Last active
December 11, 2021 23:09
-
-
Save mrimp/47c11026e28c5150fa934c26477f6cec to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# update,upgrade,depends | |
sudo apt-get update && sudo apt-get upgrade -y | |
sudo apt install dnsutils git qemu-guest-agent | |
# set static ip | |
sudo nano /etc/dhcpcd.conf | |
sudo dpkg-reconfigure --priority=low unattended-upgrades | |
# Verify unattended upgrades configuration file in your text editor of choice | |
nano /etc/apt/apt.conf.d/20auto-upgrades | |
# To disable automatic reboots by the automatic upgrades configuration edit the following file: | |
nano /etc/apt/apt.conf.d/50unattended-upgrades | |
# and uncomment the following line by removing the leading slashes: | |
//Unattended-Upgrade::Automatic-Reboot "false" | |
# debug | |
sudo unattended-upgrades -d | |
# Change time zone: | |
sudo timedatectl set-timezone | |
# add user | |
sudo adduser <username> | |
# add to sudoers | |
sudo usermod -aG sudo someuser | |
sudo adduser <username> video | |
sudo nano /etc/ssh/sshd_config | |
# uncomment this line: "PermitRootLogin prohibit-password" | |
# Save and exit. Restart SSH: | |
sudo service ssh restart | |
# Install Fail2Ban. | |
sudo apt install fail2ban | |
sudo nano /etc/fail2ban/jail.conf | |
# if you make any config changes, restart the service via: | |
sudo service fail2ban restart | |
# Install a firewall. Caution, don’t lock yourself out of your server. | |
# Install the package: | |
sudo apt install ufw | |
# Create your access list: | |
sudo ufw allow 80 | |
sudo ufw allow 443 | |
sudo ufw allow 53 | |
sudo ufw allow 8888 | |
sudo ufw allow 22 | |
sudo ufw allow from xxx.xxx.xxx.xxx port 22 | |
# Enable the firewall: | |
sudo ufw enable | |
# To show rules once the firewall is enabled, run the following command: | |
sudo ufw status verbose | |
# Install log2ram | |
sudo apt update && sudo apt full-upgrade && wget https://github.com/azlux/log2ram/archive/master.tar.gz -O log2ram.tar.gz && tar xf log2ram.tar.gz && cd /home/pi/log2ram-master && sudo ./install.sh && sudo reboot | |
# Configure log2ram: | |
sudo nano /etc/log2ram.conf | |
# Increase the size to 100MB and the LOG_DISK_SIZE to 200M. Exit and save. Restart log2ram. | |
sudo service log2ram restart | |
# install RPi-Monitor | |
sudo apt-get install dirmngr && sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 2C0D3C0F && sudo wget http://goo.gl/vewCLL -O /etc/apt/sources.list.d/rpimonitor.list && sudo apt-get update | |
sudo apt-get install rpimonitor | |
# Configure RPi-Monitor to show network statistics: | |
sudo nano /etc/rpimonitor/template/network.conf | |
# Uncomment the first two sections that start with “dynamic.10” and “dynamic.11”. Comment out the third, fourth and fifth lines in the next section that start with “web.status.1” and uncomment the last one. Uncomment the next section that starts with “web.statistics.1”. Exit and save. | |
# Restart RPi-Monitor. | |
sudo service rpimonitor restart | |
# Update RPi-Monitor package status: | |
sudo /etc/init.d/rpimonitor update | |
# Check the RPi-Monitor web page at http://<IPAddress>:8888 | |
# Install and Configure PiHole | |
sudo curl -sSL https://install.pi-hole.net | bash | |
# change the web admin password | |
pihole -a -p | |
# Install Unbound. | |
sudo apt install unbound | |
# Get root hints: | |
wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints | |
# Create the configuration for PiHole: | |
sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf | |
<code> | |
server: | |
# If no logfile is specified, syslog is used | |
# logfile: "/var/log/unbound/unbound.log" | |
verbosity: 0 | |
interface: 127.0.0.1 | |
port: 5335 | |
do-ip4: yes | |
do-udp: yes | |
do-tcp: yes | |
# May be set to yes if you have IPv6 connectivity | |
do-ip6: no | |
# You want to leave this to no unless you have *native* IPv6. With 6to4 and | |
# Terredo tunnels your web browser should favor IPv4 for the same reasons | |
prefer-ip6: no | |
# Use this only when you downloaded the list of primary root servers! | |
# If you use the default dns-root-data package, unbound will find it automatically | |
root-hints: "/var/lib/unbound/root.hints" | |
# Trust glue only if it is within the server's authority | |
harden-glue: yes | |
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS | |
harden-dnssec-stripped: yes | |
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes | |
# see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details | |
use-caps-for-id: no | |
# Reduce EDNS reassembly buffer size. | |
# Suggested by the unbound man page to reduce fragmentation reassembly problems | |
edns-buffer-size: 1472 | |
# Perform prefetching of close to expired message cache entries | |
# This only applies to domains that have been frequently queried | |
prefetch: yes | |
cache-min-ttl: 0 | |
serve-expired: yes | |
msg-cache-size: 128m | |
rrset-cache-size: 256m | |
# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1. | |
num-threads: 1 | |
# Ensure kernel buffer is large enough to not lose messages in traffic spikes | |
so-rcvbuf: 1m | |
# Ensure privacy of local IP ranges | |
private-address: 192.168.0.0/16 | |
private-address: 169.254.0.0/16 | |
private-address: 172.16.0.0/12 | |
private-address: 10.0.0.0/8 | |
private-address: fd00::/8 | |
private-address: fe80::/10 | |
</code> | |
# Restart Unbound: | |
sudo service unbound restart | |
# Test Unbound | |
dig pi-hole.net @127.0.0.1 -p 5335 | |
sudo crontab –e | |
# Paste the following: | |
30 2 * * SUN pihole -up | |
05 01 15 */3 * wget -O /var/lib/unbound/root.hints https://www.internic.net/domain/named.root | |
# Exit and save. | |
# Login to your PiHole admin page at http://pi.hole/admin and use the password you saved from the install. Navigate to Settings, and click on the DNS tab. Uncheck Google and check custom and enter 127.0.0.1#5335. Click Save at the bottom. | |
# A good resource for block lists is https://firebog.net/ which has several categories of block lists |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment