Is your network secure?
Probably all of you – let’s say everyone – use the Internet at home. So we all have a home network, and that network is connected to the Internet.
If your network has access to the Internet, then there is a chance that something could happen. Should you ask how secure your network is? I think you should.
You probably have antivirus software on your computer and on your mobile… I guess yes. But are those toys the only ones connected to your network? What about your smart TV, or your home automation system? In my situation I have around 50 network “toys” connected. All of them have access to the Internet, so all of them are at risk. Can we secure them in an easy and not very expensive way? The answer is YES.
I have decided to create a new category – Home network – and show you some easy (but reliable) solutions which will allow you to increase your network security. In the first post – this one – I will give you some tips on how to secure your home DNS server and why it is so important.
First of all – what is a DNS server? Let’s go to www.wikipedia.org
To put it simply, it is something like the telephone book in your phone, or the printed one. It translates names and pages into numbers: IP addresses. So you just type www.google.com into the browser and your computer knows where to “call” to get results. That is the very simple version.
It means that when I visit a commercial page, together with the information I requested I will probably get quite a big extra gift: advertisements, extra tracking links, maybe malware. Or, if I click on a fake link in my e-mail, the personal details for my bank could be stolen. Against scams we are partially protected by AV software. But we are not really protected against advertisements. Very often the text we requested is very short, and the amount of “gift” data is extreme – a few times more data than we needed. If you have a limit on your data transfer, it will cost you extra.
What can we do to protect ourselves? I think you see the idea: we can use our own address book – our own DNS server – which would block all of that. So we would get only what we really requested.
Is it complicated? I do not think so. It is not, and it is actually very cheap as well: let’s say 10 Euros + a 4GB MicroSD card + maybe a small donation for the authors (not me).
This solution is not very new, but as it is a very good solution I think it is worth repeating and presenting again and again, so please spread it around. It can add an extra layer of security to your current system, protecting you against malware, scams and advertisements. Let’s go and look…
What we need:
- One SoC board – a small computer. Yes, you need a computer, because you need to run a server that will work for your local network. It could be:
  - of course a Raspberry Pi – costs from 30 to 50 Euros
  - or one of the Odroid boards (like the C1 – around 40 Euros) from Hardkernel
  - or an SoC which costs just 10 Euros including shipping – Orange Pi (this is what I’m using for small projects) – which you can order here
  - or any other new SoC that you find – it should support Debian. I will focus on the Orange Pi (I also have other SoC computers like Raspberry Pi, Odroid U3, Odroid C1 and C1+, but those are used for other projects)
- One good SD card, Class 10 (!), minimum 4GB.
- A 5V 1A-2A power supply (please note – Orange Pi does not use MicroUSB as its power source, but a USB cable with your SoC) – which you probably have…
- A Debian distribution for your computer
  - for Orange Pi I would suggest two very good distributions
- Rufus software – to create the bootable disk.
1. Download the selected distribution.
2. Extract all files – the image for DietPi has the .img extension, the one for Armbian .raw
3. Download Rufus and put it in the folder with the images.
4. Insert your SD card.
5. Start Rufus and choose the image to be used.
6. Write the image to your card.
7. Put the card into your Orange Pi computer, connect it to your switch and power it up.
8. Wait a few minutes for startup.
9. Check your router to find the new device and its IP. Or use Angry IP Scanner to find your Armbian computer.
10. Use PuTTY to connect over SSH – just use the IP which you found and the default username and password (Armbian: root and password: 1234)
11. Follow the steps to finish configuration – here is more
12. And you probably have a working server. Now we can prepare our DNS server…
PiHole DNS filtering server!!!
It looks like the author has made some changes to the scripts. Very good changes!
1. Now you can install the whole system directly:
curl -L https://install.pi-hole.net | bash
2. And finally – before, it was necessary to edit a config file manually to modify the whitelist or blacklist. Now it is part of the web interface! That is great. That is also why we should support the open source community. So just donate… visit the author’s site at https://pi-hole.net/
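The one-line install pipes a remote script straight into a root shell, so a truncated or unexpected download runs without anyone seeing it. A more careful variant, added here as an example (not code from this article or from the Pi-hole project), saves the installer to disk and checks it first; the function names and the destination path are assumptions.

```bash
#!/usr/bin/env bash
# Added example: stage the installer on disk and vet it before running it as root.
INSTALL_URL="https://install.pi-hole.net"   # URL used in the article

# Download to a file: HTTPS only (also for redirects), fail on HTTP errors.
fetch_installer() {
    local dest="$1"
    curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL \
        "$INSTALL_URL" -o "$dest"
}

# Refuse a file that is empty, is not a shell script, or does not parse.
# A download that was cut off usually fails the "bash -n" syntax check.
# On success, print the SHA-256 so it can be kept with your install notes.
vet_installer() {
    local file="$1"
    [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
    head -n 1 "$file" | grep -Eq '^#!.*sh' ||
        { echo "first line is not a shell shebang" >&2; return 2; }
    bash -n "$file" 2>/dev/null ||
        { echo "syntax check failed (truncated download?)" >&2; return 3; }
    sha256sum "$file" | cut -d' ' -f1
}

# Typical use (left commented so that sourcing this file changes nothing):
#   fetch_installer /root/pihole-install.sh
#   vet_installer   /root/pihole-install.sh && less /root/pihole-install.sh
#   bash /root/pihole-install.sh
```

Reading the script in `less` before the last step is the actual review; the checks only catch a broken or obviously wrong download.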
Yes – there is something very nice and good: the PiHole server, which can protect your network. Just install it.
I do not want to repeat the installation steps, which are actually very well described on the website, so I will just include some commands.
- Install all updates for your system
apt-get update && apt-get upgrade
- Be sure you have curl installed – if not, run
apt-get install curl
- Now you are ready to use the automated script to install PiHole
curl -L https://install.pi-hole.net | bash
- Answer all the script’s questions and set up a fixed IP address – that is something you need. As the primary DNS server, use the one your service provider uses, or just select the Google DNS servers.
- After installation, check that no error was reported. If you have any, let me know – I can help you. Then test the filter:
- You should get no answer… site blocked.
- Generally your server is ready. If all went well, go to http://IP_OF_YOUR_PiHole/admin and check that you have a nice page like this…
- If your website is not working, just install it again, like this (as root you do not need to use sudo):
apt-get -y install php5-common php5-cgi php5 nano
lighty-enable-mod fastcgi fastcgi-php
wget https://github.com/jacobsalmela/AdminLTE/archive/master.zip -O /var/www/master.zip
unzip /var/www/master.zip -d /var/www/
unzip /var/www/master.zip -d /var/www/html/
lighttpd -v
mv /var/www/AdminLTE-master /var/www/html/admin
rm /var/www/master.zip 2>/dev/null
touch /var/log/pihole.log
chmod 644 /var/log/pihole.log
chown dnsmasq:root /var/log/pihole.log
- Now the server should be installed… we just need to set up lighttpd
and check that you have these entries (based on the author’s pages):
and restart the whole server with restart – or just the web server with
service lighttpd restart
- Now the last thing to do is to set up our internal DNS server. Your small micro computer now has a fixed internal IP. Define this IP as the primary DNS server and from now on it should be distributed to all computers connected to your local network. You should notice no advertisements and no dangerous pages – instead you get a blank page from your server. If you want a small image or a message saying that the page is blocked, not just an empty page, modify index.html in the /var/www/pinhole/ folder.
- If you think that PiHole is too restrictive – blocking too many domains – just go to /etc/pihole and modify adlists.default
This is the main configuration file which tells PiHole what sources to use for filtering. Just comment or un-comment the links which you think are causing issues. That should solve your problems.
- Adding a new domain to the blacklist? No problem:
and add the domain to the list.
- Adding a domain to the whitelist? The same, but as you can probably guess, this time we use the whitelist.txt file. I hope in the next version there will be a web editor to edit both lists, so it would be easy to add or remove domains from the lists.
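How the source lists, the blacklist and the whitelist combine into what the DNS server answers can be seen in a simplified model, added here as an example. It is not Pi-hole’s own script; the IP address, the function names and the file arguments are assumptions.

```bash
#!/usr/bin/env bash
# Added example: simplified model of building the block list.
PIHOLE_IP="192.168.1.2"   # constructed: fixed LAN address of the filter box

# Pull domain names out of hosts-format ("0.0.0.0 name") or plain-domain
# lists: strip comments, skip the address column, lower-case, and ignore
# bare IPs and dot-less names such as "localhost".
extract_domains() {
    cat "$@" | tr -d '\r' | sed 's/#.*//' |
        awk 'NF { s = (NF > 1) ? 2 : 1
                  for (i = s; i <= NF; i++) {
                      d = tolower($i)
                      if (d ~ /\./ && d !~ /^[0-9.]+$/) print d
                  } }' |
        sort -u
}

# build_blocklist WHITELIST BLACKLIST SOURCE...
# Result: (all sources + blacklist) minus whitelist, as "IP domain" lines.
# The whitelist always wins, even over a blacklist entry.
build_blocklist() {
    local white="$1" black="$2" allow
    shift 2
    allow=$(mktemp)
    extract_domains "$white" > "$allow"
    extract_domains "$@" "$black" | grep -vxFf "$allow" |
        awk -v ip="$PIHOLE_IP" '{ print ip, $0 }'
    rm -f "$allow"
}

# answer_for DOMAIN BLOCKLIST
# Prints the address a client would be given: the filter box itself for a
# blocked name, or "forward-upstream" when the query goes to the real DNS.
answer_for() {
    awk -v d="$1" '$2 == tolower(d) { print $1; hit = 1; exit }
                   END { if (!hit) print "forward-upstream" }' "$2"
}
```

Running `answer_for` on a domain before and after adding it to the whitelist file shows whether a site that stopped working was caught by one of the sources.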
To summarise – this is a very cheap and good solution. The setup is very basic and easy, and it allows us to control domains, for example those affected by phishing or malware. I think that generally, even if you click on a fake link in an e-mail, there is a big chance that nothing will happen to your money, as you would just see a white page. The idea of this system is brilliant: it simply replaces the suspected address with the IP of your small SoC, which serves a blank page.
And most important – I know how much even small projects take, so if you like this product, please donate to the author (not me – I’m here just to collect good and easy ideas and share them with you).
More information about PiHole system at this address: https://pi-hole.net/
In the next article I will try to show you how you can protect your whole network for free (almost – not counting hardware) with a UTM solution: a firewall/router with built-in antivirus, incident detection, malware detection and attack detection. I will just mention that during one week of testing I had more than 300 attacks recorded on my network. Personally, I think we now depend on the Internet: we use it for banking, shopping, health care and tax calculations. That is why we should protect OUR HOME NETWORK as much as possible. I did that in the last few days and had a chance to test 3 main UTM systems which are free – ClearOS, Sophos Firewall XG and Sophos UTM. Only those 3, as I had some targets which were important for me. But more about this in the next article…
I hope this one will be useful for some people…