ADB, Android Debug Bridge, is a command-line utility included with Google's Android SDK. ADB can control your device over USB from a computer, copy files back and forth, install and uninstall apps, run shell commands, and more. ADB is a powerful tool that can be used to control your Android device from a computer. Below are some of the most common commands you can use with ADB and their usage. You can find more information about ADB and its usage by visiting the official website.
adb shell am start -a android.intent.action.VIEW -d URL
Opens URL
adb shell am start -t image/* -a android.intent.action.VIEW
Opens gallery
Comments
\ No newline at end of file
diff --git a/android/apktool/index.html b/android/apktool/index.html
new file mode 100644
index 000000000..95f845e2b
--- /dev/null
+++ b/android/apktool/index.html
@@ -0,0 +1,170 @@
+ Apktool - 3os
A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications. It also makes working with an app easier because of the project like file structure and automation of some repetitive tasks like building apk, etc.
It is NOT intended for piracy and other non-legal uses. It could be used for localizing, adding some features or support for custom platforms, analyzing applications and much more.
In order to install modified APK on Android device, you need to sign it with a certificate. Android APK won't be signed by default. You need to sign it manually.
Install apksigner
aptinstall-yapksigner
+
Create certificate at the same folder you've compiled your modified APK
Enter A password (we will need it to singe the APK), enter any data you wish for the certificate information. At the end enter 'y' at the end to create the certificate.
Now we should have 2 files: your.apk, keystore.jks. The only step left is to singe the APK with new certificate.
apksignersign--kskeystore.jksyour.apk
+
When installing the APK you will be prompted with a warning of "unknown certificate" just hit Install.
Comments
\ No newline at end of file
diff --git a/android/applications/index.html b/android/applications/index.html
new file mode 100644
index 000000000..5062927c9
--- /dev/null
+++ b/android/applications/index.html
@@ -0,0 +1,167 @@
+ PT Application - 3os
List for Android penetration testing applications and tools that can be used to aid in penetration testing. The following are the most commonly used applications. Feel free to suggest new applications and tools at comments section below.
List of Android Penetration Testing Tools and Applications¶
\ No newline at end of file
diff --git a/android/jadx-decompiler/index.html b/android/jadx-decompiler/index.html
new file mode 100644
index 000000000..cfc69e50c
--- /dev/null
+++ b/android/jadx-decompiler/index.html
@@ -0,0 +1,278 @@
+ JADX Decompiler - 3os
After download unpack zip file go to bin directory and run: - jadx - command line version - jadx-gui - UI version
On Windows run .bat files with double-click\ Note: ensure you have installed Java 11 or later 64-bit version. For Windows, you can download it from oracle.com (select x64 Installer).
jadx[-gui] [command] [options] <input files> (.apk, .dex, .jar, .class, .smali, .zip, .aar, .arsc, .aab)
+commands (use '<command> --help' for command options):
+ plugins - manage jadx plugins
+
+options:
+ -d, --output-dir - output directory
+ -ds, --output-dir-src - output directory for sources
+ -dr, --output-dir-res - output directory for resources
+ -r, --no-res - do not decode resources
+ -s, --no-src - do not decompile source code
+ --single-class - decompile a single class, full name, raw or alias
+ --single-class-output - file or dir for write if decompile a single class
+ --output-format - can be 'java' or 'json', default: java
+ -e, --export-gradle - save as android gradle project
+ -j, --threads-count - processing threads count, default: 4
+ -m, --decompilation-mode - code output mode:
+ 'auto' - trying best options (default)
+ 'restructure' - restore code structure (normal java code)
+ 'simple' - simplified instructions (linear, with goto's)
+ 'fallback' - raw instructions without modifications
+ --show-bad-code - show inconsistent code (incorrectly decompiled)
+ --no-imports - disable use of imports, always write entire package name
+ --no-debug-info - disable debug info parsing and processing
+ --add-debug-lines - add comments with debug line numbers if available
+ --no-inline-anonymous - disable anonymous classes inline
+ --no-inline-methods - disable methods inline
+ --no-move-inner-classes - disable move inner classes into parent
+ --no-inline-kotlin-lambda - disable inline for Kotlin lambdas
+ --no-finally - don't extract finally block
+ --no-replace-consts - don't replace constant value with matching constant field
+ --escape-unicode - escape non latin characters in strings (with \u)
+ --respect-bytecode-access-modifiers - don't change original access modifiers
+ --mappings-path - deobfuscation mappings file or directory. Allowed formats: Tiny and Tiny v2 (both '.tiny'), Enigma (.mapping) or Enigma directory
+ --mappings-mode - set mode for handling the deobfuscation mapping file:
+ 'read' - just read, user can always save manually (default)
+ 'read-and-autosave-every-change' - read and autosave after every change
+ 'read-and-autosave-before-closing' - read and autosave before exiting the app or closing the project
+ 'ignore' - don't read or save (can be used to skip loading mapping files referenced in the project file)
+ --deobf - activate deobfuscation
+ --deobf-min - min length of name, renamed if shorter, default: 3
+ --deobf-max - max length of name, renamed if longer, default: 64
+ --deobf-whitelist - space separated list of classes (full name) and packages (ends with '.*') to exclude from deobfuscation, default: android.support.v4.* android.support.v7.* android.support.v4.os.* android.support.annotation.Px androidx.core.os.* androidx.annotation.Px
+ --deobf-cfg-file - deobfuscation mappings file used for JADX auto-generated names (in the JOBF file format), default: same dir and name as input file with '.jobf' extension
+ --deobf-cfg-file-mode - set mode for handling the JADX auto-generated names' deobfuscation map file:
+ 'read' - read if found, don't save (default)
+ 'read-or-save' - read if found, save otherwise (don't overwrite)
+ 'overwrite' - don't read, always save
+ 'ignore' - don't read and don't save
+ --deobf-use-sourcename - use source file name as class name alias
+ --deobf-res-name-source - better name source for resources:
+ 'auto' - automatically select best name (default)
+ 'resources' - use resources names
+ 'code' - use R class fields names
+ --use-kotlin-methods-for-var-names - use kotlin intrinsic methods to rename variables, values: disable, apply, apply-and-hide, default: apply
+ --rename-flags - fix options (comma-separated list of):
+ 'case' - fix case sensitivity issues (according to --fs-case-sensitive option),
+ 'valid' - rename java identifiers to make them valid,
+ 'printable' - remove non-printable chars from identifiers,
+ or single 'none' - to disable all renames
+ or single 'all' - to enable all (default)
+ --integer-format - how integers are displayed:
+ 'auto' - automatically select (default)
+ 'decimal' - use decimal
+ 'hexadecimal' - use hexadecimal
+ --fs-case-sensitive - treat filesystem as case sensitive, false by default
+ --cfg - save methods control flow graph to dot file
+ --raw-cfg - save methods control flow graph (use raw instructions)
+ -f, --fallback - set '--decompilation-mode' to 'fallback' (deprecated)
+ --use-dx - use dx/d8 to convert java bytecode
+ --comments-level - set code comments level, values: error, warn, info, debug, user-only, none, default: info
+ --log-level - set log level, values: quiet, progress, error, warn, info, debug, default: progress
+ -v, --verbose - verbose output (set --log-level to DEBUG)
+ -q, --quiet - turn off output (set --log-level to QUIET)
+ --version - print jadx version
+ -h, --help - print this help
+
+Plugin options (-P<name>=<value>):
+ 1) dex-input: Load .dex and .apk files
+ - dex-input.verify-checksum - verify dex file checksum before load, values: [yes, no], default: yes
+ 2) java-convert: Convert .class, .jar and .aar files to dex
+ - java-convert.mode - convert mode, values: [dx, d8, both], default: both
+ - java-convert.d8-desugar - use desugar in d8, values: [yes, no], default: no
+ 3) kotlin-metadata: Use kotlin.Metadata annotation for code generation
+ - kotlin-metadata.class-alias - rename class alias, values: [yes, no], default: yes
+ - kotlin-metadata.method-args - rename function arguments, values: [yes, no], default: yes
+ - kotlin-metadata.fields - rename fields, values: [yes, no], default: yes
+ - kotlin-metadata.companion - rename companion object, values: [yes, no], default: yes
+ - kotlin-metadata.data-class - add data class modifier, values: [yes, no], default: yes
+ - kotlin-metadata.to-string - rename fields using toString, values: [yes, no], default: yes
+ - kotlin-metadata.getters - rename simple getters to field names, values: [yes, no], default: yes
+ 4) rename-mappings: various mappings support
+ - rename-mappings.format - mapping format, values: [auto, TINY, TINY_2, ENIGMA, ENIGMA_DIR, MCP, SRG, TSRG, TSRG2, PROGUARD], default: auto
+ - rename-mappings.invert - invert mapping, values: [yes, no], default: no
+
+Environment variables:
+ JADX_DISABLE_ZIP_SECURITY - set to 'true' to disable all security checks for zip files
+ JADX_ZIP_MAX_ENTRIES_COUNT - maximum allowed number of entries in zip files (default: 100 000)
+ JADX_TMP_DIR - custom temp directory, using system by default
+
+Examples:
+ jadx -d out classes.dex
+ jadx --rename-flags "none" classes.dex
+ jadx --rename-flags "valid, printable" classes.dex
+ jadx --log-level ERROR app.apk
+ jadx -Pdex-input.verify-checksum=no app.apk
+
These options also worked on jadx-gui running from command line and override options from preferences dialog
You can use jadx in your java projects, check details on wiki page
Comments
\ No newline at end of file
diff --git a/android/mobsf/index.html b/android/mobsf/index.html
new file mode 100644
index 000000000..a31c9994c
--- /dev/null
+++ b/android/mobsf/index.html
@@ -0,0 +1,191 @@
+ MobSF - 3os
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF support mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline.The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.
