Bring Raspberry Pi OS up to date and apply secure SSH settings to build a well-prepared environment.
Updating Raspberry Pi OS
Updating packages
Update the installed packages.
$ sudo apt-get -y update
Hit:1 http://deb.debian.org/debian bookworm InRelease
Get:2 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:3 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
Get:4 http://deb.debian.org/debian-security bookworm-security/main arm64 Packages [254 kB]
Get:5 http://deb.debian.org/debian-security bookworm-security/main armhf Packages [240 kB]
Get:6 http://archive.raspberrypi.com/debian bookworm InRelease [54.8 kB]
Get:7 http://archive.raspberrypi.com/debian bookworm/main armhf Packages [539 kB]
Get:8 http://archive.raspberrypi.com/debian bookworm/main arm64 Packages [537 kB]
Fetched 1,728 kB in 4s (490 kB/s)
Reading package lists... Done
$ sudo apt-get -y dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
initramfs-tools initramfs-tools-core libssl3 openssl rpi-eeprom
5 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 6,898 kB of archives.
After this operation, 7,417 kB of additional disk space will be used.
Get:1 http://archive.raspberrypi.com/debian bookworm/main arm64 initramfs-tools all 0.142+rpt3+deb12u3 [17.4 kB]
Get:2 http://archive.raspberrypi.com/debian bookworm/main arm64 initramfs-tools-core all 0.142+rpt3+deb12u3 [53.5 kB]
Get:3 http://archive.raspberrypi.com/debian bookworm/main arm64 libssl3 arm64 3.0.16-1~deb12u1+rpt1 [2,365 kB]
Get:4 http://archive.raspberrypi.com/debian bookworm/main arm64 openssl arm64 3.0.16-1~deb12u1+rpt1 [1,497 kB]
Get:5 http://archive.raspberrypi.com/debian bookworm/main arm64 rpi-eeprom all 27.8-1 [2,965 kB]
Fetched 6,898 kB in 3s (2,015 kB/s)
apt-listchanges: Reading changelogs...
(Reading database ... 58259 files and directories currently installed.)
Preparing to unpack .../initramfs-tools_0.142+rpt3+deb12u3_all.deb ...
Unpacking initramfs-tools (0.142+rpt3+deb12u3) over (0.142+rpt3+deb12u1) ...
Preparing to unpack .../initramfs-tools-core_0.142+rpt3+deb12u3_all.deb ...
Unpacking initramfs-tools-core (0.142+rpt3+deb12u3) over (0.142+rpt3+deb12u1) ...
Preparing to unpack .../libssl3_3.0.16-1~deb12u1+rpt1_arm64.deb ...
Unpacking libssl3:arm64 (3.0.16-1~deb12u1+rpt1) over (3.0.15-1~deb12u1+rpt1) ...
Preparing to unpack .../openssl_3.0.16-1~deb12u1+rpt1_arm64.deb ...
Unpacking openssl (3.0.16-1~deb12u1+rpt1) over (3.0.15-1~deb12u1+rpt1) ...
Preparing to unpack .../rpi-eeprom_27.8-1_all.deb ...
Unpacking rpi-eeprom (27.8-1) over (27.6-1) ...
Setting up libssl3:arm64 (3.0.16-1~deb12u1+rpt1) ...
Setting up rpi-eeprom (27.8-1) ...
Setting up initramfs-tools-core (0.142+rpt3+deb12u3) ...
Setting up openssl (3.0.16-1~deb12u1+rpt1) ...
Setting up initramfs-tools (0.142+rpt3+deb12u3) ...
update-initramfs: deferring update (trigger activated)
Processing triggers for man-db (2.11.2-2) ...
Processing triggers for libc-bin (2.36-9+rpt2+deb12u10) ...
Processing triggers for initramfs-tools (0.142+rpt3+deb12u3) ...
update-initramfs: Generating /boot/initrd.img-6.12.25+rpt-rpi-v8
'/boot/initrd.img-6.12.25+rpt-rpi-v8' -> '/boot/firmware/initramfs8'
update-initramfs: Generating /boot/initrd.img-6.12.25+rpt-rpi-2712
'/boot/initrd.img-6.12.25+rpt-rpi-2712' -> '/boot/firmware/initramfs_2712'
$ sudo apt-get -y autoremove
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
$ sudo apt-get autoclean
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Updating the Linux kernel
Note that you will need to enter "y" partway through.
$ sudo rpi-update
*** Raspberry Pi firmware updater by Hexxeh, enhanced by AndrewS and Dom
*** Performing self-update
*** Relaunching after update
*** Raspberry Pi firmware updater by Hexxeh, enhanced by AndrewS and Dom
FW_REV:f54e67fef6e726725d3a8f56d232194497bd247c
BOOTLOADER_REV:cd4048df1d55be89bf84879754a4acf9c92e1f7a
*** We're running for the first time
*** Backing up files (this will take a few minutes)
*** Backing up firmware
*** Backing up modules 6.12.25+rpt-rpi-v8
WANT_32BIT:0 WANT_64BIT:1 WANT_64BIT_RT:0 WANT_PI4:1 WANT_PI5:1
##############################################################
WARNING: This update bumps to rpi-6.12.y linux tree
See discussions at:
https://forums.raspberrypi.com/viewtopic.php?t=379745
##############################################################
Would you like to proceed? (y/N) <== enter y
Downloading bootloader tools
Downloading bootloader images
*** Downloading specific firmware revision (this will take a few minutes)
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 152M 100 152M 0 0 10.2M 0 0:00:14 0:00:14 --:--:-- 10.6M
*** PREPARING EEPROM UPDATES ***
BOOTLOADER: update available
CURRENT: Tue 11 Feb 17:00:13 UTC 2025 (1739293213)
LATEST: Thu 8 May 15:21:35 UTC 2025 (1746717695)
RELEASE: latest (/usr/lib/firmware/raspberrypi/bootloader-2711/latest)
Use raspi-config to change the release.
VL805_FW: Dedicated VL805 EEPROM
VL805: up to date
CURRENT: 000138c0
LATEST: 000138c0
CURRENT: Tue 11 Feb 17:00:13 UTC 2025 (1739293213)
UPDATE: Thu 8 May 15:21:35 UTC 2025 (1746717695)
BOOTFS: /boot/firmware
'/tmp/tmp.EQboa5WjXe' -> '/boot/firmware/pieeprom.upd'
Copying recovery.bin to /boot/firmware for EEPROM update
EEPROM updates pending. Please reboot to apply the update.
To cancel a pending update run "sudo rpi-eeprom-update -r".
*** Updating firmware
*** Updating kernel modules
*** depmod 6.12.27-v8+
*** depmod 6.12.27-v8-16k+
*** Updating VideoCore libraries
*** Running ldconfig
*** Storing current firmware revision
*** Deleting downloaded files
*** Syncing changes to disk
*** If no errors appeared, your firmware was successfully updated to f54e67fef6e726725d3a8f56d232194497bd247c
*** A reboot is needed to activate the new firmware
Reboot the system.
$ sudo reboot
To check the updated OS version:
$ vcgencmd version
Apr 30 2025 13:33:39
Copyright (c) 2012 Broadcom
version 5560078dcc8591a00f57b9068d13e5544aeef3aa (clean) (release) (start)
Strengthening and tidying up SSH security
Regenerating the SSH host keys
$ sudo rm -v /etc/ssh/ssh_host*
removed '/etc/ssh/ssh_host_ecdsa_key'
removed '/etc/ssh/ssh_host_ecdsa_key.pub'
removed '/etc/ssh/ssh_host_ed25519_key'
removed '/etc/ssh/ssh_host_ed25519_key.pub'
removed '/etc/ssh/ssh_host_rsa_key'
removed '/etc/ssh/ssh_host_rsa_key.pub'
$ sudo dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:cwRGQfrrHzzn6Xas321YKQP6xPXvNp+3hA9ffAYH6PY root@raspberrypi (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:qoUIfraTob89H0f2yuA0OUC4UCJn/BBiui6Ro84JJ74 root@raspberrypi (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:P8XNrLR+Koa2+dUpCkhupKKVd9McKM+Xz8p84sQTGp4 root@raspberrypi (ED25519)
rescue-ssh.target is a disabled or a static unit not running, not starting it.
ssh.socket is a disabled or a static unit not running, not starting it.
Changing the SSH settings
Open the configuration file and change the settings below.
$ sudo vi /etc/ssh/sshd_config

ももぶろ
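For a super-simple guide to using vi, take a look here.
If a line is already defined, change its contents; if it is not there, add the line.
Lines that begin with # are comments, so you do not need to add them.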
####################
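# Faster logins
####################
# Restrict to IPv4
AddressFamily inet
# If a host line exists, comment it out
#host *
# Do not use GSSAPIAuthentication
GSSAPIAuthentication no
#########################
# SSH security settings
#########################
# Prevent root from logging in over ssh
PermitRootLogin no
# Grace period between opening the session and completing login, in seconds (the sshd default is 120)
LoginGraceTime 30
# Set the number of retries, after which the connection is dropped
MaxAuthTries 3
# Allow SSH protocol version 2 only (current OpenSSH releases support only version 2)
Protocol 2
#########################
# Add this if only specific users should be allowed to connect
#########################
#AllowUsers newuser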

ももぶろ
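For the user allowed to connect, specify the new user you created earlier.
Checking that the settings are correct
Use the command below to check that the settings are correct.
$ sudo sshd -t <= prints nothing if the configuration is valid.
Restarting the SSH service
Use the command below to restart the SSH service.
$ sudo systemctl restart sshd.service <= prints nothing when it runs successfully.
After that, if you can log in over SSH (Teraterm), everything is fine.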
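sshd -t only checks that the configuration file is valid; sshd -T additionally prints the effective configuration the daemon will use. The script below is an added example, not part of the original article: it compares sshd -T style output with the values set above. The function name audit_sshd and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# Real use on the Pi:  sudo sshd -T | audit_sshd

# Values this article sets in /etc/ssh/sshd_config, as `sshd -T` prints them.
EXPECTED='addressfamily inet
gssapiauthentication no
permitrootlogin no
logingracetime 30
maxauthtries 3'

# Constructed sample: effective settings after applying the article's config.
SAMPLE_HARDENED="$EXPECTED
port 22
x11forwarding yes"

# Constructed sample: a server where the edits did not take effect.
SAMPLE_DEFAULT='port 22
addressfamily any
gssapiauthentication no
permitrootlogin without-password
logingracetime 120
maxauthtries 6'

# Reads `sshd -T` style "keyword value" lines on stdin, prints one result
# line per expected keyword, returns 0 only if every value matches.
audit_sshd() {
    effective=$(cat)
    status=0
    while read -r key want; do
        got=$(printf '%s\n' "$effective" |
              awk -v k="$key" 'tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (expected $want)"; status=1
        elif [ "$got" = "$want" ]; then
            echo "OK      $key $got"
        else
            echo "FAIL    $key is '$got', expected '$want'"; status=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$status"
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd
printf '%s\n' "$SAMPLE_DEFAULT" | audit_sshd || echo "=> effective settings differ from the article's"
```

Run it before closing your current SSH session, so that a setting that did not take effect can still be corrected from the open connection.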

ももぶろ
With this, the security of the server on its own is in good shape.