PeerGuardian is a firewall for peer-to-peer software (e.g. BitTorrent) that blocks bad peers.

This howto is tested on:

  • Debian 10.0 Buster

This howto is tested with these versions of the software:

  • 2.3.1

Requirements

This howto recommends :

Installation

Detect if sudo is available (“command” is used if not):

cmdProxy='command'
command type -f 'sudo' &>'/dev/null' && cmdProxy='sudo'

Install the software’s requirements:

${cmdProxy} apt install 'gnupg'

Setup the software repository:

${cmdProxy} tee '/etc/apt/sources.list.d/moblock-deb.list' \
    <<< '# Moblock & PeerGuardian for Debian Stretch and newer.
deb http://moblock-deb.sourceforge.net/debian stretch main
deb-src http://moblock-deb.sourceforge.net/debian stretch main'

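Fetch the repository signing key (it is requested by its short key ID, so check the full fingerprint of the imported key with “apt-key finger” afterwards):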

${cmdProxy} apt-key adv --keyserver 'hkp://keyserver.ubuntu.com:80' \
    --recv-keys 'C0145138'

Update the list of available packages:

${cmdProxy} apt update

Install the software:

# Without sudo, "env" sets the variable; with sudo, it is passed on sudo's command line.
callChain=('env' 'DEBIAN_FRONTEND=noninteractive')
test "${cmdProxy}" = 'sudo' && callChain=('sudo' 'DEBIAN_FRONTEND=noninteractive')
"${callChain[@]}" apt install 'pgld' 'pglcmd'

Configuration

Install a more complete block lists configuration:

${cmdProxy} wget --quiet --output-document='/etc/pgl/blocklists.list' \
    'https://raw.githubusercontent.com/biapy/howto.biapy.com/master/torrent/blocklists.list'

Detect the ports used by vsFTPd passive mode, if needed:

ftpPassiveRange=""
if [ -e '/etc/vsftpd.conf' ]; then
  minPort=$(command grep '^pasv_min_port=' '/etc/vsftpd.conf' \
    | command cut --delimiter="=" --fields=2)
  maxPort=$(command grep '^pasv_max_port=' '/etc/vsftpd.conf' \
    | command cut --delimiter="=" --fields=2)
  [[ -n "${minPort}" && -n "${maxPort}" ]] && ftpPassiveRange="${minPort}:${maxPort}"
fi

Disable PeerGuardian blocking for the HTTP, HTTPS, SSH and FTP ports (plus the FTP passive range, if one was detected):

${cmdProxy} tee -a '/etc/pgl/pglcmd.conf' \
  <<< "WHITE_TCP_OUT=\"http https ssh ftp ${ftpPassiveRange}\"
WHITE_TCP_IN=\"http https ssh ftp ${ftpPassiveRange}\""

Reload the PGL settings:

${cmdProxy} systemctl reload 'pgl'
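
Added example, not part of the original howto: the passive port values read from vsftpd.conf above are interpolated into /etc/pgl/pglcmd.conf as root, so this POSIX shell example validates them first and builds the whitelist lines only from checked values. The function names (is_port, conf_value, pasv_range, whitelist_lines) and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate vsftpd passive ports before writing pglcmd.conf.

# is_port VALUE: succeed only for a decimal integer in 1..65535.
is_port() {
  case "$1" in
    ''|0*|*[!0-9]*) return 1 ;;   # empty, leading zero, or non-digit
  esac
  [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# conf_value FILE KEY: print the value of the last "KEY=value" line.
# Taking the last occurrence is a choice made for this example.
conf_value() {
  grep "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d '=' -f 2- | tr -d '\r'
}

# pasv_range FILE: print "min:max" for a valid range, else return non-zero.
pasv_range() {
  min=$(conf_value "$1" 'pasv_min_port')
  max=$(conf_value "$1" 'pasv_max_port')
  is_port "$min" && is_port "$max" && [ "$min" -le "$max" ] || return 1
  printf '%s:%s\n' "$min" "$max"
}

# whitelist_lines FILE: print the two pglcmd.conf lines used in this howto,
# adding the passive range only when it passed validation.
whitelist_lines() {
  ports='http https ssh ftp'
  if range=$(pasv_range "$1"); then ports="$ports $range"; fi
  printf 'WHITE_TCP_OUT="%s"\nWHITE_TCP_IN="%s"\n' "$ports" "$ports"
}

# Constructed sample input (not a real server configuration).
sample=$(mktemp)
printf 'listen=YES\npasv_min_port=40000\npasv_max_port=40100\n' > "$sample"
whitelist_lines "$sample"
rm -f "$sample"
```

To apply the result, pipe it into the howto's own command: whitelist_lines '/etc/vsftpd.conf' | ${cmdProxy} tee -a '/etc/pgl/pglcmd.conf'.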

White list management

Install the tool, leaving wget's certificate verification enabled since the script is later run with root privileges:

${cmdProxy} wget "https://raw.githubusercontent.com/biapy/howto.biapy.com/master/torrent/pgl-tools" \
    --quiet --output-document="/usr/local/bin/pgl-tools"

Declare the downloaded file as executable:

${cmdProxy} chmod +x "/usr/local/bin/pgl-tools"

Automatic updates

Configure biapy-updater automatic updates to check for new versions of the software:

${cmdProxy} tee -a '/etc/biapy-updater.conf' <<< 'pgl-tools'

Usage

Add a torrent tracker to PGL’s white list (here for openbittorrent):

${cmdProxy} pgl-tools --add 'tracker.openbittorrent.com'

A line for the whitelisted host is added to “/etc/pgl/allow.p2p”.

Reload the PGL settings:

${cmdProxy} systemctl reload 'pgl'

Thanks
