Skynet Software Wiki:Setup Pi
Revision as of 11:39, 17 June 2021 by Mlloyd (talk | contribs) (→Securing SSH and setting up the UFW firewall)
Contents
- 1 Setting up a Raspberry Pi
- 2 Setting up a new internal user
- 3 Securing SSH and setting up the UFW firewall
- 4 Setting up fail2ban for SSH
- 5 Make the Raspberry Pi Static
- 6 Setup CUPS
- 7 Add printer to CUPS - Zebra GK420d
- 8 Customer Firewall Setup
- 9 Add Printer to Spitfire (Recon)
- 10 Setting up Pi as a Kiosk
- 11 After Testing
Setting up a Raspberry Pi
- Put the Pi together.
- Connect to WiFi / Cable.
- Select "Raspberry Pi OS Lite"
- user pi, password raspberry
- Note the IP address
- sudo apt-get purge wolfram-engine scratch scratch2 nuscratch sonic-pi idle3 -y
- sudo apt-get purge smartsim java-common minecraft-pi libreoffice* -y
- sudo apt-get clean
- sudo apt-get autoremove -y
- sudo apt-get update
- sudo apt-get upgrade
- sudo apt-get dist-upgrade
- sudo apt-get install xdotool unclutter sed
- sudo raspi-config - Only change the following options:
- 1 System Options
- S3 Password - Change the password for the user "pi" - and keep track of it.
- S4 Hostname - Change the hostname to something - and keep track of it.
- S5 Boot / Auto Login - Choose "B1 Console" - NOT B2, B3 or B4.
- S6 Network at Book - Set to "Yes".
- S7 Splash Screen - Set to "No".
- 3 Interface Options
- P2 - Set to "Yes"
- P1, P3, P4, P5, P7, P8 - Set all to "No".
- P6 - Set to "No" then "No" again.
- 5 Localisation Options
- Timezone - Set to "Europe" then "London".
- WLAN Country - Set to "GB".
- Locale - Scroll down to "en_GB.UTF-8 UTF-8" and hit Space to add a *. Do not remove the * from en_US.UTF-8 UTF-8. Then select en_GB.UTF-8.
- 6 Advanced Options
- A1 Expand Filesystem - Run this.
- 1 System Options
It will then ask if you want to reboot - Choose yes.
Setting up a new internal user
- sudo adduser skynet - note the new password.
- It will ask for a Full Name - set this as "Spitfire Support" - for the other options just press Enter
- sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi skynet
- "sudo su - skynet" - double check this works fine.
- Logout of SSH and re-login as skynet.
- sudo pkill -u pi
Securing SSH and setting up the UFW firewall
For further reference, see CUPS UFW Firewall page
- sudo nano /etc/ssh/sshd_config
- Add "AllowUsers skynet"
- sudo systemctl restart ssh
- sudo apt install ufw -y
- sudo ufw allow ssh
- sudo ufw allow 631
- sudo ufw allow 5353
- sudo ufw allow 53
- sudo ufw enable
- sudo ufw limit ssh/tcp (This will block attackers who have connected more than 5 times in 30 seconds)
- sudo ufw allow from 84.92.64.163 to any port 22 (Plusnet)
- sudo ufw allow from 212.140.134.122 to any port 22 (Lea House)
- sudo ufw allow from 217.182.136.107 to any port 22 (Recon)
- sudo ufw allow from 192.168.0.0/16 to any port 22
- sudo ufw allow from 84.92.64.163 to any port 631
- sudo ufw allow from 212.140.134.122 to any port 631
- sudo ufw allow from 217.182.136.107 to any port 631
- sudo ufw allow from 192.168.0.0/16 to any port 631
- sudo ufw allow from 84.92.64.163 to any port 5353
- sudo ufw allow from 212.140.134.122 to any port 5353
- sudo ufw allow from 217.182.136.107 to any port 5353
- sudo ufw allow from 192.168.0.0/16 to any port 5353
- sudo ufw allow from 84.92.64.163 to any port 53
- sudo ufw allow from 212.140.134.122 to any port 53
- sudo ufw allow from 217.182.136.107 to any port 53
- sudo ufw allow from 192.168.0.0/16 to any port 53
- sudo ufw allow from Customer's IP Address to any port 22
- sudo ufw allow from Customer's IP Address to any port 631
- sudo ufw allow from Customer's IP Address to any port 5353
- sudo ufw allow from Customer's IP Address to any port 53
Setting up fail2ban for SSH
- sudo apt install fail2ban -y
- sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
- sudo nano /etc/fail2ban/jail.local - and add the following:
[ssh] enabled = true port = ssh filter = sshd logpath = /var/log/auth.log maxretry = 3 bantime = -1
Make the Raspberry Pi Static
- sudo nano /etc/dhcpcd.conf
interface wlan0 (or eth0 if ethernet) static ip_address=192.168.1.155/24 (or as required) static routers=192.168.1.254 (or as required) static domain_name_servers=192.168.1.254 (or as required)
Setup CUPS
- sudo apt install cups -y
- sudo usermod -a -G lpadmin pi
- sudo usermod -a -G lpadmin skynet
- sudo cupsctl --remote-any
- https://{internal_ip}:631 -> "Edit Configuration" and add this line to the bottom:
MaxJobs 0
- Location "Location /" and "Location /admin" and replace the content with:
Order allow,deny Allow from localhost Allow from 84.92.64.163 Allow from 212.140.134.122 Allow from 217.182.136.107 Allow from 192.168.1.* Allow from <Customers' IP Address>
- Once saved, make sure "Allow printing from the internet" is ticked.
