@satori99
Last active March 21, 2018 08:14
Raspberry Pi 3 DLNA Server


These are my install notes for configuring a Raspberry Pi with an external USB hard drive as a super lightweight media server for smart TVs.

Create a Base Image

I have started off with Raspbian-lite Stretch

user@local: ~$ wget http://director.downloads.raspberrypi.org/raspbian_lite/images/raspbian_lite-2018-03-14/2018-03-13-raspbian-stretch-lite.zip
user@local: ~$ unzip 2018-03-13-raspbian-stretch-lite.zip

Now burn the image to an SD card using whatever software is appropriate for your operating system. On Windows I use Win32 Disk Imager.

After the image is written, mount the boot (fat) partition and edit /config.txt as follows:

# /boot/config.txt for Pi DLNA Server

# CPU Frequency
arm_freq=1200

# minimize memory reserved for GPU
gpu_mem=64

# disable interfaces we don't need
dtparam=i2c_arm=off
dtparam=i2s=off
dtparam=spi=off
dtparam=audio=off

# disable wifi and bluetooth radios
dtoverlay=pi3-disable-wifi
dtoverlay=pi3-disable-bt

# turn off display, instead of blank screen
hdmi_blanking=1

disable_splash=1

Finally, create an empty file named ssh on the boot partition to enable an ssh daemon, then eject it, pop it in the Pi, and boot it up.

Connect to the Pi and Make It Ours

Now connect to the Pi via SSH

Note: The IP will be assigned by your router

user@local: ~$ ssh pi@192.168.0.14
pi@192.168.0.14's password: raspberry
Linux raspberrypi 4.9.80-v7+ #1098 SMP Fri Mar 9 19:11:42 GMT 2018 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Mar 21 04:36:43 2018 from 192.168.0.8

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

Configure DHCP to use Google DNS (no country-level DNS blocking)

pi@raspberrypi:~ $ echo "static domain_name_servers=8.8.8.8 8.8.4.4" | sudo tee -a /etc/dhcpcd.conf

Now we can change the hostname from the default 'raspberrypi' to 'media'

pi@raspberrypi:~ $ echo "media" | sudo tee /etc/hostname
media

Then edit the /etc/hosts file to look like this:

pi@raspberrypi:~ $ sudo nano /etc/hosts
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

127.0.1.1       media

Configure the locale

pi@raspberrypi:~ $ sudo nano /etc/locale.gen

Uncomment only en_US.UTF-8 UTF-8 (everything else should be commented), then regenerate:

pi@raspberrypi:~ $ sudo /usr/sbin/locale-gen

Create a new user admin with the same permissions as the default pi user

pi@raspberrypi:~ $ sudo adduser admin
Adding user `admin' ...
Adding new group `admin' (1001) ...
Adding new user `admin' (1001) with group `admin' ...
Creating home directory `/home/admin' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for admin
Enter the new value, or press ENTER for the default
        Full Name []: Media Admin
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
pi@raspberrypi:~ $ for GROUP in adm dialout cdrom sudo audio video plugdev games users netdev input spi i2c gpio; do sudo adduser admin "$GROUP"; done
Adding user `admin' to group `adm' ...
Adding user admin to group adm
Done.
Adding user `admin' to group `dialout' ...
Adding user admin to group dialout
Done.
Adding user `admin' to group `cdrom' ...
Adding user admin to group cdrom
Done.
Adding user `admin' to group `sudo' ...
Adding user admin to group sudo
Done.
Adding user `admin' to group `audio' ...
Adding user admin to group audio
Done.
Adding user `admin' to group `video' ...
Adding user admin to group video
Done.
Adding user `admin' to group `plugdev' ...
Adding user admin to group plugdev
Done.
Adding user `admin' to group `games' ...
Adding user admin to group games
Done.
Adding user `admin' to group `users' ...
Adding user admin to group users
Done.
Adding user `admin' to group `netdev' ...
Adding user admin to group netdev
Done.
Adding user `admin' to group `input' ...
Adding user admin to group input
Done.
Adding user `admin' to group `spi' ...
Adding user admin to group spi
Done.
Adding user `admin' to group `i2c' ...
Adding user admin to group i2c
Done.
Adding user `admin' to group `gpio' ...
Adding user admin to group gpio
Done.

Create an authorized_keys file for the admin user.

pi@raspberrypi:~ $ sudo -u admin mkdir /home/admin/.ssh
pi@raspberrypi:~ $ sudo -u admin touch /home/admin/.ssh/authorized_keys
pi@raspberrypi:~ $ sudo -u admin chmod 700 /home/admin/.ssh/
pi@raspberrypi:~ $ sudo -u admin chmod 600 /home/admin/.ssh/authorized_keys

Reboot the Pi to make our hostname change stick

pi@raspberrypi:~ $ sudo reboot
[sudo] password for pi: raspberry
Connection to 192.168.0.14 closed by remote host.
Connection to 192.168.0.14 closed.

Wait for it to restart, then copy our existing public key to the admin user for easier SSH logins

user@local: ~$ cat ~/.ssh/id_rsa.pub | ssh admin@192.168.0.14 'cat > .ssh/authorized_keys'
admin@192.168.0.14's password: password

Now we can log in without having to type a password

user@local: ~$ ssh admin@192.168.0.14
Linux media 4.9.80-v7+ #1098 SMP Fri Mar 9 19:11:42 GMT 2018 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Mar 21 05:35:56 2018 from 192.168.0.8

SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.

Delete the pi user

admin@media:~ $ sudo deluser --remove-home pi
Looking for files to backup/remove ...
Removing files ...
Removing user `pi' ...
Warning: group `pi' has no more members.
Done.

Now, tighten up the OpenSSH configuration a bit

admin@media:~ $ sudo nano /etc/ssh/sshd_config

Make sure the following lines are not commented

LoginGraceTime 120
PermitRootLogin  no
StrictModes  yes
PasswordAuthentication  yes
PubkeyAuthentication  yes
AuthorizedKeysFile  %h/.ssh/authorized_keys
ChallengeResponseAuthentication  no
UsePAM   no

Restart the SSH daemon

admin@media:~ $ sudo service ssh restart
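
One way to confirm the edit took effect, as an added example that is not part of the original notes: sshd uses the first value it reads for each keyword, so a directive appended below an existing uncommented line is ignored. The function names and the sample file are hypothetical; the expected values are the ones listed above.

```shell
# Added example (not from the original notes): audit the sshd_config directives.
# sshd keeps the first value it reads for a keyword, so an earlier uncommented
# line silently overrides one appended further down the file.

# effective_value FILE KEYWORD -> first uncommented value in the global section
effective_value() {
    awk -v want="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE -> one line per directive from the notes, status 1 on mismatch
audit_sshd() {
    rc=0
    while read -r key expected; do
        actual=$(effective_value "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "ok        $key $actual"
        else
            echo "MISMATCH  $key expected=$expected effective=${actual:-unset}"
            rc=1
        fi
    done <<'EOF'
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM no
EOF
    return $rc
}

# Constructed sample: a config where "UsePAM no" was appended below an
# existing "UsePAM yes", and PermitRootLogin is still commented out.
sample_sshd_config() {
    cat > "$1" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication yes
UsePAM yes
UsePAM no
EOF
}
```

Run it as `audit_sshd /etc/ssh/sshd_config` after editing. With PasswordAuthentication yes among the expected values, password logins remain available alongside the key.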

Finally, we can set up our firewall

admin@media:~ $ sudo apt-get install iptables iptables-persistent -y
admin@media:~ $ sudo nano /etc/iptables/rules.v4

Add the following text to create some iptables rules:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Accept all loopback traffic so local services can reach each other
-A INPUT -i lo -j ACCEPT

# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allow SSH connections, the --dport number should be the same port number you set in sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

# Allow ping
-A INPUT -p icmp -j ACCEPT

# Log iptables dropped packets
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables dropped: " --log-level 7

# Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
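
Because the rules end in an unconditional DROP, a mismatch between the --dport value and the sshd port locks out remote access. The following added example (not part of the original notes) checks that before the rules are loaded; the function names and the sample rules file are hypothetical.

```shell
# Added example (not from the original notes): lockout check for rules.v4.

# sshd_port FILE -> first uncommented Port value, or 22 (sshd's default)
sshd_port() {
    awk 'tolower($1) == "port" { print $2; found = 1; exit }
         END { if (!found) print 22 }' "$1"
}

# ssh_allowed RULES PORT -> status 0 if a tcp ACCEPT for PORT is reached
# before an unconditional "-A INPUT -j DROP". Port ranges are not handled.
ssh_allowed() {
    awk -v port="$2" '
        $1 != "-A" || $2 != "INPUT" { next }
        {
            target = ""; dport = ""; proto = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
            }
        }
        target == "ACCEPT" && proto == "tcp" && dport == port { ok = 1; exit }
        target == "DROP" && NF == 4 { exit }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# Constructed sample: INPUT rules taken from the notes, written to FILE.
sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# check_lockout SSHD_CONFIG RULES -> prints verdict, status 1 on mismatch
check_lockout() {
    port=$(sshd_port "$1")
    if ssh_allowed "$2" "$port"; then
        echo "ok: tcp/$port is accepted before the final DROP"
    else
        echo "LOCKOUT RISK: sshd listens on tcp/$port but no ACCEPT precedes the DROP"
        return 1
    fi
}
```

Run it as `check_lockout /etc/ssh/sshd_config /etc/iptables/rules.v4` from the existing SSH session before applying the rules.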