Weekend Project: Part 3 – Installing Pi-hole

As Sunday draws to a close we can finish up this weekend project by installing Pi-hole. What is Pi-hole I hear your ask? Well copied and pasted straight from the Pi-hole website, “The Pi-hole® is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.”

Previouly I wrote the first 2 parts of this guide on my Macbook Air, but this final post I have written on my PC, please excuse any formatting of commands between Terminal & Putty.

To begin installing Pi-hole run the below command on you rPi;

paz@raspberrypi:~ $ wget -O basic-install.sh https://install.pi-hole.net
paz@raspberrypi:~ $ sudo bash basic-install.sh

The installer is very handsoff, it preforms a bunch of checks and then installs the whole process was done in a couple of minutes. One of the questions asked by Pi-hole installer is which DNS provider you would wish to use. You can choose any at this time as we will change it to Cloudflared (DNS over HTTPS) later on. The installer also asks if you would like to install a webGUI, this is optional I choose to have the GUI as over the initial weeks I intend to see how everything is going, so having a GUI is nice rather than trawling through endless logs. Once the installer is completed take note of your Pi-hole GUI web address and admin password as we will need this to login.

Installing Cloudflared

What is DNS over HTTPS, again copied directly from the Pi-hole website to save me having to type out my own explantaion.

DNS-Over-HTTPS is a protocol for performing DNS lookups via the same protocol you use to browse the web securely: HTTPS.

With standard DNS, requests are sent in plain-text, with no method to detect tampering or misbehaviour. This means that not only can a malicous actor look at all the DNS requests you are making (and therefore what websites you are visiting), they can also tamper with the response and redirect your device to resources in their control (such as a fake login page for internet banking).

DNS-Over-HTTPS prevents this by using standard HTTPS requests to retrieve DNS information. This means that the connection from the device to the DNS server is secure and can not easily be snooped, monitored, tampered with or blocked. It is worth noting however, that the upstream DNS-Over-HTTPS provider will still have this ability.

To start installing Cloudflared we need to pull down the Cloudflared files with wget

wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
tar -zxf cloudflared-stable-linux-arm.tgz
sudo cp ./cloudflared /usr/local/bin
sudo chmod +x /usr/local/bin/cloudflared

Next we will create a cloudflared user to have the cloudflared service running sepratly from our VPN on our Pi, This user will be for cloudflared only and will not have a SHELL or any login password to prevent other utalising the account.

sudo useradd -s /usr/sbin/nologin -r -M cloudflared

Next create a file in /etc/default/cloudflared and paste the below into the file;

Commandline args for cloudflared
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
CLOUDFLARED_OPTS=--port 5054 --upstream https://9.9.9.9/dns-query

Change ownership of the cloudflared files to the cloudflared user

paz@raspberrypi:/etc/default $ sudo chown cloudflared:cloudflared /etc/default/cloudflared
paz@raspberrypi:/etc/default $ sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared

Create the below file in /etc/systemd/system/cloudflared.service to allow automatic startup of the cloudflared service.

[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target

Once the file has been created as per above, enable cloudflared in systemctl

paz@raspberrypi:/etc/default $ sudo systemctl enable cloudflared
Created symlink /etc/systemd/system/multi-user.target.wants/cloudflared.service → /etc/systemd/system/cloudflared.service.
paz@raspberrypi:/etc/default $ sudo systemctl start cloudflared
paz@raspberrypi:/etc/default $ sudo systemctl status cloudflared
● cloudflared.service - cloudflared DNS over HTTPS proxy
Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-01-26 09:34:51 GMT; 3s ago

Test the service is functioning as expected, you should recieve a response from bbc.co.uk similar to the below;

paz@raspberrypi:/etc/default $ dig @127.0.0.1 -p 5053 bbc.co.uk

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> @127.0.0.1 -p 5053 bbc.co.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12841
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452

; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ("………………….")
;; QUESTION SECTION:
;bbc.co.uk. IN A

;; ANSWER SECTION:
bbc.co.uk. 226 IN A 151.101.64.81
bbc.co.uk. 226 IN A 151.101.128.81
bbc.co.uk. 226 IN A 151.101.192.81
bbc.co.uk. 226 IN A 151.101.0.81

;; Query time: 26 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Sun Jan 26 09:36:56 GMT 2020
;; MSG SIZE rcvd: 164

Now that we have configured Cloudflared its time to head over to the Pi-hole GUI to remove Google DNS and point to Cloudflared DNS servers. Login to your Pi-hole GUI using the username and password provided before. Once you login you should see something similar to this;

Head down to Settings then choose the DNS Tab, un-check Google DNS, add 127.0.0.1#5053 & 127.0.0.1#5054 to the Upstream DNS servers section and finally check ‘Listen on all interfaces’

Everything should now be working, you can use your Pi-hole dashboard to see hosts connected to Pi-hole, see how much has been blocked. You can test if you are using DNS-over-HTTPS here!

This brings me to the end of this weekend project, I could have rattled through all the comands myself in an afternoon, but writing these blog post added extra time. Until next time, happy surfing!

