Publishing your Raspberry Pi web server with Dynamic DNS

This is actually for any home web server, but I'm doing my blog mostly for the Pi. I doubt many people have anything else running a web server at home, and I REALLY wouldn't want anyone running a web server on a PC unless you want every security problem there is.

Back to doing it on your Pi. Here's how to have your own domain name, or a host on someone else's, pointing to a web server that's running on a private IP address behind your broadband router. I'm not going into the details of name servers, A/CNAME/@ records here, because if you don't know them then you shouldn't be fiddling with them.

For now, this tutorial just gives you a A name server record for a host. Note, when using other free/shared domain names such as linkto.me then you won't be able to have the hostname www but you can pick something else. If you have your own domain, you can have both www hostname and domain pointing to your dynamic DNS service.

Dynamic DNS

There are a few free dynamic DNS services, just Google for one you like. I personally used www.no-ip.com though I have used others in the past. No-IP have a variety of services, the free and simple DNS hosting is what I went for. You can select from a list of free domains and just add your own host, or you can pay for a domain, or host a domain you already own.

Following the instructions on the no-ip website, it only took a few minutes to set up and choose a hostname. Then select which domain to put it under, either one of their free ones, one of their paid ones, or one of your own.

Note your hostname including the domain name, username, and password you created on no-ip.com

My router has dynamic DNS built in, so it was a simple matter of entering the options on the router. Put your no-ip (or other dynamic DNS service) details into the section on the router, and it will take care of the rest. When the router gets a different IP address, for example if you turn it off and back on, it will update the dynamic DNS servers and your web server will still be published on the net.

Be aware, DNS changes can take between 24-48 hours to propogate through the internet, particularly if you are using a newly registered or transferred domain. Using the no-ip free host and domain was instant though.

Then you need to set port forwarding to your Pi, which is why your Pi should have a static address. Port forwarding on home routers usually comes under the heading of application sharing. Simply forward port 80 (http) to the internal IP address of your Pi, or web server.

You can also forward other ports, like ftp and others - but be aware of the security implications as each port added means another layer of security needed.

If your router doesn't support dynamic DNS then you need to install a client on the web server. Each one is different depending on who's service you use. So you'll need to follow their instructions.

How to install PhpMyAdmin on a Raspberry Pi

A simple to use browser based MySQL database configuration tool for the Raspberry Pi

If you followed my tutorial on building a Pi web server, and also installed MySQL and PHP, then you'll probably want to install phpmyadmin - which is a handy web browser based administration tool for managing your MySQL databases.

Installing phpmyadmin

Login to your pi and download and install the phpmyadmin package:

$ sudo apt-get install phpmyadmin

When prompted to select which dbconfig tool, select lighttpd. Lighttpd was the web server you installed when you followed my tutorial on installing the web server.

When asked if you want to configure with db-config, select Yes. You'll then get asked for the MySQL root password you entered when you built the MySQL server. Enter it when asked, and again to confirm. Note, this is different and separate from your root login password.

Once the installation is complete, you need to make a link in your web root to where the phpmyadmin scripts are.

$ ln -s /usr/share/phpmyadmin phpmyadmin

This creates a folder on your web server called phpmyadmin which calls the scripts installed in /usr/share/phpmyadmin. You could use any name you like for the folder on the web server, but it needs to link to /usr/share/phpmyadmin.

Let's now test it, by pointing your PC's browser to the folder you made on the web server, in this case, the IP address of your Pi followed by /phpmyadmin

You'll be asked for the MySQL login and password you created.

If you get a warning message on the login screen, or any further screens, that mcrypt is not installed or enabled, install it:

$ sudo apt-get install php5-mcrypt

If the error persists, or you get told that it's already installed, you need to fix the PHP config.

Fix the PHP config file for some common problems
$ sudo vi /etc/php5/cgi/php.ini
Uncomment the line:
cgi.fix_pathinfo=1

Now restart the web server again:
$ sudo service lighttpd force-reload

There's more to write yet for this tutorial, including adding some scripts, and creating limited access users for specific tasks. Please keep coming back to see what I've added.

