[SOLVED] FTL says its active, interface says it isnt

#1

Hey guys!

Expected Behaviour:

Green light on the pihole web interface.

Actual Behaviour:

Red light on the pihole web interface.

Debug Token:

https://tricorder.pi-hole.net/xvvcq8us3w!

uname -a 
Linux odroid 4.14.107-157 #1 SMP PREEMPT Thu Mar 21 09:59:50 -03 2019 armv7l armv7l armv7l GNU/Linux

its the ARM Ubuntu minimal version for ODROID (please dont shoot me)
systemctl status pihole-FTL

● pihole-FTL.service - LSB: pihole-FTL daemon
   Loaded: loaded (/etc/init.d/pihole-FTL; generated)
   Active: active (exited) since Sat 2019-04-13 01:51:45 UTC; 13min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 3623 ExecStop=/etc/init.d/pihole-FTL stop (code=exited, status=0/SUCCESS)
  Process: 3658 ExecStart=/etc/init.d/pihole-FTL start (code=exited, status=0/SUCCESS)

  Apr 13 01:51:44 odroid systemd[1]: Starting LSB: pihole-FTL daemon...
  Apr 13 01:51:44 odroid pihole-FTL[3658]: Not running
  Apr 13 01:51:45 odroid su[3700]: Successful su for pihole by root
  Apr 13 01:51:45 odroid su[3700]: + ??? root:pihole
  Apr 13 01:51:45 odroid su[3700]: pam_unix(su:session): session opened for user pihole by   (uid=0)
  Apr 13 01:51:45 odroid pihole-FTL[3658]: FTL started!
  Apr 13 01:51:45 odroid su[3700]: pam_unix(su:session): session closed for user pihole
  Apr 13 01:51:45 odroid systemd[1]: Started LSB: pihole-FTL daemon.

sudo lsof -i -n -P

COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhcpcd     531     root   11u  IPv4  15782      0t0  UDP *:68
sshd       558     root    3u  IPv4    847      0t0  TCP *:9512 (LISTEN)
sshd       558     root    4u  IPv6    849      0t0  TCP *:9512 (LISTEN)
lighttpd  3475 www-data    4u  IPv4  37616      0t0  TCP *:80 (LISTEN)
lighttpd  3475 www-data    5u  IPv6  37617      0t0  TCP *:80 (LISTEN)
lighttpd  3475 www-data   11u  IPv4  45804      0t0  TCP 192.168.1.100:80->192.168.1.145:44812 (ESTABLISHED)
pihole-FT 3716   pihole    4u  IPv4  39949      0t0  UDP *:67
pihole-FT 3716   pihole    6u  IPv4  39952      0t0  UDP 192.168.1.100:53
pihole-FT 3716   pihole    7u  IPv4  39953      0t0  TCP 192.168.1.100:53 (LISTEN)
pihole-FT 3716   pihole    8u  IPv4  39954      0t0  UDP 127.0.0.1:53
pihole-FT 3716   pihole    9u  IPv4  39955      0t0  TCP 127.0.0.1:53 (LISTEN)
pihole-FT 3716   pihole   10u  IPv6  39956      0t0  UDP [fe80::21e:6ff:fe36:38b3]:53
pihole-FT 3716   pihole   11u  IPv6  39957      0t0  TCP [fe80::21e:6ff:fe36:38b3]:53 (LISTEN)
pihole-FT 3716   pihole   12u  IPv6  39958      0t0  UDP [::1]:53
pihole-FT 3716   pihole   13u  IPv6  39959      0t0  TCP [::1]:53 (LISTEN)
pihole-FT 3716   pihole   16u  IPv4  26803      0t0  TCP 127.0.0.1:4711 (LISTEN)
pihole-FT 3716   pihole   17u  IPv6  26805      0t0  TCP [::1]:4711 (LISTEN)
sshd      4610     root    3u  IPv4  43147      0t0  TCP 192.168.1.100:9512->192.168.1.145:42142 (ESTABLISHED)
sshd      4656    cunha    3u  IPv4  43147      0t0  TCP 192.168.1.100:9512->192.168.1.145:42142 (ESTABLISHED)

sudo systemctl status ufw

● ufw.service - Uncomplicated firewall
   Loaded: loaded (/lib/systemd/system/ufw.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:ufw(8)

also i know i have to portfoward
TCP 53 --> any
UDP 53 --> any
but do i need to:
TCP 4711 --> any
UDP 4711 --> any
this part is answered i was fording on the WAN router, already disabled that stuff.

thanks!

