6. Basic Raspberry Pi OS configuration


Bring Raspberry Pi OS up to date and apply a secure SSH configuration to build a solid environment.

Raspberry Pi OS update

Package update

Update the installed packages.

$ sudo apt-get -y update
Hit:1 http://deb.debian.org/debian trixie InRelease
Get:2 http://deb.debian.org/debian trixie-updates InRelease [47.3 kB]
Get:3 http://deb.debian.org/debian-security trixie-security InRelease [43.4 kB]
Get:4 http://deb.debian.org/debian-security trixie-security/main armhf Packages [51.8 kB]
Get:5 http://deb.debian.org/debian-security trixie-security/main arm64 Packages [54.5 kB]
Get:6 http://deb.debian.org/debian-security trixie-security/main Translation-en [35.9 kB]
Get:7 http://archive.raspberrypi.com/debian trixie InRelease [54.7 kB]
Get:8 http://archive.raspberrypi.com/debian trixie/main arm64 Packages [351 kB]
Get:9 http://archive.raspberrypi.com/debian trixie/main armhf Packages [351 kB]
Fetched 989 kB in 3s (335 kB/s)
Reading package lists... Done
$ sudo apt-get -y dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  libyuv0
Use 'sudo apt autoremove' to remove it.
The following packages will be upgraded:
  bluez-firmware libcamera-ipa libcamera0.5 libdtovl0 libgpiolib0 libpisp-common libpisp1 librpicam-app1 libssl3t64 libtiff6 openssl openssl-provider-legacy raspberrypi-sys-mods raspi-utils raspi-utils-core raspi-utils-dt
  raspi-utils-eeprom raspi-utils-otp raspinfo rpi-loop-utils rpi-swap rpicam-apps-core rpicam-apps-lite userconf-pi
24 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 8,464 kB of archives.
After this operation, 327 kB disk space will be freed.
Get:1 http://deb.debian.org/debian-security trixie-security/main arm64 libtiff6 arm64 4.7.0-3+deb13u1 [325 kB]
Get:2 http://archive.raspberrypi.com/debian trixie/main arm64 openssl-provider-legacy arm64 3.5.1-1+deb13u1+rpt1 [315 kB]
Get:3 http://archive.raspberrypi.com/debian trixie/main arm64 libssl3t64 arm64 3.5.1-1+deb13u1+rpt1 [3,424 kB]
Get:4 http://archive.raspberrypi.com/debian trixie/main arm64 bluez-firmware all 1.2-13+rpt2 [295 kB]
Get:5 http://archive.raspberrypi.com/debian trixie/main arm64 libpisp1 arm64 1.3.0-1 [219 kB]
Get:6 http://archive.raspberrypi.com/debian trixie/main arm64 libpisp-common all 1.3.0-1 [8,072 B]
Get:7 http://archive.raspberrypi.com/debian trixie/main arm64 libcamera0.5 arm64 0.5.2+rpt20250903-1+b1 [715 kB]
Get:8 http://archive.raspberrypi.com/debian trixie/main arm64 libcamera-ipa arm64 0.5.2+rpt20250903-1+b1 [997 kB]
Get:9 http://archive.raspberrypi.com/debian trixie/main arm64 libdtovl0 arm64 20251002-1 [28.4 kB]
Get:10 http://archive.raspberrypi.com/debian trixie/main arm64 libgpiolib0 arm64 20251002-1 [39.4 kB]
Get:11 http://archive.raspberrypi.com/debian trixie/main arm64 librpicam-app1 arm64 1.9.1-1 [208 kB]
Get:12 http://archive.raspberrypi.com/debian trixie/main arm64 openssl arm64 3.5.1-1+deb13u1+rpt1 [1,556 kB]
Get:13 http://archive.raspberrypi.com/debian trixie/main arm64 raspberrypi-sys-mods arm64 1:20251014 [18.6 kB]
Get:14 http://archive.raspberrypi.com/debian trixie/main arm64 raspi-utils-core arm64 20251002-1 [39.9 kB]
Get:15 http://archive.raspberrypi.com/debian trixie/main arm64 raspinfo all 20251002-1 [8,466 B]
Get:16 http://archive.raspberrypi.com/debian trixie/main arm64 raspi-utils-otp all 20251002-1 [8,790 B]
Get:17 http://archive.raspberrypi.com/debian trixie/main arm64 raspi-utils-eeprom arm64 20251002-1 [26.1 kB]
Get:18 http://archive.raspberrypi.com/debian trixie/main arm64 raspi-utils-dt arm64 20251002-1 [52.1 kB]
Get:19 http://archive.raspberrypi.com/debian trixie/main arm64 raspi-utils all 20251002-1 [6,322 B]
Get:20 http://archive.raspberrypi.com/debian trixie/main arm64 rpi-loop-utils all 1.2.1 [7,728 B]
Get:21 http://archive.raspberrypi.com/debian trixie/main arm64 rpi-swap all 1.2.1 [16.2 kB]
Get:22 http://archive.raspberrypi.com/debian trixie/main arm64 rpicam-apps-core arm64 1.9.1-1 [140 kB]
Get:23 http://archive.raspberrypi.com/debian trixie/main arm64 rpicam-apps-lite all 1.9.1-1 [3,852 B]
Get:24 http://archive.raspberrypi.com/debian trixie/main arm64 userconf-pi all 0.15 [7,308 B]
Fetched 8,464 kB in 4s (2,074 kB/s)
apt-listchanges: Reading changelogs...
(Reading database ... 68428 files and directories currently installed.)
Preparing to unpack .../openssl-provider-legacy_3.5.1-1+deb13u1+rpt1_arm64.deb ...
Unpacking openssl-provider-legacy (3.5.1-1+deb13u1+rpt1) over (3.5.1-1+~rpt1) ...
Setting up openssl-provider-legacy (3.5.1-1+deb13u1+rpt1) ...
(Reading database ... 68428 files and directories currently installed.)
Preparing to unpack .../libssl3t64_3.5.1-1+deb13u1+rpt1_arm64.deb ...
Unpacking libssl3t64:arm64 (3.5.1-1+deb13u1+rpt1) over (3.5.1-1+~rpt1) ...
・
・
・
$ sudo apt-get -y autoremove
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages will be REMOVED:
  libyuv0
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 610 kB disk space will be freed.
(Reading database ... 68424 files and directories currently installed.)
Removing libyuv0:arm64 (0.0.1904.20250204-1) ...
Processing triggers for libc-bin (2.41-12+rpt1) ...
$ sudo apt-get autoclean
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done

Linux kernel update

Note that you will need to enter "y" partway through.

$ sudo rpi-update
 *** Raspberry Pi firmware updater by Hexxeh, enhanced by AndrewS and Dom
 *** Performing self-update
 *** Relaunching after update
 *** Raspberry Pi firmware updater by Hexxeh, enhanced by AndrewS and Dom
FW_REV:e354226dea03d0e5733bfcccc1949afba2580897
BOOTLOADER_REV:229347e811989a03b4d977eff62eef480fd57099
 *** We're running for the first time
 *** Backing up files (this will take a few minutes)
 *** Backing up firmware
 *** Backing up modules 6.12.47+rpt-rpi-2712
WANT_32BIT:0 WANT_64BIT:1 WANT_64BIT_RT:0 WANT_PI4:1 WANT_PI5:1

Updating a system with initramfs configured is not supported by rpi-update.
If your system relies on drivers provided by the initramfs (e.g. custom filesystem options)
it may not boot without regenerating the initramfs.
If you are unsure, test if your system boots with initramfs options disabled from config.txt

Would you like to proceed? (y/N)     <== enter y
##############################################################
WARNING: This update bumps to rpi-6.12.y linux tree
See discussions at:
https://forums.raspberrypi.com/viewtopic.php?t=379745
##############################################################
Would you like to proceed? (y/N)     <== enter y
Downloading bootloader tools
Downloading bootloader images
 *** Downloading specific firmware revision (this will take a few minutes)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  185M  100  185M    0     0  10.8M      0  0:00:17  0:00:17 --:--:-- 11.0M
*** PREPARING EEPROM UPDATES ***

BOOTLOADER: update available
   CURRENT: Thu 25 Sep 19:38:34 UTC 2025 (1758829114)
    LATEST: Wed  8 Oct 16:19:18 UTC 2025 (1759940358)
   RELEASE: latest (/usr/lib/firmware/raspberrypi/bootloader-2712/latest)
            Use raspi-config to change the release.
   CURRENT: Thu 25 Sep 19:38:34 UTC 2025 (1758829114)
    UPDATE: Wed  8 Oct 16:19:18 UTC 2025 (1759940358)
    BOOTFS: /boot/firmware
'/tmp/tmp.BAJXt6H1XW' -> '/boot/firmware/pieeprom.upd'

UPDATING bootloader. This could take up to a minute. Please wait

*** Do not disconnect the power until the update is complete ***

If a problem occurs then the Raspberry Pi Imager may be used to create
a bootloader rescue SD card image which restores the default bootloader image.

flashrom -p linux_spi:dev=/dev/spidev10.0,spispeed=16000 -w /boot/firmware/pieeprom.upd
Verifying update
VERIFY: SUCCESS
UPDATE SUCCESSFUL
 *** Updating firmware
 *** Updating kernel modules
 *** depmod 6.12.51-v8-rt+
 *** depmod 6.12.51-v8-16k+
 *** depmod 6.12.51-v8+
 *** Updating VideoCore libraries
 *** Running ldconfig
 *** Storing current firmware revision
 *** Deleting downloaded files
 *** Syncing changes to disk
 *** If no errors appeared, your firmware was successfully updated to e354226dea03d0e5733bfcccc1949afba2580897
 *** A reboot is needed to activate the new firmware

Reboot the system.

$ sudo reboot

To check the version after the update:

$ vcgencmd version
2025/10/08 17:19:18
Copyright (c) 2012 Broadcom
version a06c733f (release) (embedded)

Hardening and tidying up SSH

Regenerating the SSH host keys

$ sudo rm -v /etc/ssh/ssh_host*
removed '/etc/ssh/ssh_host_ecdsa_key'
removed '/etc/ssh/ssh_host_ecdsa_key.pub'
removed '/etc/ssh/ssh_host_ed25519_key'
removed '/etc/ssh/ssh_host_ed25519_key.pub'
removed '/etc/ssh/ssh_host_rsa_key'
removed '/etc/ssh/ssh_host_rsa_key.pub'
$ sudo dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:W4BwP59rStOp0qWvlQKQP6M8MBkMLZK/nb2T2sWEOms root@raspberrypi5 (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:gkBFgzOFpe1nczn7OBVx6qT1GKpBNSNGMxeJF4rLt1I root@raspberrypi5 (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:SxlVMIb80boZTdiBbHvCXu0Szdy9PX2xxgZF2EV86dE root@raspberrypi5 (ED25519)
ssh.socket is a disabled or a static unit not running, not starting it.

Changing the SSH configuration

Open the configuration file and change the settings.

$ sudo vi /etc/ssh/sshd_config

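For a very quick guide to using vi, see here.

If a line is already defined, change its value; if it is not there, add the line.

Lines that begin with # are comments, so you do not need to add them.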

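####################
# Faster login
####################
# Restrict to IPv4
AddressFamily inet
# If a host line exists, comment it out
#host *
# Do not use GSSAPIAuthentication
GSSAPIAuthentication no

#########################
# SSH security settings
#########################
# Do not allow root to log in over ssh
PermitRootLogin no
# Grace time in seconds between opening the connection and completing login (shorter than the 120-second default)
LoginGraceTime 30
# Limit authentication attempts per connection, then disconnect
MaxAuthTries 3
# Allow SSH protocol version 2 only (OpenSSH 7.4 and later servers support only version 2)
Protocol 2
#########################
# Add this if there are specific users to allow
#########################
#AllowUsers newuser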

For the user allowed to connect, specify the new user you created earlier.

Verifying the settings

Use the command below to check that the settings are correct.

$ sudo sshd -t   <= prints nothing if the configuration is correct.
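
sshd -t only checks syntax. The script below is an added example, not part of the original article: it compares the values set above with what sshd -T reports as the effective configuration. The function name audit_sshd and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# "sshd -T" prints the settings sshd will actually use. They can differ from
# what was typed into sshd_config: sshd keeps the first value it reads for a
# keyword, and the stock Debian sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf".

# Values set in the sshd_config block on this page (sshd -T prints lowercase keys).
EXPECTED='addressfamily inet
gssapiauthentication no
permitrootlogin no
logingracetime 30
maxauthtries 3'

# audit_sshd: read "sshd -T" output on stdin, print OK/FAIL for each expected
# setting, return 1 if any effective value differs.
audit_sshd() {
    dump=$(cat)
    rc=0
    while read -r key want; do
        got=$(printf '%s\n' "$dump" |
              awk -v k="$key" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }')
        if [ "$got" = "$want" ]; then
            echo "OK    $key $got"
        else
            echo "FAIL  $key: want '$want', effective '${got:-unset}'"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed sample: effective settings when a drop-in file read before the
# edited lines already set PermitRootLogin and MaxAuthTries.
SAMPLE_OVERRIDDEN='port 22
addressfamily inet
logingracetime 30
permitrootlogin prohibit-password
maxauthtries 6
gssapiauthentication no'

# Demo on the constructed sample; on the Pi use: sudo sshd -T | audit_sshd
printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd ||
    echo "effective settings differ from the intended ones"
```

A FAIL line means an earlier definition of that keyword is taking precedence over the edited one.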

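Restarting the SSH service

Restart the SSH service with the command below.

$ sudo systemctl restart sshd.service  <= prints nothing if it runs successfully.

After that, if you can log in over SSH (Tera Term), everything is fine. Because the host keys were regenerated above, a client that has connected before will warn that the host key changed; compare the fingerprint it shows with the ones printed by dpkg-reconfigure.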


That takes care of the security of the server itself.