Add printer to CUPS - Zebra GK420d
USB
- https://{internal_ip}:631 (change IP as required, user/pass is the skynet one)
- Click "Administration" then "Add Printer".
- Select "Zebra Technologies ZTC GK420d (Zebra Technologies ZTC GK420d)" from the "Local Printers" list then click "Continue".
- Change "Name" to something simple - e.g. customer01, Description/Location as required and tick "Share This Printer" then click "Continue".
- Model - Select "Zebra ZPL Label Printer (en)" then click "Add Printer".
- Administration" -> "Manage Printers" -> click the new printer -> "Administration" -> "Set Default Options".
- Media Size -> "4.00x6.00" -> "Set Default Options".
Ethernet
- https://{internal_ip}:631 (change IP as required, user/pass is the skynet one)
- Click "Administration" then "Add Printer".
- Select "AppSocket/HP JetDirect" from the "Other Network Printers:" list then click Continue.
- Put "socket://<IP Address of printer> into the "Connection:" box then click "Continue".
- Change "Name" to something simple - e.g. customer01, Description/Location as required, tick "Share This Printer" then click "Continue".
- Model - Select "Zebra ZPL Label Printer (en)" and click "Add Printer".
- Administration" -> "Manage Printers" -> click the new printer -> "Administration" -> "Set Default Options".
- Media Size -> "4.00x6.00" -> "Set Default Options".
Customer Firewall Setup
Now make sure the following ports are forwarded to the printer from the external firewall (change as required) - if any of these are changed, you will need to change the above steps as well.
- 631 for cups
- 22 for ssh
Add Printer to Spitfire (Recon)
Now add the printer via Recon:
- https://recon.spitfire-ams.co.uk:631/
- "Administration" -> "Add Printer" -> "Internet Printing Protocol (ipp)"
- ipp://skynet:{password}@{public_ip_address}:631/printers/{name}
- "Administration" -> "Manage Printers" -> click the new printer -> "Administration" -> "Set Default Options"
- Resolution to 300 dpi
- Override A4 with Letter to "No"
- "Set Default Options"
Setting up Pi as a Kiosk
- sudo nano /home/pi/kiosk.sh
#!/bin/bash export DISPLAY=:0 xset s noblank xset s off xset -dpms unclutter -idle 0.5 -root & sed -i 's/"exited_cleanly":false/"exited_cleanly":true/' /home/pi/.config/chromium/Default/Preferences sed -i 's/"exit_type":"Crashed"/"exit_type":"Normal"/' /home/pi/.config/chromium/Default/Preferences /usr/bin/chromium-browser --noerrdialogs --disable-infobars --kiosk http://sams.spitfire-ams.co.uk/tablet_scan.php &
- sudo nano /lib/systemd/system/kiosk.service
[Unit] Description=Chromium Kiosk Wants=graphical.target After=graphical.target
[Service] Environment=DISPLAY=:0.0 Environment=XAUTHORITY=/home/pi/.Xauthority Type=simple ExecStart=/bin/bash /home/pi/kiosk.sh Restart=on-abort User=pi Group=pi
[Install] WantedBy=graphical.target
- sudo systemctl enable kiosk.service
- sudo systemctl start kiosk.service
- sudo nano /home/pi/.config/autostart/kiosk.desktop
[Desktop Entry] Type=Application Name=Kiosk Exec=/home/pi/kiosk.sh X-GNOME-Autostart-enabled=true
- sudo chmod 755 kiosk.sh
- sudo chown pi:pi kiosk.sh
After Testing
Once all of the above has been completed, you can test a print locally. Before sending it off to the customer, make sure to comment out the settings from "/etc/dhcpcd.conf" under "Make the Raspberry Pi Static" are commented out, as then it'll be easier to locate it on the customers network and repeat any firewall steps.