DIY-IOT: How to construct a device, that turns on/off other devices via the Internet – Part 2/4: Installation and preparation of Raspberry Pi

IMPORTANT: READ THIS, before deciding to build something like this device. This device is connected directly to the mains power, which is potentially lethal to mess around with! I am not kidding you – the best scenario when subjected to electrical shock is that it hurts like h*ll, worst case scenario is that you DIE. You should not mess with mains power without a minimum of knowledge.

Last article was about specifying the gizmo that we’re going to build. Before we start making the hardware and software, the Raspberry must be configured to suit our purpose. This article describes the configuration, and the next two articles will be about the hardware, and finally the software.

This article assume that we start with a Raspberry Pi with a fresh install of Raspbian. If you need help installing the OS on the Raspberry Pi, look here: https://www.raspberrypi.org/learning/noobs-install/

There is a new version of Raspbian available, “Jessie”, and I have chosen the LITE version, since we’re not going to use the desktop for anything.

Do not connect the Raspberry Pi to any network until we have some basic security measures implemented. Instead connect a keyboard and a monitor, and power-up the device. Once boot is completed, login using “pi” as username and “raspberry” as password.

Le’s start by setting up some standard stuff:

sudo raspi-config

del3_raspiconfig

Choose ”Expand filesystem”, so we’re certain that the entire SD card is available for the filesystem.

Advanced options → Hostname
I choose ”skarpline-iot”. Choose whatever suits you, but keep in mind that special characters are not supported.

Advanced options → SSH
SSH must be enabled.

Advanced options → Memory Split
Memory is shared between system and graphic adaptor. Since we’re not going to use grathics, leave as much as possible for the system, by choosing the lowest possible value (16).

Internationalisation Options → Change Timezone
– Timezone: Copenhagen in my case.

Choose ’Finish’, and reboot the Raspberry Pi. Once booted, login as ’pi’ like before.

Now we must change the default username and password. This must be done before the Raspberry even smell an Internet connection.

The new user should enjoy the same rights as the old one, so let’s start by examining the groups that the user ‘pi’ is a member of:

pi@skarpline-iot:~ $ groups
pi adm dialout cdrom sudo audio video plugdev games users input netdev gpio i2c spi

Except ‘pi’ that will be deleted, we will assign these groups to our new user. Take the list, remove ‘pi’ and add commas between the names (no whitespaces). My new user is ‘rpi_admin’:

pi@skarpline-iot:~ $ sudo useradd -m -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi rpi_admin

Now assign a password for the new user (and don’t use 1234. That’s mine!):

pi@skarpline-iot:~ $ sudo passwd rpi_admin
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Reboot the Raspberry Pi:

pi@skarpline-iot ~ $ sudo reboot

Login using the new username, and delete the ‘pi’ user:

rpi_admin@skarpline-iot ~ $ sudo deluser --remove-all-files pi

Now we can try connecting to our Raspberry Pi via a network connection. Connect the Raspberry Pi to your network using an Ethernet cable, and try connecting via SSH:

Once the cable is connected, verify that an IP address have been assigned to the Raspberry Pi:

rpi_admin@skarpline-iot ~ $ ifconfig
eth0 Link encap:Ethernet HWaddr b8:27:eb:aa:d8:af
inet addr:192.168.1.40 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1236 errors:0 dropped:0 overruns:0 frame:0
TX packets:770 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:165094 (161.2 KiB) TX bytes:128214 (125.2 KiB)

My Raspberry Pi evidently have been assigned the IP address 192.168.1.40. If your device fail to connect to your LAN, you must debug the issue before proceeding. The remaining article assumes a working Internet connection.

Now that the Internet connection is up’n’running the keyboard and monitor can be disconnected. From now on it’s all happening via the SSH connection. On Linux or OSX open a termainal and type:

ssh rpi_admin@192.168.1.40

If you’re using Windows I recommend downloading Putty: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.

Next we ensure, that all software on the Raspberry Pi is upgraded – This might take a while:

sudo apt-get update && sudo apt-get upgrade

IT security is much like a war, and as the general in the war must ensure that no flanks are open for attach, we must block any connections attempts to network ports that we do not intend to use. An open port is an invitation to attackers, which is why we install a firewall and create rules that block all ports, except 22/SSH, 80/HTTP and 443/HTTPS. Once SSL is working I recommend that we also block 80/HTTP. The firewall inside the Raspberry Pi is iptables, which is a nightmare to configure, and understand. Therefore let’s install UFW (Uncomplicated Firewall), providing an easy-to-use shell on top of iptables.

rpi_admin@skarpline-iot:~ $ sudo apt-get install ufw

To check if the firewall is correctly configures, I recommend using nmap. To verify the state of ports on the Raspberry Pi (Note: nmap must be run form a PC connected to the LAN. Nmap is a linux/OSX tool, but windows version is available here: https://nmap.org/book/inst-windows.html):

sudo nmap –sA 192.168.1.40
… All 1000 scanned ports on 192.168.1.40 are unfiltered …

All ports are open (= unfiltered), so let’s enable UFW and add the rules for ports 22, 80 and 443:

rpi_admin@skarpline-iot:~ $ sudo ufw enable
rpi_admin@skarpline-iot:~ $ sudo ufw allow 22/tcp
rpi_admin@skarpline-iot:~ $ sudo ufw allow 80/tcp
rpi_admin@skarpline-iot:~ $ sudo ufw allow 443/tcp

Retry the portscan:

sudo nmap –sA 192.168.1.40

Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp unfiltered ssh
80/tcp unfiltered http
443/tcp unfiltered https

Much better! Now all ports are closed (filtered), except 22, 80 and 443.
One more security measure – Install fail2ban, protecting against unauthorized login attempts:

rpi_admin@skarpline-iot:sudo apt-get install fail2ban

Obviously we need a webserver, and php. I choose apache2 as webserver:

rpi_admin@skarpline-iot:~ $ sudo apt-get install apache2
rpi_admin@skarpline-iot:~ $ sudo apt-get install php5

Let’s see if the Raspberry Pi now is reachable on http. In a browser type
http://192.168.1.40, where 192.168.1.40 is swapped with the IP address of your Raspberry Pi..

del3_apache2loadHttp

Beautiful!