How to make your Raspberry Pi more secure

Basic security hardening of a Raspberry Pi

NB: This is just for casual home users and hobbyists who have a Pi at home, behind a domestic broadband router. Further security is needed for any other use, and is not covered by this tutorial. Skip to the further reading at the end of this tutorial for some suggestions on where to go next.

Introduction
The default, or common, configuration on the Raspberry Pi is to allow a login straight to the desktop without a password being asked for, even if one is set or left at the default. Once logged in, root access is then available with the command sudo. This applies to direct access, i.e. using the Pi directly with your tv as a display - which is how most people will be using it.

Remote desktop, ssh, or other remote access will require a login and password. However, the default password might not have been changed. Root access is then available as above with the sudo command. No root password is even asked for. I have a tutorial on this blog for enabling remote desktop access.

This is clearly crazy! So let's fix it.

Make sure everything is uptodate on your Pi

Login to your Pi and go to the Terminal. Run the update process:

$ sudo apt-get update

This may take 5 minutes or more depending on your connection and how much needs to be updated. Did you notice how you just logged into your Pi, and ran a root command probably without any password challenge? We're going to put a stop to that right now.

Change your login password

If you just installed your Pi and didn't change the password for the "pi" login, it will be set at default, probably 'raspberry'. Login to your Pi and go to the LX Terminal. Change your password:

$ passwd

You'll be asked to enter it a second time for confirmation. Make sure it isn't easy to guess, and that only you know it.

Disallow sudo commands for the default 'pi' user

The sudo command allows you to run root commands from a non-root login. The command after sudo is the root command you wish to execute, for example "$ sudo vi /boot/config.txt". sudo access is controlled by a file called /etc/sudoers. You mustn't edit this file with vi, or any other editor, you must edit with the command visudo, which you need to be root for.

Open a terminal, or ssh to the pi. Make a copy of the original sudoers file:

$ su
# cp /etc/sudoers /etc/sudoers.orig

# visudo

Change the line that reads

pi ALL=(ALL) NOPASSWD: ALL
To
pi ALL=(ALL) PASSWD: ALL

Ctrl-x to exit visudo, press y to save, it will ask to save to a temporary file, this is fine, just enter. When it asks "What now?" enter Q to save and exit. The words above in bold underline are simply to show you where to edit.

This means that you can no longer use the sudo command when logged in as pi (the default user). You can only gain root access with the command

$ su

And entering the root password. I have a tutorial on this blog for setting the root password.

NB
Whilst this may be a nuisance for the many instructions that use the command "sudo" you might want to further research the visudo command to enable certain IP addresses to have access without needing the password.

Give yourself a login that can use sudo

You should have a separate login so that you can regularly perform sudo commands without this restriction. Create the login to be used, and set a password.

$ su
# useradd <the login name>
# passwd <the login name>

Now enable <the login name> with visudo as above but allow it without passwords, e.g.

<the login name> ALL=(ALL) NOPASSWD: ALL

Exit and save visudo as you did above. Note, <the login name> is meant to be replaced by the login name you want to use, e.g. mypi or whatever. Some will want to use www-data as the login name for webserver maintenance. The < and > are for illustration only, you don't type them.

Further reading

• Restrict access to sudo to only trusted IP addresses
• Enable ssh key exchange and disallow password login
• iptables
• Restrict remote desktop access by IP address
• Enable remote access via ssh

Document in progress. Please keep coming back to see what's added.

How to set a static IP address on a Raspberry Pi

Note: This is only for wired (eth0) connections. Wifi instructions to follow.

Introduction:
When you first set up your Raspberry Pi, it will have been configured to automatically get an IP address (DHCP). This is fine. But, the address will probably be different each time you switch it on, so to do anything useful with it, like making it a webserver, it will need a static, or fixed known, IP address. That way you will always be able to access it remotely without having to first see what IP address it is using. It also means you'll be able to make your Pi accessible to the internet via port forwarding on your router.

Let's go.

First, make a backup of the current configuration.

