This shows you the differences between two versions of the page.
internet:security:pihole [2019/08/04 19:01] gcooper |
internet:security:pihole [2023/02/03 11:00] (current) gcooper |
Line 1: | Line 1: | ||
====== Pi-Hole DNS Sinkhole and Ad Blocker ====== | ====== Pi-Hole DNS Sinkhole and Ad Blocker ====== | ||
+ | |||
+ | <note tip>It may just be easier to use free AdGuard DNS servers... | ||
+ | |||
+ | https:// | ||
+ | </ | ||
https:// | https:// | ||
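Review bot: the AdGuard tip should state the trade-off it implies: pointing clients at a third-party resolver hands every DNS query to that provider and gives up the local blocklists, query log and client exclusions that the rest of this page is about, so it is a convenience alternative rather than an equivalent one.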
Line 12: | Line 17: | ||
https:// | https:// | ||
+ | |||
+ | **CLI**: https:// | ||
+ | |||
+ | **Blocklist List**: https:// | ||
+ | |||
+ | ===== Flush DNS Cache ===== | ||
+ | |||
+ | < | ||
+ | pihole restartdns reload-lists | ||
+ | </ | ||
===== Update ===== | ===== Update ===== | ||
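Review bot: the heading "Flush DNS Cache" does not match the command under it. Per Pi-hole's own CLI help, `pihole restartdns reload-lists` reloads the blocklists without flushing the DNS cache; `pihole restartdns reload` (or a plain `pihole restartdns`) is the variant that flushes it. Either rename the section to "Reload Blocklists" or switch the command to the flushing form.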
Line 37: | Line 52: | ||
Pi-Hole seems to work fine with only **port 53 (TCP and UDP)** exposed publicly. | Pi-Hole seems to work fine with only **port 53 (TCP and UDP)** exposed publicly. | ||
- | Port 80 needs to be open for the web administration. | + | Port 80 needs to be open for the web administration, and probably SSH as well. |
- | We use CSF firewall | + | In the CSF firewall, **we do not globally open these ports**, we only open them up to the US using: |
- | ==== Attack ==== | + | < |
+ | CC_ALLOW_PORTS | ||
+ | CC_ALLOW_PORTS_TCP | ||
+ | CC_ALLOW_PORTS_UDP | ||
+ | </ | ||
- | Create an IP list from the last two days: | + | ==== Botnet Attack ==== |
+ | |||
+ | === IP Address List === | ||
+ | |||
+ | :!: You can use this with Mikrotik routers and other devices. | ||
+ | |||
+ | Create an IP list from the last two days using '' | ||
< | < | ||
- | cat / | + | cat / |
- | cat / | + | cat / |
</ | </ | ||
- | RegEx to find ELDERJUSTICE.GOV: | + | === CSF === |
+ | |||
+ | We use CSF firewall for bastion hosts. | ||
+ | |||
+ | :!: '' | ||
+ | |||
+ | RegEx to find IP of attacker of ELDERJUSTICE.GOV: | ||
< | < | ||
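Review bot: the port section leaves an asymmetry that should be documented. Port 80 and SSH are geo-restricted with CC_ALLOW_PORTS, but port 53 stays "exposed publicly", and once the Recursive DNS section of this revision turns the host into a recursive resolver, an unrestricted port 53 is an open resolver that can be used for DNS amplification against third parties. Suggest giving port 53 the same CC_ALLOW_PORTS treatment, or better an explicit allow list of client ranges, and noting that the admin interface on port 80 is plain HTTP, so a country-wide allow is still a broad exposure for the admin login.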
Line 60: | Line 91: | ||
</ | </ | ||
- | Insert: | + | Inserting this will temporarily block the attacker for one week (604800 seconds): |
< | < | ||
Line 69: | Line 100: | ||
</ | </ | ||
- | Reboot needed? | + | < |
+ | vim / | ||
+ | </ | ||
+ | Change: | ||
+ | |||
+ | < | ||
+ | CUSTOM1_LOG = "/ | ||
+ | </ | ||
+ | |||
+ | Restart CSF: | ||
+ | |||
+ | < | ||
+ | csf -ra | ||
+ | </ | ||
+ | |||
+ | ===== Recursive DNS ===== | ||
+ | |||
+ | <note important> | ||
+ | |||
+ | https:// | ||
+ | |||
+ | The default Pi-Hole is a **forwarding** DNS server. | ||
+ | |||
+ | The All Around DNS Solution adds **recursion**. | ||
+ | |||
+ | ===== Exclude Some Clients ===== | ||
+ | |||
+ | :!: Use the **firewall** to block abusive external (recursive) clients. | ||
+ | |||
+ | https:// | ||
+ | |||
+ | ===== Troubleshooting ===== | ||
+ | |||
+ | If the admin web interface gets wonky, try this as a temporary fix: | ||
+ | |||
+ | < | ||
+ | pihole -f | ||
+ | </ | ||
+ | |||
+ | Also try giving PHP more RAM. The default is 128M, but you can give a lot more depending on your server' | ||
+ | |||
+ | < | ||
+ | vim / | ||
+ | |||
+ | memory_limit = 1024M | ||
+ | </ |
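Review bot: `pihole -f` flushes the Pi-hole query log, which is the same log the Botnet Attack section mines to build the attacker IP list and that CSF's CUSTOM1_LOG is pointed at, so using it as a "temporary fix" for the web UI discards the evidence those steps depend on. Suggest stating that the IP list should be exported and the temporary CSF blocks applied before flushing, and that `memory_limit = 1024M` is a value to size to the host rather than copy verbatim.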