Category Archives: Security

Building a Privacy Box (with a Raspberry Pi)

Privacy for you Internet access plus a monitor for your devices, a Wi-Fi/LAN intruder detector and a VPN Server for remote access with a Raspberry Pi + Bonus Track: a Password Manager

Building a Privacy Box with a Raspberry Pi © 2022 by Daniel Alomar is licensed under CC BY-NC-SA 4.0. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/

You can dowload a PDF of this article here: BuildingPrivacyBox

Changelog

  • 20230103 – Added Netdata as a monitoring solution recommended instead RPi-monitor

Index

  1. Introduction
  2. Objective
  3. Requirements
  4. Setup of the Privacy Box
  5. Installing WireGuard (light, secure and fast VPN)
  6. Installing Pi.Alert, a Wi-Fi/LAN intruder detector (optional)
  7. Installing a monitoring tool (optional)
  8. Securing the Raspberry
  9. Backup and restore
  10. Bonus track. Password manager: Vaultwarden
  11. Bibliography

Introduction

Background

In these uncertainty and strange times we are living – it seems to be – forever, we should take care of our privacy. The saying “if you are not paying for it, then you are the product”1,2 it is absolutely true.

We have not been trained at school in the use of Information and Communications Technologies (ICT). Most of us are not digital natives, and even if we were, the evolution of technology is faster than the speed of adaptation of training. Those of us who are lucky enough to like technology and to be early adapters of it, we have ‘somewhat less difficult’, like an intuition, to manage ICT, but that does not mean we are safe from the dangers of exposing our lives to the Internet, where different companies are on the lookout to collect our data in order to create the most reliable profile they can from us, a detailed description of our tastes, our preferences, our habits… they know us much better than we know ourselves, and that is not a cliché, it is a reality.

This data is collected by companies called Data Brokers3 through multiple techniques. The data is used to create profile of us to different purposes, like marketing and advertising, risk-mitigation, people-search services4,5, etc…. Regarding marketing and advertising, while this could sound nice for someone who wants to have personalizing advertisements, we have to know some side effect, such as the price not being the same for everyone, and other worse effects. Since companies have a wide information from us, better than us, they will know also our risks and the potential collateral effects from our habits. All this information let us calculate, with a high accuracy, prices for the services or products we want to acquired or advertisements we see. For example, the price for a health insurance will not the same if the company knows, through the information from us acquired from the Data Brokers. The same apply to the advertisements we see in our devices. Here you have an example from Signal: https://signal.org/blog/the-instagram-ads-you-will-never-see/

It is common to hear someone say: “I do not care about privacy concerns. I do not have nothing to hide”… The quick answer you could provide, with a smile on your face: “If you do not have nothing to hide, then you can give me your email password…”. For sure he/she will not, so EVERYONE have some information to protect.

What is a Privacy Box

What I call Privacy Box is a device that will provide privacy to your Internet access. Various tools are installed and configured within this device. It will block advertisements, through the pi-hole application, to all your network and for all kind of devices without to have to install software on each one. With unbound we are going to have a validating, recursive, and caching DNS resolver locally. This means that our Internet Service Providers (ISP) will not see what we are searching for, the Domain Name Resolution will be locale, and even faster, within our Raspberry Pi. Along with the previous tools we will also add WireGuard, a VPN Server that will alow us a remote and secure connection to our network and continue provide privacy when we are outside our local network.

All this functionalities are going to be installed inside a Raspberry Pi device in order to have it running 24×7 at low cost.

The main characteristics of the privacy box are:

  • Blocking unwanted contend to all devices connected, without installing any client-side software (Pi-hole)
  • Network-wide protection (Pi-hole)
  • Improve network performance (Pi-hole)
  • Secure open-source recursive DNS server for local resolution (unbound)
  • Network intrude detector (Pi.Alert)
  • Device monitoring (RPI-Monitor)
  • Secure and remote access through a VPN (WireGuard)

As a bonus track I have added a tutorial to setup a raspberry pi to host a password manager and how to access it from Internet. I have choose Vaultwarden, based on the well know solution Bitwarden. Due to technical reasons, it is easier to run this server on another raspberry pi. You can try to setup on the same device where you have Pi-hole, but I will not recommend you.

If you do not have enough technological knowledge to follow this guide and build this Privacy Box for yourself, ask a friend with more knowledge in technology (maybe a geek) to help you to setup it. Those of us who are techies love to help others. My will has been to create a very simple tutorial, with step-by-step instructions, explaining the reason for each step so that we can understand what we are doing.

Before starting, I will like to thanks Mr.Smashy (@THESMASHY) who wrote a guide6, origin and source of inspiration of this one.

Note 1: Commands are identified using a different text style framed within a grey box like this:

$ls -l

The command will start with a $ or # symbol. That means the command is executed without administrator privileges ($ symbol) or with administrator privileges (# symbol). To elevate privileges (from $ to #) we must run ‘sudo -s’ command or start the command with sudo. In both cases you will need the administrator password. Examples:

$sudo -s
#

Running ls command with elevated privileges

$sudo ls -l

Objective

As I mention in the previous section, I am going to show also how to set up a password manager. This tool it will installed on another Raspberry Pi device.

Requirements

This is the list of requirements:

  • Raspberry Pi 3 Model B (or higher)
  • Computer to write the image and connect to the Raspberry to configure it
  • SD Card or USB memory stick (capacity: 16 GB or higher)
  • Internet connection
  • Basic knowledge of computers or have a geek friend on hand
  • Power supply
  • Curiosity
  • Time

Note 1: Regarding the computer, I have used my laptop with GNU/Linux (Manjaro flavour) to write the image and connect to the Raspberry, so the commands you will see belongs to the GNU/Linux operating system. The remaining instructions are independent of the operating system you use. If you are a Windows or Mac user, you will find several alternatives easily on Internet to write the image to the SD Card or USB stick and connect to the Raspberry.

Note 2: Whether to choose SD Card or USB memory stick? People says the lifetime of a SD Card is shorter than the USB memory stick, so many people boot from SD Card and use the USB memory stick (or even a SSD hard drive) to run the operating system. From Raspberry Pi 3 and up the operating system can be booted and run directly from the USB. In this manual I have added some tools to decrease the write cycles to the disk using the RAM memory. Which one to choose? There is not a right answer.. well, yes.. MAKE REGULAR BACKUPS to ensure you have a plan B for any incident related the device.

Setup of the Privacy Box

This section will explain how to setup Pi-hole and unbound plus another optional and recommended tools.

Why I choose Debian instead Raspbian or RaspberryPi OS

There are several reasons why I choose a Debian image instead Raspbian or RaspberryPi OS. The main reason is freedom. Debian is a full GNU/Linux flavour, with no commercial nor propietary software.

A second reason is the incident related with the internal repository files modification without notification Raspbian did in February 20217,8,9. A Microsoft repositoy pointing to a Microsoft server was added secreatly without any notification. The reason was to provide Visual Studio Code for some scenarios. This modification wihout consent crossed the boundaries of (my) trust and make me decide to move to a full open source distribution like Debian. If they changed this without notification, what could they do next time?

Identifying the device

First we have to check which raspberry model we have. If using visual inspection we are not sure, we can do a «logical inspection», asking the device throught a command.

Run the command below will be the first option. The output will be the Raspberry Pi Model

$cat /proc/device-tree/model


In case we have installed Raspbian as operating system, we can run the following command to check the model. It will returns us information from our device:

$rev=$(awk '/^Revision/ { print $3 }' /proc/cpuinfo) && curl -L perturb.org/rpi?rev=$rev

Download and flash an image

Debian image for raspberry pi can be downloader from: https://raspi.debian.net/. For a production environment I would recommend to use a Tested image

Choose the (xz-compressed) image according the hardware you have

Locate where the file was donwloaded and open a console session into that folder. Decompress the image downloaded using the following unxz command:

$unxz 20210823_raspi_3_bullseye.img.xz

You will get a img file. In my case 20210823_raspi_3_bullseye.img

Plug a SD card or USB memory stick into your laptop and flash the image to the device with the following command (sdb is how the SD Card or USB has been identified. Check the partition in your case)

$sudo dd bs=4M if=20210823_raspi_3_bullseye.img of=/dev/sdb conv=fdatasync status=progress

If you have choose to boot and run the operating system from the USB stick, you have to configure the device in order to boot from USB. Setting the boot from USB can be found at Raspberry site10

If you have a RaspberryPi 2 version 1.1 or lower your can only boot from SD but then you switch to the USB.

Configuring remote access with SSH

The secure way to connect to your Raspberry Pi is through a SSH connection. This can be done in two ways:

  1. Using a login and password we set. This will let connect to the device anyone who knows the user and password from anyplace

  2. Using a SSH key, which are more secure. Our public key is stored on the remote machine and a private key is stored on our machine. The two SSH keys are required to make a secure connection

In this guide I will show you how to set the second one.