0 Likes

#2

Your debug log shows that pihole-FTL is running and DNS queries are properly processed:

*** [ DIAGNOSING ]: Ports in use
....
[192.168.1.100:53] is in use by pihole-FTL
[127.0.0.1:53] is in use by pihole-FTL
[[fe80::21e:6ff:fe36:38b3]:53] is in use by pihole-FTL
[[::1]:53] is in use by pihole-FTL
[127.0.0.1:4711] is in use by pihole-FTL
[[::1]:4711] is in use by pihole-FTL

*** [ DIAGNOSING ]: Name resolution (IPv4) using a random blocked domain and a known ad-serving domain
[✓] www.eboatstampa.com is 0.0.0.0 via localhost (127.0.0.1)
[✓] www.eboatstampa.com is 0.0.0.0 via Pi-hole (192.168.1.100)
[✓] doubleclick.com is 216.58.211.206 via a remote, public DNS server (8.8.8.8)

What word appears to the right of the light - active?

0 Likes

#3

Hello!
thank you for the extremely quick reply! that has to be a record!

web interface:
FTL offline

but since the logs says its working i dont rly mind the red thing.
was just scratching my head for 1 hours trying to fix it.

already did a bunch of googling and:
pihole -r

0 Likes

#4

Perhaps one of the developers will have some thoughts.

0 Likes

#6

Where are you forwarding these ports? Internally or out to the WAN?

0 Likes

#7

WAN, on the ISP router page.

right now the odroid has everything open (ufw disabled), its kinda of a fresh install, only thing i did was secure sshd, get the keys in, TCP hardening (maybe the problem?), and fail2ban

TCP HARDENING
on /etc/sysctl.d/50-ip-sec.conf

# Disable Source Routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0 
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Disable acceptance of all ICMP redirected packets on all interfaces
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0 
net.ipv6.conf.default.accept_redirects = 0

# Disable send IPv4 redirect packets
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Set Reverse Path Forwarding to strict mode as defined in RFC 3704
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Block pings
net.ipv4.icmp_echo_ignore_all = 1

# Syn flood help
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 5

# Log suspicious martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians=1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Disable IPv6 auto config
net.ipv6.conf.default.accept_ra=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.eth0.accept_ra=0
net.ipv6.conf.eth0.autoconf=0
0 Likes

#8

Why are your forwarding port 53 traffic to WAN? That is not required (nor desired) for Pi-Hole to operate. You are setting yourself up for problems here.

0 Likes

#9

oh thanks! thought i had to do it in order for the pihole to be able to query… i’m not that smart when it comes to portforwaring.
thanks for the tip!

totally my fault, i should read up on it and stop winging it as i go

0 Likes

#10

With a Pi-Hole installed on a device in your network only the ports on the Pi-Hole host need to be open to your LAN. That is handled with the Pi-Hole installer. You don’t need (nor want) to open any ports on your router for Pi-Hole to work properly. Opening ports can cause a host of problems, most commonly an open resolver that will quickly be found on the internet and put to no good use.

Pi-Hole gets its DNS queries from clients on the LAN, and you want to block all traffic from the WAN.

0 Likes

#11

What is the output of these commands?

pihole status
pihole status web
0 Likes

#12
pihole status

  [✓] DNS service is running
  [✓] Pi-hole blocking is Enabled

pihole status web

1

edit:
new debug token
https://tricorder.pi-hole.net/i0ojggcs98!

