SSH is convenient to use for monitoring Pi-Hole from a different computer, but is it worth having to poke a hole in my firewall? Unfortunately, I'm not good with logs or iptables and want to keep my setup simple. Advice I've read indicates constant monitoring of logs to check for intrusions. Am I missing out on something good because I'm too lazy to take a few monitoring steps?
How do you update the OS?
How do you update Pi-Hole?
How do you troubleshoot if things get mixed up?
If you're talking local use only then the only firewall you would poke a hole in would be the Raspberry Pi / server Pi-hole is running on (provided it's running one at all). Nothing need be done to the router at all.
If you're worried about security you can look at setting up SSH keys. You can also find tutorials to install / set up fail2ban on the server (locks attempts from an IP after x attempts).
It might be worth looking at Raspberry Pi Connect & Raspberry Pi Connect Lite if you are using a Raspberry Pi.
https://www.raspberrypi.com/documentation/services/connect.html
Edit: I have just installed rpi-connect-lite on a couple of Pis, created a Raspberry Pi ID, linked my Pis to my newly created account, enabled user-lingering on my Pis. It took around 10 minutes.
I now have a link in my browser that allows me to make a secure connection to my Pis for updating and rebooting without making any changes to any firewall.
I can review the history of connections with: journalctl --user --follow --unit rpi-connect --unit rpi-connect-wayvnc
Disregard.
Interesting. Can you explain your point a little further, please?
It isn't so much the needing to set up keys - that's easy enough. It's punching a hole then having to monitor it for exploits.
Is that for when I'm away from the RPi/Pihole to ensure it's working properly? For my particular case that may not be necessary - the only thing Pi-Hole is connected to is the TV and if I'm not here it won't be on. Is there another reason, perhaps?
It saves having a keyboard and screen connected to your Pi. My Pis are headless and without keyboard. I usually connect to them in the same room with ssh so there are no firewall issues. When I am out and about I could use Pi Connect to connect to those Pis but realistically I have no need.
As CallMeCurious said, you don't need to port forward if you're just using SSH locally, and access to the Pi-hole terminal can be very useful (OS and Pi-hole updates, etc), so it's worth enabling for your local network, assuming the only people and devices on it are trusted.
If you do port forwarding and expose SSH to the Internet, you now have to ensure it's kept up to date and use a firewall and keep that up to date too, as well as the OS, etc. I'd honestly advise against it and use one of the safer offerings below. There is also the option of a VPN, such as WireGuard. This does require opening a port, but now you're opening a VPN port instead of an SSH service port, and I think the VPN is a bit safer.
Moto mentioned Pi Connect (full desktop) and Pi Connect Lite (terminal only) which may be perfect for your needs. I've not used it but it sounds reliable and simple to set up and appears to not need any port forwarding set up for access externally – only you and your browser can access it. Bear in mind it's in beta at the moment.
Another option is what I use which is the RealVNC server pre-installed in Pi OS. That takes a bit of work but the advantage is RealVNC has a great smartphone app which makes navigating your desktop from a tiny phone screen very nice indeed. I find it useful to be able to jump onto my network via the Pi-hole desktop from anywhere with just my phone. Once on the desktop you can of course launch a terminal. This answer also does not need any port forwarding. If you or anyone wants details to set up with a current Pi OS let me know and I'll list the steps.
Based on what you've said I'd give Moto's suggestions a go, it sounds like that will meet your needs.
Ah, right. I use a cheap USB switch (about $18 at the time) that saves having to switch out keyboard and mouse. Keyboard and mouse plug into the switch, then one cable to my desktop and the other to the RPi handles both keyboard and mouse. Then push a button for either the RPi or my desktop. I still have to manually swap the monitor's HDMI cable from the desktop to the RPi, but when I was buying, the cheapest KVM switch was $75, and that seemed like overkill for a then-$35 Raspberry Pi. KVMs are cheaper now and RPis more expensive.
I don't know whether I was doing that or not. IIRC, the RPi instructions at the time (~2020) said I was opening port 22 when I created the ssh. You don't have to do that while inside the local WiFi range?
An ISP typically gives you a single IP address and a router which has a "WAN" side facing the Internet, and a "LAN" side for your private home network. The single IP is attached to the WAN side, and on the LAN side you have the usual 192.168.x.x type addresses.
If you run an SSH server (e.g. on your Pi-hole) on your LAN, then you can only access that when on the LAN. So if you're all on the same wifi at home, you don't need to port forward.
Port forwarding is a way of exposing that SSH server through the router to the WAN side of things, so it can be reached from the Internet. That can be useful but it also means that anyone else can also try to access it and mess with it. That's why it needs to be kept up to date and secure and ideally with a firewall which only allows you to reach it.
So instead of having to do that, the other solutions mentioned (Pi Connect, RealVNC) don't need port forwarding because you and they end up connecting to an external server, under the hood, which then connects you together, so they're a lot safer for this kind of thing.
So you can enable SSH just for when on your home network, and use one of those other solutions for remote access when away from home.
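Added example (not part of any post in this thread): a Python script that counts failed SSH logins per source address and separates LAN sources (RFC 1918 ranges such as 192.168.x.x) from Internet sources, which is the simplest log check for whether SSH is reachable from the WAN side. The log lines are constructed samples in the usual sshd syslog format, and `summarize` and its `max_attempts` limit are hypothetical names standing in for the "x attempts" rule mentioned for fail2ban.

```python
import ipaddress
import re
from collections import Counter

# RFC 1918 ranges: addresses that can only be on the LAN side of the router.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")

# Constructed sample lines (not real data); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
Jan 12 03:14:07 pihole sshd[812]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Jan 12 03:14:09 pihole sshd[812]: Failed password for root from 203.0.113.45 port 51236 ssh2
Jan 12 03:14:12 pihole sshd[812]: Failed password for root from 203.0.113.45 port 51240 ssh2
Jan 12 08:02:11 pihole sshd[990]: Accepted publickey for pi from 192.168.1.20 port 50022 ssh2
Jan 12 08:05:00 pihole sshd[1001]: Failed password for pi from 192.168.1.20 port 50030 ssh2
""".splitlines()


def summarize(lines, max_attempts=3):
    """Count failed SSH logins per source IP, split into LAN and Internet."""
    lan, wan = Counter(), Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        try:
            ip = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # digits matched the regex but are not a valid address
        (lan if any(ip in net for net in LAN_NETS) else wan)[str(ip)] += 1
    # Sources at or over the limit: what a fail2ban-style rule would lock out.
    over = sorted(ip for ip, n in (lan + wan).items() if n >= max_attempts)
    # Any non-LAN source means SSH is reachable from outside the home network.
    return {"lan": dict(lan), "wan": dict(wan), "over_limit": over,
            "exposed": bool(wan)}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

With SSH enabled only on the home network and no port forwarding, the `wan` counter stays empty when this is run over the Pi's own SSH log lines.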
Excellent rundown. Thank you.