Android app establishes an HTTPS connection, it checks the issuer of the server's certificate against the internal list of trusted Android system certificate authorities to make sure it is communicating with a trusted server. This is called SSL Pinning. If the server's certificate is not in the list of trusted certificates, the app won't be able to communicate with the server.
Frida is dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. It is a powerful tool that allows you to modify Android applications and libraries without having to recompile them.
Make sure to download the proper version of Frida Server for your Android cpu architecture. Alwasys use the latest version of Frida Server and frida-tools
Extract and rename the file to frida-server Move the file to the Adnroid Phone to /data/local/tmp/
When building complex infrastructure and managing multiple servers and services using ip addresses is can create a lot of issues and is not always easy to manage. The preferred way is to use a DNS provider that allows you to manage your domain names and their associated IP addresses. DDNS Cloudflare Bash script is a simple bash script that allows you to easily update your Cloudflare's DNS records dinamically regardless of your current IP address. DDNS Cloudflare Bash Script can be used on Linux, Unix, FreeBSD, and macOS with only one requirment of curl
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Comments
\ No newline at end of file
diff --git a/automation/ddns-cloudflare-powershell/index.html b/automation/ddns-cloudflare-powershell/index.html
new file mode 100644
index 000000000..5d5a8154e
--- /dev/null
+++ b/automation/ddns-cloudflare-powershell/index.html
@@ -0,0 +1,172 @@
+ DDNS Cloudflare PowerShell - 3os
When building complex infrastructure and managing multiple servers and services using ip addresses is can create a lot of issues and is not always easy to manage. The preferred way is to use a DNS provider that allows you to manage your domain names and their associated IP addresses. DDNS Cloudflare PowerShell script is a simple PowerShell script that allows you to easily update your Cloudflare's DNS records dinamically regardless of your current IP address. DDNS Cloudflare PowerShell Script can be used on Windows operating systems without any requirements for PowerShell.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Comments
\ No newline at end of file
diff --git a/automation/gmail-mark-archived-mail-as-read/index.html b/automation/gmail-mark-archived-mail-as-read/index.html
new file mode 100644
index 000000000..f29630146
--- /dev/null
+++ b/automation/gmail-mark-archived-mail-as-read/index.html
@@ -0,0 +1,173 @@
+ Gmail Mark Archived as Read - 3os
My preferred method of managing emails in Gmail is Zero Inbox. In short, emails in Inbox work as to-do list. The Inbox may contain important email i need to attend or a digital receipt from a payment I've made a minute ago. Since I know the content of that email the task is done and I archive it. This email will move from Inbox to All Mail or a dedicated label if you have automation rules.
When using the Archive function email which weren't opened or marked as Read will show as number counter in All Mail or Dedicated Label. Since I'm done with those emails I have to manually mark emails as read. This is a tedious task and I don't want to do it manually
Using Google Scripts We can create a personal app that will automatically mark emails as read when they are archived. This is a simple script that will run on Gmail and will mark emails as read when they are no longer in the inbox folder. You can choose how often you want to automatically mark archived email as read in gmail. This solution was tested on personal Gmail accounts and the Google Workspace Gmail accounts (as long you can grunt permission).
Make sure you are logged in to your Google account. Open Google Scripts and create a new project.
You will be prompted with a new windwos. Rename the project to Automatically Mark Archived Email as Read. Copy and repace the following code to the new project.
After saving the project you should be able Run the script.
On the first run the script will ask you to give it the necessary permissions. Click Review permissions to continue.
Since the app is not signed you will be prompted with a warning. I's ok and safe. Click Advanced.
Click Go to Gmail Mark Archived as Read (unsafe) to continue.
At this point you will be prompted to grant the script Automatically Mark Archived Email as Read access to your Gmail account. Click Allow. This will alow the script to perform the actions you need.
If all went well you should see the log of the script as show bellow.
At this point we create a Automatically Mark Archived Email as Read script and grunt it the necessary permissions. NNow we want to automate the process. We can do this by creating a new timed trigger. Head over the Trigger menu
Click Add Trigger.
You will be prompted to select when and how the script will run. The following example will run the script every 5 minutes, and send a failure email report onece a week.
Note
The script may fail onces in a while. This is due to the fact it depends on Gmail's API. Unless you receive an email with hunders of failed attempts, you can ignore the email.
Note
Update: Some people are reporting an error which says "This operation can only be applied to at most 100 threads. (line 3, file "Code")". To fix this, you have to manually do a search for "is:unread" and mark all of them as read before running the script, so that it starts with a clean slate. The script can only process 100 threads per run, so if you give it more than 100 on the first run,
After creating the trigger you screen should look like this:
Now we whant to ensure that the script runs every 5 minutes. We can do this in Execution menu:
When 5 minutes passed from the point the trigger was created, the page log should look like this:
We are done with the installation and the configuration. You should already be able to see that some of the emails are marked as read.
Google's API is limited to 100 threads per request - a single script's run. This means that every 5 minutes it runs it will mark 100 emails as read. Since the script is run every 5 minutes, it won't take long to mark all emails as read automatically. If you aren't able to wait you can do it mark emails as read manually.
I've seen this script working without any issues for months, But suddenly you may receive an email with the Automatically Mark Archived Email as Read failing to run all the time. The reason is that the script lost the Gmail permissions. The solution is to run the script manually and grant the script the necessary permissions as the first time.
Comments
\ No newline at end of file
diff --git a/automation/guides/better-terminal-experience/index.html b/automation/guides/better-terminal-experience/index.html
new file mode 100644
index 000000000..88b53b626
--- /dev/null
+++ b/automation/guides/better-terminal-experience/index.html
@@ -0,0 +1,181 @@
+ Better Terminal Experience - 3os
I have been using terminal for a long time, it's one of my essential tools for my everyday work and hobbies. The default terminal experience is not very user friendly, and I find it sometimes frustrating to use for basic tasks. So I decided to improve my terminal experience for macOS and Linux without too much effort from the user side. This guide will help you to install and configure the **better terminal experience in less than 5 minutes.
Better Terminal Experience guide based on ZSH Shell with Oh My Zsh on top of it. Using built-in theme called Bira, zsh auto suggestions plugin that suggests commands as you type based on history and completions and zsh syntax highlighting plugin that highlighting of commands whilst they are typed at a zsh prompt into an interactive terminal.
Z-shell (Zsh) is a Unix shell that can be used as an interactive login shell and as a shell scripting command interpreter. Zsh is an enhanced Bourne shell with many enhancements, including some Bash, ksh and tcsh features.
The autosuggestions plugin has a bug with copy and paste so there is a workaround for that. Append the following to the end of the config to activate the workaround.
## Fix for Slow zsh-autosuggestions copy&paste
+autoload-Uzbracketed-paste-magic
+zle-Nbracketed-pastebracketed-paste-magic
+zstyle':bracketed-paste-magic'active-widgets'.self-*'
+
Save and exit the file. Open new terminal window and enjoy Better Terminal Experience!
\ No newline at end of file
diff --git a/automation/guides/pihole-doh/index.html b/automation/guides/pihole-doh/index.html
new file mode 100644
index 000000000..a623840be
--- /dev/null
+++ b/automation/guides/pihole-doh/index.html
@@ -0,0 +1,237 @@
+ Pi-hole with DOH on Docker - 3os
Pi-hole is a DNS server that is designed to block ads and trackers. It is a free and open source software project. It's based on blocklists and acts as a DNS sinkhole.
My setup fully depends on pi-hole dns server, that's why I use two servers one as primary DNS Server and the second as secondary DNS server.
I've configured my router as a DNS server for all the DHCP clients with primary and the secondary DNS as my pi-hole servers. This way all the clients requests the router to resolve the DNS and the router forwards the request to the pi-hole servers.
This is not a step by step guide for all the configurations of pihole or how to use docker containers. The following instuctions include only the deployemt of the pi-hole server with DoH providers.
We Will be using docker-compose to deploy the pi-hole server with DoH providers with a single configuration file.
The following docker-compose.yml includes two images: Pi-hole container, and cloudflared container. When you run docker-compose up the containers will be created and started. I't will create internal network for the pihole and two instances of cloudflared. When a request comes in the pihole will forward the request to the cloudflared instances one of them will use Cloudflare DNS servers and the other will use Google's DNS servers. There is no need to configure the pihole's DNS server at the UI since the configuration is done by docker-compose.yml file.
When using this setup two folders will be created on the Host machine for persistent storage of the containers: config, dnsmasq.d. Those folders will be mounted to the containers when its running/restarted/recreated. Those folders will be created at the root folder of the docker-compose.yml file.
Create a folder for the deployment of the containers at your host machine. create a file named docker-compose.yml at the root folder and copy the following content to it:
Now run docker-compose up -d to create the containers. If all went well you should should be able to access the pihole server at http://127.0.0.1.7003 with password ChangeMe from the config above.
Now you need to change your dns server to point to the pihole server. We are done with the installation.
