uname -a
Linux odroid 4.14.107-157 #1 SMP PREEMPT Thu Mar 21 09:59:50 -03 2019 armv7l armv7l armv7l GNU/Linux
It's the ARM Ubuntu minimal version for ODROID (please don't shoot me).
systemctl status pihole-FTL
● pihole-FTL.service - LSB: pihole-FTL daemon
Loaded: loaded (/etc/init.d/pihole-FTL; generated)
Active: active (exited) since Sat 2019-04-13 01:51:45 UTC; 13min ago
Docs: man:systemd-sysv-generator(8)
Process: 3623 ExecStop=/etc/init.d/pihole-FTL stop (code=exited, status=0/SUCCESS)
Process: 3658 ExecStart=/etc/init.d/pihole-FTL start (code=exited, status=0/SUCCESS)
Apr 13 01:51:44 odroid systemd[1]: Starting LSB: pihole-FTL daemon...
Apr 13 01:51:44 odroid pihole-FTL[3658]: Not running
Apr 13 01:51:45 odroid su[3700]: Successful su for pihole by root
Apr 13 01:51:45 odroid su[3700]: + ??? root:pihole
Apr 13 01:51:45 odroid su[3700]: pam_unix(su:session): session opened for user pihole by (uid=0)
Apr 13 01:51:45 odroid pihole-FTL[3658]: FTL started!
Apr 13 01:51:45 odroid su[3700]: pam_unix(su:session): session closed for user pihole
Apr 13 01:51:45 odroid systemd[1]: Started LSB: pihole-FTL daemon.
Also, I know I have to port forward
TCP 53 --> any
UDP 53 --> any
but do I need to:
TCP 4711 --> any
UDP 4711 --> any
This part is answered: I was forwarding on the WAN router, already disabled that stuff.
Your debug log shows that pihole-FTL is running and DNS queries are properly processed:
*** [ DIAGNOSING ]: Ports in use
....
[192.168.1.100:53] is in use by pihole-FTL
[127.0.0.1:53] is in use by pihole-FTL
[[fe80::21e:6ff:fe36:38b3]:53] is in use by pihole-FTL
[[::1]:53] is in use by pihole-FTL
[127.0.0.1:4711] is in use by pihole-FTL
[[::1]:4711] is in use by pihole-FTL
*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] www.eboatstampa.com is 0.0.0.0 via localhost (127.0.0.1)
[✓] www.eboatstampa.com is 0.0.0.0 via Pi-hole (192.168.1.100)
[✓] doubleclick.com is 216.58.211.206 via a remote, public DNS server (8.8.8.8)
What word appears to the right of the light - active?
Right now the odroid has everything open (ufw disabled). It's kind of a fresh install; the only things I did were secure sshd, get the keys in, TCP hardening (maybe the problem?), and fail2ban.
TCP HARDENING
on /etc/sysctl.d/50-ip-sec.conf
# Disable Source Routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Disable acceptance of all ICMP redirected packets on all interfaces
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Disable send IPv4 redirect packets
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Set Reverse Path Forwarding to strict mode as defined in RFC 3704
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Block pings
net.ipv4.icmp_echo_ignore_all = 1
# Syn flood help
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5
# Log suspicious martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians=1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Disable IPv6 auto config
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.eth0.accept_ra=0
net.ipv6.conf.eth0.autoconf=0
Why are you forwarding port 53 traffic to WAN? That is not required (nor desired) for Pi-Hole to operate. You are setting yourself up for problems here.
Oh thanks! I thought I had to do it in order for the pihole to be able to query... I'm not that smart when it comes to port forwarding.
Thanks for the tip!
Totally my fault, I should read up on it and stop winging it as I go.
With a Pi-Hole installed on a device in your network only the ports on the Pi-Hole host need to be open to your LAN. That is handled with the Pi-Hole installer. You don't need (nor want) to open any ports on your router for Pi-Hole to work properly. Opening ports can cause a host of problems, most commonly an open resolver that will quickly be found on the internet and put to no good use.
Pi-Hole gets its DNS queries from clients on the LAN, and you want to block all traffic from the WAN.
Couldn't find out what the www-data user password was, tried everything, so I just changed it. (I hope that's alright.)
Anyway, I think you are on to something!
sudo -u www-data pihole status
Sorry, user www-data is not allowed to execute '/bin/bash /usr/local/bin/pihole status' as root on odroid.
sudo -u www-data pihole status web
Sorry, user www-data is not allowed to execute '/bin/bash /usr/local/bin/pihole status web' as root on odroid.
edit:
/etc/sudoers file
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
sudo cat /etc/sudoers.d/pihole
# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Allows the WebUI to use Pi-hole commands
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.
#
www-data ALL=NOPASSWD: /usr/local/bin/pihole
But it seems the Defaults secure_path IF didn't work.
# If the Web server user is lighttpd,
if [[ "$LIGHTTPD_USER" == "lighttpd" ]]; then
# Allow executing pihole via sudo with Fedora
# Usually /usr/local/bin is not permitted as directory for sudoable programs
echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" >> /etc/sudoers.d/pihole
fi
As I said, just a guess. I know I'm using lighttpd; as I said before, this is a fresh odroid-minimal-ubuntu install and I did the pihole install "by the book", so there's no reason for it not to be using lighttpd.
EDIT EDIT EDIT!!!
Never mind, after reading the full script, I see what the IF is there for.
journalctl -u lighttpd
Hint: You are currently not seeing messages from other users and the system.
Users in groups 'adm', 'systemd-journal' can see all messages.
Pass -q to turn off this notice.
-- Logs begin at Fri 2019-04-12 23:50:00 UTC, end at Sun 2019-04-14 21:04:21 UTC.
-- No entries --
sudo systemctl status lighttpd
● lighttpd.service - Lighttpd Daemon
Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; vendor preset: e
Active: active (running) since Sun 2019-04-14 18:20:43 UTC; 2h 45min ago
Process: 508 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
Main PID: 533 (lighttpd)
CGroup: /system.slice/lighttpd.service
├─533 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
├─548 /usr/bin/php-cgi
├─556 /usr/bin/php-cgi
├─557 /usr/bin/php-cgi
├─558 /usr/bin/php-cgi
└─559 /usr/bin/php-cgi
Apr 14 18:20:43 nether systemd[1]: Started Lighttpd Daemon.
Apr 14 18:25:58 nether sudo[642]: www-data : TTY=unknown ; PWD=/var/www/html/admin
Apr 14 18:25:58 nether sudo[642]: pam_unix(sudo:session): session opened for user
Apr 14 18:25:58 nether sudo[642]: pam_unix(sudo:session): session closed for user
Apr 14 19:11:38 nether sudo[4224]: www-data : unable to resolve host nether
Apr 14 19:11:38 nether sudo[4224]: www-data : problem with defaults entries ; TTY=
Apr 14 19:11:38 nether lighttpd[533]: sudo: unable to resolve host nether
Apr 14 19:11:38 nether sudo[4224]: www-data : TTY=unknown ; PWD=/var/www/html/admi
Apr 14 19:11:38 nether sudo[4224]: pam_unix(sudo:session): session opened for user
Apr 14 19:11:38 nether sudo[4224]: pam_unix(sudo:session): session closed for user
journalctl --user -u lighttpd
-- Logs begin at Fri 2019-04-12 23:50:00 UTC, end at Sun 2019-04-14 21:04:21 UTC.
-- No entries --
Your /etc/sudoers.d/pihole file allows www-data to run a command with root permissions without asking for a password.
Normally www-data does not have root permission, which means it can't run any application that requires root.
But with that file, it allows www-data to run one single command with sudo: "/usr/local/bin/pihole".
So your command would actually have to look like this:
sudo -u www-data sudo pihole status
Which is quite hilarious considering that you ARE root, make yourself "www-data" and then run a command as "root" :D
Simply running pihole status should work if you are connected as root via ssh.
btw: pihole was probably made with Debian in mind instead of Ubuntu, and it might run better if you actually install it on Debian instead of Ubuntu.
So, doing the command:
sudo -u www-data sudo pihole status
sudo: unable to resolve host nether
sudo: unable to resolve host nether
[✓] DNS service is running
[✓] Pi-hole blocking is Enabled
sudo -u www-data sudo pihole status web
sudo: unable to resolve host nether
sudo: unable to resolve host nether
1
edit edit:
As far as the nether thing goes, found the problem!
I forgot to edit /etc/hosts.
The /etc/hosts entry for 127.0.0.1 was pointing to odroid.
Fixed, rebooting the thing now.
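Two offline checks for the sudoers rule explained a few posts up and for the /etc/hosts mismatch fixed in this one, added here as an example rather than anything from the thread or the Pi-hole project. The sudoers and hosts contents are constructed stand-ins modelled on the files the poster showed; the function names are made up for this example.

```shell
# Added example, not from the thread: two offline checks for the problems
# discussed above. Sample file contents are constructed here, modelled on the
# /etc/sudoers.d/pihole and /etc/hosts files the poster describes.

# Constructed stand-in for /etc/sudoers.d/pihole plus a Defaults line.
SAMPLE_SUDOERS='# Allows the WebUI to use Pi-hole commands
Defaults secure_path = "/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin"
www-data ALL=NOPASSWD: /usr/local/bin/pihole
%sudo ALL=(ALL:ALL) ALL'

# Constructed stand-in for /etc/hosts after the machine was renamed to
# "nether" without updating the file (the cause of "unable to resolve host").
SAMPLE_HOSTS='127.0.0.1 localhost
127.0.1.1 odroid'

# Print "user<TAB>command" for each NOPASSWD rule in the sudoers text on
# stdin, skipping comments and Defaults lines. Any service account listed
# here (www-data, lighttpd, ...) can run that command as root unprompted,
# so these are the rules worth reviewing after a fresh install.
nopasswd_rules() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*Defaults/ { next }
         /NOPASSWD:/ { user = $1
                       sub(/.*NOPASSWD:[[:space:]]*/, "")
                       print user "\t" $0 }'
}

# Exit 0 if the directory of command $1 appears in the Defaults secure_path
# of the sudoers text on stdin. sudo replaces PATH with secure_path, so a
# bare "sudo pihole" only works when /usr/local/bin is listed there.
cmd_dir_in_secure_path() {
    dir=$(dirname "$1")
    awk -v dir="$dir" '/^[[:space:]]*Defaults[[:space:]]+secure_path/ {
             sub(/.*secure_path[[:space:]]*=[[:space:]]*/, "")
             gsub("\"", "")
             n = split($0, parts, ":")
             for (i = 1; i <= n; i++) if (parts[i] == dir) found = 1 }
         END { if (found) exit 0; exit 1 }'
}

# Exit 0 if hostname $1 is listed for some address in the hosts text on
# stdin; sudo looks the local hostname up and warns when it is missing.
hostname_in_hosts() {
    awk -v h="$1" '/^[[:space:]]*#/ { next }
         { for (i = 2; i <= NF; i++) if ($i == h) found = 1 }
         END { if (found) exit 0; exit 1 }'
}

printf '%s\n' "$SAMPLE_SUDOERS" | nopasswd_rules
printf '%s\n' "$SAMPLE_HOSTS" | hostname_in_hosts nether || echo "nether missing from hosts"
```

On a real box, feed the functions with `cat /etc/sudoers /etc/sudoers.d/*` and `cat /etc/hosts` (as root) instead of the constructed samples.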