Filter out ads and malware sites on your home network using PiHole.


Overview

Why Pi-Hole?

https://www.wikiwand.com/en/Pi-hole

A DNS sinkhole (https://en.wikipedia.org/wiki/DNS_Sinkhole) protects devices on a subnet from unwanted content, without installing any client-side software.

The Pi-hole® implements a DNS sinkhole: https://pi-hole.net/

Pi-hole optionally functions as a DHCP server, ensuring all your devices are protected automatically, over both IPv4 and IPv6.

  • https://crosstalksolutions.com/raspberry-pi-4-boot-with-usb
  • https://www.youtube.com/watch?v=xtMFcVx3cHU by TechHut
  • https://www.youtube.com/watch?v=roYduABVjo8 by CoreElectronics

Get a Raspberry Pi hardware

VIDEO: https://www.crosstalksolutions.com/the-worlds-greatest-pi-hole-and-unbound-tutorial-2023/ mentions RPilocator.com, which notifies you when one comes into stock.

Alternately, you can run Pi-hole within a Docker container.

VIDEO: Raspberry Pi 4 Getting Started by Crosstalk Solutions

Install Pi-hole from macOS

  1. See my article about setting up the Raspberry Pi.

  2. Navigate to a folder where you want the new repo downloaded.

  3. Deploy the software directly to a supported operating system via Pi-hole’s automated installer:

    git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
    cd "Pi-hole/automated install/"
    sudo bash basic-install.sh
    
  4. Type your laptop’s OS password requested by the sudo command. The Pi logo should appear.

      [✓] Root user check
    
        .;;,.
        .ccccc:,.
         :cccclll:.      ..,,
          :ccccclll.   ;ooodc
           'ccll:;ll .oooodc
             .;cll.;;looo:.
                 .. ','.
                .',,,,,,'.
              .',,,,,,,,,,.
            .',,,,,,,,,,,,....
          ....''',,,,,,,'.......
        .........  ....  .........
        ..........      ..........
        ..........      ..........
        .........  ....  .........
          ........,,,,,,,'......
            ....',,,,,,,,,,,,.
               .',,,,,,,,,'.
                .',,,,,,'.
                  ..'''.
    

    If you see this, verify you have a working connection to the Pi.

    [i] SELinux not detected
    [✗] No supported package manager found
    
  5. Block ads everywhere, even on the go. By pairing your Pi-hole with a VPN, you can have ad blocking on your cellular devices, helping with limited bandwidth data plans.

    https://docs.pi-hole.net/guides/vpn/overview

    Set Pi-hole Admin Password

    Log into the Pi-hole

    Pi-hole Dashboard and Menus

    Add Pi-hole Block Lists

  6. Configure your router’s DHCP options to force clients to use Pi-hole as their DNS server, or manually configure each device to use the Pi-hole as its DNS server.

    https://docs.pi-hole.net/main/post-install

    More Pi-hole Menu Settings

    Pi-hole Settings

  7. Set a static IP address within your subnet for the Pi-hole. 8:58

    sudo nano -w /etc/dhcpcd.conf
    

    Un-comment under # Example static IP configuration and specify your subnet:

    interface eth0
    static ip_address=192.168.200.52/24
    static routers=192.168.200.1
    static domain_name_servers=192.168.200.1 1.1.1.1
    
    sudo reboot

  8. On the new IP address:

    Configure DNS server

    Some internet service providers (ISPs) return ads instead of 404.

    You don’t have to use Unbound.

    1.1.1.3 & 1.0.0.3 filter phishing, malware and adult content.

    8.8.8.8 from Google was rated as the quickest, probably because it doesn’t block as comprehensively.

    Add blocklist from Firebog

  9. Into Pi-Hole’s Adlist Group Management, add URLs of sites that Firebog knows to be suspicious, advertising, tracking & telemetry, malicious, etc.

  10. Click “Update Gravity”.

    Temporarily Disable Pi-hole 23:45

  11. Create a shell script that reads the stored (hashed) web password:

    grep WEBPASSWORD /etc/pihole/setupVars.conf
    
  12. Bookmark this URL on your browser or Stream Deck to temporarily disable Pi-Hole by authenticating with the hashed value of WEBPASSWORD.

    http://192.168.200.52/admin/api.php?disable=300&auth=PWHASH

    for 300 seconds
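As an added example (not code from this page or from the Pi-hole project), the following POSIX shell script does steps 11 and 12 together: it reads the WEBPASSWORD hash out of setupVars.conf, builds the api.php disable URL shown above, and calls it with curl. The address 192.168.200.52 is the static IP used on this page; the function names and the script name disable.sh are my own.

```shell
#!/bin/sh
# Added example, not code from the page or the Pi-hole project.
# Reads the stored WEBPASSWORD hash from setupVars.conf, builds the
# api.php disable URL, and calls it. Function names are assumptions.

# Print the WEBPASSWORD value from a setupVars.conf (default: Pi-hole's path).
# Returns 1 if the key is missing, so callers never build a URL with an empty auth=.
pihole_webpassword() {
  conf=${1:-/etc/pihole/setupVars.conf}
  pw=$(sed -n 's/^WEBPASSWORD=//p' "$conf" 2>/dev/null | head -n 1)
  if [ -z "$pw" ]; then
    echo "no WEBPASSWORD in $conf" >&2
    return 1
  fi
  printf '%s\n' "$pw"
}

# Build the temporary-disable URL for HOST, SECONDS and the auth hash.
pihole_disable_url() {
  printf 'http://%s/admin/api.php?disable=%s&auth=%s\n' "$1" "$2" "$3"
}

# Disable blocking on HOST for SECONDS (default 300), reading the hash from
# CONF (default: Pi-hole's path). Intended to run on the Pi itself, where the
# conf file is readable, rather than copying the hash to another machine.
pihole_disable() {
  host=$1; seconds=${2:-300}; conf=${3:-/etc/pihole/setupVars.conf}
  pw=$(pihole_webpassword "$conf") || return 1
  curl -sS "$(pihole_disable_url "$host" "$seconds" "$pw")"
}

# Stand-alone use, e.g.:  sh disable.sh 192.168.200.52 300
if [ -n "${1:-}" ]; then
  pihole_disable "$1" "${2:-300}"
fi
```

The hash is the same credential the admin web interface accepts, so any bookmark, Stream Deck profile or file that stores it should be treated like a stored password, and the request itself travels over plain HTTP on the LAN.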

    Configure other devices to use Pi-hole as DNS

  13. In Settings, Interface settings, uncheck default “Allow only local requests”.
  14. Check “Respond only on interface eth0”.

  15. Instead of changing each device (laptop), set DNS 1 and DNS 2 in your router’s DHCP settings to the Pi-hole’s address.

    Audit log

  16. Click the “Audit Log” menu item.

    Backup

  17. In Tools, click “Backup”.
  18. Copy the backed up file to a USB drive and/or cloud.
  19. If you’re running 2 Pi-Holes, install the backup onto the 2nd Pi-Hole. Sync using:

    https://github.com/vmstan/gravity-sync

    Install Unbound recursive DNS resolver

  20. Install Unbound service to make DNS queries anonymously:

    sudo apt install unbound -y
  21. Download the text

    ??? pi-hole.conf
  22. Edit the configuration file:

    sudo nano -w /etc/unbound/unbound.conf.d/pi-hole.conf
  23. Start Unbound service:

    sudo service unbound start
  24. View Unbound service status (active?):

    sudo service unbound status
  25. Test DNS lookup:

    dig crosstalksolutions.com @127.0.0.1 -p 5335
  26. 30:36 Set up firewall rules so that DNS queries sent to resolvers configured on individual devices (bypassing Pi-hole) are ignored.
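Added example (not from this page or from the Pi-hole or Unbound projects): a POSIX shell script that applies one yardstick to every resolver discussed above, the public ones under "Configure DNS server" (1.1.1.1, 1.1.1.3, 8.8.8.8) and the local Unbound on 127.0.0.1 port 5335, by parsing dig's status and "Query time" lines, and then checks that Unbound actually validates DNSSEC. Function names are mine; the names fail01.dnssec.works and dnssec.works are the ones the Pi-hole Unbound guide uses for this check (assumed still to be served), and the DIG variable exists only so a fake dig can be substituted for offline testing.

```shell
#!/bin/sh
# Added example, not code from the page or from Pi-hole/Unbound.
# Compares resolvers with dig and checks DNSSEC validation on Unbound.

# Extract "status: XXX" from dig output passed on stdin.
dig_status() {
  sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Extract the reported query time in milliseconds from dig output on stdin.
dig_query_ms() {
  sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p' | head -n 1
}

# Query NAME against RESOLVER on PORT (default 53); print "STATUS MS".
# DIG may be overridden (assumption: used here only for offline testing).
check_resolver() {
  resolver=$1; name=$2; port=${3:-53}
  out=$("${DIG:-dig}" +tries=1 +time=3 "$name" "@$resolver" -p "$port" 2>/dev/null) || return 1
  printf '%s %s\n' "$(printf '%s\n' "$out" | dig_status)" \
                   "$(printf '%s\n' "$out" | dig_query_ms)"
}

# A validating resolver must answer SERVFAIL for a deliberately broken
# signature and NOERROR for a correctly signed zone. Anything else means
# DNSSEC is not being enforced (e.g. Unbound misconfigured or bypassed).
check_dnssec() {
  resolver=$1; port=${2:-5335}
  bad=$(check_resolver "$resolver" fail01.dnssec.works "$port" | cut -d' ' -f1)
  good=$(check_resolver "$resolver" dnssec.works "$port" | cut -d' ' -f1)
  if [ "$bad" = SERVFAIL ] && [ "$good" = NOERROR ]; then
    echo "validating"
    return 0
  fi
  echo "NOT validating (bad=$bad good=$good)"
  return 1
}

# Stand-alone use:  sh resolvers.sh run
if [ "${1:-}" = run ]; then
  for r in 127.0.0.1:5335 192.168.200.52 1.1.1.1 1.1.1.3 8.8.8.8; do
    host=${r%%:*}; port=${r#*:}; [ "$port" = "$r" ] && port=53
    printf '%-16s ' "$r"
    check_resolver "$host" example.com "$port" || echo "no answer"
  done
  check_dnssec 127.0.0.1 5335
fi
```

Run it a few times: the first query to the local Unbound is slow because it recurses from the root, and later ones come from its cache, which is the trade-off behind the page's note that Google's 8.8.8.8 tested quickest.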

    Test Pi-hole Ad Blocking

  27. Test Ad-Blocking

Docker

Install Docker using its convenience script:

    curl -sSL https://get.docker.com | sh

  1. Add user pi to docker group:

    sudo usermod -aG docker pi
    
  2. Set up portainer.io to manage Docker containers on default port 9000:

    sudo docker run --restart always -d -p 9000:9000 \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v portainer_data:/data portainer/portainer-ce:linux-arm
    

NAS drive on Raspberry Pi

https://www.youtube.com/watch?v=gyMpI8csWis

Cron jobs

Update the Pi-hole

Run a cron (crontab) job once a week or month to apply updates (if one becomes available):

  1. Add to /etc/cron.d/pihole:

    30 2 * * 1   root    /usr/bin/curl -sSL https://raw.githubusercontent.com/mmotti/pihole-regex/master/install.py | /usr/bin/python3 >> /var/log/piholeupdate 2>&1

    30 2 * * 1   root    cd /usr/local/src/whitelist/scripts && git pull && ./whitelist.sh >> /var/log/piholeupdate 2>&1

    Both lines run as root, and the first pipes a freshly downloaded script straight into python3, so review or mirror that script if you need to know exactly what runs each week.
    

    Do regular speedtests

  2. Every hour run:

    VIDEO: run the openspeedtest.com server from a downloaded Docker image.

    sudo docker run --restart=unless-stopped \
     --name=openspeedtest -d -p 80:8080 openspeedtest/latest
     

    Change the port to something other than 8080 if you prefer.

  3. Display

    https://github.com/Brandawg93/Pi-Hole-Monitoring

  4. Open in a browser at URL http://192.168.200.122

    Record to a file.

    Instead of an SD card, use an SSD drive.

  5. View analysis: Are evenings more overloaded?


UniFi Dream Machine

VIDEO: UniFi Dream Machine Pro (UDM-Pro) by Crosstalk Solutions

References

https://docs.pi-hole.net/

https://www.reddit.com/r/pihole/

https://www.youtube.com/watch?v=jlHWnKVpygw