Enable SSH on Raspberry Pi in headless mode without keys (easy way)

First we have to enable the SSH connection, disabled by default for security reasons.

  1. Turn off the device and remove the card or USB stick

  2. Put the microSD card in the card reader or USB stick into the computer

  3. Create an empty file inside boot partition called SSH

Pre-configuration and enabling ssh remote connection using SSH key

We are going to generate ssh keys on our computer and copy the public key inside sysconf.txt (raspifirm partition)

$ssh-keygen -t rsa


Edit sysconf.txt, uncomment the “root_authorized_key” entry and paste the public key generated in previous step (located at id_rsa.pub file). We can also modify the hostname of the Raspberry (I have chosen Anuk)


Go to the RASPIROOT partition (has this name) and set an static IP address modifying the eth0 file located at the following path: /etc/network/interfaces.d/eth0. Set the IP address you want and the IP of the router gateway (192.168.1.1 in my case). As a DNS we are going to set the cloudflare one (1.1.1.1):

iface eth0 inet static
        address 192.168.1.10
        netmask 255.255.255.0
        gateway 192.168.1.1
        dns-nameservers 1.1.1.1

Create the file /etc/resolv.conf with the content:

nameserver 1.1.1.1

Put the SD Card or USB stick back to the Raspberry Pi and boot it.

Now we can try to connect to the Raspberry using the username root and IP we set.

$ssh root@192.168.1.10

Basic configurations

Setting the host name

Set the hostname at the file /etc/hostname

#nano /etc/hostname

and add a hostname entry to the hosts file (Anuk in my case)

#nano /etc/hosts

In case you are using Raspbian, you can set hostname through raspi-config application

Updating the system

Let’s going to update the system to grab the latest uptades

#apt update && apt-get upgrade -y

Install some additional software stuff we will need

#apt install sudo dnsutils gnupg wget curl git

Adding a non root user

Add a non root user and set a password for it

#adduser daniel


Add user to sudo and video groups

#adduser daniel video
#adduser daniel sudo

Attention: In case we are using a Raspbian OS, the default user is ‘pi’. I will recommend to create another user and remove the default one once you have created the new one with the following command:

$sudo pkill -u pi $sudo deluser -remove-home pi

Lock down the SSH service

Edit the SSH config file. We recommend to use the ssh keys generated previously and disable password access

$nano /etc/ssh/sshd_config

Uncomment the lines of the following image that are in white

and copy-paste the pub key we have generated previously.

$mkdir -p ~/.ssh 
$nano ~/.ssh/authorized_keys

Save changes and exit the editor. Restart SSH:

$sudo service ssh restart

Restart the service We are going to be disconnected in case we were connected through ssh.

$sudo service networking restart

In case you have assigned previously this IP address, you will get this message

Just delete the entry in your know hosts data base:

$nano ~/.ssh/known_hosts

Logout root & login as the new user (daniel in my case)

$ssh daniel@192.168.1.10

Check IP configuration (static IP and DNS configuration)

Seting the time zone

Let’s gone set our time zone. We can check all the timezones listed with the command:

$timedatectl list-timezones

Choose the one that fits you best. In my case I choose Europe/Madrid

$sudo timedatectl set-timezone Europe/Madrid

Once set, I can retrieve the status with the following command:

$timedatectl status

We are going to set the time automatically, using the NTP protocol who help us to change and synchronize periodically the date and time.

$sudo nano /etc/systemd/timesyncd.conf

set NTP to “time.cloudflare.com” and uncomment the FallbackNTP and PollIntervalMaxSec lines

Installing unattended upgrades package (recommended)

To have unattended upgrades, we need to install an additional package

$sudo apt install unattended-upgrades

The configuration of unnattended upgrades is set inside this file:

$sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

You may want to update some settings, I recommend uncomment and change “Unattended-Upgrade::Remove-Unused-Dependencies” to “true”. Exit and save the file.

Basically, we commented out those type of upgrade we want to apply. The second last line allows the system to email us the status. We must install mailutils or mailx first in Raspbian for the email notification to be effective. The last line allow the system to reboot automatically. Please also make sure that update-notifier-common has been installed.

There are more option that we can set such as reboot time and log file in the configuration file. Uncomment any option when necessary.

Create a periodic upgrade file with the following command:

$sudo nano /etc/apt/apt.conf.d/02periodic

And the following content:

// Control parameters for cron jobs by /etc/cron.daily/apt-compat //

// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";

// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";

// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";

// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";

// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "7";

// Send report mail to root
// 0: no report (or null string)
// 1: progress report (actually any string)
// 2: + command outputs (remove -qq, remove 2>/dev/null, add -d)
// 3: + trace on
APT::Periodic::Verbose "2";

Check your unattended upgrades by running this command to debug
your configuration:

$sudo unattended-upgrades -d

Installing Fail2Ban (optional)

Fail2ban is an instrusion prevention software designed to prevent against brute-force attacks. Firtst we need to install the package

$sudo apt install fail2ban -y

Fail2ban will block attackers IP if they fail to login after 5 failures for 10 minutes.

Note: Fail2Ban installed from the repository will only provide security on IPv4 protocol. If you want Fail2Ban to support IPv6, please look at this guide.

The configuration of fail2ban is set in the following file:

/etc/fail2ban/jail.conf

If you make any config changes, restart the service via:

sudo service fail2ban restart

If you make any config changes, restart the service via:

sudo service fail2ban restart

In order to recover acces

$ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@your.vps.ip

Installing a firewall (optional)

Install the packages

$sudo apt install ufw

Configuring the firewall

Create your access list to the ports you need

$sudo ufw allow 80
$sudo ufw allow 443
$sudo ufw allow 53
$sudo ufw allow 8888
$sudo ufw allow 22

You can even be more restrictive with extended parameters on the rules, like SSH for example. You can only allow access on port 22 from your computer’s IP address:

$sudo ufw allow from 192.168.1.120 port 22

Enabling the firewall

$sudo ufw enable

To show rules once the firewall is enabled, run the following command:

sudo ufw status verbose

Installing log2ram to expand SSD life (recommended)

SSD Disks, SD Cards and USB sticks have a SSD inside, have a life span determined by the write cycles mainly (times we write something to the disk). To reduce the times we write to the SSD memory, we can derive the writing of the system logs to RAM memory using log2ram. To do that we have to install the log2ram application.

First we need to force a log reduction before to start to use log2ram

$sudo journalctl --vacuum-size=16M

Let’s gonna add the repository where we are going to install the application and his key. Please check the Debian flavour you are using (bullseye in my case)

$sudo echo "deb http://packages.azlux.fr/debian/ bullseye main" | sudo tee /etc/apt/sources.list.d/azlux.list $sudo wget -qO - https://azlux.fr/repo.gpg.key | sudo apt-key add -

Let’s gonna update the system database and install the application.

$sudo apt-get update
$sudo apt install log2ram -y

Once installed we need a reboot

$sudo reboot

Configuring log2ram

We need to configure log2ram to increase the size

$sudo nano /etc/log2ram.conf

Increase the SIZE parameter to 128MB, disable the mail notification and increase the LOG_DISK_SIZE to 200M. Exit and save.


Restart log2ram

$sudo service log2ram restart

And check that log2ram is running.

$df -h

Installing a DDNS service (in case you do not have a static IP address)

To access to your network from outside through a VPN (WireGuard) you will need to know the public IP address of your local network (or a domain name associated). Usually this IP address is dynamic and can change. Static IP addresses are limited in number and are more expensive. One solution is to use a DDNS service. This service provide a free domain that will point to a public IP address. A script will update periodically my public IP to this service, so in case my IP changes, the domain will point to the new IP.

If you have a static public IP address, you can skip this step. I will use duckdns. They have detailed instructions and provide scripts to install to several devices, including raspberry pi.

In our case we are going to create the cron with the sudo command and execute the script at 5 minutes past every hour. I think it is enough update every hour and not every 5 minutes. My script has xiuxiueig.sh as its name since I will be adding more scripts.

$sudo crontab -e

This is how the crontab looks


With crontab guru you can play with different combinations: https://crontab.guru/

Installing and configuring Pi-hole

Now that system is configured and secured, we can install Pi-hole. The install process is very simple, we just to execute the following command and the script downloaded it will start to install the application:

$sudo curl -sSL https://install.pi-hole.net | bash

After some checks, you’ll be greeted with the install screen:

Remember to give a donation to the project if you find useful (I did it)


I recommend to select all the third-party list listed. We can add additional sources later.

Choose the protocols you have in your network

Ensure you have a IP reservation for your raspberry


I will recommend to install the web interface

Let the log enable


When the installation is complete you will get a final screen with some important info. Save this information to access to the Pi-hole server:

Save the admin webpage password in your password manager for now, it should be changed later.

This same info is displayed once you return to the shell, note the command to change the web admin password (pihole -a -p)

Tweaking Pi-hole

To change the privacy setting from Pi-hole application, we have to edit the following file:

$sudo nano /etc/pihole/pihole-FTL.conf 

Set the privacy level and the days to store the queries in the database.

