Bring Raspberry Pi OS up to date and configure SSH securely to build a well-prepared environment.
Updating Raspberry Pi OS
Updating packages
Update the installed packages.
$ sudo apt-get -y update
Hit:1 http://deb.debian.org/debian bookworm InRelease
Get:2 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:3 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:4 http://deb.debian.org/debian-security bookworm-security/main armhf Packages [215 kB]
Get:5 http://deb.debian.org/debian-security bookworm-security/main arm64 Packages [212 kB]
Get:6 http://deb.debian.org/debian-security bookworm-security/main Translation-en [130 kB]
Get:7 http://deb.debian.org/debian bookworm-updates/main armhf Packages [8,292 B]
Get:8 http://deb.debian.org/debian bookworm-updates/main arm64 Packages [8,844 B]
Get:9 http://deb.debian.org/debian bookworm-updates/main Translation-en [8,248 B]
Get:10 http://archive.raspberrypi.com/debian bookworm InRelease [39.3 kB]
Get:11 http://archive.raspberrypi.com/debian bookworm/main arm64 Packages [518 kB]
Get:12 http://archive.raspberrypi.com/debian bookworm/main armhf Packages [547 kB]
Fetched 1,790 kB in 3s (532 kB/s)
Reading package lists... Done
$ sudo apt-get -y dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following NEW packages will be installed:
linux-headers-6.6.62+rpt-common-rpi linux-headers-6.6.62+rpt-rpi-2712 linux-headers-6.6.62+rpt-rpi-v8 linux-image-6.6.62+rpt-rpi-2712
linux-image-6.6.62+rpt-rpi-v8 linux-kbuild-6.6.62+rpt
The following packages will be upgraded:
initramfs-tools initramfs-tools-core libcamera-ipa libcamera0.3 linux-headers-rpi-2712 linux-headers-rpi-v8 linux-image-rpi-2712 linux-image-rpi-v8
linux-libc-dev raspberrypi-net-mods raspberrypi-sys-mods raspi-config raspi-firmware rpi-eeprom rpicam-apps-lite tzdata
16 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 95.0 MB of archives.
After this operation, 114 MB of additional disk space will be used.
Get:1 http://deb.debian.org/debian bookworm-updates/main arm64 tzdata all 2024b-0+deb12u1 [298 kB]
Get:2 http://archive.raspberrypi.com/debian bookworm/main arm64 raspi-firmware all 1:1.20241126-1 [12.8 MB]
Get:3 http://archive.raspberrypi.com/debian bookworm/main arm64 initramfs-tools all 0.142+rpt2+deb12u1 [17.1 kB]
Get:4 http://archive.raspberrypi.com/debian bookworm/main arm64 initramfs-tools-core all 0.142+rpt2+deb12u1 [53.1 kB]
Get:5 http://archive.raspberrypi.com/debian bookworm/main arm64 libcamera0.3 arm64 0.3.2+rpt20241119-1 [815 kB]
Get:6 http://archive.raspberrypi.com/debian bookworm/main arm64 libcamera-ipa arm64 0.3.2+rpt20241119-1 [1,071 kB]
Get:7 http://archive.raspberrypi.com/debian bookworm/main arm64 linux-headers-6.6.62+rpt-common-rpi all 1:6.6.62-1+rpt1 [8,236 kB]
Get:8 http://archive.raspberrypi.com/debian bookworm/main arm64 linux-image-6.6.62+rpt-rpi-2712 arm64 1:6.6.62-1+rpt1 [29.7 MB]
Get:9 http://archive.raspberrypi.com/debian bookworm/main arm64 linux-kbuild-6.6.62+rpt arm64 1:6.6.62-1+rpt1 [1,013 kB]
Get:10 http://archive.raspberrypi.com/debian bookworm/main arm64 linux-headers-6.6.62+rpt-rpi-2712 arm64 1:6.6.62-1+rpt1 [1,130 kB]
Get:11 http://archive.raspberrypi.com/debian bookworm/main arm64 linux-image-6.6.62+rpt-rpi-v8 arm64 1:6.6.62-1+rpt1 [29.7 MB]
Get:12 http://archive.raspberrypi.com/debian bookworm/main arm64 linux-headers-6.6.62+rpt-rpi-v8 arm64 1:6.6.62-1+rpt1 [1,130 kB]
Get:13 http://archive.raspberrypi.com/debian bookworm/main arm64 linux-headers-rpi-2712 arm64 1:6.6.62-1+rpt1 [1,160 B]
Get:14 http://archive.raspberrypi.com/debian bookworm/main arm64 linux-headers-rpi-v8 arm64 1:6.6.62-1+rpt1 [1,156 B]
Get:15 http://archive.raspberrypi.com/debian bookworm/main arm64 linux-image-rpi-2712 arm64 1:6.6.62-1+rpt1 [1,420 B]
Get:16 http://archive.raspberrypi.com/debian bookworm/main arm64 linux-image-rpi-v8 arm64 1:6.6.62-1+rpt1 [1,424 B]
Get:17 http://archive.raspberrypi.com/debian bookworm/main arm64 linux-libc-dev all 1:6.6.62-1+rpt1 [2,057 kB]
Get:18 http://archive.raspberrypi.com/debian bookworm/main arm64 raspi-config all 20241202 [35.5 kB]
Get:19 http://archive.raspberrypi.com/debian bookworm/main arm64 raspberrypi-net-mods all 1.4.3 [2,272 B]
Get:20 http://archive.raspberrypi.com/debian bookworm/main arm64 raspberrypi-sys-mods arm64 20241202 [22.0 kB]
Get:21 http://archive.raspberrypi.com/debian bookworm/main arm64 rpi-eeprom all 26.5-1 [6,454 kB]
Get:22 http://archive.raspberrypi.com/debian bookworm/main arm64 rpicam-apps-lite arm64 1.5.3-1 [490 kB]
Fetched 95.0 MB in 14s (6,841 kB/s)
apt-listchanges: Reading changelogs...
Preconfiguring packages ...
(Reading database ... 58491 files and directories currently installed.)
Preparing to unpack .../00-raspi-firmware_1%3a1.20241126-1_all.deb ...
Unpacking raspi-firmware (1:1.20241126-1) over (1:1.20240924-2) ...
Preparing to unpack .../01-tzdata_2024b-0+deb12u1_all.deb ...
Unpacking tzdata (2024b-0+deb12u1) over (2024a-0+deb12u1) ...
Preparing to unpack .../02-initramfs-tools_0.142+rpt2+deb12u1_all.deb ...
Unpacking initramfs-tools (0.142+rpt2+deb12u1) over (0.142+rpt1+deb12u1) ...
Preparing to unpack .../03-initramfs-tools-core_0.142+rpt2+deb12u1_all.deb ...
Unpacking initramfs-tools-core (0.142+rpt2+deb12u1) over (0.142+rpt1+deb12u1) ...
Preparing to unpack .../04-libcamera0.3_0.3.2+rpt20241119-1_arm64.deb ...
・
・
・
$ sudo apt-get -y autoremove
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
$ sudo apt-get autoclean
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
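Updating the Linux kernel
Note that you will need to enter "y" partway through, at the prompt that follows rpi-update's own warning that it should not be part of a regular update process.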
$ sudo rpi-update
*** Raspberry Pi firmware updater by Hexxeh, enhanced by AndrewS and Dom
*** Performing self-update
*** Relaunching after update
*** Raspberry Pi firmware updater by Hexxeh, enhanced by AndrewS and Dom
FW_REV:e4c86cd7b1a1291368ac0d2aaa3534a1d6beb3d5
BOOTLOADER_REV:f02f0eaf4e681a618fad55e5cc09d4306a82ac47
WANT_32BIT:0 WANT_64BIT:1 WANT_PI4:1 WANT_PI5:1
##############################################################
WARNING: This update bumps to rpi-6.6.y linux tree
See: https://forums.raspberrypi.com/viewtopic.php?p=2191175
'rpi-update' should only be used if there is a specific
reason to do so - for example, a request by a Raspberry Pi
engineer or if you want to help the testing effort
and are comfortable with restoring if there are regressions.
DO NOT use 'rpi-update' as part of a regular update process.
##############################################################
Would you like to proceed? (y/N) <== enter y
Downloading bootloader tools
Downloading bootloader images
*** Downloading specific firmware revision (this will take a few minutes)
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 145M 0 145M 0 0 10.6M 0 --:--:-- 0:00:13 --:--:-- 11.0M
*** PREPARING EEPROM UPDATES ***
BOOTLOADER: update available
CURRENT: Sat 7 Dec 12:42:23 UTC 2024 (1733575343)
LATEST: Thu 19 Dec 11:57:13 UTC 2024 (1734609433)
RELEASE: latest (/lib/firmware/raspberrypi/bootloader-2712/latest)
Use raspi-config to change the release.
CURRENT: Sat 7 Dec 12:42:23 UTC 2024 (1733575343)
UPDATE: Thu 19 Dec 11:57:13 UTC 2024 (1734609433)
BOOTFS: /boot/firmware
'/tmp/tmp.TovvHSTE3Y' -> '/boot/firmware/pieeprom.upd'
UPDATING bootloader. This could take up to a minute. Please wait
*** Do not disconnect the power until the update is complete ***
If a problem occurs then the Raspberry Pi Imager may be used to create
a bootloader rescue SD card image which restores the default bootloader image.
flashrom -p linux_spi:dev=/dev/spidev10.0,spispeed=16000 -w /boot/firmware/pieeprom.upd
Verifying update
VERIFY: SUCCESS
UPDATE SUCCESSFUL
*** Updating firmware
*** Updating kernel modules
*** depmod 6.6.69-v8-16k+
*** depmod 6.6.69-v8+
*** Updating VideoCore libraries
*** Running ldconfig
*** Storing current firmware revision
*** Deleting downloaded files
*** Syncing changes to disk
*** If no errors appeared, your firmware was successfully updated to e4c86cd7b1a1291368ac0d2aaa3534a1d6beb3d5
*** A reboot is needed to activate the new firmware
Now reboot the system.
$ sudo reboot
To check the version of the updated OS, run:
$ vcgencmd version
2024/12/07 12:42:23
Copyright (c) 2012 Broadcom
version 3858f977 (release) (embedded)
Strengthening and tidying up SSH security
Regenerating the SSH host keys
$ sudo rm -v /etc/ssh/ssh_host*
removed '/etc/ssh/ssh_host_ecdsa_key'
removed '/etc/ssh/ssh_host_ecdsa_key.pub'
removed '/etc/ssh/ssh_host_ed25519_key'
removed '/etc/ssh/ssh_host_ed25519_key.pub'
removed '/etc/ssh/ssh_host_rsa_key'
removed '/etc/ssh/ssh_host_rsa_key.pub'
$ sudo dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:cwRGQfrrHzzn6Xas321YKQP6xPXvNp+3hA9ffAYH6PY root@raspberrypi (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:qoUIfraTob89H0f2yuA0OUC4UCJn/BBiui6Ro84JJ74 root@raspberrypi (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:P8XNrLR+Koa2+dUpCkhupKKVd9McKM+Xz8p84sQTGp4 root@raspberrypi (ED25519)
rescue-ssh.target is a disabled or a static unit not running, not starting it.
ssh.socket is a disabled or a static unit not running, not starting it.
Changing the SSH configuration
Open the configuration file and change the settings.
$ sudo vi /etc/ssh/sshd_config

ももぶろ
For a super-simple guide to using vi, take a look here.
If a line is already defined, change its contents; if it is not there, add the line.
Lines that begin with # are comments, so you do not need to add them.
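####################
# Faster login
####################
# Restrict to IPv4
AddressFamily inet
# If a host line exists, comment it out
#host *
# Do not use GSSAPIAuthentication
GSSAPIAuthentication no
#########################
# SSH security settings
#########################
# Do not allow root to log in over SSH
PermitRootLogin no
# Grace time between opening the session and completing login, in seconds (the OpenSSH default is 120)
LoginGraceTime 30
# Number of authentication attempts allowed before the connection is dropped
MaxAuthTries 3
# Allow only SSH protocol version 2 (OpenSSH 7.4 and later support only version 2)
Protocol 2
#########################
# Add this if only specific users should be allowed to connect
#########################
#AllowUsers newuser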

ももぶろ
For the user allowed to connect, specify the new user you created earlier.
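Checking that the settings are correct
Use the command below to check that the settings are correct.
$ sudo sshd -t <= nothing is displayed if the settings are correct.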
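sshd -t only validates the file; it does not show which value takes effect when a keyword appears twice, and sshd_config uses the first value it reads for each keyword. The following added example (not part of the original article) audits a config file against the values set above; the function names and the sample file are constructed for illustration, and Include files and Keyword=value syntax are not handled.

```shell
# Added example: sshd_config is first-match-wins, so a line appended below
# an existing definition of the same keyword is silently ignored.

# Print the first global (pre-"Match") value of keyword $2 in file $1.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == want { print $2; exit }  # first occurrence wins
    ' "$1"
}

# Compare file $1 against the values used in the article.
# Prints one line per keyword; the return status is the mismatch count.
audit_sshd_config() {
    bad=0
    while read -r key expected; do
        actual=$(effective_value "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "OK    $key $actual"
        else
            echo "FAIL  $key wanted=$expected effective=${actual:-<unset>}"
            bad=$((bad + 1))
        fi
    done <<EOF
AddressFamily inet
GSSAPIAuthentication no
PermitRootLogin no
LoginGraceTime 30
MaxAuthTries 3
EOF
    return "$bad"
}

# Constructed sample: PermitRootLogin was appended instead of edited in place.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample, not a real system file
PermitRootLogin yes
AddressFamily inet
GSSAPIAuthentication no
LoginGraceTime 30
MaxAuthTries 3
PermitRootLogin no
EOF
audit_sshd_config "$sample" || echo "mismatches: $?"
```

On the Raspberry Pi itself, sudo sshd -T prints the effective configuration, including anything pulled in from /etc/ssh/sshd_config.d/, and is the authoritative check.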
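Restarting the SSH service
Use the command below to restart the SSH service.
$ sudo systemctl restart sshd.service <= nothing is displayed if it runs correctly.
After that, if you can log in over SSH (Teraterm), everything is fine.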

ももぶろ
With this, security for the server on its own is taken care of.