Cookbook for everyday life on the Debian GNU/Linux (The universal operating system)

RENANZG/My-Debian-GNU-Linux

1. DEBIAN GNU/LINUX AND HARDENING

"Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately endpoint security is so terrifically weak that NSA can frequently find ways around it." (Edward Snowden)


1.01 System Hardening Must Have

• Anonymous Planet - The Hitchhiker’s Guide (PDF)
• Madaidan's - Security & Privacy Evaluations
• Whonix - Essential Host Security
• Hardened GNU/Linux
• Whonix - System Hardening Checklist
• Bleachbit - Clean Your System and Free Disk Space
• Kicksecure - Documentation
• ShredOS - Secure disk erasure/wipe
• Debian - Security Management
• EFF - Surveillance Self-defense
• OWASP - No more insecure software
• Cryptomator - Put a lock on your cloud
• CIS Benchmark - Debian Linux Guides
• Duplicati - Store securely encrypted backups on cloud storage services!
• NSA GOV - Cybersecurity Advisories & Guidance (GitHub)
• Virus Total - Free virus, malware and URL online scanning
• NIST GOV - Cybersecurity Framework
• Hybrid Analysis - This is a free malware analysis service

       *Kernel Hacking Guides - https://docs.kernel.org/kernel-hacking/index.html


1.02 Essential Tools

1. Ventoy (Secure Boot) (Checksums)
2. rEFInd (Secure Boot) (Checksums)
3. Clonezilla (Secure Boot) (Checksums)
4. GParted (Secure Boot) (Checksums)
5. ShredOS (Secure Boot) (Checksums)
6. Tails (Secure Boot) (Checksums)
7. Qubes (*Secure Boot) (Checksums)
8. KaliLinux (*Secure Boot) (Checksums)
9. GnuPG (Guides) (Check)
10. WinPE (Sergei Strelec) (Checksums)
11. Hiren's BootCD PE (Secure Boot) (Checksums)

Others: Security Onion, NST, Android-x86, HardenedBSD, OSGeoLive, OpenWRT, LibreELEC.tv, SteamOS.

¹ Check hash with GtkHash (GUI)

https://gtkhash.org


² How to summarize iso file with GNU Coreutils (CLI)

https://gnu.org/software/coreutils/manual/html_node/Summarizing-files.html


³ Manual method with sha256sum

The SHA-256 checksum hashes are in a file called SHA256SUMS in the same directory listing as the download page.

sha256sum is part of GNU Coreutils, which is installed by default on Debian. If it is missing, install it:

$ sudo apt install coreutils

Open a terminal and go to the correct directory to check a downloaded iso file:

$ cd download_directory

Then run the following command from within the download directory.

$ sha256sum name.iso

sha256sum should then print out a single line after calculating the hash:

sdd31231c0421be56f39c7a31245c423fgcc3b048ds321a3e83d2c4d714fa9a76 *name.iso

Compare the hash (the alphanumeric string on left) that your machine calculated with the corresponding hash in the SHA256SUMS file.


⁴ Semi-automatic method with sha256sum

First download the SHA256SUMS and SHA256SUMS.gpg files to the same directory as the iso. Then run the following commands in a terminal.

$ cd download_directory

$ sha256sum -c SHA256SUMS 2>&1 | grep OK

The sha256sum command should print a line such as:

name.iso: OK

If the OK for your file appears, that indicates the hash matches.
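
The semi-automatic method downloads SHA256SUMS.gpg but only compares hashes. The script below is an added example, not part of the original guide: it first verifies the signature on SHA256SUMS and then checks only the ISO you name. It assumes the distributor's signing key is already imported into your GnuPG keyring with its fingerprint checked against the project's site; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: signature check on SHA256SUMS, then hash check of one ISO.
# Assumption: the signing key is already in the local GnuPG keyring.
# Function names are illustrative and not taken from any project.

# verify_sums_signature DIR
# Succeeds only if SHA256SUMS.gpg is a good detached signature over SHA256SUMS.
verify_sums_signature() {
    gpg --verify "$1/SHA256SUMS.gpg" "$1/SHA256SUMS"
}

# verify_iso_checksum DIR ISO_NAME
# Succeeds only if ISO_NAME is listed in DIR/SHA256SUMS and its hash matches.
# Returns 2 when the file has no entry, so a missing entry cannot pass silently
# (a plain "sha256sum -c SHA256SUMS | grep OK" is satisfied by any other file).
verify_iso_checksum() {
    sums_dir=$1
    iso_name=$2
    # Entries look like "<hash>  name" or "<hash> *name" (binary mode).
    # File names containing spaces are not handled by this field split.
    entry=$(awk -v f="$iso_name" \
        '{ n = $2; sub(/^\*/, "", n); if (n == f) print }' \
        "$sums_dir/SHA256SUMS")
    if [ -z "$entry" ]; then
        echo "$iso_name: no entry in SHA256SUMS" >&2
        return 2
    fi
    # Check only that entry; --strict rejects malformed checksum lines.
    ( cd "$sums_dir" && printf '%s\n' "$entry" | sha256sum -c --strict - )
}

# verify_download DIR ISO_NAME
# Signature first: the hash list is only worth trusting once it is authenticated.
verify_download() {
    verify_sums_signature "$1" || {
        echo "SHA256SUMS: signature verification failed" >&2
        return 1
    }
    verify_iso_checksum "$1" "$2"
}

# Run as: sh verify-iso.sh download_directory name.iso
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2"
fi
```

gpg reports a good signature even for a key you have not marked as trusted, so compare the fingerprint it prints with the one published by the distributor.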



2. SYSTEM INSTALLATION

👷🛠️UNDER CONSTRUCTION🚧🏗

2.01 Hardware

BIOS Simulators

• Phoenix BIOS Simulator
https://grs-software.de/sims/bios/phoenix/pages/
• Phoenix BIOS Setup Utility Simulator - Pranx
https://pranx.com/bios
• Lenovo BIOS Simulator
https://download.lenovo.com/bsco/index.html

Hardware Compatibility

• Hardware for Linux
https://linux-hardware.org
• Linux Vendor Firmware Service
https://fwupd.org/lvfs/devices
• r/linuxhardware
https://reddit.com/r/linuxhardware
• SANE - Lists of supported scanners firmware
http://www.sane-project.org/sane-supported-devices.html
• USB WiFI
https://github.com/morrownr/USB-WiFi
• Mac
https://wiki.debian.org/DebianOnIntelMacPro

Open Hardware

• GNU/Linux Open Hardware PowerPC notebook
https://powerpc-notebook.org
• PINE64 - Community-driven hardware projects
https://pine64.com
https://pine64.org
• Framework - Fix Consumer Electronics
https://frame.work
• "Respects Your Freedom" Certification Program
https://ryf.fsf.org

Hardware Vulnerabilities

https://docs.kernel.org/admin-guide/hw-vuln/index.html
https://github.com/chipsec/chipsec

Hardware Security Based

https://en.wikipedia.org/wiki/Open-source_firmware
https://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption
https://en.wikipedia.org/wiki/Write_protection
https://en.m.wikipedia.org/wiki/Random-access_memory
https://usbguard.github.io
https://digistor.com (*USA partner)
https://seagate.com/enterprise-storage/enterprise-security
https://github.com/openssl/openssl/blob/master/README-FIPS.md

Hardware Spoof

https://whonix.org/wiki/Protocol-Leak-Protection_and_Fingerprinting-Protection#Less_important_identifiers
https://whonix.org/wiki/MAC_Address
https://github.com/alobbs/macchanger
https://hwidspoofer.com
https://xaze.gitbook.io/how-to-spoof-with-hwid-serial-changer
https://github.com/segofensiva/OSfooler-ng

Secure Boot

Visit our repo tree: 2.SECURITY/2.05_Secure_Boot

https://libreboot.org
https://osresearch.net

Sanitize options

Visit our repo tree: 2.SECURITY/2.06_Sanitization

Not all SSDs support sanitize. If you use SSDs, enable TRIM in your BIOS. Take care with SSD over-provisioning. Take care with SSD flaws.

Volatile Memory

https://usbkill.com
https://github.com/Kicksecure/ram-wipe
https://kicksecure.com/wiki/Hardened_Malloc
https://forums.whonix.org/t/hardened-malloc-hardened-memory-allocator/7474/4

Performance

• SSD Over-provisioning

This prevents degradation of SSD speed and durability.

Depending on use, some manufacturers recommend 40% OP. For general use, use 20% of the total capacity of the SSD, that is, more or less 14% counting the minimum that comes from the factory. For example, a 240GB SSD reduced by 14% results in 206GB (34GB of OP).

You must consider the file system you will use.

Cost benefit



2.02 Installation

Visit our repo tree: 1.INSTALLATION

2.02.01 Basic Installation Guide

• Basic tips about Linux System

Debian Wiki - https://wiki.debian.org/FrontPage
Command Line - https://github.com/jlevy/the-art-of-command-line#everyday-use
Terminal - https://github.com/onceupon/Bash-Oneliner#terminal-tricks

• Bash autocompletion with TAB

$ sudo apt install bash-completion

Overview of Terminal's Shortcuts

| Shortcut | Action | Shortcut | Action |
|---|---|---|---|
| Esc + t | Swap the two words before the cursor | Ctrl + f | Go forward one character |
| Ctrl + r | Search command history | Ctrl + b | Go back one character |
| Ctrl + g | Cancel command history search without running command | Ctrl + a | Go to the beginning of the line |
| Ctrl + l | Clear terminal screen | Ctrl + e | Go to the end of the line |
| Ctrl + x | List possible filename completions | Ctrl + w | Delete the word before the cursor |
| Ctrl + c | Cancels the running command | Ctrl + y | Retrieves the last word deleted or cut |
| Ctrl + z | Suspends the running command | Ctrl + xx | Toggle between current cursor position and start or end of line |
| Ctrl + u | Deletes entire line before the cursor | Alt + u | Capitalize all letters in word after cursor |
| Ctrl + k | Deletes entire line after the cursor | Alt + l | Lower case all letters in word after cursor |
| Ctrl + t | Swap the two characters before the cursor | Alt + . | Use the last word of the last command |
| Ctrl + d | Close the terminal | | |

Overview of Nano's Shortcuts

Basically, we will use CTRL+O and ENTER to save the changes and then CTRL+X to exit the nano editor.

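| Group | Shortcut | Action |
|---|---|---|
| File handling | Ctrl+S | Save current file |
| File handling | Ctrl+O | Offer to write file ("Save as") |
| File handling | Ctrl+R | Insert a file into current one |
| File handling | Ctrl+X | Close buffer, exit from nano |
| Editing | Ctrl+K | Cut current line into cutbuffer |
| Editing | Alt+6 | Copy current line into cutbuffer |
| Editing | Ctrl+U | Paste contents of cutbuffer |
| Editing | Alt+T | Cut until end of buffer |
| Editing | Ctrl+] | Complete current word |
| Editing | Alt+3 | Comment/uncomment line/region |
| Editing | Alt+U | Undo last action |
| Editing | Alt+E | Redo last undone action |
| Search and replace | Ctrl+Q | Start backward search |
| Search and replace | Ctrl+W | Start forward search |
| Search and replace | Alt+Q | Find next occurrence backward |
| Search and replace | Alt+W | Find next occurrence forward |
| Search and replace | Alt+R | Start a replacing session |
| Deletion | Ctrl+H | Delete character before cursor |
| Deletion | Ctrl+D | Delete character under cursor |
| Deletion | Alt+Bsp | Delete word to the left |
| Deletion | Ctrl+Del | Delete word to the right |
| Deletion | Alt+Del | Delete current line |
| Operations | Ctrl+T | Execute some command |
| Operations | Ctrl+J | Justify paragraph or region |
| Operations | Alt+J | Justify entire buffer |
| Operations | Alt+B | Run a syntax check |
| Operations | Alt+F | Run a formatter/fixer/arranger |
| Operations | Alt+: | Start/stop recording of macro |
| Operations | Alt+; | Replay macro |
| Moving around | Ctrl+B | One character backward |
| Moving around | Ctrl+F | One character forward |
| Moving around | Ctrl+← | One word backward |
| Moving around | Ctrl+→ | One word forward |
| Moving around | Ctrl+A | To start of line |
| Moving around | Ctrl+E | To end of line |
| Moving around | Ctrl+P | One line up |
| Moving around | Ctrl+N | One line down |
| Moving around | Ctrl+↑ | To previous block |
| Moving around | Ctrl+↓ | To next block |
| Moving around | Ctrl+Y | One page up |
| Moving around | Ctrl+V | One page down |
| Moving around | Alt+\ | To top of buffer |
| Moving around | Alt+/ | To end of buffer |
| Special movement | Alt+G | Go to specified line |
| Special movement | Alt+] | Go to complementary bracket |
| Special movement | Alt+↑ | Scroll viewport up |
| Special movement | Alt+↓ | Scroll viewport down |
| Special movement | Alt+< | Switch to preceding buffer |
| Special movement | Alt+> | Switch to succeeding buffer |
| Information | Ctrl+C | Report cursor position |
| Information | Alt+D | Report line/word/character count |
| Information | Ctrl+G | Display help text |
| Various | Alt+A | Turn the mark on/off |
| Various | Tab | Indent |
| Various | Shift+Tab | Unindent marked region |
| Various | Alt+V | Enter next keystroke verbatim |
| Various | Alt+N | Turn line numbers on/off |
| Various | Alt+P | Turn visible whitespace on/off |
| Various | Alt+X | Hide or unhide the help lines |
| Various | Ctrl+L | Refresh the screen |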

Virtual Machines

• Using VirtualBox as training or to test ultra-advanced configurations

https://debian.org/doc/manuals/debian-handbook/sect.virtualization.en.html

VirtualBox on Windows 10

"How to Install Debian Linux in VirtualBox on Windows 10 | Beginners Guide | (Buster)"
https://youtube.com/watch?v=cx8GzudB6uE

Hypervisor

KVM (Kernel-based Virtual Machine) is a hypervisor built into the Linux kernel. It is similar to Xen in purpose but much simpler to get running. Unlike native QEMU, which uses emulation, KVM is a special operating mode of QEMU that uses CPU extensions (HVM) for virtualization via a kernel module.

On the difference between a type 1 hypervisor and a type 2 hypervisor: KVM is a type 1 hypervisor, able to run on bare metal, while QEMU is a type 2 hypervisor that runs on top of the operating system. QEMU uses KVM to give the virtual machines access to the machine’s physical resources. In brief, QEMU uses emulation; KVM uses processor extensions (HVM) for virtualization.

Using QEMU/KVM - "Kernel-based Virtual Machine"
https://wiki.debian.org/KVM
https://wiki.archlinux.org/title/KVM

Quick Installation Guide and Others

http://www.rodsbooks.com/linux-uefi
https://wiki.debian.org/DontBreakDebian
https://distrowatch.com/table.php?distribution=debian
https://debian.org/releases/bookworm/amd64/apb.en.html

2.2.2 Desktop interface

XFCE vs LXQt - Lightweight Linux Desktop Environments
https://youtube.com/watch?v=cs8JW3zDDoI

2.2.3 Debootstrap

👷🛠️UNDER CONSTRUCTION🚧🏗

Visit our repo tree: 1.INSTALLATION/2.02_Debootstrap

• Debootstrap
https://wiki.debian.org/Debootstrap
• Debian 11.0 Debootstrap | Debian Command Line Install Guide
https://youtube.com/watch?v=oKnkOwdysNs
• Debian 11.4 ZFS Bootstrap | Debian ZFS Command Line Installation
https://youtube.com/watch?v=7F7Ch-ZkiQU
• Nilsmeyer - An ansible role for bootstrapping new Debian based systems, including setting up partitions, file systems, encryption (luks), RAID and LVM
https://github.com/nilsmeyer/ansible-debootstrap
• Linux Dabbler - Scripts to run after installing debian
https://github.com/linuxdabbler/debian-install-scripts

 File system: EXT4, XFS, BTRFS AND ZFS

2.03 Encryption

Visit our repo tree: 2.SECURITY/2.03_Encryption

Visit our repo tree: 1.INSTALLATION/2.02_Debootstrap

2.3.1 Encryption

https://wiki.archlinux.org/title/Security
https://wiki.archlinux.org/title/Data-at-rest_encryption
https://en.wikipedia.org/wiki/Disk_encryption#Implementations
https://csrc.nist.gov/Projects/cryptographic-module-validation-program/fips-140-2

2.3.2 Partitioning scenarios: advantages and disadvantages

https://wiki.archlinux.org/title/dm-crypt/Encrypting_an_entire_system
https://wiki.archlinux.org/title/dm-crypt/Device_encryption#top-page

2.3.3 FSTAB, CRYPTTAB AND DM-CRYPT - Linux kernel's device mapper crypto target

• Dm-crypt
https://wiki.archlinux.org/title/Dm-crypt

• Fstab
https://wiki.debian.org/fstab
https://manpages.debian.org/bookworm/mount/fstab.5.en.html

• Crypttab
https://manpages.debian.org/bookworm/cryptsetup/crypttab.5.en.html

• Tips

∙ Copy and paste blkid to fstab

# echo "$(blkid -o export /dev/sdbX | grep ^UUID=) REMEMBEREFI" | tee --append /etc/fstab

or

# blkid -o value -s UUID >> /etc/fstab

2.3.4 Example 1 - FSTAB - Non-encrypted Boot Removable Medium (USB Key) Multi-device

# <file system> <mount point> <type> <options> <dump> <pass>
UUID=e4c627c2-69f2-11ee-8c99-0242ac120002  / ext4 errors=remount-ro 0 1
# /boot was on /dev/sdc2 during installation
PARTUUID=f2c4ec78-69f2-11ee-8c99-0242ac120002 /boot ext2 noauto,x-systemd.device-timeout=1m,defaults 0 2
# /boot/efi was on /dev/sdc1 during installation
PARTUUID=a15355f4-15ce-4ea6-a57b-161e9eea19fc /boot/efi vfat noauto,x-systemd.device-timeout=1m,umask=0077 0 1
UUID=2701e126-69f3-11ee-8c99-0242ac120002 /home ext4 defaults 0 2
UUID=447e4a14-69f3-11ee-8c99-0242ac120002 none swap sw 0 0

2.3.5 Example 2 - FSTAB - Encrypted Boot Removable Medium (USB Key) Multi-device

👷🛠️UNDER CONSTRUCTION🚧🏗

https://tqdev.com/2022-luks-with-usb-unlock

"Install debian 9 stretch on one encrypted btrfs partition including /boot and booting if via EFI"
https://github.com/rob31415/cryptBoot

https://github.com/stupidpupil/https-keyscript

2.3.6 Example 3 - FSTAB - Encrypted Boot Removable Medium (USB Key) Multi-device and Keyfile

Key File Encryption with USB Key
https://github.com/aomgiwjc/Unix-Bootstrap-Installs/wiki
https://github.com/aomgiwjc/Unix-Bootstrap-Installs.wiki.git
https://cloudkid.fr/unlock-a-luks-partition-with-a-usb-key
https://blog.fidelramos.net/software/unlock-luks-usb-drive
https://willhaley.com/blog/unlock-luks-volumes-with-usb-key
https://dwarmstrong.org/fde-debian
https://cyberciti.biz/hardware/cryptsetup-add-enable-luks-disk-encryption-keyfile-linux

2.3.7 Nuke Password
https://packages.debian.org/bookworm/cryptsetup-nuke-password
https://salsa.debian.org/pkg-security-team/cryptsetup-nuke-password

$ sudo apt install cryptsetup-nuke-password

2.04 After Installing
Basic Things to do After Installing Debian for Everyday Use

1. Update and Upgrade

https://itsfoss.com/apt-get-upgrade-vs-dist-upgrade

$ sudo apt update -y && sudo apt upgrade -y
$ sudo apt dist-upgrade

Note:

apt upgrade only upgrades existing packages. It doesn’t install new packages or remove existing packages, doesn’t upgrade kernel version.

dist-upgrade can remove dependency packages or install new ones (if required), can also upgrade kernel version, doesn’t upgrade the distribution version.

*sudo apt full-upgrade

2. Adding sudo user and common user
$ 

Security consideration, under construction

3. Firewall

Install and enable Uncomplicated Firewall - UFW (CLI)

$ sudo apt install ufw
$ sudo ufw enable
$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing
$ sudo ufw status verbose

4. Fast Grub Time

Edit and add GRUB_TIMEOUT=0

$ sudo nano /etc/default/grub
GRUB_TIMEOUT=0
$ sudo update-grub

5. Swappiness

https://unix.stackexchange.com/questions/265713/how-to-configure-swappiness-in-linux-memory-management

Verify

$ sudo cat /proc/sys/vm/swappiness

Edit and add vm.swappiness=10

$ sudo nano /etc/sysctl.conf
vm.swappiness=10

or simply

$ sudo bash -c "echo 'vm.swappiness = 10' >> /etc/sysctl.conf"

To take effect:

$ sudo sysctl -p
$ sudo sysctl vm.swappiness=10

Verify

$ sudo cat /proc/sys/vm/swappiness

6. Installing Java

• Java Runtime Environment (JRE)

• OpenJDK - Java Development Kit (JDK)


$ java --version
$ apt-cache search openjdk | grep openjdk

$ sudo apt install

7. Installing Micro$oft Fonts
$ sudo apt install -y ttf-mscorefonts-installer

*Do not install energy manager TLP, many problems.


2.05 Low Level Linux

• Kernel Linux
https://kernel.org

• Linux Training
https://training.linuxfoundation.org
https://training.linuxfoundation.org/training/a-beginners-guide-to-linux-kernel-development-lfd103

• Linux From Scratch (LFS)
https://linuxfromscratch.org

• Reproducible Builds
https://reproducible-builds.org


2.06 Ventoy

Ventoy

Ventoy - A New Bootable USB Solution - Downloads

https://ventoy.net/en/download.html

Ventoy - Source Code - Releases

https://github.com/ventoy/Ventoy/releases

Start to use Ventoy - Install Ventoy To USB Drive

https://ventoy.net/en/doc_start.html
https://woshub.com/multi-iso-boot-usb-flash-ventoy
https://pureinfotech.com/ventoy-create-bootable-usb-windows-11-10

About Secure Boot in UEFI mode

https://ventoy.net/en/doc_secure.html

Ventoy Persistence Plugin

https://ventoy.net/en/plugin_persistence.html

(*recommended only for rescue disk purposes)


2.07 Clonezilla

Clonezilla

Clonezilla - The Free and Open Source Software for Disk Imaging and Cloning.

https://clonezilla.org//clonezilla-live-doc.php

How to Use Clonezilla Software

https://wikihow.com/Use-Clonezilla

Changing disk name

Command
$ cnvt-ocs-dev -d /home/partimag 'image' 'sda3' 'sda2'



3. SECURE BOOT

👷🛠️UNDER CONSTRUCTION🚧🏗

3.01 Introduction

"Most modern systems will ship with SB enabled - they will not run any unsigned code by default, but it is possible to change the firmware configuration to either disable SB or to enroll extra signing keys. The whole point of Secure Boot is to prevent malware from gaining control of the computer. Therefore, when booting with Secure Boot active, Fedora 18 and later, Ubuntu 16.04 and later, and probably other distributions restrict actions that some Linux users take for granted. For instance, Linux kernel modules must be signed, which complicates use of third-party kernel drivers, such as Nvidia's and AMD/ATI's proprietary video drivers. More recent kernels may, if Secure Boot is active, also check that they were launched from a boot loader that honors Secure Boot, and shut down if this was not the case."

"To launch a locally-compiled kernel, you must sign it with a MOK and register that MOK with the system. (In both cases, you can register a hash rather than sign the binary; but this approach results in an ever-growing database in NVRAM, which is undesirable.) The extent of such restrictions is entirely up to those who develop and sign the boot loader launched by Shim and the kernel launched by that boot loader, though. Some distributions ship kernels that are relatively unencumbered by added security restrictions."

"As a practical matter, if you want to use Shim, you have two choices: You can run a distribution that provides its own signed version of Shim, such as Fedora 18 or later or Ubuntu 12.10 or later; or you can run a signed version from such a distribution or from another source, add your own MOK, and sign whatever binaries you like. This first option is quite straightforward if you happen to want to use a distribution that ships with Shim, and it requires little extra elaboration. If you want to build and run your own kernel (e.g. for development or debugging), then you will obviously end up making binaries that are not signed with the Debian key. If you wish to use those binaries, you will need to either sign them yourself and enroll the key used with MOK or disable SB."

! CAUTION:
! • Use an administrator password in the BIOS and do not use the same for disk encryption.
! • Building and signing kernel modules is independent of building and signing your own kernel.
! • In Debian, if you do not install the DKMS package, you will have more work to create the X.509
! keys or OpenSSL keys, import the keys with sbsigntool or mokutil, sign the kernel or the kernel
! module file with sbsigntool or sign-file, respectively.
! • Debian comes with signed kernels to work with your GRUB so it will most likely not be 
! necessary to sign the kernel that includes Debian, however any foreign kernel or compiled from
! its source www.kernel.org must be signed or will not be able to load.
! • Ubuntu uses DKMS with signed key by default, Ubuntu creates and imports mok key during system
! installation.
! • In Fedora, if you use DKMS with Secure Boot enabled, you have to import the DKMS sign key
! with mokutil --import /var/lib/dkms/mok.pub and reboot to enroll the key. In Fedora the mok.pub
! and mok.key keys are created and module is signed by DKMS, but only if openssl package
! is installed.
! • UEFI specifications use the terms key and public key (.der) to mean the public part of the
! key pair, or the X.509 certificate. However, in OpenSSL, the term key is the private key (.priv) 
! that's used for signing. Thus, all Secure Boot keys must be X.509 keys and not OpenSSL keys.
! • The instructions provided assume that you're signing a module for the currently running 
! kernel. If you're signing a module for a different kernel, you must provide the path to the
! sign-file utility within the correct kernel version source. Otherwise, the signature type
! for the module for that kernel might not align correctly with the expected signature type.
! • Only a single custom certificate can be added to the kernel because the compressed size 
! of the kernel's boot image can not increase. Do not add multiple certificates to the kernel
! boot image.
- WARNING:
- https://makedebianfunagainandlearnhowtodoothercoolstufftoo.computer/doku.php?id=start:issecurebootworking
- https://discourse.ubuntu.com/t/dkms-package-support-extra-drivers-does-not-work-in-ubuntu-22-10-install-media/31655
- BUGS:
- • Debian Bug report logs - #1037146 Key was rejected by service
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037146
- • Debian Bug report logs - #1012741 Key was rejected by service
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012741
- • Debian Bug report logs - #1012816 Key was rejected by service 
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1012816;msg=22
- • Debian Bug report logs - #989463 please align shim-signed dkms behaviour with Ubuntu
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=989463
- • Debian Bug report logs - #939392 please provide kmodsign like Ubuntu does
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939392
- • Debian Bug report logs - #928300 shim-signed: secure boot via removable media path unavailable
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928300

3.02 Secure Boot References

3.03 YouTube References

3.04 Sign GRUB

https://wiki.archlinux.org/title/Kernel_parameters

Debian ships signed kernels that work with its GRUB, so you will most likely not need to sign the kernel that comes with Debian. However, any foreign kernel, or one compiled from source (www.kernel.org), must be signed or it will not load.


3.05 Sign Debian Kernel

Debian ships signed kernels that work with its GRUB, so you will most likely not need to sign the kernel that comes with Debian. However, any foreign kernel, or one compiled from source (www.kernel.org), must be signed or it will not load.

Only a single custom certificate can be added to the kernel because the compressed size of the kernel's boot image can not increase. Do not add multiple certificates to the kernel boot image.

1. First steps

All the items below have to do with SecureBoot mode.

$ sudo mokutil --sb-state
SecureBoot enabled

If controlling the Secure Boot state through the EFI setup program is difficult, you can optionally use the mokutil utility to disable Secure Boot at the level of the Shim so that, although UEFI Secure Boot is enabled, no further validation takes place after the Shim is loaded.

What keys are on my system?

$ sudo mokutil --list-enrolled

or

$ sudo mokutil --list-enrolled | grep Subject:

Also the command modinfo prints the signature if available, for example:

$ sudo modinfo /lib/modules/6.1.0-11-amd64/kernel/mm/zsmalloc.ko 

2. Place for the auto-generated MOK

MOK - Machine Owner Key

Introduction

The use of mokutil that's most relevant to this page is to import a MOK. In this context, importing refers to storing a MOK in the computer's NVRAM, along with a flag to tell Shim and MokUtil that the MOK is there and ready to be enlisted when you next reboot the computer. Keys can be added and removed in the MOK list by the user, entirely separate from the distro CA key.

Unlike Debian, Ubuntu has chosen to place their auto-generated MOK at "/var/lib/shim-signed/mok/", which some software, such as Oracle's virtualbox package, expects to be present. Note that using this same location may result in future conflicts.

Warning: The MOK.key file is extremely sensitive! An attacker who gains access to it could generate binaries that your computer would accept as authorized. You should change permissions to prevent unauthorized access, and ideally store it on an encrypted external storage medium and unplug it when you're not signing binaries.

If you see the key there (consisting of the files MOK.der, MOK.pem and MOK.priv) then you can use these, rather than creating your own.


First make sure the key doesn't exist yet:

$ ls /var/lib/shim-signed/mok/

To create a folder for the MOK key:

$ sudo mkdir -p /var/lib/shim-signed/mok/

You can choose another place like "/etc/mok_key/" since there is no standard location at the moment.

$ sudo mkdir -p /etc/mok_key/

3. Generating a new key

Before you create the public and private key for signing the kernel, change into the folder you created as the destination for the keys. Then create the public key (MOK.der) and the private key (MOK.priv), with a one-time password, for signing the kernel:

$ cd /var/lib/shim-signed/mok/
$ sudo openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=ShimSigned/"
$ sudo openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem
$ ls -l
total 12
-rw-r--r-- 1 root root  787 MOK.der
-rw-r--r-- 1 root root 1123 MOK.pem
-rw------- 1 root root 1854 MOK.priv
$ sudo chmod 600 /var/lib/shim-signed/mok/*

These commands will create both the private and public part of the certificate to sign things. You need both files to sign, and just the public part (MOK.der) to enroll the key in Shim.

To read the certificate file in a human readable format, use

$ sudo openssl x509 -in /var/lib/shim-signed/mok/MOK.pem -noout -text 

Another example of key generation:

$ sudo openssl req -x509 -new -nodes -utf8 -sha512 -days 3650 -batch -config /etc/ssl/x509.conf -outform DER -out /etc/ssl/certs/pubkey.der -keyout /etc/ssl/certs/priv.key
$ sudo openssl x509 -inform DER -in /etc/ssl/certs/pubkey.der -out /etc/ssl/certs/pubkey.pem

4. Enrolling your key in Shim

Enroll the key to your installation:

$ cd /var/lib/shim-signed/mok/
$ sudo mokutil --import MOK.der

You will be asked for a one-time password (remember it and type it correctly). You will only use it to confirm your key selection in the next step and won't need it beyond that point, so choose any.

Recheck that your key will be prompted for on next boot:

$ sudo mokutil --list-new

5. Restart and finish the process

Restart your system. Changes to the MOK keys may only be confirmed directly from the console at boot time. You will encounter a blue screen of a tool called MOKManager. Select "Enroll MOK" and then "View key". Make sure it is the key you created in step 3. Afterwards continue the process and enter the password you provided in step 4. Continue with booting your system.

Verify your key is already enrolled, if the MOK was loaded correctly, with:

$ sudo mokutil --test-key /var/lib/shim-signed/mok/MOK.der

6. Sign your installed kernel or modules

6.1 Modern Method: Signing the Debian kernel and modules with DKMS

Building Debian kernel modules with DKMS. The dkms framework allows building kernel modules "on the fly" on the local system instead of building them centrally on the Debian infrastructure, and DKMS can automatically sign updated kernel modules. If you install the kernel modules through the apt repository, chances are that the modules have already been signed by the DKMS signing key. In that case, the traditional method won't work, and the only thing you need to do is enroll the DKMS signing key into your machine. On systems that use SecureBoot, you will need a Machine Owner Key (MOK) to load DKMS modules. Generate it, enroll it, sign modules with it and then you will be able to load the signed modules.

In Debian, it depends on the dkms package:

$ sudo apt install dkms

In order for dkms to automatically sign kernel modules, it must be told which key to sign the module with. This is done by adding two configuration values to "/etc/dkms/framework.conf", adjusting paths as required:

mok_signing_key="/var/lib/shim-signed/mok/MOK.priv"

mok_certificate="/var/lib/shim-signed/mok/MOK.der"
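
A quick check of the two settings above, as an added example that is not part of the original guide or of DKMS: it reads mok_signing_key and mok_certificate from a framework.conf-style file and confirms that both files exist and that the private key is not accessible to group or others. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: sanity-check the DKMS signing settings before relying on them.
# Function names are illustrative; only the two setting names come from the guide.

# conf_value FILE KEY
# Prints the value of an uncommented KEY="value" line (last assignment wins).
conf_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$1" |
        tail -n 1
}

# check_dkms_signing_conf FILE
# Returns 0 only if both settings are present, both files exist, and the
# private key has no permission bits set for group or others.
check_dkms_signing_conf() {
    conf=$1
    rc=0
    key=$(conf_value "$conf" mok_signing_key)
    cert=$(conf_value "$conf" mok_certificate)

    if [ -z "$key" ] || [ -z "$cert" ]; then
        echo "FAIL: mok_signing_key or mok_certificate not set in $conf"
        return 1
    fi
    [ -f "$cert" ] || { echo "FAIL: certificate $cert is missing"; rc=1; }
    if [ -f "$key" ]; then
        # A private key readable by other accounts lets them sign modules
        # that this machine will accept once the MOK is enrolled.
        mode=$(stat -c %a "$key")
        case $mode in
            ?00) ;;
            *) echo "FAIL: $key has mode $mode, expected 600 or stricter"; rc=1 ;;
        esac
    else
        echo "FAIL: private key $key is missing"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf points at an existing, protected key pair"
    return "$rc"
}

# Run as: sudo sh check-dkms-conf.sh /etc/dkms/framework.conf
if [ "$#" -eq 1 ]; then
    check_dkms_signing_conf "$1"
fi
```

Whether the certificate is actually enrolled is a separate question, answered by mokutil --test-key on the certificate file.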


DKMS Sign Helper Script

If these values are provided and dkms is able to build modules but does not attempt to sign them, then it is likely that sign_tool is missing. This is more common in older and/or custom kernels. In "/etc/dkms/framework.conf", add:

sign_tool="/etc/dkms/sign_helper.sh"

Create "/etc/dkms/sign_helper.sh" with:

#!/bin/sh
/lib/modules/"$1"/build/scripts/sign-file sha512 /root/.mok/client.priv /root/.mok/client.der "$2"

Set Linux kernel info variables

$ VERSION="$(uname -r)"
$ SHORT_VERSION="$(uname -r | cut -d . -f 1-2)"
$ MODULES_DIR=/lib/modules/$VERSION
$ KBUILD_DIR=/usr/lib/linux-kbuild-$SHORT_VERSION

Making DKMS modules signing by DKMS signing key usable with the secure boot

If you install the kernel modules through the apt repository, chances are that the modules have already been signed by the DKMS signing key. In that case, the traditional method won't work, and the only thing you need to do is enroll the DKMS signing key into your machine. Here is how we can do that:

First, use the method mentioned in Verifying if a module is signed to check if the modules are signed by DKMS signing key.

Next, find the location of the mok signing key and mok certificate. You can view the location in /etc/dkms/framework.conf, and the default location is /var/lib/dkms.

Then, run the following command to enroll the key into the machine:

$ sudo mokutil --import /var/lib/dkms/mok.pub # prompts for a one-time password; change /var/lib/dkms/mok.pub if the mok certificate isn't located there
$ sudo mokutil --list-new # recheck that your key will be prompted for on next boot

!rebooting machine then enters MOK manager EFI utility: enroll MOK, continue, confirm, enter password, reboot!

$ sudo dmesg | grep cert # verify your key is loaded

6.2 Traditional Method: signing the Debian kernel with sbsigntool

Building and signing modules is independent of building and signing your own kernel (vmlinuz). To sign a custom kernel or any other EFI binary you want to have loaded by Shim, you’ll need to use a different command: sbsign (PEM). In this case, we’ll need the certificate in a different format, mokutil needs DER, sbsign needs PEM. Convert the certificate into PEM (.der to .pem), for example:

$ sudo openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem

For example, use it to sign our Kernel:

$ sudo sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-$VERSION" --output "/boot/vmlinuz-$VERSION.tmp"
$ sudo mv "/boot/vmlinuz-$VERSION.tmp" "/boot/vmlinuz-$VERSION"

For example, use it to sign our EFI binary:

$ sudo sbsign --key MOK.priv --cert MOK.pem grubx64.efi --output grubx64.efi.signed
$ sudo mv "grubx64.efi.signed" "grubx64.efi"

Sign the installed Kernel using the key created according to the location you gave it, this will create a new signed vmlinuz. Sign vmlinuz using sbsign and .pem certificate, it should be at /boot/vmlinuz-[KERNEL-VERSION]:

To check your Kernel version, you can also use the command:

$ uname -r
6.1.0-12-amd64

Signing vmlinuz (kernel) using sbsign:

$ sudo sbsign --key MOK.priv --cert MOK.pem /boot/vmlinuz-[KERNEL-VERSION] --output /boot/vmlinuz-[KERNEL-VERSION].signed

For example

$ sudo sbsign --key /var/lib/shim-signed/mok/MOK.priv --cert /var/lib/shim-signed/mok/MOK.pem "/boot/vmlinuz-6.1.0-12-amd64" --output "/boot/vmlinuz-6.1.0-12-amd64.signed"

Alternatively:

$ cd /var/lib/shim-signed/mok/
$ sudo sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-[KERNEL-VERSION]" --output "/boot/vmlinuz-[KERNEL-VERSION].signed"

Remove the unsigned one and restore the original name of the signed one, this will create a new signed vmlinuz:

$ sudo mv "/boot/vmlinuz-6.1.0-12-amd64.signed" "/boot/vmlinuz-6.1.0-12-amd64"

Update your grub-config

$ sudo update-grub

Reboot your system and select the signed kernel. Now your system should run under a signed kernel and upgrading GRUB2 works again. If you want to upgrade the custom kernel, you can sign the new version easily by following the above steps again from step seven on. So BACK UP the MOK keys (MOK.der, MOK.pem, MOK.priv) on an encrypted device.

Verifying if a module is signed. The command modinfo prints the signature if available, for example:

$ sudo modinfo rtw_8723d

Other commands

$ sudo dmesg | grep cert
$ sudo sbverify --list /boot/vmlinuz-6.1.0-12-amd64
$ sudo sbverify --cert /etc/mok_key/mok.crt /boot/vmlinuz-6.1.0-12-amd64

3.06 Reset Secure Boot Keys

Reset Secure Boot keys for Kernel or Modules

Reset Key for Kernel 👷🛠️UNDER CONSTRUCTION🚧🏗

https://rodsbooks.com/efi-bootloaders/controlling-sb.html#setuputil

"The ASUS permits to you restore the default keys, so this isn't really vital if you're starting from the factory defaults with this model; but if yours doesn't offer such a reset-to-defaults option or if you've modified the keys, saving them may be prudent. As the name implies, this option also erases all your Secure Boot keys. (It does not erase your MOKs, though.)"

Reset MOK Keys for Modules 👷🛠️UNDER CONSTRUCTION🚧🏗

https://rodsbooks.com/efi-bootloaders/controlling-sb.html#key-revocation

$ sudo mokutil --sb-state
SecureBoot disabled
$ sudo mokutil --disable-validation

Backup. Exports to list (ideally store it on an encrypted external storage medium).

$ sudo mokutil --export

To remove all (MOKs being a list and not just a single MOK, you can make the shim trust keys from several different vendors, allowing dual and multi-boot)

$ sudo mokutil --reset --mok
$ sudo mokutil --reset

To remove one key, first show all keys.

$ sudo ls -1 MOK*

Shows you keys enrolled.

$ sudo mokutil --list-enrolled | grep Subject:

Delete those not enrolled to maintain secure boot.

$ sudo mokutil --delete MOK-0001.der

Uninstall the modules, if they were installed with "make".

$ cd ~/realtekwifi
$ sudo make uninstall

or

sudo rmmod 8192eu
sudo rmmod rtl8xxxu
sudo dkms remove -m rtl8192eu -v 1.0

or

sudo lshw -C network

Reset the modules and unload them in the kernel

$ sudo depmod -a -v
$ sudo update-initramfs -k all -u -v

3.07 OpenSSL Errors

Error 1 - No such file

At main.c:298:
- SSL error:FFFFFFFF80000002:system library::No such file or directory: ../crypto/bio/bss_file.c:67
- SSL error:10000080:BIO routines::no such file: ../crypto/bio/bss_file.c:75

Error 2 - Unable to get passphrase

At main.c:170:
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../crypto/passphrase.c:184
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../crypto/passphrase.c:184
- SSL error:1C80009F:Provider routines::unable to get passphrase: ../providers/implementations/encode_decode/decode_epki2pki.c:96
- SSL error:07880109:common libcrypto routines::interrupted or cancelled: ../crypto/passphrase.c:184
- SSL error:04800068:PEM routines::bad password read: ../crypto/pem/pem_pkey.c:155
sign-file: /var/lib/shim-signed/mok/MOK.priv: Success

Possible Causes: the certificate or key is missing. The error is telling us that one of the files that DKMS or openssl.cnf points to is not where the tool is looking. Another possibility is the wrong tool or certificate format: to sign a custom kernel or any other EFI binary you want to have loaded by shim, you’ll need to use a different command: sbsign or mokutil. Unfortunately, we’ll need the certificate in a different format in this case: mokutil needs DER, sbsign needs PEM. Convert the certificate into PEM (.der to .pem).

Under normal conditions, when CONFIG_MODULE_SIG_KEY is unchanged from its default, the kernel build will automatically generate a new keypair using openssl if one does not exist in the file certs/signing_key.pem during the building of vmlinux (the public part of the key needs to be built into vmlinux), using parameters in the certs/x509.genkey file (which is also generated if it does not already exist).

It is strongly recommended that you provide your own x509.genkey file.

As long as the signing key is enrolled in shim and does not contain the Object Identifier (OID) from earlier (since that limits the use of the key to kernel module signing), the binary should be loaded just fine by shim.
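
A pre-flight check for the two errors above, as an added example that is not part of the original page: it reports a missing file (Error 1), a certificate in the wrong format for the tool, and a passphrase-protected key with no KBUILD_SIGN_PIN exported, which is assumed here to be what produces Error 2. The function names and the file arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks before
# calling mokutil, sbsign or sign-file. All paths are caller-supplied.

# cert_format FILE -> prints PEM, DER, unknown or missing
cert_format() {
    [ -r "$1" ] || { echo missing; return 1; }
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM; return 0
    fi
    # A DER X.509 certificate is an ASN.1 SEQUENCE: tag 0x30 followed by
    # a long-form length byte (0x81..0x83).
    case "$(od -An -v -tx1 -N2 < "$1" | tr -d ' \n')" in
        3081|3082|3083) echo DER ;;
        *) echo unknown; return 1 ;;
    esac
}

# key_state FILE -> prints plain, encrypted, unknown or missing
key_state() {
    [ -r "$1" ] || { echo missing; return 1; }
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e 'Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted
    elif grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"; then
        echo plain
    else
        echo unknown; return 1
    fi
}

# preflight TOOL CERT [KEY] -> one finding per line, non-zero if any.
# TOOL is mokutil, sbsign or sign-file.
preflight() {
    pf_tool=$1 pf_cert=$2 pf_key=${3:-} pf_rc=0
    pf_fmt=$(cert_format "$pf_cert") || true
    case "$pf_tool:$pf_fmt" in
        *:missing)   echo "cert not found or unreadable: $pf_cert"; pf_rc=1 ;;
        *:unknown)   echo "cert is neither PEM nor DER: $pf_cert"; pf_rc=1 ;;
        mokutil:PEM) echo "mokutil needs DER, got PEM: $pf_cert"; pf_rc=1 ;;
        sbsign:DER)  echo "sbsign needs PEM, got DER: $pf_cert"; pf_rc=1 ;;
    esac
    if [ -n "$pf_key" ]; then
        pf_ks=$(key_state "$pf_key") || true
        case "$pf_ks" in
            missing) echo "key not found or unreadable: $pf_key"; pf_rc=1 ;;
            unknown) echo "key is not a PEM private key: $pf_key"; pf_rc=1 ;;
            encrypted)
                # Assumption: sign-file cannot prompt, so it needs the PIN exported.
                if [ "$pf_tool" = sign-file ] && [ -z "${KBUILD_SIGN_PIN:-}" ]; then
                    echo "key is passphrase-protected and KBUILD_SIGN_PIN is not exported"
                    pf_rc=1
                fi ;;
        esac
    fi
    return "$pf_rc"
}
```

Run as root when the key is readable only by root, for example `preflight sbsign MOK.pem MOK.priv` from the directory holding the keys.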

Cause 1

Wrong syntax of sign-file

$ sudo scripts/sign-file sha512 kernel-signkey.priv kernel-signkey.x509 module.ko

https://kernel.org/doc/html/v4.15/admin-guide/module-signing.html

Cause 2

This is where Debian places openssl.cnf for the OpenSSL they provide:

$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"
$ ls -l /usr/lib/ssl
lrwxrwxrwx 1 root root mmm 30 mm:mm openssl.cnf -> /etc/ssl/openssl.cnf
$ ls -l /etc/ssl/
-rw-r--r-- 1 root root mmm 30 mm:mm openssl.cnf

It is kind of buried in OpenSSL source code for apps.c, load_config and what happens when openssl.cnf is NULL (i.e., no -config option or OPENSSL_CONF envar). When openssl.cnf is NULL and no overrides, then OPENSSLDIR is used.

Cause 3

Wrong syntax of OpenSSL

*Man Page OpenSSL: Man OpenSSL

$ sudo openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -config openssl.cnf -outform DER -out MOK.der -keyout MOK.priv
$ sudo openssl req -x509 -new -nodes -utf8 -sha256 -days 36500 -batch -outform DER -out MOK.der -keyout MOK.priv

*Ubuntu: https://ubuntu.com/blog/how-to-sign-things-for-secure-boot

$ sudo openssl req -config ./openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER -keyout "MOK.priv" -out "MOK.der"

*Debian: https://wiki.debian.org/SecureBoot

$ sudo openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -days 36500 -subj "/CN=My Name/"
$ sudo openssl x509 -inform der -in MOK.der -out MOK.pem

*Fedora: https://docs.fedoraproject.org/en-US/quick-docs/kernel-build-custom/

$ sudo openssl req -new -x509 -newkey rsa:2048 -keyout "key.pem" -outform DER -out "cert.der" -nodes -days 36500 -subj "/CN= yourname/"

Solutions

Solution 1:

$ sudo dpkg -S sign-file

Solution 2:

Location

$ openssl version -d

You can use strace (man strace) to check the configuration file being used while generating the self-signed certificate.

$ strace -e trace=open,openat -o /tmp/strace.log.0 openssl req \
-newkey rsa:2048 -x509 -nodes -keyout localhost.key \
-new -out localhost.crt
$ grep "openssl.cnf" /tmp/strace.log.0
openat(AT_FDCWD, "/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
$ sudo cat /etc/ssl/openssl.cnf
openssl_conf = openssl_init from /etc/ssl/openssl.cnf

To override the system default with a user-level configuration, an empty file will do:

touch ~/.openssl.cnf

BASH define & export:

export OPENSSL_CONF=~/.openssl.cnf

Wrap application within a script:

export OPENSSL_CONF=/dev/null

Solution 3:

Rescue if install/build fails in previous step

$ sudo apt-get install -f
$ sudo dpkg-reconfigure broadcom-sta-dkms

3.08 Sign Wi-Fi

How to get Wi-Fi Module signed for Secure Boot

Mandatory packages: openssl, sign-file and mokutil.

If you are going to compile the module in the kernel, usually the maintainer will indicate the packages to be installed beforehand. For example, you will need to install "make", "gcc", "kernel headers", "kernel build essentials", and "git".

$ sudo apt install git make gcc build-essential linux-image-$(uname -r|sed 's,[^-]*-[^-]*-,,') linux-headers-$(uname -r|sed 's,[^-]*-[^-]*-,,')

Brief - Sign with Sign-file

1- Install a driver and test without Secure Boot
2- Enable Secure Boot
3- Generate private and public keys
4- Import
5- Reboot and Enroll
6- Sign the module with sign-file
  1. Check if secure boot is enabled. When Secure Boot is disabled, the shimx64.efi will just directly load the real grubx64.efi bypassing all the Secure Boot steps, including loading the MOK. With the MOK not loaded, the kernel will have no way to recognize the signature on your module as valid. And with Secure Boot disabled, a signed module with an invalid signature is rejected, while unsigned modules only get a warning and a taint mark on any future oops/panic messages.
$ sudo mokutil --sb-state
SecureBoot enabled

You can create a personal public/private RSA key pair to sign the kernel modules. You can choose to store the key pair, for example, in the /var/lib/shim-signed/mok/ directory. Then create a new private key (MOK.priv) and public key (MOK.der).

$ sudo mkdir -p /var/lib/shim-signed/mok
$ sudo openssl req -config /usr/lib/ssl/openssl.cnf -new -x509 -newkey rsa:2048 -nodes -days 36500 -outform DER -keyout "/var/lib/shim-signed/mok/MOK.priv" -out "/var/lib/shim-signed/mok/MOK.der" -subj "/CN=MODULE/"
$ ls -l /var/lib/shim-signed/mok/
total 8
-rw-r--r-- 1 root root  779 MOK.der
-rw------- 1 root root 1704 MOK.priv
$ sudo chmod 600 /var/lib/shim-signed/mok/*
  1. Enroll the public key (MOK.der) to MOK (Machine Owner Key) by entering the command:
$ sudo mokutil --import /var/lib/shim-signed/mok/MOK.der
input password:
input password again:

Recheck if your key will be prompted on next boot:

$ sudo mokutil --list-new
  1. Reboot and Enroll

The password in this step is a temporary password that you'll only need to remember for a few minutes. Reboot the machine. When the bootloader starts, you should see a screen asking you to press a button to enter the MOK manager EFI utility. Note that external keyboards won't work in this step. Select Enroll MOK in the first menu, then continue, then select Yes to enroll the keys, and re-enter the password established in the previous step. Then select OK to continue the system boot.

Steps: -> "Enroll MOK" -> "Continue". -> "Yes". -> Enter the password you set up just now. -> Select "OK" and the computer will reboot again.

There are several commands to verify that your key "MODULE" is loaded and enrolled:

$ sudo mokutil --test-key /var/lib/shim-signed/mok/MOK.der
$ sudo dmesg | grep cert
$ sudo cat /proc/keys | grep MODULE
$ openssl x509 -in /var/lib/shim-signed/mok/MOK.der -inform DER -text -noout
  1. Sign the module with sign-file

Use the same password you used before when setting up MOK for the BIOS to avoid confusion. Make sure you type the password carefully here with no errors, and don't be confused when the prompt just waits.

$ sudo su
~# read -s KBUILD_SIGN_PIN

Next, export it in the same root shell and sign all modules.

~# export KBUILD_SIGN_PIN

NOTE: KBUILD_SIGN_PIN allows a passphrase or PIN to be passed to the sign-file utility when signing kernel modules, if the private key requires such.

To sign the module, note that the exact location of sign-file might vary depending on your platform. In Debian 12 (Bookworm), for the generic kernel, it was in /usr/src/linux-kbuild-$(uname -r | cut -d . -f 1-2)/scripts/sign-file .

And where was the module installed? In /lib/modules/$(uname -r)/kernel/drivers/*.ko

$ sudo modinfo -n rtw_8723d
/lib/modules/6.1.0-13-amd64/kernel/drivers/net/wireless/realtek/rtw88/rtw_8723d.ko

To sign modules (with your KBUILD_SIGN_PIN), stay in the root shell where you exported it, go to the directory containing the modules, and run

~# cd /lib/modules/6.1.0-13-amd64/kernel/drivers/net/wireless/realtek/rtw88/
~# /usr/src/linux-kbuild-6.1/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der rtw_8723d.ko

Another form (not tested)

sudo --preserve-env=KBUILD_SIGN_PIN /usr/src/linux-kbuild-$(uname -r | cut -d . -f 1-2)/scripts/sign-file sha256 /var/lib/shim-signed/mok/MOK.priv /var/lib/shim-signed/mok/MOK.der "$(modinfo -n rtw_8723d)"

Assuming you typed the password correctly, you won't get any errors. You should now be able to see that the module is signed. You can pick any module in that directory, but as an example:

$ sudo modinfo rtw_8723d
(...)
signer: MODULE
sig_key:XX:XX:XX:XX:XX:XX:XX:XX...
sig_hashalgo: sha256
signature:XX:XX:XX:XX:XX:XX:XX:XX...
(...)

NOTE: The filename may be different; use tab completion to find the appropriate file.

You can now try to load the module:

$ sudo modprobe -v rtw_8723d

After any kernel module loading failure, you should check the dmesg output: it might include a more specific error message. In this case it is likely to indicate that a module signature failed a validity check.

$ sudo dmesg --since -1m

If the modules are needed to boot your machine, make sure to update the initramfs, e.g. using

$ sudo update-initramfs -k all -u
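
To audit a whole module tree instead of running modinfo one module at a time, the following added example (not from the original page; the function names are hypothetical) looks for the trailer that sign-file appends to a module. It only shows that a signature is attached, not that the kernel trusts the signing key.

```shell
#!/bin/sh
# Added example (not from the original page): report which module files
# carry the appended-signature trailer written by sign-file.
# Layout at the end of a signed module:
#   <ELF image> <PKCS#7 signature> <12-byte struct module_signature> <magic>

MAGIC='~Module signature appended~'   # stored in the file with a trailing \n

# Stream a module's bytes, decompressing .xz/.zst/.gz module files.
module_bytes() {
    case "$1" in
        *.xz)  xz -dc "$1" ;;
        *.zst) zstd -dcq "$1" ;;
        *.gz)  gzip -dc "$1" ;;
        *)     cat "$1" ;;
    esac
}

# module_sig_info FILE
#   prints "signed id_type=N sig_len=N" (status 0) or "unsigned" (status 1)
module_sig_info() {
    # Last 40 bytes = 12-byte struct + 28-byte magic, as decimal byte values.
    msi_tail=$(module_bytes "$1" 2>/dev/null | tail -c 40 |
               od -An -v -tu1 | tr -s ' \n' ' ')
    msi_want=$(printf '%s\n' "$MAGIC" | od -An -v -tu1 | tr -s ' \n' ' ')
    # Word-split on purpose to normalise od's spacing.
    set -- $msi_want; msi_want="$*"
    set -- $msi_tail
    if [ "$#" -ne 40 ]; then echo unsigned; return 1; fi
    msi_id=$3          # struct byte 3: id_type (2 = PKCS#7)
    # struct bytes 9..12: sig_len, big-endian
    msi_len=$(( $9 * 16777216 + ${10} * 65536 + ${11} * 256 + ${12} ))
    shift 12           # what remains is the 28-byte magic
    if [ "$*" = "$msi_want" ] && [ "$msi_len" -gt 0 ]; then
        echo "signed id_type=$msi_id sig_len=$msi_len"
    else
        echo unsigned; return 1
    fi
}

# audit_modules [DIR] -> prints every module file under DIR without a trailer.
# DIR defaults to the running kernel's module tree.
audit_modules() {
    am_dir=${1:-/lib/modules/$(uname -r)}
    find "$am_dir" -type f \( -name '*.ko' -o -name '*.ko.xz' \
        -o -name '*.ko.zst' -o -name '*.ko.gz' \) |
    while IFS= read -r am_mod; do
        module_sig_info "$am_mod" >/dev/null || printf '%s\n' "$am_mod"
    done
}

# Stand-alone use: sh this-file --audit [DIR]
if [ "${1:-}" = "--audit" ]; then audit_modules "${2:-}"; fi
```

Any path it prints is a module that will be refused under Secure Boot until it is signed; whether a signed module is accepted still depends on the key being enrolled, which the dmesg check above confirms.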


Building and signing modules is independent of building and signing your own kernel. To sign a custom kernel or any other EFI binary you want to have loaded by shim, you’ll need to use a different command: sbsign. In this case we’ll need the certificate in a different format: mokutil needs DER, sbsign needs PEM. Convert the certificate into PEM (.der to .pem), for example:

$ sudo openssl x509 -in MOK.der -inform DER -outform PEM -out MOK.pem

For example, use it to sign our Kernel:

$ sudo sbsign --key MOK.priv --cert MOK.pem "/boot/vmlinuz-$VERSION" --output "/boot/vmlinuz-$VERSION.tmp"
$ sudo mv "/boot/vmlinuz-$VERSION.tmp" "/boot/vmlinuz-$VERSION"

For example, use it to sign our EFI binary:

$ sudo sbsign --key MOK.priv --cert MOK.pem my_binary.efi --output my_binary.efi.signed

As long as the signing key is enrolled in shim and does not contain the Object Identifier (OID) from earlier (since that limits the use of the key to kernel module signing), the binary should be loaded just fine by shim.

5. VirtualBox Sign Helper Script

Future kernel updates would require the updated kernels to be signed again, so it makes sense to put the signing commands in a script that can be run at a later date as necessary (DKMS package could do it automatically).

$ sudo touch /var/lib/shim-signed/modules/sign-modules
$ sudo nano /var/lib/shim-signed/modules/sign-modules

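#!/bin/bash
# Usage: sign-modules <yourmodulehere>   (defaults to vboxdrv)
# Signs every .ko file in the directory that holds the given module.
module="${1:-vboxdrv}"

for modfile in "$(dirname "$(modinfo -n "$module")")"/*.ko; do
    echo "Signing $modfile"
    "/usr/src/linux-headers-$(uname -r)/scripts/sign-file" sha256 \
        /var/lib/shim-signed/modules/module.priv \
        /var/lib/shim-signed/modules/module.der "$modfile"
done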

Add execution permission, and run the script above as root from the /var/lib/shim-signed/modules/ directory.

$ sudo -i
$ cd /var/lib/shim-signed/modules
$ chmod 700 /var/lib/shim-signed/modules/sign-modules
$ ./sign-modules

Load vboxdrv module and launch VirtualBox.

$ sudo modprobe vboxdrv
or
$ /sbin/modprobe vboxdrv 

3.09 Sign NVIDIA

https://wiki.debian.org/DontBreakDebian#Don.27t_use_GPU_manufacturer_install_scripts
https://github.com/NVIDIA/open-gpu-kernel-modules
https://askubuntu.com/questions/1023036/how-to-install-nvidia-driver-with-secure-boot-enabled

Download the latest driver from the NVIDIA website: https://geforce.com/drivers.

Create a new pair of private key (Nvidia.key) and public key (Nvidia.der) by running the command:

openssl req -new -x509 -newkey rsa:2048 -keyout PATH_TO_PRIVATE_KEY -outform DER -out PATH_TO_PUBLIC_KEY -nodes -days 36500 -subj "/CN=Graphics Drivers"

Example:

openssl req -new -x509 -newkey rsa:2048 -keyout /home/$USER/Nvidia.key -outform DER -out /home/$USER/Nvidia.der -nodes -days 36500 -subj "/CN=Graphics Drivers"

Enroll the public key (Nvidia.der) to MOK (Machine Owner Key) by entering the command:

sudo mokutil --import PATH_TO_PUBLIC_KEY

Example:

sudo mokutil --import /home/$USER/Nvidia.der

This command requires you to create a password for enrolling. Afterwards, reboot your computer. On the next boot, when the system asks you to enroll, enter the password you created in this step. Read more: https://sourceware.org/systemtap/wiki/SecureBoot

For installing the NVidia driver for the first time, you need to disable the Nouveau kernel driver by entering the command:

echo options nouveau modeset=0 | sudo tee -a /etc/modprobe.d/nouveau-kms.conf; sudo update-initramfs -u

Reboot.

Install the driver by entering the command:

sudo sh ./XXXXXX.run -s --module-signing-secret-key=PATH_TO_PRIVATE_KEY --module-signing-public-key=PATH_TO_PUBLIC_KEY

Where:

XXXXXX: name of file installer (downloaded from NVIDIA).

PATH_TO_PRIVATE_KEY: full path to private key. If you place it in your home folder, use /home/USER_NAME/ instead of ~.

PATH_TO_PUBLIC_KEY: full path to public key. If you place it in your home folder, use /home/USER_NAME/ instead of ~.

Example:

sudo sh ./NVIDIA-Linux-x86_64-390.67.run -s --module-signing-secret-key=/home/$USER/Nvidia.key --module-signing-public-key=/home/$USER/Nvidia.der

Done.


3.10 Sign VirtualBox

How to get VirtualBox signed for Secure Boot

https://wiki.debian.org/SecureBoot#MOK_-_Machine_Owner_Key


3.11 Sign Ventoy

About Secure Boot in UEFI mode

https://ventoy.net/en/doc_secure.html


3.12 rEFInd Bootloader
https://rodsbooks.com/refind/getting.html
https://wiki.ubuntu.com/EFIBootLoaders

3.13 Sign Custom Secure Keys
https://github.com/nsacyber/Hardware-and-Firmware-Security-Guidance/blob/master/secureboot/Linux.md

3.14 Encrypted boot

Encrypted boot partition manager with UEFI Secure Boot support

https://github.com/xmikos/cryptboot
https://github.com/kmille/cryptboot


3.15 Sign with TPM 2.0
https://github.com/squarooticus/efi-measured-boot
https://github.com/osresearch/safeboot

3.16 Secure Boot with Yubikey
https://github.com/DimanNe/secure-boot
https://github.com/sandrokeil/yubikey-full-disk-encryption-secure-boot-uefi


4. SYSTEM SECURITY

👷🛠️UNDER CONSTRUCTION🚧🏗

4.01 Introduction

Shut up, keep personal life separated and do not boast

Never contaminate systems

Never reveal your operational details

Never reveal your plans

Never trust anyone
(don't be blackmailed)

Never operate from your own house

Maintain cautious habits
(be proactively paranoid DSM-5 301.0 F60.0).

The weakest link is human

Drink water

*It seems that the worst problem is collateral intrusion, the involvement of seemingly trustworthy uninvolved close third parties. The end of trust.

*OWASP Principles


4.02 Apparmor

https://github.com/Kicksecure/security-misc
https://apparmor.net
https://wiki.debian.org/AppArmor
https://wiki.debian.org/AppArmor/HowToUse
https://github.com/Kicksecure/apparmor-profile-torbrowser
https://wiki.ubuntu.com/DebuggingApparmor

$ sudo apt install -y apparmor
$ sudo apt install -y apparmor-profiles
$ sudo apt install -y apparmor-utils
$ sudo apt install -y apparmor-profiles-extra

*Note: an AppArmor rule could prevent port use by an individual program.


4.03 Privileges

How to Add User to Sudoers

$ su
# usermod -aG sudo username
# exit
$ getent group sudo

*Log off for the change to take effect.

-a - append groups to group user belongs to (instead of overwrite). groupnames - a comma-separated (no spaces!) list of group names to add user to. User must log out and back in for group membership updates to be applied.

"Safe" alternative to bypassing password prompt for sudo

To avoid getting prompted for a password when running commands with sudo, one common option is to append NOPASSWD:ALL to your user name in the /etc/sudoers file. Obviously, this is a security risk. Instead, you can run the sudo command with the -s ("session") flag to allow the sudo session to be persistent until you close the terminal (end the session). To explicitly end the session run sudo -k ("kill"). Reference

Examples
CHOWN
$ sudo chown user:user -R /home
$ sudo chown user:user -R /media
CHMOD
$ sudo chmod 766 -R /home
$ sudo chmod 766 -R /media

4.04 Audit System

https://redhat.com/sysadmin/configure-linux-auditing-auditd

System Auditors

Automatic

$ sudo apt install lynis
$ sudo apt install checksecurity

Manual

$ sudo apt install auditd

Rootkit Detect

$ sudo apt install chkrootkit
$ sudo apt install rkhunter
$ sudo apt install chkboot


4.05 Antimalware

Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs.

https://dangerzone.rocks
https://github.com/freedomofpress/dangerzone

ClamAV

https://clamav.net
https://docs.clamav.net
https://docs.clamav.net/manual/Usage
https://github.com/Cisco-Talos/clamav
https://wiki.archlinux.org/title/ClamAV

ClamAV is a malware detection toolkit, not an endpoint security suite. ClamAV does not disinfect files; it only removes them from the system or moves them to a specified location.

"Clam AntiVirus is an open source (GPL) anti-virus toolkit for UNIX. It provides a number of utilities including a flexible and scalable multi-threaded daemon, a command line scanner and advanced tool for automatic database updates. Because ClamAV's main use is on file/mail servers for Windows desktops, it primarily detects Windows viruses and malware with its built-in signatures."

False positives happen. Including the --remove option, which deletes any file that alerts during a scan, is generally a terrible idea.

ClamAV (GUI)

https://github.com/dave-theunsub/clamtk

$ sudo apt install clamtk

ClamAV (CLI)

$ sudo apt install -y clamav
$ sudo apt install -y clamav-daemon
$ sudo systemctl start clamav-freshclam
$ sudo freshclam

*Note that Clamscan doesn't need the daemon running.

*Note that the "clamd" process (clamav-daemon.service) uses about 1GB of memory (doubling to 2GB when a new database is loaded), because it loads the complete database of virus definitions into memory. On the other hand, this allows it to be super fast. You could work around this:

$ sudo nano /etc/clamav/clamd.conf

ConcurrentDatabaseReload no
ReadTimeout 10
MaxThreads 3

$ sudo nano /etc/systemd/system/clamav-daemon.service.d/extend.conf

[Service]
IOSchedulingPriority = 7
CPUSchedulingPolicy = 5
MemoryLimit=256M
CPUQuota=30%
Nice = 19

  • Commands
  $ man clamscan
  • Basic command to scan all system, copy infected files and log
  $ mkdir -p /home/$USER/Virus && touch /home/$USER/Virus/Virus.txt
  $ sudo freshclam && sudo clamscan -vir --copy=/home/$USER/Virus --log=/home/$USER/Virus/Virus.txt --exclude-dir="^/sys" /
  • Basic command to scan all system, move infected files and log
  $ mkdir -p /home/$USER/Virus && touch /home/$USER/Virus/Virus.txt
  $ sudo freshclam && sudo clamscan -vir --move=/home/$USER/Virus --log=/home/$USER/Virus/Virus.txt --exclude-dir="^/sys" /
  • Scan file
  $ clamscan --verbose /file.bin
  • Scan compressed files
  $ clamscan --verbose --scan-archive --alert-exceeds-max --alert-encrypted /file.zip
  • Others
  $ clamscan -vr --suppress-ok-results --bell /home/$USER
  $ clamscan -vro --heuristic-alerts --copy=/home/$USER/Virus --log=/home/$USER/Virus/Virus.txt --bell /home/$USER
  $ clamscan -vro --bell --remove /home/$USER
  • Debug
  $ sudo cat /etc/clamav/clamd.conf
  $ sudo nano /etc/clamav/clamd.conf
  $ sudo nano /etc/systemd/system/clamav-daemon.service.d/extend.conf
  $ sudo cat /var/log/clamav/clamav.log
  $ sudo systemctl status clamav-daemon
  $ sudo systemctl stop clamav-daemon
  $ sudo systemctl disable clamav-daemon
  $ sudo systemctl status clamav-freshclam
  $ sudo systemctl stop clamav-freshclam
  $ sudo systemctl disable clamav-freshclam
  $ sudo crontab -l 
  $ sudo systemctl list-timers
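
Because false positives happen, a scan that uses --copy and --log is best followed by a review of the log rather than by --remove. The following added example (not from the original page; the function names and the sample log are constructed) lists each detection by signature and separates the heuristic alerts, which flag file properties rather than a known sample.

```shell
#!/bin/sh
# Added example (not from the original page): review clamscan detections
# from a --log file before deciding what to delete.

# Constructed sample of a clamscan log; paths and hits are made up.
sample_log() {
    cat <<'EOF'
-------------------------------------------------------------------------------
/home/alice/Downloads/eicar.com: Eicar-Signature FOUND
/home/alice/Downloads/eicar.com: copied to '/home/alice/Virus/eicar.com'
/home/alice/notes: draft.txt: OK
/home/alice/backup.zip: Heuristics.Encrypted.Zip FOUND
/home/alice/mail: old/eicar.txt: Eicar-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
EOF
}

# clam_hits [LOG] -> "signature<TAB>path" per detection, sorted.
# Reads standard input when LOG is omitted.
clam_hits() {
    awk '
        / FOUND$/ {
            line = substr($0, 1, length($0) - 6)    # drop " FOUND"
            pos = 0
            # Split at the LAST ": " so that paths containing ": " survive.
            while ((i = index(substr(line, pos + 1), ": ")) > 0)
                pos += i
            if (pos > 0)
                printf "%s\t%s\n", substr(line, pos + 2), substr(line, 1, pos - 1)
        }' "${1:--}" | LC_ALL=C sort
}

# clam_by_signature [LOG] -> "signature<TAB>count", one line per signature
clam_by_signature() {
    clam_hits "${1:--}" | cut -f1 | uniq -c | awk '{ print $2 "\t" $1 }'
}

# clam_heuristic_paths [LOG] -> paths whose alert name starts with Heuristics.
clam_heuristic_paths() {
    clam_hits "${1:--}" | awk -F '\t' '$1 ~ /^Heuristics\./ { print $2 }'
}
```

Point the functions at the log written by the scan commands above, for example `clam_by_signature /home/$USER/Virus/Virus.txt`.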

*If you get AppArmor denials about clamd, set the profile to a complain-only mode:

$ sudo aa-complain clamd

Signatures compatible with ClamAV

• RFXN https://rfxn.com/projects/linux-malware-detect

• Malware Blocklist https://malwareblocklist.org

• YARA rules https://github.com/Cisco-Talos/clamav-documentation/blob/873bc5f95c1b79f94d7f55602b5e433423ba9705/src/manual/Signatures/YaraRules.md

https://infosecinstitute.com/resources/reverse-engineering/malware-analysis-clamav-yara

$ sudo apt install yara
$ sudo clamscan -d yara.rule -r /

ESET NOD32 Antivirus for Linux Desktop

https://eset.com/my/home/antivirus-linux/download


4.06 Updating

https://www.debian.org/doc/manuals/debian-handbook/sect.regular-upgrades.en.html

Apply security updates as quickly as possible. According to 2020 research conducted by Unit 42 at Palo Alto, approximately 80% of exploits are published faster than Common Vulnerabilities and Exposures (CVEs).

SYSTEMD Vs. CRON

sudo apt install systemd-cron ?

• Commands
$ sudo crontab -l 
$ sudo systemctl list-timers
$ systemctl start "service"
$ systemctl enable "service"
$ systemctl status "service"

Set up automatic updates on Debian



5. NETWORK

👷🛠️UNDER CONSTRUCTION🚧🏗

5.01 Router

Router Freedom - Open-source routers - Device Neutrality

https://docs.fsfe.org/en/teams/router-freedom-tech-wiki
https://fsfe.org/contribute/spreadtheword#device-neutrality

"There are a number of open-source options for routers that will take even a small consumer router and turn it into a powerful device with enterprise-level capabilities. My personal favorite is DD-WRT, but other popular options include pfSense, OpenWRT, and Tomato. While you can buy pre-flashed devices in some cases (FlashRouters for DD-WRT and Protectli for pfSense), I always encourage you to do it yourself if you’re comfortable to ensure maximum security (and also to be familiar with the update process). Having said all of this, if you are unsure if an open source router is right for you (the wealth of options can be overwhelming to some), I still encourage you to get a router that wasn’t provided by your ISP. Make sure it offers VLANs and VPN capabilities, as we will be using these heavily to protect your home."

https://thenewoil.org/en/guides/quick-start/wifi-guide

Examples of VPN routers and firmwares
Router Firmware
EdgeRouter and Ubiquiti
GL.iNet
Netduma
Netgear
MikroTik
Peplink/Pepwave
OpenWRT
AsusWRT Merlin
DD-WRT
DrayTek Vigor
OPNsense 19.1
Padavan
pfSense 2.4.4
pfSense 2.4.5
pfSense 2.5
Sabai
Tomato

https://openwrt.org
https://pfsense.org

Router Guide

https://avoidthehack.com/router-wireless-guide

  • Change the default router password
  • Turn off UPnP
  • Use the router’s firewall capabilities
  • Use sufficient Wi-Fi encryption
  • Set a strong Wi-Fi password
  • Change the Wi-Fi (SSID) name from the default
  • Hide the Wi-Fi (SSID)
  • Consider using open-source router firmware
  • Keep router firmware updated
  • Keep other software up to date

*These are solutions outside the military level. Forgetting Wi-Fi and using an RJ-45 to USB should be considered for home use.

*Misconfigured DNS settings on a router may lead to the device sending DNS queries to unintended DNS servers.


5.02 Network

Network Managers

NetworkManager (GUI)

$ sudo apt install network-manager-gnome

NetworkManager (CLI)

$ sudo apt install network-manager

  Commands 
    • Connecting WiFi manually with nmcli
    $ nmcli dev status
    $ nmcli radio wifi on
    • List wifi
    $ nmcli dev wifi list
    • Connect
    $ sudo nmcli dev wifi connect SSID(TAB)
    $ sudo nmcli --ask dev wifi connect SSID(TAB)
    • Disconnecting
    $ nmcli con down NAME 
    • Saved ones
    $ ls /etc/NetworkManager/system-connections/

  Commands
    • Editing
    $ nmcli connection edit
    $ nmcli connection edit type wifi
    $ nmcli c edit type vpn
    $ nmcli c up wificonnectionname
    $ nmcli c show wificonnectionname
    $ nmcli connection show
    $ nmcli connection reload
    • Activating MAC randomization
    $ nmcli connection modify NAME 802-11-wireless.mac-address-randomization always
  Config files
    $ sudo ls /etc/NetworkManager/
    $ sudo ls /etc/NetworkManager/system-connections/
    $ sudo nano /etc/NetworkManager/system-connections/mywifiname
    $ sudo nano /etc/NetworkManager/NetworkManager.conf

Connman

Connman (GUI)

$ sudo apt install connman-ui

Connman (CLI)

$ sudo apt install connman


Setting up networking without a network manager

https://unix.stackexchange.com/questions/253030/how-to-setup-network-without-wicd-or-networkmanager

Set up static networking. Only wlan0 is configured here because the connection is wireless; for a wired setup, just skip the wireless-related parts.

Show your interfaces:

$ ip a show

Note the default Ethernet and wifi interfaces:

It looks like our Ethernet port is eth0 and the WiFi radio is wlan0.

$ ip a show | awk  '/^[0-9]: /{print $2}'

The output of this command will look something like this:


lo:
eth0:
wlan0:

Your gateway IP address is found with:

$ sudo route -n

It provides access to destination 0.0.0.0 (everything). It is possibly 192.168.0.1, which is perfectly nominal.

Let’s do a bit of easy configuration in our /etc/network/interfaces file. The format of this file is not difficult to put together from the man page, but really, you should search for examples first. Plug in your Ethernet port.

Basically, we’re just adding DHCP entries for our interfaces. Above you’ll see a route to another network that appears when I get a DHCP lease on my Ethernet port. Next, add this:

auto lo
iface lo inet loopback
auto eth0
iface eth0 inet dhcp
auto wlan0
iface wlan0 inet dhcp

Next, enable and start the networking service:

sudo update-rc.d networking enable
sudo /etc/init.d/networking start

Let’s make sure this works, by resetting the port with these commands:

sudo ifdown eth0
sudo ip a flush eth0
sudo ifup eth0

This downs the interface, flushes the address assignment to it, and then brings it up. Test it out by pinging your gateway IP: ping 192.168.0.1. If you don’t get a response, your interface is not connected or you made a typo.

Let’s “do some WiFi” next! We want to make an /etc/wpa_supplicant.conf file. Consider mine:

network={
ssid="CenturyLink7851"
scan_ssid=1
key_mgmt=WPA-PSK
psk="4f-------------ac"
}

Now we can reset the WiFi interface and put this to work:

sudo ifdown wlan0
sudo ip a flush wlan0
sudo ifup wlan0
sudo wpa_supplicant -Dnl80211 -c /etc/wpa_supplicant.conf -iwlan0 -B
sudo dhclient wlan0

That should do it. Use a ping to find out, and do it explicitly from wlan0, so it gets its address first:

$ ip a show wlan0 | grep "inet"

Presumably dhclient updated your /etc/resolv.conf, so you can also do a:

ping -I 192.168.0.45 www.yahoo.com

You’re now running without NetworkManager!

How to reset Network Manager to default?

https://askubuntu.com/questions/637637/how-to-reset-network-manager-to-default


5.03 DNS

DNS Resolution

• The resolv.conf configuration file

https://wiki.debian.org/NetworkConfiguration
https://wiki.debian.org/resolv.conf
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/manually-configuring-the-etc-resolv-conf-file_configuring-and-managing-networking
https://github.com/jonathanio/update-systemd-resolved
https://freedesktop.org/software/systemd/man/systemd.network.html

• The resolvconf program

https://salsa.debian.org/debian/resolvconf

• The openresolv program

An open-source implementation of resolvconf to properly configure DNS and prevent DNS leaks.

https://roy.marples.name/projects/openresolv

• The systemd-resolved service

https://wiki.archlinux.org/title/Systemd-resolved
https://freedesktop.org/software/systemd/man/latest/systemd-resolved.service.html

• Avahi

https://wiki.debian.org/Avahi

Router DNS

https://developers.cloudflare.com/1.1.1.1/ip-addresses
https://opendns.com/setupguide
https://docs.fsfe.org/en/teams/router-freedom-tech-wiki

Misconfigured DNS settings on a router may lead to the device sending DNS queries to unintended DNS servers. Verify that the DNS servers for your WAN are set in your router.

Pi-hole ®

The Pi-hole ® is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software.

https://pi-hole.net
https://docs.pi-hole.net
https://reddit.com/r/pihole


5.04 Firewall

Visit our repo tree: 3.NETWORK/3.03_Firewall

Note that these commands show ports that are in a listening state, but that doesn’t necessarily mean that the ports are open to the internet, because our firewall may be denying connections.

• GUFW (GUI)

https://gufw.org
https://help.ubuntu.com/community/Gufw

$ sudo apt install gufw

• UFW (CLI)

https://launchpad.net/ufw
https://wiki.debian.org/Uncomplicated%20Firewall%20%28ufw%29
https://wiki.archlinux.org/title/Uncomplicated_Firewall
http://manpages.ubuntu.com/manpages/precise/man8/ufw.8.html
https://help.ubuntu.com/community/UFW
https://paulligocki.com/vpn-only-ufw-setup
https://linuxconfig.org/how-to-install-and-use-ufw-firewall-on-linux
https://openvpn.net
https://pypi.org/project/openpyn

$ sudo apt install ufw

∙ Generic UFW configuration (without VPN)
  Commands, basic to install UFW
    $ sudo apt install ufw
    $ sudo ufw enable
    $ sudo ufw status
    $ sudo nano /etc/default/ufw
     
      IPV6=no
     
    $ sudo nano /etc/sysctl.conf
     
      net.ipv6.conf.all.disable_ipv6 = 1
      net.ipv6.conf.default.disable_ipv6 = 1
      net.ipv6.conf.lo.disable_ipv6 = 1
      net.ipv6.conf.tun0.disable_ipv6 = 1
     
    $ sudo ufw default deny incoming 
    $ sudo ufw default allow outgoing
    $ sudo ufw status numbered
    $ sudo iptables -L --line-numbers
    $ sudo ufw delete 123
    $ sudo ufw reload
    $ sudo reboot
∙ Advanced

• R-fx Networks Projects - https://rfxn.com
• Vuurmuur Firewall - https://vuurmuur.org
• Port Checker - https://portchecker.co

Note: an AppArmor rule could prevent port use by an individual program.

  Commands, some advanced commands
    • Show which ports are listening for connections
    $ ss -tlnp

    • Check for open ports with nmap
    $ sudo apt install nmap
    $ sudo nmap localhost

    • Find the name and IP address of your tunnel
    $ ip -o addr | cut -d'\' -f 1

    • Handling DNS queries
    $ sudo apt install tcpdump
    $ sudo tcpdump -eni any port 53
    $ sudo tcpdump -eni any port 53 and host 172.27.10.22
    $ sudo tcpdump -n -i tun0 udp port 53

    • Show Iptables rules
    $ sudo iptables -L --line-numbers

    • Open TCP SSH PORT for VPN IP only
    $ sudo ufw allow from 1.2.3.4 to any port 22 proto tcp comment 'Open TCP SSH PORT for VPN IP only'

    • Open TCP Torrent PORT for VPN IP only
    $ sudo ufw allow in on tun0 from 10.8.0.0/16 to any port 60000 proto tcp comment 'Open TCP Torrent PORT for VPN IP only'
    • Port Forwarding to router 
    $ sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -p udp --dport 51413 -j ACCEPT

    • For uploading torrent
    $ sudo iptables -A OUTPUT -p udp --sport 51413 -j ACCEPT
    $ sudo ufw allow 51413/udp
    $ sudo iptables -L --line-numbers

    • Reset UFW
    $ sudo ufw reset

    • Troubles
    $ sudo apt purge iptables-persistent
∙ Custom application profile
  Commands
    $ sudo ls /etc/ufw/applications.d/
    $ sudo touch /etc/ufw/applications.d/ufw-custom
    $ sudo nano /etc/ufw/applications.d/ufw-custom
   
      [CustomApp 1 Full]
      title=The first Custom Application
      description=Custom Application Description
      ports=36892|23976|19827
      
      [CustomApp 1 TCP]
      title=The first Custom Application - TCP only
      description=Custom Application Description
      ports=36892,23976,19827/tcp
      
      [CustomApp 1 UDP]
      title=The first Custom Application - UDP only
      description=Custom Application Description
      ports=36892,23976,19827/udp
    
    • Check if the syntax is correct 
    $ sudo ufw app info "CustomApp 1 Full"
    • Create new rule based on this profile
    $ sudo ufw allow in on tun0 to any app "CustomApp 1 Full"
    • Check
    $ sudo ufw status numbered | grep CustomApp
∙ Configure NAT with UFW
  Commands
    $ sudo nano /etc/default/ufw
   
      DEFAULT_FORWARD_POLICY="ACCEPT"
   
    $ sudo nano /etc/ufw/sysctl.conf
   
      net/ipv4/ip_forward=1 
   
    $ sudo nano /etc/ufw/before.rules
   
      # NAT table rules
      *nat
      :POSTROUTING ACCEPT [0:0]
      
      # Forward traffic through eth0 - Change to match your out-interface
      -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
      
      # don't delete the 'COMMIT' line or these nat table rules won't be processed
      COMMIT
   
    $ sudo ufw disable
    $ sudo ufw enable
∙ Configure Port Forwarding with UFW
  Commands
    $ sudo nano /etc/ufw/before.rules
   
      :PREROUTING ACCEPT [0:0] 
      -A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.120:80 
      -A PREROUTING -i eth0 -d 150.129.148.155 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.120:443 
      -A POSTROUTING -s 192.168.1.0/24 ! -d 192.168.1.0/24 -j MASQUERADE 
   
    $ sudo ufw disable
    $ sudo ufw enable
    $ sudo ufw allow proto tcp from any to 150.129.148.155 port 80
    $ sudo ufw allow proto tcp from any to 150.129.148.155 port 443

5.05 VPN

• Buying VPN Services

∙ Choosing the VPN that's right for you - https://ssd.eff.org/en/module/choosing-vpn-thats-right-you
∙ Choosing the best VPN (for you) - https://reddit.com/r/VPN/comments/4iho8e/that_one_privacy_guys_guide_to_choosing_the_best/?st=iu9u47u7&sh=459a76f2
∙ r/vpnrecommendations - https://reddit.com/r/vpnrecommendations
∙ r/VPN - https://reddit.com/r/VPN
∙ r/VPNTorrents - https://reddit.com/r/VPNTorrents
∙ VPN Alert - https://vpnalert.com
∙ VPN-reviews - https://github.com/techlore/VPN-reviews
∙ Mullvad - https://mullvad.net
∙ Mullvad - http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion
∙ Private Internet Access (PIA) - https://privateinternetaccess.com
∙ ProtonVPN - https://protonvpn.com
∙ IVPN - https://ivpn.net
∙ AirVPN - https://airvpn.org
∙ VPN.XXX - https://vpn.xxx
∙ Windscribe - https://windscribe.com
∙ ExpressVPN - https://expressvpn.com/vpnmentor1
∙ NordVPN - https://nordvpn.com

• VPN Guides and Tutorials

∙ That One Privacy Site - https://thatoneprivacysite.net/vpn-section
∙ privacytools.io - https://privacytools.io
∙ VPN over SSH - https://wiki.archlinux.org/index.php/VPN_over_SSH

• Creating your own VPN with VPS

• VPN Protocols


5.06 OpenVPN

OpenVPN

https://openvpn.net/community-resources/how-to/
https://wiki.debian.org/OpenVPN
https://debian-handbook.info/browse/stable/sect.virtual-private-network.html
https://debian.org/doc/manuals/securing-debian-manual/vpn.en.html
https://wiki.archlinux.org/index.php/OpenVPN
https://wiki.archlinux.org/index.php/OpenVPN#DNS
https://ubuntu.com/core/docs/networkmanager/configure-vpn
https://community.openvpn.net
https://github.com/OpenVPN/openvpn/tree/master/sample/sample-config-files
https://linuxconfig.org/how-to-run-openvpn-automatically-on-debian-with-a-static-ip-address
https://linuxconfig.org/how-to-encrypt-your-dns-with-dnscrypt-on-ubuntu-and-debian
  OpenVPN Sample Configuration Files
    $ sudo ls /usr/share/doc/openvpn
    $ zless /usr/share/doc/openvpn/README.Debian.gz

OpenVPN Client Possibilities

OpenVPN + Network Manager (GUI) + Autostart + Autoconnect + Kill Switch
OpenVPN + nmcli (CLI) + Autostart + Autoconnect + Kill Switch

*Autoconnect: random server selection

Installing OpenVPN with NetworkManager (GUI)

You can use NetworkManager's graphical VPN editor by providing the key and certificates.

  Commands GUI
    $ sudo apt install network-manager-openvpn-gnome
    $ nm-connection-editor

"Find a network connection, open its settings, then under General, enable Automatically connect to VPN. After saving, a secondaries= line is added in that network's configuration file in the [connection] section. It will contain a list of secondary connection UUIDs to be activated. The configuration file is usually /etc/NetworkManager/system-connections/."

Import OVPN to NetworkManager in terminal

Copy the OpenVPN configuration from your VPN provider into /etc/openvpn
  Commands nmcli, to easy import
    $ sudo nmcli connection import type openvpn file /etc/openvpn/client/cc00-myvpn.com_tcp.ovpn
    $ nmcli connection show
    $ nmcli connection up myopvnname
    $ nmcli connection show 
    $ ip route
    $ nmcli connection edit type wifi
    $ nmcli c edit type vpn
    $ nmcli c up wificonnectionname
    $ nmcli c show wificonnectionname
    $ nmcli connection show
    $ nmcli connection reload
    $ sudo service openvpn restart
    $ sudo service NetworkManager restart
    $ sudo systemctl status NetworkManager 

Editing OVPN with NetworkManager in terminal

  Config files
    $ sudo ls /etc/NetworkManager/
    $ sudo ls /etc/NetworkManager/system-connections/
    $ sudo nano /etc/NetworkManager/system-connections/mywifiname
    $ sudo nano /etc/NetworkManager/NetworkManager.conf

Installing OpenVPN (CLI)

  Commands
    $ sudo apt install resolvconf
    $ sudo systemctl enable --now resolvconf.service
    $ sudo apt install openvpn
    • Copy the OpenVPN configuration from your VPN provider into /etc/openvpn
    $ sudo wget https://vpnprovider.com/openvpn.zip
    $ sudo unzip openvpn.zip
    $ sudo rm openvpn.zip
    $ cd /etc/openvpn
    • Instead of .ovpn extension, OpenVPN on Linux uses .conf 
      for config files. Rename them accordingly, you could simply
      substitute it in the appropriate file name with copy
    $ sudo cp cc00-myvpn_tcp.ovpn /etc/openvpn/client/client.conf
    • Alternatively, rename and copy in batch
    $ sudo rename 's/\.ovpn$/.conf/' openvpn/*.ovpn
    $ sudo cp openvpn/* /etc/openvpn

*resolvconf vs. systemd-resolved

*resolvconf vs. openresolv

Basic OpenVPN Connection (Manual connection for test)

    • Basic connection, OpenVPN will ask for a username and
      password each time you want to connect, and that's
      not a good headless setup.
    $ sudo openvpn cc00-myvpn.com_tcp.ovpn
      Enter Auth Username: 
      Enter Auth Password: (press TAB for no echo)
    • You can autoconnect with a saved username and password:
      create another file in the OpenVPN folder called auth.txt.
      Inside that file, put your VPN username on the first
      line and your password on the second one.
    $ sudo touch /etc/openvpn/auth.txt
    $ sudo nano /etc/openvpn/auth.txt
      user
      password
    $ sudo chmod 600 /etc/openvpn/auth.txt
    • You can autoconnect with saved login
    $ sudo openvpn --config cc00-myvpn.com_tcp.ovpn --auth-user-pass /etc/openvpn/auth.txt
      (...)
      Initialization Sequence Completed

Basic connection with autoconnect and DNS resolver, make OpenVPN update its nameservers when it starts and exits.

  Commands
    $ openvpn --script-security 2 --config cc00-myvpn.com_tcp.ovpn 
    • Or
    $ sudo openvpn --config cc00-myvpn.com_tcp.ovpn --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf --script-security 2 --auth-user-pass /home/user/auth

Creating an autologin file

    • Configuring auth manually 
    $ sudo touch /home/user/auth
    $ sudo nano /home/user/auth
              user
              password
    • A little protection
    $ sudo chmod 600 /home/user/auth

OpenVPN Random Server Selection and Autologin

👷🛠️UNDER CONSTRUCTION🚧🏗

https://openvpn.net/community-resources/how-to/#auth

You could use the client.conf example below to connect to a randomly selected server among several and log in automatically with the auth file. Make each configuration refer to the auth file by appending some directives at the end. Also set keepalive, write a log to facilitate troubleshooting, and automatically run a script called update-resolv-conf, which may be necessary for DNS resolution to work correctly when the VPN is turned on and off. On Debian, this script is included with the OpenVPN installation.

    • Configuring client.conf manually 
    $ sudo nano /etc/openvpn/client/client.conf
client
dev tun

#Is it a TCP or UDP server?
proto tcp

remote my-server-1.com 1194
remote my-server-2.com 1194
remote my-server-3.com 1194
remote my-server-4.com 1194
remote my-server-5.com 1194
remote my-server-6.com 1194
remote my-server-7.com 1194
remote my-server-8.com 1194
remote my-server-9.com 1194
remote my-server-10.com 1194
remote-random #Chooses a random server from the list above
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no #Enable it if enabled in the server
verify-x509-name CN=my.vpn-1.com

#Protect against MITM see http://openvpn.net/howto.html#mitm
remote-cert-tls server 

#Your autologin config
auth-user-pass /etc/openvpn/client/auth

#OpenVPN DNS Resolver
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

#Others
keepalive 10 60
log-append /var/log/openvpn.log

verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512


# SSL/TLS parms. See the server config
# file for more description. It's best
# to use a separate .crt/.key file pair
# for each client. A single ca file can
# be used for all clients.

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
    • Configuring client.conf automatically
    $ cd /etc/openvpn/client/
    $ sudo tee client.conf > /dev/null << 'EOF'
client
dev tun

#Is it a TCP or UDP server?
proto tcp

remote my-server-1.com 1194
remote my-server-2.com 1194
remote my-server-3.com 1194
remote my-server-4.com 1194
remote my-server-5.com 1194
remote my-server-6.com 1194
remote my-server-7.com 1194
remote my-server-8.com 1194
remote my-server-9.com 1194
remote my-server-10.com 1194
remote-random #Chooses a random server from the list above
resolv-retry infinite
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0
comp-lzo no #Enable it if enabled in the server
verify-x509-name CN=my.vpn-1.com

#Protect against MITM see http://openvpn.net/howto.html#mitm
remote-cert-tls server 

#Your autologin config
auth-user-pass /etc/openvpn/client/auth 

#OpenVPN DNS Resolver
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

#Others
keepalive 10 60
log-append /var/log/openvpn.log

verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512


# SSL/TLS parms. See the server config
# file for more description. It's best
# to use a separate .crt/.key file pair
# for each client. A single ca file can
# be used for all clients.

<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
EOF
    • Configuring client.conf automatically in batch
$ echo 'auth-user-pass /etc/openvpn/client/auth
keepalive 10 60
log-append /var/log/openvpn.log
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf' | tee -a openvpn/*.conf

Create an autologin file
    • Configuring auth manually 
    $ sudo touch /etc/openvpn/client/auth
    $ sudo nano /etc/openvpn/client/auth
              user
              password
    • Configuring auth automatically 
    • printf writes each argument on its own line: the username
      on the first line and the password on the second, with no
      leading spaces.
    $ printf '%s\n' 'user' 'password' | sudo tee /etc/openvpn/client/auth > /dev/null
    • A little protection
    # chmod 600 /etc/openvpn/client/auth
    • Load daemon
    $ sudo openvpn --config /etc/openvpn/client/client.conf --daemon
    • Alternatively
    $ sudo install -m 600 /dev/null /etc/openvpn/client/auth
    $ sudo bash -c 'echo "USERNAME" >> /etc/openvpn/client/auth'
    $ sudo bash -c 'echo "PASSWORD" >> /etc/openvpn/client/auth'
    # chmod 600 /etc/openvpn/client/auth
    • Load daemon
    $ sudo openvpn --config /etc/openvpn/client/client.conf --daemon
    • Alternatively
    $ sudo su
    # echo 'myuser' >> /etc/openvpn/client/auth
    # echo 'mypassword' >> /etc/openvpn/client/auth
    # chmod 600 /etc/openvpn/client/auth
    • Load daemon
    $ sudo openvpn --config /etc/openvpn/client/client.conf --daemon
    • Alternatively
    $ sudo su
    # echo 'myuser' | tee --append /etc/openvpn/client/auth
    # echo 'mypassword' | tee --append /etc/openvpn/client/auth
    # chmod 600 /etc/openvpn/client/auth
    • Load daemon
    $ sudo openvpn --config /etc/openvpn/client/client.conf --daemon
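
Added example, not part of the original cookbook: a shell audit of a client.conf like the one above. It checks the MITM directives, the script-security level needed by the up/down DNS scripts, and that the auth-user-pass file is owner-only. The function names and the sample files written by write_sample are constructed for illustration; stat -c is the GNU coreutils form found on Debian.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client config for the settings this section
# relies on. Function names and sample files are constructed for illustration.

# Print the arguments of the first occurrence of directive NAME in FILE,
# skipping comment lines and stripping trailing "#..." or ";..." comments.
ovpn_directive() {  # usage: ovpn_directive FILE NAME
    awk -v name="$2" '
        /^[ \t]*[#;]/ { next }
        {
            sub(/[ \t]*[#;].*$/, "")
            if ($1 == name) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
        }' "$1"
}

audit_fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

# Print one FAIL line per problem; return 0 when clean, 1 otherwise.
audit_openvpn_client() {  # usage: audit_openvpn_client CONFIG
    conf=$1
    findings=0

    # MITM protection: the peer certificate must carry server key usage.
    [ "$(ovpn_directive "$conf" remote-cert-tls)" = "server" ] ||
        audit_fail "'remote-cert-tls server' is missing"

    # Pin the expected server certificate name as well.
    [ -n "$(ovpn_directive "$conf" verify-x509-name)" ] ||
        audit_fail "verify-x509-name is not set"

    # up/down scripts only run at script-security 2 (the default is 1).
    # Level 3 also passes passwords to scripts through the environment.
    level=$(ovpn_directive "$conf" script-security)
    level=${level:-1}
    level=${level%% *}
    if [ -n "$(ovpn_directive "$conf" up)" ] && [ "$level" -lt 2 ]; then
        audit_fail "up script set but script-security is $level (DNS script will not run)"
    fi
    [ "$level" -le 2 ] || audit_fail "script-security $level exposes passwords to scripts"

    # The autologin file stores the VPN password in clear text.
    auth=$(ovpn_directive "$conf" auth-user-pass)
    if [ -z "$auth" ]; then
        :   # interactive login, nothing stored on disk
    elif [ ! -f "$auth" ]; then
        audit_fail "auth file $auth does not exist"
    else
        mode=$(stat -c '%a' "$auth")
        case $mode in
            600|400) ;;
            *) audit_fail "$auth has mode $mode, expected 600" ;;
        esac
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample modelled on the client.conf above (certificates omitted).
write_sample() {  # usage: write_sample DIR AUTH_MODE
    printf '%s\n' 'user' 'password' > "$1/auth"
    chmod "$2" "$1/auth"
    cat > "$1/client.conf" <<EOF
client
dev tun
proto tcp
remote my-server-1.com 1194
remote-random #Chooses a random server
verify-x509-name CN=my.vpn-1.com
remote-cert-tls server
auth-user-pass $1/auth
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
EOF
}

# Demo: the same config with a world-readable, then an owner-only auth file.
demo=$(mktemp -d)
write_sample "$demo" 644
audit_openvpn_client "$demo/client.conf" || echo "-> fix the findings above"
chmod 600 "$demo/auth"
audit_openvpn_client "$demo/client.conf" && echo "OK: no findings"
rm -rf "$demo"
```
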
OpenVPN DNS Resolver

👷🛠️UNDER CONSTRUCTION🚧🏗

https://wiki.archlinux.org/title/OpenVPN#DNS
https://github.com/jonathanio/update-systemd-resolved

"By default, all configured VPNs in /etc/openvpn/ are started during system boot. Edit /etc/default/openvpn to start specific VPNs or to disable this behavior. You need to run systemctl daemon-reload once to enable new VPNs."

  Commands
    $ sudo su
    # cd /etc/openvpn/client
    # echo "script-security 2" >> /etc/openvpn/client/openvpn.conf
    # echo "up /etc/openvpn/update-resolv-conf" >> /etc/openvpn/client/openvpn.conf
    # echo "down /etc/openvpn/update-resolv-conf" >> /etc/openvpn/client/openvpn.conf

Solving DNS problems with OpenVPN

https://openvpn.net/vpn-server-resources/troubleshooting-dns-resolution-problems

OpenVPN DNS

👷🛠️UNDER CONSTRUCTION🚧🏗

$ sudo apt install resolvconf

* Consider $ sudo apt install openvpn-systemd-resolved

$ sudo nano /etc/openvpn/update-resolv-conf

$ sudo mv /etc/resolv.conf /etc/resolv.conf.bak

• Add these lines to your openvpn client.conf:

$ nano client.conf

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

You could run openvpn with the DNS resolver

$ openvpn --script-security 2 --config cc00-myvpn.com_tcp.ovpn

Disabling OpenVPN's client DNS

$ sudo nano /etc/openvpn/client/client.conf

#Actual DNS name
dhcp-option DNS 10.10.10.10

Take care with DNS leaks

curl ipleak.net/json/
curl ipinfo.io

#IPV4
pull-filter ignore "dhcp-option DNS"

#IPV6
pull-filter ignore "dhcp-option DNS6"

Disabling NetworkManager's own dnsmasq

👷🛠️UNDER CONSTRUCTION🚧🏗

$ sudo nano /etc/NetworkManager/NetworkManager.conf

#dns=dnsmasq

$ sudo systemctl restart NetworkManager

NetworkManager dnsmasq (CLI)

DNS requests are directed to the VPN-supplied DNS servers without any manipulation of dnsmasq or up/down/dispatch helper scripts.

nmcli -p connection modify MY_VPN_CONNECTION ipv4.never-default no
nmcli -p connection modify MY_VPN_CONNECTION ipv4.ignore-auto-dns no
nmcli -p connection modify MY_VPN_CONNECTION ipv4.dns-priority -42

*Using OpenVPN through NetworkManager (GUI) allows users to disable the connection.

Enable OpenVPN as service at boot

To make OpenVPN automatically connect with a certain configuration, set the AUTOSTART directive in /etc/default/openvpn to the configuration filename without the extension.

  Commands
    • At boot, by default client.conf is enabled
    $ sudo ls /etc/openvpn/client
    • Set the AUTOSTART directive
    $ sudo nano /etc/default/openvpn
                AUTOSTART="nameofopvnconfigfile"
    • Save or edit your configuration with
    $ sudo nano /etc/openvpn/client/.conf
    • Alternatively
    $ echo 'AUTOSTART="nameofopvnconfigfile"' | sudo tee -a /etc/default/openvpn
    • Enable the service by calling 
    $ sudo systemctl start openvpn-client@nameofopvnconfigfile
    $ sudo systemctl enable openvpn-client@nameofopvnconfigfile
    • Verify
    $ sudo cat /etc/default/openvpn
    • Load OpenVPN and connect
    $ sudo systemctl daemon-reload 
    $ sudo systemctl restart openvpn

Test if the killswitch is working
$ sudo systemctl start openvpn-client@
$ sudo systemctl stop openvpn-client@
$ sudo systemctl status openvpn-client@
$ curl ipleak.net/json/
$ curl ipinfo.io

OpenVPN UFW kill switch

👷🛠️UNDER CONSTRUCTION🚧🏗

Set up a firewall to deny everything but the VPN handshake on the regular interfaces eth0 and wlan0 while placing no restrictions on tun0.

$ sudo su
# apt install ufw
# ufw allow in on tun0
# ufw allow out on tun0
# ufw allow out on eth0 from any to any port 53
# ufw allow out on wlan0 from any to any port 53
# ufw allow out on eth0 from any to any port 1198
# ufw allow out on wlan0 from any to any port 1198
# ufw deny in on eth0
# ufw deny in on wlan0
# ufw deny out on eth0
# ufw deny out on wlan0
# ufw enable

Testing killswitch

$ sudo systemctl start openvpn-client@
$ sudo systemctl stop openvpn-client@
$ sudo systemctl status openvpn-client@
$ curl ipleak.net/json/
$ curl ipinfo.io
$ sudo systemctl stop openvpn
$ curl --connect-timeout 5 ipinfo.io

OpenVPN DNS

👷🛠️UNDER CONSTRUCTION🚧🏗

resolv-conf

$ sudo apt install resolvconf

"Parses DHCP options from openvpn to update resolv.conf . To use set as 'up' and 'down' script in your openvpn *.conf:

up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

"Example envs set from openvpn:"

foreign_option_1='dhcp-option DNS 193.43.27.132'
foreign_option_2='dhcp-option DNS 193.43.27.133'
foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
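
How those variables become resolver entries, as an added sketch (this is not the update-resolv-conf script itself): the function name is hypothetical, the first three values are the ones quoted above, and the fourth is constructed. Because the VPN server chooses these values, the sketch validates each one before it would reach resolv.conf.

```shell
#!/bin/sh
# Added example: turn OpenVPN's foreign_option_N variables into resolv.conf
# lines. resolv_lines_from_foreign_options is a hypothetical helper name.

resolv_lines_from_foreign_options() {
    i=1
    search=""
    servers=""
    while :; do
        # foreign_option_1..N are numbered without gaps; stop at the first unset one.
        eval "opt=\${foreign_option_$i-}"
        [ -n "$opt" ] || break
        # Split "dhcp-option TYPE VALUE" without globbing or re-evaluating it.
        read -r kind type value _rest <<EOF
$opt
EOF
        if [ "$kind" = "dhcp-option" ]; then
            case $type in
                DNS|DNS6)
                    # Only characters that can occur in an IPv4/IPv6 address.
                    case $value in
                        ''|*[!0-9a-fA-F.:]*) echo "skipped: $opt" >&2 ;;
                        *) servers="$servers$value " ;;
                    esac ;;
                DOMAIN)
                    # Only characters that can occur in a DNS name.
                    case $value in
                        ''|*[!A-Za-z0-9.-]*) echo "skipped: $opt" >&2 ;;
                        *) search="$search $value" ;;
                    esac ;;
            esac
        fi
        i=$((i + 1))
    done
    [ -z "$search" ] || echo "search$search"
    for s in $servers; do echo "nameserver $s"; done
}

# Values quoted above, plus one constructed entry that is not an IP address.
foreign_option_1='dhcp-option DNS 193.43.27.132'
foreign_option_2='dhcp-option DNS 193.43.27.133'
foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
foreign_option_4='dhcp-option DNS resolver.example'   # constructed, rejected
resolv_lines_from_foreign_options
```
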

openvpn-systemd-resolved

$ sudo apt install openvpn-systemd-resolved

"OpenVPN helper to add DHCP information into systemd-resolved via DBus.(...)This script will parse DHCP options set via OpenVPN (dhcp-option) to update systemd-resolved directly via DBus, instead of updating /etc/resolv.conf. To install, set as the 'up' and 'down' script in your OpenVPN configuration file or via the command-line arguments, alongside setting the 'down-pre' option to run the 'down' script before the device is closed. For example:"

up /etc/openvpn/scripts/update-systemd-resolved
down /etc/openvpn/scripts/update-systemd-resolved
down-pre


5.07 WireGuard

∙ WireGuard

https://github.com/WireGuard
https://wiki.ubuntuusers.de/WireGuard

$ sudo apt install wireguard
$ sudo apt install wireguard-tools


5.08 strongSwan

strongSwan

https://github.com/strongswan/strongswan
https://docs.strongswan.org/docs/5.9/index.html
https://docs.strongswan.org/docs/5.9/config/IKEv2.html
https://docs.strongswan.org/docs/5.9/config/logging.html

strongSwan (Client Side)

$ sudo apt install strongswan-charon
$ sudo apt install libcharon-extra-plugins
$ sudo apt install libcharon-extauth-plugins
• Add username and password
$ sudo nano /etc/ipsec.secrets
Username : EAP "Password"
• Configure
$ sudo su
Password:


sudo printf '%s\n\t' 'conn MyVPN' 'keyexchange=ikev2' 'dpdaction=clear' 'dpddelay=300s' 'eap_identity="USERNAME"' 'leftauth=eap-mschapv2' 'left=%defaultroute' 'leftsourceip=%config' 'right=SERVER_IP' 'rightauth=pubkey' 'rightsubnet=0.0.0.0/0' 'rightid=%SERVER_HOSTNAME' 'rightca=/etc/ipsec.d/cacerts/VPN.pem' 'type=tunnel' 'auto=add' > /etc/ipsec.conf


• Inside the file change load = yes to load = no.
$ sudo nano /etc/strongswan.d/charon/constraints.conf
• Download the VPN certificate.
$ sudo wget https://download/certificate/root.pem -O /etc/ipsec.d/cacerts/VPN.pem

• Connecting
$ sudo ipsec restart
$ sudo ipsec up MyVPN
“Connection VPN has been established successfully”.
• Disconnecting
$ sudo ipsec down MyVPN
• Debugging
$ sudo cat /var/log/syslog
$ sudo ls /etc/strongswan.d/charon/

5.09 Firewall + VPN

∙ Firewall (UFW) + VPN (OpenVPN)

  Commands to setup UFW + OpenVPN
    • You could add specifically rules for each port separately on tun0 (VPN tunnel interface)
    $ sudo ufw allow in on tun0 to any port 60000 proto tcp
    $ sudo ufw allow in on tun0 to any port 60000 proto udp

    • You could test to connect in and out to anywhere on tun0
    $ sudo ufw allow in on tun0
    $ sudo ufw allow out on tun0

    • To allow access only from a specific address you could use
    $ sudo ufw allow in on tun0 from 192.168.0.1 to any port 60000 proto tcp

    • Allow OpenVPN to connect to the regular network interface (e.g. eth0, wlan0...)
      through the ports present in the .ovpn file (e.g. DNS resolution on
      port 53 and VPN server on 1198...)
    $ sudo ufw allow out on eth0 from any to any port 53,1198

    • Consider these tcp or udp rules
    $ sudo ufw allow out on eth0 to any port 53,1197 proto tcp
    $ sudo ufw allow out on eth0 to any port 53,1197 proto udp

    • For a hard policy, working only with tun0, you could block the rest and enable the firewall
    $ sudo ufw deny in on eth0
    $ sudo ufw deny out on eth0

    • Then review the rules and enable the firewall
    $ sudo ufw status numbered 
    $ sudo ufw enable
    $ sudo ufw reload
    $ sudo reboot
  Commands to secure the server with iptables
    • Allow everything from within your VPN
    $ sudo iptables -I INPUT -i tun0 -j ACCEPT

    • Explicitly allow what can be accessed within the VPN, for example, allow DNS and HTTP
    $ sudo iptables -A INPUT -i tun0 -p tcp --destination-port 53 -j ACCEPT
    $ sudo iptables -A INPUT -i tun0 -p udp --destination-port 53 -j ACCEPT
    $ sudo iptables -A INPUT -i tun0 -p tcp --destination-port 80 -j ACCEPT

    • To enable SSH and VPN access from anywhere.
    $ sudo iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
    $ sudo iptables -A INPUT -p tcp --destination-port 1194 -j ACCEPT
    $ sudo iptables -A INPUT -p udp --destination-port 1194 -j ACCEPT

    • To explicitly allow TCP/IP to do "three-way handshakes"
    $ sudo iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    • To allow any loopback traffic, the server is allowed to talk to itself 
    $ sudo iptables -I INPUT -i lo -j ACCEPT

    • To reject access from anywhere else 
    $ sudo iptables -P INPUT DROP

    • To list rules
    $ sudo iptables -L --line-numbers

(*ip6tables)

Troubleshooting iptables

$ sudo systemctl restart servicedaemon.service
$ sudo systemctl restart service.service
$ sudo iptables -S
$ ping google.com

5.10 Leak Test

Leak Test

∙ DNSLeakTest.com (run the "Extended test")
∙ IPLeak.net
∙ Mullvad DNS Leak Test
∙ Surfshark DNS Leak Test
∙ BrowserLeaks IP Test
∙ IPX.AC DNS Leak Test

You could check your current public IP address with 'ipleak.net' and compare it to the one you had before connecting. If they match, your VPN is not working correctly.

$ curl ipleak.net/json/
$ curl ipinfo.io
$ curl --connect-timeout 5 ipinfo.io


5.11 Spoofing

https://github.com/alobbs/macchanger
https://github.com/refraction-networking/utls
https://github.com/0xsirus/tirdad

• Address Spoof

  Commands for a random MAC address
    $ ip link
    $ sudo ifconfig wlan0 down
    $ sudo macchanger -r wlan0
    • Shows specified MAC Address of NIC
    $ sudo macchanger -s wlan0
    $ sudo ifconfig wlan0 up

• Opt-Out WLAN-SSID

∙ To opt-out of global maps (https://wigle.net), rename your network WiFi SSID to
 <SSID>_optout_nomap 
∙ To opt-out of Mozilla Location Services

Go to https://location.services.mozilla.com/optout


5.12 Others

• Torrenting

https://portforward.com
https://wiki.wireshark.org/BitTorrent
https://github.com/LiamTheBox/Torrent-With-A-VPN
https://github.com/mdlam92/vpn_torrenting
https://github.com/tool-maker/VPN_just_for_torrents/wiki
https://askubuntu.com/questions/559016/ufw-rules-dont-block-deluge
https://transmissionbt.com
https://comparitech.com/blog/vpn-privacy/how-to-make-a-vpn-kill-switch-in-linux-with-ufw

👷🛠️UNDER CONSTRUCTION🚧🏗

Transmission remotely access

  Commands for remote Transmission
    $ sudo apt-get install transmission-cli
    $ sudo apt-get install transmission-common
    $ sudo apt-get install transmission-daemon
    $ sudo service transmission-daemon stop
    • To 
    $ sudo nano /etc/transmission-daemon/settings.json
    > "rpc-whitelist": "127.0.0.1,192.168.*.*",
    > "rpc-whitelist-enabled": true,
    • To change the download directory
    > "download-dir": "/home/user/Downloads",
    $ sudo service transmission-daemon start
    • To find local IP address
    $ hostname -I
    • To find local MAC address
    $ sudo cat /sys/class/net/eth0/address 
    • In your browser
    > http://192.168.0.15:9091
    > Login: transmission
    > Password: transmission


6. SOFTWARES

6.01 Office Softwares
  Office Suites

Libre Office

https://libreoffice.org
https://wiki.documentfoundation.org/Documentation/Install/Linux

Libre Office - Extensions

   Language Tool
   Zotero

Libre Office - Tips and Tricks
Cursor Position

In general, all documents open with the cursor at the start of the document.

One exception appears when the author of a Writer text document saves and reopens a document: The cursor will be at the same position where it has been when the document was saved. This only works when the name of the author was entered in Tools - Options - LibreOffice - User Data.

Press Shift+F5 to set the cursor to the last saved position.

Version Management

The File menu contains a Versions command that enables you to save multiple versions of a document in the same file.

You can choose to view individual versions of a document, or you can display the differences between versions with color markings.

In the dialog to open a document, you can select from a combo box which version of this document you want to open.

Saving Documents Automatically

To create a backup file every time you save a document, choose Tools - Options - Load/Save - General.

Mark Always create backup copy.

If the Always create backup copy option is selected, the old version of the file is saved to the backup directory whenever you save the current version of the file.

You can change the backup directory by choosing Tools - Options - LibreOffice - Paths, then change the Backups path in the dialog.

The backup copy has the same name as the document, but the extension is .BAK. If the backup folder already contains such a file, it will be overwritten without warning.

To save recovery information automatically every n minutes, choose Tools - Options - Load/Save - General.

Mark Save AutoRecovery information every and select the time interval.

This command saves the information necessary to restore the current document in case of a crash. Additionally, in case of a crash LibreOffice tries automatically to save AutoRecovery information for all open documents, if possible.

Zotero

Zotero - Your personal research assistant.

Zotero

Zotero - Support

Zotero - Default Translators

Zotero - Item Types and Fields

Zotero - Citing Fields from "Extra" (Exporting - Extra fields)

Place (Publisher and Publisher Place) | publisher: Publisher; publisher-place: Publisher Place | For Presentations, the place where the meeting was held or the presentation was made. For Conference Papers (published in a conference proceedings), use this field for the place where the proceedings was published. If separate locations are needed for the publication place and the location of the conference, leave this field blank and add Event Place and Publisher Place fields to Extra.
Archive Place | archive-place: Archive Place | The geographic location of an archive.
Original Title | original-title: Original Title | The original title of a work (e.g., the untranslated title).
Original Publisher | original-publisher: Original Publisher | The publisher of the original version of an item (e.g., the untranslated version).
Original Publisher Place | original-publisher-place: Original Publisher Place | The geographic location of the publisher of the original version of an item (e.g., the untranslated version).
Issue Date, Date Decided or Enacted | issued: Issue Date | The original date an item was published. Enter in ISO format (year-month-day).
Submitted Date or Filing Date | submitted: Submitted | The date an item was submitted for publication.
Access Date | Accessed | Date an electronic resource was accessed.
Event Date | event-date: Event Date | The date an event took place. Enter in ISO format (year-month-day).
Original Date | original-date: Original Date | The original date an item was published. Enter in ISO format (year-month-day).

Zotero - Groups

Zotero - Importing standardized bib. formats

*Importing bibliographic data: the most popular formats are BibLaTeX (.bib), RIS (.ris) and MODS (.xml).

Juris-M (For Legal Citations)

Jurism is based on the Zotero reference manager, to which it adds features for handling legal and multilingual resources.

Use Juris-M for heavy or frequent legal citations of US, UK and GE legal cases and legislation.

It is possible to create proper citation for basic legal citations in Zotero, particularly if only a few such citations are needed.

Juris-M
Zotero - Legal Citations: Juris-M


  Document Converter

Libre Office (Headless)

https://help.libreoffice.org/latest/en-US/text/shared/guide/convertfilters.html

$ sudo apt install -y libreoffice (CLI)

  Commands for libreoffice headless
    • Syntax
    $ soffice --convert-to OutputFileExtension[:OutputFilterName[:OutputFilterParams[,param]]] [--outdir output_dir]
    • To convert a DOCX file to PDF
    $ soffice --headless --convert-to pdf:writer_pdf_Export --outdir /home/user *.docx
    $ soffice --headless --convert-to pdf:writer_pdf_Export:ExportNotesPages=True --outdir /home/user *.docx
    • To convert an ODT file to PDF
    $ soffice --headless --convert-to pdf:writer_pdf_Export --outdir /home/user *.odt
    • To convert an ODT file to DOCX
    $ soffice --headless --convert-to docx:"MS Word 2007 XML" --outdir /home/user *.odt
    • To convert a PPTX file to PDF
    $ soffice --headless --convert-to pdf:impress_pdf_Export --outdir /home/user *.pptx
    $ soffice --headless --convert-to pdf:impress_pdf_Export:ExportNotesPages=True --outdir /home/user *.pptx
    • To convert an XLSX file to PDF
    $ soffice --headless --convert-to pdf:calc_pdf_Export --outdir /home/user *.xlsx
    • To convert an HTML file to PDF
    $ soffice --headless --convert-to pdf:writer_web_pdf_Export --outdir /home/user *.html

Output as PDF

To control which LibreOffice component generates the PDF output, use one of these variants:

--convert-to pdf:writer_pdf_Export
--convert-to pdf:calc_pdf_Export
--convert-to pdf:draw_pdf_Export
--convert-to pdf:impress_pdf_Export
--convert-to pdf:writer_web_pdf_Export

Input which is not DOCX

To enforce infilters for non-DOCX input formats, you could use (list is not complete):

--infilter="HTML Document"                      # for HTML input
--infilter="MediaWiki"                          # for MediaWiki input
--infilter="Text CSV"                           # for CSV spreadsheet input
--infilter="Microsoft PowerPoint 2007/2010 XML" # for PPTX input
--infilter="Microsoft PowerPoint 97/2000/XP"    # for PPT input
--infilter="Windows Metafile"                   # for WMF input
--infilter="Enhanced Metafile"                  # for EMF input
--infilter="Scalable Vector Graphics"           # for SVG input
--infilter="Microsoft Excel 2007/2010 XML"      # for XLSX input
--infilter="Microsoft Excel 97/2000/XP"         # for XLS input
--infilter="Microsoft Excel 95"                 # for some XLS input
--infilter="Microsoft Excel 5.0"                # for some XLS input

Output which is not PDF

To convert to specific output formats, you could use (list not complete):

--convert-to html:HTML
--convert-to html:draw_html_Export                 # force "Draw" to generate the HTML
--convert-to mediawiki:MediaWiki_Web               # generate MediaWiki output
--convert-to csv:"Text - txt - csv (StarCalc)"     # generate CSV spreadsheet output
--convert-to pptx:"Impress MS PowerPoint 2007 XML" # generate PPTX
--convert-to ppt:"MS PowerPoint 97"                # generate PPT
--convert-to wmf:impress_wmf_Export                # force "Impress" to generate the WMF
--convert-to wmf:draw_wmf_Export                   # force "Draw" to generate the WMF
--convert-to emf:impress_emf_Export                # force "Impress" to generate the EMF
--convert-to emf:draw_emf_Export                   # force "Draw" to generate the EMF
--convert-to svg:impress_svg_Export                # force "Impress" to generate the SVG
--convert-to svg:draw_svg_Export                   # force "Draw" to generate the SVG
--convert-to xlsx:"Calc MS Excel 2007 XML"         # generate XLSX
--convert-to xls:"MS Excel 97"                     # generate XLS like Excel 97
--convert-to xls:"MS Excel 95"                     # generate XLS like Excel 95
--convert-to xls:"MS Excel 5.0/95"                 # generate XLS like Excel 5.0/95

Headless vs. Invisible

--invisible   Starts in invisible mode. Neither the start-up logo nor 
              the initial program window will be visible. Application 
              can be controlled, and documents and dialogs can be     
              controlled and opened via the API. Using the parameter, 
              the process can only be ended using the taskmanager     
              (Windows) or the kill command (UNIX-like systems). It   
              cannot be used in conjunction with --quickstart.        

--headless    Starts in "headless mode" which allows using the      
              application without GUI. This special mode can be used  
              when the application is controlled by external clients  
              via the API.                          

Pandoc

$ sudo apt install -y pandoc (CLI)

  Commands for pandoc
    • Convert ODT to DOCX
    $ pandoc document.odt -o document.docx
    • Convert DOCX to PDF
    $ pandoc -s document.docx -o document.pdf
    • Convert ODT to PDF
    $ pandoc -s document.odt -o document.pdf
    • Convert HTML to PDF
    $ pandoc document.html -t latex -o document.pdf

  PDF Suites

PDF Reader

$ sudo apt install -y okular
$ sudo apt install -y okular-extra-backends

PDF Editor

PDF Arranger (GUI)

https://github.com/pdfarranger/pdfarranger

$ sudo apt install -y pdfarranger

How to combine PDFs in CLI

$ sudo apt install -y ghostscript (CLI)

• Command to combine
$ gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -sOutputFile=combined.pdf file1.pdf file2.pdf
• Output in low resolution
$ gs -dBATCH -dNOPAUSE -q -sDEVICE=pdfwrite -dPDFSETTINGS=/screen -sOutputFile=merged.pdf mine1.pdf mine2.pdf

PDF Crop and Split

Krop (GUI)

https://arminstraub.com/software/krop

Note, krop only adjusts which parts of a PDF are displayed; the original content is still there in the file and will, for instance, show up when editing the file in inkscape. As a result, krop is not suited for censoring a PDF document or decreasing the size of a PDF file. You may have some success in decreasing the size of the PDF (and even censoring some parts) using the option to use Ghostscript to optimize the final PDF.

$ sudo apt install -y krop

• To automatically undo 4 pages printed onto a single page:
$ krop --go --grid=2x2 file.pdf
• To trim each of these pages:
$ krop --go --grid=2x2 --trim --trim-use=all file.pdf
• Others
$ krop --grid=2x1 --initialpage=3 --exceptions=1 --trim-use=all --trim ~/file.pdf

Remove PDF annotations

Removing annotations at once in Okular

View a page that has an annotation, find them in the annotation side pane. Right-click on the annotation icon in the document, and click Remove Annotation. Then save the changes to a new document by clicking the menu button in the top right, followed by Save As….

  Commands for pdftocairo
    $ pdftocairo -pdf "input.pdf" "output-with-flatten-annotations.pdf"
  Commands for qpdf
    $ qpdf --flatten-annotations=all input.pdf output.pdf

*The output may differ slightly from the original.

*May result in larger PDF.

PDF Bookmarks Creation

https://github.com/SiddharthPant/booky


  PDF OCR

• PDF OCR - Optical Character Recognition

OCRFeeder (GUI)

https://wiki.gnome.org/Apps/OCRFeeder

$ sudo apt install -y ocrfeeder

*Unpaper

Cuneiform (CLI)

https://packages.debian.org/bookworm/cuneiform

OCRmyPDF (CLI)

https://ocrmypdf.readthedocs.io

$ sudo apt install -y ocrmypdf

Also install the Tesseract OCR plugins for your desired language

$ sudo apt install -y tesseract-ocr-eng
$ sudo apt install -y tesseract-ocr-deu
$ sudo apt install -y tesseract-ocr-fra
$ sudo apt install -y tesseract-ocr-spa
$ sudo apt install -y tesseract-ocr-por
$ sudo apt install -y tesseract-ocr-rus
$ sudo apt install -y tesseract-ocr-ara
$ sudo apt install -y tesseract-ocr-chi-sim
$ sudo apt install -y tesseract-ocr-chi-tra

  Basic commands
    • How to OCR a PDF
    $ ocrmypdf -v input.pdf output.pdf
    $ ocrmypdf -v --language deu input.pdf output.pdf
    $ ocrmypdf -v --language por+deu input.pdf output.pdf
    • To modify a file in the same place
    $ ocrmypdf -v ~/input.pdf ~/input.pdf
    • To skip text 
    $ ocrmypdf -v --skip-text input.pdf output.pdf
    • To redo OCR 
    $ ocrmypdf -v --redo-ocr input.pdf output.pdf
    • Compression settings
    $ ocrmypdf -v --pdfa-image-compression=jpeg --language=por+deu input.pdf output.pdf
    $ ocrmypdf -v --pdfa-image-compression=lossless --language=por+deu input.pdf output.pdf
    $ ocrmypdf -v --output-type=pdf --language por+deu input.pdf output.pdf
OCRmyPDF - Image processing
    • Image processing
    $ ocrmypdf -v --clean --language=por+deu input.pdf output.pdf
    $ ocrmypdf -v --clean-final --language=por+deu input.pdf output.pdf
    $ ocrmypdf -v --remove-background --language=por+deu input.pdf output.pdf

Warning

In many cases image processing will rasterize PDF pages as images, potentially losing quality. We caution against using ImageMagick or Ghostscript to convert images to PDF, since they may transcode images or produce downsampled images, sometimes without warning.

OCRmyPDF can perform some image processing on each page of a PDF, if desired. The same processing is applied to each page. It is suggested that the user review files after image processing, as these commands might remove desirable content, especially from poor quality scans.

Note that --clean-final and --remove-background may leave undesirable visual artifacts in some images where their algorithms have shortcomings. Files should be visually reviewed after using these options.

--clean uses unpaper to clean up pages before OCR, but does not alter the final output. This makes it less likely that OCR will try to find text in background noise.

--clean-final uses unpaper to clean up pages before OCR and inserts the page into the final output. You will want to review each page to ensure that unpaper did not remove something important.

--remove-background attempts to detect and remove a noisy background from grayscale or color images. Monochrome images are ignored. This should not be used on documents that contain color photos as it may remove them.

OCRmyPDF - PDF optimization
    • Optimization settings
    $ ocrmypdf -v --optimize={0,1,2,3} input.pdf output.pdf

By default OCRmyPDF will attempt to perform lossless optimizations on the images inside PDFs after OCR is complete. Optimization is performed even if no OCR text is found.

The --optimize N (short form -O) argument controls optimization, where N ranges from 0 to 3 inclusive, analogous to the optimization levels in the GCC compiler.

Level : Comments

--optimize 0 : Disables optimization.

--optimize 1 : Enables lossless optimizations, such as transcoding images to more efficient formats. Also compress other uncompressed objects in the PDF and enables the more efficient “object streams” within the PDF. (If --jbig2-lossy is issued, then lossy JBIG2 optimization is used. The decision to use lossy JBIG2 is separate from standard optimization settings.)

--optimize 2 : All of the above, and enables lossy optimizations and color quantization.

--optimize 3 : All of the above, and enables more aggressive optimizations and targets lower image quality.

Optimization is improved when a JBIG2 encoder is available and when pngquant is installed. If either of these components is missing, then some types of images cannot be optimized.

The types of optimization available may expand over time. By default, OCRmyPDF compresses data streams inside PDFs, and will change inefficient compression modes to more modern versions. A program like qpdf can be used to change encodings, e.g. to inspect the internals for a PDF.

$ ocrmypdf --optimize 3 in.pdf out.pdf # Make it small

Some users may consider enabling lossy JBIG2. See: jbig2-lossy.

Note

Image processing and PDF/A conversion can also introduce lossy transformations to your PDF images, even when --optimize 1 is in use.

OCRmyPDF - PDF Rotation
    • To automatically correct the rotation of each page
    $ ocrmypdf -v --deskew input.pdf output.pdf
    $ ocrmypdf -v --rotate-pages input.pdf output.pdf
    $ ocrmypdf -v --rotate-pages-threshold {0.0-2.0} input.pdf output.pdf

--rotate-pages attempts to determine the correct orientation for each page and rotates the page if necessary.

--deskew will correct pages that were scanned at a skewed angle by rotating them back into place.

  PDF Optimizers

ImageMagick (GUI or CLI)

https://imagemagick.org/Usage/crop
https://imagemagick.org/Usage/crop/#crop_repage

$ sudo apt install imagemagick

• Commands to crop .pdf 
$ convert -monitor `ls input-*.png` -crop 3704x1852+160+20 output.png
$ mkdir -p cropped && mogrify -monitor -crop 1000x1350+20+145 +repage -path cropped *.png

Monitor progress: -monitor

Print detailed information about the image: -verbose

• Commands to reduce .pdf size
$ convert -density 300x300 -quality 100 input.pdf output.pdf
$ convert -monitor -density 200x200 -quality 60 -compress jpeg input.pdf output.pdf
$ convert -monitor -density 150x150 -quality 70 -compress jpeg -resize 15% input.pdf output.pdf
$ convert -monitor -density 150x150 -compress Zip input.pdf output.pdf
$ convert -monitor -density 80 -page a4 input.pdf output.pdf
$ convert -monitor input.pdf -resample 85% output.pdf
$ convert -monitor *.png -colorspace gray -resample 100% "input.pdf"
• Commands for scanned books (mogrify edits the files in place)
$ mogrify -normalize -density 300 -depth 8 *.png
$ mogrify -normalize -density 300 -depth 8 -crop 50%x100% +repage *.png
$ mogrify -monochrome -normalize -density 300 *.png

-normalize : increase the contrast in an image by stretching the range of intensity values.

-depth : the number of bits per channel for each pixel.

-monochrome : transform the image to black and white.

pdfCropMargins - Python

https://pypi.org/project/pdfCropMargins

$ pip install "pdfCropMargins" --upgrade
$ pdf-crop-margins -v -p 0 -a -6 input.pdf

Ghostscript

https://ghostscript.com

$ sudo apt install -y ghostscript (CLI)

Commands to optimize pdf size with ghostscript.

• Reduce size of scanned book
$ gs -dNOPAUSE -dBATCH -dQUIET \
-sDEVICE=pdfwrite \
-dCompatibilityLevel=1.4 \
-dPDFSETTINGS=/screen \
-sOutputFile=output.pdf \
input.pdf
$ gs -dNOPAUSE -dBATCH -dQUIET \
-sDEVICE=pdfwrite \
-dCompatibilityLevel=1.4 \
-dPDFSETTINGS=/printer \
-sOutputFile=output.pdf \
input.pdf
$ gs -dNOPAUSE -dBATCH -dQUIET \
-sDEVICE=pdfwrite \
-dCompatibilityLevel=1.4 \
-dPDFSETTINGS=/prepress \
-dDetectDuplicateImages \
-dCompressFonts=true \
-r150  \
-sOutputFile=output.pdf \
input.pdf
$ gs -dNOPAUSE -dBATCH -dQUIET \
-sDEVICE=pdfwrite \
-dCompatibilityLevel=1.4 \
-dPDFSETTINGS=/prepress \
-dDetectDuplicateImages \
-dCompressFonts=true \
-r300  \
-sOutputFile=output.pdf \
input.pdf
• Editing Acrobat PDF
$ gs -q -dNOPAUSE -dBATCH -dSAFER \
-sDEVICE=pdfwrite \
-dCompatibilityLevel=1.4 \
-dPDFSETTINGS=/ebook \
-dEmbedAllFonts=true \
-dSubsetFonts=true \
-dColorImageDownsampleType=/Bicubic \
-dColorImageResolution=96 \
-dGrayImageDownsampleType=/Bicubic \
-dGrayImageResolution=96 \
-dMonoImageDownsampleType=/Bicubic \
-dMonoImageResolution=96 \
-sOutputFile=output.pdf \
input.pdf
$ gs -q -dNOPAUSE -dBATCH -dSAFER \
-sDEVICE=pdfwrite \
-dCompatibilityLevel=1.3 \
-dPDFSETTINGS=/screen \
-dEmbedAllFonts=true \
-dSubsetFonts=true \
-dColorImageDownsampleType=/Bicubic \
-dColorImageResolution=144 \
-dGrayImageDownsampleType=/Bicubic \
-dGrayImageResolution=144 \
-dMonoImageDownsampleType=/Bicubic \
-dMonoImageResolution=144 \
-sOutputFile=output.pdf \
input.pdf
  References
-dPDFSETTINGS=/screen - Low quality and small size at 72dpi.
-dPDFSETTINGS=/ebook - Slightly better quality but also a larger file size at 150dpi.
-dPDFSETTINGS=/prepress - High quality and large size at 300 dpi.
-dPDFSETTINGS=/default - System chooses the best output, which can create larger PDF files.

Commands for ebook-convert
• How to convert .epub to .pdf
$ sudo apt install calibre
$ ebook-convert input.epub  output.pdf
$ ebook-convert input.epub  output.pdf --enable-heuristics
• How to batch convert .pdf to .epub
$ find ./ -iname "*pdf" -type f | while IFS= read -r f; do echo -e "\e[1mConverting file $f \e[0m" ; ebook-convert "$f" "${f%.pdf}.epub" --enable-heuristics ; done

*Ref.: https://manpages.debian.org/bookworm/calibre/ebook-convert.1.en.html

*Utility.: https://convertfiles.com

Commands for ps2pdf
• How to convert .ps to .pdf
$ sudo apt install ghostscript
$ ps2pdf -dPDFSETTINGS=/ebook input.pdf output.pdf

*LibreOffice Draw: DPI of 100 and JPEG compression of 80%.

*Try: $ ps2pdf input.pdf output.pdf


  Image Editors

Basic Image Editors

Gthumb

https://gitlab.gnome.org/GNOME/gthumb

$ sudo apt install gthumb (GUI)

Image Magick

https://imagemagick.org

$ sudo apt install imagemagick (GUI or CLI)

Advanced Image Editors

GIMP

https://gimp.org

"Whether you are a graphic designer, photographer, illustrator, or scientist, GIMP provides you with sophisticated tools to get your job done."

$ sudo apt install gimp (GUI)

Learn How To Use GIMP 2 10 For Beginners
Inkscape

https://inkscape.org

"Inkscape is a Free and open source vector graphics editor for GNU/Linux, Windows and macOS. It offers a rich set of features and is widely used for both artistic and technical illustrations such as cartoons, clip art, logos, typography, diagramming and flowcharting."

Full Inkscape Beginner Course

Other

Memegen (Open Source)

An API to programmatically generate memes based solely on requested URLs

https://github.com/jacebrowning/memegen
https://memegen.link

imgflip (Free)

https://imgflip.com/memegenerator


  Image Convert

Image Convert

Convert with webp (dwebp)

$ sudo apt install webp

  Commands for webp files
    • How to convert .webp to .png #It's a command-line interface
    $ dwebp -v input.webp -o ~/output.png 
    $ dwebp -v -resize <width> <height> input.webp -o ~/output.png
    *If either (but not both) of the width or height parameters is 0,
   the value will be calculated preserving the aspect-ratio.
  Commands for webp files in batch
    $ for file in *.webp ; do dwebp "$file" -o "${file%.*}.png" ; done
    • Testing alternatives
    $ find . -name "*.webp" -exec sh -c 'dwebp "$1" -o "${1%.*}.png"' _ {} \;
    $ find . -type f -name "*.webp" -exec sh -c 'for f; do dwebp "$f" -o "${f%.*}.png"; done' _ {} +
    $ sudo apt install parallel
    $ parallel dwebp {} -o {.}.png ::: *.webp
    $ find . -name "*.webp" -print0 | parallel --progress -0 dwebp {} -o {.}.png
    $ find . -name "*.webp" | while IFS= read -r x; do dwebp "$x" -o "${x%.*}.png"; done
Convert image with ImageMagick

https://imagemagick.org/script/formats.php
https://imagemagick.org/script/mogrify.php
https://imagemagick.org/script/command-line-tools.php

$ sudo apt install imagemagick

*Note that convert is part of the ImageMagick package.

• Commands
$ mogrify -format png *.jpg
$ mogrify -format png *.jpeg
$ mogrify -format png *.gif
• In batch
$ cd ~/Downloads
$ find . -name "*.jpg" -exec mogrify -format png {} \;
$ find . -name "*.jpeg" -exec mogrify -format png {} \;
$ find . -name "*.gif" -exec mogrify -format png {} \;
Rotate image with ImageMagick

$ sudo apt install imagemagick

• Commands
$ mogrify -monitor -rotate -90 *.png

Unpaper

Unpaper built-in - OCRFeeder (GUI)

https://wiki.gnome.org/Apps/OCRFeeder

$ sudo apt install -y ocrfeeder

Tools -> Unpaper

Unpaper built-in - OCRmyPDF (CLI)

https://ocrmypdf.readthedocs.io

$ sudo apt install -y ocrmypdf
$ ocrmypdf --clean input.pdf output.pdf
$ ocrmypdf --clean-final input.pdf output.pdf
$ ocrmypdf --remove-background input.pdf output.pdf

Note that --clean-final and --remove-background may leave undesirable visual artifacts in some images where their algorithms have shortcomings. Files should be visually reviewed after using these options.

--remove-background attempts to detect and remove a noisy background from grayscale or color images. Monochrome images are ignored. This should not be used on documents that contain color photos as it may remove them.

--clean uses unpaper to clean up pages before OCR, but does not alter the final output. This makes it less likely that OCR will try to find text in background noise.

--clean-final uses unpaper to clean up pages before OCR and inserts the page into the final output. You will want to review each page to ensure that unpaper did not remove something important.


Unpaper - A post-processing tool for scanned sheets of paper

https://diybookscanner.org
https://diybookscanner.org/forum
https://scantips.com
https://github.com/unpaper/unpaper
https://github.com/unpaper/unpaper/blob/main/doc/basic-concepts.md
https://github.com/unpaper/unpaper/blob/main/doc/image-processing.md
https://mesonbuild.com/Quick-guide.html#compiling-a-meson-project
https://gallium.readthedocs.io/en/latest/meson.html
https://imagemagick.org/script/formats.php
https://netpbm.sourceforge.net/doc/pnm.html

SANE - Lists of supported scanners firmware
http://www.sane-project.org
http://www.sane-project.org/sane-supported-devices.html

The output format of Unpaper is restricted to the PNM family of formats, and conversions to other formats need to happen with tools such as pnmtopng, pnmtotiff or pnmtojpeg. Alternatively you can use the convert tool from ImageMagick.

PNM is a family of formats supporting portable bitmaps (.pbm), graymaps (.pgm), and pixmaps (.ppm). There is no file format associated with pnm itself. If PNM is used as the output format specifier, then ImageMagick automagically selects the most appropriate format to represent the image. The default is to write the binary version of the formats. Use -compress none to write the ASCII version of the formats. On some platforms, a compressed PNM image such as image.pnm.gz is automagically uncompressed.

Unpaper uses the Meson build system, which can be installed using Python's package manager (pip3 or pip). The only hard dependency of Unpaper is ffmpeg.

• Commands, python and ffmpeg installation using package manager
$ sudo apt install python3 &&
sudo apt install python3-pip &&
sudo apt install python3-setuptools &&
sudo apt install python3-wheel &&
sudo apt install ninja-build &&
sudo apt install python3-mesonpy &&
sudo apt install python3-sphinx &&
sudo apt install python3-pytest &&
sudo apt install python3-pil &&
sudo apt install cmake &&
sudo apt install pkg-config &&
sudo apt install libavformat-dev &&
sudo apt install ffmpeg &&
sudo apt install git 
Error: libavformat-dev
Install other dependencies
$ sudo apt install libsdl2-dev libavcodec-dev libavdevice-dev libavformat-dev libavutil-dev libswresample-dev libusb-1.0-0 libusb-1.0-0-dev

Basic configuration. The most common use case of Meson is compiling code on a code base you are working on.

• Compiling Unpaper with Meson project
$ git clone https://github.com/unpaper/unpaper
$ cd unpaper
$ CFLAGS="-march=native" meson --buildtype=debugoptimized builddir -Db_lto=true
$ meson compile -C builddir

Warning: Before making modifications to files, create backup copies.

File formats

https://github.com/unpaper/unpaper/blob/main/doc/file-formats.md

$ sudo apt install imagemagick

• Commands to convert .png to .pbm
$ cd ~/Folder
$ find . -name "*.png" -exec mogrify -monitor -format pbm {} \;
• Commands to convert .pdf to .pbm
$ convert -monitor input.pdf +repage -quality 100 output%03d.pbm
$ convert -monitor "*.pdf" +repage /livros/output%03d.pbm
$ find . -name "*.pdf" -exec sh -c 'convert "$1" "${1%.pdf}-%03d.pbm"' _ {} \;

Imagemagick Repage

https://imagemagick.org/Usage/crop/#crop_repage

You can use the special "+repage" operator to reset the page canvas and position to match the actual cropped image.

* -repage: adjust the canvas and offset information of the image.

* +repage: remove the canvas offset when it is unwanted.

• Commands to convert multiple .pbm to .pdf
$ convert -monitor *.png -adjoin output.pdf
$ convert -monitor *.pbm output.pdf
$ convert -units PixelsPerInch *.pbm -density 96 output.pdf

Imagemagick Adjoin

https://imagemagick.org/script/command-line-options.php#adjoin

Join images into a single multi-image file.

* -adjoin: join images into a single multi-image file

* +adjoin: to force each image to be written to separate files, whether or not the file format allows multiple images per file (for example, GIF, MIFF, and TIFF).

Alternative - Combining pictures into PDF file

https://gitlab.mister-muffin.de/josch/img2pdf

$ img2pdf --pagesize A4 img*.png -o output.pdf
$ img2pdf --pagesize A4 img*.png | ocrmypdf - myfile.pdf
$ img2pdf --imgsize 300dpix300dpi -i *.jp2 -o output.pdf 
• Commands to reduce .pdf size
$ convert -monitor +repage -density 200 -quality 60 -compress jpeg input.pdf output.pdf
$ convert -monitor +repage input.pdf -resample 85% output.pdf
$ convert -monitor +repage scan*.jpg -colorspace gray -resample 100% "input.pdf"
$ convert -monitor +repage -compress Zip -density 200 input.pdf output.pdf

Error: mogrify-im6.q16: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/426
• Policy edit
$ sudo sed -i '/disable ghostscript format types/,+6d' /etc/ImageMagick-6/policy.xml

• Alternatively uncomment 
$ sudo nano /etc/ImageMagick-6/policy.xml



• Alternatively remove this whole following section 
$ sudo nano /etc/ImageMagick-6/policy.xml











Error: convert-im6.q16: cache resources exhausted
• Increase the available memory
$ sudo nano /etc/ImageMagick-6/policy.xml




• Alternatively use
$ convert -limit memory 1GiB -limit disk 1GiB *.png new.pdf
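
Both policy.xml fixes above can be checked before anything is deleted. The following is an added example, not part of the original page: it lists which coders the active policy blocks, re-enables only PDF instead of removing the whole Ghostscript block (PS, EPS and XPS stay disabled), and reads a resource limit. The policy text is a constructed sample and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: audit an ImageMagick policy before relaxing it.
# The policy below is a CONSTRUCTED sample modelled on the
# "disable ghostscript format types" block; it is not read from a real system.
# All function names are hypothetical helpers for this example.

sample_policy() {
  cat <<'EOF'
<policymap>
  <!-- <policy domain="coder" rights="none" pattern="MVG" /> -->
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="resource" name="disk" value="1GiB"/>
  <!-- disable ghostscript format types -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
EOF
}

# Print FILE with XML comments removed (single-line and multi-line),
# so commented-out entries are not mistaken for active ones.
strip_comments() {
  awk '{
    line = $0; out = ""
    while (length(line) > 0) {
      if (in_c) {
        e = index(line, "-->")
        if (e == 0) { line = "" } else { line = substr(line, e + 3); in_c = 0 }
      } else {
        s = index(line, "<!--")
        if (s == 0) { out = out line; line = "" }
        else { out = out substr(line, 1, s - 1); line = substr(line, s + 4); in_c = 1 }
      }
    }
    print out
  }' "$1"
}

# List the coders the active policy denies entirely, one per line.
blocked_coders() {
  strip_comments "$1" |
    sed -n 's/.*<policy[^>]*domain="coder"[^>]*rights="none"[^>]*pattern="\([^"]*\)".*/\1/p'
}

# Print a copy of FILE in which only CODER is switched from "none" to RIGHTS.
# usage: allow_coder FILE CODER RIGHTS
allow_coder() {
  sed "/domain=\"coder\"/s/rights=\"none\"\\([^>]*pattern=\"$2\"\\)/rights=\"$3\"\\1/" "$1"
}

# Print the configured value of a resource limit (e.g. memory, disk).
# usage: resource_limit FILE NAME
resource_limit() {
  strip_comments "$1" |
    sed -n "s/.*<policy[^>]*domain=\"resource\"[^>]*name=\"$2\"[^>]*value=\"\\([^\"]*\\)\".*/\\1/p"
}

# Demo on the constructed sample; nothing under /etc is touched.
demo() {
  tmp=$(mktemp) || return 1
  sample_policy > "$tmp"
  echo "Blocked before: $(blocked_coders "$tmp" | tr '\n' ' ')"
  allow_coder "$tmp" PDF 'read|write' > "$tmp.new"
  echo "Blocked after:  $(blocked_coders "$tmp.new" | tr '\n' ' ')"
  echo "Memory limit:   $(resource_limit "$tmp" memory)"
  rm -f "$tmp" "$tmp.new"
}
demo
```

On a real system, run the functions against a copy of /etc/ImageMagick-6/policy.xml, review the output of allow_coder, and keep a backup of the original file before installing the edited one.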

Renaming in numbered order

• Renamer
$ sudo apt install rename
• Commands to rename to numbered order
$ cd /bookfolder
• Test the output before
$ rename -n 's/.+/our $i; sprintf("input%03d.png", 1+$i++)/e' *
• Apply the change
$ rename 's/.+/our $i; sprintf("input%03d.png", 1+$i++)/e' *

Unpaper - Basic usage

https://github.com/unpaper/unpaper/blob/main/doc/basic-concepts.md

Use case: two pages per sheet, "open book" format where the input image-file already contains two scanned pages in a double-page layout

Multiple Output Files

Process multiple files using a wildcard of the form %0nd, e.g. input%03d.pbm and output%03d.pbm. It will successively read images from files input001.pbm, input002.pbm, input003.pbm etc., and write output to the files output001.pbm, output002.pbm, output003.pbm etc., until no more input image-files with the current index number are available. Wildcards in filenames like "%03d" will get replaced with strings in the sequence 001, 002, 003 etc.

• Commands for double-page layout
$ unpaper --layout double input%03d.pbm output%03d.pbm
$ unpaper --layout double input%03d.pbm --output-pages 2 output%03d.pbm

Use case: combine single-page image-files onto a double-page layout sheet

Multiple Input Files
• Commands for single-page onto a double-page layout sheet
$ unpaper --no-processing --input-pages 2 singlepage%03d.pgm output%03d.pgm

Image processing

https://github.com/unpaper/unpaper/blob/main/doc/image-processing.md

• Commands
$ unpaper 
Processing of multipage with ImageMagick

Command line processing of multipage book-type scanned documents with ImageMagick.

https://edison23.net/blog/posts/crop-and-split-book-scan-in-3-commands
http://www.imagemagick.org/script/command-line-processing.php#geometry

$ sudo apt install imagemagick

*Note that convert is part of the ImageMagick package.

How to make a clean PDF with one page per sheet. The quality and quantity of additional work depends on how carefully you digitized the book.

• Command all-in-one
$ convert -monitor -density 300 orig-scan.pdf pages.png && convert `ls pages-*.png` -crop 3704x1852+160+20 +repage -crop 50%x100% pages-split.png && convert `ls pages-split*` -page 100%x100% result.pdf
• Commands
• Convert PDF to images in ordered sequence
$ convert -density 300 orig-scan.pdf pages.png
$ convert -density 300 'orig-scan.pdf[0-9]' pages.png
• Batch cropping and batch splitting the pages (*test the result first)
$ convert `ls pages-*.png` -crop 3704x1852+160+20 +repage -crop 50%x100% pages-split.png
• Recombining all the single pages back to PDF
$ convert `ls pages-split*` -page 100%x100% result.pdf

  Office Utilities

Office Utilities

$ sudo apt install xpad
$ sudo apt install kcalc



6.02 Password Manager

Password Manager

• KeePassXC

https://keepassxc.org/docs/

$ sudo apt install keepassxc


6.03 Browsers

Browsers

https://avoidthehack.com/util/browser-comparison

• LibreWolf

https://librewolf.net/installation/debian/

• Firefox

$ sudo apt install

• Chromium

$ sudo apt install

Extensions
Firefox Chrome Make

Everyday TOR

torbrowser-launcher [contrib]
https://wiki.debian.org/TorBrowser
https://whonix.org/wiki/Install_Tor_Browser_Outside_of_Whonix#Easy

$ sudo apt install torbrowser-launcher
$ torbrowser-launcher
$ torbrowser-launcher --settings

AppImage

https://github.com/RENANZG/My-Debian-GNU-Linux/blob/main/6.SOFTWARES/6.01_Softwares_AppImage/Tor-Browser_Installer.sh

URL shorteners

https://kutt.it
https://shlink.io


6.04 Cloud Services

Info

https://forum.rclone.org
https://reddit.com/r/cloudstorage
https://reddit.com/r/DataHoarder
https://reddit.com/r/Piracy
https://reddit.com/r/Scams

Cloud Privacy

∙ Cryptomator (GUI)

https://cryptomator.org

∙ Duplicati (GUI)

https://duplicati.com

∙ Tahoe-LAFS

https://tahoe-lafs.org/trac/tahoe-lafs


Cloud Providers

• Google Drive

https://github.com/glotlabs/gdrive

• MEGA

https://mega.io
https://mega.io/desktop
https://github.com/rclone/rclone

• Yandex

https://360.yandex.com
https://rclone.org/yandex (*Backend supported)

*Russian

• IDrive

https://idrive.com
https://idrive.com/online-backup-linux
https://idrive.com/linux-backup-scripts
https://rclone.org/s3/#idrive-e2

• TeraBox

https://1024tera.com
https://1024tera.com/terabox-cloud-storage-for-pc-free-download
https://reddit.com/r/TeraBox/

• pCloud

https://pcloud.com
https://pcloud.com/how-to-install-pcloud-drive-linux.html
https://github.com/pcloudcom/console-client

• SugarSync

https://sugarsync.com
https://rclone.org/sugarsync (*Not backend supported)

• Box

https://box.com
https://github.com/box/boxcli
https://github.com/rclone/rclone


6.05 File Host

File Host

• Unsee

https://unsee.cc

• Rapidgator

https://rapidgator.net

• Nitroflare

https://nitroflare.net

• Uploadgig

https://uploadgig.com

• Mediafire

https://mediafire.com/upgrade/

• UploadFiles

https://ufile.io

• 1Fichier

https://1fichier.com/hlp.html

• Turbobit

https://turbobit.net

• Filescase

http://filescase.com/

• Hex Upload

https://hexupload.org

Anonymous File Sharing Services With Temporary Online Storage

• Tempsend

https://tempsend.com

• WeTransfer

https://wetransfer.com

• Send Anywhere

https://send-anywhere.com

• SendGB

https://sendgb.com

• Volafile

https://volafile.org

• SendSpace

https://sendspace.com

• MyAirBridge

https://myairbridge.com/en/eng

• Gofile

https://gofile.io/welcome

• OTF One Time File

https://gofile.io/welcome

• Bitwarden Send

https://bitwarden.com/products/send

6.06 Media Players

MPV

$ sudo apt install mpv

Shortcuts - https://github.com/mpv-player/mpv/blob/master/DOCS/man/mpv.rst#keyboard-control

Window Geometry - https://mpv.io/manual/master/#options-geometry

Video Autofit - https://mpv.io/manual/master/#options-autofit

MPV Config

Config - https://github.com/mpv-player/mpv/blob/master/etc/mpv.conf

Copying the basic MPV configs

$ cp -r /usr/share/doc/mpv/ ~/.config/mpv/

Editing only MPV configuration file (.conf)

$ cp /usr/share/doc/mpv/mpv.conf.gz ~/.config/mpv/
$ gzip -d ~/.config/mpv/mpv.conf.gz
$ nano ~/.config/mpv/mpv.conf

Examples:

save-position-on-quit=yes
no-border
volume-max=125
geometry=50%x96%

To automatically save the current playback position on quit, start mpv with --save-position-on-quit, or add save-position-on-quit=yes to the configuration file.

Set volume-max=value in your configuration file to a reasonable amount, such as volume-max=150, which then allows you to increase your volume up to 150%, which is more than twice as loud. Increasing your volume too high will result in clipping artefacts. Additionally (or alternatively), you can utilize dynamic range compression with af=acompressor.

MPV Read-me and examples

$ sudo gzip -d /usr/share/doc/README.md.gz ~/
$ ls ~/.config/mpv/examples/lua/

Editing only MPV keybindings (input.conf)

$ cp /usr/share/doc/mpv/input.conf.gz ~/.config/mpv/
$ gzip -d ~/.config/mpv/input.conf.gz
$ nano ~/.config/mpv/input.conf

*It's recommended to use mplayer-input.conf as reference-only. To use it save as input.conf

VLC

$ sudo apt install vlc

GNOME Media Player

$ sudo apt install totem


6.07 Video Editors

Video Editors

$ sudo apt install handbrake (GUI)
$ sudo apt install handbrake-cli (CLI)
$ sudo apt install ffmpeg (CLI)

Useful links:

OBS Studio
$ sudo apt install obs-studio (GUI)

YT-DLP - A feature-rich command-line audio/video downloader

https://github.com/yt-dlp/yt-dlp

$ sudo apt install yt-dlp (CLI)

Download YouTube videos

• Commands
• Download a video or playlist
$ yt-dlp URL
$ yt-dlp -F URL
$ yt-dlp -f 247 URL
$ yt-dlp -f "best[height<=480]" URL
$ yt-dlp -f worstvideo URL
$ yt-dlp -o 'qwerty' URL
• Download with metadata
$ yt-dlp -o '%(title)s by %(uploader)s on %(upload_date)s in %(playlist)s.%(ext)s' URL
$ yt-dlp --write-description --write-info-json --write-annotations --write-sub --write-thumbnail URL
• Download audio-only
$ yt-dlp -x --audio-format mp3 URL

*URL stands for the address of the video or playlist.

FFmpeg editor

https://trac.ffmpeg.org/wiki/Encode/H.264

• Commands
• Compressing videos
$ ffmpeg -i input.ext output.mp4
$ ffmpeg -i input.ext -b:v new_bitrate output.mp4
$ ffmpeg -i input.ext -vf scale=1280:720 output.mp4
$ ffmpeg -i input.ext -c:v libx265 output.mp4 
$ ffmpeg -i input.mp4 -vcodec h264 -acodec mp2 output.mp4
$ ffmpeg -y -i input.mp4 -vcodec h264 -acodec mp3 output.mp4
$ ffmpeg -y -i input.mp4 -vcodec h264 -acodec aac output.mp4
$ ffmpeg -i input.mp4 -vcodec h264 -b:a 96k output.mp4
$ ffmpeg -i input.mp4 -vcodec h264 -b:v 1000k -acodec mp3 output.mp4
$ ffmpeg -i input.mp4 -vcodec libx265 -acodec aac -crf 23 output.mp4
$ ffmpeg -i input.mp4 -c:v libx265 -preset ultrafast -crf 28 -c:a aac -b:a 250k output.mp4
$ ffmpeg -i input.mov -c:v libx265 -preset veryfast -tag:v hvc1 -vf format=yuv420p -c:a copy output.mp4 

• Compressing video removing sound (to disable audio you must use -an)
$ ffmpeg -i input.mp4 -vcodec h264 -an output.mp4

• Converting videos
$ ffmpeg -y -i input.wmv output.mp4
$ ffmpeg -i input.mp4 -vf "scale=-2:240" output.mp4
$ ffmpeg -i input.wmv -c:v libx264 -crf 23 output.mp4
$ ffmpeg -i input.wmv -c:v libx264 -crf 23 -c:a aac -q:a 100 output.mp4
$ ffmpeg -i input.wmv -c:v libx264 -crf 23 -c:a aac -strict -2 -q:a 100 output.mp4
$ ffmpeg -i input.wmv -c:v libx264 -crf 23 -profile:v high -r 30 -c:a aac -q:a 100 -ar 48000 output.mp4

• Scaling down the size of the MP4 
$ ffmpeg -i input.mp4 -s 1280x720 -acodec copy -y output.mp4
$ ffmpeg -i input.mp4 -vf "scale=-2:720" -c:v libx264 -crf 20 -preset slow -c:a copy output.mp4
$ ffmpeg -i input.mp4 -s 1920x1080 -c:v libx265 -preset ultrafast -crf 28 -c:a aac -b:a 250k output.mp4
$ ffmpeg -i input.mp4 -vf scale=1080:1920,format=yuv420p -c:v libx265 -preset veryfast -tag:v hvc1 -b:v 800k -bufsize 1200k -b:a 128k output.mp4
$ ffmpeg -i input.mp4 -c:v libx265 -preset veryfast -tag:v hvc1 -vf format=yuv420p -c:a copy output.mp4
$ ffmpeg -i input.mp4 -c:v libx265 -preset veryfast -tag:v hvc1 -b:v new_bitrate -vf scale=new_width:new_height,format=yuv420p -c:a copy output.mp4
Bulk compress MP4

Bulk compress MP4 with ffmpeg

• One-line convert script
$ for file in *.mp4; do ffmpeg -i "$file" -vf "scale=-2:240" "Output-${file%.*}.mp4"; done

Bulk compress script

#!/bin/bash

# This script automatically converts every .mp4 file in the current folder.
# Converted files are written to the converted_videos/ subfolder.
# The default scale is -2x240.
#
# Commands to create
#  $ touch video-convert.sh
#  $ chmod +x video-convert.sh
#  $ nano video-convert.sh
#  $ bash video-convert.sh

# -p: do not fail when the folder already exists
mkdir -p converted_videos

for file in *.mp4; do
    # Skip the literal pattern when no .mp4 file exists
    [ -e "$file" ] || continue
    filename=$(basename -- "$file")
    filename="${filename%.*}"
    output="converted_videos/Output_${filename}.mp4"
    ffmpeg -i "$file" -vf "scale=-2:240" "$output"
done

Bulk compress script with ffmpeg and handbrake-cli

$ touch video-convert.sh
$ chmod +x video-convert.sh
$ nano video-convert.sh
$ bash video-convert.sh

#!/bin/bash

# This script automatically converts a folder of video files to MP4.
# You need to change SRC (source folder) and DEST (destination folder)
# The MP4 format is 480x270.
#
# Commands to create
#  $ touch video-convert.sh
#  $ chmod +x video-convert.sh
#  $ nano video-convert.sh
#  $ bash video-convert.sh

SRC=/home/video
DEST=/home/www/mp4files
DEST_EXT=mp4
HANDBRAKE_CLI=HandBrakeCLI

# Iterate with a glob instead of parsing ls, so file names with spaces survive
for FILE in "$SRC"/*
do
        # Skip directories and the literal pattern when SRC is empty
        [ -f "$FILE" ] || continue
        filename=$(basename -- "$FILE")
        filename=${filename%.*}

        "$HANDBRAKE_CLI" -i "$FILE" -o "$DEST/$filename.$DEST_EXT" -e x264 -q 22 -r 12 -B 64 -X 480 -O
done
HTML code to add video in GitHub README.md

*Not working.


6.08 Audio Editors

Audacity

$ sudo apt install audacity (GUI)

Audacity Step-by-Step Tutorial for Beginners (2024) How to make voice sound better with Audacity (2024)
6.09 Email

Email

$ sudo apt install -y thunderbird
$ sudo apt install -y birdtray

Encrypted Emails

https://emailselfdefense.fsf.org/en/
https://emailselfdefense.fsf.org/en/workshops.html
https://riseup.net/en/security/message-security/openpgp/best-practices
https://riseup.net/en/security/message-security/openpgp/enigmail
https://linuxbabe.com/security/encrypt-emails-gpg-thunderbird
https://wiki.archlinux.org/title/Paperkey
https://keys.openpgp.org/about/usage
https://efail.de

Note 1: You cannot recover the secret key from the public key and the passphrase. You cannot recover your secret gpg key without a backup.

Note 2: Create an expiration date for security reasons.

👷🛠️UNDER CONSTRUCTION🚧🏗

Note 3: Create an .

  Commands for gnupg (GnuPG - GNU Privacy Guard) 
    • How to export and import GPG key:
    $ gpg --export ${ID} > public.key
    $ gpg --export-secret-key ${ID} > private.key
    $ gpg --import --batch public.key
    $ gpg --import --batch backup_dir/.gnupg/pubring.gpg
    $ gpg --import --batch backup_dir/.gnupg/secring.gpg
    $ gpg --edit-key ${KEY} trust quit
    $ gpg --list-keys
    $ gpg --list-secret-keys
  Commands for gnupg (GnuPG - GNU Privacy Guard) 
    • How to extend the expiration date of an already expired GPG key:
    $ gpg --list-keys
    $ gpg --edit-key (key id)
    • GPG console will open in the primary key, select a sub-key:
    gpg>
    gpg> list
    gpg> key 1
    • Set the expiration for the selected key
    gpg> expire
    gpg> save
    • After the update, you can send it out
    $ gpg --keyserver site.com --send-keys (key id)
    • List secret keys with subkey fingerprints
    $ gpg --list-secret-keys --verbose --with-subkey-fingerprints

6.10 Encryption

Encryption

👷🛠️UNDER CONSTRUCTION🚧🏗

Visit our repo tree: 2.SECURITY/2.03_Encryption

Visit our repo tree: 1.INSTALLATION/2.02_Debootstrap

• Disk Encryption

∙ ZuluCrypt (GUI)

https://mhogomchungu.github.io/zuluCrypt
https://github.com/mhogomchungu/zuluCrypt

∙ SiriKali (GUI)

https://mhogomchungu.github.io/sirikali

$ sudo apt install zulucrypt-gui

∙ VeraCrypt (GUI)

https://veracrypt.fr/en/Downloads.html
https://reddit.com/r/VeraCrypt
https://github.com/veracrypt/VeraCrypt

∙ Command to automount favorite volume at startup session:

/usr/bin/veracrypt %f /dev/sda2

∙ Passwordless:

$ sudo groupadd veracrypt
$ sudo usermod -aG veracrypt "$(whoami)"
(or)
$ sudo usermod -aG veracrypt $USER
$ sudoedit /etc/sudoers

%veracrypt ALL=(root) NOPASSWD:/usr/bin/veracrypt

#Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
%veracrypt ALL=(root) NOPASSWD:/usr/bin/veracrypt

*Reboot
$ sudo reboot

∙ NTFS - Read only error

$ sudo ntfsfix /dev/mapper/veracrypt1

In Windows (WinPE)

C:\> chkdsk /F

Close and open again

• Archive Encryption

∙ GnuPG - GNU Privacy Guard
  Commands for gnupg
    • How to encrypt file
    $ gpg -c backup.tar.gz
    • How to decrypt file
    $ gpg backup.tar.gz.gpg

• Cloud Encryption

∙ Cryptomator (GUI)

https://cryptomator.org
https://github.com/cryptomator/cryptomator
https://github.com/cryptomator/cli
https://reddit.com/r/Cryptomator

∙ Duplicati (GUI)

https://duplicati.com
https://github.com/duplicati/duplicati
https://forum.duplicati.com
https://reddit.com/r/duplicati


6.11 Extracting Files

https://wiki.debian.org/Compression

All-in-one extract()

$ sudo apt install -y tar gzip 7zip unrar zlib1g bzip2 xz-utils tarlz

Add this function to the .bashrc or .bash_profile configuration file in your home directory.

# Extract common archive files by file extension
function extract() {
    if [ -f "$1" ] ; then
        case "$1" in
            *.tar.gz|*.tgz)     tar xzf "$1"          ;;
            *.tar|*.tar.xz)     tar xf "$1"           ;;
            *.tar.bz2|*.tbz2)   tar xjf "$1"          ;;
            *.xz)               unxz "$1"             ;;
            *.zip)              unzip "$1"            ;;
            *.Z)                uncompress "$1"       ;;
            *.tar.zst)          tar --zstd -xf "$1"   ;;
            *.zst)              unzstd "$1"           ;;
            *.7z)               7z x "$1"             ;;
            # Anything else: say so instead of silently doing nothing
            *)                  echo "'$1' has an unsupported extension." ;;
        esac
    else
        echo "'$1' is not valid archive file."
    fi
}

• TAR (.gz , .tar and .tar.gz)

  Commands for .tar archives
    • How to create a .tar file (no compression):
    $ tar -cvf outarchive.tar ~/Documents
    • How to extract a .tar file:
    $ tar -xvf archive.tar
  Commands for .tar.gz archives
    • How to create a .tar.gz file
    $ tar -cvzf outarchive.tar.gz ~/Documents
    • To list the contents of a .tar.gz file:
    $ tar -tzf archive.tar.gz
    • How to decompress a .tar.gz file
    $ tar -xvzf archive.tar.gz
    $ tar -xvzf archive.tar.gz -C /home/user/Downloads
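
The listing command above can serve as a gate before extraction. This added example (not part of the original page) lists a tar archive first, refuses it when a member name is absolute or contains a ".." component or when it holds links, and only then extracts into a dedicated directory. The function names safe_untar and unsafe_members are hypothetical, and GNU tar is assumed.

```bash
#!/bin/sh
# Added example, not from the original page. Assumes GNU tar.

# Read member names on stdin and print the ones that would land outside the
# extraction directory: absolute paths and names with a ".." component.
unsafe_members() {
    grep -E '^/|(^|/)\.\.(/|$)' || true
}

# safe_untar ARCHIVE DESTDIR
# Returns 0 after a successful extraction, 1 when the archive is refused,
# 2 when it cannot be read.
safe_untar() {
    archive=$1
    dest=$2
    [ -f "$archive" ] || { echo "not a file: $archive" >&2; return 2; }

    # Step 1: list without extracting (tar detects gzip/xz/bzip2 itself).
    names=$(tar -tf "$archive") || return 2

    # Step 2: refuse unsafe member names.
    bad=$(printf '%s\n' "$names" | unsafe_members)
    if [ -n "$bad" ]; then
        printf 'refusing %s, unsafe member names:\n%s\n' "$archive" "$bad" >&2
        return 1
    fi

    # Step 3: refuse links. In the verbose listing the first character of a
    # line is the entry type: "l" symbolic link, "h" hard link.
    if tar -tvf "$archive" | grep -q '^[lh]'; then
        echo "refusing $archive: contains symbolic or hard links" >&2
        return 1
    fi

    # Step 4: extract into DESTDIR only, ignoring the owner and permission
    # bits recorded in the archive (the umask applies instead).
    mkdir -p "$dest" || return 2
    tar -xf "$archive" -C "$dest" --no-same-owner --no-same-permissions
}
```

Usage: safe_untar archive.tar.gz ~/Downloads/archive_contents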

• GZIP (.gz , .tar and .tar.gz)

$ sudo apt install gzip

  Commands for .gz archives
    • How to create a .gz file (replaces indoc1.pdf with indoc1.pdf.gz)
    $ gzip indoc1.pdf
    • How to decompress a .gz file
    $ gunzip archive.gz

• 7Z (.7z and .zip)

https://7-zip.org

$ sudo apt install p7zip-full

  Commands for .7z archives
    • How to create a .7z file
    $ 7z a outarchive.7z indoc1.pdf
    • How to decompress a .7z file
    $ 7z x archive.7z
  Commands for .zip archives
    • How to create a .zip file
    $ 7z a outarchive.zip indoc1.pdf
    • How to decompress a .zip file
    $ 7z x archive.zip
  Commands for encrypted .7z and .zip archives
    • How to create an encrypted .7z or .zip file
    $ 7z a -p -t7z archive.7z /input/directory
    $ 7z a -p -tzip -mem=AES256 outarchive.zip indoc1.pdf inpdoc2.pdf
    $ 7z a -p -tzip -mem=AES256 archive.zip /input/directory
    • How to create a .7z file with an encrypted header (.7z only)
    $ 7z a -p -mhe=on archive.7z input_dir
    $ 7z a -p -mhe=on /output/archive.7z /input/directory
    • How to decompress a .7z and .zip file that is encrypted
    $ 7z x archive.zip

*Encrypted header: no file list contents visible without the password
*The .7z format always encrypts with AES-256 when -p is given. For .zip, -mem=AES256 selects AES-256 instead of the legacy ZipCrypto default. The -scrc switch only chooses a checksum function and does not set the cipher.

• RAR (.rar)

$ sudo apt install unrar-free

  Commands for .rar archives (*proprietary: extract only)
    • How to decompress a rar file
    $ unrar e ~/Downloads/filename.rar ~/Downloads/
    • How to decompress an encrypted rar file
    $ unrar-free -x ~/Downloads/filename.rar ~/Downloads/
    • How to decompress an encrypted rar archive split into parts: extract only the first part (part01.rar) and the rest follow automatically. Navigate to the directory containing the file:
    $ cd /path/to/directory/
    $ unrar-free -xp /part01.rar ~/Downloads/

• ZIP (.zip)

https://infozip.sourceforge.net

$ sudo apt install zip unzip

  Commands for .zip archives
    • Add file.txt to z.zip (create z if needed)
    $ zip z file.txt
    • Zip all files in current dir:
    $ zip z *
    • Zip files in current dir and subdirs also:
    $ zip -r z .
    • How to decompress a .zip file:
    $ unzip ~/Downloads/filename.zip
    • How to unzip multiple .zip files:
    $ unzip '*.zip'
    • How to decompress a .zip file to directory:
    $ unzip filename.zip -d /path/to/directory
    $ unzip -d file file.zip
    • Unzip Multiple Files (using single quote or backslash)
    $ unzip '*.zip'
    $ unzip \*.zip
    • Locale encoding name error
    $ unzip -I (encoding) (FILE_PATH) -d (Destination)
    $ unzip -I UTF-8 Desktop.zip
  Commands for encrypted .zip archives
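    • How to create an encrypted .zip file (-r includes the directory contents)
    $ zip -er filename.zip ~/Downloads/
    • How to decompress an encrypted .zip file
    $ unzip ~/Downloads/filename.zip
    • How to decompress an encrypted .zip file to directory
    $ unzip ~/Downloads/filename.zip -d ~/Downloads/

*zip -e uses the legacy ZipCrypto (PKZIP) encryption, which is weak; 7z with -mem=AES256 writes AES-256 encrypted .zip files.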

6.12 Sanitation

Visit our repo tree: 2.SECURITY/2.06_Sanitization

Metadata Cleaners

$ sudo apt install exiftool (CLI)
$ sudo apt install metadata-cleaner (GUI)
$ sudo apt install metacam (GUI)

• Exiftool - https://github.com/exiftool/exiftool
• List of metadata TAGS - https://exiftool.org/TagNames/index.html
• Common Mistakes - https://exiftool.org/mistakes.html
• Metacam - https://packages.debian.org/unstable/graphics/metacam

∙ Exiftool
  Commands for exiftool basic commands
    • Remove all metadata from all files possible inside a folder and all its subfolders without backup (take care, might affect the colors)
    $ exiftool -v -all:all= -overwrite_original -r /path/to/files/ 
    • Shows only selected EXIF metadata:
    $ exiftool -v -Model -ImageSize photo.jpg
    • Process all files of specified file type (case insensitive extension)
    $ exiftool -v -Model -ImageSize -ext jpg /path/to/files/
    • recursively process all jpg files under specified directory and sub-directory
    $ exiftool -v -r -Model -ImageSize -ext jpg /path/to/files/
∙ Metadata Cleaner
  Commands 
    $ metadata-cleaner /path/to/file.png

System Sanitation

∙ Bleachbit

$ sudo apt install bleachbit

Prevent recovery

In both user profile and root Bleachbit, go to Options -> Preferences -> General Tab and check "Overwrite contents of files to prevent recovery".

Freeze Bug - Free space erase option

Take care with free space erase in root mode, this has several problems. This can block the system from starting because the disk is full of randomized files.

Commands to recover if your system freezes

• Access tty (teletype)
CTRL + ALT + {2,3,4,5,6}
• Delete tmp files in root
user:
password:
$ sudo su
user@host /: ls
user@host /: rm -R tmp*
user@host /: sudo reboot
• To find the large files in other folders
$ df -h
$ df -h ~/.cache
$ sudo df -h /mnt
$ find ~/.cache -xdev -type f -size +1G
$ sudo find /root -xdev -type f -size +1G
$ rm ~/.cache/tmp*
$ sudo rm /root/tmp*

∙ Free space erase from CLI
• List system targets
$ sudo bleachbit -l
• Erase space
$ sudo bleachbit --clean system.cache \
system.clipboard \
system.custom \
system.desktop_entry \
system.free_disk_space \
system.localizations \
system.memory \
system.recent_documents \
system.rotated_logs \
system.tmp \
system.trash 

* cron

∙ Locale Purge

Mark your preferred language besides en-US

$ sudo apt install -y localepurge
$ sudo localepurge

In Bleachbit as Administrator, go to Options -> Preferences -> Languages Tab and mark your preferred language besides en-US. Start cleaning; this may take some time.

Full Disk Sanitation

https://wiki.debian.org/SSDOptimization
https://wiki.archlinux.org/title/Solid_state_drive

*Not all SSDs support sanitize. The proper way to erase an SSD is to use the SSD manufacturer's software. Other methods might not work, due to wear leveling and over-provisioning.

*If you use SSDs, enable TRIM in your BIOS. Confirm you are using SSD in the BIOS options.

*Consider hardware flaws.

Manufacturers that supply software to update firmware and perform tasks like secure erase

∙ ShredOS

https://github.com/PartialVolume/shredos.x86_64

∙ Nwipe

https://github.com/martijnvanbrummelen/nwipe

$ sudo apt install -y nwipe

∙ Hdparm

$ sudo apt install -y hdparm

• Commands
$ 

6.13 Display

Utilities

Set color temperature of display

Redshift

$ sudo apt install redshift (CLI)
$ sudo apt install redshift-gtk (GUI)

redshift.conf

https://raw.githubusercontent.com/jonls/redshift/master/redshift.conf.sample

$ nano ~/.config/redshift/redshift.conf
$ redshift -P -O TEMPERATURE
$ redshift -P -O 4000
$ redshift -P -O 6000
$ sudo apt install brightnessctl
$ brightnessctl s 25% && redshift -P -O 4000
$ brightnessctl s 50% && redshift -P -O 6500
$ redshift -l LAT:LONG

6.14 Files and Folders

Synchronize files and folders

$ sudo apt install grsync (GUI)

Duplicated files

(*by name, size, hash)

dupeGuru

$ sudo apt install dupeguru (GUI)

fdupes (slow)

$ sudo apt install fdupes (CLI)

• Command
$ fdupes -r dir
$ fdupes -r -S .
md5sum

https://github.com/pixelb/fslint

$ sudo apt install coreutils (CLI) (BUILT-IN)

• For small files based on hash
$ find . -type f -print0 | xargs -0 md5sum | sort | uniq -w32 --all-repeated=separate
• For large ones based on size (replace SIZE with a size in bytes)
$ find . -type f -size SIZEc -print0 | xargs -0 md5sum | sort | uniq -w32 --all-repeated=separate
• For large ones based on size first and then hash
$ find . -not -empty -type f -printf "%s\n" | sort -rn | uniq -d |\
xargs -I{} -n1 find . -type f -size {}c -print0 | xargs -0 md5sum |\
sort | uniq -w32 --all-repeated=separate

Visualize folder tree

$ sudo apt install tree

• List directories only
$ tree -d
• Control the depth of the tree  
$ tree -d -L 2 .
6.15 Renamers

Renamers

File Naming Best Practices

You might consider including some of the following information in your file names, but you can include any information that will allow you to distinguish your files from one another.

  • Project or experiment name or acronym
  • Location/spatial coordinates
  • Researcher name/initials
  • Date or date range of experiment
  • Type of data
  • Conditions
  • Version number of file
  • Three-letter file extension for application-specific files

Another good idea is to include in the directory a readme.txt file that explains your naming format along with any abbreviations or codes you have used.

Machine readable

  • Regular expression and globbing friendly
    • Avoid spaces, punctuation, accented characters, case sensitivity
    • Easy to compute on
  • Deliberate use of delimiters

Consider these additional tips as you develop a file naming scheme:

  • A good format for date designations is YYYYMMDD or YYMMDD. This format makes sure all of your files stay in chronological order, even over the span of many years.
  • Try not to make file names too long, since long file names do not work well with all types of software.
  • Special characters such as ~ ! @ # $ % ^ & * ( ) ` ; < > ? , [ ] { } ' " and | should be avoided.
  • When using a sequential numbering system, use leading zeros for clarity and to make sure files sort in sequential order. For example, use "001, 002, ...010, 011 ... 100, 101, etc." instead of "1, 2, ...10, 11 ... 100, 101, etc."
  • Do not use spaces. Some software will not recognize file names with spaces, and file names with spaces must be enclosed in quotes when using the command line. Other options include:
    • Underscores, e.g. file_name.xxx
    • Dashes, e.g. file-name.xxx
    • No separation, e.g. filename.xxx
    • Camel case, where the first letter of each section of text is capitalized, e.g. FileName.xxx
  • Periods can be used in file names, but consider these points before doing so and proceed cautiously:
    • Periods are used in regular expressions.
    • Periods at the start of a file name are used to indicate configuration and/or hidden files in a file directory.
    • Periods are used to separate file names from file extensions.
Online regex tools

• Dencode - https://dencode.com
• Commonly Used Software Development Tools - https://ctool.dev
• Text Fixer - https://textfixer.com
• SS64 Syntax Utils - https://ss64.com
• Tools4noobs - https://tools4noobs.com

KRename

$ sudo apt install krename (GUI)

GPRename

$ sudo apt install gprename (GUI)

Case Styles

camelCase PascalCase kebab-case snake_case UPPER_CASE_(SNAKE_CASE)

Bash's built-in commands to rename (Debian/GNU Linux)
  • Commands with move 
    • Simply rename
    $ mv /home/user/oldname /home/user/newname
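    • Convert Uppercase to Lowercase Characters (names that are already lowercase are skipped, existing targets are not overwritten)
    $ for f in *; do n=$(printf '%s' "$f" | tr 'A-Z' 'a-z'); [ "$f" = "$n" ] || mv -nT -- "$f" "$n"; done
    $ for i in *[A-Z]*; do mv -n -- "$i" "$(printf '%s' "$i" | tr 'A-Z' 'a-z')"; done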
  • Commands with sed 
    • Convert Camel case to kebab-case
    $ echo "MyDirectoryFileLine" | sed -e 's/\([A-Z]\)/-\L\1/g'
    $ echo "MyDirectoryFileLine" | sed -e 's/\([A-Z]\)/-\L\1/g' -e 's/^-//'
    $ echo "MyDirectoryFileLine" | sed -e 's/\([A-Z]\)/-\1/g' -e 's/^-//'
    $ echo "MyDirectoryFileLine" | sed -e 's/[A-Z]/-\L&/g' -e 's/^-//'
    $ echo "MyDirectoryFileLine" | sed -e 's/[A-Z]/-\l&/g;s/.//'
    $ echo "SomeACRONYMInCamelCaseString" | sed -e 's/\([a-z]\)\([A-Z]\)/\1-\L\2/g' | sed -e 's/\(.*\)/\L\1/'

Rename

$ sudo apt install rename (CLI)

  • Commands for rename 
    • Syntax
    $ rename [options] 's/[pattern]/[replacement]/' [file name]
    • Replacing the blank space with an underscore (_)
    $ rename -v 'y/ /\_/' *.pdf
    $ rename -v 'y/ /\_/' ~/Downloads/*
    $ rename -v 'y/ /\_/' ~/Downloads/*.pdf
    $ rename -v 'y/\n/\_/' ~/Downloads/*.pdf
    $ rename -v 'y/\-/\_/' ~/Downloads/*.pdf
    • Commands to rename to numbered order
    $ cd /Files
    • Test the output before (* -n)
    $ rename -n 's/.+/our $i; sprintf("input%03d.png", 1+$i++)/e' *
    • Apply the change
    $ rename 's/.+/our $i; sprintf("input%03d.png", 1+$i++)/e' *
    • Delete a Part of a Filename
    $ rename -v 's/example//' *.pdf
    • Convert Uppercase to Lowercase Characters #FAIL
    $ rename -v 'y/[A-Z]/[a-z]/' *.PDF 
    $ find my_dir -type f -execdir rename 'y/A-Z/a-z/' {} \;
    • Convert Lowercase to Uppercase Characters #FAIL
    $ rename -v 'y/[a-z]/[A-Z]/' *.pdf
    • Replace all spaces with underscores
    $ rename 's/ /_/g' *
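
The naming tips and the rename commands above, combined into one added example (not from the original page): clean_name applies the tips to a single name, and rename_clean renames files without overwriting existing ones. Both function names are hypothetical, and the choice of underscores as the separator is an assumption.

```bash
#!/bin/sh
# Added example, not from the original page.

# clean_name NAME
# Print NAME rewritten per the tips above: lowercase, runs of spaces turned
# into one underscore, and every character outside a-z 0-9 . _ - removed.
clean_name() {
    printf '%s' "$1" |
        LC_ALL=C tr '[:upper:]' '[:lower:]' |
        LC_ALL=C sed -e 's/[[:space:]]\{1,\}/_/g' \
                     -e 's/[^a-z0-9._-]//g' \
                     -e 's/__*/_/g'
}

# rename_clean [-n] FILE...
# Rename each FILE to its clean name inside the same directory.
# -n only prints "old -> new". A file is skipped when the clean name is
# empty or already taken, so nothing is ever overwritten.
rename_clean() {
    dry=0
    if [ "$1" = "-n" ]; then dry=1; shift; fi
    for f in "$@"; do
        dir=$(dirname -- "$f")
        base=$(basename -- "$f")
        new=$(clean_name "$base")
        [ "$new" = "$base" ] && continue
        if [ -z "$new" ] || [ -e "$dir/$new" ]; then
            echo "skip: $f (target '$new' is empty or already exists)" >&2
            continue
        fi
        if [ "$dry" -eq 1 ]; then
            echo "$f -> $dir/$new"
        else
            # "--" keeps names that start with a dash from being read as options
            mv -- "$f" "$dir/$new"
        fi
    done
    return 0
}
```

Usage: run rename_clean -n ~/Downloads/* first to preview, then repeat without -n.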
Special Symbols
\n is a symbol for new line
\t is a symbol for tab
\r is for 'return'

Note: \n or \t or \r are interpreted inside of <pre> text </pre>

Special HTML codes

Char | Numeric code | Named code | Description
     | &#09;        |            | horizontal tab
     | &#10;        |            | line feed
     | &#13;        |            | carriage return / enter
     | &#160;       | &nbsp;     | non-breaking space

6.16 Backup

https://github.com/bit-team/backintime
https://github.com/teejee2008/timeshift
https://github.com/restic/restic

Recover plan

Backup

Folders and Files Backup

GRSYNC (GUI)

$ sudo apt install grsync

GRSYNC is a graphical interface for the rsync command line program. It can be used for local directory synchronization.

Copy files and directories (CLI)
∙ "Full" Backup
$ cp -r ~/.config/example/ /media/backup
∙ "Incremental" Backup
$ cp -vur ~/.config/example/ /media/backup
∙ Archive copy (-a)
$ cp -a ~/.config/example/ /media/backup

*The -a option will preserve the files permissions/ownership.

∙ Transfer progress and speed when copying files (CLI)

RSYNC

https://wiki.archlinux.org/title/Rsync

$ sudo apt install rsync

• Copying
$ rsync -ah --progress ~/source /backup/destination
$ rsync -ah --info=progress2 ~/source /backup/destination
$ rsync -rah --info=progress2 ~/source /backup/destination
• Moving
$ rsync -ravzP --remove-sent-files ~/source /backup/destination
• Copy a File or Directory from Local to Remote Machine
$ rsync -ravP Directory/ server@192.168.1.56:/home/server

*This will preserve the files permissions/ownership.

DD
$ dd if=~/source of=/backup/destination status=progress
PV

$ sudo apt install pv

$ pv ~/source > /backup/destination

*This won't preserve the files permissions/ownership.

CURL
$ curl -o destination FILE://source

*This won't preserve the files permissions/ownership.

Disk Imaging and Cloning

Clonezilla

The Free and Open Source Software for Disk Imaging and Cloning

https://clonezilla.org//clonezilla-live-doc.php

Changing disk name

$ cnvt-ocs-dev -d /home/partimag 'image' 'sda3' 'sda2'

Data Integrity

https://debian.org/doc/manuals/securing-debian-manual/ch04s17.en.html#check-integ
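
A way to check the notes above about preserved permissions and to verify a finished copy, as an added example that is not part of the original page: it compares source and backup by SHA-256 and by permission bits. The function names manifest and verify_backup are hypothetical; GNU coreutils (sha256sum, stat -c) are assumed, and file names must not contain newlines.

```bash
#!/bin/sh
# Added example, not from the original page. Assumes GNU coreutils.

# manifest DIR
# Print one "sha256  mode  ./relative/path" line per regular file,
# sorted by path so two manifests can be compared line by line.
manifest() {
    ( cd "$1" || exit 1
      find . -type f -exec sh -c '
          for f do
              sum=$(sha256sum < "$f" | cut -d" " -f1)
              mode=$(stat -c %a "$f")
              printf "%s  %s  %s\n" "$sum" "$mode" "$f"
          done' sh {} + | LC_ALL=C sort -k3 )
}

# verify_backup SRC DEST
# Return 0 when both trees hold the same files with the same content and
# permission bits. Otherwise print the differing manifest lines
# ("<" = source, ">" = backup) and return 1.
verify_backup() {
    src_list=$(mktemp) || return 2
    dst_list=$(mktemp) || return 2
    manifest "$1" > "$src_list"
    manifest "$2" > "$dst_list"
    status=0
    diff "$src_list" "$dst_list" || status=1
    rm -f "$src_list" "$dst_list"
    return "$status"
}
```

Usage: verify_backup ~/source /backup/destination/source && echo "backup matches"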


6.17 Metaverse

Vircadia - Open Source Metaverse Platform

https://vircadia.com

An introduction to Vircadia - an Open Source desktop and VR metaverse

Overte - Open source virtual worlds and social VR

https://overte.org

Introduction to the Overte project
6.18 Online Utilities

Utilities

• Message Header Analyzer - https://mha.azurewebsites.net
• Message Header Analyzer - https://github.com/microsoft/MHA
• PhishTank - https://phishtank.org
• Simple Email Reputation - https://emailrep.io
• Whois - https://iana.org/whois
• ViewDNS - https://viewdns.info
• WhoisMyDNS - https://whoismydns.com
• NSLookup - https://nslookup.io
• My-Addr - https://my-addr.com
• Malpedia - https://malpedia.caad.fkie.fraunhofer.de
• CVE Details - https://cvedetails.com
• Exploit Database - https://exploit-db.com
• FileInfo - https://fileinfo.co
• xCyclopedia - https://strontic.github.io/xcyclopedia
• The Windows Binary Index - https://winbindex.m417z.com
• Palo Alto Applipedia - https://applipedia.paloaltonetworks.com
• Windows Security Logs - https://ultimatewindowssecurity.com/securitylog/encyclopedia
• Internet Archive (WayBackMachine) - https://web.archive.org
• Archive web content - https://archive.ph
• Internet Archive - https://archive.org
• HTTrack - https://httrack.com
• IPVOID - https://ipvoid.com
• AbuseIPDB - https://abuseipdb.com
• Grabify IP Logger - https://grabify.link/
• IP Logger - https://iplogger.org
• IP Tracker - https://iplogger.org/ip-tracker
• IP Location Tracker - https://iplogger.org/location-tracker
• IP Location - https://iplocation.net
• URL Checker - https://iplogger.org/url_checker
• MAC Address Lookup - https://iplogger.org/mac-checker
• MAC Vendor - https://macvendors.com
• IP API
  - ip-api - https://ip-api.com
  - ipify - https://ipify.org
  - ipapi - https://ipapi.co
  - vpnapi - https://vpnapi.io
  - ipapi - https://ipapi.com
• The ZMap Project - https://zmap.io
• WiGLE - https://wigle.net
• urlscan.io - https://urlscan.io
• Virus Total - https://virustotal.com
• Hybrid Analysis - https://hybrid-analysis.com
• Cuckoo Sandbox - https://cuckoo.cert.ee
• AlienVault OTX - https://otx.alienvault.com
• IBM X-Force Exchange - https://exchange.xforce.ibmcloud.com
• Cisco Talos - https://talosintelligence.com/reputation_center
• Maltiverse - https://maltiverse.com/collection
• GreyNoise - https://greynoise.io
• SANS Internet Storm Center - https://isc.sans.edu
• Intelligence X - https://intelx.io
• MetaDefender Cloud - https://metadefender.opswat.com
• RiskIQ Community Edition - https://community.riskiq.com/home
• Pulsedive - https://pulsedive.com
• Valhalla YARA Rules - https://valhalla.nextron-systems.com
• ANY.RUN - https://any.run
• Binvis - https://binvis.io
• JoeSandbox - https://joesandbox.com
• Verexif - https://verexif.com/en/
• Reverse Shell Generator - https://revshells.com
• Rainbow Tables (Hashes) - https://hashes.com/en/decrypt/hash
• File Signatures ("Magic Numbers") - https://en.wikipedia.org/wiki/Magic_number_(programming)
• List of File Signatures - https://en.wikipedia.org/wiki/List_of_file_signatures
• CyberChef - https://gchq.github.io/CyberChef
• explainshell - https://explainshell.com
• Epoch Converter - https://epochconverter.com
• Regex - https://regex-generator.olafneumann.org
• DeHashed - https://dehashed.com
• Dencode - https://dencode.com
• Commonly Used Software Development Tools - https://ctool.dev
• Text Fixer - https://textfixer.com
• SS64 Syntax Utils - https://ss64.com
• Tools4noobs - https://tools4noobs.com
• Text to ASCII Art Generator - https://patorjk.com/software/taag
• Have I Been Pwned - https://haveibeenpwned.com
• Name OSINT - https://namechk.com
• Breach Directory - https://breachdirectory.org
• MD5 Decrypt - https://md5decrypt.net/en/Sha1
• DeepL - https://deepl.com/translator


6.19 Fun

Steam OS

https://store.steampowered.com/steamos

Linux distribution that transforms devices into consoles

https://batocera.org


6.20 Tips and Tricks

Visualize folder tree

$ sudo apt install tree

• List directories only
$ tree -d
• Control the depth of the tree  
$ tree -d -L 2 .

Schedule a Shutdown in Command Line

Shutdown at specific time
$ sudo shutdown -h 23:59
Shutdown at specific date and time

Since 24 hours is 1440 minutes (24×60=1440), you can adapt the delay:

$ sudo shutdown +1440

Execute shutdown +60 at a specific time and day:

$ sudo apt install at
$ echo "shutdown +767" | sudo at 08:46am 2024-09-11

Set an Alarm from the Terminal

$ sleep 5m && mpv alarm.mp3

Use Terminal as a Stopwatch

$ time cat
CTRL + C

Commands for you to find large files

$ df -h
$ df -h /home/$USER/Downloads
$ du -h ~/Downloads | sort -rh | head -n 10
$ find ~/Downloads -type f -size +3G -exec du -h {} + | sort -rh
$ find /home/$USER/Downloads -xdev -type f -size +1G
$ find . -size +1M  -printf "%p \t%k kb\n" | sort -k2n

Editing text with sed in terminal

Be cautious when using -n (quiet) with -i (in-place): the former disables automatic printing of lines and the latter changes the file in place without a backup. Make a backup before editing by using -i.bak.

$ sed --options [optional SCRIPT] [INPUT STREAM]

• Append line after match
$ sed '/option/a Hello World' *.txt
• Insert line before match
$ sed '/option/i Hello World' *.txt
• Append text after a line for the first match only
$ sed -e '0,/option/{/option/a Hello World' -e '}' *.txt
• Insert text before a line for the first match only
$ sed -e '0,/option/{/option/i Hello World' -e '}' *.txt
• Inserting a text file
$ sed -i -e '1r text1' text2.txt
• If you want to append string in a multiline text
$ sed -i '/pattern/ r snippet.txt' filename
• Batch inserting specific text after pattern in .txt files
$ sed -i '/SearchPattern/aNew Text' *.txt
$ find . -name '*.txt' -exec sed -i -e 's/textp1/textp2\ text.txt/g' {} \;
• Replacement syntax
$ sed s/regexp/replacement/[flags]
• Replace closed with open on lines containing code
$ sed '/code/ s/closed/open/' text.txt 
• Replace all closed with open on lines containing code
$ sed '/code/ s/closed/open/g' text.txt
• Replace all occurrences of 'hello' with 'world' in the file input.txt:
$ sed 's/hello/world/g' input.txt > output.txt
• Batch removing specific text in .txt files,
  the -i option tells sed to make the change
  in place, inside the file itself
$ sed -i 's/text//' *.txt
• Batch making a backup before editing the file,
  by specifying a suffix when using -i
$ sed -i.bak 's/word//' *.txt
• Convert Lowercase to Uppercase Characters
$ sed -i -e '/UPPERCASe/,$s/.*/\U&/' text.txt
$ sed 's/[a-z]/\U&/g' < ./myfile.txt
$ echo "hello world" | sed 's/[a-z]/\U&/g'
• Convert Uppercase to Lowercase Characters
$ echo "HELLO WORLD " | sed 's/[A-Z]/\L&/g'
• Remove leading spaces and tabs from line
$ sed 's/^[ \t]*//' text.txt
• Keep only the leading lowercase letters of each line
$ sed 's/\([a-z]*\).*/\1/' text.txt
*Note, in terminal:
Alt + u	Make uppercase from the cursor position to the end of the word.
Alt + l	Make lowercase from the cursor position to the end of the word/text.
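
A guarded way to run the in-place edits above, as an added example that is not part of the original cookbook: the hypothetical helper safe_sed previews the change, leaves the file alone when the script matches nothing, and keeps a backup. The function name, exit codes and the constructed text.txt content are assumptions; GNU sed and coreutils are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): a guarded alternative to a bare `sed -i`.
# safe_sed SCRIPT FILE
#   exit 0: FILE changed, backup path printed on stdout, diff shown on stderr
#   exit 1: SCRIPT changed nothing, FILE untouched, no backup created
#   exit 2: bad arguments or sed error, FILE untouched
safe_sed() (
    script=$1
    file=$2
    if [ -z "$script" ] || [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "safe_sed: need a sed script and a regular, non-symlink file" >&2
        exit 2
    fi

    # Dry run into a temporary file next to the target.
    tmp=$(mktemp "$file.tmp.XXXXXX") || exit 2
    trap 'rm -f "$tmp"' EXIT
    sed -e "$script" -- "$file" > "$tmp" || exit 2

    # A typo in the pattern usually shows up as "no change": stop here.
    if cmp -s -- "$file" "$tmp"; then
        exit 1
    fi

    # Show what will change, then keep an untouched copy (mode and times preserved).
    diff -u -- "$file" "$tmp" >&2 || true
    backup=$(mktemp "$file.bak.XXXXXX") || exit 2
    cp -p -- "$file" "$backup" || exit 2

    # Write the new content into the existing file. Unlike `sed -i`, which
    # replaces the file with a new one, this keeps the inode, owner and hard links.
    cat -- "$tmp" > "$file" || exit 2
    printf '%s\n' "$backup"
)

# Demo on a constructed file, using the "closed -> open on lines containing code" edit.
demo_dir=$(mktemp -d)
printf 'code: closed\nnote: closed\n' > "$demo_dir/text.txt"
safe_sed '/code/ s/closed/open/' "$demo_dir/text.txt"
rm -rf "$demo_dir"
```
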

Reopen maximized browser

To open maximized browser window use "--start-maximized" as a parameter.

$ nano /home/user/Desktop/browser.desktop

[Desktop Entry]
Exec=/usr/bin/browser --start-maximized %U

Getting window sizes in shell

$ wmctrl -lG

Change default editor for visudo

By default, Linux systems use the $VISUAL or $EDITOR environment variables (usually defined in your ~/.bashrc file or /etc/profile) as the default editor for the visudo command. If you'd prefer to use a different editor, such as nano, you can use either of these methods.

  1. To temporarily use a different editor, run:
    
    $ sudo EDITOR=/path/to/editor visudo
    
    

    For example, to use nano, you would run:

    $ sudo EDITOR=nano visudo
    
  2. To permanently change the default editor, edit the /etc/sudoers file (you can use the temporary method above!) and add the following line to the file near the top, but after Defaults env_reset:
    Defaults editor=/path/to/editor
    

Reference: https://unix.stackexchange.com/questions/4408/how-to-set-visudo-to-use-a-different-editor-than-the-default-on-fedora

Test if a command is a bash shell built-in or an external program package

http://www.gnu.org/software/bash/manual/html_node/Bash-Builtins.html
https://www.gnu.org/software/bash/manual/html_node/Shell-Builtin-Commands.html
http://pubs.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_04
https://en.wikipedia.org/wiki/POSIX
https://packages.debian.org/stable
http://www.gsp.com/cgi-bin/man.cgi?section=1&topic=zshbuiltins

• Use type command
$ type -t cd
$ type -t ls
$ type -t test
$ type -t echo
$ type -t apt
$ type -t grep
$ type -t for
• Use builtin command 
$ builtin cd
$ builtin ls
$ builtin test
$ builtin echo
$ builtin apt
$ builtin grep
$ builtin for
• You can use the builtin command enable to show the list of builtin commands and their activation state
$ enable -a

Why use built-in commands? They do not depend on being granted permission to install packages, they work on reduced systems such as embedded Linux hardware (IoT), they reduce the attack surface and they perform better.

Changing terminal command output language

• For just a single command, from native language to English
$ LC_ALL=C man ls
$ LC_ALL=C sudo apt update

Grep - Global regular expression search

• Commands
$ man find | grep -A 4 -- '-size'
$ man find | grep -e '-size'


7. DEV SETUP

👷🛠️UNDER CONSTRUCTION🚧🏗

7.01 System Tweaks

Visit our repo tree: 5.DEVELOPMENT

System Tweaks

∙ Terminal
∙ Window Shortcuts
∙ Passwords
Manager
SSH
∙ Interface

7.02 IDEs

IDEs

• NeoVim

https://neovim.io
https://neovim.io/doc/user/starting.html
https://neovim.io/doc/user/usr_01.html#vimtutor
https://github.com/neovim/nvim-lspconfig#suggested-configuration
https://youtube.com/watch?v=RZ4p-saaQkc
https://github.com/rockerBOO/awesome-neovim
https://reddit.com/r/neovim

∙ Setups
https://github.com/nvim-lua/kickstart.nvim
https://github.com/LazyVim/LazyVim
https://github.com/LunarVim/LunarVim
https://github.com/NvChad/NvChad
https://spacevim.org/
∙ Plugins
https://siddharta.me/configuring-neovim-as-a-python-ide-2023.html
https://thevaluable.dev/vim-php-ide/

• VSCodium

https://github.com/VSCodium/vscodium
https://reddit.com/r/vscodium

∙ Extensions

• Sublime-text ®

https://sublimetext.com/docs/linux_repositories.html
https://reddit.com/r/sublimetext


7.03 Git & GitHub

Git & GitHub


7.04 Languages

Languages

• Python

• Go

• PHP

• Ruby


7.05 Others

Others

• Deploy

• Database

• Projects Folder

• Team



8. SYSADMIN

👷🛠️UNDER CONSTRUCTION🚧🏗

8.01 Sysadmin

Visit our repo tree: 6.SYSADMIN



9. TROUBLESHOOTING

👷🛠️UNDER CONSTRUCTION🚧🏗

9.01 Linux Community

Linux Community

https://forums.debian.net
https://forum.linuxfoundation.org
https://docs.kernel.org
https://linuxquestions.org
https://superuser.com
https://stackoverflow.com
https://howtoforge.com
https://unix.stackexchange.com
https://security.stackexchange.com
https://data.stackexchange.com
https://elinux.org
https://hardforum.com
https://askubuntu.com
https://snbforums.com
https://reddit.com/r/debian
https://reddit.com/r/linuxquestions
https://reddit.com/r/sysadmin


9.02 Audit Logs

Audit Logs

$ sudo dmesg --since -5m
$ sudo dmesg -w
$ sudo dmesg | grep iwl
$ sudo dmesg | grep rtw
$ sudo dmesg | grep ath
$ sudo dmesg -T | grep xhci
$ sudo journalctl -k -b -1
$ sudo journalctl -p 3 -xb
$ sudo journalctl -b | grep -i net
$ sudo journalctl -S -1h00m
$ sudo journalctl -S today
$ sudo journalctl -S today -u name.service
$ sudo journalctl -S "2024-01-01 00:00:00"
$ sudo journalctl -S "2024-01-01 00:00:00" > ~/journal.txt
$ sudo tail /var/log/syslog
$ sudo tail -n20 /var/log/syslog
$ sudo tail -f /var/log/syslog
$ head /home/pat/file.txt
$ head -n20 /home/pat/file.txt

Terminal output in English

To only run a single command in English, you can write the LANG=C directly in front of the command itself, e.g.

LANG=C sudo apt-get update

All program output will be in English. You can add a line

export LANG=C

to the end of your ~/.bashrc file and restart the terminal.


9.03 System Boot

https://wiki.debian.org/KernelHeaders

Grub

The simplest way to display your Grub is to press and hold the shift button while booting.

System Boot

∙ Rescue Mode

Debian Live in Rescue Mode

∙ rEFInd (GUI)

Download rEFInd rescue media

https://rodsbooks.com/refind/getting.html

∙ Grub customizer (GUI)

$ sudo apt install grub-customizer

∙ Restoring grub

$ sudo cp /usr/share/grub/default/grub /etc/default/grub
$ sudo update-grub
$ sudo apt -f install

∙ Menuentries debug

$ sudo ls /boot
$ sudo ls -l /vmlinuz
$ sudo ls /boot | grep vmlinuz
$ sudo dpkg -l | grep grub
$ sudo dpkg -l | grep linux-image
$ sudo dpkg -l | grep linux-headers
$ sudo ls /sys/firmware
$ sudo cat /etc/default/grub
$ sudo cat /boot/grub/grub.cfg
$ sudo cat /boot/grub/grub.cfg | grep menuentry
$ sudo cat /boot/grub/grub.cfg | grep submenu
$ sudo ls /etc/grub.d
$ sudo cat /etc/grub.d/40_custom

∙ Chroot

$ sudo

∙ Grub Issues

Removable Medium Boot

$ sudo grub-install /dev/sdX -v --force-extra-removable

Crypttab

$ sudo nano /etc/default/grub

GRUB_DISABLE_OS_PROBER=false
GRUB_ENABLE_CRYPTODISK=y

$ sudo update-grub

Remove Old Kernels

An easy way to remove old kernels is to use Synaptic Package Manager to search for "linux-image" and "linux-headers" and remove all except the version you are currently using.

Not recommended

$ sudo dpkg -l | grep linux-image
$ sudo dpkg -l | grep linux-headers
$ sudo rm /boot/-4.18.0-{15,17}-
$ sudo dpkg --configure -a
$ sudo apt install -f
$ sudo update-grub
$ sudo apt autoremove
$ sudo apt upgrade


9.04 Display Manager and Monitors

Display Manager and Monitors

https://wiki.archlinux.org/title/Display_manager
https://baeldung.com/linux/display-managers-install-uninstall
https://github.com/sddm/sddm/releases

Brightness

$ sudo apt install -y brightnessctl
$ brightnessctl s 100%
$ brightnessctl s 70%
$ brightnessctl s 50%

Environment variables

Qt applications can be scaled with the following environment variables. Note that many applications hard-code sizes and fonts, so the result in such applications may not be as expected.

$ export QT_AUTO_SCREEN_SET_FACTOR=0
$ export QT_SCALE_FACTOR=1
$ export QT_FONT_DPI=96

Monitor and resolution

https://dpi.lv

$ sudo apt install arandr  # GUI
$ sudo apt install xserver-xorg-input-all

Debug commands

$ sudo apt install inxi
$ sudo inxi -G
$ sudo inxi -Fxxrzc0

$ sudo xrandr --output eDP-1 --primary
$ sudo xrandr --output DP2 --auto --left-of DP1
$ sudo xrandr --output LVDS1 --panning 1920x1080 --scale 1.406x1.406
$ sudo xrandr --output LVDS1 --panning 1366x768 --scale 1x1

You can make this change permanent for a specific user by adding this to the startup applications:

$ /usr/bin/xrandr --output LVDS1 --panning 1920x1080 --scale 1.406x1.406

*Firefox and Thunderbird - Advanced Settings

layout.css.devPixelsPerPx 0.8

SDDM

Debug commands

$ sudo systemctl status default.target
$ sudo systemctl status sddm.service
$ sudo systemctl list-unit-files | grep sddm
$ sudo ls -la /etc/systemd/system/display-manager.service
$ cat /proc/cmdline
$ sudo dpkg-reconfigure sddm


9.05 Network

https://wiki.ubuntu.com/X/Debugging/WirelessWithoutX
https://wireless.wiki.kernel.org/en/users/drivers/iwlwifi
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/intel
https://intel.com/content/www/us/en/support/articles/000005511/network-and-io/wireless.html
https://wiki.archlinux.org/title/Power_management#USB_autosuspend
https://docs.kernel.org/driver-api/usb/power-management.html

Troubleshoot the network using the OSI model, working from the physical layer up to the application layer.

First things first:

$ sudo apt install firmware-realtek
or $ sudo apt install firmware-iwlwifi
or $ sudo apt install firmware-atheros

• Network

∙ Debug WiFi

$ ip link
$ nmcli device show
$ nmcli dev wifi
$ ping localhost
$ ping 8.8.8.8
$ traceroute 8.8.8.8
$ sudo ifconfig wlan0
$ sudo iwconfig wlan0
$ sudo dmesg | grep iwl
$ sudo dmesg | grep rtw
$ sudo dmesg | grep ath
$ sudo journalctl -b | grep -i net

Power up

$ sudo ifconfig eth0 up

∙ Debug Hardware

$ sudo lspci
$ sudo lspci -v -k
$ sudo lspci -v | grep Ethernet
$ sudo lspci -Knn | grep Net -A2
$ sudo lsusb
$ sudo apt install lshw
$ sudo lshw -C network
$ sudo apt install inxi
$ sudo inxi -Fxxz

*PCI vs USB - Kernel - Integrated chip - Need to investigate

Listing modules

$ sudo lsmod
$ sudo lsmod | grep iwl
$ sudo lsmod | grep rtw
$ sudo lsmod | grep ath

Module info

$ sudo modinfo rtw_8723d

∙ Rfkill

$ sudo apt install rfkill

  Commands 
   $ sudo rfkill list
   $ sudo rfkill unblock wifi
∙ Deactivating and Activating WiFi Firmware

Deactivating module

$ sudo modprobe -vr rtw_8723d
$ sudo modprobe -vr rtw_core

Activating module

$ sudo modprobe -v rtw_core
$ sudo modprobe -v rtw_8723d

∙ Power and suspend control

$ sudo ls /etc/NetworkManager/conf.d
$ sudo touch /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf
$ sudo nano /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf
[connection]
wifi.powersave = 2

or

$ sudo sed -i 's/3/2/' /etc/NetworkManager/conf.d/default-wifi-powersave-on.conf

Notes:
pcie_aspm.policy=powersave
pcie_aspm.policy=performance
usbcore

∙ WiFi stops working after resume

$ sudo touch /etc/modprobe.d/50-rtw-core.conf
$ sudo nano /etc/modprobe.d/50-rtw-core.conf
options rtw_core
$ sudo modprobe -rv rtw_9999xy && sudo modprobe -v rtw_6666wz

∙ DNS Issues

$ ping -c 4 duckduckgo.com
$ nslookup duckduckgo.com
$ dig +trace +nodnssec duckduckgo.com
$ host duckduckgo.com

$ sudo resolvectl status
$ sudo cat /etc/resolv.conf
$ sudo cat /var/run/NetworkManager/resolv.conf
$ nmcli device show wlan0 | grep IP4.DNS

$ sudo apt install resolvconf
$ sudo resolvconf --list
$ sudo resolvconf --enable-updates
$ sudo resolvconf -u

$ sudo apt install iproute2
$ sudo ss -nlup

• Syntax checks
$ sudo dnsmasq --test
• Print errors
$ sudo grep -c dnsmasq /var/log/*
$ sudo grep -c dnsmasq /var/log/syslog
$ sudo dnsmasq --no-daemon --log-queries=extra --log-dhcp --log-debug -C /etc/dnsmasq.conf

*Conflicts between dnsmasq and systemd-resolved

∙ DHCP Issues

$ sudo apt install tcpdump

$ sudo apt install nmap

$ sudo apt install wireshark


9.06 USB Devices

https://wiki.ubuntu.com/Kernel/Debugging/USB
https://wiki.archlinux.org/title/Power_management#USB_autosuspend
https://docs.kernel.org/driver-api/usb/power-management.html
https://wiki.debian.org/HowToIdentifyADevice/USB
https://wiki.debian.org/HowToIdentifyADevice/PCI
https://kernel.org/doc/html/latest/usb/index.html
https://kernel.org/doc/html/v4.16/driver-api/usb/power-management.html
UAS Issues - https://forums.raspberrypi.com/viewtopic.php?t=245931

Bug - xhci_hcd 0000:15:00.0: WARN Set TR Deq Ptr cmd failed due to incorrect slot or ep state - https://bugzilla.kernel.org/show_bug.cgi?id=202541
Bug - CPU hard lockup related to xhci/dma - https://bugzilla.kernel.org/show_bug.cgi?id=217242
Bug - Debootstrap is very slow. Please use eatmydata to fix this. - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700633

Tip: If you are transferring large amounts of data via a problematic USB, use grsync as a manager.

USB debug

$ lsusb -t
$ lsusb -v
$ lsusb -v | grep 1111
$ usb-devices
$ sudo dmesg -w
$ sudo dmesg -T | grep xhci
$ sudo lspci -v | grep xhci
$ sudo grep -i xhci /boot/config-$(uname -r)

See usb device getting plugged in

$ sudo dmesg -wH

Firmware

$ sudo modinfo xhci_hcd
$ sudo modinfo ehci_hcd
$ sudo modinfo btusb
$ sudo modprobe -v ohci-pci
$ sudo modprobe -v ehci-hcd
$ sudo modprobe -v xhci-hcd
$ sudo modprobe -v xhci-pci

You may try to force your system to use USB 2.0 instead of USB 1.1:

$ sudo modprobe -vr ohci-pci
$ sudo modprobe -v ehci-hcd

Deactivate

$ sudo modprobe -vr xhci-hcd
$ sudo modprobe -vr xhci-pci

Activate

$ sudo modprobe -v xhci-hcd
$ sudo modprobe -v xhci-pci

Power and suspend control

$ sudo cat /etc/tlp.conf
$ grep . /sys/bus/usb/devices/*/power/autosuspend
$ grep . /sys/bus/usb/devices/*/power/control
$ grep . /sys/bus/usb/devices/*/power/wakeup

If your keyboard, mouse or other USB devices sometimes stop working, check whether power management is affecting you by running this command:

$ cat /sys/module/usbcore/parameters/autosuspend

You're affected if you get back a "2". To disable it, simply write -1 to that file as root:

$ sudo su

# echo -1 > /sys/module/usbcore/parameters/autosuspend

To make the change permanent, edit

$ sudo nano /etc/default/grub

and add

usbcore.autosuspend=-1

to the end of the command in GRUB_CMDLINE_LINUX_DEFAULT

GRUB_CMDLINE_LINUX_DEFAULT="quiet usbcore.autosuspend=-1"

and update grub

$ sudo update-grub

Alternatively:

$ sudo perl -p -i.bak -e 's/"$/ usbcore.autosuspend=-1"/ if /^GRUB_CMDLINE_LINUX_DEFAULT=/' /etc/default/grub

$ sudo update-grub

UAS Issues

https://forums.raspberrypi.com/viewtopic.php?t=245931

Symptoms of a misbehaving UAS device

• Slow transfers
• Frequent disconnects-reconnects
• Dmesg reports errors relating to a UAS device.

Solving

Plug in the USB device(s) and run the command dmesg

$ sudo dmesg --since -2m

Take note of the VID (idVendor) and PID (idProduct) of your USB device(s)

(...)
[ 4906.696463] usb 2-1: New USB device found, idVendor=1111, idProduct=2222, bcdDevice=c3.33
(...)

Add the quirks to /boot/cmdline.txt

$ sudo nano /boot/cmdline.txt

Add the text with your idVendor and idProduct, respectively.

usb-storage.quirks=1111:2222:u
usb-storage.quirks=4444:5555:u,6666:7777:u,8888:9999:u

Reboot

$ sudo reboot

Check

$ sudo dmesg | grep usb-storage
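
The steps above as a script, added here as an example that is not part of the original cookbook: it extracts the idVendor/idProduct pairs from dmesg text, builds the usb-storage.quirks parameter and appends it once to a single-line cmdline file. The function names and the sample log lines are constructed; it assumes a one-line /boot/cmdline.txt as in the linked Raspberry Pi thread, and GNU sed.

```shell
#!/bin/sh
# Added example (not from the original page). The "u" flag tells usb-storage
# to ignore UAS for the listed device.

# Constructed sample of dmesg output; the IDs are placeholders like the page's.
SAMPLE_DMESG='[ 4906.696463] usb 2-1: New USB device found, idVendor=1111, idProduct=2222, bcdDevice=c3.33
[ 4906.696470] usb 2-1: Product: Constructed UAS bridge
[ 5001.120001] usb 2-2: New USB device found, idVendor=4444, idProduct=5555, bcdDevice= 1.00
[ 5100.000001] usb 2-1: New USB device found, idVendor=1111, idProduct=2222, bcdDevice=c3.33'

# usb_ids: read dmesg text on stdin, print unique "vid:pid" pairs in first-seen
# order. Only well-formed 4-digit hex IDs are accepted.
usb_ids() {
    sed -n 's/.*New USB device found, idVendor=\([0-9a-fA-F]\{4\}\), idProduct=\([0-9a-fA-F]\{4\}\).*/\1:\2/p' |
        tr 'A-F' 'a-f' |
        awk '!seen[$0]++'
}

# uas_quirks: read dmesg text on stdin, print the kernel parameter.
# Feed it only the lines of the misbehaving device, e.g. `dmesg --since -2m`.
# Returns 1 when no device line was found.
uas_quirks() {
    usb_ids | awk '{ list = list (NR > 1 ? "," : "") $0 ":u" }
                   END { if (NR == 0) exit 1; print "usb-storage.quirks=" list }'
}

# add_quirks_to_cmdline FILE PARAM
#   exit 0: PARAM appended to the single line in FILE, backup kept as FILE.bak
#   exit 1: FILE already carries a usb-storage.quirks entry, nothing changed
#   exit 2: missing file or malformed PARAM, nothing changed
add_quirks_to_cmdline() (
    file=$1
    param=$2
    [ -f "$file" ] || exit 2
    # The value is spliced into a sed script and a boot file: validate it first.
    printf '%s' "$param" | grep -Eq '^usb-storage\.quirks=[0-9a-f:,u]+$' || exit 2
    if grep -q 'usb-storage\.quirks=' "$file"; then
        exit 1
    fi
    cp -p -- "$file" "$file.bak" || exit 2
    # cmdline.txt must stay one line: extend line 1 instead of adding a new line.
    sed -i '1s/[[:space:]]*$/ '"$param"'/' "$file"
)

# Demo on the constructed sample: prints the parameter to add.
printf '%s\n' "$SAMPLE_DMESG" | uas_quirks
```
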

udisks2.service

$ sudo systemctl status udisks2.service
$ sudo apt install libblockdev-crypto2 libblockdev-mdraid2 --no-install-recommends

intel_iommu=off
legacy USB

In the BIOS, keep USB 3.0 and any other USB options turned on, but turn off the legacy USB option. Keep in mind that after disabling legacy USB you could, in some cases, lose the ability to enter your BIOS if you have a USB keyboard, because the keyboard will not work at the moment when you need to press DEL or F2 or whatever.

Mouse

https://github.com/sriemer/fix-linux-mouse


9.07 Bluetooth

Bluetooth

https://wiki.archlinux.org/title/Bluetooth
https://wiki.archlinux.org/title/Bluetooth#Troubleshooting
https://wiki.debian.org/BluetoothUser
https://wiki.debian.org/Bluetooth/Alsa
https://github.com/Arkq/bluez-alsa

First things first:

$ sudo apt install firmware-realtek
or $ sudo apt install firmware-iwlwifi
or $ sudo apt install firmware-atheros

Audio compatibility

$ sudo apt install pulseaudio-module-bluetooth
or $ sudo apt install bluez-alsa-utils

Debug

$ sudo service bluetooth status
$ hciconfig -a
$ hciconfig hci0
$ sudo dmesg | grep Bluetooth
$ sudo dmesg | grep iwl
$ sudo dmesg | grep rtl
$ sudo dmesg | grep ath

Connecting Bluetooth
  Commands 
    • Connecting bluetooth manually with Bluez
    $ bluetoothctl
    [bluetooth]# scan on
    [bluetooth]# pair xx:xx:xx
    [bluetooth]# connect xx:xx:xx 
    [bluetooth]# trust xx:xx:xx 
    [bluetooth]# block yy:yy:yy
Bluetooth Management
  Commands 
    • Bluetooth management
    $ btmgmt
    [btmgmt]# info
Bluetooth Audio ALSA Backend (bluealsa)

https://github.com/arkq/bluez-alsa/wiki/Bluetooth-Pairing-And-Connecting

$ sudo apt install bluez-alsa-utils

Mouse

https://github.com/sriemer/fix-linux-mouse


9.08 Sound

https://wiki.ubuntu.com/DebuggingSoundProblems
https://wiki.archlinux.org/title/Advanced_Linux_Sound_Architecture
https://wiki.archlinux.org/title/PulseAudio/Troubleshooting
https://thesofproject.github.io/latest/getting_started/intel_debug/suggestions.html
https://wiki.debian.org/Sound
https://wiki.debian.org/SoundConfiguration
https://alsa-project.org
https://github.com/thesofproject/sof/issues
https://github.com/thesofproject

First things first:

$ sudo apt install firmware-sof-signed
$ sudo apt install firmware-intel-sound

Debug commands

List of PLAYBACK Hardware Devices

$ aplay -l
$ lspci |grep -i audio
$ cat /proc/asound/cards
$ cat /proc/asound/card*/id

List of CAPTURE Hardware Devices

$ arecord -l

Testing

$ speaker-test

Other debug commands

$ cat /proc/asound/cards
$ cat /proc/asound/modules
$ lspci -v | grep Audio
$ lsusb
$ lsmod | grep snd
$ aplay -lL
$ amixer
$ amixer -c0
$ sudo dpkg-reconfigure linux-sound-base
$ sudo alsa-info

ALSA

The "Advanced Linux Sound Architecture" (ALSA) is a part of the Linux kernel. PulseAudio is a sound server that sits between ALSA and user applications, aiming to provide easy automatic sound configuration for users. PulseAudio controls underlying ALSA-level volume controls.

$ sudo apt install alsa-utils
$ alsamixer
$ amixer -c 0 set Master 100%
$ amixer -c 1 set Speaker 50%
$ amixer -c 1 set Speaker 3db
$ amixer -c 1 set Speaker 2db+
$ amixer -c 0 set Mic unmute
$ sudo nano /etc/pulse/default.pa

PulseAudio Volume Control

Allows you to control both the volume of hardware devices and of each playback stream separately. It also allows you to redirect a playback stream to another output device.

$ sudo apt install pavucontrol

Advanced solution

Install the SOF firmware binaries from the source: https://github.com/thesofproject/sof-bin

Clone the repository:

$ git clone https://github.com/thesofproject/sof-bin.git

Change to directory:

$ cd sof-bin

Follow: https://github.com/thesofproject/sof-bin#install-process-with-installsh

$ sudo mv /lib/firmware/intel/sof* some_backup_location/

$ sudo mv /usr/local/bin/sof-* some_backup_location/ # optional

$ sudo ./install.sh v2.2.x/v2.2

Reboot

$ sudo reboot

"Apollo Lake" platform

https://thesofproject.github.io/latest/getting_started/intel_debug/suggestions.html#es8336-support

Check your kernel configuration, typically available as a /boot/config-*. These options below will allow you to use Sound Open Firmware, start with:

$ grep SND_SOC_INTEL_APL /boot/config-*

For your system you could select:

ALSA for SoC audio support (CONFIG_SND_SOC=m)
Intel ASoC SST drivers (CONFIG_SND_SOC_INTEL_SST_TOPLEVEL=y)
and the appropriate platform option, which in your case would be "Broxton/ApolloLake platforms" (CONFIG_SND_SOC_INTEL_APL=m)

Other options:

Sound Open Firmware support (CONFIG_SND_SOC_SOF_TOPLEVEL=y)
SOF support for Intel Audio DSPs (CONFIG_SND_SOC_SOF_INTEL_TOPLEVEL=y)
SOF PCI enumeration support (CONFIG_SND_SOC_SOF_PCI=m)
SOF support for Apollolake (CONFIG_SND_SOC_SOF_APOLLOLAKE_SUPPORT=m)
SOF support for HDA Links (HDA/HDMI) (CONFIG_SND_SOC_SOF_HDA_LINK=y)
SOF support for HDAudio codecs (CONFIG_SND_SOC_SOF_HDA_AUDIO_CODEC=y)

9.09 Printers

Printers

https://wiki.debian.org/SystemPrinting
https://wiki.ubuntu.com/DebuggingPrintingProblems

∙ HP

https://developers.hp.com/hp-linux-imaging-and-printing/install/manual/distros/debian
https://wiki.debian.org/InstallingDebianOn/HP
https://developers.hp.com/hp-linux-imaging-and-printing

$ sudo apt install hplip

∙ EPSON

https://epson.com/Support/wa00821

$ sudo apt install

∙ Wireless Firewall Ports

$


9.10 Keyboard

https://pubs.opengroup.org/onlinepubs/7908799/xbd/envvar.html#tag_002_002

Keyboard debug

$ locale
$ locale -a

Reset Layout

$ sudo dpkg-reconfigure keyboard-configuration
$ sudo service keyboard-setup restart
$ sudo update-initramfs -u

Accents not working

Can't type accented letters in certain programs.

$

Assign Home and End to Fn + Arrows

https://superuser.com/questions/428945/defining-keyboard-shortcuts-involving-the-fn-key

https://superuser.com/questions/1069211/assign-home-and-end-to-fnarrows

$

Remap Apple Magic Keyboard

https://github.com/dongjinleekr/hid-apple-numberless-ko
https://github.com/isakhauge/nor-apple-keyboard-xmodmap


9.11 Locales and Time/Date

https://man7.org/linux/man-pages/man1/locale.1.html
https://linuxfromscratch.org/lfs/view/stable-systemd/chapter09/locale.html
https://pubs.opengroup.org/onlinepubs/7908799/xbd/envvar.html#tag_002_002

Locales

$ locale
$ sudo apt reinstall locales
$ sudo locale-gen
$ sudo locale-gen en_US.UTF-8
$ sudo dpkg-reconfigure locales
*Logoff

If locale-gen had no results

$ locale
$ export LANGUAGE=en_US.UTF-8
$ export LC_ALL=en_US.UTF-8
$ export LANG=en_US.UTF-8
$ export LC_CTYPE=en_US.UTF-8

Still no results

$ export LC_ALL="C.UTF-8"
$ sudo dpkg-reconfigure locales

Still no results

In /etc/locale.gen, uncomment the line:
en_US.UTF-8 UTF-8
then run:
$ sudo locale-gen

Switch terminal command output

UNDER TEST! NOT FULLY TESTED!

http://manpages.ubuntu.com/manpages/trusty/man7/locale.7.html

• Definitively change output language from native language to English
$ env
$ env | egrep -e 'LC_ALL|LANG'
$ cat ~/.bashrc
$ cat ~/.bash_profile
$ LANG=en_US.UTF-8 LC_ALL=en_US.UTF-8 LANGUAGE=en_US.UTF-8 $SHELL

Bash function for terminal

Switching between DE and EN locales. Put it in your ~/.bashrc (or ~/.bash_profile).

Call it with _configure_locale EN to switch to English.

function _configure_locale() { # [profile]
    local profile=${1:-EN}
    case ${profile} in
      DE|DE_DE|de_DE)
          LC_ALL="de_DE.UTF-8"
          LANG="de_DE.UTF-8"
          LANGUAGE="de_DE:de:en_US:en"
          ;;
      EN|EN_US|en|en_US)
          LC_ALL="en_US.UTF-8"
          LANG="en_US.UTF-8"
          LANGUAGE="en_US:en"
          ;;
      *)
          echo "ALERT" "${FUNCNAME}: unknown profile '${profile}'"
          ;;
      esac
      LC_PAPER="de_DE.UTF-8"; # independent from locale
      LESSCHARSET="utf-8";    # independent from locale
      MM_CHARSET="utf-8"      # independent from locale
      echo "locale settings" "${LANG}";
      export LC_ALL LANG LANGUAGE LC_PAPER LESSCHARSET MM_CHARSET
}

Time and Date

Control the system time and date

$ timedatectl
$ tzselect

How to reconfigure time and date

$ sudo dpkg-reconfigure tzdata

NTP

$ sudo apt install ntpdate && sudo ntpdate in.pool.ntp.org && sudo dpkg-reconfigure tzdata

∙ Coordinated Universal Time - UTC-00:00

$

∙ Greenwich Mean Time - GMT

$


9.12 Torrenting

General debug

1. Resetting qBittorrent / trying another torrent client
2. Trying another device on same network
3. Trying ethernet instead of Wi-Fi
4. Trying downloading to external storage rather than SSD
5. Stopping all running apps/services in background
6. Running speed tests to see if it also happens outside torrenting

Download speed fluctuations and near zero uploading, speed spikes

Possible causes
1. Your external disk case, awful flash drive or internal SSD just not being able to handle the simultaneous writes and reads.
2. Your VPN limiting your bandwidth.
3. Your ISP throttling. Torrent traffic throttled even through a VPN.
Possible solutions

Disk Benchmarks Test

$ sudo apt install gnome-disk-utility

For your ISP throttle, try your VPN Obfuscated Servers or P2P Servers.

Do a Leak Test

∙ DNSLeakTest.com (run the "Extended test")
∙ IPLeak.net

curl ipleak.net/json/
curl ipinfo.io

Alternatively, start torrenting over the VPN on your PC and wait until throttling begins. Then try to play back a 1080p video on your smartphone, choosing one where you can see the quality difference (for example one with many text elements such as computer hardware benchmarks). A 1080p video needs about 1-2Mbps (250KB/s) bandwidth.

Instead you can try to download something on the phone. This is to find out if it's an issue with the VPN server/software or with your ISP line as a whole. It's possible for your ISP to only throttle the connection to the VPN server and leave the rest alone.

Problem 2

$ sudo


9.13 Disks

https://wiki.debian.org/SSDOptimization
https://wiki.archlinux.org/title/Solid_state_drive

Disk managers

GParted

$ sudo apt install gparted

Gnome Disk - "Disks"

$ sudo apt install gnome-disk-utility

Disk manager with LVM support

KDE Partition Manager

$ sudo apt install partitionmanager

Disk debug

$ dmesg -T | grep xhci
$ lsusb -tv
  Commands for fdisk and e2fsck
    • List partitions:
    $ sudo fdisk -l /dev/sdb
    • EXT - Badblock (e2fsck only handles ext2/ext3/ext4 filesystems, not NTFS):
    $ sudo e2fsck -p /dev/sde1
    $ sudo e2fsck -c /dev/sde1
    $ sudo e2fsck -l /badblock/file /dev/sdb1

Disk Utilities

TESTDISK

https://cgsecurity.org/wiki/TestDisk

SMARTMONTOOLS

$ sudo apt install smartmontools

  Commands for smartmontools
    • How to :
    $ sudo smartctl -a /dev/sda
HDPARM

$ sudo apt install hdparm

  Commands for hdparm
    • How to :
    $ sudo hdparm -I /dev/sda
KDISKMARK

$ sudo apt install -y kdiskmark

DEBUGFS

$ sudo debugfs


9.14 Hardware

Hardware Utilities

$ sudo apt install lshw
$ sudo apt install inxi
$ sudo apt install cpu-x
$ sudo apt install hardinfo
$ sudo apt install s-tui stress



10. OTHERS

10.01 Some Links

Links

https://creativecommons.org
https://fsf.org
https://fsfe.org
https://gnu.org
https://iec.ch/cyber-security
https://iso.org/standards.html
https://linuxfoundation.org
https://linuxfromscratch.org
https://man7.org
https://nist.gov/standards
https://opengroup.org
https://opensource.com
https://opensource.org
https://todogroup.org

YouTube Links

https://youtube.com/@DebConfVideos
https://youtube.com/@BlackHatOfficialYT
https://youtube.com/@DEFCONConference
https://youtube.com/@mediacccde
https://youtube.com/@DFRWS
https://youtube.com/@44contv
https://youtube.com/@secwestnet
https://youtube.com/@EkopartyConference
https://youtube.com/@reconmtl
https://youtube.com/@TROOPERScon

Linux Blogs

https://0pointer.net/blog/
https://blog.carsoncheng.ca
https://dwarmstrong.org
https://fabianlee.org
https://itsfoss.com
https://lwn.net
https://linux-tips.us
https://linuxcnf.com
https://linuxconfig.org
https://linuxhandbook.com
https://linuxiac.com
https://linuxinsider.com
https://linuxsecurity.com
https://ostechnix.com
https://programmerall.com
https://slant.co
https://techviewleo.com
https://tqdev.com
https://vitux.com

Others

https://en.wikiversity.org/wiki/Open_Educational_Resources/Open_Courses
https://en.wikiversity.org/wiki/Open_Educational_Resources/Open_Textbooks
https://freecomputerbooks.com
http://www.freetechbooks.com
https://www.ibiblio.org/kuphaldt/electricCircuits
https://www.electronics-tutorials.ws
https://riptutorial.com/ebook
https://shellcheck.net
https://shellscript.sh
https://shellhacks.com
https://explainshell.com
https://regular-expressions.info
https://notrace.how
https://anarsec.guide
https://0x00sec.org