#Which privacy level is used?. More info: https://docs.pi-hole.net/ftldns/privacylevels/
PRIVACYLEVEL=0 
#How long should queries be stored in the database? Setting this to 0 disables the database. Default 365
MAXDBDAYS=30

Installing Unbound

Enhancing Pi-hole Security (optional if we are not fine with Cloudfare DNS)

So now we have a working Pi-hole, but it has minimal blocking and just forwards lookup to Google DNS. We can change our upstream DNS provider, but that is just changing who we trust with our DNS. What if we don’t trust anyone? We can install Unbound and resolve DNS ourselves using root servers to recursively resolve DNS names. A more in depth explanation of how this works can be found here: https://docs.pi-hole.net/guides/dns/unbound/ but essentially Unbound will look up a DNS query by asking TLD servers for DNS in a recursive manner. The benefit is more security; you do not have to trust an upstream provider with your DNS traffic. The drawback is performance for initial lookup, as they need to traverse and this takes time. Pi-hole and Unbound can both be configured with caching, which will help mitigate this for subsequent lookup.

$sudo apt install unbound -y $wget https://www.internic.net/domain/named.root -qO- | sudo tee /var/lib/unbound/root.hints

Creating a configuration for Pi-hole

$sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf

Paste into the file this configuration. This is different than the one in Pi-hole’s documentation. It includes caching configuration that will improve performance.

server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0
    
interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

# May be set to yes if you have IPv6 connectivity
    do-ip6: no
    
# You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no
    
# Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    root-hints: "/var/lib/unbound/root.hints"
    
# Trust glue only if it is within the server's authority
    harden-glue: yes
    
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes
    
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no
    
# Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472
    
# Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    # This refreshes expiring cache entries if they have been accessed with
    # less than 10% of their TTL remaining
    prefetch: yes

    # This attempts to reduce latency by serving the outdated record before
    # updating it instead of the other way around. Alternative is to increase
    # cache-min-ttl to e.g. 3600.
    cache-min-ttl: 0
    serve-expired: yes
    # I had best success leaving this next entry unset.
    # serve-expired-ttl: 3600 # 0 or not set means unlimited (I think)

    # Use about 2x more for rrset cache, total memory use is about 2-2.5x
    # total cache size. Current setting is way overkill for a small network.
    # Judging from my used cache size you can get away with 8/16 and still
    # have lots of room, but I've got the ram and I'm not using it on anything else.
    # Default is 4m/4m
    msg-cache-size: 128m
    rrset-cache-size: 256m

# One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1
    
# Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m
    
# Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

# To get unbound stats (sudo unbound-control stats_noreset)
remote-control:
    control-enable: yes

Let’s gonna check the unbound configuration

$sudo unbound-checkconf


Last step: restart the service

$sudo service unbound restart

Testing Unbound

Now we are going to test unbound, measuring the time it spend to reach a domain, coneixement.info in this example.

As you can see in the second test, the time decrease, since unbound has a cache.


Keeping unbound updated

Let’s setup some cron jobs to keep unbound updated

$sudo crontab -e

Add a new line at the end and paste the following:

01 02 03 */4 * wget -N -O -q /var/lib/unbound/root.hints https://www.internic.net/domain/named.root

Exit and save.

With the -O option we have to tell it the path to store the file. Also the -N will only update it if the remote file is newer than the file you have. The -q option will keep it quiet so it doesn’t dump a bunch of output in your logs needlessly.

The update will be done at 02:01 on day-of-month 3 every 4 months. I think it is not necessary to update more often.

Keeping updated Pi-hole (optional)

Let’s setup some cron jobs to keep Pi-hole updated. In case we want to keep Pi-hole updated, we have to run periodically the ‘pihole -up’ command.

$sudo crontab -e

Paste the following to update every sunday at 2:30 AM

#30 2 * * SUN  pihole -up

Warning: The PiHole team does not recommend updating Pi-hole via cron jobs. Be aware that with the previous configuration your server will update Pi-hole every Sunday via cron, and stay up-to-date on patch notes. If there is a major change, and you don’t want to update, runsudo crontabe -e’ again and comment out the line to update Pi-hole (place a # before the line).

Configuring Pi-hole to use unbound

Login to your Pi-hole admin page at http://pi.hole/admin and use the password you saved from the install. Navigate to Settings, and click on the DNS tab. Uncheck the DNS Servers checked and check custom 1 and enter 127.0.0.1#5335. Click Save button at the bottom of the page.

As things get queried initial performance will be slow but quickly improve because of the caching nature of Pi-hole and the cache that has been configured for Unbound. Here is an example:

If we login into the web interface, we will see some statistics.

And here how the statistics of queries blocked increase over time

Improving our Blocklists (Blacklist, Adlist and Whitelist)

I strongly recommend to understand which kind of block do you want (advertising, telemetry, parental control, NSFW, malware domain, etc..) and add list from each category. Pi-hole comes out-the-box with an optional blocklist (in case we have selected them during the installation process). This list is maintained and updated regularly. In case we want to add additional blocklist, we can check several sources. Firebog is the main reference (The Big Blocklist Collection) of blocklist where we can find several lists separated into categories:

  • Suspicious
  • Advertising
  • Tracking & Telemetry
  • Malicious
  • Other

We can start adding from one to three list from each category you are interested to block, but before starting to add sources, read the points regarding each list from Firebog page. To add a new list, once logged into the Pi-hole web interface, you should to the Adlists option and paste the url list.


If the list has been successfully added, a message like this will appear:In case we have added previously this list, this will be ignored and a warning message like this will appear:Once we have added all the lists, we have to update the internal database to have applied the new blocklists. This can be done running ‘pihole -g’ at the command line or through the web interface, clicking the update button we can find under ‘Update Gravity’.

This will take a while . Be patient. As appear on the screen, do not navigate away from or close the page

Wait until a success message appears

Remember “The more is not always the better”. If you add too much lists, you will get false positives, which implies you will get troubles while you are surfing Internet, being some services inaccessible, unreachable or not fully functional

Some domains should be added to the Whitelist to avoid malfunctions or troubles while browsing.

You can also add domains to the Blacklist or Whitelist (Domains menu). Here you have an example of domains enabled:

For example, if you have problems with gmail icons (does not appear), you should add the domain gstaticadssl.l.google.com to the whitelist.

Removing existing blocklist

To remove the existing blocklist, we have to run this command:

$sudo sqlite3 /etc/pihole/gravity.db "DELETE FROM adlist"

Backup Pi-hole configuration

After all the tuning done, I will recommend to make a backup. This can be done through the web interface, creating a file (steps 1 to 3) that can be imported (4) in the same client or another pi-hole, saving configuration time:

Additional functionalities

Here’s a list of additional functionalities, among others, that Pi-hole can do:

  • Transforming Pi-hole to our DHCP service provider
  • Managing clients and groups
  • Disable blocking
  • Query log to review black and white list, allowing to add or remove from black or whitelist

Installing WireGuard (light, secure and fast VPN)

A light, secure and fast VPN Server to allow remote and secure access.

Introduction

WireGuard is a communication protocol and free and open-source software that implements encrypted virtual private networks (VPNs), and was designed with the goals of ease of use, high speed performance, and low attack surface. It aims for better performance and more power than others VPN Servers like IPsec and OpenVPN. (From the Wikipedia :-))

To install the most recent version of WireGuard, we’ll need packages from the Debian unstable release. Add the Debian unstable release, and pin the Debian unstable priority behind Raspbian stable. This allows us to install packages that are not available in Debian stable, while keeping the “stable” versions of everything else.

Configuring repositories

By default, Raspbian doesn’t trust the Debian package repository. We need to add Debian’s public keys to the trusted set of keys.

$sudo apt-key adv --keyserver http://p80.pool.sks-keyservers.net:80 --recv-keys 04EE7237B7D453EC 648ACFD622F3D138

And

$sudo sh -c "echo 'deb http://deb.debian.org/debian/ unstable main' >> /etc/apt/sources.list.d/unstable.list"

And prevent RPi from using the Debian distro for normal Raspbian packages to avoid conflicts.

$sudo sh -c "printf 'Package: *\nPin: release a=unstable\nPin-Priority: 90\n' >> /etc/apt/preferences.d/limit-unstable"

And

$wget -O - https://ftp-master.debian.org/keys/archive-key-$(lsb_release -sr).asc | sudo apt-key add -

Installing applications

We need some additional stuff along WireGuard, so let’s gonna update the system database

$sudo apt-get update

And install all the packages needed.

$sudo apt-get install wireguard wireguard-dkms wireguard-tools linux-headers-$(uname r) qrencode linux-hearders

Note: In case you are using a raspbian OS, you will need the kernel headers:

$sudo apt-get install raspberrypi-kernel-headers

Set Up and Configuring the WireGuard VPN Server

We are going to configure 2 access, from a phone and from a laptop.

