Any tips to make pihole more secure when combined with a VPN service?
pihole -a -p YourPasswordHere
That will add a password to your web admin if you haven't already!
I have already added a password for pihole dashboard. And I have changed default login credentials on the router. But port forwarding doesn't cause any issue?
VPN is very secure after you set it up. If you only forward the port(s) needed for VPN you will be fine.
Hmm, okay. Forwarded only one port which is used by pi
You can secure your VPN by doing a couple of things.
Use good encryption. Please, use at least 2048-bit encryption.
Use a long and complex password. Don't use anything that someone who knows you can guess.
Use a long and complex password for every user on your pi.
Be careful with your .ovpn files. For extra security you can encrypt these too.
Be careful who has access to your pi. Someone who can access your pi locally can compromise your VPN.
Secure your ssh access, especially if it's open to the internet.
Use unattended-upgrades on your pi to close new security holes fast.
Change the standard ports your pi is using. If you set ssh to port 34729 it's harder to find out that you use ssh. But remember, don't use any ports between 1 and 1023 because these are standardized ports.
Well, these are my notes for a secure *nix system.
Install and config:
sudo apt-get install fail2ban ufw
-----------
Protect su by limiting access only to admin group.
sudo groupadd admin
sudo usermod -a -G admin <YOUR ADMIN USERNAME>
sudo dpkg-statoverride --update --add root admin 4750 /bin/su
-----------
Harden network with sysctl settings.
1. sudo nano /etc/sysctl.conf
2. Change / add this:
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Ignore send redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Block SYN attacks
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore Directed pings
net.ipv4.icmp_echo_ignore_all = 1
3. Reload: sudo sysctl -p
-----------
Prevent IP Spoofing.
1. sudo nano /etc/host.conf
2. add / change
order bind,hosts
nospoof on
-----------
Fix SSH security
1. sudo nano /etc/ssh/sshd_config
2. Add / change
Port <CHANGE PORTNUMBER!>
Protocol 2
PermitRootLogin no
DebianBanner no
AllowUsers *@<YOUR IP>
3. Restart service
sudo service ssh restart
-----------
And here is my fail2ban config for the Pi-Hole, change the SSH port to whatever you use.
1. sudo nano /etc/fail2ban/jail.local
2. Write:
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
action = %(action_)s

[sshd]
enabled = true
port = 2324
filter = sshd
logpath = /var/log/auth.log

[sshd-ddos]
enabled = true
port = 2324
filter = sshd-ddos
logpath = /var/log/auth.log

[lighttpd-auth]
enabled = true
port = 80,443
filter = lighttpd-auth
logpath = %(lighttpd_error_log)s
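An added audit script for the two posts above (the sysctl / sshd_config notes and the fail2ban jail); this is example code written for this page, not something posted in the thread or shipped by Pi-hole. It checks a sysctl.conf against the keys the notes require and checks that the fail2ban [sshd] jail's port matches the Port sshd actually listens on, since the note "change the SSH port to whatever you use" is exactly the step people forget: a jail still saying port 22 while sshd sits on 2324 bans nothing useful. All function names and the three sample files are constructed for the example; on a real Pi you would point the functions at /etc/sysctl.conf, /etc/ssh/sshd_config and /etc/fail2ban/jail.local.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample files stand in for
# /etc/sysctl.conf, /etc/ssh/sshd_config and /etc/fail2ban/jail.local so the
# checks run offline.

# Keys the sysctl section of the notes requires, as key=value, one per line.
REQUIRED_SYSCTL='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.tcp_syncookies=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.all.accept_redirects=0'

# sysctl_value FILE KEY: print the last value assigned to KEY in FILE
# (comment lines ignored, whitespace around '=' tolerated), or nothing if unset.
sysctl_value() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n 's/^[[:space:]]*'"$pat"'[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# sysctl_findings FILE: one line per required key that is unset or wrong.
# Empty output means the file matches the notes.
sysctl_findings() {
    printf '%s\n' "$REQUIRED_SYSCTL" | while IFS='=' read -r key want; do
        have=$(sysctl_value "$1" "$key")
        [ "$have" = "$want" ] || printf '%s expected %s got %s\n' "$key" "$want" "${have:-unset}"
    done
}

# sysctl_ok FILE: succeed only when sysctl_findings prints nothing.
sysctl_ok() {
    [ -z "$(sysctl_findings "$1")" ]
}

# sshd_port FILE: effective Port in an sshd_config (last one wins; 22 if absent).
# A commented-out "# Port 22" line must not count, hence the anchored match.
sshd_port() {
    p=$(sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${p:-22}"
}

# jail_port FILE SECTION: the port= value inside [SECTION] of a jail.local.
jail_port() {
    awk -v s="[$2]" '
        $0 == s { in_s = 1; next }
        /^\[/   { in_s = 0 }
        in_s && /^[[:space:]]*port[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); print; exit
        }' "$1"
}

# ssh_jail_consistent SSHD_CONFIG JAIL_LOCAL: succeed when the fail2ban [sshd]
# jail bans on the port sshd really listens on.
ssh_jail_consistent() {
    [ "$(sshd_port "$1")" = "$(jail_port "$2" sshd)" ]
}

# --- constructed samples (not real config from any system) -----------------
SAMPLE_SYSCTL_GOOD=$(mktemp); SAMPLE_SYSCTL_BAD=$(mktemp); SAMPLE_SSHD=$(mktemp)
SAMPLE_JAIL_GOOD=$(mktemp);   SAMPLE_JAIL_BAD=$(mktemp)

printf '%s\n' "$REQUIRED_SYSCTL" | sed 's/=/ = /' > "$SAMPLE_SYSCTL_GOOD"
# The bad file lacks log_martians and leaves send_redirects enabled.
grep -v log_martians "$SAMPLE_SYSCTL_GOOD" | sed 's/send_redirects = 0/send_redirects = 1/' > "$SAMPLE_SYSCTL_BAD"

cat > "$SAMPLE_SSHD" <<'EOF'
# Port 22
Port 2324
Protocol 2
PermitRootLogin no
EOF

cat > "$SAMPLE_JAIL_GOOD" <<'EOF'
[DEFAULT]
bantime = 3600
[sshd]
enabled = true
port = 2324
filter = sshd
EOF
# Same jail but still watching the default port: the classic mismatch.
sed 's/port = 2324/port = 22/' "$SAMPLE_JAIL_GOOD" > "$SAMPLE_JAIL_BAD"

# Stand-alone run: report what is wrong with the "bad" samples.
sysctl_findings "$SAMPLE_SYSCTL_BAD"
ssh_jail_consistent "$SAMPLE_SSHD" "$SAMPLE_JAIL_BAD" || echo "fail2ban [sshd] port does not match sshd Port"
```

Note that sysctl_findings reads the file, not the running kernel; after `sudo sysctl -p` compare with `sysctl -n <key>` if you want to confirm the live value, and remember the [sshd-ddos] jail in the config above carries its own port line that needs the same change.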
You can also run the web management portion through a reverse proxy. Just be sure to keep everything on the SSL-VPN side (port 443).
This guide is for an old version of Fedora now, but works on the current 29.