1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
|
# Hosting a Website on the Raspberry Pi with Rocky Linux
First Download Rocky Linux for the Raspberry Pi 3 & 4 from [their website](https://rockylinux.org/alternative-images).
Next you want to burn this image to the sd card that you are going to use. Now start up the Raspberry Pi and login with the default user `rocky` and the password is `rockylinux`.
To make the image take up the whole drive, run:
```sh
sudo rootfs-expand
```
Now, you should create a new user:
```sh
sudo useradd -m -g users -G wheel userName
sudo passwd username
```
Next, we should delete the default user so logout and login to your new user:
```sh
sudo userdel rocky
```
***
## Setting a static IP address
The easiest way is to run:
```shell
sudo nmtui
```
Select **Edit** a connection and select your network interface.
Select **Show** for **IPv4 CONFIGURATION** and enter the IP you want to set. Then select **OK** at the bottom, and quit the program.
## Securing the PI
### SSH Key Authorization
The best way to secure the pi is to use an SSH key to login instead of a password. First you want to generate an SSH key by running on your computer:
```sh
ssh-keygen -t rsa
```
Next, to copy your SSH key to your server, run:
```sh
ssh-copy-id -i ~/.ssh/mykey user@host
```
To test that it works, run:
```sh
ssh -i ~/.ssh/mykey user@host
```
If it worked, you should be able to connect without needing a password.
To force an SSH key to login, edit `/etc/ssh/sshd_config` using nano or vim.
Change `PermitRootLogin yes` to `PermitRootLogin no` and `PasswordAuthentication yes` to `PasswordAuthentication no`.
### Setting up fail2ban
First start and enable firewalld to run at boot:
```sh
sudo systemctl start firewalld
sudo systemctl enable firewalld
```
Now, enable the EPEL repository for Rocky Linux and install fail2ban:
```sh
sudo dnf install epel-release -y
sudo dnf install fail2ban fail2ban-firewalld -y
```
Start and enable fail2ban to run at boot:
```sh
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
```
Now, we have to make fail2ban work with firewalld, run:
```sh
sudo mv /etc/fail2ban/jail.d/00-firewalld.conf /etc/fail2ban/jail.d/00-firewalld.local
sudo systemctl restart fail2ban
```
To create an SSH jail, edit the ssh config file with nano or vim:
```sh
sudo nano /etc/fail2ban/jail.d/sshd.local
```
Paste the following into the file and change the values as you see fit:
```
[sshd]
enabled = true
bantime = 1d
maxretry = 3
```
Save and close the file and restart fail2ban:
```sh
sudo systemctl restart fail2ban
```
## Setting up Dynamic DNS with Google Domains
### Configuring Google Domains
First, on [Domains.google.com](https://domains.google.com/) go the DNS page for your domain. Scroll down and click on **Show advanced settings**, Click **Manage dynamic DNS**, and then click **Create new record**. Enter your subdomain or leave it black for the domain itself. Finally, click Save.
### Installing ddclient
To install ddclient you need to enable the PowerTools Repo for the perl dependency.
First, install `dnf-plugins-core`:
```sh
sudo dnf -y install dnf-plugins-core
sudo dnf upgrade
```
Next, enable PowerTools:
```sh
sudo dnf config-manager --set-enabled powertools
```
Then, you can install ddclient:
```sh
sudo dnf install ddclient
```
Now, we want to edit the config file for ddclient:
```sh
sudo nano /etc/ddclient.conf
```
You'll want to look for where it says `protocol=dyndns2`, and enter your information:
```
##
## nsupdate.info IPV4(https://www.nsupdate.info)
##
protocol=dyndns2
use=web, web=http://ipv4.nsupdate.info/myip
server=domains.google.com
login=username
password=password
domain.tld
```
Wait about 5 minutes and on the Google Domains website, under Dynamic DNS you should see your IP address under **Data**.
## Setting up NGINX and Let's Encrypt
### Installing NGINX
First, install nginx Webserver:
```sh
sudo dnf install nginx
```
Next, start and enable nginx to run at boot:
```sh
sudo systemctl start nginx
sudo systemctl enable nginx
```
Then, check the status to see if it is running:
```sh
sudo systemctl status nginx
```
Now, we have to allow HTTP traffic through the firewall:
```sh
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
```
In a web browser, go to the local ip of the server and you should see the nginx welcome page.
### Configuring NGINX
First, make your folder for the website, this is where your website will live:
```sh
sudo mkdir -p /var/www/websiteName
```
Next, we need to set the proper permissions to make sure everything works:
```sh
sudo chown -R nginx /var/www/websiteName
sudo chmod -R 755 /var/www/websiteName
```
Now, we will create the config file for website:
```sh
sudo nano /etc/nginx/conf.d/websiteName.conf
```
and paste the following into the file:
```
server {
listen 80;
server_name domain.tld www.domain.tld;
root /var/www/websiteName;
index index.php index.html index.htm;
access_log /var/log/nginx/websiteName.access.log;
error_log /var/log/nginx/websiteName.error.log;
}
```
Now, confirm that the nginx configuration is ok:
```sh
sudo nginx -t
```
Restart nginx:
```sh
sudo systemctl restart nginx
sudo systemctl status nginx
```
Next, set SELinux to permissive mode:
```sh
sudo setenforce permissive
sudo getenforce
```
Now, we will need to set SELinux to permissive mode permanently:
```sh
sudo sed -i --follow-symlinks 's/SELINUX=enforcing/SELINUX=permissive/g' /etc/sysconfig/selinux
```
### Installing and Running Certbot
To install Certbot run:
```sh
sudo dnf install certbot python3-certbot-nginx
```
To get SSL certificates for your websites run:
```sh
sudo certbot --nginx
```
Answer the prompts that show up on screen as you wish.
To configure auto renewal of the SSL certificate run:
```sh
crontab -e
```
and add the following line:
```
0 12 * * * /usr/bin/certbot renew --quiet
```
This will check everyday at noon to see if the certificate will expire in the next month, if so it will renew the certificate.
Now your website should be operational.
|