Generating security keys

To ensure that not just anyone gets access to our network and ensure a secure connection, we’ll first need to generate a set of public/private key pairs with the following commands (execute them one line at a time in your RPi):

$sudo su -
#cd /etc/wireguard
#umask 077
#wg genkey | tee server_private_key | wg pubkey > server_public_key
#wg genkey | tee phone_private_key | wg pubkey > phone_public_key
#wg genkey | tee laptop_private_key | wg pubkey > laptop_public_key
#wg genpsk < phone_private_key > phone_preshared_key
#wg genpsk < laptop_private_key > laptop_preshared_key

This is the list of files created:

This is the content of each file (in this particular case, you will get another result)

server_public o7Omx+P/xRTtIAYw04msRW2IU3llreJ/EZ2ZLVeTEA8=
server_private yL3BldjULCz/zqitAReoPLTfDTCM8khZbOV1+g0ZtHg=
phone_public M0bXWPhF/qbDJeKP52gAM+igeR6csNnKf4pWZexYynM=
phone_private 4LGoHHvFUacRvXC19LvMldEKZWsLpY3SupcLg5Dx/V8=
phone_preshared RP37rPp6ARczPuL0j8NDMB41vEOLqHvtSjmVAlPYzoI=
laptop_public PQ1k3QVZoV1OOCKHBG8PGH5XIsakI+44W4aKYp/IKic=
laptop_private IMT6LFk00+iJbRrY0/yWTUnfh/rOb1AHrXtoh/yfV1A=
laptop_preshared CeBp3tPfoDBRX+5qpvugNVajs217nFeeJg3OjJAyomg=

Generating server configuration

We need to create the server configuration:

#nano /etc/wireguard/server.conf

With this content

[Interface]
PrivateKey = 
#SaveConfig = false
ListenPort = 51900
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
### begin phone configuration ###
[Peer]
PublicKey = 
#PresharedKey = 
#AllowedIPs = 10.6.0.2/32
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
### end phone ###
### begin laptop configuration ###
[Peer]
PublicKey = 
#PresharedKey = 
AllowedIPs = 10.6.0.3/32
PersistentKeepalive = 25
### end laptop ###

In case you need to edit the server configuration later, you will have to stop the interface with this command:

#systemctl stop wg-quick@wg0.service

Gotchas

  1. Be sure to replace the key values in the configuration for PrivateKey and PublicKey.

  2. Note that the above configuration assumes you are using a wired ethernet connection on your RPi WireGuard server. If you instead wish to use wifi (wlan0), change the above config to use -o wlan0 in PostUp and PostDown. See this forum post for additional information.

Enabling IP Forwarding on the Server

Edit sysctl.conf on the Raspberry Pi with:

#nano /etc/sysctl.conf

Uncomment the line with “net.ipv4.ip_forward=1″ and save changes.

And enable the interface

#systemctl enable wg-quick@wg0

Securing access to sensitive files

Ensure sensitive files are protected (root rw olny)

#chown -R root:root /etc/wireguard/

And

#chmod -R og-rwx /etc/wireguard/*

Reboot the raspberry

$sudo reboot

Access to your raspberry and check the WireGuard interface is correctly created with the command ‘ip addr’

You need to access to your router to forwards 51900 to the internal IP address and port 51900 of the Raspberry protocol UDP. This is an example of configuration:

Set Up the WireGuard Client for each client

Create a file for each client with the content

Phone access

Creating the file for the phone client

$sudo nano /etc/wireguard/phone.conf

With this content

[Interface]
Address = 10.6.0.2/24
PrivateKey = 
DNS = 10.6.0.1

[Peer]
PublicKey = 
#PresharedKey = 
Endpoint = :51900
AllowedIPs = 0.0.0.0/0, ::/0

Laptop access

Creating the file for the laptop client

$sudo nano /etc/wireguard/laptop.conf

With this content

[Interface]
Address = 10.6.0.3/24
PrivateKey = 
DNS = 10.6.0.1

[Peer]
PublicKey = 
#PresharedKey = 
Endpoint = :51900
AllowedIPs = 0.0.0.0/0, ::/0

With the qrencode command we generate a qr code to import the configuration easily into the wireguard app.

#qrencode -t ansiutf8 < /etc/wireguard/phone.conf

Set Up the WireGuard Server

To configure WireGuard we have to create the wg0 file:

$sudo nano /etc/network/interfaces.d/wg0

With this information

# indicate that wg0 should be created when the system boots, and on ifup -a 
auto wg0 

# describe wg0 as an IPv4 interface with static address 
iface wg0 inet static 

       # static IP address  
       address 10.6.0.1/24 

       # before ifup, create the device with this ip link command 
       pre-up ip link add wg0 type wireguard 

       # before ifup, set the WireGuard config from earlier 
       pre-up wg setconf wg0 /etc/wireguard/server.conf 

       # Routing 
       pre-up iptables -A FORWARD -i wg0 -j ACCEPT 
       pre-up iptables -A FORWARD -o wg0 -j ACCEPT 
       pre-up iptables -t nat -A  POSTROUTING -o eth0 -j MASQUERADE 

       # route packages when the VPN interface is up 
       #post-up sysctl --write net.ipv4.ip_forward=1 

       # and stop routing when stopping the VPN interface 
       #post-down sysctl --write net.ipv4.ip_forward=0 

       # Routing post-down 
       post-down iptables -D FORWARD -i wg0 -j ACCEPT 
       post-down iptables -D FORWARD -o wg0 -j ACCEPT 
       post-down iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE 

       # after ifdown, destroy the wg0 interface 
       post-down ip link del wg0

Adding unattended upgrades (optional)

If you are using third-party packages (e.g. via PPAs), the system has no idea about security updates for those packages. So you need to take an additional step and get them included manually.

Remember to determine the PPA Origin and Suite

The first goal is to determine the details from the PPA (or other external package type). This can be done by peeking in the /var/lib/apt/lists directory. Use the related files ending with InRelease, to see more details about the specific package.

$less /var/lib/apt/lists/deb.debian.org_debian_dists_unstable_InRelease

The two things we need from this file is the field Origin and Suite. These two strings have to be combined and provided to unattended-upgrade. It then understands that this PPA should be upgraded automatically.

Installing Pi.Alert, a Wi-Fi/LAN intruder detector (optional)

Pi.Alert is a nice and small project that provide a Wi-Fi and LAN intruder detector. Check the devices connected and alert you with unknown devices. It also warns of the disconnection of “always connected” devices. It can be located at https://github.com/pucherot/Pi.Alert

The installation is quite simple. Just run the following script (It will ask for the sudo password)

$curl -sSL https://github.com/pucherot/Pi.Alert/raw/main/install/pialert_install.sh | bash

Here you have the screens you will have with the options I have choose for my system:

Save this information to access to the Pi.Alert server:

And this is how Pi.Alert looks like

Here you will find more information regarding device management:

https://github.com/pucherot/Pi.Alert/blob/main/docs/DEVICE_MANAGEMENT.md

To have Pi.alert updated, we have to add to the cron

$sudo crontab -e

And paste this command at the end of the file

3 1 4 */1 * curl -sSL https://github.com/pucherot/Pi.Alert/raw/main/install/pialert_update.sh | bash

Attention: Since I start to write this guide, it seems Pi.Alert project has not quite activity, and others users has started to create forks that are more updated:

Installing a monitoring tool (optional)

We have several options to monitor our system. We can use light applications or heavier ones with a lot of functionalities but with more resource consumptions.

When I started to write this guide I choose RPi-Monitor. An simple and light monitor with all the basic parameters. The problem I found is that is not longer maintained. The last version is from august 2017, so I decided to find another light solution and I found NetData, an open source tool designed to collect real-time metrics, such as CPU usage, disk activity, bandwidth usage, website visits, etc., and then display them in live, easy-to-interpret charts. It offers the possibility to create a free cloud account to complement the netdata agent to provide:

  • Infrastructure level dashboards (each chart aggregates data from multiple nodes)
  • Central dispatch of alert notifications
  • Custom dashboards editor
  • Intelligence assisted troubleshooting, to help surface the root cause of issues

The offer some paid functionalities but they claim the free account will be free forever.

In case you need a powerful solution to monitor devices with a lot of integrations and functionalities like Machine Learning, you can use Grafana. There is a sandbox where you can play with Dashboards.

Installing RPi-Monitor (deprecated)

Rpi-Monitor let us to monitor basic parameters like temperature, CPU load, disk space, and packages upgradables. To install we need to execute the following commands:

$sudo apt-get install dirmngr
$sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 2C0D3C0F
$sudo wget http://goo.gl/vewCLL -O /etc/apt/sources.list.d/rpimonitor.list
$sudo apt-get update
$sudo apt-get install rpimonitor

Configure RPi-Monitor to show network statistics:

$sudo nano /etc/rpimonitor/template/network.conf

Uncomment the first two sections that start with “dynamic.10” and “dynamic.11”. Comment out the third, fourth and fifth lines in the next section that start with “web.status.1” and uncomment the last one. Uncomment the next section that starts with “web.statistics.1”. Exit and save.

