mrimp/RaspberryPi-Pihole

## RaspberryPi-Pihole
# update,upgrade,depends
sudo apt-get update && sudo apt-get upgrade -y
sudo apt install dnsutils git qemu-guest-agent
# set static ip
sudo nano /etc/dhcpcd.conf
sudo dpkg-reconfigure --priority=low unattended-upgrades
# Verify unattended upgrades configuration file in your text editor of choice
nano /etc/apt/apt.conf.d/20auto-upgrades
# To disable automatic reboots by the automatic upgrades configuration edit the following file:
nano /etc/apt/apt.conf.d/50unattended-upgrades
# and uncomment the following line by removing the leading slashes:
//Unattended-Upgrade::Automatic-Reboot "false"
# debug
sudo unattended-upgrades -d
# Change time zone:
sudo timedatectl set-timezone
# add user
sudo adduser <username>
# add to sudoers
sudo usermod -aG sudo someuser
sudo adduser <username> video
sudo nano /etc/ssh/sshd_config
# uncomment this line: "PermitRootLogin prohibit-password"
# Save and exit. Restart SSH:
sudo service ssh restart
# Install Fail2Ban.
sudo apt install fail2ban
sudo nano /etc/fail2ban/jail.conf
# if you make any config changes, restart the service via:
sudo service fail2ban restart
# Install a firewall. Caution, don’t lock yourself out of your server.
# Install the package:
sudo apt install ufw
# Create your access list:
sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow 53
sudo ufw allow 8888
sudo ufw allow 22
sudo ufw allow from xxx.xxx.xxx.xxx port 22
# Enable the firewall:
sudo ufw enable
# To show rules once the firewall is enabled, run the following command:
sudo ufw status verbose
# Install log2ram
sudo apt update && sudo apt full-upgrade && wget https://github.com/azlux/log2ram/archive/master.tar.gz -O log2ram.tar.gz && tar xf log2ram.tar.gz && cd /home/pi/log2ram-master && sudo ./install.sh && sudo reboot
# Configure log2ram:
sudo nano /etc/log2ram.conf
# Increase the size to 100MB and the LOG_DISK_SIZE to 200M. Exit and save. Restart log2ram.
sudo service log2ram restart
# install RPi-Monitor
sudo apt-get install dirmngr && sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 2C0D3C0F && sudo wget http://goo.gl/vewCLL -O /etc/apt/sources.list.d/rpimonitor.list && sudo apt-get update
sudo apt-get install rpimonitor
# Configure RPi-Monitor to show network statistics:
sudo nano /etc/rpimonitor/template/network.conf
# Uncomment the first two sections that start with “dynamic.10” and “dynamic.11”. Comment out the third, fourth and fifth lines in the next section that start with “web.status.1” and uncomment the last one. Uncomment the next section that starts with “web.statistics.1”. Exit and save.
# Restart RPi-Monitor.
sudo service rpimonitor restart
# Update RPi-Monitor package status:
sudo /etc/init.d/rpimonitor update
# Check the RPi-Monitor web page at http://<IPAddress>:8888
# Install and Configure PiHole
sudo curl -sSL https://install.pi-hole.net | bash
# change the web admin password
pihole -a -p
# Install Unbound.
sudo apt install unbound
# Get root hints:
wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints
# Create the configuration for PiHole:
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf

<code>
server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes
# May be set to yes if you have IPv6 connectivity
    do-ip6: no
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no
# Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    root-hints: "/var/lib/unbound/root.hints"
# Trust glue only if it is within the server's authority
    harden-glue: yes
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no
# Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472
# Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes
    cache-min-ttl: 0
    serve-expired: yes
    msg-cache-size: 128m
    rrset-cache-size: 256m
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m
# Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
</code>

