Raspberry Pi
Introduction
Raspberry Pi's are cool little computers and I have a few I use in my adventures. I don't have an original though. :-(
I also have a Banana Pi BPI-R1, which was my home router, then a media server, then, well I'm not really using it now.
Please read the "First Steps" section below. It has lots of good info for first time linux/RPi users. Also, I have this script that I use after those "First Steps".
Anyways, enough rambling about cool little computing devices.
Table of Contents
First Steps Philosophy
Philosophy
As of April 4th, 2022, the folks at Raspberry Pi finally removed the default user & password. This is awesome! Security should not be an afterthought. I still think learning about security along the process is a very effective use of the process. ;-) Others may disagree, and that's okay. There are still some concepts and reasoning as well as steps that I think should be performed. So read on to make your own informed decision.
The environment in which you use your Raspberry Pi matters. The first question to ask is do you trust that there won't be any bad actors getting to your Raspberry Pi? It can be as simple a question as how much you trust your siblings/schoolmates (you will probably be on the same network)? If you can't or aren't sure how to answer that question, ask someone (parent/teacher/Google).
And honestly, it isn't hard to stay safe(er); please read on.
After Raspberry Pi OS
This is for the Raspberry Pi OS & Raspberry Pi OS Lite (both 64-bit) as of 10/22/2023. There are two ways to approach creating the bootable media to have more secure system. One is to create a user/password when making the boot media. The other is setting the user/password at the first boot. Both are okay, because the RPi is not vulnerable to remote attacks at that first boot.
One quick note/reminder; if you have other Linux machines (including Raspberry Pis) think about UIDs. I've found it helpful to keep them the same across systems.
DO NOT plug the Raspberry Pi into the network yet; just the monitor/keyboard/mouse.
During the first boot process, set the username and password.
When done, log in (if RPi OS Lite) or log in and open the terminal.
In the terminal, and sudo rm /etc/sudoers.d/010_pi-nopasswd. The file has one line, which is some variation of: <username> ALL=(ALL) NOPASSWORD: ALL. It may be different if you did setup options in the Raspberry Pi Imager. With this file, you do not have to type in your password for sudo commands. I think this is less secure, think about those annoying siblings/classmates who might want to do something when you walk away for a bit.
Now connect the Raspberry Pi to the network & update! Sometimes software updates screw things up, especially if you are using development versions. But in general, it is best to update because it fixes bugs, and any bug can cause/help security issues.
In terminal: sudo apt --fix-broken install && sudo apt-get update && sudo apt-get -y dist-upgrade.
Next, type in the terminal sudo raspi-config. Don't mess with firmware, the latest distributions include necessary firmware in kernel updates. Familiarize yourself with options & make sure you finish localization to be your country (don't forget wifi is in the System Options).
I strongly suggest you also turn off Auto-Login. Same reason why the pi and/or the new user should not have sudo rights without a password.
I suggest you do not enable SSH until after a reboot (which happens next). This may be a pain, but do you trust your siblings? :-P
Next screen: Reboot!
Reasoning
An easy way to introduce yourself to the idea of security is to think about "fences". This might not be a common view. I'll explain my thoughts. There will always be errors, whether bugs, misconfigurations, whatever. The general analogy of fences is that an attacker does not have just one fence to jump over to get to what should be protected.
I do this professionally, making as many fences as feasible to maintain. It goes along with the idea that there is not just one "silver bullet" in security.
Let's look at the fences I like when working on RPis:
Removing pi user: Attackers do not know what user to use. Thank you, Raspberry Pi Foundation for making this change!
Not allowing passwordless sudo: Attackers can't trick you into running scripts that automatically get root privileges.
Update frequently: Attackers know the holes in your fences before you do and it is harder for you to keep track. Trust the developers upstream!
There are more things, but those are the most accessible for most readers at this point. And as deep as I want to write at this point. In the end, you have to decide what are acceptable risks. This is what good Linux administration is about. :-)
General Maintenance
I should say more, but for now, I've created this bash script to help updates in the future.
Here is a command to see if you're RPi is possibly using a low-voltage power source:
vcgencmd get_throttled
There are codes I should link or copy here. There are some folks who report that writes to SD cards can be missed. I'm not sure that is write with how the linux kernel works. But I find it hard to come up with a good reason to run a RPi with a low-voltage power supply. If the board is having troubles, peripherals will likely have trouble. There will be lots of retries on anything from read/write to RAM to NICs to storage to much of anything else connected.
Pironman 5 Case
For a Raspberry Pi 5 that I have, I'm so glad I got the Pironman 5 case for Christmas. With it, and a few other things, I've made the RPi 5 8GB model into a nice little dual display desktop. More on that experience later. For now, some hints/tips.
Power: As usual, any old power supply isn't the best on RPis; especially if you have anything plugged in. The usual 3A power supply isn't bad for the case. But if you plug any peripheral, including USB drives, you will need something a bit more powerful. I got the Raspberry Pi 5 Official 27W USB Type-C Power Supply, also from Sunfounder.
Installation: A lot of information is here. It has assembly instructions for physical installation. And there is software installation instructions.
Fan Control: Please look at their docs link for full information. Cause I'm lazy and don't know if the docs will disappear., he short of it is two commands:
sudo pironman5 -gm #
sudo systemctl restart pironman5.service
Change the # to be one of:
4: Quiet: The RGB fans will activate at 70°C.
3: Balanced: The RGB fans will activate at 67.5°C.
2: Cool: The RGB fans will activate at 60°C.
1: Performance: The RGB fans will activate at 50°C.
0: Always On: The RGB fans will always on.
My home office tends to run a bit hot. I've been working fine with #4 and the fan rarely comes on.
Oh, and because I'm the paranoid type, I cloned both of Sunfounder's related repos: software, docs. I will try to pull changes as I can. No gaurentees.