0 Likes

#14

What is the output of

sudo -u www-data pihole status
sudo -u www-data pihole status web
0 Likes

#15

couldnt find out what the www-data user password was, tried everything so i just changed it. (i hope thats alright)

anyway i think you are on to something!

sudo -u www-data pihole status
Sorry, user www-data is not allowed to execute '/bin/bash /usr/local/bin/pihole status' as root on odroid.


sudo -u www-data pihole status web
Sorry, user www-data is not allowed to execute '/bin/bash /usr/local/bin/pihole status web' as root on odroid.

edit:
/etc/sudoers file

#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sb
in:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d


0 Likes

#16

Also check for a Pi-hole specific sudoers file (/etc/sudoers.d/pihole), see this line as reference:

0 Likes

#17

thanks, was kinda lost, the script helped it.

ls /etc/sudoers.d/
pihole  README

sudo cat /etc/sudoers.d/pihole

# Pi-hole: A black hole for Internet advertisements
# (c) 2017 Pi-hole, LLC (https://pi-hole.net)
# Network-wide ad blocking via your own hardware.
#
# Allows the WebUI to use Pi-hole commands
#
# This file is copyright under the latest version of the EUPL.
# Please see LICENSE file for your rights under this license.
#
www-data ALL=NOPASSWD: /usr/local/bin/pihole


edit: hmmm?, aw ok, just saw the chmod 0440


ls -l /etc/sudoers.d/pihole

-r--r----- 1 root root 367 Apr 13 01:51 /etc/sudoers.d/pihole

edit edit!
just taking a guess here.

but it seems the defaults secure_path IF, didnt worked.

# If the Web server user is lighttpd,
if [[ "$LIGHTTPD_USER" == "lighttpd" ]]; then
    # Allow executing pihole via sudo with Fedora
    # Usually /usr/local/bin is not permitted as directory for sudoable programs
    echo "Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin" >> /etc/sudoers.d/pihole
fi

as i said just a guess, i know i’m using lighttpd, as i said before, this is an fresh odroid-minimal-ubuntu install and i did the pihole install “by the book”, so theres no reasoning for not be using lightppd.

EDIT EDIT EDIT!!!
never mind, after reading the full script, i see what the IF is there for.

0 Likes

#18

I’m not exactly sure what is happening then. You have the file and it looks okay, still, your sudo is complaining that you cannot execute the command.

Maybe the content of your /etc/sudoers.d is not sourced somewhere?..

0 Likes

#19

What is the output of this command? This will show if the web server is executing the status command successfully.

journalctl -u lighttpd
0 Likes

#20
journalctl -u lighttpd

Hint: You are currently not seeing messages from other users and the system.
      Users in groups 'adm', 'systemd-journal' can see all messages.
      Pass -q to turn off this notice.
-- Logs begin at Fri 2019-04-12 23:50:00 UTC, end at Sun 2019-04-14 21:04:21 UTC.
-- No entries --

sudo systemctl status lighttpd

● lighttpd.service - Lighttpd Daemon
   Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; vendor preset: e
   Active: active (running) since Sun 2019-04-14 18:20:43 UTC; 2h 45min ago
  Process: 508 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf
 Main PID: 533 (lighttpd)
   CGroup: /system.slice/lighttpd.service
           ├─533 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
           ├─548 /usr/bin/php-cgi
           ├─556 /usr/bin/php-cgi
           ├─557 /usr/bin/php-cgi
           ├─558 /usr/bin/php-cgi
           └─559 /usr/bin/php-cgi

