I belong to the school saying that only necessary software should be installed on a server, if only for security reasons. This counts much more so when your box has limited performance, as is the case for the RasPi. Fortunately, that sort of need is not unique, and somebody has made available a minimal RaspBian (Debian GNU/Linux for the Raspberry Pi) image, called MINIBIAN.
You may download it from SourceForge, unzip it and put it on your SD card using dd. In my case:
unzip 2013-09-25-wheezy-raspbian.zip sudo dd bs=4M if=2013-10-13-wheezy-minibian.img of=/dev/sdk
Depending on your setup, you may want to mount the main partition immediately and edit the network settings, so as to be able to entirely skip the “hook-up-a-screen-and-keyboard” part, indeed an OpenSSH server is included out of the box.
So you may edit the /etc/network/interfaces file and include something like:
auto eth0 allow-hotplug eth0 iface eth0 inet static address 192.168.1.253 netmask 255.255.255.0 gateway 192.168.1.1
Don't forget the auto eth0 line, otherwise the interface won't be activated at boot!
Also, put in your resolvers into /etc/resolv.conf, e.g.:
nameserver 192.168.1.1 # your router # add your ISPs nameservers here nameserver 8.8.4.4 # Google DNS, for backup nameserver 8.8.8.8 # Google DNS, for backup
Don't forget this, otherwise your RasPi won't be able to resolve names to IPs!
Put the SD card in your RasPi model B, hook up the ethernet cable, and turn it on by plugging in the microUSB cable.
If all goes well, you should see some lights turning on, including the networking part, and be able to ping the RasPi at the configured IP. You can now also ssh in:
ssh root@192.168.1.253
The default password is raspberry, you'll obviously want to change that immediately. It probably won't hurt to to an update immediately, too:
aptitude update aptitude safe-upgrade
So far, the MINIBIAN install by far doesn't use the entire SD card. This can easily be changed via the raspi-config utility, which is *not* part of the MINIBIAN install. It is thus a good idea to add it now:
aptitude install raspi-config
If you now call that utility, the very first option provides you with the possibility of expanding the filesystem. Select it, it will do its magic, and tell you the root filesystem will be enlarged at the next reboot. Go to “finish”, and opt for rebooting immediately. It may take a little while to become accessible again via SSH, don't panic!
You can now log back in, have a look around and see what packages are installed, which services are already running etc.
Instead of working with the root account, you should define your own user(s), and disable at least root access by SSH. To define your user and set a password:
useradd -c "Firstname Lastname" -m -s /bin/bash username passwd username
To disable root access via ssh, edit /etc/ssh/sshd_config and change the setting for PermitRootLogin from yes to no. Restart the ssh daemon:
/etc/init.d/ssh restart
Don't worry, you won't lose your current ssh session. You can in parallel open another session with your newly created username. To then become root, use
su -
You may want to install sudo:
aptitude install sudo
and give sudo rights to your normal account (as is default in Ubuntu). In /etc/sudoers, you may define that users belonging to the admin group may do anything as root:
%admin ALL=(ALL) ALL
Of course, you'll have to add a group admin and add your normal account to that group:
groupadd admin adduser youruser admin
Verify the result in /etc/group and try using sudo from “youruser”.
Note: by default, sudoers already defines such an admin group with name “sudo”, which also is defined in /etc/group. Thus, it suffices to add your user to the “sudo” group.
Also, to mitigate systematic attacks against your SSH server, install fail2ban (and optionally denyhosts):
aptitude install fail2ban denyhosts