705 posts

Ultimate Geek
+1 received by user: 144


  Reply # 1530392 12-Apr-2016 07:16

@michaelmurfy thanks for pi-hole suggestion. I had to read it 3 times before I finally understood it all. And that's not a dig at your articulation.

I do appreciate all your posts, so informative and practical too.

So in the physical network configuration, would the raspberry-pi be connected to a LAN port of the router? (Our UFB connection only requires setting up the router as a DHCP client, with VLAN tagging set to 10.)

Meow
7281 posts

Uber Geek
+1 received by user: 3482

Moderator
Trusted
Lifetime subscriber

  Reply # 1530432 12-Apr-2016 08:22

Kiwifruta: @michaelmurfy thanks for pi-hole suggestion. I had to read it 3 times before I finally understood it all. And that's not a dig at your articulation.

I do appreciate all your posts, so informative and practical too.

So in the physical network configuration, would the raspberry-pi be connected to a LAN port of the router? (Our UFB connection only requires setting up the router as a DHCP client, with VLAN tagging set to 10.)

 

Sure is - essentially set the DHCP server on your router to hand out the address of your Pi-Hole installation. I've currently got it running on a Raspberry Pi (Primary DNS) as well as a Debian server (Secondary DNS) with some sync scripts keeping all the configuration in check (screenshot). Both instances are running dnscrypt for security.





 
 
 
 


1493 posts

Uber Geek
+1 received by user: 131

Trusted

  Reply # 1530433 12-Apr-2016 08:29

Pi-hole will stop sky go from working.. Haven't found the right hosts to white list yet




CPU: Intel 3770k| RAM: F3-2400C10D-16GTX G.Skill Trident X |MB:  Gigabyte Z77X-UD5H-WB | GFX: GV-N660OC-2GD gv-n660oc-2gd GeForce GTX 660 | Monitor: Qnix 27" 2560x1440

 

Want to be with an awesome ISP? Want $20 credit too? Use this link to sign up to BigPipe.


Meow
7281 posts

Uber Geek
+1 received by user: 3482

Moderator
Trusted
Lifetime subscriber

  Reply # 1530614 12-Apr-2016 12:01

mentalinc: Pi-hole will stop sky go from working.. Haven't found the right hosts to white list yet

 

Appears to be working with me? But I don't have Sky so can't sign in to fully test.





1493 posts

Uber Geek
+1 received by user: 131

Trusted

  Reply # 1530987 12-Apr-2016 18:25

It fails to start the stream playing. You can log in; it's just that once it should start playing, nothing happens, then you get an error message.









705 posts

Ultimate Geek
+1 received by user: 144


  Reply # 1532814 14-Apr-2016 00:10

Looks like I'll stay with OpenWrt for now and add pi-hole support later on.
What are your recommendations for
i) securing a home network
ii) keeping the kids safe, besides teaching them, which we already do


Meow
7281 posts

Uber Geek
+1 received by user: 3482

Moderator
Trusted
Lifetime subscriber

  Reply # 1532817 14-Apr-2016 02:25

Kiwifruta: Looks like I'll stay with OpenWrt for now and add pi-hole support later on.
What are your recommendations for
i) securing a home network
ii) keeping the kids safe, besides teaching them, which we already do

 

Sorry what I was getting at was this:

 

 

So, with a pi-hole you can add custom lists (including massive ones to block adult sites), but also you're able to put a file in your /etc/dnsmasq.d/ directory to enforce Google Safesearch:

 

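#/etc/dnsmasq.d/safesearch.conf
# dnsmasq's cname option separates the alias and the target with a comma, not a slash.
# The target must be a name dnsmasq knows locally (e.g. from /etc/hosts), not one fetched upstream.
cname=google.co.nz,forcesafesearch.google.com
cname=google.com,forcesafesearch.google.com
cname=google.com.au,forcesafesearch.google.com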

 

When you redirect your DNS to your pi-hole it'll force all DNS queries to get filtered before passing over to OpenDNS family shield - this will in turn add an extra layer of protection. This doesn't stop a tech-savvy kid from doing something like using a proxy server to access the internet, however it will filter most queries.

 

There is no solution that is 100% effective - trust me. SNUP (Network4learning) has this constant problem and yes I've seen kids find ways to get around that to pr0n or obscene imagery - now, the network4learning is a pretty aggressive proxy solution designed for schools. But, with running your own DNS server it means you're able to monitor the DNS queries coming from your family's devices and if you don't like it - just add it to the /etc/pihole/blacklist.conf file and run pihole -g to update your lists.

 

This is the reason I recommended it - it gives you flexibility, is a cheap solution and works really well - plus, enables you to use OpenDNS over dnscrypt.

 

Lastly, if you really wanted to enforce your actions, adding firewall rules on your OpenWRT router to block anything but Port 80 / 443 (and maybe 25565 if they're into Minecraft like most kids) will ensure products like Tunnelbear etc should fail to connect, however even such products are savvy at getting past even the most strict firewall solutions.

 

tl;dr: did work for schools, no solution is going to be 100% but the above will get 99% sorted.
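
An added example, not part of the original post: one way to do the query monitoring described above is to summarise the dnsmasq query log per client and list the domains that were answered rather than blocked, as candidates for the blacklist. It assumes query logging in dnsmasq's `log-queries` format (on a Pi-hole typically /var/log/pihole.log) and treats any answer served from a local file as blocked; `summarise`, `review_candidates` and the sample log are illustrative.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in dnsmasq's log-queries format (not from the thread).
# 192.0.2.53 stands in for the upstream resolver, 192.168.1.2 for the Pi-hole.
SAMPLE_LOG = """\
Apr 14 02:25:01 dnsmasq[812]: query[A] www.example.com from 192.168.1.23
Apr 14 02:25:01 dnsmasq[812]: forwarded www.example.com to 192.0.2.53
Apr 14 02:25:01 dnsmasq[812]: reply www.example.com is 198.51.100.7
Apr 14 02:25:02 dnsmasq[812]: query[A] ads.example.net from 192.168.1.23
Apr 14 02:25:02 dnsmasq[812]: /etc/pihole/gravity.list ads.example.net is 192.168.1.2
Apr 14 02:25:09 dnsmasq[812]: query[A] proxy.example.org from 192.168.1.40
Apr 14 02:25:09 dnsmasq[812]: forwarded proxy.example.org to 192.0.2.53
Apr 14 02:25:30 dnsmasq[812]: query[AAAA] proxy.example.org from 192.168.1.40
Apr 14 02:25:30 dnsmasq[812]: cached proxy.example.org is NODATA-IPv6
Apr 14 02:25:31 dnsmasq[812]: this line is malformed and gets skipped
"""

# "<verb> <domain> from|to|is <value>" after the dnsmasq[pid] prefix.
LINE = re.compile(r"dnsmasq\[\d+\]: (\S+) (\S+) (?:from|to|is) (\S+)$")


def summarise(log_text):
    """Return (allowed, blocked): per-client Counters of queried domains."""
    allowed, blocked = defaultdict(Counter), defaultdict(Counter)
    pending = {}  # domain -> client whose query is awaiting an outcome
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        verb, domain, value = m.groups()
        if verb.startswith("query["):
            pending[domain] = value
        elif verb in ("forwarded", "cached") or verb.startswith("/"):
            client = pending.pop(domain, None)
            if client is None:
                continue  # extra answer line for a query already counted
            # A path as the verb means a local list file answered: blocked.
            (blocked if verb.startswith("/") else allowed)[client][domain] += 1
    return allowed, blocked


def review_candidates(log_text, min_hits=1):
    """Domains that got past the filter, busiest first, for manual review."""
    allowed, _ = summarise(log_text)
    rows = [(client, domain, hits)
            for client, counts in allowed.items()
            for domain, hits in counts.items() if hits >= min_hits]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


if __name__ == "__main__":
    for client, domain, hits in review_candidates(SAMPLE_LOG):
        print(f"{client:15} {hits:3}  {domain}")
```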







705 posts

Ultimate Geek
+1 received by user: 144


  Reply # 1532972 14-Apr-2016 12:13

Thanks Michael. My name is Dwayne by the way.

My cousin fell victim to ransomware, by clicking on a .zip file purportedly from her ISP. She didn't pay up but reinstalled her OS and lost her files from her studies as a consequence.

I said I'd help her set up her computer (and hopefully router too if it's up to the task) to prevent that and other things happening again. I've googled around and read a few things about securing a home network, most of the key ones I knew already, but I knew there was still more I didn't know. This prompted my starting this thread. I was wondering if pfSense (or OpenWrt) could be used to filter out dodgy emails or email attachments. I imagine the blacklist (or algorithms) for filtering dodgy email attachments would be huge and beyond the hardware capabilities of a non-x86 OpenWrt consumer router, and more suited to router firmware installed on an x86 device. However, maybe a raspberry pi could do this too.

Best practice, obviously, is to not set up users with administrator rights and never open such attachments in the first place. But not everyone knows that, or would even know how to implement it. So I began thinking is there a solution that can be set up on router (or a replacement to the ISP provided modem/router) at home to guard the home network? With IoT here, home networks need to be even more secure.

Putting anti-virus etc software on a PC, smart device etc, impacts the devices' performances and can become expensive when there are many devices, and if a visitor logs on to a friend's wifi network and there is some sort of malware on their device it can still do some damage on the host's network. So a solution located at the gateway would be much more cost effective and a set up once and work forever solution.

Thanks for pointing out the google forced strict search on the router.












725 posts

Ultimate Geek
+1 received by user: 130


  Reply # 1533867 16-Apr-2016 08:45

I tried searching for "Pi-hole", but my pfSense's filtering (pfBlockerNG and custom host files) censored the term.

 

You have to admit that "Pi-hole" sounds just too dodgy.


Meow
7281 posts

Uber Geek
+1 received by user: 3482

Moderator
Trusted
Lifetime subscriber

  Reply # 1533878 16-Apr-2016 10:14

In that case: https://goo.gl/PW3KUS (had to shorten that link because of the company being "Foolish IT" and if you put those words together you get a word that GZ doesn't like).

 

I've got some ransomware samples so will run them on a VM to see if it gets owned.





725 posts

Ultimate Geek
+1 received by user: 130


  Reply # 1533880 16-Apr-2016 10:30

I should have added a smiley to the pi-hole post above ;)



705 posts

Ultimate Geek
+1 received by user: 144


  Reply # 1542220 26-Apr-2016 14:28

Two questions for @MichaelMurfy
1) How do I set up dnscrypt (OpenDNS Family Shield) on OpenWrt and use dnsmasq (using a modified version of your hosts file unblocking tutorial) with dns4me?

No need to write specific commands but the general gist/description of what needs to be done should be enough.

I've tried a few times but lost the internet connection. I think I had forgotten to update the gateway address (in the configuration) from 192.168.1.1 to my router's IP address. My router is back now at home and in use, so I cannot risk stuffing it up if I try again, and wipe out internet access for the rest of the family.

I also had in the firewall your iptables command to redirect port 53 traffic to the router and the OpenDNS Family Shield was entered on the WAN side.

2) How do I force google safe search on OpenWrt?
Again I tried and stuffed something up and lost internet connectivity.

Cheers

If it's all too much bother, then tell me.

Meow
7281 posts

Uber Geek
+1 received by user: 3482

Moderator
Trusted
Lifetime subscriber

  Reply # 1542510 27-Apr-2016 02:19

@Kiwifruta

 

1) Setting up dnscrypt on OpenWRT is pretty straight-forward however my only experience was on an alternative firmware (Tomato Shibby or Advanced Tomato) which has the dnscrypt client built in. By following the guide on the OpenWRT Wiki you should be able to set it up in a snap - https://wiki.openwrt.org/inbox/dnscrypt and for OpenDNS Family Shield use "cisco-familyshield" instead of Cisco in that guide (is in the file /usr/share/dnscrypt-proxy/dnscrypt-resolvers.csv).

 

2) Safesearch on OpenWRT should be pretty straight-forward. A way of doing it would be to add a new file in /etc/dnsmasq.d/safesearch.conf with:

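#/etc/dnsmasq.d/safesearch.conf
# dnsmasq's cname option separates the alias and the target with a comma, not a slash.
# The target must be a name dnsmasq knows locally (e.g. from /etc/hosts), not one fetched upstream.
cname=google.co.nz,forcesafesearch.google.com
cname=google.com,forcesafesearch.google.com
cname=google.com.au,forcesafesearch.google.com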

 

I don't have an OpenWRT router so not 100% sure on this one sorry.
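
An added example, not code from the thread: a check to run over a safesearch.conf before dnsmasq is restarted on a router the household depends on. dnsmasq's cname option takes comma-separated fields, and its target has to be a name dnsmasq knows locally (a hosts file or another cname) rather than one it would fetch upstream; `lint_cnames` and the sample data are illustrative, and 192.0.2.10 is a placeholder, not Google's address.

```python
def parse_hosts(hosts_text):
    """Names defined in hosts-file format: '<ip> <name> [<alias>...]'."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(n.lower() for n in fields[1:])
    return names


def lint_cnames(conf_text, hosts_text=""):
    """Return [(line_no, problem)] for cname= lines dnsmasq cannot serve."""
    problems, parsed = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("cname="):
            continue  # comments, blanks and other options are out of scope
        parts = [p.strip().lower() for p in line[len("cname="):].split(",")]
        if parts[-1].isdigit():  # optional trailing TTL
            parts.pop()
        if len(parts) < 2 or not all(parts):
            hint = " ('/' used instead of ','?)" if "/" in line else ""
            problems.append((no, "expected cname=<alias>,<target>" + hint))
            continue
        parsed.append((no, parts[:-1], parts[-1]))
    # Names dnsmasq can answer itself: hosts entries plus other cname aliases.
    local = parse_hosts(hosts_text)
    local.update(a for _, aliases, _ in parsed for a in aliases)
    for no, _, target in parsed:
        if target not in local:
            problems.append((no, f"target {target} is not a locally known name"))
    return sorted(problems)


# Constructed inputs for the demonstration.
SLASH_FORM = "cname=google.com/forcesafesearch.google.com\n"
COMMA_FORM = (
    "#/etc/dnsmasq.d/safesearch.conf\n"
    "cname=google.co.nz,forcesafesearch.google.com\n"
    "cname=google.com,forcesafesearch.google.com\n"
)
HOSTS = "192.0.2.10 forcesafesearch.google.com  # placeholder address\n"

if __name__ == "__main__":
    for label, conf, hosts in (("slash", SLASH_FORM, ""),
                               ("comma, no hosts entry", COMMA_FORM, ""),
                               ("comma + hosts entry", COMMA_FORM, HOSTS)):
        print(label, "->", lint_cnames(conf, hosts) or "ok")
```

`dnsmasq --test` runs dnsmasq's own syntax check of the configuration without starting the server.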