Comments
\ No newline at end of file
diff --git a/automation/pihole-cloudflare-dns-sync/index.html b/automation/pihole-cloudflare-dns-sync/index.html
new file mode 100644
index 000000000..725eedc2a
--- /dev/null
+++ b/automation/pihole-cloudflare-dns-sync/index.html
@@ -0,0 +1,210 @@
+ Pi-hole Cloudflare DNS Sync - 3os
This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details
Comments
\ No newline at end of file
diff --git a/automation/syncthings/index.html b/automation/syncthings/index.html
new file mode 100644
index 000000000..9cfdeff27
--- /dev/null
+++ b/automation/syncthings/index.html
@@ -0,0 +1,272 @@
+ Syncthing - 3os
Syncthing is a continuous file synchronization program. Syncthing is an application that allows you to synchronize files between multiple devices. This means that creating, editing, or deleting files on one computer can be automatically copied to other devices.
Window installation from Syncthing Downloads installs the Syncthing as a service without any system tray icon or menu.
The best way I found is to use SyncTrayzor from SyncTrayzor Github Page. It hosts and wraps Syncthing, making it behave more like a native Windows application and less like a command-line utility with a web browser interface.
You can also instal it win winget with the following command:
In order to install Syncthing, we need to add 3rd party packages to Synology DSM. Synology Community Packages provides packages for Synology-branded NAS devices.
After we added Synology Community Packages you will be able to install Syncthing from the Cummunity tab.
Permissions for the Syncthing service will be handled by the new system user sc-syncthing
The following configuration are the same for all the installation methods. I'm no going to cover the basic configuration, but I will show you some of my personal preferences.
First to configure the Syncthing we need to access it's Web UI. The Default url is http://127.0.0.1:8384
If you are using Syncthing at remote Linux host, you can use SSH tunnel to access the Web UI.
ssh-L8001:127.0.0.1:8384root@192.168.102.6
+
This will forward 127.0.0.1:8384 from the remote host to 127.0.0.1:8001 on the local host.
For security reasons, I like to disable all the Discovery and Repay services.
When you disable the Discovery service, you will have to manually add the connection to other devices.
\ No newline at end of file
diff --git a/blog/index.html b/blog/index.html
new file mode 100644
index 000000000..870a2c45b
--- /dev/null
+++ b/blog/index.html
@@ -0,0 +1,147 @@
+ Blog - News & Updates - 3os
Syncthings is an application that allows you to synchronize files between multiple devices. This means that creating, editing, or deleting files on one computer can be automatically copied to other devices. iGPU Passthrough In Proxmox Server iGPU Split Passthrough In Proxmox Server GPU Passthrough In Proxmox Server Windows SSH Server - configure Windows SSH Server with RSA keys and PowerShell shell.
I've been working on the new design and new features for a while now. Most of the work was done on the backend for this website including CI/CD, and Cloudflare workers. Some of the new features include: Tags and Comments on pages. This feature will be implemented on most of the pages in the future.
Added New Tools to Penetration Testing (24/10/21)¶
Bettercap 1.6.2 tool for man in the middle attack and ssl strip Metasploit Framework Metasploit Framework, a tool for developing and executing exploit code against a remote target machine Wifite Wifite is an automated wireless attack tool
Added ADB CheatSheet page to Penetration Testing - Android. You will find a series of practical example commands for running ADB and getting the most of Android Debug Bridge powerful tool
npm is two things: first and foremost, it is an online repository for the publishing of open-source Node.js projects; second, it is a command-line utility for interacting with said repository that aids in package installation, version management, and dependency management. A plethora of Node.js libraries and applications are published on npm, and many more are added every day.
To see which global packages need to be updated, on the command line, run:
npmoutdated-g--depth=0
+
To update a single global package, on the command line, run:
npmupdate-g<package_name>
+
To update all global packages, on the command line, run:
npmupdate-g
+
Comments
\ No newline at end of file
diff --git a/development/node-npm/pm2/index.html b/development/node-npm/pm2/index.html
new file mode 100644
index 000000000..b76d4103d
--- /dev/null
+++ b/development/node-npm/pm2/index.html
@@ -0,0 +1,187 @@
+ PM2 - Node.js Process Manager - 3os
PM2 is a daemon process manager that will help you manage and keep your application online. Getting started with PM2 is straightforward, it is offered as a simple and intuitive CLI, installable via NPM.
Restarting PM2 with the processes you manage on server boot/reboot is critical. To solve this, just run this command to generate an active startup script:
It's very useful to update PM2 to the latest version specially when you update your Node.js version. Since updating node usually will brake the pm2 process to function properly, you can use the following command to update PM2:
npminstallpm2@latest-g
+
Then update the in-memory PM2:
pm2update
+
You can also create a alias to update PM2 with one command:
Run this command at terminal at the root of the project:
pipfreeze>requirements.txt
+
Comments
\ No newline at end of file
diff --git a/development/python/supervisor/index.html b/development/python/supervisor/index.html
new file mode 100644
index 000000000..2c51ac9b7
--- /dev/null
+++ b/development/python/supervisor/index.html
@@ -0,0 +1,259 @@
+ Supervisor Process Manager - 3os
Supervisor is a client/server system that allows its users to monitor and control a number of processes on UNIX-like operating systems. Official Supervisord Docs.
Example of Supervisord Web UI listening on localhost:9999
The default location of the supervisor configuration file is at /System/Volumes/Data/opt/homebrew/etc/supervisord.conf.
You can use a symbolic link to the configuration file to make it persistent. For example, you can move the configuration file to Dropbox folder and use a symbolic link to it.
Link the configuration file to the Dropbox folder:
Supervisor Configuration File Example With 2 Managed Processes:¶
[unix_http_server]
+file=/opt/homebrew/var/run/supervisor.sock# the path to the socket file
+
+
+[inet_http_server]# inet (TCP) server disabled by default
+port=127.0.0.1:9999# ip_address:port specifier, *:port for all iface
+# username=user # default is no username (open server)
+# password=123 default is no password (open server)
+
+[supervisord]
+logfile=/opt/homebrew/var/log/supervisord.log# main log file# default $CWD/supervisord.log
+logfile_maxbytes=50MB# max main logfile bytes b4 rotation# default 50MB
+logfile_backups=10# # of main logfile backups# 0 means none, default 10
+loglevel=info# log level# default info# others: debug,warn,trace
+pidfile=/opt/homebrew/var/run/supervisord.pid# supervisord pidfile# default supervisord.pid
+nodaemon=false# start in foreground if true# default false
+silent=false# no logs to stdout if true# default false
+minfds=1024# min. avail startup file descriptors# default 1024
+minprocs=200# min. avail process descriptors#default 200
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+
+[supervisorctl]
+serverurl=unix:///opt/homebrew/var/run/supervisor.sock
+
+[include]
+files = /opt/homebrew/etc/supervisor.d/*.ini
+
+[program:macos-bt-connect-based-on-ip]
+command=/Users/fire1ce/.pyenv/versions/macos-bt-connect-based-on-ip/bin/python /Users/fire1ce/projects/macos-bt-connect-based-on-ip/macos-bt-connect-based-on-ip.py
+directory=/Users/fire1ce/projects/macos-bt-connect-based-on-ip
+user=fire1ce
+autostart=true
+autorestart=true
+startsecs=2
+startretries=3
+stdout_logfile=/opt/homebrew/var/log/macos-bt-connect-based-on-ip.out.log
+stdout_logfile_maxbytes=1MB# max # logfile bytes b4 rotation (default 50MB)
+stdout_logfile_backups=5# # of stdout logfile backups (0 means none, default 10)
+stderr_logfile=/opt/homebrew/var/log/macos-bt-connect-based-on-ip.err.log
+stderr_logfile_maxbytes=1MB# max # logfile bytes b4 rotation (default 50MB)
+stderr_logfile_backups=5# # of stderr logfile backups (0 means none, default 10)
+
+
+[program:macos-screenlock-api]
+command=/Users/fire1ce/.pyenv/versions/macos-screenlock-api/bin/python /Users/fire1ce/projects/macos-screenlock-api/macos-screenlock-api.py
+directory=/Users/fire1ce/projects/macos-screenlock-api
+user=fire1ce
+autostart=true
+autorestart=true
+startsecs=2
+startretries=3
+stdout_logfile=/opt/homebrew/var/log/macos-screenlock-api.out.log
+stdout_logfile_maxbytes=1MB# max # logfile bytes b4 rotation (default 50MB)
+stdout_logfile_backups=5# # of stdout logfile backups (0 means none, default 10)
+stderr_logfile=/opt/homebrew/var/log/macos-screenlock-api.err.log
+stderr_logfile_maxbytes=1MB# max # logfile bytes b4 rotation (default 50MB)
+stderr_logfile_backups=5# # of stderr logfile backups (0 means none, default 10)
+
Comments
\ No newline at end of file
diff --git a/development/python/virtualenv/index.html b/development/python/virtualenv/index.html
new file mode 100644
index 000000000..d84e46c02
--- /dev/null
+++ b/development/python/virtualenv/index.html
@@ -0,0 +1,173 @@
+ Virtual Environment - 3os
venv is a tool to create isolated Python environments. Since Python 3.3, a subset of it has been integrated into the standard library under the venv module. The venv module provides support for creating lightweight “virtual environments†with their own site directories, optionally isolated from system site directories. Each virtual environment has its own Python binary (which matches the version of the binary that was used to create this environment) and can have its own independent set of installed Python packages in its site directories.
RubyGems is a package manager for the Ruby programming language that provides a standard format for distributing Ruby programs and libraries (in a self-contained format called a "gem"), a tool designed to easily manage the installation of gems, and a server for distributing them.
One of the most handy and important things about gems is that they [should] come with good documentation to allow you to start working with them fast. The simplest way to go with documentation is to run a local server where you will have access to all installed gems’ usage instructions.
Run the following to run a documentation server:
gemserver
+
it will start a server on port 8808.
