Skip to content

Instantly share code, notes, and snippets.

@dblueman

dblueman/rpi-setup.md

Last active June 22, 2025 08:51
Show Gist options
  • Save dblueman/e8556d11a7b16a5026df78b79661a7a9 to your computer and use it in GitHub Desktop.
Save dblueman/e8556d11a7b16a5026df78b79661a7a9 to your computer and use it in GitHub Desktop.
Download ZIP
Raspberry Pi secure server setup guide
Raw
rpi-setup.md

Bootloader factory reset (optional)

  1. Connect microSD card or NVMe drive to laptop
  2. Install Raspberry Pi Imager from https://www.raspberrypi.com/software/ or Linux repos
  3. Select CHOOSE OS > Misc utility images > Bootloader (Pi x family) > SD Card Boot

or if booted to OS from https://github.com/raspberrypi/rpi-eeprom/tree/master/firmware-2712/default

wget path/pieeprom.bin
rpi-eeprom-update -df pieeprom.bin

Deploy OS image (from laptop/desktop)

  1. Connect microSD card or M.2 drive
  2. Install Raspberry Pi Imager from https://www.raspberrypi.com/software/ or Linux repos
  3. Select CHOOSE OS > Other general-purpose OS > Ubuntu > Ubuntu Server 24.04.x LTS (64-bit)
  4. Select EDIT SETTINGS
    1. Under GENERAL, set hostname, username, password
    2. Under SERVICES, enable SSH with password authentication

Setup Pi for first use

  1. Config ethernet addressing, editing /etc/systemd/network/eth0.network
[Match]
Name=eth0

[Network]
DHCP=yes
# Address=192.168.1.20/24
# Gateway=192.168.1.1
# DNS=1.0.0.1
# DNS=1.1.1.1
  1. Enlarge root filesystem (to avoid out of space on first update)
apt update
apt install -y raspi-config
raspi-config

Select "6 Advanced Options" > "A1 Expand Filesystem" and reboot

  1. Update OS
apt upgrade
  1. Install useful packages (needed later)
apt install debsums f2fs-tools fish iptables-persistent nvme-cli stress-ng tmux
  1. Add other users
useradd -m -G sudo -s /bin/bash daniel
passed daniel

Security hardening

  1. Disable wireless interfaces and GPU, editing /boot/firmware/config.txt
# dtparam=audio=on
# dtoverlay=vc4-kms-v3d
dtparam=cooling_fan=on

[pi4]
dtoverlay=disable-bt
dtoverlay=disable-wifi

[pi5]
dtoverlay=disable-bt-pi5
dtoverlay=disable-wifi-pi5
dtparam=pciex1_gen=3
  1. Configure NTP, editing /etc/systemd/timesyncd.conf
[Time]
FallbackNTP=time.cloudflare.com
  1. Activate daily package updates and proxy, creating /etc/apt/apt.conf.d/90local
# Acquire::http::Proxy "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
        "${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::MailOnlyOnError "false";
Unattended-Upgrade::MinimalSteps "false";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
  1. Disable redundant automatic update shutdown inhibition service
sudo systemctl disable unattended-upgrades.service
  1. Setup application IPv4 firewall (adjust as neeeded), creating /etc/iptables/rules.v4 and /etc/iptables/rules.v6
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m hashlimit --hashlimit-name ratelimit --hashlimit-mode srcip --hashlimit-above 3/second --hashlimit-burst 3 --hashlimit-htable-expire 30000 -j DROP
-A INPUT -p tcp -m multiport --dports 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT

Performance tuning

  1. Add network tuning, creating /etc/sysctl.d/90-local.conf
net.ipv4.tcp_congestion_control=bbr
net.ipv4.tcp_slow_start_after_idle=0
net.ipv4.tcp_ecn=1
  1. Remove baggage
apt purge --auto-remove alsa-utils avahi-daemon cloud-initramfs-copymods cloud-initramfs-dyn-netconf git landscape-common lvm2 lxd-agent-loader lxd-installer mdadm modemmanager motd-news-config multipath-tools open-iscsi open-vm-tools pollinate rsyslog snapd sosreport udisks2
  1. Find and remove additional baggage
apt install deborphan
deborphan --guess-all --ignore-suggests --ignore-recommends | xargs apt purge --auto-remove

Verification

  1. Check automatic updates are enabled
systemctl status apt-daily.timer apt-daily-upgrade.timer
  1. Check there is no package corruption or binary modification (hacked)
apt install debsums
debsums -c
  1. Check storage speed is expected (adjust to mmcblk0 as needed)
dd if=/dev/nvme0n1 of=/dev/null bs=8M count=10 iflag=fullblock,direct
  1. Check NTP is synchronised
timedatectl timesync-status
  1. Check automatic updates work, see older logs in /var/log/unattended-upgrades/
unattended-upgrades --debug
  1. Check stability under load
apt intall stress-ng
stress-ng --vm -1 --vm-bytes 88% --vm-keep --verify --thermalstat 30 --timeout 24h
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment