7. Basic Raspberry Pi OS configuration

Removing unnecessary services from Raspberry Pi OS

To dedicate the machine to serving WordPress, we remove unneeded hardware support and services, which makes the system lighter and strengthens its security.

Raspberry Pi OS update

Package update

Update the installed packages.

$ sudo apt-get -y update
Hit:1 http://deb.debian.org/debian bookworm InRelease
Get:2 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:3 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
Get:4 http://archive.raspberrypi.com/debian bookworm InRelease [23.6 kB]
Get:5 http://deb.debian.org/debian-security bookworm-security/main arm64 Packages [93.4 kB]
Get:6 http://deb.debian.org/debian-security bookworm-security/main armhf Packages [91.1 kB]
Get:7 http://deb.debian.org/debian-security bookworm-security/main Translation-en [54.7 kB]
Get:8 http://deb.debian.org/debian-security bookworm-security/contrib Translation-en [372 B]
Get:9 http://archive.raspberrypi.com/debian bookworm/main armhf Packages [344 kB]
Get:10 http://archive.raspberrypi.com/debian bookworm/main arm64 Packages [337 kB]
Fetched 1,044 kB in 4s (253 kB/s)
Reading package lists... Done
N: Repository 'http://archive.raspberrypi.com/debian bookworm InRelease' changed its 'Suite' value from 'testing' to 'stable'
$ sudo apt-get -y dist-upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  curl libcurl3-gnutls libcurl4 libpam-chksshpwd libpam-modules libpam-modules-bin libpam-runtime libpam0g libraspberrypi-bin libraspberrypi-dev libraspberrypi-doc libraspberrypi0 libssl3 libwbclient0 openssl
  raspberrypi-net-mods raspi-config raspi-utils rpi-eeprom
19 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 8,461 kB of archives.
After this operation, 4,255 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian-security bookworm-security/main arm64 libssl3 arm64 3.0.11-1~deb12u2 [1,803 kB]
Get:2 http://deb.debian.org/debian-security bookworm-security/main arm64 curl arm64 7.88.1-10+deb12u4 [308 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security/main arm64 libcurl4 arm64 7.88.1-10+deb12u4 [366 kB]
Get:4 http://deb.debian.org/debian-security bookworm-security/main arm64 libcurl3-gnutls arm64 7.88.1-10+deb12u4 [361 kB]
Get:5 http://deb.debian.org/debian-security bookworm-security/main arm64 libwbclient0 arm64 2:4.17.12+dfsg-0+deb12u1 [52.8 kB]
Get:6 http://deb.debian.org/debian-security bookworm-security/main arm64 openssl arm64 3.0.11-1~deb12u2 [1,385 kB]
Get:7 http://archive.raspberrypi.com/debian bookworm/main arm64 libpam0g arm64 1.5.2-6+rpt2+deb12u1 [90.7 kB]
Get:8 http://archive.raspberrypi.com/debian bookworm/main arm64 libpam-modules-bin arm64 1.5.2-6+rpt2+deb12u1 [75.0 kB]
Get:9 http://archive.raspberrypi.com/debian bookworm/main arm64 libpam-modules arm64 1.5.2-6+rpt2+deb12u1 [286 kB]
Get:10 http://archive.raspberrypi.com/debian bookworm/main arm64 libpam-runtime all 1.5.2-6+rpt2+deb12u1 [161 kB]
Get:11 http://archive.raspberrypi.com/debian bookworm/main arm64 libpam-chksshpwd arm64 1.5.2-6+rpt2+deb12u1 [46.4 kB]
Get:12 http://archive.raspberrypi.com/debian bookworm/main arm64 libraspberrypi-bin arm64 1:2+git20231018~131943+3c97f76-1 [49.6 kB]
Get:13 http://archive.raspberrypi.com/debian bookworm/main arm64 raspi-utils arm64 20231017-1 [65.9 kB]
Get:14 http://archive.raspberrypi.com/debian bookworm/main arm64 libraspberrypi-dev arm64 1:2+git20231018~131943+3c97f76-1 [130 kB]
Get:15 http://archive.raspberrypi.com/debian bookworm/main arm64 libraspberrypi0 arm64 1:2+git20231018~131943+3c97f76-1 [78.6 kB]
Get:16 http://archive.raspberrypi.com/debian bookworm/main arm64 libraspberrypi-doc all 1:2+git20231018~131943+3c97f76-1 [2,392 B]
Get:17 http://archive.raspberrypi.com/debian bookworm/main arm64 raspi-config all 20231018 [29.7 kB]
Get:18 http://archive.raspberrypi.com/debian bookworm/main arm64 raspberrypi-net-mods all 1.4.0 [2,160 B]
Get:19 http://archive.raspberrypi.com/debian bookworm/main arm64 rpi-eeprom all 20.0-2 [3,167 kB]
Fetched 8,461 kB in 5s (1,738 kB/s)
apt-listchanges: Reading changelogs...
Preconfiguring packages ...
・
・
・
$ sudo apt-get -y autoremove
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
$ sudo apt-get autoclean
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
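Added example, not from the original post: a small helper that picks out which of the pending upgrades come from a Debian security suite, so they can be applied first (or checked when a dist-upgrade has to be postponed). It parses the dry-run output of "apt-get -s dist-upgrade"; the "Inst" lines in that output have the shape `Inst <pkg> [<old-version>] (<new-version> <origin>:<suite> [<arch>])`. The sample lines are constructed: the new versions come from the session above, the old versions and the Raspberry Pi origin string are made up.

```sh
#!/bin/sh
# Added example, not from the original post: list the pending upgrades that come
# from a Debian security suite so they can be prioritised. Reads the output of
# "apt-get -s dist-upgrade" (a dry run) on stdin. Security fixes carry an origin
# such as Debian-Security:12/stable-security inside the parentheses.

list_security_upgrades() {
    awk '$1 == "Inst" && match($0, /\(.*\)/) {
        # text inside the parentheses: "<new-version> <origin>:<suite> [<arch>]"
        inner = substr($0, RSTART + 1, RLENGTH - 2)
        split(inner, parts, " ")
        newver = parts[1]
        # the origin label may contain spaces, so test the whole remainder
        # rather than a single whitespace-separated field
        if (substr(inner, length(newver) + 2) ~ /[Ss]ecurity/) print $2, newver
    }'
}

# Constructed sample dry-run output (new versions taken from the session above;
# old versions and the Raspberry Pi origin label are made up for the example).
SAMPLE_DRY_RUN='Inst libssl3 [3.0.11-1~deb12u1] (3.0.11-1~deb12u2 Debian-Security:12/stable-security [arm64])
Inst raspi-config [20230925] (20231018 Raspberry Pi Foundation:stable [all])
Inst curl [7.88.1-10+deb12u3] (7.88.1-10+deb12u4 Debian-Security:12/stable-security [arm64])'

# Runs the parser over the constructed sample; prints "libssl3 ..." and "curl ...".
demo_security_upgrades() {
    printf '%s\n' "$SAMPLE_DRY_RUN" | list_security_upgrades
}

# Real use on the Pi:  sudo apt-get -s dist-upgrade | list_security_upgrades
```

The dry run needs no root privileges beyond reading the package lists, so it can be run before deciding whether a full dist-upgrade is safe to do now.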

Linux kernel update

You will have to type "y" partway through, so watch for the prompt. Note that rpi-update's own banner (below) says it should not be part of a regular update process: it installs the newest, least-tested kernel and firmware, so skip this step unless you have a specific reason and are prepared to restore the previous version if something regresses.

$ sudo rpi-update
 *** Raspberry Pi firmware updater by Hexxeh, enhanced by AndrewS and Dom
 *** Performing self-update
 *** Relaunching after update
 *** Raspberry Pi firmware updater by Hexxeh, enhanced by AndrewS and Dom
FW_REV:7ca14294c4bf09fda8d138f9987cd031ced61f7c
BOOTLOADER_REV:72cedfe5eea64bb8509b7d0fec68f5df5dd22f9e
 *** We're running for the first time
 *** Backing up files (this will take a few minutes)
 *** Backing up firmware
 *** Backing up modules 6.1.0-rpi7-rpi-v8
WANT_32BIT:0 WANT_64BIT:1 WANT_PI4:1 WANT_PI5:1
#############################################################
WARNING: This update bumps to rpi-6.1.y linux tree
See: https://forums.raspberrypi.com/viewtopic.php?t=344246

'rpi-update' should only be used if there is a specific
reason to do so - for example, a request by a Raspberry Pi
engineer or if you want to help the testing effort
and are comfortable with restoring if there are regressions.

DO NOT use 'rpi-update' as part of a regular update process.
##############################################################
Would you like to proceed? (y/N)         <== type y
Downloading bootloader tools
Downloading bootloader images
 *** Downloading specific firmware revision (this will take a few minutes)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
100  144M  100  144M    0     0  16.4M      0  0:00:08  0:00:08 --:--:-- 16.7M
*** PREPARING EEPROM UPDATES ***

BOOTLOADER: update available
   CURRENT: Tue 25 Jan 14:30:41 UTC 2022 (1643121041)
    LATEST: Thu 11 May 06:26:03 UTC 2023 (1683786363)
   RELEASE: latest (/lib/firmware/raspberrypi/bootloader-2711/latest)
            Use raspi-config to change the release.

  VL805_FW: Dedicated VL805 EEPROM
     VL805: up to date
   CURRENT: 000138c0
    LATEST: 000138c0
   CURRENT: Tue 25 Jan 14:30:41 UTC 2022 (1643121041)
    UPDATE: Thu 11 May 06:26:03 UTC 2023 (1683786363)
    BOOTFS: /boot/firmware
'/tmp/tmp.ptaEvT6pwP' -> '/boot/firmware/pieeprom.upd'
Copying recovery.bin to /boot/firmware for EEPROM update

EEPROM updates pending. Please reboot to apply the update.
To cancel a pending update run "sudo rpi-eeprom-update -r".
 *** Updating firmware
 *** Updating kernel modules
 *** depmod 6.1.69-v8-16k+
 *** depmod 6.1.69-v8+
 *** Updating VideoCore libraries
 *** Using SoftFP libraries
 *** Updating SDK
 *** Running ldconfig
 *** Storing current firmware revision
 *** Deleting downloaded files
 *** Syncing changes to disk
 *** If no errors appeared, your firmware was successfully updated to 7ca14294c4bf09fda8d138f9987cd031ced61f7c
 *** A reboot is needed to activate the new firmware

The current version is:

$ vcgencmd version
Oct 17 2023 15:39:16
Copyright (c) 2012 Broadcom
version 30f0c5e4d076da3ab4f341d88e7d505760b93ad7 (clean) (release) (start)

Now reboot the system.

$ sudo reboot

To check the version after the update:

$ vcgencmd version
Oct 17 2023 15:42:39
Copyright (c) 2012 Broadcom
version 30f0c5e4d076da3ab4f341d88e7d505760b93ad7 (clean) (release) (start)

Strengthening and tidying up SSH security

Regenerating the SSH host keys

$ sudo rm -v /etc/ssh/ssh_host*
removed '/etc/ssh/ssh_host_ecdsa_key'
removed '/etc/ssh/ssh_host_ecdsa_key.pub'
removed '/etc/ssh/ssh_host_ed25519_key'
removed '/etc/ssh/ssh_host_ed25519_key.pub'
removed '/etc/ssh/ssh_host_rsa_key'
removed '/etc/ssh/ssh_host_rsa_key.pub'
$ sudo dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
3072 SHA256:pJ2VM485Fh/NSnirID6BAs1wvwTKu1DQYzq84D1hv2s root@raspberrypi (RSA)
Creating SSH2 ECDSA key; this may take some time ...
256 SHA256:TNvnvH+Lqp7r7XgLmTxsJYBa1mzvSUg70jHZoZRhbSA root@raspberrypi (ECDSA)
Creating SSH2 ED25519 key; this may take some time ...
256 SHA256:WkvcR2dmSZIGY/1Bm7/E5ORSarj8yx4uV3kYBIRL4OY root@raspberrypi (ED25519)
rescue-ssh.target is a disabled or a static unit not running, not starting it.
ssh.socket is a disabled or a static unit not running, not starting it.
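Added example, not part of the original post. Once the host keys have been regenerated, every client that connected before will get a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning on its next connection. The defensible way to handle that is to note the new fingerprints on the server console (the dpkg-reconfigure output above already shows them once) and compare them on the client before removing the stale known_hosts entry. The directory argument is an assumption for testing; on the Pi the default /etc/ssh is what you want.

```sh
#!/bin/sh
# Added example, not part of the original post. Print the fingerprints of all
# OpenSSH host keys in a directory (default /etc/ssh) so they can be recorded
# out of band and checked against the client-side warning after regeneration.

host_key_fingerprints() {
    dir=${1:-/etc/ssh}            # assumption: directory holding ssh_host_*_key.pub
    for pub in "$dir"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        # ssh-keygen -l prints: <bits> SHA256:<fingerprint> <comment> (<TYPE>)
        ssh-keygen -lf "$pub"
    done
}

# Run on the CLIENT, only after the fingerprint shown in the warning matches one
# printed on the server console: drop the stale known_hosts entry for the host so
# the new key is learned (and confirmed) on the next connection.
forget_old_host_key() {
    ssh-keygen -R "$1"            # $1 is the host name or IP as it appears in known_hosts
}
```

Run host_key_fingerprints on the Pi's console or over the still-open session, then on each client compare the SHA256 value in the warning with that list; only then call forget_old_host_key with the host name you use to connect.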

Changing the SSH configuration

Open the configuration file and change the settings listed below.

$ sudo vi /etc/ssh/sshd_config

For a very quick introduction to vi, see here.

If a line is already defined, change its value; if it is absent, add the line.

Lines that start with # are comments, so you do not need to add them.

####################
# Faster logins
####################
# Restrict to IPv4
AddressFamily inet
# If a "host" line exists, comment it out
#host *
# Do not use GSSAPI authentication
GSSAPIAuthentication no

#########################
# SSH security settings
#########################
# Disallow logging in as root over ssh
PermitRootLogin no
# Seconds allowed between opening the session and completing login (the OpenSSH default is 120)
LoginGraceTime 30
# Number of authentication attempts before the connection is dropped
MaxAuthTries 3
# Allow only SSH protocol version 2 (already the default; OpenSSH 7.4 and later report this option as deprecated)
Protocol 2
#########################
# If there are users who should be allowed to connect, add them here
#########################
#AllowUsers newuser

For the allowed users, specify the new user you created earlier.

Check that the settings are correct

Check the settings with the following command.

$ sudo sshd -t   <= nothing is printed if the configuration is correct.

Restart the SSH service

Restart the SSH service with the following command.

$ sudo systemctl restart sshd.service  <= nothing is printed when it succeeds.

After that, if you can log in over SSH (Tera Term), everything is fine.


That takes care of the security of the server itself.