Restart RPi-Monitor.

$sudo service rpimonitor restart

Update RPi-Monitor package status:

$sudo /etc/init.d/rpimonitor update

Check the RPi-Monitor web page at http://<IPAddress>:8888

You now have a web dashboard of your server’s status, and there is a historical view under Statistics. This can be helpful for monitoring and troubleshooting. Here is a view in Statistics of temperature over 14 days:

Installing Netdata (recommended)

Netdata helps to monitor and troubleshoot several kind of devices and applications they run, like raspberry pi and Pi-hole.

Afet a quick installation and with no additional configuration required, you will be able to see device parameters like CPU load, memory and disk usage, bandwidth… Netdata collects about 1.500 metrics every second.

On Raspberry Pi, the installation is done by one commands script. This script asks you tto install dependencies and compile Netdata from the source:

$wget -O /tmp/netdata-kickstart.sh https://my-netdata.io/kickstart.sh && sh /tmp/netdata-kickstart.sh --disable-telemetry

Parameters:

  • Use a stable release: ‘–stable-channel’
  • Do not send anonymous statistics, ‘–disable-telemetry’
  • No automatic updates: ‘–no-updates’

As you can see, the command line use a nightly version (more updated), I do not want to sent anonymous statistics and I want to receive automatic updates.

When we run this script, it will ask for you administrator account and install all the required packages.

Once finished, we have to modify a configuration file in order to enable the temperature sensor monitoring. We have to uncomment the sensors=force line from the charts.d.conf configuration file. The installation path differs if we have Debian or Raspbian

Debian:

$cd /etc/netdata
$sudo ./edit-config charts.d.conf

Raspbian:

$cd /opc/netdata
$sudo cp usr/lib/netdata/conf.d/charts.d.conf etc/netdata/
$cd etc/netdata
$sudo ./edit-config charts.d.conf

Once modified we have to restart the service to enable Raspberry Pi temperature sensor monitoring:

$sudo systemctl restart netdata

Another improvement suggested by Netdata is to increase the allocation to increase historical metrics. As they said on their website, I will recommend to use their database sizing calculator and guide on storing historical metrics to help you determine the right setting for your Raspberry Pi.

Once installed, we can point our browser to our raspberry pi IP with the port 19999 (http://[our raspberry pi IP]:19999)

The first login will show a reminder to create a cloud account to access your data through Internet and provide:

  • Infrastructure level dashboards (each chart aggregates data from multiple nodes)
  • Central dispatch of alert notifications
  • Custom dashboards editor
  • Intelligence assisted troubleshooting, to help surface the root cause of issues

Through the right menu you can browse different metrics Netdata collects, from the device like CPU, memory, Disks, network, temperature (under sensors Section)… to metrics from the applications installed, like Fail2ban, firewall, Pi-hole, WireGuard

In case you create a cloud account, a command with an agent to be installed is provided in order to grab the data and send to the cloud.

I will also strongly recommend the use of their app to monitoring remotely our systems.

Grafana

Grafana has a web where explain step by step how to install an agent for raspberry pi.

Securing the Raspberry

In case we have a raspberry with a Wi-Fi interface and we do not use it, we can disable it

To completely disable the onboard WiFi from the firmware on the Pi3 / Pi4, add in /boot/config.txt

dtoverlay=disable-wifi
dtoverlay=pi3-disable-wifi

Or can add to this two lines

blacklist brcmfmac
blacklist brcmutil

to the module blacklist

$sudo nano /etc/modprobe.d/raspi-blacklist.conf

Backup & restore

Method 1: Copy the SD Card Image

The easiest way is dump the SD Card or USB to an image. Let’s assume the SD is at the sdb partition.

$sudo dd bs=4M if=/dev/sdb of=raspbian_bck.img conv=fdatasync status=progress

Method 2: Zip the Home Directory

(To Be Done)

Method 3: Scheduled Backups

(To Be Done)

Bonus track. Password manager: Vaultwarden

When I started to use password managers, I choose a light an open-source solution, keepass. I have written on my blog an article a few years ago how to set and use passwords in a safety way using this solution. With the time, a new solution has appear with more functionalities and open-source also: Bitwarden.

Instead Bitwarden I choose Vaultwarden, an alternative implementation of the Bitwarden server API written in Rust and compatible with upstream Bitwarden clients, perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.

The basic installation of Vaultwarden can be done following the instructions from here. I decided to use another raspberry pi since the first one has dedicated exclusively to privacy filter and VPN Server and I prefer to not overload with more services running in the same device.

To access to the password manager server a proxy manager is needed (Nginx). We will need a container manager, portainer, since Vaultwarden and Nginx (application and database) are running within containers.

As we did it before, a DDNS service is needed in order to reach the raspberry from Internet. This also will help us to have a secure connection since it is mandatory to access the password manager. It will be foolish to access your passwords with an http connection.

How to update components

Here I detailed the steps to update all the components we have inside this raspberry pi. The update procedure is not always explained in the installation pages, so I decided to describe how to update each component.

Portainer

Updating Portainer can be done in 4 steps from the raspberry pi command line:

  1. stop portainer dock

    $docker stop portainer
  2. Remove the container

    $docker rm portainer
  3. Pull the new version

    $docker pull portainer/portainer-ce:latest
  4. Run the docker

    $sudo docker run -d -p 9000:9000 --name=portainer --restart=always -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest

Containers

Every certain time we should check if a new version has been released and evaluate if we want to update it. The update can be done in two ways, through portainer or by command line.

Updating through portainer

  1. Select Containers, then stop the container that you’d like to update.
  2. Select the container, and you’ll see a button named Recreate. By selecting this button, the container will take the persistent data and recreate the container. Keep in mind that the only data that will stay on the container is data that was mapped to a volume.
  3. Select Pull latest image, then Recreate.
  4. When this process is finished, the container will be recreated with the latest image. Select the container and Start it. The status will change to running.
  5. The container will now exist with the newest released version!

Note 1: It will take some time. Be patient.

Note 2: You can remove old container images in order to save space.

Updating command line

First we pull the latest image

$docker pull vaultwarden/server:latest
 sudo docker run -d --name bitwarden \
    --restart=always \
    -v /bw-data/:/data/ \
    -p 127.0.0.1:8080:80 \
    -p 127.0.0.1:3012:3012 \
    vaultwarden/server:latest

And with this command we launch it removing the previous one

$docker run --rm -it --mount type=volume,source=vaultwarden-rclone-data,target=/config/ ttionya/vaultwarden-backup:latest rclone config

Updating Nginx

The reverse proxy should be updated in this order. First the app

$sudo docker update --restart always nginx_app_1

And later the database

$sudo docker update --restart always nginx_db_1

Bibliography

Base

  1. https://www.forbes.com/sites/marketshare/2012/03/05/if-youre-not-paying-for-it-you-become-the-product/
  2. https://medium.com/change-your-mind/if-you-are-not-paying-for-the-product-you-are-the-product-4dbc15b9a3f2
  3. https://clearcode.cc/blog/what-is-data-broker/
  4. https://www.peekyou.com/
  5. https://www.toptenreviews.com/best-people-search-services
  6. https://thesmashy.medium.com/building-a-pihole-for-privacy-and-performance-f762dbcb66e5
  7. https://www.thetechherald.com/tech-news/raspberry-pi-raspbian-os-gets-a-microsoft-repo-without-any-notification-heres-how-to-remove-concerns-of-telemetry-data-collection/
  8. https://arstechnica.com/gadgets/2021/02/raspberry-pi-os-added-a-microsoft-repo-no-its-not-an-evil-secret/
  9. https://betanews.com/2021/02/08/linux-based-raspberry-pi-os-secret-microsoft-repo/
  10. https://www.raspberrypi.org/documentation/hardware/raspberrypi/bootmodes/msd.md

Pi-hole

Unbound

Fail2ban

Unattended-Upgrades

Pi.Alert

WireGuard

Monitoring tools

Backup

Vaultwarden

Others

Zebra Crossing: an easy-to-use digital safety checklist

Note from mine (Daniel Alomar)

I will recommend to use andOTP (Android) or freeOTP  (iOS) as a OTP app manager instead Google Authenticator  and Authy. Both have telemetry. AndOTP is an opensource OTP app that contains no tracker, furthermore, it has PIN protection..

thinking Who this guide is for

  • You use the internet on a day-to-day basis – for work, social media, financial transactions, etc.
  • You feel you could be doing more to ensure your digital safety and privacy, but you’re not in immediate danger. (If you are, seek out an expert for a one-on-one consult.)
  • You’re comfortable with technology. For example, you’re comfortable going into the settings section of your computer/smartphone.

