```
├── 1-Installation.md
├── 2-Configuration.md
├── 2-appendix-PiHole-allowlists.md
├── 2-appendix-PiHole-blocklists.md
├── 3-Hardening.md
├── 3-appendix-TCP-UDP-Protocols-and-Ports.md
├── 4-Maintenance.md
├── 4-appendix-crontab.md
├── 5-Skipped.md
├── 6-Common-issues.md
├── LICENSE
├── README.md
└── scripts
    ├── pi-audit.sh
    ├── pi-cleaner.sh
    ├── pi-security-scan.sh
    ├── pi-update.sh
    ├── pop-ip4tables.sh
    └── pop-ip6tables.sh
```

--------------------------------------------------------------------------------
/1-Installation.md:
--------------------------------------------------------------------------------
**Table of Contents**
- [Introduction](https://github.com/teusink/Home-Security-by-Pi/blob/master/README.md)
- 1 - Installation
  - [1.1 - Raspberry Pi](#raspberry-pi)
  - [1.2 - Pi-hole](#pi-hole)
  - [1.3 - PiVPN (OpenVPN)](#pivpn-openvpn)
- [2 - Configuration](https://github.com/teusink/Home-Security-by-Pi/blob/master/2-Configuration.md)
- [3 - Hardening](https://github.com/teusink/Home-Security-by-Pi/blob/master/3-Hardening.md)
- [4 - Maintenance](https://github.com/teusink/Home-Security-by-Pi/blob/master/4-Maintenance.md)
- [5 - Skipped](https://github.com/teusink/Home-Security-by-Pi/blob/master/5-Skipped.md)
- [6 - Common issues](https://github.com/teusink/Home-Security-by-Pi/blob/master/6-Common-issues.md)

# Installation
In this chapter I will explain the basics I undertook in order to install all the software required. In the chapters Configuration and Hardening I will go more in depth on what has been changed after the installation.

## Installation Sources
Below is a list of sources online I used in order to come to this repo. Thanks to the contributors!
- Raspberry Pi: https://www.raspberrypi.org/downloads/raspbian/
- Pi-hole: https://pi-hole.net/ - `sudo curl -sSL https://install.pi-hole.net | bash`
- PiVPN (OpenVPN): http://www.pivpn.io/ - `sudo curl -L https://install.pivpn.io | bash`

## Information Sources
- Raspberry Pi NOOBS: https://github.com/raspberrypi/noobs
- Pi-hole Wiki: https://github.com/pi-hole/pi-hole/wiki
- Pi-hole OpenVPN-server Wiki: https://github.com/pi-hole/pi-hole/wiki/Pi-hole---OpenVPN-server
- Headless Pi Configuration: https://hackernoon.com/raspberry-pi-headless-install-462ccabd75d0

## Raspberry Pi
- In regard to the base image, I chose Raspbian Stretch with Pixel. I am rather tech-savvy, but re-entering the Linux world shell-only was a bit too much :).
- Concerning the installation itself, I followed the already online and well documented installation guide: https://www.raspberrypi.org/documentation/installation/installing-images/README.md
- When doing a headless configuration, make sure to create an empty file named `ssh` in the `/boot` partition of your Pi from your Windows, Linux or macOS system. When booting, check your DHCP server for the Pi's IP-address and continue from there over SSH.

### Update it after install
Updating is important, but you might want to consider removing non-necessary packages first to save download and update time.
- If you want to remove packages first, look here: https://github.com/teusink/Home-Security-by-Pi/blob/master/3-Hardening.md#removing-software-and-games
- After installation, execute an update first using: `sudo apt-get update && sudo apt-get upgrade -y`

## Pi-hole
- Install Pi-hole with the command: `sudo curl -sSL https://install.pi-hole.net | bash`
- Follow the installation instructions here: https://github.com/pi-hole/pi-hole/#one-step-automated-install

## PiVPN (OpenVPN)
- Install the PiVPN server with the command: `sudo curl -L https://install.pivpn.io | bash`
- Follow the installation instructions here: https://www.sitepoint.com/setting-up-a-home-vpn-using-your-raspberry-pi/

# Done
- This part is done, so reboot now: `sudo reboot`

--------------------------------------------------------------------------------
/2-Configuration.md:
--------------------------------------------------------------------------------
**Table of Contents**
- [Introduction](https://github.com/teusink/Home-Security-by-Pi/blob/master/README.md)
- [1 - Installation](https://github.com/teusink/Home-Security-by-Pi/blob/master/1-Installation.md)
- 2 - Configuration
  - [2.1 - Raspberry Pi](#raspberry-pi)
  - [2.2 - Pi-hole](#pi-hole)
  - [2.3 - Cloudflared](#cloudflared-dns-over-https)
  - [2.4 - PiVPN (OpenVPN)](#pivpn-openvpn)
  - [2.5 - DNS-server](#dns-server)
  - [2.6 - Random Number Generator](#random-number-generator)
- [3 - Hardening](https://github.com/teusink/Home-Security-by-Pi/blob/master/3-Hardening.md)
- [4 - Maintenance](https://github.com/teusink/Home-Security-by-Pi/blob/master/4-Maintenance.md)
- [5 - Skipped](https://github.com/teusink/Home-Security-by-Pi/blob/master/5-Skipped.md)
- [6 - Common issues](https://github.com/teusink/Home-Security-by-Pi/blob/master/6-Common-issues.md)

# Configuration
This part is about the basic configuration of your installation. It has elements of hardening, but it is primarily aimed at configuring or removing installed software and hardware.

>Important note: everywhere xxx is mentioned in an IP-address and everywhere an example email-address is mentioned, use your own details!

## Information Sources
Below is a list of sources online I used in order to come to this repo. Thanks to the contributors!
- See my PiHole enabled OpenVPN Server: https://discourse.pi-hole.net/t/see-my-pihole-enabled-openvpn-server/111/2
- Commonly Allowlisted Domains: https://discourse.pi-hole.net/t/commonly-whitelisted-domains/212
- Quad9 Secure DNS Resolvers: https://www.quad9.net/#/faq
- Timeserver: https://wiki.archlinux.org/index.php/systemd-timesyncd
- DNS-server Capability: https://discourse.pi-hole.net/t/howto-using-pi-hole-as-lan-dns-server/533/6
- DNS-over-HTTPS: https://docs.pi-hole.net/guides/dns-over-https/
- DNS-over-HTTPS (IPv6 lookup): https://bendews.com/posts/implement-dns-over-https/

## Raspberry Pi
This part is about the basic configuration of your Raspberry Pi.

- Make sure you set/change the following default configurations using `sudo raspi-config`
  - Change the password of the user `pi`
  - Change the hostname
  - Advanced Options: Expand Filesystem
  - Set any other settings you like.
- Make sure you set/change the following default configurations using the Jessie Raspberry Pi Configuration
  - Interface: only enable the services you need (for instance SSH and VNC)
  - Set any other settings you like.
- It is nice to have a fixed IP-address for your Pi, so let's change that.
  - Option for Stretch: use the desktop for now
  - Option available after installation of OpenVPN: `sudo nano /etc/dhcpcd.conf`

Change the lines below to your proper internal IP-addresses.
```
interface eth0
static ip_address=192.168.xxx.xxx
static routers=192.168.xxx.xxx
static domain_name_servers=192.168.xxx.xxx
static domain_search=local
static ip6_address=
```
- Because I live in Europe, I like to use a timeserver that resides in Europe, so edit the file: `sudo nano /etc/systemd/timesyncd.conf`

Change / add the lines below:
```
[Time]
NTP=0.europe.pool.ntp.org 1.europe.pool.ntp.org 2.europe.pool.ntp.org 3.europe.pool.ntp.org
#FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org 3.debian.pool.ntp.org
```
- Uncomment the following lines in the file sysctl.conf to enhance network security: `sudo nano /etc/sysctl.conf`
```
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
```

## Pi-hole
I did some additional configuration to get the Pi-hole up and running in a secure way. My focus here is to replace as many features (apart from routing and firewalling!) of my router with the Pi as possible. Therefore, the Pi-hole takes over all DNS requests and serves as the DHCP-server.

- Go to the admin panel of Pi-hole: `http://192.168.xxx.xxx/admin/`

- Go to Settings.
- Enable DHCP and under Advanced DHCP settings, enable IPv6 DHCP.
- Under Upstream DNS Servers and then Advanced DNS settings, enable DNSSEC. This requires a modern DNS resolver by the way.
- Select preferred upstream DNS servers for both IPv4 and IPv6 (such as Quad9, Cloudflare or Google). When using Cloudflared (see further down below) you will change the DNS upstream to the local resolver.
- Make sure you update your [allowlists](https://github.com/teusink/Home-Security-by-Pi/blob/master/2-appendix-PiHole-allowlists.md) (if you want/need).
- Make sure you update your [blocklists](https://github.com/teusink/Home-Security-by-Pi/blob/master/2-appendix-PiHole-blocklists.md) (if you want/need).
- Replace the short randomly generated password with a longer randomly generated one: `sudo pihole -a -p`.
- Create the file `pihole-FTL.conf` with `sudo touch /etc/pihole/pihole-FTL.conf` to suppress a daily cron error in your email (see the commit here to permanently fix it: https://github.com/pi-hole/pi-hole/commit/82d5afe9961a7964bc22e70f44ec8fdd504fa855)

## Cloudflared DNS-over-HTTPS
It is possible to encrypt DNS look-ups upstream using DNS-over-HTTPS. The 'downside' of this is that it requires Cloudflare DNS (https://1.1.1.1/). It is private and secure, but does not block malicious domains like Quad9 does. So it is a choice you have to make, whether or not you want to trust Cloudflare.

- Execute the following commands to install Cloudflared:
  - `wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz`
  - `tar -xvzf cloudflared-stable-linux-arm.tgz`
  - `sudo cp ./cloudflared /usr/local/bin`
  - `sudo chmod +x /usr/local/bin/cloudflared`
  - `sudo cloudflared -v`
- Create a cloudflared user for running the daemon: `sudo useradd -s /usr/sbin/nologin -r -M cloudflared`.
- Create the configuration file with `sudo nano /etc/default/cloudflared` and add the contents below.
```
# Commandline args for cloudflared
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query --upstream https://2606:4700:4700::1111/dns-query --upstream https://2606:4700:4700::1001/dns-query
```
- Permissions need updating to the cloudflared user:
  - `sudo chown cloudflared:cloudflared /etc/default/cloudflared`
  - `sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared`
- Create the systemd unit file with `sudo nano /lib/systemd/system/cloudflared.service` and add the contents below.
```
[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target
```
- Enable the systemd service to run on startup and validate that it is working:
  - `sudo systemctl enable cloudflared`
  - `sudo systemctl start cloudflared`
  - `sudo systemctl status cloudflared`
- Run two tests and see if they give a response:
  - `dig @127.0.0.1 -p 5053 google.com A`
  - `dig @127.0.0.1 -p 5053 google.com AAAA`
- Now change the Upstream DNS Servers in the Pi-hole admin panel. Only select IPv4 and fill in `127.0.0.1#5053`

## PiVPN (OpenVPN)
Now we need to configure PiVPN (so make sure it is installed) in such a way that it uses the Pi-hole as its DNS resolver, and therefore benefits from the Pi-hole capabilities.

- Create a new file: `sudo nano /etc/dnsmasq.d/02-addint.conf`
- Add the line `interface=tun0`, save and exit
- Edit the file: `sudo nano /etc/openvpn/server.conf`
- Add the line `dev tun` at the top
- Add the following lines after the `push "route` lines:

```
push "dhcp-option DNS 192.168.xxx.xxx"
push "redirect-gateway def1"
```
- Save and exit
- Add a new client with: `pivpn add`

- Enter a username
- Enter a password
- Open the generated `.ovpn`
- Add the following lines: `block-outside-dns` and `auth-nocache` before the `<ca>` tag.
- Copy the file from your Pi to the device on which you want to use the VPN
- Use it in combination with the password
- Make sure to disable compression, and to always use TLS 1.2

## DNS-server
This part is about setting up a DNS-server on the Pi, so you can have your own internal DNS-server. This prevents relying on hosts-files on individual computers in your LAN.
- First, create a second dnsmasq file with: `echo "addn-hosts=/etc/pihole/lan.list" | sudo tee /etc/dnsmasq.d/02-lan.conf`.
- Then create the list of IPs with domain-names to resolve: `sudo nano /etc/pihole/lan.list`.

Add to that file lines in the format: `IPv4/IPv6 dns-name hostname`
```
192.168.xxx.xxx dnsname.domain.tld hostname
2001:0DB8:1337:1337:1337:1337:1337:1337 dnsname.domain.tld hostname
```
Note: replace domain.tld with your own imagined domain-name! (The IPv6 line is a placeholder from the 2001:db8::/32 documentation range; a full address needs eight groups, otherwise dnsmasq cannot parse the entry.)
- Make sure you have added your own `domain.tld` to the search list with: `sudo nano /etc/dhcpcd.conf`
- Check for the line `static domain_search=local` and make sure that `local` matches your own chosen `domain.tld`.
- For better privacy, add the line below to prevent DNS look-ups for your own domain going upstream: `sudo nano /etc/dnsmasq.d/02-lan.conf`.
- Add the line: `local=/domain.tld/`

## Random Number Generator
The rngd daemon acts as a bridge between a hardware TRNG (true random number generator), such as the ones in some Intel/AMD/VIA chipsets, and the kernel's PRNG (pseudo-random number generator) used in (for instance) encryption algorithms. Also, according to Jacob Salmela, it can help prevent weird errors in your logs.
- Install it with this command: `sudo apt-get install rng-tools`
- Edit the configuration file: `sudo nano /etc/default/rng-tools`
- And make sure the lines below are in the file:

```
#HRNGDEVICE=/dev/hwrng
#HRNGDEVICE=/dev/null
HRNGDEVICE=/dev/urandom
```
Note: the Raspberry Pi exposes its own hardware RNG at `/dev/hwrng`. With `HRNGDEVICE=/dev/urandom`, rngd only feeds the kernel pool its own output, so prefer `/dev/hwrng` where that device exists.

# Done
- This part is done, so reboot now: `sudo reboot`

--------------------------------------------------------------------------------
/2-appendix-PiHole-allowlists.md:
--------------------------------------------------------------------------------
# Pi-Hole allowlists

This is a list of potential URLs you might want to allowlist. Think about the blocklists themselves, but also the Pi repositories, CDNs and indeed some ad and tracking sources. The choice is up to you!

## Safe to do

Allowlist the blocklist sources:
- ransomwaretracker.abuse.ch
- zeustracker.abuse.ch
- www.malwaredomainlist.com
- mirror1.malwaredomains.com
- isc.sans.edu
- hosts-file.net
- sysctl.org
- s3.amazonaws.com

Allowlist the repositories:
- archive.raspberrypi.org
- raspbian.raspberrypi.org
- downloads.raspberrypi.org
- mirrordirector.raspbian.org
- raspbian.org

## Optional, if you need it

Allowlist CDN sources:
- cdn.optimizely.com

Allowlist to enable Google, YouTube & Facebook ads:
- ad.doubleclick.net
- clickserve.dartsearch.net
- connect.facebook.net
- googleads.g.doubleclick.net
- pubads.g.doubleclick.net
- s.youtube.com
- www.googleadservices.com
- www.googletagmanager.com
- www.googletagservices.com

--------------------------------------------------------------------------------
/2-appendix-PiHole-blocklists.md:
--------------------------------------------------------------------------------
# Pi-Hole blocklists

This is a list of URLs to block malware, phishing and spam domains. I also included the ad and tracking blocklists.

Malware, Ransomware & Botnets:
- https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
- https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
- http://www.malwaredomainlist.com/hostslist/hosts.txt
- http://mirror1.malwaredomains.com/files/justdomains
- https://hosts-file.net/emd.txt
- https://hosts-file.net/exp.txt

Phishing & Fraud:
- https://hosts-file.net/fsa.txt
- https://hosts-file.net/psh.txt

Hijacked:
- https://hosts-file.net/hjk.txt

Spam:
- https://hosts-file.net/grm.txt
- https://hosts-file.net/hfs.txt

Unwanted & Illegal Ads/Content:
- https://hosts-file.net/pup.txt
- https://hosts-file.net/wrz.txt
- https://hosts-file.net/pha.txt
- https://hosts-file.net/mmt.txt

Legal Ads & Tracking:
- http://sysctl.org/cameleon/hosts
- https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
- https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
- https://hosts-file.net/ad_servers.txt

General lists:
- Low Sensitivity: https://isc.sans.edu/feeds/suspiciousdomains_Low.txt
- Medium Sensitivity: https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
- High Sensitivity: https://isc.sans.edu/feeds/suspiciousdomains_High.txt

Sources:
- https://isc.sans.edu/suspicious_domains.html
- http://handlers.sans.edu/gbruneau/pihole.htm
- https://zeltser.com/malicious-ip-blocklists/
- https://hosts-file.net/?s=Download

--------------------------------------------------------------------------------
/3-Hardening.md:
--------------------------------------------------------------------------------
**Table of Contents**
- [Introduction](https://github.com/teusink/Home-Security-by-Pi/blob/master/README.md)
- [1 - Installation](https://github.com/teusink/Home-Security-by-Pi/blob/master/1-Installation.md)
- [2 - Configuration](https://github.com/teusink/Home-Security-by-Pi/blob/master/2-Configuration.md)
- 3 - Hardening
  - [3.1 - Disabling hardware](#disabling-hardware)
  - [3.2 - Removing Software and Games](#removing-software-and-games)
  - [3.3 - Screenlock protection with xscreensaver](#screenlock-protection-with-xscreensaver)
  - [3.4 - PAM sessions temporary files with libpam-tmpdir](#pam-sessions-temporary-files-with-libpam-tmpdir)
  - [3.5 - E-mail capabilities](#e-mail-capabilities)
  - [3.6 - Brute-force protection with fail2ban](#brute-force-protection-with-fail2ban)
  - [3.7 - Firewalling with iptables & ip6tables](#firewalling-with-iptables--ip6tables)
  - [3.8 - Hardening of OpenSSH](#hardening-of-openssh)
  - [3.9 - Anti-exploit & -rootkit solutions](#anti-exploit---rootkit-solutions)
- [4 - Maintenance](https://github.com/teusink/Home-Security-by-Pi/blob/master/4-Maintenance.md)
- [5 - Skipped](https://github.com/teusink/Home-Security-by-Pi/blob/master/5-Skipped.md)
- [6 - Common issues](https://github.com/teusink/Home-Security-by-Pi/blob/master/6-Common-issues.md)

# Hardening
Hardening is the process of disabling or uninstalling applications, services and hardware which are not used. To be fair, if you really want hardening, use the minimal image without Jessie, but apart from that, you can get it safe enough. So, while you are busy with some configuration work, harden your Pi as well.

>Important note: everywhere xxx is mentioned in an IP-address and everywhere an example email-address is mentioned, use your own details!

## Information Sources
Below is a list of sources online I used in order to come to this repo. Thanks to the contributors!
- Tips for accessing your pi-hole remotely: https://pi-hole.net/2016/09/15/tips-for-accessing-your-pi-hole-remotely/
- Block Ads Network-wide with A Raspberry Pi-hole (PDF): http://users.telenet.be/MySQLplaylist/pi-hole.pdf
- fail2ban documentation: https://www.fail2ban.org/wiki/index.php/HOWTO_fail2ban_with_OpenVPN
- Firewall configuration: https://github.com/pi-hole/pi-hole/wiki/OpenVPN-server:-Firewall-configuration-(using-iptables)
- fail2ban VNC: https://github.com/fail2ban/fail2ban/issues/1008
- How do I remove 'Python Games' from Raspbian?: https://raspberrypi.stackexchange.com/questions/50247/how-do-i-remove-python-games-from-raspbian
- Remove Libreoffice Completely: https://www.raspberrypi.org/forums/viewtopic.php?f=91&t=126274
- Remove software (Full Guide): http://www.howtoptec.com/2016/08/delete-pre-installed-applications-on.html
- Bogon IPv4 and IPv6 addresses: https://6session.wordpress.com/2009/04/08/ipv6-martian-and-bogon-filters/
- Rootkit Hunter update issues: http://cybersec.linuxhorizon.ro/2017/09/the-rkhunter-142-update-issue.html
- Rkhunter resources: https://raspberrytips.nl/raspberry-pi-virus-malware-scanner/
- Slimming down Raspbian Pi: https://blog.samat.org/2015/02/05/slimming-an-existing-raspbian-install/
- Package libpam-tmpdir: https://packages.debian.org/sid/libpam-tmpdir

## Disabling hardware
- WiFi and Bluetooth are two hardware components that I do not use and which could allow remote access. Therefore, I disabled both.

- Add the lines below to the config.txt file: `sudo nano /boot/config.txt`
```
# Uncomment this to disable WiFi and Bluetooth
dtoverlay=pi3-disable-wifi
dtoverlay=pi3-disable-bt
```
- Add the lines below to the raspi-blacklist.conf file: `sudo nano /etc/modprobe.d/raspi-blacklist.conf`
```
# disable WLAN
blacklist brcmfmac
blacklist brcmutil
blacklist cfg80211
blacklist rfkill

# disable Bluetooth
blacklist btbcm
blacklist hci_uart
```
- Then execute this command to process the blocklist: `sudo update-initramfs -u`
- In case you want to use WiFi, harden wpa_supplicant by only using TLS 1.2 and strong ciphers. A little warning here: your WiFi network must support this! Add the lines below to the wpa_supplicant.conf file: `sudo nano /etc/wpa_supplicant/wpa_supplicant.conf`.
```
network={
ssid="your_wifi_ssid_name"
psk="your_wifi_psk_passphrase"
phase1="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1" # <-- add this line
phase2="tls_disable_tlsv1_0=1 tls_disable_tlsv1_1=1" # <-- add this line
}

openssl_ciphers=DEFAULT@SECLEVEL=2 # <-- add this line
```
Note that `phase1`, `phase2` and `openssl_ciphers` govern the EAP/TLS handshake of WPA-Enterprise networks; a plain WPA2-PSK network does not use TLS, so there they are harmless but have no effect.
- By default, WiFi passwords are stored in clear text in `/etc/wpa_supplicant/wpa_supplicant.conf`, and the problem is that this file has mode 0644, which means it can be read by anyone. Either `sudo chmod 0600 /etc/wpa_supplicant/wpa_supplicant.conf`, or generate the WPA PSK using `wpa_passphrase [ ssid ] [ passphrase ]`; the output should look like this:
```
network={
ssid="your_wifi_ssid_name"
#psk="your_wifi_psk_passphrase"
psk=59e0d07fa4c7741797a4e394f38a5c321e3bed51d54ad5fcbd3f84bc7415d73d
}
```
- Then replace the line `psk="your_wifi_psk_passphrase"` with `psk=59e0d07fa4c7741797a4e394f38a5c321e3bed51d54ad5fcbd3f84bc7415d73d` in your `/etc/wpa_supplicant/wpa_supplicant.conf` (the hex value has no quotes around it). The hex PSK is still the key that joins the network and the `#psk=` comment line still carries the passphrase, so drop that comment and keep the 0600 file mode as well.
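To show what `wpa_passphrase` actually does with the passphrase, and to audit a wpa_supplicant.conf for plaintext `psk=` lines, here is an added Python example (not part of the original repository). It derives the PSK with the standard PBKDF2-HMAC-SHA1 construction and uses the published 802.11 test vector SSID `IEEE` / passphrase `password` as constructed sample input.

```python
import hashlib
import re
from typing import Dict

PBKDF2_ROUNDS = 4096   # fixed by the WPA/WPA2 standard; wpa_passphrase uses the same
PSK_LEN = 32           # 256-bit PSK, printed as 64 hex characters


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Derive the hex PSK that wpa_passphrase prints for an SSID/passphrase pair
    (PBKDF2-HMAC-SHA1, salt = SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid_bytes,
                               PBKDF2_ROUNDS, PSK_LEN).hex()


# psk="..." (quoted) is a plaintext passphrase, whether active or commented out;
# psk=<64 hex characters> is the derived key.
QUOTED_PSK = re.compile(r'^#?\s*psk\s*=\s*"(.*)"$')
HEX_PSK = re.compile(r"^psk\s*=\s*[0-9a-fA-F]{64}$")
SSID = re.compile(r'^ssid\s*=\s*"(.*)"$')


def audit_wpa_conf(text: str) -> Dict[str, int]:
    """Count hex PSK lines, active plaintext psk lines and commented-out
    plaintext lines (#psk="...", which wpa_passphrase emits and which still
    leaks the passphrase to anyone who can read the file)."""
    report = {"hex": 0, "plaintext": 0, "commented_plaintext": 0}
    for line in text.splitlines():
        s = line.strip()
        if HEX_PSK.match(s):
            report["hex"] += 1
        elif QUOTED_PSK.match(s):
            report["commented_plaintext" if s.startswith("#") else "plaintext"] += 1
    return report


def harden_wpa_conf(text: str) -> str:
    """Replace each quoted passphrase by its hex PSK and drop #psk= comment lines.
    The ssid= of the enclosing network={} block is the PBKDF2 salt, so a psk=
    line that precedes its ssid= line is left untouched."""
    out, ssid = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("network={"):
            ssid = None
        m = SSID.match(s)
        if m:
            ssid = m.group(1)
        m = QUOTED_PSK.match(s)
        if m and s.startswith("#"):
            continue                      # commented plaintext: remove entirely
        if m and ssid is not None:
            indent = line[: len(line) - len(line.lstrip())]
            out.append(f"{indent}psk={wpa_psk(ssid, m.group(1))}")
            continue
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample using the 802.11 test vector (SSID "IEEE", passphrase
# "password") so the derived PSK can be compared with the published value.
SAMPLE_CONF = """ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
\tssid="IEEE"
\tpsk="password"
}
"""

if __name__ == "__main__":
    print(audit_wpa_conf(SAMPLE_CONF))
    hardened = harden_wpa_conf(SAMPLE_CONF)
    print(hardened)
    print(audit_wpa_conf(hardened))
```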

## Removing Software and Games
- Now it is time to remove some unneeded software and games from the Pi.

- The software that is going to be removed: Integrated Development Editors, Internet Browsers, LibreOffice, Mail clients, PDF-Viewer, Emulators, Samba protocol and all the Games.
- Remove stuff not needed on a server:

```
sudo apt-get remove --purge bluej claws-mail claws-mail-i18n dillo epiphany-browser geany greenfoot libreoffice* minecraft-pi netsurf-gtk nodered nuscratch python-pygame python3-pygame python-sense-emu python3-sense-emu python-sense-emu-doc sense-emu-tools scratch scratch2 sonic-pi timidity wolfram-engine idle-python2.7 idle-python3.5 python3-thonny python3-jedi cups-bsd cups-client gsfonts gsfonts-x11 libcupsfilters1 libcupsimage2 libmotif-common libpoppler64 libxm4 poppler-data poppler-utils xpdf qpdfview samba-common chromium-browser smartsim
```
- Remove Python Games: `rm -rf ~/python_games`
- And finish it up with: `sudo apt-get autoremove --purge` and `sudo apt-get clean`

## Screenlock protection with xscreensaver
Automatic locking is an important feature to prevent access by means of the GUI (i.e. when using VNC). I used xscreensaver for this.
- Install it using: `sudo apt-get install xscreensaver`
- Then configure it using `xscreensaver-command -prefs` and enable on the tab `Display` the setting `Lock Screen After`, set to 5 minutes.

## PAM sessions temporary files with libpam-tmpdir
Many programs use $TMPDIR for storing temporary files. Not all of them are good at securing the permissions of those files. libpam-tmpdir sets $TMPDIR and $TMP for PAM sessions and sets the permissions quite tight. This adds an extra layer of security, making symlink attacks and other /tmp based attacks harder or impossible.
- Install it using: `sudo apt-get install libpam-tmpdir`

## E-mail capabilities
- Time to install mail services to make sure that an email can be sent after important events. This matters for the detection and response side of security.

- Install mail services: `sudo apt-get -y install ssmtp mailutils mpack`
- Edit the ssmtp.conf file: `sudo nano /etc/ssmtp/ssmtp.conf` and add/edit the lines below
```
root=dummy@example.com
mailhub=smtp.domain.tld:587 # or :465, or :25 (insecure)
hostname=
AuthUser=dummy@example.com
AuthPass=
useTLS=YES
useSTARTTLS=YES
FromLineOverride=NO
```

- Edit the aliases: `sudo nano /etc/ssmtp/revaliases`
```
# Port 587 for STARTTLS
# Port 465 for TLS
root:dummy@example.com:smtp.example.com:587
```

- DEPRECATED! Change the default email-address (add the line below) used by Cron: `sudo nano /etc/default/cron`
```
MAILTO=dummy@example.com
```
- Change the email-address (add the line below) used by the user root: `sudo crontab -u root -e`
```
MAILTO=dummy@example.com
```
- Now change the permissions of ssmtp.conf to a more secure setting with `sudo chmod 0640 /etc/ssmtp/ssmtp.conf`. This is needed to protect the plain-text password in the config file!

## Brute-force protection with fail2ban
- Now install fail2ban to add some security to SSH and OpenVPN by blocking brute-force password guesses.
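Because a failregex that silently matches nothing leaves the jail inert, here is an added Python example (not part of the original repository, and not a replacement for `fail2ban-regex`) that applies the OpenVPN and VNC filters from this section to sample log lines and reports which host each one would extract. It assumes the `<HOST>` expansion fail2ban 0.9/0.10 uses, a constructed, simplified stand-in for `%(__prefix_line)s`, and a constructed VNC log line; the OpenVPN lines are the examples quoted in the filter's own comments.

```python
import re
from typing import Dict, List, Optional

# fail2ban (0.9/0.10) replaces <HOST> with this named group.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Constructed, simplified stand-in for %(__prefix_line)s from common.conf: once the
# timestamp is gone it expects " host daemon[pid]: ". The real definition also
# accepts kernel and vserver prefixes.
PREFIX_LINE = r"\s*(?:\S+\s+)?%(_daemon)s(?:\[\d+\])?:\s+"

# fail2ban strips the timestamp before matching. These cover the two formats in
# this section: OpenVPN's "Fri Sep 23 11:55:36 2016" and syslog's "Jan 12 10:00:01".
DATE_RE = re.compile(r"^(?:\w{3} \w{3} +\d+ [\d:]+ \d{4}|\w{3} +\d+ [\d:]+)")


def parse_definition(filter_text: str) -> Dict[str, List[str]]:
    """Collect 'key = value' entries, including indented continuation lines."""
    values: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in filter_text.splitlines():
        if raw.startswith("["):                 # [INCLUDES], [Definition], ...
            current = None
            continue
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] not in " \t":
            key, _, val = raw.partition("=")
            current = key.strip()
            values[current] = [val.strip()] if val.strip() else []
        elif current is not None:
            values[current].append(raw.strip())
    return values


def compile_failregex(filter_text: str) -> List["re.Pattern"]:
    """Expand %(name)s references and <HOST>, then compile every failregex."""
    values = parse_definition(filter_text)
    env = {"__prefix_line": PREFIX_LINE}
    env.update({k: " ".join(v) for k, v in values.items() if v})
    patterns = []
    for regex in values.get("failregex", []):
        for _ in range(5):                      # nested: __prefix_line -> _daemon
            regex = re.sub(r"%\((\w+)\)s", lambda m: env[m.group(1)], regex)
            if "%(" not in regex:
                break
        patterns.append(re.compile(regex.replace("<HOST>", HOST_RE)))
    return patterns


def match_host(patterns: List["re.Pattern"], line: str) -> Optional[str]:
    """Host a failregex extracts from one log line, or None if it is no failure."""
    rest = DATE_RE.sub("", line, count=1)
    for pat in patterns:
        m = pat.search(rest)
        if m:
            return m.group("host")
    return None


def scan(filter_text: str, lines: List[str]) -> List[Optional[str]]:
    """Per-line result, in order, like the matched-line listing of fail2ban-regex."""
    patterns = compile_failregex(filter_text)
    return [match_host(patterns, line) for line in lines]


OPENVPN_FILTER = r"""
[Definition]
failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR
ignoreregex =
"""

VNC_FILTER = r"""
[INCLUDES]
before = common.conf

[Definition]
_daemon = (?:screensharingd|vnc)
failregex = ^%(__prefix_line)sAuthentication: FAILED :: User Name: .*? :: Viewer Address: <HOST> :: Type: (?:DH|.*?)$
ignoreregex =
"""

# First two lines are the examples from the filter comments; the third is a
# constructed benign line that must not trigger a ban.
OPENVPN_LINES = [
    "Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223",
    "Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed",
    "Thu Aug 25 09:40:00 2016 Initialization Sequence Completed",
]
# Constructed syslog lines in the shape the VNC filter expects.
VNC_LINES = [
    "Jan 12 10:00:01 pi vnc[1234]: Authentication: FAILED :: User Name: pi :: Viewer Address: 203.0.113.5 :: Type: DH",
    "Jan 12 10:00:05 pi vnc[1234]: Authentication: SUCCEEDED :: User Name: pi :: Viewer Address: 192.168.1.20 :: Type: DH",
]

if __name__ == "__main__":
    for name, flt, lines in (("openvpn", OPENVPN_FILTER, OPENVPN_LINES), ("vnc", VNC_FILTER, VNC_LINES)):
        for line, host in zip(lines, scan(flt, lines)):
            print(f"{name:8} {('BAN ' + host) if host else 'ignore':22} {line[:60]}")
```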

- Install it with: `sudo apt-get install fail2ban`
- Create the jail.local file: `sudo nano /etc/fail2ban/jail.local` and add the lines below
```
# Custom settings for jail.conf

[DEFAULT]
ignoreip = 127.0.0.1/8 192.168.xxx.0/24
destemail = dummy@example.com
sender = dummy@example.com
```

### fail2ban for PiVPN (OpenVPN)
- Create the openvpn.local filter file: `sudo nano /etc/fail2ban/filter.d/openvpn.local` and add the lines below
```
# Fail2Ban filter for selected OpenVPN rejections
#
#

[Definition]

# Example messages (other matched messages not seen in the testing server's logs):
# Fri Sep 23 11:55:36 2016 TLS Error: incoming packet authentication failed from [AF_INET]59.90.146.160:51223
# Thu Aug 25 09:36:02 2016 117.207.115.143:58922 TLS Error: TLS handshake failed

failregex = ^ TLS Error: incoming packet authentication failed from \[AF_INET\]<HOST>:\d+$
            ^ <HOST>:\d+ Connection reset, restarting
            ^ <HOST>:\d+ TLS Auth Error
            ^ <HOST>:\d+ TLS Error: TLS handshake failed$
            ^ <HOST>:\d+ VERIFY ERROR

ignoreregex =
```
- Create the openvpn.local jail file: `sudo nano /etc/fail2ban/jail.d/openvpn.local` and add the lines below
```
# Fail2Ban configuration fragment for OpenVPN

[openvpn]
enabled = true
port = 1194
protocol = udp
filter = openvpn
logpath = /var/log/openvpn.log
maxretry = 3
```
### fail2ban for VNC
- Create the vnc.local filter file: `sudo nano /etc/fail2ban/filter.d/vnc.local` and add the lines below
```
# Fail2Ban filter for vnc or screensharingd
#

[INCLUDES]
before = common.conf

[Definition]
_daemon = (?:screensharingd|vnc)

failregex = ^%(__prefix_line)sAuthentication: FAILED :: User Name: .*? :: Viewer Address: <HOST> :: Type: (?:DH|.*?)$

ignoreregex =

# Author: Peter Franzén, 2015
```
- Create the vnc.local jail file: `sudo nano /etc/fail2ban/jail.d/vnc.local` and add the lines below
```
# Fail2Ban configuration fragment for VNC

[vnc]
enabled = true
port = 5900
filter = vnc
logpath = /var/log/auth.log
maxretry = 3
```

### fail2ban for SSH
- The SSH jail is enabled by default in fail2ban :).

## Firewalling with iptables & ip6tables
Hardening is not complete without proper local firewalling. On Linux this can be done using iptables for IPv4 and ip6tables for IPv6.

I have created two scripts:
- Populate [IPv4 tables](https://github.com/teusink/Home-Security-by-Pi/blob/master/scripts/pop-ip4tables.sh)
- Populate [IPv6 tables](https://github.com/teusink/Home-Security-by-Pi/blob/master/scripts/pop-ip6tables.sh)

The files can be created in your home folder and run with the following commands:
- `sudo bash ./pop-ip4tables.sh`
- `sudo bash ./pop-ip6tables.sh`

It is important to test what has been set. I tested it as well and am using it now. When it does not work, you can reboot to regain access or restore functionality. If you are certain that it works, you can execute the following command to make the firewall rules persistent across reboots: `sudo netfilter-persistent save`.

Things I considered when building these firewall rules:
- Default drop on all incoming, outgoing and forwarded traffic.
- Default allow for all connections that have already been set up (for performance reasons!).
- Drop packets from most bogon address types.
- Drop all invalid packets.
- Forward all VPN traffic on the tun0 interface.
- Allow all local loopback traffic.
- Allow ICMP traffic in and out.
- Block all incoming https advertisement assets.
- Allow incoming and outgoing DHCP traffic.
- Allow incoming and outgoing DNS traffic.
- Allow outgoing NTP traffic.
- Allow incoming and outgoing HTTP traffic.
- Allow incoming and outgoing VNC traffic.
- Allow incoming and outgoing SSH traffic.
- Allow incoming and outgoing OpenVPN traffic.
- Allow outgoing SMTP-over-TLS (for email).
- Allow outgoing HTTPS.
- Do not allow dynamic ports (also called private ports), which range from 49152 to 65535. A random port in this range is used by the avahi-daemon (DNS services), but because it is not a reserved port number, it is disabled for now.
- See the list of [Well-known TCP-UDP Protocols and Port-numbers](https://github.com/teusink/Home-Security-by-Pi/blob/master/3-appendix-TCP-UDP-Protocols-and-Ports.md)

## Hardening of OpenSSH
To disallow root login and the use of old SSH protocol versions, do the steps below.
- Edit the config file of ssh using `sudo nano /etc/ssh/sshd_config`.
- Add/uncomment (and change) the lines:

```
PermitRootLogin no
Protocol 2
AllowAgentForwarding no
AllowTcpForwarding no
X11Forwarding no
ClientAliveCountMax 2
Compression no
LogLevel VERBOSE
MaxAuthTries 1
MaxSessions 2
```
- Edit the other config file of ssh using `sudo nano /etc/ssh/ssh_config`.
- Uncomment the line:

```
Protocol 2
```
## Anti-exploit & -rootkit solutions
In order to protect yourself from an attack, or in order to prevent an infection from spreading to other vulnerable systems, it is key to utilize solutions against malicious software. Classic anti-virus is skipped, because no file-sharing is done on this system. In order to fight off rootkits and other nasty things, Rootkit Hunter and chkrootkit are going to be used.

- Install chkrootkit using: `sudo apt-get install chkrootkit`.
278 | - Install Rootkit Hunter using: `sudo apt-get install rkhunter` 279 | - Create a local config file of rkhunter using `sudo nano /etc/rkhunter.conf.local` 280 | 281 | - Add the lines below: 282 | ``` 283 | UPDATE_MIRRORS=1 284 | MIRRORS_MODE=0 285 | WEB_CMD="" 286 | PKGMGR=NONE 287 | SCRIPTWHITELIST=/usr/bin/lwp-request 288 | ALLOWHIDDENFILE=/etc/.fstab 289 | SHARED_LIB_WHITELIST=/usr/lib/arm-linux-gnueabihf/libarmmem.so 290 | ALLOWHIDDENDIR=/etc/.java 291 | ALLOWHIDDENDIR=/etc/.pihole 292 | ALLOWHIDDENDIR=/etc/.pivpn 293 | PORT_PATH_WHITELIST="/usr/sbin/openvpn" 294 | PORT_PATH_WHITELIST="/usr/sbin/dnsmasq" 295 | PORT_PATH_WHITELIST="/sbin/dhcpcd5" 296 | PORT_PATH_WHITELIST="/usr/sbin/avahi-daemon" 297 | PORT_PATH_WHITELIST="/usr/bin/vncagent" 298 | ``` 299 | - Create a script called [pi-security-scan.sh](https://github.com/teusink/Secure-my-Pi/blob/master/scripts/pi-security-scan.sh) and place it in the Pi's scripts folder in the home-directory. Also create the folder `scripts` and `logs` in the home-directory if they don't exists yet. 300 | - Configure a daily scans using crontab: `sudo crontab -u root -e` 301 | - Add this line: `0 3 * * * sudo bash /home/pi/scripts/pi-security-scan.sh >/home/pi/logs/pi-security-scan.log 2>&1`. This line means that it will do an update of the definition files and scan the entire Pi every night at 3 am and it outputs it logs (including errors!) to a log file. 302 | - Add this line: `0 7 * * * sudo /usr/sbin/ssmtp dummy@example.com < /home/pi/logs/pi-security-scan.log`. This line means that the log-file created in the work above will be emailed to you every morning at 7 am. 303 | 304 | Note: the script pi-security-scan.sh has one option (parameter): 305 | - `no-scan`: To prevent the script from executing the rather long-taking scan. It just updates the security tools. 
306 | - Example: `sudo bash /home/pi/pi-security-scan.sh no-scan` 307 | 308 | # Done 309 | - This part is done now, so do a reboot now: `sudo reboot` 310 | -------------------------------------------------------------------------------- /3-appendix-TCP-UDP-Protocols-and-Ports.md: -------------------------------------------------------------------------------- 1 | # Well-known TCP-UDP Protocols and Port-numbers 2 | The list of the TCP and UDP protocols and their port-numbers listed below are aimed at home and small-office use. It is likely that in larger networks other services (such as databases and the like) are present which might, or might not, impact the list below. 3 | 4 | The ports should only be opened from the client perspective to the outside world. The other way around should always be blocked, unless needed for a specific service. 5 | 6 | ## Network Services 7 | - DNS: 53 (TCP/UDP) 8 | - DHCP: 67 (UDP), 68 (UDP) 9 | - NTP: 123 (UDP) 10 | - DHCPv6: 546 (TCP/UDP), 547 (TCP/UDP) 11 | - DNS-over-TLS: 853 (TCP) 12 | 13 | ## Internet Services 14 | - FTP: 21 (TCP) 15 | - SSH: 22 (TCP/UDP) 16 | - SMTP: 25 (TCP/UDP) 17 | - HTTP: 80 (TCP) 18 | - POP3: 110 (TCP) 19 | - NNTP: 119 (TCP/UDP) 20 | - NTP: 123 (UDP) 21 | - IMAP4: 143 (TCP/UDP) 22 | - HTTPS: 443 (TCP) 23 | - SMTP-using-STARTLS: 465 (TCP) 24 | - NNTP-over-TLS: 563 (TCP/UDP) 25 | - SMTP-over-TLS: 587 (TCP) 26 | - FTP-data-over-TLS: 989 (TCP/UDP) 27 | - FTP-control-over-TLS: 990 (TCP/UDP) 28 | - IMAP4-over-SSL: 993 (TCP) 29 | - POP3-over-SSL: 995 (TCP) 30 | - Session Initiation Protocol (SIP): 5060 (TCP/UDP) 31 | - Session Initiation Protocol (SIP) over TLS: 5061 (TCP) 32 | - HTTP-alternative: 8080 (TCP), 8880 (TCP) 33 | - HTTPS-alternative: 8443 (TCP) 34 | 35 | ## VPN Services 36 | - IPsec-tunnel: 50 (TCP/UDP), 51 (TCP/UDP), 500 (TCP/UDP), 1293 (TCP/UDP) 4500 (TCP/UDP) 37 | - SSTP-tunnel: 443 (TCP) 38 | - OpenVPN-tunnel: 1194 (TCP/UDP) 39 | - L2TP-tunnel: 1701 (TCP) 40 | - PPTP-tunnel: 1723 (TCP/UDP) 41 | 
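The firewall considerations listed in the Hardening chapter (default drop, early accept of established flows, invalid and bogon drops, tun0 forwarding, named service ports only) combined with the rule above that ports are opened from the client side only, written out as an added example. This is not the repository's pop-ip4tables.sh; the port sets are assumed picks from the lists above, and `IPT` is an assumed variable that lets the rules be collected instead of applied.

```shell
#!/bin/sh
# Added example, not the repository's own pop-ip4tables.sh. IPT names the
# command that receives every rule; point it at a shell function to dry-run.
IPT="${IPT:-iptables}"

# Assumed port sets, picked from the service lists above.
IN_TCP="22,53,80,5900"        # SSH, DNS, HTTP, VNC (from the LAN and tun0)
IN_UDP="53,1194"              # DNS, OpenVPN
OUT_TCP="22,80,443,587,1194"  # SSH, HTTP, HTTPS, SMTP submission, OpenVPN
OUT_UDP="53,123,1194"         # DNS, NTP, OpenVPN

# Source prefixes that have no business arriving on a real interface.
# 0.0.0.0/8 is deliberately absent: DHCP DISCOVER packets come from 0.0.0.0.
BOGONS="127.0.0.0/8 169.254.0.0/16 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 240.0.0.0/4"

apply_ipv4_rules() {
    # Flush and default-drop in every direction.
    "$IPT" -F
    "$IPT" -X
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT DROP

    # Loopback first, then already established flows: the cheap path, so it
    # sits before every other check, as the Hardening chapter suggests.
    "$IPT" -A INPUT  -i lo -j ACCEPT
    "$IPT" -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        "$IPT" -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
        "$IPT" -A "$chain" -m conntrack --ctstate INVALID -j DROP
    done

    # DHCP server traffic (Pi-hole hands out leases) before the bogon filter.
    "$IPT" -A INPUT  -p udp --sport 68 --dport 67 -j ACCEPT
    "$IPT" -A OUTPUT -p udp --sport 67 --dport 68 -j ACCEPT

    # Bogon sources are dropped on everything that is not loopback.
    for net in $BOGONS; do
        "$IPT" -A INPUT   ! -i lo -s "$net" -j DROP
        "$IPT" -A FORWARD -s "$net" -j DROP
    done

    # VPN clients on tun0 may be forwarded; ICMP may flow both ways.
    "$IPT" -A FORWARD -i tun0 -j ACCEPT
    "$IPT" -A INPUT  -p icmp -j ACCEPT
    "$IPT" -A OUTPUT -p icmp -j ACCEPT

    # New connections only on the named service ports, nothing else.
    "$IPT" -A INPUT  -p tcp -m multiport --dports "$IN_TCP"  -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A INPUT  -p udp -m multiport --dports "$IN_UDP"  -j ACCEPT
    "$IPT" -A OUTPUT -p tcp -m multiport --dports "$OUT_TCP" -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -A OUTPUT -p udp -m multiport --dports "$OUT_UDP" -j ACCEPT

    # Log what is about to hit the DROP policy, rate limited so a scan
    # cannot fill the SD card; logwatch then reports it daily.
    "$IPT" -A INPUT  -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "
    "$IPT" -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
}

# Touch the live tables only when asked explicitly:
#   sudo sh ./ip4-rules-example.sh apply && sudo netfilter-persistent save
if [ "${1:-}" = "apply" ]; then
    apply_ipv4_rules
fi
```

Running it without `apply` does nothing, which is the safe default for a file you are still testing.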
## TCP-block-list
List of TCP port numbers to block (on the LAN-Internet interface) when opening the services mentioned above.

```
1-20
23-24
26-49
52-79
81-109
111-118
120-142
144-442
444-464
466-499
501-545
548-562
564-586
588-852
854-988
991-992
994
996-1193
1195-1292
1294-1700
1702-1722
1724-4499
4501-5059
5062-8079
8081-8442
8444-8879
8881-65535
```

## UDP-block-list
List of UDP port numbers to block (on the LAN-Internet interface) when opening the services mentioned above.

```
1-21
23-24
26-49
52-118
120-122
124-142
144-499
501-545
548-562
564-988
991-1193
1195-1292
1294-1722
1724-4499
4501-5059
5061-65535
```

## Information Sources
- List of TCP and UDP port numbers (Wikipedia): https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
- List of Well-Known TCP Port Numbers (Webopedia): https://www.webopedia.com/quick_ref/portnumbers.asp
- TCP/IP Ports and Protocols (Pearson): http://www.pearsonitcertification.com/articles/article.aspx?p=1868080
- Ports Database (Speed Guide): https://www.speedguide.net/ports.php

# Well-known TCP-UDP Protocols and Port-numbers that really need to be blocked
The ports below are often vulnerable to attack due to vulnerable services behind them. Make sure that you really block or do not allow them, unless explicitly needed.

The ports should at least be blocked towards the client from the outside world. They should really only be opened when needed for a specific service. Some services outbound (such as SMTP and NTP) can safely be allowed.
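The block-lists above are the complement of the allowed ports within 1-65535. As an added example (not part of the original appendix), the function below derives such a list from a set of allowed ports, one range per line. Fed the TCP ports of the service lists above, with DNS left out because the lists above keep port 53 blocked on the LAN-Internet interface (the Pi answers DNS on the LAN side), it reproduces the TCP-block-list exactly; likewise for UDP with DNS and DHCP left out. The port sets are assumed in that sense.

```shell
#!/bin/sh
# Added example, not from the repository: derive a port block-list (the
# complement of the allowed ports within 1-65535), one range per line,
# "N" for a single port and "A-B" otherwise.

range_line() {
    if [ "$1" -eq "$2" ]; then printf '%s\n' "$1"; else printf '%s-%s\n' "$1" "$2"; fi
}

block_ranges() {
    # $1: whitespace-separated allowed ports, any order, duplicates tolerated
    prev=0
    for p in $(printf '%s\n' $1 | sort -n | uniq); do
        # Every gap between two consecutive allowed ports is a blocked range.
        if [ "$p" -gt $((prev + 1)) ]; then
            range_line $((prev + 1)) $((p - 1))
        fi
        prev=$p
    done
    # Whatever lies above the highest allowed port is blocked as well.
    if [ "$prev" -lt 65535 ]; then
        range_line $((prev + 1)) 65535
    fi
}

# Assumed inputs, taken from the service lists above. DNS (53) and DHCP
# (67/68) are left out on purpose: the lists above keep them blocked on the
# LAN-Internet interface, because the Pi serves them on the LAN side.
TCP_ALLOWED="21 22 25 50 51 80 110 119 143 443 465 500 546 547 563 587 853 989 990 993 995 1194 1293 1701 1723 4500 5060 5061 8080 8443 8880"
UDP_ALLOWED="22 25 50 51 119 123 143 500 546 547 563 989 990 1194 1293 1723 4500 5060"

# Usage: sh ./block-ranges-example.sh tcp   (or udp)
if [ "${1:-}" = "tcp" ]; then block_ranges "$TCP_ALLOWED"; fi
if [ "${1:-}" = "udp" ]; then block_ranges "$UDP_ALLOWED"; fi
```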

## Dangerous ports
- Reserved Port: 0 (TCP/UDP) - often abused by malicious software
- Chargen: 19 (TCP/UDP) - used as an amplifier in DoS attacks
- Telnet: 23 (TCP/UDP) - often vulnerable services
- SMTP: 25 (TCP/UDP) - often vulnerable services and misuse for spam propagation
- NTP: 123 (UDP) - often vulnerable services
- Microsoft NetBIOS: 135-139 (TCP/UDP) - potential data leakage due to file and print sharing
- SNMP: 161-162 (TCP/UDP) - often vulnerable services
- SMB: 445 (TCP/UDP) - potential data leakage due to file and print sharing, and spreading of malware
- RIP: 520 (UDP) - vulnerable to DoS attacks and backdoors
- SOCKS: 1080 (TCP) - potential spam relay point
- Microsoft SQL Server: 1433-1434 (TCP/UDP) - vulnerable to DoS attacks and malware infections
- SSDP & UPnP: 1900 (TCP/UDP) - vulnerable to DoS attacks
- DNS-Multicast, Zeroconf, Bonjour: 5353 (TCP/UDP) - vulnerable to DoS attacks

## Information Sources
- Networking, Firewall, Vulnerable Networking Ports Blocked - https://answers.uillinois.edu/illinois/page.php?id=47646
- XS4ALL port security (in Dutch) - https://www.xs4all.nl/service/diensten/beveiliging-en-veiligheid/installeren/hoe-zet-ik-poortbeveiliging-aan.htm
--------------------------------------------------------------------------------
/4-Maintenance.md:
--------------------------------------------------------------------------------
**Table of Contents**
- [Introduction](https://github.com/teusink/Home-Security-by-Pi/blob/master/README.md)
- [1 - Installation](https://github.com/teusink/Home-Security-by-Pi/blob/master/1-Installation.md)
- [2 - Configuration](https://github.com/teusink/Home-Security-by-Pi/blob/master/2-Configuration.md)
- [3 - Hardening](https://github.com/teusink/Home-Security-by-Pi/blob/master/3-Hardening.md)
- 4 - Maintenance
  - [4.1 - Monitoring](#monitoring)
  - [4.2 - Security Auditing](#security-auditing)
  - [4.3 - Patch management](#patch-management)
  - [4.4 - Keep disk-usage in control](#keep-disk-usage-in-control)
  - [4.5 - Back-up the SD-card](#back-up-the-sd-card)
- [5 - Skipped](https://github.com/teusink/Home-Security-by-Pi/blob/master/5-Skipped.md)
- [6 - Common issues](https://github.com/teusink/Home-Security-by-Pi/blob/master/6-Common-issues.md)

# Maintenance
Ultimately, the core practice of security is simply to install all (security) updates. This is no different for your Pi. Below I will explain how I did that.

>Important note: everywhere xxx is mentioned in an IP address and everywhere an example email address is mentioned, use your own details!

And here you can see the entire contents of the crontab file that is used: [crontab](https://github.com/teusink/Home-Security-by-Pi/blob/master/4-appendix-crontab.md).

Please note that the crontab above is expanded by putting log files in different folders, with an additional command to create the daily folder for the logs. My advice is to follow this practice and disable emailing the logs (put the `#` comment character before the email command in cron). This prevents deleting emails you don't read anyway, while keeping the log files in case of issues. The Pi-Cleaner script cleans out the logs folder of anything older than 30 days, so don't worry about a growing set of logs.

## Information Sources
- Logwatch: https://www.digitalocean.com/community/tutorials/how-to-install-and-use-logwatch-log-analyzer-and-reporter-on-a-vps
- Lynis: https://cisofy.com/documentation/lynis/
- Debsecan: https://packages.debian.org/stretch/debsecan
- Force firmware update Pi: https://www.raspberrypi.org/forums/viewtopic.php?f=66&t=84887
- tmpreaper package: https://www.thegeekstuff.com/2013/10/tmpreaper-examples/

## Monitoring
Maintenance starts with monitoring, so install Logwatch to do just that. You will be notified daily of what has happened on your Pi.

- Install Logwatch using: `sudo apt-get install logwatch`.
- Edit the config file of Logwatch with the lines below to enable emailing (the rest stays default): `sudo nano /usr/share/logwatch/default.conf/logwatch.conf`

```
MailTo = dummy@example.com
MailFrom = dummy@example.com
```

## Security Auditing
You can also audit your own setup against some security best practices and known vulnerabilities. There are two tools for that. One is Lynis (configuration and best-practices analyzer), and the other is Debsecan (scan for known vulnerabilities in installed packages).
- To install Lynis: `sudo apt-get install lynis`.
- To install Debsecan: `sudo apt-get install debsecan`.
- Configure Debsecan with `sudo dpkg-reconfigure debsecan`, select `stretch` as the distro and disable email notifications (we do that ourselves).

### Manual audit
- To run a Lynis audit: `sudo lynis audit system`.
- To run a Debsecan audit: `sudo debsecan`.

I have created two tickets based on the scans as of 2017/12/25.
- Lynis: https://github.com/teusink/Home-Security-by-Pi/issues/23
- Debsecan: https://github.com/teusink/Home-Security-by-Pi/issues/28

### Automated audit weekly after patching
To really stay on par with newly found weaknesses on your Pi, create a weekly audit of your system.
- Create a script called [pi-audit.sh](https://github.com/teusink/Secure-my-Pi/blob/master/scripts/pi-audit.sh) and place it in the `scripts` folder in the Pi's home directory. Also create the folders `scripts` and `logs` in the home directory if they don't exist yet.
- Edit your crontab to schedule regular execution of the script using `sudo crontab -u root -e`.
- Add this line: `0 5 * * MON sudo bash /home/pi/scripts/pi-audit.sh >/home/pi/logs/pi-audit.log 2>&1`. This line means that it will do an audit every Monday at 5 am and write its output (including errors!) to a log file.
- If you want an email of the log, add this line: `0 7 * * MON sudo /usr/sbin/ssmtp dummy@example.com < /home/pi/logs/pi-audit.log`. This line means that the log file created in the step above will be emailed to you every Monday at 7 am.

## Patch management
This part is all about patching your Raspberry Pi system.

### Automated Patching
The following packages are included in this automation script: Raspberry Pi OS, Raspberry Pi firmware, Pi-hole, Cloudflared. OpenVPN (PiVPN) has unattended upgrades and upgrades itself. Therefore, it is not included in the script.

- Create a script called [pi-update.sh](https://github.com/teusink/Secure-my-Pi/blob/master/scripts/pi-update.sh) and place it in the `scripts` folder in the Pi's home directory. Also create the folders `scripts` and `logs` in the home directory if they don't exist yet.
- Edit your crontab to schedule regular execution of the script using `sudo crontab -u root -e`.
- Add this line: `0 5 * * SUN sudo bash /home/pi/scripts/pi-update.sh >/home/pi/logs/pi-update.log 2>&1`. This line means that it will do an update every Sunday at 5 am and write its output (including errors!) to a log file.
- Add this line: `0 7 * * SUN sudo /usr/sbin/ssmtp dummy@example.com < /home/pi/logs/pi-update.log`. This line means that the log file created in the step above will be emailed to you every Sunday at 7 am.

### Manual Patching
Note: the script pi-update.sh has two options (parameters):
- `no-reboot`: prevents the reboot from happening. It might come in handy if you want to do the reboot in another way.
- `dist-upgrade`: instead of doing `apt-get upgrade` it does `apt-get dist-upgrade`. The difference is that dist-upgrade also removes packages, which might be dangerous to your setup.
- Example: `sudo bash /home/pi/scripts/pi-update.sh no-reboot`

### Force Firmware Update
If you replaced your hardware, but not your SD card, you might want to redo the firmware update. The same applies if you cloned the SD card for a new Pi unit.
- First, change the hash value of the current installation (just change one character): `sudo nano /boot/.firmware_revision`.
- Then execute the firmware update again: `sudo rpi-update`.
- And then do a reboot: `sudo reboot`.

## Keep disk-usage in control
Just as any other system, the Pi accumulates temporary and log data. This part is about keeping control of the disk usage of the SD card.
- Install the tmpreaper package to do this: `sudo apt-get install tmpreaper`.
- Then edit the configuration file: `sudo nano /etc/tmpreaper.conf`.
- And comment out (add the `#` in front of) the following line: `SHOWWARNING=true`.
- Create a script called [pi-cleaner.sh](https://github.com/teusink/Secure-my-Pi/blob/master/scripts/pi-cleaner.sh) and place it in the `scripts` folder in the Pi's home directory. Also create the folders `scripts` and `logs` in the home directory if they don't exist yet.
- Edit your crontab to schedule regular execution of the script using `sudo crontab -u root -e`.
- Add this line: `0 4 * * * sudo bash /home/pi/scripts/pi-cleaner.sh >/home/pi/logs/pi-cleaner.log 2>&1`. This line means that it will run the cleaner every night at 4 am and write its output (including errors!) to a log file.
- If you want an email of the log, add this line: `0 7 * * SUN sudo /usr/sbin/ssmtp dummy@example.com < /home/pi/logs/pi-cleaner.log`. This line means that the log file created in the step above will be emailed to you every Sunday at 7 am.

This script also includes a daily reboot. Sometimes the DNS services get cluttered somehow, and a reboot just fixes that.

## Back-up the SD-card
Once in a while backing up your SD card might be smart, especially when you have the tendency to tinker with it :). The steps below can help you do this.

- Download, install and start Win32DiskImager: https://sourceforge.net/projects/win32diskimager/
- Insert the SD card in your computer; remember, you might need an SD card adapter for that.
- At `Image File`, browse to your desired location and give it a name, for example: `yyyy-mm-dd Backup Pi.img`.
- At `Device`: select the drive which holds the SD card.
- Press the `Read` button.

When you need to restore it, you can reverse the process. Select the `yyyy-mm-dd Backup Pi.img` file, the SD card as the destination and press `Write`.

# Done
- This part is done now, so do a reboot: `sudo reboot`

--------------------------------------------------------------------------------
/4-appendix-crontab.md:
--------------------------------------------------------------------------------
```
MAILTO=dummy@example.com
#
# m h dom mon dow command
#
# Create Pi Daily Log Folder (daily)
0 1 * * * sudo mkdir /home/pi/logs/`date +\%Y-\%m-\%d`
#
# Pi Security Scan (daily)
0 3 * * * sudo bash /home/pi/scripts/pi-security-scan.sh >/home/pi/logs/`date +\%Y-\%m-\%d`/pi-security-scan.log 2>&1
0 7 * * * sudo /usr/sbin/ssmtp dummy@example.com < /home/pi/logs/`date +\%Y-\%m-\%d`/pi-security-scan.log
#
# Pi Cleaner (daily)
0 4 * * * sudo bash /home/pi/scripts/pi-cleaner.sh >/home/pi/logs/`date +\%Y-\%m-\%d`/pi-cleaner.log 2>&1
0 7 * * * sudo /usr/sbin/ssmtp dummy@example.com < /home/pi/logs/`date +\%Y-\%m-\%d`/pi-cleaner.log
#
# Pi Update (weekly)
0 5 * * SUN sudo bash /home/pi/scripts/pi-update.sh >/home/pi/logs/`date +\%Y-\%m-\%d`/pi-update.log 2>&1
0 7 * * SUN sudo /usr/sbin/ssmtp dummy@example.com < /home/pi/logs/`date +\%Y-\%m-\%d`/pi-update.log
#
# Pi Audit (weekly)
0 5 * * MON sudo bash /home/pi/scripts/pi-audit.sh >/home/pi/logs/`date +\%Y-\%m-\%d`/pi-audit.log 2>&1
0 7 * * MON sudo /usr/sbin/ssmtp dummy@example.com < /home/pi/logs/`date +\%Y-\%m-\%d`/pi-audit.log
```

--------------------------------------------------------------------------------
/5-Skipped.md:
--------------------------------------------------------------------------------
**Table of Contents**
- [Introduction](https://github.com/teusink/Home-Security-by-Pi/blob/master/README.md)
- [1 - Installation](https://github.com/teusink/Home-Security-by-Pi/blob/master/1-Installation.md)
- [2 - Configuration](https://github.com/teusink/Home-Security-by-Pi/blob/master/2-Configuration.md)
- [3 - Hardening](https://github.com/teusink/Home-Security-by-Pi/blob/master/3-Hardening.md)
- [4 - Maintenance](https://github.com/teusink/Home-Security-by-Pi/blob/master/4-Maintenance.md)
- 5 - Skipped
- [6 - Common issues](https://github.com/teusink/Home-Security-by-Pi/blob/master/6-Common-issues.md)

# Skipped
There were also security configurations suggested by others on the web that I skipped. I will try to be as complete as possible about what I did not include and why. If you feel something should be included, please open an issue [here](https://github.com/teusink/Home-Security-by-Pi/issues).

| Did not include | Why not? | Source for: Why not | Source for: Why it should |
| --- | --- | --- | --- |
| Add `sudo apt-get dist-upgrade` in unattended patching | The command `sudo apt-get dist-upgrade` might add or, even worse, remove packages you don't want to be added or removed. I made it an option in the shell script for updates: `sudo bash ./pi-update.sh dist-upgrade` | [askubuntu.com](https://askubuntu.com/questions/601/the-following-packages-have-been-kept-back-why-and-how-do-i-solve-it) | [raspberrypi.org](https://www.raspberrypi.org/documentation/raspbian/updating.md) |
| SSH keys with remote management | Generating SSH keys was a step too far in the trade-off for usability, in the context that this Pi is never ever meant to be directly connected to the Internet, other than through VPN. I would say username and password with fail2ban is good enough considering the use case. | N/A | [Jacob Salmela, PDF](http://users.telenet.be/MySQLplaylist/pi-hole.pdf) |
| Tripwire, host-based IDS | Although Tripwire and similar tools are cool, they are a bit too steep for the use case of this Pi. It is not directly connected to the Internet (apart from OpenVPN) and therefore the risk is not as great as when it is connected to the Internet | N/A | N/A |
| Using non-default TCP/UDP ports for services | Although it is often advised, I keep using default ports (like 22 for SSH and 1194 for OpenVPN). There is no security through obscurity. It makes the life of a malicious hacker more difficult with non-default ports, but only for like 30 seconds or so. | N/A | N/A |
| Harden SSH configuration: TCPKeepAlive (YES --> NO) | By setting it to no, active user sessions may linger while they are not in use. To clean up the resources automatically I chose to keep it at Yes | [SSH manual](https://www.ssh.com/ssh/config/) | [Lynis system audit](https://cisofy.com/controls/SSH-7408/) |
| Install libpam-usb to enable multi-factor authentication for PAM sessions | Because this is MFA with a physical USB key, it is not a convenient one: you either need to leave it plugged in permanently (which in essence defeats the purpose) or suffer from a lack of remote management. So I did not include it. | [Debian package info](https://packages.debian.org/sid/libpam-usb) | Lynis system audit |
| Use a PAE enabled kernel when possible to gain native No eXecute/eXecute Disable support | I'd rather leave any and all kernel management to Raspbian themselves :) | N/A | [Lynis system audit](https://cisofy.com/controls/KRNL-5677/) |
| Link /vmlinuz is missing. Consider manually re-linking. | I'd rather leave any and all kernel management to Raspbian themselves :) | N/A | [Lynis system audit](https://cisofy.com/controls/KRNL-5788/) |
| Lynis advises several package manager tools, such as critical bug reports, checksum checker, and more. | Although such tools come in handy in general, this Pi has a fixed state and, in addition, packages are updated automatically and reboots always happen. There is not so much added value in these tools. | N/A | [debian-goodies](https://packages.debian.org/wheezy/debian-goodies) & [apt-listbugs](https://packages.debian.org/sid/apt-listbugs) & [debsums](https://packages.debian.org/stretch/debsums) |
| Install a PAM module for password strength testing like pam_cracklib or pam_passwdqc | There is only one account and you can use a tool online/offline to generate that random strong password. With multiple accounts it is really wise to do this, but as this is a headless unit offering some network services, it is overkill. | N/A | [Lynis system audit](https://cisofy.com/controls/AUTH-9262/) |
| Configure a minimum and maximum password age in /etc/login.defs | Password aging is old advice and the world has changed. A password must be unique and long (preferably a passphrase or randomly generated). Changing them regularly, while using brute-force limiters, doesn't do any good other than creating work. | [The man who put us through password hell regrets everything](https://www.engadget.com/2017/08/08/nist-new-password-guidelines/) | [Lynis system audit](https://cisofy.com/controls/AUTH-9286/) |
| Add a legal banner to /etc/issue and /etc/issue.net, to warn unauthorized users | I am going to skip this. Logging into the system is only possible when on the LAN (either directly or through VPN). And as I am the only admin of this device, putting up a legal banner is kinda silly. And any malicious hacker is going to ignore it anyway. | N/A | Lynis system audit [1](https://cisofy.com/controls/BANN-7126/) & [2](https://cisofy.com/controls/BANN-7130/) |
| Default umask in /etc/login.defs could be more strict like 027 | Default umask is now 0022 (the default of Debian Stretch for Raspbian, I presume). The advisory states that a stricter umask is important on multi-user servers, to make sure that accidental traversing of directories and reading of files won't happen. This is a device with a single user and without file-server usage. So I leave it as it is to prevent unintended failures with software specifically for the Raspberry Pi. | N/A | [Lynis system audit](https://cisofy.com/controls/AUTH-9328/) |
| Use ClamAV to fight off viruses | It was included in this guide at first, but later removed. The ClamAV service uses much memory (500+ MB out of the 1 GB!). In order to compensate for the (slightly) higher risk, some other software packages and Samba were removed. | [Issue 29](https://github.com/teusink/Home-Security-by-Pi/issues/29) | N/A |
| Use different partitions for /var, /home and /tmp | I looked into this and also observed the disk usage in these directories on my long(er) running Pi. And while partitioning these directories is really a good practice, it does not come by default with the standard Raspbian. And I did not want to interfere too much with the defaults. And since there is a script to clean up the Pi, this is not an issue. | N/A | [Lynis system audit](https://cisofy.com/controls/FILE-6310/) |
| Disable USB-storage drivers | USB is a key factor that often comes into play with hacking attacks, especially on user endpoints. I do not consider this Pi an endpoint and, in the case of the Pi, I can come up with a multitude of uses that would require USB. Think of extra storage if you want to do more. A mitigating factor already in place is Rootkit Hunter and the fact that you need physical access. So I keep them enabled. | N/A | [Lynis system audit](https://cisofy.com/controls/STRG-1840/) |

--------------------------------------------------------------------------------
/6-Common-issues.md:
--------------------------------------------------------------------------------
**Table of Contents**
- [Introduction](https://github.com/teusink/Home-Security-by-Pi/blob/master/README.md)
- [1 - Installation](https://github.com/teusink/Home-Security-by-Pi/blob/master/1-Installation.md)
- [2 - Configuration](https://github.com/teusink/Home-Security-by-Pi/blob/master/2-Configuration.md)
- [3 - Hardening](https://github.com/teusink/Home-Security-by-Pi/blob/master/3-Hardening.md)
- [4 - Maintenance](https://github.com/teusink/Home-Security-by-Pi/blob/master/4-Maintenance.md)
- [5 - Skipped](https://github.com/teusink/Home-Security-by-Pi/blob/master/5-Skipped.md)
- 6 - Common issues
  - [6.1 - Repair Pi-hole](#repair-pi-hole)
  - [6.2 - Removed packages not purged yet](#removed-packages-not-purged-yet)
  - [6.3 - Package kept back](#package-kept-back)
  - [6.4 - Package integrity issues](#package-integrity-issues)
  - [6.5 - VPN CRL expired](#vpn-crl-expired)
  - [6.6 - Pi-greeter config file modified](#pi-greeter-config-file-modified)
  - [6.7 - DNS does not resolve](#dns-does-not-resolve)

# Common issues
In this part of the guide, common issues (and their solutions) you might run into are described.

## Information Sources
- Regenerate CRL for VPN: https://github.com/pivpn/pivpn/issues/343

## Repair Pi-hole
If for some reason your Pi-hole gives errors (for instance when updating), try repairing first.
- If you use Cloudflared: change the nameserver to `1.1.1.1` as the resolver with `sudo nano /etc/resolv.conf`.
- Execute the repair with `sudo pihole -r`.
- If you use Cloudflared: change the nameserver back to `127.0.0.1` as the resolver with `sudo nano /etc/resolv.conf`.
- And then do a reboot: `sudo reboot`.

## Removed packages not purged yet
Sometimes (dependency) packages can be left behind when removed. You can still purge them.
- Check with this whether there are any packages that need to be purged: `dpkg --get-selections | grep deinstall`.
- You can remove the listed packages with: `sudo apt-get purge <package>`.
- After following this guide, it is likely that a good number of packages can be purged. Do that automatically with the following command:

```
sudo apt-get purge -y $(dpkg -l | grep '^rc' | awk '{print $2}')
```

## Package kept back
Sometimes you will see in your log that a package has been kept back by the command `sudo apt-get upgrade`. The best way is to fix this manually with the following command:
- `sudo apt-get install <package>`

This could be automated with `sudo apt-get dist-upgrade`, but read [here](https://github.com/teusink/Home-Security-by-Pi/blob/master/5-Skipped.md) why I did not opt in for that (it is an option in the pi-update.sh script though).

## Package integrity issues
I faced some package integrity issues after an upgrade. You can fix those with the following command:
- `sudo apt-get install --reinstall <package>`

That way the packages are reinstalled, regardless of whether you have the latest version or not.

## VPN CRL expired
It is possible that you face connection issues with your VPN after an upgrade of your system. Execute the steps below in your terminal to fix that.
- Check the service status: `sudo systemctl status openvpn@server.service`
- Verify that it shows the following error: `VERIFY ERROR: depth=0, error=CRL has expired: CN=xxx`
- Go to the directory: `cd /etc/openvpn/easy-rsa`
- Generate a new CRL: `sudo ./easyrsa gen-crl`
- Verify that the configured path is correct (`/etc/openvpn/crl.pem`): `sudo cat ../server.conf | grep "crl-verify"`
- Copy the new CRL to that directory: `sudo cp /etc/openvpn/easy-rsa/pki/crl.pem ../crl.pem`
- Restart the service: `sudo systemctl restart openvpn@server.service`

New VPN connections can be initiated again.

## Pi-greeter config file modified
An update to the system might give this message when using apt-get:

```
Setting up pi-greeter (0.9) ...

Configuration file '/etc/lightdm/pi-greeter.conf'
==> Modified (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** pi-greeter.conf (Y/I/N/O/D/Z) [default=N] ?
```

In this case it was about the wallpaper that had been changed. Either keeping your own or the maintainer's version would suffice.

## DNS does not resolve
This might be caused by the system time being out of sync, for instance because the Pi was switched off for some time. When that happens, the DNS lookup of the time servers doesn't work either. This can be fixed by doing the following in the CLI: `sudo date --set '2018-12-31 23:59:00'` (obviously change the date and time to the present date and time). Then reboot with `sudo reboot`.

Resolving should work again now.

# Done
- This part is done.

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2017 Joram Teusink

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Home-Security-by-Pi
Description of how I configured the installation and security of a Raspberry Pi and how I keep it fit for use and purpose.

**Table of Contents**
- Introduction
  - [The Scope](#the-scope)
  - [The Hardware](#the-hardware)
  - [The Software](#the-software)
  - [Steps to take](#steps-to-take)
- [1 - Installation](https://github.com/teusink/Home-Security-by-Pi/blob/master/1-Installation.md)
- [2 - Configuration](https://github.com/teusink/Home-Security-by-Pi/blob/master/2-Configuration.md)
- [3 - Hardening](https://github.com/teusink/Home-Security-by-Pi/blob/master/3-Hardening.md)
- [4 - Maintenance](https://github.com/teusink/Home-Security-by-Pi/blob/master/4-Maintenance.md)
- [5 - Skipped](https://github.com/teusink/Home-Security-by-Pi/blob/master/5-Skipped.md)
- [6 - Common issues](https://github.com/teusink/Home-Security-by-Pi/blob/master/6-Common-issues.md)

# Introduction
The goal of this project is to make a secure (or at least secure within a reasonable amount of effort) Raspberry Pi with the following network features: Pi-hole DNS resolver, DNSSEC, DNS-over-HTTPS, DHCP, and an OpenVPN server. As I gain new insights, features may be removed or added.

My other goal is to gain a good understanding of DNS, hardening and other security-related aspects of network security. I think that as an Information Security Officer and Director of the cybersecurity company [MITE3 Cybersecurity](https://www.mite3.nl/en/) it is important to keep up (general) knowledge about technology and its security.

## The Scope
Scope is an important part of this project. Otherwise you can endlessly install security tools and solutions, which in the end all have a trade-off. This might be resources and performance, but also your own precious time to keep it all running :).

The constraints are:
- Apart from OpenVPN, there is nothing that can be reached from the outside world. In this guide I assume that there is a network firewall present between the Internet and the actual Pi.
- The networking services this device delivers are meant to enhance the security of other network-connected devices in a non-intrusive manner.
- And although this device delivers its services in a (reasonably) secure way, it is not meant to be a device that delivers security services by itself, such as network scanning and vulnerability scans.
- It is meant for home or small-office use. Larger companies or institutions should look at other solutions to protect their people.

## The Hardware
The hardware I use consists of the following components:
- Raspberry Pi 3 Model B 1GB
- SDHC card Class 10 - 16GB

The costs: ~ € 70,-

## The Software
The base image that is used to build this guide is the following:
- Image with desktop based on Debian Stretch
- Version: November 2017
- Release date: 2017-11-29
- Kernel version: 4.9

Note: there are no indications that newer versions of Debian Stretch cause glitches with this guide. But if so, please let me know!

# Word of thanks
A special word of thanks goes to Jacob Salmela with his up-to-date [manual](http://users.telenet.be/MySQLplaylist/pi-hole.pdf) (PDF). This guide is inspired by his, although I go a step further in terms of features. Nevertheless, his contribution to (not only) this guide is worth my sincere gratitude. Thanks!

# Licensing
All the licensing and copyrights of any of the code and applications belong to their respective owners. All other coding falls under the MIT license: https://github.com/teusink/Home-Security-by-Pi/blob/master/LICENSE

Feel free to remake, reshape and reuse whatever you like or need.
--------------------------------------------------------------------------------
/scripts/pi-audit.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# The To/From/Subject lines form a mail header, so the output can be piped to a mailer.
# HOSTNAME is not set by dash (Raspbian's /bin/sh); fall back to hostname(1).
HOSTNAME=${HOSTNAME:-$(hostname)}
echo To: dummy@example.com
echo From: dummy@example.com
echo "Subject: Raspberry Pi [$HOSTNAME] - Audit-log: $(date)"
echo
echo "Raspberry Pi [$HOSTNAME] - Audit-log: $(date)"
echo
echo
echo ✓ Initiating packages update...........
echo ---------------------------------------
nice -n 19 sudo apt-get update
sudo apt-get install -y --only-upgrade lynis debsecan
echo ---------------------------------------
echo
echo ✓ Lynis Audit..........................
echo ---------------------------------------
nice -n 19 sudo lynis audit system --pentest --nocolors
echo ---------------------------------------
echo
echo ✓ Debsecan Audit.......................
echo ---------------------------------------
nice -n 19 sudo debsecan --only-fixed --suite sid --format detail
echo ---------------------------------------
--------------------------------------------------------------------------------
/scripts/pi-cleaner.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# The To/From/Subject lines form a mail header, so the output can be piped to a mailer.
# HOSTNAME is not set by dash (Raspbian's /bin/sh); fall back to hostname(1).
HOSTNAME=${HOSTNAME:-$(hostname)}
echo To: dummy@example.com
echo From: dummy@example.com
echo "Subject: Raspberry Pi [$HOSTNAME] - Cleaning-log: $(date)"
echo
echo "Raspberry Pi [$HOSTNAME] - Cleaning-log: $(date)"
echo
echo
echo ✓ Clean dead.letter email file.........
echo ---------------------------------------
# -f: do not report an error when there is no dead.letter file
nice -n 19 sudo rm -f /home/pi/dead.letter
echo ---------------------------------------
echo
echo ✓ Clean 7 days old downloaded files....
echo ---------------------------------------
nice -n 19 sudo tmpreaper 7d /home/pi/Downloads --showdeleted
echo ---------------------------------------
echo
echo ✓ Clean 30 days old config files.......
echo ---------------------------------------
nice -n 19 sudo tmpreaper 30d /home/pi/oldconffiles --showdeleted
echo ---------------------------------------
echo
echo ✓ Clean 1 day old /tmp files.....
echo ---------------------------------------
nice -n 19 sudo tmpreaper 1d /tmp --showdeleted
echo ---------------------------------------
echo
echo ✓ Clean 30 days old /home/pi/logs/ files.....
echo ---------------------------------------
nice -n 19 sudo tmpreaper 30d /home/pi/logs/ --showdeleted
echo ---------------------------------------
echo
echo ✓ Clean 30 days old /var/tmp files.....
#### WARNING: /tmp gets cleaned upon reboot, but /var/tmp needs to be more persistent!
echo ---------------------------------------
nice -n 19 sudo tmpreaper 30d /var/tmp --showdeleted
echo ---------------------------------------
echo
# Monthly tasks run on the first day of the month. POSIX test(1) compares with a single '=',
# not '==' (which fails under dash).
if [ "$(date +%d)" = "01" ]
then
echo ✓ Monthly clean-up old package files...
echo ---------------------------------------
sudo apt-get clean
# Purge packages that were removed but still have configuration files left ('rc' state)
sudo apt-get purge -y $(dpkg -l | grep '^rc' | awk '{print $2}')
echo ---------------------------------------
echo
echo ✓ Monthly clean-up of /boot.bak, remnant from upgrade
echo ---------------------------------------
if [ -d /boot.bak ]
then
nice -n 19 sudo rm /boot.bak -r -d -v
else
echo ✗ Directory /boot.bak does not exist
fi
echo ---------------------------------------
else
echo "✗ Monthly clean-up of files not needed, it is day $(date +%d)"
fi
echo
if [ "$1" = "no-reboot" ]
then
echo "✗ Skipping reboot @ $(date)"
else
echo "✓ Initiating reboot @ $(date)"
sudo reboot
fi
--------------------------------------------------------------------------------
/scripts/pi-security-scan.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# The To/From/Subject lines form a mail header, so the output can be piped to a mailer.
# HOSTNAME is not set by dash (Raspbian's /bin/sh); fall back to hostname(1).
HOSTNAME=${HOSTNAME:-$(hostname)}
echo To: dummy@example.com
echo From: dummy@example.com
echo "Subject: Raspberry Pi [$HOSTNAME] - Rootkit-detection-log: $(date)"
echo
echo "Raspberry Pi [$HOSTNAME] - Rootkit-detection-log: $(date)"
echo
echo
echo ✓ Initiating packages update...........
echo ---------------------------------------
nice -n 19 sudo apt-get update
sudo apt-get install -y --only-upgrade chkrootkit rkhunter
echo ---------------------------------------
echo
echo ✓ Initiating rkhunter database refresh.
echo ---------------------------------------
# Refresh the file-property baseline after the package upgrades above, so that
# legitimately changed binaries are not reported as tampered with
nice -n 19 sudo rkhunter --propupd --nocolors
echo ---------------------------------------
echo
echo ✓ Initiating rkhunter database update..
echo ---------------------------------------
nice -n 19 sudo rkhunter --update --nocolors
echo ---------------------------------------
echo
if [ "$1" = "no-scan" ]
then
echo "✗ Skipping scans @ $(date)"
else
echo "✓ Initiating Rootkit Hunter scan @ $(date)"
echo ---------------------------------------
# --sk: skip keypress prompts, --rwo: report warnings only
nice -n 19 sudo rkhunter --check --sk --rwo --enable all --nocolors
echo ---------------------------------------
echo
echo "✓ Initiating chkrootkit scan @ $(date)"
echo ---------------------------------------
nice -n 19 sudo chkrootkit -q
echo ---------------------------------------
fi
--------------------------------------------------------------------------------
/scripts/pi-update.sh:
--------------------------------------------------------------------------------
#!/bin/sh
# The To/From/Subject lines form a mail header, so the output can be piped to a mailer.
# HOSTNAME is not set by dash (Raspbian's /bin/sh); fall back to hostname(1).
HOSTNAME=${HOSTNAME:-$(hostname)}
echo To: dummy@example.com
echo From: dummy@example.com
echo "Subject: Raspberry Pi [$HOSTNAME] - Update-log: $(date)"
echo
echo "Raspberry Pi [$HOSTNAME] - Update-log: $(date)"
echo
echo
echo ✓ Initiating packages-list update......
echo ---------------------------------------
nice -n 19 sudo apt-get update
echo ---------------------------------------
echo
# Optional arguments (in any order, up to three): dist-upgrade, rpi-update, no-reboot
if [ "$1" = "dist-upgrade" ] || [ "$2" = "dist-upgrade" ] || [ "$3" = "dist-upgrade" ]
then
echo ⚠ Initiating distribution upgrade......
echo ---------------------------------------
sudo apt-get dist-upgrade -y
echo ---------------------------------------
else
echo ✓ Initiating packages upgrade..........
echo ---------------------------------------
sudo apt-get upgrade -y
echo ---------------------------------------
fi
echo
if [ "$1" = "rpi-update" ] || [ "$2" = "rpi-update" ] || [ "$3" = "rpi-update" ]
then
echo ⚠ Initiating Pi Firmware update........
echo ---------------------------------------
sudo PRUNE_MODULES=1 rpi-update
echo ---------------------------------------
else
echo ✓ Skipping Pi Firmware update.......
fi
echo
echo ✓ Initiating packages autoremove.......
echo ---------------------------------------
sudo apt-get autoremove -y --purge
echo ---------------------------------------
echo
echo ✓ Initiating packages autoclean........
echo ---------------------------------------
sudo apt-get autoclean -y
echo ---------------------------------------
echo
echo ✓ Initiating Pi-hole update............
echo ---------------------------------------
sudo pihole -up -g
echo ---------------------------------------
echo
echo ✓ Initiating Cloudflared update........
echo ---------------------------------------
sudo cloudflared update
echo ---------------------------------------
echo
if [ "$1" = "no-reboot" ] || [ "$2" = "no-reboot" ] || [ "$3" = "no-reboot" ]
then
echo "✗ Skipping reboot @ $(date)"
else
echo "✓ Initiating reboot @ $(date)"
sudo reboot
fi
--------------------------------------------------------------------------------
/scripts/pop-ip4tables.sh:
--------------------------------------------------------------------------------
#!/bin/bash
### IPv4 Firewall Rules ###

## tun0: OpenVPN
## eth0: LAN

# This script needs to be executed with `sudo`

# Flush all current rules (comment this to disable it)
iptables -F
iptables -X

## DEFAULT MODUS OPERANDI

# Drop everything (we are going for allowlisting)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# Drop Invalid Packets
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP

# Drop all ANY queries to the DNS server to prevent DDoS DNS amplification attacks
# (pattern: QNAME terminator 00, QTYPE 00FF = ANY, QCLASS 0001 = IN)
iptables -A INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
iptables -A INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 1 -j DROP
iptables -A INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -j DROP

# Drop all Guest-network packets - WARNING: change this to your guest-network range
iptables -A INPUT -s 192.168.1.0/24 -j DROP

# Accept all already established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop everything that comes from Bogon-addresses - WARNING: THIS CAN SLOW DOWN FIREWALL SIGNIFICANTLY
#iptables -A INPUT -s 0.0.0.0/0 -j DROP # Default (can be advertised in BGP if desired)
#iptables -A INPUT -s 0.0.0.0/8 -j DROP # Self identification (RFC 1700)
#iptables -A INPUT -s 0.0.0.0/32 -j DROP # Broadcast
#iptables -A INPUT -s 10.0.0.0/8 -j DROP # Private Networks (RFC 1918)
#iptables -A INPUT -s 39.0.0.0/8 -j DROP # IANA Reserved (RFC 3330)
#iptables -A INPUT -s 127.0.0.0/8 -j DROP # Loopback (RFC 1700)
#iptables -A INPUT -s 128.0.0.0/16 -j DROP # IANA Reserved (RFC 3330)
#iptables -A INPUT -s 169.254.0.0/16 -j DROP # Local (RFC 3330)
#iptables -A INPUT -s 172.16.0.0/12 -j DROP # Private Networks (RFC 1918)
#iptables -A INPUT -s 191.255.0.0/16 -j DROP # IANA Reserved (RFC 3330)
#iptables -A INPUT -s 192.0.0.0/24 -j DROP # IANA Reserved (RFC 3330)
#iptables -A INPUT -s 192.0.2.0/24 -j DROP # Test-Net (RFC 3330)
#iptables -A INPUT -s 192.168.0.0/16 -j DROP # Private Networks (RFC 1918)
#iptables -A INPUT -s 198.18.0.0/15 -j DROP # Network Interconnect Device Benchmark Testing (RFC 2544)
#iptables -A INPUT -s 223.255.255.0/24 -j DROP # IANA Reserved (RFC 3330)
#iptables -A INPUT -s 224.0.0.0/4 -j DROP # Multicast (RFC 3171)
#iptables -A INPUT -s 240.0.0.0/4 -j DROP # IANA Reserved (RFC 3330)

# Block incoming HTTPS requests which Pi-hole can't handle (anywhere)
iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset

## REQUIRED FOR SYSTEM

# Forward VPN Traffic
iptables -A FORWARD -i tun0 -j ACCEPT
iptables -A FORWARD -o tun0 -j ACCEPT

# Allow loopback traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow ICMP
iptables -A INPUT -p icmp -j ACCEPT
iptables -A OUTPUT -p icmp -j ACCEPT

## REQUIRED FOR SERVICES DELIVERED BY PI

# Allow DNS & DNS-over-TLS - incoming & outgoing
iptables -A INPUT -p tcp --match multiport --dports 53,853 -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --match multiport --dports 53,853 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Allow DHCP & DHCPv6 - incoming & outgoing
iptables -A INPUT -p udp --match multiport --dports 67,68,546,547 -j ACCEPT
iptables -A INPUT -p tcp --match multiport --dports 546,547 -j ACCEPT
iptables -A OUTPUT -p udp --match multiport --dports 67,68,546,547 -j ACCEPT
iptables -A OUTPUT -p tcp --match multiport --dports 546,547 -j ACCEPT

# Allow NTP - outgoing
iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

# Allow OpenVPN - incoming & outgoing
iptables -A INPUT -p tcp --dport 1194 -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 1194 -j ACCEPT
iptables -A OUTPUT -p udp --dport 1194 -j ACCEPT

# Allow HTTP - incoming
iptables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow HTTPS - incoming - WARNING: By default Pi-hole GUI does not utilize https
#iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow VNC - incoming & outgoing
iptables -A INPUT -p tcp --match multiport --dports 5900:5903 -j ACCEPT
iptables -A OUTPUT -p tcp --match multiport --dports 5900:5903 -j ACCEPT

# Allow SSH - incoming & outgoing
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT

## REQUIRED FOR SERVICES NEEDED BY PI

# Allow HTTP (LAN) - outgoing
iptables -A OUTPUT -o eth0 -p tcp --match multiport --dports 80,8080,8880 -j ACCEPT

# Allow HTTPS (LAN) - outgoing
iptables -A OUTPUT -o eth0 -p tcp --match multiport --dports 443,8443 -j ACCEPT

# Allow SMTP-over-TLS (LAN) - outgoing
iptables -A OUTPUT -o eth0 -p tcp --match multiport --dports 465,587 -j ACCEPT

# Allow (s)FTP(S) (LAN) - outgoing
#iptables -A OUTPUT -o eth0 -p tcp --match multiport --dports 21,22,989,990 -j ACCEPT
#iptables -A OUTPUT -o eth0 -p udp --match multiport --dports 989,990 -j ACCEPT

## TEST PHASE

echo New iptables rule-set is:
echo -------------------------
iptables -L --line-numbers
echo -------------------------
echo
echo Now test the functionality of your Pi-hole yourself!
echo - If anything is faulty, just restart your Pi.
echo - If all looks well, run [sudo netfilter-persistent save] to make it persist through reboot.
--------------------------------------------------------------------------------
/scripts/pop-ip6tables.sh:
--------------------------------------------------------------------------------
#!/bin/bash
### IPv6 Firewall Rules ###

## tun0: OpenVPN
## eth0: LAN

# This script needs to be executed with `sudo`

# Flush all current rules (comment this to disable it)
ip6tables -F
ip6tables -X

## DEFAULT MODUS OPERANDI

# Drop everything (we are going for allowlisting)
ip6tables -P INPUT DROP
ip6tables -P OUTPUT DROP
ip6tables -P FORWARD DROP

# Drop Invalid Packets
ip6tables -A INPUT -m conntrack --ctstate INVALID -j DROP
ip6tables -A OUTPUT -m conntrack --ctstate INVALID -j DROP

# Drop all ANY queries to the DNS server to prevent DDoS DNS amplification attacks
# (pattern: QNAME terminator 00, QTYPE 00FF = ANY, QCLASS 0001 = IN)
ip6tables -A INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --set --name dnsanyquery
ip6tables -A INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -m recent --name dnsanyquery --rcheck --seconds 60 --hitcount 1 -j DROP
ip6tables -A INPUT -p udp --dport 53 -m string --from 50 --algo bm --hex-string '|0000FF0001|' -j DROP

# Drop all Guest-network packets - WARNING: change this to your guest-network range
#ip6tables -A INPUT -s 2001:DB8::/32 -j DROP

# Accept all already established connections
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop everything that comes from Bogon-addresses - WARNING: THIS CAN SLOW DOWN FIREWALL SIGNIFICANTLY
#ip6tables -A INPUT -s ::/0 -j DROP # Default (can be advertised as a route in BGP to peers if desired)
#ip6tables -A INPUT -s ::/96 -j DROP # IPv4-compatible IPv6 address – deprecated by RFC4291
#ip6tables -A INPUT -s ::/128 -j DROP # Unspecified address
#ip6tables -A INPUT -s ::1/128 -j DROP # Local host loopback address
#ip6tables -A INPUT -s ::ffff:0.0.0.0/96 -j DROP # IPv4-mapped addresses
#ip6tables -A INPUT -s ::224.0.0.0/100 -j DROP # Compatible address (IPv4 format)
#ip6tables -A INPUT -s ::127.0.0.0/104 -j DROP # Compatible address (IPv4 format)
#ip6tables -A INPUT -s ::0.0.0.0/104 -j DROP # Compatible address (IPv4 format)
#ip6tables -A INPUT -s ::255.0.0.0/104 -j DROP # Compatible address (IPv4 format)
#ip6tables -A INPUT -s 0000::/8 -j DROP # Pool used for unspecified, loopback and embedded IPv4 addresses
#ip6tables -A INPUT -s 0200::/7 -j DROP # OSI NSAP-mapped prefix set (RFC4548) – deprecated by RFC4048
#ip6tables -A INPUT -s 3ffe::/16 -j DROP # Former 6bone, now decommissioned
#ip6tables -A INPUT -s 2001:db8::/32 -j DROP # Reserved by IANA for special purposes and documentation
#ip6tables -A INPUT -s 2002:e000::/20 -j DROP # Invalid 6to4 packets (IPv4 multicast)
#ip6tables -A INPUT -s 2002:7f00::/24 -j DROP # Invalid 6to4 packets (IPv4 loopback)
#ip6tables -A INPUT -s 2002:0000::/24 -j DROP # Invalid 6to4 packets (IPv4 default)
#ip6tables -A INPUT -s 2002:ff00::/24 -j DROP # Invalid 6to4 packets
#ip6tables -A INPUT -s 2002:0a00::/24 -j DROP # Invalid 6to4 packets (IPv4 private 10.0.0.0/8 network)
#ip6tables -A INPUT -s 2002:ac10::/28 -j DROP # Invalid 6to4 packets (IPv4 private 172.16.0.0/12 network)
#ip6tables -A INPUT -s 2002:c0a8::/32 -j DROP # Invalid 6to4 packets (IPv4 private 192.168.0.0/16 network)
#ip6tables -A INPUT -s fc00::/7 -j DROP # Unicast Unique Local Addresses (ULA) – RFC 4193
#ip6tables -A INPUT -s fe80::/10 -j DROP # Link-local Unicast
#ip6tables -A INPUT -s fec0::/10 -j DROP # Site-local Unicast – deprecated by RFC 3879 (replaced by ULA)
#ip6tables -A INPUT -s ff00::/8 -j DROP # Multicast

# Block incoming HTTPS requests which Pi-hole can't handle (anywhere)
ip6tables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset

## REQUIRED FOR SYSTEM

# Forward VPN Traffic
ip6tables -A FORWARD -i tun0 -j ACCEPT
ip6tables -A FORWARD -o tun0 -j ACCEPT

# Allow loopback traffic
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow ICMPv6 (required for neighbour discovery and path MTU discovery)
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A OUTPUT -p ipv6-icmp -j ACCEPT

## REQUIRED FOR SERVICES DELIVERED BY PI

# Allow DNS & DNS-over-TLS - incoming & outgoing
ip6tables -A INPUT -p tcp --match multiport --dports 53,853 -j ACCEPT
ip6tables -A INPUT -p udp --dport 53 -j ACCEPT
ip6tables -A OUTPUT -p tcp --match multiport --dports 53,853 -j ACCEPT
ip6tables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Allow DHCP & DHCPv6 - incoming & outgoing
ip6tables -A INPUT -p udp --match multiport --dports 67,68,546,547 -j ACCEPT
ip6tables -A INPUT -p tcp --match multiport --dports 546,547 -j ACCEPT
ip6tables -A OUTPUT -p udp --match multiport --dports 67,68,546,547 -j ACCEPT
ip6tables -A OUTPUT -p tcp --match multiport --dports 546,547 -j ACCEPT

# Allow NTP - outgoing
ip6tables -A OUTPUT -p udp --dport 123 -j ACCEPT

# Allow OpenVPN - incoming & outgoing
ip6tables -A INPUT -p tcp --dport 1194 -j ACCEPT
ip6tables -A INPUT -p udp --dport 1194 -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 1194 -j ACCEPT
ip6tables -A OUTPUT -p udp --dport 1194 -j ACCEPT

# Allow HTTP - incoming
ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT

# Allow HTTPS - incoming - WARNING: By default Pi-hole GUI does not utilize https
#ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow VNC - incoming & outgoing
ip6tables -A INPUT -p tcp --match multiport --dports 5900:5903 -j ACCEPT
ip6tables -A OUTPUT -p tcp --match multiport --dports 5900:5903 -j ACCEPT

# Allow SSH - incoming & outgoing
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A OUTPUT -p tcp --dport 22 -j ACCEPT

## REQUIRED FOR SERVICES NEEDED BY PI

# Allow HTTP (LAN) - outgoing
ip6tables -A OUTPUT -o eth0 -p tcp --match multiport --dports 80,8080,8880 -j ACCEPT

# Allow HTTPS (LAN) - outgoing
ip6tables -A OUTPUT -o eth0 -p tcp --match multiport --dports 443,8443 -j ACCEPT

# Allow SMTP-over-TLS (LAN) - outgoing
ip6tables -A OUTPUT -o eth0 -p tcp --match multiport --dports 465,587 -j ACCEPT

# Allow (s)FTP(S) (LAN) - outgoing
#ip6tables -A OUTPUT -o eth0 -p tcp --match multiport --dports 21,22,989,990 -j ACCEPT
#ip6tables -A OUTPUT -o eth0 -p udp --match multiport --dports 989,990 -j ACCEPT

## TEST PHASE

echo New ip6tables rule-set is:
echo -------------------------
ip6tables -L --line-numbers
echo -------------------------
echo
echo Now test the functionality of your Pi-hole yourself!
echo - If anything is faulty, just restart your Pi.
echo - If all looks well, run [sudo netfilter-persistent save] to make it persist through reboot.
--------------------------------------------------------------------------------
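Both pop-ip4tables.sh and pop-ip6tables.sh drop DNS ANY queries with `-m string --from 50 --algo bm --hex-string '|0000FF0001|'`, which searches the raw packet from byte 50 (counted from the first byte of the IP header) for the QNAME terminator followed by QTYPE 255 (ANY) and QCLASS 1 (IN). The Python below is an added example, not code from the repository: it builds constructed DNS queries inside a 20-byte IPv4 header plus UDP, emulates the match, and shows that with IPv4 a query for a very short name has its question before offset 50 and is therefore not caught, whereas under a 40-byte IPv6 header the question always begins at offset 60 or later.

```python
import struct

# Bytes the iptables rule searches for: QNAME terminator (00), QTYPE ANY (00FF),
# QCLASS IN (0001). '--from 50' starts the search at byte 50 of the packet,
# counted from the first byte of the IP header.
ANY_PATTERN = bytes.fromhex("0000FF0001")
MATCH_FROM = 50

QTYPE_A = 1
QTYPE_ANY = 255
QCLASS_IN = 1


def encode_qname(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels, zero-terminated."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dns_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def ipv4_udp_packet(payload: bytes, src: str = "192.0.2.10", dst: str = "192.0.2.1") -> bytes:
    """Constructed IPv4 header (20 bytes, no options) + UDP header (8 bytes) to port 53.
    Checksums are left at zero; the string match never looks at them."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + udp + payload


def rule_matches(packet: bytes) -> bool:
    """Emulate '-m string --from 50 --hex-string |0000FF0001|' on a raw IPv4 packet."""
    return packet.find(ANY_PATTERN, MATCH_FROM) != -1


def qname_end_offset(name: str, ip_header_len: int = 20) -> int:
    """Offset of the QNAME terminator, i.e. where the 00 00FF 0001 pattern would start
    for an ANY query of `name`: IP header + UDP (8) + DNS header (12) + label bytes.
    Use ip_header_len=40 for IPv6; the ip6tables rule uses the same --from 50."""
    return ip_header_len + 8 + 12 + len(encode_qname(name)) - 1


if __name__ == "__main__":
    cases = [("example.com", QTYPE_ANY), ("example.com", QTYPE_A), ("a.io", QTYPE_ANY)]
    for name, qtype in cases:
        pkt = ipv4_udp_packet(dns_query(name, qtype))
        kind = "ANY" if qtype == QTYPE_ANY else "A"
        print(f"{name:12s} {kind:3s} qname-end@{qname_end_offset(name):3d} "
              f"(v6: {qname_end_offset(name, 40)})  dropped={rule_matches(pkt)}")
```

Running it shows `example.com ANY` matched at offset 52 and `example.com A` passed, while `a.io ANY` ends its QNAME at offset 45 and slips past the IPv4 rule.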