SSH to your Pi, or login via the desktop and run Terminal.

$ sudo cp /etc/network/interfaces /etc/network/interfaces.orig

Let's now see what IP address it  has already got.

$ ifconfig -a

eth0      Link encap:Ethernet
          inet addr:192.168.1.74  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

The bits in bold above are the ones we need to know. In this case, our IP address is 192.168.1.74 The rest doesn't matter. We might as well use the same address, but make sure it's permanent (static IP) and doesn't change each time we switch the Pi on.

Next, let's find the IP address of our router (gateway):

$ route -n

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0

Here, it's 192.168.1.254

Note that, in this example, your IP address, and that of the gateway (router) both start with 192.168.1

We'll go ahead and make the IP address static, why not stick with the address we've been given this time, to make things simple. In this case, it's 192.168.1.74 and the gateway is 192.168.1.254

So, edit the file:

$ sudo vi /etc/network/interfaces

Change the line that says:

iface eth0 inet dhcp

To

iface eth0 inet static

And add the following lines after it:

address 192.168.1.74

netmask 255.255.255.0

gateway 192.168.1.254

Save the file. Restart networking:

$ sudo service networking restart

Once you have your command prompt back, let's check the IP address has been set ok.

$ sudo ifconfig -a

We're looking for, in this example, eth0 to be 192.168.1.74

$ route -n

We're looking for, in this example, gateway 192.168.1.254

If you're cynical like me, reboot the Pi and check the above 2 commands again to make sure it's been set. 

$ ifconfig -a

and

$ route -n

You have now given your Pi a static (fixed) IP address of (in this example) 192.168.1.74 and a gateway of 192.168.1.254

Netmask, or subnet mask, or why all the IP addresses above begin with 192.168.1 is another tutorial. Shout me if you want it,

How to set the root password on a Raspberry Pi

To do anything useful on your Raspberry Pi you'll need root access.

NB: Please read and follow the blog tutorial on how to perform basic security hardening on your Pi, otherwise setting a route password is pointless. Because, the default configuration allows root commands to be executed with or without a root password.

A lot of the commands will get you to do "sudo ...and then a command that needs root access"

E.g.
$ sudo ifconfig -a

Which means, run the command "ifconfig -a" as root - su, superuser. But eventually you'll get tired of using sudo when you want to do a load of root commands. You'll want to become su (root) and then run the commands as they are, i.e. without having to put sudo in front of each one.

But, you'll need a root password. Without one, you're leaving your machine wide open to anyone being able to do anything to it,

So, set a root password:

$ sudo passwd
(enter a password to use, and enter it again to confirm it when asked)

That's all you do.

Try it:

$ su
(put in the root password you set, when asked for the password)

# (now you have root access)

Press <ctrl-d> to exit from # (root commands) to $ (non-root commands)

Male sure your root password is not easily guessable, and don't tell it to anyone who doesn't need it. Also, make sure YOU can remember it. Once it's set, you won't be able to gain root access without it.

How to build a Raspberry Pi webserver

Building a Raspberry Pi web server

Prepare your Pi for being a web server

You should follow the following tutorials from this blog before turning your Pi into a web server.

1. Set a root password
2. Assign a static IP address
3. Perform some basic security updates

We'll assume that you've done that, and that you created a www-data user account as per the security tutorial. If not, do that now. Login to your Pi and:

$ sudo useradd www-data
$ sudo passwd www-data

You might also want to follow the tutorial on this blog for overclocking your Pi, but be aware of the risks of overheating.

Install the web server software

We're going to use Lighttp as a web server. You could use Apache but your Pi isn't really powerful enough for that. Lighttp is a lightweight web server.

Login to your Pi as www-data, then:

$ sudo apt-get install lighttpd

Change the directory owner and group:
$ sudo chown www-data:www-data /var/www

Allow the group to write to the directory$ sudo chmod 775 /var/www


Logout and back in again to pick up the new permissions. Now let's test the web server. Point your PC's browser to the ip address of your Pi. You should get a default placeholder page saying something like "The owner of this web site has not put up any web pages yet. Please come back later". This is fine, it tells us that the web server is installed and running.

