In part one we set up port forwarding, SSH server and install the web server with all his security stuff.
Now everything is set up to continue with the installation of the other services
Pi-hole
I use some privacy extensions on my browser, such as Privacy Badger, HTTPS Everywhere,Facebook container (that is kind of cool to separate your websites and it's build by default on Firefox), Pure URL and finally uBlock.
I'm a big fan of this last one, because as we know there are many advertisements on pages we visited (yeah yeah I know that many pages are mantained because of ads and clicks) but many times they are annoying.
But these are addons that I installed on my browser PC, what about my local network devices? such as my smarphone, the smartphone of my parents, brother or a guest, I know there are apps that I can installed and have this, but I'm not going to do this with every guest coming to my house.
For this purpose is a service called Pi-hole "A black hole for Internet advertisements".
This service is going to help us to block ads in all our local network devices.
In the official site is all the step by step installation.
Two web servers living together
As we mention before, we are using Apache as our default web server, but to install Pi-hole, we are going to install another web server called Lighttpd. Pi-hole have a web interface dashboard to view the stats, change settings and configure some aspects of our Pi-hole.
This service is not going to be exposed, this service is only going to serve in our local network, but to see the web interface dashboard, we need to change the default port of Lighttp because it is going to have issues with Apache that servers on port 80.
When we install Lighttp, automatically the service is up so we are going to stop apache before we install Pi-hole just doing
# systemctl stop apache
Once you install Pi-hole you need to change Lighttp port at /etc/lighttpd/lighttpd.conf changing the server.port line putting your prefer port
after doing this you need to restart the service and if everything goes ok, you will be able to see your Pi-hole dashboard in the port you specify.
In my case it was port 8080, the local ip of my Raspberry is 192.168.1.110 so your dashboard should look like this.
Setting up the service on your home router
To use this service as it should be, is necessary to make a change in the DNS addresses of our router as shown below.
You need to add the local address of the Raspberry and so, any device that connects to your network will have the benefits of Pi-hole.
Summarizing:
- Stop Apache service.
- Install Pi-hole and Lighttpd.
- Change Lighttpd port.
- Set Raspberry IP address as DNS in your home router.
Your private cloud
I'm not kind of paranoid, but I thing that having your own stuff and infrastructure is cool.
In this section I'm going to show how I install ownCloud a file sharing server that puts the control and security of your own data back into your hands.
I know there are other services such as NextCloud, but this time I'm goig to use this service.
Installation
The installation is very easy, we just need to download a compress package and decompress it in our web server folder.
I had some issues starting ownCloud because the server needed some php modules that were not installed, but it was very easy to install them just doing apt search <php-module> to search the module you need.
After install all the packages, your ownCloud it will be ready.
Note: I follow the recommended configuration of owncloud documentation setting up ownCloud outside of the document root
After doing this, we are already be able to upload all the things we want even through our cellphone using the ownCloud app.
Summarizing:
- Download the compress package of ownCloud and extract it
- Install the necessary php modules
- Configure Apache
- Downlod the phone app (optional)
Your own VPN service
Maybe your are going to say that there are many services running on my tiny little Rasp, but watching the performance is everything ok.
The final thing I got on the Raspi is my VPN service. I really like this service because is an awesome tool when I'm outside and connected to some public WiFi (obviously checking log in requirements of public WiFi).
Again, this is very easy to install using pivpn.
Note: I know that this install method is automatic and everything is easy and fast. One time I set manually a VPN and for me it was hard, configuring security, keys etc, but at the end this things work you learn a lot doing that stuff. This pivpn method simplified many things and steps.
The next step will be open a new port in our home router to have access in the outside, we need to open you specify in the installation.
After install pivpn you need to add clients and generate the private key and the ovpn file that is are going to use to connect to the VPN.
Now we can use OpenVPN aplication in our PC or the app in our phone to connect to our VPN and this is going to be very useful when we want to preserve privacy when we were connect in some public space.
Summarizing:
- Follow the guide of pivpn
- Open the port in our home router
- Generate the keys and the profile
- Copy them to our phone or pc
- Connect to our VPN using the OpenVPN aplication
Fail2ban
At this point you will have a device that is exposed to the Internet, maybe in one day if not less you will see a lot of login attempts in your secure logs, that's other reason why I have exposed the Raspi, to learn more about secure, read logs, configure things, etc.
I install a service call fail2ban that is use to mitigate the brute force attacks by users and bots.
Final thoughts
The first service I put on the Rasp was a middle Tor relay, I took it off because I didn't see that it had a lot of traffic, but also using Tor with a raspberry is a great option.
Also I would like to use the rasp as a honeypot to keep learning more about security.
As I said at the beginning I dared to write this, first because I believe in share the knowledge is awesome, I like a lot the free software filosophy and I think that the set of services that I'm running, they seem useful to me and maybe for you.
Thanks a lot to read and any constructive criticism is welcome.
Latest comments (0)