# Restart Unbound:
sudo service unbound restart
# Test Unbound
dig pi-hole.net @127.0.0.1 -p 5335
sudo crontab –e
# Paste the following:
30 2 * * SUN  pihole -up
05 01 15 */3 * wget -O /var/lib/unbound/root.hints https://www.internic.net/domain/named.root
# Exit and save.
# Login to your PiHole admin page at http://pi.hole/admin and use the password you saved from the install. Navigate to Settings, and click on the DNS tab. Uncheck Google and check custom and enter 127.0.0.1#5335. Click Save at the bottom.
# A good resource for block lists is https://firebog.net/ which has several categories of block lists
	# update,upgrade,depends
	sudo apt-get update && sudo apt-get upgrade -y
	sudo apt install dnsutils git qemu-guest-agent
	# set static ip
	sudo nano /etc/dhcpcd.conf
	sudo dpkg-reconfigure --priority=low unattended-upgrades
	# Verify unattended upgrades configuration file in your text editor of choice
	nano /etc/apt/apt.conf.d/20auto-upgrades
	# To disable automatic reboots by the automatic upgrades configuration edit the following file:
	nano /etc/apt/apt.conf.d/50unattended-upgrades
	# and uncomment the following line by removing the leading slashes:
	//Unattended-Upgrade::Automatic-Reboot "false"
	# debug
	sudo unattended-upgrades -d
	# Change time zone:
	sudo timedatectl set-timezone
	# add user
	sudo adduser <username>
	# add to sudoers
	sudo usermod -aG sudo someuser
	sudo adduser <username> video
	sudo nano /etc/ssh/sshd_config
	# uncomment this line: "PermitRootLogin prohibit-password"
	# Save and exit. Restart SSH:
	sudo service ssh restart
	# Install Fail2Ban.
	sudo apt install fail2ban
	sudo nano /etc/fail2ban/jail.conf
	# if you make any config changes, restart the service via:
	sudo service fail2ban restart
	# Install a firewall. Caution, don’t lock yourself out of your server.
	# Install the package:
	sudo apt install ufw
	# Create your access list:
	sudo ufw allow 80
	sudo ufw allow 443
	sudo ufw allow 53
	sudo ufw allow 8888
	sudo ufw allow 22
	sudo ufw allow from xxx.xxx.xxx.xxx port 22
	# Enable the firewall:
	sudo ufw enable
	# To show rules once the firewall is enabled, run the following command:
	sudo ufw status verbose
	# Install log2ram
	sudo apt update && sudo apt full-upgrade && wget https://github.com/azlux/log2ram/archive/master.tar.gz -O log2ram.tar.gz && tar xf log2ram.tar.gz && cd /home/pi/log2ram-master && sudo ./install.sh && sudo reboot
	# Configure log2ram:
	sudo nano /etc/log2ram.conf
	# Increase the size to 100MB and the LOG_DISK_SIZE to 200M. Exit and save. Restart log2ram.
	sudo service log2ram restart
	# install RPi-Monitor
	sudo apt-get install dirmngr && sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 2C0D3C0F && sudo wget http://goo.gl/vewCLL -O /etc/apt/sources.list.d/rpimonitor.list && sudo apt-get update
	sudo apt-get install rpimonitor
	# Configure RPi-Monitor to show network statistics:
	sudo nano /etc/rpimonitor/template/network.conf
	# Uncomment the first two sections that start with “dynamic.10” and “dynamic.11”. Comment out the third, fourth and fifth lines in the next section that start with “web.status.1” and uncomment the last one. Uncomment the next section that starts with “web.statistics.1”. Exit and save.
	# Restart RPi-Monitor.
	sudo service rpimonitor restart
	# Update RPi-Monitor package status:
	sudo /etc/init.d/rpimonitor update
	# Check the RPi-Monitor web page at http://<IPAddress>:8888
	# Install and Configure PiHole
	sudo curl -sSL https://install.pi-hole.net \| bash
	# change the web admin password
	pihole -a -p
	# Install Unbound.
	sudo apt install unbound
	# Get root hints:
	wget https://www.internic.net/domain/named.root -qO- \| sudo tee /var/lib/unbound/root.hints
	# Create the configuration for PiHole:
	sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf

	<code>
	server:
	# If no logfile is specified, syslog is used
	# logfile: "/var/log/unbound/unbound.log"
	verbosity: 0
	interface: 127.0.0.1
	port: 5335
	do-ip4: yes
	do-udp: yes
	do-tcp: yes
	# May be set to yes if you have IPv6 connectivity
	do-ip6: no
	# You want to leave this to no unless you have native IPv6. With 6to4 and
	# Terredo tunnels your web browser should favor IPv4 for the same reasons
	prefer-ip6: no
	# Use this only when you downloaded the list of primary root servers!
	# If you use the default dns-root-data package, unbound will find it automatically
	root-hints: "/var/lib/unbound/root.hints"
	# Trust glue only if it is within the server's authority
	harden-glue: yes
	# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
	harden-dnssec-stripped: yes
	# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
	# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
	use-caps-for-id: no
	# Reduce EDNS reassembly buffer size.
	# Suggested by the unbound man page to reduce fragmentation reassembly problems
	edns-buffer-size: 1472
	# Perform prefetching of close to expired message cache entries
	# This only applies to domains that have been frequently queried
	prefetch: yes
	cache-min-ttl: 0
	serve-expired: yes
	msg-cache-size: 128m
	rrset-cache-size: 256m
	# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
	num-threads: 1
	# Ensure kernel buffer is large enough to not lose messages in traffic spikes
	so-rcvbuf: 1m
	# Ensure privacy of local IP ranges
	private-address: 192.168.0.0/16
	private-address: 169.254.0.0/16
	private-address: 172.16.0.0/12
	private-address: 10.0.0.0/8
	private-address: fd00::/8
	private-address: fe80::/10
	</code>

	# Restart Unbound:
	sudo service unbound restart
	# Test Unbound
	dig pi-hole.net @127.0.0.1 -p 5335
	sudo crontab –e
	# Paste the following:
	30 2 * * SUN pihole -up
	05 01 15 /3 wget -O /var/lib/unbound/root.hints https://www.internic.net/domain/named.root
	# Exit and save.
	# Login to your PiHole admin page at http://pi.hole/admin and use the password you saved from the install. Navigate to Settings, and click on the DNS tab. Uncheck Google and check custom and enter 127.0.0.1#5335. Click Save at the bottom.
	# A good resource for block lists is https://firebog.net/ which has several categories of block lists