# Server started at http://0.0.0.0:8808
+
\ No newline at end of file
diff --git a/devops/docker/common-docker-commands/index.html b/devops/docker/common-docker-commands/index.html
new file mode 100644
index 000000000..7b7ded918
--- /dev/null
+++ b/devops/docker/common-docker-commands/index.html
@@ -0,0 +1,187 @@
+ Common Docker Commands - 3os
This is a short summary of the most commonly used Docker commands. If you're new to Docker, or even experienced Docker, it can be helpful to have a quick reference to the most commonly used Docker commands for managing the Docker environment.
Show all Containers Including Running and Stopped¶
Purging All Unused or Dangling Images, Containers, Volumes, and Networks Docker provides a single command that will clean up any resources — images, containers, volumes, and networks — that are dangling (not associated with a container):
dockersystemprune
+
To additionally remove any stopped containers and all unused images (not just dangling images), add the -a flag to the command:
dockersystemprune-a
+
Monitor System Resource Utilization for Running Containers¶
To check the CPU, memory, and network I/O usage of a single container, you can use:
A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.
docker update updates a container's resource limits.
Normally if you run a container without options it will start and stop immediately, if you want keep it running you can use the command, docker run -td container_id this will use the option -t that will allocate a pseudo-TTY session and -d that will detach automatically the container (run container in background and print container ID).
If you want a transient container, docker run --rm will remove the container after it stops.
If you want to map a directory on the host to a docker container, docker run -v $HOSTDIR:$DOCKERDIR. Also see Volumes.
If you want to remove also the volumes associated with the container, the deletion of the container must include the -v switch like in docker rm -v.
There's also a logging driver available for individual containers in docker 1.10. To run docker with a custom log driver (i.e., to syslog), use docker run --log-driver=syslog.
Another useful option is docker run --name yourname docker_image because when you specify the --name inside the run command this will allow you to start and stop a container by calling it with the name the you specified when you created it.
If you want to detach from a running container, use Ctrl + p, Ctrl + q. If you want to integrate a container with a host process manager, start the daemon with -r=false then use docker start -a.
If you want to expose container ports through the host, see the exposing ports section.
Restart policies on crashed docker instances are covered here.
A Docker image is a file used to execute code in a Docker container. Docker images act as a set of instructions to build a Docker container, like a template. Docker images also act as the starting point when using Docker. An image is comparable to a snapshot in virtual machine (VM) environments.
While you can use the docker rmi command to remove specific images, there's a tool called docker-gc that will safely clean up images that are no longer used by any containers. As of docker 1.13, docker image prune is also available for removing unused images. See Prune.
Difference between loading a saved image and importing an exported container as an image¶
Loading an image using the load command creates a new image including its history. Importing a container as an image using the import command creates a new image excluding the history which results in a smaller image size compared to loading an image.
Thanks to @wsargent for creating this cheat sheet.
Comments
\ No newline at end of file
diff --git a/devops/docker/docker-install/index.html b/devops/docker/docker-install/index.html
new file mode 100644
index 000000000..847762689
--- /dev/null
+++ b/devops/docker/docker-install/index.html
@@ -0,0 +1,183 @@
+ Docker Installation - 3os
You can download and install Docker on multiple platforms. The following are the most common ways to install Docker on Linux, Mac, and Windows. You can also install Docker on other platforms if you have the necessary software.
Instructions to install Docker Desktop for Windows can be found here
Once installed, open powershell as administrator and run:
# Display the version of docker installed:
+dockerversion
+
+# Pull, create, and run 'hello-world':
+dockerrunhello-world
+
To continue with this cheat sheet, right click the Docker icon in the system tray, and go to settings. In order to mount volumes, the C:/ drive will need to be enabled in the settings to that information can be passed into the containers (later described in this article).
To switch between Windows containers and Linux containers, right click the icon in the system tray and click the button to switch container operating system Doing this will stop the current containers that are running, and make them unaccessible until the container OS is switched back.
Additionally, if you have WSL or WSL2 installed on your desktop, you might want to install the Linux Kernel for Windows. Instructions can be found here. This requires the Windows Subsystem for Linux feature. This will allow for containers to be accessed by WSL operating systems, as well as the efficiency gain from running WSL operating systems in docker. It is also preferred to use Windows terminal for this.
Follow Microsoft's instructions that can be found here
If using the latest edge version of 2019, be prepared to only work in powershell, as it is only a servercore image (no desktop interface). When starting this machine, it will login and go straight to a powershell window. It is reccomended to install text editors and other tools using Chocolatey.
After installing, these commands will work:
# Display the version of docker installed:
+dockerversion
+
+# Pull, create, and run 'hello-world':
+dockerrunhello-world
+
Windows Server 2016 is not able to run Linux images.
Windows Server Build 2004 is capable of running both linux and windows containers simultaneously through Hyper-V isolation. When running containers, use the --isolation=hyperv command, which will isolate the container using a seperate kernel instance.
It is very important that you always know the current version of Docker you are currently running on at any point in time. This is very helpful because you get to know what features are compatible with what you have running. This is also important because you know what containers to run from the docker store when you are trying to get template containers. That said let see how to know which version of docker we have running currently.
docker version shows which version of docker you have running.
Docker has a networks feature. Docker automatically creates 3 network interfaces when you install it (bridge, host none). A new container is launched into the bridge network by default. To enable communication between multiple containers, you can create a new network and launch containers in it. This enables containers to communicate to each other while being isolated from containers that are not connected to the network. Furthermore, it allows to map container names to their IP addresses. See working with networks for more details.
# create a new bridge network with your subnet and gateway for your ip block
+dockernetworkcreate--subnet203.0.113.0/24--gateway203.0.113.254iptastic
+
+# run a nginx container with a specific ip in that block
+$dockerrun--rm-it--netiptastic--ip203.0.113.2nginx
+
+# curl the ip from any other place (assuming this is a public ip block duh)
+$curl203.0.113.2
+
NOTE: If you want containers to ONLY communicate with each other through links, start the docker daemon with -icc=false to disable inter process communication.
If you have a container with the name CONTAINER (specified by docker run --name CONTAINER) and in the Dockerfile, it has an exposed port:
EXPOSE 1337
+
Then if we create another container called LINKED like so:
Thanks to @wsargent for creating this cheat sheet.
Comments
\ No newline at end of file
diff --git a/devops/docker/docker-security/index.html b/devops/docker/docker-security/index.html
new file mode 100644
index 000000000..66099baf9
--- /dev/null
+++ b/devops/docker/docker-security/index.html
@@ -0,0 +1,175 @@
+ Security & Best Practices - 3os
This is where security tips about Docker go. The Docker security page goes into more detail.
First things first: Docker runs as root. If you are in the docker group, you effectively have root access. If you expose the docker unix socket to a container, you are giving the container root access to the host.
Docker should not be your only defense. You should secure and harden it.
For an understanding of what containers leave exposed, you should read Understanding and Hardening Linux Containers by Aaron Grattafiori. This is a complete and comprehensive guide to the issues involved with containers, with a plethora of links and footnotes leading on to yet more useful content. The security tips following are useful if you've already hardened containers in the past, but are not a substitute for understanding.
For greatest security, you want to run Docker inside a virtual machine. This is straight from the Docker Security Team Lead -- slides / notes. Then, run with AppArmor / seccomp / SELinux / grsec etc to limit the container permissions. See the Docker 1.10 security features for more details.
Docker image ids are sensitive information and should not be exposed to the outside world. Treat them like passwords.
You should start off by using a kernel with unstable patches for grsecurity / pax compiled in, such as Alpine Linux. If you are using grsecurity in production, you should spring for commercial support for the stable patches, same as you would do for RedHat. It's $200 a month, which is nothing to your devops budget.
Since docker 1.11 you can easily limit the number of active processes running inside a container to prevent fork bombs. This requires a linux kernel >= 4.3 with CGROUP_PIDS=y to be in the kernel configuration.
docker run --pids-limit=64
+
Also available since docker 1.11 is the ability to prevent processes from gaining new privileges. This feature have been in the linux kernel since version 3.5. You can read more about it in this blog post.
Thanks to @wsargent for creating this cheat sheet.
Comments
\ No newline at end of file
diff --git a/devops/docker/watchtower/index.html b/devops/docker/watchtower/index.html
new file mode 100644
index 000000000..2d0a539e3
--- /dev/null
+++ b/devops/docker/watchtower/index.html
@@ -0,0 +1,194 @@
+ Watchtower - 3os
With watchtower you can update the running version of your containerized app simply by pushing a new image to the Docker Hub or your own image registry. Watchtower will pull down your new image, gracefully shut down your existing container and restart it with the same options that were used when it was deployed initially. Run the watchtower container with the following command:
Watchtower is an application that will monitor your running Docker containers and watch for changes to the images that those containers were originally started from. If watchtower detects that an image has changed, it will automatically restart the container using the new image.
With watchtower you can update the running version of your containerized app simply by pushing a new image to the Docker Hub or your own image registry. Watchtower will pull down your new image, gracefully shut down your existing container and restart it with the same options that were used when it was deployed initially.
Blow is and example of a docker-compose.yml file that uses watchtower to automatically update your running containers at 3:30 AM every day, sending notifications to Telegram with shoutrrr
\ No newline at end of file
diff --git a/devops/git/delete-commit-history/index.html b/devops/git/delete-commit-history/index.html
new file mode 100644
index 000000000..63540feff
--- /dev/null
+++ b/devops/git/delete-commit-history/index.html
@@ -0,0 +1,173 @@
+ Removing Sensitive Data - 3os
Authors: fire1ce | Created: 2022-02-04 | Last update: 2022-03-24
Removing Sensitive Data from a Repository History¶
As humans, we sometimes make mistakes. One of them is committing sensitive data in our Git repository. If you commit sensitive data, such as a password, SSH key, API tokens, license keys and so on into a Git repository, you can remove it from the history. You can follow the official GitHub instructions to remove sensitive data from the history. It's probably the best and the right way to do it.
