Collection of Solutions for Debian GNU/Linux End Users

RENANZG/My-Debian-GNU-Linux


1. DEBIAN GNU/LINUX

"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately endpoint security is so terrifically weak that NSA can frequently find ways around it." (Edward Snowden)


1.01 System Hardening

• Anonymous Planet - The Hitchhiker’s Guide (PDF)
• Madaidan's - Security & Privacy Evaluations
• Whonix - Essential Host Security
• Hardened GNU/Linux
• Whonix - System Hardening Checklist
• Bleachbit - Clean Your System and Free Disk Space
• Kicksecure - Documentation
• ShredOS - Secure disk erasure/wipe
• Debian - Security Management
• EFF - Surveillance Self-defense
• OWASP - No more insecure software
• Cryptomator - Put a lock on your cloud
• CIS Benchmark - Debian Linux Guides
• Duplicati - Store securely encrypted backups on cloud storage services!
• NSA GOV - Cybersecurity Advisories & Guidance (GitHub)
• Virus Total - Free virus, malware and URL online scanning
• NIST GOV - Cybersecurity Framework
• Hybrid Analysis - This is a free malware analysis service

       *Kernel Hacking Guides - https://docs.kernel.org/kernel-hacking/index.html


1.02 Essential Tools

1. Ventoy (Secure Boot) (Checksums)
2. rEFInd (Secure Boot) (Checksums)
3. Clonezilla (Secure Boot) (Checksums)
4. GParted (Secure Boot) (Checksums)
5. ShredOS (Secure Boot) (Checksums)
6. Tails (Secure Boot) (Checksums)
7. Qubes (*Secure Boot) (Checksums)
8. KaliLinux (*Secure Boot) (Checksums)
9. GnuPG (Guides) (Check)
10. WinPE (Sergei Strelec) (Checksums)
11. Hiren's BootCD PE (Secure Boot) (Checksums)

Others: Security Onion, NST, Android-x86, HardenedBSD, OSGeoLive, OpenWRT, LibreELEC.tv, SteamOS.

¹ Check hash with GtkHash (GUI)

https://gtkhash.org

$ sudo apt install gtkhash

² How to summarize iso file with GNU Coreutils (CLI)

https://gnu.org/software/coreutils/manual/html_node/Summarizing-files.html


³ Manual method with sha256sum

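The SHA-256 checksum hashes are published in a file called SHA256SUMS in the same directory listing as the download page.

sha256sum is part of GNU Coreutils, which is installed by default on Debian. If it is missing, install Coreutils:

$ sudo apt install coreutils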

Open a terminal and go to the correct directory to check a downloaded iso file:

$ cd download_directory

Then run the following command from within the download directory.

$ sha256sum name.iso

sha256sum should then print out a single line after calculating the hash:

sdd31231c0421be56f39c7a31245c423fgcc3b048ds321a3e83d2c4d714fa9a76 *name.iso

Compare the hash (the alphanumeric string on left) that your machine calculated with the corresponding hash in the SHA256SUMS file.


⁴ Semi-automatic method with sha256sum

First download the SHA256SUMS and SHA256SUMS.gpg files to the same directory as the iso. Then run the following commands in a terminal.

$ cd download_directory
$ sha256sum -c SHA256SUMS 2>&1 | grep OK

sha256sum should output a line such as:

name.iso: OK

If the OK for your file appears, that indicates the hash matches.
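
An added example (not part of the original README) that extends the semi-automatic method: it first checks the detached signature SHA256SUMS.gpg, so the checksum list itself is authenticated, and then fails explicitly on a mismatch or a missing entry instead of filtering the output for OK. The function names are illustrative; it assumes the publisher's signing key is already in your GnuPG keyring and that file names contain no spaces.

```shell
#!/usr/bin/env bash
# Added example: signature check plus strict hash check for one download.
# Assumes SHA256SUMS uses the standard "<hash>  <name>" or "<hash> *<name>"
# line format produced by sha256sum.

# verify_signature DIR
# Checks the detached signature SHA256SUMS.gpg over SHA256SUMS using the
# keys already present in the caller's GnuPG keyring.
verify_signature() {
    local dir=$1
    gpg --verify "$dir/SHA256SUMS.gpg" "$dir/SHA256SUMS"
}

# expected_hash DIR FILE
# Prints the hash recorded for FILE in DIR/SHA256SUMS and fails when there
# is no entry, so a missing entry is never mistaken for a match.
expected_hash() {
    local dir=$1 file=$2
    awk -v name="$file" '
        { n = $2; sub(/^\*/, "", n) }          # drop the binary-mode marker
        n == name { print tolower($1); found = 1; exit }
        END { if (!found) exit 1 }
    ' "$dir/SHA256SUMS"
}

# verify_iso DIR FILE
# Returns 0 only when FILE is listed and its computed hash matches.
# Returns 2 when FILE is not listed, 1 on a hash mismatch.
verify_iso() {
    local dir=$1 file=$2 want got
    want=$(expected_hash "$dir" "$file") || {
        echo "FAIL: $file is not listed in SHA256SUMS" >&2
        return 2
    }
    got=$(sha256sum -- "$dir/$file" | awk '{ print $1 }')
    if [ "$want" = "$got" ]; then
        echo "$file: OK"
    else
        echo "FAIL: $file hash mismatch" >&2
        return 1
    fi
}

# verify_download DIR FILE
# Signature first: the hash list is only trustworthy once it is known to
# come from the publisher. Returns 4 when the signature does not verify.
verify_download() {
    verify_signature "$1" || {
        echo "FAIL: SHA256SUMS signature did not verify" >&2
        return 4
    }
    verify_iso "$1" "$2"
}
```

Call it as `verify_download download_directory name.iso`; any non-zero exit status means the image should not be used.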



2. SYSTEM INSTALLATION

👷🛠️UNDER CONSTRUCTION🚧🏗

2.01 Hardware

BIOS Simulators

• Phoenix BIOS Simulator
https://grs-software.de/sims/bios/phoenix/pages/
• Phoenix BIOS Setup Utility Simulator - Pranx
https://pranx.com/bios
• Lenovo BIOS Simulator
https://download.lenovo.com/bsco/index.html

Hardware Compatibility

• Hardware for Linux
https://linux-hardware.org
• Linux Vendor Firmware Service
https://fwupd.org/lvfs/devices
• r/linuxhardware
https://reddit.com/r/linuxhardware
• SANE - Lists of supported scanners firmware
http://www.sane-project.org/sane-supported-devices.html
• USB WiFI
https://github.com/morrownr/USB-WiFi
• Mac
https://wiki.debian.org/DebianOnIntelMacPro

Open Hardware

• GNU/Linux Open Hardware PowerPC notebook
https://powerpc-notebook.org
• PINE64 - Community-driven hardware projects
https://pine64.com
https://pine64.org
• Framework - Fix Consumer Electronics
https://frame.work
• "Respects Your Freedom" Certification Program
https://ryf.fsf.org

Hardware Security Based

https://en.wikipedia.org/wiki/Hardware_security_module
https://en.wikipedia.org/wiki/Open-source_firmware
https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption
https://en.wikipedia.org/wiki/Write_protection
https://en.m.wikipedia.org/wiki/Random-access_memory
https://usbguard.github.io
https://digistor.com (*EUA partner)
https://seagate.com/enterprise-storage/enterprise-security
https://github.com/openssl/openssl/blob/master/README-FIPS.md

Hardware Vulnerabilities

https://docs.kernel.org/admin-guide/hw-vuln/index.html
https://github.com/chipsec/chipsec

Hardware Spoof

https://whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Less_important_identifiers
https://whonix.org/wiki/MAC_Address
https://github.com/alobbs/macchanger
https://hwidspoofer.com
https://xaze.gitbook.io/how-to-spoof-with-hwid-serial-changer
https://github.com/segofensiva/OSfooler-ng

Secure Boot

Visit our repo tree: 2.SECURITY/2.05_Secure_Boot

https://libreboot.org
https://osresearch.net

Sanitize options

Visit our repo tree: 2.SECURITY/2.06_Sanitization

Not all SSDs support sanitize. And if you use SSDs, enable TRIM in your BIOS. Take care with SSD over-provisioning. Take care with SSD flaws.

Volatile Memory

https://usbkill.com
https://github.com/Kicksecure/ram-wipe
https://kicksecure.com/wiki/Hardened_Malloc
https://forums.whonix.org/t/hardened-malloc-hardened-memory-allocator/7474/4

Performance

• SSD Over-provisioning

This prevents degradation of SSD speed and durability.

Depending on use, some manufacturers recommend 40% OP. For general use, 20% of the total capacity of the SSD is suggested, that is, more or less 14% counting the minimum that comes from the factory. For example, a 240GB SSD is limited by 14%, which results in 206GB (34GB of OP).

You must consider the file system you will use.

Cost benefit



2.02 Installation

Visit our repo tree: 1.INSTALLATION

2.02.01 Basic Installation Guide

• Basic tips about Linux System

Debian Wiki - https://wiki.debian.org/FrontPage
Command Line - https://github.com/jlevy/the-art-of-command-line#everyday-use
Terminal - https://github.com/onceupon/Bash-Oneliner#terminal-tricks

• Bash autocompletion with TAB

$ sudo apt install bash-completion

Overview of Terminal's Shortcuts

| Shortcut | Action | Shortcut | Action |
|----------|--------|----------|--------|
| Esc + t | Swap the two words before the cursor | Ctrl + f | Go forward one character |
| Ctrl + r | Search command history | Ctrl + b | Go back one character |
| Ctrl + g | Cancel command history search without running command | Ctrl + a | Go to the beginning of the line |
| Ctrl + l | Clear terminal screen | Ctrl + e | Go to the end of the line |
| Ctrl + x | List possible filename completions | Ctrl + w | Delete the word before the cursor |
| Ctrl + c | Cancels the running command | Ctrl + y | Retrieves the last word deleted or cut |
| Ctrl + z | Suspends the running command | Ctrl + xx | Toggle between current cursor position and start or end of line |
| Ctrl + u | Deletes entire line before the cursor | Alt + u | Capitalize all letters in word after cursor |
| Ctrl + k | Deletes entire line after the cursor | Alt + l | Lower case all letters in word after cursor |
| Ctrl + t | Swap the two characters before the cursor | Alt + . | Use the last word of the last command |
| Ctrl + d | Close the terminal | | |

Overview of Nano's Shortcuts

Basically we will use CTRL+O and ENTER to save the changes and then CTRL+X to exit the nano editor.

| Shortcut | Action | Shortcut | Action |
|----------|--------|----------|--------|
| **File handling** | | **Moving around** | |
| Ctrl+S | Save current file | Ctrl+B | One character backward |
| Ctrl+O | Offer to write file ("Save as") | Ctrl+F | One character forward |
| Ctrl+R | Insert a file into current one | Ctrl+← | One word backward |
| Ctrl+X | Close buffer, exit from nano | Ctrl+→ | One word forward |
| | | Ctrl+A | To start of line |
| **Editing** | | Ctrl+E | To end of line |
| Ctrl+K | Cut current line into cutbuffer | Ctrl+P | One line up |
| Alt+6 | Copy current line into cutbuffer | Ctrl+N | One line down |
| Ctrl+U | Paste contents of cutbuffer | Ctrl+↑ | To previous block |
| Alt+T | Cut until end of buffer | Ctrl+↓ | To next block |
| Ctrl+] | Complete current word | Ctrl+Y | One page up |
| Alt+3 | Comment/uncomment line/region | Ctrl+V | One page down |
| Alt+U | Undo last action | Alt+\ | To top of buffer |
| Alt+E | Redo last undone action | Alt+/ | To end of buffer |
| **Search and replace** | | **Special movement** | |
| Ctrl+Q | Start backward search | Alt+G | Go to specified line |
| Ctrl+W | Start forward search | Alt+] | Go to complementary bracket |
| Alt+Q | Find next occurrence backward | Alt+↑ | Scroll viewport up |
| Alt+W | Find next occurrence forward | Alt+↓ | Scroll viewport down |
| Alt+R | Start a replacing session | Alt+< | Switch to preceding buffer |
| | | Alt+> | Switch to succeeding buffer |
| **Deletion** | | **Information** | |
| Ctrl+H | Delete character before cursor | Ctrl+C | Report cursor position |
| Ctrl+D | Delete character under cursor | Alt+D | Report line/word/character count |
| Alt+Bsp | Delete word to the left | Ctrl+G | Display help text |
| Ctrl+Del | Delete word to the right | | |
| Alt+Del | Delete current line | | |
| **Operations** | | **Various** | |
| Ctrl+T | Execute some command | Alt+A | Turn the mark on/off |
| Ctrl+J | Justify paragraph or region | Tab | Indent |
| Alt+J | Justify entire buffer | Shift+Tab | Unindent marked region |
| Alt+B | Run a syntax check | Alt+V | Enter next keystroke verbatim |
| Alt+F | Run a formatter/fixer/arranger | Alt+N | Turn line numbers on/off |
| Alt+: | Start/stop recording of macro | Alt+P | Turn visible whitespace on/off |
| Alt+; | Replay macro | Alt+X | Hide or unhide the help lines |
| | | Ctrl+L | Refresh the screen |

Virtual Machines

• Using VirtualBox as training or to test ultra-advanced configurations

https://debian.org/doc/manuals/debian-handbook/sect.virtualization.en.html

VirtualBox on Windows 10

"How to Install Debian Linux in VirtualBox on Windows 10 | Beginners Guide | (Buster)"
https://youtube.com/watch?v=cx8GzudB6uE

Hypervisor
KVM (Kernel-based Virtual Machine) is a hypervisor built into the Linux kernel. It is similar to Xen in purpose but much simpler to get running. Unlike native QEMU, which uses emulation, KVM is a special operating mode of QEMU that uses CPU extensions (HVM) for virtualization via a kernel module.
On the difference between a type 1 hypervisor and a type 2 hypervisor: KVM is a type 1 hypervisor, able to run on bare metal, while QEMU is a type 2 hypervisor that runs on top of the operating system. QEMU uses KVM to give the virtual machines access to the machine’s physical resources. In brief, QEMU uses emulation; KVM uses processor extensions (HVM) for virtualization.

Using QEMU/KVM - "Kernel-based Virtual Machine"
https://wiki.debian.org/KVM
https://wiki.archlinux.org/title/KVM

Quick Installation Guide and Others

http://www.rodsbooks.com/linux-uefi
https://wiki.debian.org/DontBreakDebian
https://distrowatch.com/table.php?distribution=debian
https://debian.org/releases/bookworm/amd64/apb.en.html

2.02.02 Desktop interface

XFCE vs LXQt - Lightweight Linux Desktop Environments
https://youtube.com/watch?v=cs8JW3zDDoI

2.02.03 Debootstrap

👷🛠️UNDER CONSTRUCTION🚧🏗

Visit our repo tree: 1.INSTALLATION/2.02_Debootstrap

• Debootstrap
https://wiki.debian.org/Debootstrap
• Debian 11.0 Debootstrap | Debian Command Line Install Guide
https://youtube.com/watch?v=oKnkOwdysNs
• Debian 11.4 ZFS Bootstrap | Debian ZFS Command Line Installation
https://youtube.com/watch?v=7F7Ch-ZkiQU
• Nilsmeyer - An ansible role for bootstrapping new Debian based systems, including setting up partitions, file systems, encryption (luks), RAID and LVM
https://github.com/nilsmeyer/ansible-debootstrap
• Linux Dabbler - Scripts to run after installing debian
https://github.com/linuxdabbler/debian-install-scripts

File system: EXT4, XFS, BTRFS AND ZFS


2.03 Encryption

Visit our repo tree: 2.SECURITY/2.03_Cryptography

Visit our repo tree: 1.INSTALLATION/2.02_Debootstrap

Encryption

• Arch Linux Security
https://wiki.archlinux.org/title/Security
• Data-at-rest encryption
https://wiki.archlinux.org/title/Data-at-rest_encryption
• Disk encryption implementations
https://en.wikipedia.org/wiki/Disk_encryption#Implementations
• FIPS 140-2 Cryptographic Module Validation Program
https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-2

Partitioning scenarios: advantages and disadvantages

• Encrypting an entire system with dm-crypt
https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system
• Device encryption with dm-crypt
https://wiki.archlinux.org/title/dm-crypt/Device_encryption#top-page

FSTAB, CRYPTTAB AND DM-CRYPT - Linux kernel's device mapper crypto target

• Dm-crypt
https://wiki.archlinux.org/title/Dm-crypt
• Fstab
https://wiki.debian.org/fstab
• Crypttab
https://manpages.debian.org/bookworm/cryptsetup/crypttab.5.en.html
• Tips: Copy and paste blkid to fstab
# echo "$(blkid -o export /dev/sdbX | grep ^UUID=) REMEMBEREFI" | tee --append /etc/fstab
# blkid -o value -s UUID >> /etc/fstab

Example 1 - FSTAB - Non-encrypted Boot Removable Medium (USB Key) Multi-device
# <file system> <mount point> <type> <options> <dump> <pass>
# Options are a single comma-separated field; a space inside it shifts the remaining columns.
UUID=e4c627c2-69f2-11ee-8c99-0242ac120002 / ext4 errors=remount-ro 0 1
# /boot was on /dev/sdc2 during installation
PARTUUID=f2c4ec78-69f2-11ee-8c99-0242ac120002 /boot ext2 noauto,x-systemd.device-timeout=1m,defaults 0 2
# /boot/efi was on /dev/sdc1 during installation
PARTUUID=a15355f4-15ce-4ea6-a57b-161e9eea19fc /boot/efi vfat noauto,x-systemd.device-timeout=1m,umask=0077 0 1
UUID=2701e126-69f3-11ee-8c99-0242ac120002 /home ext4 defaults 0 2
UUID=447e4a14-69f3-11ee-8c99-0242ac120002 none swap sw 0 0
    
Example 2 - FSTAB - Encrypted Boot Removable Medium (USB Key) Multi-device

👷🛠️UNDER CONSTRUCTION🚧🏗

Example 3 - FSTAB - Encrypted Boot Removable Medium (USB Key) Multi-device and Keyfile

Time-based Authentication (OTP, TOTP, and HOTP)

| Term | Definition | Description |
|------|------------|-------------|
| OTP | One-Time Password | A unique password that is valid for only one login session or transaction. |
| TOTP | Time-Based One-Time Password | An OTP that is valid for a certain period of time, typically 30 seconds. |
| HOTP | HMAC-Based One-Time Password | An OTP that is generated based on a counter and a shared secret key. |

Nuke Password

$ sudo apt install cryptsetup-nuke-password

2.04 After Installing

For Everyday Use, Basic Things to do After Installing Debian

1. Update and Upgrade

https://itsfoss.com/apt-get-upgrade-vs-dist-upgrade

$ sudo apt update -y && sudo apt upgrade -y
$ sudo apt dist-upgrade

Note:

apt upgrade only upgrades existing packages. It doesn’t install new packages or remove existing packages, doesn’t upgrade kernel version.

dist-upgrade can remove dependency packages or install new ones (if required), can also upgrade kernel version, doesn’t upgrade the distribution version.

*sudo apt full-upgrade

2. Adding User to Sudo
How to securely configure sudo for everyday use on your personal Linux machine
  1. Open a Terminal Window:
    • Press Ctrl + Alt + T or search for "Terminal" in your application menu.
  2. Switch to the Root User:
    • If you have access to the root account, switch to root by running:
    • $ su -
    • Enter the root password when prompted.
  3. Run visudo:
    • As the root user, execute:
    • # visudo
    • This command opens the sudoers file in your default text editor and ensures that any syntax errors won't be saved, preventing potential misconfigurations.
  4. Add Your User to the Sudoers File:
    • Locate the line that includes root ALL=(ALL:ALL) ALL.
    • Below that line, add the following line, replacing your_username with your actual username:
    • your_username ALL=(ALL:ALL) ALL
    • Save the file and exit the editor:
      • For nano, use Ctrl + O to save and press Enter, press Ctrl + X to exit.

Test Sudo Access

  1. Open a New Terminal Window or Log Out and Log Back In:
    • This ensures that the changes take effect.
  2. Test Sudo Access:
    • Run a command with sudo to verify:
    • $ sudo ls
    • Enter your password when prompted.
    • If the command executes successfully, sudo is configured correctly for your user.

Optional: Configure Sudo Timeout

  1. Open the Sudoers Configuration for Timeout:
    • Create or edit a specific sudoers configuration file for the timeout setting:
    • $ sudo nano /etc/sudoers.d/timeout
  2. Set the Timeout Value:
    • Add or modify the following line to set the timeout (e.g., 3 minutes):
    • Defaults timestamp_timeout=3
    • Save the file and exit nano.

Additional Tips

  • Use Sudo Only When Necessary:
    • Only use sudo for commands that require elevated privileges to minimize the risk of accidental system changes.
  • Keep Your System Updated Regularly:
    • Run updates frequently to ensure you have the latest security patches and software versions.
  • Secure Your Password:
    • Use a strong and unique password for your user account to enhance security.
*Logoff to take effect.
*Worthless if full disk encryption with strong password is not implemented.
*To avoid having your password stored in the bash history or typed directly into the command line:
$ read -s -p "Enter your sudo password: " password; echo "$password" | sudo -S su -c "/etc/init.d/iptables -L -vn"; unset password

3. Firewall
Install and enable Uncomplicated Firewall - UFW (CLI)
$ sudo apt install ufw
$ sudo ufw enable
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
$ sudo ufw status verbose
4. Fast Grub Time

Edit Grub timeout

$ sudo nano /etc/default/grub
GRUB_TIMEOUT=0
$ sudo update-grub
5. Swappiness

https://unix.stackexchange.com/questions/265713/how-to-configure-swappiness-in-linux-memory-management

Verify

$ sudo cat /proc/sys/vm/swappiness

Edit and add vm.swappiness=10

$ sudo nano /etc/sysctl.conf
vm.swappiness=10

or simply

$ sudo bash -c "echo 'vm.swappiness = 10' >> /etc/sysctl.conf"

To take effect:

$ sudo sysctl -p
$ sudo sysctl vm.swappiness=10

Verify

$ sudo cat /proc/sys/vm/swappiness
6. Installing Java

• Java Runtime Environment (JRE)

• OpenJDK - Java Development Kit (JDK)

$ java --version
$ apt-cache search openjdk | grep openjdk
$ apt search openjdk
$ sudo apt install default-jre
7. Installing Micro$oft Fonts
$ sudo apt install -y ttf-mscorefonts-installer

*Do not install TLP (Optimize Linux Laptop Battery Life, Link), avoid problems.


2.05 Low Level Linux
• Kernel Linux
https://kernel.org
• Linux Training
https://training.linuxfoundation.org
A Beginner's Guide to Linux Kernel Development (LFD103)
https://training.linuxfoundation.org/training/a-beginners-guide-to-linux-kernel-development-lfd103
• Linux From Scratch (LFS)
https://linuxfromscratch.org
• Reproducible Builds
https://reproducible-builds.org
• Unix & Linux Stack Exchange
https://unix.stackexchange.com
• Linux Journal
https://www.linuxjournal.com
• Linux Performance
https://www.brendangregg.com/linuxperf.html
• Linux Assembly Language Programming
https://asmtutor.com
• Linux System Programming
https://www.cs.fsu.edu/~baker/opsys/

2.06 Ventoy

Ventoy

Ventoy - A New Bootable USB Solution - Downloads

Ventoy - Source Code - Releases

Start to use Ventoy - Install Ventoy To USB Drive

About Secure Boot in UEFI mode

Ventoy Persistence Plugin

(*recommended only for rescue disk purposes)


2.07 Clonezilla

Clonezilla

Clonezilla - The Free and Open Source Software for Disk Imaging and Cloning.

How to Use Clonezilla Software

Changing disk name

Command
$ cnvt-ocs-dev -d /home/partimag 'image' 'sda3' 'sda2'

3. SECURE BOOT

👷🛠️UNDER CONSTRUCTION🚧🏗

3.01 Introduction

"Most modern systems will ship with SB enabled - they will not run any unsigned code by default, but it is possible to change the firmware configuration to either disable SB or to enroll extra signing keys. The whole point of Secure Boot is to prevent malware from gaining control of the computer. Therefore, when booting with Secure Boot active, Fedora 18 and later, Ubuntu 16.04 and later, and probably other distributions restrict actions that some Linux users take for granted. For instance, Linux kernel modules must be signed, which complicates use of third-party kernel drivers, such as Nvidia's and AMD/ATI's proprietary video drivers. More recent kernels may, if Secure Boot is active, also check that they were launched from a boot loader that honors Secure Boot, and shut down if this was not the case."

"To launch a locally-compiled kernel, you must sign it with a MOK and register that MOK with the system. (In both cases, you can register a hash rather than sign the binary; but this approach results in an ever-growing database in NVRAM, which is undesirable.) The extent of such restrictions is entirely up to those who develop and sign the boot loader launched by Shim and the kernel launched by that boot loader, though. Some distributions ship kernels that are relatively unencumbered by added security restrictions."

"As a practical matter, if you want to use Shim, you have two choices: You can run a distribution that provides its own signed version of Shim, such as Fedora 18 or later or Ubuntu 12.10 or later; or you can run a signed version from such a distribution or from another source, add your own MOK, and sign whatever binaries you like. This first option is quite straightforward if you happen to want to use a distribution that ships with Shim, and it requires little extra elaboration. If you want to build and run your own kernel (e.g. for development or debugging), then you will obviously end up making binaries that are not signed with the Debian key. If you wish to use those binaries, you will need to either sign them yourself and enroll the key used with MOK or disable SB."

! CAUTION:
! • Use an administrator password in the BIOS and do not use the same for disk encryption.
! • Building and signing kernel modules is independent of building and signing your own kernel.
! • In Debian, if you do not install the DKMS package, you will have more work to create the X.509
! keys or OpenSSL keys, import the keys with sbsigntool or mokutil, sign the kernel or the kernel
! module file with sbsigntool or sign-file, respectively.
! • Debian comes with signed kernels to work with your GRUB so it will most likely not be 
! necessary to sign the kernel that includes Debian, however any foreign kernel or compiled from
! its source www.kernel.org must be signed or will not be able to load.
! • Ubuntu uses DKMS with signed key by default, Ubuntu creates and imports mok key during system
! installation.
! • In Fedora, if you use DKMS with Secure Boot enabled, you have to import the DKMS sign key
! with mokutil --import /var/lib/dkms/mok.pub and reboot to enroll the key. In Fedora the mok.pub
! and mok.key keys are created and module is signed by DKMS, but only if openssl package
! is installed.
! • UEFI specifications use the terms key and public key (.der) to mean the public part of the
! key pair, or the X.509 certificate. However, in OpenSSL, the term key is the private key (.priv) 
! that's used for signing. Thus, all Secure Boot keys must be X.509 keys and not OpenSSL keys.
! • The instructions provided assume that you're signing a module for the currently running 
! kernel. If you're signing a module for a different kernel, you must provide the path to the
! sign-file utility within the correct kernel version source. Otherwise, the signature type
! for the module for that kernel might not align correctly with the expected signature type.
! • Only a single custom certificate can be added to the kernel because the compressed size 
! of the kernel's boot image can not increase. Do not add multiple certificates to the kernel
! boot image.
- WARNING:
- https://makedebianfunagainandlearnhowtodoothercoolstufftoo.computer/doku.php?id=start:issecurebootworking
- https://discourse.ubuntu.com/t/dkms-package-support-extra-drivers-does-not-work-in-ubuntu-22-10-install-media/31655
- BUGS:
- • Debian Bug report logs - #1037146 Key was rejected by service
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037146
- • Debian Bug report logs - #1012741 Key was rejected by service
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012741
- • Debian Bug report logs - #1012816 Key was rejected by service 
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012816;msg=22
- • Debian Bug report logs - #989463 please align shim-signed dkms behaviour with Ubuntu
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989463
- • Debian Bug report logs - #939392 please provide kmodsign like Ubuntu does
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939392
- • Debian Bug report logs - #928300 shim-signed: secure boot via removable media path unavailable
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928300

3.02 Secure Boot References

3.03 YouTube References

3.04 Sign GRUB

https://wiki.archlinux.org/title/Kernel_parameters

Debian comes with signed kernels to work with your GRUB so it will most likely not be necessary to sign the kernel that includes Debian, however any foreign kernel or compiled from its source www.kernel.org must be signed or will not be able to load.


3.05 Sign Debian Kernel

Debian comes with signed kernels to work with your GRUB so it will most likely not be necessary to sign the kernel that includes Debian, however any foreign kernel or compiled from its source www.kernel.org must be signed or will not be able to load.

Only a single custom certificate can be added to the kernel because the compressed size of the kernel's boot image can not increase. Do not add multiple certificates to the kernel boot image.

1. First steps

All the items below have to do with SecureBoot mode.

$ sudo mokutil --sb-state
SecureBoot enabled

If controlling the Secure Boot state through the EFI setup program is difficult, you can optionally use the mokutil utility to disable Secure Boot at the level of the Shim so that, although UEFI Secure Boot is enabled, no further validation takes place after the Shim is loaded.

What keys are on my system?

$ sudo mokutil --list-enrolled
or
$ sudo mokutil --list-enrolled | grep Subject:

Also the command modinfo prints the signature if available, for example:

$ sudo modinfo /lib/modules/6.1.0-11-amd64/kernel/mm/zsmalloc.ko 

2. Place for the auto-generated MOK

MOK - Machine Owner Key

Introduction

The use of mokutil that's most relevant to this page is to import a MOK. In this context, importing refers to storing a MOK in the computer's NVRAM, along with a flag to tell Shim and MokUtil that the MOK is there and ready to be enlisted when you next reboot the computer. Keys can be added and removed in the MOK list by the user, entirely separate from the distro CA key.

Unlike Debian, Ubuntu has chosen to place their auto-generated MOK at "/var/lib/shim-signed/mok/", which some software, such as Oracle's virtualbox package, expects to be present. Note that using this same location may result in future conflicts.

Warning: The MOK.key file is extremely sensitive! An attacker who gains access to it could generate binaries that your computer would accept as authorized. You should change permissions to prevent unauthorized access, and ideally store it on an encrypted external storage medium and unplug it when you're not signing binaries.

If you see the key there (consisting of the files MOK.der, MOK.pem and MOK.priv) then you can use these, rather than creating your own.


First make sure the key doesn't exist yet:

$ ls /var/lib/shim-signed/mok/

Create a folder for the MOK key:

$ sudo mkdir -p /var/lib/shim-signed/mok/

You can choose another place like "/etc/mok_key/" since there is no standard location at the moment.

$ sudo mkdir -p /etc/mok_key/

3. Generating a new key

Before you create the public and private key for signing the kernel, change into the folder you created as the destination for the keys. Then create the public key (mokcertificate.der, named MOK.der in the commands below) and the private key (moksigningkey.priv, named MOK.priv below) with one-time password for signing the kernel.

$ cd /var/lib/shim-signed/mok/
$ sudo openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=ShimSigned/"
$ sudo openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
$ ls -l
total 12
-rw-r--r-- 1 root root  787 MOK.der
-rw-r--r-- 1 root root 1123 MOK.pem
-rw------- 1 root root 1854 MOK.priv
$ sudo chmod 600 /var/lib/shim-signed/mok/*

These commands will create both the private and public part of the certificate to sign things. You need both files to sign; and just the public part (MOK.der) to enroll the key in Shim.

To read the certificate file in a human readable format, use

$ sudo openssl x509 -in /var/lib/shim-signed/mok/MOK.pem -noout -text 

Another example of key generation:

$ sudo openssl req -x509 -new -nodes -utf8 -sha512 -days 3650 -batch -config /etc/ssl/x509.conf -outform DER -out /etc/ssl/certs/pubkey.der -keyout /etc/ssl/certs/priv.key
$ sudo openssl x509 -inform DER -in /etc/ssl/certs/pubkey.der -out /etc/ssl/certs/pubkey.pem

4. Enrolling your key in Shim

Enroll the key to your installation:

$ cd /var/lib/shim-signed/mok/
$ sudo mokutil --import MOK.der

You will be asked for a one-time password (remember it and type it correctly), you will just use it to confirm your key selection in the next step (you won't need this password beyond this point, though), so choose any.

Check that your key will be prompted for on the next boot:

$ sudo mokutil --list-new

5. Restart and finish the process

Restart your system. Changes to the MOK keys may only be confirmed directly at boot time. You will encounter a blue screen of a tool called MOKManager. Select "Enroll MOK" and then "View key". Make sure it is the key you created in step 3. Afterwards continue the process and enter the password which you provided in step 4. Continue with booting your system.

Verify that the MOK was loaded correctly and your key is enrolled with:

$ sudo mokutil --test-key /var/lib/shim-signed/mok/MOK.der

6. Sign your installed kernel or modules

6.1 Modern Method: Signing the Debian kernel and modules with DKMS

Building Debian kernel modules with DKMS. The dkms framework allows building kernel modules "on the fly" on the local system instead of building them centrally on the Debian infrastructure, and DKMS can automatically sign updated kernel modules. If you install the kernel modules through the apt repository, chances are that the modules have already been signed by the DKMS signing key. In that case, the traditional method won't work, and the only thing you need to do is to enroll the DKMS signing key into your machine. On systems that use SecureBoot, you will need a Machine Owner Key (MOK) to load DKMS modules. Generate it, enroll it, sign modules with it and then you will be able to load the signed modules.

In Debian, it depends on the dkms package:

$ sudo apt install dkms

In order for dkms to automatically sign kernel modules, it must be told which key to sign the module with. This is done by adding two configuration values to "/etc/dkms/framework.conf", adjusting paths as required:

mok_signing_key="/var/lib/shim-signed/mok/MOK.priv"

mok_certificate="/var/lib/shim-signed/mok/MOK.der"
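
A check for the two settings above, as an added example (not DKMS's or this guide's own code): it reads a framework.conf-style file, confirms both files exist, that the private key is not accessible to group or others, and that the certificate is in the DER form mokutil needs. The function names are hypothetical and shell variables inside the configured values are not expanded.

```bash
#!/bin/sh
# Added example (not DKMS's own code): sanity-check the two signing settings
# in a framework.conf-style file before relying on automatic module signing.

# conf_value FILE KEY -> value of the last uncommented KEY=... line, unquoted.
# Shell variables inside the value are not expanded.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# cert_format FILE -> PEM, DER or unknown, judged from the first bytes.
# A DER certificate is an ASN.1 SEQUENCE and therefore starts with byte 0x30.
cert_format() {
    if head -c 10 "$1" | grep -q -e '-----BEGIN'; then
        echo PEM
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        echo DER
    else
        echo unknown
    fi
}

# key_is_private FILE -> true when group and others have no permission bits.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# audit_dkms_signing CONF
# Prints one line per finding, or "OK". Returns 0 only when nothing was found.
audit_dkms_signing() {
    local conf key cert fmt problems
    conf=$1
    problems=0
    key=$(conf_value "$conf" mok_signing_key)
    cert=$(conf_value "$conf" mok_certificate)

    if [ -z "$key" ] || [ -z "$cert" ]; then
        echo "mok_signing_key and mok_certificate are not both set in $conf"
        return 1
    fi
    if [ ! -f "$key" ]; then
        echo "missing private key: $key"
        problems=$((problems + 1))
    elif ! key_is_private "$key"; then
        echo "private key is accessible to group/others (use chmod 600): $key"
        problems=$((problems + 1))
    fi
    if [ ! -f "$cert" ]; then
        echo "missing certificate: $cert"
        problems=$((problems + 1))
    else
        fmt=$(cert_format "$cert")
        if [ "$fmt" != DER ]; then
            echo "certificate is $fmt, mokutil --import needs DER: $cert"
            problems=$((problems + 1))
        fi
    fi
    if [ "$problems" -eq 0 ]; then
        echo "OK"
        return 0
    fi
    return 1
}
```

Run it as root with `audit_dkms_signing /etc/dkms/framework.conf`, since the private key should not be readable by anyone else.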


DKMS Sign Helper Script

If these values are provided and dkms is able to build modules but does not attempt to sign them, then it is likely that sign_tool is missing. This is more common in older and/or custom kernels. In "/etc/dkms/framework.conf", add:

sign_tool="/etc/dkms/sign_helper.sh"

Create "/etc/dkms/sign_helper.sh" with:

/lib/modules/"$1"/build/scripts/sign-file sha512 /root/.mok/client.priv /root/.mok/client.der "$2"

Set Linux kernel info variables

$ VERSION="$(uname -r)"
$ SHORT_VERSION="$(uname -r | cut -d . -f 1-2)"
$ MODULES_DIR=/lib/modules/$VERSION
$ KBUILD_DIR=/usr/lib/linux-kbuild-$SHORT_VERSION

Making modules signed with the DKMS signing key usable with Secure Boot

If you install the kernel modules through the apt repository, chances are that the modules have already been signed by the DKMS signing key. In that case the traditional method won't work, and the only thing you need to do is enroll the DKMS signing key on your machine. Here is how to do that:

First, use the method mentioned in Verifying if a module is signed to check if the modules are signed by DKMS signing key.

Next, find the location of the mok signing key and mok certificate. You can view the location in /etc/dkms/framework.conf, and the default location is /var/lib/dkms.

Then, run the following command to enroll the key into the machine:

$ sudo mokutil --import /var/lib/dkms/mok.pub # prompts for a one-time password; change /var/lib/dkms/mok.pub if the MOK certificate isn't located there.
$ sudo mokutil --list-new # recheck your key will be prompted on next boot

!rebooting machine then enters MOK manager EFI utility: enroll MOK, continue, confirm, enter password, reboot!

$ sudo dmesg | grep cert # verify your key is loaded

6.2 Traditional Method: signing the Debian kernel with sbsigntool

Building and signing modules is independent of building and signing your own kernel (vmlinuz). To sign a custom kernel or any other EFI binary you want to have loaded by Shim, you’ll need to use a different command: sbsign. In this case we’ll need the certificate in a different format: mokutil needs DER, sbsign needs PEM. Convert the certificate into PEM (.der to .pem), for example:

$ sudo openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem

For example, use it to sign our Kernel:

$ sudo sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-$VERSION" --output "/boot/vmlinuz-$VERSION.tmp"
$ sudo mv "/boot/vmlinuz-$VERSION.tmp" "/boot/vmlinuz-$VERSION"

For example, use it to sign our EFI binary:

$ sudo sbsign --key MOK.priv --cert MOK.pem grubx64.efi --output grubx64.efi.signed
$ sudo mv "grubx64.efi.signed" "grubx64.efi"

Sign the installed kernel with the key you created, using the location where you stored it; this creates a new signed vmlinuz. Sign vmlinuz using sbsign and the .pem certificate. The kernel should be at /boot/vmlinuz-[KERNEL-VERSION].

To check your Kernel version, you can also use the command:

$ uname -r
6.1.0-12-amd64

Signing vmlinuz (kernel) using sbsign:

$ sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-[KERNEL-VERSION] --output /boot/vmlinuz-[KERNEL-VERSION].signed

For example

$ sudo sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem "/boot/vmlinuz-6.1.0-12-amd64" --output "/boot/vmlinuz-6.1.0-12-amd64.signed"

alternatively:

$ cd /var/lib/shim-signed/mok/
$ sudo sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-[KERNEL-VERSION]" --output "/boot/vmlinuz-[KERNEL-VERSION].signed"

Remove the unsigned one and restore the original name of the signed one, this will create a new signed vmlinuz:

$ sudo mv "/boot/vmlinuz-6.1.0-12-amd64.signed" "/boot/vmlinuz-6.1.0-12-amd64"

Update your grub-config

$ sudo update-grub

Reboot your system and select the signed kernel. Now your system should run under a signed kernel and upgrading GRUB2 works again. If you want to upgrade the custom kernel, you can sign the new version easily by following the above steps again from step seven on. Therefore, BACKUP the MOK keys (MOK.der, MOK.pem, MOK.priv) on an encrypted device.

Verifying if a module is signed. The command modinfo prints the signature of a kernel module if available (it works on modules, not on the vmlinuz image), for example:

$ sudo modinfo [MODULE-NAME]

Other commands

$ sudo dmesg | grep cert
$ sudo sbverify --list /boot/vmlinuz-6.1.0-12-amd64
$ sudo sbverify --cert /etc/mok_key/mok.crt /boot/vmlinuz-6.1.0-12-amd64

3.06 Reset Secure Boot Keys

Reset Secure Boot keys for Kernel or Modules

Reset Key for Kernel 👷🛠️UNDER CONSTRUCTION🚧🏗

https://rodsbooks.com/efi-bootloaders/controlling-sb.html#setuputil

"The ASUS permits to you restore the default keys, so this isn't really vital if you're starting from the factory defaults with this model; but if yours doesn't offer such a reset-to-defaults option or if you've modified the keys, saving them may be prudent. As the name implies, this option also erases all your Secure Boot keys. (It does not erase your MOKs, though.)"

Reset MOK Keys for Modules 👷🛠️UNDER CONSTRUCTION🚧🏗

https://rodsbooks.com/efi-bootloaders/controlling-sb.html#key-revocation

$ sudo mokutil --sb-state
SecureBoot disabled
$ sudo mokutil --disable-validation

Backup. Exports to list (ideally store it on an encrypted external storage medium).

$ sudo mokutil --export

To remove all (MOKs being a list and not just a single MOK, you can make the shim trust keys from several different vendors, allowing dual and multi-boot)

$ sudo mokutil --reset --mok
$ sudo mokutil --reset

To remove one key, first show all keys.

$ sudo ls -1 MOK*

Shows you keys enrolled.

$ sudo mokutil --list-enrolled | grep Subject:

Delete those not enrolled to maintain secure boot.

$ sudo mokutil --delete MOK-0001.der

Uninstall the modules, if it was made with script "make".

$ cd ~/realtekwifi
$ sudo make uninstall

or

sudo rmmod 8192eu
sudo rmmod rtl8xxxu
sudo dkms remove -m rtl8192eu -v 1.0

or

sudo lshw -C network

Reset the modules and unload them from the kernel

$ sudo depmod -a -v
$ sudo update-initramfs -k all -u -v

3.07 OpenSSL Errors

Error 1 - No such file

At main.c:298:
- SSL error:FFFFFFFF80000002:system library::No such file or directory: ../crypto/bio/bss_file.c:67
- SSL error:10000080:BIO routines::no such file: ../crypto/bio/bss_file.c:75

Error 2 - Unable to get passphrase

At main.c:170:
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../crypto/passphrase.c:184
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../crypto/passphrase.c:184
- SSL error:1C80009F:Provider routines::unable to get passphrase: ../providers/implementations/encode_decode/decode_epki2pki.c:96
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../crypto/passphrase.c:184
- SSL error:04800068:PEM routines::bad password read: ../crypto/pem/pem_pkey.c:155
sign-file: /var/lib/shim-signed/mok/MOK.priv: Success

Possible Causes: the certificate or key is missing. The error is telling us that one of the two files that DKMS or the OpenSSL configuration points to is not where it is being looked for. Another possibility is that to sign a custom kernel or any other EFI binary you want to have loaded by shim, you’ll need to use a different command: sbsign or mokutil. Unfortunately, we’ll need the certificate in a different format in this case: mokutil needs DER, sbsign needs PEM. Convert the certificate into PEM (.der to .pem).

Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its default, the kernel build will automatically generate a new keypair using openssl if one does not exist in the file certs/signing_key.pem during the building of vmlinux (the public part of the key needs to be built into vmlinux), using parameters in the certs/x509.genkey file (which is also generated if it does not already exist).

It is strongly recommended that you provide your own x509.genkey file.

As long as the signing key is enrolled in shim and does not contain the Object Identifier (OID) from earlier (since that limits the use of the key to kernel module signing), the binary should be loaded just fine by shim.

Cause 1

Wrong syntax of sign-file

$ sudo scripts/sign-file sha512 kernel-signkey.priv kernel-signkey.x509 module.ko

https://kernel.org/doc/html/v4.15/admin-guide/module-signing.html

Cause 2

This is where Debian places openssl.cnf for the OpenSSL they provide:

$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
$ ls -l /usr/lib/ssl
lrwxrwxrwx 1 root root mmm 30 mm:mm openssl.cnf -> /etc/ssl/openssl.cnf
$ ls -l /etc/ssl/
-rw-r--r-- 1 root root mmm 30 mm:mm openssl.cnf

It is kind of buried in OpenSSL source code for apps.c, load_config and what happens when openssl.cnf is NULL (i.e., no -config option or OPENSSL_CONF envar). When openssl.cnf is NULL and no overrides, then OPENSSLDIR is used.

Cause 3

Wrong syntax of OpenSSL

*Man Page OpenSSL: Man OpenSSL

$ sudo openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config openssl.cnf -outform DER -out MOK.der -keyout MOK.priv
$ sudo openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -outform DER -out MOK.der -keyout MOK.priv

*Ubuntu: https://ubuntu.com/blog/how-to-sign-things-for-secure-boot

$ sudo openssl req -config ./openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER -keyout "MOK.priv" -out "MOK.der"

*Debian: https://wiki.debian.org/SecureBoot

$ sudo openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/"
$ sudo openssl x509 -inform der -in MOK.der -out MOK.pem

*Fedora: https://docs.fedoraproject.org/en-US/quick-docs/kernel-build-custom/

$ sudo openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" -outform DER -out "cert.der" -nodes -days 36500 -subj "/CN= yourname/"

Solutions

Solution 1:

$ sudo dpkg -S sign-file

Solution 2:

Location

$ openssl version -d

You can use strace (man strace) to check the configuration file being used while generating the self-signed certificate.

$ strace -e trace=open,openat -o /tmp/strace.log.0 openssl req \
-newkey rsa:2048 -x509 -nodes -keyout localhost.key \
-new -out localhost.crt
$ grep "openssl.cnf" /tmp/strace.log.0
openat(AT_FDCWD, "/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
sudo cat /etc/ssl/openssl.cnf
openssl_conf = openssl_init from /etc/ssl/openssl.cnf

To override system default with user level environment. An empty file will do:

touch ~/.openssl.cnf

BASH define & export:

export OPENSSL_CONF=~/.openssl.cnf

Wrap application within a script:

export OPENSSL_CONF=/dev/null

Solution 3:

Rescue if install/build fails in previous step

$ sudo apt-get install -f
$ sudo dpkg-reconfigure broadcom-sta-dkms

3.08 Sign Wi-Fi

How to get Wi-Fi Module signed for Secure Boot

Mandatory packages: openssl, sign-file and mokutil.

If you are going to compile the module in the kernel, usually the maintainer will indicate the packages to be installed beforehand. For example, you will need to install "make", "gcc", "kernel headers", "kernel build essentials", and "git".

$ sudo apt install git make gcc build-essential linux-image-$(uname -r|sed 's,[^-]*-[^-]*-,,') linux-headers-$(uname -r|sed 's,[^-]*-[^-]*-,,')

Brief - Sign with Sign-file

1- Install a driver and test without Secure Boot
2- Enable Secure Boot
3- Generate a private and public key
4- Import
5- Reboot and Enroll
6- Sign the module with sign-file
  1. Check if secure boot is enabled. When Secure Boot is disabled, the shimx64.efi will just directly load the real grubx64.efi bypassing all the Secure Boot steps, including loading the MOK. With the MOK not loaded, the kernel will have no way to recognize the signature on your module as valid. And with Secure Boot disabled, a signed module with an invalid signature is rejected, while unsigned modules only get a warning and a taint mark on any future oops/panic messages.
$ sudo mokutil --sb-state
SecureBoot enabled

You can create a personal public/private RSA key pair to sign the kernel modules. You can choose to store the key pair, for example, in the /var/lib/shim-signed/mok/ directory. Then create a new pair of private key (MOK.priv) and public key (MOK.der).

$ sudo mkdir -p /var/lib/shim-signed/mok
$ sudo openssl req -config /usr/lib/ssl/openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER -keyout "/var/lib/shim-signed/mok/MOK.priv" -out "/var/lib/shim-signed/mok/MOK.der" -subj "/CN=MODULE/"
$ ls -l /var/lib/shim-signed/mok/
total 8
-rw-r--r-- 1 root root  779 MOK.der
-rw------- 1 root root 1704 MOK.priv
$ sudo chmod 600 /var/lib/shim-signed/mok/*
  1. Enroll the public key (MOK.der) to MOK (Machine Owner Key) by entering the command:
$ sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
input password:
input password again:

Recheck if your key will be prompted on next boot:

$ sudo mokutil --list-new
  1. Reboot and Enroll

The password in this step is a temporary password you'll only need to remember for a few minutes. Reboot the machine. When the bootloader starts, you should see a screen asking you to press a button to enter the MOK manager EFI utility. Note that external keyboards won't work in this step. Select Enroll MOK in the first menu, then Continue, then select Yes to enroll the keys, and re-enter the password established in the previous step. Then select OK to continue the system boot.

Steps: -> "Enroll MOK" -> "Continue". -> "Yes". -> Enter the password you set up just now. -> Select "OK" and the computer will reboot again.

There are several commands to verify that your key "MODULE" is loaded and enrolled:

$ sudo mokutil --test-key /var/lib/shim-signed/mok/MOK.der
$ sudo dmesg | grep cert
$ sudo cat /proc/keys | grep MODULE
$ openssl x509 -in /var/lib/shim-signed/mok/MOK.der -inform DER -text -noout
  1. Sign the module with sign-file

Use the same password you used before when setting up the MOK for the BIOS, to avoid confusion. Type the password carefully, with no errors, and don't be confused when the prompt just waits without echoing anything.

$ sudo su
~# read -s KBUILD_SIGN_PIN

Next, in the same root shell (a new "sudo su" would start a fresh shell without the variable), export it and sign all modules.

~# export KBUILD_SIGN_PIN

NOTE: KBUILD_SIGN_PIN allows a passphrase or PIN to be passed to the sign-file utility when signing kernel modules, if the private key requires such.

To sign the module, note that the exact location of sign-file might vary depending on your platform. In Debian 12 (Bookworm) it was in kernel generic /usr/src/linux-kbuild-$(uname -r | cut -d . -f 1-2)/scripts/sign-file .

And where was the module installed? In /lib/modules/$(uname -r)/kernel/drivers/*.ko

$ sudo modinfo -n rtw_8723d
/lib/modules/6.1.0-13-amd64/kernel/drivers/net/wireless/realtek/rtw88/rtw_8723d.ko

To sign modules (with your KBUILD_SIGN_PIN), go to the directory containing the modules, and run

$ sudo su
~# cd /lib/modules/6.1.0-13-amd64/kernel/drivers/net/wireless/realtek/rtw88/
~# /usr/src/linux-kbuild-6.1/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der rtw_8723d.ko

Another form, not tested:

sudo --preserve-env=KBUILD_SIGN_PIN /usr/src/linux-kbuild-$(uname -r | cut -d . -f 1-2)/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der "$(modinfo -n rtw_8723d)"

Assuming you typed the password correctly, you won't get any errors. You should now be able to see that a module is signed. You can pick any module in that directory, but as an example:

$ sudo modinfo rtw_8723d
(...)
signer: MODULE
sig_key:XX:XX:XX:XX:XX:XX:XX:XX...
sig_hashalgo: sha256
signature:XX:XX:XX:XX:XX:XX:XX:XX...
(...)

NOTE: Filename may be different just use tab completion to find appropriate file to check some other name.
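
To check a whole directory after signing (or after a kernel update), the following added example, which is not part of the original guide or of the kernel tools, reads the trailer that sign-file appends to a module and lists the files that lack it. The function names are hypothetical; it assumes uncompressed .ko files and only shows that a signature is present, not that the kernel trusts the signing key.

```bash
#!/bin/sh
# Added example (not part of the original guide): inspect the trailer that
# scripts/sign-file appends to a kernel module.
# End of a signed .ko:
#   [module data][PKCS#7 signature][12-byte struct module_signature][28-byte marker]

MODSIG_MARKER='~Module signature appended~'   # the file stores it with a final "\n"

# module_sig_info FILE
# Prints "signed id_type=N sig_len=N", "unsigned" or "malformed".
# Returns 0 only for a well-formed trailer. A trailer shows the module was
# signed by someone; whether that key is trusted is decided by the kernel
# against its keyrings (where an enrolled MOK ends up).
module_sig_info() {
    local f size marker id_type sig_len
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 2; }
    size=$(($(wc -c < "$f")))
    [ "$size" -ge 40 ] || { echo "unsigned"; return 1; }

    # Command substitution drops the trailing newline; tr drops NUL bytes that
    # an unsigned binary may have in its last 28 bytes.
    marker=$(tail -c 28 "$f" | tr -d '\000')
    [ "$marker" = "$MODSIG_MARKER" ] || { echo "unsigned"; return 1; }

    # The 12 bytes before the marker: algo, hash, id_type, signer_len,
    # key_id_len, 3 pad bytes, then sig_len as a big-endian 32-bit integer.
    set -- $(tail -c 40 "$f" | head -c 12 | od -An -tu1)
    [ "$#" -eq 12 ] || { echo "malformed"; return 3; }
    id_type=$3
    sig_len=$(( ($9 << 24) | (${10} << 16) | (${11} << 8) | ${12} ))

    # The signature plus trailer cannot be larger than the file itself.
    if [ "$sig_len" -eq 0 ] || [ $((sig_len + 40)) -gt "$size" ]; then
        echo "malformed"
        return 3
    fi
    echo "signed id_type=$id_type sig_len=$sig_len"   # id_type 2 = PKCS#7
}

# unsigned_modules DIR
# Lists every *.ko under DIR that has no well-formed signature trailer.
# Compressed modules (.ko.xz, .ko.zst) must be decompressed before checking.
unsigned_modules() {
    find "$1" -type f -name '*.ko' | sort | while IFS= read -r m; do
        module_sig_info "$m" >/dev/null || printf '%s\n' "$m"
    done
}
```

For the directory used above: `unsigned_modules /lib/modules/$(uname -r)/kernel/drivers/net/wireless/realtek/rtw88/`.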

You could try load the modules

$ sudo modprobe -v rtw_8723d

After any kernel module loading failure, you should check the dmesg output: it might include a more specific error message. In this case it is likely to indicate that a module signature failed a validity check.

$ sudo dmesg --since -1m

If the modules are needed to boot your machine, make sure to update the initramfs, e.g. using

$ sudo update-initramfs -k all -u


Building and signing modules is independent of building and signing your own kernel. To sign a custom kernel or any other EFI binary you want to have loaded by shim, you’ll need to use a different command: sbsign. In this case we’ll need the certificate in a different format: mokutil needs DER, sbsign needs PEM. Convert the certificate into PEM (.der to .pem), for example:

$ sudo openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem

For example, use it to sign our Kernel:

$ sudo sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-$VERSION" --output "/boot/vmlinuz-$VERSION.tmp"
$ sudo mv "/boot/vmlinuz-$VERSION.tmp" "/boot/vmlinuz-$VERSION"

For example, use it to sign our EFI binary:

$ sudo sbsign --key MOK.priv --cert MOK.pem my_binary.efi --output my_binary.efi.signed

As long as the signing key is enrolled in shim and does not contain the Object Identifier (OID) from earlier (since that limits the use of the key to kernel module signing), the binary should be loaded just fine by shim.

5. VirtualBox Sign Helper Script

Future kernel updates would require the updated kernels to be signed again, so it makes sense to put the signing commands in a script that can be run at a later date as necessary (DKMS package could do it automatically).

$ sudo touch /var/lib/shim-signed/modules/sign-modules
$ sudo nano /var/lib/shim-signed/modules/sign-modules

#!/bin/bash
# Sign every module that lives in the same directory as the given module.
MODULE="yourmodulehere"   # replace with your module name

for modfile in "$(dirname "$(modinfo -n "$MODULE")")"/*.ko; do
    echo "Signing $modfile"
    /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 \
        /var/lib/shim-signed/modules/module.priv \
        /var/lib/shim-signed/modules/module.der "$modfile"
done

Add execution permission, and run the script above as root from the /var/lib/shim-signed/modules/ directory.

$ sudo -i
~# cd /var/lib/shim-signed/modules
~# chmod 700 /var/lib/shim-signed/modules/sign-modules
~# ./sign-modules

Load vboxdrv module and launch VirtualBox.

$ sudo modprobe vboxdrv
or
$ /sbin/modprobe vboxdrv 

3.09 Sign NVIDIA

https://wiki.debian.org/DontBreakDebian#Don.27t_use_GPU_manufacturer_install_scripts
https://github.com/NVIDIA/open-gpu-kernel-modules
https://askubuntu.com/questions/1023036/how-to-install-nvidia-driver-with-secure-boot-enabled

Download the latest driver from the NVIDIA website: https://geforce.com/drivers.

Create a new pair of private key (Nvidia.key) and public key (Nvidia.der) by running the command:

openssl req -new -x509 -newkey rsa:2048 -keyout PATH_TO_PRIVATE_KEY -outform DER -out PATH_TO_PUBLIC_KEY -nodes -days 36500 -subj "/CN=Graphics Drivers"

Example:

openssl req -new -x509 -newkey rsa:2048 -keyout /home/$USER/Nvidia.key -outform DER -out /home/$USER/Nvidia.der -nodes -days 36500 -subj "/CN=Graphics Drivers"

Enroll the public key (nvidia.der) to MOK (Machine Owner Key) by entering the command:

sudo mokutil --import PATH_TO_PUBLIC_KEY

Example:

sudo mokutil --import /home/$USER/Nvidia.der

This command requires you to create a password for enrolling. Afterwards, reboot your computer. On the next boot, when the system asks you to enroll, enter the password you created in this step. Read more: https://sourceware.org/systemtap/wiki/SecureBoot

For installing the NVidia driver for the first time, you need to disable the Nouveau kernel driver by entering the command:

echo options nouveau modeset=0 | sudo tee -a /etc/modprobe.d/nouveau-kms.conf; sudo update-initramfs -u

Reboot.

Install the driver by entering the command:

sudo sh ./XXXXXX.run -s --module-signing-secret-key=PATH_TO_PRIVATE_KEY --module-signing-public-key=PATH_TO_PUBLIC_KEY

here:

XXXXXX: name of file installer (downloaded from NVIDIA).

PATH_TO_PRIVATE_KEY: full path to private key. If you place it in your home folder, use /home/USER_NAME/ instead of ~.

PATH_TO_PUBLIC_KEY: full path to public key. If you place it in your home folder, use /home/USER_NAME/ instead of ~.

Example:

sudo sh ./NVIDIA-Linux-x86_64-390.67.run -s --module-signing-secret-key=/home/$USER/Nvidia.key --module-signing-public-key=/home/$USER/Nvidia.der

Done.


3.10 Sign VirtualBox

How to get VirtualBox signed for Secure Boot

https://wiki.debian.org/SecureBoot#MOK_-_Machine_Owner_Key


3.11 Sign Ventoy

About Secure Boot in UEFI mode

https://ventoy.net/en/doc_secure.html


3.12 rEFInd Bootloader
https://rodsbooks.com/refind/getting.html
https://wiki.ubuntu.com/EFIBootLoaders

3.13 Sign Custom Secure Keys
https://github.com/nsacyber/Hardware-and-Firmware-Security-Guidance/blob/master/secureboot/Linux.md

3.14 Encrypted boot

Encrypted boot partition manager with UEFI Secure Boot support

https://github.com/xmikos/cryptboot
https://github.com/kmille/cryptboot


3.15 Sign with TPM 2.0
https://github.com/squarooticus/efi-measured-boot
https://github.com/osresearch/safeboot

3.16 Secure Boot with Yubikey
https://github.com/DimanNe/secure-boot
https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi


4. SYSTEM SECURITY

👷🛠️UNDER CONSTRUCTION🚧🏗

4.01 Introduction

General guidelines for protecting yourself

  1. Stay Silent: Avoid discussing sensitive information, especially online or in public.
  2. Keep Personal and Professional Separate: Don't mix your personal life with any potentially sensitive or illegal activities.
  3. Avoid Bragging: Don’t boast about your activities, connections, or capabilities, as this can draw unwanted attention.
  4. Avoid contaminating ("watering hole"): Refrain from contamination of systems, maintain strict compartmentalization.
  5. Keep Operational Details Confidential: Never disclose specific details about your operations or plans to anyone.
  6. Maintain OpSec: Operational Security (OpSec) is crucial; don't reveal your plans, strategies, or tactics.
  7. Be Mindful of Metadata: Understand that even seemingly harmless metadata (e.g., location data, timestamps) can be used to track your activities, so be cautious about what information you share and how it can be interpreted.
  8. Exercise Caution with Trust: Be wary of trusting anyone, and never allow yourself to be blackmailed.
  9. Operate Discreetly: Avoid conducting any sensitive activities from your home or easily traceable locations.
  10. Cultivate Safe Habits: Practice cautious behaviors online and offline to minimize risks.
  11. Understand Human Vulnerabilities: Remember that humans can be the weakest link in security, so be mindful of social engineering tactics.
  12. Know Your Rights: Familiarize yourself with your legal rights and protections regarding surveillance and privacy (search warrant rules), so you can assert them if necessary.
  13. Stay Informed about Surveillance Practices: Educate yourself about common surveillance techniques used by law enforcement and intelligence agencies, so you can take appropriate precautions to protect your privacy.
  14. Seek Specialized Advice if Needed: If you believe you are being unfairly targeted or monitored, seek legal advice from a qualified attorney who specializes in privacy and surveillance issues. Report suspicious behavior or incidents to journalists or tech NGOs.
   <h5>*Social engineering tactics and contaminated systems (watering hole): It seems that the worst problem is collateral intrusion, the involvement of seemingly trustworthy uninvolved close third parties. The end of trust.</h5>

General guidelines for protecting systems

<h4>Install and Update Security Software</h4>

<ul>
    <li>Use reputable antivirus software compatible with Linux, such as ClamAV.</li>
    <li>Update your antivirus definitions regularly to detect new threats.</li>
</ul>

<h4>Secure System Updates</h4>

<ul>
    <li>Set up automatic updates for your Linux distribution to ensure you receive security patches promptly.</li>
    <li>Regularly update installed software and libraries to the latest versions.</li>
</ul>

<h4>Enable Firewall</h4>

<ul>
    <li>Configure a firewall, such as UFW (Uncomplicated Firewall) or iptables, to control incoming and outgoing network traffic.</li>
    <li>Define strict rules to block unauthorized access and suspicious connections.</li>
</ul>

<h4>Secure Network Connections</h4>

<ul>
    <li>Use encrypted connections (HTTPS, SSH, VPN) for sensitive activities and avoid public or unsecured networks.</li>
    <li>Disable unnecessary network services and ports to reduce the attack surface.</li>
</ul>

<h4>Implement User Permissions</h4>

<ul>
    <li>Use non-administrator (regular) user accounts for daily tasks to limit the impact of malware if a compromise occurs.</li>
    <li>Avoid running applications with root privileges unless absolutely necessary.</li>
</ul>

<h4>Secure File Systems</h4>

<ul>
    <li>Enable filesystem encryption (e.g., using LUKS for disk encryption) to protect sensitive data.</li>
    <li>Set appropriate file permissions to restrict access to critical system files and directories.</li>
</ul>

<h4>Monitor System Logs</h4>

<ul>
    <li>Regularly review system logs (e.g., /var/log/syslog, /var/log/auth.log) for unusual activities or potential security incidents.</li>
    <li>Install and configure intrusion detection systems (IDS) or security monitoring tools.</li>
</ul>

<h4>Backup and Recovery</h4>

<ul>
    <li>Implement regular backups of important data to an external device or secure cloud storage.</li>
    <li>Test your backup and recovery procedures periodically to ensure they work effectively.</li>
</ul>

<h4>Hardening Services</h4>

<ul>
    <li>Disable or remove unnecessary services and daemons to reduce the attack surface.</li>
    <li>Configure services securely, following best practices and guidelines for each service.</li>
</ul>

<h4>Stay Informed and Educated</h4>

<ul>
    <li>Stay updated with cybersecurity news, vulnerabilities, and threat intelligence related to Linux systems.</li>
    <li>Educate yourself on Linux security best practices and techniques for detecting and mitigating malware.</li>
</ul>

<h4>Utilize Security Tools</h4>

<ul>
    <li>Use tools like Lynis, OpenVAS, or Nessus for vulnerability scanning and system hardening.</li>
    <li>Consider employing intrusion prevention systems (IPS) or endpoint security solutions for additional protection.</li>
</ul>

<h4>Secure Boot and BIOS/UEFI</h4>

<ul>
    <li>Enable Secure Boot in your system's BIOS/UEFI settings to ensure that only trusted software can boot.</li>
    <li>Regularly update your BIOS/UEFI firmware to patch known vulnerabilities.</li>
</ul>

4.02 AppArmor

https://github.com/Kicksecure/security-misc
https://apparmor.net
https://wiki.debian.org/AppArmor
https://wiki.debian.org/AppArmor/HowToUse
https://github.com/Kicksecure/apparmor-profile-torbrowser
https://wiki.ubuntu.com/DebuggingApparmor

$ sudo apt install -y apparmor
$ sudo apt install -y apparmor-profiles
$ sudo apt install -y apparmor-utils
$ sudo apt install -y apparmor-profiles-extra

*Note: an AppArmor rule could prevent port use by an individual program.


4.03 Privileges
How to securely configure sudo for everyday use on your personal Linux machine
  1. Open a Terminal Window:
    • Press Ctrl + Alt + T or search for "Terminal" in your application menu.
  2. Switch to the Root User:
    • If you have access to the root account, switch to root by running:
    • $ su -
    • Enter the root password when prompted.
  3. Run visudo:
    • As the root user, execute:
    • # visudo
    • This command opens the sudoers file in your default text editor and ensures that any syntax errors won't be saved, preventing potential misconfigurations.
  4. Add Your User to the Sudoers File:
    • Locate the line that includes root ALL=(ALL:ALL) ALL.
    • Below that line, add the following line, replacing your_username with your actual username:
    • your_username ALL=(ALL:ALL) ALL
    • Save the file and exit the editor:
      • For nano, use Ctrl + O to save and press Enter, press Ctrl + X to exit.

Test Sudo Access

  1. Open a New Terminal Window or Log Out and Log Back In:
    • This ensures that the changes take effect.
  2. Test Sudo Access:
    • Run a command with sudo to verify:
    • $ sudo ls
    • Enter your password when prompted.
    • If the command executes successfully, sudo is configured correctly for your user.

Optional: Configure Sudo Timeout

  1. Open the Sudoers Configuration for Timeout:
    • Create or edit a specific sudoers configuration file for the timeout setting:
    • $ sudo nano /etc/sudoers.d/timeout
  2. Set the Timeout Value:
    • Add or modify the following line to set the timeout (e.g., 3 minutes):
    • Defaults timestamp_timeout=3
    • Save the file and exit nano.

Additional Tips

  • Use Sudo Only When Necessary:
    • Only use sudo for commands that require elevated privileges to minimize the risk of accidental system changes.
  • Keep Your System Updated Regularly:
    • Run updates frequently to ensure you have the latest security patches and software versions.
  • Secure Your Password:
    • Use a strong and unique password for your user account to enhance security.
*Log off for the changes to take effect.
*It's worthless if full disk encryption with strong password is not implemented.
*To avoid having your password stored in the bash history or typed directly into the command line:
$ read -s -p "Enter your sudo password: " password; echo "$password" | sudo -S su -c "/etc/init.d/iptables -L -vn"; unset password

Table
Examples
CHOWN
$ sudo chown user:user -R /home
$ sudo chown user:user -R /media
CHMOD (766 = owner rwx; group and others read and write, applied to everything under the path)
$ sudo chmod 766 -R /home
$ sudo chmod 766 -R /media

4.04 Audit System

https://redhat.com/sysadmin/configure-linux-auditing-auditd

System Auditors

Automatic

$ sudo apt install lynis
$ sudo apt install checksecurity

Manual

$ sudo apt install auditd

Rootkit Detect

$ sudo apt install chkrootkit
$ sudo apt install rkhunter
$ sudo apt install chkboot

4.05 Antimalware

Dangerous PDFs, Office Documents, or Images

Handle potentially dangerous PDFs, office documents, or images by converting them to safe PDFs.

Dangerzone
GitHub - Freedom of Press

Online Virus and URL Scanning

Online Phishing and Email Reputation Verifiers

ClamAV

ClamAV Official Website
ClamAV Documentation
ClamAV Manual
ClamAV on GitHub
ClamAV Wiki

ClamAV is a malware detection toolkit, not an endpoint security suite. It detects malware but does not disinfect files; it only removes or isolates them.

"Clam AntiVirus is an open-source (GPL) anti-virus toolkit for UNIX. It offers various utilities, including a flexible and scalable multi-threaded daemon, a command-line scanner, and an advanced tool for automatic database updates. Since ClamAV is mainly used on file/mail servers for Windows desktops, it primarily targets Windows viruses and malware using its built-in signatures."

False positives can occur. Using the --remove option to delete any file that triggers an alert during a scan is generally not recommended.

ClamAV (GUI)

ClamAV GUI on GitHub
$ sudo apt install clamtk

ClamAV (CLI)

$ sudo apt install -y clamav
$ sudo apt install -y clamav-daemon
$ sudo systemctl start clamav-freshclam
$ sudo freshclam

*Note that Clamscan doesn't require the daemon to be running.

*Note that the "clamd" process (clamav-daemon.service) uses about 1GB of memory (doubles to 2GB when a new database is loaded); it loads the complete database of virus definitions into memory. However, this makes it super fast. You can optimize this:

$ sudo nano /etc/clamav/clamd.conf

ConcurrentDatabaseReload no
ReadTimeout 10
MaxThreads 3

$ sudo nano /etc/systemd/system/clamav-daemon.service.d/extend.conf

[Service]
IOSchedulingPriority = 7
CPUSchedulingPolicy = 5
MemoryLimit=256M
CPUQuota=30%
Nice = 19

  • Commands
  $ man clamscan
  • Basic command to scan the entire system, copy infected files, and log
  $ mkdir /home/$USER/Virus && touch /home/$USER/Virus/Virus.txt  
  $ sudo freshclam && sudo clamscan -vir --copy=/home/$USER/Virus --log=/home/$USER/Virus/Virus.txt --exclude-dir="^/sys" /
  • Basic command to scan the entire system, move infected files, and log
  $ mkdir /home/$USER/Virus && touch /home/$USER/Virus/Virus.txt  
  $ sudo freshclam && sudo clamscan -vir --move=/home/$USER/Virus --log=/home/$USER/Virus/Virus.txt --exclude-dir="^/sys" /
  • Scan a file
  $ clamscan --verbose /file.bin
  • Scan compressed files
  $ clamscan --verbose --scan-archive --alert-exceeds-max --alert-encrypted /file.zip
  • Other commands
  $ clamscan -vr --suppress-ok-results --bell /home/$USER
  $ clamscan -vro --heuristic-alert --copy=/home/$USER/Virus --log=/home/$USER/Virus/Virus.txt --bell /home/$USER
  $ clamscan -vro --bell --remove /home/$USER
  • Debugging
  $ sudo cat /etc/clamav/clamd.conf
  $ sudo nano /etc/clamav/clamd.conf
  $ sudo nano /etc/systemd/system/clamav-daemon.service.d/extend.conf
  $ sudo cat /var/log/clamav/clamav.log
  $ sudo systemctl status clamav-daemon
  $ sudo systemctl stop clamav-daemon
  $ sudo systemctl disable clamav-daemon
  $ sudo systemctl status clamav-freshclam
  $ sudo systemctl stop clamav-freshclam
  $ sudo systemctl disable clamav-freshclam
  $ sudo crontab -l 
  $ sudo systemctl list-timers
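
The scan commands above write their detections to the --log file, and since false positives occur, that log is worth triaging before anything is moved or removed. The following is an added example, not part of the original README: it splits the FOUND lines by alert class so that heuristic and PUA alerts get a manual look. The sample log and the PUA signature name in it are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: triage the FOUND lines of a clamscan --log file.
# Nothing here deletes, moves or modifies any scanned file.

# Constructed sample log (not taken from a real scan). clamscan reports a
# detection as "<path>: <signature> FOUND". The PUA name below is made up.
sample_clamscan_log() {
    cat <<'EOF'
/home/user/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/user/Downloads/report.pdf: OK
/home/user/backup/secret.zip: Heuristics.Encrypted.Zip FOUND
/home/user/notes: draft/setup.exe: PUA.Win.Packer.Example-1 FOUND

----------- SCAN SUMMARY -----------
Scanned files: 4
Infected files: 3
EOF
}

# Read a clamscan log on stdin and print one line per detection:
#   <class> TAB <signature> TAB <path>
# class is "heuristic" (Heuristics.* alerts such as encrypted archives or
# exceeded limits), "pua" (potentially unwanted application) or
# "signature" (a match against a malware signature).
clam_triage() {
    awk '
        / FOUND$/ && NF >= 3 {
            # Signature names contain no spaces, so the signature is the
            # field before FOUND; the path is everything before ": <sig>",
            # which keeps paths that themselves contain ": " intact.
            sig  = $(NF - 1)
            path = substr($0, 1, length($0) - length(sig) - length(": ") - length(" FOUND"))
            if (sig ~ /^Heuristics\./) class = "heuristic"
            else if (sig ~ /^PUA\./)   class = "pua"
            else                       class = "signature"
            printf "%s\t%s\t%s\n", class, sig, path
        }'
}

# Paths with a real signature match: the candidates for --move quarantine.
clam_signature_hits() {
    clam_triage | awk -F '\t' '$1 == "signature" { print $3 }'
}

# Number of alerts per class, sorted by class name, e.g. "heuristic 1".
clam_class_counts() {
    clam_triage | awk -F '\t' '{ n[$1]++ } END { for (c in n) print c, n[c] }' | sort
}

# Demo on the constructed sample.
sample_clamscan_log | clam_triage
```

On a real system, feed it the log written by the commands above, for example `clam_triage < /home/$USER/Virus/Virus.txt`.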

*If you encounter AppArmor denials related to clamd, switch the profile to complain-only mode:

$ sudo aa-complain clamd

Signatures Compatible with ClamAV

• RFXN Linux Malware Detect by RFXN

• Malware Blocklist Malware Blocklist

• YARA Rules YARA Rules for ClamAV

Malware Analysis with ClamAV and YARA

$ sudo apt install yara
$ sudo clamscan -d yara.rule -r /

ESET NOD32 Antivirus for Linux Desktop

Download ESET NOD32 Antivirus for Linux Desktop


4.06 Updating

https://debian.org/doc/manuals/debian-handbook/sect.regular-upgrades.en.html

Apply security updates as quickly as possible. According to 2020 research conducted by Unit 42 at Palo Alto, approximately 80% of exploits are published faster than the corresponding Common Vulnerabilities and Exposures (CVE) entries.

SYSTEMD Vs. CRON

sudo apt install systemd-cron ?

• Commands
$ sudo crontab -l 
$ sudo systemctl list-timers
$ systemctl start "service"
$ systemctl enable "service"
$ systemctl status "service"

Set up automatic updates on Debian



5. NETWORK

👷🛠️UNDER CONSTRUCTION🚧🏗

5.01 Router

Router Freedom - Open-source routers - Device Neutrality

https://docs.fsfe.org/en/teams/router-freedom-tech-wiki
https://fsfe.org/contribute/spreadtheword#device-neutrality

"There are a number of open-source options for routers that will take even a small consumer router and turn it into a powerful device with enterprise-level capabilities. My personal favorite is DD-WRT, but other popular options include pfSense, OpenWRT, and Tomato. While you can buy pre-flashed devices in some cases (FlashRouters for DD-WRT and Protectli for pfSense), I always encourage you to do it yourself if you’re comfortable to ensure maximum security (and also to be familiar with the update process). Having said all of this, if you are unsure if an open source router is right for you (the wealth of options can be overwhelming to some), I still encourage you to get a router that wasn’t provided by your ISP. Make sure it offers VLANs and VPN capabilities, as we will be using these heavily to protect your home."

https://thenewoil.org/en/guides/quick-start/wifi-guide

Examples of VPN routers and firmwares
Router Firmware
EdgeRouter and Ubiquiti
GL.iNet
Netduma
Netgear
MikroTik
Peplink/Pepwave
OpenWRT
AsusWRT Merlin
DD-WRT
DrayTek Vigor
OPNsense 19.1
Padavan
pfSense 2.4.4
pfSense 2.4.5
pfSense 2.5
Sabai
Tomato

https://openwrt.org
https://pfsense.org

Router Guide

https://avoidthehack.com/router-wireless-guide

  • Change the default router password
  • Turn off UPnP
  • Use the router’s firewall capabilities
  • Use sufficient Wi-Fi encryption
  • Set a strong Wi-Fi password
  • Change the Wi-Fi (SSID) name from the default
  • Hide the Wi-Fi (SSID)
  • Consider using open-source router firmware
  • Keep router firmware updated
  • Keep other software up to date

*These measures do not reach military-level security. For home use, consider dropping Wi-Fi altogether and using a wired connection through an RJ-45 to USB adapter.

*Misconfigured DNS settings on a router may lead to the device sending DNS queries to unintended DNS servers.


5.02 Network

Network Managers

NetworkManager (GUI)

$ sudo apt install network-manager-gnome

NetworkManager (CLI)

$ sudo apt install network-manager

  Commands 
    • Connecting WiFi manually with nmcli
    $ nmcli dev status
    $ nmcli radio wifi on
    • List wifi
    $ nmcli dev wifi list
    • Connect
    $ sudo nmcli dev wifi connect SSID(TAB)
    $ sudo nmcli --ask dev wifi connect SSID(TAB)
    • Disconnecting
    $ nmcli con down NAME 
    • Saved ones
    $ ls /etc/NetworkManager/system-connections/

  Commands
    • Editing
    $ nmcli connection edit
    $ nmcli connection edit type wifi
    $ nmcli c edit type vpn
    $ nmcli c up wificonnectionname
    $ nmcli c show wificonnectionname
    $ nmcli connection show
    $ nmcli connection reload
    • Activating MAC randomization
    $ nmcli connection modify NAME 802-11-wireless.mac-address-randomization always
  Config files
    $ sudo ls /etc/NetworkManager/
    $ sudo ls /etc/NetworkManager/system-connections/
    $ sudo nano /etc/NetworkManager/system-connections/mywifiname
    $ sudo nano /etc/NetworkManager/NetworkManager.conf

Connman

Connman (GUI)

$ sudo apt install connman-ui

Connman (CLI)

$ sudo apt install connman

  Commands
    $ 
    $ 
    $ 
    $ 
    $ 

Setting up networking without a network manager

https://unix.stackexchange.com/questions/253030/how-to-setup-network-without-wicd-or-networkmanager

Set up static networking. Only wlan0 was configured because of wireless; if you do not use wireless, just skip the wireless-related parts.

Show your interfaces:

$ ip a show

Note the default Ethernet and wifi interfaces:

It looks like our Ethernet port is eth0 and our WiFi radio is wlan0.

$ ip a show | awk  '/^[0-9]: /{print $2}'

The output of this command will look something like this:


lo:
eth0:
wlan0:

Your gateway IP address is found with:

$ sudo route -n

It provides access to destination 0.0.0.0 (everything). It is possibly 192.168.0.1, which is perfectly nominal.

Let’s do a bit of easy configuration in our /etc/network/interfaces file. The format of this file is not difficult to put together from the man page, but really, you should search for examples first. Plug in your Ethernet port.

Basically, we’re just adding DHCP entries for our interfaces. Above you’ll see a route to another network that appears when I get a DHCP lease on my Ethernet port. Next, add this:


auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto wlan0
iface wlan0 inet dhcp

Next, enable and start the networking service:

sudo update-rc.d networking enable
sudo /etc/init.d/networking start

Let’s make sure this works, by resetting the port with these commands:

sudo ifdown eth0
sudo ip a flush eth0
sudo ifup eth0

This downs the interface, flushes the address assignment to it, and then brings it up. Test it out by pinging your gateway IP: ping 192.168.0.1. If you don’t get a response, your interface is not connected or you made a typo.

Let’s “do some WiFi” next! We want to make an /etc/wpa_supplicant.conf file. Consider mine:


network={
ssid="CenturyLink7851"
scan_ssid=1
key_mgmt=WPA-PSK
psk="4f-------------ac"
}

Now we can reset the WiFi interface and put this to work:


sudo ifdown wlan0
sudo ip a flush wlan0
sudo ifup wlan0
sudo wpa_supplicant -Dnl80211 -c /etc/wpa_supplicant.conf -iwlan0 -B
sudo dhclient wlan0

That should do it. Use a ping to find out, and do it explicitly from wlan0, so check that it has its address first:


ip a show wlan0 | grep "inet"

Presumably dhclient updated your /etc/resolv.conf, so you can also do a:

ping -I 192.168.0.45 www.yahoo.com

You’re now running without NetworkManager!

How to reset Network Manager to default?

https://askubuntu.com/questions/637637/how-to-reset-network-manager-to-default


5.03 DNS

DNS Resolution

• The resolv.conf configuration file

https://wiki.debian.org/NetworkConfiguration
https://wiki.debian.org/resolv.conf
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/manually-configuring-the-etc-resolv-conf-file_configuring-and-managing-networking
https://github.com/jonathanio/update-systemd-resolved
https://freedesktop.org/software/systemd/man/systemd.network.html

• The resolvconf program

https://salsa.debian.org/debian/resolvconf

• The openresolv program

An open-source implementation of resolvconf to properly configure DNS and prevent DNS leaks.

https://roy.marples.name/projects/openresolv

• The systemd-resolved service

https://wiki.archlinux.org/title/Systemd-resolved
https://freedesktop.org/software/systemd/man/latest/systemd-resolved.service.html

• dnsmasq
• Avahi

https://wiki.debian.org/Avahi

Router DNS

https://developers.cloudflare.com/1.1.1.1/ip-addresses
https://opendns.com/setupguide
https://docs.fsfe.org/en/teams/router-freedom-tech-wiki

Misconfigured DNS settings on a router may lead to the device sending DNS queries to unintended DNS servers. Verify that the DNS servers for your WAN are set in your router.

Pi-hole®

The Pi-hole® is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software.

https://pi-hole.net
https://docs.pi-hole.net
https://reddit.com/r/pihole

Others


5.04 Firewall

Visit our repo tree: 3.NETWORK/3.03_Firewall

Note that these commands show ports that are in a listening state, but that doesn’t necessarily mean that the ports are open to the internet, because our firewall may be denying connections.

• GUFW (GUI)

https://gufw.org
https://help.ubuntu.com/community/Gufw

$ sudo apt install gufw

• UFW (CLI)

https://launchpad.net/ufw
https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29
https://wiki.archlinux.org/title/Uncomplicated_Firewall
http://manpages.ubuntu.com/manpages/precise/man8/ufw.8.html
https://help.ubuntu.com/community/UFW
https://paulligocki.com/vpn-only-ufw-setup
https://linuxconfig.org/how-to-install-and-use-ufw-firewall-on-linux
https://openvpn.net
https://pypi.org/project/openpyn

$ sudo apt install ufw
∙ Generic UFW configuration (without VPN)
  Commands, basic to install UFW
    $ sudo apt install ufw
    $ sudo ufw enable
    $ sudo ufw status
    $ sudo nano /etc/default/ufw
     
      IPV6=no
     
    $ sudo nano /etc/sysctl.conf
     
      net.ipv6.conf.all.disable_ipv6 = 1
      net.ipv6.conf.default.disable_ipv6 = 1
      net.ipv6.conf.lo.disable_ipv6 = 1
      net.ipv6.conf.tun0.disable_ipv6 = 1
     
    $ sudo ufw default deny incoming 
    $ sudo ufw default allow outgoing
    $ sudo ufw status numbered
    $ sudo iptables -L --line-numbers
    $ sudo ufw delete 123
    $ sudo ufw reload
    $ sudo reboot
∙ Advanced

• R-fx Networks Projects - https://rfxn.com
• Vuurmuur Firewall - https://vuurmuur.org
• Port Checker - https://portchecker.co

Note: an AppArmor rule could prevent port use by an individual program.

  Commands, some advanced commands
    • Show which ports are listening for connections
    $ ss -tlnp

    • Check for open ports with nmap
    $ sudo apt install nmap
    $ sudo nmap localhost

    • Find the name and IP address of your tunnel
    $ ip -o addr | cut -d'\' -f 1

    • Handling DNS queries
    $ sudo apt install tcpdump
    $ sudo tcpdump -eni any port 53
    $ sudo tcpdump -eni any port 53 and host 172.27.10.22
    $ sudo tcpdump -n -i tun0 udp port 53

    • Show Iptables rules
    $ sudo iptables -L --line-numbers

    • Open TCP SSH PORT for VPN IP only
    $ sudo ufw allow from 1.2.3.4 to any port 22 proto tcp comment 'Open TCP SSH PORT for VPN IP only'

    • Open TCP Torrent PORT for VPN IP only
    $ sudo ufw allow in on tun0 from 10.8.0.0/16 to any port 60000 proto tcp comment 'Open TCP Torrent PORT for VPN IP only'
    • Port Forwarding to router 
    $ sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -p udp --dport 51413 -j ACCEPT

    • For uploading torrent
    $ sudo iptables -A OUTPUT -p udp --sport 51413 -j ACCEPT
    $ sudo ufw allow 51413/udp
    $ sudo iptables -L --line-numbers

    • Reset UFW
    $ sudo ufw reset

    • Troubles
    $ sudo apt purge iptables-persistent
∙ Custom application profile
  Commands
    $ sudo ls /etc/ufw/applications.d/
    $ sudo touch /etc/ufw/applications.d/ufw-custom
    $ sudo nano /etc/ufw/applications.d/ufw-custom
   
      [CustomApp 1 Full]
      title=The first Custom Application
      description=Custom Application Description
      ports=36892|23976|19827
      
      [CustomApp 1 TCP]
      title=The first Custom Application - TCP only
      description=Custom Application Description
      ports=36892,23976,19827/tcp
      
      [CustomApp 1 UDP]
      title=The first Custom Application - UDP only
      description=Custom Application Description
      ports=36892,23976,19827/udp
    
    • Check if the syntax is correct 
    $ sudo ufw app info "CustomApp 1 Full"
    • Create new rule based on this profile
    $ sudo ufw allow in on tun0 to any app "CustomApp 1 Full"
    • Check
    $ sudo ufw status numbered | grep CustomApp
∙ Configure NAT with UFW
  Commands
    $ sudo nano /etc/default/ufw
   
      DEFAULT_FORWARD_POLICY="ACCEPT"
   
    $ sudo nano /etc/ufw/sysctl.conf
   
      net/ipv4/ip_forward=1 
   
    $ sudo nano /etc/ufw/before.rules
   
      # NAT table rules
      *nat
      :POSTROUTING ACCEPT [0:0]
      
      # Forward traffic through eth0 - Change to match your out-interface
      -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
      
      # don't delete the 'COMMIT' line or these nat table rules won't be processed
      COMMIT
   
    $ sudo ufw disable
    $ sudo ufw enable
∙ Configure Port Forwarding with UFW
  Commands
    $ sudo nano /etc/ufw/before.rules
   
      :PREROUTING ACCEPT [0:0] 
      -A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.120:80 
      -A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.120:443 
      -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE 
   
    $ sudo ufw disable
    $ sudo ufw enable
    $ sudo ufw allow proto tcp from any to 150.129.148.155 port 80
    $ sudo ufw allow proto tcp from any to 150.129.148.155 port 443

5.05 VPN

• Buying VPN Services

∙ Choosing the VPN that's right for you - https://ssd.eff.org/en/module/choosing-vpn-thats-right-you
∙ Choosing the best VPN (for you) - https://reddit.com/r/VPN/comments/4iho8e/that_one_privacy_guys_guide_to_choosing_the_best/?st=iu9u47u7&sh=459a76f2
∙ r/vpnrecommendations - https://reddit.com/r/vpnrecommendations
∙ r/VPN - https://reddit.com/r/VPN
∙ r/VPNTorrents - https://reddit.com/r/VPNTorrents
∙ VPN Alert - https://vpnalert.com
∙ VPN-reviews - https://github.com/techlore/VPN-reviews
∙ Mullvad - https://mullvad.net
∙ Mullvad - http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion
∙ Private Internet Access (PIA) - https://privateinternetaccess.com
∙ ProtonVPN - https://protonvpn.com
∙ IVPN - https://ivpn.net
∙ AirVPN - https://airvpn.org
∙ VPN.XXX - https://vpn.xxx
∙ Windscribe - https://windscribe.com
∙ ExpressVPN - https://expressvpn.com/vpnmentor1
∙ NordVPN - https://nordvpn.com

• VPN Guides and Tutorials

∙ That One Privacy Site - https://thatoneprivacysite.net/vpn-section
∙ privacytools.io - https://privacytools.io
∙ VPN over SSH - https://wiki.archlinux.org/index.php/VPN_over_SSH

• Creating your own VPN with VPS

• VPN Protocols


5.06 OpenVPN

OpenVPN

https://openvpn.net/community-resources/how-to/
https://wiki.debian.org/OpenVPN
https://debian-handbook.info/browse/stable/sect.virtual-private-network.html
https://debian.org/doc/manuals/securing-debian-manual/vpn.en.html
https://wiki.archlinux.org/index.php/OpenVPN
https://wiki.archlinux.org/index.php/OpenVPN#DNS
https://ubuntu.com/core/docs/networkmanager/configure-vpn
https://community.openvpn.net
https://github.com/OpenVPN/openvpn/tree/master/sample/sample-config-files
https://linuxconfig.org/how-to-run-openvpn-automatically-on-debian-with-a-static-ip-address
https://linuxconfig.org/how-to-encrypt-your-dns-with-dnscrypt-on-ubuntu-and-debian
  OpenVPN Sample Configuration Files
    $ sudo ls /usr/share/doc/openvpn
    $ zless /usr/share/doc/openvpn/README.Debian.gz

OpenVPN Client Possibilities

OpenVPN + Network Manager (GUI) + Autostart + Autoconnect + Kill Switch
OpenVPN + nmcli (CLI) + Autostart + Autoconnect + Kill Switch

*Autoconnect: random server selection.

Installing OpenVPN with NetworkManager (GUI)

You can use the graphical NetworkManager VPN tool by providing the key and certificates.

  Commands GUI
    $ sudo apt install network-manager-openvpn-gnome
    $ nm-connection-editor

"Find a network connection, open its settings, then under General, enable Automatically connect to VPN. After saving, a secondaries= line is added in that network's configuration file in the [connection] section. It will contain a list of secondary connection UUIDs to be activated. The configuration file is usually /etc/NetworkManager/system-connections/."

Import OVPN to NetworkManager in terminal

Copy the OpenVPN configuration from your VPN provider into /etc/openvpn
  Commands nmcli, to easy import
    $ sudo nmcli connection import type openvpn file /etc/openvpn/client/cc00-myvpn.com_tcp.ovpn
    $ nmcli connection show
    $ nmcli connection up myopvnname
    $ nmcli connection show 
    $ ip route
    $ nmcli connection edit type wifi
    $ nmcli c edit type vpn
    $ nmcli c up wificonnectionname
    $ nmcli c show wificonnectionname
    $ nmcli connection show
    $ nmcli connection reload
    $ sudo service openvpn restart
    $ sudo systemctl status NetworkManager.service 
    $ sudo systemctl restart NetworkManager.service

Editing OVPN with NetworkManager in terminal

  Config files
    $ sudo ls /etc/NetworkManager/
    $ sudo ls /etc/NetworkManager/system-connections/
    $ sudo nano /etc/NetworkManager/system-connections/mywifiname
    $ sudo nano /etc/NetworkManager/NetworkManager.conf

Installing OpenVPN (CLI)

  Commands
    $ sudo apt install resolvconf
    $ sudo systemctl enable --now resolvconf.service
    $ sudo apt install openvpn
    • Copy the OpenVPN configuration from your VPN provider into /etc/openvpn
    $ sudo wget https://vpnprovider.com/openvpn.zip
    $ sudo unzip openvpn.zip
    $ sudo rm openvpn.zip
    $ cd /etc/openvpn
    • Instead of .ovpn extension, OpenVPN on Linux uses .conf 
      for config files. Rename them accordingly, you could simply
      substitute it in the appropriate file name with copy
    $ sudo cp cc00-myvpn_tcp.ovpn /etc/openvpn/client/client.conf
    • Alternatively, rename and copy in batch
    $ sudo rename 's/ovpn/conf/' openvpn/*.ovpn
    $ sudo cp openvpn/* /etc/openvpn

*resolvconf vs. systemd-resolved

*resolvconf vs. openresolv

Basic OpenVPN Connection (Manual connection for test)

    • Basic connection, OpenVPN will ask for a username and
      password each time you want to connect, and that's
      not a good headless setup.
    $ sudo openvpn cc00-myvpn.com_tcp.ovpn
      Enter Auth Username: 
      Enter Auth Password: (press TAB for no echo)
    • You can autoconnect with saved username and password,
      create another file in the OpenVPN folder called, auth.txt .
      Inside that file, put your VPN username on the first
      line and your password on the second one.
    $ sudo touch /etc/openvpn/auth.txt
    $ sudo nano /etc/openvpn/auth.txt
      user
      password
    $ sudo chmod 600 /etc/openvpn/auth.txt
    • You can autoconnect with saved login
    $ sudo openvpn --config cc00-myvpn.com_tcp.ovpn --auth-user-pass /etc/openvpn/auth.txt
      (...)
      Initialization Sequence Completed

Basic connection with autoconnect and DNS resolver, make OpenVPN update its nameservers when it starts and exits.

  Commands
    $ sudo openvpn --script-security 2 --config cc00-myvpn.com_tcp.ovpn
    • Or
    $ sudo openvpn --config cc00-myvpn.com_tcp.ovpn --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf --script-security 2 --auth-user-pass /home/user/auth

Creating an autologin file

    • Configuring auth manually 
    $ sudo touch /home/user/auth
    $ sudo nano /home/user/auth
              user
              password
    • A little protection
    $ sudo chmod 600 /home/user/auth

OpenVPN Random Server Selection and Autologin

👷🛠️UNDER CONSTRUCTION🚧🏗

https://openvpn.net/community-resources/how-to/#auth

You can use the client.conf example below to connect to a randomly chosen server out of several .ovpn configurations and to log in automatically with an auth file. Make each configuration refer to the auth file by appending some directives at its end. The example also sets keepalive, a log file to facilitate troubleshooting, and automatically runs a script called update-resolv-conf, which may be necessary for DNS resolution to work correctly when the VPN is turned on and off. On Debian, this script is included with the OpenVPN installation.

    • Configuring client.conf manually 
    $ sudo nano /etc/openvpn/client/client.conf
client
dev tun

#Is it a TCP or UDP server?
proto tcp

remote my-server-1.com 1194
remote my-server-2.com 1194
remote my-server-3.com 1194
remote my-server-4.com 1194
remote my-server-5.com 1194
remote my-server-6.com 1194
remote my-server-7.com 1194
remote my-server-8.com 1194
remote my-server-9.com 1194
remote my-server-10.com 1194
remote-random #Chooses a random server from the remote list
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no #Enable it if enabled in the server
verify-x509-name CN=my.vpn-1.com

#Protect against MITM see http://openvpn.net/howto.html#mitm
remote-cert-tls server 

#Your autologin config
auth-user-pass /etc/openvpn/client/auth

#OpenVPN DNS Resolver
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

#Others
keepalive 10 60
log-append /var/log/openvpn.log

verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512


# SSL/TLS parms. See the server config
# file for more description. It's best
# to use a separate .crt/.key file pair
# for each client. A single ca file can
# be used for all clients.

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
    • Configuring client.conf automatically
    $ cd /etc/openvpn/client/
    $ sudo tee client.conf > /dev/null << EOF
client
dev tun

#Is it a TCP or UDP server?
proto tcp

remote my-server-1.com 1194
remote my-server-2.com 1194
remote my-server-3.com 1194
remote my-server-4.com 1194
remote my-server-5.com 1194
remote my-server-6.com 1194
remote my-server-7.com 1194
remote my-server-8.com 1194
remote my-server-9.com 1194
remote my-server-10.com 1194
remote-random #Chooses a random server from the remote list
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no #Enable it if enabled in the server
verify-x509-name CN=my.vpn-1.com

#Protect against MITM see http://openvpn.net/howto.html#mitm
remote-cert-tls server 

#Your autologin config
auth-user-pass /etc/openvpn/client/auth 

#OpenVPN DNS Resolver
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

#Others
keepalive 10 60
log-append /var/log/openvpn.log

verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512


# SSL/TLS parms. See the server config
# file for more description. It's best
# to use a separate .crt/.key file pair
# for each client. A single ca file can
# be used for all clients.

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
    • Configuring client.conf automatically in batch
$ echo 'auth-user-pass /etc/openvpn/client/auth
keepalive 10 60
log-append /var/log/openvpn.log
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf' | sudo tee -a openvpn/*.conf

Create an autologin file
    • Configuring auth manually 
    $ sudo touch /etc/openvpn/client/auth
    $ sudo nano /etc/openvpn/client/auth
              user
              password
    • Configuring auth automatically 
    • If you type the example instead of copying it, press ENTER
      inside the quotes to start the second line; the shell keeps
      reading until the closing quote. Do not indent the second
      line, so that no leading spaces end up in the password.
    $ cd /etc/openvpn/client
    $ echo 'user
password' | sudo tee auth > /dev/null
    • A little protection
    # chmod 600 /etc/openvpn/client/auth
    • Load daemon
    $ sudo openvpn --config /etc/openvpn/client.conf --daemon
    • Alternatively
    $ sudo touch /etc/openvpn/client/auth && sudo chmod 600 /etc/openvpn/client/auth
    $ sudo bash -c 'echo "USERNAME" >> /etc/openvpn/client/auth'
    $ sudo bash -c 'echo "PASSWORD" >> /etc/openvpn/client/auth'
    # chmod 600 /etc/openvpn/client/auth
    • Load daemon
    $ sudo openvpn --config /etc/openvpn/client.conf --daemon
    • Alternatively
    $ sudo su
    # echo 'myuser' >> /etc/openvpn/client/auth
    # echo 'mypassword' >> /etc/openvpn/client/auth
    # chmod 600 /etc/openvpn/client/auth
    • Load daemon
    $ sudo openvpn --config /etc/openvpn/client.conf --daemon
    • Alternatively
    $ sudo su
    # echo 'myuser' | tee --append /etc/openvpn/client/auth
    # echo 'mypassword' | tee --append /etc/openvpn/client/auth
    # chmod 600 /etc/openvpn/client/auth
    • Load daemon
    $ sudo openvpn --config /etc/openvpn/client.conf --daemon
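
With auth-user-pass and script-security 2 in client.conf, the credentials file and the up/down scripts are read or executed by a root-run OpenVPN, so their ownership and mode matter as much as the chmod 600 above. The following is an added example, not part of the original README or of OpenVPN, that audits the files a client config references. It assumes GNU stat (as on Debian); OVPN_UID and the function names are this example's own.

```shell
#!/bin/sh
# Added example: check the files an OpenVPN client config points at.
# OVPN_UID is a knob of this example, not an OpenVPN setting: the numeric
# owner the files are expected to have (0 = root).
OVPN_UID=${OVPN_UID:-0}

# Print "<kind> <value>" for the directives audited below.
# Paths containing spaces are not handled.
ovpn_refs() {
    awk '
        { sub(/[ \t]*[#;].*$/, "") }                 # strip comments
        $1 == "auth-user-pass" && NF >= 2 { print "cred", $2 }
        ($1 == "up" || $1 == "down") && NF >= 2 {
            gsub(/"/, "", $2); print "script", $2
        }
        $1 == "script-security" && NF >= 2 { print "level", $2 }
    ' "$1"
}

# ovpn_check_file <label> <path> <octal mask of mode bits that must be clear>
ovpn_check_file() {
    if [ ! -e "$2" ]; then
        echo "FAIL $1 $2: missing"
        return 1
    fi
    mode=$(stat -L -c %a "$2")
    uid=$(stat -L -c %u "$2")
    rc=0
    if [ $(( 0$mode & $3 )) -ne 0 ]; then
        echo "FAIL $1 $2: mode $mode is too permissive"
        rc=1
    fi
    if [ "$uid" != "$OVPN_UID" ]; then
        echo "FAIL $1 $2: owner uid $uid, expected $OVPN_UID"
        rc=1
    fi
    return "$rc"
}

# ovpn_audit <client.conf>: returns 0 only when every check passes.
ovpn_audit() {
    conf=$1; failed=0; level=1; scripts=0
    if [ ! -r "$conf" ]; then
        echo "FAIL config $conf: not readable"
        return 1
    fi
    # The config decides which scripts run, so others must not edit it.
    ovpn_check_file config "$conf" 022 || failed=1
    refs=$(ovpn_refs "$conf")
    while read -r kind value; do
        case $kind in
            # Credentials: no access at all for group and others.
            cred)   ovpn_check_file auth-user-pass "$value" 077 || failed=1 ;;
            # Scripts: not writable by group or others.
            script) scripts=1
                    ovpn_check_file up/down "$value" 022 || failed=1 ;;
            level)  level=$value ;;
        esac
    done <<EOF
$refs
EOF
    if [ "$scripts" -eq 1 ] && [ "$level" -lt 2 ]; then
        echo "WARN up/down are set but script-security is $level, so OpenVPN will refuse to run them"
    fi
    if [ "$level" -ge 3 ]; then
        echo "WARN script-security $level lets scripts receive the password through the environment"
    fi
    return "$failed"
}

# Audit the file given on the command line, if any.
if [ $# -gt 0 ]; then ovpn_audit "$1"; fi
```

Run it as root against the real file, for example `sh ovpn-audit.sh /etc/openvpn/client/client.conf` (the script name is hypothetical).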
OpenVPN DNS Resolver

👷🛠️UNDER CONSTRUCTION🚧🏗

https://wiki.archlinux.org/title/OpenVPN#DNS
https://github.com/jonathanio/update-systemd-resolved

"By default, all configured VPNs in /etc/openvpn/ are started during system boot. Edit /etc/default/openvpn to start specific VPNs or to disable this behavior. You need to run systemctl daemon-reload once to enable new VPNs."

  Commands
    $ sudo su
    # cd /etc/openvpn/client
    # echo "script-security 2" >> /etc/openvpn/client/openvpn.conf
    # echo "up /etc/openvpn/update-resolv-conf" >> /etc/openvpn/client/openvpn.conf
    # echo "down /etc/openvpn/update-resolv-conf" >> /etc/openvpn/client/openvpn.conf

Solving DNS problems with OpenVPN

https://openvpn.net/vpn-server-resources/troubleshooting-dns-resolution-problems

OpenVPN DNS

👷🛠️UNDER CONSTRUCTION🚧🏗

$ sudo apt install resolvconf

* Consider

$ sudo apt install openvpn-systemd-resolved

$ sudo nano /etc/openvpn/update-resolv-conf
$ sudo mv /etc/resolv.conf /etc/resolv.conf.bak

• Add these lines to your openvpn client.conf:

$ nano client.conf

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

You can run openvpn with the DNS resolver:

$ sudo openvpn --script-security 2 --config cc00-myvpn.com_tcp.ovpn

Disabling OpenVPN's client DNS
$ sudo nano /etc/openvpn/client/client.conf
#Actual DNS name
dhcp-option DNS 10.10.10.10

Take care with DNS leaks

curl ipleak.net/json/
curl ipinfo.io
#IPV4
pull-filter ignore "dhcp-option DNS"

#IPV6
pull-filter ignore "dhcp-option DNS6"
Disabling NetworkManager's own dnsmasq

👷🛠️UNDER CONSTRUCTION🚧🏗

$ sudo nano /etc/NetworkManager/NetworkManager.conf

#dns=dnsmasq

$ sudo systemctl restart NetworkManager

NetworkManager dnsmasq (CLI)

DNS requests are directed to VPN-supplied DNS servers without any manipulations with dnsmasq, up/down/dispatch helper scripts.

nmcli -p connection modify MY_VPN_CONNECTION ipv4.never-default no
nmcli -p connection modify MY_VPN_CONNECTION ipv4.ignore-auto-dns no
nmcli -p connection modify MY_VPN_CONNECTION ipv4.dns-priority -42

*Using OpenVPN through NetworkManager (GUI) allows users to disable the connection.

Enable OpenVPN as service at boot

To make OpenVPN automatically connect with a certain configuration, set the AUTOSTART directive in /etc/default/openvpn to the configuration filename without the extension.

  Commands
    • At boot, by default client.conf is enabled
    $ sudo ls /etc/openvpn/client
    • Set the AUTOSTART directive
    $ sudo nano /etc/default/openvpn
                AUTOSTART="nameofopvnconfigfile"
    • Save or edit your configuration with
    $ sudo nano /etc/openvpn/client/.conf
    • Alternatively
    $ echo 'AUTOSTART="nameofopvnconfigfile"' | sudo tee -a /etc/default/openvpn
    • Enable the service by calling 
    $ sudo systemctl start openvpn-client@nameofopvnconfigfile
    $ sudo systemctl enable openvpn-client@nameofopvnconfigfile
    • Verify
    $ sudo cat /etc/default/openvpn
    • Load OpenVPN and connect
    $ sudo systemctl daemon-reload 
    $ sudo systemctl restart openvpn
Test if the killswitch is working
$ sudo systemctl start openvpn-client@
$ sudo systemctl stop openvpn-client@
$ sudo systemctl status openvpn-client@
$ curl ipleak.net/json/
$ curl ipinfo.io

OpenVPN UFW kill switch

👷🛠️UNDER CONSTRUCTION🚧🏗

Set up a firewall to deny everything but the VPN handshake on the regular interfaces eth0 and wlan0 while placing no restrictions on tun0.

$ sudo su
# apt install ufw
# ufw allow in on tun0
# ufw allow out on tun0
# ufw allow out on eth0 from any to any port 53
# ufw allow out on wlan0 from any to any port 53
# ufw allow out on eth0 from any to any port 1198
# ufw allow out on wlan0 from any to any port 1198
# ufw deny in on eth0
# ufw deny in on wlan0
# ufw deny out on eth0
# ufw deny out on wlan0
# ufw enable

Testing killswitch

$ sudo systemctl start openvpn-client@
$ sudo systemctl stop openvpn-client@
$ sudo systemctl status openvpn-client@
$ curl ipleak.net/json/
$ curl ipinfo.io
$ systemctl stop openvpn
$ curl --connect-timeout 5 ipinfo.io

OpenVPN DNS

👷🛠️UNDER CONSTRUCTION🚧🏗

resolv-conf
$ sudo apt install resolvconf

"Parses DHCP options from openvpn to update resolv.conf . To use set as 'up' and 'down' script in your openvpn *.conf:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

"Example envs set from openvpn:"

foreign_option_1='dhcp-option DNS 193.43.27.132'
foreign_option_2='dhcp-option DNS 193.43.27.133'
foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
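
To make the foreign_option_N mechanism concrete, here is an added sketch (written for this page, not the update-resolv-conf script that Debian ships) that turns those variables into resolv.conf lines and drops values that are not plausible addresses or domain names, since they are pushed by the remote server. The function names are this example's own, and the fourth sample option is constructed.

```shell
#!/bin/sh
# Added example: how the foreign_option_N variables that OpenVPN exports to
# an "up" script become resolv.conf lines. It only prints the lines; it does
# not call resolvconf or touch /etc/resolv.conf.

# Character allow-list for an IPv4/IPv6 literal (not a full address parser).
is_addr_chars() {
    case $1 in
        ''|*[!0-9A-Fa-f:.]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Character allow-list for a DNS search domain.
is_domain_chars() {
    case $1 in
        ''|*[!0-9A-Za-z.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Walk foreign_option_1, foreign_option_2, ... until the first unset one and
# print "search ..." and "nameserver ..." lines for the accepted values.
ovpn_resolv_lines() {
    i=1; servers=""; domains=""
    while :; do
        eval "opt=\${foreign_option_$i-}"
        if [ -z "$opt" ]; then break; fi
        # Split "dhcp-option DNS 193.43.27.132" into words without globbing.
        read -r kw kind value _extra <<EOF
$opt
EOF
        if [ "$kw" = "dhcp-option" ]; then
            case $kind in
                DNS)
                    if is_addr_chars "$value"; then
                        servers="$servers $value"
                    else
                        echo "ignored foreign_option_$i: bad DNS value" >&2
                    fi ;;
                DOMAIN)
                    if is_domain_chars "$value"; then
                        domains="$domains $value"
                    else
                        echo "ignored foreign_option_$i: bad DOMAIN value" >&2
                    fi ;;
            esac
        fi
        i=$((i + 1))
    done
    if [ -n "$domains" ]; then printf 'search%s\n' "$domains"; fi
    for ns in $servers; do printf 'nameserver %s\n' "$ns"; done
}

# The three values quoted above, plus one constructed malformed entry.
sample_env() {
    foreign_option_1='dhcp-option DNS 193.43.27.132'
    foreign_option_2='dhcp-option DNS 193.43.27.133'
    foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
    foreign_option_4='dhcp-option DNS not-an-address'   # constructed
}

# Demo: prints the search line and two nameserver lines; option 4 is ignored.
sample_env
ovpn_resolv_lines
```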

openvpn-systemd-resolved
$ sudo apt install openvpn-systemd-resolved

"OpenVPN helper to add DHCP information into systemd-resolved via DBus.(...)This script will parse DHCP options set via OpenVPN (dhcp-option) to update systemd-resolved directly via DBus, instead of updating /etc/resolv.conf. To install, set as the 'up' and 'down' script in your OpenVPN configuration file or via the command-line arguments, alongside setting the 'down-pre' option to run the 'down' script before the device is closed. For example:"

up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved
down-pre


5.07 WireGuard

∙ WireGuard

https://github.com/WireGuard
https://wiki.ubuntuusers.de/WireGuard

$ sudo apt install wireguard
$ sudo apt install wireguard-tools

5.08 strongSwan

strongSwan

https://github.com/strongswan/strongswan
https://docs.strongswan.org/docs/5.9/index.html
https://docs.strongswan.org/docs/5.9/config/IKEv2.html
https://docs.strongswan.org/docs/5.9/config/logging.html

strongSwan (Client Side)

$ sudo apt install strongswan-charon
$ sudo apt install libcharon-extra-plugins
$ sudo apt install libcharon-extauth-plugins

• Add username and password
$ sudo nano /etc/ipsec.secrets
Username : EAP "Password"

• Configure
$ sudo su
Password


# Run this in the root shell opened above; the redirection into /etc needs root.
printf '%s\n\t' 'conn MyVPN' \
'keyexchange=ikev2' 'dpdaction=clear' 'dpddelay=300s' \
'eap_identity="USERNAME"' 'leftauth=eap-mschapv2' 'left=%defaultroute' \
'leftsourceip=%config' 'right=SERVER_IP' 'rightauth=pubkey' \
'rightsubnet=0.0.0.0/0' 'rightid=%SERVER_HOSTNAME' \
'rightca=/etc/ipsec.d/cacerts/VPN.pem' 'type=tunnel' \
'auto=add' > /etc/ipsec.conf


• Inside the file, change load = yes to load = no.
$ sudo nano /etc/strongswan.d/charon/constraints.conf

• Download the VPN certificate.
$ sudo wget https://download/certificate/root.pem -O /etc/ipsec.d/cacerts/VPN.pem


• Connecting (use the connection name defined in /etc/ipsec.conf)
$ sudo ipsec restart
$ sudo ipsec up MyVPN
“Connection VPN has been established successfully”.

• Disconnecting
$ sudo ipsec down MyVPN

• Debugging
$ sudo cat /var/log/syslog
$ sudo ls /etc/strongswan.d/charon/

5.09 Firewall + VPN

∙ Firewall (UFW) + VPN (OpenVPN)

  Commands to setup UFW + OpenVPN
    • You could add specifically rules for each port separately on tun0 (VPN tunnel interface)
    $ sudo ufw allow in on tun0 to any port 60000 proto tcp
    $ sudo ufw allow in on tun0 to any port 60000 proto udp

    • You could test to connect in and out to anywhere on tun0
    $ sudo ufw allow in on tun0
    $ sudo ufw allow out on tun0

    • To allow access only from a specific address you could use
    $ sudo ufw allow in on tun0 from 192.168.0.1 to any port 60000 proto tcp

    • Allow OpenVPN to connect through the regular network interface (e.g. eth0, wlan0...)
      on the ports present in the .ovpn file (e.g. DNS resolution on
      port 53 and VPN server on 1198...)
    $ sudo ufw allow out on eth0 to any port 53
    $ sudo ufw allow out on eth0 to any port 1198

    • ufw only accepts a comma-separated port list together with a protocol, so consider these tcp or udp rules
    $ sudo ufw allow out on eth0 to any port 53,1197 proto tcp
    $ sudo ufw allow out on eth0 to any port 53,1197 proto udp

    • For a hard policy, working only with tun0, you could block the rest
    $ sudo ufw deny in on eth0
    $ sudo ufw deny out on eth0

    • Review the rules, enable the firewall and reboot
    $ sudo ufw status numbered
    $ sudo ufw enable
    $ sudo ufw reload
    $ sudo reboot

  Commands to secure the server with iptables
    • Allow everything from within your VPN
    $ sudo iptables -I INPUT -i tun0 -j ACCEPT

    • Explicitly allow what can be accessed within the VPN, for example, allow DNS and HTTP
    $ sudo iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
    $ sudo iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
    $ sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT

    • To enable SSH and VPN access from anywhere.
    $ sudo iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
    $ sudo iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT
    $ sudo iptables -A INPUT -p udp --destination-port 1194 -j ACCEPT

    • To explicitly allow reply packets of established connections, so that TCP/IP "three-way handshakes" can complete
    $ sudo iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    • To allow any loopback traffic, the server is allowed to talk to itself 
    $ sudo iptables -I INPUT -i lo -j ACCEPT

    • To reject access from anywhere else 
    $ sudo iptables -P INPUT DROP

    • To list rules
    $ sudo iptables -L --line-numbers

(*ip6tables)

Troubleshooting iptables

$ sudo systemctl restart servicedaemon.service
$ sudo systemctl restart service.service
$ sudo iptables -S
$ ping duckduckgo.com
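
One way to check the result of the iptables commands above, as an added example that is not part of the original page: it reads `iptables -S` output and reports an INPUT policy other than DROP and any ACCEPT rule that is reachable outside lo/tun0 on a port other than the SSH and VPN ports. The function names and both rule listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `iptables -S` output against the INPUT policy built above.

# audit_input_rules VPN_IF "ALLOWED PORTS" < rules
# Prints one finding per line; prints nothing when the ruleset matches.
audit_input_rules() {
    vpn_if=$1
    allowed_ports=" $2 "
    policy_seen=no
    while IFS= read -r line; do
        set -f; set -- $line; set +f          # split the rule into words
        case "${1-} ${2-}" in
            "-P INPUT")
                policy_seen=yes
                [ "${3-}" = "DROP" ] || echo "POLICY: INPUT default policy is ${3-}, expected DROP"
                continue ;;
            "-A INPUT") ;;
            *) continue ;;
        esac
        in_if=""; dport=""; target=""; state=""; negate=no
        while [ "$#" -gt 0 ]; do
            case "$1" in
                '!')               negate=yes; shift; continue ;;
                -i)                in_if=${2-}; [ "$negate" = no ] || in_if="not $in_if" ;;
                --dport|--dports)  dport=${2-} ;;
                --state|--ctstate) state=${2-} ;;
                -j)                target=${2-} ;;
            esac
            negate=no
            shift
        done
        [ "$target" = "ACCEPT" ] || continue
        # Loopback and tunnel traffic are allowed by design.
        if [ "$in_if" = "lo" ] || [ "$in_if" = "$vpn_if" ]; then continue; fi
        # Reply traffic for existing connections is fine; NEW is not.
        case "$state" in
            *NEW*) ;;
            *ESTABLISHED*) continue ;;
        esac
        if [ -n "$dport" ]; then
            case "$allowed_ports" in *" $dport "*) continue ;; esac
        fi
        what=${dport:+port $dport}
        echo "OPEN: ${what:-all ports} reachable from ${in_if:-any interface}: $line"
    done
    [ "$policy_seen" = yes ] || echo "POLICY: no INPUT policy line found"
    return 0
}

# Constructed listing: the ruleset the commands in this section produce.
sample_hardened() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i tun0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1194 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
EOF
}

# Constructed listing: policy left at ACCEPT plus two rules open on every interface.
sample_exposed() {
    cat <<'EOF'
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i tun0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
EOF
}

# On a real host: sudo iptables -S | audit_input_rules tun0 "22 1194"
echo "== hardened sample =="; sample_hardened | audit_input_rules tun0 "22 1194"
echo "== exposed sample ==";  sample_exposed  | audit_input_rules tun0 "22 1194"
```

The same function can be fed `ip6tables -S`, since the IPv6 ruleset is kept separately and is not covered by the IPv4 rules.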

5.10 Leak Test

Leak Test

∙ DNSLeakTest.com (run the "Extended test")
∙ IPLeak.net
∙ Mullvad DNS Leak Test
∙ Surfshark DNS Leak Test
∙ BrowserLeaks IP Test
∙ IPX.AC DNS Leak Test

You could test your current public IP address and compare that to the one from before with 'ipleak.net'. If they match, your VPN is not working correctly.

$ curl ipleak.net/json/
$ curl ipinfo.io
$ curl --connect-timeout 5 ipinfo.io

5.11 Spoofing

https://github.com/alobbs/macchanger
https://github.com/refraction-networking/utls
https://github.com/0xsirus/tirdad

• Address Spoof

  Commands for a random MAC address
    $ ip link
    $ sudo ifconfig wlan0 down
    $ sudo macchanger -r wlan0
    • Shows specified MAC Address of NIC
    $ sudo macchanger -s wlan0
    $ sudo ifconfig wlan0 up

• Opt-Out WLAN-SSID

∙ To opt-out of global maps (https://wigle.net), rename your network WiFi SSID to
 <SSID>_optout_nomap 
∙ To opt-out of Mozilla Location Services

Go to https://location.services.mozilla.com/optout


5.12 Others

• Torrenting

https://portforward.com
https://wiki.wireshark.org/BitTorrent
https://github.com/LiamTheBox/Torrent-With-A-VPN
https://github.com/mdlam92/vpn_torrenting
https://github.com/tool-maker/VPN_just_for_torrents/wiki
https://askubuntu.com/questions/559016/ufw-rules-dont-block-deluge
https://transmissionbt.com
https://comparitech.com/blog/vpn-privacy/how-to-make-a-vpn-kill-switch-in-linux-with-ufw

👷🛠️UNDER CONSTRUCTION🚧🏗

Transmission remote access

  Commands for remote Transmission
    $ sudo apt-get install transmission-cli
    $ sudo apt-get install transmission-common
    $ sudo apt-get install transmission-daemon
    $ sudo service transmission-daemon stop
    • To 
    $ sudo nano /etc/transmission-daemon/settings.json
    > "rpc-whitelist": "127.0.0.1,192.168.*.*",
    > "rpc-whitelist-enabled": true,
    • To change the download directory
    > "download-dir": "/home/user/Downloads"
    $ sudo service transmission-daemon start
    • To find local IP address
    $ hostname -I
    • To find local MAC address
    $ sudo cat /sys/class/net/eth0/address 
    • In your browser
    > http://192.168.0.15:9091
    > Login: transmission
    > Password: transmission
    • These are the package defaults; set your own "rpc-username" and "rpc-password" in settings.json


6. SOFTWARES

6.01 Office Softwares
  Office Suites

Libre Office

https://libreoffice.org
https://wiki.documentfoundation.org/Documentation/Install/Linux

Libre Office - Extensions

   Language Tool
   Zotero

Libre Office - Tips and Tricks
Cursor Position

In general, all documents open with the cursor at the start of the document.

One exception appears when the author of a Writer text document saves and reopens a document: The cursor will be at the same position where it has been when the document was saved. This only works when the name of the author was entered in Tools - Options - LibreOffice - User Data.

Press Shift+F5 to set the cursor to the last saved position.

Version Management

The File menu contains a Versions command that enables you to save multiple versions of a document in the same file.

You can choose to view individual versions of a document, or you can display the differences between versions with color markings.

In the dialog to open a document, you can select from a combo box which version of this document you want to open.

Saving Documents Automatically

To create a backup file every time you save a document Choose Tools - Options - Load/Save - General.

Mark Always create backup copy.

If the Always create backup copy option is selected, the old version of the file is saved to the backup directory whenever you save the current version of the file.

You can change the backup directory by choosing Tools - Options - LibreOffice - Paths, then change the Backups path in the dialog.

The backup copy has the same name as the document, but the extension is .BAK. If the backup folder already contains such a file, it will be overwritten without warning.

To save recovery information automatically every n minutes Choose Tools - Options - Load/Save - General.

Mark Save AutoRecovery information every and select the time interval.

This command saves the information necessary to restore the current document in case of a crash. Additionally, in case of a crash LibreOffice tries automatically to save AutoRecovery information for all open documents, if possible.

Zotero

Zotero - Your personal research assistant.

Zotero

Zotero - Support

Zotero - Default Translators

Zotero - Item Types and Fields

Zotero - Citing Fields from "Extra" (Exporting - Extra fields)

Place (Publisher and Publisher Place) | publisher: Publisher; publisher-place: Publisher Place | For Presentations, the place where the meeting was held or the presentation was made. For Conference Papers (published in a conference proceedings), use this field for the place where the proceedings was published. If separate locations are needed for the publication place and the location of the conference, leave this field blank and add Event Place and Publisher Place fields to Extra.
Archive Place | archive-place: Archive Place | The geographic location of an archive.
Original Title | original-title: Original Title | The original title of a work (e.g., the untranslated title).
Original Publisher | original-publisher: Original Publisher | The publisher of the original version of an item (e.g., the untranslated version).
Original Publisher Place | original-publisher-place: Original Publisher Place | The geographic location of the publisher of the original version of an item (e.g., the untranslated version).
Issue Date, Date Decided or Enacted | issued: Issue Date | The original date an item was published. Enter in ISO format (year-month-day).
Submitted Date or Filing Date | submitted: Submitted | The date an item was submitted for publication.
Access Date | Accessed | Date an electronic resource was accessed.
Event Date | event-date: Event Date | The date an event took place. Enter in ISO format (year-month-day).
Original Date | original-date: Original Date | The original date an item was published. Enter in ISO format (year-month-day).

Zotero - Groups

Zotero - Importing standardized bib. formats

*Importing bibliographic data: the most popular formats are BibLaTex (.bib), RIS (.ris) and MODS (.xml).

Juris-M (For Legal Citations)

Jurism is based on the Zotero reference manager, to which it adds features for handling legal and multilingual resources.

Juris-M is for heavy or frequent legal citations for US, UK and GE legal cases and legislation.

It is possible to create proper citations for basic legal citations in Zotero, particularly if only a few such citations are needed.

Juris-M
Zotero - Legal Citations: Juris-M


  Document Converter

Libre Office (Headless)

https://help.libreoffice.org/latest/en-US/text/shared/guide/convertfilters.html

$ sudo apt install -y libreoffice
(CLI)
  Commands for libreoffice headless
    • Syntax
    $ soffice --convert-to OutputFileExtension[:OutputFilterName[:OutputFilterParams[,param]]] [--outdir output_dir]
    • To convert a DOCX file to PDF
    $ soffice --headless --convert-to pdf:writer_pdf_Export --outdir /home/user *.docx
    $ soffice --headless --convert-to pdf:writer_pdf_Export:ExportNotesPages=True --outdir /home/user *.docx
    • To convert an ODT file to PDF
    $ soffice --headless --convert-to pdf:writer_pdf_Export --outdir /home/user *.odt
    • To convert an ODT file to DOCX
    $ soffice --headless --convert-to docx --outdir /home/user *.odt
    • To convert a PPTX file to PDF
    $ soffice --headless --convert-to pdf:impress_pdf_Export --outdir /home/user *.pptx
    $ soffice --headless --convert-to pdf:impress_pdf_Export:ExportNotesPages=True --outdir /home/user *.pptx
    • To convert an XLSX file to PDF
    $ soffice --headless --convert-to pdf:calc_pdf_Export --outdir /home/user *.xlsx
    • To convert an HTML file to PDF
    $ soffice --headless --convert-to pdf:writer_pdf_Export --outdir /home/user *.html

Output as PDF

To control which LibreOffice component generates PDF output, you can use these variants:

--convert-to pdf:writer_pdf_Export
--convert-to pdf:calc_pdf_Export
--convert-to pdf:draw_pdf_Export
--convert-to pdf:impress_pdf_Export
--convert-to pdf:writer_web_pdf_Export

Input which is not DOCX

To enforce infilters for non-DOCX input formats, you could use (list is not complete):

--infilter="HTML Document"                      # for HTML input
--infilter="MediaWiki"                          # for MediaWiki input
--infilter="Text CSV"                           # for CSV spreadsheet input
--infilter="Microsoft PowerPoint 2007/2010 XML" # for PPTX input
--infilter="Microsoft PowerPoint 97/2000/XP"    # for PPT input
--infilter="Windows Metafile"                   # for WMF input
--infilter="Enhanced Metafile"                  # for EMF input
--infilter="Scalable Vector Graphics"           # for SVG input
--infilter="Microsoft Excel 2007/2010 XML"      # for XLSX input
--infilter="Microsoft Excel 97/2000/XP"         # for XLS input
--infilter="Microsoft Excel 95"                 # for some XLS input
--infilter="Microsoft Excel 5.0"                # for some XLS input

Output which is not PDF

To convert to specific output formats, you could use (list not complete):

--convert-to html:HTML
--convert-to html:draw_html_Export                 # force "Draw" to generate the HTML
--convert-to mediawiki:MediaWiki_Web               # generate MediaWiki output
--convert-to csv:"Text - txt - csv (StarCalc)"     # generate CSV spreadsheet output
--convert-to pptx:"Impress MS PowerPoint 2007 XML" # generate PPTX
--convert-to ppt:"MS PowerPoint 97"                # generate PPT
--convert-to wmf:impress_wmf_Export                # force "Impress" to generate the WMF
--convert-to wmf:draw_wmf_Export                   # force "Draw" to generate the WMF
--convert-to emf:impress_emf_Export                # force "Impress" to generate the EMF
--convert-to emf:draw_emf_Export                   # force "Draw" to generate the EMF
--convert-to svg:impress_svg_Export                # force "Impress" to generate the SVG
--convert-to svg:draw_svg_Export                   # force "Draw" to generate the SVG
--convert-to xlsx:"Calc MS Excel 2007 XML"         # generate XLSX
--convert-to xls:"MS Excel 97"                     # generate XLS like Excel 97
--convert-to xls:"MS Excel 95"                     # generate XLS like Excel 95
--convert-to xls:"MS Excel 5.0/95"                 # generate XLS like Excel 5.0/95

Headless vs. Invisible

--invisible   Starts in invisible mode. Neither the start-up logo nor 
              the initial program window will be visible. Application 
              can be controlled, and documents and dialogs can be     
              controlled and opened via the API. Using the parameter, 
              the process can only be ended using the taskmanager     
              (Windows) or the kill command (UNIX-like systems). It   
              cannot be used in conjunction with --quickstart.        

--headless    Starts in "headless mode" which allows using the      
              application without GUI. This special mode can be used  
              when the application is controlled by external clients  
              via the API.                          

Pandoc

$ sudo apt install -y pandoc
(CLI)
  Commands for pandoc
    • Convert ODT to DOCX
    $ pandoc document.odt -o document.docx
    • Convert DOCX to PDF
    $ pandoc -s document.docx -o document.pdf
    • Convert ODT to PDF
    $ pandoc -s document.odt -o document.pdf
    • Convert HTML to PDF
    $ pandoc document.html -t latex -o document.pdf

  PDF Suites

PDF Reader

$ sudo apt install -y okular
$ sudo apt install -y okular-extra-backends

PDF Editor

PDF Arranger (GUI)

https://github.com/pdfarranger/pdfarranger

$ sudo apt install -y pdfarranger

How to combine PDFs in CLI

$ sudo apt install -y ghostscript
(CLI)
• Command to combine
$ gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -sOutputFile=combined.pdf file1.pdf file2.pdf
• Output in low resolution
$ gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -dPDFSETTINGS=/screen -sOutputFile=merged.pdf mine1.pdf mine2.pdf

PDF Crop and Split

Krop (GUI)

https://arminstraub.com/software/krop

Note, krop only adjusts which parts of a PDF are displayed; the original content is still there in the file and will, for instance, show up when editing the file in inkscape. As a result, krop is not suited for censoring a PDF document or decreasing the size of a PDF file. You may have some success in decreasing the size of the PDF (and even censoring some parts) using the option to use Ghostscript to optimize the final PDF.

$ sudo apt install -y krop
• To automatically undo 4 pages printed onto a single page:
$ krop --go --grid=2x2 input.pdf
• To trim each of these pages:
$ krop --go --grid=2x2 --trim --trim-use=all input.pdf
• Others
$ krop --grid=2x1 --initialpage=3 --exceptions=1 --trim-use=all --trim ~/input.pdf

Remove PDF annotations

Removing annotations at once in Okular

View a page that has an annotation, find them in the annotation side pane. Right-click on the annotation icon in the document, and click Remove Annotation. Then save the changes to a new document by clicking the menu button in the top right, followed by Save As….

  Commands for pdftocairo
    $ pdftocairo -pdf "input.pdf" "output-with-flatten-annotations.pdf"
  Commands for qpdf
    $ qpdf --flatten-annotations=all input.pdf output.pdf

*The output may differ slightly from the original.

*May result in larger PDF.

PDF Bookmarks Creation

https://github.com/SiddharthPant/booky

PDF Metadata

$ sudo apt-get install poppler-utils

The poppler-utils package contains pdfinfo.

$ pdfinfo input.pdf
$ pdfinfo -meta input.pdf
$ pdfinfo -js filename.pdf

  PDF OCR

• PDF OCR - Optical Character Recognition

OCRFeeder (GUI)

https://wiki.gnome.org/Apps/OCRFeeder

$ sudo apt install -y ocrfeeder

*Unpaper

Cuneiform (CLI)

https://packages.debian.org/bookworm/cuneiform

OCRmyPDF (CLI)

https://ocrmypdf.readthedocs.io

$ sudo apt install -y ocrmypdf

Also install the Tesseract OCR plugins for your desired language

$ sudo apt install -y tesseract-ocr-eng
$ sudo apt install -y tesseract-ocr-deu
$ sudo apt install -y tesseract-ocr-fra
$ sudo apt install -y tesseract-ocr-spa
$ sudo apt install -y tesseract-ocr-por
$ sudo apt install -y tesseract-ocr-rus
$ sudo apt install -y tesseract-ocr-ara
$ sudo apt install -y tesseract-ocr-chi-sim
$ sudo apt install -y tesseract-ocr-chi-tra

  Basic commands
    • How to OCR a PDF
    $ ocrmypdf -v input.pdf output.pdf
    $ ocrmypdf -v --language eng input.pdf output.pdf
    $ ocrmypdf -v --language eng+deu input.pdf output.pdf
    $ ocrmypdf -v --language eng+spa input.pdf output.pdf
    $ ocrmypdf -v --language por+deu input.pdf output.pdf
    • To modify a file in place
    $ ocrmypdf -v ~/input.pdf ~/input.pdf
    • To skip pages that already contain text
    $ ocrmypdf -v --skip-text input.pdf output.pdf
    • To redo OCR 
    $ ocrmypdf -v --redo-ocr input.pdf output.pdf
    • Compression settings
    $ ocrmypdf -v --pdfa-image-compression=jpeg --language=por+deu input.pdf output.pdf
    $ ocrmypdf -v --pdfa-image-compression=lossless --language=por+deu input.pdf output.pdf
    $ ocrmypdf -v --output-type=pdf --language por+deu input.pdf output.pdf

OCRmyPDF - Image processing
    • Image processing
    $ ocrmypdf -v --clean --language=por+deu input.pdf output.pdf
    $ ocrmypdf -v --clean-final --language=por+deu input.pdf output.pdf
    $ ocrmypdf -v --remove-background --language=por+deu input.pdf output.pdf

Warning

In many cases image processing will rasterize PDF pages as images, potentially losing quality. We caution against using ImageMagick or Ghostscript to convert images to PDF, since they may transcode images or produce downsampled images, sometimes without warning.

OCRmyPDF can perform some image processing on each page of a PDF, if desired. The same processing is applied to each page. It is suggested that the user review files after image processing as these commands might remove desirable content, especially from poor quality scans.

Note that --clean-final and --remove-background may leave undesirable visual artifacts in some images where their algorithms have shortcomings. Files should be visually reviewed after using these options.

--clean uses unpaper to clean up pages before OCR, but does not alter the final output. This makes it less likely that OCR will try to find text in background noise.

--clean-final uses unpaper to clean up pages before OCR and inserts the page into the final output. You will want to review each page to ensure that unpaper did not remove something important.

--remove-background attempts to detect and remove a noisy background from grayscale or color images. Monochrome images are ignored. This should not be used on documents that contain color photos as it may remove them.

OCRmyPDF - PDF optimization
    • Optimization settings
    $ ocrmypdf -v --optimize=[0,1,2,3] input.pdf output.pdf

By default OCRmyPDF will attempt to perform lossless optimizations on the images inside PDFs after OCR is complete. Optimization is performed even if no OCR text is found.

The --optimize N (short form -O) argument controls optimization, where N ranges from 0 to 3 inclusive, analogous to the optimization levels in the GCC compiler.

Level | Comments
--optimize 0 | Disables optimization.
--optimize 1 | Enables lossless optimizations, such as transcoding images to more efficient formats. Also compresses other uncompressed objects in the PDF and enables the more efficient “object streams” within the PDF. (If --jbig2-lossy is issued, then lossy JBIG2 optimization is used. The decision to use lossy JBIG2 is separate from standard optimization settings.)
--optimize 2 | All of the above, and enables lossy optimizations and color quantization.
--optimize 3 | All of the above, and enables more aggressive optimizations and targets lower image quality.

Optimization is improved when a JBIG2 encoder is available and when pngquant is installed. If either of these components are missing, then some types of images cannot be optimized.

The types of optimization available may expand over time. By default, OCRmyPDF compresses data streams inside PDFs, and will change inefficient compression modes to more modern versions. A program like qpdf can be used to change encodings, e.g. to inspect the internals for a PDF.

$ ocrmypdf --optimize 3 in.pdf out.pdf # Make it small

Some users may consider enabling lossy JBIG2. See: jbig2-lossy.

Note

Image processing and PDF/A conversion can also introduce lossy transformations to your PDF images, even when --optimize 1 is in use.

OCRmyPDF - PDF Rotation
    • To automatically correct the rotation of each page
    $ ocrmypdf -v --deskew input.pdf output.pdf
    $ ocrmypdf -v --rotate-pages input.pdf output.pdf
    $ ocrmypdf -v --rotate-pages-threshold {0.0-2.0} input.pdf output.pdf

--rotate-pages attempts to determine the correct orientation for each page and rotates the page if necessary.

--deskew will correct pages that were scanned at a skewed angle by rotating them back into place.

  PDF Optimizers

ImageMagick (GUI or CLI)

https://imagemagick.org/Usage/crop
https://imagemagick.org/Usage/crop/#crop_repage
https://www.cvedetails.com/vendor/1749/Imagemagick.html

$ sudo apt install imagemagick
• Commands to crop .pdf
$ convert -monitor `ls input-*.png` -crop 3704x1852+160+20 output.png
# -path is a mogrify option; the "cropped" directory must already exist
$ mogrify -monitor -crop 1000x1350+20+145 +repage -path cropped *.png

Monitor progress: -monitor

Print detailed information about the image: -verbose

• Commands to reduce .pdf size
$ convert -monitor -density 300x300 -quality 100 input.pdf output.pdf
$ convert -monitor -density 200x200 -quality 60 -compress jpeg input.pdf output.pdf
$ convert -monitor -density 150x150 -quality 70 -compress jpeg -resize 15% input.pdf output.pdf
$ convert -monitor -density 150x150 -compress Zip input.pdf output.pdf
$ convert -monitor -density 80 -page a4 input.pdf output.pdf
$ convert -monitor input.pdf -resample 85% output.pdf
$ convert -monitor *.png -colorspace gray -resample 100% "input.pdf"
• Commands for scanned books
$ convert -normalize -density 300 -depth 8 *.png
$ convert -normalize -density 300 -depth 8 -crop 50%x100% +repage *.png
$ convert -monochrome -normalize -density 300 *.png

-normalize : increase the contrast in an image by stretching the range of intensity values.

-depth : the number of bits per channel for each pixel.

-monochrome : transform the image to black and white.

pdfCropMargins - Python

https://pypi.org/project/pdfCropMargins

$ pip install "pdfCropMargins" --upgrade
$ pdf-crop-margins -v -p 0 -a -6 input.pdf

Ghostscript

https://ghostscript.com
https://www.cvedetails.com/vendor/10846/Artifex.html

$ sudo apt install -y ghostscript
(CLI)

Commands to optimize pdf size with ghostscript.

Convert PDF - Reduce size of scanned book
$ gs -dNOPAUSE -dBATCH -dQUIET \
-sDEVICE=pdfwrite \
-dCompatibilityLevel=1.4 \
-dPDFSETTINGS=/screen \
-sOutputFile=output.pdf \
input.pdf
$ gs -dNOPAUSE -dBATCH -dQUIET \
-sDEVICE=pdfwrite \
-dCompatibilityLevel=1.4 \
-dPDFSETTINGS=/printer \
-sOutputFile=output.pdf \
input.pdf
$ gs -dNOPAUSE -dBATCH -dQUIET \
-sDEVICE=pdfwrite \
-dCompatibilityLevel=1.4 \
-dPDFSETTINGS=/prepress \
-dDetectDuplicateImages \
-dCompressFonts=true \
-r150  \
-sOutputFile=output.pdf \
input.pdf
$ gs -dNOPAUSE -dBATCH -dQUIET \
-sDEVICE=pdfwrite \
-dCompatibilityLevel=1.4 \
-dPDFSETTINGS=/prepress \
-dDetectDuplicateImages \
-dCompressFonts=true \
-r300  \
-sOutputFile=output.pdf \
input.pdf

Convert PDF - Reduce size of Acrobat PDF

*Test results with comp. 1.3 and 1.4 .

$ gs -dNOPAUSE -dBATCH -dSAFER \
-sDEVICE=pdfwrite \
-dCompatibilityLevel=1.4 \
-dPDFSETTINGS=/ebook \
-dEmbedAllFonts=true \
-dSubsetFonts=true \
-dColorImageDownsampleType=/Bicubic \
-dColorImageResolution=96 \
-dGrayImageDownsampleType=/Bicubic \
-dGrayImageResolution=96 \
-dMonoImageDownsampleType=/Bicubic \
-dMonoImageResolution=96 \
-sOutputFile=output.pdf \
input.pdf
$ gs -dNOPAUSE -dBATCH -dSAFER \
-sDEVICE=pdfwrite \
-dCompatibilityLevel=1.3 \
-dPDFSETTINGS=/screen \
-dEmbedAllFonts=true \
-dSubsetFonts=true \
-dColorImageDownsampleType=/Bicubic \
-dColorImageResolution=144 \
-dGrayImageDownsampleType=/Bicubic \
-dGrayImageResolution=144 \
-dMonoImageDownsampleType=/Bicubic \
-dMonoImageResolution=144 \
-sOutputFile=output.pdf \
input.pdf
• Batch combine tips
$ cd /folder
$ find . -name '*.pdf' -exec gs -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -dPDFSETTINGS=/prepress -sOutputFile=../output.pdf {} +
• Batch process all pdfs one by one renaming the output
$ cd /folder
$ find . -name '*.pdf' -exec sh -c '
for pdf; do
    output="${pdf%.pdf}-processed.pdf"
    gs -dNOPAUSE -dBATCH -dSAFER \
    -sDEVICE=pdfwrite \
    -dCompatibilityLevel=1.4 \
    -dPDFSETTINGS=/screen \
    -dEmbedAllFonts=true \
    -dSubsetFonts=true \
    -dColorImageDownsampleType=/Bicubic \
    -dColorImageResolution=144 \
    -dGrayImageDownsampleType=/Bicubic \
    -dGrayImageResolution=144 \
    -dMonoImageDownsampleType=/Bicubic \
    -dMonoImageResolution=144 \
    -sOutputFile="$output" "$pdf"
done
' sh {} +
• Name tips
-sOutputFile=ABC-%d.png
produces 'ABC-1.png', ... , 'ABC-10.png', ..
-sOutputFile=ABC-%03d.pgm
produces 'ABC-001.pgm', ... , 'ABC-010.pgm', ...
-sOutputFile=ABC_p%04d.tiff
produces 'ABC_p0001.tiff', ... , 'ABC_p0510.tiff', ... , 'ABC_p5238.tiff'
• References
-dPDFSETTINGS=/screen - Low quality and small size at 72dpi.
-dPDFSETTINGS=/ebook - Slightly better quality but also a larger file size at 150dpi.
-dPDFSETTINGS=/prepress - High quality and large size at 300 dpi.
-dPDFSETTINGS=/default - System chooses the best output, which can create larger PDF files.

Commands for ebook-convert
• How to convert .epub to .pdf
$ sudo apt install calibre
$ ebook-convert input.epub  output.pdf
$ ebook-convert input.epub  output.pdf --enable-heuristics
$ find ./ -iname "*pdf" -type f | while read f; do echo -e "\e[1mConverting file $f \e[0m" ; ebook-convert "$f" "${f%.pdf}.epub" --enable-heuristics ; done

*Ref.: https://manpages.debian.org/bookworm/calibre/ebook-convert.1.en.html

*Utility.: https://convertfiles.com

Commands for ps2pdf
• How to convert .ps to .pdf
$ sudo apt install ghostscript   # ps2pdf is shipped in the ghostscript package
$ ps2pdf -dPDFSETTINGS=/ebook input.pdf output.pdf

*LibreOffice Draw: DPI of 100 and JPEG compression of 80%.

*Try: $ ps2pdf input.pdf output.pdf


  Image Editors

Basic Image Editors

Gthumb

https://gitlab.gnome.org/GNOME/gthumb
https://www.cvedetails.com/vendor/283/Gnome.html

$ sudo apt install gthumb
(GUI)
Imagemagick

https://imagemagick.org
https://www.cvedetails.com/vendor/1749/Imagemagick.html

$ sudo apt install imagemagick
(GUI or CLI)

Advanced Image Editors

GIMP

https://gimp.org
https://www.cvedetails.com/vendor/9605/?q=Gimp

"Whether you are a graphic designer, photographer, illustrator, or scientist, GIMP provides you with sophisticated tools to get your job done."

$ sudo apt install gimp
(GUI)
Learn How To Use GIMP 2 10 For Beginners
Inkscape

https://inkscape.org
https://www.cvedetails.com/vendor/3488/Inkscape.html

"Inkscape is a Free and open source vector graphics editor for GNU/Linux, Windows and macOS. It offers a rich set of features and is widely used for both artistic and technical illustrations such as cartoons, clip art, logos, typography, diagramming and flowcharting."

Full Inkscape Beginner Course

Other

Memegen (Open Source)

An API to programmatically generate memes based solely on requested URLs

https://github.com/jacebrowning/memegen
https://memegen.link

imgflip (Free)

https://imgflip.com/memegenerator


  Image Convert

Image Converter

Convert image with ImageMagick

https://imagemagick.org/script/formats.php
https://imagemagick.org/script/mogrify.php
https://imagemagick.org/script/command-line-tools.php
https://www.cvedetails.com/vendor/1749/Imagemagick.html

$ sudo apt install imagemagick

*Note that convert is part of ImageMagick package.

• Commands
$ mogrify -format png *.jpg
$ mogrify -format png *.jpeg
$ mogrify -format png *.gif
• In batch
$ cd ~/Downloads
$ find . -name "*.jpg" -exec mogrify -monitor -format png {} \;
$ find . -name "*.jpeg" -exec mogrify -monitor -format png {} \;
$ find . -name "*.gif" -exec mogrify -monitor -format png {} \;
$ find . -name "*.webp" -exec mogrify -monitor -format png {} \;
$ find . -name "*.avif" -exec mogrify -monitor -format png {} \;

Rotate image with ImageMagick
$ sudo apt install imagemagick
• Commands
$ mogrify -monitor -rotate -90 *.png

Unpaper

Unpaper built-in - OCRFeeder (GUI)

https://wiki.gnome.org/Apps/OCRFeeder

$ sudo apt install -y ocrfeeder

Tools -> Unpaper

Unpaper built-in - OCRmyPDF (CLI)

https://ocrmypdf.readthedocs.io
https://ocrmypdf.readthedocs.io/en/latest/cookbook.html

$ sudo apt install -y ocrmypdf
$ ocrmypdf --clean 
$ ocrmypdf --clean-final 
$ ocrmypdf --remove-background 

Note that --clean-final and --remove-background may leave undesirable visual artifacts in some images where their algorithms have shortcomings. Files should be visually reviewed after using these options.

--remove-background attempts to detect and remove a noisy background from grayscale or color images. Monochrome images are ignored. This should not be used on documents that contain color photos as it may remove them.

--clean uses unpaper to clean up pages before OCR, but does not alter the final output. This makes it less likely that OCR will try to find text in background noise.

--clean-final uses unpaper to clean up pages before OCR and inserts the page into the final output. You will want to review each page to ensure that unpaper did not remove something important.

Convert with webp (dwebp)
$ sudo apt install webp
  Commands for webp files
    • How to convert .webp to .png #It's a command-line interface
    $ dwebp -v input.webp -o ~/output.png 
    $ dwebp -v -resize width height input.webp -o ~/output.png
    *If either (but not both) of the width or height parameters is 0,
   the value will be calculated preserving the aspect-ratio.
  Commands for webp files in batch
    $ for file in *.webp ; do dwebp "$file" -o "${file%.*}.png" ; done
    • Testing alternatives
    $ find . -name "*.webp" -exec sh -c 'dwebp "$1" -o "${1%.*}.png"' _ {} \;
    $ sudo apt install parallel
    $ parallel dwebp {} -o {.}.png ::: *.webp
    $ find . -name "*.webp" -print0 | parallel --progress -0 dwebp {} -o {.}.png
    $ find . -name "*.webp" | while IFS= read -r x; do dwebp "$x" -o "${x%.*}.png"; done

Office Utilities

$ sudo apt install xpad
$ sudo apt install kcalc

6.02 Password Manager

Password Manager

• KeePassXC

https://keepassxc.org/docs/
https://www.cvedetails.com/vendor/12214/Keepass.html

$ sudo apt install keepassxc
6.03 Browsers

Browsers

https://avoidthehack.com/util/browser-comparison

• LibreWolf

https://librewolf.net/installation/debian/

• Firefox

https://www.cvedetails.com/vulnerability-list/vendor_id-452/product_id-22101/Mozilla-Firefox-Esr.html

https://www.cvedetails.com/vendor/452/Mozilla.html

$ sudo apt install 

• Chromium

https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-15031/Google-Chrome.html
$ sudo apt install 
Extensions
Others
  • Adblock Plus (Firefox, Chrome, Opera, Android): Customizable ad-blocking plugin
  • Beef Taco (Targeted Advertising Cookie Opt-Out) (Firefox): Sets permanent targeted-advertising opt-out cookies
  • BetterPrivacy (Firefox): Removes and deletes long-term “super-cookies”
  • Blur (Firefox): Tracker blocking, password management, and e-mail masking
  • Decentraleyes (Firefox): Limits tracking by third-party content delivery networks by storing copies of the content locally
  • Disconnect (Firefox, Chrome, Safari, Opera): Stops 3rd party tracking sites around the web.
  • Facebook Disconnect (Firefox, Chrome, Opera): Blocks third-party website requests to Facebook to limit Facebook's tracking of users' web activity
  • Flashblock (Firefox): Allows selective blocking and execution of Flash content.
  • Flash Control (Chrome): Allows selective blocking and execution of Flash content.
  • Ghostery (Firefox, Chrome, Safari, Opera): Script and tracker blocking.
  • HTTPS Everywhere (Firefox, Chrome): Forces HTTPS versions of websites where they are available
  • Lightbeam (Firefox): Visualization plugin that shows web sites visited, including the third-party web sites that users may not be aware of
  • NoScript (Firefox, derivatives of Mozilla): highly customizable plugin to selectively allow Javascript, Java, and Flash to run.
  • Privacy Badger (Firefox, Chrome, Opera): Blocks third-party scripts and images
  • Protect My Choices (Chrome): Sets cookies to opt out of targeted advertising
  • ScriptSafe (Chrome): Script blocking
  • Self-Destructing Cookies (Firefox): Automatically removes a site's cookies on closing its browser tab
  • uBlock Origin (Firefox, Chrome, Safari, Opera): Lightweight blocking plug-in for multiple browsers
Firefox Chrome Make

Torproject - Tor Browser

https://www.cvedetails.com/vulnerability-list/vendor_id-12287/product_id-50922/Torproject-Tor-Browser.html

Everyday TOR

torbrowser-launcher [contrib]
https://wiki.debian.org/TorBrowser
https://whonix.org/wiki/Install_Tor_Browser_Outside_of_Whonix#Easy
$ sudo apt install torbrowser-launcher
$ torbrowser-launcher
$ torbrowser-launcher --settings
AppImage

https://github.com/RENANZG/My-Debian-GNU-Linux/blob/main/6.SOFTWARES/6.01_Softwares_AppImage/Tor-Browser_Installer.sh

URL shorteners

https://kutt.it
https://shlink.io


6.04 Cloud Services

Info

https://forum.rclone.org
https://reddit.com/r/cloudstorage
https://reddit.com/r/DataHoarder
https://reddit.com/r/Piracy
https://reddit.com/r/Scams

Cloud Privacy

Cloud Providers

• Google Drive

https://github.com/glotlabs/gdrive

• MEGA

https://mega.io
https://mega.io/desktop
https://github.com/rclone/rclone

• Yandex

https://360.yandex.com
https://rclone.org/yandex (*Backend supported)

*Russian

• IDrive

https://idrive.com
https://idrive.com/online-backup-linux
https://idrive.com/linux-backup-scripts
https://rclone.org/s3/#idrive-e2

• TeraBox

https://1024tera.com
https://1024tera.com/terabox-cloud-storage-for-pc-free-download
https://reddit.com/r/TeraBox/

• pCloud

https://pcloud.com
https://pcloud.com/how-to-install-pcloud-drive-linux.html
https://github.com/pcloudcom/console-client

• SugarSync

https://sugarsync.com
https://rclone.org/sugarsync (*Not backend supported)

• Box

https://box.com
https://github.com/box/boxcli
https://github.com/rclone/rclone


6.05 File Host

File Host

• Unsee

https://unsee.cc

• Rapidgator

https://rapidgator.net

• Nitroflare

https://nitroflare.net

• Uploadgig

https://uploadgig.com

• Mediafire

https://mediafire.com/upgrade/

• UploadFiles

https://ufile.io

• 1Fichier

https://1fichier.com/hlp.html

• Turbobit

https://turbobit.net

• Filescase

http://filescase.com/

• Hex Upload

https://hexupload.org

Anonymous File Sharing Services With Temporary Online Storage

• Tempsend

https://tempsend.com

• WeTransfer

https://wetransfer.com

• Send Anywhere

https://send-anywhere.com

• SendGB

https://sendgb.com

• Volafile

https://volafile.org

• SendSpace

https://sendspace.com

• MyAirBridge

https://myairbridge.com/en/eng

• Gofile

https://gofile.io/welcome

• OTF One Time File

https://gofile.io/welcome

• Bitwarden Send

https://bitwarden.com/products/send

6.06 Media Players

MPV

$ sudo apt install mpv

Shortcuts - https://github.com/mpv-player/mpv/blob/master/DOCS/man/mpv.rst#keyboard-control

Window Geometry - https://mpv.io/manual/master/#options-geometry

Video Autofit - https://mpv.io/manual/master/#options-autofit

MPV Config

Config - https://github.com/mpv-player/mpv/blob/master/etc/mpv.conf

Copying basic MPV configs

$ cp -r /usr/share/doc/mpv/ ~/.config/mpv/

Editing only MPV configuration file (.conf)

$ cp /usr/share/doc/mpv/mpv.conf.gz  ~/.config/mpv/
$ gzip -d ~/.config/mpv/mpv.conf.gz
$ nano ~/.config/mpv/mpv.conf

Examples:

save-position-on-quit=yes
no-border
volume-max=125
geometry=50%x96%

To automatically save the current playback position on quit, start mpv with --save-position-on-quit, or add save-position-on-quit=yes to the configuration file.

Set volume-max=value in your configuration file to a reasonable amount, such as volume-max=150, which then allows you to increase your volume up to 150%, which is more than twice as loud. Increasing your volume too high will result in clipping artefacts. Additionally (or alternatively), you can utilize dynamic range compression with af=acompressor.

MPV Read-me and examples

$ sudo gzip -d /usr/share/doc/README.md.gz ~/ 
$ ls ~/.config/mpv/examples/lua/ 

Editing only MPV keybindings (input.conf)

$ cp /usr/share/doc/mpv/input.conf.gz  ~/.config/mpv/
$ gzip -d ~/.config/mpv/input.conf.gz
$ nano ~/.config/mpv/input.conf

*It's recommended to use mplayer-input.conf as reference-only. To use it save as input.conf

VLC
$ sudo apt install vlc
GNOME Media Player
$ sudo apt install totem
6.07 Video Editors

Video Editors

$ sudo apt install handbrake
(GUI)
$ sudo apt install handbrake-cli
(CLI)
$ sudo apt install ffmpeg
(CLI)

Useful links:

OBS Studio
$ sudo apt install 
(GUI)
YT-DLP - A feature-rich command-line audio/video downloader

https://github.com/yt-dlp/yt-dlp

$ sudo apt install yt-dlp
(CLI)

Download YouTube videos

• Commands
• Download a video or playlist
$ yt-dlp 
$ yt-dlp -F 
$ yt-dlp -f 247 
$ yt-dlp -f "best[height<=480]" 
$ yt-dlp -f "best[height<=480]" 
$ yt-dlp -f worstvideo 
$ yt-dlp -o 'qwerty' 
• Download with metadata
$ yt-dlp -o '%(title)s by %(uploader)s on %(upload_date)s in %(playlist)s.%(ext)s' 
$ yt-dlp --write-description --write-info-json --write-annotations --write-sub --write-thumbnail 
• Download audio-only
$ yt-dlp -x --audio-format mp3 

FFmpeg editor

https://trac.ffmpeg.org/wiki/Encode/H.264

• Compressing videos
$ ffmpeg -i input.ext output.mp4
$ ffmpeg -i input.ext -b:v output.mp4
$ ffmpeg -i input.ext -vf scale=1280:720 output.mp4
$ ffmpeg -i input.ext -c:v libx265 output.mp4
$ ffmpeg -i input.mp4 -vcodec h264 -acodec mp2 output.mp4
$ ffmpeg -y -i input.mp4 -vcodec h264 -acodec mp3 output.mp4
$ ffmpeg -y -i input.mp4 -vcodec h264 -acodec aac output.mp4
$ ffmpeg -i input.mp4 -vcodec h264 -b:a 96k output.mp4
$ ffmpeg -i input.mp4 -vcodec h264 -b:v 1000k -acodec mp3 output.mp4
$ ffmpeg -i input.mp4 -vcodec libx265 -acodec aac -crf 23 output.mp4
$ ffmpeg -i input.mp4 -c:v libx265 -preset ultrafast -crf 28 -c:a aac -b:a 250k output.mp4
$ ffmpeg -i input.mov -c:v libx265 -preset veryfast -tag:v hvc1 -vf format=yuv420p -c:a copy output.mp4
• Compressing video removing sound (to disable audio you must use -an)
$ ffmpeg -i input.mp4 -vcodec h264 -an output.mp4
• Converting videos
$ ffmpeg -y -i input.wmv output.mp4
$ ffmpeg -i input.mp4 -vf "scale=-2:240" output.mp4
$ ffmpeg -i input.wmv -c:v libx264 -crf 23 output.mp4
$ ffmpeg -i input.wmv -c:v libx264 -crf 23 -c:a aac -q:a 100 output.mp4
$ ffmpeg -i input.wmv -c:v libx264 -crf 23 -c:a aac -strict -2 -q:a 100 output.mp4
$ ffmpeg -i input.wmv -c:v libx264 -crf 23 -profile:v high -r 30 -c:a aac -q:a 100 -ar 48000 output.mp4
• Scaling down the size of the MP4
$ ffmpeg -i input.mp4 -s 1280x720 -acodec copy -y output.mp4
$ ffmpeg -i input.mp4 -vf "scale=-2:720" -c:v libx264 -crf 20 -preset slow -c:a copy output.mp4
$ ffmpeg -i input.mp4 -s 1920x1080 -c:v libx265 -preset ultrafast -crf 28 -c:a aac -b:a 250k output.mp4
$ ffmpeg -i input.mp4 -vf scale=1080:1920,format=yuv420p -c:v libx265 -preset veryfast -tag:v hvc1 -b:v 800k -bufsize 1200k -b:a 128k output.mp4
$ ffmpeg -i input.mp4 -c:v libx265 -preset veryfast -tag:v hvc1 -vf format=yuv420p -c:a copy output.mp4
$ ffmpeg -i input.mp4 -c:v libx265 -preset veryfast -tag:v hvc1 -b:v new_bitrate -vf scale=new_width:new_height,format=yuv420p -c:a copy output.mp4
In batch compress MP4

In batch compress MP4 with ffmpeg

• One-line convert script
$ for file in *.mp4; do ffmpeg -i "$file" -vf "scale=-2:240" "Output-${file%.*}.mp4"; done
HTML code to add video in GitHub README.md

*Not working.


6.08 Audio Editors

Audacity

$ sudo apt install audacity
(GUI)
Audacity Step-by-Step Tutorial for Beginners (2024) How to make voice sound better with Audacity (2024)
6.09 Email

Email

$ sudo apt install -y thunderbird
$ sudo apt install -y birdtray

Encrypted Emails

https://emailselfdefense.fsf.org/en/
https://emailselfdefense.fsf.org/en/workshops.html
https://riseup.net/en/security/message-security/openpgp/best-practices
https://riseup.net/en/security/message-security/openpgp/enigmail
https://linuxbabe.com/security/encrypt-emails-gpg-thunderbird
https://wiki.archlinux.org/title/Paperkey
https://keys.openpgp.org/about/usage
https://efail.de

Note 1: You cannot recover the secret key from the public key and the passphrase. You cannot recover your secret gpg key without a backup.

Note 2: Create an expiration date for security reasons.

👷🛠️UNDER CONSTRUCTION🚧🏗

Note 3: Create an .

  Commands for gnupg (GnuPG - GNU Privacy Guard) 
    • How to export and import GPG key:
    $ gpg --export ${ID} > public.key
    $ gpg --export-secret-key ${ID} > private.key
    $ gpg --import --batch public.key
    $ gpg --import --batch backup_dir/.gnupg/pubring.gpg
    $ gpg --import --batch backup_dir/.gnupg/secring.gpg
    $ gpg --edit-key ${KEY} trust quit
    $ gpg --list-keys
    $ gpg --list-secret-keys
  Commands for gnupg (GnuPG - GNU Privacy Guard) 
    • How to extend the expiration date of an already expired GPG key:
    $ gpg --list-keys
    $ gpg --edit-key (key id)
    • GPG console will open in the primary key, select a sub-key:
    gpg>
    gpg> list
    gpg> key 1
    • Set the expiration for the selected key
    gpg> expire
    gpg> save
    • After update, you can send it out
    $ gpg --keyserver site.com --send-keys (key id)
    $ gpg --list-secret-keys --verbose --with-subkey-fingerprints

6.10 Encryption

Encryption

👷🛠️UNDER CONSTRUCTION🚧🏗

Visit our repo tree: 2.SECURITY/2.03_Cryptography

Visit our repo tree: 1.INSTALLATION/2.02_Debootstrap

Anti-Tampering Measures
https://www.veracrypt.fr/en/Hidden%20Volume.html

• Disk Encryption

∙ ZuluCrypt (GUI)

https://mhogomchungu.github.io/zuluCrypt
https://github.com/mhogomchungu/zuluCrypt

∙ SiriKali (GUI)

https://mhogomchungu.github.io/sirikali

$ sudo apt install zulucrypt-gui
∙ VeraCrypt (GUI)

https://veracrypt.fr/en/Downloads.html
https://reddit.com/r/VeraCrypt
https://github.com/veracrypt/VeraCrypt

∙ Command to automount favorite volume at startup session:

/usr/bin/veracrypt %f /dev/sda2

∙ Password less:

$ sudo groupadd veracrypt
$ sudo usermod -aG veracrypt "$(whoami)"
(or)
$ sudo usermod -aG veracrypt $USER
$ sudoedit /etc/sudoers

#Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
%veracrypt ALL=(root) NOPASSWD:/usr/bin/veracrypt

*Every member of the veracrypt group can then run VeraCrypt as root without a password, so add only accounts you already trust with root. Check the file with visudo -c before logging out; a syntax error in /etc/sudoers disables sudo.

*Reboot

$ sudo reboot

∙ NTFS - Read only error

$ sudo ntfsfix /dev/mapper/veracrypt1

In Windows (WinPE, )

C:\> chkdsk /F

Close and open again

• Archive Encryption

∙ GnuPG - GNU Privacy Guard
  Commands for gnupg
    • How to encrypt file
    $ gpg -c backup.tar.gz
    • How to decrypt file
    $ gpg backup.tar.gz.gpg

• Cloud Encryption

∙ Cryptomator (GUI)

https://cryptomator.org
https://github.com/cryptomator/cryptomator
https://github.com/cryptomator/cli
https://reddit.com/r/Cryptomator

∙ Duplicati (GUI)

https://duplicati.com
https://github.com/duplicati/duplicati
https://forum.duplicati.com
https://reddit.com/r/duplicati


6.11 Extracting Files

https://wiki.debian.org/Compression

All-in-one extract in shell

$ sudo apt install -y tar gzip 7zip unrar zlib1g bzip2 xz-utils tarlz

To incorporate the script into your .bashrc or .bash_profile configuration file, follow these steps:

Open your .bashrc or .bash_profile file using a text editor. For example, you can use nano:

$ nano ~/.bashrc

Add the script function extract() along with the necessary helper function is_encrypted() to the file. You can copy the entire extract() function along with the is_encrypted() function from the script I provided earlier into your configuration file.


# Function to check if a file is encrypted (best effort: relies on file(1) output)
function is_encrypted() {
    file -- "$1" | grep -qi "encrypted"
}

# Extract common archive files by file extension
function extract() {
    if [ ! -f "$1" ]; then
        echo "'$1' is not a valid archive file." >&2
        return 1
    fi
    # unzip and 7z ask for the password on the terminal themselves. Passing it
    # with -P / -p would expose it in the process list and in shell history.
    if is_encrypted "$1"; then
        echo "'$1' looks encrypted; you will be prompted for the password." >&2
    fi
    case "$1" in
        *.tar.gz|*.tgz)             tar xzf "$1" ;;
        *.tar|*.tar.xz)             tar xf "$1" ;;
        *.tar.bz2|*.tbz2)           tar xjf "$1" ;;
        *.xz)                       unxz "$1" ;;
        *.zip)                      unzip "$1" ;;
        *.Z)                        uncompress "$1" ;;
        *.tar.zst)                  tar -I unzstd -xf "$1" ;;
        *.zst)                      unzstd "$1" ;;
        *.7z)                       7z x "$1" ;;
        *.tar.gz.gpg|*.tgz.gpg)     gpg -d "$1" | tar xzf - ;;
        *.tar.gpg)                  gpg -d "$1" | tar xf - ;;
        *.tar.bz2.gpg|*.tbz2.gpg)   gpg -d "$1" | tar xjf - ;;
        *.zip.gpg)
            # unzip cannot read an archive from a pipe: decrypt to a file first
            gpg -o "${1%.gpg}" -d "$1" && unzip "${1%.gpg}" ;;
        *.xz.gpg)                   gpg -d "$1" | unxz > "${1%.xz.gpg}" ;;
        *)                          echo "Unsupported file format: '$1'" >&2; return 1 ;;
    esac
}

Save and exit the text editor. In Nano, you can do this by pressing Ctrl + O to write the changes and Ctrl + X to exit.

Source your updated configuration file to apply the changes immediately:

$ source ~/.bashrc

or

$ source ~/.bash_profile

You can use the extract function directly from your terminal to extract archive files. For example:

$ extract example.tar.gz

• TAR (.gz , .tar and .tar.gz)

  Commands for .tar archives
    • How to create a .tar file (no compression):
    $ tar -cvf outarchive.tar ~/Documents
    • How to extract a .tar file:
    $ tar -xvf archive.tar
  Commands for .tar.gz archives
    • How to create a .tar.gz file
    $ tar -cvzf outarchive.tar.gz ~/Documents
    • To list the contents of a .tar.gz file:
    $ tar -tzf archive.tar.gz
    • How to decompress a .tar.gz file
    $ tar -xvzf archive.tar.gz
    $ tar -xvzf archive.tar.gz -C /home/user/Downloads

• GZIP (.gz , .tar and .tar.gz)

$ sudo apt install gzip
  Commands for .gz archives
    • How to create a .gz file (creates indoc1.pdf.gz; -k keeps the original)
    $ gzip -k indoc1.pdf
    • How to decompress a .gz file
    $ gunzip archive.gz

• 7Z (.7z and .zip)

https://7-zip.org

$ sudo apt install p7zip-full
  Commands for .7z archives
    • How to create an .7z file
    $ 7z a outarchive.7z indoc1.pdf
    • How to decompress a .7z file
    $ 7z x archive.7z
  Commands for .zip archives
    • How to create an zip file
    $ 7z a outarchive.zip indoc1.pdf
    • How to decompress a zip file
    $ 7z x archive.zip
  Commands for encrypted .7z and .zip archives
    • How to create an encrypted .7z or .zip file (-p prompts for the password)
    $ 7z a -p -t7z archive.7z /input/directory
    $ 7z a -p -tzip -mem=AES256 outarchive.zip indoc1.pdf inpdoc2.pdf
    $ 7z a -p -tzip -mem=AES256 archive.zip /input/directory

    • How to create an encrypted header .7z file (only)
    $ 7z a -p -mhe=on archive.7z input_dir
    $ 7z a -p -mhe=on /output/archive.7z /input/directory
    • How to decompress a .7z and .zip file that is encrypted
    $ 7z x archive.zip 

*The .7z format always encrypts with AES-256. For .zip, -mem=AES256 selects AES-256; without it 7z uses the weak legacy ZipCrypto cipher.

*Encrypted header: no file list contents visible without the password

• RAR (.rar)

$ sudo apt install unrar-free
  Commands for .rar archives (*proprietary: extract only)
    • How to decompress a rar file
    $ unrar e ~/Downloads/filename.rar ~/Downloads/
    • How to decompress a rar file encrypted
    $ unrar-free -x ~/Downloads/filename.rar ~/Downloads/
    • How to decompress a rar file encrypted parts, only unrar the first part01.rar and it goes itself for the rest. Navigate to the directory containing the file:
    $ cd /path/to/directory/
    $ unrar-free -xp /part01.rar ~/Downloads/

• ZIP (.zip)

https://infozip.sourceforge.net

$ sudo apt install zip unzip
  Commands for .zip archives
    • Add file.txt to z.zip (create z if needed)
    $ zip z file.txt
    • Zip all files in current dir:
    $ zip z *
    • Zip files in current dir and subdirs also:
    $ zip -r z .
    • How to decompress a .zip file:
    $ unzip ~/Downloads/filename.zip
    • How to unzip multiple .zip files:
    $ unzip '*.zip'
    • How to decompress a .zip file to directory:
    $ unzip filename.zip -d /path/to/directory
    $ unzip -d file file.zip
    • Unzip Multiple Files (using single quote or backslash)
    $ unzip '*.zip'
    $ unzip \*.zip
    • Locale encoding name error
    $ unzip -I (encoding) (FILE_PATH) -d (Destination)
    $ unzip -I UTF-8 Desktop.zip
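  Commands for encrypted .zip archives
    • How to create an encrypted .zip file (-r includes the directory contents)
    $ zip -er filename.zip ~/Downloads/
    • How to decompress an encrypted .zip file
    $ unzip ~/Downloads/filename.zip
    • How to decompress an encrypted .zip file to directory
    $ unzip ~/Downloads/filename.zip -d ~/Downloads/

*zip -e uses the legacy ZipCrypto cipher, which is weak against known-plaintext attacks. For sensitive data prefer 7z with AES-256 or gpg -c.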

6.12 Sanitation

Visit our repo tree: 2.SECURITY/2.06_Sanitization

Metadata Cleaners

$ sudo apt install exiftool
(CLI)
$ sudo apt install metadata-cleaner
(GUI)
$ sudo apt install metacam
(GUI)

• Exiftool - https://github.com/exiftool/exiftool
• Index of ExifTool Tag Names - https://exiftool.org/TagNames/index.html
• List of PDF Tags - https://www.exiftool.org/TagNames/PDF.html
• List of Audio Tags - https://www.exiftool.org/TagNames/ID3.html
• Common Mistakes - https://exiftool.org/mistakes.html
• Exiftool Pseudo Tags - https://exiftool.org/filename.html
• Metacam - https://packages.debian.org/unstable/graphics/metacam

*Exiftool PDF Tags: "All metadata edits are reversible. While this would normally be considered an advantage, it is a potential security problem because old information is never actually deleted from the file. (However, after running ExifTool the old information may be removed permanently using the "qpdf" utility with this command: "qpdf --linearize in.pdf out.pdf".)"

∙ Exiftool
  Commands for exiftool basic commands
    • Remove all metadata from all files possible inside a folder and all its subfolders without backup (take care, might affect the colors)
    $ exiftool -v -all:all= -overwrite_original -r /path

    • Shows only selected EXIF metadata:
    $ exiftool -a -Title input.pdf
    $ exiftool -a -G1 input.pdf
    $ exiftool -a -Model -ImageSize photo.jpg
    • Process all files of specified file type (case insensitive extension)
    $ exiftool -v -Model -ImageSize -ext jpg /path/to/files/
    • Recursively process all jpg files under specified directory and sub-directory
    $ exiftool -v -r -Model -ImageSize -ext jpg /path/to/files/
    • Editing PDF metadata from command line
    $ exiftool -Title="" \
      -Author="" \
      -Description="" \
      -Subject="" \
      -Date="" \
      -CreationDate="" \
      -Publisher="" \
      -ISBN="" \
      input.pdf

*To not create a backup in command-line the option is -overwrite_original .

*To not create a backup in ExifToolGUI, there's menu "Options">"Don't backup files when modifying".

PDF Metadata

$ sudo apt-get install poppler-utils

Poppler-utils package contains pdfinfo.

$ pdfinfo input.pdf

$ pdfinfo -meta input.pdf

$ pdfinfo -js filename.pdf

∙ Metadata Cleaner
  Commands 
    $ metadata-cleaner /path/to/file.png

System Sanitation

∙ Bleachbit
$ sudo apt install bleachbit

Prevent recovery

In both user profile and root Bleachbit, go to Options -> Preferences -> General Tab and check "Overwrite contents of files to prevent recovery".

Freeze Bug - Free space erase option

Take care with free space erase in root mode, this has several problems. This can block the system from starting because the disk is full of randomized files.

Commands to debug if your system freezes

• Access tty (teletype)
CTRL + ALT + {2,3,4,5,6}
• Delete tmp files in root
User: Password:
$ sudo su
# ls
# rm -R tmp*
# reboot
• To find the large files in other folders
$ df -h
$ df -h ~/.cache
$ sudo df -h /mnt
$ find ~/.cache -xdev -type f -size +1G
$ sudo find /root -xdev -type f -size +1G
$ rm ~/.cache/tmp*
$ sudo rm /root/tmp*
∙ Free space erase from CLI
• List system targets
$ sudo bleachbit -l
• Erase space
$ sudo bleachbit --clean system.cache \
system.clipboard \
system.custom \
system.desktop_entry \
system.free_disk_space \
system.localizations \
system.memory \
system.recent_documents \
system.rotated_logs \
system.tmp \
system.trash 

* cron

∙ Locale Purge

https://wiki.debian.org/ReduceDebian

Mark your preferred language besides en-US

$ sudo apt install -y localepurge
$ sudo localepurge

In Bleachbit as Administrator, go to Options -> Preferences -> Languages Tab and mark your preferred language besides en-US. Start cleaning, this may take some time.

Full Disk Sanitation

https://wiki.debian.org/SSDOptimization
https://wiki.archlinux.org/title/Solid_state_drive

*Not all SSDs support sanitize. The proper way to erase an SSD is to use the SSD manufacturer's software. Other methods might not work, due to wear leveling and over-provisioning.

*If you use SSDs, enable TRIM in your BIOS. Confirm you are using SSD in the BIOS options.

*Consider hardware flaws.

Manufacturers that supply software to update firmware and perform tasks like secure erase

∙ ShredOS

https://github.com/PartialVolume/shredos.x86_64

∙ Nwipe

https://github.com/martijnvanbrummelen/nwipe

$ sudo apt install -y nwipe
∙ Hdparm
$ sudo apt install -y hdparm
• Commands
$ 

6.13 Display

Utilities

Set color temperature of display

Redshift
$ sudo apt install redshift
(CLI)
$ sudo apt install redshift-gtk
(GUI)

redshift.conf

https://raw.githubusercontent.com/jonls/redshift/master/redshift.conf.sample

$ ~/.config/redshift/redshift.conf
$ redshift -P -O TEMPERATURE
$ redshift -P -O 4000
$ redshift -P -O 6000
$ sudo apt install brightnessctl
$ brightnessctl s 25% && redshift -P -O 4000
$ brightnessctl s 50% && redshift -P -O 6500
$ redshift -l LAT:LONG
6.14 Files and Folders

Synchronize files and folders

$ sudo apt install grsync
(GUI)

Duplicated files

(*by name, size, hash)

dupeGuru
$ sudo apt install dupeguru
(GUI)
fdupes (slow)
$ sudo apt install fdupes
(CLI)
• Command
$ fdupes -r dir
$ fdupes -r -S .
Duplicate Files Finder with md5sum

https://github.com/pixelb/fslint

$ sudo apt install coreutils
(CLI) (BUILT-IN)
For small files based on hash:
find . -type f -print0 | xargs -0 md5sum | sort | uniq -w32 --all-repeated=separate
For large files based on size:
find . -type f -size {}c -print0 | xargs -0 md5sum | sort | uniq -w32 --all-repeated=separate

*Note: Replace "{}" with the desired file size in bytes.

For large files based on size first and then hash:

find . -not -empty -type f -printf "%s\n" | sort -rn | uniq -d |
xargs -I{} -n1 find . -type f -size {}c -print0 | xargs -0 md5sum |
sort | uniq -w32 --all-repeated=separate
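
The size-first, hash-second search above wrapped into functions, as an added example that is not part of the original page. It swaps md5sum for sha256sum (MD5 collisions can be crafted, so two different files can share an MD5) and confirms each match with cmp before reporting it. The names dupe_groups and dupe_plan are assumptions; GNU find, sort and uniq are assumed, as on Debian.

```bash
#!/bin/sh
# Added example (not from the original page). Function names are assumptions.

# dupe_groups DIR
# Prints "sha256  path" lines for files that share size AND hash with at least
# one other file under DIR, with a blank line between groups.
# Only files whose size occurs more than once are hashed.
# Note: sha256sum escapes names containing a newline or backslash; such files
# are not grouped with normally named copies.
dupe_groups() {
    local dir="${1:-.}" size
    find "$dir" -xdev -type f ! -empty -printf '%s\n' | sort -n | uniq -d |
    while IFS= read -r size; do
        find "$dir" -xdev -type f -size "${size}c" -exec sha256sum {} +
    done | sort | uniq -w64 --all-repeated=separate
}

# dupe_plan DIR
# For each group prints "KEEP path" for the first member and "DUP  path" for
# every other member that cmp(1) confirms is byte-identical to it.
# Nothing is deleted: the output is a plan to review.
dupe_plan() {
    local line path keep=""
    dupe_groups "$1" | while IFS= read -r line; do
        if [ -z "$line" ]; then
            keep=""            # blank line: next group starts
            continue
        fi
        path=${line#*  }       # strip the 64-hex hash and the two spaces
        if [ -z "$keep" ]; then
            keep=$path
            printf 'KEEP %s\n' "$path"
        elif cmp -s -- "$keep" "$path"; then
            printf 'DUP  %s\n' "$path"
        fi
    done
}
```

Run `dupe_plan ~/Downloads` and review the DUP lines before removing anything.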

Visualize folder tree

$ sudo apt install tree
• List directories only
$ tree -d
• Control the depth of the tree  
$ tree -d -L 2 .
6.15 Renamers

Renamers

Online regex tools

• Dencode - https://dencode.com
• Commonly Used Software Development Tools - https://ctool.dev
• Text Fixer - https://textfixer.com
• SS64 Syntax Utils - https://ss64.com
• Tools4noobs - https://tools4noobs.com
• Regex101 - https://regex101.com

File Naming Best Practices

You might consider including some of the following information in your file names, but you can include any information that will allow you to distinguish your files from one another.

  • Project or experiment name or acronym
  • Location/spatial coordinates
  • Researcher name/initials
  • Date or date range of experiment
  • Type of data
  • Conditions
  • Version number of file
  • Three-letter file extension for application-specific files

Another good idea is to include in the directory a readme.txt file that explains your naming format along with any abbreviations or codes you have used.

Machine readable

  • Regular expression and globbing friendly
    • Avoid spaces, punctuation, accented characters, case sensitivity
    • Easy to compute on
  • Deliberate use of delimiters

Consider these additional tips as you develop a file naming scheme:

  • A good format for date designations is YYYYMMDD or YYMMDD. This format makes sure all of your files stay in chronological order, even over the span of many years.
  • Try not to make file names too long, since long file names do not work well with all types of software.
  • Special characters such as ~ ! @ # $ % ^ & * ( ) ` ; < > ? , [ ] { } ' " and | should be avoided.
  • Illegal characters in Windows file names are: / \ ? * : | " < > .
  • When using a sequential numbering system, using leading zeros for clarity and to make sure files sort in sequential order. For example, use "001, 002, ...010, 011 ... 100, 101, etc." instead of "1, 2, ...10, 11 ... 100, 101, etc."
  • Do not use spaces. Some software will not recognize file names with spaces, and file names with spaces must be enclosed in quotes when using the command line. Other options include:
    • Underscores, e.g. file_name.xxx
    • Dashes, e.g. file-name.xxx
    • No separation, e.g. filename.xxx
    • Camel case, where the first letter of each section of text is capitalized, e.g. FileName.xxx
  • Periods can be used in files names but consider these points before doing so and proceed cautiously:
    • Periods are used in regular expressions.
    • Periods at the start of a file name are used to indicate configuration and/or hidden files in a file directory.
    • Periods are used to separate file names from file extensions.
Special Symbols
\n is a symbol for new line
\t is a symbol for tab
\r is for 'return'

Note: \n or \t or \r are interpreted inside of <pre> text </pre>

Special HTML codes

Char | Numeric code | Named code | Description
     | &#09;        |            | horizontal tab
     | &#10;        |            | line feed
     | &#13;        |            | carriage return / enter
     | &#160;       | &nbsp;     | non-breaking space
KRename
$ sudo apt install krename
(GUI)
GPRename
$ sudo apt install gprename
(GUI)
Case Styles

camelCase PascalCase kebab-case snake_case UPPER_CASE_(SNAKE_CASE)

Bash's built-in commands to rename (Debian/GNU Linux)
  • Commands with move 
    • Simply rename
    $ mv /home/user/oldname /home/user/newname
    • Convert Uppercase to Lowercase Characters #FAIL
    $ for f in *; do mv -T "$f" "$(echo $f | tr [A-Z] [a-z])"; done
    $ for i in $( ls | grep [A-Z] ); do mv -f $i `echo $i | tr 'A-Z' 'a-z'`; done
    • Rename by replacing a particular pattern in the filenames
    $ for f in *.jpg; do mv "$f" "$(echo "$f" | sed s/IMG/VACATION/)"; done
  • Commands with sed 
    • Convert Camel case to kebab-case
    $ echo "MyDirectoryFileLine" | sed -e 's/\([A-Z]\)/-\L\1/g'
    $ echo "MyDirectoryFileLine" | sed -e 's/\([A-Z]\)/-\L\1/g' -e 's/^-//'
    $ echo "MyDirectoryFileLine" | sed -e 's/\([A-Z]\)/-\1/g' -e 's/^-//'
    $ echo "MyDirectoryFileLine" | sed -e 's/[A-Z]/-\L&/g' -e 's/^-//'
    $ echo "MyDirectoryFileLine" | sed -e 's/[A-Z]/-\l&/g;s/.//'
    $ echo "SomeACRONYMInCamelCaseString" | sed -e 's/\([a-z]\)\([A-Z]\)/\1-\L\2/g' | sed -e 's/\(.*\)/\L\1/'

Convert Camel case to kebab-case

• Simple command
$ echo "MyDirectoryFileLine" | sed -e 's/\([A-Z]\)/-\L\1/g' -e 's/^-//'
• Batch command
$ find . -maxdepth 1 -type f -name '*[A-Z]*' -exec bash -c 'f=${0##*/}; mv -n -- "$0" "${0%/*}/$(echo "$f" | sed -e "s/\([A-Z]\)/-\L\1/g" -e "s/^-//")"' {} \;

Kebab-case to CamelCase

• Simple command
$ echo "my-directory-file-line" | sed -r 's/-(.)/\U\1/g'
• Batch command
$ find . -maxdepth 1 -type f -name '*-*' -exec bash -c 'mv "$0" "$(echo "$0" | sed -r "s/-(.)/\U\1/g")"' {} \;

Kebab-case to snake_case

• Simple command
$ echo "my-directory-file-line" | sed 's/-/_/g'
• Batch command
$ find . -maxdepth 1 -type f -name '*-*' -exec bash -c 'mv "$0" "$(echo "$0" | sed "s/-/_/g")"' {} \;

PascalCase to snake_case

• Simple command
$ echo "MyDirectoryFileLine" | sed -r 's/([A-Z])/_\L\1/g' | sed 's/^_//'
• Batch command
$ find . -maxdepth 1 -type f -name '*[A-Z]*' -exec bash -c 'mv "$0" "$(echo "$0" | sed -r "s/([A-Z])/_\L\1/g" | sed "s|^\./_|./|")"' {} \;

Kebab-case to CamelCase and Snake_Case with first character in uppercase, except prepositions (Title format)

• Batch command
$ find . -maxdepth 1 -type f -name '*-*' -exec bash -c '
  to_snake_case() {
    echo "$1" | sed -E "s/-/_/g" | awk '\''{
      for (i = 1; i <= NF; i++) {
        if (tolower($i) ~ /^(in|on|at|of|and|or|but|to|the|a|an)$/) {
          $i = tolower($i)
        } else {
          $i = toupper(substr($i, 1, 1)) tolower(substr($i, 2))
        }
      }
      print $0
    }'\'' FS="_" OFS="_"
  }
  new_name=$(to_snake_case "$(basename "$0" .${0##*.})")
  mv "$0" "$(dirname "$0")/$new_name.${0##*.}"
' {} \;
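
The batch commands above call mv directly, and mv replaces an existing target without asking, so two names that convert to the same result can cost you a file. As an added example (not part of the original README), this script previews CamelCase to kebab-case renames and applies only the safe ones; the function names to_kebab, plan_renames and apply_renames are hypothetical, and the conversion is written in awk instead of sed's \L.

```shell
#!/bin/sh
# Added example: preview CamelCase -> kebab-case renames, apply only safe ones.

# to_kebab NAME: same rule as the sed one-liner above (every capital becomes
# "-" plus its lowercase form, then one leading "-" is dropped).
to_kebab() {
  printf '%s\n' "$1" | awk '{
    out = ""
    for (i = 1; i <= length($0); i++) {
      c = substr($0, i, 1)
      out = out ((c ~ /[A-Z]/) ? ("-" tolower(c)) : c)
    }
    sub(/^-/, "", out)
    print out
  }'
}

# plan_renames DIR: print "STATUS<TAB>old<TAB>new" for each regular file in DIR
# whose name contains a capital letter. Nothing is renamed.
#   OK        target name is free
#   EXISTS    a file with the target name is already there
#   DUPLICATE several source files would get the same target name
# Limitation: file names containing tabs or newlines are not supported.
plan_renames() {
  dir=$1
  LC_ALL=C find "$dir" -maxdepth 1 -type f -name '*[A-Z]*' | LC_ALL=C sort |
  while IFS= read -r path; do
    old=${path##*/}
    new=$(to_kebab "$old")
    [ "$new" = "$old" ] && continue
    if [ -e "$dir/$new" ]; then pre=EXISTS; else pre=OK; fi
    printf '%s\t%s\t%s\n' "$pre" "$old" "$new"
  done |
  awk -F '\t' '
    { st[NR] = $1; old[NR] = $2; new[NR] = $3; if ($1 == "OK") seen[$3]++ }
    END {
      for (i = 1; i <= NR; i++) {
        s = st[i]
        if (s == "OK" && seen[new[i]] > 1) s = "DUPLICATE"
        printf "%s\t%s\t%s\n", s, old[i], new[i]
      }
    }'
}

# apply_renames DIR: rename only the entries marked OK; mv -n never overwrites.
apply_renames() {
  tab=$(printf '\t')
  plan_renames "$1" | while IFS=$tab read -r status old new; do
    if [ "$status" = OK ]; then
      mv -n -- "$1/$old" "$1/$new"
    fi
  done
}

# Demo on constructed, empty files in a scratch directory.
demo_dir=$(mktemp -d)
for name in MyDirectoryFileLine.txt myNotes.md My-notes.md SomeFile some-file; do
  : > "$demo_dir/$name"
done
plan_renames "$demo_dir"
rm -rf "$demo_dir"
```

Run plan_renames first and read the EXISTS and DUPLICATE lines before calling apply_renames on the same directory.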
Rename
$ sudo apt install rename
(CLI)
  • Commands for rename 
    • Syntax
    $ rename [options] 's/[pattern]/[replacement]/' [file name]
    • Replacing the blank space with an underscore (_)
    $ rename -v 'y/ /\_/' *.pdf
    $ rename -v 'y/ /\_/' ~/Downloads/*
    $ rename -v 'y/ /\_/' ~/Downloads/*.pdf
    $ rename -v 'y/\n/\_/' ~/Downloads/*.pdf
    $ rename -v 'y/\-/\_/' ~/Downloads/*.pdf
    • Commands to rename to numbered order
    $ cd /Files
    • Test the output before (* -n)
    $ rename -n 's/.+/our $i; sprintf("input%03d.png", 1+$i++)/e' *
    • Apply the change
    $ rename 's/.+/our $i; sprintf("input%03d.png", 1+$i++)/e' *
    • Delete a Part of a Filename
    $ rename -v 's/example//' *.pdf
    • Convert Uppercase to Lowercase Characters #FAIL
    $ rename -v 'y/[A-Z]/[a-z]/' *.PDF 
    $ find my_dir -type f -execdir rename 'y/A-Z/a-z/' {} \;
    • Convert Lowercase to Uppercase Characters #FAIL
    $ rename -v 'y/[a-z]/[A-Z]/' *.pdf
    • Convert to Camel case
    $ rename 's/[ _-]+(\w)/\u$1/g' *

Metadata Renamer

• Rename files and move them into directories according to the metadata they contain.
• Exiftool Pseudo Tags - https://exiftool.org/filename.html
• Illegal characters in Windows file names are: / \ ? * : | " < >

• Basic of metadata
$ exiftool -a input.pdf
$ exiftool -a -G1 input.pdf
$ pdfinfo input.pdf
$ pdfinfo -meta input.pdf
• Rename by creation date and time tags [20060327_1058-2.jpg]
$ exiftool -d %Y%m%d_%H%M%%-c.%%e "-filename
• Rename by title tag [title.pdf]
$ exiftool '-filename
• Rename by title and author tags [Title - Author .pdf]
$ exiftool '-filename<$Title ${Author}.%e' /input.pdf
• Rename by title, author and date tags [Title - Author (Year).pdf]
$ exiftool '-filename<$Title - ${Author} (${Date#;DateFmt("%Y")}).%e' /input.pdf
$ exiftool '-filename<$Title - ${Author} (${CreationDate#;DateFmt("%Y")}).%e' /input.pdf
• Recursively
$ exiftool -r '-filename<${Title} - ${Author}.%e' /DIR -ext pdf
$ exiftool -r '-filename<${Title} - ${Author} (${CreationDate#;DateFmt("%Y")}).%e' /DIR -ext pdf
$ exiftool -r '-filename<${Title}_-_${Author}_(${CreationDate#;DateFmt("%Y")}).%e' /DIR -ext pdf
• Rename by title, author and date tags [Title - Author (Year).pdf] and insert snake case format
$ exiftool -r '-filename<${Title;s/ /_/g}_-_${Author;s/ /_/g}_(${CreationDate#;DateFmt("%Y")}).%e' /DIR -ext pdf

6.16 Backup

https://github.com/bit-team/backintime
https://github.com/teejee2008/timeshift
https://github.com/restic/restic

Recover plan

Backup

Folders and Files Backup

GRSYNC (GUI)

$ sudo apt install grsync

GRSYNC is a graphical interface for the rsync command line program. It can be used for local directory synchronization.

Copy files and directories (CLI)
Full backup
$ cp -a ~/.config/example/ /media/backup
Incremental backup
$ cp -vur ~/.config/example/ /media/backup

*The -a option preserves the files' permissions/ownership.

∙ To get the progress information
$ cp -av ~/.config/example/ /media/backup

∙ Transfer progress and speed when copying files (CLI)

RSYNC

https://wiki.archlinux.org/title/Rsync

$ sudo apt install rsync
• Copying
$ rsync -ah --progress ~/source /backup/destination
$ rsync -ah --info=progress2 ~/source /backup/destination
$ rsync -rah --info=progress2 ~/source /backup/destination
• Moving
$ rsync -ravzP --remove-source-files ~/source /backup/destination
• Copy a File or Directory from Local to Remote Machine
$ rsync -ravP Directory/ server@192.168.1.56:/home/server

*This will preserve the files permissions/ownership.

DD
$ dd if=~/source of=/backup/destination status=progress
PV
$ sudo apt install pv
$ pv ~/source > /backup/destination

*This won't preserve the files permissions/ownership.

CURL
$ curl -o destination file:///path/to/source

*This won't preserve the files permissions/ownership.

Disk Imaging and Cloning

Clonezilla

The Free and Open Source Software for Disk Imaging and Cloning

https://clonezilla.org//clonezilla-live-doc.php

Changing disk name

$ cnvt-ocs-dev -d /home/partimag 'image' 'sda3' 'sda2' 

Data Integrity

https://debian.org/doc/manuals/securing-debian-manual/ch04s17.en.html#check-integ


6.17 Metaverse

Vircadia - Open Source Metaverse Platform

https://vircadia.com

An introduction to Vircadia - an Open Source desktop and VR metaverse

Overte - Open source virtual worlds and social VR

https://overte.org

Introduction to the Overte project
6.18 Online Utilities

Utilities

Message Header Analysis
Phishing and Email Reputation
Whois and DNS Lookup
Malware and Vulnerability Databases
Archiving Tools
IP and MAC Address Tools
URL and Virus Scanning
File Analysis and Reverse Engineering
Utilities and Development Tools
OSINT and Breach Checking
Translation and Others Tools

6.19 Fun

Steam OS

Steam OS

LibreELEC.tv

LibreELEC.tv

Linux distribution that transforms devices in consoles

Batocera


6.20 Tips and Tricks

Visualize folder tree

$ sudo apt install tree
• List directories only
$ tree -d
• Control the depth of the tree  
$ tree -d -L 2 .

Schedule a Shutdown in Command Line

Shutdown at specific time
$ sudo shutdown -h 23:59
Shutdown at specific date and time

Since 24 hours is 24×60 = 1440 minutes, you can adapt the delay:

$ sudo shutdown +1440

Execute shutdown +60 at a specific time and day:

$ sudo apt install at
$ echo "shutdown +767" | sudo at 08:46am 2024-09-11

Set an Alarm from the Terminal

$ sleep 5m && mpv alarm.mp3

Use Terminal as a Stopwatch

$ time cat
CTRL + C

Commands for you to find large files

$ df -h
$ df -h /home/$USER/Downloads
$ du -h ~/Downloads | sort -rh | head -n 10
$ find ~/Downloads -type f -size +3G -exec du -h {} + | sort -rh
$ find /home/$USER/Downloads -xdev -type f -size +1G
$ find . -size +1M  -printf "%p \t%k kb\n" | sort -k2n

Editing text with sed in terminal

Be cautious when using -n (quiet) together with -i (in-place): the former disables automatic printing of lines and the latter changes the file in place without a backup. Make a backup before editing by using -i.bak.

$ sed --options [optional SCRIPT] [INPUT STREAM]
• Append line after match
$ sed  '/option/a Hello World' *.txt
• Insert line before match
$ sed  '/option/i Hello World' *.txt
• Append text after the line of the first match only
$ sed -e '0,/option/{/option/a Hello World' -e '}' *.txt
• Insert text before the line of the first match only
$ sed -e '0,/option/{/option/i Hello World' -e '}' *.txt
• Inserting a text file. Content of text1 after the first line of text2.txt
$ sed -i -e '1r text1' text2.txt
• Append string in a multiline text
$ sed -i '/pattern/ r snippet.txt' filename
• Batch inserting specific text after pattern in .txt files
$ sed -i '/SearchPattern/a New Text' *.txt
$ find . -name '*.txt' -exec sed -i -e 's/textp1/textp2 text.txt/g' {} \;
• Replacement syntax
$ sed s/regexp/replacement/[flags]
• Replace closed with open on lines containing code
$ sed '/code/ s/closed/open/' text.txt 
• Replace all closed with open on lines containing code
$ sed '/code/ s/closed/open/g' text.txt
• Replace all occurrences of ‘hello’ to ‘world’ in the file input.txt:
$ sed 's/hello/world/g' input.txt > output.txt
• Batch removing specific text in .txt files,
  the -i option tells sed to make the change
  in place, inside the file itself
$ sed -i 's/text//g' *.txt
• Batch making a backup before editing the file,
  by specifying a suffix when using -i
$ sed -i.bak 's/word//g' *.txt
• Convert Lowercase to Uppercase Characters
$ sed -i 's/.*/\U&/' text.txt
$ sed 's/[a-z]/\U&/g' < ./myfile.txt
$ echo "hello world" | sed 's/[a-z]/\U&/g'
• Convert Uppercase to Lowercase Characters
$ echo "HELLO WORLD " | sed 's/[A-Z]/\L&/g'
• Remove leading spaces and tabs from line
$ sed 's/^[ \t]*//' text.txt
• Remove all digits in a range
$ sed 's/[0-9]//g' text.txt
*Note, in terminal:
Alt + u	Make uppercase from the cursor position to the end of the word.
Alt + l	Make lowercase from the cursor position to the end of the word/text.

Reopen maximized browser

To open maximized browser window use "--start-maximized" as a parameter.

$ nano /home/user/Desktop/browser.desktop

[Desktop Entry]
Exec=/usr/bin/browser --start-maximized %U

Getting window sizes in shell

$ wmctrl -lG

Change default editor for visudo

By default, Linux systems use the $VISUAL or $EDITOR environment variables (usually defined in your ~/.bashrc file or /etc/profile) as the default editor for the visudo command. If you'd prefer to use a different editor, such as nano, you can use either of these methods.

  1. To temporarily use a different editor, run:
    
    $ sudo EDITOR=/path/to/editor visudo
    
    

    For example, to use nano, you would run:

    $ sudo EDITOR=nano visudo
    
  2. To permanently change the default editor, edit the /etc/sudoers file (you can use the temporary method above!) and add the following line to the file near the top, but after Defaults env_reset:
    Defaults editor=/path/to/editor
    

Reference: https://unix.stackexchange.com/questions/4408/how-to-set-visudo-to-use-a-different-editor-than-the-default-on-fedora

Test whether a command is a bash shell built-in or an external program (package)

http://www.gnu.org/software/bash/manual/html_node/Bash-Builtins.html https://gnu.org/software/bash/manual/html_node/Shell-Builtin-Commands.html
http://pubs.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_04
https://en.wikipedia.org/wiki/POSIX
https://packages.debian.org/stable
http://www.gsp.com/cgi-bin/man.cgi?section=1&topic=zshbuiltins

• Use type command
$ type -t cd
$ type -t ls
$ type -t test
$ type -t echo
$ type -t apt
$ type -t grep
$ type -t for
• Use builtin command 
$ builtin cd
$ builtin ls
$ builtin test
$ builtin echo
$ builtin apt
$ builtin grep
$ builtin for
• You can use the builtin command enable to show the list of builtin commands and their activation state
$ enable -a

Why use a built-in command? It does not depend on being granted permission to install packages, works on reduced systems such as embedded Linux hardware (IoT), reduces the attack surface and has better performance.

Changing terminal command output language

• For just a single command, from native language to English
$ LC_ALL=C man ls
$ LC_ALL=C sudo apt update

Grep - Global regular expression search

• Commands
$ man find | grep -A 4 -- '-size'
$ man find | grep -e '-size'


7. DEV SETUP

👷🛠️UNDER CONSTRUCTION🚧🏗

7.01 System Tweaks

Visit our repo tree: 5.DEVELOPMENT

System Tweaks

∙ Terminal
∙ Window Shortcuts
∙ Passwords
Manager
SSH
∙ Interface

7.02 IDEs

IDEs

• NeoVim

https://neovim.io
https://neovim.io/doc/user/starting.html
https://neovim.io/doc/user/usr_01.html#vimtutor
https://github.com/neovim/nvim-lspconfig#suggested-configuration
https://youtube.com/watch?v=RZ4p-saaQkc
https://github.com/rockerBOO/awesome-neovim
https://reddit.com/r/neovim

∙ Setups
https://github.com/nvim-lua/kickstart.nvim
https://github.com/LazyVim/LazyVim
https://github.com/LunarVim/LunarVim
https://github.com/NvChad/NvChad
https://spacevim.org/
∙ Plugins
https://siddharta.me/configuring-neovim-as-a-python-ide-2023.html
https://thevaluable.dev/vim-php-ide/

• VSCodium

https://github.com/VSCodium/vscodium
https://reddit.com/r/vscodium

∙ Extensions

• Sublime-text®

https://sublimetext.com/docs/linux_repositories.html
https://reddit.com/r/sublimetext


7.03 Git & GitHub

Git & GitHub


7.04 Languages

Languages

• C, C++, C#

• Python

• Rust

• PHP

• Ruby


7.05 Others

Others

• Deploy

• Database

• Projects Folder

• Team



8. SYSADMIN

👷🛠️UNDER CONSTRUCTION🚧🏗

8.01 Sysadmin

Visit our repo tree: 6.SYSADMIN



9. TROUBLESHOOTING

👷🛠️UNDER CONSTRUCTION🚧🏗

9.01 Linux Community

Linux Community

https://forums.debian.net
https://unix.stackexchange.com
https://askubuntu.com
https://forum.linuxfoundation.org
https://docs.kernel.org
https://linuxquestions.org
https://superuser.com
https://stackoverflow.com
https://howtoforge.com
https://security.stackexchange.com
https://data.stackexchange.com
https://elinux.org
https://hardforum.com
https://snbforums.com
https://reddit.com/r/debian
https://reddit.com/r/linuxquestions
https://reddit.com/r/sysadmin


9.02 Audit Logs

Audit Logs

$ sudo dmesg --since -5m
$ sudo dmesg -w
$ sudo dmesg | grep iwl
$ sudo dmesg | grep rtw
$ sudo dmesg | grep ath
$ sudo dmesg -T | grep xhci
$ sudo journalctl -k -b -1
$ sudo journalctl -p 3 -xb
$ sudo journalctl -b | grep -i net
$ sudo journalctl -S -1h00m
$ sudo journalctl -S today
$ sudo journalctl -S today -u name.service
$ sudo journalctl -S "2024-01-01 00:00:00"
$ sudo journalctl -S "2024-01-01 00:00:00" > ~/journal.txt
$ sudo tail /var/log/syslog
$ sudo tail -n20 /var/log/syslog
$ sudo tail -f /var/log/syslog
$ head /home/$USER/file.txt
$ head -n20 /home/$USER/file.txt

Terminal output in English

To only run a single command in English, you can write the LANG=C directly in front of the command itself, e.g.

LANG=C sudo apt-get update

All program output will be in English. You can add a line

export LANG=C

to the end of your ~/.bashrc file and restart the terminal.


9.03 System Boot

https://wiki.debian.org/KernelHeaders

Grub

The simplest way to display your Grub is to press and hold the shift button while booting.

System Boot

∙ Rescue Mode

Debian Live in Rescue Mode

∙ rEFInd (GUI)

Download rEFInd rescue media

https://rodsbooks.com/refind/getting.html

∙ Grub customizer (GUI)
$ sudo apt install grub-customizer

∙ Restoring grub

$ sudo cp /usr/share/grub/default/grub /etc/default/grub
$ sudo update-grub
$ sudo apt -f install

∙ Menuentries debug

$ sudo ls /boot
$ sudo ls -l /vmlinuz
$ sudo ls /boot | grep vmlinuz
$ sudo dpkg -l | grep grub
$ sudo dpkg -l | grep linux-image
$ sudo dpkg -l | grep linux-headers
$ sudo ls /sys/firmware
$ sudo cat /etc/default/grub
$ sudo cat /boot/grub/grub.cfg
$ sudo cat /boot/grub/grub.cfg | grep menuentry
$ sudo cat /boot/grub/grub.cfg | grep submenu
$ sudo ls /etc/grub.d
$ sudo cat /etc/grub.d/40_custom
∙ Chroot
$ sudo

∙ Grub Issues

Removable Medium Boot

$ sudo grub-install /dev/sdX -v --force-extra-removable

Crypttab

$ sudo nano /etc/default/grub
GRUB_DISABLE_OS_PROBER=false
GRUB_ENABLE_CRYPTODISK=y
$ sudo update-grub

Remove Old Kernels

An easy way to remove old kernels is to use Synaptic Package Manager to search for "linux-image" and "linux-headers" and remove all except the version you are currently using.

Not recommended

$ sudo dpkg -l | grep linux-image
$ sudo dpkg -l | grep linux-headers
$ sudo rm /boot/*-4.18.0-{15,17}-*
$ sudo dpkg --configure -a
$ sudo apt install -f
$ sudo update-grub
$ sudo apt autoremove
$ sudo apt upgrade
9.04 Display Manager and Monitors

Display Manager and Monitors

https://wiki.archlinux.org/title/Display_manager
https://baeldung.com/linux/display-managers-install-uninstall
https://github.com/sddm/sddm/releases

Brightness

$ sudo apt install -y brightnessctl
$ brightnessctl s 100%
$ brightnessctl s 70%
$ brightnessctl s 50%

Environment variables

Qt applications can be scaled with the following environment variables. Note that many applications hard-code sizes and fonts, so the result in such applications may not be as expected.

$ export QT_AUTO_SCREEN_SCALE_FACTOR=0
$ export QT_SCALE_FACTOR=1
$ export QT_FONT_DPI=96

Monitor and resolution

https://dpi.lv

$ sudo apt install arandr
(GUI)
$ sudo apt install xserver-xorg-input-all

Debug commands

$ sudo apt install inxi
$ sudo inxi -G
$ sudo inxi -Fxxrzc0
$ sudo xrandr --output eDP-1 --primary
$ sudo xrandr --output DP2 --auto --left-of DP1
$ sudo xrandr --output LVDS1 --panning 1920x1080 --scale 1.406x1.406
$ sudo xrandr --output LVDS1 --panning 1366x768 --scale 1x1

You can make this change permanent for a specific user by adding this to the startup applications:

$ /usr/bin/xrandr --output LVDS1 --panning 1920x1080 --scale 1.406x1.406

*Firefox and Thunderbird - Advanced Settings

layout.css.devPixelsPerPx	0.8

SDDM

Debug commands

$ sudo systemctl status default.target
$ sudo systemctl status sddm.service
$ sudo systemctl list-unit-files | grep sddm
$ sudo ls -la /etc/systemd/system/display-manager.service
$ cat /proc/cmdline
$ sudo dpkg-reconfigure sddm
9.05 Network

https://wiki.ubuntu.com/X/Debugging/WirelessWithoutX
https://wireless.wiki.kernel.org/en/users/drivers/iwlwifi
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/intel
https://intel.com/content/www/us/en/support/articles/000005511/network-and-io/wireless.html
https://wiki.archlinux.org/title/Power_management#USB_autosuspend
https://docs.kernel.org/driver-api/usb/power-management.html

Troubleshoot a network using the OSI model, working from the physical layer up to the application layer.

First things first:

$ sudo apt install firmware-realtek

or

$ sudo apt install firmware-iwlwifi

or

$ sudo apt install firmware-atheros

• Network

∙ Debug WiFi

Debug WiFi by OSI Layers

Application Layer (7)
  • $ nmcli radio wifi off
  • $ nmcli radio wifi on
  • $ sudo ls /etc/NetworkManager/
  • $ sudo cat /etc/NetworkManager/NetworkManager.conf
  • $ sudo journalctl -u NetworkManager
  • $ sudo journalctl -xe NM_CONNECTION=123456 + NM_DEVICE=eth0
  • $ sudo systemctl status NetworkManager.service
  • $ sudo systemctl restart NetworkManager.service
  • $ sudo systemctl status resolvconf.service
  • $ sudo systemctl restart resolvconf.service
  • $ sudo systemctl status systemd-resolved.service
  • $ sudo systemctl restart systemd-resolved.service
Presentation Layer (6)
  • $ sudo cat /etc/resolv.conf
  • $ sudo cat /run/resolvconf/resolv.conf
  • $ sudo cat /lib/systemd/resolv.conf
  • $ sudo cat /etc/systemd/resolved.conf
  • $ sudo cat /run/systemd/resolve/stub-resolv.conf
  • $ sudo cat /var/run/NetworkManager/resolv.conf
  • $ echo "blacklist conflicting_driver" | sudo tee -a /etc/modprobe.d/blacklist.conf
Network Layer (5)
  • $ ip address
  • $ ip route
  • $ nmcli device show
  • $ nmcli dev wifi
  • $ nmcli device show wlan0 | grep IP4.DNS
  • $ sudo journalctl -b | grep -i net
  • $ ping -c3 8.8.8.8
  • $ ping localhost
  • $ traceroute 8.8.8.8
  • $ traceroute localhost
  • $ sudo grep -c dnsmasq /var/log/*
  • $ sudo grep -c dnsmasq /var/log/syslog
  • $ sudo dnsmasq --no-daemon --log-queries=extra --log-dhcp --log-debug -C /etc/dnsmasq.conf
  • $ sudo dhclient -v
  • $ sudo apt install resolvconf
  • $ sudo resolvconf --list
  • $ sudo resolvconf --enable-updates
  • $ sudo resolvconf -u
  • $ sudo systemctl status resolvconf.service
  • $ sudo systemctl restart resolvconf.service
  • $ sudo apt install systemd-resolved
  • $ sudo systemctl status systemd-resolved.service
  • $ sudo systemctl restart systemd-resolved.service
Data Link Layer (4)
  • $ ip link
  • $ sudo iwconfig wlan0
  • $ sudo iwconfig eth0
  • $ sudo ifconfig wlan0
Physical Layer (3)
  • $ sudo ifconfig wlan0 down
  • $ sudo ifconfig wlan0 up
  • $ sudo ifconfig eth0 down
  • $ sudo ifconfig eth0 up
  • $ sudo dmesg | grep iwl
  • $ sudo dmesg | grep rtw
  • $ sudo dmesg | grep ath
  • $ lsusb
  • $ ls /sys/bus/usb/devices
Data Link Layer (2)
  • $ ip link
  • $ sudo iwconfig eth0
  • $ sudo iwconfig wlan0
  • $ sudo ifconfig wlan0
Physical Layer (1)
  • $ sudo ifconfig wlan0 down
  • $ sudo ifconfig wlan0 up
  • $ sudo ifconfig eth0 down
  • $ sudo ifconfig eth0 up
  • $ sudo dmesg | grep iwl
  • $ sudo dmesg | grep rtw
  • $ sudo dmesg | grep ath
  • $ lsusb
  • $ ls /sys/bus/usb/devices
  • $ echo 'on' | sudo tee /sys/bus/usb/devices/1-4/power/control
  • $ sudo modprobe -rv [WIFIMODULE] && sudo modprobe -v [WIFIMODULE]

*SIOCSIFFLAGS
*RTNETLINK

∙ Getting help
  1. Enable Debugging Features:
    • Depending on your Linux distribution, you may need to enable specific debug options. For example, you can enable debug logging for NetworkManager by editing its configuration file:
    • sudo nano /etc/NetworkManager/NetworkManager.conf
    • Add the following lines under the [logging] section:
    • [logging]
      level=DEBUG
    • Save the file and restart NetworkManager:
    • sudo systemctl restart NetworkManager
  2. Send Kernel Logs with Debugging On:
    • After enabling debugging features, gather kernel logs and NetworkManager logs:
    • sudo dmesg | grep wifi > kernel_logs.txt
    • sudo journalctl -u NetworkManager > nm_logs.txt
  3. Be Specific About Hardware and Software:
    • Mention the specific hardware details such as the Wi-Fi adapter model, firmware version, Linux distribution, and kernel version.
  4. Describe What Doesn't Work and What You've Tried:
    • Clearly explain the issues you are facing with your Wi-Fi, such as connection drops, slow speeds, or inability to connect. Mention any troubleshooting steps you've already taken, such as restarting the router, checking network settings, or reinstalling drivers.
  5. Include Wireless Captures:
    • Use tools like Wireshark to capture wireless traffic for further analysis.
    • Install Wireshark if not already installed:
    • sudo apt install wireshark
    • Capture Wi-Fi packets on your specific interface (e.g., wlan0):
    • sudo tshark -i wlan0 -w wifi_capture.pcap
  6. Contacting Support or Forums:
    • Once you have gathered all the necessary information, consider reaching out to the official support channels of your Wi-Fi adapter's manufacturer, Linux distribution forums, or community support forums like Stack Exchange or Reddit. Provide all the details you've gathered to get more targeted assistance.
∙ Debug Hardware
$ sudo lspci
$ sudo lspci -v -k
$ sudo lspci -v | grep Ethernet
$ sudo lspci -knn | grep Net -A2
$ sudo lsusb
$ sudo apt install lshw
$ sudo lshw -C network
$ sudo apt install inxi
$ sudo inxi -Fxxz

*PCI vs USB - Kernel - Integrated chip - Need to investigate

Listing modules

$ sudo lsmod
$ sudo lsmod | grep iwl
$ sudo lsmod | grep rtw
$ sudo lsmod | grep ath

Module info

$ sudo modinfo rtw_8723d

Rfkill

$ sudo apt install rfkill
Commands
$ sudo rfkill list
$ sudo rfkill unblock wifi
$ sudo rfkill unblock all
∙ Deactivating and Activating WiFi Firmware

Deactivating module

$ sudo modprobe -vr rtw_8723d
$ sudo modprobe -vr rtw_core

Activating module

$ sudo modprobe -v rtw_core
$ sudo modprobe -v rtw_8723d
∙ Power and suspend control
$ sudo ls /etc/NetworkManager/conf.d
$ sudo touch /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf
$ sudo nano /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf
[connection]
wifi.powersave = 2

or simply

$ sudo sed -i 's/3/2/' /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf

Notes:
pcie_aspm.policy=powersave
pcie_aspm.policy=performance
usbcore

∙ Wifi stops working after resume
$ sudo touch /etc/modprobe.d/50-rtw-core.conf
$ sudo nano /etc/modprobe.d/50-rtw-core.conf
options rtw_core
$ sudo modprobe -rv [WIFIMODULE] && sudo modprobe -v [WIFIMODULE]
∙ DNS Issues

Resolvectl: "resolvectl is a multi-call binary. When invoked as "resolvconf" (generally achieved by means of a symbolic link of this name to the resolvectl binary) it is run in a limited resolvconf(8) compatibility mode. It accepts mostly the same arguments and pushes all data into systemd-resolved.service(8), similar to how dns and domain commands operate. Note that systemd-resolved.service is the only supported backend, which is different from other implementations of this command.

Systemd-resolved: "the DNS servers contacted are determined from the global settings in /etc/systemd/resolved.conf, the per-link static settings in /etc/systemd/network/*.network files (in case systemd-networkd.service(8) is used), the per-link dynamic settings received over DHCP, information provided via resolvectl(1), and any DNS server information made available by other system services. See resolved.conf(5) and systemd.network(5) for details about systemd's own configuration files for DNS servers. To improve compatibility, /etc/resolv.conf is read in order to discover configured system DNS servers, but only if it is not a symlink to /run/systemd/resolve/stub-resolv.conf, /usr/lib/systemd/resolv.conf or /run/systemd/resolve/resolv.conf ."

/etc/resolv.conf will only be updated with servers added with this command when /etc/resolv.conf is a symlink to /run/systemd/resolve/resolv.conf, and not a static file."

Add a custom DNS
$ sudo nano /etc/systemd/resolved.conf

[Resolve]
DNS=8.8.8.8 1.1.1.1
$ sudo systemctl restart systemd-resolved.service
$ sudo systemctl status systemd-resolved.service
$ sudo apt install iproute2
$ sudo ss -nlup
$ sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
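
The rules quoted above decide whether systemd-resolved provides /etc/resolv.conf or reads it as a consumer, so it is worth checking before and after changing the symlink. As an added example (not part of the original README or of systemd), this script classifies a resolv.conf path with the mode names stub, uplink, static, foreign and missing, as shown by resolvectl status; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which resolv.conf mode systemd-resolved sees.

# resolv_mode [PATH]: classify PATH (default /etc/resolv.conf) by what it is
# and, for a symlink, by its link target. Only the absolute target and the
# ../-relative form used from /etc are recognised.
resolv_mode() {
  f=${1:-/etc/resolv.conf}
  if [ -L "$f" ]; then
    case $(readlink "$f") in
      /run/systemd/resolve/stub-resolv.conf|../run/systemd/resolve/stub-resolv.conf)
        echo stub ;;      # applications talk to the local stub resolver
      /run/systemd/resolve/resolv.conf|../run/systemd/resolve/resolv.conf)
        echo uplink ;;    # file lists the upstream servers, kept up to date
      /usr/lib/systemd/resolv.conf|../usr/lib/systemd/resolv.conf)
        echo static ;;    # fixed file shipped with systemd
      *)
        echo foreign ;;   # symlink to something another package manages
    esac
  elif [ -e "$f" ]; then
    echo foreign          # plain file: systemd-resolved reads it as a consumer
  else
    echo missing
  fi
}

# resolv_nameservers [PATH]: print the nameserver addresses listed in PATH.
resolv_nameservers() {
  awk '$1 == "nameserver" && NF >= 2 { print $2 }' "${1:-/etc/resolv.conf}" 2>/dev/null
}

# resolv_report [PATH]: one summary line. read_by_resolved=yes means the file
# is an input to systemd-resolved, so servers written there are picked up.
resolv_report() {
  target=${1:-/etc/resolv.conf}
  mode=$(resolv_mode "$target")
  case $mode in
    foreign) consumed=yes ;;
    *) consumed=no ;;
  esac
  ns=$(resolv_nameservers "$target" | paste -sd, -)
  printf 'mode=%s read_by_resolved=%s nameservers=%s\n' "$mode" "$consumed" "${ns:-none}"
}

# Demo on constructed files in a scratch directory (documentation addresses).
demo=$(mktemp -d)
ln -s /run/systemd/resolve/stub-resolv.conf "$demo/as-stub"
printf 'nameserver 192.0.2.53\nnameserver 2001:db8::53\n' > "$demo/as-file"
for p in "$demo/as-stub" "$demo/as-file" "$demo/absent"; do
  resolv_report "$p"
done
rm -rf "$demo"
```

Call resolv_report without an argument to inspect the real /etc/resolv.conf.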
• Syntax checks
$ sudo dnsmasq --test
• Print errors
$ sudo grep -c dnsmasq /var/log/*
$ sudo grep -c dnsmasq /var/log/syslog
$ sudo dnsmasq --no-daemon --log-queries=extra --log-dhcp --log-debug -C /etc/dnsmasq.conf
$ sudo dhclient -v
Disabling NetworkManager's own dnsmasq

👷🛠️UNDER CONSTRUCTION🚧🏗

$ sudo nano /etc/NetworkManager/NetworkManager.conf

#dns=dnsmasq

$ sudo systemctl restart NetworkManager.service
Disabling NetworkManager's IPv6
$ sudo
NetworkManager dnsmasq (CLI)

DNS requests are directed to VPN-supplied DNS servers without any manipulations with dnsmasq, up/down/dispatch helper scripts.

nmcli -p connection modify MY_VPN_CONNECTION ipv4.never-default no
nmcli -p connection modify MY_VPN_CONNECTION ipv4.ignore-auto-dns no
nmcli -p connection modify MY_VPN_CONNECTION ipv4.dns-priority -42

*Using OpenVPN through NetworkManager (GUI) allows users to disable the connection.

∙ DHCP Issues
$ sudo apt install tcpdump
$ sudo apt install nmap
$ sudo apt install wireshark
9.06 USB Devices

https://wiki.ubuntu.com/Kernel/Debugging/USB
https://wiki.archlinux.org/title/Power_management#USB_autosuspend
https://docs.kernel.org/driver-api/usb/power-management.html
https://wiki.debian.org/HowToIdentifyADevice/USB
https://wiki.debian.org/HowToIdentifyADevice/PCI
https://kernel.org/doc/html/latest/usb/index.html
https://kernel.org/doc/html/v4.16/driver-api/usb/power-management.html
UAS Issues - https://forums.raspberrypi.com/viewtopic.php?t=245931

Bug - xhci_hcd 0000:15:00.0: WARN Set TR Deq Ptr cmd failed due to incorrect slot or ep state - https://bugzilla.kernel.org/show_bug.cgi?id=202541
Bug - CPU hard lockup related to xhci/dma - https://bugzilla.kernel.org/show_bug.cgi?id=217242
Bug - Debootstrap is very slow. Please use eatmydata to fix this. - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700633

Tip: If you are transferring large amounts of data via a problematic USB, use grsync as a manager.

USB debug

$ lsusb -t
$ lsusb -v
$ lsusb -v | grep 1111
$ usb-devices
$ sudo dmesg -w
$ sudo dmesg -T | grep xhci
$ sudo lspci -v | grep xhci
$ sudo grep -i xhci /boot/config-$(uname -r)

See usb device getting plugged in

$ sudo dmesg -wH

Firmware

$ sudo modinfo xhci_hcd
$ sudo modinfo ehci_hcd
$ sudo modinfo btusb
$ sudo modprobe -v ohci-pci
$ sudo modprobe -v ehci-hcd
$ sudo modprobe -v xhci-hcd
$ sudo modprobe -v xhci-pci

You may try to force your system to use USB 2.0 instead of USB 1.1:

$ sudo modprobe -vr ohci-pci
$ sudo modprobe -v ehci-hcd

Deactivate

$ sudo modprobe -vr xhci-hcd
$ sudo modprobe -vr xhci-pci

Activate

$ sudo modprobe -v xhci-hcd
$ sudo modprobe -v xhci-pci

Power and suspend control

$ lsusb
$ ls /sys/bus/usb/devices
$ echo 'on' | sudo tee /sys/bus/usb/devices/1-4/power/control
$ sudo cat /etc/tlp.conf
$ grep . /sys/bus/usb/devices/*/power/autosuspend
$ grep . /sys/bus/usb/devices/*/power/autosuspend | awk -F: '{print $1}' | xargs -I{} sudo sh -c 'echo "-1" > {}'
$ grep . /sys/bus/usb/devices/*/power/control
$ grep . /sys/bus/usb/devices/*/power/control | awk -F: '{print $1}' | xargs -I{} sudo sh -c 'echo "on" > {}'
$ grep . /sys/bus/usb/devices/*/power/wakeup
$ grep . /sys/bus/usb/devices/*/power/wakeup | awk -F: '{print $1}' | xargs -I{} sudo sh -c 'echo "disabled" > {}'

If your keyboard, mouse, or other devices stop working sometimes, power management might be affecting you. Execute this command to check:

$ cat /sys/module/usbcore/parameters/autosuspend

You are affected if you get back a "2". To disable it, simply write a -1 to that file as root:

$ sudo su
# echo -1 > /sys/module/usbcore/parameters/autosuspend

To make the change permanent, edit the GRUB configuration:

$ sudo nano /etc/default/grub

Add usbcore.autosuspend=-1 to the end of the command in GRUB_CMDLINE_LINUX_DEFAULT:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash usbcore.autosuspend=-1"

Then update GRUB:

$ sudo update-grub

Alternatively, you can use this one-line command to modify the configurations:

$ sudo sed -i.bak '/^GRUB_CMDLINE_LINUX_DEFAULT/ s/"$/ usbcore.autosuspend=-1"/' /etc/default/grub && sudo update-grub

Verify:

$ sudo cat /etc/default/grub
UAS Issues

https://forums.raspberrypi.com/viewtopic.php?t=245931

Symptoms of a misbehaving UAS device

• Slow transfers
• Frequent disconnects-reconnects
• Dmesg reports errors relating to a UAS device.

Solving

Plug in the USB device(s) and run the command dmesg

$ sudo dmesg --since -2m

Take note of the VID (idVendor) and PID (idProduct) of your USB device(s)

(...)
[ 4906.696463] usb 2-1: New USB device found, idVendor=1111, idProduct=2222, bcdDevice=c3.33
(...)

Add the quirks to /boot/cmdline.txt

$ sudo nano /boot/cmdline.txt

Add the text with your idVendor and idProduct, respectively.

usb-storage.quirks=1111:2222:u
usb-storage.quirks=4444:5555:u,6666:7777:u,8888:9999:u

Reboot

$ sudo reboot

Check

$ sudo dmesg | grep usb-storage
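
Copying the VID and PID by hand into a single-line kernel command line is easy to get wrong, and a malformed entry is silently ignored. As an added example (not part of the original README), this script builds the usb-storage.quirks= parameter from "New USB device found" log lines and merges it into a command line; the function names uas_quirks and merge_cmdline are hypothetical and the log lines are constructed.

```shell
#!/bin/sh
# Added example: build a usb-storage.quirks= parameter from kernel log lines
# and merge it into a one-line kernel command line.

# Constructed sample input in the dmesg format shown above; IDs are placeholders.
SAMPLE_DMESG='[ 4906.696463] usb 2-1: New USB device found, idVendor=1111, idProduct=2222, bcdDevice=c3.33
[ 4906.701210] usb 2-1: Product: Constructed UAS Bridge
[ 5010.118800] usb 2-2: New USB device found, idVendor=4444, idProduct=5555, bcdDevice= 1.00
[ 5100.000001] usb 2-1: New USB device found, idVendor=1111, idProduct=2222, bcdDevice=c3.33
[ 5200.000002] usb 1-3: New USB device found, idVendor=ABCD, idProduct=ZZZZ, bcdDevice= 2.00'

# uas_quirks [PORT]: read dmesg text on stdin and print one
# usb-storage.quirks=VID:PID:u,... line. With PORT (for example 2-1) only that
# port is considered. Only well-formed 4-hex-digit IDs are accepted, repeated
# plug-in events collapse to one entry. Returns 1 when nothing usable is found.
uas_quirks() {
  if [ -n "${1:-}" ]; then filter="usb $1: "; else filter="New USB device found"; fi
  pairs=$(grep -F -- "$filter" |
    sed -n 's/.*idVendor=\([0-9A-Fa-f]\{4\}\), idProduct=\([0-9A-Fa-f]\{4\}\),.*/\1:\2:u/p' |
    tr 'A-F' 'a-f' | awk '!seen[$0]++' | paste -sd, -)
  [ -n "$pairs" ] || return 1
  printf 'usb-storage.quirks=%s\n' "$pairs"
}

# merge_cmdline CMDLINE PARAM: print CMDLINE with any existing
# usb-storage.quirks= token dropped and PARAM appended, still on one line.
merge_cmdline() {
  printf '%s\n' "$1" | awk -v p="$2" '{
    out = ""
    for (i = 1; i <= NF; i++)
      if ($i !~ /^usb-storage\.quirks=/) out = out (out == "" ? "" : " ") $i
    print out (out == "" ? "" : " ") p
  }'
}

# Demo: parameter for the constructed log, then a merged (constructed) command line.
quirks=$(printf '%s\n' "$SAMPLE_DMESG" | uas_quirks) &&
  merge_cmdline "console=tty1 rootwait usb-storage.quirks=aaaa:bbbb:u quiet" "$quirks"
```

On a real system, feed it with sudo dmesg | uas_quirks 2-1 so that only the storage device's port is picked up, and review the merged line before writing it to /boot/cmdline.txt.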
udisks2.service
$ sudo systemctl status udisks2.service
$ sudo apt install libblockdev-crypto2 libblockdev-mdraid2 --no-install-recommends
intel_iommu=off
legacy USB

In the BIOS, keep USB 3.0 and any other USB options turned on, but turn off the legacy USB option. Be aware that after disabling legacy USB you could, in some cases, lose the ability to enter your BIOS if you have a USB keyboard, because the keyboard will not work at the moment you need to press DEL, F2 or whichever key opens the setup.

Mouse

https://github.com/sriemer/fix-linux-mouse


9.07 Bluetooth

Bluetooth

https://wiki.archlinux.org/title/Bluetooth
https://wiki.archlinux.org/title/Bluetooth#Troubleshooting
https://wiki.debian.org/BluetoothUser
https://wiki.debian.org/Bluetooth/Alsa
https://github.com/Arkq/bluez-alsa

First things first:
$ sudo apt install firmware-realtek

or

$ sudo apt install firmware-iwlwifi

or

$ sudo apt install firmware-atheros
Audio compatibility
$ sudo apt install pulseaudio-module-bluetooth

or

$ sudo apt install bluez-alsa-utils

Debug

$ sudo service bluetooth status
$ hciconfig -a
$ hciconfig hci0
$ sudo dmesg | grep Bluetooth
$ sudo dmesg | grep iwl
$ sudo dmesg | grep rtl
$ sudo dmesg | grep ath
Connecting Bluetooth
  Commands 
    • Connecting Bluetooth manually with BlueZ
    $ bluetoothctl
    [bluetooth]# scan on
    [bluetooth]# pair xx:xx:xx
    [bluetooth]# connect xx:xx:xx 
    [bluetooth]# trust xx:xx:xx 
    [bluetooth]# block yy:yy:yy
Bluetooth Management
  Commands 
    • Bluetooth management
    $ btmgmt
    [btmgmt]# info
Bluetooth Audio ALSA Backend (bluealsa)

https://github.com/arkq/bluez-alsa/wiki/Bluetooth-Pairing-And-Connecting

$ sudo apt install bluez-alsa-utils
Mouse

https://github.com/sriemer/fix-linux-mouse


9.08 Sound

https://wiki.ubuntu.com/DebuggingSoundProblems
https://wiki.archlinux.org/title/Advanced_Linux_Sound_Architecture
https://wiki.archlinux.org/title/PulseAudio/Troubleshooting
https://thesofproject.github.io/latest/getting_started/intel_debug/suggestions.html
https://wiki.debian.org/Sound
https://wiki.debian.org/SoundConfiguration
https://alsa-project.org
https://github.com/thesofproject/sof/issues
https://github.com/thesofproject

First things first:

$ sudo apt install firmware-sof-signed
$ sudo apt install firmware-intel-sound

Debug commands

List of PLAYBACK Hardware Devices

$ aplay -l
$ lspci |grep -i audio
$ cat /proc/asound/cards
$ cat /proc/asound/card*/id

List of CAPTURE Hardware Devices

$ arecord -l

Testing

$ speaker-test

Other debug commands

$ cat /proc/asound/cards
$ cat /proc/asound/modules
$ lspci -v | grep Audio
$ lsusb
$ lsmod | grep snd
$ aplay -lL
$ amixer
$ amixer -c0
$ sudo dpkg-reconfigure linux-sound-base
$ sudo alsa-info

ALSA

The "Advanced Linux Sound Architecture" (ALSA) is a part of the Linux kernel. PulseAudio is a sound server that sits between ALSA and user applications, aiming to provide easy automatic sound configuration for users. PulseAudio controls underlying ALSA-level volume controls.

$ sudo apt install alsa-utils
$ alsamixer
$ amixer -c 0 set Master 100%
$ amixer -c 1 set Speaker 50%
$ amixer -c 1 set Speaker 3db
$ amixer -c 1 set Speaker 2db+
$ amixer -c 0 set Mic unmute
$ sudo nano /etc/pulse/default.pa

PulseAudio Volume Control

Allows you to control both the volume of hardware devices and of each playback stream separately. It also allows you to redirect a playback stream to another output device.

$ sudo apt install pavucontrol

Advanced solution

Install the SOF firmware binaries from the source: https://github.com/thesofproject/sof-bin

Clone the repository:

$ git clone https://github.com/thesofproject/sof-bin.git

Change to directory:

$ cd sof-bin

Follow: https://github.com/thesofproject/sof-bin#install-process-with-installsh

$ sudo mv /lib/firmware/intel/sof* some_backup_location/
$ sudo mv /usr/local/bin/sof-*     some_backup_location/ # optional
$ sudo ./install.sh v2.2.x/v2.2

Reboot

$ sudo reboot

"Apollo Lake" platform

https://thesofproject.github.io/latest/getting_started/intel_debug/suggestions.html#es8336-support

Check your kernel configuration, typically available as /boot/config-*. The options below allow you to use Sound Open Firmware. Start with:

$ grep SND_SOC_INTEL_APL /boot/config-*

For your system you could select:

ALSA for SoC audio support (CONFIG_SND_SOC=m)
Intel ASoC SST drivers (CONFIG_SND_SOC_INTEL_SST_TOPLEVEL=y)
and the appropriate platform option, which in your case would be "Broxton/ApolloLake platforms" (CONFIG_SND_SOC_INTEL_APL=m)

Other options:

Sound Open Firmware support (CONFIG_SND_SOC_SOF_TOPLEVEL=y)
SOF support for Intel Audio DSPs (CONFIG_SND_SOC_SOF_INTEL_TOPLEVEL=y)
SOF PCI enumeration support (CONFIG_SND_SOC_SOF_PCI=m)
SOF support for Apollolake (CONFIG_SND_SOC_SOF_APOLLOLAKE_SUPPORT=m)
SOF support for HDA Links (HDA/HDMI) (CONFIG_SND_SOC_SOF_HDA_LINK=y)
SOF support for HDAudio codecs (CONFIG_SND_SOC_SOF_HDA_AUDIO_CODEC=y)

9.09 Printers

Printers

https://wiki.debian.org/SystemPrinting
https://wiki.ubuntu.com/DebuggingPrintingProblems

∙ HP

https://developers.hp.com/hp-linux-imaging-and-printing/install/manual/distros/debian
https://wiki.debian.org/InstallingDebianOn/HP
https://developers.hp.com/hp-linux-imaging-and-printing

$ sudo apt install hplip
∙ EPSON

https://epson.com/Support/wa00821

$ sudo apt install 
∙ Wireless Firewall Ports
$ 
9.10 Keyboard

https://www.debian.org/doc/manuals/debian-reference/ch08.en.html#_the_keyboard_input
https://pubs.opengroup.org/onlinepubs/7908799/xbd/envvar.html#tag_002_002

Keyboard debug

$ locale
$ locale -a

Reset Layout

$ sudo dpkg-reconfigure keyboard-configuration
$ sudo service keyboard-setup restart
$ sudo update-initramfs -u

Accents not working

Can't type accented letters in certain programs.

$ 

Assign Home and End to Fn + Arrows

https://superuser.com/questions/428945/defining-keyboard-shortcuts-involving-the-fn-key

https://superuser.com/questions/1069211/assign-home-and-end-to-fnarrows

$ 

Remap Apple Magic Keyboard

https://github.com/dongjinleekr/hid-apple-numberless-ko
https://github.com/isakhauge/nor-apple-keyboard-xmodmap


9.11 Locales and Time/Date

https://man7.org/linux/man-pages/man1/locale.1.html
https://linuxfromscratch.org/lfs/view/stable-systemd/chapter09/locale.html
https://pubs.opengroup.org/onlinepubs/7908799/xbd/envvar.html#tag_002_002

Locales

$ locale
$ sudo apt reinstall locales
$ sudo locale-gen
$ sudo locale-gen en_US.UTF-8
$ sudo dpkg-reconfigure locales
*Logoff

If locale-gen had no results

$ locale
$ export LANGUAGE=en_US.UTF-8
$ export LC_ALL=en_US.UTF-8
$ export LANG=en_US.UTF-8
$ export LC_CTYPE=en_US.UTF-8

Still no results

$ export LC_ALL="C.UTF-8"
$ sudo dpkg-reconfigure locales

Still no results

In /etc/locale.gen, uncomment the line:

en_US.UTF-8 UTF-8

then run:

$ sudo locale-gen

Switch terminal command output

UNDER TEST! NOT FULLY TESTED!

http://manpages.ubuntu.com/manpages/trusty/man7/locale.7.html

• Definitely change the output language from the native language to English
$ env
$ env | grep -E 'LC_ALL|LANG'
$ cat ~/.bashrc
$ cat ~/.bash_profile
$ LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LANGUAGE=en_US.UTF-8 $SHELL

Bash function for terminal

Switching between DE and EN locales. Put it in your ~/.bashrc (or ~/.bash_profile).

Call it with _configure_locale EN to switch to English.

function _configure_locale() { # [profile]
    local profile=${1:-EN}
    case ${profile} in
        DE|DE_DE|de_DE)
            LC_ALL="de_DE.UTF-8"
            LANG="de_DE.UTF-8"
            LANGUAGE="de_DE:de:en_US:en"
            ;;
        EN|EN_US|en|en_US)
            LC_ALL="en_US.UTF-8"
            LANG="en_US.UTF-8"
            LANGUAGE="en_US:en"
            ;;
        *)
            # Unknown profile: leave the current locale untouched
            echo "ALERT" "${FUNCNAME[0]}: unknown profile '${profile}'" >&2
            return 1
            ;;
    esac
    # Note: while LC_ALL is set it overrides every LC_* category, LC_PAPER included
    LC_PAPER="de_DE.UTF-8"  # independent from locale
    LESSCHARSET="utf-8"     # independent from locale
    MM_CHARSET="utf-8"      # independent from locale
    echo "locale settings" "${LANG}"
    export LC_ALL LANG LANGUAGE LC_PAPER LESSCHARSET MM_CHARSET
}

Time and Date

Control the system time and date

$ timedatectl
$ tzselect

How to reconfigure time and date

$ sudo dpkg-reconfigure tzdata

NTP

$ sudo apt install ntpdate && sudo ntpdate in.pool.ntp.org && sudo dpkg-reconfigure tzdata
∙ Coordinated Universal Time - UTC-00:00
$ 
∙ Greenwich Mean Time - GMT
$ 
9.12 Torrenting

General debug

1. Resetting qBittorrent / trying another torrent client
2. Trying another device on same network
3. Trying ethernet instead of Wi-Fi
4. Trying downloading to external storage rather than SSD
5. Stopping all running apps/services in background
6. Running speed tests to see if it also happens outside torrenting

Download speed fluctuations and near zero uploading, speed spikes

Possible causes
1. Your external disk case, awful flash drive or internal SSD just not being able to handle the simultaneous writes and reads.
2. Your VPN limiting your bandwidth.
3. Your ISP throttling. Torrent traffic throttled even through a VPN.
Possible solutions

Disk Benchmarks Test

$ sudo apt install gnome-disk-utility

For your ISP throttle, try your VPN Obfuscated Servers or P2P Servers.

Do a Leak Test

∙ DNSLeakTest.com (run the "Extended test")
∙ IPLeak.net

curl https://ipleak.net/json/
curl https://ipinfo.io

Alternatively, start the VPN and the torrent client on the PC and wait until throttling begins. Then try to play back a 1080p video on your smartphone, choosing one where you can see the quality difference (for example one with many text elements, such as computer hardware benchmarks). A 1080p video needs about 1-2Mbps (250KB/s) bandwidth.

Instead, you can try to download something on the phone. This is to find out whether it's an issue with the VPN server/software or with your ISP line as a whole. It's possible for your ISP to throttle only the connection to the VPN server and leave the rest alone.

Problem 2

$ sudo 
9.13 Disks

https://wiki.debian.org/SSDOptimization
https://wiki.archlinux.org/title/Solid_state_drive

Disk managers

GParted
$ sudo apt install gparted
Gnome Disk - "Disks"
$ sudo apt install gnome-disk-utility

Disk manager with LVM support

KDE Partition Manager
$ sudo apt install partitionmanager

Disk debug

$ dmesg -T | grep xhci
$ lsusb -tv
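  Commands for fdisk
    • EXT - Badblock:
    $ sudo fdisk -l /dev/sdb                    # list the partition table
    • *NTFS - Badblock:
    # e2fsck checks ext2/ext3/ext4 filesystems; run it only on an unmounted filesystem
    $ sudo e2fsck -p /dev/sde1                  # automatically repair ("preen") the filesystem
    $ sudo e2fsck -c /dev/sde1                  # read-only scan for bad blocks using badblocks(8)
    $ sudo e2fsck -l /badblock/file /dev/sdb1   # add the blocks listed in the file to the bad-block list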

Disk Utilities

TESTDISK

https://cgsecurity.org/wiki/TestDisk

SMARTMONTOOLS
$ sudo apt install smartmontools
  Commands for smartmontools
    • How to :
    $ sudo smartctl -a /dev/sda
HDPARM
$ sudo apt install hdparm
  Commands for hdparm
    • How to :
    $ sudo hdparm -I /dev/sda
KDISKMARK
$ sudo apt install -y kdiskmark
DEBUGFS
$ sudo debugfs
9.14 Hardware

Hardware Utilities

$ sudo apt install lshw
$ sudo apt install inxi
$ sudo apt install cpu-x
$ sudo apt install hardinfo
$ sudo apt install s-tui stress

10. OTHERS

10.01 Some Links

Links

YouTube Links

Linux Blogs

Shell and others

Libraries

Piracy

Self-hosting

Electronics


