Convert Your Old Laptop Into a Security Monitoring & URL Filtering Server (Part 2)
Pi-hole & Prometheus Configuration
In Part 1, we discussed about the basic design and setup our VMs. At this point, you should have 2 virtual machines running the latest version of Ubuntu with static IP addresses accessible via SSH on your home network.
Let’s start by installing Pi-hole on our first VM.
Installing & configuring Pi-hole
SSH to the first VM and run the below command to start up the Pi-hole installer and let it run -
curl -sSL https://install.pi-hole.net | bash
Select the default domain list for now, we will be adding more lists later.
Select recommended options and continue, select show everything to log all queries on your network.
Once the installation is complete, check if Pi-hole is running using command pihole status. If everything looks good and the DNS service is listening, the VM IP can now be added to the DHCP config as your primary DNS to be pushed out to the devices on your home network.
Run pihole -a -p to set a new password for the web interface. Logon to the web interface using http://<IP>/admin
Pihole is up and running with the default ad blocking domain list at this point. Go ahead and login using the password we set earlier and navigate to Group Management > Adlists. This is where we will be adding our domain lists for URL filtering.
The default list that comes with Pi-hole is here. As you can notice, all the ad related domains have been assigned 0.0.0.0 as the IP address in the list and won’t reach the internet. The IP returned for blocked URLs depends on the list under which it is blocked. Now, we’ll add more lists to utilize the full potential of Pi-hole and block malicious URLs. A great resource to get block lists is firebog.
Let’s go ahead and add this list here to blacklist more domains.
Paste the list URL and hit add, then navigate to http://<IP>/admin/gravity.php and hit update
Notice on the Dashboard that the Domains on Blocklist have increased.
The more domains and blocklists we add, higher will be the chances of encountering false positives and unintended domains getting blocked on our network. Refer to this list of commonly whitelisted domains on the Pi-hole forum for some common web services, to avoid false positives if you use any of them.
To whitelist a domain — pihole -w <domain>
To blacklist a domain - pihole -b <domain>All queries are logged and can be checked from the Query Log section on the Pi-hole admin console.
Local DNS entries for the home network can also be added from the Local DNS section.
You can explore Pi-hole and tweak settings as per your requirements. We will now proceed to install and set up our monitoring tools.
Before proceeding to setup Prometheus, we need to install an exporter for Pi-hole, to send metrics to our Prometheus instance.
A Prometheus Exporter extracts data from another non-Prometheus system and converts that data into Prometheus metrics and starts a web server on a port on that server with a /metrics URL, and this URL displays the exported system metrics. There is a custom exporter available for Pi-hole and we will be installing that on our Pi-hole VM to send statistics to Prometheus. Pi-hole exporter requires Golang to run.
First let’s install go by running —
sudo apt install golang-goOnce go has been installed, run -
go get -u github.com/eko/pihole-exporterNavigate to pihole-exporter and build the tool -
cd pihole-exporter/
go build -o pihole_exporterRun pihole_exporter as a background process -
./pihole_exporter -pihole_password *password* > /dev/null 2>&1 &
You can go to http://<PiholeVM-IP>:9617/metrics to view that the metrics are being collected successfully.(By default, the port used is 9617, this can be changed if needed in the config/configuration.go file)
Prometheus — Installation & setup
SSH to the second VM we created for our monitoring tools in Part 1.
To install Prometheus, head over to https://prometheus.io/download/ and grab the link for the latest Linux release.
Download the tar file using the link— wget linkExtract the downloaded tar.gz file-
tar xvzf prometheus-2.30.0.linux-amd64.tar.gz
mv prometheus-2.30.0.linux-amd64 prometheus (rename folder)We will now add our Pi-hole exporter as a target on Prometheus to collect metrics. Navigate to the prometheus.yml file, and in the scrape_configs section, add the Pi-hole VM IP with port 9617 in the targets-
targets: [“localhost:9090”,”<Pi-hole IP>:9617"]Navigate to the extracted folder and run prometheus as a background process -
cd prometheus/
./prometheus > /dev/null 2>&1 &Check running jobs -
jobs -l
Prometheus should now be up and running. By default, Prometheus web console runs on port 9090. To change to a different port,
./prometheus --web.listen-address=”:8080" > /dev/null 2>&1 &Head over to http://<VM-IP>:9090/targets, there should be two targets, both with state as up.
We will conclude our setup in Part 3, where we’ll be installing Grafana and talk about some enhancements and final thoughts.
