[Networking] Trying to setup a Pi Hole unit with VPN

eeee
Posts: 2
Joined: 2023-12-29 01:56
Has thanked: 1 time

[Networking] Trying to setup a Pi Hole unit with VPN

#1 Post by eeee »

Hi folks,

I'm new to debian and linux in general.

I have an old touch screen laptop that I recently installed debian on. I followed this tutorial at first as a proof of concept for pi hole and it worked great https://www.youtube.com/watch?v=roYduABVjo8

The main issue is I don't fully understand networking or linux and have some security concerns:

1. Does setting up a DNS server like this cause any security vulnerabilities for the network? More so than normal operation?

2. If I'm logged in as the main user/leave the PC logged in running all the time, can anyone connect to it and wreak havoc on my network?

3. Is using sudo over su the better way to go for security in this config?

4. Is there a way to totally block remote logins/remote use so only I can control the server at the physical location?

Sorry if these questions are rudimentary, I am just very keen on getting some insight on how linux works.

Kind regards

pawRoot
Posts: 603
Joined: 2016-12-28 18:26
Has thanked: 1 time
Been thanked: 1 time

Re: [Networking] Trying to setup a Pi Hole unit with VPN

#2 Post by pawRoot »

I wonder what’s the point of Pi Hole nowadays?
I mean is it different from using Adguard’s DNS?

Also you can’t block most ads by DNS nowadays anyways.

steve_v
df -h | grep > 20TiB
Posts: 1463
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 94 times
Been thanked: 227 times

Re: [Networking] Trying to setup a Pi Hole unit with VPN

#3 Post by steve_v »

eeee wrote: 2023-12-30 14:04 Does setting up a DNS server like this cause any security vulnerabilities for the network?
No, provided it's not listening to DNS requests from the WAN / internet at large or exposing administration interfaces or remote login services to the same. At the least, you'll want to make sure neither ssh nor httpd are reachable from the WAN interface.
Checking those things is your job, because I'm not going to watch and critique a random youtube video - particularly when there is so much non-time-wasting textual pi-hole information available on docs.pi-hole.net and the pi-hole forum, and an entire manual dedicated to debian security in general.
eeee wrote: 2023-12-30 14:04 If I'm logged in as the main user/leave the PC logged in running all the time, can anyone connect to it and wreak havoc on my network?
Local logins and network logins are different things.
eeee wrote: 2023-12-30 14:04 Is using sudo over su the better way to go for security in this config?
Depends on how you configure sudo.
eeee wrote: 2023-12-30 14:04 Is there a way to totally block remote logins/remote use so only I can control the server at the physical location?
Of course. Configure services that provide remote logins to listen only on trusted networks, firewall them, or just don't run them to begin with.

Further reading here. While not updated to reflect the move to systemd, the concepts are all still relevant.


pawRoot wrote: 2024-01-02 08:45 what’s the point of Pi Hole
LAN-wide ad blocking and DNS filtering with no additional client configuration or browser extensions, among other things.
pawRoot wrote: 2024-01-02 08:45 is it different from using Adguard’s DNS?
Yes.
pawRoot wrote: 2024-01-02 08:45 you can’t block most ads by DNS nowadays anyways.
Thousands of users (as well as an applied elementary understanding of how the internet works) would disagree with you.

Did you have anything constructive to add?
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
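One way to check the first point of this reply on the host itself (is DNS, SSH or the web UI bound to every interface, and therefore answering on a WAN-facing NIC unless a firewall stops it?). This is an added example, not code from the thread or from the Pi-hole project: a POSIX shell function that reads the output of `ss -Hltnup` and lists sockets bound to a wildcard address. The `ss` lines below are a constructed sample, and the addresses, ports and process names in it are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Lists listening sockets that are
# bound to a wildcard address (0.0.0.0, [::] or *), i.e. the ones a WAN-facing
# interface would also answer on if no firewall sits in front of them.
# Input: lines in the format of `ss -Hltnup` (no header; listening TCP and
# UDP sockets, numeric, with owning process), one socket per line:
#   Netid State Recv-Q Send-Q Local:Port Peer:Port Process

# Read ss lines on stdin; print "netid port bind-address process" for each
# wildcard-bound socket.
exposed_sockets() {
    awk '{
        pos  = match($5, /:[0-9]+$/)          # position of the final ":port"
        addr = substr($5, 1, pos - 1)
        port = substr($5, pos + 1)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            printf "%s %s %s %s\n", $1, port, addr, $7
    }'
}

# Constructed sample of what a Pi-hole host might show. The DHCP socket on
# the LAN address and the API socket on 127.0.0.1 are fine; DNS, SSH and the
# web UI are bound to every interface.
SAMPLE='udp UNCONN 0 0 0.0.0.0:53 0.0.0.0:* users:(("pihole-FTL",pid=611,fd=5))
udp UNCONN 0 0 192.168.1.10:67 0.0.0.0:* users:(("pihole-FTL",pid=611,fd=9))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=402,fd=3))
tcp LISTEN 0 128 [::]:80 [::]:* users:(("lighttpd",pid=533,fd=4))
tcp LISTEN 0 128 127.0.0.1:4711 0.0.0.0:* users:(("pihole-FTL",pid=611,fd=7))'

# Number of wildcard-bound sockets in SAMPLE (3: DNS, SSH and HTTP).
count_exposed_sample() {
    printf '%s\n' "$SAMPLE" | exposed_sockets | wc -l | tr -d ' '
}

# Stand-alone run: show the sample findings. On the real host use
#   ss -Hltnup | exposed_sockets
printf '%s\n' "$SAMPLE" | exposed_sockets
```

A wildcard bind is only a problem where a packet from the outside can actually reach it: a box with a single LAN interface behind a NAT router is not internet-reachable unless a port is forwarded to it, whereas a host with a public address or a WAN NIC is. Anything listed that should be LAN-only either gets bound to the LAN address (sshd's ListenAddress, the listening-interface setting in Pi-hole's DNS options) or gets a firewall rule restricting it to the LAN subnet.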

pawRoot
Posts: 603
Joined: 2016-12-28 18:26
Has thanked: 1 time
Been thanked: 1 time

Re: [Networking] Trying to setup a Pi Hole unit with VPN

#4 Post by pawRoot »

Thousands of users (as well as an applied elementary understanding of how the internet works) would disagree with you.

Did you have anything constructive to add?
Show me how you and thousands of users block Youtube ads for instance with your pihole.

steve_v
df -h | grep > 20TiB
Posts: 1463
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 94 times
Been thanked: 227 times

Re: [Networking] Trying to setup a Pi Hole unit with VPN

#5 Post by steve_v »

pawRoot wrote: 2024-01-02 11:29 Show me how you and thousands of users block Youtube ads
Sure, just as soon as you explain in which universe youtube constitutes "most ads", as opposed to "google ads served on sites owned by google". Outside alphabet-soup most websites still serve ads from third-party domains, for which a DNS blackhole is a simple, low-overhead solution.

pawRoot
Posts: 603
Joined: 2016-12-28 18:26
Has thanked: 1 time
Been thanked: 1 time

Re: [Networking] Trying to setup a Pi Hole unit with VPN

#6 Post by pawRoot »

steve_v wrote: 2024-01-02 12:00
pawRoot wrote: 2024-01-02 11:29 Show me how you and thousands of users block Youtube ads
Sure, just as soon as you explain in which universe youtube constitutes "most ads", as opposed to "google ads served on sites owned by google". Outside alphabet-soup most websites still serve ads from third-party domains, for which a DNS blackhole is a simple, low-overhead solution.
Most people use Youtube daily, so after you go through all the hassle of setting up pihole, you'll still end up watching ads on YouTube and some other websites.

So you will have to install some adblock on top anyway, and if you do that then why bother with pihole in the first place?

steve_v
df -h | grep > 20TiB
Posts: 1463
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 94 times
Been thanked: 227 times

Re: [Networking] Trying to setup a Pi Hole unit with VPN

#7 Post by steve_v »

pawRoot wrote: 2024-01-02 12:18 Most people use Youtube daily
Speak for yourself. Also youtube-dl exists, as do several other frontends and alternative services, if you really must consoom random-junk video every day.
pawRoot wrote: 2024-01-02 12:18 you will have to install some adblock on top anyway, and if you do that then why bother with pihole in the first place?
Because it also works for things that are not web-browsers, and web-browsers that cannot run extensions (such as those built into smart-trash). As an example, it can block the majority of ads in "ad supported" android applications, without modifications to the device beyond disabling DOH ("private dns"), google's previous attempt to kill adblocking.

pawRoot
Posts: 603
Joined: 2016-12-28 18:26
Has thanked: 1 time
Been thanked: 1 time

Re: [Networking] Trying to setup a Pi Hole unit with VPN

#8 Post by pawRoot »

steve_v wrote: 2024-01-02 12:45 Speak for yourself.
What do you mean speak for yourself? I've stated a fact lmao.

Do you know many people who aren't using YT? Unless your friends are 70 or living in a cave, but even then they still probably use it. :D

Youtube has 2 billion people logged in every month.

steve_v
df -h | grep > 20TiB
Posts: 1463
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 94 times
Been thanked: 227 times

Re: [Networking] Trying to setup a Pi Hole unit with VPN

#9 Post by steve_v »

"daily"
I know many people who can go multiple days, sometimes even weeks at a time.

In any case, holding up youtube as a reason not to set up dns filtering is a largely irrelevant strawman, and off-topic (which is "how do I secure", not "should I bother" BTW) to boot.

eeee
Posts: 2
Joined: 2023-12-29 01:56
Has thanked: 1 time

Re: [Networking] Trying to setup a Pi Hole unit with VPN

#10 Post by eeee »

eeee wrote: 2023-12-30 14:04 Does setting up a DNS server like this cause any security vulnerabilities for the network?
No, provided it's not listening to DNS requests from the WAN / internet at large or exposing administration interfaces or remote login services to the same. At the least, you'll want to make sure neither ssh nor httpd are reachable from the WAN interface.
Checking those things is your job, because I'm not going to watch and critique a random youtube video - particularly when there is so much non time wasting textual pi-hole information available on docs.pi-hole.net and the pi-hole forum, and an entire manual dedicated to debian security in general.
I'm not sure what you mean by "provided it's not listening to DNS requests from the WAN / internet at large or exposing administration interfaces or remote login services to the same".
eeee wrote: 2023-12-30 14:04 If I'm logged in as the main user/leave the PC logged in running all the time, can anyone connect to it and wreak havoc on my network?
Local logins and network logins are different things.
What do you mean by network logins? SSH?
eeee wrote: 2023-12-30 14:04 Is using sudo over su the better way to go for security in this config?
Depends on how you configure sudo.
How would you configure sudo for a server with network security in mind?


Thanks for the reply.

steve_v
df -h | grep > 20TiB
Posts: 1463
Joined: 2012-10-06 05:31
Location: /dev/chair
Has thanked: 94 times
Been thanked: 227 times

Re: [Networking] Trying to setup a Pi Hole unit with VPN

#11 Post by steve_v »

eeee wrote: 2024-02-18 17:55 I'm not sure what you mean by "provided it's not listening to DNS requests from the WAN / internet at large or exposing administration interfaces or remote login services to the same".
Don't set it up to reply to DNS requests from outside your network, and don't enable any kind of remote administration from outside your network. Really not sure how I can put that any more simply: the fewer internet-accessible services you run, the smaller your attack surface.
I'd especially steer clear of exposing web based admin panels to the internet... That's how the vast majority of routers and IoT junk get pwned. Things like webmin or some other shiny webui might be convenient for you, but they're just as convenient for anyone looking for ways into your system. If you must run such things, at least put them behind a VPN or SSH tunnel.

eeee wrote: 2023-12-30 14:04 what do you mean by network logins? ssh?
I mean logins that are available over the network, obviously. SSH is one, and there are several others. If you do allow SSH from the internet, be sure to disable root login and use a decently strong password for any account that has SSH logins enabled. You might also consider an IP whitelist, preshared-keys instead of (or as well as) passwords, or a login-failure monitoring script like fail2ban. The first thing any botnet does is hammer any open SSH ports it finds with simplistic brute-force attacks.

Leaving your user logged in to the local system is largely irrelevant to network security, unless you're running some kind of service that allows remote access to it (e.g. VNC)... which is, IMO, an exceedingly bad idea without using a VPN or tunnel.
Leaving a local user logged in and running X / a DE, and allowing SSH access for that same user, and that user account getting pwned over SSH might allow for easier escalation to root (much larger attack surface)... But then I honestly have no idea why anyone would run a graphical desktop on a server to begin with.

eeee wrote: 2023-12-30 14:04 How would you configure sudo for a server with network security in mind?
How long is a piece of string? How you set up privilege elevation on a server depends on what it's for and who needs to do what with it.
Personally, I wouldn't bother with sudo at all unless I needed to delegate limited root access.
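A way to verify the SSH points made in this reply (root login disabled, keys instead of passwords, an explicit list of allowed accounts, and sshd not bound to every interface) against the actual config file. This is an added example, not code from the thread or from OpenSSH: a POSIX shell audit that reads an sshd_config on stdin and applies sshd's own first-occurrence-wins rule for each keyword. The two sample configs, the LAN address 192.168.1.10 and the account name "admin" are constructed assumptions. The IP whitelist and fail2ban suggestions from the reply live outside this file (a firewall and a separate daemon) and are not checked here.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits an sshd_config for the
# settings recommended above when SSH is reachable from outside: no root
# login, key-based rather than password authentication, an explicit allow-list
# of accounts, and a bind to the LAN address instead of every interface.
# The two configs at the bottom are constructed samples; the LAN address
# 192.168.1.10 and the account name "admin" are assumptions.

# Effective value of one keyword. sshd honours the FIRST occurrence of a
# keyword, so we stop at the first match; commented lines never match because
# their first field starts with "#". Keywords are case-insensitive, which also
# makes this work on the lowercase output of `sshd -T`.
#   $1 = config text, $2 = keyword
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" \
        'tolower($1) == tolower(key) && !done { print $2; done = 1 }'
}

# Read a config on stdin; print one finding per line, nothing if it passes.
# Include directives are not followed: on a real host feed it `sshd -T`,
# which prints the merged effective configuration.
audit_sshd() {
    cfg=$(cat)
    [ "$(sshd_value "$cfg" PermitRootLogin)" = no ] ||
        echo "PermitRootLogin is not 'no' (the default prohibit-password still admits root with a key)"
    [ "$(sshd_value "$cfg" PasswordAuthentication)" = no ] ||
        echo "PasswordAuthentication is not 'no': passwords are what brute-force bots try"
    [ "$(sshd_value "$cfg" PermitEmptyPasswords)" != yes ] ||
        echo "PermitEmptyPasswords is 'yes'"
    [ -n "$(sshd_value "$cfg" AllowUsers)" ] ||
        echo "AllowUsers is unset: every account with a shell may log in"
    case "$(sshd_value "$cfg" ListenAddress)" in
        ""|0.0.0.0|0.0.0.0:*|"[::]"|"[::]":*|::)
            echo "ListenAddress is unset or a wildcard: sshd is bound to every interface" ;;
    esac
}

# Constructed: a near-default Debian config with password logins enabled.
WEAK_CFG='Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes'

# Constructed: the same host restricted to the LAN and to one key-only account.
HARD_CFG='Port 22
ListenAddress 192.168.1.10
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers admin
MaxAuthTries 3'

# Number of findings for a config text (4 for WEAK_CFG, 0 for HARD_CFG).
count_findings() {
    printf '%s\n' "$1" | audit_sshd | wc -l | tr -d ' '
}

# Stand-alone run. On the real host: sshd -T | audit_sshd
echo "weak config:";     printf '%s\n' "$WEAK_CFG" | audit_sshd
echo "hardened config:"; printf '%s\n' "$HARD_CFG" | audit_sshd
```

Before restarting sshd after changing the file, `sshd -t` checks the syntax, and keeping an existing session open while testing a new login from a second terminal avoids locking yourself out of a box that is only reachable over SSH.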