Apr 14 18:20:43 nether systemd[1]: Started Lighttpd Daemon.
Apr 14 18:25:58 nether sudo[642]: www-data : TTY=unknown ; PWD=/var/www/html/admin
Apr 14 18:25:58 nether sudo[642]: pam_unix(sudo:session): session opened for user
Apr 14 18:25:58 nether sudo[642]: pam_unix(sudo:session): session closed for user
Apr 14 19:11:38 nether sudo[4224]: www-data : unable to resolve host nether
Apr 14 19:11:38 nether sudo[4224]: www-data : problem with defaults entries ; TTY=
Apr 14 19:11:38 nether lighttpd[533]: sudo: unable to resolve host nether
Apr 14 19:11:38 nether sudo[4224]: www-data : TTY=unknown ; PWD=/var/www/html/admi
Apr 14 19:11:38 nether sudo[4224]: pam_unix(sudo:session): session opened for user
Apr 14 19:11:38 nether sudo[4224]: pam_unix(sudo:session): session closed for user

journalctl --user -u lighttpd
-- Logs begin at Fri 2019-04-12 23:50:00 UTC, end at Sun 2019-04-14 21:04:21 UTC.
-- No entries --

ok now i’m rly lost…

0 Likes

#21

What is the output of sudo journalctl -u lighttpd?

0 Likes

#22

oh lol, my bad.

it was rather big, so i piped it to 0x0.st (hopes thats ok)

https://0x0.st/zNOf.txt

relevant info after the last reboot here anyway:

Apr 14 18:20:43 nether systemd[1]: Starting Lighttpd Daemon...
Apr 14 18:20:43 nether systemd[1]: Started Lighttpd Daemon.
Apr 14 18:25:58 nether sudo[642]: www-data : TTY=unknown ; PWD=/var/www/html/admin ; USER=root ; COMMAND=/usr/local/bin/pihole status web
Apr 14 18:25:58 nether sudo[642]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 14 18:25:58 nether sudo[642]: pam_unix(sudo:session): session closed for user root
Apr 14 19:11:38 nether sudo[4224]: www-data : unable to resolve host nether
Apr 14 19:11:38 nether sudo[4224]: www-data : problem with defaults entries ; TTY=unknown ; PWD=/var/www/html/admin ; USER=root ;
Apr 14 19:11:38 nether lighttpd[533]: sudo: unable to resolve host nether
Apr 14 19:11:38 nether sudo[4224]: www-data : TTY=unknown ; PWD=/var/www/html/admin ; USER=root ; COMMAND=/usr/local/bin/pihole status web
Apr 14 19:11:38 nether sudo[4224]: pam_unix(sudo:session): session opened for user root by (uid=0)
Apr 14 19:11:38 nether sudo[4224]: pam_unix(sudo:session): session closed for user root
Apr 14 19:11:38 nether lighttpd[533]: sudo: unable to resolve host nether

probly because i changed the hostname from odroid --> nether , just today

EDIT RELEVANT PLEASE READ
so i went ahead and asked for help too in the odroid forums.
https://forum.odroid.com/viewtopic.php?f=95&t=34558

here one answer:

your /etc/sudoers.d/pihole file allows www-data to run a command with root permissions without asking for a password.

Normally www-data does not have root permission, means it can't run any application that requires root.
But with that file, it allows www-data to run one single command to run with sudo commad "/usr/local/bin/pihole"

So you're command would actually have to look like this: 
sudo -u www-data sudo pihole status

Which is quite hilarious considering that you ARE root, make yourself to "www-data" and then run a command as "root" :D

Simply running pihole status should work if you are connected as root via ssh.

btw: pihole was probably made with Debian in mind instead of Ubuntu and it might run better if you actually install it on a Debian instead of Ubuntu.

so, doing the command:

sudo -u www-data sudo pihole status

sudo: unable to resolve host nether
sudo: unable to resolve host nether
  [✓] DNS service is running
  [✓] Pi-hole blocking is Enabled

 sudo -u www-data sudo pihole status web

sudo: unable to resolve host nether
sudo: unable to resolve host nether
1

edit edit:

as far as the nether thing goes, found the problem!
i forgot to edit /etc/hosts
the /etc/host 127.0.0.1 was poiting to odroid.
fixed, rebooting the thing now

0 Likes