On your Pi remove the default index page that gave this default page:

$ rm /var/www/index.lighttpd.html

If all you want is a basic web server for some home photos, or to play around with learning HTML then you don't need to do anything else. Your web server is running. It's only visible to other computers on your home network though. To make it visible on the internet you'll need the tutorial on publishing your Pi onto the internet. I'm going to write that soon.

If, you want to create or use dynamic database driven web pages - perhaps your own Word Press server, or anything requiring logins - perhaps a shopping cart? Then you'll need MySQL for the database(s), and PHP for the server side (clever) stuff.

Install the MySQL database (optional)

$ sudo apt-get install mysql-server

During this process it will ask you to set a password for the MySQL root user. This is different and separate from your root login account to the Pi. The installation will take about 5-10 minutes.

Install PHP (optional)

$ sudo apt-get install php5-common php5-cgi php5

If you installed MySQL above then also:

$ sudo apt-get install php5-mysql
This will also take about 5-10 minutes.

Fix the PHP config file for some common problems
$ sudo vi /etc/php5/cgi/php.ini
Uncomment the line cgi.fix_pathinfo=1

Now restart the web server again:
$ sudo service lighttpd force-reload

Testing the PHP installation:
Create a file /var/www/index.php

With the following code:

<?php
  print <<< EOT
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Test successful</title>
</head>
<body>
<h1>Test successful</h1>
<p>Congratulations.</p>
<p>Your webserver and PHP are working.</p>
</body>
</html>
EOT;

?>

Point your PC's browser to the IP address of your Pi. You should see a screen showing your PHP installation is working.

Error 403 - Forbidden?
If you get error 403 - Forbidden then you also need to enable PHP-cgi. Get a root login and:

# cp /etc/lighttpd/conf-available/10-fastcgi.conf /etc/lighttpd/conf-enabled/
# cp /etc/lighttpd/conf-available/15-fastcgi-php.conf /etc/lighttpd/conf-enabled/
# service lighttpd restart

Try again with your PC pointing to the Pi's IP address. You should now have the installation working screen.

Now let's make really sure it's working. Create a file /var/www/test.php

And in it, put:

<?php

phpinfo();

?>

Save it, and point your browser to it's IP address/test.php You will now see your PHP configuration file if everything has worked.

If you installed both MySQL and PHP, then in the next tutorial, we'll set up phpmyadmin which is a browser based MySQL configuration and admin tool.

Overclocking a Raspberry Pi

Overclocking a Raspberry Pi

It's very simple to overclock a Raspberry Pi, i.e make the processor run faster. There are probably many settings you can alter, but all I do is edit /boot/config.txt:

$ sudo vi /boot/config.txt

And edit the line

arm_freq=700 to
arm_freq=1024

Uncomment arm_freq if it is commented (if the line begins with # or !, remove the # or the !)
Save the file, and reboot.

I have both my Raspberry Pis running with arm_freq=1024

They are both stable, and don't overheat. One is in a case which does have venting for heat. The other just sits on top of my tv with no case or venting.

I can't vouch for your Pi, and don't come running to me if yours doesn't work. I'm simply saying here how I overclock mine. Try small steps at a time until you're happy it's stable. E.g. try 800 then 900, etc.

Be aware, any overclocking can brick your machine, overheat it, and/or invalidate your warranty. As far as I'm aware, you can overclock a Pi to 1024 without invalidating the warranty - but please don't quote me on that. It's just something I've read. Both mine are on 1024 and working fine, but yours might not be able to.

Raspberry Pi - remote connection from Windows. A simple(ish) guide

Remote desktop connection

From a Windows PC to a Raspberry Pi

The simple way

An introduction.
Hopefully, I have written this for an average Pi, or Linux, tinkerer who is comfortable with command line stuff, and networking. It's been the hardest project that I've had for a long time. Setting up a web server has been easy, setting up security - easy. Setting up remote webcam viewing? Easy. Setting up Minecraft? Easy. In this blog I'll be writing documents on all of those. In my sleep, compared to this one.