Below is a fast way to remove sensitive data from a repository's history but with a few caveats like loosing all the history of the repository.
This will remove your old commit history completely, You can’t recover it again!
Create Orphan Branch – Create a new orphan branch in git repository. The newly created branch will not show in ‘git branch’ command.
gitcheckout--orphantemp_branch
+
Add Files to Branch – Now add all files to newly created branch and commit them using following commands.
gitadd-A
+gitcommit-am"first commit"
+
Delete master/main Branch. Adjust the command according your git repository
gitbranch-Dmain
+
Rename Current Branch – After deleting the master/main branch, let’s rename newly created branch name to master/main.
gitbranch-mmain
+
Push Changes – You have completed the changes to your local git repository. Finally, push your changes to the remote master/main (Github) repository forcefully.
gitpush-foriginmain
+
Comments
\ No newline at end of file
diff --git a/devops/git/git-cli-cheat-sheet/index.html b/devops/git/git-cli-cheat-sheet/index.html
new file mode 100644
index 000000000..ece99284a
--- /dev/null
+++ b/devops/git/git-cli-cheat-sheet/index.html
@@ -0,0 +1,204 @@
+ Git Cli Cheat Sheet - 3os
Git is a free and open source distributed version control system designed to quickly and efficiently manage everything from small to very large projects.
A new repository can either be created locally, or an existing repository can be cloned. When a repository was initialized locally, you have to push it to GitHub afterwards.
The git init command turns an existing directory into a new Git repository inside the folder you are running this command. After using the git init command, link the local repository to an empty GitHub repository using the following command:
gitinit
+
Specifies the remote repository for your local repository. The url points to a repository on GitHub.
gitremoteaddorigin[url]
+
Clone (download) a repository that already exists on GitHub, including all of the files, branches, and commits
Synchronize your local repository with the remote repository on GitHub.com
Downloads all history from the remote tracking branches
gitfetch
+
Combines remote tracking branches into current local branch
gitmerge
+
Uploads all local branch commits to GitHub
gitpush
+
Updates your current local working branch with all new commits from the corresponding remote branch on GitHub. git pull is a combination of git fetch and git merge
Branches are an important part of working with Git. Any commits you make will be made on the branch you’re currently “checked out†to. Use git status to see which branch that is.
Creates a new branch
gitbranch[branch-name]
+
Switches to the specified branch and updates the working directory
gitswitch-c[branch-name]
+
or you can use
gitcheckout-b[branch-name]
+
to both create and switch to the branch simultaneously.
Combines the specified branch’s history into the current branch. This is usually done in pull requests, but is an important Git operation.
Sometimes it may be a good idea to exclude files from being tracked with Git. This is typically done in a special file named .gitignore. You can find helpful templates for .gitignore files at github.com/github/gitignore. If there are certain files (like .vscode or .ide) that should be discluded from all projects, you can create a global .gitignore file to do so.
Untrack Files Already Added to git Repository Based on .gitignore¶
Commit all your changes. Before proceeding, make sure all your changes are committed, including your .gitignore file. Remove everything from the repository. To clear your repo, use:
It's probably easiest if you just start by cloning the gist, so that origin (a "remote" that refers to the original repository) is set up for you. Then you can just do git push origin master. For example:
However, if you don't want to redo your changes, you can do:
cdmygist
+gitremoteaddorigingit@gist.github.com:869085.git
+gitfetchorigin
+# Push your changes, also setting the upstream for master:
+gitpush-uoriginmaster
+
Strictly speaking, the git fetch origin and -u argument to git push origin master are optional, but they will helpfully associate the upstream branch master in origin with your local branch master.
Comments
\ No newline at end of file
diff --git a/devops/git/git-submodules/index.html b/devops/git/git-submodules/index.html
new file mode 100644
index 000000000..3283a3d67
--- /dev/null
+++ b/devops/git/git-submodules/index.html
@@ -0,0 +1,179 @@
+ Submodules Cheat Sheet - 3os
Git submodules allow you to keep a git repository as a subdirectory of another git repository. Git submodules are simply a reference to another repository at a particular snapshot in time. Git submodules enable a Git repository to incorporate and track version history of external code.
Delete the relevant section from the .gitmodules file.
Stage the .gitmodules changes git add .gitmodules
Delete the relevant section from .git/config.
Run git rm --cached path_to_submodule (no trailing slash).
Run rm -rf .git/modules/path_to_submodule (no trailing slash).
Commit git commit -m "Removed submodule"
Delete the now untracked submodule files rm -rf path_to_submodule
Comments
\ No newline at end of file
diff --git a/devops/git/github-cli/index.html b/devops/git/github-cli/index.html
new file mode 100644
index 000000000..949bee21b
--- /dev/null
+++ b/devops/git/github-cli/index.html
@@ -0,0 +1,170 @@
+ GitHub Cli - 3os
The GitHub Cli a is free and open source Cli tool to interact with GitHub repositories. It allows you to work solely from the command line, as well as navigate to remote (web) repositories very easily.
\ No newline at end of file
diff --git a/illustration.svg b/illustration.svg
new file mode 100644
index 000000000..192927fde
--- /dev/null
+++ b/illustration.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/index.html b/index.html
new file mode 100644
index 000000000..303919e68
--- /dev/null
+++ b/index.html
@@ -0,0 +1,402 @@
+ 3os.org - 3os
3os Project
Collocation of technical documentation and guides for devops, developers, pentesters, systems administrators and other IT professionals.
We provide an open-source knowledge base on various topics such as Devops, security, penetration testing, networking and much more.
Contribution
We are welcoming you to contribute your knowledge to this project. Submit git pull requests for new content, or help as fix and maintain the documentation.
Discussion
Feel free to open a discussion on any topic at comments section any time.
Build
This website is based on and built with MkDocs with Material for MkDocs theme and my own modifications.
\ No newline at end of file
diff --git a/information/affiliateDisclosure/index.html b/information/affiliateDisclosure/index.html
new file mode 100644
index 000000000..629fd9bff
--- /dev/null
+++ b/information/affiliateDisclosure/index.html
@@ -0,0 +1,143 @@
+ Affiliate Disclosure - 3os
This website can include advertising, supported content, paid inserts, affiliate links or other types of monetization.
We believe in the authenticity of relationships, views and identities. Compensation received can have an effect on the advertisement material, topics or posts made in this blog. Such content, advertising space or post will be specifically marked as paid or supported content. We will only endorse the products or services that we believe, based on our expertise, are worthy of this endorsement.
Any claim, statistic, quotation or other representation of a product or service should be verified with the manufacturer or supplier. This site does not contain any content that may constitute a conflict of interest.
This website does not provide any representations, warranties or assurances as to the accuracy,
currency or completeness of the content contained on this website or on any website linked to or from this website.
This website is a participant in the Amazon Services LLC Associates Program, aliexpress, an affiliate advertisement program designed to provide a way for websites to receive advertising fees through advertising and links to amazon.com, aliexpress.com.
\ No newline at end of file
diff --git a/information/cookies-policy/index.html b/information/cookies-policy/index.html
new file mode 100644
index 000000000..24b6b931a
--- /dev/null
+++ b/information/cookies-policy/index.html
@@ -0,0 +1,143 @@
+ Cookies Policy - 3os
We use cookies and other similar technologies to help provide our Services, to advertise to you and to analyse how you use our Services and whether advertisements are being viewed. We also allow third parties to use tracking technologies for similar purposes. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. The Help menu on the menu bar of most browsers also tells you how to prevent your browser from accepting new cookies, how to delete old cookies, how to have the browser notify you when you receive a new cookie and how to disable cookies altogether.
A cookie is a small text file which is sent to your computer or mobile device (referred to in this policy as a “deviceâ€) by the web server so that the website can remember some information about your browsing activity on the website. The cookie will collect information relating to your use of our sites, information about your device such as the device’s IP address and browser type, demographic data and, if you arrived at our site via a link from third party site, the URL of the linking page. If you are a registered user or subscriber it may also collect your name and email address, which may be transferred to data processors for registered user or subscriber verification purposes. Cookies record information about your online preferences and help us to tailor our websites to your interests. Information provided by cookies can help us to analyse your use of our sites and help us to provide you with a better user experience. We use tracking technologies for the following purposes:
These cookies are necessary for the website to function and cannot be switched off in our systems. These are used to let you login, to ensure site security and to provide shopping cart functionality. Without this type of technology, our Services won’t work properly or won’t be able to provide certain features and functionalities.
These cookies are used to analyze how visitors use a website, for instance which pages visitors visit most often, in order to provide a better user experience. We also use this technology to check if you have opened our emails, so we can see if they are being delivered correctly and are of interest.
These cookies are used to limit the number of times you see an advertisement, or to customize advertising across our Services and make it more relevant to you and to allow us to measure the effectiveness of advertising campaigns and track whether ads have been properly displayed so we can pay for this. You have the option to change your choices relating to cookies utilized to deliver behaviorally targeted advertising here for EU “Advertising cookies†and here for US Advertising cookies.
Cookies are used by social media services to enable you to share our content with your friends and networks. These cookies may track your browser across other sites and build a profile of your interests, which may impact the content and messages you see on other websites that you visit.
