Raspberry Pi Firewall Command Line Configuration Step-by-Step

Raspberry Pi Firewall Command Line Configuration Step-by-Step #homelab #selfhosted #rapsberrypi #RaspberryPifirewallguide #UFWsetuponRaspberryPi #SecureRaspberryPinetworking #RaspberryPiUFWconfigurations #TroubleshootingUFWissues #RaspberryPifirewall

Raspberry Pi OS is an extremely popular self-hosting platform many use for running services. Let’s set the tone for Raspberry Pi firewall configuration via the command line and see what we will learn. Raspberry pi os What: A step-by-step how-to guide for UFW (Uncomplicated Firewall) on your Raspberry Pi Where: You can use this on native Raspberry Pi devices or other platforms like virtual…

View On WordPress

Raspberry Pi Kiosk with Security and Backup

Needs on for the Computer and Raspberry Pi

-Belena Etcher - https://www.balena.io/etcher/

-Raspbian Buster Lite - https://downloads.raspberrypi.org/raspbian_lite_latest

-Micro SD Card reader/writer

-Wired keyboard

Installing OS on Micro SD card

After downloading Raspbian Lite and Belena Etcher on your Windows machine, Select the Raspbian Lite img file. If it is still in the original zip file, please make sure you unzip or extract all the files so that Etcher can access the image file.

Select the Micro SD card, and Flash the Micro SD card.

Once the flash is complete, then you will plug in the Micro SD card to the Raspberry Pi and let it boot. You should see the following screen.

You should see the default Raspberry Login: 

Username: pi

Password: raspberry

Configuring the Raspberry Pi

Change the default username and password for the raspberry pi:

Type: Sudo raspi-config

Select option 2 and follow the instructions to change the password to something else for security.

Select the language/region option specifically for the keyboard. You will have to change to keyboard to be an English - US keyboard NOT English – GB (Great Britain) keyboard. If you do not set this up correctly, you will not be able to type commands properly.

We will also need updates

sudo apt-get update

sudo apt-get upgrade (This may take a while)

sudo apt-get install unattended-upgrade

Reboot the device by typing:

sudo reboot

Login to pi

Now we will plug our raspberry pi into the network and configure our localized options with:

sudo raspi-config

Go to the main screen and go to option 3 and select option 1 and select B2.

Now we will install the kiosk software:

sudo apt-get install –no-install-recommends xserver-xorg x11-xserver-utils xinit openbox

This will take 5 minutes. After it installs, then we will be using chromium browser in incognito mode to configure the webpage.

Set this for Kiosk mode:

Sudo apt-get install –no-install-recommends chromium-browser

Type y

This will take 10 minutes to install.

Now we will setup autostart.

sudo nano /etc/xdg/openbox/autostart

You will see the following:

Note: If you do not see the screen above, you may have to troubleshoot. Troubleshooting steps: run the following:

sudo apt-get clean

sudo apt-get autoremove

sudo apt-get remove --auto-remove --purge 'libx11-.*'

sudo apt-get autoremove --purge

Now, go back and re-install the kiosk software and the chromium browser.

Once, get the screen above, leave everything as is. Move to the bottom of the screen where there is no text. Type:

xset s off

xset s noblank

xset –dpms

chromium-browser --disable-infobars --kiosk --incognito ‘http://www.DavidAlanGarza.com’

Once you have that set, type Cntl-X type y Click Enter

Now to disable the mouse cursor:

Type: startx -- -nocursor -incognito

This will display the webpage or should. If it did not, you will need to see what needs correcting on the code above.

Now we will go back into

Nano .bash_profile

Now type the following very very carefully:

[[ -z $DSIPLAY && $XDG_VTNR –eq 1 ]] && startx -- -nocursor

Type CNTL-X to save and type y

Improve Security:

We will deny sshd by typing

sudo nano /etc/ssh/sshd_config

allowUsers pi

Now we will install a firewall by typing the following:

sudo apt install ufw

sudo ufw enable

Now we will install an fail2ban which scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc). Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.

