Bring Raspberry Pi OS fully up to date and harden the SSH configuration to build a solid environment.
Raspberry Pi OS update
Updating packages
Update the installed packages.
$ sudo apt-get -y update
Hit:1 http://deb.debian.org/debian trixie InRelease
Get:2 http://deb.debian.org/debian trixie-updates InRelease [47.3 kB]
Hit:3 http://deb.debian.org/debian-security trixie-security InRelease
Hit:4 http://archive.raspberrypi.com/debian trixie InRelease
Fetched 47.3 kB in 1s (86.1 kB/s)
$ sudo apt-get -y dist-upgrade
Reading package lists... Done
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
libngtcp2-16 libngtcp2-crypto-gnutls8 libntfs-3g89t64 ntfs-3g
4 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 678 kB of archives.
After this operation, 0 B of additional disk space will be used.
Get:1 http://deb.debian.org/debian-security trixie-security/main arm64 libngtcp2-16 arm64 1.11.0-1+deb13u1 [121 kB]
Get:2 http://deb.debian.org/debian-security trixie-security/main arm64 libngtcp2-crypto-gnutls8 arm64 1.11.0-1+deb13u1 [28.4 kB]
Get:3 http://deb.debian.org/debian-security trixie-security/main arm64 ntfs-3g arm64 1:2022.10.3-5+deb13u1 [377 kB]
Get:4 http://deb.debian.org/debian-security trixie-security/main arm64 libntfs-3g89t64 arm64 1:2022.10.3-5+deb13u1 [151 kB]
Fetched 678 kB in 0s (7,359 kB/s)
apt-listchanges: Reading changelogs...
(Reading database ... 68766 files and directories currently installed.)
Preparing to unpack .../libngtcp2-16_1.11.0-1+deb13u1_arm64.deb ...
Unpacking libngtcp2-16:arm64 (1.11.0-1+deb13u1) over (1.11.0-1) ...
Preparing to unpack .../libngtcp2-crypto-gnutls8_1.11.0-1+deb13u1_arm64.deb ...
Unpacking libngtcp2-crypto-gnutls8:arm64 (1.11.0-1+deb13u1) over (1.11.0-1) ...
Preparing to unpack .../ntfs-3g_1%3a2022.10.3-5+deb13u1_arm64.deb ...
Unpacking ntfs-3g (1:2022.10.3-5+deb13u1) over (1:2022.10.3-5) ...
Preparing to unpack .../libntfs-3g89t64_1%3a2022.10.3-5+deb13u1_arm64.deb ...
Adding 'diversion of /lib/aarch64-linux-gnu/libntfs-3g.so.89 to /lib/aarch64-linux-gnu/libntfs-3g.so.89.usr-is-merged by libntfs-3g89t64'
Adding 'diversion of /lib/aarch64-linux-gnu/libntfs-3g.so.89.0.0 to /lib/aarch64-linux-gnu/libntfs-3g.so.89.0.0.usr-is-merged by libntfs-3g89t64'
Unpacking libntfs-3g89t64:arm64 (1:2022.10.3-5+deb13u1) over (1:2022.10.3-5) ...
Setting up libntfs-3g89t64:arm64 (1:2022.10.3-5+deb13u1) ...
Removing 'diversion of /lib/aarch64-linux-gnu/libntfs-3g.so.89 to /lib/aarch64-linux-gnu/libntfs-3g.so.89.usr-is-merged by libntfs-3g89t64'
Removing 'diversion of /lib/aarch64-linux-gnu/libntfs-3g.so.89.0.0 to /lib/aarch64-linux-gnu/libntfs-3g.so.89.0.0.usr-is-merged by libntfs-3g89t64'
Setting up ntfs-3g (1:2022.10.3-5+deb13u1) ...
Setting up libngtcp2-16:arm64 (1.11.0-1+deb13u1) ...
Setting up libngtcp2-crypto-gnutls8:arm64 (1.11.0-1+deb13u1) ...
Processing triggers for libc-bin (2.41-12+rpt1+deb13u2) ...
Processing triggers for man-db (2.13.1-1) ...
Processing triggers for initramfs-tools (0.148.3+rpt2) ...
update-initramfs: Generating /boot/initrd.img-6.12.75+rpt-rpi-v8
'/boot/initrd.img-6.12.75+rpt-rpi-v8' -> '/boot/firmware/initramfs8'
update-initramfs: Generating /boot/initrd.img-6.12.75+rpt-rpi-2712
'/boot/initrd.img-6.12.75+rpt-rpi-2712' -> '/boot/firmware/initramfs_2712'
$ sudo apt-get -y autoremove
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
$ sudo apt-get autoclean
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Updating the Linux kernel
Note that you will need to enter "y" partway through.
$ sudo rpi-update
*** Raspberry Pi firmware updater by Hexxeh, enhanced by AndrewS and Dom
*** Performing self-update
*** Relaunching after update
*** Raspberry Pi firmware updater by Hexxeh, enhanced by AndrewS and Dom
FW_REV:f8bb3ca912435b6b4f8e310379a80761a3748058
BOOTLOADER_REV:1249dd937d06bbff58da60e8c69985a403be04ec
*** We're running for the first time
*** Backing up files (this will take a few minutes)
*** Backing up firmware
*** Backing up modules 6.12.75+rpt-rpi-2712
WANT_32BIT:0 WANT_64BIT:1 WANT_64BIT_RT:0 WANT_PI4:1 WANT_PI5:1
Updating a system with initramfs configured is not supported by rpi-update.
If your system relies on drivers provided by the initramfs (e.g. custom filesystem options)
it may not boot without regenerating the initramfs.
If you are unsure, test if your system boots with initramfs options disabled from config.txt
Would you like to proceed? (y/N) <= enter y
##############################################################
WARNING: This update bumps to rpi-6.18.y linux tree
This update will install from the 'next' firmware branch.
See discussions at:
https://forums.raspberrypi.com/viewtopic.php?t=394580
##############################################################
Would you like to proceed? (y/N) <= enter y
Downloading bootloader tools
Downloading bootloader images
*** Downloading specific firmware revision (this will take a few minutes)
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 166M 0 166M 0 0 21.1M 0 --:--:-- 0:00:07 --:--:-- 20.4M
*** PREPARING EEPROM UPDATES ***
BOOTLOADER: update available
CURRENT: Mon 23 Feb 10:01:39 UTC 2026 (1771840899)
LATEST: Thu 30 Apr 12:21:23 UTC 2026 (1777551683)
RELEASE: latest (/usr/lib/firmware/raspberrypi/bootloader-2712/latest)
Use raspi-config to change the release.
CURRENT: Mon 23 Feb 10:01:39 UTC 2026 (1771840899)
UPDATE: Thu 30 Apr 12:21:23 UTC 2026 (1777551683)
BOOTFS: /boot/firmware
'/tmp/tmp.nDEu4RWjzg' -> '/boot/firmware/pieeprom.upd'
UPDATING bootloader. This could take up to a minute. Please wait
*** Do not disconnect the power until the update is complete ***
If a problem occurs then the Raspberry Pi Imager may be used to create
a bootloader rescue SD card image which restores the default bootloader image.
flashrom -p linux_spi:dev=/dev/spidev10.0,spispeed=16000 -w /boot/firmware/pieeprom.upd
Verifying update
VERIFY: SUCCESS
UPDATE SUCCESSFUL
*** Updating firmware
*** Updating kernel modules
*** depmod 6.18.26-v8-rt+
*** depmod 6.18.26-v8-16k+
*** depmod 6.18.26-v8+
*** Updating VideoCore libraries
*** Running ldconfig
*** Storing current firmware revision
*** Deleting downloaded files
*** Syncing changes to disk
*** If no errors appeared, your firmware was successfully updated to f8bb3ca912435b6b4f8e310379a80761a3748058
*** A reboot is needed to activate the new firmware
Reboot the system.
$ sudo reboot
To check the version of the updated OS:
$ vcgencmd version
2026/04/30 13:21:23
Copyright (c) 2012 Broadcom
version 1a17f6cb (release) (embedded)
Strengthening and tidying up SSH security
Regenerating the SSH host keys
$ sudo rm -v /etc/ssh/ssh_host*
removed '/etc/ssh/ssh_host_ecdsa_key'
removed '/etc/ssh/ssh_host_ecdsa_key.pub'
removed '/etc/ssh/ssh_host_ed25519_key'
removed '/etc/ssh/ssh_host_ed25519_key.pub'
removed '/etc/ssh/ssh_host_rsa_key'
removed '/etc/ssh/ssh_host_rsa_key.pub'
$ sudo dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:wxOCpArjng3j344eRqQ6crJ3moPYgBX41iCR/yiPiC8 root@raspberrypi5 (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:UmhCFfB4Vv0NVREJHfx7D3O+PY9b7TdD5XCoogkL7pM root@raspberrypi5 (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:jZlsqxRpWNCUi7g3iVpXNgx4RQ4zd1iZVhUg8djuqKg root@raspberrypi5 (ED25519)
ssh.socket is a disabled or a static unit not running, not starting it.
Changing the SSH configuration
Open the configuration file and change the settings.
$ sudo vi /etc/ssh/sshd_config

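Momoburo
For a super-simple guide to using vi, see here.
If a line is already defined, change its value; if it is missing, add the line.
Lines that begin with # are comments, so you do not need to add them.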
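####################
# Faster login
####################
# Restrict to IPv4
AddressFamily inet
# If a host line exists, comment it out
#host *
# Do not use GSSAPIAuthentication
GSSAPIAuthentication no
#########################
# SSH security settings
#########################
# Prevent root from logging in over SSH
PermitRootLogin no
# Grace time in seconds from connection to completed login (30 is shorter than the sshd default of 120)
LoginGraceTime 30
# Set the number of authentication retries, after which the connection is dropped
MaxAuthTries 3
# Permit SSH protocol version 2 only (the only version current OpenSSH implements)
Protocol 2
#########################
# Add this if there are users who should be allowed to connect
#########################
#AllowUsers newuser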

Momoburo
For the user allowed to connect, specify the new user you created earlier.
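Checking that the configuration is valid
Use the command below to check that the configuration is valid.
$ sudo sshd -t <= prints nothing when the configuration is valid.
Restarting the SSH service
Use the command below to restart the SSH service.
$ sudo systemctl restart sshd.service <= prints nothing when it runs successfully.
After that, if you can log in over SSH (Tera Term), everything is fine.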
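sshd -t only checks syntax. As an added example (not part of the original article), the script below compares the effective settings printed by sshd -T with the values set in sshd_config above. The function names audit_sshd and sample_weak and the sample input are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the original page): compare effective sshd settings
# with the values this page puts in /etc/ssh/sshd_config.
# On the Pi itself:  sudo sshd -T | audit_sshd

# Expected keyword=value pairs, lowercase as printed by `sshd -T`.
EXPECTED='addressfamily=inet gssapiauthentication=no permitrootlogin=no logingracetime=30 maxauthtries=3'

# audit_sshd: read `sshd -T` style output on stdin, report each expected
# setting, and return the number that are missing or different.
audit_sshd() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pairs, " ")
            for (i = 1; i <= n; i++) {
                split(pairs[i], kv, "=")
                order[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        {
            key = tolower($1)
            # Keep the first occurrence of each keyword of interest.
            if ((key in want) && !(key in got)) got[key] = $2
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in got)) { printf "MISSING %s (want %s)\n", k, want[k]; bad++ }
                else if (got[k] != want[k]) { printf "DIFFERS %s=%s (want %s)\n", k, got[k], want[k]; bad++ }
                else printf "OK      %s=%s\n", k, got[k]
            }
            exit bad
        }'
}

# Constructed sample input: excerpt in `sshd -T` format with three weak values.
sample_weak() {
    printf '%s\n' 'port 22' 'addressfamily inet' 'logingracetime 120' \
        'permitrootlogin yes' 'maxauthtries 6' 'gssapiauthentication no'
}

# Demo on the constructed sample; prints the report and the mismatch count.
sample_weak | audit_sshd || echo "$? setting(s) differ from the page's values"
```

Run it from a second terminal while the current SSH session stays open, so a bad setting can still be corrected.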

Momoburo
That takes care of security for the server itself.

