Now some general but serious recommendations and system administration tasks.
Maintaining the packages
Every Linux distribution comes with package manager. Arch Linux has pacman
and we've already
used that in the previous chapter. This is used for managing for installing virtually all
software you are going to use.
Keep number of installed packages low
Less software usually means less maintenance resources, less space used and lower risk of attack. When you get lost in your folder structure and lost track of installed software (what does what), how can you be sure that you are not a happy user of some Trojan or malware? Programs might also have bugs which might be exploited by attacker to get into your system. It get us to another aspect. What low means? Of course it can be exactly specified and it doesn't depend on your specific usage - the magical number using bleeding edge astrology approaches says...
...262 packages! That's exactly what I have on my system and that is still quite manageable.
Up-to-date system
Maintainers are usually hard working on patching their applications while the security
holes are reported. For that reason is absolutely necessary to use up-to-date software on your system.
On Arch Linux you use pacman -Syu
to keep your system updated.
Also try to know about development of security critical packages. Is a development active? If their github repository shows last commit 5 years ago and number of reported issues is increasing, run!
Managing services
Sometimes referred as daemons, these workhorses are usually running at background. For example in next chapter we will use SSH - it will run at background. Services are (on modern systems) managed by controversial service manager systemd
. systemd
is controlled by systemctl
(besides other, now irrelevant commands). To start some program, which is in this context called service (and we will stick to that), just run systemctl start <unit>
. There are other useful (and that’s 90% of what you need to know about systemctl
) commands (all starts with systemctl and ends with desired_unit
- watch example):
enable
- this allow to run service after boot (but it will not start immediately)disable
- this will make device not to start after bootstart
- this will immediately start a service (but will not enable it - it won’t be run after boot)stop
- stop service immediately (but not disable)status
- this will print out all information in pretty format - you can find if it is enabled, started, if there are any errors etc.
Example
There is service, which takes care about connection to network. We will play with that for a minute now. It’s called systemd-networkd
. Try to start it, enable it, disable it and then stop it and get status to see what every command does by trying these:
$ systemctl start systemd-networkd
$ systemctl status systemd-networkd
$ systemctl enable systemd-networkd
$ systemctl status systemd-networkd
$ systemctl disable systemd-networkd
$ systemctl status systemd-networkd
$ systemctl stop systemd-networkd
Last thing you need to know about systemd
for our guide is where these services has it’s own configuration files. They are stored either in /usr/lib/systemd/system/
or /etc/systemd/system
. For example, I’ve noticed SSH service. Configuration file for this service is in /usr/lib/systemd/system/sshd.service
. You can type systemctl cat sshd
to see what is inside and of course it can be edited.
Keep number of running services low
As in previous part with packages, try to keep number of running services low for the same reasons. It's easier to keep track what is now happening on your server, takes less resources and cannot be used for attacks and forgery. How many is low number? I have 14.
Network settings
For following chapters is essential to have your network connection set up correctly. First of all we have to assure that you are going to have still the same IP address. IP address isn't nothing else then just 4 numbers separated by dot and its purpose is same as the number of your room in your house. Why room of the house and not the address of house itself? Well, your house has also IP which in general differs from the one your computer has inside the house. More about local and public IPs can be read here.
Let's assume you are connected using ethernet connection. After connection RPi to the ethernet port in your router, the connection is usually established automatically and your router assigned your RPi by some pseudorandom IP address.To see what IP you are currently assigned can be done by ip addr
. The output should be something like:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether b8:27:eb:2d:25:18 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.201/24 brd 192.168.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::ba27:ebff:fe2d:2518/64 scope link
valid_lft forever preferred_lft forever
eth0
is ethernet connection and you can notice that my current IP is 192.168.0.201
.
We want to make this IP address static - it won't change if you unplug and plug again your device. And how to choose static address? As you know your router is assigning IP address automatically (it is called DHCP). But not randomly in full range. It has some range of IP addresses which it can assign. Standard IP address of router is usually 192.168.0.1
and then assign addresses from 192.168.0.2
to 192.168.0.254
. Second standard is 10.0.0.138
for router and then it assigns addresses from 10.0.0.139
to 10.0.0.254
. But it can be anything else.
I suggest to set one the address on the end from this range. You can notice, that my eth0
has IP address 192.168.0.201
.
Open or create a file /etc/systemd/network/ethernet_static.network
and paste this:
[Match]
Name=eth0
[Network]
Address=the.static.address.rpi/24
Gateway=your.router.ip.address
my case:
[Match]
Name=eth0
[Network]
Address=192.168.0.111/24
Gateway=192.168.0.1
Now you need to remove old non-static default profile /etc/systemd/network/eth0.network
. Move it to your home folder so you can revert changes if something doesn't work.