the various useful services.

Using the Raspberry Pi in headless mode may be recommended when creating a web server, media server, NAS or in any case those services where interaction with a keyboard and screen is not necessary.

The essentials things we will need:

  • Laptop or Personal Computer
  • Raspberry Pi
  • Micro SD

The operations we will perform are:

  • Installation of Operating System
  • Enable SSH Service
  • WiFi configuration
  • Operating System Update and Upgrade
  • New User Creation
  • Increase the security of the Raspberry Pi server (Firewall, Ban)
  • Setup 2-factor authentication on SSH connections

Installation Raspberry Pi OS

The operating system we are going to install is the recommended by the vendor, and adapted for this type of micro-computer, the name is Raspberry Pi OS.

To install the operating system we can go to the official website of the OS releases (link) and download the Raspberry Pi Imager Tool.

Once the tool has been downloaded and opened, we will find the following screen:

Raspberry Pi Imager
Raspberry Pi Imager

We choose our “Operating System”, we have chosen the Raspberry Pi OS Lite version (but you can choose any one, as long as it is Raspberry Pi OS); select our SD Card and click the WRITE button.

The process will last a few minutes and at the end we will have our Operating System installed on the Micro SD and ready to use.

Raspberry Pi Headless Configuration

The minimum configuration for its startup includes:

  • The configuration for connecting to WiFi
  • Enabling the SSH service.

WiFi Configuration

The file needed to provide the Raspberry Pi OS with an indication of which WiFi to use for the connection is specified in the “wpa_supplicant.conf” file, that we are going to create.

The content of the “wpa_supplicant.conf” file is as follows:

country=ITctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
ssid="WIFI NAME"

Enabling SSH Service

To enable the service, simply create an empty file called ssh inside our Micro SD where our Raspberry Pi OS is installed.

So at the end of this procedure we will have the following two files under the main boot directory of our Micro SD:

  • wpa_supplicant.conf
  • ssh

Now we can proceed to insert the Micro SD into our Raspberry Pi and start it!

OS Configuration

Once our Raspberry Pi is started, it will connect to our WiFi network.

To connect to our small server we will use the SSH protocol, with the help of a tool like PuTTy or using our favorite SSH Client.

We will use the hostname of our server which is raspberrypi, and the default credentials of the OS which are:

  • username= pi
  • password= raspberry

Running the command:

ssh pi@raspberrypi

and by entering the password, we will be magically connected to our Raspberry Pi.

Now we can proceed to update the Operating System, with the latest security fixes by launching this command:

sudo apt update
sudo apt upgrade

Exapdn Filesystem

sudo raspi-config

In the newly opened window we go to “Advanced Options”

raspi-config > Advanced Options
raspi-config > Advanced Options

and the click on “Expand Filesystem”.

raspi-config > Advanced Options > Expand Filesystem
raspi-config > Advanced Options > Expand Filesystem

Assign a Static IP to the Raspberry Pi

To assign a static IP on our Router to the Raspberry Pi we need to edit the “/etc/dhcpcd.conf” file.

Assigning a static IP is always useful also for the router side configurations that we are going to carry out.

Let’s open our file being edited with the command:

sudo nano /etc/dhcpcd.conf

And we will insert the following text:

interface wlan0
static ip_address=
static routers=
static domain_name_servers=

As you can see we have set the following values:

  • Static IP = (it will be that of our Raspberry Pi)
  • Router IP =
  • DNS = (We will use Google DNS)

Create a new Users

Now we can proceed to create our user on the machine and disable the default user pi to avoid unpleasant surprises from malicious people.

As the name of the new user we will use andrea. To create the new user we can execute the commands:

sudo adduser andreasudo usermod -a -G users,sudo andrea

The first command will create the user and ask us what password to set, while the second will make it a sudoers user (same root rights).

Now let’s proceed to block and disable the default pi user:

sudo su andreasudo passwd --lock pi

Now we’re going to tell the SSH service which user we can expect connections from. We will enable the new user andrea and disable the old user pi.

