(**) Translated with www.DeepL.com/Translator
[ LEVEL ] Beginner
This procedure allows the installation of a Linux DEBIAN system on a Raspberry PI or Rock64 unit.
Other distributions can be used, but they are not covered by this documentation (Debian forever :-) ).
Prerequisites
To perform this operation you must:
- have an Internet connection
- have a computer with a Linux operating system (the use of Windows or Macos is not covered in this documentation)
- have an SD card reader
- have a Raspberry Pi or Rock64 unit
- know how to execute a command in a Linux console
- be logged in as “root” on the console; sudo users, type:
sudo bash
Downloading the bootable image
Choose official bootable images, maintained by the Debian organization or the RaspberryPI Foundation. An “unofficial” image can carry backdoors and viruses of all kinds.
The official website for Debian is here, the RaspberryPI Foundation website here
From a console use the “wget” command to download the iso image:
wget [URL of the iso image]
Raspberry PI
Download a minimal image that will only implement what is necessary to start a unit.
Raspberry PI - RaspberryPI Foundation
Go to the page. Download the LITE version.
Raspberry PI - DEBIAN Organization
Official documentation: follow the procedure
Rock64
I use the Armbian distribution, go to the page. Download the “Buster Server” version
Manipulation after downloading
Downloaded files are generally compressed, so they cannot be used as they are.
The downloaded file ends with “img”
Nothing to do
The downloaded file ends with “iso”
Nothing to do
The downloaded file ends with “zip”
Install the “unzip” package
apt-get -y install unzip
Unzip the archive
unzip [name of the downloaded file]
The downloaded file ends with “7z”
Install the “p7zip” package
apt-get -y install p7zip
Unzip the archive
p7zip -d [name of the downloaded file]
The downloaded file ends with “tar.gz”
Install the “tar” and “gzip” packages
apt-get -y install tar gzip
Unzip the archive
tar xvf [name of the downloaded file]
The downloaded file ends with “.gz”
Install the “gzip” package
apt-get -y install gzip
Unzip the archive
gzip -d [name of the downloaded file]
After decompression
It is quite possible that the decompression operation has created a new directory, which contains an “img” or “iso” file. In this case, move to this directory:
cd [name of the new directory]
Copying the image to the SD card
Insert an SD card of at least 16GB, in order to have some space to work.
CAUTION: If this card contains data, after this operation, the data will be permanently lost.
To easily find the name of this device, use the dmesg command:
# Open a command window (terminal)
# Insert the SD card
# type:
dmesg
[131875.354612] mmc0: new SD card at address 0001
[131875.355265] mmcblk0: mmc0:0001 16GB 16 GiB
In my case it is the device “mmcblk0”, accessible through the file “/dev/mmcblk0”.
# in the directory of the downloaded image, type :
ls
# lists the files in this directory, locate the image file previously downloaded
# copy of the image on the SD card - use of the dd command
# dd if=[name of the downloaded image file] of=/dev/[device SD card obtained with dmesg] bs=4096 status=progress
# dd : command
# if : source
# of : destination
# bs : number of bytes read and written at once (block size)
# status=progress: allows you to display the progress of the copy
# Example: the file contained in the downloaded archive is named Armbian_5.98_Rock64_Debian_buster_default_4.4.192_minimal.img
# my device SD card : /dev/mmcblk0
dd if=Armbian_5.98_Rock64_Debian_buster_default_4.4.192_minimal.img of=/dev/mmcblk0 bs=4096 status=progress
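The advice to use only official images and the dd step above can be combined into one guarded write. This is an added example, not part of the original procedure: the function names are hypothetical, and the expected SHA-256 is assumed to be the value published with the image on the official download page.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not from the original page.

# Succeeds only if the SHA-256 of image $1 equals the published value $2.
check_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Succeeds only if $1 is a block device with nothing mounted from it.
safe_target() {
    [ -b "$1" ] || { echo "$1 is not a block device" >&2; return 1; }
    if grep -q "^$1" /proc/mounts; then
        echo "$1 has mounted partitions, unmount them first" >&2
        return 1
    fi
}

# Succeeds only if the first <image size> bytes of $2 are identical to $1.
verify_copy() {
    size=$(($(wc -c < "$1")))
    cmp -s -n "$size" "$1" "$2"
}

# usage: write_image IMAGE DEVICE EXPECTED_SHA256   (run as root)
write_image() {
    check_sha256 "$1" "$3" || { echo "checksum mismatch, not writing" >&2; return 1; }
    safe_target "$2" || return 1
    # conv=fsync makes dd flush to the card before it reports success;
    # bs=4M instead of the page's 4096 only speeds up the copy
    dd if="$1" of="$2" bs=4M conv=fsync status=progress || return 1
    # drop cached blocks so the comparison reads from the card itself
    blockdev --flushbufs "$2"
    verify_copy "$1" "$2" || { echo "read-back differs from image" >&2; return 1; }
    echo "image written and verified"
}
```

Source the file and call write_image with the image name, the device found with dmesg and the published checksum. Storing that checksum with the retained image lets a later audit confirm the file is unchanged.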
System startup
Insert the SD card into the unit. If you have a display, connect it and a keyboard to the unit. Power it on, and off you go… If you do not have a display or keyboard, you must connect the unit to the network (RJ45 cable). The unit will start, obtain a network address and be reachable with the “ssh” command.
System connection
If you have a screen and keyboard, no problem: the screen displays “login:”.
For network use, you must know the IP address assigned to the system. I don’t have a miracle solution: you can use a network scanner (nmap), or connect to the router that provides the DHCP service. This service is responsible for distributing IP addresses on the network and keeps a record of them.
To detect the machine with a network scanner, from your PC connected to the local network, install the “nmap” package
apt-get -y install nmap
Detect the network on which you are connected:
ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether b9:ca:cf:fd:0b:3f brd ff:ff:ff:ff:ff:ff
inet 192.168.10.124/24 brd 192.168.10.255 scope global dynamic noprefixroute eth0
valid_lft 72589sec preferred_lft 72589sec
My network card is eth0 and it is connected; it has the IP address 192.168.10.124 with a /24 mask (255.255.255.0). Applying the mask gives my network, 192.168.10.0. I will scan port 22 (ssh) on this network with the nmap command, replacing the last 0 with “*”:
nmap -p 22 192.168.10.*
Nmap scan report for 192.168.10.126
Host is up (0.00049s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: b3:0d:f8:e0:18:18 (Raspberry Pi Foundation)
The scanner has found a Raspberry Pi unit.
Example for a rock64; nmap does not recognize the type:
Nmap scan report for 192.168.10.126
Host is up (0.00073s latency).
PORT STATE SERVICE
22/tcp open ssh
MAC Address: b3:0d:f8:e0:18:18 (Unknown)
Authentication
Downloaded images come with a default account and password. For Raspbian (Raspberry PI) the account is “pi” and the password is “raspberry”. For the Armbian distribution (Rock64) the account is “root” and the password is “1234”.
With a screen/keyboard
Type the account name, press Enter, then type the password and press Enter.
Through the network
Use the “ssh [IP Address]” command, example:
ssh 192.168.10.126
# Accept the fingerprint and use the default account/password
Post-connection
The first thing to do is to change the password of the login account: “pi” for Raspberry, “root” for rock64. Use the “apg” password generator:
apt-get -y install apg
apg
QuanhaverOv0 (SEMICOLON-Quan-hav-er-Ov-ZERO)
5Gryptaphod| (FIVE-Grypt-aph-od-VERTICAL_BAR)
Be=slyes5 (Be-EQUAL_SIGN-slyes-FIVE)
AkCawf\OsOc6 (Ak-Cawf-BACKSLASH-Os-Os-Oc-SIX)
CribMiph5od] (Crib-Miph-FIVE-od-od-RIGHT_BRACKET)
orth5Ov4og[ (orth-FIVE-Ov-FOUR-og-LEFT_BRACKET)
Choose and remember one of the proposed passwords and execute the “passwd” command:
passwd [enter]
Enter new UNIX password:[type password enter]
Retype new UNIX password:[type password enter]
passwd: password updated successfully
You can check accounts that have a password:
cat /etc/shadow
root:$6$gHcL4KU]xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.n9bALxIHOU2ND.:18183:0:99999:7:::
daemon:*:18183:0:99999:7:::
bin:*:18183:0:99999:7:::
sys:*:18183:0:99999:7:::
sync:*:18183:0:99999:7:::
games:*:18183:0:99999:7:::
man:*:18183:0:99999:7:::
lp:*:18183:0:99999:7:::
mail:*:18183:0:99999:7:::
news:*:18183:0:99999:7:::
uucp:*:18183:0:99999:7:::
Here, only the “root” account has a password, so only “root” can connect to this system. It is impossible to connect to a DEBIAN server, with an account that does not have a password.
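The same check can be scripted so that every account is classified by its password field, including the case of an empty field, which the listing above does not show. This is an added example, not part of the original page; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample data are constructed.

# Classify each account of a shadow-format file by its password field.
audit_shadow() {
    awk -F: '
        NF < 2        { next }                                # malformed line
        $2 == ""      { print $1 ": EMPTY (no password required)"; next }
        $2 ~ /^[!*]/  { print $1 ": locked"; next }           # "*", "!" or "!hash"
        $2 ~ /^\$/    { print $1 ": password set"; next }     # $id$salt$hash
                      { print $1 ": legacy or unrecognised field" }
    ' "$1"
}

# Names of the accounts that are not locked.
password_accounts() {
    audit_shadow "$1" | awk -F': ' '$2 != "locked" { print $1 }'
}

# Constructed sample in /etc/shadow format (not real hashes).
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$constructedsalt$constructedhash:18183:0:99999:7:::
daemon:*:18183:0:99999:7:::
backup:!:18183:0:99999:7:::
guest::18183:0:99999:7:::
EOF

audit_shadow "$sample"
```

On a real system, run audit_shadow /etc/shadow as root; any account reported as EMPTY should be given a password or locked.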
Installation of packages
Your system has the minimum: you can practice using commands, list the contents of a directory, create files, etc. This documentation does not cover this learning. For the uninitiated, I advise reading the Debian Administrator’s Handbook.
Retention of the downloaded image
If the system starts normally, keep the downloaded image carefully. We will see that this image may be necessary for a complete restoration of the system from the BackupPC backup software (see the data security section). This image can also be used later for a security audit: some backdoors and viruses are detected long after they were put in place. This will allow you to know more quickly how long your system has been compromised, and to better assess the impact of the incident.
We will also see that keeping this image is useful when setting up automated server installations with network boot.