Maybe php works as well?

Create a php-file in the web folder:

pi_admin@skarpline-iot:~ $ cd /var/www/html/
rpi_admin@skarpline-iot:/var/www/html $ sudo touch test.php
rpi_admin@skarpline-iot:/var/www/html $ sudo nano test.php

Write the small script below to the files (save by typing ctrl+x)

<!--?php echo phpinfo(); ?-->

Now type http://192.168.1.40/test.php

del3_phpLoadHttp

We’re getting there, but we’re not done yet. Now enable SSL:

rpi_admin@skarpline-iot:/var/www/html $ sudo a2enmod ssl
rpi_admin@skarpline-iot:/var/www/html $ sudo service apache2 restart
rpi_admin@skarpline-iot:/var/www/html $ sudo a2ensite default-ssl

Now type https://192.168.1.40/test.php

del3_phpLoadHttps

 

Fantastic – now we’re talking! If this were hardware, now would be the time to lift your hands and slowly step away from the table.

Why the warning in the browser? It’s merely the browser telling you, that the certificate is not an official certificate and therefore not trusted. You will always get this error when accessing an IP address, since the certificate is bound to the FQDN of the site. In our case even using the FQDN you’d still get the error, since we’re using a locally signed (self signed) certificate.

If you get this kind of warning when using net banking, I recommend that you stop what you’re doing!

I choose to don’t care, since for our purpose it’s fine. A commercial product is of course another matter. You can get free certificates many places, e.g. here: : https://www.sslshopper.com/article-free-ssl-certificates-from-a-free-certificate-authority.html

We accept the risc in the browser, and are now able to access the webpage via HTTPS:

del3_phpLoadHttpsWarn

Last thing to configure is the wifi.
First make sure that the wifi dongle is functioning correctly – it ought to work automagically when connected to USB.

rpi_admin@skarpline-iot:~ $ sudo iwlist wlan0 scan
wlan0 Scan completed :
…
Cell 03 - Address: 12:34:56:78:98:76
ESSID:"No_I_dont_want_to_share_my_ssid "
Protocol:IEEE 802.11bgn
Mode:Master
Frequency:2.472 GHz (Channel 13)
Encryption key:on
Bit Rates:144 Mb/s
Extra:rsn_ie=30140100000fac040100000fac040100000fac020c00
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : CCMP
Pairwise Ciphers (1) : CCMP
Authentication Suites (1) : PSK
IE: Unknown: DD8C0050F204104A0001101044000102103B0001031047001092C81F59E93B13E0061B4916F8D00DBE102100055A7958454C1023000C564D47383932342D423130411024000C564D47383932342D4231304110420007393633363847571054000800060050F20400011011000C564D47383932342D4231304110080002200C103C0001031049000600372A000120
Quality=48/100 Signal level=100/100

rpi_admin@skarpline-iot:~ $

Excellent, my wifi is detected. Now we configure the settings in the Raspberry Pi, which is done by editing the wpa_supplicant.conf file:

rpi_admin@skarpline-iot:~ $ sudo nano /etc/wpa_supplicant/wpa_supplicant.conf

And aff the wifi ssid and wpa key to the file (Your ssid/wpa key, not mine!):

network={
ssid=" No_I_dont_want_to_share_my_ssid "
psk=" No_I_definately_dont_want_to_share_my_wpa_key"
}

Reboot the Raspberry Pi, and remember to disconnect the LAN cable. After copmpleting booting the Raspberry Pi will not connect automatically to the wifi (it might take a minute or two).

Last thing, before you’re off the hook: We must install a suitable library for communicating with the GPIO pins of the Raspberry Pi. I choose wiringPi, which must be installed from github. First install git:

rpi_admin@skarpline-iot: $ sudo apt-get install git-core

Next retrieve wiringPi:

rpi_admin@skarpline-iot:~ $ git clone git://git.drogon.net/wiringPi
Cloning into 'wiringPi'...
remote: Counting objects: 944, done.
remote: Compressing objects: 100% (770/770), done.
remote: Total 944 (delta 671), reused 217 (delta 142)
Receiving objects: 100% (944/944), 290.40 KiB | 306.00 KiB/s, done.
Resolving deltas: 100% (671/671), done.
Checking connectivity... done.
rpi_admin@skarpline-iot:~ $

Now install wiringPi:

rpi_admin@skarpline-iot:~ $ cd wiringPi/
rpi_admin@skarpline-iot:~/wiringPi $ ./build

Wonder if it works?

pi_admin@skarpline-iot:~/wiringPi $ gpio -v
gpio version: 2.31
Copyright (c) 2012-2015 Gordon Henderson
This is free software with ABSOLUTELY NO WARRANTY.
For details type: gpio -warranty

Awesome!

Now we’re done-. If you made it this far, well done. This part was a bit boring, I admit. But next article will be on creating the hardware. There is a good chance of electrical shocks and solder iron burns. Stay tuned…

Leave a Reply

Your email address will not be published. Required fields are marked *