Well, these are my notes for a secure *nix system (Debian-based: the commands below use apt-get and dpkg).
Install and configure:
sudo apt-get install fail2ban ufw
-----------
Protect su by limiting its use to the admin group: the override makes /bin/su root-owned, group admin, mode 4750 (setuid root, no execute bit for others), so only members of admin can run it.
sudo groupadd admin
sudo usermod -a -G admin <YOUR ADMIN USERNAME>
sudo dpkg-statoverride --update --add root admin 4750 /bin/su
-----------
Harden network with sysctl settings.
1. sudo nano /etc/sysctl.conf
2. Change / add this:
# IP Spoofing protection
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Disable source packet routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Don't send ICMP redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Mitigate SYN floods (SYN cookies)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log Martians
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Ignore directed pings (the host will not answer ping at all)
net.ipv4.icmp_echo_ignore_all = 1
3. Reload the settings:
sudo sysctl -p
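After `sysctl -p` it is worth confirming that the running kernel really reports the values the file asks for (a typo in a key name is silently ignored, and another file under /etc/sysctl.d can win). The script below is an added example, not part of the original notes: it compares a "key = value" file against `sysctl -a` output and lists every key that is missing or differs. It assumes only POSIX sh/awk and the `sysctl` CLI; the two excerpts in the demo function are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: check that the sysctl
# values a hardening file asks for are the values the running kernel reports.
# Both inputs are "key = value" text, so it works on /etc/sysctl.conf against
# the output of `sysctl -a`. Only POSIX sh/awk are assumed.

# sysctl_drift WANT_FILE HAVE_FILE
# Prints "key wanted actual" for each key that is missing or differs and
# returns the number of such keys (0 means every setting is in effect).
sysctl_drift() {
    awk '
        # normalise one "key = value" line; comments and blanks are skipped
        function parse(line,    kv, k, v) {
            sub(/#.*/, "", line)
            if (index(line, "=") == 0) return 0
            split(line, kv, "=")
            k = kv[1]; v = kv[2]
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            KEY = k; VAL = v
            return 1
        }
        NR == FNR { if (parse($0)) want[KEY] = VAL; next }   # first file: wanted
                  { if (parse($0)) have[KEY] = VAL }         # second file: actual
        END {
            n = 0
            for (k in want) {
                if (!(k in have))            { printf "%s %s <missing>\n", k, want[k]; n++ }
                else if (have[k] != want[k]) { printf "%s %s %s\n", k, want[k], have[k]; n++ }
            }
            exit n
        }
    ' "$1" "$2"
}

# demo_sysctl_drift: runs the check on two constructed excerpts, where the
# kernel has rp_filter in loose mode (2) and no log_martians entry at all.
demo_sysctl_drift() {
    d=$(mktemp -d) || return 1
    cat > "$d/want.conf" <<'EOF'
# IP Spoofing protection (constructed excerpt of the hardening file)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.log_martians = 1
EOF
    cat > "$d/have.txt" <<'EOF'
net.ipv4.conf.all.rp_filter = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
    sysctl_drift "$d/want.conf" "$d/have.txt"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo_sysctl_drift || echo "$? setting(s) not in effect"
```

On a real host: `sysctl -a 2>/dev/null > /tmp/have.txt; sysctl_drift /etc/sysctl.conf /tmp/have.txt`. A non-zero return is the list of keys to chase down.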
-----------
Prevent IP spoofing (a resolver-side check: with nospoof on, the resolver re-resolves the address it got back and fails the query if the reverse lookup does not name the same host; the kernel-side counterpart is the rp_filter setting above).
1. sudo nano /etc/host.conf
2. Add / change:
order bind,hosts
nospoof on
-----------
Harden SSH
1. sudo nano /etc/ssh/sshd_config
2. Add / change (AllowUsers *@<YOUR IP> accepts logins only from that source address, so make sure it is the one you connect from; OpenSSH 7.6 and later dropped protocol 1 and treat the Protocol directive as deprecated):
Port <CHANGE PORTNUMBER!>
Protocol 2
PermitRootLogin no
DebianBanner no
AllowUsers *@<YOUR IP>
3. Restart the service (keep your current session open until a fresh login on the new port has worked):
sudo service ssh restart
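Before restarting it helps to audit the file for the directives above. The script below is an added example, not part of the original notes or of OpenSSH: it reports any directive that is missing or wrong. One detail it gets right that a quick grep misses is that sshd honours the first uncommented occurrence of a keyword (sshd_config(5)), so a later "PermitRootLogin no" does not override an earlier "PermitRootLogin yes". It assumes whitespace-separated "Keyword value" lines and no Match blocks; the config excerpt in the demo function is constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes or of OpenSSH: audit an
# sshd_config for the hardening directives. sshd uses the FIRST uncommented
# occurrence of a keyword, and keywords are case-insensitive; this check
# applies the same rules. Assumptions: "Keyword value" whitespace syntax and
# no Match blocks (directives under Match are conditional and not handled).

# sshd_audit FILE
# Prints one line per problem and returns the problem count (0 = all good).
sshd_audit() {
    awk '
        BEGIN {
            want["protocol"] = "2"
            want["permitrootlogin"] = "no"
            want["debianbanner"] = "no"
        }
        /^[ \t]*#/ || NF < 2 { next }                          # comments, blanks
        { k = tolower($1); if (!(k in seen)) seen[k] = $2 }   # first one wins
        END {
            n = 0
            for (k in want) {
                if (!(k in seen))            { printf "%s: missing, want %s\n", k, want[k]; n++ }
                else if (seen[k] != want[k]) { printf "%s: is %s, want %s\n", k, seen[k], want[k]; n++ }
            }
            if (!("port" in seen) || seen["port"] == "22") { print "port: still the default 22"; n++ }
            if (!("allowusers" in seen)) { print "allowusers: missing, logins not limited by user/source"; n++ }
            exit n
        }
    ' "$1"
}

# demo_sshd_audit: constructed config with two mistakes: the first
# PermitRootLogin line still allows root (the later "no" is ignored by sshd)
# and DebianBanner is not set at all.
demo_sshd_audit() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sshd_config excerpt
Port 2324
Protocol 2
#PermitRootLogin yes
PermitRootLogin prohibit-password
PermitRootLogin no
AllowUsers *@203.0.113.10
EOF
    sshd_audit "$f"
    rc=$?
    rm -f "$f"
    return $rc
}

demo_sshd_audit || echo "$? problem(s) found"
```

Run `sshd_audit /etc/ssh/sshd_config` on the real file, then `sudo sshd -t` (syntax check, prints nothing when the file is valid) before `sudo service ssh restart`, so a typo cannot leave you with a daemon that refuses to start.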
-----------
And here is my fail2ban config for the Pi-hole; change the SSH port (2324 below) to whatever you set in sshd_config.
1. sudo nano /etc/fail2ban/jail.local
2. Write:
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
action = %(action_)s
[sshd]
enabled = true
port = 2324
filter = sshd
logpath = /var/log/auth.log
[sshd-ddos]
enabled = true
port = 2324
filter = sshd-ddos
logpath = /var/log/auth.log
[lighttpd-auth]
enabled = true
port = 80,443
filter = lighttpd-auth
logpath = %(lighttpd_error_log)s
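To see what findtime = 600 and maxretry = 3 actually mean on real log lines, the script below replays that rule over auth.log: a source is flagged once it reaches maxretry failures inside any findtime-second window, which is why three failures spread over fifteen minutes do not trigger a ban while three within ten seconds do. It is an added example, not part of the original notes or of fail2ban: it matches only "Failed password" lines (fail2ban's sshd filter matches more patterns) and parses only HH:MM:SS, so all lines are assumed to be from the same day; the auth.log lines in the demo function are constructed and use documentation IP ranges.

```shell
#!/bin/sh
# Added example, not part of the original notes or of fail2ban: replay the
# jail's findtime/maxretry rule over auth.log lines to see which sources
# would be banned. Only "Failed password" lines are matched, and only
# HH:MM:SS is parsed, so all lines are assumed to fall on the same day
# (true for the constructed sample below, not for a real multi-day log).

# ssh_bruteforce_scan FILE FINDTIME MAXRETRY
# Prints a line per source that reaches MAXRETRY failures inside any
# FINDTIME-second window; returns the number of such sources.
ssh_bruteforce_scan() {
    awk -v findtime="$2" -v maxretry="$3" '
        /sshd\[[0-9]+\]: Failed password/ {
            split($3, t, ":")
            now = t[1] * 3600 + t[2] * 60 + t[3]
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            cnt[ip]++
            ts[ip, cnt[ip]] = now
            # failures from this source inside the trailing window
            hits = 0
            for (j = cnt[ip]; j >= 1 && ts[ip, j] > now - findtime; j--) hits++
            if (hits >= maxretry && !(ip in banned)) {
                banned[ip] = 1; nbanned++
                printf "%s: %d failures within %ds, ban at %s\n", ip, hits, findtime, $3
            }
        }
        END { exit nbanned + 0 }
    ' "$1"
}

# demo_bruteforce_scan: constructed auth.log lines run with the jail values
# findtime=600, maxretry=3. 198.51.100.7 fails three times in ten seconds;
# 203.0.113.9 fails three times but never more than twice within 600 s.
demo_bruteforce_scan() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Mar  5 10:00:01 pihole sshd[2101]: Failed password for root from 203.0.113.9 port 40110 ssh2
Mar  5 10:02:10 pihole sshd[2110]: Failed password for invalid user admin from 198.51.100.7 port 51010 ssh2
Mar  5 10:02:14 pihole sshd[2110]: Failed password for invalid user admin from 198.51.100.7 port 51010 ssh2
Mar  5 10:02:19 pihole sshd[2110]: Failed password for invalid user admin from 198.51.100.7 port 51010 ssh2
Mar  5 10:03:05 pihole sshd[2115]: Accepted publickey for pi from 192.0.2.44 port 50000 ssh2
Mar  5 10:07:30 pihole sshd[2130]: Failed password for root from 203.0.113.9 port 40122 ssh2
Mar  5 10:14:55 pihole sshd[2142]: Failed password for root from 203.0.113.9 port 40131 ssh2
Mar  5 10:20:00 pihole sshd[2150]: Failed password for pi from 192.0.2.44 port 50001 ssh2
EOF
    ssh_bruteforce_scan "$f" 600 3
    rc=$?
    rm -f "$f"
    return $rc
}

demo_bruteforce_scan || echo "$? source(s) would be banned"
```

Against the real file: `ssh_bruteforce_scan /var/log/auth.log 600 3`, and compare with `sudo fail2ban-client status sshd`, which lists what the jail itself has banned. If the slow attacker in the sample is the pattern you see, the knob to turn is findtime, not maxretry.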