Headless Raspberry Pi 3 SSH WIFI setup [MacOS]

Most of my projects involve some level of data capturing and processing, which would require a either a micro-controller, or a computer.

The Raspberry Pi is a computer that is small, cheap and versatile. It also has a great community.

The objective of this guide is to provide a minimalist recipe for setting up a Raspberry Pi. I will be using a model 3 that I bought some time ago. We are going to set it up headless: you will not need to plug it to a screen, mouse and keyboard. Instead, you will access it from another computer through SSH over a WIFI network.

What's needed

1. Burn the Raspberry Pi OS image

Download the Raspberry Pi Imager corresponding to your OS from the official website.

Using the adapter, insert the MicroSD card into your computer SD card reader.

Open the Rasberry Pi Imager and click "CHOOSE OS", select "Rapberry Pi OS (other)" then "Raspberry Pi OS Lite (32-bit)". Click "CHOOSE SD CARD" and select your MicroSD card. Then hit "WRITE" to burn the image to your card. This should take a few minutes, wait for it to finish before moving on to the next section.

2. Setup the Pi for WIFI

Open a terminal and enter the following commands:

Create a ssh file

touch /Volumes/root/ssh

Create a wpa_supplicant.conf file

touch /Volumes/root/wpa_supplicant.conf

Open wpa_supplicant.conf with a text editor and copy paste the following inside (adjust the country code, network name and password), then save it:

ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev


3. Connect over SSH

Eject the card adapter safely and insert the MicroSD card into your Pi.

Power it on by simply plugging it (better use a 5V 3A power cord). It will now automatically boot. Allow it at least 2 minutes before moving on.

Open a terminal and enter the following:

ssh-keygen -R raspberrypi.local

If this command triggers a "Host not found", just ignore it.


ssh pi@raspberrypi.local

Answer "yes" to the prompt, then enter the preset default password "raspberry". You should now see a prompt close to this:

ssh pi@raspberrypi.local

If yes, congratulations, the Pi is now up and running!

4. Secure the Pi

Your Pi is now accessible over the network, with default settings, name and password, and no protection at all, which makes it vulnerable to attackers.

We are going to change this:

All the following commands are to be entered when SSH-connected to the Raspberry Pi.

sudo raspi-config

A menu should appear in your terminal. It'll allow to configure various settings of your Pi.

We start by expanding the filesystem: it allows to use all the space available on the MicroSD card. Go to Advanced Options (6) then expand the filesystem (A1).

Change name and password

Go to System Options (1). Change name (S4) then password (S3)

Get out of the config pannel, and select the option to re-boot your Pi. You can also re-boot from the terminal with the following command:

sudo reboot -h now

This should have closed your connexion and you are back to your computer terminal. After 1 minute, SSH back into the Pi using your new name and password.

ssh pi@<your_new_pi_name>.local

Setup a basic firewall and install fail2ban

Start with updating your Pi's packages by running:

sudo apt-get update && sudo apt-get upgrade

We are going to install the Uncomplicated FireWall.

sudo apt-get install ufw
sudo ufw allow 22
sudo ufw enable

From now on, your Pi will only accept connexions on port 22 (SSH).

Then install fail2ban: it blocks the IPs of sources that repeatedly fail at connecting to you Pi (could be bots trying to guess your usename and password, etc.)

sudo apt-get install fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
sudo service fail2ban restart

Next steps

Congratulation, you have now a Pi that is up-and-running, and a bit more secure.

The end of this article is largely inspired by this page from the RaspberryPi fondation website dedicated to security. You'll find there more in-depth material and specifics adapted to the type of your project (e.g passwordless login, etc.)