Convert Your Old Laptop Into a Security Monitoring & URL Filtering Server (Part 3)

Setting up Grafana & Enhancements

Pratinav Chandra
Sep 23, 2021

In Part 2, we successfully configured Pi-hole and Prometheus and also set up our exporter to feed metrics to Prometheus. In this final part, we’ll get our dashboard ready and talk about some enhancements, some disadvantages of Pi-hole, and how to further harden security.

Grafana — Installation & setup

Now that we have our Pi-hole metrics being scraped by Prometheus, we can install and set up Grafana and add Prometheus as our data source to build dashboards.

To install Grafana, get the download link for the latest version of the Linux binaries from here.

Download and extract the tar file -

wget https://dl.grafana.com/enterprise/release/grafana-enterprise-8.1.5.linux-amd64.tar.gz
tar xvzf grafana-enterprise-8.1.5.linux-amd64.tar.gz
mv grafana-8.1.5 grafana   # rename folder

Run as background process -

cd grafana/bin
./grafana-server > /dev/null 2>&1 &

By default, the Grafana web console runs on port 3000. To change to another port if required, edit the value of the http_port parameter in the grafana/conf/defaults.ini file.

Go to the Grafana web interface http://<VM-IP>:3000/ and log in using the default credentials admin/admin. Change to a new password when prompted.

Grafana home

We now have Grafana up and running. Next, let’s add Prometheus as a data source. Click on the settings icon on the left and go to data sources. Click on Add data source and select Prometheus.

Since Grafana and Prometheus are installed on the same server, in the URL column, enter http://localhost:9090 and leave the rest of the settings as default. Hit save & test.

Add Prometheus as data source

Grafana has an option to import pre-built dashboards which we can use with our metrics. Pi-hole exporter has a custom Grafana dashboard which we can utilize to quickly set up a dashboard. The dashboard can be found here. Click the + icon on the left and go to Import. We will use the dashboard ID to import it to our Grafana instance.

Import dashboard

After importing the dashboard, we can now see all our Pi-hole exporter metrics being plotted on our dashboard which we can use for realtime as well as historical monitoring.

In case you encounter the below error related to the piechart panels, hit the arrow next to the panel title and select the Pie chart plugin from the top right corner and save and apply the changes.

We now have a dashboard to monitor all our outbound web traffic going through Pi-hole!

Pi-Hole Dashboard

You can further explore Grafana and learn to build dashboards from scratch by writing your own queries to represent this data as per your requirements.

Enhancements

Setting up a script to start services at boot

By default, Pi-hole is already set up to start automatically on startup.
However, to automatically start our Pi-hole exporter, Prometheus and Grafana services after an unexpected reboot or downtime of our servers, we can add a cron job to be executed on startup.

Create a simple script to run the services in the background —

Grafana & Prometheus

On the Monitoring VM -

startsvcs.sh

cd prometheus
./prometheus > /dev/null 2>&1 &
cd
cd grafana/bin
./grafana-server > /dev/null 2>&1 &

crontab -e

Add below to the file -

@reboot ./startsvcs.sh

Pi-hole exporter

On the Pi-hole VM -

startsvcs.sh

cd pihole-exporter
./pihole_exporter -pihole_password *password* > /dev/null 2>&1 &

crontab -e

Add below to the file -

@reboot ./startsvcs.sh

To quickly check that the services are listening on their ports —

lsof -i | grep LISTEN | grep -e 9090 -e 3000
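
A stricter version of this check, as an added example that is not part of the original article: it reads `ss -ltnH` output and reports, for each expected port, whether the service is down, bound to loopback only, or reachable from the network. The function name and the sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the author's script. Ports 9090 (Prometheus) and
# 3000 (Grafana) are the ones used in this article.
# Live usage on the Monitoring VM:  ss -ltnH | check_ports 9090 3000

check_ports() {
    # $@ = ports to check; stdin = output of `ss -ltnH`
    # prints one line per port: "<port> down|loopback|exposed"
    awk -v want="$*" '
        BEGIN { n = split(want, ports, " ") }
        $1 == "LISTEN" {
            addr = $4
            port = addr; sub(/.*:/, "", port)       # text after the last colon
            host = addr; sub(/:[^:]*$/, "", host)   # text before the last colon
            # loopback sockets cannot be reached from other hosts on the LAN
            lo = (host ~ /^127\./ || host == "[::1]")
            # if a port has several listeners, an exposed one wins
            if (!(port in seen) || !lo) seen[port] = lo ? "loopback" : "exposed"
        }
        END {
            for (i = 1; i <= n; i++) {
                p = ports[i]
                print p, ((p in seen) ? seen[p] : "down")
            }
        }'
}

# Constructed sample of `ss -ltnH` output (not captured from a real host)
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:9090 0.0.0.0:*
LISTEN 0 4096 *:3000 *:*
LISTEN 0 128 [::]:22 [::]:*'

printf '%s\n' "$SAMPLE_SS" | check_ports 9090 3000
```

Grafana has to be reachable from your browser, so `exposed` is expected for 3000. Grafana queries Prometheus at localhost:9090 in this setup, so Prometheus can be started with `--web.listen-address=127.0.0.1:9090` if you do not need its UI from other machines.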

Final Thoughts

As with most security products, there are disadvantages associated with Pi-hole as well. For instance, if an endpoint on your network hardcodes its DNS settings and ignores the config sent by DHCP, DNS resolution won’t happen through Pi-hole and it will be bypassed completely. This is not a problem for most end-user devices for home use, such as the smartphones and laptops we primarily use to browse the internet, as they are under our control and we can always point them to Pi-hole. This limitation can be fixed by using an additional firewall on our network to force all traffic to go through Pi-hole. It is always a good idea to implement layers of security by using different products in combination with each other to address loopholes. You can find an excellent write-up here that talks about these limitations and how to fix them by using a firewall along with Pi-hole on your network.
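
One way to spot devices that bypass Pi-hole, as an added example that is not part of the original article: it scans gateway firewall logs for DNS traffic sent to any resolver other than Pi-hole. It assumes the gateway logs forwarded packets in the netfilter LOG key=value style; the Pi-hole address 192.168.1.10, the function name and all log lines are constructed.

```shell
#!/bin/sh
# Added example, not the author's script.
# Live usage (log path is an assumption):  dns_bypass 192.168.1.10 < /var/log/kern.log

dns_bypass() {
    # $1 = Pi-hole IP; stdin = firewall log lines
    # prints "<client> <resolver> <packet count>" per offending pair, sorted
    awk -v pihole="$1" '
        {
            src = dst = dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # plain DNS (53) and DNS-over-TLS (853); DNS-over-HTTPS on 443
            # looks like ordinary web traffic and is not visible here
            if (dpt != "53" && dpt != "853") next
            # Pi-hole must reach its upstream; clients using Pi-hole are fine
            if (src == pihole || dst == pihole) next
            hits[src " " dst]++
        }
        END { for (k in hits) print k, hits[k] }' | sort
}

# Constructed sample log (not captured from a real network)
SAMPLE_LOG='Sep 23 10:00:01 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.10 DST=1.1.1.1 PROTO=UDP SPT=40112 DPT=53
Sep 23 10:00:02 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 PROTO=UDP SPT=51820 DPT=53
Sep 23 10:00:07 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 PROTO=UDP SPT=51821 DPT=53
Sep 23 10:00:09 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=44310 DPT=443
Sep 23 10:00:11 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.77 DST=9.9.9.9 PROTO=TCP SPT=39002 DPT=853'

printf '%s\n' "$SAMPLE_LOG" | dns_bypass 192.168.1.10
```

Any client listed in the output has its resolver hardcoded and is a candidate for the firewall rule described above.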

Documentation

Pi-hole
Grafana
Prometheus

I have left room to explore each tool in depth and have only gone over the basic configurations to get everything up and running. The best way to learn and further enhance your setup is by getting your hands dirty!

I hope this was interesting and easy to understand! Please feel free to reach out to me in case of any questions or to provide any feedback.