Type: sudo apt install fail2ban

Installing Automatic Updates:

By default your Pi won’t be rebooted if required, so if you want it to (and want to set the time) you can do that like this:

First install Unattended-upgrade

sudo apt-get install unattended-upgrade 

sudo sed -i 's/^\/\/Unattended-Upgrade::Automatic-Reboot "false";/Unattended-Upgrade::Automatic-Reboot "true";/g' /etc/apt/apt.conf.d/50unattended-upgrades

 sudo sed -i 's/^\/\/Unattended-Upgrade::Automatic-Reboot-Time "02:00";/Unattended-Upgrade::Automatic-Reboot-Time "02:00";/g' /etc/apt/apt.conf.d/50unattended-upgrades

 And if you want unused packages to be removed (like when you run apt-get autoremove):

 sudo sed -i 's/^\/\/Unattended-Upgrade::Remove-Unused-Dependencies "false";/Unattended-Upgrade::Remove-Unused-Dependencies "true";/g' /etc/apt/apt.conf.d/50unattended-upgrades

 Next we must create the /etc/apt/apt.conf.d/20auto-upgrades file to instruct the updater what to do:

 sudo tee /etc/apt/apt.conf.d/20auto-upgrades > /dev/null <<EOF

APT::Periodic::Update-Package-Lists "1";

APT::Periodic::Unattended-Upgrade "1";

EOF

 And that’s all there is to it! Every day your Pi will now check for updates

Cloning Micro SD

Download Win32 Disk Imager onto your computer. https://sourceforge.net/projects/win32diskimager/

If you have a micro sd card you want to image, plug it into the computer.

You will see the following window:

In the image file type in where you want to save an img file. You can create an empty text file and rename it to be a .img file and write over it if you want to create an image.

Select Write to write over the image file. Select Read to erase and image the Micro SD card with whatever is on the .img file.

Last Note:

If you are noticing that something is not working right while you are building this kiosk. You may want to completely restart from scratch and re-install the OS. On of the main things about this Raspbian and these Raspberry Pi’s is that if one thing gets slightly corrupt, then the whole system can be corrupted. So with this project, be patient, and take your time. The majority of the code is Case Sensitive. It can be tedious, but I know you can do it! I hope you have fun setting up the kiosk.

Hidden Wifi:

I found out these would not connect to the hidden Wireless. It would even attempt to access. 

You must open text editor to:

sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

and change the following:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev update_config=1 country=US

network={        ssid="Your Hidden SSID"        scan_ssid=1         key_mgmt=WPA-PSK         psk="Your SSID's Password"

}

Midterm Documentation

Introduction

This write up is for my midterm project. The goal of this project was to create interactive art using an "air piano" and computers.

"Air piano" is similar to an "air guitar", in the sense that users will be playing keys in the air to create sound. This is established by using a Pi and a laser range finder (LRF). The LRF can determine the distance from the source to the object, which act as the range for determining which key is pressed. For example, if the set maximum range is 1000, and there are 10 keys, a measured distance of 50 will result in the first key being "pressed". This is because the bins range from 0 to 1000, in intervals of 100. Each bin corresponds to a key. The distance will fall in one of the bins, which can then activate the key.

The second part is audience interactivity. Since only one person can use the LRF, it is difficult for the whole audience to participate. This can be fixed by allowing participants to use their personal computers to interact with the piece. A webserver is used to show the pressed keys, and allows others to use their keyboards and also create music. Their keystrokes are shared among all users, so everybody can create sound together.

The rest of the this writeup will discuss how I setup all of the components. Any mistakes that I have made will be explained at the end.

Components

Raspberry Pi

Electronics Starter Kit

Parallax Laser Range Finder

Private Webserver

Setting up the Webserver

The first step is purchasing private server. This is necessary because interactivity can be established by allowing all clients to interact with a central host, which is my webserver.

I personally bought the cheapest droplet because this project does not need a lot of computing power. I selected Ubuntu with NodeJS as the system image, so that less setup is required. Then, I selected the SF location server because it is the closest one to me, which will result in lower latency.

Next, I had to login to my private server.

