Securing Internet services on your home network
Single Source Protection
Mistborn bundles important Internet services on your home network and secures them with a WireGuard VPN tunnel, Pi-hole, iptables rules, and separate containers.
COVID-19 has forced many people to work from home, relying on Internet services for file sharing, videoconferencing, and more. In addition to outside threats that exploit the current situation, security risks within the services themselves also pose a problem. For instance, the videoconferencing platform Zoom [1], which has had an influx of users since the beginning of the pandemic, can hardly keep up with the task of closing its security gaps.
To avoid these pitfalls, Steven Foerster, the developer of security software at Cyber5k, needed an easy-to-implement security solution for all his family's Internet activities. The result is the Mistborn [2] project on GitLab, which is exclusively based on free software. (The name comes from the epic fantasy book series of the same name by Brandon Sanderson.)
Mistborn offers the script-controlled setup of a VPN tunnel with WireGuard, as well as ad-blocking with Pi-hole using DNSCrypt [3] (Figure 1). In addition, Mistborn lets you activate and manage other services, such as Nextcloud, Cockpit, Syncthing, Rocket.Chat, Home Assistant, Jellyfin, Bitwarden, ONLYOFFICE, Tor, and Jitsi.
Setup
In our lab, we used Mistborn on a Lenovo ThinkPad X220 as the server and a ThinkPad X230 as the client, both with Ubuntu 20.04 LTS (Focal Fossa). You control the software via a web interface from any device.
The developer recommends 1GB RAM and 15GB memory for WireGuard with Pi-hole. If you want to use the Cockpit management tool, you need at least 2GB RAM. If services like Jitsi Meet, Nextcloud, Jellyfin, Rocket.Chat, Home Assistant, or ONLYOFFICE enter into play, you need at least 4GB RAM, which also increases the storage space requirement to around 25GB. For videoconferences with Jitsi Meet, 10GB bandwidth is optimal.
Alternatively, you can run Mistborn in the cloud, as long as the cloud environment supports PostgreSQL databases. Options are available for about one dollar per month.
Static IP and DDNS
If you install Mistborn on a device on your home network, it requires a static IP address [4]. If the services will be available only on your LAN, it is sufficient to give the computer a private static address. This can usually be easily done via the router configuration or the operating system.
The easiest way to obtain a fixed public IP address is to use one of the many dynamic DNS (DDNS) service providers. Some routers, such as the AVM FRITZ!Box, offer DDNS as part of their software.
You can install Mistborn directly or via SSH. If the installation is taking place via SSH, the setup creates an iptables rule that allows future connections via SSH from the same IP address, but blocks all other external connections. The PC continues to accept internal connections via the WireGuard tunnel. The same applies to installation on remote devices via SSH.
All services in Mistborn run in Docker containers. Mistborn automatically sets up and manages the containers for you. It also dynamically creates iptables rules as required to prevent external data traffic via the containers.
Installation
For the basic Mistborn installation, the script does most of the work leaving you little to do besides reading the output in the terminal as a matter of interest. The first two lines in Listing 1 set up the software. The first line downloads the script from GitLab; the second line starts the actual installation (Figure 2). This takes place below /opt/mistborn/
.
Listing 1
Installing Mistborn
$ git clone https://gitlab.com/cyber5k/mistborn.git $ sudo bash ./mistborn/scripts/install.sh $ sudo mistborn-cli getconf
On the laptop, the process took about 15 minutes on a fast network (Figure 3). For a list of installation steps, visit Mistborn's GitLab page [5]. When prompted to install the resource-hungry Cockpit management tool on a Raspberry Pi, answer no unless you absolutely need it.
After the installation success message, wait another minute and then create the configuration with the command from the last line of Listing 1 (Figure 4).
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs