Setting up a Raspberry Pi 3B plus from scratch

Here I will show you basically all of the steps that are needed for installing a Raspberry Pi and setting up a new user on it. I will set it up to have a user called emaus and hostname as emaus-pi3, but you can modify that to whatever you want and follow along.

>>SD card

1. Write an image to the SD card with Balena etcher on Windows or dd on Linux.
2. Add a file called ssh to the root of the boot partition to enable SSH directly after boot.

You can also set up a WiFi by adding a file called wpa_supplicant.conf to the root of the boot partition to make it connect to a WiFi after boot (this file will then be moved to the root file system under /etc/wpa_supplicant/wpa_supplicant.conf). The file should contain the following (see the Raspberry Pi page on headless setup for more info]):

  ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
  country=<Two letter ISO 3166-1 country code, like: SE, GB, US>
  update_config=1

  network={
     ssid="<SSID of the access point>"
     psk="<Password of the access point>"
  }

If you’re setting up the SD card on a Linux computer, you can also set the hostname before booting the Pi by editing files in the root file system:

• Set the hostname of the pi by replacing “raspberrypi” in /etc/hostname and /etc/hosts:

  cd /mountpoint/of/rpi/rfs
  sed 's/raspberrypi/emaus-pi3/' -i etc/hostname etc/hosts
  

>>Raspberry Pi config

1. SSH into pi with default user and password:

    emaus@pc:~ $ ssh -X pi@raspberrypi.local
   

2. Start to set up the pi through the config:

    pi@raspberrypi:~ $ raspi-config
   

   • Set hostname to something better
   • Expand filesystem
   • Set locale
3. Check that the date is set appropriately with date and set it if it is not.
4. Reboot so that our changes become effective (hostname, filestystem, etc.):

    pi@raspberrypi:~ $ sudo reboot now
   

5. SSH into pi with new hostname:

    emaus@pc:~ $ ssh -X pi@emaus-pi3.local
   

6. Update it:

    pi@emaus-pi3:~ $ sudo apt update
    pi@emaus-pi3:~ $ sudo apt upgrade -y
   

>>New user

1. Add a new user with all groups that pi has (but not the pi group since we will remove that user):

    pi@emaus-pi3:~ $ groups
    pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi
    pi@emaus-pi3:~ $ sudo useradd -m -s /bin/bash -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi <username>
   

2. Set password of the new user:

   pi@emaus-pi3:~ $ sudo passwd emaus
   New password:
   Retype new password:
   passwd: password updated successfully
   

3. Log out of the session as pi and enter as the new user:

   pi@emaus-pi3:~ $ logout
   Connection to emaus-pi3.local closed.
                                                                                                 ✔
   ───────────────────────────────────────────────────────────────────────────────────────────────
   [2020-04-06 20:31.58]  ~
   [Emanu.Emaus-XPS] ➤ ssh -X emaus@emaus-pi3.local
   

4. Remove the pi user (all sessions with that user must first be logged out, including GUI if using regular Raspbian):

   emaus@emaus-pi3:~ $ sudo userdel -r pi
   [sudo] password for emaus:
   userdel: pi mail spool (/var/mail/pi) not found
   

>>SSH security

1. Copy your public SSH keys to the file .ssh/authorized_keys:

   emaus@emaus-pi4:~ $ ssh-copy-id -i .ssh/id_rsa emaus@emaus-pi3.local
   

2. Make sure that SSH password authentication is disabled by editing the configuration file /etc/ssh/sshd_config:

   PermitRootLogin no
   MaxAuthTries 1
   PubkeyAuthentication yes
   
   # [...]
   
   # To disable tunneled clear text passwords, change to no here!
   PasswordAuthentication no
   

3. Restart the SSH daemon:

   emaus@emaus-pi3:~ $ sudo systemctl restart sshd
   

>>Setting up additional security (fail2ban)

1. Install fail2ban:

   emaus@emaus-pi3:~ $ sudo apt install fail2ban
   emaus@emaus-pi3:~ $ sudo fail2ban-client status
   Status
   |- Number of jail:      1
   `- Jail list:   sshd
   emaus@emaus-pi3:~ $ sudo fail2ban-client status sshd
   Status for the jail: sshd
   |- Filter
   |  |- Currently failed: 0
   |  |- Total failed:     0
   |  `- File list:        /var/log/auth.log
   `- Actions
      |- Currently banned: 0
      |- Total banned:     0
      `- Banned IP list:
   

2. Configure ssh filter by editing the file /etc/fail2ban/jail.d/defaults-debian.conf:

   [sshd]
   enabled = true
   bantime = -1
   findtime = 600
   maxretry = 3
   ignoreip = 192.168.0.0/24
   

>>Restoring files from an old Pi’s SD card

By attaching the old SD card to another Pi, through an USB to SD card reader, I can copy old files to my new Pi.

1. Mount the partition that corresponds to the old root filesystem on the SD card as read-only (see also previous post):

   emaus@emaus-pi4:~ $ lsblk
   NAME        MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
   sda           8:0    1 14.5G  0 disk
   ├─sda1        8:1    1   63M  0 part
   └─sda2        8:2    1 14.4G  0 part
   mmcblk0     179:0    0 29.4G  0 disk
   ├─mmcblk0p1 179:1    0  256M  0 part /boot
   └─mmcblk0p2 179:2    0 29.2G  0 part /
   emaus@emaus-pi4:~ $ mkdir mounttest
   emaus@emaus-pi4:~ $ sudo mount -o ro /dev/sda2 mounttest/
   

2. SCP files from the computer with the card reader (emaus-pi4) to the new pi (emaus-pi3):

   emaus@emaus-pi4:~/mounttest/home/emaus $ cd mounttest/home/emaus
   emaus@emaus-pi4:~/mounttest/home/emaus $ scp -r .ssh emaus@emaus-pi3.local:/home/emaus/.ssh
   

   Note that you might have to change priveliges on the .ssh folder to be able to copy it (or run command as sudo).