There were a few of methods I used to login. I used ssh, the online console. Both methods are nearly identical, but I prefer using ssh. I also used PuTTY on my Windows machine to ssh in. On my Macbook, I used console/terminal to ssh.

I entered the following commands to setup the extreme basics of Nginx (webserver). Pm2 is an easy to use process manager, which will be useful for forking processes.

sudo apt update sudo apt install nginx sudo ufw allow 'Nginx HTTP' sudo npm install pm2 -g

After that, I organized my webserver because organization is always very important!

cd /var/www/html mkdir public

This will create a new folder called public, where I stored client sided files. That means that vistors will be shown the files inside public.

Now, I modified the configuration of Nginx so that it knows what to display.

nano /etc/nginx/sites-available/default

I changed the line containg root /var/www/html; to root /var/www/html/public;. This basically changes which directory is the root or public directory of the website. Anything in the public directory can be displayed or found by visitors.

Setting up the Server

As a side note, this whole section is a mistake that I will explain at the end of this write up. After navigating to /var/www/html, I created a new file called server.js and installed some necessary libraries.

cd /var/www/html npm install express npm install socket.io nano server.js

I'm using Express to create the server because it requires very little setup. The following code block will load in the necessary libraries and initialze Express.

const http = require('http'); const express = require('express'); var app = express();

The following block initializes the server on localhost port 8080. Any connections to that port will establish a connection between the client and server. It includes a callback function that includes callbacks whenever data is transmitted from the client to server and when the client disconnects. When it recieves a signal post, it broadcasts the casted data to everybody that is connected. The client will handle the incoming data.

var server = app.listen(8080); var io = require('socket.io')(server); io.sockets.on('connection', function (socket) { console.log("We have a new client: " + socket.id); socket.on('post', function(data) { io.sockets.emit('post', parseInt(data)); } ); socket.on('disconnect', function() { console.log("Client has disconnected"); }); } );

This next block basically creates another server on port 3000 that handle POST requests.

var restServer = http.createServer((req, res) => { if (req.method === 'POST') { var body = ''; req.on('data', function (data) { body += data; }); req.on('end', function () { io.sockets.emit('post', parseInt(body)); }); res.writeHead(200, {'Content-Type': 'text/html'}); res.end('POST received'); } else { response.end('Not POST'); } }); restServer.listen(3000);

I saved the file and started it as a background process using pm2.

pm2 start server.js

This will start server.js as a process in the background, so it will be able to listen on ports 8080 and 3000.

Setting up the Client

I created a new folder in /var/www/html/public called assets to store my piano sounds. Next, I made a new file called sketch.js, which holds the client code.

const naturalKeyNames = ['A', 'B', 'C', 'D', 'E', 'F', 'G']; // Keep track of our socket1 connection var socket1; var keys = {1: keyA, 2: keyB, 3: keyC, 4: keyD, 5: keyE, 6: keyF, 7: keyG}; var sounds = []; //5x3 letters var currentRow = 0; var currentColumn = 0; var w; var columns; var rows; var board; var next; function preload() { for (let i = 0; i < naturalKeyNames.length; i++) { sounds.push(loadSound(String('assets/reg-' + naturalKeyNames[i] + '.mp3'))); } console.log(sounds) } function setup() { createCanvas(1872, 1024); frameRate(30); w = 20; // Calculate columns and rows columns = floor(width/w); rows = floor(height/w); // Wacky way to make a 2D array is JS board = new Array(columns); for (var i = 0; i < columns; i++) { board[i] = new Array(rows); } // Going to use multiple 2D arrays and swap them next = new Array(columns); for (i = 0; i < columns; i++) { next[i] = new Array(rows); } socket1 = io.connect('http://178.128.70.190:8080'); socket1.on('post', function(data) { console.log(currentColumn, currentRow); keys[data](currentColumn, currentRow, 255); currentColumn += 4; if (currentColumn + 3 > columns) { currentRow += 6; currentColumn = 0; } if (currentRow + 5 > rows) { currentRow = 0; currentColumn = 0; } sounds[data - 1].play(); } ); console.log(columns, rows); }

This block of code splits the canvas into blocks, depending on the set width and height and connects to the websocket. It also contains a function that handles socket packets. Whenever the server sends a packet with a key 'post', this function will run. It basically sets the row and column of where the next letter will be placed and also plays the corresponding sound.

