Skip to main content

[How-To] Configure the Day 1 Checklist for Raspberry Pi

Purpose

This guide walks through the recommended "day 1" tasks to bring a fresh Raspberry Pi (Raspberry Pi OS / Debian-based) into a secure, reliable, and manageable state before you install services. It covers updates, timezone/locale, hostname, networking (static IP), SSH hardening, useful tools, firewall, and optional extras.

Prerequisites

  • Raspberry Pi hardware with microSD card and power cable

  • microSD card reader for your computer

  • Internet connection

  • (Optional) Ethernet cable for wired setup

Instructions

Follow these steps in order. Many commands require sudo or root.

Step 1 — Update & Upgrade the System

sudo apt update && sudo apt full-upgrade -y
sudo apt autoremove --purge -y
sudo apt clean

Why: Applies security patches and bug fixes so you start from an up-to-date base.

Step 2 — Configure Hostname, Timezone & Locale

Use raspi-config for an interactive setup:

sudo raspi-config

In the menu, set:

  • System Options → Hostname — give the Pi a descriptive name

  • Localisation Options

    • L1 Locale — select your locale (e.g. en_US.UTF-8)

    • L2 Timezone — set your timezone

    • L3 Keyboard Layout — if needed

    • L4 Wi‑Fi Country — if you will use Wi‑Fi

Reboot if prompted.

Why: Correct time and locale are required for logs, certificates and scheduled jobs.

Step 3 — Configure a Static IP (Optional but recommended for servers)

Edit dhcpcd.conf to set a static address for eth0 (or wlan0):

sudo nano /etc/dhcpcd.conf

Append example config (adjust addresses to match your network):

interface eth0
static ip_address=192.168.1.50/24
static routers=192.168.1.1
static domain_name_servers=1.1.1.1 8.8.8.8

Restart the DHCP client service:

sudo systemctl restart dhcpcd

Why: Makes remote access predictable and avoids DHCP address changes breaking scripts.

Step 4 — Change the Default User Password

If the default user is present, change its password immediately:

passwd

Why: Default credentials are well-known and must be changed on any network-connected device.

Step 5 — Enable & Harden SSH

Enable SSH and then harden the server to use keys only:

sudo systemctl enable --now ssh

Generate an SSH key on your admin workstation (if you don’t already have one):

ssh-keygen -t ed25519
ssh-copy-id pi@<raspberry-ip>

On the Pi, edit SSH config to disable password logins and root login:

sudo nano /etc/ssh/sshd_config

Set or change these lines:

PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes

Restart SSH:

sudo systemctl restart ssh

Why: SSH keys are far stronger than passwords and prevent brute-force attacks.

Step 6 — Verify /etc/hosts and Hostname

Ensure /etc/hosts has an entry so system utilities resolve the hostname locally:

sudo nano /etc/hosts

Example:

127.0.0.1   localhost
127.0.1.1   my-pi-hostname

Replace my-pi-hostname with the hostname you chose.

Step 7 — Enable Useful Services

Consider enabling services that make the Pi easier to use on a LAN or for time sync:

sudo apt install -y avahi-daemon chrony
sudo systemctl enable --now avahi-daemon chrony

  • avahi-daemon provides .local name resolution on the LAN (mynamelocal).

  • chrony is a robust NTP client for accurate clock sync.

Step 8 — Install Common Utilities

Install tools you will use frequently for management and troubleshooting:

sudo apt install -y vim htop git curl wget net-tools nmap fail2ban ufw

Why: These make diagnostics, editing and securing the Pi much easier.

Step 9 — Configure a Basic Firewall

Using UFW for a simple host firewall:

sudo apt install -y ufw
sudo ufw allow OpenSSH
sudo ufw enable
sudo ufw status verbose

If you use a custom SSH port, allow that port instead of OpenSSH.

Step 10 — Expand Filesystem (if needed)

If your SD card image didn’t auto-expand, grow the filesystem to use the full card:

sudo raspi-config

Go to Advanced Options → Expand Filesystem, then reboot.

Step 11 — Optional: Increase USB Current (Pi 3 only)

If you need extra USB current (e.g., to power small devices) add to /boot/config.txt:

sudo nano /boot/config.txt

Add:

max_usb_current=1

Warning: This increases current available on the Pi’s USB ports but is not a substitute for external power for spinning HDDs. Prefer a powered USB hub for external drives.

Step 12 — Optional: Create a Base Backup Image of the SD Card

Create an image of your configured SD card so you can re-flash identical systems quickly:

sudo dd if=/dev/mmcblk0 of=~/pi-base-$(date +%F).img bs=4M status=progress

Compress the image before storing off the Pi:

xz -z ~/pi-base-YYYY-MM-DD.img

Notes & Best Practices

  • Use a powered USB hub for external spinning HDDs — Pi USB ports aren’t reliable power sources for multiple drives.

  • Use SSH keys + disable passwords for secure automated connections (rsync, backups, etc.).

  • Automate routine tasks with systemd timers or cron jobs (e.g., backups, log rotations).

  • Keep the system minimal: install only the services you need to reduce attack surface.

One‑line setup script (example)

Below is an example bootstrap script that performs many of the above steps automatically. Inspect and edit before running on any production device.

#!/bin/bash
set -e
sudo apt update && sudo apt full-upgrade -y
sudo apt autoremove --purge -y
sudo apt install -y vim htop git curl wget net-tools nmap fail2ban ufw avahi-daemon chrony
sudo systemctl enable --now ssh avahi-daemon chrony
sudo ufw allow OpenSSH
sudo ufw --force enable
# note: static IP and SSH key installation must be handled interactively or by configuration management

 

No Comments
Back to top