Securing pihole

Any tips to make pihole more secure when combined with a VPN service?

pihole -a -p YourPasswordHere

That will add a password to your web admin if you haven't already!

I have already added a password for pihole dashboard. And I have changed default login credentials on the router. But port forwarding doesn't cause any issue?

VPN is very secure after you set it up. If you only forward the port(s) needed for VPN you will be fine.

Hmm, okay. Forwarded only one port, which is used by the Pi.

You can secure your VPN by doing a couple of things.

  1. Use good encryption. Please, use at least 2048 bit encryption.

  2. Use a long and complex password. Don't use anything that someone who knows you can guess.

  3. Use a long and complex password for every user on your Pi.

  4. Be careful with your .ovpn files. For extra security you can encrypt these too.

  5. Be careful who has access to your Pi. Someone who can access your Pi locally can compromise your VPN.

  6. Secure your SSH access, especially if it's open to the internet.

  7. Use unattended-upgrades on your Pi to close new security holes fast.

  8. Change the standard ports your Pi is using. If you set SSH to port 34729 it's harder to find out that you use SSH. But remember, don't use any ports between 1 - 1023 because these are standardized ports.

3 Likes

Well, these are my notes for a secure *nix system.

Install and config:

sudo apt-get install fail2ban ufw

-----------

Protect su by limiting access only to admin group.

sudo groupadd admin
sudo usermod -a -G admin <YOUR ADMIN USERNAME>
sudo dpkg-statoverride --update --add root admin 4750 /bin/su

-----------

Harden network with sysctl settings.

1.
sudo nano /etc/sysctl.conf

2. Change / add this:

# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Do not send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1

3.
Reload:
sudo sysctl -p

-----------

Prevent IP Spoofing.

1.
sudo nano /etc/host.conf

2. add / change
order bind,hosts
nospoof on

-----------

Fix SSH security

1.
sudo nano /etc/ssh/sshd_config

2. Add /change
Port <CHANGE PORTNUMBER!>
Protocol 2
PermitRootLogin no
DebianBanner no
AllowUsers *@<YOUR IP>

3. Restart service
sudo service ssh restart

-----------

And here is my fail2ban config for the Pi-Hole, change the SSH port to whatever you use.

1.
sudo nano /etc/fail2ban/jail.local

2. Write:

[DEFAULT]

bantime = 3600
findtime = 600
maxretry = 3
action = %(action_)s

[sshd]

enabled = true
port = 2324
filter = sshd
logpath = /var/log/auth.log

[sshd-ddos]

enabled = true
port = 2324
filter = sshd-ddos
logpath = /var/log/auth.log


[lighttpd-auth]

enabled = true
port    = 80,443
filter = lighttpd-auth
logpath = %(lighttpd_error_log)s

3 Likes
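As an added illustration of what the jail.local values above actually do (maxretry = 3 failures inside findtime = 600 seconds triggers a bantime = 3600 second ban), here is a small Python simulation of that counting run over constructed auth.log lines; it is example code, not fail2ban's own, and the hostname, PIDs and addresses are made up.

```python
"""Simulate fail2ban's sshd jail counting with the thread's jail.local values.
Added example, not fail2ban code; the log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAXRETRY, FINDTIME, BANTIME = 3, 600, 3600  # values from the jail.local above

# Matches the "Failed password" line OpenSSH writes to /var/log/auth.log.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def parse_ts(ts: str, year: int = 2019) -> datetime:
    # syslog timestamps carry no year; assume one so they can be compared.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def simulate(lines):
    """Return {ip: [ban start times]}. An IP is banned once MAXRETRY failures
    fall inside a FINDTIME window; failures during an active ban are ignored,
    as the firewall rule fail2ban inserts would already drop that traffic."""
    failures, bans = defaultdict(list), defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines do not count
        ip, now = m["ip"], parse_ts(m["ts"])
        if bans[ip] and now < bans[ip][-1] + timedelta(seconds=BANTIME):
            continue
        window = [t for t in failures[ip] if now - t <= timedelta(seconds=FINDTIME)]
        window.append(now)
        failures[ip] = window
        if len(window) >= MAXRETRY:
            bans[ip].append(now)
            failures[ip] = []
    return {ip: starts for ip, starts in bans.items() if starts}

SAMPLE_LOG = [  # constructed sample lines, not from a real Pi
    "Mar  3 10:00:01 pihole sshd[1201]: Failed password for root from 203.0.113.9 port 51022 ssh2",
    "Mar  3 10:00:05 pihole sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2",
    "Mar  3 10:00:09 pihole sshd[1205]: Failed password for pi from 203.0.113.9 port 51034 ssh2",
    "Mar  3 10:00:12 pihole sshd[1207]: Failed password for pi from 203.0.113.9 port 51040 ssh2",
    "Mar  3 10:01:00 pihole sshd[1210]: Failed password for pi from 198.51.100.4 port 40000 ssh2",
    "Mar  3 10:20:00 pihole sshd[1250]: Failed password for pi from 198.51.100.4 port 40001 ssh2",
    "Mar  3 10:20:30 pihole sshd[1252]: Failed password for pi from 198.51.100.4 port 40002 ssh2",
    "Mar  3 10:20:40 pihole sshd[1253]: Accepted publickey for pi from 192.0.2.10 port 50000 ssh2",
]

if __name__ == "__main__":
    for ip, starts in simulate(SAMPLE_LOG).items():
        print(ip, "banned at", [t.strftime("%H:%M:%S") for t in starts])
```

Only the first address is banned: its third failure lands inside the 600 second window, while the second address spreads three failures over 20 minutes and never reaches maxretry within one window.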

You can also run the web management portion through a reverse proxy. Just be sure to keep everything on the SSL-VPN side (port 443).

This guide is for an old version of Fedora now, but works on the current 29.