Weekend Project: Part 1 – Securing a Raspberry Pi

Recently I dug out the old Raspberry Pi with the aim of using it as a VPN and a DNS backhole. I have always hand a handle on my privacy online but since looking up a new office chair online last week Facebook has provided me with an onslaught of ads for various office chairs, normally I brush this off tracking cookies never really bother me to much but, for some reason this got me triggered. So this weekend I will be turning my Raspberry Pi into a VPN and DNS black hole. The Raspberry Pi will sit on my home network, any devices phone’s, laptops, PC’s etc can be configured to send traffic through the Pi and then out to the internet fully encrpted.

First things first is down download the latest version of Raspbian, you can find it here : https://www.raspberrypi.org/downloads/raspbian/

I am pretty well versed in a Linux/Unix command line and am comfertable in my Linux knowlage to know the various tools, where they are and if they are not present where to get them so, I went for the Raspian Lite image just to keep things as lean as possible.

Tip: If you plan to run your Pi as a headless server, after writing the Raspbian image to an SD Card create a file called ‘ssh’ (file can be empty) on the card to enable ssh on first boot. This used to be enabled by default but a recent change due to worries of attackers high jacking un-secure Raspberry Pi’s prompted the folks over an Pi HQ to turn SSH as default. This tip saves you having to connect a monitor, keyboard & mouse to your Pi just to turn on SSH.

First Things First

At this point I assume you have your Raspberry Pi powered on, to find you Pi’s IP address you can look up your router to see whats connected or try to ping raspberrypi.local. Once you have the IP you can ssh using Putty or Terminal with the following command;

ssh -l pi 192.168.1.141

Defualt password for pi user is raspberry

Change pi users password

At the end of this guide we will delete the pi user from the system but first things first lets change that default password. Just type the below;

pi@raspberrypi:~ $ passwd
Changing password for pi.
Current password:
New password:
Retype new password:
passwd: password updated successfully

Now that the password has been changed we will update the Pi so we are running the latest and greatest. The example below shows the command to run, although my Pi is already updated so it shows as no updates, expect this to take 10-15min download and install updates on your Pi.

pi@raspberrypi:~ $ sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get dist-upgrade
Hit:1 http://raspbian.raspberrypi.org/raspbian buster InRelease
Hit:2 http://archive.raspberrypi.org/debian buster InRelease
Reading package lists… Done
Reading package lists… Done
Building dependency tree
Reading state information… Done
Calculating upgrade… Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists… Done
Building dependency tree
Reading state information… Done
Calculating upgrade… Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Now we have an up-to-date system lets create a new user and remove the default pi user. A new user can be created with the useradd comand. We will set a password for the new user.

pi@raspberrypi:~ $ sudo useradd paz
pi@raspberrypi:~ $ sudo usermod -a -G adm,dialout,cdrom,sudo,audio,video,plugdev,games,users,input,netdev,gpio,i2c,spi paz

pi@raspberrypi:~ $ sudo passwd paz
New password:
Retype new password:
passwd: password updated successfully
pi@raspberrypi:~ $
pi@raspberrypi:~ $ exit
logout
Connection to 192.168.1.141 closed.

Lets disconnect as the pi user and connect as our new user, in my case ‘paz’.
pazy@Andrews-Air Downloads % ssh -l paz 192.168.1.141
paz@192.168.1.141's password:
Linux raspberrypi 4.19.75-v7+ #1270 SMP Tue Sep 24 18:45:11 BST 2019 armv7l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
paz@raspberrypi:~ $

Finally we can delete the pi user from our Raspberry Pi;

paz@raspberrypi:~ $ sudo deluser pi
Removing user pi' ... Warning: grouppi' has no more members.
Done.

paz@raspberrypi:~ $ sudo rm -rf /home/pi

We now have an up-to-date Pi and new user different to the default to connect with. To many this is enough but if your intent to connect your Pi to face the internet then you should be performing further steps to prevent attacks. On th next section we will guide you though this.

The Next Level

To secure your Raspberry Pi further we will insall fail2ban and change the defauly SSH port from 22 to something of your choosing.

Changing SSH port is simple just edit the file /etc/ssh/ssd_config, where you see the entry #Port remove the # and change the port number from the default 22 to something of your choosing. In my case I use 2222.

Once you update /etc/ssh/ssd_config you will need to restart the ssh service using the below command;

paz@raspberrypi:~ $ sudo service ssh restart

If we exit our session on our Pi and try and re-connect you will see our connection fails as we no longer have ssh running on port 22, we must use -p option to specify port at 2222.

pazy@Andrews-Air Downloads % ssh -l paz 192.168.1.141 -p 22
ssh: connect to host 192.168.1.141 port 22: Connection refused
pazy@Andrews-Air Downloads %
pazy@Andrews-Air Downloads %
pazy@Andrews-Air Downloads % ssh -l paz 192.168.1.141 -p 2222

Next we will install fail2ban. fail2ban analyses system logs for failed attempts to login to you Pi, should X number of attempts result in a fail that IP address is then banned from accessing the host. This provided pretty good protection from anyone trying to brute force thier way onto your Pi.

To install fail2ban do the following;

paz@raspberrypi:~ $ sudo apt-get install fail2ban

With fail2ban you much copy the .config file to .local as per below;

paz@raspberrypi:~ $ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

If you wish to edit configuration for example the number of bad attempts allowed before a ban edit the jail.local file.

While the article does seem pretty long it will only take 15min or so to run through the commands. Next I will write about setting up a VPN and Pi-hole on your Pi.