You probably know already the concept of the Pi-hole. If not: It’s a (forwarding) DNS server that you can install on your private network at home. All your clients, incl. every single smartphone, tablet, laptop, and IoT devices such as smart TVs or light bulb bridges, can use this Pi-hole service as their DNS server. Now here’s the point: it not only caches DNS entries, but blocks certain queries for hostnames that are used for ads, tracking, or even malware. That is: You don’t have to use an ad- or track-blocker on your devices (which is not feasible on smart TVs or smartphone apps, etc.), but you’re blocking this kind of sites entirely. Nice approach!
Yes, there are already some setup tutorials for the Pi-hole out there. However, it’s not only about installing the mere Pi-hole, but setting it up with your own recursive DNS server (since the default installation forwards to public DNS servers), using DNSSEC, and adding some more adlists. That’s why I am listing my installation procedure here as well. However, it’s not a complete beginners guide. You’ll need some basic Linux know-how.
Continue reading Pi-hole Installation Guide
This is a guest blogpost by Martin Langer, Ph.D. student for “Secured Time Synchronization Using Packet-Based Time Protocols” at Ostfalia University of Applied Sciences, Germany.
In the previous posts, I already introduced the Network Time Security (NTS) protocol and described the most important features. Although the specification process has not been completed, there are already some independent NTS implementations and public time servers (IETF106). NTPsec is one of the important representatives of this series and already offers an advanced NTS solution. In this post, I’ll give you a short guide to setting up an NTS-secured NTP client/server with NTPsec.
Continue reading Setting up NTS-Secured NTP with NTPsec
This is a guest blogpost by Jasper Bongertz. His own blog is at blog.packet-foo.com.
Running your own NTP server(s) is usually a good idea. Even better if you know that they’re working correctly and serve their answers efficiently and without a significant delay, even under load. This is how you can use Wireshark to analyze the NTP delta time for NTP servers:
Continue reading NTP Server’s Delta Time
My lab rack of 2019 consists of multiple Cisco routers and switches, as well as Juniper ScreenOS firewalls for routing purposes, a Palo Alto Networks firewall, a Juniper SRX firewall, a server for virtualization and some Raspberry Pis. That is: This rack can be used for basic Cisco courses such as CCNA or CCNP, or for even bigger BGP/OSPF or IPsec VPN scenarios since those ScreenOS firewalls are perfect routers as well. Of course, everything is IPv6 capable. Having some PoE-powered Raspberry Pis you can simulate basic client-server connections. A Juniper SA-2500 (aka Pulse Connect Secure) for remote accessing the Lab rounds things up.
I am just writing down a few thoughts on why I have “designed” the rack in that way. It’s basically a reminder for myself. ;)
Continue reading My IPv6/Routing/Cisco Lab Rack (2019)
As always when you’re running your own services you should update them regularly to have all known bugs fixed and security issues thwarted. Same for NTP servers based on Linux, as in my case running on Raspberry Pis. Especially when you’re actively joining the NTP pool project with your NTP servers you have to update them to the latest version of ntp since you might be misused for well-known DDoS attacks or other security-related bugs.
So, what’s this all about? You can simply do an “apt upgrade”, don’t you? Well, unluckily the ntp packages within the Linux distributions are not always updated to the latest versions. Hence you need to compile the ntp software by yourself to have the latest release running. Still not that hard, though it requires a bit more attention.
Continue reading Updating NTP Servers
This post shows how to use a GPS receiver with a Raspberry Pi to build a stratum 1 NTP server. I am showing how to solder and use the GPS module (especially with its PPS pin) and listing all Linux commands to set up and check the receiver and its NTP part, which is IPv6-only in my case. Some more hints to increase the performance of the server round things off. In summary, this is a nice “do it yourself” project with a working stratum 1 NTP server at really low costs. Great. However, keep in mind that you should not rely on such projects in enterprise environments that are more focused on reliability and availability (which is not the case on self soldered modules and many config file edits).
Continue reading NTP Server via GPS on a Raspberry Pi
In this tutorial, I will show how to set up a Raspberry Pi with a DCF77 receiver as an NTP server. Since the external radio clock via DCF77 is a stratum 0 source, the NTP server itself is stratum 1. I am showing how to connect the DCF77 module and I am listing all relevant commands as a step by step guide to install the NTP things. With this tutorial, you will be able to operate your own stratum 1 NTP server. Nice DIY project. ;) However, keep in mind that you should only use it on a private playground and not on an enterprise network that should consist of high reliable NTP servers rather than DIY Raspberry Pis. Anyway, let’s go:
Continue reading NTP Server via DCF77 on a Raspberry Pi
… since we all can use
pool.ntp.org ? Easy answer: Many modern (security) techniques rely on accurate time. Certificate validation, two-factor authentication, backup auto-deletion, logs generation, and many more. Meanwhile, we use an unauthenticated protocol (via stateless UDP) from unauthenticated sources (NTP pool) to rely on! Really?