Let’s edit the /etc/ssh/sshd_config file with

sudo nano /etc/ssh/sshd_config

And we’re going to add the following content to the end of the file:

AllowUsers andrea
DenyUsers pi

Now we can reboot our Raspberry Pi from the command line:

sudo reboot

And we can now connect with our new user:

ssh andrea@raspberrypi

or use the static IP that we have set:

ssh andrea@

Increase the security of our Raspberry Pi

To limit and block unwanted access to our Raspberr Pi server we will increase the level of protection and security of our operating system, by installing:

  • UFW → Uncomplicated Firewall
  • Fail2Ban → Tool to prevent brute-force attacks
  • Google Authenticator → Library to increase the complexity of accessing the server

UFW Firewall — Installation

To install and enable the Firewall service we run the following commands:

sudo apt install ufwsudo ufw enable

and add the rule to enable SSH connections (Port 22):

sudo ufw allow 22

Fail2Ban Installation

Now let’s install the fail2ban tool to prevent brute-force attacks on our system, so as to intercept the IPs of the attackers and insert them in a temporary (configurable) blacklist of IPs.

sudo apt install fail2bansudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

The first command installs the necessary packages, the second sets the component’s default configuration.

If we want to set the bantime and maxretry parameters to configure our security policy:

  • bantime → BAN time for an IP
  • maxretry → After how many unsuccessful login attempts the BAN is triggered

I personally use these values:

fail2ban configuration
fail2ban configuration

Google Authenticator — 2FA (2 Factor Authentication)

To increase the protection we will install the component for the 2-factor authentication of Google Authenticator for SSH access, so at the attempt to connect SSH over the password we will have to enter a verification code auto-generated by our mobile application of Google Authenticator .

SSH ChallangeResponse

Enable the challenge-response mode on the SSH service:

sudo nano /etc/ssh/sshd_config

and change the string ChallengeResponseAuthentication from no to yes.


and restart the SSH service:

sudo systemctl restart ssh

Google Authenticator Installation

Let’s install the Google module with the command:

sudo apt install libpam-google-authenticator

and open it for configuration:


Once the questions have been answered from the terminal, a QR Code will appear that we will have to enter on the Google Authenticator application on our Smartphone.

The Google Authenticator application for Smartphone is as follows:

Scanned the QR Code with our smartphone the application will show the following screen (obviously with different names/codes):

Google Authenticator
Google Authenticator

2 Factor Authentication (2FA)

Let’s enable 2-factor authentication with the use of the Pluggable Authentication Modules (PAM).

To configure PAM we open the file:

sudo nano /etc/pam.d/sshd

and enter the string

auth required pam_google_authenticator.so

immediately after @inclue common-auth

The beginning of the file must thus be:

PAM Google Authenticator
PAM Google Authenticator

Let’s finish the configuration with the restart of the SSH service:

sudo systemctl restart ssh

Now at the next SSH login, after the password, a Verification Code will be requested which will be present on the Google Authenticator application.




Digital Software Architecture

Recommended from Medium

WWDC 2017: A developer’s wish list

Run Native Julia Code WITH PYTHON!

Python for Beginners: The 7 Basic Concepts You Need to Know — Easy and Efficient!

2017 Document Management Software Comparison: eFileCabinet vs Pinpoint

Expand Bootstrap spacing classes with Sass

Writing a high-quality data pipeline for master data with Apache Spark — Part 2

Using SQL Server Temporal Tables with Hibernate

Why Business Owners Should Care About Code Quality

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Andrea Scanzani

Andrea Scanzani

IT Solution Architect and Project Leader (PMI-ACP®, PRINCE2®, TOGAF®, PSM®, ITIL®, IBM® ACE).

More from Medium

How to install GEOS for PHP 8.1 on an Apple Silicon Mac

Setting up SSH Authentication in Remote Server

How to connect your pc to Gitlab with ssh

Harden Your Website With Traefik And Security Headers

Photo by Peter Conrad on Unsplash