[Networking] Trying to setup a Pi Hole unit with VPN
Hi folks,
I'm new to debian and linux in general.
I have an old touch screen laptop that I recently installed debian on. I followed this tutorial at first as a proof of concept for pi hole and it worked great https://www.youtube.com/watch?v=roYduABVjo8
The main issue is I don't fully understand networking or linux and have some security concerns:
1. Does setting up a DNS server like this cause any security vulnerabilities for the network? more so than normal operation?
2. If I'm logged in as the main user/leave the PC logged in running all the time, can anyone connect to it and wreak havoc on my network?
3. Is using sudo over su the better way to go for security in this config?
4. Is there a way to totally block remote logins/remote use so only I can control the server at the physical location?
Sorry if these questions are rudimentary, I am just very keen on getting some insight on how linux works.
Kind regards
-
- df -h | grep > 20TiB
- Posts: 1463
- Joined: 2012-10-06 05:31
- Location: /dev/chair
- Has thanked: 94 times
- Been thanked: 227 times
Re: [Networking] Trying to setup a Pi Hole unit with VPN
eeee wrote: ↑2023-12-30 14:04
> 1. Does setting up a DNS server like this cause any security vulnerabilities for the network? more so than normal operation?
No, provided it's not listening to DNS requests from the WAN / internet at large or exposing administration interfaces or remote login services to the same. At the least, you'll want to make sure neither ssh nor httpd are reachable from the WAN interface.
Checking those things is your job, because I'm not going to watch and critique a random youtube video - particularly when there is so much non-time-wasting textual pi-hole information available on docs.pi-hole.net and the pi-hole forum, and an entire manual dedicated to debian security in general.
eeee wrote:
> 2. If I'm logged in as the main user/leave the PC logged in running all the time, can anyone connect to it and wreak havoc on my network?
Local logins and network logins are different things.
eeee wrote:
> 3. Is using sudo over su the better way to go for security in this config?
Depends on how you configure sudo.
eeee wrote:
> 4. Is there a way to totally block remote logins/remote use so only I can control the server at the physical location?
Of course. Configure services that provide remote logins to listen only on trusted networks, firewall them, or just don't run them to begin with.
Further reading here. While not updated to reflect the move to systemd, the concepts are all still relevant.
LAN-wide ad blocking and DNS filtering with no additional client configuration or browser extensions, among other things.
Yes.
Thousands of users (as well as an applied elementary understanding of how the internet works) would disagree with you.
Did you have anything constructive to add?
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
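The check behind steve_v's first answer (is anything answering DNS, SSH or HTTP on every interface, and therefore on the WAN side if the box is dual-homed or port-forwarded?), as an added example that is not code from the thread or from Pi-hole. It parses the columns of `ss -lntuH` (iproute2); the `ss` output and the LAN address 192.168.1.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Pi-hole: audit what the box
# answers on, using the columns of `ss -lntuH` (iproute2; -H drops the header).
# A socket bound to 0.0.0.0 or [::] answers on every interface, which is the
# "listening to DNS requests from the WAN" case if the machine is dual-homed
# or the router forwards ports to it.

# Constructed sample of `ss -lntuH` output: Netid State Recv-Q Send-Q Local Peer.
SAMPLE_BAD='udp   UNCONN 0      0      0.0.0.0:53        0.0.0.0:*
udp   UNCONN 0      0      [::]:53           [::]:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    192.168.1.10:80   0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:4711    0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*'

# Same host after binding DNS and SSH to the LAN address only
# (192.168.1.10 is an assumed LAN address).
SAMPLE_OK='udp   UNCONN 0      0      192.168.1.10:53   0.0.0.0:*
tcp   LISTEN 0      128    192.168.1.10:22   0.0.0.0:*
tcp   LISTEN 0      511    192.168.1.10:80   0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:4711    0.0.0.0:*'

# Emit "PORT PROTO SCOPE" per listener; SCOPE is wildcard, loopback or bound.
classify_listeners() {
    printf '%s\n' "$1" | awk '
    NF >= 5 {
        proto = $1; local = $5
        n = split(local, parts, ":")                 # port follows the last ":"
        port = parts[n]
        addr = substr(local, 1, length(local) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*") scope = "wildcard"
        else if (addr == "127.0.0.1" || addr == "[::1]")        scope = "loopback"
        else                                                     scope = "bound"
        print port, proto, scope
    }' | sort -u
}

# List the services named in the thread (DNS 53, SSH 22, admin web UI 80)
# that listen on the wildcard address; exit status 1 if there are any.
wildcard_exposed() {
    classify_listeners "$1" | awk '
        $3 == "wildcard" && ($1 == 53 || $1 == 22 || $1 == 80) { print; bad = 1 }
        END { exit bad }'
}

# On the Pi-hole box itself run: wildcard_exposed "$(ss -lntuH)"
echo "constructed sample:"
wildcard_exposed "$SAMPLE_BAD" || echo "-> bind these to the LAN address or firewall them"
```

A wildcard binding is not a problem by itself on a single-NIC box behind a NAT router that forwards nothing, but the audit tells you what would be exposed the moment a port forward or a second interface appears; the firewall is the part that makes the answer not depend on that.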
Re: [Networking] Trying to setup a Pi Hole unit with VPN
steve_v wrote:
> Thousands of users (as well as an applied elementary understanding of how the internet works) would disagree with you.
> Did you have anything constructive to add?
Show me how you and thousands of users block Youtube ads, for instance, with your pihole.
Re: [Networking] Trying to setup a Pi Hole unit with VPN
Sure, just as soon as you explain in which universe youtube constitutes "most ads", as opposed to "google ads served on sites owned by google". Outside alphabet-soup most websites still serve ads from third-party domains, for which a DNS blackhole is a simple, low-overhead solution.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
Re: [Networking] Trying to setup a Pi Hole unit with VPN
steve_v wrote: ↑2024-01-02 12:00
> Sure, just as soon as you explain in which universe youtube constitutes "most ads", as opposed to "google ads served on sites owned by google". Outside alphabet-soup most websites still serve ads from third-party domains, for which a DNS blackhole is a simple, low-overhead solution.
Most people use Youtube daily, so after you go through all the hassle of setting up pihole, you'll still end up watching ads on YouTube and some other websites.
So you will have to install some adblock on top anyway, and if you do that then why bother with pihole in the first place?
Re: [Networking] Trying to setup a Pi Hole unit with VPN
Speak for yourself. Also youtube-dl exists, as do several other frontends and alternative services, if you really must consoom random-junk video every day.
Because it also works for things that are not web-browsers, and web-browsers that cannot run extensions (such as those built into smart-trash). As an example, it can block the majority of ads in "ad supported" android applications, without modifications to the device beyond disabling DOH "private dns", google's previous attempt to kill adblocking.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
Re: [Networking] Trying to setup a Pi Hole unit with VPN
What do you mean speak for yourself? I've stated a fact lmao.
Do you know many people who aren't using YT? Unless your friends are 70 or living in a cave, but even then they still probably use it.
Youtube has 2 billion people logged in every month.
Re: [Networking] Trying to setup a Pi Hole unit with VPN
"daily"
I know many people who can go multiple days, sometimes even weeks at a time.
In any case, holding up youtube as a reason not to set up dns filtering is a largely irrelevant strawman, and off-topic (which is "how do I secure", not "should I bother" BTW) to boot.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
Re: [Networking] Trying to setup a Pi Hole unit with VPN
steve_v wrote:
> eeee wrote: ↑2023-12-30 14:04
> > Does setting up a DNS server like this cause any security vulnerabilities for the network?
> No, provided it's not listening to DNS requests from the WAN / internet at large or exposing administration interfaces or remote login services to the same. At the least, you'll want to make sure neither ssh nor httpd are reachable from the WAN interface.
> Checking those things is your job, because I'm not going to watch and critique a random youtube video - particularly when there is so much non-time-wasting textual pi-hole information available on docs.pi-hole.net and the pi-hole forum, and an entire manual dedicated to debian security in general.
I'm not sure what you mean by "provided it's not listening to DNS requests from the WAN / internet at large or exposing administration interfaces or remote login services to the same".
what do you mean by network logins? ssh?
How would you configure sudo for a server with network security in mind?
Thanks for the reply.
Re: [Networking] Trying to setup a Pi Hole unit with VPN
Don't set it up to reply to DNS requests from outside your network, and don't enable any kind of remote administration from outside your network. Really not sure how I can put that any more simply, the fewer internet accessible services you run, the smaller your attack surface.
I'd especially steer clear of exposing web based admin panels to the internet... That's how the vast majority of routers and IoT junk get pwned. Things like webmin or some other shiny webui might be convenient for you, but they're just as convenient for anyone looking for ways into your system. If you must run such things, at least put them behind a VPN or SSH tunnel.
I mean logins that are available over the network, obviously. SSH is one, and there are several others. If you do allow SSH from the internet, be sure to disable root login and use a decently strong password for any account that has SSH logins enabled. You might also consider an IP whitelist, preshared-keys instead of (or as well as) passwords, or a login-failure monitoring script like fail2ban. The first thing any botnet does is hammer any open SSH ports it finds with simplistic brute-force attacks.
Leaving your user logged in to the local system is largely irrelevant to network security, unless you're running some kind of service that allows remote access to it (e.g. VNC)... which is, IMO, an exceedingly bad idea without using a VPN or tunnel.
Leaving a local user logged in and running X / a DE, and allowing SSH access for that same user, and that user account getting pwned over SSH might allow for easier escalation to root (much larger attack surface)... But then I honestly have no idea why anyone would run a graphical desktop on a server to begin with.
How long is a piece of string? How you set up privilege elevation on a server depends on what it's for and who needs to do what with it.
Personally, I wouldn't bother with sudo at all unless I needed to delegate limited root access.
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
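The advice in the post above, turned into something you can run and load, as an added example that is neither steve_v's nor Pi-hole's code: a check of the sshd_config points raised (root login, passwords, which accounts may log in), a default-drop nftables ruleset that answers DNS, SSH and the admin web UI only for LAN sources, and the one case steve_v gives for sudo, delegating a single command. The LAN prefix 192.168.1.0/24, the interface name eth0, the account name eeee, the pihole binary path and both sshd_config fragments are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: turning the advice above into checks and
# config. The LAN prefix, interface name, account name and the pihole binary
# path are assumptions for a typical home install; adjust them to your network.

LAN_V4='192.168.1.0/24'   # assumption: the only network that may talk to us
LAN_IF='eth0'             # assumption: interface facing that LAN
ADMIN_USER='eeee'         # assumption: the unprivileged account you log in with

# Constructed sshd_config fragments: a weak one and its hardened counterpart.
WEAK_SSHD='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_SSHD='Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers eeee@192.168.1.*
MaxAuthTries 3'

# Effective value of an sshd_config keyword: first match wins, as in sshd(8);
# $3 is the compiled-in default used when the keyword is absent.
sshd_value() {
    v=$(printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }')
    printf '%s\n' "${v:-$3}"
}

# One line per finding against the points raised in the thread.
sshd_findings() {
    if [ "$(sshd_value "$1" PermitRootLogin prohibit-password)" = yes ]; then
        echo 'PermitRootLogin yes: root is directly brute-forceable'
    fi
    if [ "$(sshd_value "$1" PasswordAuthentication yes)" = yes ]; then
        echo 'PasswordAuthentication yes: prefer keys, or at least add fail2ban'
    fi
    if [ -z "$(sshd_value "$1" AllowUsers '')" ]; then
        echo 'no AllowUsers: every local account is a login target'
    fi
}

count_findings() { sshd_findings "$1" | grep -c .; }

# nftables ruleset: default-drop input, answering DNS (53), SSH (22) and the
# admin web UI (80) only for LAN sources arriving on the LAN interface.
# Review, load with `nft -f <file>`, then persist it in /etc/nftables.conf.
nft_ruleset() {
    cat <<EOF
table inet pihole {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        iifname "$LAN_IF" ip saddr $LAN_V4 udp dport 53 accept
        iifname "$LAN_IF" ip saddr $LAN_V4 tcp dport { 53, 22, 80 } accept
        # add a matching "ip6 saddr <your LAN prefix>" line if clients use IPv6
    }
}
EOF
}

# Delegated root via sudo, limited to the pihole CLI: the case steve_v says
# sudo is for. Install with `visudo -f /etc/sudoers.d/pihole` so the syntax
# is checked before it goes live. Path is an assumption (pihole's installer
# default); no NOPASSWD, so the account password is still required.
sudoers_delegation() {
    printf '%s ALL=(root) /usr/local/bin/pihole\n' "$ADMIN_USER"
}

echo "weak config findings:"; sshd_findings "$WEAK_SSHD"
echo "hardened config findings: $(count_findings "$HARDENED_SSHD")"
```

To check the real file rather than the constructed fragment: `sshd_findings "$(cat /etc/ssh/sshd_config)"` (drop-ins under sshd_config.d are included by the stock Debian config and would need the same treatment). The ruleset still lets the box reach out to its upstream resolvers and apt mirrors, since only the input hook is filtered; if you later put the VPN in front, its interface gets its own accept lines in the same chain instead of opening 22 or 80 to the WAN.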