TL;DR: If you want to operate a secure environment you should use your own on-site stratum 1 NTP servers along with authentication. This is the only way to eliminate time spoofing attacks from the outside. Don’t reduce your overall security to a stateless and unauthenticated (read: easy-to-spoof) network protocol!
If you are using a couple of different NTP sources it might be not that easy for an attacker to spoof your time – though not unfeasible at all. And think about small routers with VPN endpoints and DNSSEC resolving enabled, or IoT devices such as cameras or door openers – they don’t even have a real-time clock with battery inside. They fully rely on NTP.
This is what this blogpost series is all about. Let’s dig into it. ;)
Continue reading Why should I run own NTP Servers?
In my previous blogpost I talked about the true random number generator (TRNG) within the Raspberry Pi. Now I am using it for a small online pre-shared key (PSK) generator at https://random.weberlab.de (IPv6-only) that you can use e.g. for site-to-site VPNs. Here are some details how I am reading the binary random data and how I built this small website.
Continue reading True Random PSK Generator on a Raspi
Unpredictable random numbers are mandatory for cryptographic operations in many cases (ref). There are cryptographically secure pseudorandom number generators (CSPRNG) but the usage of a hardware random number generator (TRNG) is something I am especially interested in since many years. While there are many proprietary TRNGs (list) with different prices, I had a look at two cheap solutions: the Raspberry Pi’s hardware random number generator as well as an application that uses a DVB-T/RTL/SDR stick for gathering some noise.
I have tested both of them with various options and ran them against the dieharder test suite. In this post I am listing the CLI commands to get the random data from those source and I am listing the results of the tests.
Continue reading Playing with Randomness
If you’re running your own DNS resolver you’re probably interested in some benchmark tests against it, such as: how fast does my own server (read: Raspberry Pi) answer to common DNS queries compared to 22.214.171.124.
In this blogpost I am showing how to use two tools for testing/benchmarking DNS resolvers: namebench & dnseval. I am listing the defaults, giving some hints about them and showing examples in which I tested some private and public DNS resolvers: a Fritzbox router, a Raspberry Pi with Unbound, Quad9, OpenDNS, and Google Public DNS.
Continue reading Benchmarking DNS: namebench & dnseval
Genau das Richtige für mich: Viele Statistiken bzgl. des ADS-B Empfangs. Konkret laufen diese dump1090-tools lokal auf dem Raspberry Pi und werten das Log von dump1090-mutability aus. (Siehe meinem letzten Post zur Installation von dump1090.) Vorallem die Statistiken über die Anzahl der empfangenen Flugzeuge sowie den Empfangsbereich sind einfach zu verstehen und sehr interessant.
Die Installation dieser Tools ist ebenfalls sehr einfach – nur wenige Befehle. (Auch wenn ein alter Raspberry Pi 1 B dann über 30 Minuten zum Ausführen braucht.) Ziemlich out-of-the-box werden dann im 5 Minuten Takt neue RRDtool Grafiken erzeugt. Los geht’s:
Continue reading Dump1090 ADS-B Stats
Bereits seit einigen Jahren setze ich einen DVB-T Stick zum Empfang von ADS-B Daten an einem Raspberry Pi ein. Damals habe ich erklärt, wie man die Linux Software dump1090 dafür verwendet. Der seit dem von mir verwendete Fork auf GitHub von MalcolmRobb wird allerdings seit Jahren nicht mehr weiterentwickelt. Nach einiger Recherche bin ich auf den Fork dump1090-mutability gestoßen, welcher sich von MalcolmRobbs ableitet. “It adds new functionality and is designed to be built as a Debian/Raspbian package.”
Tatsächlich lässt sich dieses Tool sehr einfach installieren, was ich nachfolgend gerne erläutern möchte. Die erweiterten Funktionlitäten sind z.B: die Logging-Möglichkeiten, mit denen sich Statistiken erzeugen lassen. Hierüber wird es einen extra Blogpost geben.
Continue reading ADS-B am Raspberry Pi: dump1090-mutability
To overcome the chicken-or-egg problem for DNSSEC (“I don’t need a DNSSEC validating resolver if there are no signed zones”), let’s install the DNS server Unbound on a Raspberry Pi for home usage. Up then, domain names are DNSSEC validated. I am listing the commands to install Unbound on a Raspberry Pi as well as some further commands to test and troubleshoot it. Finally I am showing a few Wireshark screenshots from a sample iterative DNS capture. Here we go:
Continue reading DNSSEC Validation with Unbound on a Raspberry
Sometimes you want to reinstall your Raspberry Pi without switching the SD-card or via remote since it is located on another physical location. Here is a solution to reinstall the operating system remotely.
Continue reading Reinstall your Raspberry over the Network