Diffstat (limited to 'articles')
| -rw-r--r-- | articles/.DS_Store | bin | 6148 -> 0 bytes |
| -rw-r--r-- | articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.15.13 PM.png | bin | 17415 -> 0 bytes |
| -rw-r--r-- | articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.18.39 PM.png | bin | 21318 -> 0 bytes |
| -rw-r--r-- | articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.23.20 PM.png | bin | 70360 -> 0 bytes |
| -rw-r--r-- | articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.56.21 PM.png | bin | 79823 -> 0 bytes |
| -rw-r--r-- | articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.58.29 PM.png | bin | 66928 -> 0 bytes |
| -rwxr-xr-x | articles/RpiRockyLinuxServer/index.html | 192 |
| -rw-r--r-- | articles/RpiRockyLinuxServer/rpi4rockylinuxwebserver.md | 303 |
| -rw-r--r-- | articles/articleMaker.tar | bin | 4096 -> 0 bytes |
| -rw-r--r-- | articles/index.html | 26 |
| -rw-r--r-- | articles/rss.xml | 204 |
11 files changed, 0 insertions, 725 deletions
diff --git a/articles/.DS_Store b/articles/.DS_Store Binary files differdeleted file mode 100644 index a5b33a5..0000000 --- a/articles/.DS_Store +++ /dev/null diff --git a/articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.15.13 PM.png b/articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.15.13 PM.png Binary files differdeleted file mode 100644 index 34b57f4..0000000 --- a/articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.15.13 PM.png +++ /dev/null diff --git a/articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.18.39 PM.png b/articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.18.39 PM.png Binary files differdeleted file mode 100644 index 6ef28ff..0000000 --- a/articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.18.39 PM.png +++ /dev/null diff --git a/articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.23.20 PM.png b/articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.23.20 PM.png Binary files differdeleted file mode 100644 index cbc9b47..0000000 --- a/articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.23.20 PM.png +++ /dev/null diff --git a/articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.56.21 PM.png b/articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.56.21 PM.png Binary files differdeleted file mode 100644 index 2482da0..0000000 --- a/articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.56.21 PM.png +++ /dev/null diff --git a/articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.58.29 PM.png b/articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.58.29 PM.png Binary files differdeleted file mode 100644 index c952586..0000000 --- a/articles/RpiRockyLinuxServer/img/Screen Shot 2022-02-19 at 2.58.29 PM.png +++ /dev/null diff --git a/articles/RpiRockyLinuxServer/index.html b/articles/RpiRockyLinuxServer/index.html deleted file mode 100755 index edf6b5b..0000000 --- a/articles/RpiRockyLinuxServer/index.html +++ /dev/null 
@@ -1,192 +0,0 @@ -<!DOCTYPE html> -<html lang="en"> - <head> - <meta charset="UTF-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - <title>Raspberry Pi Rocky Linux Webserver</title> - <link href="../../CSS/main.css" rel="stylesheet" type="text/css"> - <link href="favicon.ico" rel="icon" sizes="any"> - <meta name="description" content="A tutorial on setting up a webserver on a Raspberry Pi with Rocky Linux 8"/> - <meta name="author" content="Jacob McDonnell"/> - <meta name="keywords" content="rocky,rocky linux,linux,raspberry pi,webserver,nginx,certbot,website"/> - </head> - <body> - <ul class="topBar"> - <li class="topLink"><a href="https://jacobmcdonnell.com/">home</a></li> - <li class="topLink"><a href="https://jacobmcdonnell.com/articles">articles</a></li> - <li class="topLink"><a href="https://jacobmcdonnell.com/articles/rss.xml">rss feed</a></li> - </ul> - <div class="main"> - <p> </p> - <h1 id='hosting-a-website-on-the-raspberry-pi-with-rocky-linux'>Hosting a Website on the Raspberry Pi with Rocky Linux</h1> - <a href="rpi4rockylinuxwebserver.md">Markdown File Download</a> - <p>First Download Rocky Linux for the Raspberry Pi 3 & 4 from <a href='https://rockylinux.org/alternative-images'>their website</a>.</p> - <center><img class="imgs" src="img/Screen Shot 2022-02-19 at 2.15.13 PM.png" referrerpolicy="no-referrer" alt="Screen Shot 2022-02-19 at 2.15.13 PM"></center> - <p>Next you want to burn this image to the sd card that you are going to use. Now start up the Raspberry Pi and login with the default user <code>rocky</code> and the password is <code>rockylinux</code>. 
</p> - <p>To make the image take up the whole drive, run:</p> - <pre><code class='language-shell'>sudo rootfs-expand - </code></pre> - <p>Now, you should create a new user:</p> - <pre><code class='language-shell'>sudo useradd -m -g users -G wheel userName -sudo passwd username - </code></pre> - <p>Next, we should delete the default user so logout and login to your new user:</p> - <pre><code class='language-shell'>sudo userdel rocky - </code></pre> - <p> </p> - <hr /> - <h2 id='setting-a-static-ip-address'>Setting a static IP address </h2> - <p>The easiest way is to run:</p> - <pre><code class='language-shell'>sudo nmtui - </code></pre> - <center><img class="imgs" src="img/Screen Shot 2022-02-19 at 2.18.39 PM.png" referrerpolicy="no-referrer" alt="Screen Shot 2022-02-19 at 2.18.39 PM"></center> - <p>Select <strong>Edit</strong> a connection and select your network interface. </p> - <center><img class="imgs" src="img/Screen Shot 2022-02-19 at 2.23.20 PM.png" referrerpolicy="no-referrer" alt="Screen Shot 2022-02-19 at 2.23.20 PM"></center> - <p>Select <strong>Show</strong> for <strong>IPv4 CONFIGURATION</strong> and enter the IP you want to set. Then select <strong>OK</strong> at the bottom, and quit the program.</p> - <h2 id='securing-the-pi'>Securing the PI</h2> - <h3 id='ssh-key-authorization'>SSH Key Authorization</h3> - <p>The best way to secure the pi is to use an SSH key to login instead of a password. 
First you want to generate an SSH key by running on your computer:</p> - <pre><code class='language-shell'>ssh-keygen -t rsa - </code></pre> - <p>Next, to copy your SSH key to your server, run:</p> - <pre><code class='language-shell'>ssh-copy-id -i ~/.ssh/mykey user@host - </code></pre> - <p>To test that it works, run:</p> - <pre><code class='language-shell'>ssh -i ~/.ssh/mykey user@host - </code></pre> - <p>If it worked, you should be able to connect without needing a password.</p> - <p>To force an SSH key to login, edit <code>/etc/ssh/sshd_config</code> using nano or vim.</p> - <p>Change <code>PermitRootLogin yes</code> to <code>PermitRootLogin no</code> and <code>PasswordAuthentication yes</code> to <code>PasswordAuthentication no</code>.</p> - <h3 id='setting-up-fail2ban'>Setting up fail2ban</h3> - <p>First start and enable firewalld to run at boot:</p> - <pre><code class='language-shell'>sudo systemctl start firewalld -sudo systemctl enable firewalld - </code></pre> - <p>Now, enable the EPEL repository for Rocky Linux and install fail2ban:</p> - <pre><code class='language-shell'>sudo dnf install epel-release -y -sudo dnf install fail2ban fail2ban-firewalld -y - </code></pre> - <p>Start and enable fail2ban to run at boot:</p> - <pre><code class='language-shell'>sudo systemctl start fail2ban -sudo systemctl enable fail2ban - </code></pre> - <p>Now, we have to make fail2ban work with firewalld, run:</p> - <pre><code class='language-shell'>sudo mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local -sudo systemctl restart fail2ban - </code></pre> - <p>To create an SSH jail, edit the ssh config file with vim or nano:</p> - <pre><code class='language-shell'>sudo nano /etc/fail2ban/jail.d/sshd.local - </code></pre> - <p>Paste the following into the file and change the values as you see fit:</p> - <pre><code>[sshd] -enabled = true -bantime = 1d -maxretry = 3 - </code></pre> - <p>Save and close the file and restart fail2ban:</p> - <pre><code 
class='language-shell'>sudo systemctl restart fail2ban - </code></pre> - <h2 id='setting-up-dynamic-dns-with-google-domains'>Setting up Dynamic DNS with Google Domains</h2> - <h3 id='configuring-google-domains'>Configuring Google Domains</h3> - <p>First, on <a href='https://domains.google.com/'>Domains.google.com</a> go the DNS page for your domain. Scroll down and click on <strong>Show advanced settings</strong>, Click <strong>Manage dynamic DNS</strong>, and then click <strong>Create new record</strong>. Enter your subdomain or leave it black for the domain itself. Finally, click Save.</p> - <h3 id='installing-ddclient'>Installing ddclient</h3> - <p>To install ddclient you need to enable the PowerTools Repo for the perl dependency.</p> - <p>First, install <code>dnf-plugins-core</code>:</p> - <pre><code class='language-shell'>sudo dnf -y install dnf-plugins-core -sudo dnf upgrade - </code></pre> - <p>Next, enable PowerTools:</p> - <pre><code class='language-shell'>sudo dnf config-manager --set-enabled powertools - </code></pre> - <p>Then, you can install ddclient:</p> - <pre><code class='language-shell'>sudo dnf install ddclient - </code></pre> - <p>Now, we want to edit the config file for ddclient:</p> - <pre><code class='language-shell'>sudo nano /etc/ddclient.conf - </code></pre> - <p>You'll want to look for where it says <code>protocol=dyndns2</code>, and enter your information:</p> - <pre><code>## -## nsupdate.info IPV4(https://www.nsupdate.info) -## -protocol=dyndns2 -use=web, web=http://ipv4.nsupdate.info/myip -server=domains.google.com -login=username -password=password -domain.tld - </code></pre> - <p>Wait about 5 minutes and on the Google Domains website, under Dynamic DNS you should see your IP address under <strong>Data</strong>.</p> - <h2 id='setting-up-nginx-and-lets-encrypt'>Setting up NGINX and Let's Encrypt</h2> - <h3 id='installing-nginx'>Installing NGINX</h3> - <p>First, install nginx Webserver:</p> - <pre><code class='language-shell'>sudo dnf 
install nginx - </code></pre> - <p>Next, start and enable nginx to run at boot:</p> - <pre><code class='language-shell'>sudo systemctl start nginx -sudo systemctl enable nginx - </code></pre> - <p>Then, check the status to see if it is running:</p> - <pre><code class='language-shell'>sudo systemctl status nginx - </code></pre> - <center><img class="imgs" src="img/Screen Shot 2022-02-19 at 2.56.21 PM.png" referrerpolicy="no-referrer" alt="Screen Shot 2022-02-19 at 2.56.21 PM"></center> - <p>Now, we have to allow HTTP traffic through the firewall:</p> - <pre><code class='language-shell'>sudo firewall-cmd --add-service=http --permanent -sudo firewall-cmd --add-service=https --permanent -sudo firewall-cmd --reload - </code></pre> - <p>In a web browser, go to the local ip of the server and you should see the nginx welcome page.</p> - <center><img class="imgs" src="img/Screen Shot 2022-02-19 at 2.58.29 PM.png" referrerpolicy="no-referrer" alt="Screen Shot 2022-02-19 at 2.58.29 PM"></center> - <h3 id='configuring-nginx'>Configuring NGINX</h3> - <p>First, make your folder for the website, this is where your website will live:</p> - <pre><code class='language-shell'>sudo mkdir -p /var/www/websiteName - </code></pre> - <p>Next, we need to set the proper permissions to make sure everything works:</p> - <pre><code class='language-shell'>sudo chown -R nginx /var/www/websiteName -sudo chmod -R 755 /var/www/websiteName - </code></pre> - <p>Now, we will create the config file for website:</p> - <pre><code class='language-shell'>sudo nano /etc/nginx/conf.d/websiteName.conf - </code></pre> - <p>and paste the following into the file:</p> - <pre><code>server { - listen 80; - server_name domain.tld www.domain.tld; - root /var/www/websiteName; - index index.php index.html index.htm; - access_log /var/log/nginx/websiteName.access.log; - error_log /var/log/nginx/websiteName.error.log; -} - </code></pre> - <p>Now, confirm that the nginx configuration is ok:</p> - <pre><code 
class='language-shell'>sudo nginx -t - </code></pre> - <p>Restart nginx:</p> - <pre><code class='language-shell'>sudo systemctl restart nginx -sudo systemctl status nginx - </code></pre> - <p>Next, set SELinux to permissive mode:</p> - <pre><code class='language-shell'>sudo setenforce permissive -sudo getenforce - </code></pre> - <p>Now, we will need to set SELinux to permissive mode permanently:</p> - <pre><code class='language-shell'>sudo sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux - </code></pre> - <h3 id='installing-and-running-certbot'>Installing and Running Certbot</h3> - <p>To install Certbot run:</p> - <pre><code class='language-shell'>sudo dnf install certbot python3-certbot-nginx - </code></pre> - <p>To get SSL certificates for your websites run:</p> - <pre><code class='language-shell'>sudo certbot --nginx - </code></pre> - <p>Answer the prompts that show up on screen as you wish.</p> - <p>To configure auto renewal of the SSL certificate run:</p> - <pre><code class='language-shell'>crontab -e - </code></pre> - <p>and add the following line:</p> - <pre><code>0 12 * * * /usr/bin/certbot renew --quiet - </code></pre> - <p>This will check everyday at noon to see if the certificate will expire in the next month, if so it will renew the certificate.</p> - <p>Now your website should be operational. </p><br> - </div> - </body> -</html> diff --git a/articles/RpiRockyLinuxServer/rpi4rockylinuxwebserver.md b/articles/RpiRockyLinuxServer/rpi4rockylinuxwebserver.md deleted file mode 100644 index fa93505..0000000 --- a/articles/RpiRockyLinuxServer/rpi4rockylinuxwebserver.md +++ /dev/null 
@@ -1,303 +0,0 @@ -# Hosting a Website on the Raspberry Pi with Rocky Linux - -First Download Rocky Linux for the Raspberry Pi 3 & 4 from [their website](https://rockylinux.org/alternative-images). - -Next you want to burn this image to the sd card that you are going to use. Now start up the Raspberry Pi and login with the default user `rocky` and the password is `rockylinux`. - -To make the image take up the whole drive, run: - -```sh -sudo rootfs-expand -``` - -Now, you should create a new user: - -```sh -sudo useradd -m -g users -G wheel userName -sudo passwd username -``` - -Next, we should delete the default user so logout and login to your new user: - -```sh -sudo userdel rocky -``` - - - -*** - -## Setting a static IP address - -The easiest way is to run: - -```shell -sudo nmtui -``` - - - -Select **Edit** a connection and select your network interface. - - - -Select **Show** for **IPv4 CONFIGURATION** and enter the IP you want to set. Then select **OK** at the bottom, and quit the program. - -## Securing the PI - -### SSH Key Authorization - -The best way to secure the pi is to use an SSH key to login instead of a password. First you want to generate an SSH key by running on your computer: - -```sh -ssh-keygen -t rsa -``` - -Next, to copy your SSH key to your server, run: - -```sh -ssh-copy-id -i ~/.ssh/mykey user@host -``` - -To test that it works, run: - -```sh -ssh -i ~/.ssh/mykey user@host -``` - -If it worked, you should be able to connect without needing a password. - -To force an SSH key to login, edit `/etc/ssh/sshd_config` using nano or vim. - -Change `PermitRootLogin yes` to `PermitRootLogin no` and `PasswordAuthentication yes` to `PasswordAuthentication no`. 
- -### Setting up fail2ban - -First start and enable firewalld to run at boot: - -```sh -sudo systemctl start firewalld -sudo systemctl enable firewalld -``` - -Now, enable the EPEL repository for Rocky Linux and install fail2ban: - -```sh -sudo dnf install epel-release -y -sudo dnf install fail2ban fail2ban-firewalld -y -``` - -Start and enable fail2ban to run at boot: - -```sh -sudo systemctl start fail2ban -sudo systemctl enable fail2ban -``` - -Now, we have to make fail2ban work with firewalld, run: - -```sh -sudo mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local -sudo systemctl restart fail2ban -``` - -To create an SSH jail, edit the ssh config file with nano or vim: - -```sh -sudo nano /etc/fail2ban/jail.d/sshd.local -``` - -Paste the following into the file and change the values as you see fit: - -``` -[sshd] -enabled = true -bantime = 1d -maxretry = 3 -``` - -Save and close the file and restart fail2ban: - -```sh -sudo systemctl restart fail2ban -``` - -## Setting up Dynamic DNS with Google Domains - -### Configuring Google Domains - -First, on [Domains.google.com](https://domains.google.com/) go the DNS page for your domain. Scroll down and click on **Show advanced settings**, Click **Manage dynamic DNS**, and then click **Create new record**. Enter your subdomain or leave it black for the domain itself. Finally, click Save. - -### Installing ddclient - -To install ddclient you need to enable the PowerTools Repo for the perl dependency. 
- -First, install `dnf-plugins-core`: - -```sh -sudo dnf -y install dnf-plugins-core -sudo dnf upgrade -``` - -Next, enable PowerTools: - -```sh -sudo dnf config-manager --set-enabled powertools -``` - -Then, you can install ddclient: - -```sh -sudo dnf install ddclient -``` - -Now, we want to edit the config file for ddclient: - -```sh -sudo nano /etc/ddclient.conf -``` - -You'll want to look for where it says `protocol=dyndns2`, and enter your information: - -``` -## -## nsupdate.info IPV4(https://www.nsupdate.info) -## -protocol=dyndns2 -use=web, web=http://ipv4.nsupdate.info/myip -server=domains.google.com -login=username -password=password -domain.tld -``` - -Wait about 5 minutes and on the Google Domains website, under Dynamic DNS you should see your IP address under **Data**. - -## Setting up NGINX and Let's Encrypt - -### Installing NGINX - -First, install nginx Webserver: - -```sh -sudo dnf install nginx -``` - -Next, start and enable nginx to run at boot: - -```sh -sudo systemctl start nginx -sudo systemctl enable nginx -``` - -Then, check the status to see if it is running: - -```sh -sudo systemctl status nginx -``` - - - -Now, we have to allow HTTP traffic through the firewall: - -```sh -sudo firewall-cmd --add-service=http --permanent -sudo firewall-cmd --add-service=https --permanent -sudo firewall-cmd --reload -``` - -In a web browser, go to the local ip of the server and you should see the nginx welcome page. 
- - - -### Configuring NGINX - -First, make your folder for the website, this is where your website will live: - -```sh -sudo mkdir -p /var/www/websiteName -``` - -Next, we need to set the proper permissions to make sure everything works: - -```sh -sudo chown -R nginx /var/www/websiteName -sudo chmod -R 755 /var/www/websiteName -``` - -Now, we will create the config file for website: - -```sh -sudo nano /etc/nginx/conf.d/websiteName.conf -``` - -and paste the following into the file: - -``` -server { - listen 80; - server_name domain.tld www.domain.tld; - root /var/www/websiteName; - index index.php index.html index.htm; - access_log /var/log/nginx/websiteName.access.log; - error_log /var/log/nginx/websiteName.error.log; -} -``` - -Now, confirm that the nginx configuration is ok: - -```sh -sudo nginx -t -``` - -Restart nginx: - -```sh -sudo systemctl restart nginx -sudo systemctl status nginx -``` - -Next, set SELinux to permissive mode: - -```sh -sudo setenforce permissive -sudo getenforce -``` - -Now, we will need to set SELinux to permissive mode permanently: - -```sh -sudo sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux -``` - -### Installing and Running Certbot - -To install Certbot run: - -```sh -sudo dnf install certbot python3-certbot-nginx -``` - -To get SSL certificates for your websites run: - -```sh -sudo certbot --nginx -``` - -Answer the prompts that show up on screen as you wish. - -To configure auto renewal of the SSL certificate run: - -```sh -crontab -e -``` - -and add the following line: - -``` -0 12 * * * /usr/bin/certbot renew --quiet -``` - -This will check everyday at noon to see if the certificate will expire in the next month, if so it will renew the certificate. - -Now your website should be operational. diff --git a/articles/articleMaker.tar b/articles/articleMaker.tar Binary files differdeleted file mode 100644 index 6ad885d..0000000 --- a/articles/articleMaker.tar +++ /dev/null 
diff --git a/articles/index.html b/articles/index.html deleted file mode 100644 index 3d1abc7..0000000 --- a/articles/index.html +++ /dev/null @@ -1,26 +0,0 @@ -<!DOCTYPE html> -<html lang="en"> - <head> - <meta charset="UTF-8"> - <meta name="viewport" content="width=device-width, initial-scale=1"> - <title>Jacob McDonnell</title> - <meta name="description" content="This is the page where I host my articles."/> - <link href="../CSS/main.css" rel="stylesheet" type="text/css"> - <link href="favicon.ico" rel="icon" sizes="any"> - </head> - <body> - <ul class="topBar"> - <li class="topLink"><a href="https://jacobmcdonnell.com/">home</a></li> - <li class="topLink"><a href="https://jacobmcdonnell.com/articles">articles</a></li> - <li class="topLink"><a href="https://jacobmcdonnell.com/articles/rss.xml">rss feed</a></li> - </ul> - <div class="main"> - <div class="article"> - <a href="RpiRockyLinuxServer"> - <h2>Hosting a Website on the Raspberry Pi with Rocky Linux</h2> - <p>2/19/22<br>A tutorial on setting up a webserver on a Raspberry Pi with Rocky Linux 8</p> - </a> - </div> - </div> - </body> -</html> diff --git a/articles/rss.xml b/articles/rss.xml deleted file mode 100644 index e280062..0000000 --- a/articles/rss.xml +++ /dev/null 
@@ -1,204 +0,0 @@ -<?xml version="1.0" encoding="utf-8"?> -<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"> - -<channel> -<title>Jacob McDonnell</title> -<description>Articles from Jacob McDonnell.</description> -<language>en-us</language> -<link>https://jacobmcdonnell.com/rss.xml</link> -<atom:link href="https://jacobmcdonnell.com/rss.xml" rel="self" type="application/rss+xml" /> -<image> -<title>Jacob McDonnell</title> -<url>https://jacobmcdonnell.com/favicon.ico</url> -<link>https://jacobmcdonnell.com/rss.xml</link> -</image> - -<!-- LB --> - - - - - - - -<item> -<title>Hosting a Website on the Raspberry Pi with Rocky Linux</title> -<guid>https://jacobmcdonnell.com/articles/RpiRockyLinuxServer/</guid> -<link>https://jacobmcdonnell.com/articles/RpiRockyLinuxServer/</link> -<pubDate>Sun, 19 Feb 2022 15:00:00 -0500</pubDate> -<description><![CDATA[ - <p>First Download Rocky Linux for the Raspberry Pi 3 & 4 from <a href='https://rockylinux.org/alternative-images'>their website</a>.</p> - <center><img class="imgs" src="img/Screen Shot 2022-02-19 at 2.15.13 PM.png" referrerpolicy="no-referrer" alt="Screen Shot 2022-02-19 at 2.15.13 PM"></center> - <p>Next you want to burn this image to the sd card that you are going to use. Now start up the Raspberry Pi and login with the default user <code>rocky</code> and the password is <code>rockylinux</code>. 
</p> - <p>To make the image take up the whole drive, run:</p> - <pre><code class='language-shell' lang='shell'>sudo rootfs-expand - </code></pre> - <p>Now, you should create a new user:</p> - <pre><code class='language-shell' lang='shell'>sudo useradd -m -g users -G wheel userName -sudo passwd username - </code></pre> - <p>Next, we should delete the default user so logout and login to your new user:</p> - <pre><code class='language-shell' lang='shell'>sudo userdel rocky - </code></pre> - <p> </p> - <hr /> - <h2 id='setting-a-static-ip-address'>Setting a static IP address </h2> - <p>The easiest way is to run:</p> - <pre><code class='language-shell' lang='shell'>sudo nmtui - </code></pre> - <center><img class="imgs" src="img/Screen Shot 2022-02-19 at 2.18.39 PM.png" referrerpolicy="no-referrer" alt="Screen Shot 2022-02-19 at 2.18.39 PM"></center> - <p>Select <strong>Edit</strong> a connection and select your network interface. </p> - <center><img class="imgs" src="img/Screen Shot 2022-02-19 at 2.23.20 PM.png" referrerpolicy="no-referrer" alt="Screen Shot 2022-02-19 at 2.23.20 PM"></center> - <p>Select <strong>Show</strong> for <strong>IPv4 CONFIGURATION</strong> and enter the IP you want to set. Then select <strong>OK</strong> at the bottom, and quit the program.</p> - <h2 id='securing-the-pi'>Securing the PI</h2> - <h3 id='ssh-key-authorization'>SSH Key Authorization</h3> - <p>The best way to secure the pi is to use an SSH key to login instead of a password. 
First you want to generate an SSH key by running on your computer:</p> - <pre><code class='language-shell' lang='shell'>ssh-keygen -t rsa - </code></pre> - <p>Next, to copy your SSH key to your server, run:</p> - <pre><code class='language-shell' lang='shell'>ssh-copy-id -i ~/.ssh/mykey user@host - </code></pre> - <p>To test that it works, run:</p> - <pre><code class='language-shell' lang='shell'>ssh -i ~/.ssh/mykey user@host - </code></pre> - <p>If it worked, you should be able to connect without needing a password.</p> - <p>To force an SSH key to login, edit <code>/etc/ssh/sshd_config</code> using nano or vim.</p> - <p>Change <code>PermitRootLogin yes</code> to <code>PermitRootLogin no</code> and <code>PasswordAuthentication yes</code> to <code>PasswordAuthentication no</code>.</p> - <h3 id='setting-up-fail2ban'>Setting up fail2ban</h3> - <p>First start and enable firewalld to run at boot:</p> - <pre><code class='language-shell' lang='shell'>sudo systemctl start firewalld -sudo systemctl enable firewalld - </code></pre> - <p>Now, enable the EPEL repository for Rocky Linux and install fail2ban:</p> - <pre><code class='language-shell' lang='shell'>sudo dnf install epel-release -y -sudo dnf install fail2ban fail2ban-firewalld -y - </code></pre> - <p>Start and enable fail2ban to run at boot:</p> - <pre><code class='language-shell' lang='shell'>sudo systemctl start fail2ban -sudo systemctl enable fail2ban - </code></pre> - <p>Now, we have to make fail2ban work with firewalld, run:</p> - <pre><code class='language-shell' lang='shell'>sudo mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local -sudo systemctl restart fail2ban - </code></pre> - <p>To create an SSH jail, edit the ssh config file with vim or nano:</p> - <pre><code class='language-shell' lang='shell'>sudo nano /etc/fail2ban/jail.d/sshd.local - </code></pre> - <p>Paste the following into the file and change the values as you see fit:</p> - <pre><code>[sshd] -enabled = true -bantime 
= 1d -maxretry = 3 - </code></pre> - <p>Save and close the file and restart fail2ban:</p> - <pre><code class='language-shell' lang='shell'>sudo systemctl restart fail2ban - </code></pre> - <h2 id='setting-up-dynamic-dns-with-google-domains'>Setting up Dynamic DNS with Google Domains</h2> - <h3 id='configuring-google-domains'>Configuring Google Domains</h3> - <p>First, on <a href='https://domains.google.com/'>Domains.google.com</a> go the DNS page for your domain. Scroll down and click on <strong>Show advanced settings</strong>, Click <strong>Manage dynamic DNS</strong>, and then click <strong>Create new record</strong>. Enter your subdomain or leave it black for the domain itself. Finally, click Save.</p> - <h3 id='installing-ddclient'>Installing ddclient</h3> - <p>To install ddclient you need to enable the PowerTools Repo for the perl dependency.</p> - <p>First, install <code>dnf-plugins-core</code>:</p> - <pre><code class='language-shell' lang='shell'>sudo dnf -y install dnf-plugins-core -sudo dnf upgrade - </code></pre> - <p>Next, enable PowerTools:</p> - <pre><code class='language-shell' lang='shell'>sudo dnf config-manager --set-enabled powertools - </code></pre> - <p>Then, you can install ddclient:</p> - <pre><code class='language-shell' lang='shell'>sudo dnf install ddclient - </code></pre> - <p>Now, we want to edit the config file for ddclient:</p> - <pre><code class='language-shell' lang='shell'>sudo nano /etc/ddclient.conf - </code></pre> - <p>You'll want to look for where it says <code>protocol=dyndns2</code>, and enter your information:</p> - <pre><code>## -## nsupdate.info IPV4(https://www.nsupdate.info) -## -protocol=dyndns2 -use=web, web=http://ipv4.nsupdate.info/myip -server=domains.google.com -login=username -password=password -domain.tld - </code></pre> - <p>Wait about 5 minutes and on the Google Domains website, under Dynamic DNS you should see your IP address under <strong>Data</strong>.</p> - <h2 id='setting-up-nginx-and-lets-encrypt'>Setting 
up NGINX and Let's Encrypt</h2> - <h3 id='installing-nginx'>Installing NGINX</h3> - <p>First, install nginx Webserver:</p> - <pre><code class='language-shell' lang='shell'>sudo dnf install nginx - </code></pre> - <p>Next, start and enable nginx to run at boot:</p> - <pre><code class='language-shell' lang='shell'>sudo systemctl start nginx -sudo systemctl enable nginx - </code></pre> - <p>Then, check the status to see if it is running:</p> - <pre><code class='language-shell' lang='shell'>sudo systemctl status nginx - </code></pre> - <center><img class="imgs" src="img/Screen Shot 2022-02-19 at 2.56.21 PM.png" referrerpolicy="no-referrer" alt="Screen Shot 2022-02-19 at 2.56.21 PM"></center> - <p>Now, we have to allow HTTP traffic through the firewall:</p> - <pre><code class='language-shell' lang='shell'>sudo firewall-cmd --add-service=http --permanent -sudo firewall-cmd --add-service=https --permanent -sudo firewall-cmd --reload - </code></pre> - <p>In a web browser, go to the local ip of the server and you should see the nginx welcome page.</p> - <center><img class="imgs" src="img/Screen Shot 2022-02-19 at 2.58.29 PM.png" referrerpolicy="no-referrer" alt="Screen Shot 2022-02-19 at 2.58.29 PM"></center> - <h3 id='configuring-nginx'>Configuring NGINX</h3> - <p>First, make your folder for the website, this is where your website will live:</p> - <pre><code class='language-shell' lang='shell'>sudo mkdir -p /var/www/websiteName - </code></pre> - <p>Next, we need to set the proper permissions to make sure everything works:</p> - <pre><code class='language-shell' lang='shell'>sudo chown -R nginx /var/www/websiteName -sudo chmod -R 755 /var/www/websiteName - </code></pre> - <p>Now, we will create the config file for website:</p> - <pre><code class='language-shell' lang='shell'>sudo nano /etc/nginx/conf.d/websiteName.conf - </code></pre> - <p>and paste the following into the file:</p> - <pre><code>server { - listen 80; - server_name domain.tld www.domain.tld; - root 
/var/www/websiteName; - index index.php index.html index.htm; - access_log /var/log/nginx/websiteName.access.log; - error_log /var/log/nginx/websiteName.error.log; -} - </code></pre> - <p>Now, confirm that the nginx configuration is ok:</p> - <pre><code class='language-shell' lang='shell'>sudo nginx -t - </code></pre> - <p>Restart nginx:</p> - <pre><code class='language-shell' lang='shell'>sudo systemctl restart nginx -sudo systemctl status nginx - </code></pre> - <p>Next, set SELinux to permissive mode:</p> - <pre><code class='language-shell' lang='shell'>sudo setenforce permissive -sudo getenforce - </code></pre> - <p>Now, we will need to set SELinux to permissive mode permanently:</p> - <pre><code class='language-shell' lang='shell'>sudo sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux - </code></pre> - <h3 id='installing-and-running-certbot'>Installing and Running Certbot</h3> - <p>To install Certbot run:</p> - <pre><code class='language-shell' lang='shell'>sudo dnf install certbot python3-certbot-nginx - </code></pre> - <p>To get SSL certificates for your websites run:</p> - <pre><code class='language-shell' lang='shell'>sudo certbot --nginx - </code></pre> - <p>Answer the prompts that show up on screen as you wish.</p> - <p>To configure auto renewal of the SSL certificate run:</p> - <pre><code class='language-shell' lang='shell'>crontab -e - </code></pre> - <p>and add the following line:</p> - <pre><code>0 12 * * * /usr/bin/certbot renew --quiet - </code></pre> - <p>This will check everyday at noon to see if the certificate will expire in the next month, if so it will renew the certificate.</p> - <p>Now your website should be operational. </p><br> -]]></description> -</item> - - - -</channel> - -</rss> |
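Review bot: Deleting articles/.DS_Store and articles/articleMaker.tar from the tree does not remove them from history; the blobs a5b33a5 and 6ad885d named in their index lines stay retrievable from any clone. A .DS_Store file records the names of files in the folder it was created in, so if either file was committed by accident and holds anything that should not be public, a history rewrite is needed in addition to this commit. Adding .DS_Store to .gitignore in the same change would keep it from being re-added by a later commit.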
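Review bot: If the tutorial in articles/RpiRockyLinuxServer/index.html and rpi4rockylinuxwebserver.md is being moved rather than retired, the step that sets SELinux to permissive (`sudo setenforce permissive` followed by the sed on /etc/sysconfig/selinux) should not be carried over as written, since it turns off enforcement for the whole host to serve one directory. Keeping SELinux enforcing and giving /var/www/websiteName the web content label is the narrower fix. Three smaller points in the same deleted text: `useradd ... userName` is followed by `passwd username`, which is a different account name; `ssh-keygen -t rsa` is run without a file name while the next two commands use `-i ~/.ssh/mykey`; and the sshd_config edits are never followed by a restart of sshd, so password logins stay enabled until the next reboot.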
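Review bot: The deletion of articles/index.html and articles/rss.xml retires URLs the site has already published, and nothing in this diff replaces them. The feed item's guid and link are https://jacobmcdonnell.com/articles/RpiRockyLinuxServer/, and the topBar in the removed pages links to https://jacobmcdonnell.com/articles and https://jacobmcdonnell.com/articles/rss.xml; if the same bar is used on pages that remain, those links break with this commit. Consider updating the navigation in the same change and answering the old paths with a redirect or a 410 so feed readers stop polling them.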