seedling How to use this guide

  • Recommendations have been sorted in ascending levels of difficulty. Start from level one and work your way up!
  • Everyone should follow the recommendations in levels one and two. They will protect you from the widely-used (yet simple) attacks. Going through them shouldn’t take more than 1-2 hours.
  • Level three is a bit more involved in terms of time and money and may not be 100% necessary. But if you’re worried at all and can afford to, we recommend going through that list too. Depending on the amount of digital housekeeping you have to do, it may take anywhere from an hour to an afternoon.
  • The scenarios listed after are for higher-stakes situations — scan them to see if any of them apply to you. (Because the stakes are higher, they assume that you’ve done everything in levels 1-3.)
  • This guide is a living document – please feel free to submit a pull request or fork your own version of this guide on GitHub.

speaking_head This guide in other languages

clock3 Last updated

  • 20 January 2021

monocle_face Theory & science

dart Threat modeling

  • What kind of danger are you in? E.g. credit card hack, corporate espionage, online harassment/doxxing.
  • What kind of assets are you protecting? E.g. confidential documents, private photos.
  • We’re all in a little bit of danger (otherwise we wouldn’t bother putting a password on our computer or phone) but it’s important to think about what’s at stake before dismissing concerns or becoming paranoid.

link Weakest link

  • Remember the weakest link is all that matters! E.g. if password recovery is linked to email, then hackers only need to get access to your email.

abcd Encryption levels

  1. No encryption: Any third party who intercepts the data can read it as-is.
  2. Regular encryption: Data is encrypted so that third parties cannot read them. But the platform (e.g. Google or Facebook) still has access, and may hand the data over to law enforcement if they are required to do so by the courts.
  3. End-to-end encryption: the data can only be read by the original sender and receiver. This means not even the platform has access. So if the courts call, the service provider can’t hand over the messages because they don’t have them either.

jigsaw Metadata

  • Data about your data – e.g. what number you called, and for how long (but not the contents of the call). With enough metadata, hackers can piece together a pretty good picture of who you are, who you know, where you’re going, etc. Plus legal protections around metadata are generally weaker.

 

sweat_drops Level 1 recommendations

white_check_mark Things to do now

Strengthen passwords

  • Any password less than 10 characters is bad, but it’s also okay-to-string-together-non-sequitur-words.
  • Double check the security questions for your key online services (email, bank, Facebook, etc.) and make sure that they’re not easy to answer by friends or by anyone looking you up on Google.
  • Start using a different password for every service, because password leaks happen all the time. To make this easy, use a password manager (see Wirecutter’s picks here) to store/autofill/generate them. For now, make sure you use a unique password for essential services (email, social media, banking, cloud storage).
  • Use a non-common/obvious unlock code for your phone with at least 9 digits.

Double lock important accounts

Use two-factor authentication (also known as 2FA and two-step verification) to add an extra lock on top of a typed password. Usually this takes the form of a short code that’s sent to your phone via a specialized app or SMS.

  • Download an authenticator app like Authy or Duo Mobile. Apps are far more secure than SMS so use one if it’s available.
  • Turn on 2FA on your:
  • Turn on cloud backup for your authenticator app in case you ever lose your phone. See instructions for Authy and Duo Mobile.

Email

  • If you’re on a webmail service, check that you’re logging into it using an https:// URL. And if there isn’t one, find a new email provider.
  • After turning on two-factor authentication, see if your email service supports backup codes (a single-use code in case you lose your phone). See Gmail instructions.

Encrypt your devices

  • Encrypt your computer hard drive:
  • Encrypt your phone storage:
    • iOS: Automatically encrypt.
    • Android: Recent versions automatically encrypt. Double check by going to Settings → Security → Encryption.
  • Secure your backups too!
  • N.B. Remember encryption is only fully effective when the device is off!

Other

?? Habits to cultivate

Email

  • Be on the lookout for phishing scams: where possible double check the From email address and the domains that outbound links go to.
  • Don’t open unnecessary email attachments. Where possible, open or preview them first in an online document reader. Ask colleagues to use a filesharing service (Dropbox, Google Drive, Tresorit, SpiderOak), which tend to be a little harder to hack into.
  • You can upload a suspicious attachment to VirusTotal for a check-up (but keep in mind files submitted to VirusTotal are available to security researchers so don’t submit sensitive information).

Update all the things

  • When you get a notification to update your operating system (on your mobile or computer), do it as soon as you can.
  • Update your apps (on mobile or computer) similarly.
  • Check occasionally for firmware updates for your router (and other Internet-connected devices).

Other

  • Change important passwords (e.g. email, computer login, password manager master) every year or two.
  • Wipe your devices properly before donating/giving away. If you’ve encrypted all of your phones and computers (as suggested above), a normal factory reset will do the job for almost all use cases. If you want an extra layer of security for your computer hard drives, see Wired’s guide on this topic.
  • Don’t charge your phone at public charging stations/ports – they may steal your data. Consider charging your portable battery instead.

+1 Great job! You’ve covered the basics. +1 Treat yourself to a cup of tea and a stretch.
+1 Now, ready for the next level?

 

sweat_dropssweat_drops Level 2 recommendations

white_check_mark Things to do now

Enhance your privacy

  • Review the privacy settings on social networks you frequent: who can see your content, who can comment on it, and who can see your location.
  • Review the privacy settings on messaging apps you normally use: read receipts, time stamps for “last seen,” and whether your phone number/profile picture are public.
  • Install these protective web browsers add-ons on your computer (and make sure they’re on even during private/incognito mode):
  • Review which apps on your smartphone have access to your location data. Turn off access if the app doesn’t need it, and minimize the number of apps that track your location all the time.
    • iOS: Settings → Privacy → Location Services.
    • Android: Settings → Apps & notifications → App permissions.
  • On your smartphone, delete any third-party keyboards you might have installed ( they often share what you type with the software maker). On both iOS and Android, they are installed as apps so just delete that. If you really need to use a third-party keyboard, make sure that it is an open source project where others have verified that it does not share your data with third parties.
  • If you use smart speakers, turn off its recording function:

Set up your home wifi router

  • Login to the administration and settings dashboard (check your router’s instructions but it’s often at http://192.168.0.1)
  • If the password to login to this dashboard is really simple, then update it.
  • Look through what devices are connected to the network right now (click around until you find the access control) and make sure you know what every device on the list is.
  • If you see these options, turn them off. Look for them under advanced settings or gateway functions:
    • UPnP (universal plug and play)
    • WPS (wi-fi protected setup)
    • Remote management

Other

?? Habits to cultivate

Enhance your privacy

  • Post less personal information online – especially information that can be used to identify/track/scam you (addresses, phone numbers, birthday, etc.). Remember almost everything you say online is logged somewhere and that even if your setup is secure, your recipient’s setup may not be.
  • If you own domains, use WHOIS privacy services and stick with it (they’re worth the money). But note that with WHOIS lookup/history tools, if you’ve ever put in your real address, it’s very difficult to remove from the logs.

Watch what you say in online groups

Don’t say anything you’d regret on in a “private” Slack group, Facebook page, WhatsApp group chat or Telegram channel because:

  • Any one member can leak all of the data.
  • Administrators usually have access to everything within the group, including that private direct message between two people, and sometimes even deleted messages.
  • Even if you’re not using your real name or photo, what you say can often be traced back to your phone number or email (that is linked to the account).
    • To prevent this in Telegram, go into Settings → Privacy and Security → Phone Number, and then set:
      • Who can see my phone number to Nobody.
      • Who can find me by my number to My Contacts.

Other

  • When you download new mobile apps, double check to make sure it’s the right one — there are a lot of fake apps that try to trick people by using a slightly modified name or icon of an existing, popular app.
  • Check what apps you have installed on your phone once in a while, and delete the ones you’re not using anymore.
  • If you ever need to send someone a password, split it in half and send via two different channels (e.g. email + voice call).
  • Put a sticker (or webcam cover) over your laptop’s front-facing camera.
  • Don’t use Google/Twitter/Facebook to sign up/login to other services – each service should have its own account.

tada Congratulations! You’re now reasonably
tada secure, which is more than most 🙂
tada Take the rest of the day off, and
tada come back tomorrow for Level 3.

sweat_dropssweat_dropssweat_drops Level 3 recommendations

white_check_mark To do

Lock up sensitive files

  • Identify files that you don’t want others to access (e.g. private photos, passport documents).
  • Use Cryptomator or Veracrypt to create an encrypted, password-protected vault for them.
  • Set them up on both your computer and your phone.
  • Move your files into these secure vaults. Make sure they’re not still hanging around on an old folder or on your phone.

Upgrade your gear

  • Use a paid VPN service when on public networks (e.g. cafe wifi) and even at home if you don’t want your service provider to know where you’re going. Free VPN services are bad because operators don’t have enough incentive to protect you/your data. See recommendations from Wirecutter and Freedom of the Press.
  • Buy a privacy screen (prevents onlookers from seeing your screen, see this 3M example) for your laptop and phone.