The next block of code allows limited keyboard input.

function keyPressed() { if (key <= '7' && key !== '0') { socket1.emit('post', key); } }

Basically, whenever a key number key from 0 to 7 is pressed, it sends a packet to the server with the key number as its data. The server will transmit the data recieved from the client to all clients, so everybody else can see what is played.

This next part contains functions that draw the letters. Based on the current row and column, it sets the block the color white. The getValue function is not needed, but was there because of an idea that I wanted but decided it would not be in the final version. There are also functions between keyA and keyG, but most of the code is the same, and to save space, I'm not including it here.

function draw() { background(255); for ( var i = 0; i < columns;i++) { for ( var j = 0; j < rows;j++) { if (!isNaN(board[i][j])) { board[i][j] -= 1.5; fill(board[i][j]); } else { fill(0); } stroke(0); rect(i*w, j*w, w-1, w-1); } } } function getValue(mode) { if (mode === true) { return floor(random(2)); } return mode; } // TODO: Modularize this function keyA(x=0, y=0, value=false) { board[0 + x][0 + y] = getValue(value); board[0 + x][1 + y] = getValue(value); board[0 + x][2 + y] = getValue(value); board[0 + x][3 + y] = getValue(value); board[0 + x][4 + y] = getValue(value); board[2 + x][0 + y] = getValue(value); board[2 + x][1 + y] = getValue(value); board[2 + x][2 + y] = getValue(value); board[2 + x][3 + y] = getValue(value); board[2 + x][4 + y] = getValue(value); board[1 + x][0 + y] = getValue(value); board[1 + x][2 + y] = getValue(value); } ... function keyG(x=0, y=0, value=false) { board[0 + x][0 + y] = getValue(value); board[0 + x][1 + y] = getValue(value); board[0 + x][2 + y] = getValue(value); board[0 + x][3 + y] = getValue(value); board[0 + x][4 + y] = getValue(value); board[1 + x][0 + y] = getValue(value); board[1 + x][2 + y] = getValue(value); board[1 + x][4 + y] = getValue(value); board[2 + x][0 + y] = getValue(value); board[2 + x][2 + y] = getValue(value); board[2 + x][3 + y] = getValue(value); board[2 + x][4 + y] = getValue(value); }

After coding all of that, I ran sudo systemctl restart nginx to restart the webserver. Going to my website now loads the sketch.

The Raspberry Pi and LRF

This section will be completed in the following days.

Mistakes

So, the main mistake is that this whole project is not the correct way to setup a webserver. Due to a lack of sleep, I misunderstood some documentation, which confused my view on a webserver.

The fix for this mistake is to just use ExpressJS for the whole thing. The whole public file system and pm2 is not necessary because Express can serve static files. Instead of having pm2 host server.js in the background, and Nginx serving index.html, sketch.js, and assets/, Nginx can just serve one javascript file that contains code that uses Express to deliver sketch.js and handle websockets.

The code might something like this:

var express = require('express') , routes = require('./routes') , http = require('http'); var app = express(); var server = app.listen(3000); var io = require('socket.io').listen(server); // this tells socket.io to use our express server app.configure(function(){ app.set('views', __dirname + '/views'); app.set('view engine', 'jade'); app.use(express.favicon()); app.use(express.logger('dev')); app.use(express.static(__dirname + '/public')); app.use(express.bodyParser()); app.use(express.methodOverride()); app.use(app.router); }); app.configure('development', function(){ app.use(express.errorHandler()); }); app.get('/', routes.index);

This allows Express to handle everything. When going to the default webaddress, the public files will be served. It also starts a websocket, so clients can connect.

A short summary is that I basically complicated my delivery of files by using pm2 with Nginx, while the whole server can be hosted just using Nginx. In other words, I was using pm2 to host the server and Nginx to deliver the client. In reality, Nginx should have hosted the server and client using Express.