We use Google Analytics for aggregated, anonymized website traffic analysis. In order to track your session usage, Google drops a cookie (_ga) with a randomly-generated ClientID in your browser. This ID is anonymized and contains no identifiable information like email, phone number, name, etc. We also send Google your IP Address. We use GA to track aggregated website behavior, such as what pages you looked at, for how long, and so on. This information is important to us for improving the user experience and determining site effectiveness. If you would like to access what browsing information we have – or ask us to delete any GA data – please delete your _ga cookies, reach out to us via this form, and/or install the Google Analytics Opt-Out Browser Add-On.
If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. The Help menu on the menu bar of most browsers also tells you how to prevent your browser from accepting new cookies, how to delete old cookies, how to have the browser notify you when you receive a new cookie and how to disable cookies altogether. You can also visit https://www.aboutcookies.org for more information on how to manage and remove cookies across a number of different internet browsers. You also have the option to change your choices relating to cookies utilized to deliver behaviorally targeted advertising here for EU “Advertising cookies†and here for US Advertising cookies. If you would like to contact us about cookies please our online feedback form or our contact page.
\ No newline at end of file
diff --git a/information/endorsement/index.html b/information/endorsement/index.html
new file mode 100644
index 000000000..4a85c2636
--- /dev/null
+++ b/information/endorsement/index.html
@@ -0,0 +1,143 @@
+ Website Endorsements - 3os
Adventure is an app that provides you with a simple and intuitive interface to plan your trip. You can choose from a wide range of activities and destinations. We also provide you with a recommendation system that will help you choose the best activity for you. Visit adventure.app!
\ No newline at end of file
diff --git a/information/license/index.html b/information/license/index.html
new file mode 100644
index 000000000..d90d57002
--- /dev/null
+++ b/information/license/index.html
@@ -0,0 +1,143 @@
+ MIT License - 3os
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
\ No newline at end of file
diff --git a/information/portfolio/index.html b/information/portfolio/index.html
new file mode 100644
index 000000000..12ca37d28
--- /dev/null
+++ b/information/portfolio/index.html
@@ -0,0 +1,146 @@
+ Stas Yakobov's Portfolio - 3os
• I'm security researcher - specialized in hardware pentetrations tests
• I like experimenting with technologies, building small projects, automate everything.
• Passionate about security, linux, dockers, electronics(IoT), coding, open-source and knowledge
• I'm the owner and the maintener of a 3os.org knowledge-base website
How To Reach Me
\ No newline at end of file
diff --git a/information/privacy-policy/index.html b/information/privacy-policy/index.html
new file mode 100644
index 000000000..c37152b46
--- /dev/null
+++ b/information/privacy-policy/index.html
@@ -0,0 +1,143 @@
+ Privacy Policy - 3os
Your privacy is very important to us. Accordingly, we have developed this policy in order for you to understand how we collect, use, communicate and make use of personal information. The following outlines our privacy policy.
When accessing this website, will learn certain information about you during your visit.
Similar to other commercial websites, our website utilizes a standard technology called ‘cookies’ (see explanation below) and server logs to collect information about how our site is used. Information gathered through cookies and server logs may include the date and time of visits, the pages viewed, time spent at our site, and the websites visited just before and just after our own, as well as your IP address.
A cookie is a very small text document, which often includes an anonymous unique identifier. When you visit a website, that site’s computer asks your computer for permission to store this file in a part of your hard drive specifically designated for cookies. Each website can send its own cookie to your browser if your browser’s preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other sites.
IP addresses are used by your computer every time you are connected to the Internet. Your IP address is a number that is used by computers on the network to identify your computer. IP addresses are automatically collected by our web server as part of demographic and profile data known as “traffic data†so that data (such as the Web pages you request) can be sent to you.
If you choose to correspond with us through email, we may retain the content of your email messages together with your email address and our responses. We provide the same protections for these electronic communications that we employ in the maintenance of information received online, mail and telephone. This also applies when you register for our website, sign up through any of our forms using your email address or make a purchase on this site. For further information see the email policies below.
How Do We Use The Information That You Provide To Us?¶
Broadly speaking, we use personal information for purposes of administering our business activities, providing customer service and making available other items and services to our customers and prospective customers.
will not obtain personally-identifying information about you when you visit our site, unless you choose to provide such information to us, nor will such information be sold or otherwise transferred to unaffiliated third parties without the approval of the user at the time of collection.
We may disclose information when legally compelled to do so, in other words, when we, in good faith, believe that the law requires it or for the protection of our legal rights.
We are committed to keeping your e-mail address confidential. We do not sell, rent, or lease our subscription lists to third parties, and we will not provide your personal information to any third party individual, government agency, or company at any time unless strictly compelled to do so by law.
We will use your e-mail address solely to provide timely information about .
We will maintain the information you send via e-mail in accordance with applicable federal law.
In compliance with the CAN-SPAM Act, all e-mail sent from our organization will clearly state who the e-mail is from and provide clear information on how to contact the sender. In addition, all e-mail messages will also contain concise information on how to remove yourself from our mailing list so that you receive no further e-mail communication from us.
Our site provides users the opportunity to opt-out of receiving communications from us and our partners by reading the unsubscribe instructions located at the bottom of any e-mail they receive from us at anytime.
Users who no longer wish to receive our newsletter or promotional materials may opt-out of receiving these communications by clicking on the unsubscribe link in the e-mail.
This website may contain links to many other websites. cannot guarantee the accuracy of information found at any linked site. Links to or from external sites not owned or controlled by do not constitute an endorsement by or any of its employees of the sponsors of these sites or the products or information presented therein.
By accessing this web site, you are agreeing to be bound by these web site Terms and Conditions of Use, all applicable laws and regulations, and agree that you are responsible for compliance with any applicable local laws. If you do not agree with any of these terms, you are prohibited from using or accessing this site. The materials contained in this web site are protected by applicable copyright and trade mark law.
You agree to use our website only for lawful purposes, and in a way that does not infringe the rights of, restrict or inhibit anyone else’s use and enjoyment of the website. Prohibited behavior includes harassing or causing distress or inconvenience to any other user, transmitting obscene or offensive content or disrupting the normal flow of dialogue within our website.
You must not use our website to send unsolicited commercial communications. You must not use the content on our website for any marketing related purpose without our express written consent.
We may in the future need to restrict access to parts (or all) of our website and reserve full rights to do so. If, at any point, we provide you with a username and password for you to access restricted areas of our website, you must ensure that both your username and password are kept confidential.
In accordance to with the FTC guidelines concerning the use of endorsements and testimonials in advertising, please be aware of the following:
Testimonials that appear on this site are actually received via text, audio or video submission. They are individual experiences, reflecting real life experiences of those who have used our products and/or services in some way. They are individual results and results do vary. We do not claim that they are typical results. The testimonials are not necessarily representative of all of those who will use our products and/or services.
The testimonials displayed in any form on this site (text, audio, video or other) are reproduced verbatim, except for correction of grammatical or typing errors. Some may have been shortened. In other words, not the whole message received by the testimonial writer is displayed when it seems too lengthy or not the whole statement seems relevant for the general public.
We are not responsible for any of the opinions or comments posted on this website. This website is not a forum for testimonials, however provides testimonials as a means for customers to share their experiences with one another. To protect against abuse, all testimonials appear after they have been reviewed by the management . We not share the opinions, views or commentary of any testimonials on this website – the opinions are strictly the views of the testimonial source.
The testimonials are never intended to make claims that our products and/or services can be used to diagnose, treat, cure, mitigate or prevent any disease. Any such claims, implicit or explicit, in any shape or form, have not been clinically tested or evaluated.
How Do We Protect Your Information And Secure Information Transmissions?
Email is not recognized as a secure medium of communication. For this reason, we request that you do not send private information to us by email. However, doing so is allowed, but at your own risk. Some of the information you may enter on our website may be transmitted securely via a secure medium known as Secure Sockets Layer, or SSL. Credit Card information and other sensitive information is never transmitted via email.
We may use software programs to create summary statistics, which are used for such purposes as assessing the number of visitors to the different sections of our site, what information is of most and least interest, determining technical design specifications, and identifying system performance or problem areas.
For site security purposes and to ensure that this service remains available to all users, uses software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage.
We makes no representations, warranties, or assurances as to the accuracy, currency or completeness of the content contain on this website or any sites linked to this site.
All the materials on this site are provided ‘as is’ without any express or implied warranty of any kind, including warranties of merchantability, noninfringement of intellectual property or fitness for any particular purpose. In no event shall or its agents or associates be liable for any damages whatsoever (including, without limitation, damages for loss of profits, business interruption, loss of information, injury or death) arising out of the use of or inability to use the materials, even if has been advised of the possibility of such loss or damages.
We reserve the right to amend this privacy policy at any time with or without notice. However, please be assured that if the privacy policy changes in the future, we will not use the personal information you have submitted to us under this privacy policy in a manner that is materially inconsistent with this privacy policy, without your prior consent.
We are committed to conducting our business in accordance with these principles in order to ensure that the confidentiality of personal information is protected and maintained.
\ No newline at end of file
diff --git a/infrastructure/openwrt/disable-ipv6/index.html b/infrastructure/openwrt/disable-ipv6/index.html
new file mode 100644
index 000000000..84bb3df89
--- /dev/null
+++ b/infrastructure/openwrt/disable-ipv6/index.html
@@ -0,0 +1,184 @@
+ Disable IPV6 - 3os
The following steps will disable IPV6 on your OpenWrt router . All the steps are performed via the command line. You can performe them in the console of the router but the preferred way is via SSH.