Remote desktop set-up? Rocket science. But, wait, here is a guide on how to do it. I've pulled together all the information I've found THAT WORKS and dismissed several pages of stuff that is either too hard to follow, or just doesn't work without knowledge of other things.

If you want the answer on how to do it in one sentence: Install xdm with xaccess permissions on the pi and then run an x-server on the pc. Easy, no.

Why is it so hard?
What the hell is X-11, and X-11 forwarding? And what is xdm, or tunneling, or ssh, or PuTTY?? Why isn't the Pi the server? Why doesn't it just work? Why do you run the commands on the server to get the client to work, and why is the Pi the client but you don't type the commands on it? And why doesn't installing an x-server just work?

Simple answer? Don't ask. Read this, and you will get it working. If I can do it, anyone who understands a command line can. And that's with my 15 years experience doing everything else with Linux, Unix, Solaris, and many other quite hard to do things.

Unless you have a very patient and friendly expert friend in sysadmin, and, you have a lot of hair to pull out, a lot of time to read website after website after website to try and figure it out for your own setup. And, then, you have enough time to try all the different instruction pages there are - all of which have vital bits missing - like HOW TO MAKE IT WORK!!!! Lots of tekky folk will try and make it sound simple, and show you on THEIR machines how simple it is.

Lastly, virtually every X server out there seems to require a detailed understanding of how X-11 works. Almost all the documentation is written in double Dutch to even the most technical user, and even for me, with too many years experience than I care to say, could not fathom it out.

Launching the Space Shuttle is ALSO simple. When you know how.

I know I'm writing these instruction sheets pretty much backwards, but there's a simple reason. So far, I've been able to set up everything I've needed on my Pi without much extra help, so I just went ahead and did it. But this, remote desktop connections, has been a REAL PAIN for me to work out. And I class myself pretty technical, so I thought I'd write this in case it helps someone else.

Ok, cut the crap, show me how to do it.

You'll need:

1. A Raspberry Pi installed with Raspian Wheezy (Debian)
2. SSH server running on the Pi
3. PuTTY installed on your Windows PC
4. A network connection from your PC to your Pi. Wifi or cable, doesn't matter so long as it works

Steps involved.

1. Configure PuTTY on your PC for X-11 forwarding
2. Configure your Pi for remote desktop access (xdm)
3. Choose and set up an X-11 server on your PC
4. Configure your X-11 server to connect to your Pi. THIS IS THE HARDEST PART TO FIGURE OUT
5. View your Pi desktop on your PC

Step 1. Configure Putty for X-11 forwarding

This is necessary for the two computers to be able to connect to each other over an SSH connection and display remote desktops using X-11 and xdm. You what? Don't worry, just follow this. You need it. SSH standards for Secure Shell. It means your access is encrypted. Nobody but the NSA or GCHQ can read what's being done.

In your PuTTY settings on your PC, make sure that under Connection, SSH, X11, that X11 forwarding is ticked. Save the settings for your Pi connection. I'll write a separate page for this soon.

Edit: On testing, it doesn't seem like SSH is needed, or even enabled. So things aren't encrypted  I'll have to work on this one and try and figure it out for you.

Step 2. Configure the Pi for remote desktop access (X11/xdm)

Use PuTTY to open an SSH connection from your Windows PC to your Pi. 

Become SuperUser (root): 
$ su

Now we'll install the xdm package(s) which we need for X-11 and xdm remote desktop connections.
# apt-get install xdm
When the box comes up asking you if you want lightdm or xdm, choose xdm.

Go to the /etc/X11/xdm directory to edit 2 config files
# cd /etc/X11/xdm

Using vi, or your favourite text editor, edit the file xdm-config
# vi xdm-config

Comment out the line DisplayManager.requestPort:     0
!DisplayManager.requestPort:     0

Save and exit.