Revisit old passwords

  • Store all of your online service passwords in a password manager. (If you have the right browser add-on/plugin installed, it will capture all the relevant details during a login process.)
  • Using your password manager’s analysis feature, see which accounts/services have weak passwords and update the ones that might have any personal information about you or that you would really hate to lose.

?? Habits to cultivate

  • Start using Signal, an end-to-end encrypted mobile messaging app that’s generally agreed to be safe/secure/robust. (Beyond Signal, there is little consensus on what’s secure and people tend to get very emotional about their choice of mobile messaging apps.)
  • When making voice or video calls, use an end-to-end encrypted app (e.g. Signal, Jitsi, Wire).
  • Buy a harder-to-hack mobile phone moneybag. Typically, this is an iPhone or Android phone that implements a “pure” Google version of Android.

astonished Wow, you completed all three levels!
astonished Well done! Now quickly look below
astonished to see if any apply to you.

sweat_dropsexclamation Scenario-based recommendations

??‍? Hosting a public event on a video calling platform (e.g. Zoom)

  • Set a password to enter the meeting to prevent random people from wandering in via a meeting ID generator. Consider setting up an RSVP system so that you don’t have to give out the meeting link and password publicly.
  • Familiarize yourself with the platform’s settings and minimize the amount of control (e.g. screen sharing) that non-hosts have. (E.g. settings on Zoom)
  • Create a plan of action for what you would do if a malicious troll gains access to your call.
  • Don’t say what you wouldn’t say in a public forum. Encourage your attendees to do the same. Most commercial platforms have access to your audio/video data and are mining your metadata to create consumer profiles.

flight_departure Crossing an international border

  • Turn off your devices because:
    • Storage/hard drives are only encrypted when they’re off, not when they’re just in sleep mode
    • This will also ensure that your mobile devices require a pin when they are turned on, which is protected by freedom of speech laws in some jurisdictions.
  • Store less information on your devices – in case they’re seized, what you don’t have they can’t take.
  • Be mindful of what stickers you put on your devices – a border agent could mistake them for something suspicious.
  • Notify your people about your flight number and arrival time. Check in with one of them at regular points in your journey. Have them contact a lawyer/relevant organization if you do not show up.
  • For extreme situations (some of these practices might raise suspicions and backfire):
    • Set up alternate photo albums, email addresses and social media accounts full of harmless content.
    • “Forget” half of your password: Password lock your device/account so that only a trusted friend has the second half of the password.
    • Log out of all important accounts (or simply leave your devices at home).
  • For more information, see Wired’s Guide to Getting Past Customs With Your Digital Privacy Intact and BoingBoing’s addendum about filing for attorney privileges at the US border.

sob Somebody took my phone/computer!

  • Wipe your phone remotely:
  • Log out of all important accounts from another device.
  • If this happened at an international border: Ask for a seizure receipt (available in some jurisdictions, e.g. Canada)
  • Get a new SIM card.
  • If you get it back, reset your phone/computer back to its factory settings. Then run some anti-virus and anti-spyware programs just in case.

space_invader I think my computer has been hacked!

  • Download an application that will notify you when data is being sent out from your computer. E.g. Little Snitch for Mac.
  • Run Activity Monitor on Mac or Process Explorer on Windows to look at what processes/applications are running. Google any suspicious names.
  • Login to important online accounts to see if there have been any suspicious logins – see this Motherboard guide for details.
  • Setup a spare smartphone using Haven as a room monitor to detect unwanted intrusions.

eggplant Sexting & non-consensual image sharing

✊? Attending a protest

In case of emergency

  • Draft a message to a trusted friend (not at protest) or legal hotline. Be ready to hit send if you are arrested/there is an emergency.
  • Write the phone number of the trusted friend/hotline on your arm with permanent marker as a backup.
  • Bring a spare battery for your phone.
  • If you use your fingerprint or face to unlock your phone, turn it off for now. In some places, officers can compel you to provide your fingerprint but not your passcode.
  • Immediately power off your phone if you think you’ll be arrested (disk encryption works better if it’s off).
  • Consider using a burner phone (instructions for the US) with a burner SIM card.

Store less share less

  • Keep as little sensitive personal information on your phone as possible. Delete any photos, chat logs and notes that can be used against you.
  • Use a messaging app that lets you create disappearing messages (e.g. Signal). Turn on the timer when discussing the protest.
  • Don’t take any photos or videos where people’s faces are clearly visible. Taking a photo of people’s backs is okay. (The one exception is if you’re filming a video of a conflict or arrest where documentation is key.)
  • Wear a face mask so you are not easily caught on camera.
  • When sharing photos/videos:

Minimize location tracking

  • Turn off location history:
    • iOS: Settings → Privacy → Location Services → System Services → Significant Locations.
    • Android: Settings → Google → Google Account → Data & personalization → Location History → Manage setting → Your account & all your devices → Use Location History Off.
    • Google Maps: Settings → Maps history → Web & App Activity.
  • Delete past location history:
    • iOS: Settings → Privacy → Location Services → System Services → Significant Locations → Clear History.
    • Android
    • Google Maps
  • Consider turning off all location services temporarily:
    • iPhone: Settings → Privacy → Location Services → Location Services Off.
    • Android: Security & location → Location → Use location Off.

Other

  • Double check your messaging apps’ privacy settings.
  • Turn off message previews in your notifications:
    • iOS: Settings → Notifications → Show Previews: When Unlocked.
    • Android: Settings → Apps & notifications → Notifications → On lock screen: Hide sensitive content.
  • Remember to make voice calls through end-to-end encrypted apps like Signal.

newspaper I’m a journalist working on a sensitive topic

Below are some basics that all journalists should consider. If you’re working on/in a particularly sensitive story/region (e.g. a whisteblower story), you and your team should get an tailored training session from an expert.

Be prepared

  • To remotely wipe the contents of your devices using a tracking app (e.g. Find My on iOS, Find My Device on Android, Prey, Lookout Security).
  • To be on the receiving end of an email phishing campaign (as journalist emails are usually more public than others).

Protect yourself

  • If you’re traveling, review the Crossing an international border scenario above.
  • If you’re covering a protest, review the Attending a protest scenario above and decide which parts apply to you (if you have special journalist rights/protections where you’re working).
  • Use a VPN if you’re browsing the internet at the office (website administrators can usually see that you’re coming from, say, the New York Times network)

Protect your sources

Protect your data

For more information

??‍♂️ Online harassment & doxxing

Harassment and doxxing can get very specific and complicated based on the attacker, your position, the overall cultural context, etc. While we have some general suggestions below, we implore you to think about whether your situation has escalated sufficiently and whether it’s time to find professional, one-on-one help.

Recruit a trusted friend

  • Do not force yourself into a corner by going at this alone!
    • Baseline: Ask a trusted friend to hold space for your situation and be your sounding board on analyzing how bad the threat is.
    • Preferred: Ask a trusted friend to help you investigate, record, report and block harassers — see Take Back The Tech’s Hey Friend! guide for more details about this. In some cases, it may be healthier to hand over your phone/social media/accounts over to them so that you’re not constantly triggered.
  • Alternately, reach out to online communities you’re an active member of and ask for help. See PEN America’s article on Deploying Your Supportive Cyber Communities.
  • If no one is available right now, Heartmob has a list of supportive organizations, some of which have 24/7 hotlines.

Monitor updates & collect receipts

  • Run keyword searches for your name, nickname, and address to see what’s out there. Also run an image search on your most-used profile pictures.
  • Monitor your name/username using these services: Talkwalker, Google Alerts and/or Mention moneybag.
  • Monitor and archive webpages that mention you using ChangeTower.
  • Start logging (date, time, description, screenshot) incidents in whatever program/app that’s easiest for you.
  • If future legal action is likely, pay Page Vault to capture a snapshot of a website and ask a lawyer to file an evidence preservation request with the relevant online platform.
  • Remember to take care of yourself as much as you can — eat, sleep, exercise. Call in friends to help share a meal, take a break or watch your cats for a few days.

Remove information about you off of the internet

  • Follow the instructions in the section/scenario that follows this one.

Ignore/reply/report/block your harassers

  • Together with your support person/friend and the log of receipts, decide on your course of action (these aren’t mutually exclusive):
    • Ignore: Sometimes harassers will walk away if they don’t get attention.
    • De-escalate: In some contexts, you can defuse the situation with some calm words before it gets worse.
    • Report: Report the harasser to the relevant online platform and/or your local law enforcement.
    • Mute on social media: Allows for peace of mind.
    • Block on social media: Maximizes peace of mind as the harasser won’t be able to see your posts. But they will notice and see it as a sign of escalation.
    • Go public: Can be dangerous, but sometimes shaming them publicly or rallying people to your support will make them go away.
  • For Twitter users:
    • Block previously-identified offenders using Block Together — ask around in your communities for shared block lists.
    • Block troll bots using Bot Sentinel.
    • Reduce dogpiling by blocking all followers of a certain profile using Red Block or Twitter Block Chain (only available on Chrome).
    • See what lists you’ve been added to by going to Profile → Lists → ··· → Lists you’re on. If you see a suspicious list or list owner, tap the three dots on the top right to report the list and leave the list by blocking the creator.
    • Filter unwanted mentions and replies using Block Party.