Follow the following steps to disable IPV6 on your OpenWrt router:
\ No newline at end of file
diff --git a/infrastructure/openwrt/install-oh-my-zsh/index.html b/infrastructure/openwrt/install-oh-my-zsh/index.html
new file mode 100644
index 000000000..c7efcafe2
--- /dev/null
+++ b/infrastructure/openwrt/install-oh-my-zsh/index.html
@@ -0,0 +1,176 @@
+ oh-my-zsh Install - 3os
You can install oh-my-zsh on OpenWrt, make sure to use the Prevent User Lockout option since many users been locked out of their sessions since the zsh shell was not installed or loaded properly.
Z-shell (Zsh) configuration. is a Unix shell that can be used as an interactive login shell and as a shell scripting command interpreter. Zsh is an enhanced Bourne shell with many enhancements, including some Bash, ksh and tcsh features.
To prevent lock-outs after accidentially removing zsh (thanks to @fox34) (as explained in the wiki you can add a check for zsh and fallback to ash in /etc/rc.local:
# Revert root shell to ash if zsh is not available
+ifgrep-q'^root:.*:/usr/bin/zsh$'/etc/passwd&&[!-x/usr/bin/zsh];then
+# zsh is root shell, but zsh was not found or not executable: revert to default ash
+[-x/usr/bin/logger]&&/usr/bin/logger-s"Reverting root shell to ash, as zsh was not found on the system"
+sed-i--'s:/usr/bin/zsh:/bin/ash:g'/etc/passwd
+fi
+
Comments
\ No newline at end of file
diff --git a/infrastructure/openwrt/snippets/index.html b/infrastructure/openwrt/snippets/index.html
new file mode 100644
index 000000000..6c5a1eca4
--- /dev/null
+++ b/infrastructure/openwrt/snippets/index.html
@@ -0,0 +1,171 @@
+ Snippets - 3os
Cloud images are operating system templates and every instance starts out as an identical clone of every other instance. It is the user data that gives every cloud instance its personality and cloud-init is the tool that applies user data to your instances automatically.
The default storage Proxmox creates for vm is storage1. In my case I use different storage for vm's and templates named storage1. The following commands will utilize the storage1 storage. Change the storage name for your Proxmox server.
Import the downloaded Ubuntu Cloud Image we downloaded before disk to the storage.
Make the cloud init drive bootable and restrict BIOS to boot from disk only
qmset9000--bootc--bootdiskscsi0
+
Add serial console
qmset9000--serial0socket--vgaserial0
+
WARNING: DO NOT START THE VM
Powering on the vm will create a unique ID that will presist with the template. We want to avoid this.
Now had to the Proxmox web interface. Select the new vm and Cloud-Init tab.
Configure the default setting for the cloud image template. This will allow the VM to start with predefined user, password, ssh keys and network configuration.
At this point we configured the VM and we can create a cloud image template from it.
Create a new cloud image template.
qmtemplate9000
+
Now you can use the Cloud Image Template to create new vm instances. You can do it from the Proxmox web interface or from the command line.
Tip
Use Full Clone when creating a new VM from a cloud image template. Linked Clone will privent you from deleting the cloud image template.
Shutdown the VM. Then power it back on. The machine-id will be regenerated.
If the machine-id is not regenerated you can try to fix it by running the following command.
sudosystemd-machine-id-setup
+
Comments
\ No newline at end of file
diff --git a/infrastructure/proxmox/gpu-passthrough/gpu-passthrough-to-vm/index.html b/infrastructure/proxmox/gpu-passthrough/gpu-passthrough-to-vm/index.html
new file mode 100644
index 000000000..8d01caf29
--- /dev/null
+++ b/infrastructure/proxmox/gpu-passthrough/gpu-passthrough-to-vm/index.html
@@ -0,0 +1,227 @@
+ GPU Passthrough to VM - 3os
GPU passthrough is a technology that allows the Linux kernel to present the internal PCI GPU directly to the virtual machine. The device behaves as if it were powered directly by the virtual machine, and the virtual machine detects the PCI device as if it were physically connected. We will cover how to enable GPU passthrough to a virtual machine in Proxmox VE.
The following examples uses SSH connection to the Proxmox server. The editor is nano but feel free to use any other editor. We will be editing the grub configuration file.
Find the PCI address of the GPU Device. The following command will show the PCI address of the GPU devices in Proxmox server:
lspci-nnv|grepVGA
+
Find the GPU you want to passthrough in result ts should be similar to this:
What we are looking is the PCI address of the GPU device. In this case it's 01:00.0. 01:00.0 is only a part of of a group of PCI devices on the GPU. We can list all the devices in the group 01:00 by using the following command:
lspci-s01:00
+
The usual output will include VGA Device and Audio Device. In my case, we have a USB Controller and a Serial bus controller:
If you have multiple VGA, look for the one that has the Intel in the name. Here, the PCI address of the GPU is 01:00.0.
For best performance the VM should be configured the Machine type to q35. This will allow the VM to utilize PCI-Express passthrough.
Open the web gui and navigate to the Hardware tab of the VM you want to add a vGPU. Click Add above the device list and then choose PCI Device
Open the Device dropdown and select the GPU, which you can find using it’s PCI address. This list uses a different format for the PCI addresses id, 01:00.0 is listed as 0000:01:00.0.
Select All Functions, ROM-Bar, Primary GPU, PCI-Express and then click Add.
The Windows Virtual Machine Proxmox Setting should look like this:
Power on the Windows Virtual Machine.
Connect to the VM via Remote Desktop (RDP) or any other remote access protocol you prefer. Install the latest version of GPU Driver for your GPU.
If all when well you should see the following output in Device Manager and GPU-Z:
That's it!
Linux Virtual Machine GPU Passthrough Configuration¶
We will be using Ubuntu Server 20.04 LTS. for this guide.
From Proxmox Terminal find the PCI address of the GPU.
If you have multiple VGA, look for the one that has the Intel in the name. Here, the PCI address of the GPU is 01:00.0.
For best performance the VM should be configured the Machine type to q35. This will allow the VM to utilize PCI-Express passthrough.
Open the Device dropdown and select the GPU, which you can find using it’s PCI address. This list uses a different format for the PCI addresses id, 01:00.0 is listed as 0000:01:00.0.
Select All Functions, ROM-Bar, PCI-Epress and then click Add.
The Ubuntu Virtual Machine Proxmox Setting should look like this:
Boot the VM. To test the GPU passthrough was successful, you can use the following command in the VM:
Now we need to install the GPU Driver. I'll be covering the installation of Nvidia Drivers in the next example.
Search for the latest Nvidia Driver for your GPU.
sudoaptsearchnvidia-driver
+
In the next step we will install the Nvidia Driver v535.
Note
--no-install-recommends is important for Headless Server. nvidia-driver-535 will install xorg (GUI) --no-install-recommends flag will prevent the GUI from being installed.
\ No newline at end of file
diff --git a/infrastructure/proxmox/gpu-passthrough/igpu-passthrough-to-vm/index.html b/infrastructure/proxmox/gpu-passthrough/igpu-passthrough-to-vm/index.html
new file mode 100644
index 000000000..727bf4059
--- /dev/null
+++ b/infrastructure/proxmox/gpu-passthrough/igpu-passthrough-to-vm/index.html
@@ -0,0 +1,202 @@
+ iGPU Passthrough to VM - 3os
Intel Integrated Graphics (iGPU) is a GPU that is integrated into the CPU. The GPU is a part of the CPU and is used to render graphics. Proxmox may be configured to use iGPU passthrough to VM to allow the VM to use the iGPU for hardware acceleration for example using video encoding/decoding and Transcoding for series like Plex and Emby. This guide will show you how to configure Proxmox to use iGPU passthrough to VM.
Your mileage may vary depending on your hardware. The following guide was tested with Intel Gen8 CPU.
There are two ways to use iGPU passthrough to VM. The first way is to use the Full iGPU Passthrough to VM. The second way is to use the iGPU GVT-g technology which allows as to split the iGPU into two parts. We will be covering the Full iGPU Passthrough. If you want to use the split iGPU GVT-g Passthrough you can find the guide here.
The following examples uses SSH connection to the Proxmox server. The editor is nano but feel free to use any other editor. We will be editing the grub configuration file.
Edit the grub configuration file.
nano/etc/default/grub
+
Find the line that starts with GRUB_CMDLINE_LINUX_DEFAULT by default they should look like this:
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
+
We want to allow passthrough and Blacklists known graphics drivers to prevent proxmox from utilizing the iGPU.
Warning
You will loose the ability to use the onboard graphics card to access the Proxmox's console since Proxmox won't be able to use the Intel's gpu
Your GRUB_CMDLINE_LINUX_DEFAULT should look like this:
This will blacklist most of the graphics drivers from proxmox. If you have a specific driver you need to use for Proxmox Host you need to remove it from modprobe.blacklist
Save and exit the editor.
Update the grub configuration to apply the changes the next time the system boots.
update-grub
+
Next we need to add vfio modules to allow PCI passthrough.
If you have multiple VGA, look for the one that has the Intel in the name. Here, the PCI address of the iGPU is 00:02.0.
For best performance the VM should be configured the Machine type to q35. This will allow the VM to utilize PCI-Express passthrough.
Open the web gui and navigate to the Hardware tab of the VM you want to add a vGPU. Click Add above the device list and then choose PCI Device
Open the Device dropdown and select the iGPU, which you can find using it’s PCI address. This list uses a different format for the PCI addresses id, 00:02.0 is listed as 0000:00:02.0.