# vi Xaccess

Uncomment the line: #*                                      #any host can get a login window

*                                       #any host can get a login window

Save and exit

NB: network security isn't covered here, for now we're just allowing anyone to access the desktop, provided they have the login and password details. Your router should be stopping anyone from the internet accessing it, and your Windows firewall will probably block the first attempt from your PC anyway, you'll need to allow it when the time comes. 

Start the xdm service and install some extra apps.

# service xdm start

# apt-get install x11-apps

Exit su (logout from root) and add a file in your home directory to enable colour desktops.

# <ctrl-d>

$ cd

$ vi .Xdefaults (note the dot before the filename, this is important)

*customization:-color

Save and exit vi.

Repeat this for the root login by editing /.Xdefaults and adding the same line. You'll need su again to do this. Exit su once you've done that.


Let's check if XDMCP is listening - that the Pi is ready to accept your connection.

$ sudo netstat -ulnp | grep 177

You should see:

udp        0      0 0.0.0.0:177             0.0.0.0:*                          3772/xdm

The above bits in bold and underline are the important ones. The other information will vary on your setup. So long as you see udp, 177, and xdm, you're good.

Step 3 Choose and install an X-11 server on your PC

After MANY MANY failed attempts, I finally got something working and (sort of) easy to configure,

I chose the Xming X-11 server in the end. Download it and install it on your PC. DO NOT expect it to work straight away, there's a few things we still need to do. Here comes the hard part - at least it was for me, anyway. Ignore web pages that just suggest you run Xlaunch, or something else simple. They don't work.

Step 4. Configure your X-11 server on your PC

This is the hardest bit to understand and to get working. Why is it SO damn hard? First, the "server" is your PC, not your Pi. Pardon? Yes, the Pi is the CLIENT. Why? Don't ask me! Also, the X-11 needs a "tunnel" to connect, this is where we use PuTTY. Again, don't ask me! Just follow the steps and it should work. It's fiendishly complicated, and has taken me a LOT of hair pulling, which is why I've written this guide.

You installed Ximg, which is your X-11 server. Now let's get it working.

When you installed Ximg, it probably didn't update the system $PATH settinngs to enable to to ACTUALLY run the damn thing from the command line, which you NEED. On your PC do Start and "My Computer", right-click Properties, click "Advanced system settings", click "Environment variables", find PATH, and edit. Add where Ximg is installed. On my computer the PATH should have c:\Program Files <x86>\Xming. There should be a ";" before it after the other PATHs. E.g.

C:\Program Files\Common Files\Microsoft Shared\Windows Live;C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Windows Live\Shared;c:\Android\platform-tools;c:\Program Files <x86>\Xming

We're nearly there! Ignore any documentation on "just" run Xming, Xming launch, or anything like that. It doesn't work.

You need to know the ip address of your Pi. If you forgot, ssh to it, login, and run:

$ ifconfig -a

And look for: inet addr: xxx.xxx.xxx.xxx for the interface you're using - probably eth0. In my case, the IP address of the Pi is 192.168.1.74. On yours it will be different, but it will probably be 192.168.something.something.

Ready? Let's go.

On your PC, press Start and type "cmd" without the quotes. You'll get a DOS command line something along the lines of "C:\".

Enter this command (with the IP address of your Pi)

Xming :1 -query 192.168.1.74 (that being the address of your Pi, as above that's the IP address of my Pi, yours probably isn't 192.168.1.74)

If it worked, within a few seconds (give it time) you'll get a login prompt for your Pi. The password won't show what you're typing, but type it anyway. Give it another few seconds and you'll have

A remote desktop on your Pi from your Windows PC

If windows says the command Xming isn't recognised, then you need to research your PATH settings to make sure they include the directory where Xming is installed. If that doesn't work, it's a Windows problem and I can't help you there.

Windows command error?
Try:
Click: Start
In "Search programs and files": Enter cmd and press Enter. DOS command line comes up,
C:\(whatever)>cd  "c:\Program Files <x86>\Xming"
Then c:\Program Files <x86>Xming>Xming :1 -query 192.168.1.74

(with 192,168,1,74 being the IP address of my Pi, not yours)