[GH-ISSUE #60] DNS Service #27

Closed
opened 2026-03-03 13:58:29 +03:00 by kerem · 9 comments

Originally created by @roobyz on GitHub (Feb 4, 2020).
Original GitHub issue: https://github.com/konstruktoid/hardening/issues/60

You've done some great work.

Sorry if this goes beyond your original intent of your hardening scripts. I'm trying to harden a server that is running Pihole. After running your process, the DNS Service (dnsmasq) gets completely disabled somehow and prevents Pihole from working. Also, Pihole uses php7.4-fpm, which leverages a run folder (/run/php) that also disappears after hardening.

Could you point me in the right direction on debugging the part of your process "over hardens"? :)

Thanks in advance!!

kerem closed this issue 2026-03-03 13:58:29 +03:00
@konstruktoid commented on GitHub (Feb 4, 2020):

Hi @roobyz, thank you and sorry for any inconvenience this has caused.
On which platform and version are you running Pihole? (I've only tried it on a RaspberryPi).

@roobyz commented on GitHub (Feb 4, 2020):

Oh yes.... Ubuntu 18.04 running on an LXC container (AMD x86_64). Most everything works great, but there are a few functions that don't apply or don't work correctly on LXC containers that I've had to disable. This one isn't as obvious to me. :-)

@konstruktoid commented on GitHub (Feb 5, 2020):

Hi again @roobyz, I've updated the script so it hopefully won't fail as much when running in a LXC, feel free to test.

Had no issues running Pihole; I created the LXC, ran the hardening script, and then installed Pihole.

Could you please update with some logs?

@roobyz commented on GitHub (Feb 6, 2020):

Super cool. I'll test tonight. FYI, I created a similar variable LXC as a one-liner like:

```bash
# 1 when PID 1 was started with container=lxc or container=lxd in its environment, else 0
LXC="$(grep -E 'container=lxc|container=lxd' /proc/1/environ | wc -l)"
```
@roobyz commented on GitHub (Feb 6, 2020):

@konstruktoid I ran the updated code. It was successful, "in part". :-)

I used LXC with Pihole already installed, and ran the hardening script. Afterward I repaired Pihole (`pihole -r`), and everything seemed to work. However, after restarting my VPS, it stopped working. I had to also fix **php7.4-fpm** (missing /run/php folder), so I ran:

```bash
sudo mkdir -p /run/php
sudo chown www-data:www-data /run/php
sudo systemctl start php7.4-fpm
sudo systemctl restart nginx
sudo systemctl restart pihole-FTL
```

At this point I end up with Pihole with a message like "Lost API connection" on the Pihole page. Running `pihole status` gives:

```
  [✗] DNS service is NOT running
```

However, trying `pihole restartdns` doesn't do anything.

Also, question regarding `17_packages`, wondering why you didn't do something like:

```bash
APPARMOR="apparmor-profiles apparmor-utils libpam-apparmor"

if [[ $LXC == "1" ]]; then
  APPARMOR=""
fi

PACKAGE_INSTALL="acct aide-common debsums gnupg2 haveged libpam-cracklib libpam-tmpdir needrestart openssh-server postfix rkhunter sysstat systemd-coredump tcpd update-notifier-common vlock $APPARMOR $AUDITD $VM"
```

The attached log as requested:
[hardening-script-200206.log](https://github.com/konstruktoid/hardening/files/4163407/hardening-script-200206.log)

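The container check and the conditional package list discussed in the two comments above, as an added example that is not code from the hardening project or from either commenter. It splits `/proc/1/environ` on NUL bytes before matching (the one-liner's `grep | wc -l` treats the whole NUL-separated file as one line and also matches values such as `container=lxcfs`), and the function names `in_lxc`, `lxc_flag` and `package_list` plus the sample environ files are my own constructions.

```bash
#!/usr/bin/env bash
# Added example, not code from the hardening project or the commenters.
# NUL-aware LXC/LXD detection from /proc/1/environ, and the conditional
# package list sketched for 17_packages.
set -eu

# in_lxc: true when the environ file given as $1 contains exactly
# container=lxc or container=lxd. /proc/1/environ is NUL-separated, so it
# is split with tr first; grep -x rejects near-misses such as
# container=lxcfs. grep's output is discarded rather than using -q so the
# whole input is always consumed.
in_lxc() {
  local environ="${1:-/proc/1/environ}"
  if [ ! -r "$environ" ]; then
    return 1
  fi
  tr '\0' '\n' < "$environ" | grep -xE 'container=(lxc|lxd)' > /dev/null
}

# lxc_flag: prints "1" or "0", the value the script's LXC variable holds.
lxc_flag() {
  if in_lxc "${1:-/proc/1/environ}"; then echo 1; else echo 0; fi
}

# package_list: the 17_packages list, with the AppArmor packages added only
# outside containers (the LSM is managed by the host kernel, not the guest).
# $AUDITD and $VM from the script are omitted here.
package_list() {
  local lxc="$1"
  local pkgs="acct aide-common debsums gnupg2 haveged libpam-cracklib"
  pkgs="$pkgs libpam-tmpdir needrestart openssh-server postfix rkhunter"
  pkgs="$pkgs sysstat systemd-coredump tcpd update-notifier-common vlock"
  if [ "$lxc" != "1" ]; then
    pkgs="$pkgs apparmor-profiles apparmor-utils libpam-apparmor"
  fi
  echo "$pkgs"
}

# Constructed sample environ files so the example runs without an LXC.
tmp="$(mktemp -d)"
printf 'PATH=/usr/bin\0container=lxc\0HOME=/root\0' > "$tmp/lxc.environ"
printf 'PATH=/usr/bin\0HOME=/root\0' > "$tmp/host.environ"
echo "container sample: LXC=$(lxc_flag "$tmp/lxc.environ")"   # 1
echo "host sample:      LXC=$(lxc_flag "$tmp/host.environ")"  # 0
package_list "$(lxc_flag "$tmp/lxc.environ")"
rm -r "$tmp"
```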
@konstruktoid commented on GitHub (Feb 6, 2020):

Thanks, will have a look.

@konstruktoid commented on GitHub (Feb 6, 2020):

It seems Pihole doesn't configure a dnsmasq systemd service, and after running the script you'll probably need to reinstall dnsmasq.
So my suggestion is that you (re)install dnsmasq, create a dnsmasq.service file and disable systemd-resolved.

```
systemctl disable systemd-resolved.service
```

`/etc/systemd/system/dnsmasq.service`:

```
[Unit]
Description=DNS caching server.

After=network.target docker.service

[Service]

# The leading "-" tells systemd to ignore a non-zero exit status from these commands.
ExecStartPre=-/bin/systemctl stop systemd-resolved.service
ExecStartPost=-/bin/systemctl start systemd-resolved.service
# -k keeps dnsmasq in the foreground so systemd can supervise it.
ExecStart=/usr/sbin/dnsmasq -k

[Install]
WantedBy=multi-user.target
```

But where does php7.4-fpm come from?

```
ls -l /run/php
ls: cannot access '/run/php': No such file or directory
root@issue:~/hardening# dpkg -l | grep php
ii  php-cgi                        1:7.2+60ubuntu1                     all          server-side, HTML-embedded scripting language (CGI binary) (default)
ii  php-common                     1:60ubuntu1                         all          Common files for PHP packages
ii  php-sqlite3                    1:7.2+60ubuntu1                     all          SQLite3 module for PHP [default]
ii  php7.2-cgi                     7.2.24-0ubuntu0.18.04.2             amd64        server-side, HTML-embedded scripting language (CGI binary)
ii  php7.2-cli                     7.2.24-0ubuntu0.18.04.2             amd64        command-line interpreter for the PHP scripting language
ii  php7.2-common                  7.2.24-0ubuntu0.18.04.2             amd64        documentation, examples and common module for PHP
ii  php7.2-json                    7.2.24-0ubuntu0.18.04.2             amd64        JSON module for PHP
ii  php7.2-opcache                 7.2.24-0ubuntu0.18.04.2             amd64        Zend OpCache module for PHP
ii  php7.2-readline                7.2.24-0ubuntu0.18.04.2             amd64        readline module for PHP
ii  php7.2-sqlite3                 7.2.24-0ubuntu0.18.04.2             amd64        SQLite3 module for PHP
root@issue:~/hardening# dpkg-reconfigure php7.4-fpm
dpkg-query: package 'php7.4-fpm' is not installed and no information is available
Use dpkg --info (= dpkg-deb --info) to examine archive files,
and dpkg --contents (= dpkg-deb --contents) to list their contents.
/usr/sbin/dpkg-reconfigure: php7.4-fpm is not installed
root@issue:~/hardening# curl -sSL https://install.pi-hole.net | bash
[... OUTPUT REMOVED ...]
  [✓] Cleaning up stray matter
  [✓] Restarting DNS service

  [✓] DNS service is running
  [✓] Pi-hole blocking is Enabled

  [i] The install log is located at: /etc/pihole/install.log
Update Complete! 

  Current Pi-hole version is v4.3.2
  Current AdminLTE version is v4.3.2
  Current FTL version is v4.3.1
root@issue:~/hardening# dpkg -l | grep php
ii  php-cgi                        1:7.2+60ubuntu1                     all          server-side, HTML-embedded scripting language (CGI binary) (default)
ii  php-common                     1:60ubuntu1                         all          Common files for PHP packages
ii  php-sqlite3                    1:7.2+60ubuntu1                     all          SQLite3 module for PHP [default]
ii  php7.2-cgi                     7.2.24-0ubuntu0.18.04.2             amd64        server-side, HTML-embedded scripting language (CGI binary)
ii  php7.2-cli                     7.2.24-0ubuntu0.18.04.2             amd64        command-line interpreter for the PHP scripting language
ii  php7.2-common                  7.2.24-0ubuntu0.18.04.2             amd64        documentation, examples and common module for PHP
ii  php7.2-json                    7.2.24-0ubuntu0.18.04.2             amd64        JSON module for PHP
ii  php7.2-opcache                 7.2.24-0ubuntu0.18.04.2             amd64        Zend OpCache module for PHP
ii  php7.2-readline                7.2.24-0ubuntu0.18.04.2             amd64        readline module for PHP
ii  php7.2-sqlite3                 7.2.24-0ubuntu0.18.04.2             amd64        SQLite3 module for PHP
root@issue:~/hardening# ls -l /run/php
ls: cannot access '/run/php': No such file or directory
```

```
root@issue:~# pihole status
  [✓] DNS service is running
  [✓] Pi-hole blocking is Enabled
root@issue:~# pihole restartdns
  [✓] Restarting DNS service
root@issue:~# pihole status
  [✓] DNS service is running
  [✓] Pi-hole blocking is Enabled
root@issue:~# reboot
root@issue:~#
$ sudo lxc exec issue bash
root@issue:~# pihole status
  [✗] DNS service is NOT running
root@issue:~# pihole restartdns
  [✓] Restarting DNS service
root@issue:~# pihole status
  [✓] DNS service is running
  [✓] Pi-hole blocking is Enabled
root@issue:~# systemctl disable systemd-resolved.service
Removed /etc/systemd/system/dbus-org.freedesktop.resolve1.service.
Removed /etc/systemd/system/multi-user.target.wants/systemd-resolved.service.
root@issue:~# reboot
root@issue:~#
$ sudo lxc exec issue bash
root@issue:~# pihole status
  [✓] DNS service is running
  [✓] Pi-hole blocking is Enabled
root@issue:~# pihole restartdns
  [✓] Restarting DNS service
root@issue:~# pihole status
  [✓] DNS service is running
  [✓] Pi-hole blocking is Enabled
root@issue:~#
```

@konstruktoid commented on GitHub (Feb 17, 2020):

Any progress @roobyz?


@konstruktoid commented on GitHub (Mar 30, 2020):

Closing due to inactivity.
