*Kernel Hacking Guides - https://docs.kernel.org/kernel-hacking/index.html
Others: Security Onion, NST, Android-x86, HardenedBSD, OSGeoLive, OpenWRT, LibreELEC.tv, SteamOS.
² How to summarize iso file with GNU Coreutils (CLI)
https://gnu.org/software/coreutils/manual/html_node/Summarizing-files.html
³ Manual method with sha256sum
The SHA-256 checksums are published in a file called SHA256SUMS in the same directory listing as the download page.
sha256sum is part of GNU coreutils, an essential package on Debian, so there is nothing to install; just confirm it is there:
$ sha256sum --version
Open a terminal and go to the directory that holds the downloaded iso file:
$ cd download_directory
Then run the following command from within the download directory.
$ sha256sum name.iso
sha256sum prints a single line after calculating the hash: the 64-character hexadecimal digest, two spaces, then the file name (a leading "*" in front of the name only appears in binary mode, -b):
<64 hexadecimal characters>  name.iso
Compare the hash (the hexadecimal string on the left) that your machine calculated with the corresponding line in the SHA256SUMS file. A match proves the download was not corrupted; it says nothing about tampering unless SHA256SUMS itself has been verified against its signature (next method).
⁴ Semi-automatic method with sha256sum
First download the SHA256SUMS and SHA256SUMS.sign files (the signature is called SHA256SUMS.gpg on some distributions) to the same directory as the iso. Then run the following commands in a terminal.
$ cd download_directory
$ sha256sum --ignore-missing -c SHA256SUMS
sha256sum prints one line per file it was able to check, such as:
name.iso: OK
If the OK for your file appears, the hash matches. --ignore-missing skips the other images listed in SHA256SUMS that you did not download. Do not pipe the output through grep OK: that hides FAILED lines and replaces sha256sum's exit status with grep's. Verify the signature on SHA256SUMS with gpg as well, after importing the distribution's signing key: a checksum file served next to the image can be replaced together with the image, so only the signature ties the checksums to the distribution.
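The two methods above written the way a script should do them, by exit status instead of grepping for OK, plus the signature check that ties SHA256SUMS to the distribution. This is an added example, not code from the original page; it assumes GNU coreutils and awk, and for the signature step gnupg with the distribution's signing key already imported. SHA256SUMS.sign is the Debian file name (Ubuntu calls it SHA256SUMS.gpg).

```shell
#!/bin/sh
# Added example, not part of the original page: verify a downloaded image
# against SHA256SUMS by exit status rather than by grepping for "OK".
# Assumes GNU coreutils (sha256sum, cut) and awk; the optional signature
# step assumes gnupg and an already imported signing key.
set -u

# verify_checksum SUMS FILE
#   0 = digest matches, 1 = digest differs, 2 = FILE is not listed in SUMS
verify_checksum() {
    sums="$1"; file="$2"
    # SHA256SUMS lines look like "<hex>  name.iso" or "<hex> *name.iso"
    expected=$(awk -v want="$file" '{ name = $2; sub(/^\*/, "", name);
                                      if (name == want) print $1 }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# verify_all SUMS: let sha256sum check every listed file that is present and
# report through its exit status; --ignore-missing skips images not downloaded.
verify_all() {
    sha256sum --ignore-missing --quiet -c "$1"
}

# verify_signature SIGFILE SUMS: 0 only if gpg accepts the detached signature
# (the key must already be imported; this is what ties SUMS to the distribution).
verify_signature() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    gpg --verify "$1" "$2" 2>/dev/null
}

# Typical use:
#   verify_signature SHA256SUMS.sign SHA256SUMS && verify_checksum SHA256SUMS name.iso
```

The order matters: check the signature first, then the digest, and stop at the first failure; a FAILED line from sha256sum is only meaningful once you know SHA256SUMS itself is authentic.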
👷🛠️UNDER CONSTRUCTION🚧🏗
2.01 Hardware
• Phoenix BIOS Simulator
https://grs-software.de/sims/bios/phoenix/pages/
• Phoenix BIOS Setup Utility Simulator - Pranx
https://pranx.com/bios
• Lenovo BIOS Simulator
https://download.lenovo.com/bsco/index.html
• Hardware for Linux
https://linux-hardware.org
• Linux Vendor Firmware Service
https://fwupd.org/lvfs/devices
• r/linuxhardware
https://reddit.com/r/linuxhardware
• SANE - List of supported scanners
http://www.sane-project.org/sane-supported-devices.html
• USB WiFi
https://github.com/morrownr/USB-WiFi
• Mac
https://wiki.debian.org/DebianOnIntelMacPro
• GNU/Linux Open Hardware PowerPC notebook
https://powerpc-notebook.org
• PINE64 - Community-driven hardware projects
https://pine64.com
https://pine64.org
• Framework - Fix Consumer Electronics
https://frame.work
• "Respects Your Freedom" Certification Program
https://ryf.fsf.org
https://docs.kernel.org/admin-guide/hw-vuln/index.html
https://github.com/chipsec/chipsec
https://en.wikipedia.org/wiki/Open-source_firmware
https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption
https://en.wikipedia.org/wiki/Write_protection
https://en.m.wikipedia.org/wiki/Random-access_memory
https://usbguard.github.io
https://digistor.com (*US partner)
https://seagate.com/enterprise-storage/enterprise-security
https://github.com/openssl/openssl/blob/master/README-FIPS.md
https://whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Less_important_identifiers
https://whonix.org/wiki/MAC_Address
https://github.com/alobbs/macchanger
https://hwidspoofer.com
https://xaze.gitbook.io/how-to-spoof-with-hwid-serial-changer
https://github.com/segofensiva/OSfooler-ng
Visit our repo tree: 2.SECURITY/2.05_Secure_Boot
https://libreboot.org
https://osresearch.net
Visit our repo tree: 2.SECURITY/2.06_Sanitization
Not all SSDs support the sanitize command. If you use SSDs, make sure the SATA controller is in AHCI mode in the firmware setup and enable TRIM in the OS (the fstrim.timer shipped by util-linux); on dm-crypt volumes TRIM only reaches the drive if discard is allowed in crypttab, which in turn reveals which blocks of the encrypted device are unused. Take care with SSD over-provisioning. Take care with SSD flaws.
https://usbkill.com
https://github.com/Kicksecure/ram-wipe
https://kicksecure.com/wiki/Hardened_Malloc
https://forums.whonix.org/t/hardened-malloc-hardened-memory-allocator/7474/4
• SSD Over-provisioning
Reserving unused capacity (over-provisioning, OP) prevents degradation of SSD speed and durability.
Depending on use, some manufacturers recommend 40% OP. For general use about 20% of the drive's raw capacity is suggested; since drives already ship with roughly 7% factory OP, that means reserving about 14% more yourself. For example, a 240GB SSD limited to -14% gives 206GB usable (34GB of OP).
How you reserve it depends on the partitioning and file system you will use; the simplest method that works with any file system is to leave the space unpartitioned on a freshly erased drive.
2.02 Installation
Visit our repo tree: 1.INSTALLATION
2.02.01 Basic Installation Guide
• Basic tips about Linux System
Debian Wiki - https://wiki.debian.org/FrontPage
Command Line - https://github.com/jlevy/the-art-of-command-line#everyday-use
Terminal - https://github.com/onceupon/Bash-Oneliner#terminal-tricks
• Bash autocompletion with TAB
$ sudo apt install bash-completion
Shortcut | Action | Shortcut | Action |
---|---|---|---|
Esc + t | Swap the two words before the cursor | Ctrl + f | Go forward one character |
Ctrl + r | Search command history | Ctrl + b | Go back one character |
Ctrl + g | Cancel command history search without running command | Ctrl + a | Go to the beginning of the line |
Ctrl + l | Clear terminal screen | Ctrl + e | Go to the end of the line |
Ctrl + x | List possible filename completions | Ctrl + w | Delete the word before the cursor |
Ctrl + c | Cancels the running command | Ctrl + y | Retrieves the last word deleted or cut |
Ctrl + z | Suspends the running command | Ctrl + xx | Toggle between current cursor position and start or end of line |
Ctrl + u | Deletes entire line before the cursor | Alt + u | Capitalize all letters in word after cursor |
Ctrl + k | Deletes entire line after the cursor | Alt + l | Lower case all letters in word after cursor |
Ctrl + t | Swap the two characters before the cursor | Alt + . | Use the last word of the last command |
Ctrl + d | Close the terminal (sends EOF; ends the shell on an empty line) | | |
• nano editor: basically you will use Ctrl+O and Enter to save the changes and then Ctrl+X to exit.
Shortcut | Action | Shortcut | Action |
---|---|---|---|
File handling | | Moving around | |
Ctrl+S | Save current file | Ctrl+B | One character backward |
Ctrl+O | Offer to write file ("Save as") | Ctrl+F | One character forward |
Ctrl+R | Insert a file into current one | Ctrl+← | One word backward |
Ctrl+X | Close buffer, exit from nano | Ctrl+→ | One word forward |
| | Ctrl+A | To start of line |
Editing | | Ctrl+E | To end of line |
Ctrl+K | Cut current line into cutbuffer | Ctrl+P | One line up |
Alt+6 | Copy current line into cutbuffer | Ctrl+N | One line down |
Ctrl+U | Paste contents of cutbuffer | Ctrl+↑ | To previous block |
Alt+T | Cut until end of buffer | Ctrl+↓ | To next block |
Ctrl+] | Complete current word | Ctrl+Y | One page up |
Alt+3 | Comment/uncomment line/region | Ctrl+V | One page down |
Alt+U | Undo last action | Alt+\ | To top of buffer |
Alt+E | Redo last undone action | Alt+/ | To end of buffer |
Search and replace | | Special movement | |
Ctrl+Q | Start backward search | Alt+G | Go to specified line |
Ctrl+W | Start forward search | Alt+] | Go to complementary bracket |
Alt+Q | Find next occurrence backward | Alt+↑ | Scroll viewport up |
Alt+W | Find next occurrence forward | Alt+↓ | Scroll viewport down |
Alt+R | Start a replacing session | Alt+< | Switch to preceding buffer |
| | Alt+> | Switch to succeeding buffer |
Deletion | | Information | |
Ctrl+H | Delete character before cursor | Ctrl+C | Report cursor position |
Ctrl+D | Delete character under cursor | Alt+D | Report line/word/character count |
Alt+Bsp | Delete word to the left | Ctrl+G | Display help text |
Ctrl+Del | Delete word to the right | | |
Alt+Del | Delete current line | | |
Operations | | Various | |
Ctrl+T | Execute some command | Alt+A | Turn the mark on/off |
Ctrl+J | Justify paragraph or region | Tab | Indent |
Alt+J | Justify entire buffer | Shift+Tab | Unindent marked region |
Alt+B | Run a syntax check | Alt+V | Enter next keystroke verbatim |
Alt+F | Run a formatter/fixer/arranger | Alt+N | Turn line numbers on/off |
Alt+: | Start/stop recording of macro | Alt+P | Turn visible whitespace on/off |
Alt+; | Replay macro | Alt+X | Hide or unhide the help lines |
Ctrl+L | Refresh the screen | | |
https://debian.org/doc/manuals/debian-handbook/sect.virtualization.en.html
"How to Install Debian Linux in VirtualBox on Windows 10 | Beginners Guide | (Buster)"
https://youtube.com/watch?v=cx8GzudB6uE
KVM, Kernel-based Virtual Machine, is a hypervisor built into the Linux kernel. It is similar to Xen in purpose but much simpler to get running. Unlike native QEMU, which uses emulation, KVM is a special operating mode of QEMU that uses the CPU's hardware virtualization extensions (Intel VT-x / AMD-V, "HVM") through a kernel module.
The difference between a type 1 and a type 2 hypervisor: KVM is usually classed as a type 1 hypervisor, since it runs inside the kernel on bare metal, while QEMU on its own is a type 2 hypervisor that runs on top of the operating system. QEMU uses KVM to give the virtual machines the machine's physical resources. In brief, QEMU uses emulation; KVM uses processor extensions (HVM) for virtualization.
https://wiki.debian.org/KVM
https://wiki.archlinux.org/title/KVM
Visit our repo tree: 6.SYSADMIN/6.05_VMs_and_Containers
http://www.rodsbooks.com/linux-uefi
https://wiki.debian.org/DontBreakDebian
https://distrowatch.com/table.php?distribution=debian
https://debian.org/releases/bookworm/amd64/apb.en.html
XFCE vs LXQt - Lightweight Linux Desktop Environments
https://youtube.com/watch?v=cs8JW3zDDoI
👷🛠️UNDER CONSTRUCTION🚧🏗
Visit our repo tree: 1.INSTALLATION/2.02_Debootstrap
• Debootstrap
https://wiki.debian.org/Debootstrap
• Debian 11.0 Debootstrap | Debian Command Line Install Guide
https://youtube.com/watch?v=oKnkOwdysNs
• Debian 11.4 ZFS Bootstrap | Debian ZFS Command Line Installation
https://youtube.com/watch?v=7F7Ch-ZkiQU
• Nilsmeyer - An ansible role for bootstrapping new Debian based systems, including setting up partitions, file systems, encryption (luks), RAID and LVM
https://github.com/nilsmeyer/ansible-debootstrap
• Linux Dabbler - Scripts to run after installing debian
https://github.com/linuxdabbler/debian-install-scripts
2.03 Encryption
Visit our repo tree: 2.SECURITY/2.03_Encryption
Visit our repo tree: 1.INSTALLATION/2.02_Debootstrap
2.3.1 Encryption
https://wiki.archlinux.org/title/Security
https://wiki.archlinux.org/title/Data-at-rest_encryption
https://en.wikipedia.org/wiki/Disk_encryption#Implementations
https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-2
2.3.2 Partitioning scenarios: advantages and disadvantages
https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system
https://wiki.archlinux.org/title/dm-crypt/Device_encryption#top-page
2.3.3 FSTAB, CRYPTTAB AND DM-CRYPT - Linux kernel's device mapper crypto target
• Dm-crypt
https://wiki.archlinux.org/title/Dm-crypt
• Fstab
https://wiki.debian.org/fstab
https://manpages.debian.org/bookworm/mount/fstab.5.en.html
• Crypttab
https://manpages.debian.org/bookworm/cryptsetup/crypttab.5.en.html
• Tips
∙ Append the UUID of a partition to fstab, then complete the entry (mount point, file system type, options, dump, pass) by hand
# echo "$(blkid -o export /dev/sdbX | grep ^UUID=) # TODO: mount point, type, options, dump, pass" | tee --append /etc/fstab
or
# blkid -o value -s UUID /dev/sdbX >> /etc/fstab
Finish the line before you reboot: an entry that cannot be mounted stops the boot in emergency mode unless it carries nofail.
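As an added example (not code from the original page), a small helper that builds the whole fstab line from blkid's export output, so that no bare UUID= fragment ever lands in /etc/fstab. It assumes the KEY=VALUE output of util-linux blkid; the device names and UUIDs in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: turn "blkid -o export <device>"
# output into a complete fstab line instead of appending a bare UUID= and
# finishing it by hand. Assumes util-linux blkid output (KEY=VALUE lines) and
# POSIX sed/printf.
set -u

# fstab_entry EXPORT_TEXT MOUNTPOINT [OPTIONS] [PASS]
#   EXPORT_TEXT is the text printed by "blkid -o export /dev/sdXN".
#   Prints "UUID=<uuid> <mountpoint> <fstype> <options> 0 <pass>"; returns 1 when
#   blkid reported no UUID or no TYPE (an unformatted partition, for instance)
#   or when OPTIONS contains a space, so nothing half-complete reaches /etc/fstab.
fstab_entry() {
    export_text="$1"; mountpoint="$2"; options="${3:-defaults}"; pass="${4:-2}"
    # ^UUID= does not match PARTUUID= or UUID_SUB= lines
    uuid=$(printf '%s\n' "$export_text" | sed -n 's/^UUID=//p')
    fstype=$(printf '%s\n' "$export_text" | sed -n 's/^TYPE=//p')
    [ -n "$uuid" ] && [ -n "$fstype" ] || return 1
    # swap has no mount point and is never fsck'ed
    if [ "$fstype" = "swap" ]; then
        mountpoint="none"; options="sw"; pass=0
    fi
    # fstab fields are whitespace separated: options must not contain spaces
    case "$options" in *" "*) return 1 ;; esac
    printf 'UUID=%s %s %s %s 0 %s\n' "$uuid" "$mountpoint" "$fstype" "$options" "$pass"
}

# Usage as root, once the printed line has been reviewed (placeholder device):
#   fstab_entry "$(blkid -o export /dev/sdb1)" /boot/efi umask=0077 1 >> /etc/fstab
```

Review the printed line before redirecting it into /etc/fstab; the helper refuses options with spaces because that is exactly the mistake that breaks the options field.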
2.3.4 Example 1 - FSTAB - Non-encrypted Boot Removable Medium (USB Key) Multi-device
UUID=e4c627c2-69f2-11ee-8c99-0242ac120002 / ext4 errors=remount-ro 0 1
# /boot was on /dev/sdc2 during installation
PARTUUID=f2c4ec78-69f2-11ee-8c99-0242ac120002 /boot ext2 noauto,x-systemd.device-timeout=1m,defaults 0 2
# /boot/efi was on /dev/sdc1 during installation
PARTUUID=a15355f4-15ce-4ea6-a57b-161e9eea19fc /boot/efi vfat noauto,x-systemd.device-timeout=1m,umask=0077 0 1
UUID=2701e126-69f3-11ee-8c99-0242ac120002 /home ext4 defaults 0 2
UUID=447e4a14-69f3-11ee-8c99-0242ac120002 none swap sw 0 0
The options field must not contain spaces (fstab fields are whitespace-separated). With noauto, /boot and /boot/efi are only mounted when you mount them yourself: plug in the key and mount both before any kernel or GRUB package update, otherwise the new files land in the empty /boot directory of the root filesystem.
2.3.5 Example 2 - FSTAB - Encrypted Boot Removable Medium (USB Key) Multi-device
👷🛠️UNDER CONSTRUCTION🚧🏗
https://tqdev.com/2022-luks-with-usb-unlock
"Install debian 9 stretch on one encrypted btrfs partition including /boot and booting if via EFI"
https://github.com/rob31415/cryptBoot
https://github.com/stupidpupil/https-keyscript
2.3.6 Example 3 - FSTAB - Encrypted Boot Removable Medium (USB Key) Multi-device and Keyfile
Key File Encryption with USB Key
https://github.com/aomgiwjc/Unix-Bootstrap-Installs/wiki
https://github.com/aomgiwjc/Unix-Bootstrap-Installs.wiki.git
https://cloudkid.fr/unlock-a-luks-partition-with-a-usb-key
https://blog.fidelramos.net/software/unlock-luks-usb-drive
https://willhaley.com/blog/unlock-luks-volumes-with-usb-key
https://dwarmstrong.org/fde-debian
https://cyberciti.biz/hardware/cryptsetup-add-enable-luks-disk-encryption-keyfile-linux
2.3.7 Nuke Password
https://packages.debian.org/bookworm/cryptsetup-nuke-password
https://salsa.debian.org/pkg-security-team/cryptsetup-nuke-password
$ sudo apt install cryptsetup-nuke-password
Entering the nuke password at the initramfs prompt erases the LUKS key slots, so the data is unrecoverable afterwards. Keep an offline LUKS header backup if you ever want to undo that, and protect the backup as carefully as the disk itself, because it contains the key slots.
2.04 After Installing
1. Update and Upgrade
https://itsfoss.com/apt-get-upgrade-vs-dist-upgrade
$ sudo apt update && sudo apt upgrade -y
$ sudo apt dist-upgrade
Note:
apt-get upgrade
only upgrades packages that are already installed. It never installs new packages or removes existing ones, so it cannot bring in a new versioned kernel package (apt upgrade, the apt front end, may install new dependencies but still never removes anything).
dist-upgrade
can remove dependency packages or install new ones (if required), can also upgrade the kernel version, but doesn't upgrade the distribution release by itself.
*With the apt front end the same operation is called full-upgrade:
$ sudo apt full-upgrade
Security consideration, under construction
Install and enable Uncomplicated Firewall - UFW (CLI)
$ sudo apt install ufw
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
$ sudo ufw enable
$ sudo ufw status verbose
If you administer the machine over SSH, allow that port before the enable step, or you lock yourself out.
Edit and add GRUB_TIMEOUT=0 (hides the boot menu; it can still be reached by holding Shift, or Esc on UEFI, while booting, so this is a convenience setting, not a protection)
$ sudo nano /etc/default/grub
GRUB_TIMEOUT=0
$ sudo update-grub
Verify the current value (no root needed to read it):
$ cat /proc/sys/vm/swappiness
Edit and add vm.swappiness=10
$ sudo nano /etc/sysctl.conf
vm.swappiness=10
or simply
$ sudo bash -c "echo 'vm.swappiness = 10' >> /etc/sysctl.conf"
To take effect without a reboot, reload the file:
$ sudo sysctl -p
or set it directly for the running kernel (the file keeps it across reboots):
$ sudo sysctl vm.swappiness=10
Verify
$ cat /proc/sys/vm/swappiness
• Java Runtime Environment (JRE) / OpenJDK - Java Development Kit (JDK)
$ java --version
$ apt-cache search openjdk | grep openjdk
$ sudo apt install default-jdk
(default-jdk pulls in the release's default OpenJDK; pick a specific openjdk-NN-jdk package from the search output instead if you need a particular version.)
• Microsoft core fonts (the installer lives in contrib, so the contrib component must be enabled in your apt sources)
$ sudo apt install -y ttf-mscorefonts-installer
*Do not install the TLP power manager; it has caused many problems.
2.05 Low Level Linux
• Kernel Linux
https://kernel.org
• Linux Training
https://training.linuxfoundation.org
https://training.linuxfoundation.org/training/a-beginners-guide-to-linux-kernel-development-lfd103
• Linux From Scratch (LFS)
https://linuxfromscratch.org
• Reproducible Builds
https://reproducible-builds.org
2.06 Ventoy
Ventoy - A New Bootable USB Solution - Downloads
https://ventoy.net/en/download.html
Ventoy - Source Code - Releases
https://github.com/ventoy/Ventoy/releases
https://ventoy.net/en/doc_start.html
https://woshub.com/multi-iso-boot-usb-flash-ventoy
https://pureinfotech.com/ventoy-create-bootable-usb-windows-11-10
https://ventoy.net/en/doc_secure.html
https://ventoy.net/en/plugin_persistence.html
(*recommended only for rescue-disk purposes: Ventoy's Secure Boot support works by enrolling Ventoy's own certificate through MokManager on first boot, see doc_secure.html above, and once that certificate is enrolled Ventoy's boot chain is trusted regardless of which ISO it goes on to load)
2.07 Clonezilla
Clonezilla - The Free and Open Source Software for Disk Imaging and Cloning.
https://clonezilla.org/clonezilla-live-doc.php
https://wikihow.com/Use-Clonezilla
Command to rename the device recorded inside a saved image (here from sda3 to sda2), so the image can be restored to a partition with a different name:
$ cnvt-ocs-dev -d /home/partimag 'image' 'sda3' 'sda2'
👷🛠️UNDER CONSTRUCTION🚧🏗
3.01 Introduction
"Most modern systems will ship with SB enabled - they will not run any unsigned code by default, but it is possible to change the firmware configuration to either disable SB or to enroll extra signing keys. The whole point of Secure Boot is to prevent malware from gaining control of the computer. Therefore, when booting with Secure Boot active, Fedora 18 and later, Ubuntu 16.04 and later, and probably other distributions restrict actions that some Linux users take for granted. For instance, Linux kernel modules must be signed, which complicates use of third-party kernel drivers, such as Nvidia's and AMD/ATI's proprietary video drivers. More recent kernels may, if Secure Boot is active, also check that they were launched from a boot loader that honors Secure Boot, and shut down if this was not the case."
"To launch a locally-compiled kernel, you must sign it with a MOK and register that MOK with the system. (In both cases, you can register a hash rather than sign the binary; but this approach results in an ever-growing database in NVRAM, which is undesirable.) The extent of such restrictions is entirely up to those who develop and sign the boot loader launched by Shim and the kernel launched by that boot loader, though. Some distributions ship kernels that are relatively unencumbered by added security restrictions."
"As a practical matter, if you want to use Shim, you have two choices: You can run a distribution that provides its own signed version of Shim, such as Fedora 18 or later or Ubuntu 12.10 or later; or you can run a signed version from such a distribution or from another source, add your own MOK, and sign whatever binaries you like. This first option is quite straightforward if you happen to want to use a distribution that ships with Shim, and it requires little extra elaboration. If you want to build and run your own kernel (e.g. for development or debugging), then you will obviously end up making binaries that are not signed with the Debian key. If you wish to use those binaries, you will need to either sign them yourself and enroll the key used with MOK or disable SB."
! CAUTION:
! • Use an administrator password in the BIOS and do not use the same for disk encryption.
! • Building and signing kernel modules is independent of building and signing your own kernel.
! • In Debian, if you do not install the DKMS package, you have more work to do: create the
!   X.509 certificate and the OpenSSL private key with openssl, enroll the certificate with
!   mokutil, then sign the kernel with sbsign (sbsigntool) or the kernel module with sign-file.
! • Debian comes with signed kernels to work with your GRUB so it will most likely not be
! necessary to sign the kernel that includes Debian, however any foreign kernel or compiled from
! its source www.kernel.org must be signed or will not be able to load.
! • Ubuntu uses DKMS with signed key by default, Ubuntu creates and imports mok key during system
! installation.
! • In Fedora, if you use DKMS with Secure Boot enabled, you have to import the DKMS sign key
! with mokutil --import /var/lib/dkms/mok.pub and reboot to enroll the key. In Fedora the mok.pub
! and mok.key keys are created and module is signed by DKMS, but only if openssl package
! is installed.
! • UEFI specifications use the terms key and public key (.der) to mean the public part of the
!   key pair, i.e. the X.509 certificate. In OpenSSL, however, "key" usually means the private
!   key (.priv) that is used for signing. What gets enrolled with mokutil or in the firmware
!   databases is always the X.509 certificate (DER), never the OpenSSL private key, which stays
!   offline.
! • The instructions provided assume that you're signing a module for the currently running
! kernel. If you're signing a module for a different kernel, you must provide the path to the
! sign-file utility within the correct kernel version source. Otherwise, the signature type
! for the module for that kernel might not align correctly with the expected signature type.
! • Only a single custom certificate can be compiled into the kernel image itself, because the
!   compressed size of the kernel's boot image can not increase. Do not add multiple certificates
!   to the kernel boot image; MOKs enrolled through Shim live in NVRAM and are not subject to
!   this limit.
- WARNING:
- https://makedebianfunagainandlearnhowtodoothercoolstufftoo.computer/doku.php?id=start:issecurebootworking
- https://discourse.ubuntu.com/t/dkms-package-support-extra-drivers-does-not-work-in-ubuntu-22-10-install-media/31655
- BUGS:
- • Debian Bug report logs - #1037146 Key was rejected by service
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037146
- • Debian Bug report logs - #1012741 Key was rejected by service
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012741
- • Debian Bug report logs - #1012816 Key was rejected by service
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012816;msg=22
- • Debian Bug report logs - #989463 please align shim-signed dkms behaviour with Ubuntu
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989463
- • Debian Bug report logs - #939392 please provide kmodsign like Ubuntu does
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939392
- • Debian Bug report logs - #928300 shim-signed: secure boot via removable media path unavailable
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928300
3.02 Secure Boot References
BASIC:
- https://rodsbooks.com/efi-bootloaders
- https://rodsbooks.com/efi-bootloaders/secureboot.html
- https://rodsbooks.com/efi-bootloaders/controlling-sb.html
- https://ubuntu.com/blog/how-to-sign-things-for-secure-boot
- https://wiki.ubuntu.com/UEFI/SecureBoot/DKMS
- https://help.ubuntu.com/community/DKMS
- https://wiki.ubuntu.com/UEFI/SecureBoot/KeyManagement/KeyGeneration
- https://github.com/dell/dkms#dynamic-kernel-module-system-dkms
- https://wiki.debian.org/SecureBoot
- https://github.com/sitmsiteman/secure-boot-in-debian-based-distro
- https://github.com/Batu33TR/secureboot-mok-keys
- https://github.com/M-P-P-C/Signing-an-Ubuntu-Kernel-for-Secure-Boot
- https://medium.com/@vvvrrooomm/practical-secure-boot-for-linux-d91021ae6471
- https://lastdragon.net/?p=2513
ADVANCED:
- https://uefi.org
- https://intel.com/content/www/us/en/developer/articles/tool/unified-extensible-firmware-interface.html
- https://kernel.org/doc/html/v4.15/admin-guide/module-signing.html
- https://kernel.org/doc/html/latest/admin-guide/module-signing.html
- https://docs.oracle.com/en/operating-systems/oracle-linux/secure-boot/toc.htm#Table-of-Contents
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/managing_monitoring_and_updating_the_kernel/signing-a-kernel-and-modules-for-secure-boot_managing-monitoring-and-updating-the-kernel
- https://ubs_csse.gitlab.io/secu_os/tutorials/linux_secure_boot.html
- https://wiki.archlinux.org/title/Unified_Extensible_Firmware_Interface/Secure_Boot
- https://wiki.archlinux.org/title/GRUB/EFI_examples#top-page
- https://wiki.archlinux.org/title/Signed_kernel_modules
- https://wiki.gentoo.org/wiki/Signed_kernel_module_support
- https://stack.nexedi.com/P-VIFIB-Enhanced.UEFI.Secure.Boot.Debian
- https://manpages.debian.org/buster/openssl/config.5ssl.en.html
- https://manpages.debian.org/stretch/keyutils/keyctl.1.en.html
- https://manpages.debian.org/testing/pesign/pesign.1.en.html
- https://manpages.debian.org/testing/libnss3-tools/index.html
- https://openssl.org/docs/man1.0.2/man1/openssl-req.html
- https://openssl.org/docs/man1.1.1/man1/req.html
- https://openssl.org/docs/manmaster/man5/x509v3_config.html
- https://kicksecure.com/wiki/Verified_Boot
- https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html
- https://github.com/nsacyber/TrustedSHIM
- https://github.com/nsacyber/HIRS
- https://askubuntu.com/questions/762254/why-do-i-get-required-key-not-available-when-install-3rd-party-kernel-modules
- https://help.eset.com/efs/8.1/en-US/secure-boot.html
- https://help.ggcircuit.com/knowledge/how-to-inject-custom-secure-boot-keys-example
- https://blogs.oracle.com/linux/post/the-machine-keyring
- https://paldan.altervista.org/signed-linux-kernel-deb-creation-how-to/
- https://linuxjournal.com/content/take-control-your-pc-uefi-secure-boot
3.03 YouTube References
- Use UEFI Secure Boot NOW! (Trafotin)
- Best Practices for UEFI Secure Boot Customization (UEFIForum)
- Secure Boot from A to Z (The Linux Foundation)
- Secure Boot. In Debian. In Buster. Really (DebConf Videos)
3.04 Sign GRUB
https://wiki.archlinux.org/title/Kernel_parameters
On Debian, GRUB comes from the grub-efi-amd64-signed package, a build signed with Debian's key that Shim already trusts, so GRUB itself only needs to be signed with your own MOK if you replace it with a build of your own (the sbsign command for that is in 3.05, step 6.2).
3.05 Sign Debian Kernel
Debian comes with signed kernels to work with your GRUB so it will most likely not be necessary to sign the kernel that includes Debian, however any foreign kernel or compiled from its source www.kernel.org must be signed or will not be able to load.
Only a single custom certificate can be compiled into the kernel image itself, because the compressed size of the kernel's boot image can not increase; do not add multiple certificates to the kernel boot image. MOKs enrolled through Shim are stored in NVRAM and are not subject to this limit.
1.First steps
All the items below have to do with Secure Boot mode. Check whether it is active:
$ sudo mokutil --sb-state
SecureBoot enabled
If controlling the Secure Boot state through the EFI setup program is difficult, you can optionally use mokutil (its --disable-validation option, confirmed with a one-time password in MokManager at the next boot) to disable validation at the level of the Shim: UEFI Secure Boot stays enabled, but no further validation takes place after the Shim is loaded, which removes the protection for everything that comes after it.
What keys are on my system?
$ sudo mokutil --list-enrolled
or
$ sudo mokutil --list-enrolled | grep Subject:
The command modinfo also prints the signature of a module if it has one, for example:
$ sudo modinfo /lib/modules/6.1.0-11-amd64/kernel/mm/zsmalloc.ko
2.Place for the auto-generated MOK
MOK - Machine Owner Key
Introduction
The use of mokutil that is most relevant to this page is to import a MOK. In this context, importing refers to storing a MOK in the computer's NVRAM, along with a flag to tell Shim and MokManager that the MOK is there and ready to be enlisted when you next reboot the computer. Keys can be added to and removed from the MOK list by the user, entirely separately from the distribution's CA key.
Unlike Debian, Ubuntu has chosen to place its auto-generated MOK at "/var/lib/shim-signed/mok/", which some software, such as Oracle's virtualbox package, expects to be present. Note that using this same location on Debian may result in future conflicts. If you see the key there (consisting of the files MOK.der, MOK.pem and MOK.priv) then you can use these, rather than creating your own.
Warning: the private key file (MOK.priv) is extremely sensitive! An attacker who gains access to it could generate binaries that your computer would accept as authorized. You should change permissions to prevent unauthorized access, and ideally store it on an encrypted external storage medium and unplug it when you are not signing binaries.
First make sure the key doesn't exist yet:
$ ls /var/lib/shim-signed/mok/
To create a folder for the MOK key:
$ sudo mkdir -p /var/lib/shim-signed/mok/
You can choose another place like "/etc/mok_key/", since there is no standard location at the moment:
$ sudo mkdir -p /etc/mok_key/
3.Generating a new key
Before you create the public and private key for signing, change into the folder you created as the destination of the keys. Then create the certificate (MOK.der, the public part) and the private key (MOK.priv). Without -nodes, openssl asks for a pass phrase and encrypts MOK.priv with it; an encrypted key is safer at rest, but DKMS cannot use it for unattended signing, so for the DKMS setup in step 6.1 generate the key with -nodes and rely on file permissions instead. The one-time password you will be asked for later belongs to mokutil, not to this step.
$ cd /var/lib/shim-signed/mok/
$ sudo openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=ShimSigned/"
$ sudo openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
$ ls -l
total 12
-rw-r--r-- 1 root root  787 MOK.der
-rw-r--r-- 1 root root 1123 MOK.pem
-rw------- 1 root root 1854 MOK.priv
$ sudo chmod 600 /var/lib/shim-signed/mok/*
These commands create both the private key and the certificate needed to sign things. You need both files to sign; only the public part (MOK.der) is needed to enroll the key in Shim. MOK.der and MOK.pem are public and may stay world-readable; MOK.priv must not be.
To read the certificate file in a human readable format, use
$ sudo openssl x509 -in /var/lib/shim-signed/mok/MOK.pem -noout -text
Another example of key generation (this variant takes the subject from a config file you write yourself, /etc/ssl/x509.conf, and keeps the key unencrypted with -nodes; /etc/ssl/certs is world-readable, so keep priv.key at mode 600 or store it elsewhere):
$ sudo openssl req -x509 -new -nodes -utf8 -sha512 -days 3650 -batch -config /etc/ssl/x509.conf -outform DER -out /etc/ssl/certs/pubkey.der -keyout /etc/ssl/certs/priv.key
$ sudo openssl x509 -inform DER -in /etc/ssl/certs/pubkey.der -out /etc/ssl/certs/pubkey.pem
4.Enrolling your key in Shim
Enroll the key to your installation:
$ cd /var/lib/shim-signed/mok/
$ sudo mokutil --import MOK.der
You will be asked for a one-time password (remember it and type it correctly), you will just use it to confirm your key selection in the next step (you won't need this password beyond this point, though), so choose any.
Recheck your key will be prompted on next boot
$ sudo mokutil --list-new
5.Restart and finish the process
Restart your system. Changes to the MOK list can only be confirmed from MokManager at boot time. You will encounter a blue screen of the MokManager tool. Select "Enroll MOK" and then "View key". Make sure it is the key you created in step 3. Afterwards continue the process and enter the password which you provided in step 4. Continue with booting your system.
Verify your key is already enrolled, if the MOK was loaded correctly, with:
$ sudo mokutil --test-key /var/lib/shim-signed/mok/MOK.der
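Steps 2 to 5 above as one checked script. This is an added example, not code from the Debian wiki or from this repository: it generates the key with the permissions the warning in step 2 asks for, refuses to overwrite a key that may already be enrolled, and checks that the DER certificate handed to mokutil, the PEM certificate handed to sbsign and the private key all belong together. It assumes openssl; mokutil and sbsigntool are only needed by the two functions that call them, and the directory paths in the usage comment are the ones chosen above.

```shell
#!/bin/sh
# Added example: create a Machine Owner Key with safe permissions and check that
# the DER certificate given to mokutil, the PEM certificate given to sbsign and
# the private key all belong together. Assumes openssl; mokutil and sbsigntool
# are only needed by the two functions that call them. DIR is whatever
# directory you chose above (e.g. /var/lib/shim-signed/mok, as root).
set -u

# mok_create DIR CN [DAYS]: write DIR/MOK.priv (unencrypted, so DKMS can use it
# unattended), DIR/MOK.der and DIR/MOK.pem. Refuses to overwrite an existing
# key, so a MOK that is already enrolled is never silently replaced.
mok_create() {
    dir="$1"; cn="$2"; days="${3:-36500}"
    if [ -e "$dir/MOK.priv" ]; then
        echo "mok_create: $dir/MOK.priv exists, refusing to overwrite" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # umask 077: the private key must never be world-readable, not even briefly
    ( umask 077 && openssl req -new -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/MOK.priv" -outform DER -out "$dir/MOK.der" \
        -days "$days" -subj "/CN=$cn/" >/dev/null 2>&1 ) || return 1
    openssl x509 -in "$dir/MOK.der" -inform DER -outform PEM -out "$dir/MOK.pem" || return 1
    chmod 600 "$dir/MOK.priv"
    chmod 644 "$dir/MOK.der" "$dir/MOK.pem"   # certificates are public
}

# mok_fingerprint FILE FORM: SHA-1 fingerprint (FORM is DER or PEM), in the
# colon-separated form that "mokutil --list-enrolled" prints.
mok_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha1 | sed 's/^[^=]*=//'
}

# mok_check DIR: 0 if MOK.der and MOK.pem are the same certificate and that
# certificate's public key is the one derived from MOK.priv; 1 otherwise.
mok_check() {
    dir="$1"
    der=$(mok_fingerprint "$dir/MOK.der" DER) || return 1
    pem=$(mok_fingerprint "$dir/MOK.pem" PEM) || return 1
    [ -n "$der" ] && [ "$der" = "$pem" ] || return 1
    cert_pub=$(openssl x509 -in "$dir/MOK.pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/MOK.priv" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# mok_is_enrolled DIR: 0 if the certificate's fingerprint is in the enrolled
# MOK list (needs mokutil and UEFI variables, i.e. a real Secure Boot machine).
mok_is_enrolled() {
    command -v mokutil >/dev/null 2>&1 || { echo "mokutil not installed" >&2; return 2; }
    fp=$(mok_fingerprint "$1/MOK.der" DER)
    mokutil --list-enrolled 2>/dev/null | grep -qi "$fp"
}

# mok_sign_efi DIR IN OUT: sign a kernel image or EFI binary with the MOK and
# verify OUT against MOK.pem before the caller moves it over the original.
mok_sign_efi() {
    dir="$1"; in="$2"; out="$3"
    command -v sbsign >/dev/null 2>&1 || { echo "sbsigntool not installed" >&2; return 2; }
    sbsign --key "$dir/MOK.priv" --cert "$dir/MOK.pem" --output "$out" "$in" || return 1
    sbverify --cert "$dir/MOK.pem" "$out"
}

# Typical use as root:
#   mok_create /var/lib/shim-signed/mok ShimSigned && mok_check /var/lib/shim-signed/mok
#   mokutil --import /var/lib/shim-signed/mok/MOK.der     # then reboot into MokManager
#   mok_is_enrolled /var/lib/shim-signed/mok              # after the reboot
```

mok_check is the step to run whenever a signature is unexpectedly rejected: a MOK.pem converted from a different MOK.der, or a MOK.priv regenerated after the certificate was enrolled, both look fine in ls -l and both fail here.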
6.Sign your installed kernel or modules
6.1 Modern Method: signing Debian kernel modules with DKMS
The dkms framework builds kernel modules "on the fly" on the local system instead of building them centrally on the Debian infrastructure, and it can sign each rebuilt module automatically. On systems with Secure Boot enabled you need a Machine Owner Key (MOK) to load DKMS modules: generate it, enroll it, point dkms at it, and the signed modules will load. If you install kernel modules through the apt repository, chances are that they have already been signed by the DKMS signing key; in that case the traditional method below is not what you need, and the only thing to do is enroll the DKMS signing key into your machine.
In Debian, it depends on the dkms package:
$ sudo apt install dkms
In order for dkms to automatically sign kernel modules, it must be told which key to sign the module with. This is done by adding two configuration values to "/etc/dkms/framework.conf", adjusting paths as required:
mok_signing_key="/var/lib/shim-signed/mok/MOK.priv"
mok_certificate="/var/lib/shim-signed/mok/MOK.der"
DKMS Sign Helper Script
If these values are provided and dkms is able to build modules but does not attempt to sign them, then it is likely that sign_tool is missing. This is more common in older and/or custom kernels. In "/etc/dkms/framework.conf", add:
sign_tool="/etc/dkms/sign_helper.sh"
Create "/etc/dkms/sign_helper.sh" (make it executable) with the key paths you actually use; /root/.mok/client.priv and client.der below are the example paths from the DKMS README, so replace them with your MOK.priv and MOK.der:
#!/bin/sh
exec /lib/modules/"$1"/build/scripts/sign-file sha512 /root/.mok/client.priv /root/.mok/client.der "$2"
Set Linux kernel info variables
$ VERSION="$(uname -r)"
$ SHORT_VERSION="$(uname -r | cut -d . -f 1-2)"
$ MODULES_DIR=/lib/modules/$VERSION
$ KBUILD_DIR=/usr/lib/linux-kbuild-$SHORT_VERSION
Making DKMS modules signed with the DKMS signing key usable with Secure Boot
If you install kernel modules through the apt repository, chances are that they have already been signed by the DKMS signing key. In that case the traditional method won't work, and the only thing you need to do is enroll the DKMS signing key into your machine. Here is how:
First, use the method described under "Verifying if a module is signed" (end of step 6.2) to check that the modules are signed by the DKMS signing key.
Next, find the location of the MOK signing key and certificate. You can view the location in /etc/dkms/framework.conf; the default location is /var/lib/dkms.
Then, run the following command to enroll the key into the machine:
$ sudo mokutil --import /var/lib/dkms/mok.pub # prompts for a one-time password; adjust the path if the certificate is not located there
$ sudo mokutil --list-new # recheck your key will be prompted on next boot
!rebooting the machine then enters the MokManager EFI utility: enroll MOK, continue, confirm, enter password, reboot!
$ sudo dmesg | grep cert # verify your key is loaded
6.2 Traditional Method: signing the Debian kernel with sbsigntool
Building and signing modules is independent of building and signing your own kernel (vmlinuz). To sign a custom kernel or any other EFI binary you want to have loaded by Shim, you’ll need to use a different command: sbsign (PEM). In this case, we’ll need the certificate in a different format, mokutil needs DER, sbsign needs PEM. Convert the certificate into PEM (.der to .pem), for example:
$ sudo openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
For example, use it to sign our Kernel:
$ sudo sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-$VERSION" --output "/boot/vmlinuz-$VERSION.tmp"
$ sudo mv "/boot/vmlinuz-$VERSION.tmp" "/boot/vmlinuz-$VERSION"
For example, use it to sign our EFI binary:
$ sudo sbsign --key MOK.priv --cert MOK.pem grubx64.efi --output grubx64.efi.signed
$ sudo mv "grubx64.efi.signed" "grubx64.efi"
Sign the installed kernel with the key you created, wherever you stored it; this creates a new, signed vmlinuz. Sign vmlinuz using sbsign and the .pem certificate; the kernel image should be at /boot/vmlinuz-[KERNEL-VERSION]:
To check your Kernel version, you can also use the command:
$ uname -r
6.1.0-12-amd64
Signing vmlinuz (kernel) using sbsign:
$ sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-[KERNEL-VERSION] --output /boot/vmlinuz-[KERNEL-VERSION].signed
For example
$ sudo sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem "/boot/vmlinuz-6.1.0-12-amd64" --output "/boot/vmlinuz-6.1.0-12-amd64.signed"
Alternatively:
$ cd /var/lib/shim-signed/mok/
$ sudo sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-[KERNEL-VERSION]" --output "/boot/vmlinuz-[KERNEL-VERSION].signed"
Remove the unsigned one and restore the original name of the signed one, this will create a new signed vmlinuz:
$ sudo mv "/boot/vmlinuz-6.1.0-12-amd64.signed" "/boot/vmlinuz-6.1.0-12-amd64"
Update your grub-config
$ sudo update-grub
Reboot your system and select the signed kernel. Your system should now run under a signed kernel and upgrading GRUB2 works again. If you upgrade the custom kernel, you can sign the new version easily by repeating the sbsign steps above. So back up the MOK keys (MOK.der, MOK.pem, MOK.priv) on an encrypted device.
Verifying if a module is signed. The command modinfo prints the signature fields (signer, sig_key, sig_hashalgo, signature) if present; it takes a module name or .ko file, not the kernel image, for example:
$ sudo modinfo rtw_8723d | grep -E '^(signer|sig_key|sig_hashalgo)'
Other commands (for the kernel image itself use sbverify)
$ sudo dmesg | grep cert
$ sudo sbverify --list /boot/vmlinuz-6.1.0-12-amd64
$ sudo sbverify --cert /etc/mok_key/mok.crt /boot/vmlinuz-6.1.0-12-amd64
3.06 Reset Secure Boot Keys
Reset Key for Kernel
👷🛠️UNDER CONSTRUCTION🚧🏗
https://rodsbooks.com/efi-bootloaders/controlling-sb.html#setuputil
"The ASUS permits to you restore the default keys, so this isn't really vital if you're starting from the factory defaults with this model; but if yours doesn't offer such a reset-to-defaults option or if you've modified the keys, saving them may be prudent. As the name implies, this option also erases all your Secure Boot keys. (It does not erase your MOKs, though.)"
Reset MOK Keys for Modules
👷🛠️UNDER CONSTRUCTION🚧🏗
https://rodsbooks.com/efi-bootloaders/controlling-sb.html#key-revocation
$ sudo mokutil --sb-state
SecureBoot disabled
$ sudo mokutil --disable-validation
Backup: export the enrolled MOKs to files (ideally store them on an encrypted external storage medium).
$ sudo mokutil --export
To remove all MOKs (the MOK list is a list, not a single key: the shim can be made to trust keys from several different vendors, allowing dual and multi-boot):
$ sudo mokutil --reset --mok
$ sudo mokutil --reset
To remove one key, first list the exported keys in the current directory.
$ sudo ls -1 MOK*
Show the keys that are enrolled.
$ sudo mokutil --list-enrolled | grep Subject:
Delete the ones that should not stay enrolled, to maintain Secure Boot.
$ sudo mokutil --delete MOK-0001.der
Uninstall the module, if it was built with a Makefile ("make"):
$ cd ~/realtekwifi
$ sudo make uninstall
or unload it and remove it from DKMS:
$ sudo rmmod 8192eu
$ sudo rmmod rtl8xxxu
$ sudo dkms remove -m rtl8192eu -v 1.0
or identify the network hardware first:
$ sudo lshw -C network
Rebuild the module dependency list and the initramfs so the kernel no longer loads them:
$ sudo depmod -a -v
$ sudo update-initramfs -k all -u -v
3.07 OpenSSL Errors
Error 1 - No such file
At main.c:298: - SSL error:FFFFFFFF80000002:system library::No such file or directory: ../crypto/bio/bss_file.c:67 - SSL error:10000080:BIO routines::no such file: ../crypto/bio/bss_file.c:75
Error 2 - Unable to get passphrase
At main.c:170: - SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../crypto/passphrase.c:184 - SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../crypto/passphrase.c:184 - SSL error:1C80009F:Provider routines::unable to get passphrase: ../providers/implementations/encode_decode/decode_epki2pki.c:96 - SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../crypto/passphrase.c:184 - SSL error:04800068:PEM routines::bad password read: ../crypto/pem/pem_pkey.c:155 sign-file: /var/lib/shim-signed/mok/MOK.priv: Success
Possible causes: the certificate or the key is missing. The message is telling us that one of the two files DKMS or openssl.cnf is looking for is not where it is being looked for. Another possibility: to sign a custom kernel or any other EFI binary you want to have loaded by shim, you need a different command, sbsign or mokutil, and the certificate in a different format: mokutil needs DER, sbsign needs PEM. Convert the certificate into PEM (.der to .pem).
Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its default, the kernel build will automatically generate a new keypair using openssl if one does not exist in the file certs/signing_key.pem during the building of vmlinux (the public part of the key needs to be built into vmlinux), using the parameters in the certs/x509.genkey file (which is also generated if it does not already exist).
It is strongly recommended that you provide your own x509.genkey file.
As long as the signing key is enrolled in shim and does not contain the Object Identifier (OID) from earlier (since that limits the use of the key to kernel module signing), the binary should be loaded just fine by shim.
Cause 1
Wrong syntax of sign-file. The expected syntax is: sign-file <hash algo> <private key> <x509 certificate> <module>, for example:
$ sudo scripts/sign-file sha512 kernel-signkey.priv kernel-signkey.x509 module.ko
https://kernel.org/doc/html/v4.15/admin-guide/module-signing.html
Cause 2
This is where Debian places openssl.cnf for the OpenSSL they provide:
$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
$ ls -l /usr/lib/ssl
lrwxrwxrwx 1 root root mmm 30 mm:mm openssl.cnf -> /etc/ssl/openssl.cnf
$ ls -l /etc/ssl/
-rw-r--r-- 1 root root mmm 30 mm:mm openssl.cnf
The lookup is buried in the OpenSSL source code for apps.c, in load_config, and in what happens when openssl.cnf is NULL (i.e., no -config option and no OPENSSL_CONF environment variable). When openssl.cnf is NULL and nothing overrides it, the file under OPENSSLDIR is used.
Cause 3
Wrong syntax of OpenSSL
*Man page: man openssl
$ sudo openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config openssl.cnf -outform DER -out MOK.der -keyout MOK.priv
$ sudo openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -outform DER -out MOK.der -keyout MOK.priv
*Ubuntu: https://ubuntu.com/blog/how-to-sign-things-for-secure-boot
$ sudo openssl req -config ./openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER -keyout "MOK.priv" -out "MOK.der"
*Debian: https://wiki.debian.org/SecureBoot
$ sudo openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/"
$ sudo openssl x509 -inform der -in MOK.der -out MOK.pem
*Fedora: https://docs.fedoraproject.org/en-US/quick-docs/kernel-build-custom/
$ sudo openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" -outform DER -out "cert.der" -nodes -days 36500 -subj "/CN= yourname/"
Solutions
Solution 1:
$ sudo dpkg -S sign-file
Solution 2:
Location
$ openssl version -d
You can use strace (man strace) to check the configuration file being used while generating the self-signed certificate.
$ strace -e trace=open,openat -o /tmp/strace.log.0 openssl req \
-newkey rsa:2048 -x509 -nodes -keyout localhost.key \
-new -out localhost.crt
$ grep "openssl.cnf" /tmp/strace.log.0
openat(AT_FDCWD, "/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
$ sudo cat /etc/ssl/openssl.cnf
openssl_conf = openssl_init
To override the system default at user level, an empty file will do:
$ touch ~/.openssl.cnf
Define and export it in bash:
$ export OPENSSL_CONF=~/.openssl.cnf
Or wrap the application in a script that disables the configuration file entirely:
$ export OPENSSL_CONF=/dev/null
Solution 3:
Rescue if install/build fails in previous step
$ sudo apt-get install -f
$ sudo dpkg-reconfigure broadcom-sta-dkms
3.08 Sign Wi-Fi
How to get Wi-Fi Module signed for Secure Boot
Mandatory packages: openssl, sign-file and mokutil.
If you are going to compile the module against the kernel, the maintainer will usually list the packages to install beforehand. For example, you will need "make", "gcc", the kernel headers, build-essential and "git":
$ sudo apt install git make gcc build-essential linux-image-$(uname -r|sed 's,[^-]*-[^-]*-,,') linux-headers-$(uname -r|sed 's,[^-]*-[^-]*-,,')
Brief - Sign with Sign-file
1- Install the driver and test it without Secure Boot
2- Enable Secure Boot
3- Generate a private and a public key
4- Import the public key
5- Reboot and enroll it
6- Sign the module with sign-file
- Check if secure boot is enabled. When Secure Boot is disabled, the shimx64.efi will just directly load the real grubx64.efi bypassing all the Secure Boot steps, including loading the MOK. With the MOK not loaded, the kernel will have no way to recognize the signature on your module as valid. And with Secure Boot disabled, a signed module with an invalid signature is rejected, while unsigned modules only get a warning and a taint mark on any future oops/panic messages.
$ sudo mokutil --sb-state
SecureBoot enabled
You can create a personal public/private RSA key pair to sign the kernel modules. You can choose to store the key pair, for example, in the /var/lib/shim-signed/mok/ directory. Then create a new pair of private key (MOK.priv) and public key (MOK.der).
$ sudo mkdir -p /var/lib/shim-signed/mok
$ sudo openssl req -config /usr/lib/ssl/openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER -keyout "/var/lib/shim-signed/mok/MOK.priv" -out "/var/lib/shim-signed/mok/MOK.der" -subj "/CN=MODULE/"
$ ls -l /var/lib/shim-signed/mok/
total 8
-rw-r--r-- 1 root root  779 MOK.der
-rw------- 1 root root 1704 MOK.priv
$ sudo chmod 600 /var/lib/shim-signed/mok/*
- Enroll the public key (MOK.der) to MOK (Machine Owner Key) by entering the command:
$ sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
input password:
input password again:
Recheck if your key will be prompted on next boot:
$ sudo mokutil --list-new
- Reboot and Enroll
The password in this step is a temporary password you only need to remember for a few minutes. Reboot the machine. When the bootloader starts, you should see a screen asking you to press a button to enter the MOK manager EFI utility. Note that external keyboards won't work in this step. Select Enroll MOK in the first menu, then Continue, then select Yes to enroll the keys, and re-enter the password established in the previous step. Then select OK to continue the system boot.
Steps: -> "Enroll MOK" -> "Continue". -> "Yes". -> Enter the password you set up just now. -> Select "OK" and the computer will reboot again.
There are several commands to verify that your key "MODULE" is loaded and enrolled:
$ sudo mokutil --test-key /var/lib/shim-signed/mok/MOK.der
$ sudo dmesg | grep cert
$ sudo cat /proc/keys | grep MODULE
$ openssl x509 -in /var/lib/shim-signed/mok/MOK.der -inform DER -text -noout
- Sign the module with sign-file
Use the same password you used before when setting up the MOK in the firmware, to avoid confusion. Type the password carefully, with no errors: read -s does not echo, so the terminal will simply wait for your input.
$ sudo su
~# read -s KBUILD_SIGN_PIN
Next, export it in the same root shell and sign all modules.
~# export KBUILD_SIGN_PIN
NOTE: KBUILD_SIGN_PIN allows a passphrase or PIN to be passed to the sign-file utility when signing kernel modules, if the private key requires such.
To sign the module you need sign-file; depending on your platform its exact location may vary. In Debian 12 (Bookworm) with the generic kernel it is at /usr/src/linux-kbuild-$(uname -r | cut -d . -f 1-2)/scripts/sign-file .
And where was the module installed? In /lib/modules/$(uname -r)/kernel/drivers/*.ko
$ sudo modinfo -n rtw_8723d
/lib/modules/6.1.0-13-amd64/kernel/drivers/net/wireless/realtek/rtw88/rtw_8723d.ko
To sign modules (with your KBUILD_SIGN_PIN), go to the directory containing the modules, and run
$ sudo su
~# cd /lib/modules/6.1.0-13-amd64/kernel/drivers/net/wireless/realtek/rtw88/
~# /usr/src/linux-kbuild-6.1/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der rtw_8723d.ko
Another form, not tested:
sudo --preserve-env=KBUILD_SIGN_PIN sh /usr/src/linux-kbuild-$(uname -r | cut -d . -f 1-2)/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der $(modinfo -n rtw_8723d)
Assuming you type the password correctly, you won't get any errors. You should now be able to see that the module is signed. You can pick any module in that directory, but as an example:
$ sudo modinfo rtw_8723d
(...)
signer: MODULE
sig_key:XX:XX:XX:XX:XX:XX:XX:XX...
sig_hashalgo: sha256
signature:XX:XX:XX:XX:XX:XX:XX:XX...
(...)
NOTE: the filename may differ; use tab completion to find the right file when checking a module with another name.
You can try loading the module:
$ sudo modprobe -v rtw_8723d
After any kernel module loading failure, you should check the dmesg output: it might include a more specific error message. In this case it is likely to indicate that a module signature failed a validity check.
$ sudo dmesg --since -1m
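A small pre-flight for the checks above, added here as an example (not from the original page): it reads the Secure Boot state the way mokutil --sb-state does (the SecureBoot EFI variable holds four attribute bytes followed by a one-byte value) and compares the signer and hash algorithm in modinfo output with the MOK you enrolled. The function names and the sample modinfo text are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the sample
# modinfo text below are constructed for this example.

# Secure Boot state, read the way mokutil --sb-state does: the SecureBoot
# EFI variable holds 4 attribute bytes followed by a 1-byte value (1 = on).
# Optional argument: path of the variable file (defaults to efivarfs).
# Prints enabled, disabled or unknown.
sb_state() {
    var=$1
    if [ -z "$var" ]; then
        for f in /sys/firmware/efi/efivars/SecureBoot-*; do var=$f; break; done
    fi
    if [ ! -r "$var" ]; then echo unknown; return 2; fi
    byte=$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' \n')
    case "$byte" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown; return 2 ;;
    esac
}

# Read modinfo output on stdin; print "signer|hashalgo", or nothing if the
# module carries no signature.
modinfo_signature() {
    awk -F': *' '
        $1 == "signer"       { signer = $2 }
        $1 == "sig_hashalgo" { algo = $2 }
        END { if (signer != "") printf "%s|%s\n", signer, algo }'
}

# Compare the signature in modinfo output (stdin) with the CN of the MOK
# you enrolled. Returns 0 when signer and hash match, 1 otherwise.
check_module_signature() {
    expected_signer=$1
    expected_algo=${2:-sha256}
    sig=$(modinfo_signature)
    if [ -z "$sig" ]; then
        echo "unsigned: loads only with a taint warning, and not at all under Secure Boot"
        return 1
    fi
    signer=${sig%%|*}
    algo=${sig#*|}
    if [ "$signer" != "$expected_signer" ]; then
        echo "signed by '$signer', not by the enrolled MOK '$expected_signer'"
        return 1
    fi
    if [ "$algo" != "$expected_algo" ]; then
        echo "signed with $algo, expected $expected_algo"
        return 1
    fi
    echo "signed by $signer ($algo)"
}

# Constructed sample of modinfo output for a module signed with the MOK
# from the steps above (key material replaced with XX).
SAMPLE_MODINFO='filename:       /lib/modules/6.1.0-13-amd64/kernel/drivers/net/wireless/realtek/rtw88/rtw_8723d.ko
signer:         MODULE
sig_key:        XX:XX:XX:XX:XX:XX:XX:XX
sig_hashalgo:   sha256
signature:      XX:XX:XX:XX:XX:XX:XX:XX'

# Pre-flight for a real module on this machine: Secure Boot state plus
# signature check. Usage: preflight rtw_8723d MODULE
preflight() {
    echo "Secure Boot: $(sb_state)"
    modinfo "$1" | check_module_signature "$2"
}
```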
If the modules are needed to boot your machine, make sure to update the initramfs, e.g. using
$ sudo update-initramfs -k all -u
Building and signing modules is independent of building and signing your own kernel. To sign a custom kernel or any other EFI binary you want to have loaded by shim, you'll need a different command: sbsign. In this case the certificate is needed in a different format: mokutil needs DER, sbsign needs PEM. Convert the certificate into PEM (.der to .pem), for example:
$ sudo openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
For example, use it to sign our Kernel:
$ sudo sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-$VERSION" --output "/boot/vmlinuz-$VERSION.tmp"
$ sudo mv "/boot/vmlinuz-$VERSION.tmp" "/boot/vmlinuz-$VERSION"
For example, use it to sign our EFI binary:
$ sudo sbsign --key MOK.priv --cert MOK.pem my_binary.efi --output my_binary.efi.signed
As long as the signing key is enrolled in shim and does not contain the Object Identifier (OID) from earlier (since that limits the use of the key to kernel module signing), the binary should be loaded just fine by shim.
5.VirtualBox Sign Helper Script
Future kernel updates would require the updated kernels to be signed again, so it makes sense to put the signing commands in a script that can be run at a later date as necessary (DKMS package could do it automatically).
$ sudo touch /var/lib/shim-signed/modules/sign-vbox-modules
$ sudo nano /var/lib/shim-signed/modules/sign-vbox-modules
#!/bin/bash
# Sign every .ko in the directory that contains the given module
# (replace yourmodulehere with the module name, e.g. vboxdrv).
set -e
MODULE=yourmodulehere
for modfile in "$(dirname "$(modinfo -n "$MODULE")")"/*.ko; do
    echo "Signing $modfile"
    /usr/src/linux-headers-$(uname -r)/scripts/sign-file sha256 \
        /var/lib/shim-signed/modules/module.priv \
        /var/lib/shim-signed/modules/module.der "$modfile"
done
Add execution permission, and run the script above as root from the /var/lib/shim-signed/modules/ directory.
$ sudo -i
# cd /var/lib/shim-signed/modules
# chmod 700 /var/lib/shim-signed/modules/sign-vbox-modules
# ./sign-vbox-modules
Load vboxdrv module and launch VirtualBox.
$ sudo modprobe vboxdrv
or
$ /sbin/modprobe vboxdrv
3.09 Sign NVIDIA
https://wiki.debian.org/DontBreakDebian#Don.27t_use_GPU_manufacturer_install_scripts
https://github.com/NVIDIA/open-gpu-kernel-modules
https://askubuntu.com/questions/1023036/how-to-install-nvidia-driver-with-secure-boot-enabled
Download the latest driver from the NVIDIA website: https://geforce.com/drivers.
Create a new pair of private key (Nvidia.key) and public key (Nvidia.der) by running the command:
openssl req -new -x509 -newkey rsa:2048 -keyout PATH_TO_PRIVATE_KEY -outform DER -out PATH_TO_PUBLIC_KEY -nodes -days 36500 -subj "/CN=Graphics Drivers"
Example:
openssl req -new -x509 -newkey rsa:2048 -keyout /home/$USER/Nvidia.key -outform DER -out /home/$USER/Nvidia.der -nodes -days 36500 -subj "/CN=Graphics Drivers"
Enroll the public key (nvidia.der) to MOK (Machine Owner Key) by entering the command:
sudo mokutil --import PATH_TO_PUBLIC_KEY
Example:
sudo mokutil --import /home/$USER/Nvidia.der
This command asks you to create a password for enrolling. Afterwards, reboot your computer; on the next boot, when the system asks you to enroll, enter the password you created in this step to enroll the key. Read more: https://sourceware.org/systemtap/wiki/SecureBoot
For installing the NVidia driver for the first time, you need to disable the Nouveau kernel driver by entering the command:
echo options nouveau modeset=0 | sudo tee -a /etc/modprobe.d/nouveau-kms.conf; sudo update-initramfs -u
Reboot.
Install the driver by entering the command:
sudo sh ./XXXXXX.run -s --module-signing-secret-key=PATH_TO_PRIVATE_KEY --module-signing-public-key=PATH_TO_PUBLIC_KEY
here:
XXXXXX: name of file installer (downloaded from NVIDIA).
PATH_TO_PRIVATE_KEY: full path to private key. If you place it in your home folder, use /home/USER_NAME/ instead of ~.
PATH_TO_PUBLIC_KEY: full path to public key. If you place it in your home folder, use /home/USER_NAME/ instead of ~.
Example:
sudo sh ./NVIDIA-Linux-x86_64-390.67.run -s --module-signing-secret-key=/home/$USER/Nvidia.key --module-signing-public-key=/home/$USER/Nvidia.der
Done.
3.10 Sign VirtualBox
How to get VirtualBox signed for Secure Boot
https://wiki.debian.org/SecureBoot#MOK_-_Machine_Owner_Key
3.12 rEFInd Bootloader
https://rodsbooks.com/refind/getting.html
https://wiki.ubuntu.com/EFIBootLoaders
3.13 Sign Custom Secure Keys
https://github.com/nsacyber/Hardware-and-Firmware-Security-Guidance/blob/master/secureboot/Linux.md
3.14 Encrypted boot
Encrypted boot partition manager with UEFI Secure Boot support
https://github.com/xmikos/cryptboot
https://github.com/kmille/cryptboot
3.15 Sign with TPM 2.0
https://github.com/squarooticus/efi-measured-boot
https://github.com/osresearch/safeboot
3.16 Secure Boot with Yubikey
https://github.com/DimanNe/secure-boot
https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi
👷🛠️UNDER CONSTRUCTION🚧🏗
4.01 Introduction
*It seems that the worst problem is collateral intrusion, the involvement of seemingly trustworthy uninvolved close third parties. The end of trust.
*OWASP Principles
4.02 Apparmor
https://github.com/Kicksecure/security-misc
https://apparmor.net
https://wiki.debian.org/AppArmor
https://wiki.debian.org/AppArmor/HowToUse
https://github.com/Kicksecure/apparmor-profile-torbrowser
https://wiki.ubuntu.com/DebuggingApparmor
$ sudo apt install -y apparmor
$ sudo apt install -y apparmor-profiles
$ sudo apt install -y apparmor-utils
$ sudo apt install -y apparmor-profiles-extra
*Note: an AppArmor rule could prevent port use by an individual program.
4.03 Privileges
$ su
# usermod -aG sudo username
# exit
$ getent group sudo
*Logoff to take effect.
-a - append groups to the groups the user belongs to (instead of overwriting them).
groupnames - a comma-separated (no spaces!) list of group names to add the user to.
The user must log out and back in for group membership updates to be applied.
To avoid being prompted for a password when running commands with sudo, one common option is to append NOPASSWD:ALL to your user name in the /etc/sudoers file. Obviously, this is a security risk. Instead, you can run the sudo command with the -s ("shell") flag so that the sudo session persists until you close the terminal (end the session). To explicitly end the session run sudo -k ("kill").
Reference
$ sudo chown user:user -R /home
$ sudo chown user:user -R /media
$ sudo chmod 766 -R /home
$ sudo chmod 766 -R /media
*Note: chmod 766 -R makes every file under these trees writable by every local user, so it is a risk on any machine with more than one account.
4.04 Audit System
https://redhat.com/sysadmin/configure-linux-auditing-auditd
$ sudo apt install lynis
$ sudo apt install checksecurity
$ sudo apt install auditd
$ sudo apt install chkrootkit
$ sudo apt install rkhunter
$ sudo apt install chkboot
4.05 Antimalware
Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs.
https://dangerzone.rocks
https://github.com/freedomofpress/dangerzone
https://clamav.net
https://docs.clamav.net
https://docs.clamav.net/manual/Usage
https://github.com/Cisco-Talos/clamav
https://wiki.archlinux.org/title/ClamAV
ClamAV is a malware detection toolkit, not an endpoint security suite. ClamAV does not disinfect files; it only removes them from the system or moves them to a specified location.
"Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. Because ClamAV's main use is on file/mail servers for Windows desktops, it primarily detects Windows viruses and malware with its built-in signatures."
False positives happen, so including the --remove option to delete any file that alerts during a scan is generally a terrible idea.
https://github.com/dave-theunsub/clamtk
$ sudo apt install clamtk
$ sudo apt install -y clamav
$ sudo apt install -y clamav-daemon
$ sudo systemctl start clamav-freshclam
$ sudo freshclam
*Note that Clamscan doesn't need the daemon running.
*Note that the "clamd" process (clamav-daemon.service) uses about 1 GB of memory (doubling to 2 GB while a new database is loaded), because it loads the complete virus-definition database into memory. On the other hand, this is what makes it so fast. You can limit its resource use:
$ sudo nano /etc/clamav/clamd.conf
ConcurrentDatabaseReload no
ReadTimeout 10
MaxThreads 3
$ sudo nano /etc/systemd/system/clamav-daemon.service.d/extend.conf
[Service]
IOSchedulingPriority = 7
CPUSchedulingPolicy = 5
MemoryLimit=256M
CPUQuota=30%
Nice = 19
• Commands
$ man clamscan
• Basic command to scan the whole system, copy infected files and log
$ mkdir /home/$USER/Virus && touch /home/$USER/Virus/Virus.txt
$ sudo freshclam && sudo clamscan -vir --copy=/home/$USER/Virus --log=/home/$USER/Virus/Virus.txt --exclude-dir="^/sys" /
• Basic command to scan the whole system, move infected files and log
$ mkdir /home/$USER/Virus && touch /home/$USER/Virus/Virus.txt
$ sudo freshclam && sudo clamscan -vir --move=/home/$USER/Virus --log=/home/$USER/Virus/Virus.txt --exclude-dir="^/sys" /
• Scan a file
$ clamscan --verbose /file.bin
• Scan compressed files
$ clamscan --verbose --scan-archive --alert-exceeds-max --alert-encrypted /file.zip
• Others
$ clamscan -vr --suppress-ok-results --bell /home/$USER
$ clamscan -vro --heuristic-alert --copy=/home/$USER/Virus --log=/home/$USER/Virus/Virus.txt --bell /home/$USER
$ clamscan -vro --bell --remove /home/$USER
• Debug
$ sudo cat /etc/clamav/clamd.conf
$ sudo nano /etc/clamav/clamd.conf
$ sudo nano /etc/systemd/system/clamav-daemon.service.d/extend.conf
$ sudo cat /var/log/clamav/clamav.log
$ sudo systemctl status clamav-daemon
$ sudo systemctl stop clamav-daemon
$ sudo systemctl disable clamav-daemon
$ sudo systemctl status clamav-freshclam
$ sudo systemctl stop clamav-freshclam
$ sudo systemctl disable clamav-freshclam
$ sudo crontab -l
$ sudo systemctl list-timers
*If you get AppArmor denials about clamd, set the profile to a complain-only mode:
$ sudo aa-complain clamd
• RFXN
https://rfxn.com/projects/linux-malware-detect
• Malware Blocklist
https://malwareblocklist.org
https://infosecinstitute.com/resources/reverse-engineering/malware-analysis-clamav-yara
$ sudo apt install yara
$ sudo clamscan -d yara.rule -r /
https://eset.com/my/home/antivirus-linux/download
4.06 Updating
https://www.debian.org/doc/manuals/debian-handbook/sect.regular-upgrades.en.html
Apply security updates as quickly as possible. According to 2020 research conducted by Unit 42 at Palo Alto Networks, approximately 80% of exploits are published faster than the corresponding Common Vulnerabilities and Exposures (CVEs).
sudo apt install systemd-cron
?
• Commands
$ sudo crontab -l
$ sudo systemctl list-timers
$ systemctl start "service"
$ systemctl enable "service"
$ systemctl status "service"
👷🛠️UNDER CONSTRUCTION🚧🏗
5.01 Router
https://docs.fsfe.org/en/teams/router-freedom-tech-wiki
https://fsfe.org/contribute/spreadtheword#device-neutrality
"There are a number of open-source options for routers that will take even a small consumer router and turn it into a powerful device with enterprise-level capabilities. My personal favorite is DD-WRT, but other popular options include pfSense, OpenWRT, and Tomato. While you can buy pre-flashed devices in some cases (FlashRouters for DD-WRT and Protectli for pfSense), I always encourage you to do it yourself if you’re comfortable to ensure maximum security (and also to be familiar with the update process). Having said all of this, if you are unsure if an open source router is right for you (the wealth of options can be overwhelming to some), I still encourage you to get a router that wasn’t provided by your ISP. Make sure it offers VLANs and VPN capabilities, as we will be using these heavily to protect your home."
https://thenewoil.org/en/guides/quick-start/wifi-guide
Router | Firmware
---|---
EdgeRouter and Ubiquiti, GL.iNet, Netduma, Netgear, MikroTik, Peplink/Pepwave | OpenWRT, AsusWRT Merlin, DD-WRT, DrayTek Vigor, OPNsense 19.1, Padavan, pfSense 2.4.4, pfSense 2.4.5, pfSense 2.5, Sabai, Tomato
https://openwrt.org
https://pfsense.org
https://avoidthehack.com/router-wireless-guide
- Change the default router password
- Turn off UPnP
- Use the router’s firewall capabilities
- Use sufficient Wi-Fi encryption
- Set a strong Wi-Fi password
- Change the Wi-Fi (SSID) name from the default
- Hide the Wi-Fi (SSID)
- Consider using open-source router firmware
- Keep router firmware updated
- Keep other software up to date
*These are consumer-level measures, not military grade. For home use, consider dropping Wi-Fi altogether and using a wired RJ-45 connection (or a USB Ethernet adapter).
*Misconfigured DNS settings on a router may lead to the device sending DNS queries to unintended DNS servers.
5.02 Network
$ sudo apt install network-manager-gnome
$ sudo apt install network-manager
Commands
• Connecting to Wi-Fi manually with nmcli
$ nmcli dev status
$ nmcli radio wifi on
• List Wi-Fi networks
$ nmcli dev wifi list
• Connect
$ sudo nmcli dev wifi connect SSID(TAB)
$ sudo nmcli --ask dev wifi connect SSID(TAB)
• Disconnecting
$ nmcli con down NAME
• Saved connections
$ ls /etc/NetworkManager/system-connections/
Commands
• Editing
$ nmcli connection edit
$ nmcli connection edit type wifi
$ nmcli c edit type vpn
$ nmcli c up wificonnectionname
$ nmcli c show wificonnectionname
$ nmcli connection show
$ nmcli connection reload
• Activating MAC randomization
$ nmcli connection modify NAME 802-11-wireless.mac-address-randomization always
Config files
$ sudo ls /etc/NetworkManager/
$ sudo ls /etc/NetworkManager/system-connections/
$ sudo nano /etc/NetworkManager/system-connections/mywifiname
$ sudo nano /etc/NetworkManager/NetworkManager.conf
$ sudo apt install connman-ui
$ sudo apt install connman
https://unix.stackexchange.com/questions/253030/how-to-setup-network-without-wicd-or-networkmanager
Set up static networking. The example below configures wlan0 only because that machine used wireless; if you don't, just skip the wireless-related parts.
Show your interfaces:
$ ip a show
Note the default Ethernet and wifi interfaces:
Looks our Ethernet port is eth0 and WiFi radio is wlan0
$ ip a show | awk '/^[0-9]: /{print $2}'
The output of this command will look something like this:
lo:
eth0:
wlan0:
Your gateway IP address is found with:
$ sudo route -n
It provides access to destination 0.0.0.0 (everything). Possibly it is 192.168.0.1, which is perfectly nominal.
Let’s do a bit of easy configuration in our /etc/network/interfaces file. The format of this file is not difficult to put together from the man page, but really, you should search for examples first. Plug in your Ethernet port.
Basically, we’re just adding DHCP entries for our interfaces. Above you’ll see a route to another network that appears when I get a DHCP lease on my Ethernet port. Next, add this:
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto wlan0
iface wlan0 inet dhcp
Next, enable and start the networking service:
sudo update-rc.d networking enable
sudo /etc/init.d/networking start
Let’s make sure this works, by resetting the port with these commands:
sudo ifdown eth0
sudo ip a flush eth0
sudo ifup eth0
This downs the interface, flushes the address assignment to it, and then brings it up. Test it out by pinging your gateway IP: ping 192.168.0.1. If you don’t get a response, your interface is not connected or you made a typo.
Let’s “do some WiFi” next! We want to make an /etc/wpa_supplicant.conf file. Consider mine:
network={
ssid="CenturyLink7851"
scan_ssid=1
key_mgmt=WPA-PSK
psk="4f-------------ac"
}
Now we can reset the WiFi interface and put this to work:
sudo ifdown wlan0
sudo ip a flush wlan0
sudo ifup wlan0
sudo wpa_supplicant -Dnl80211 -c /root/wpa_supplicant.conf -iwlan0 -B
sudo dhclient wlan0
That should do it. Use a ping to find out, and do it explicitly from wlan0, so it gets its address first:
$ ip a show wlan0 | grep "inet"
Presumably dhclient updated your /etc/resolv.conf, so you can also do a:
ping -I 192.168.0.45 www.yahoo.com
You’re now running without NetworkManager!
https://askubuntu.com/questions/637637/how-to-reset-network-manager-to-default
5.03 DNS
https://wiki.debian.org/NetworkConfiguration
https://wiki.debian.org/resolv.conf
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/manually-configuring-the-etc-resolv-conf-file_configuring-and-managing-networking
https://github.com/jonathanio/update-systemd-resolved
https://freedesktop.org/software/systemd/man/systemd.network.html
https://salsa.debian.org/debian/resolvconf
An open-source implementation of resolvconf to properly configure DNS and prevent DNS leaks.
https://roy.marples.name/projects/openresolv
https://wiki.archlinux.org/title/Systemd-resolved
https://freedesktop.org/software/systemd/man/latest/systemd-resolved.service.html
https://developers.cloudflare.com/1.1.1.1/ip-addresses
https://opendns.com/setupguide
https://docs.fsfe.org/en/teams/router-freedom-tech-wiki
Misconfigured DNS settings on a router may lead to the device sending DNS queries to unintended DNS servers. Verify the DNS of your WAN are set in your router.
The Pi-hole ® is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software.
https://pi-hole.net
https://docs.pi-hole.net
https://reddit.com/r/pihole
5.04 Firewall
Visit our repo tree: 3.NETWORK/3.03_Firewall
Note that these commands show ports that are in a listening state, but that doesn’t necessarily mean that the ports are open to the internet, because our firewall may be denying connections.
https://gufw.org
https://help.ubuntu.com/community/Gufw
$ sudo apt install gufw
https://launchpad.net/ufw
https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29
https://wiki.archlinux.org/title/Uncomplicated_Firewall
http://manpages.ubuntu.com/manpages/precise/man8/ufw.8.html
https://help.ubuntu.com/community/UFW
https://paulligocki.com/vpn-only-ufw-setup
https://linuxconfig.org/how-to-install-and-use-ufw-firewall-on-linux
https://openvpn.net
https://pypi.org/project/openpyn
$ sudo apt install ufw
Commands, basic, to install UFW
$ sudo apt install ufw
$ sudo ufw enable
$ sudo ufw status
$ sudo nano /etc/default/ufw
IPV6=no
$ sudo nano /etc/sysctl.conf
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
$ sudo ufw status numbered
$ sudo iptables -L --line-numbers
$ sudo ufw delete 123
$ sudo ufw reload
$ sudo reboot
• R-fx Networks Projects - https://rfxn.com
• Vuurmuur Firewall - https://vuurmuur.org
• Port Checker - https://portchecker.co
Note: an AppArmor rule could prevent port use by an individual program.
Commands, some advanced commands
• Show which ports are listening for connections
$ ss -tlnp
• Check for open ports with nmap (scanning localhost shows what listens, not what is reachable from outside)
$ sudo apt install nmap
$ sudo nmap localhost
• Find the name and IP address of your tunnel interface
$ ip -o addr show
• Watch DNS queries (port 53) on any interface, from one host only, or on the tunnel only
$ sudo apt install tcpdump
$ sudo tcpdump -eni any port 53
$ sudo tcpdump -eni any port 53 and host 172.27.10.22
$ sudo tcpdump -n -i tun0 udp port 53
• Show iptables rules
$ sudo iptables -L --line-numbers
• Open the TCP SSH port for one VPN IP only
$ sudo ufw allow from 1.2.3.4 to any port 22 proto tcp comment 'Open TCP SSH PORT for VPN IP only'
• Open the TCP torrent port on the tunnel for the VPN subnet only
$ sudo ufw allow in on tun0 from 10.8.0.0/16 to any port 60000 proto tcp comment 'Open TCP Torrent PORT for VPN IP only'
• Accept return traffic for a port forwarded by the router (related/established packets only, not new connections)
$ sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -p udp --dport 51413 -j ACCEPT
• Allow torrent uploads from that port
$ sudo iptables -A OUTPUT -p udp --sport 51413 -j ACCEPT
$ sudo ufw allow 51413/udp
$ sudo iptables -L --line-numbers
• Reset UFW to defaults (removes all rules)
$ sudo ufw reset
• Troubleshooting: iptables-persistent restores its own saved rules at boot and can conflict with UFW
$ sudo apt purge iptables-persistent
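Listening is not the same as exposed: a socket bound to 127.0.0.1 is unreachable from the network no matter what the firewall says, while one bound to 0.0.0.0 or [::] is reachable on every interface unless a rule blocks it. The script below, an added example for this page and not from iproute2 or any project, filters `ss -tlnp` output down to the sockets a firewall rule actually has to cover. It assumes the standard `ss -tlnp` column layout; the sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# exposed_listeners: read `ss -tlnp` output on stdin and print only the
# listening TCP sockets bound to something other than loopback.
# Output: <address> <port> <process> <all-interfaces|one-address>

exposed_listeners() {
    awk '
    $1 == "LISTEN" {
        n = split($4, a, ":")                          # "Local Address:Port" column
        port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        sub(/%.*/, "", addr)                            # drop scope id, e.g. 127.0.0.53%lo
        if (addr ~ /^127\./ || addr == "[::1]") next    # loopback only: not exposed
        scope = (addr == "0.0.0.0" || addr == "[::]" || addr == "*") ? "all-interfaces" : "one-address"
        proc = "-"
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        printf "%s %s %s %s\n", addr, port, proc, scope
    }'
}

# Constructed sample of `ss -tlnp` output (not a real capture).
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*          users:(("cupsd",pid=640,fd=7))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       4096    127.0.0.53%lo:53     0.0.0.0:*          users:(("systemd-resolve",pid=512,fd=13))
LISTEN  0       128     192.168.1.10:9091    0.0.0.0:*          users:(("transmission-da",pid=1200,fd=12))'

if [ "${1:-}" = "--live" ]; then
    ss -tlnp | exposed_listeners          # on a real system; run as root to see process names
else
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
fi
```

On the sample this prints the two sshd sockets (all interfaces) and the Transmission RPC port bound to the LAN address; cupsd and the stub resolver are dropped because only loopback can reach them. Run it with --live on a real host and compare the list against `ufw status numbered`: every line it prints needs either a deliberate allow rule or a service configuration change to bind it to 127.0.0.1.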
Commands, UFW application profiles
$ sudo ls /etc/ufw/applications.d/
$ sudo touch /etc/ufw/applications.d/ufw-custom
$ sudo nano /etc/ufw/applications.d/ufw-custom
[CustomApp 1 Full]
title=The first Custom Application
description=Custom Application Description
ports=36892|23976|19827

[CustomApp 1 TCP]
title=The first Custom Application - TCP only
description=Custom Application Description
ports=36892,23976,19827/tcp

[CustomApp 1 UDP]
title=The first Custom Application - UDP only
description=Custom Application Description
ports=36892,23976,19827/udp
• Check that the syntax is correct (a port spec without a protocol, as in the Full profile, means both TCP and UDP)
$ sudo ufw app info "CustomApp 1 Full"
• Create a new rule based on this profile
$ sudo ufw allow in on tun0 to any app "CustomApp 1 Full"
• Check
$ sudo ufw status numbered | grep CustomApp
Commands, NAT (masquerading) through UFW
$ sudo nano /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
$ sudo nano /etc/ufw/sysctl.conf
net/ipv4/ip_forward=1
$ sudo nano /etc/ufw/before.rules
• Add this block near the top of the file, before the *filter section
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic through eth0 - change to match your out-interface
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't be processed
COMMIT
$ sudo ufw disable
$ sudo ufw enable
Commands, port forwarding (DNAT) to an internal host through UFW
$ sudo nano /etc/ufw/before.rules
• These lines belong inside the *nat ... COMMIT block described above (add the PREROUTING chain to it). 150.129.148.155 stands for the public address and 192.168.1.120 for the internal web server
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.120:80
-A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.120:443
-A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE
COMMIT
$ sudo ufw disable
$ sudo ufw enable
• Forwarded packets still pass the FORWARD filter chain, and by then DNAT has already rewritten the destination to the internal address. With DEFAULT_FORWARD_POLICY="ACCEPT" (set above) nothing more is needed; if you keep the forward policy at DROP, allow the forwarded destination with route rules rather than plain allow rules (which only affect the INPUT chain)
$ sudo ufw route allow proto tcp from any to 192.168.1.120 port 80
$ sudo ufw route allow proto tcp from any to 192.168.1.120 port 443
5.05 VPN
∙ Choosing the VPN that's right for you - https://ssd.eff.org/en/module/choosing-vpn-thats-right-you
∙ Choosing the best VPN (for you) - https://reddit.com/r/VPN/comments/4iho8e/that_one_privacy_guys_guide_to_choosing_the_best/?st=iu9u47u7&sh=459a76f2
∙ r/vpnrecommendations - https://reddit.com/r/vpnrecommendations
∙ r/VPN - https://reddit.com/r/VPN
∙ r/VPNTorrents - https://reddit.com/r/VPNTorrents
∙ VPN Alert - https://vpnalert.com
∙ VPN-reviews - https://github.com/techlore/VPN-reviews
∙ Mullvad - https://mullvad.net
∙ Mullvad - http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion
∙ Private Internet Access (PIA) - https://privateinternetaccess.com
∙ ProtonVPN - https://protonvpn.com
∙ IVPN - https://ivpn.net
∙ AirVPN - https://airvpn.org
∙ VPN.XXX - https://vpn.xxx
∙ Windscribe - https://windscribe.com
∙ ExpressVPN - https://expressvpn.com/vpnmentor1
∙ NordVPN - https://nordvpn.com
∙ privacytools.io - https://privacytools.io
∙ VPN over SSH - https://wiki.archlinux.org/index.php/VPN_over_SSH
5.06 OpenVPN
https://openvpn.net/community-resources/how-to/
https://wiki.debian.org/OpenVPN
https://debian-handbook.info/browse/stable/sect.virtual-private-network.html
https://debian.org/doc/manuals/securing-debian-manual/vpn.en.html
https://wiki.archlinux.org/index.php/OpenVPN
https://wiki.archlinux.org/index.php/OpenVPN#DNS
https://ubuntu.com/core/docs/networkmanager/configure-vpn
https://community.openvpn.net
https://github.com/OpenVPN/openvpn/tree/master/sample/sample-config-files
https://linuxconfig.org/how-to-run-openvpn-automatically-on-debian-with-a-static-ip-address
https://linuxconfig.org/how-to-encrypt-your-dns-with-dnscrypt-on-ubuntu-and-debian
OpenVPN sample configuration files
$ ls /usr/share/doc/openvpn
$ zless /usr/share/doc/openvpn/README.Debian.gz
Two ways to run a client with autostart, autoconnect and a kill switch:
• OpenVPN + NetworkManager (GUI)
• OpenVPN + nmcli (CLI)
*Autoconnect: random server selection
You can use the NetworkManager graphical VPN tool by providing the key and certificates.
Commands, GUI
$ sudo apt install network-manager-openvpn-gnome
$ nm-connection-editor
"Find a network connection, open its settings, then under General, enable Automatically connect to VPN. After saving, a secondaries= line is added in that network's configuration file in the [connection] section. It will contain a list of secondary connection UUIDs to be activated. The configuration file is usually /etc/NetworkManager/system-connections/."
Import OVPN to NetworkManager in terminal
Copy the OpenVPN configuration from your VPN provider into /etc/openvpn.
Commands, nmcli import
$ sudo nmcli connection import type openvpn file /etc/openvpn/client/cc00-myvpn.com_tcp.ovpn
$ nmcli connection show
$ nmcli connection up myvpnconnection
$ nmcli connection show
$ ip route
$ nmcli connection edit type wifi
$ nmcli c edit type vpn
$ nmcli c up wificonnectionname
$ nmcli c show wificonnectionname
$ nmcli connection show
$ nmcli connection reload
$ sudo service openvpn restart
$ sudo service NetworkManager restart
$ sudo systemctl status NetworkManager
Editing OVPN with NetworkManager in terminal
Config files
$ sudo ls /etc/NetworkManager/
$ sudo ls /etc/NetworkManager/system-connections/
$ sudo nano /etc/NetworkManager/system-connections/mywifiname.nmconnection
$ sudo nano /etc/NetworkManager/NetworkManager.conf
Commands
$ sudo apt install resolvconf
$ sudo systemctl enable --now resolvconf.service
$ sudo apt install openvpn
• Copy the OpenVPN configuration from your VPN provider into /etc/openvpn
$ cd /etc/openvpn
$ sudo wget https://vpnprovider.com/openvpn.zip
$ sudo unzip openvpn.zip
$ sudo rm openvpn.zip
• Instead of the .ovpn extension, the OpenVPN service units on Linux look for .conf files. Rename them accordingly; you can simply change the extension while copying
$ sudo cp cc00-myvpn_tcp.ovpn /etc/openvpn/client/client.conf
• Alternatively, rename and copy in batch
$ sudo rename 's/\.ovpn$/.conf/' openvpn/*.ovpn
$ sudo cp openvpn/* /etc/openvpn
*resolvconf vs. systemd-resolved
*resolvconf vs. openresolv
• Basic connection: OpenVPN asks for a username and password each time you connect, which is not a good headless setup
$ sudo openvpn cc00-myvpn.com_tcp.ovpn
Enter Auth Username:
Enter Auth Password: (press TAB for no echo)
• To autoconnect with a saved username and password, create a file in the OpenVPN folder called auth.txt with your VPN username on the first line and your password on the second
$ sudo touch /etc/openvpn/auth.txt
$ sudo nano /etc/openvpn/auth.txt
user
password
$ sudo chmod 600 /etc/openvpn/auth.txt
• Then connect with the saved login
$ sudo openvpn --config cc00-myvpn.com_tcp.ovpn --auth-user-pass /etc/openvpn/auth.txt
(...)
Initialization Sequence Completed
Basic connection with autoconnect and a DNS resolver hook, so that OpenVPN updates the system nameservers when the tunnel comes up and restores them when it goes down.
Commands
• If the .ovpn file already carries the up/down lines, it is enough to permit scripts
$ sudo openvpn --script-security 2 --config cc00-myvpn.com_tcp.ovpn
• Or pass the hook and the auth file explicitly
$ sudo openvpn --config cc00-myvpn.com_tcp.ovpn --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf --script-security 2 --auth-user-pass /home/user/auth
Creating an autologin file
• Configuring auth manually
$ sudo touch /home/user/auth
$ sudo nano /home/user/auth
user
password
• A little protection
$ sudo chmod 600 /home/user/auth
👷🛠️UNDER CONSTRUCTION🚧🏗
https://openvpn.net/community-resources/how-to/#auth
You could use the client.conf example below to pick one of several VPN servers at random and log in automatically with the auth file. Make each configuration refer to the auth file by appending a few directives at the end. Also add keepalive, a log file to ease troubleshooting, and the up/down hook that runs update-resolv-conf, which may be necessary for DNS resolution to work correctly when the VPN comes up and goes down. On Debian, this script ships with the openvpn package.
• Configuring client.conf manually
$ sudo nano /etc/openvpn/client/client.conf
client
dev tun
# Is the server TCP or UDP?
proto tcp
remote my-server-1.com 1194
remote my-server-2.com 1194
remote my-server-3.com 1194
remote my-server-4.com 1194
remote my-server-5.com 1194
remote my-server-6.com 1194
remote my-server-7.com 1194
remote my-server-8.com 1194
remote my-server-9.com 1194
remote my-server-10.com 1194
# Pick one of the remotes above at random on each connect
remote-random
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
# keepalive (below) already sets ping and ping-restart; OpenVPN refuses to start
# if ping/ping-restart are also given explicitly, so do not add them here
ping-timer-rem
reneg-sec 0
# Leave compression off: enabling it exposes tunnelled plaintext to VORACLE-style attacks
comp-lzo no
# Protect against MITM (see http://openvpn.net/howto.html#mitm): require the server EKU and pin the
# server's certificate name. The name must match the certificate of every remote listed above;
# use the name-prefix type if they share a common prefix
remote-cert-tls server
verify-x509-name my.vpn-1.com name
# Your autologin config
auth-user-pass /etc/openvpn/client/auth
# OpenVPN DNS resolver hook
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
# Others
keepalive 10 60
log-append /var/log/openvpn.log
verb 3
pull
fast-io
# OpenVPN 2.5+ negotiates the data cipher (AES-GCM by default); cipher is the fallback for older servers
cipher AES-256-CBC
auth SHA512
# Note SSL/TLS parms. See the server config file for more description.
# It's best to use a separate .crt/.key file pair for each client.
# A single ca file can be used for all clients.
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
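Provider-supplied .ovpn files are often missing exactly the directives that stop a man-in-the-middle: remote-cert-tls, verify-x509-name, a tls-auth/tls-crypt key, and compression switched off. The linter below, an added example for this page and not part of OpenVPN, checks a client config for those directives and for a readable credentials file before you enable it. The two configs it runs on are constructed samples written to a temporary directory; vpn.example.net and the auth file names are placeholders.

```shell
#!/bin/sh
# ovpn_lint FILE: print a WARN line for each weak or missing hardening
# directive in an OpenVPN client config; returns 1 if anything was found.

_has() {  # _has FILE ERE : true if a non-comment line starts with the pattern
    grep -Eq "^[[:space:]]*$2" "$1"
}

ovpn_lint() {
    f=$1; rc=0
    _has "$f" 'remote-cert-tls[[:space:]]+server' || {
        echo "WARN: no 'remote-cert-tls server': any client cert from the same CA could pose as the server"; rc=1; }
    _has "$f" 'verify-x509-name[[:space:]]+[^[:space:]]' || {
        echo "WARN: no 'verify-x509-name': server identity is not pinned"; rc=1; }
    _has "$f" '(tls-auth|tls-crypt|tls-crypt-v2)([[:space:]]|$)' || _has "$f" '<(tls-auth|tls-crypt|tls-crypt-v2)>' || {
        echo "WARN: no tls-auth/tls-crypt: control channel is unauthenticated before the TLS handshake"; rc=1; }
    _has "$f" 'comp-lzo([[:space:]]+(yes|adaptive))?[[:space:]]*(#.*)?$' && {
        echo "WARN: compression enabled (comp-lzo): VORACLE-style plaintext recovery"; rc=1; }
    _has "$f" 'compress[[:space:]]+(lzo|lz4|lz4-v2)' && {
        echo "WARN: compression enabled (compress): VORACLE-style plaintext recovery"; rc=1; }
    _has "$f" '(cipher|auth)[[:space:]]+none' && {
        echo "WARN: 'cipher none' or 'auth none': tunnel is not encrypted/authenticated"; rc=1; }
    _has "$f" 'script-security[[:space:]]+3' && {
        echo "WARN: script-security 3 hands the password to up/down scripts via the environment"; rc=1; }
    # auth-user-pass FILE: the credentials file must not be group/world readable
    af=$(sed -nE 's/^[[:space:]]*auth-user-pass[[:space:]]+([^[:space:]]+).*/\1/p' "$f" | head -n 1)
    if [ -n "$af" ]; then
        case $af in /*) ;; *) af=$(dirname "$f")/$af ;; esac   # relative to the config, like --cd
        if [ -e "$af" ] && [ -z "$(find "$af" -prune -perm 600)" ]; then
            echo "WARN: credentials file $af is not mode 0600"; rc=1
        fi
    fi
    return $rc
}

LINT_TMP=$(mktemp -d)
trap 'rm -rf "$LINT_TMP"' EXIT

# Constructed weak config: no server verification, compression on, readable password file.
cat > "$LINT_TMP/weak.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
comp-lzo yes
auth-user-pass weak-auth.txt
EOF
printf 'user\npass\n' > "$LINT_TMP/weak-auth.txt"; chmod 644 "$LINT_TMP/weak-auth.txt"

# Constructed hardened config (directives only; the key block is left empty on purpose).
cat > "$LINT_TMP/hardened.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
verify-x509-name vpn.example.net name
comp-lzo no
auth-user-pass hardened-auth.txt
script-security 2
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
printf 'user\npass\n' > "$LINT_TMP/hardened-auth.txt"; chmod 600 "$LINT_TMP/hardened-auth.txt"

for c in weak hardened; do
    echo "== $c.conf"
    ovpn_lint "$LINT_TMP/$c.conf" && echo "OK: no findings"
done
```

Point it at the real file with `ovpn_lint /etc/openvpn/client/client.conf`. The checks are deliberately conservative: they only look at directive lines, so a `tls-crypt` key referenced from a separate file path is accepted as long as the directive is present, and a relative auth-user-pass path is resolved against the config's directory the way OpenVPN does with --cd.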
• Configuring client.conf automatically. sudo does not apply to the shell's > redirection, and cd is a shell builtin that sudo cannot run, so write the file through tee
$ sudo tee /etc/openvpn/client/client.conf > /dev/null << 'EOF'
client
dev tun
proto tcp
remote my-server-1.com 1194
(... the same directives as in the manual client.conf above, verbatim ...)
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
• Configuring client.conf automatically in batch (appends the directives to every .conf in the folder; tee needs sudo to write there)
$ echo 'auth-user-pass /etc/openvpn/client/auth
keepalive 10 60
log-append /var/log/openvpn.log
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf' | sudo tee -a openvpn/*.conf > /dev/null
• Configuring auth manually
$ sudo touch /etc/openvpn/client/auth
$ sudo nano /etc/openvpn/client/auth
user
password
• Configuring auth automatically. The username and the password go on separate lines, and a plain `sudo echo ... > file` fails because the redirection is performed by your unprivileged shell, not by sudo
$ sudo bash -c 'printf "%s\n%s\n" "USERNAME" "PASSWORD" > /etc/openvpn/client/auth'
• A little protection (OpenVPN also warns at start-up if the file is group- or world-readable)
$ sudo chmod 600 /etc/openvpn/client/auth
• Alternatively, append line by line
$ sudo bash -c 'echo "USERNAME" >> /etc/openvpn/client/auth'
$ sudo bash -c 'echo "PASSWORD" >> /etc/openvpn/client/auth'
$ sudo chmod 600 /etc/openvpn/client/auth
• Alternatively, from a root shell
$ sudo su
# echo 'myuser' >> /etc/openvpn/client/auth
# echo 'mypassword' >> /etc/openvpn/client/auth
# chmod 600 /etc/openvpn/client/auth
• Or with tee
# echo 'myuser' | tee --append /etc/openvpn/client/auth
# echo 'mypassword' | tee --append /etc/openvpn/client/auth
# chmod 600 /etc/openvpn/client/auth
• Load the daemon
$ sudo openvpn --config /etc/openvpn/client/client.conf --daemon
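All of the variants above create the file first and chmod it afterwards, which leaves a short window in which the password is world-readable under the default umask. The function below, an added example for this page and not OpenVPN's own code, creates the two-line file with a restrictive umask so it is born 0600, then verifies the properties OpenVPN expects (two non-empty lines, mode 0600). The credentials and the temporary directory are constructed placeholders.

```shell
#!/bin/sh
# make_ovpn_auth FILE USER PASS: create the OpenVPN auth-user-pass file safely.
# check_ovpn_auth FILE: verify permissions and layout of an existing file.

make_ovpn_auth() {
    f=$1; u=$2; p=$3
    # umask 077 in a subshell: the file is created 0600, so there is no moment
    # at which another local user could read the password.
    ( umask 077 && printf '%s\n%s\n' "$u" "$p" > "$f" ) || return 1
    chmod 600 "$f" && check_ovpn_auth "$f"
}

check_ovpn_auth() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # -perm 600 is an exact match: anything readable by group or others fails
    [ -n "$(find "$f" -prune -perm 600)" ] || { echo "$f: permissions must be 0600" >&2; return 1; }
    [ "$(wc -l < "$f" | tr -d ' ')" -eq 2 ] || { echo "$f: expected exactly two lines (user, password)" >&2; return 1; }
    [ -n "$(sed -n '2p' "$f")" ] || { echo "$f: empty password line" >&2; return 1; }
}

AUTH_TMP=$(mktemp -d)
trap 'rm -rf "$AUTH_TMP"' EXIT

# Constructed example. In real use read the password with `read -r` under
# `stty -echo` instead of passing it on the command line, where ps and the
# shell history can see it.
make_ovpn_auth "$AUTH_TMP/auth" "vpnuser" "correct horse battery staple" \
    && echo "ok: $AUTH_TMP/auth is 0600 with user and password lines"

# A file written the naive way (one line, default umask) is rejected.
echo "vpnuser correct horse battery staple" > "$AUTH_TMP/auth-bad"
chmod 644 "$AUTH_TMP/auth-bad"
check_ovpn_auth "$AUTH_TMP/auth-bad" || echo "rejected: $AUTH_TMP/auth-bad"
```

Run `check_ovpn_auth /etc/openvpn/client/auth` as root after any of the manual procedures above; the same check belongs in a pre-start step of the service, since a later `chmod` or a restore from backup can silently widen the permissions again.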
👷🛠️UNDER CONSTRUCTION🚧🏗
https://wiki.archlinux.org/title/OpenVPN#DNS
https://github.com/jonathanio/update-systemd-resolved
"By default, all configured VPNs in /etc/openvpn/ are started during system boot. Edit /etc/default/openvpn to start specific VPNs or to disable this behavior. You need to run systemctl daemon-reload once to enable new VPNs."
Commands
$ sudo su
# cd /etc/openvpn/client
# echo "script-security 2" >> /etc/openvpn/client/openvpn.conf
# echo "up /etc/openvpn/update-resolv-conf" >> /etc/openvpn/client/openvpn.conf
# echo "down /etc/openvpn/update-resolv-conf" >> /etc/openvpn/client/openvpn.conf
https://openvpn.net/vpn-server-resources/troubleshooting-dns-resolution-problems
👷🛠️UNDER CONSTRUCTION🚧🏗
$ sudo apt install resolvconf
* Consider instead, on systems that use systemd-resolved
$ sudo apt install openvpn-systemd-resolved
$ sudo nano /etc/openvpn/update-resolv-conf
• Only move the existing resolv.conf aside when switching to resolvconf management (it regenerates the file); without a resolver in place this leaves the system with no DNS at all
$ sudo mv /etc/resolv.conf /etc/resolv.conf.bak
• Add these lines to your OpenVPN client.conf
$ nano client.conf
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
You could run OpenVPN with the DNS resolver hook
$ sudo openvpn --script-security 2 --config cc00-myvpn.com_tcp.ovpn
• Or set the tunnel's DNS server statically in the client config (normally the server pushes it)
$ sudo nano /etc/openvpn/client/client.conf
# Address of the VPN's DNS server
dhcp-option DNS 10.10.10.10
Take care with DNS leaks. Check which address and resolver the outside world sees:
$ curl ipleak.net/json/
$ curl ipinfo.io
• The following lines make the client ignore the DNS servers pushed by the VPN server. Use them only if you run your own resolver through the tunnel; otherwise queries keep going to your ISP's resolver, which is exactly a DNS leak
# IPv4
pull-filter ignore "dhcp-option DNS"
# IPv6
pull-filter ignore "dhcp-option DNS6"
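The tcpdump commands earlier on this page show every DNS packet; what you actually want to know is whether any query left on a physical interface instead of the tunnel. The filter below, an added example for this page and not from tcpdump or OpenVPN, reads `tcpdump -nl -i any udp port 53` output and reports exactly those queries. It assumes the line format of tcpdump 4.99 and later with -i any, which prints the interface name and direction after the timestamp; the capture it runs on here is constructed, not recorded, and tun0 is the assumed tunnel name.

```shell
#!/bin/sh
# dns_leaks TUN_IFACE: read tcpdump output on stdin, print one LEAK line per
# outbound DNS query that did not use the tunnel, then a summary; exit 1 if
# any query leaked.

dns_leaks() {
    awk -v ok="${1:-tun0}" '
    $3 == "Out" && / > [^ ]+\.53: / {
        dst = $7; sub(/\.53:$/, "", dst)                 # "192.168.1.1.53:" -> "192.168.1.1"
        q = "?"
        for (i = 8; i <= NF; i++) if ($i ~ /\?$/) { q = $(i + 1); break }   # name follows "A?"/"AAAA?"
        if ($2 != ok) { n++; printf "LEAK %s -> %s %s\n", $2, dst, q }
        else ok_count++
    }
    END { printf "queries via %s: %d, leaked: %d\n", ok, ok_count, n; exit (n > 0) }'
}

# Constructed capture: one query inside the tunnel, two that escaped.
SAMPLE_CAPTURE='14:02:11.123456 tun0  Out IP 10.8.0.6.41200 > 10.8.0.1.53: 1234+ A? example.org. (29)
14:02:11.200000 tun0  In  IP 10.8.0.1.53 > 10.8.0.6.41200: 1234 1/0/0 A 93.184.216.34 (45)
14:02:12.000001 eth0  Out IP 192.168.1.10.51000 > 192.168.1.1.53: 5678+ A? leak.example.net. (34)
14:02:12.300000 wlan0 Out IP 192.168.1.11.51001 > 9.9.9.9.53: 9012+ AAAA? leak6.example.net. (36)'

if [ "${1:-}" = "--live" ]; then
    # -l makes tcpdump line-buffered so awk sees each query immediately; Ctrl-C to stop
    sudo tcpdump -nl -i any udp port 53 | dns_leaks "${2:-tun0}"
else
    printf '%s\n' "$SAMPLE_CAPTURE" | dns_leaks tun0 || echo "DNS leak detected (see above)"
fi
```

Run it with --live while browsing, then again after `systemctl stop openvpn-client@...`: with a working kill switch the second run shows no outbound queries at all. It looks only at plain UDP port 53; DNS over TCP, DoT (853) and DoH (443) need their own filters.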
👷🛠️UNDER CONSTRUCTION🚧🏗
$ sudo nano /etc/NetworkManager/NetworkManager.conf
#dns=dnsmasq
$ sudo systemctl restart NetworkManager
With NetworkManager, DNS requests can be directed to the VPN-supplied DNS servers without dnsmasq or up/down/dispatcher helper scripts: make the VPN the default route, accept the DNS servers it pushes, and give them a negative priority so they are used exclusively while the VPN is up.
$ nmcli -p connection modify MY_VPN_CONNECTION ipv4.never-default no
$ nmcli -p connection modify MY_VPN_CONNECTION ipv4.ignore-auto-dns no
$ nmcli -p connection modify MY_VPN_CONNECTION ipv4.dns-priority -42
*Using OpenVPN through NetworkManager (GUI) lets users switch the connection off from the desktop.
To make the legacy openvpn.service connect a configuration automatically, set the AUTOSTART directive in /etc/default/openvpn to the configuration filename without the extension. This applies to /etc/openvpn/NAME.conf; the systemd template unit openvpn-client@NAME uses /etc/openvpn/client/NAME.conf and ignores AUTOSTART, so pick one mechanism.
Commands
• Check which configs are present
$ sudo ls /etc/openvpn /etc/openvpn/client
• Set the autostart directive
$ sudo nano /etc/default/openvpn
AUTOSTART="nameofovpnconfigfile"
• Alternatively (sudo does not apply to >>, so append through tee)
$ echo 'AUTOSTART="nameofovpnconfigfile"' | sudo tee -a /etc/default/openvpn
• Verify
$ sudo cat /etc/default/openvpn
• Load OpenVPN and connect
$ sudo systemctl daemon-reload
$ sudo systemctl restart openvpn
• Or, with the template unit for /etc/openvpn/client/nameofovpnconfigfile.conf
$ sudo systemctl enable --now openvpn-client@nameofovpnconfigfile
$ sudo systemctl status openvpn-client@nameofovpnconfigfile
$ sudo systemctl stop openvpn-client@nameofovpnconfigfile
$ curl ipleak.net/json/
$ curl ipinfo.io
👷🛠️UNDER CONSTRUCTION🚧🏗
Kill switch with UFW: allow everything on the tunnel, let only DNS and the VPN port leave on the physical interfaces (needed to resolve and reach the VPN server before the tunnel exists), and deny everything else on them. Order matters, because UFW uses the first matching rule. 1198 stands for the VPN server's port from the .ovpn file. Note that allow in on tun0 exposes every listening service to the VPN network; restrict it to the ports you need.
$ sudo su
# apt install ufw
# ufw allow in on tun0
# ufw allow out on tun0
# ufw allow out on eth0 from any to any port 53
# ufw allow out on wlan0 from any to any port 53
# ufw allow out on eth0 from any to any port 1198
# ufw allow out on wlan0 from any to any port 1198
# ufw deny in on eth0
# ufw deny in on wlan0
# ufw deny out on eth0
# ufw deny out on wlan0
# ufw enable
Testing the kill switch
$ sudo systemctl start openvpn-client@nameofovpnconfigfile
$ sudo systemctl status openvpn-client@nameofovpnconfigfile
$ curl ipleak.net/json/
$ curl ipinfo.io
• Now stop the VPN; with the kill switch in place the request must time out instead of showing your real address
$ sudo systemctl stop openvpn-client@nameofovpnconfigfile
$ curl --connect-timeout 5 ipinfo.io
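The curl test above proves the kill switch works right now; it does not catch a rule added later that quietly opens the physical interface, or a deny rule that ended up before the exceptions it was meant to follow. The audit below, an added example for this page and not part of ufw, reads the output of `sudo ufw show added` (one `ufw ...` line per rule, in evaluation order) and checks the three properties a kill switch needs: egress allowed on the tunnel, egress denied on the physical interface, and only port-limited exceptions placed before that deny. The rule sets it runs on are constructed; eth0 and tun0 are the assumed interface names.

```shell
#!/bin/sh
# audit_killswitch PHY_IFACE TUN_IFACE: read `ufw show added` output on stdin.
# Prints PASS, or FAIL/NOTE lines; exits 1 on any FAIL.

audit_killswitch() {
    awk -v phy="$1" -v tun="$2" '
    /^ufw / && !/^ufw default/ { n++; rule[n] = $0 }      # keep rule lines, in order
    END {
        rc = 0
        for (i = 1; i <= n; i++) {
            r = rule[i]
            if (r ~ ("^ufw allow out on " tun "( |$)")) tun_ok = 1
            if (r ~ ("^ufw deny out on " phy "( |$)") && !deny) deny = i
        }
        if (!tun_ok) { print "FAIL: no \"allow out on " tun "\""; rc = 1 }
        if (!deny)   { print "FAIL: no \"deny out on " phy "\" (egress falls through to the default policy)"; rc = 1 }
        for (i = 1; i <= n; i++) {
            r = rule[i]
            if (r !~ ("^ufw allow out on " phy "( |$)")) continue
            # port-limited exceptions are the pre-connect holes (DNS, VPN port); anything broader defeats the switch
            if (r ~ / port /) print "NOTE: rule " i " bypasses the tunnel by design: " r
            else { print "FAIL: rule " i " allows unrestricted egress: " r; rc = 1 }
            # UFW stops at the first match, so an exception after the deny never fires
            if (deny && i > deny) { print "FAIL: rule " i " is dead: it comes after \"deny out on " phy "\" (rule " deny ")"; rc = 1 }
        }
        if (rc == 0) print "PASS: kill switch on " phy " with tunnel " tun
        exit rc
    }'
}

# Constructed rule sets (what `ufw show added` prints, minus its header line).
SAMPLE_GOOD='ufw allow in on tun0
ufw allow out on tun0
ufw allow out on eth0 from any to any port 53
ufw allow out on eth0 from any to any port 1198
ufw deny in on eth0
ufw deny out on eth0'

SAMPLE_BAD='ufw allow in on tun0
ufw allow out on tun0
ufw deny out on eth0
ufw allow out on eth0 from any to any port 53
ufw allow out on eth0'

if [ "${1:-}" = "--live" ]; then
    sudo ufw show added | audit_killswitch "${2:-eth0}" "${3:-tun0}"
else
    echo "== good"; printf '%s\n' "$SAMPLE_GOOD" | audit_killswitch eth0 tun0
    echo "== bad";  printf '%s\n' "$SAMPLE_BAD"  | audit_killswitch eth0 tun0 || echo "(audit failed as expected)"
fi
```

The second sample fails twice over: the port 53 exception is dead because the deny precedes it, and the last rule opens eth0 completely. Run the audit once per physical interface (eth0, wlan0); a more robust variant of the rule set is `ufw default deny outgoing` plus `allow out on tun0`, which also covers interfaces you did not think of, such as a USB tether or docker0.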
👷🛠️UNDER CONSTRUCTION🚧🏗
$ sudo apt install resolvconf
"Parses DHCP options from openvpn to update resolv.conf. To use set as 'up' and 'down' script in your openvpn *.conf:"
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
"Example envs set from openvpn:"
foreign_option_1='dhcp-option DNS 193.43.27.132'
foreign_option_2='dhcp-option DNS 193.43.27.133'
foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
$ sudo apt install openvpn-systemd-resolved
"OpenVPN helper to add DHCP information into systemd-resolved via DBus. (...) This script will parse DHCP options set via OpenVPN (dhcp-option) to update systemd-resolved directly via DBus, instead of updating /etc/resolv.conf. To install, set as the 'up' and 'down' script in your OpenVPN configuration file or via the command-line arguments, alongside setting the 'down-pre' option to run the 'down' script before the device is closed. For example:"
up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved
down-pre
5.07 WireGuard
https://github.com/WireGuard
https://wiki.ubuntuusers.de/WireGuard
$ sudo apt install wireguard
$ sudo apt install wireguard-tools
5.08 strongSwan
https://github.com/strongswan/strongswan
https://docs.strongswan.org/docs/5.9/index.html
https://docs.strongswan.org/docs/5.9/config/IKEv2.html
https://docs.strongswan.org/docs/5.9/config/logging.html
$ sudo apt install strongswan-charon
$ sudo apt install libcharon-extra-plugins
$ sudo apt install libcharon-extauth-plugins
• Add username and password (keep this file readable by root only)
$ sudo nano /etc/ipsec.secrets
USERNAME : EAP "PASSWORD"
• Configure. sudo does not apply to the shell's > redirection, so write the file through tee
$ sudo tee /etc/ipsec.conf > /dev/null << 'EOF'
conn MyVPN
	keyexchange=ikev2
	dpdaction=clear
	dpddelay=300s
	eap_identity="USERNAME"
	leftauth=eap-mschapv2
	left=%defaultroute
	leftsourceip=%config
	right=SERVER_IP
	rightauth=pubkey
	rightsubnet=0.0.0.0/0
	rightid=%SERVER_HOSTNAME
	rightca=/etc/ipsec.d/cacerts/VPN.pem
	type=tunnel
	auto=add
EOF
• Download the VPN provider's CA certificate
$ sudo wget https://download/certificate/root.pem -O /etc/ipsec.d/cacerts/VPN.pem
• Some provider guides tell you to change load = yes to load = no in the file below, which disables the constraints plugin. That plugin is what checks the authentication constraints in the conn (rightca among them), so leave it enabled unless the connection fails without it.
$ sudo nano /etc/strongswan.d/charon/constraints.conf
• Connecting
$ sudo ipsec restart
$ sudo ipsec up MyVPN
"connection 'MyVPN' established successfully"
• Disconnecting
$ sudo ipsec down MyVPN
• Debugging
$ sudo cat /var/log/syslog
sudo ls /etc/strongswan.d/charon/
5.09 Firewall + VPN
Commands to set up UFW + OpenVPN
• You can add rules for each port separately on tun0 (the VPN tunnel interface)
$ sudo ufw allow in on tun0 to any port 60000 proto tcp
$ sudo ufw allow in on tun0 to any port 60000 proto udp
• For testing you can allow anything in and out on tun0 (this exposes every listening service to the VPN network)
$ sudo ufw allow in on tun0
$ sudo ufw allow out on tun0
• To allow access only from a specific address
$ sudo ufw allow in on tun0 from 192.168.0.1 to any port 60000 proto tcp
• Allow OpenVPN to reach the VPN server through the regular network interface (e.g. eth0, wlan0...) on the ports used by the .ovpn file (e.g. DNS resolution on port 53 and the VPN server on 1198...). UFW requires a protocol when several ports are given in one rule, so use the tcp and udp forms
$ sudo ufw allow out on eth0 to any port 53,1198 proto tcp
$ sudo ufw allow out on eth0 to any port 53,1198 proto udp
• For a hard policy that works only through tun0, block the rest on the physical interface
$ sudo ufw deny in on eth0
$ sudo ufw deny out on eth0
• Review, enable and reload the firewall
$ sudo ufw status numbered
$ sudo ufw enable
$ sudo ufw reload
$ sudo reboot
Commands to secure the server with iptables
• Allow everything from within your VPN
$ sudo iptables -I INPUT -i tun0 -j ACCEPT
• Or explicitly allow only what may be reached over the VPN, for example DNS and HTTP
$ sudo iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
$ sudo iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
$ sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT
• Allow SSH and VPN access from anywhere
$ sudo iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
$ sudo iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT
$ sudo iptables -A INPUT -p udp --destination-port 1194 -j ACCEPT
• Accept packets that belong to connections already accepted or initiated by the server (replies, completion of the TCP three-way handshake); -I inserts the rule at the top of the chain
$ sudo iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
• Allow loopback traffic, so the server can talk to itself
$ sudo iptables -I INPUT -i lo -j ACCEPT
• Drop everything else. Set the policy last, after the accept rules, or you lock yourself out
$ sudo iptables -P INPUT DROP
• List rules
$ sudo iptables -L --line-numbers
(*ip6tables)
Troubleshooting iptables
$ sudo systemctl restart servicedaemon.service
$ sudo systemctl restart service.service
$ sudo iptables -S
$ ping google.com
5.10 Leak Test
∙ DNSLeakTest.com (run the "Extended test")
∙ IPLeak.net
∙ Mullvad DNS Leak Test
∙ Surfshark DNS Leak Test
∙ BrowserLeaks IP Test
∙ IPX.AC DNS Leak Test
- EFF Test - https://coveryourtracks.eff.org/learn
- TOR Fingerprinting - https://blog.torproject.org/browser-fingerprinting-introduction-and-challenges-ahead
You could test your current public IP address and compare that to the one from before with 'ipleak.net'. If they match, your VPN is not working correctly.
$ curl ipleak.net/json/
$ curl ipinfo.io
$ curl --connect-timeout 5 ipinfo.io
5.11 Spoofing
https://github.com/alobbs/macchanger
https://github.com/refraction-networking/utls
https://github.com/0xsirus/tirdad
Commands for a random MAC address (ifconfig is deprecated; ip link does the same and is always present)
$ ip link
$ sudo ip link set wlan0 down
$ sudo macchanger -r wlan0
• Show the current MAC address of the NIC
$ sudo macchanger -s wlan0
$ sudo ip link set wlan0 up
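A random MAC is only usable if two bits of its first octet are right: bit 1 must be set (locally administered, so the address cannot collide with a vendor-assigned one) and bit 0 must be clear (unicast; the kernel rejects a multicast source address). The script below, an added example for this page and not part of macchanger, generates such an address, validates any address against those two bits, and only then applies it with ip link. wlan0 is a placeholder interface name; applying needs root and is behind an explicit --apply flag.

```shell
#!/bin/sh
# random_laa_mac: print a random locally-administered unicast MAC address.
# is_laa_unicast MAC: 0 if MAC is well-formed with the LAA bit set and the
# multicast bit clear, 1 otherwise. apply_mac IFACE MAC: set it on a link.

random_laa_mac() {
    # six random bytes as hex words, then fix the two flag bits of the first octet
    set -- $(od -An -N6 -tx1 /dev/urandom)
    printf '%02x:%s:%s:%s:%s:%s\n' $(( (0x$1 & 0xfc) | 0x02 )) "$2" "$3" "$4" "$5" "$6"
}

is_laa_unicast() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    o=$(( 0x${mac%%:*} ))
    [ $(( o & 0x03 )) -eq 2 ]          # bit 1 set (LAA), bit 0 clear (unicast)
}

apply_mac() {  # needs root; the interface must be down while the address changes
    is_laa_unicast "$2" || { echo "refusing $2: not a locally administered unicast address" >&2; return 1; }
    ip link set dev "$1" down && ip link set dev "$1" address "$2" && ip link set dev "$1" up
}

m=$(random_laa_mac)
echo "generated: $m"
if [ "${1:-}" = "--apply" ]; then
    apply_mac "${2:-wlan0}" "$m" && ip link show dev "${2:-wlan0}"
fi
```

`macchanger -r` produces a fully random address, so checking it with is_laa_unicast before use is a cheap way to avoid the occasional address the driver silently refuses. Remember that the MAC is only one identifier: the hostname sent in DHCP requests and the probe requests for remembered SSIDs identify the machine just as well.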
∙ To opt out of global Wi-Fi maps (https://wigle.net), append the opt-out suffixes to your network's SSID:
<SSID>_optout_nomap
∙ https://location.services.mozilla.com/optout (Mozilla Location Service was retired in 2024, so this opt-out no longer applies)
5.12 Others
https://portforward.com
https://wiki.wireshark.org/BitTorrent
https://github.com/LiamTheBox/Torrent-With-A-VPN
https://github.com/mdlam92/vpn_torrenting
https://github.com/tool-maker/VPN_just_for_torrents/wiki
https://askubuntu.com/questions/559016/ufw-rules-dont-block-deluge
https://transmissionbt.com
https://comparitech.com/blog/vpn-privacy/how-to-make-a-vpn-kill-switch-in-linux-with-ufw
👷🛠️UNDER CONSTRUCTION🚧🏗
Commands for remote Transmission
$ sudo apt-get install transmission-cli transmission-common transmission-daemon
$ sudo service transmission-daemon stop
• Edit the settings while the daemon is stopped (it rewrites settings.json on exit). Restrict the RPC interface to the LAN, and change the default transmission/transmission credentials (rpc-username and rpc-password in the same file)
$ sudo nano /etc/transmission-daemon/settings.json
"rpc-whitelist": "127.0.0.1,192.168.*.*",
"rpc-whitelist-enabled": true,
• To change the download directory
"download-dir": "/home/user/Downloads",
$ sudo service transmission-daemon start
• To find the local IP address
$ hostname -I
• To find the local MAC address
$ cat /sys/class/net/eth0/address
• In your browser
http://192.168.0.15:9091
Login: transmission
Password: transmission
6.01 Office Softwares
Office Suites
https://libreoffice.org
https://wiki.documentfoundation.org/Documentation/Install/Linux
Libre Office - Tips and Tricks
In general, all documents open with the cursor at the start of the document.
One exception appears when the author of a Writer text document saves and reopens a document: the cursor will be at the same position where it was when the document was saved. This only works when the name of the author was entered in Tools - Options - LibreOffice - User Data.
Press Shift+F5 to set the cursor to the last saved position.
The File menu contains a Versions command that enables you to save multiple versions of a document in the same file.
You can choose to view individual versions of a document, or you can display the differences between versions with color markings.
In the dialog to open a document, you can select from a combo box which version of this document you want to open.
To create a backup file every time you save a document: choose Tools - Options - Load/Save - General.
Mark Always create backup copy.
If the Always create backup copy option is selected, the old version of the file is saved to the backup directory whenever you save the current version of the file.
You can change the backup directory by choosing Tools - Options - LibreOffice - Paths, then change the Backups path in the dialog.
The backup copy has the same name as the document, but the extension is .BAK. If the backup folder already contains such a file, it will be overwritten without warning.
To save recovery information automatically every n minutes: choose Tools - Options - Load/Save - General.
Mark Save AutoRecovery information every and select the time interval.
This command saves the information necessary to restore the current document in case of a crash. Additionally, in case of a crash LibreOffice tries automatically to save AutoRecovery information for all open documents, if possible.
Zotero - Your personal research assistant.
Zotero - Item Types and Fields
Zotero - Citing Fields from "Extra" (Exporting - Extra fields)
Field | CSL variable | Description
Place (Publisher and Publisher Place) | publisher: Publisher; publisher-place: Publisher Place | For Presentations, the place where the meeting was held or the presentation was made. For Conference Papers (published in a conference proceedings), use this field for the place where the proceedings was published. If separate locations are needed for the publication place and the location of the conference, leave this field blank and add Event Place and Publisher Place fields to Extra
Archive Place | archive-place: Archive Place | The geographic location of an archive.
Original Title | original-title: Original Title | The original title of a work (e.g., the untranslated title).
Original Publisher | original-publisher: Original Publisher | The publisher of the original version of an item (e.g., the untranslated version).
Original Publisher Place | original-publisher-place: Original Publisher Place | The geographic location of the publisher of the original version of an item (e.g., the untranslated version).
Issue Date, Date Decided or Enacted | issued: Issue Date | The original date an item was published. Enter in ISO format (year-month-day).
Submitted Date or Filing Date | submitted: Submitted | The date an item was submitted for publication.
Access Date | Accessed | Date an electronic resource was accessed.
Event Date | event-date: Event Date | The date an event took place. Enter in ISO format (year-month-day).
Original Date | original-date: Original Date | The original date an item was published. Enter in ISO format (year-month-day).
Zotero - Importing standardized bib. formats
*Importing bibliographic data: the most popular formats are BibLaTeX (.bib), RIS (.ris) and MODS (.xml).
Juris-M is based on the Zotero reference manager, to which it adds features for handling legal and multilingual resources.
Use Juris-M for heavy or frequent legal citations of US, UK and GE legal cases and legislation.
It is possible to create proper citations for basic legal references in Zotero itself, particularly if only a few such citations are needed.
Juris-M
Zotero - Legal Citations: Juris-M
Document Converter
https://help.libreoffice.org/latest/en-US/text/shared/guide/convertfilters.html
$ sudo apt install -y libreoffice
(CLI)
Commands for LibreOffice headless
• Syntax
$ soffice --headless --convert-to OutputFileExtension[:OutputFilterName[:OutputFilterParams[,param]]] [--outdir output_dir] file...
• To convert DOCX files to PDF (optionally including the notes pages)
$ soffice --headless --convert-to pdf:writer_pdf_Export --outdir /home/user *.docx
$ soffice --headless --convert-to pdf:writer_pdf_Export:ExportNotesPages=True --outdir /home/user *.docx
• To convert ODT files to PDF
$ soffice --headless --convert-to pdf:writer_pdf_Export --outdir /home/user *.odt
• To convert ODT files to DOCX
$ soffice --headless --convert-to docx:"MS Word 2007 XML" --outdir /home/user *.odt
• To convert PPTX files to PDF (optionally including the notes pages)
$ soffice --headless --convert-to pdf:impress_pdf_Export --outdir /home/user *.pptx
$ soffice --headless --convert-to pdf:impress_pdf_Export:ExportNotesPages=True --outdir /home/user *.pptx
• To convert XLSX files to PDF
$ soffice --headless --convert-to pdf:calc_pdf_Export --outdir /home/user *.xlsx
• To convert HTML files to PDF
$ soffice --headless --convert-to pdf:writer_pdf_Export --outdir /home/user *.html
Output as PDF
To control, which LibreOffice component generates PDF output, you can use these variants:
--convert-to pdf:writer_pdf_Export --convert-to pdf:calc_pdf_Export --convert-to pdf:draw_pdf_Export --convert-to pdf:impress_pdf_Export --convert-to pdf:writer_web_pdf_Export
Input which is not DOCX
To enforce infilters for non-DOCX input formats, you could use (list is not complete):
--infilter="HTML Document" # for HTML input --infilter="MediaWiki" # for MediaWiki input --infilter="Text CSV" # for CSV spreadsheet input --infilter="Microsoft PowerPoint 2007/2010 XML" # for PPTX input --infilter="Microsoft PowerPoint 97/2000/XP" # for PPT input --infilter="Windows Metafile" # for WMF input --infilter="Enhanced Metafile" # for EMF input --infilter="Scalable Vector Graphics" # for SVG input --infilter="Microsoft Excel 2007/2010 XML" # for XLSX input --infilter="Microsoft Excel 97/2000/XP" # for XLS input --infilter="Microsoft Excel 95" # for some XLS input --infilter="Microsoft Excel 5.0" # for some XLS input
Output which is not PDF
To convert to specific output formats, you could use (list not complete):
--convert-to html:HTML --convert-to html:draw_html_Export # force "Draw" to generate the HTML --convert-to mediawiki:MediaWiki_Web # generate MediaWiki output --convert-to csv:"Text - txt - csv (StarCalc)" # generate CSV spreadsheet output --convert-to pptx:"Impress MS PowerPoint 2007 XML" # generate PPTX --convert-to ppt:"MS PowerPoint 97" # generate PPT --convert-to wmf:impress_wmf_Export # force "Impress" to generate the WMF --convert-to wmf:draw_wmf_Export # force "Draw" to generate the WMF --convert-to emf:impress_emf_Export # force "Impress" to generate the EMF --convert-to emf:draw_emf_Export # force "Draw" to generate the EMF --convert-to svg:impress_svg_Export # force "Impress" to generate the SVG --convert-to svg:draw_svg_Export # force "Draw" to generate the SVG --convert-to xlsx:"Calc MS Excel 2007 XML" # generate XLSX --convert-to xls:"MS Excel 97" # generate XLS like Excel 97 --convert-to xls:"MS Excel 95" # generate XLS like Excel 95 --convert-to xls:"MS Excel 5.0/95" # generate XLS like Excel 5.0/95
Headless vs. Invisible
--invisible: Starts in invisible mode. Neither the start-up logo nor the initial program window will be visible. The application can be controlled, and documents and dialogs can be controlled and opened via the API. Using this parameter, the process can only be ended using the task manager (Windows) or the kill command (UNIX-like systems). It cannot be used in conjunction with --quickstart.
--headless: Starts in "headless mode", which allows using the application without a GUI. This special mode can be used when the application is controlled by external clients via the API.
$ sudo apt install -y pandoc
(CLI)
Commands for pandoc
• Convert ODT to DOCX (the input file comes first; -o names the output)
$ pandoc document.odt -o document.docx
• Convert DOCX to PDF
$ pandoc -s document.docx -o document.pdf
• Convert ODT to PDF
$ pandoc -s document.odt -o document.pdf
• Convert HTML to PDF
$ pandoc document.html -t latex -o document.pdf
PDF Suites
$ sudo apt install -y okular
$ sudo apt install -y okular-extra-backends
PDF Arranger (GUI)
https://github.com/pdfarranger/pdfarranger
$ sudo apt install -y pdfarranger
$ sudo apt install -y ghostscript
(CLI)
• Command to combine
$ gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -sOutputFile=combined.pdf file1.pdf file2.pdf
• Combine with a quality preset (/prepress is the high-quality 300 dpi preset; use /screen for a low-resolution output)
$ gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -dPDFSETTINGS=/prepress -sOutputFile=merged.pdf mine1.pdf mine2.pdf
Krop (GUI)
https://arminstraub.com/software/krop
Note, krop only adjusts which parts of a PDF are displayed; the original content is still there in the file and will, for instance, show up when editing the file in inkscape. As a result, krop is not suited for censoring a PDF document or decreasing the size of a PDF file. You may have some success in decreasing the size of the PDF (and even censoring some parts) using the option to use Ghostscript to optimize the final PDF.
$ sudo apt install -y krop
• To automatically split a 4-pages-per-sheet print back into single pages:
$ krop --go --grid=2x2 file.pdf
• To trim each of these pages:
$ krop --go --grid=2x2 --trim --trim-use=all file.pdf
• Other options:
$ krop --grid=2x1 --initialpage=3 --exceptions=1 --trim-use=all --trim ~/file.pdf
Open a page that has an annotation; annotations are listed in the annotation side pane. Right-click the annotation icon in the document and click Remove Annotation. Then save the changes to a new document by clicking the menu button in the top right, followed by Save As….
Commands for pdftocairo
$ pdftocairo -pdf "input.pdf" "output-with-flatten-annotations.pdf"
Commands for qpdf
$ qpdf --flatten-annotations=all input.pdf output.pdf
*May apply some differences.
*May result in larger PDF.
https://github.com/SiddharthPant/booky
PDF OCR
OCRFeeder (GUI)
https://wiki.gnome.org/Apps/OCRFeeder
$ sudo apt install -y ocrfeeder
*Unpaper
Cuneiform (CLI)
https://packages.debian.org/bookworm/cuneiform
OCRmyPDF (CLI)
https://ocrmypdf.readthedocs.io
$ sudo apt install -y ocrmypdf
Also install the Tesseract OCR language data for each language you want to recognize
$ sudo apt install -y tesseract-ocr-eng
$ sudo apt install -y tesseract-ocr-deu
$ sudo apt install -y tesseract-ocr-fra
$ sudo apt install -y tesseract-ocr-spa
$ sudo apt install -y tesseract-ocr-por
$ sudo apt install -y tesseract-ocr-rus
$ sudo apt install -y tesseract-ocr-ara
$ sudo apt install -y tesseract-ocr-chi-sim
$ sudo apt install -y tesseract-ocr-chi-tra
Basic commands
• How to OCR a PDF
$ ocrmypdf -v input.pdf output.pdf
$ ocrmypdf -v --language deu input.pdf output.pdf
$ ocrmypdf -v --language por+deu input.pdf output.pdf
• To modify a file in place
$ ocrmypdf -v ~/input.pdf ~/input.pdf
• To skip pages that already contain text
$ ocrmypdf -v --skip-text input.pdf output.pdf
• To redo OCR
$ ocrmypdf -v --redo-ocr input.pdf output.pdf
• Compression settings
$ ocrmypdf -v --pdfa-image-compression=jpeg --language=por+deu input.pdf output.pdf
$ ocrmypdf -v --pdfa-image-compression=lossless --language=por+deu input.pdf output.pdf
$ ocrmypdf -v --output-type=pdf --language por+deu input.pdf output.pdf
• Image processing
$ ocrmypdf -v --clean --language=por+deu input.pdf output.pdf
$ ocrmypdf -v --clean-final --language=por+deu input.pdf output.pdf
$ ocrmypdf -v --remove-background --language=por+deu input.pdf output.pdf
Warning
In many cases image processing will rasterize PDF pages as images, potentially losing quality. We caution against using ImageMagick or Ghostscript to convert images to PDF, since they may transcode images or produce downsampled images, sometimes without warning.
OCRmyPDF can perform some image processing on each page of a PDF, if desired. The same processing is applied to each page. It is suggested that the user review files after image processing, as these commands might remove desirable content, especially from poor-quality scans.
Note that --clean-final and --remove-background may leave undesirable visual artifacts in some images where their algorithms have shortcomings. Files should be visually reviewed after using these options.
--clean uses unpaper to clean up pages before OCR, but does not alter the final output. This makes it less likely that OCR will try to find text in background noise.
--clean-final uses unpaper to clean up pages before OCR and inserts the cleaned page into the final output. You will want to review each page to ensure that unpaper did not remove something important.
--remove-background attempts to detect and remove a noisy background from grayscale or color images. Monochrome images are ignored. This should not be used on documents that contain color photos, as it may remove them.
• Optimization settings
$ ocrmypdf -v --optimize N input.pdf output.pdf   # N = 0, 1, 2 or 3
By default OCRmyPDF will attempt to perform lossless optimizations on the images inside PDFs after OCR is complete. Optimization is performed even if no OCR text is found.
The --optimize N (short form -O) argument controls optimization, where N ranges from 0 to 3 inclusive, analogous to the optimization levels in the GCC compiler.
Level | Comments
---|---
--optimize 0 | Disables optimization.
--optimize 1 | Enables lossless optimizations, such as transcoding images to more efficient formats. Also compresses other uncompressed objects in the PDF and enables the more efficient "object streams" within the PDF. (If --jbig2-lossy is issued, then lossy JBIG2 optimization is used. The decision to use lossy JBIG2 is separate from standard optimization settings.)
--optimize 2 | All of the above, and enables lossy optimizations and color quantization.
--optimize 3 | All of the above, and enables more aggressive optimizations and targets lower image quality.
Optimization is improved when a JBIG2 encoder is available and when pngquant is installed. If either of these components is missing, then some types of images cannot be optimized.
The types of optimization available may expand over time. By default, OCRmyPDF compresses data streams inside PDFs, and will change inefficient compression modes to more modern versions. A program like qpdf can be used to change encodings or to inspect the internals of a PDF.
$ ocrmypdf --optimize 3 in.pdf out.pdf   # Make it small
Some users may consider enabling lossy JBIG2. See: jbig2-lossy.
Note
Image processing and PDF/A conversion can also introduce lossy transformations to your PDF images, even when --optimize 1 is in use.
• To automatically correct the rotation of each page
$ ocrmypdf -v --deskew input.pdf output.pdf
$ ocrmypdf -v --rotate-pages input.pdf output.pdf
$ ocrmypdf -v --rotate-pages-threshold N input.pdf output.pdf   # N between 0.0 and 2.0
--rotate-pages attempts to determine the correct orientation for each page and rotates the page if necessary.
--deskew will correct pages that were scanned at a skewed angle by rotating them back into place.
PDF Optimizers
https://imagemagick.org/Usage/crop
https://imagemagick.org/Usage/crop/#crop_repage
$ sudo apt install imagemagick
• Commands to crop page images (convert writes a new file; mogrify edits in place, and -path is a mogrify option)
$ convert -monitor `ls input-*.png` -crop 3704x1852+160+20 output.png
$ mkdir -p cropped
$ mogrify -monitor -crop 1000x1350+20+145 +repage -path cropped *.png
Monitor progress: -monitor
Print detailed information about the image: -verbose
• Commands to reduce .pdf size
$ convert -density 300x300 -quality 100 input.pdf output.pdf
$ convert -monitor -density 200x200 -quality 60 -compress jpeg input.pdf output.pdf
$ convert -monitor -density 150x150 -quality 70 -compress jpeg -resize 15% input.pdf output.pdf
$ convert -monitor -density 150x150 -compress Zip input.pdf output.pdf
$ convert -monitor -density 80 -page a4 input.pdf output.pdf
$ convert -monitor input.pdf -resample 85% output.pdf
$ convert -monitor *.png -colorspace gray -resample 100% "input.pdf"
• Commands for scanned books (mogrify edits the page images in place)
$ mogrify -normalize -density 300 -depth 8 *.png
$ mogrify -normalize -density 300 -depth 8 -crop 50%x100% +repage *.png
$ mogrify -monochrome -normalize -density 300 *.png
-normalize : increase the contrast in an image by stretching the range of intensity values.
-depth : the number of bits per channel for each pixel.
-monochrome : transform the image to black and white.
pdfCropMargins - Python
https://pypi.org/project/pdfCropMargins
$ pip install "pdfCropMargins" --upgrade
$ pdf-crop-margins -v -p 0 -a -6 input.pdf
$ sudo apt install -y ghostscript
(CLI)
Commands to optimize pdf size with ghostscript.
• Reduce the size of a scanned book
$ gs -dNOPAUSE -dBATCH -dQUIET -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/screen -sOutputFile=output.pdf input.pdf
$ gs -dNOPAUSE -dBATCH -dQUIET -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/printer -sOutputFile=output.pdf input.pdf
$ gs -dNOPAUSE -dBATCH -dQUIET -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/prepress -dDetectDuplicateImages -dCompressFonts=true -r150 -sOutputFile=output.pdf input.pdf
$ gs -dNOPAUSE -dBATCH -dQUIET -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/prepress -dDetectDuplicateImages -dCompressFonts=true -r300 -sOutputFile=output.pdf input.pdf
$ gs -q -dNOPAUSE -dBATCH -dSAFER -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/ebook -dEmbedAllFonts=true -dSubsetFonts=true -dColorImageDownsampleType=/Bicubic -dColorImageResolution=96 -dGrayImageDownsampleType=/Bicubic -dGrayImageResolution=96 -dMonoImageDownsampleType=/Bicubic -dMonoImageResolution=96 -sOutputFile=output.pdf input.pdf
$ gs -q -dNOPAUSE -dBATCH -dSAFER -sDEVICE=pdfwrite -dCompatibilityLevel=1.3 -dPDFSETTINGS=/screen -dEmbedAllFonts=true -dSubsetFonts=true -dColorImageDownsampleType=/Bicubic -dColorImageResolution=144 -dGrayImageDownsampleType=/Bicubic -dGrayImageResolution=144 -dMonoImageDownsampleType=/Bicubic -dMonoImageResolution=144 -sOutputFile=output.pdf input.pdf
References
-dPDFSETTINGS=/screen - Low quality and small size at 72 dpi.
-dPDFSETTINGS=/ebook - Slightly better quality but also a larger file size at 150 dpi.
-dPDFSETTINGS=/prepress - High quality and large size at 300 dpi.
-dPDFSETTINGS=/default - System chooses the best output, which can create larger PDF files.
Commands for ebook-convert
• How to convert .epub to .pdf
$ sudo apt install calibre
$ ebook-convert input.epub output.pdf
$ ebook-convert input.epub output.pdf --enable-heuristics
• Batch convert every .pdf under the current directory to .epub
$ find ./ -iname "*.pdf" -type f | while read -r f; do echo -e "\e[1mConverting file $f \e[0m"; ebook-convert "$f" "${f%.pdf}.epub" --enable-heuristics; done
*Ref.: https://manpages.debian.org/bookworm/calibre/ebook-convert.1.en.html
*Utility.: https://convertfiles.com
Commands for ps2pdf
• How to convert .ps to .pdf (ps2pdf is shipped in the ghostscript package; it also accepts a PDF as input, which makes it a quick re-compressor)
$ sudo apt install ghostscript
$ ps2pdf -dPDFSETTINGS=/ebook input.pdf output.pdf
*LibreOffice Draw: DPI of 100 and JPEG compression of 80%.
*Try: $ ps2pdf input.pdf output.pdf
Image Editors
https://gitlab.gnome.org/GNOME/gthumb
$ sudo apt install gthumb
(GUI)
$ sudo apt install imagemagick
(GUI or CLI)
"Whether you are a graphic designer, photographer, illustrator, or scientist, GIMP provides you with sophisticated tools to get your job done."
$ sudo apt install gimp
(GUI)
"Inkscape is a Free and open source vector graphics editor for GNU/Linux, Windows and macOS. It offers a rich set of features and is widely used for both artistic and technical illustrations such as cartoons, clip art, logos, typography, diagramming and flowcharting."
An API to programmatically generate memes based solely on requested URLs
https://github.com/jacebrowning/memegen
https://memegen.link
https://imgflip.com/memegenerator
Image Convert
$ sudo apt install webp
Commands for webp files
• How to convert .webp to .png (dwebp is a command-line tool)
$ dwebp -v input.webp -o ~/output.png
$ dwebp -v -resize WIDTH HEIGHT input.webp -o ~/output.png
*If either (but not both) of the width or height parameters is 0, the value will be calculated preserving the aspect ratio.
Commands for webp files in batch
$ for file in *.webp; do dwebp "$file" -o "${file%.*}.png"; done
• Alternatives (find and parallel do not expand ${file%.*} themselves, so the shell expansion is wrapped in sh -c or done with parallel's {.} placeholder)
$ find . -name "*.webp" -exec sh -c 'dwebp "$1" -o "${1%.*}.png"' _ {} \;
$ sudo apt install parallel
$ parallel dwebp {} -o {.}.png ::: *.webp
$ find . -name "*.webp" -print0 | parallel --progress -0 dwebp {} -o {.}.png
$ for x in *.webp; do dwebp "$x" -o "${x%.*}.png"; done
$ find . -name "*.webp" -print0 | while IFS= read -r -d '' x; do dwebp "$x" -o "${x%.*}.png"; done
https://imagemagick.org/script/formats.php
https://imagemagick.org/script/mogrify.php
https://imagemagick.org/script/command-line-tools.php
$ sudo apt install imagemagick
*Note that convert is part of the ImageMagick package.
• Commands
$ mogrify -format png *.jpg
$ mogrify -format png *.jpeg
$ mogrify -format png *.gif
• In batch
$ cd ~/Downloads
$ find . -name "*.jpg" -exec mogrify -format png {} \;
$ find . -name "*.jpeg" -exec mogrify -format png {} \;
$ find . -name "*.gif" -exec mogrify -format png {} \;
$ sudo apt install imagemagick
• Commands
$ mogrify -monitor -rotate -90 *.png
https://wiki.gnome.org/Apps/OCRFeeder
$ sudo apt install -y ocrfeeder
Tools -> Unpaper
https://ocrmypdf.readthedocs.io
$ sudo apt install -y ocrmypdf
$ ocrmypdf --clean input.pdf output.pdf
$ ocrmypdf --clean-final input.pdf output.pdf
$ ocrmypdf --remove-background input.pdf output.pdf
Note that --clean-final and --remove-background may leave undesirable visual artifacts in some images where their algorithms have shortcomings. Files should be visually reviewed after using these options.
--remove-background attempts to detect and remove a noisy background from grayscale or color images. Monochrome images are ignored. This should not be used on documents that contain color photos, as it may remove them.
--clean uses unpaper to clean up pages before OCR, but does not alter the final output. This makes it less likely that OCR will try to find text in background noise.
--clean-final uses unpaper to clean up pages before OCR and inserts the cleaned page into the final output. You will want to review each page to ensure that unpaper did not remove something important.
https://diybookscanner.org
https://diybookscanner.org/forum
https://scantips.com
https://github.com/unpaper/unpaper
https://github.com/unpaper/unpaper/blob/main/doc/basic-concepts.md
https://github.com/unpaper/unpaper/blob/main/doc/image-processing.md
https://mesonbuild.com/Quick-guide.html#compiling-a-meson-project
https://gallium.readthedocs.io/en/latest/meson.html
https://imagemagick.org/script/formats.php
https://netpbm.sourceforge.net/doc/pnm.html
SANE - Lists of supported scanners firmware
http://www.sane-project.org
http://www.sane-project.org/sane-supported-devices.html
The output format of Unpaper is restricted to the PNM family of formats, and conversions to other formats need to happen with tools such as pnmtopng, pnmtotiff or pnmtojpeg. Alternatively you can use the convert tool from ImageMagick.
PNM is a family of formats supporting portable bitmaps (.pbm), graymaps (.pgm), and pixmaps (.ppm). There is no file format associated with pnm itself. If PNM is used as the output format specifier, then ImageMagick automatically selects the most appropriate format to represent the image. The default is to write the binary version of the formats. Use -compress none to write the ASCII version of the formats. On some platforms, a gzip-compressed PNM image such as image.pnm.gz is automatically uncompressed when read.
Unpaper uses the Meson build system, which can be installed with Python's package manager (pip3 or pip) or from the distribution packages. The only hard dependency of Unpaper is ffmpeg.
• Commands: python, meson and ffmpeg installation using the package manager
$ sudo apt install python3 python3-pip python3-setuptools python3-wheel meson ninja-build python3-mesonpy python3-sphinx python3-pytest python3-pil cmake pkg-config libavformat-dev ffmpeg git
Install other dependencies
$ sudo apt install libsdl2-dev libavcodec-dev libavdevice-dev libavformat-dev libavutil-dev libswresample-dev libusb-1.0-0 libusb-1.0-0-dev
Basic configuration. The most common use case of Meson is compiling code on a code base you are working on.
• Compiling Unpaper with Meson
$ git clone https://github.com/unpaper/unpaper
$ cd unpaper
$ CFLAGS="-march=native" meson setup --buildtype=debugoptimized -Db_lto=true builddir
$ meson compile -C builddir
Warning: Before making modifications to files, create backup copies.
File formats
https://github.com/unpaper/unpaper/blob/main/doc/file-formats.md
$ sudo apt install imagemagick
• Commands to convert .png to .pbm
$ cd ~/Folder
$ find . -name "*.png" -exec mogrify -monitor -format pbm {} \;
• Commands to convert .pdf to .pbm (one output file per page; %03d is replaced by the page number)
$ convert -monitor input.pdf +repage -quality 100 output%03d.pbm
$ convert -monitor "*.pdf" +repage /livros/output%03d.pbm
$ find . -name "*.pdf" -exec sh -c 'convert "$1" "${1%.pdf}-%03d.pbm"' _ {} \;
ImageMagick Repage
https://imagemagick.org/Usage/crop/#crop_repage
You can use the special "+repage" operator to reset the page canvas and position to match the actual cropped image.
* -repage: adjust the canvas and offset information of the image.
* +repage: remove the canvas and offset information entirely, when it is unwanted.
• Commands to convert multiple .pbm files into a .pdf
$ convert -monitor *.png +adjoin output.pdf   # +adjoin writes one PDF per image (output-0.pdf, output-1.pdf, ...)
$ convert -monitor *.pbm output.pdf
$ convert -units PixelsPerInch -density 96 *.pbm output.pdf
ImageMagick Adjoin
https://imagemagick.org/script/command-line-options.php#adjoin
Join images into a single multi-image file.
* -adjoin: join images into a single multi-image file
* +adjoin: to force each image to be written to separate files, whether or not the file format allows multiple images per file (for example, GIF, MIFF, and TIFF).
Alternative - Combining pictures into PDF file
https://gitlab.mister-muffin.de/josch/img2pdf
$ img2pdf --pagesize A4 img*.png -o output.pdf
$ img2pdf --pagesize A4 img*.png | ocrmypdf - myfile.pdf
$ img2pdf --imgsize 300dpix300dpi *.jp2 -o output.pdf
• Commands to reduce .pdf size
$ convert -monitor +repage -density 200 -quality 60 -compress jpeg input.pdf output.pdf
$ convert -monitor +repage input.pdf -resample 85% output.pdf
$ convert -monitor +repage scan*.jpg -colorspace gray -resample 100% "input.pdf"
$ convert -monitor +repage -compress Zip -density 200 input.pdf output.pdf
Error: mogrify-im6.q16: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/426
This error comes from the policy block in policy.xml that disables the Ghostscript-backed coders (PDF, PS, EPS, XPS). ImageMagick hands those formats to Ghostscript for decoding, so the block keeps untrusted files away from that decoder; deleting the whole block re-enables every one of them, while editing only the PDF entry is the narrower change.
• Policy edit (deletes the whole Ghostscript block)
$ sudo sed -i '/disable ghostscript format types/,+6d' /etc/ImageMagick-6/policy.xml
• Alternatively comment out or remove the lines of that section by hand
$ sudo nano /etc/ImageMagick-6/policy.xml
• Increase the available memory and disk limits in the policy file
$ sudo nano /etc/ImageMagick-6/policy.xml
• Alternatively pass the limits on the command line
$ convert -limit memory 1GiB -limit disk 1GiB *.png new.pdf
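The narrower edit, as an added example that is not part of the original guide: instead of deleting the whole block, flip only the PDF coder from rights="none" to rights="read|write" and leave PS/EPS/XPS blocked. The sample policy.xml below is constructed to mirror the block that the sed one-liner above removes; the real file on Debian is /etc/ImageMagick-6/policy.xml.

```shell
#!/bin/sh
# Added example (not from the original page): re-enable only the PDF coder in an
# ImageMagick policy.xml, keeping the other Ghostscript-backed coders disabled.
set -eu

# Constructed sample of the "disable ghostscript format types" block (comment + 6 lines,
# which is exactly what sed '/disable ghostscript format types/,+6d' deletes).
make_sample_policy() {
    cat > "$1" <<'EOF'
<policymap>
  <!-- disable ghostscript format types -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
EOF
}

# Rewrite rights="none" to rights="read|write" on the PDF line only.
# A temp file plus mv is used instead of sed -i so the function is portable.
enable_pdf_only() {
    sed 's#\(<policy domain="coder" rights="\)none\(" pattern="PDF" */>\)#\1read|write\2#' "$1" > "$1.tmp"
    mv "$1.tmp" "$1"
}

# Returns 0 when PDF is readable and writable and PS, PS2, PS3, EPS and XPS are still blocked.
verify_policy() {
    grep -q 'rights="read|write" pattern="PDF"' "$1" || return 1
    for p in PS PS2 PS3 EPS XPS; do
        grep -q "rights=\"none\" pattern=\"$p\"" "$1" || return 1
    done
    # Exactly one entry changed: five "none" entries remain.
    [ "$(grep -c 'rights="none"' "$1")" -eq 5 ]
}

# Demo on a temporary copy; pass --demo to run it. For the real file, run
# enable_pdf_only /etc/ImageMagick-6/policy.xml as root after backing it up.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_policy "$tmp"
    enable_pdf_only "$tmp"
    verify_policy "$tmp" && echo "PDF enabled; PS/PS2/PS3/EPS/XPS still blocked"
    rm -f "$tmp"
fi
```

After changing the real file, `identify -list policy` prints the rights ImageMagick now applies per coder, which is the quickest way to confirm the edit took effect.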
Renaming in numbered order
• Renamer
$ sudo apt install rename
• Commands to rename to numbered order
$ cd /bookfolder
• Test the output before applying (-n only prints what would be renamed)
$ rename -n 's/.+/our $i; sprintf("input%03d.png", 1+$i++)/e' *
• Apply the change
$ rename 's/.+/our $i; sprintf("input%03d.png", 1+$i++)/e' *
Unpaper - Basic usage
https://github.com/unpaper/unpaper/blob/main/doc/basic-concepts.md
Use case: two pages per sheet, "open book" format where the input image-file already contains two scanned pages in a double-page layout
Process multiple files using a wildcard of the form %0nd, e.g. input%03d.pbm and output%03d.pbm. It will successively read images from files input001.pbm, input002.pbm, input003.pbm etc., and write output to the files output001.pbm, output002.pbm, output003.pbm etc., until no more input image-files with the current index number are available. Wildcards in filenames like "%03d" will get replaced with strings in the sequence 001, 002, 003 etc.
• Commands for double-page layout
$ unpaper --layout double input%03d.pbm output%03d.pbm
$ unpaper --layout double input%03d.pbm --output-pages 2 output%03d.pbm
Use case: combine single-page image-files onto a double-page layout sheet
• Commands for single-page onto a double-page layout sheet
$ unpaper --no-processing --input-pages 2 singlepage%03d.pgm output%03d.pgm
Image processing
https://github.com/unpaper/unpaper/blob/main/doc/image-processing.md
• Commands
$ unpaper
Command line processing of multipage book-type scanned documents with ImageMagick.
https://edison23.net/blog/posts/crop-and-split-book-scan-in-3-commands
http://www.imagemagick.org/script/command-line-processing.php#geometry
$ sudo apt install imagemagick
*Note that convert is part of the ImageMagick package.
How to make a clean PDF with one page per sheet. The quality and quantity of additional work depends on how carefully you digitized the book.
• Command all-in-one
$ convert -monitor -density 300 orig-scan.pdf pages.png && convert `ls pages-*.png` -crop 3704x1852+160+20 +repage -crop 50%x100% pages-split.png && convert `ls pages-split*` -page 100%x100% result.pdf
• Commands
• Convert PDF to images in ordered sequence
$ convert -density 300 orig-scan.pdf pages.png
$ convert -density 300 orig-scan.pdf[0-9] pages.png
• Batch cropping and batch splitting the pages (test the result on a few pages first)
$ convert `ls pages-*.png` -crop 3704x1852+160+20 +repage -crop 50%x100% pages-split.png
• Recombining all the single pages back to PDF
$ convert `ls pages-split*` -page 100%x100% result.pdf
6.02 Password Manager
$ sudo apt install keepassxc
6.03 Browsers
https://avoidthehack.com/util/browser-comparison
https://librewolf.net/installation/debian/
$ sudo apt install
$ sudo apt install
Firefox | Chrome | Make |
---|---|---|
https://whonix.org/wiki/Install_Tor_Browser_Outside_of_Whonix#Easy
$ sudo apt install torbrowser-launcher
$ torbrowser-launcher
$ torbrowser-launcher --settings
https://kutt.it
https://shlink.io
6.04 Cloud Services
https://forum.rclone.org
https://reddit.com/r/cloudstorage
https://reddit.com/r/DataHoarder
https://reddit.com/r/Piracy
https://reddit.com/r/Scams
https://tahoe-lafs.org/trac/tahoe-lafs
https://github.com/glotlabs/gdrive
https://mega.io
https://mega.io/desktop
https://github.com/rclone/rclone
https://360.yandex.com
https://rclone.org/yandex (*Backend supported)
*Russian
https://idrive.com
https://idrive.com/online-backup-linux
https://idrive.com/linux-backup-scripts
https://rclone.org/s3/#idrive-e2
https://1024tera.com
https://1024tera.com/terabox-cloud-storage-for-pc-free-download
https://reddit.com/r/TeraBox/
https://pcloud.com
https://pcloud.com/how-to-install-pcloud-drive-linux.html
https://github.com/pcloudcom/console-client
https://sugarsync.com
https://rclone.org/sugarsync (*Not backend supported)
https://box.com
https://github.com/box/boxcli
https://github.com/rclone/rclone
6.05 File Host
https://unsee.cc
https://rapidgator.net
https://nitroflare.net
https://uploadgig.com
https://mediafire.com/upgrade/
https://ufile.io
https://1fichier.com/hlp.html
https://turbobit.net
http://filescase.com/
https://hexupload.org
https://tempsend.com
https://wetransfer.com
https://send-anywhere.com
https://sendgb.com
https://volafile.org
https://sendspace.com
https://myairbridge.com/en/eng
https://gofile.io/welcome
https://bitwarden.com/products/send
6.06 Media Players
$ sudo apt install mpv
Shortcuts - https://github.com/mpv-player/mpv/blob/master/DOCS/man/mpv.rst#keyboard-control
Window Geometry - https://mpv.io/manual/master/#options-geometry
Video Autofit - https://mpv.io/manual/master/#options-autofit
Config - https://github.com/mpv-player/mpv/blob/master/etc/mpv.conf
Copying the basic MPV configs
$ cp -r /usr/share/doc/mpv/ ~/.config/mpv/
Editing only MPV configuration file (.conf)
$ cp /usr/share/doc/mpv/mpv.conf.gz ~/.config/mpv/
$ gzip -d ~/.config/mpv/mpv.conf.gz
$ nano ~/.config/mpv/mpv.conf
Examples:
save-position-on-quit=yes
no-border
volume-max=125
geometry=50%x96%
To automatically save the current playback position on quit, start mpv with --save-position-on-quit, or add save-position-on-quit=yes to the configuration file.
Set volume-max=value in your configuration file to a reasonable amount, such as volume-max=150, which then allows you to increase your volume up to 150%, which is more than twice as loud. Increasing your volume too high will result in clipping artefacts. Additionally (or alternatively), you can utilize dynamic range compression with af=acompressor.
MPV Read-me and examples
$ gzip -dc /usr/share/doc/mpv/README.md.gz > ~/README.md
$ ls ~/.config/mpv/examples/lua/
Editing only MPV keybindings (input.conf)
$ cp /usr/share/doc/mpv/input.conf.gz ~/.config/mpv/
$ gzip -d ~/.config/mpv/input.conf.gz
$ nano ~/.config/mpv/input.conf
*It's recommended to use mplayer-input.conf as reference-only. To use it save as input.conf
$ sudo apt install vlc
$ sudo apt install totem
6.07 Video Editors
$ sudo apt install handbrake
(GUI)
$ sudo apt install handbrake-cli
(CLI)
$ sudo apt install ffmpeg
(CLI)
Useful links:
- https://keepvid.ch
- https://gifs.com
- https://omnicalculator.com/other/video-size
- https://vidon.me/compress-mp4
- https://dvdfab.at/resource/blu-ray/free-blu-ray-to-mp4-converter
$ sudo apt install
(GUI)
https://github.com/yt-dlp/yt-dlp
$ sudo apt install yt-dlp
(CLI)
Download YouTube videos
• Commands (URL is the video or playlist address)
• Download a video or playlist
$ yt-dlp URL
$ yt-dlp -F URL                          # list the available formats
$ yt-dlp -f 247 URL                      # pick a format code from the -F list
$ yt-dlp -f "best[height<=480]" URL
$ yt-dlp -f worstvideo URL
$ yt-dlp -o 'qwerty' URL                 # choose the output file name
• Download with metadata
$ yt-dlp -o '%(title)s by %(uploader)s on %(upload_date)s in %(playlist)s.%(ext)s' URL
$ yt-dlp --write-description --write-info-json --write-annotations --write-sub --write-thumbnail URL
• Download audio only
$ yt-dlp -x --audio-format mp3 URL
https://trac.ffmpeg.org/wiki/Encode/H.264
• Commands
• Compressing videos
$ ffmpeg -i input.ext output.mp4
$ ffmpeg -i input.ext -b:v BITRATE output.mp4   # e.g. -b:v 1000k
$ ffmpeg -i input.ext -vf scale=1280:720 output.mp4
$ ffmpeg -i input.ext -c:v libx265 output.mp4
$ ffmpeg -i input.mp4 -vcodec h264 -acodec mp2 output.mp4
$ ffmpeg -y -i input.mp4 -vcodec h264 -acodec mp3 output.mp4
$ ffmpeg -y -i input.mp4 -vcodec h264 -acodec aac output.mp4
$ ffmpeg -i input.mp4 -vcodec h264 -b:a 96k output.mp4
$ ffmpeg -i input.mp4 -vcodec h264 -b:v 1000k -acodec mp3 output.mp4
$ ffmpeg -i input.mp4 -vcodec libx265 -acodec aac -crf 23 output.mp4
$ ffmpeg -i input.mp4 -c:v libx265 -preset ultrafast -crf 28 -c:a aac -b:a 250k output.mp4
$ ffmpeg -i input.mov -c:v libx265 -preset veryfast -tag:v hvc1 -vf format=yuv420p -c:a copy output.mp4
• Compressing video and removing the sound (to disable audio you must use -an)
$ ffmpeg -i input.mp4 -vcodec h264 -an output.mp4
• Converting videos
$ ffmpeg -y -i input.wmv output.mp4
$ ffmpeg -i input.mp4 -vf "scale=-2:240" output.mp4
$ ffmpeg -i input.wmv -c:v libx264 -crf 23 output.mp4
$ ffmpeg -i input.wmv -c:v libx264 -crf 23 -c:a aac -q:a 100 output.mp4
$ ffmpeg -i input.wmv -c:v libx264 -crf 23 -c:a aac -strict -2 -q:a 100 output.mp4
$ ffmpeg -i input.wmv -c:v libx264 -crf 23 -profile:v high -r 30 -c:a aac -q:a 100 -ar 48000 output.mp4
• Scaling down the size of the MP4
$ ffmpeg -i input.mp4 -s 1280x720 -acodec copy -y output.mp4
$ ffmpeg -i input.mp4 -vf "scale=-2:720" -c:v libx264 -crf 20 -preset slow -c:a copy output.mp4
$ ffmpeg -i input.mp4 -s 1920x1080 -c:v libx265 -preset ultrafast -crf 28 -c:a aac -b:a 250k output.mp4
$ ffmpeg -i input.mp4 -vf scale=1080:1920,format=yuv420p -c:v libx265 -preset veryfast -tag:v hvc1 -b:v 800k -bufsize 1200k -b:a 128k output.mp4
$ ffmpeg -i input.mp4 -c:v libx265 -preset veryfast -tag:v hvc1 -vf format=yuv420p -c:a copy output.mp4
$ ffmpeg -i input.mp4 -c:v libx265 -preset veryfast -tag:v hvc1 -b:v new_bitrate -vf scale=new_width:new_height,format=yuv420p -c:a copy output.mp4
Bulk compress MP4 with ffmpeg
• One-line convert script $ for file in *.mp4; do ffmpeg -i "$file" -vf "scale=-2:240" "Output-${file%.*}.mp4"; done
Bulk compress script
#!/bin/bash
# This script automatically converts a folder of video files.
# Run it inside the folder; the converted files go to ./converted_videos.
# The default scale is -2:240 (width computed from the 240 px height).
#
# Commands to create and run it
# $ touch video-convert.sh
# $ chmod +x video-convert.sh
# $ nano video-convert.sh
# $ bash video-convert.sh
mkdir -p converted_videos
for file in *.mp4; do
    [ -e "$file" ] || continue            # no .mp4 files: the glob stays literal, skip it
    filename=$(basename -- "$file")
    extension="${filename##*.}"
    filename="${filename%.*}"
    output="converted_videos/Output_${filename}.mp4"
    ffmpeg -i "$file" -vf "scale=-2:240" "$output"
done
Bulk compress script with HandBrakeCLI
$ touch convert.sh
$ chmod +x convert.sh
$ nano convert.sh
$ bash convert.sh
#!/bin/bash
# This script automatically converts a folder of video files to MP4.
# You need to change SRC (source folder) and DEST (destination folder).
# The MP4 format is 480x270.
#
# Commands to create and run it
# $ touch convert.sh
# $ chmod +x convert.sh
# $ nano convert.sh
# $ bash convert.sh
SRC=/home/video
DEST=/home/www/mp4files
DEST_EXT=mp4
HANDBRAKE_CLI=HandBrakeCLI
mkdir -p "$DEST"
for FILE in "$SRC"/*; do                 # a glob, not `ls`, so names with spaces survive
    [ -f "$FILE" ] || continue
    filename=$(basename -- "$FILE")
    extension="${filename##*.}"
    filename="${filename%.*}"
    "$HANDBRAKE_CLI" -i "$FILE" -o "$DEST/$filename.$DEST_EXT" -e x264 -q 22 -r 12 -B 64 -X 480 -O
done
*Not working.
6.09 Email
$ sudo apt install -y thunderbird
$ sudo apt install -y birdtray
https://emailselfdefense.fsf.org/en/
https://emailselfdefense.fsf.org/en/workshops.html
https://riseup.net/en/security/message-security/openpgp/best-practices
https://riseup.net/en/security/message-security/openpgp/enigmail
https://linuxbabe.com/security/encrypt-emails-gpg-thunderbird
https://wiki.archlinux.org/title/Paperkey
https://keys.openpgp.org/about/usage
https://efail.de
Note 1: You cannot recover the secret key from the public key and the passphrase. You cannot recover your secret gpg key without a backup.
Note 2: Create an expiration date for security reasons.
👷🛠️UNDER CONSTRUCTION🚧🏗
Note 3: Create an .
Commands for gnupg (GnuPG - GNU Privacy Guard)
• How to export and import GPG keys:
$ gpg --export ${ID} > public.key
$ gpg --export-secret-key ${ID} > private.key
$ gpg --import --batch public.key
$ gpg --import --batch backup_dir/.gnupg/pubring.gpg
$ gpg --import --batch backup_dir/.gnupg/secring.gpg
$ gpg --edit-key ${KEY} trust quit
$ gpg --list-keys
$ gpg --list-secret-keys
Commands for gnupg (GnuPG - GNU Privacy Guard)
• How to extend the expiration date of an already expired GPG key:
$ gpg --list-keys
$ gpg --edit-key (key id)
• The GPG console opens on the primary key; list the subkeys and select one:
gpg> list
gpg> key 1
• Set the expiration for the selected key
gpg> expire
gpg> save
• After the update, you can send it out
$ gpg --keyserver site.com --send-keys (key id)
$ gpg --list-secret-keys --verbose --with-subkey-fingerprints
6.10 Encryption
👷🛠️UNDER CONSTRUCTION🚧🏗
Visit our repo tree: 2.SECURITY/2.03_Encryption
Visit our repo tree: 1.INSTALLATION/2.02_Debootstrap
https://mhogomchungu.github.io/zuluCrypt
https://github.com/mhogomchungu/zuluCrypt
https://mhogomchungu.github.io/sirikali
$ sudo apt install zulucrypt-gui
https://veracrypt.fr/en/Downloads.html
https://reddit.com/r/VeraCrypt
https://github.com/veracrypt/VeraCrypt
∙ Command to automount favorite volume at startup session:
/usr/bin/veracrypt %f /dev/sda2
∙ Password less:
$ sudo groupadd veracrypt
$ sudo usermod -aG veracrypt "$(whoami)"
(or)
$ sudo usermod -aG veracrypt $USER
$ sudoedit /etc/sudoers
#Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
%veracrypt ALL=(root) NOPASSWD:/usr/bin/veracrypt
*Reboot
$ sudo reboot
∙ NTFS - volume mounts read-only (dirty filesystem)
$ sudo ntfsfix /dev/mapper/veracrypt1
If that is not enough, run a check from Windows (a normal session or WinPE) on the mounted volume, then dismount and mount it again in VeraCrypt:
C:\> chkdsk /F
Commands for gnupg
• How to encrypt a file with a passphrase (symmetric encryption)
$ gpg -c backup.tar.gz
• How to decrypt it
$ gpg backup.tar.gz.gpg
https://cryptomator.org
https://github.com/cryptomator/cryptomator
https://github.com/cryptomator/cli
https://reddit.com/r/Cryptomator
https://duplicati.com
https://github.com/duplicati/duplicati
https://forum.duplicati.com
https://reddit.com/r/duplicati
6.11 Extracting Files
https://wiki.debian.org/Compression
$ sudo apt install -y tar gzip 7zip unrar zlib1g bzip2 xz-utils tarlz
(unrar is in Debian's non-free component; unrar-free is the free alternative)
Add this function to the .bashrc or .bash_profile file in your home directory:
# Extract common archive files by file extension
extract() {
    if [ ! -f "$1" ]; then
        echo "'$1' is not a valid archive file." >&2
        return 1
    fi
    case "$1" in
        *.tar.gz|*.tgz)   tar xzf "$1" ;;
        *.tar.bz2|*.tbz2) tar xjf "$1" ;;
        *.tar.xz|*.txz)   tar xJf "$1" ;;
        *.tar.zst)        tar --zstd -xf "$1" ;;
        *.tar)            tar xf "$1" ;;
        *.gz)             gunzip "$1" ;;
        *.bz2)            bunzip2 "$1" ;;
        *.xz)             unxz "$1" ;;
        *.zst)            unzstd "$1" ;;
        *.Z)              uncompress "$1" ;;
        *.zip)            unzip "$1" ;;
        *.7z)             7z x "$1" ;;
        *.rar)            unrar x "$1" ;;
        *)                echo "'$1': unknown archive type" >&2; return 1 ;;
    esac
}
(the .tar.* cases must come before the plain *.xz/*.zst ones, since case takes the first match; "$1" is quoted so names with spaces work)
Commands for .tar archives (tar alone bundles files without compressing them)
• How to create a .tar file
$ tar -cvf outarchive.tar ~/Documents
• How to unpack a .tar file
$ tar -xvf archive.tar
Commands for .tar.gz archives
• How to create a .tar.gz file
$ tar -cvzf outarchive.tar.gz ~/Documents
• To list the contents of a .tar.gz file
$ tar -tzf archive.tar.gz
• How to decompress a .tar.gz file (optionally into another directory with -C)
$ tar -xvzf archive.tar.gz
$ tar -xvzf archive.tar.gz -C /home/user/Downloads
$ sudo apt install gzip
Commands for .gz archives (gzip compresses a single file in place, replacing it with file.gz; use -c to write to another name)
• How to create a .gz file
$ gzip indoc1.pdf
$ gzip -c indoc1.pdf > outarchive.gz
• How to decompress a .gz file
$ gunzip archive.gz
$ sudo apt install p7zip-full
Commands for .7z archives • How to create an .7z file $ 7z a outarchive.7z indoc1.pdf • How to decompress a .7z file $ 7z x archive.7z
Commands for .zip archives • How to create an zip file $ 7z a outarchive.zip indoc1.pdf • How to decompress a zip file $ 7z x archive.zip
Commands for encrypted .7z and .zip archives (-p prompts for the password; the 7z format encrypts with AES-256 by default, while the zip format falls back to the weak ZipCrypto cipher unless -mem=AES256 is given; -scrc selects a checksum algorithm, not a cipher)
• How to create an encrypted .7z file
$ 7z a -p -t7z archive.7z /input/directory
• How to create an encrypted .zip file with AES-256
$ 7z a -p -tzip -mem=AES256 outarchive.zip indoc1.pdf inpdoc2.pdf
$ 7z a -p -tzip -mem=AES256 archive.zip /input/directory
• How to create a .7z file with an encrypted header (7z format only)
$ 7z a -p -mhe=on archive.7z input_dir
$ 7z a -p -mhe=on /output/archive.7z /input/directory
• How to decompress an encrypted .7z or .zip file
$ 7z x archive.zip
$ 7z x archive.7z
*Encrypted header: no file list contents visible without the password
$ sudo apt install unrar-free
Commands for .rar archives (*proprietary format: extract only)
• How to extract a rar file (e = without the directory structure, x = with it)
$ unrar e ~/Downloads/filename.rar ~/Downloads/
• How to extract an encrypted rar file (you are prompted for the password)
$ unrar-free -x ~/Downloads/filename.rar ~/Downloads/
• How to extract a multi-part rar archive: extract only part01.rar, the remaining parts are picked up automatically. Navigate to the directory containing the parts first:
$ cd /path/to/directory/
$ unrar-free -xp part01.rar ~/Downloads/
https://infozip.sourceforge.net
$ sudo apt install zip unzip
Commands for .zip archives
• Add file.txt to z.zip (creating z.zip if needed)
$ zip z file.txt
• Zip all files in the current directory
$ zip z *
• Zip files in the current directory and its subdirectories
$ zip -r z .
• How to decompress a .zip file
$ unzip ~/Downloads/filename.zip
• How to unzip multiple .zip files (quote or escape the glob so that unzip, not the shell, expands it)
$ unzip '*.zip'
$ unzip \*.zip
• How to decompress a .zip file into a directory
$ unzip filename.zip -d /path/to/directory
$ unzip -d file file.zip
• File-name encoding error (names stored in another encoding)
$ unzip -I (encoding) (FILE_PATH) -d (Destination)
$ unzip -I UTF-8 Desktop.zip
Commands for encrypted .zip archives
• How to create an encrypted .zip file (zip -e uses the legacy ZipCrypto cipher, which is weak, and file names stay visible in the archive; prefer 7z with -mem=AES256 or encrypt the whole archive with gpg)
$ zip -er filename.zip ~/Downloads/
• How to decompress an encrypted .zip file (you are prompted for the password)
$ unzip ~/Downloads/filename.zip
• How to decompress an encrypted .zip file into a directory
$ unzip ~/Downloads/filename.zip -d ~/Downloads/
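Both the extract() helper above and the unzip/7z commands trust whatever member names the archive carries. An archive can contain entries such as ../../.ssh/authorized_keys or an absolute path, and extracting it blindly writes outside the target directory ("zip slip"). The following is an added example, not code from the page: a listing check that works with any archiver able to print member names (tar -tf, unzip -Z1, 7z l), plus a tar wrapper that extracts only after the check passes. The function names are my own.

```shell
# Added example (not from the page): refuse archives whose member names
# escape the extraction directory ("zip slip"): absolute paths, ".."
# components, or Windows drive/backslash paths. It works on a listing,
# so it is archiver-independent (tar -tf, unzip -Z1, 7z l ...).
# archive_paths_ok < listing  -> exit 0 if every name is safe, 1 otherwise
archive_paths_ok() {
    _bad=0
    while IFS= read -r _p; do
        [ -z "$_p" ] && continue
        case "$_p" in
            /* | \\* | ?:*)
                echo "unsafe (absolute): $_p" >&2; _bad=1 ;;
            .. | ../* | */.. | */../* | *\\..\\* | ..\\*)
                echo "unsafe (parent dir): $_p" >&2; _bad=1 ;;
        esac
    done
    return "$_bad"
}

# safe_untar ARCHIVE DEST: list first, extract only when the listing is clean
safe_untar() {
    _archive="$1"; _dest="$2"
    if ! tar -tf "$_archive" | archive_paths_ok; then
        echo "refusing to extract $_archive" >&2
        return 1
    fi
    mkdir -p "$_dest" && tar -xf "$_archive" -C "$_dest"
}
```

The check covers path names only; symbolic-link members that point outside the destination are a separate concern, so still extract untrusted archives into an empty directory owned by an unprivileged user.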
6.12 Sanitation
Visit our repo tree: 2.SECURITY/2.06_Sanitization
$ sudo apt install exiftool
(CLI)
$ sudo apt install metadata-cleaner
(GUI)
$ sudo apt install metacam
(GUI)
• Exiftool - https://github.com/exiftool/exiftool
• List of metadata TAGS - https://exiftool.org/TagNames/index.html
• Common Mistakes - https://exiftool.org/mistakes.html
• Metacam - https://packages.debian.org/unstable/graphics/metacam
Commands for exiftool
• Remove all metadata from every writable file in a folder and its subfolders, without keeping backups (take care: this also strips the embedded ICC colour profile, which can change how colours render; exiftool's --icc_profile:all exclusion keeps it)
$ exiftool -v -all:all= -overwrite_original -r /path/to/files/
• Show only selected EXIF metadata
$ exiftool -v -Model -ImageSize photo.jpg
• Process all files of a given type (case-insensitive extension)
$ exiftool -v -Model -ImageSize -ext jpg /path/to/files/
• Recursively process all jpg files under a directory and its subdirectories
$ exiftool -v -r -Model -ImageSize -ext jpg /path/to/files/
Commands $ metadata-cleaner /path/to/file.png
$ sudo apt install bleachbit
Prevent recovery
In both user profile and root Bleachbit, go to Options -> Preferences -> General Tab and check "Overwrite contents of files to prevent recovery".
Freeze bug - free-space erase option
Take care with "free space erase" in root mode: it fills the disk with random files and, if interrupted, can leave the disk full so that the system no longer starts.
Commands to recover if the system freezes or no longer boots
• Switch to a text console (tty)
CTRL + ALT + F2 (or F3 ... F6)
• Log in at the "user:" / "password:" prompt, become root and delete the filler files BleachBit left in the root of the filesystem. Only remove the temporary "tmp..." directories it created; do not remove /tmp itself.
$ sudo su
# cd / && ls -d tmp*
# rm -R tmpXXXX   (XXXX: the name of the BleachBit directory shown by ls)
# reboot
• To find the large files in other folders
$ df -h
$ df -h ~/.cache
$ sudo df -h /mnt
$ find ~/.cache -xdev -type f -size +1G
$ sudo find /root -xdev -type f -size +1G
$ rm ~/.cache/tmp*
$ sudo rm /root/tmp*
• List the system cleaners
$ sudo bleachbit -l
• Erase space / clean the selected system targets
$ sudo bleachbit --clean system.cache \
system.clipboard \
system.custom \
system.desktop_entry \
system.free_disk_space \
system.localizations \
system.memory \
system.recent_documents \
system.rotated_logs \
system.tmp \
system.trash
* cron
Remove unused locales (keep your preferred language besides en-US)
$ sudo apt install -y localepurge
$ sudo localepurge
In BleachBit run as administrator, go to Options -> Preferences -> Languages tab and tick the language(s) to keep besides en-US. Start cleaning; this may take some time.
https://wiki.debian.org/SSDOptimization
https://wiki.archlinux.org/title/Solid_state_drive
*Not every SSD supports the ATA/NVMe sanitize and secure-erase commands. The reliable way to erase an SSD is the manufacturer's own tool (below); overwriting from the OS may leave data behind because wear levelling and over-provisioned blocks are not addressable by the host.
*If you use SSDs, check in the BIOS/UEFI that the disk controller runs in AHCI (or NVMe) mode so the drive is recognised as an SSD, and enable periodic TRIM in the OS (on Debian the fstrim.timer systemd unit).
*Consider hardware flaws in the drive's own encryption and erase implementation.
- Corsair SSD Toolbox
- Samsung Magician
- Seagate Seatools
- Lenovo ThinkPad Drive Erase Utility
- Crucial Storage Executive
- Western Digital Dashboard
- HP Secure Erase [ BIOS / UEFI ]
- Transcend SSD Scope
- Dell Data Wipe function [ BIOS / UEFI ]
- SanDisk SSD Dashboard
- Kingston SSD Manager
- Micron SSD Management
- Intel Memory and Storage Tool
https://github.com/PartialVolume/shredos.x86_64
https://github.com/martijnvanbrummelen/nwipe
$ sudo apt install -y nwipe
$ sudo apt install -y hdparm
• Commands: hdparm -I /dev/sdX shows whether the drive supports the ATA security feature set and whether it is "frozen" (no erase possible until a suspend/resume cycle); nwipe overwrites block devices for disks that lack a firmware erase.
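Added example (not the page's code) for the hdparm entry above: before issuing an ATA Secure Erase you need to know whether the drive supports the security feature set, whether it is already locked or enabled, and whether the BIOS has left it "frozen", a common state after boot that a suspend/resume cycle clears. The first function parses the "Security:" block of hdparm -I output; the sample outputs in the test are constructed to match that layout. The second function only prints the hdparm commands it would run, so this example cannot wipe a disk by accident; "Eins" is an arbitrary throwaway password.

```shell
# Added example (not from the page): classify the "Security:" block that
# `hdparm -I /dev/sdX` prints.  ata_security_state < hdparm-I-output
# prints one of: unsupported | frozen | locked | enabled | enhanced-ready | ready
ata_security_state() {
    awk '
        /^Security:/                          { insec = 1; next }
        insec && /^[^ \t]/                    { insec = 0 }     # next top-level section
        insec && /supported: enhanced erase/  { enh = 1; next }
        insec && /^[ \t]*supported[ \t]*$/    { sup = 1; next }
        insec && /^[ \t]*not[ \t]+frozen/     { next }
        insec && /^[ \t]*frozen/              { frozen = 1 }
        insec && /^[ \t]*not[ \t]+locked/     { next }
        insec && /^[ \t]*locked/              { locked = 1 }
        insec && /^[ \t]*not[ \t]+enabled/    { next }
        insec && /^[ \t]*enabled/             { enabled = 1 }
        END {
            if (!sup)         print "unsupported"
            else if (frozen)  print "frozen"
            else if (locked)  print "locked"
            else if (enabled) print "enabled"
            else if (enh)     print "enhanced-ready"
            else              print "ready"
        }'
}

# ata_secure_erase_plan DEV: print (never run) the hdparm sequence that fits
# the drive's state. Run the printed commands by hand, on an unmounted disk.
ata_secure_erase_plan() {
    _dev="$1"
    case "$(hdparm -I "$_dev" | ata_security_state)" in
        unsupported)    echo "ATA security not supported: use the vendor tool or nwipe" ;;
        frozen)         echo "drive is frozen: suspend to RAM (systemctl suspend), resume, retry" ;;
        locked|enabled) echo "security already enabled: disable it with the existing password first" ;;
        enhanced-ready)
            echo "hdparm --user-master u --security-set-pass Eins $_dev"
            echo "hdparm --user-master u --security-erase-enhanced Eins $_dev" ;;
        ready)
            echo "hdparm --user-master u --security-set-pass Eins $_dev"
            echo "hdparm --user-master u --security-erase Eins $_dev" ;;
    esac
}
```

Enhanced erase also overwrites the over-provisioned and reallocated areas, which is why it is preferred when the drive reports "supported: enhanced erase". Setting the user password and erasing must happen in the same power cycle; if the erase is interrupted the drive stays locked with that password.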
6.13 Display
$ sudo apt install redshift
(CLI)
$ sudo apt install redshift-gtk
(GUI)
Configuration file: ~/.config/redshift/redshift.conf (sample below)
https://raw.githubusercontent.com/jonls/redshift/master/redshift.conf.sample
$ redshift -P -O TEMPERATURE
$ redshift -P -O 4000
$ redshift -P -O 6000
$ sudo apt install brightnessctl
$ brightnessctl s 25% && redshift -P -O 4000
$ brightnessctl s 50% && redshift -P -O 6500
$ redshift -l LAT:LONG
6.14 Files and Folders
$ sudo apt install grsync
(GUI)
$ sudo apt install dupeguru
(GUI) (*finds duplicates by name, size, hash)
$ sudo apt install fdupes
(CLI)
• Commands (-r recursive, -S show the size of each duplicate set)
$ fdupes -r dir
$ fdupes -r -S .
https://github.com/pixelb/fslint
$ sudo apt install coreutils
(CLI) (BUILT-IN)
• Small trees: hash every file and group identical hashes (md5 is enough to find duplicates among your own files; colliding md5 inputs are easy to construct, so use sha256sum, with -w64, where an attacker could plant files)
$ find . -type f -print0 | xargs -0 md5sum | sort | uniq -w32 --all-repeated=separate
• Large trees: compare sizes first, then hash only the files whose size occurs more than once
$ find . -not -empty -type f -printf "%s\n" | sort -rn | uniq -d |\
xargs -I{} -n1 find . -type f -size {}c -print0 | xargs -0 md5sum |\
sort | uniq -w32 --all-repeated=separate
$ sudo apt install tree
• List directories only
$ tree -d
• Control the depth of the tree
$ tree -d -L 2 .
6.15 Renamers
You might consider including some of the following information in your file names, but you can include any information that will allow you to distinguish your files from one another.
- Project or experiment name or acronym
- Location/spatial coordinates
- Researcher name/initials
- Date or date range of experiment
- Type of data
- Conditions
- Version number of file
- Three-letter file extension for application-specific files
Another good idea is to include in the directory a readme.txt file that explains your naming format along with any abbreviations or codes you have used.
Machine readable
- Regular expression and globbing friendly
- Avoid spaces, punctuation, accented characters, case sensitivity
- Easy to compute on
- Deliberate use of delimiters
Consider these additional tips as you develop a file naming scheme:
- A good format for date designations is YYYYMMDD or YYMMDD. This format makes sure all of your files stay in chronological order, even over the span of many years.
- Try not to make file names too long, since long file names do not work well with all types of software.
- Special characters such as ~ ! @ # $ % ^ & * ( ) ` ; < > ? , [ ] { } ' " and | should be avoided.
- When using a sequential numbering system, use leading zeros for clarity and so that files sort in sequential order. For example, use "001, 002, ...010, 011 ... 100, 101, etc." instead of "1, 2, ...10, 11 ... 100, 101, etc."
- Do not use spaces. Some software will not recognize file names with spaces, and file names with spaces must be enclosed in quotes when using the command line. Other options include:
- Underscores, e.g. file_name.xxx
- Dashes, e.g. file-name.xxx
- No separation, e.g. filename.xxx
- Camel case, where the first letter of each section of text is capitalized, e.g. FileName.xxx
- Periods can be used in files names but consider these points before doing so and proceed cautiously:
- Periods are used in regular expressions.
- Periods at the start of a file name are used to indicate configuration and/or hidden files in a file directory.
- Periods are used to separate file names from file extensions.
• Dencode - https://dencode.com
• Commonly Used Software Development Tools - https://ctool.dev
• Text Fixer - https://textfixer.com
• SS64 Syntax Utils - https://ss64.com
• Tools4noobs - https://tools4noobs.com
$ sudo apt install krename
(GUI)
$ sudo apt install gprename
(GUI)
camelCase
PascalCase
kebab-case
snake_case
UPPER_CASE_(SNAKE_CASE)
• Commands with mv
• Simply rename
$ mv /home/user/oldname /home/user/newname
• Convert uppercase to lowercase characters. The two common one-liners below break on names containing spaces and try to move a file onto itself when the name has no uppercase letter:
$ for f in *; do mv -T "$f" "$(echo $f | tr [A-Z] [a-z])"; done   #FAIL
$ for i in $( ls | grep [A-Z] ); do mv -f $i `echo $i | tr 'A-Z' 'a-z'`; done   #FAIL
• The same loop done safely (quoted names, skip unchanged names, never overwrite):
$ for f in *; do l=$(printf '%s' "$f" | tr '[:upper:]' '[:lower:]'); [ "$f" = "$l" ] || mv -n -- "$f" "$l"; done
• Commands with sed
• Convert CamelCase to kebab-case (the first variant keeps the leading dash, the third keeps the capitals, the others lowercase each capital and strip the leading dash)
$ echo "MyDirectoryFileLine" | sed -e 's/\([A-Z]\)/-\L\1/g'
$ echo "MyDirectoryFileLine" | sed -e 's/\([A-Z]\)/-\L\1/g' -e 's/^-//'
$ echo "MyDirectoryFileLine" | sed -e 's/\([A-Z]\)/-\1/g' -e 's/^-//'
$ echo "MyDirectoryFileLine" | sed -e 's/[A-Z]/-\L&/g' -e 's/^-//'
$ echo "MyDirectoryFileLine" | sed -e 's/[A-Z]/-\l&/g;s/.//'
• Only split where a lowercase letter is followed by a capital, so an acronym stays in one piece
$ echo "SomeACRONYMInCamelCaseString" | sed -e 's/\([a-z]\)\([A-Z]\)/\1-\L\2/g' | sed -e 's/\(.*\)/\L\1/'
$ sudo apt install rename
(CLI)
• Commands for rename (Debian's rename package is the Perl rename: the expression is Perl code, so y/// is a transliteration and s/// a substitution)
• Syntax
$ rename [options] 's/[pattern]/[replacement]/' [file name]
• Replacing blank spaces with underscores (_)
$ rename -v 'y/ /_/' *.pdf
$ rename -v 'y/ /_/' ~/Downloads/*
$ rename -v 'y/ /_/' ~/Downloads/*.pdf
• Replacing dashes with underscores
$ rename -v 'y/-/_/' ~/Downloads/*.pdf
• Rename files to a numbered sequence
$ cd /Files
• Test the output first (-n = dry run, nothing is renamed)
$ rename -n 's/.+/our $i; sprintf("input%03d.png", 1+$i++)/e' *
• Apply the change
$ rename 's/.+/our $i; sprintf("input%03d.png", 1+$i++)/e' *
• Delete a part of a filename
$ rename -v 's/example//' *.pdf
• Convert uppercase to lowercase characters (plain ranges; brackets inside y/// are literal characters)
$ rename -v 'y/A-Z/a-z/' *.PDF
$ find my_dir -type f -execdir rename 'y/A-Z/a-z/' {} \;
• Convert lowercase to uppercase characters
$ rename -v 'y/a-z/A-Z/' *.pdf
• Convert spaces to underscores (snake_case, not camel case)
$ rename 's/ /_/g' *
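Added example (not from the page) that applies the naming rules above and the case conversions of this section in one place: slugify_name turns a file name into lowercase, ASCII-only snake_case, splitting CamelCase at word boundaries and keeping the extension; rename_slug applies it to files, with a dry-run option like rename -n. The function names and the sample names in the test are my own.

```shell
# Added example (not from the page): machine-readable file names.
# slugify_name NAME -> prints the normalized name, renames nothing.
#   "My Report (Final) v2.PDF" -> my_report_final_v2.pdf
#   "SomeACRONYMInCamelCaseString.txt" -> some_acronym_in_camel_case_string.txt
# Bytes outside [a-z0-9._] (spaces, punctuation, accented UTF-8 bytes)
# become "_"; runs of "_" are collapsed; no transliteration is attempted.
slugify_name() {
    _name="$1"; _ext=""; _base="$_name"
    # split a trailing extension; dotfiles such as ".bashrc" have none
    case "$_name" in
        ?*.*) _ext=".${_name##*.}"; _base="${_name%.*}" ;;
    esac
    _base=$(
        export LC_ALL=C                         # byte-wise, locale-independent
        printf '%s' "$_base" \
        | sed -e 's/\([a-z0-9]\)\([A-Z]\)/\1_\2/g' \
              -e 's/\([A-Z]\)\([A-Z][a-z]\)/\1_\2/g' \
        | tr '[:upper:]' '[:lower:]' \
        | tr -c 'a-z0-9._\n' '_' \
        | sed -e 's/_\{2,\}/_/g' -e 's/^_//' -e 's/_$//'
    )
    _ext=$(printf '%s' "$_ext" | tr '[:upper:]' '[:lower:]')
    printf '%s%s\n' "$_base" "$_ext"
}

# rename_slug [-n] FILE...: rename each file in place; -n only prints the plan.
# mv -n never overwrites an existing file (e.g. "A.txt" and "a.txt" colliding).
rename_slug() {
    _dry=0
    [ "$1" = "-n" ] && { _dry=1; shift; }
    for _f in "$@"; do
        _dir=$(dirname -- "$_f")
        _old=$(basename -- "$_f")
        _new=$(slugify_name "$_old")
        [ "$_old" = "$_new" ] && continue
        echo "$_f -> $_dir/$_new"
        [ "$_dry" -eq 1 ] || mv -n -- "$_f" "$_dir/$_new"
    done
}
```

Run rename_slug -n first on a directory (rename_slug -n ~/Downloads/*), read the plan, then repeat without -n.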
\n is the escape for a new line, \t for a tab and \r for a carriage return ("return").
Note: \n, \t and \r are interpreted inside <pre> text </pre> blocks.
Char | Numeric code | Named code | Description
---|---|---|---
\t | &#9; | | horizontal tab
\n | &#10; | | line feed
\r | &#13; | | carriage return / enter
(NBSP) | &#160; | &nbsp; | non-breaking space
6.16 Backup
https://github.com/bit-team/backintime
https://github.com/teejee2008/timeshift
https://github.com/restic/restic
$ sudo apt install grsync
GRSYNC is a graphical interface for the rsync command line program. It can be used for local directory synchronization.
Copy files and directories (CLI)
$ cp -r ~/.config/example/ /media/backup
$ cp -vur ~/.config/example/ /media/backup
*-r copies recursively and -u only files newer than the destination copy; neither keeps ownership or permissions. Use -a (archive mode) to preserve permissions, ownership, timestamps and symlinks:
$ cp -a ~/.config/example/ /media/backup
https://wiki.archlinux.org/title/Rsync
$ sudo apt install rsync
• Copying
$ rsync -ah --progress ~/source /backup/destination
$ rsync -ah --info=progress2 ~/source /backup/destination
$ rsync -rah --info=progress2 ~/source /backup/destination
• Moving (each source file is deleted once it has been transferred)
$ rsync -ravzP --remove-source-files ~/source /backup/destination
• Copy a file or directory from the local to a remote machine over SSH
$ rsync -ravP Directory/ server@192.168.1.56:/home/server
*-a preserves permissions, timestamps, symlinks and (when the receiving side runs as root) ownership. A trailing slash on the source ("Directory/") copies its contents; without it rsync creates "Directory" inside the destination.
$ dd if=~/source of=/backup/destination status=progress
$ sudo apt install pv
$ pv ~/source > /backup/destination
*dd and pv copy the bytes of a single file or device; they don't preserve permissions/ownership and don't handle directories.
$ curl -o destination FILE://source
*This won't preserve the file's permissions/ownership.
The Free and Open Source Software for Disk Imaging and Cloning
https://clonezilla.org//clonezilla-live-doc.php
Changing the device name stored in a saved image (here an image taken from sda3, to be restored to sda2)
$ cnvt-ocs-dev -d /home/partimag 'image' 'sda3' 'sda2'
https://debian.org/doc/manuals/securing-debian-manual/ch04s17.en.html#check-integ
6.18 Online Utilities
• Message Header Analyzer - https://mha.azurewebsites.net
• Message Header Analyzer - https://github.com/microsoft/MHA
• PhishTank - https://phishtank.org
• Simple Email Reputation - https://emailrep.io
• Whois - https://iana.org/whois
• ViewDNS - https://viewdns.info
• WhoisMyDNS - https://whoismydns.com
• NSLookup - https://nslookup.io
• My-Addr - https://my-addr.com
• Malpedia - https://malpedia.caad.fkie.fraunhofer.de
• CVE Details - https://cvedetails.com
• Exploit Database - https://exploit-db.com
• FileInfo - https://fileinfo.co
• xCyclopedia - https://strontic.github.io/xcyclopedia
• The Windows Binary Index - https://winbindex.m417z.com
• Palo Alto Applipedia - https://applipedia.paloaltonetworks.com
• Windows Security Logs - https://ultimatewindowssecurity.com/securitylog/encyclopedia
• Internet Archive (WayBackMachine) - https://web.archive.org
• Archive web content - https://archive.ph
• Internet Archive - https://archive.org
• HTTrack - https://httrack.com
• IPVOID - https://ipvoid.com
• AbuseIPDB - https://abuseipdb.com
• Grabify IP Logger - https://grabify.link/
• IP Logger - https://iplogger.org
• IP Tracker - https://iplogger.org/ip-tracker
• IP Location Tracker - https://iplogger.org/location-tracker
• IP Location - https://iplocation.net
• URL Checker - https://iplogger.org/url_checker
• MAC Address Lookup - https://iplogger.org/mac-checker
• MAC Vendor - https://macvendors.com
• IP API
- ip-api - https://ip-api.com
- ipify - https://ipify.org
- ipapi - https://ipapi.co
- vpnapi - https://vpnapi.io
- ipapi - https://ipapi.com
• The ZMap Project - https://zmap.io
• WiGLE - https://wigle.net
• urlscan.io - https://urlscan.io
• Virus Total - https://virustotal.com
• Hybrid Analysis - https://hybrid-analysis.com
• Cuckoo Sandbox - https://cuckoo.cert.ee
• AlienVault OTX - https://otx.alienvault.com
• IBM X-Force Exchange - https://exchange.xforce.ibmcloud.com
• Cisco Talos - https://talosintelligence.com/reputation_center
• Maltiverse - https://maltiverse.com/collection
• GreyNoise - https://greynoise.io
• SANS Internet Storm Center - https://isc.sans.edu
• Intelligence X - https://intelx.io
• MetaDefender Cloud - https://metadefender.opswat.com
• RiskIQ Community Edition - https://community.riskiq.com/home
• Pulsedive - https://pulsedive.com
• Valhalla YARA Rules - https://valhalla.nextron-systems.com
• ANY.RUN - https://any.run
• Binvis - https://binvis.io
• JoeSandbox - https://joesandbox.com
• Verexif - https://verexif.com/en/
• Reverse Shell Generator - https://revshells.com
• Rainbow Tables (Hashes) - https://hashes.com/en/decrypt/hash
• File Signatures ("Magic Numbers") - https://en.wikipedia.org/wiki/Magic_number_(programming)
• List of File Signatures - https://en.wikipedia.org/wiki/List_of_file_signatures
• CyberChef - https://gchq.github.io/CyberChef
• explainshell - https://explainshell.com
• Epoch Converter - https://epochconverter.com
• Regex - https://regex-generator.olafneumann.org
• DeHashed - https://dehashed.com
• Text to ASCII Art Generator - https://patorjk.com/software/taag
• Have I Been Pwned - https://haveibeenpwned.com
• Name OSINT - https://namechk.com
• Breach Directory - https://breachdirectory.org
• MD5 Decrypt - https://md5decrypt.net/en/Sha1
• DeepL - https://deepl.com/translator
6.20 Tips and Tricks
$ sudo shutdown -h 23:59
Since a day has 24 hours (24×60 = 1440 minutes), you could adapt:
$ sudo shutdown +1440
Execute a delayed shutdown at a specific time and day with at (the job must run as root, so sudo goes on at, not on echo):
$ sudo apt install at
$ echo "shutdown +767" | sudo at 08:46am 2024-09-11
$ sleep 5m && mpv alarm.mp3
$ time cat   (a quick stopwatch: press CTRL + C to stop and time reports how long it ran)
$ df -h
$ df -h /home/$USER/Downloads
$ du -h ~/Downloads | sort -rh | head -n 10
$ find ~/Downloads -type f -size +3G -exec du -h {} + | sort -rh
$ find /home/$USER/Downloads -xdev -type f -size +1G
$ find . -size +1M -printf "%p \t%k kb\n" | sort -k2n
Be cautious combining -n (quiet) with -i (in-place): the former disables automatic printing of lines and the latter rewrites the file without a backup, so a script that prints nothing leaves you with an empty file. Make a backup before editing, e.g. with -i.bak.
$ sed --options [optional SCRIPT] [INPUT STREAM]
• Append a line after every matching line
$ sed '/option/a Hello World' *.txt
• Insert a line before every matching line
$ sed '/option/i Hello World' *.txt
• Append text after the first match only (the 0,/re/ range is GNU sed; the brace restricts the command to the matching line)
$ sed -e '0,/option/{/option/a Hello World' -e '}' *.txt
• Insert text before the first match only
$ sed -e '0,/option/{/option/i Hello World' -e '}' *.txt
• Insert the contents of a file after line 1
$ sed -i -e '1r text1' text2.txt
• Insert the contents of a file (also multi-line) after every line matching a pattern
$ sed -i '/pattern/ r snippet.txt' filename
• Batch append text after a pattern in all .txt files
$ sed -i '/SearchPattern/a New Text' *.txt
$ find . -name '*.txt' -exec sed -i -e 's/textp1/textp2/g' {} \;
• Replacement syntax
$ sed s/regexp/replacement/[flags]
• Replace the first "closed" with "open" on lines containing "code"
$ sed '/code/ s/closed/open/' text.txt
• Replace all "closed" with "open" on lines containing "code"
$ sed '/code/ s/closed/open/g' text.txt
• Replace every occurrence of 'hello' with 'world' in input.txt
$ sed 's/hello/world/g' input.txt > output.txt
• Batch removing specific text in .txt files; -i tells sed to make the change in place, inside the file itself
$ sed -i 's/text//' *.txt
• Batch editing with a backup copy first, by giving a suffix to -i
$ sed -i.bak 's/word//' *.txt
• Convert lowercase to uppercase
$ sed 's/[a-z]/\U&/g' < ./myfile.txt
$ echo "hello world" | sed 's/[a-z]/\U&/g'
• Uppercase everything from the first line matching UPPERCASE to the end of the file, in place
$ sed -i -e '/UPPERCASE/,$s/.*/\U&/' text.txt
• Convert uppercase to lowercase
$ echo "HELLO WORLD " | sed 's/[A-Z]/\L&/g'
• Remove leading spaces and tabs from each line
$ sed 's/^[ \t]*//' text.txt
• Keep only the leading run of lowercase letters on each line (everything from the first other character on is dropped)
$ sed 's/\([a-z]*\).*/\1/' text.txt
*Note, in terminal: Alt + u Make uppercase from the cursor position to the end of the word. Alt + l Make lowercase from the cursor position to the end of the word/text.
To open a browser window maximized, add "--start-maximized" as a parameter to the Exec line of its desktop entry:
$ nano /home/user/Desktop/browser.desktop
[Desktop Entry]
Exec=/usr/bin/browser --start-maximized %U
$ wmctrl -lG
By default, Linux systems use the $VISUAL or $EDITOR environment variables (usually defined in your ~/.bashrc file or /etc/profile) as the editor for the visudo command. If you'd prefer a different editor, such as nano, use either of these methods.
- To temporarily use a different editor, run:
$ sudo EDITOR=/path/to/editor visudo
For example, to use nano, you would run:
$ sudo EDITOR=nano visudo
- To permanently change the default editor, edit the /etc/sudoers file (you can use the temporary method above!) and add the following line near the top, after "Defaults env_reset":
Defaults editor=/path/to/editor
http://www.gnu.org/software/bash/manual/html_node/Bash-Builtins.html
https://www.gnu.org/software/bash/manual/html_node/Shell-Builtin-Commands.html
http://pubs.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_04
https://en.wikipedia.org/wiki/POSIX
https://packages.debian.org/stable
http://www.gsp.com/cgi-bin/man.cgi?section=1&topic=zshbuiltins
• Use the type command to see whether a name is a shell builtin, keyword, function, alias or external file
$ type -t cd
$ type -t ls
$ type -t test
$ type -t echo
$ type -t apt
$ type -t grep
$ type -t for
• Use the builtin command to run the builtin even when a function or alias shadows it (for names that are not builtins, such as ls, apt, grep or the keyword for, it answers "not a shell builtin")
$ builtin cd
$ builtin ls
$ builtin test
$ builtin echo
$ builtin apt
$ builtin grep
$ builtin for
• The builtin command enable shows the list of builtin commands and their activation state
$ enable -a
Why use built-in commands? They need no permission to install packages, they work on reduced systems such as embedded Linux/IoT devices, they reduce the attack surface (no extra binaries and no PATH lookup that an attacker could hijack) and they perform better, since no new process is spawned.
• For just a single command, from native language to english $ LC_ALL=C man ls $ LC_ALL=C sudo apt update
• Find an option in a man page (-- stops grep from reading '-size' as its own option)
$ man find | grep -A 4 -- '-size'
$ man find | grep -e '-size'
👷🛠️UNDER CONSTRUCTION🚧🏗
7.02 IDEs
https://neovim.io
https://neovim.io/doc/user/starting.html
https://neovim.io/doc/user/usr_01.html#vimtutor
https://github.com/neovim/nvim-lspconfig#suggested-configuration
https://youtube.com/watch?v=RZ4p-saaQkc
https://github.com/rockerBOO/awesome-neovim
https://reddit.com/r/neovim
https://github.com/LazyVim/LazyVim
https://github.com/LunarVim/LunarVim
https://github.com/NvChad/NvChad
https://spacevim.org/
https://siddharta.me/configuring-neovim-as-a-python-ide-2023.html
https://thevaluable.dev/vim-php-ide/
https://github.com/VSCodium/vscodium
https://reddit.com/r/vscodium
https://sublimetext.com/docs/linux_repositories.html
https://reddit.com/r/sublimetext
👷🛠️UNDER CONSTRUCTION🚧🏗
👷🛠️UNDER CONSTRUCTION🚧🏗
9.01 Linux Community
https://forums.debian.net
https://forum.linuxfoundation.org
https://docs.kernel.org
https://linuxquestions.org
https://superuser.com
https://stackoverflow.com
https://howtoforge.com
https://unix.stackexchange.com
https://security.stackexchange.com
https://data.stackexchange.com
https://elinux.org
https://hardforum.com
https://askubuntu.com
https://snbforums.com
https://reddit.com/r/debian
https://reddit.com/r/linuxquestions
https://reddit.com/r/sysadmin
9.02 Audit Logs
$ sudo dmesg --since -5m
$ sudo dmesg -w
$ sudo dmesg | grep iwl
$ sudo dmesg | grep rtw
$ sudo dmesg | grep ath
$ sudo dmesg -T | grep xhci
$ sudo journalctl -k -b -1
$ sudo journalctl -p 3 -xb
$ sudo journalctl -b | grep -i net
$ sudo journalctl -S -1h00m
$ sudo journalctl -S today
$ sudo journalctl -S today -u name.service
$ sudo journalctl -S "2024-01-01 00:00:00"
$ sudo journalctl -S "2024-01-01 00:00:00" > ~/journal.txt
$ sudo tail /var/log/syslog
$ sudo tail -n20 /var/log/syslog
$ sudo tail -f /var/log/syslog
$ head /home/pat/file.txt
$ head -n20 /home/pat/file.txt
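Added example (not from the page): the journal and syslog commands above are the raw material for a simple detection. This function counts sshd "Failed password" events per source address and reports the sources that reach a threshold; the log lines used in the test are constructed (documentation IP ranges) in the syslog / journalctl short format, and the function name is my own.

```shell
# Added example (not from the page): a small detection over auth log lines
# in syslog/journalctl "short" format, e.g.
#   Jan 10 12:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
# ssh_bruteforce_report THRESHOLD < loglines
#   prints "<ip> <count>" for every source with >= THRESHOLD failures,
#   highest count first; prints nothing when no source reaches it.
ssh_bruteforce_report() {
    _threshold="$1"
    grep -E 'sshd\[[0-9]+\]: Failed password for' \
        | sed -E 's/.* from ([0-9a-fA-F.:]+) port .*/\1/' \
        | sort | uniq -c | sort -rn \
        | awk -v t="$_threshold" '$1 >= t { printf "%s %d\n", $2, $1 }'
}

# Real use (commented out): today's journal for the ssh unit, 5 or more failures
#   journalctl -u ssh --since today | ssh_bruteforce_report 5
#   ssh_bruteforce_report 5 < /var/log/auth.log
```

Only "Failed password" lines are counted; "Invalid user" and "Connection closed by authenticating user" lines from the same attacker are deliberately ignored so one attempt is not counted twice. Feed the output to a firewall rule or compare it with what fail2ban already blocks.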
To only run a single command in English, you can write the LANG=C directly in front of the command itself, e.g.
LANG=C sudo apt-get update
All program output will be in English. You can add a line
export LANG=C
to the end of your ~/.bashrc file and restart the terminal.
9.03 System Boot
https://wiki.debian.org/KernelHeaders
The simplest way to display the GRUB menu is to press Esc while booting (or to press and hold Shift on BIOS systems).
Debian Live in Rescue Mode
Download rEFInd rescue media
https://rodsbooks.com/refind/getting.html
$ sudo apt install grub-customizer
$ sudo cp /usr/share/grub/default/grub /etc/default/grub
$ sudo update-grub
$ sudo apt -f install
$ sudo ls /boot
$ sudo ls -l /vmlinuz
$ sudo ls /boot | grep vmlinuz
$ sudo dpkg -l | grep grub
$ sudo dpkg -l | grep linux-image
$ sudo dpkg -l | grep linux-headers
$ sudo ls /sys/firmware
$ sudo cat /etc/default/grub
$ sudo cat /boot/grub/grub.cfg
$ sudo cat /boot/grub/grub.cfg | grep menuentry
$ sudo cat /boot/grub/grub.cfg | grep submenu
$ sudo ls /etc/grub.d
$ sudo cat /etc/grub.d/40_custom
Removable Medium Boot
$ sudo grub-install /dev/sdX -v --force-extra-removable
Cryptodisk (GRUB unlocking an encrypted /boot). These settings go in /etc/default/grub; /boot/grub/grub.cfg is generated and overwritten by update-grub.
$ sudo nano /etc/default/grub
GRUB_DISABLE_OS_PROBER=false
GRUB_ENABLE_CRYPTODISK=y
$ sudo update-grub
An easy way to remove old kernels is to use Synaptic Package Manager to search for "linux-image" and "linux-headers" and remove all except the version you are currently using.
$ sudo dpkg -l | grep linux-image
$ sudo dpkg -l | grep linux-headers
Removing the files of a kernel version by hand is only for leftovers dpkg no longer knows about; otherwise purge the linux-image/linux-headers packages with apt so dpkg and update-grub stay consistent.
$ sudo rm /boot/*-4.18.0-{15,17}-*
$ sudo dpkg --configure -a
$ sudo apt install -f
$ sudo update-grub
$ sudo apt autoremove
$ sudo apt upgrade
9.04 Display Manager and Monitors
https://wiki.archlinux.org/title/Display_manager
https://baeldung.com/linux/display-managers-install-uninstall
https://github.com/sddm/sddm/releases
$ sudo apt install -y brightnessctl
$ brightnessctl s 100%
$ brightnessctl s 70%
$ brightnessctl s 50%
Qt applications can be scaled with the following environment variables, note that many applications are hard-coding sizing and font and thus the result on such app may not be as expected.
$ export QT_AUTO_SCREEN_SCALE_FACTOR=0
$ export QT_SCALE_FACTOR=1
$ export QT_FONT_DPI=96
$ sudo apt install arandr
(GUI)
$ sudo apt install xserver-xorg-input-all
Debug commands
$ sudo apt install inxi
$ sudo inxi -G
$ sudo inxi -Fxxrzc0
xrandr talks to your own X session, so run it as your user, not with sudo:
$ xrandr --output eDP-1 --primary
$ xrandr --output DP2 --auto --left-of DP1
$ xrandr --output LVDS1 --panning 1920x1080 --scale 1.406x1.406
$ xrandr --output LVDS1 --panning 1366x768 --scale 1x1
You can make this change permanent for a specific user by adding this to the startup applications:
$ /usr/bin/xrandr --output LVDS1 --panning 1920x1080 --scale 1.406x1.406
*Firefox and Thunderbird - Advanced Settings
layout.css.devPixelsPerPx 0.8
Debug commands
$ sudo systemctl status default.target
$ sudo systemctl status sddm.service
$ sudo systemctl list-unit-files | grep sddm
$ sudo ls -la /etc/systemd/system/display-manager.service
$ cat /proc/cmdline
$ sudo dpkg-reconfigure sddm
9.05 Network
https://wiki.ubuntu.com/X/Debugging/WirelessWithoutX
https://wireless.wiki.kernel.org/en/users/drivers/iwlwifi
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/intel
https://intel.com/content/www/us/en/support/articles/000005511/network-and-io/wireless.html
https://wiki.archlinux.org/title/Power_management#USB_autosuspend
https://docs.kernel.org/driver-api/usb/power-management.html
$ sudo apt install firmware-realtek
or
$ sudo apt install firmware-iwlwifi
or
$ sudo apt install firmware-atheros
$ ip link
$ nmcli device show
$ nmcli dev wifi
$ ping localhost
$ ping 8.8.8.8
$ traceroute 8.8.8.8
$ sudo ifconfig wlan0   (legacy net-tools; ip addr show wlan0 is the current equivalent)
$ sudo iwconfig wlan0   (legacy wireless-tools; iw dev wlan0 info is the current equivalent)
$ sudo dmesg | grep iwl
$ sudo dmesg | grep rtw
$ sudo dmesg | grep ath
$ sudo journalctl -b | grep -i net
Power up
$ sudo ifconfig eth0 up
$ sudo lspci
$ sudo lspci -v -k
$ sudo lspci -v | grep Ethernet
$ sudo lspci -Knn | grep Net -A2
$ sudo lsusb
$ sudo apt install lshw
$ sudo lshw -C network
$ sudo apt install inxi
$ sudo inxi -Fxxz
*PCI vs USB - Kernel - Integrated chip - Need to investigate
Listing modules
$ sudo lsmod
$ sudo lsmod | grep iwl
$ sudo lsmod | grep rtw
$ sudo lsmod | grep ath
Module info
$ sudo modinfo rtw_8723d
$ sudo apt install rfkill
Commands $ sudo rfkill list $ sudo rfkill unblock wifi
Deactivating module
$ sudo modprobe -vr rtw_8723d
$ sudo modprobe -vr rtw_core
Activating module
$ sudo modprobe -v rtw_core
$ sudo modprobe -v rtw_8723d
$ sudo ls /etc/NetworkManager/conf.d
$ sudo nano /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf
File content (wifi.powersave: 2 = disable power saving, 3 = enable it):
[connection]
wifi.powersave = 2
or, if the file already exists with power saving enabled:
$ sudo sed -i 's/wifi.powersave = 3/wifi.powersave = 2/' /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf
Notes:
pcie_aspm.policy=powersave
pcie_aspm.policy=performance
usbcore
$ sudo touch /etc/modprobe.d/50-rtw-core.conf
$ sudo nano /etc/modprobe.d/50-rtw-core.conf
options rtw_core
• Reload the driver so the new options take effect (module names here are placeholders)
$ sudo modprobe -rv rtw_9999xy && sudo modprobe -v rtw_6666wz
$ ping -c 4 duckduckgo.com
$ nslookup duckduckgo.com
$ dig +trace +nodnssec duckduckgo.com
$ host duckduckgo.com
$ sudo resolvectl status
$ sudo cat /etc/resolv.conf
$ sudo cat /var/run/NetworkManager/resolv.conf
nmcli device show wlan0 | grep IP4.DNS
$ sudo apt install resolvconf
$ sudo resolvconf --list
$ sudo resolvconf --enable-updates
$ sudo resolvconf -u
$ sudo apt install iproute2
$ sudo ss -nlup
• Syntax check of the configuration
$ sudo dnsmasq --test
• Print errors
$ sudo grep -c dnsmasq /var/log/*
$ sudo grep -c dnsmasq /var/log/syslog
• Run in the foreground with full query and DHCP logging
$ sudo dnsmasq --no-daemon --log-queries=extra --log-dhcp --log-debug -C /etc/dnsmasq.conf
*Conflicts between dnsmasq and systemd-resolved
$ sudo apt install tcpdump
$ sudo apt install nmap
$ sudo apt install wireshark
9.06 USB Devices
https://wiki.ubuntu.com/Kernel/Debugging/USB
https://wiki.archlinux.org/title/Power_management#USB_autosuspend
https://docs.kernel.org/driver-api/usb/power-management.html
https://wiki.debian.org/HowToIdentifyADevice/USB
https://wiki.debian.org/HowToIdentifyADevice/PCI
https://kernel.org/doc/html/latest/usb/index.html
https://kernel.org/doc/html/v4.16/driver-api/usb/power-management.html
UAS Issues - https://forums.raspberrypi.com/viewtopic.php?t=245931
Bug - xhci_hcd 0000:15:00.0: WARN Set TR Deq Ptr cmd failed due to incorrect slot or ep state - https://bugzilla.kernel.org/show_bug.cgi?id=202541
Bug - CPU hard lockup related to xhci/dma - https://bugzilla.kernel.org/show_bug.cgi?id=217242
Bug - Debootstrap is very slow. Please use eatmydata to fix this. - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700633
Tip: If you are transferring large amounts of data via a problematic USB device, use grsync to manage the copy (it can resume after a disconnect).
$ lsusb -t
$ lsusb -v
$ lsusb -v | grep 1111
$ usb-devices
$ sudo dmesg -w
$ sudo dmesg -T | grep xhci
$ sudo lspci -v | grep xhci
$ sudo grep -i xhci /boot/config-$(uname -r)
See usb device getting plugged in
$ sudo dmesg -wH
Firmware
$ sudo modinfo xhci_hcd
$ sudo modinfo ehci_hcd
$ sudo modinfo btusb
$ sudo modprobe -v ohci-pci
$ sudo modprobe -v ehci-hcd
$ sudo modprobe -v xhci-hcd
$ sudo modprobe -v xhci-pci
You may try to force your system to use USB 2.0 instead of USB 1.1:
$ sudo modprobe -vr ohci-pci
$ sudo modprobe -v ehci-hcd
Deactivate
$ sudo modprobe -vr xhci-hcd
$ sudo modprobe -vr xhci-pci
Activate
$ sudo modprobe -v xhci-hcd
$ sudo modprobe -v xhci-pci
Power and suspend control
$ sudo cat /etc/tlp.conf
$ grep . /sys/bus/usb/devices/*/power/autosuspend
$ grep . /sys/bus/usb/devices/*/power/control
$ grep . /sys/bus/usb/devices/*/power/wakeup
If your keyboard, mouse, etc. stop working intermittently, check whether USB autosuspend is affecting you:
$ cat /sys/module/usbcore/parameters/autosuspend
A value of 2 (the default delay, in seconds) means autosuspend is enabled; -1 disables it. To disable it at runtime, write -1 to that file as root. Note that the module parameter only sets the default for devices enumerated afterwards; for a device that is already attached, write "on" to its /sys/bus/usb/devices/*/power/control instead.
$ sudo su
# echo -1 > /sys/module/usbcore/parameters/autosuspend
To make the change permanent, edit
$ sudo nano /etc/default/grub
and add
usbcore.autosuspend=-1
to the end of the command in GRUB_CMDLINE_LINUX_DEFAULT
GRUB_CMDLINE_LINUX_DEFAULT="quiet usbcore.autosuspend=-1"
and update grub
$ sudo update-grub
Alternatively (matches only the GRUB_CMDLINE_LINUX_DEFAULT line and skips it if the parameter is already there):
$ sudo perl -pi.bak -e 's/^(GRUB_CMDLINE_LINUX_DEFAULT=".*)"$/$1 usbcore.autosuspend=-1"/ unless /usbcore\.autosuspend/' /etc/default/grub
$ sudo update-grub
https://forums.raspberrypi.com/viewtopic.php?t=245931
Symptoms of a misbehaving UAS device
• Slow transfers
• Frequent disconnects and reconnects
• dmesg reports errors relating to a UAS device
Solving
Plug in the USB device(s) and run the command dmesg
$ sudo dmesg --since -2m
Take note of the VID (idVendor) and PID (idProduct) of your USB device(s)
(...) [ 4906.696463] usb 2-1: New USB device found, idVendor=1111, idProduct=2222, bcdDevice=c3.33 (...)
Add the quirks to the kernel command line. On a Raspberry Pi this is /boot/cmdline.txt (a single line of space-separated parameters); on a GRUB system add the same parameter to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub and run update-grub, as in the autosuspend step above.
$ sudo nano /boot/cmdline.txt
Add the parameter with your idVendor and idProduct, respectively. The trailing :u tells usb-storage to ignore the UAS interface and drive the device with the plain Bulk-Only protocol instead. Several devices are separated by commas in one parameter:
usb-storage.quirks=1111:2222:u
usb-storage.quirks=4444:5555:u,6666:7777:u,8888:9999:u
Reboot
$ sudo reboot
Check
$ sudo dmesg | grep usb-storage
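Both kernel-command-line edits above (usbcore.autosuspend=-1 inside GRUB_CMDLINE_LINUX_DEFAULT, and usb-storage.quirks in /boot/cmdline.txt) are easy to get wrong by hand: a second run duplicates the parameter, and a typo in the VID:PID list silently does nothing. The shell script below is an added example, not code from the original page or from any project it links; it pulls the idVendor/idProduct pairs out of dmesg text, builds the usb-storage.quirks value, and appends a parameter idempotently to either file style. The file paths are arguments (the demo only touches temporary files), and the dmesg lines are constructed for the demo, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not from the original page: helpers for the kernel-parameter
# edits described above. The demo below only writes to temporary files; point
# the functions at /boot/cmdline.txt or /etc/default/grub yourself.

# Read dmesg text on stdin, pull every "idVendor=XXXX, idProduct=YYYY" pair
# and emit the usb-storage.quirks value (":u" = do not bind the UAS driver,
# fall back to plain usb-storage). Duplicates (re-plugged devices) collapse.
# Filter stdin first (e.g. grep 'usb 2-1:') if non-storage devices appear.
quirks_from_dmesg() {
    sed -n 's/.*idVendor=\([0-9a-fA-F]\{4\}\), idProduct=\([0-9a-fA-F]\{4\}\).*/\1:\2:u/p' \
    | awk '!seen[$0]++ { if (out != "") out = out ","; out = out $0 }
           END { if (out != "") print out }'
}

# Append PARAM to a one-line kernel command line (Raspberry Pi
# /boot/cmdline.txt style). No-op if a parameter with the same key exists,
# so re-running is safe. The "." in keys such as usb-storage.quirks acts as
# a regex wildcard here, which is harmless for this purpose.
cmdline_add_param() {
    file=$1; param=$2; key=${param%%=*}
    if grep -qE "(^| )$key(=| |\$)" "$file"; then
        echo "$key already present in $file, not changed" >&2
        return 0
    fi
    awk -v p="$param" 'NR == 1 { sub(/[[:space:]]+$/, ""); $0 = ($0 == "" ? p : $0 " " p) } { print }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Append PARAM inside the quotes of GRUB_CMDLINE_LINUX_DEFAULT="..." in an
# /etc/default/grub style file. Same idempotence rule as above. Anything after
# the closing quote on that line (a trailing comment) is dropped.
grub_add_param() {
    file=$1; param=$2; key=${param%%=*}
    if grep -E '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file" | grep -qE "[\" ]$key(=|[\" ])"; then
        echo "$key already present in $file, not changed" >&2
        return 0
    fi
    awk -v p="$param" '
        /^GRUB_CMDLINE_LINUX_DEFAULT="/ {
            val = $0
            sub(/^GRUB_CMDLINE_LINUX_DEFAULT="/, "", val)
            sub(/".*$/, "", val)
            sep = (val == "") ? "" : " "
            $0 = "GRUB_CMDLINE_LINUX_DEFAULT=\"" val sep p "\""
        }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Constructed sample dmesg output for the demo (not captured from a real box).
SAMPLE_DMESG='[ 4906.696463] usb 2-1: New USB device found, idVendor=1111, idProduct=2222, bcdDevice=c3.33
[ 4906.700012] usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 4910.123456] usb 2-2: New USB device found, idVendor=4444, idProduct=5555, bcdDevice= 1.00
[ 4950.000001] usb 2-1: New USB device found, idVendor=1111, idProduct=2222, bcdDevice=c3.33'

demo() {
    tmp=$(mktemp -d)
    printf 'console=serial0,115200 root=/dev/mmcblk0p2 rootwait\n' > "$tmp/cmdline.txt"
    printf 'GRUB_DEFAULT=0\nGRUB_CMDLINE_LINUX_DEFAULT="quiet"\nGRUB_CMDLINE_LINUX=""\n' > "$tmp/grub"
    quirks=$(printf '%s\n' "$SAMPLE_DMESG" | quirks_from_dmesg)
    cmdline_add_param "$tmp/cmdline.txt" "usb-storage.quirks=$quirks"
    cmdline_add_param "$tmp/cmdline.txt" "usb-storage.quirks=$quirks"   # second call: no-op
    grub_add_param "$tmp/grub" "usbcore.autosuspend=-1"
    cat "$tmp/cmdline.txt" "$tmp/grub"
    rm -rf "$tmp"
}
demo
```

On a real machine feed it live output, e.g. `sudo dmesg --since -2m | quirks_from_dmesg`, then after the reboot confirm the parameter actually reached the kernel with `cat /proc/cmdline` before reading `dmesg | grep usb-storage`.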
$ sudo systemctl status udisks2.service
$ sudo apt install libblockdev-crypto2 libblockdev-mdraid2 --no-install-recommends
In the BIOS, keep USB 3.0 (xHCI) and the other USB options enabled, but turn off the legacy USB option. Be aware that with legacy USB support disabled, a USB keyboard may not work in the firmware setup screens on some machines, so you could lose the ability to press DEL/F2 to enter the BIOS.
https://github.com/sriemer/fix-linux-mouse
9.07 Bluetooth
https://wiki.archlinux.org/title/Bluetooth
https://wiki.archlinux.org/title/Bluetooth#Troubleshooting
https://wiki.debian.org/BluetoothUser
https://wiki.debian.org/Bluetooth/Alsa
https://github.com/Arkq/bluez-alsa
$ sudo apt install firmware-realtek
or
$ sudo apt install firmware-iwlwifi
or
$ sudo apt install firmware-atheros
$ sudo apt install pulseaudio-module-bluetooth
or
$ sudo apt install bluez-alsa-utils
Debug
$ sudo service bluetooth status
$ hciconfig -a
$ hciconfig hci0
$ sudo dmesg | grep Bluetooth
$ sudo dmesg | grep iwl
$ sudo dmesg | grep rtl
$ sudo dmesg | grep ath
Commands • Connecting bluetooth manually with BlueZ
$ bluetoothctl
[bluetooth]# scan on
[bluetooth]# pair xx:xx:xx
[bluetooth]# connect xx:xx:xx
[bluetooth]# trust xx:xx:xx
[bluetooth]# block yy:yy:yy
(trust lets that device reconnect later without a prompt; block refuses all connections from a device)
Commands • Bluetooth management
$ btmgmt
[btmgmt]# info
https://github.com/arkq/bluez-alsa/wiki/Bluetooth-Pairing-And-Connecting
$ sudo apt install bluez-alsa-utils
https://github.com/sriemer/fix-linux-mouse
9.08 Sound
https://wiki.ubuntu.com/DebuggingSoundProblems
https://wiki.archlinux.org/title/Advanced_Linux_Sound_Architecture
https://wiki.archlinux.org/title/PulseAudio/Troubleshooting
https://thesofproject.github.io/latest/getting_started/intel_debug/suggestions.html
https://wiki.debian.org/Sound
https://wiki.debian.org/SoundConfiguration
https://alsa-project.org
https://github.com/thesofproject/sof/issues
https://github.com/thesofproject
$ sudo apt install firmware-sof-signed
$ sudo apt install firmware-intel-sound
List of PLAYBACK Hardware Devices
$ aplay -l
$ lspci |grep -i audio
$ cat /proc/asound/cards
$ cat /proc/asound/card*/id
List of CAPTURE Hardware Devices
$ arecord -l
$ speaker-test
$ cat /proc/asound/cards
$ cat /proc/asound/modules
$ lspci -v | grep Audio
$ lsusb
$ lsmod | grep snd
$ aplay -lL
$ amixer
$ amixer -c0
$ sudo dpkg-reconfigure linux-sound-base
$ sudo alsa-info
The "Advanced Linux Sound Architecture" (ALSA) is a part of the Linux kernel. PulseAudio is a sound server that sits between ALSA and user applications, aiming to provide easy automatic sound configuration for users. PulseAudio controls underlying ALSA-level volume controls.
$ sudo apt install alsa-utils
$ alsamixer
$ amixer -c 0 set Master 100%
$ amixer -c 1 set Speaker 50%
$ amixer -c 1 set Speaker 3dB
$ amixer -c 1 set Speaker 2dB+
$ amixer -c 0 set Mic unmute
$ sudo nano /etc/pulse/default.pa
pavucontrol lets you control both the volume of hardware devices and of each playback stream separately, and redirect a playback stream to another output device.
$ sudo apt install pavucontrol
Install the SOF firmware binaries from the source: https://github.com/thesofproject/sof-bin
Clone the repository:
$ git clone https://github.com/thesofproject/sof-bin.git
Change to directory:
$ cd sof-bin
Follow: https://github.com/thesofproject/sof-bin#install-process-with-installsh
$ sudo mv /lib/firmware/intel/sof* some_backup_location/
$ sudo mv /usr/local/bin/sof-* some_backup_location/ # optional
$ sudo ./install.sh v2.2.x/v2.2
Reboot
$ sudo reboot
https://thesofproject.github.io/latest/getting_started/intel_debug/suggestions.html#es8336-support
Check your kernel configuration, typically available as /boot/config-*. The options below are needed to use Sound Open Firmware; start with:
$ grep SND_SOC_INTEL_APL /boot/config-*
For your system you would select:
ALSA for SoC audio support (CONFIG_SND_SOC=m)
Intel ASoC SST drivers (CONFIG_SND_SOC_INTEL_SST_TOPLEVEL=y)
and the platform option matching your hardware, for example "Broxton/ApolloLake platforms" (CONFIG_SND_SOC_INTEL_APL=m)
Other options:
Sound Open Firmware support (CONFIG_SND_SOC_SOF_TOPLEVEL=y)
SOF support for Intel Audio DSPs (CONFIG_SND_SOC_SOF_INTEL_TOPLEVEL=y)
SOF PCI enumeration support (CONFIG_SND_SOC_SOF_PCI=m)
SOF support for Apollolake (CONFIG_SND_SOC_SOF_APOLLOLAKE_SUPPORT=m)
SOF support for HDA Links (HDA/HDMI) (CONFIG_SND_SOC_SOF_HDA_LINK=y)
SOF support for HDAudio codecs (CONFIG_SND_SOC_SOF_HDA_AUDIO_CODEC=y)
A line "# CONFIG_X is not set" in the config means the option was built out; an option that is absent altogether usually means this kernel version does not have it.
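To check all of these options in one go instead of grepping for each by hand, the following shell function is an added example (not from the SOF documentation or the original page). It reads a file in the /boot/config-* format, which records disabled options as "# CONFIG_X is not set", and distinguishes that from an option the kernel version does not know at all. The config file path is an argument; the sample config in the demo is constructed, not taken from a real kernel.

```shell
#!/bin/sh
# Added example, not from the page or the SOF docs. Usage:
#   kconfig_check /boot/config-$(uname -r) CONFIG_SND_SOC_SOF_TOPLEVEL ...
# Prints OPTION=STATE per option; STATE is y, m, n (listed as
# "# CONFIG_X is not set") or missing (not mentioned at all, typically an
# option this kernel version does not have). Returns 1 if any option is
# neither y nor m. Meant for bool/tristate options; string or int options
# print their raw value and are counted as not enabled.
kconfig_check() {
    cfg=$1; shift
    rc=0
    for opt in "$@"; do
        if line=$(grep -E "^$opt=" "$cfg"); then
            state=${line#*=}
        elif grep -qE "^# $opt is not set" "$cfg"; then
            state=n
        else
            state=missing
        fi
        case $state in
            y|m) ;;
            *)   rc=1 ;;
        esac
        printf '%s=%s\n' "$opt" "$state"
    done
    return $rc
}

# Constructed sample config for the demo (not from a real kernel).
SAMPLE_CONFIG='CONFIG_SND_SOC=m
CONFIG_SND_SOC_INTEL_SST_TOPLEVEL=y
# CONFIG_SND_SOC_INTEL_APL is not set
CONFIG_SND_SOC_SOF_TOPLEVEL=y
CONFIG_SND_SOC_SOF_INTEL_TOPLEVEL=y
CONFIG_SND_SOC_SOF_PCI=m
CONFIG_SND_SOC_SOF_HDA_LINK=y'

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    if kconfig_check "$tmp" CONFIG_SND_SOC CONFIG_SND_SOC_INTEL_SST_TOPLEVEL CONFIG_SND_SOC_INTEL_APL \
            CONFIG_SND_SOC_SOF_TOPLEVEL CONFIG_SND_SOC_SOF_INTEL_TOPLEVEL CONFIG_SND_SOC_SOF_PCI \
            CONFIG_SND_SOC_SOF_APOLLOLAKE_SUPPORT CONFIG_SND_SOC_SOF_HDA_LINK \
            CONFIG_SND_SOC_SOF_HDA_AUDIO_CODEC; then
        echo "all options enabled"
    else
        echo "some options are n or missing: rebuild the kernel or switch to one that has them" >&2
    fi
    rm -f "$tmp"
}
demo
```

Against the running kernel, pass "/boot/config-$(uname -r)" as the first argument (Debian installs it with the linux-image package); a non-zero exit status makes the function usable as a gate in a larger script.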
9.09 Printers
https://wiki.debian.org/SystemPrinting
https://wiki.ubuntu.com/DebuggingPrintingProblems
https://developers.hp.com/hp-linux-imaging-and-printing/install/manual/distros/debian
https://wiki.debian.org/InstallingDebianOn/HP
https://developers.hp.com/hp-linux-imaging-and-printing
$ sudo apt install hplip
https://epson.com/Support/wa00821
$ sudo apt install
$
9.10 Keyboard
https://pubs.opengroup.org/onlinepubs/7908799/xbd/envvar.html#tag_002_002
$ locale
$ locale -a
$ sudo dpkg-reconfigure keyboard-configuration
$ sudo service keyboard-setup restart
$ sudo update-initramfs -u
Can't type accented letters in certain programs.
$
https://superuser.com/questions/428945/defining-keyboard-shortcuts-involving-the-fn-key
https://superuser.com/questions/1069211/assign-home-and-end-to-fnarrows
$
https://github.com/dongjinleekr/hid-apple-numberless-ko
https://github.com/isakhauge/nor-apple-keyboard-xmodmap
9.11 Locales and Time/Date
https://man7.org/linux/man-pages/man1/locale.1.html
https://linuxfromscratch.org/lfs/view/stable-systemd/chapter09/locale.html
https://pubs.opengroup.org/onlinepubs/7908799/xbd/envvar.html#tag_002_002
$ locale
$ sudo apt reinstall locales
$ sudo locale-gen
$ sudo locale-gen en_US.UTF-8
$ sudo dpkg-reconfigure locales
*Log off and log back in
$ locale
$ export LANGUAGE=en_US.UTF-8
$ export LC_ALL=en_US.UTF-8
$ export LANG=en_US.UTF-8
$ export LC_CTYPE=en_US.UTF-8
If there are still no results:
$ export LC_ALL="C.UTF-8"
$ sudo dpkg-reconfigure locales
If there are still no results, uncomment the line
en_US.UTF-8 UTF-8
in /etc/locale.gen and then run:
$ sudo locale-gen
UNDER TEST! NOT FULLY TESTED!
http://manpages.ubuntu.com/manpages/trusty/man7/locale.7.html
Bash function for the terminal
Switching between DE and EN locales. Put it in your ~/.bashrc (or ~/.bash_profile) and call it with _configure_locale EN to switch to English (or DE for German).
function _configure_locale() { # [profile]
    local profile=${1:-EN}
    case ${profile} in
        DE|DE_DE|de_DE)
            LC_ALL="de_DE.UTF-8"
            LANG="de_DE.UTF-8"
            LANGUAGE="de_DE:de:en_US:en"
            ;;
        EN|EN_US|en|en_US)
            LC_ALL="en_US.UTF-8"
            LANG="en_US.UTF-8"
            LANGUAGE="en_US:en"
            ;;
        *)
            echo "ALERT" "${FUNCNAME}: unknown profile '${profile}'"
            return 1   # leave the current locale untouched
            ;;
    esac
    LC_PAPER="de_DE.UTF-8"    # independent from locale
    LESSCHARSET="utf-8"       # independent from locale
    MM_CHARSET="utf-8"        # independent from locale
    echo "locale settings" "${LANG}"
    export LC_ALL LANG LANGUAGE LC_PAPER LESSCHARSET MM_CHARSET
}
$ timedatectl
$ tzselect
$ sudo dpkg-reconfigure tzdata
$ sudo apt install ntpdate && sudo ntpdate in.pool.ntp.org && sudo dpkg-reconfigure tzdata
(ntpdate and dpkg-reconfigure need root as well; on a systemd system, timedatectl set-ntp true is the preferred way to keep the clock synced)
$
$
9.12 Torrenting
Things to try:
1. Resetting qBittorrent / trying another torrent client
2. Trying another device on the same network
3. Trying ethernet instead of Wi-Fi
4. Trying to download to external storage rather than the SSD
5. Stopping all running apps/services in the background
6. Running speed tests to see if it also happens outside torrenting
Possible causes:
1. Your external disk enclosure, a poor flash drive or the internal SSD not being able to handle the simultaneous writes and reads.
2. Your VPN limiting your bandwidth.
3. Your ISP throttling. Torrent traffic can still end up throttled when it goes through a VPN (see below).
Disk Benchmarks Test
$ sudo apt install gnome-disk-utility
For ISP throttling, try your VPN provider's obfuscated servers or P2P servers.
Do a Leak Test
∙ DNSLeakTest.com (run the "Extended test")
∙ IPLeak.net
curl ipleak.net/json/
curl ipinfo.io
Alternatively, start VPN+torrenting on the PC and wait until throttling begins. Then try to play a 1080p video on your smartphone on the same connection but outside the VPN; pick one where a quality drop is visible, for example a video with many text elements such as hardware benchmark charts. A 1080p stream needs roughly 1-2 Mbps (about 250 KB/s).
Instead of a video you can download something on the phone. This tells you whether the problem is the VPN server/software or your ISP line as a whole: it is possible for the ISP to throttle only the connection to the VPN server and leave the rest alone.
$ sudo
9.13 Disks
https://wiki.debian.org/SSDOptimization
https://wiki.archlinux.org/title/Solid_state_drive
$ sudo apt install gparted
$ sudo apt install gnome-disk-utility
$ sudo apt install partitionmanager
$ dmesg -T | grep xhci
$ lsusb -tv
Commands for fdisk and e2fsck
• List partitions:
$ sudo fdisk -l /dev/sdb
• ext2/3/4 - bad blocks (run only on an unmounted filesystem; e2fsck understands ext filesystems only, for NTFS use ntfsfix from ntfs-3g instead):
$ sudo e2fsck -p /dev/sde1
$ sudo e2fsck -c /dev/sdb1
$ sudo e2fsck -l /badblock/file /dev/sdb1
(-c runs a read-only badblocks scan of the device; -l adds the block numbers listed in the given file to the bad-block list)
https://cgsecurity.org/wiki/TestDisk
$ sudo apt install smartmontools
Commands for smartmontools
• How to:
$ sudo smartctl -a /dev/sda
$ sudo apt install hdparm
Commands for hdparm
• How to:
$ sudo hdparm -I /dev/sda
$ sudo apt install -y kdiskmark
$ sudo debugfs
9.14 Hardware
$ sudo apt install lshw
$ sudo apt install inxi
$ sudo apt install cpu-x
$ sudo apt install hardinfo
$ sudo apt install s-tui stress
10.01 Some Links
https://creativecommons.org
https://fsf.org
https://fsfe.org
https://gnu.org
https://iec.ch/cyber-security
https://iso.org/standards.html
https://linuxfoundation.org
https://linuxfromscratch.org
https://man7.org
https://nist.gov/standards
https://opengroup.org
https://opensource.com
https://opensource.org
https://todogroup.org
https://youtube.com/@DebConfVideos
https://youtube.com/@BlackHatOfficialYT
https://youtube.com/@DEFCONConference
https://youtube.com/@mediacccde
https://youtube.com/@DFRWS
https://youtube.com/@44contv
https://youtube.com/@secwestnet
https://youtube.com/@EkopartyConference
https://youtube.com/@reconmtl
https://youtube.com/@TROOPERScon
https://0pointer.net/blog/
https://blog.carsoncheng.ca
https://dwarmstrong.org
https://fabianlee.org
https://itsfoss.com
https://lwn.net
https://linux-tips.us
https://linuxcnf.com
https://linuxconfig.org
https://linuxhandbook.com
https://linuxiac.com
https://linuxinsider.com
https://linuxsecurity.com
https://ostechnix.com
https://programmerall.com
https://slant.co
https://techviewleo.com
https://tqdev.com
https://vitux.com
• https://en.wikiversity.org/wiki/Open_Educational_Resources/Open_Courses
• https://en.wikiversity.org/wiki/Open_Educational_Resources/Open_Textbooks
• https://freecomputerbooks.com
• http://www.freetechbooks.com
• https://www.ibiblio.org/kuphaldt/electricCircuits
• https://www.electronics-tutorials.ws
• https://riptutorial.com/ebook
• https://shellcheck.net
• https://shellscript.sh
• https://shellhacks.com
• https://explainshell.com
• https://regular-expressions.info
• https://notrace.how
• https://anarsec.guide
• https://0x00sec.org