Notify other parties

  • If your physical safety is under threat, notify law enforcement or someone in your community with crisis experience for protection.
  • If the situation escalates, consider informing your employer, communities and family about what is going on, in case you might need their help at some point or so that they are not caught off-guard.

For more information

eyes Remove information about you off of the internet

If you’re about to become a public figure or are experiencing harassment, consider some of the suggestions below.

Clean up your social media presences

You might not need to delete your entire account, but consider deleting (or making private) posts that are old and/or reveal too much about where you live, where you go, and who you’re with.

  • Facebook:
    • See what your public profile looks and remove/restrict things as you see fit.
      • On desktop, go to your profile and click the eye button next to the right of the Edit Profile button.
      • On mobile, go to your proflie, tap the three dots on the right of Add Story and tap View As.
    • Make it so only friends can see your past posts.
      • On desktop, go to Settings → Privacy → Limit Past Posts.
      • On mobile, go to Settings & Privacy → Settings → Privacy Settings → Limit who can see past posts.
    • To bulk delete past posts, see this article in PC Magazine.
  • Whatsapp:
    • Swipe to delete individual conversations.
    • Delete chat content but keep the chat groups: Settings → Chats → Clear All Chats.
    • Delete all chats including the chat groups: Settings → Chats → Delete All Chats.
    • Turn off chat backups on WhatsApp (Settings → Chats → Chat backup) and delete your previous backups (instructions for iOS, Android).
  • Instagram:
    • Look through your profile and manually delete posts (tap the three dots above upper-right corner of a photo).
    • If need be, bulk delete using third-party tools.
  • Twitter:
  • Reddit and other forums:
    • There’s often no easy solution. Sometimes you have to delete your entire account, or in the case of Reddit, you have to use third-party scripts because deleting your account still leaves your posts up.

Remove your information from other people’s accounts or websites

Obscure your personal information

  • Use Burner or Hushed to set up burner phone numbers for calling/texting.
  • Get a PO box at a post office or use Traveling Mailbox (USA only) to hide your home address.
  • Delete old accounts to eliminate traces of personal information on the Internet. Use JustDeleteMe to accelerate this process.

broken_heart I think my partner is spying on me through my phone (stalkerware)

If you’re not sure and things between you and your partner aren’t that bad yet:

  • Keep a hidden, pen-and-paper log of suspicious incidents.
  • Make sure your partner is not getting information from previously shared accounts or because you left the location share on within Google Maps.
  • Review and redo the items in Levels 1-3 of this guide. Reset your passwords, check your privacy/data sharing permissions, and look up any apps you don’t recognize on your computer and phone.
  • Keep an eye out for other signs. E.g. your phone battery doesn’t last very long anymore, or your laptop internet connection is slow. Review the Coalition Against Stalkerware’s full of list of indicators.
  • Don’t delete suspicious apps immediately — you may need to keep them as evidence. Plus, deletion may also cause the situation with your partner to escalate.

If you’re pretty sure they’re spying on you and you’re scared:

  • Seek help. You should not go through this alone:
    • Find a public or friend’s computer/phone to contact the organizations in this global resource list compiled by the Coalition Against Stalkerware. Some of them can even help you collect evidence and remove stalkerware safely.
    • Reach out to a trusted friend (through a public device/line) and ask them to hold space for your situation and be your sounding board on analyzing how bad the situation is.
  • Keep digital and printed records of relevant texts, emails, calls, etc. See the NNEDV’s guide on documenting/saving evidence.
  • When you no longer need evidence anymore, remove the suspicous apps/stalkerware yourself either by deleting them one by one, or by performing a full factory reset on your computer/phone. (Buying brand new device is even safer of course.) Remember to reinstall apps and import data manually, lest you restore a backup with stalkerware in it.

For more information

bust_in_silhouette I don’t want to give out my real phone number for online dating/networking/organizing

For messaging apps that use phone numbers as the primary identifier/username (e.g. Signal, WhatsApp, Telegram), get a secondary number from:

  • Twilio (1 USD/month, but complicated setup – see the Twilio section here and this guide)
  • Google Voice (free but only available in the US)
  • Burner or Hushed (5 and 4 USD/month respectively + other prepaid plans for short-term use, US/Canada numbers)
  • A phone company: get a prepaid or cheap SIM card plan (rates vary)

For sites and services that use email as the primary identifier/username, get a separate, new email address.

Keep in mind:

  • If you lose/unsubscribe to your secondary phone number, other people can buy it and impersonate you.
  • Courts can still compel companies to hand over your information in most cases.

For true anonymity – create an untraceable online persona under a pseudonymn

zipper_mouth_face Traveling to a place with weak data protection laws or internet censorship

  • Be aware that the phone companies there might share your location data and personal info with others without permission.
  • Setup a VPN beforehand so you can a) access services uninterrupted, and b) to minimize the amount of data collected about you. Avoid VPNs that are free or have opaque ownership. See recommendations from Wirecutter and Freedom of the Press.
  • Consider traveling with a burner phone while leaving your laptop at home. This will be especially useful if you need to install new/untested software for work that might violate data privacy policies.
  • Re-evaluate which online services are safe to use:

persevere I need help now, my systems are under attack!

If you work as part of a civil society group, contact:

If you are being harassed online, contact:

Alternately, hotlines that don’t focus on digital/online safety may still be able to help:

If someone else has taken control of your accounts:

If you’ve been a victim of an online scam, fraud or ransomware:

sweat_dropsquestion Other recommendations

This section is a catch-all for difficult or esoteric practices that do not fall under any of our scenarios above and might not lead to an immediate payoff for the casual user.

Emails

  • Sign up for a Protonmail or Tutanota end-to-end encrypted email account.
  • Use PGP to secure your emails.

File storage & sharing

  • Use an end-to-end encrypted cloud storage service (not Dropbox): Tresorit, SpiderOak.
  • Use encrypted external USB/hard drives from companies like Apricorn.
  • If you want to send a file anonymously, use a special sharing service like OnionShare.
  • Instead of Google Docs or Microsoft Office, use CryptPad or Standard Notes (both are open-source and end-to-end encrypted).

Messaging apps

  • WhatsApp additional settings:
    • To be 100% end-to-end encrypted, turn off chat backups on WhatsApp (Settings → Chats → Chat backup) and delete your previous backups (instructions for iOS, Android).
    • Turn on security notifications on WhatsApp (Settings → Account → Security).
    • Set up a pin number (Settings → Account → Two-Step Verification) and email address (Account → Two-step verification → tap Add Email Address) to prevent your account from being moved without your permission.
  • Telegram:
    • Use only the Secret Chat function for secure chats (note that this means your messages will not show up in your desktop or web app)
    • Only allow your contacts to add / find your account
    • Turn on self-destruct timers for your Secret Chat.
  • Apple Messages:
    • Auto-delete messages after a year: `Settings → Messages → Keep Messages → 1 Year.
  • Check these two lists of secure messaging apps (Secure Messaging Apps Comparison and IntelTechnique’s Messaging) to learn more about security considerations beyond end-to-end encryption and what trade-offs you may be OK with.

Hosting/running a website

Other

  • Buy a YubiKey USB key to use for two-factor authentication. If you work in free speech/press/internet, you may qualify for a free Yubico for Free Speech.
  • Keep less information/data/photos on your devices – you can’t lose what you don’t have.
  • Don’t use smart TVs or smart speakers.
  • Turn suspicious PDFs into safe ones using Dangerzone.
  • Search the web anonymously with DuckDuckGo.
  • Access Facebook with more anonymity and/or bypass internet filtering by using its onion service.
  • If you (or your organization) is really wedded to the Google Suite, consider Google’s Advance Protection program.
  • Put your smart cards/passports/phones in a Faraday bag that blocks signals from going in and out. (See Micah Lee’s guide on them.)
  • Use One Time to send a password-protected, self-destructing message.
  • Use a more secure operating system: Tails (works off of a USB stick) or Qubes OS.
  • For Android users: Download apps using F-Droid, an open-source, security-focused app store.
  • For US residents: Freeze your credit to prevent bad actors from accessing or mis-using your personal information. See IntelTechniques’ Credit Freeze Guide for details.

trophy Oh my, you made it this far.
trophy You are a true champ!

brain Other resources

We consulted many sources and drew upon our own experiences in creating this resource. If you’re not finding quite what you want here, we recommend checking out these other resources:

memo License

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

?? Special thanks

Special thanks to the students at the School of Journalism and Communication at the Chinese University of Hong Kong, and to our GitHub contributors.

This article originally appeared on github.com