Sunday, 15 September 2013

Publishing your Raspberry Pi web server with Dynamic DNS

This is actually for any home web server, but I'm doing my blog mostly for the Pi. I doubt many people have anything else running a web server at home, and I REALLY wouldn't want anyone running a web server on a PC unless you want every security problem there is.

Back to doing it on your Pi. Here's how to have your own domain name, or a host on someone else's, pointing to a web server that's running on a private IP address behind your broadband router. I'm not going into the details of name servers, A/CNAME/@ records here, because if you don't know them then you shouldn't be fiddling with them.

For now, this tutorial just gives you an A name server record for a host. Note that when using other free/shared domain names such as linkto.me, you won't be able to have the hostname www, but you can pick something else. If you have your own domain, you can have both the www hostname and the domain pointing to your dynamic DNS service.

Dynamic DNS


There are a few free dynamic DNS services, just Google for one you like. I personally used www.no-ip.com though I have used others in the past. No-IP have a variety of services, the free and simple DNS hosting is what I went for. You can select from a list of free domains and just add your own host, or you can pay for a domain, or host a domain you already own.

Following the instructions on the no-ip website, it only took a few minutes to set up and choose a hostname. Then select which domain to put it under, either one of their free ones, one of their paid ones, or one of your own.

Note your hostname including the domain name, username, and password you created on no-ip.com

My router has dynamic DNS built in, so it was a simple matter of entering the options on the router. Put your no-ip (or other dynamic DNS service) details into the section on the router, and it will take care of the rest. When the router gets a different IP address, for example if you turn it off and back on, it will update the dynamic DNS servers and your web server will still be published on the net.

Be aware, DNS changes can take between 24-48 hours to propagate through the internet, particularly if you are using a newly registered or transferred domain. Using the no-ip free host and domain was instant though.

Then you need to set port forwarding to your Pi, which is why your Pi should have a static address. Port forwarding on home routers usually comes under the heading of application sharing. Simply forward port 80 (http) to the internal IP address of your Pi, or web server.

You can also forward other ports, like ftp and others - but be aware of the security implications as each port added means another layer of security needed.

If your router doesn't support dynamic DNS then you need to install a client on the web server. Each one is different depending on whose service you use, so you'll need to follow their instructions.

Saturday, 14 September 2013

How to install PhpMyAdmin on a Raspberry Pi

A simple to use browser based MySQL database configuration tool for the Raspberry Pi

If you followed my tutorial on building a Pi web server, and also installed MySQL and PHP, then you'll probably want to install phpmyadmin - which is a handy web browser based administration tool for managing your MySQL databases.

Installing phpmyadmin


Login to your pi and download and install the phpmyadmin package:

$ sudo apt-get install phpmyadmin

When prompted to select which dbconfig tool, select lighttpd. Lighttpd was the web server you installed when you followed my tutorial on installing the web server.

When asked if you want to configure with db-config, select Yes. You'll then get asked for the MySQL root password you entered when you built the MySQL server. Enter it when asked, and again to confirm. Note, this is different and separate from your root login password.

Once the installation is complete, you need to make a link in your web root to where the phpmyadmin scripts are.

$ ln -s /usr/share/phpmyadmin /var/www/phpmyadmin

This creates a folder on your web server called phpmyadmin which calls the scripts installed in /usr/share/phpmyadmin. You could use any name you like for the folder on the web server, but it needs to link to /usr/share/phpmyadmin.

Let's now test it, by pointing your PC's browser to the folder you made on the web server, in this case, the IP address of your Pi followed by /phpmyadmin

You'll be asked for the MySQL login and password you created.

If you get a warning message on the login screen, or any further screens, that mcrypt is not installed or enabled, install it:

$ sudo apt-get install php5-mcrypt

If the error persists, or you get told that it's already installed, you need to fix the PHP config.

Fix the PHP config file for some common problems
$ sudo vi /etc/php5/cgi/php.ini
Uncomment the line:
cgi.fix_pathinfo=1

Now restart the web server again:
$ sudo service lighttpd force-reload

There's more to write yet for this tutorial, including adding some scripts, and creating limited access users for specific tasks. Please keep coming back to see what I've added.

Wednesday, 11 September 2013

How to make your Raspberry Pi more secure

Basic security hardening of a Raspberry Pi

NB: This is just for casual home users and hobbyists who have a Pi at home, behind a domestic broadband router. Further security is needed for any other use, and is not covered by this tutorial. Skip to the further reading at the end of this tutorial for some suggestions on where to go next.

Introduction
The default, or common, configuration on the Raspberry Pi is to allow a login straight to the desktop without a password being asked for, even if one is set or left at the default. Once logged in, root access is then available with the command sudo. This applies to direct access, i.e. using the Pi directly with your tv as a display - which is how most people will be using it.

Remote desktop, ssh, or other remote access will require a login and password. However, the default password might not have been changed. Root access is then available as above with the sudo command. No root password is even asked for. I have a tutorial on this blog for enabling remote desktop access.

This is clearly crazy! So let's fix it.

Make sure everything is up to date on your Pi

Login to your Pi and go to the Terminal. Run the update process:

$ sudo apt-get update

This may take 5 minutes or more depending on your connection and how much needs to be updated. Did you notice how you just logged into your Pi, and ran a root command probably without any password challenge? We're going to put a stop to that right now.

Change your login password

If you just installed your Pi and didn't change the password for the "pi" login, it will be set at default, probably 'raspberry'. Login to your Pi and go to the LX Terminal. Change your password:

$ passwd

You'll be asked to enter it a second time for confirmation. Make sure it isn't easy to guess, and that only you know it.

Disallow sudo commands for the default 'pi' user

The sudo command allows you to run root commands from a non-root login. The command after sudo is the root command you wish to execute, for example "$ sudo vi /boot/config.txt". sudo access is controlled by a file called /etc/sudoers. You mustn't edit this file with vi, or any other editor, you must edit with the command visudo, which you need to be root for.

Open a terminal, or ssh to the pi. Make a copy of the original sudoers file:

$ su
# cp /etc/sudoers /etc/sudoers.orig

# visudo

Change the line that reads

pi ALL=(ALL) NOPASSWD: ALL
To
pi ALL=(ALL) PASSWD: ALL

Ctrl-x to exit visudo, press y to save, it will ask to save to a temporary file, this is fine, just enter. When it asks "What now?" enter Q to save and exit. The words above in bold underline are simply to show you where to edit.

This means that you can no longer use the sudo command when logged in as pi (the default user). You can only gain root access with the command

$ su

And entering the root password. I have a tutorial on this blog for setting the root password.

NB
Whilst this may be a nuisance for the many instructions that use the command "sudo" you might want to further research the visudo command to enable certain IP addresses to have access without needing the password.

Give yourself a login that can use sudo

You should have a separate login so that you can regularly perform sudo commands without this restriction. Create the login to be used, and set a password.

$ su
# useradd <the login name>
# passwd <the login name>

Now enable <the login name> with visudo as above but allow it without passwords, e.g.

<the login name> ALL=(ALL) NOPASSWD: ALL

Exit and save visudo as you did above. Note, <the login name> is meant to be replaced by the login name you want to use, e.g. mypi or whatever. Some will want to use www-data as the login name for webserver maintenance. The < and > are for illustration only, you don't type them.
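The sudoers edits above leave some logins tagged NOPASSWD, meaning sudo runs root commands for them with no password prompt. This added example (not from the original post) lists every such rule in the files you pass it; the function names, the sample file and the login name mypi are constructed, and backslash-continued lines and include directives are not followed.

```shell
#!/bin/sh
# Added example: report sudoers rules that carry the NOPASSWD tag.
# Assumptions: continued lines and #include/#includedir are not followed;
# pass every file you want checked explicitly.

# nopasswd_rules FILE... -> prints "file:line:who" for each NOPASSWD rule
nopasswd_rules() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
            $1 ~ /^Defaults/         { next }   # option lines, not rules
            /NOPASSWD[ \t]*:/        { printf "%s:%d:%s\n", file, NR, $1 }
        ' "$f"
    done
}

# Constructed sample resembling the file after the edits in this tutorial;
# "mypi" stands in for <the login name>.
sample_sudoers() {
    cat <<'EOF'
# constructed sample, not a real /etc/sudoers
Defaults env_reset
root ALL=(ALL:ALL) ALL
pi ALL=(ALL) PASSWD: ALL
mypi ALL=(ALL) NOPASSWD: ALL
EOF
}

# audit_sample -> runs the check over the constructed sample, prints "line:who"
audit_sample() {
    tmp=$(mktemp)
    sample_sudoers > "$tmp"
    nopasswd_rules "$tmp" | cut -d: -f2-
    rm -f "$tmp"
}

audit_sample
# On the Pi, as root: nopasswd_rules /etc/sudoers /etc/sudoers.d/*
```

Any login it prints is one whose password alone stands between a remote login and root, so that password deserves the same care as the root password.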

Further reading


  • Restrict access to sudo to only trusted IP addresses
  • Enable ssh key exchange and disallow password login
  • iptables
  • Restrict remote desktop access by IP address
  • Enable remote access via ssh


Document in progress. Please keep coming back to see what's added.

How to set a static IP address on a Raspberry Pi

Note: This is only for wired (eth0) connections. Wifi instructions to follow.

Introduction:
When you first set up your Raspberry Pi, it will have been configured to automatically get an IP address (DHCP). This is fine. But, the address will probably be different each time you switch it on, so to do anything useful with it, like making it a webserver, it will need a static, or fixed known, IP address. That way you will always be able to access it remotely without having to first see what IP address it is using. It also means you'll be able to make your Pi accessible to the internet via port forwarding on your router.

Let's go.

First, make a backup of the current configuration.

SSH to your Pi, or login via the desktop and run Terminal.

$ sudo cp /etc/network/interfaces /etc/network/interfaces.orig

Let's now see what IP address it has already got.

$ ifconfig -a

eth0      Link encap:Ethernet
          inet addr:192.168.1.74  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

The bits in bold above are the ones we need to know. In this case, our IP address is 192.168.1.74. The rest doesn't matter. We might as well use the same address, but make sure it's permanent (static IP) and doesn't change each time we switch the Pi on.

Next, let's find the IP address of our router (gateway):

$ route -n

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth0

Here, it's 192.168.1.254

Note that, in this example, your IP address, and that of the gateway (router) both start with 192.168.1

We'll go ahead and make the IP address static. To keep things simple, we'll stick with the address we've been given this time. In this case, it's 192.168.1.74 and the gateway is 192.168.1.254

So, edit the file:

$ sudo vi /etc/network/interfaces

Change the line that says:
iface eth0 inet dhcp

To
iface eth0 inet static

And add the following lines after it:

address 192.168.1.74
netmask 255.255.255.0
gateway 192.168.1.254

Save the file. Restart networking:
$ sudo service networking restart

Once you have your command prompt back, let's check the IP address has been set ok.
$ sudo ifconfig -a
We're looking for, in this example, eth0 to be 192.168.1.74

$ route -n
We're looking for, in this example, gateway 192.168.1.254

If you're cynical like me, reboot the Pi and check the above 2 commands again to make sure it's been set. 
$ ifconfig -a
and
$ route -n

You have now given your Pi a static (fixed) IP address of (in this example) 192.168.1.74 and a gateway of 192.168.1.254

Netmask, or subnet mask, or why all the IP addresses above begin with 192.168.1 is another tutorial. Shout me if you want it.
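A typo in the address, netmask or gateway is easy to make, and restarting networking over SSH with a bad stanza can cut you off from the Pi. This added example (not part of the original post) reads those three values from an interfaces file and checks that the gateway is on the same network as the address; the function names are hypothetical, the sample stanza is constructed from the values above, and it assumes the file holds a single static stanza.

```shell
#!/bin/sh
# Added example: sanity-check a static eth0 stanza before restarting networking.

# ip_to_int A.B.C.D -> the address as one integer
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# stanza_field FILE KEY -> value from the first "KEY value" line
stanza_field() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# check_static FILE -> prints ok, mismatch or incomplete; non-zero unless ok
check_static() {
    addr=$(stanza_field "$1" address)
    mask=$(stanza_field "$1" netmask)
    gw=$(stanza_field "$1" gateway)
    if [ -z "$addr" ] || [ -z "$mask" ] || [ -z "$gw" ]; then
        echo "incomplete"; return 1
    fi
    a=$(ip_to_int "$addr"); m=$(ip_to_int "$mask"); g=$(ip_to_int "$gw")
    # Address AND netmask gives the network; both ends must share it.
    if [ $(( a & m )) -eq $(( g & m )) ]; then
        echo "ok"
    else
        echo "mismatch"; return 1
    fi
}

# check_sample GATEWAY -> constructed stanza with the tutorial's address and netmask
check_sample() {
    tmp=$(mktemp)
    printf 'iface eth0 inet static\naddress 192.168.1.74\nnetmask 255.255.255.0\ngateway %s\n' "$1" > "$tmp"
    rc=0
    check_static "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}

check_sample 192.168.1.254            # the gateway used in this tutorial
check_sample 192.168.0.254 || true    # a one-digit typo in the gateway
# On the Pi: check_static /etc/network/interfaces
```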


Monday, 9 September 2013

How to set the root password on a Raspberry Pi

To do anything useful on your Raspberry Pi you'll need root access.

NB: Please read and follow the blog tutorial on how to perform basic security hardening on your Pi, otherwise setting a root password is pointless, because the default configuration allows root commands to be executed with or without a root password.

A lot of the commands will get you to do "sudo ...and then a command that needs root access"

E.g.
$ sudo ifconfig -a

Which means, run the command "ifconfig -a" as root - su, superuser. But eventually you'll get tired of using sudo when you want to do a load of root commands. You'll want to become su (root) and then run the commands as they are, i.e. without having to put sudo in front of each one.

But, you'll need a root password. Without one, you're leaving your machine wide open to anyone being able to do anything to it.

So, set a root password:

$ sudo passwd
(enter a password to use, and enter it again to confirm it when asked)

That's all you do.

Try it:

$ su
(put in the root password you set, when asked for the password)

# (now you have root access)

Press <ctrl-d> to exit from # (root commands) to $ (non-root commands)

Make sure your root password is not easily guessable, and don't tell it to anyone who doesn't need it. Also, make sure YOU can remember it. Once it's set, you won't be able to gain root access without it.

How to build a Raspberry Pi webserver

Building a Raspberry Pi web server

Prepare your Pi for being a web server

You should follow the following tutorials from this blog before turning your Pi into a web server.

  1. Set a root password
  2. Assign a static IP address
  3. Perform some basic security updates

We'll assume that you've done that, and that you created a www-data user account as per the security tutorial. If not, do that now. Login to your Pi and:

$ sudo useradd www-data
$ sudo passwd www-data

You might also want to follow the tutorial on this blog for overclocking your Pi, but be aware of the risks of overheating.

Install the web server software

We're going to use Lighttpd as a web server. You could use Apache but your Pi isn't really powerful enough for that. Lighttpd is a lightweight web server.

Login to your Pi as www-data, then:

$ sudo apt-get install lighttpd

Change the directory owner and group:
$ sudo chown www-data:www-data /var/www

Allow the group to write to the directory:
$ sudo chmod 775 /var/www


Logout and back in again to pick up the new permissions. Now let's test the web server. Point your PC's browser to the ip address of your Pi. You should get a default placeholder page saying something like "The owner of this web site has not put up any web pages yet. Please come back later". This is fine, it tells us that the web server is installed and running.

On your Pi remove the default index page that gave this default page:

$ rm /var/www/index.lighttpd.html

If all you want is a basic web server for some home photos, or to play around with learning HTML then you don't need to do anything else. Your web server is running. It's only visible to other computers on your home network though. To make it visible on the internet you'll need the tutorial on publishing your Pi onto the internet. I'm going to write that soon.

If you want to create or use dynamic, database-driven web pages (perhaps your own WordPress server, or anything requiring logins, such as a shopping cart), then you'll need MySQL for the database(s), and PHP for the server side (clever) stuff.

Install the MySQL database (optional)

$ sudo apt-get install mysql-server

During this process it will ask you to set a password for the MySQL root user. This is different and separate from your root login account to the Pi. The installation will take about 5-10 minutes.

Install PHP (optional)

$ sudo apt-get install php5-common php5-cgi php5

If you installed MySQL above then also:

$ sudo apt-get install php5-mysql
This will also take about 5-10 minutes.

Fix the PHP config file for some common problems
$ sudo vi /etc/php5/cgi/php.ini
Uncomment the line cgi.fix_pathinfo=1

Now restart the web server again:
$ sudo service lighttpd force-reload

Testing the PHP installation:
Create a file /var/www/index.php

With the following code:

<?php
  print <<< EOT
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Test successful</title>
</head>
<body>
<h1>Test successful</h1>
<p>Congratulations.</p>
<p>Your webserver and PHP are working.</p>
</body>
</html>
EOT;

?>

Point your PC's browser to the IP address of your Pi. You should see a screen showing your PHP installation is working.

Error 403 - Forbidden?
If you get error 403 - Forbidden then you also need to enable PHP-cgi. Get a root login and:

# cp /etc/lighttpd/conf-available/10-fastcgi.conf /etc/lighttpd/conf-enabled/
# cp /etc/lighttpd/conf-available/15-fastcgi-php.conf /etc/lighttpd/conf-enabled/
# service lighttpd restart

Try again with your PC pointing to the Pi's IP address. You should now have the installation working screen.

Now let's make really sure it's working. Create a file /var/www/test.php

And in it, put:

<?php
phpinfo();
?>

Save it, and point your browser to the Pi's IP address followed by /test.php. You will now see your PHP configuration if everything has worked.

If you installed both MySQL and PHP, then in the next tutorial, we'll set up phpmyadmin which is a browser based MySQL configuration and admin tool.
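Once port 80 is forwarded to the Pi, everything under the web root is reachable from the internet, including the phpinfo() test page above and any phpmyadmin link made with the other tutorial on this blog. This added example (not from the original post) lists both under a web root so you can decide what to remove or restrict; /var/www is the web root used above, the function names are hypothetical, and the demo directory is constructed.

```shell
#!/bin/sh
# Added example: list items under a web root that you may not want published.

# webroot_exposures [DIR] -> prints "phpinfo <path>" and "phpmyadmin <path>"
webroot_exposures() {
    root=${1:-/var/www}
    # PHP files calling phpinfo(): the page shows the PHP configuration to any visitor.
    find "$root" -type f -name '*.php' -exec grep -l 'phpinfo *(' {} + 2>/dev/null |
        sed 's/^/phpinfo /'
    # Symlinks that point into the phpMyAdmin install directory.
    find "$root" -type l 2>/dev/null | while IFS= read -r link; do
        case $(readlink "$link") in
            /usr/share/phpmyadmin*) echo "phpmyadmin $link" ;;
        esac
    done
}

# demo_webroot -> runs the check on a constructed web root, paths shown relative to it
demo_webroot() {
    d=$(mktemp -d)
    printf '<?php\nphpinfo();\n?>\n' > "$d/test.php"        # constructed test page
    printf '<?php print "hello"; ?>\n' > "$d/index.php"     # constructed ordinary page
    ln -s /usr/share/phpmyadmin "$d/phpmyadmin"             # link as in the phpMyAdmin tutorial
    webroot_exposures "$d" | sed "s|$d/||"
    rm -rf "$d"
}

demo_webroot
# On the Pi: webroot_exposures /var/www
```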

Overclocking a Raspberry Pi

It's very simple to overclock a Raspberry Pi, i.e make the processor run faster. There are probably many settings you can alter, but all I do is edit /boot/config.txt:

$ sudo vi /boot/config.txt

And edit the line

arm_freq=700
to
arm_freq=1024

Uncomment arm_freq if it is commented (if the line begins with # or !, remove the # or the !)
Save the file, and reboot.

I have both my Raspberry Pis running with arm_freq=1024

They are both stable, and don't overheat. One is in a case which does have venting for heat. The other just sits on top of my tv with no case or venting.

I can't vouch for your Pi, and don't come running to me if yours doesn't work. I'm simply saying here how I overclock mine. Try small steps at a time until you're happy it's stable. E.g. try 800 then 900, etc.

Be aware, any overclocking can brick your machine, overheat it, and/or invalidate your warranty. As far as I'm aware, you can overclock a Pi to 1024 without invalidating the warranty - but please don't quote me on that. It's just something I've read. Both mine are on 1024 and working fine, but yours might not be able to.