Select All Functions, ROM-Bar, PCI-Express and then click Add.
Tip
I've found that the most consistent way to utilize the GPU acceleration is to disable Proxmox's Virtual Graphics card of the vm. The drawback of disabling the Virtual Graphics card is that it will not be able to access the vm via proxmox's vnc console. The workaround is to enable Remote Desktop (RDP) on the VM before disabling the Virtual Graphics card and accessing the VM via RDP or use any other remove desktop client. If you loose the ability to access the VM via RDP you can temporarily remove the GPU PCI Device and re-enable the virtual graphics card
The Windows Virtual Machine Proxmox Setting should look like this:
If you have multiple VGA, look for the one that has the Intel in the name. Here, the PCI address of the iGPU is 00:02.0.
Open the Device dropdown and select the iGPU, which you can find using it’s PCI address. This list uses a different format for the PCI addresses id, 00:02.0 is listed as 0000:00:02.0.
Select All Functions, ROM-Bar and then click Add.
The Ubuntu Virtual Machine Proxmox Setting should look like this:
Boot the VM. To test the iGPU passthrough was successful, you can use the following command:
Intel Integrated Graphics (iGPU) is a GPU that is integrated into the CPU. The GPU is a part of the CPU and is used to render graphics. Proxmox may be configured to use iGPU split passthrough to VM to allow the VM to use the iGPU for hardware acceleration for example using video encoding/decoding and Transcoding for series like Plex and Emby. This guide will show you how to configure Proxmox to use iGPU passthrough to VM.
Your mileage may vary depending on your hardware. The following guide was tested with Intel Gen8 CPU.
Supported CPUs
iGPU GVT-g Split Passthrough is supported only on Intel's 5th generation to 10th generation CPUs!
Known supported CPU families:
Broadwell
Skylake
Kaby Lake
Coffee Lake
Comet Lake
There are two ways to use iGPU passthrough to VM. The first way is to use the Full iGPU Passthrough to VM. The second way is to use the iGPU GVT-g technology which allows as to split the iGPU into two parts. We will be covering the Split iGPU Passthrough. If you want to use the split Full iGPU Passthrough you can find the guide here.
Proxmox Configuration for GVT-g Split Passthrough¶
The following examples uses SSH connection to the Proxmox server. The editor is nano but feel free to use any other editor. We will be editing the grub configuration file.
Edit the grub configuration file.
nano/etc/default/grub
+
Find the line that starts with GRUB_CMDLINE_LINUX_DEFAULT by default they should look like this:
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
+
We want to allow passthrough and Blacklists known graphics drivers to prevent proxmox from utilizing the iGPU.
Your GRUB_CMDLINE_LINUX_DEFAULT should look like this:
This will blacklist most of the graphics drivers from proxmox. If you have a specific driver you need to use for Proxmox Host you need to remove it from modprobe.blacklist
Save and exit the editor.
Update the grub configuration to apply the changes the next time the system boots.
update-grub
+
Next we need to add vfio modules to allow PCI passthrough.
Edit the /etc/modules file.
nano/etc/modules
+
Add the following line to the end of the file:
# Modules required for PCI passthrough
+vfio
+vfio_iommu_type1
+vfio_pci
+vfio_virqfd
+
+# Modules required for Intel GVT-g Split
+kvmgt
+
Save and exit the editor.
Update configuration changes made in your /etc filesystem
update-initramfs-u-kall
+
Reboot Proxmox to apply the changes
Verify that IOMMU is enabled
dmesg|grep-eDMAR-eIOMMU
+
There should be a line that looks like DMAR: IOMMU enabled. If there is no output, something is wrong.
If you have multiple VGA, look for the one that has the Intel in the name.
Here, the PCI address of the iGPU is 00:02.0.
For best performance the VM should be configured the Machine type to q35. This will allow the VM to utilize PCI-Express passthrough.
Open the web gui and navigate to the Hardware tab of the VM you want to add a vGPU. Click Add above the device list and then choose PCI Device
Open the Device dropdown and select the iGPU, which you can find using it’s PCI address. This list uses a different format for the PCI addresses id, 00:02.0 is listed as 0000:00:02.0.
Click Mdev Type, You should be presented with a list of the available split passthrough devices choose the better performing one for the vm.
Select ROM-Bar, PCI-Express and then click Add.
The Windows Virtual Machine Proxmox Setting should look like this:
If you have multiple VGA, look for the one that has the Intel in the name.
Here, the PCI address of the iGPU is 00:02.0.
VM should be configured the Machine type to i440fx. Open the web gui and navigate to the Hardware tab of the VM you want to add a vGPU to. Click Add above the device list and then choose PCI Device
Open the Device dropdown and select the iGPU, which you can find using it’s PCI address. This list uses a different format for the PCI addresses id, 00:02.0 is listed as 0000:00:02.0.
Click Mdev Type, You should be presented with a list of the available split passthrough devices choose the better performing one for the vm.
Select ROM-Bar, and then click Add.
The Ubuntu Virtual Machine Proxmox Setting should look like this:
Boot the VM. To test the iGPU passthrough was successful, you can use the following command:
This document serves as a guide to install NVIDIA vGPU host drivers on the latest Proxmox VE version, at time of writing this its pve 8.0.
You can follow this guide if you have a vGPU supported card from this list, or if you are using a consumer GPU from the GeForce series or a non-vGPU qualified Quadro GPU. There are several sections with a title similar to "Have a vGPU supported GPU? Read here" in this document, make sure to read those very carefully as this is where the instructions differ for a vGPU qualified card and a consumer card.
The following consumer/not-vGPU-qualified NVIDIA GPUs can be used with vGPU: - Most GPUs from the Maxwell 2.0 generation (GTX 9xx, Quadro Mxxxx, Tesla Mxx) EXCEPT the GTX 970 - All GPUs from the Pascal generation (GTX 10xx, Quadro Pxxxx, Tesla Pxx) - All GPUs from the Turing generation (GTX 16xx, RTX 20xx, Txxxx)
If you have GPUs from the Ampere and Ada Lovelace generation, you are out of luck, unless you have a vGPU qualified card from this list like the A5000 or RTX 6000 Ada. If you have one of those cards, please consult the NVIDIA documentation for help with setting it up.
!!! THIS MEANS THAT YOUR RTX 30XX or 40XX WILL NOT WORK !!!
This guide and all my tests were done on a RTX 2080 Ti which is based on the Turing architechture.
This tutorial assumes you are using a clean install of Proxmox VE 8.0.
If you are using Proxmox VE 8.0, you MUST use 16.x drivers. Older versions only work with pve 7
If you tried GPU-passthrough before, you absolutely MUST revert all of the steps you did to set that up.
If you only have one GPU in your system with no iGPU, your local monitor will NOT give you any output anymore after the system boots up. Use SSH or a serial connection if you want terminal access to your machine.
Most of the steps can be applied to other linux distributions, however I'm only covering Proxmox VE here.
Are you upgrading from a previous version of this guide?¶
If you are upgrading from a previous version of this guide, you should uninstall the old driver by running nvidia-uninstall first.
Then you also have to make sure that you are using the latest version of vgpu_unlock-rs, otherwise it won't work with the latest driver.
Either delete the folder /opt/vgpu_unlock-rs or enter the folder and run git pull and then recompile the library again using cargo build --release
If you don't have a card like the Tesla P4, or any other gpu from this list, please continue reading at Enabling IOMMU
Disable the unlock part as doing this on a gpu that already supports vgpu, could break things as it introduces unnecessary complexity and more points of possible failure:
Note: Usually this isn't required for vGPU to work, but it doesn't hurt to enable it. You can skip this section, but if you run into problems later on, make sure to enable IOMMU.¶
To enable IOMMU you have to enable it in your BIOS/UEFI first. Due to it being vendor specific, I am unable to provide instructions for that, but usually for Intel systems the option you are looking for is called something like "Vt-d", AMD systems tend to call it "IOMMU".
After enabling it in your BIOS/UEFI, you also have to enable it in your kernel. Depending on how your system is booting, there are two ways to do that.
If you installed your system with ZFS-on-root and in UEFI mode, then you are using systemd-boot, everything else is GRUB. GRUB is way more common so if you are unsure, you are probably using that.
Depending on which system you are using to boot, you have to chose from the following two options:
GRUB Open the file `/etc/default/grub` in your favorite editor
nano/etc/default/grub
+
The kernel parameters have to be appended to the variable `GRUB_CMDLINE_LINUX_DEFAULT`. On a clean installation that line should look like this
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
+
If you are using an Intel system, append this after `quiet`:
intel_iommu=on iommu=pt
+
On AMD systems, append this after `quiet`:
amd_iommu=on iommu=pt
+
The result should look like this (for intel systems):
Proxmox comes with the open source nouveau driver for nvidia gpus, however we have to use our patched nvidia driver to enable vGPU. The next line will prevent the nouveau driver from loading
Note: See section "Enabling IOMMU", this is optional¶
Wait for your server to restart, then type this into a root shell
dmesg|grep-eDMAR-eIOMMU
+
On my Intel system the output looks like this
[ 0.007235] ACPI: DMAR 0x000000009CC98B68 0000B8 (v01 INTEL BDW 00000001 INTL 00000001)
+[ 0.007255] ACPI: Reserving DMAR table memory at [mem 0x9cc98b68-0x9cc98c1f]
+[ 0.020766] DMAR: IOMMU enabled
+[ 0.062294] DMAR: Host address width 39
+[ 0.062296] DMAR: DRHD base: 0x000000fed90000 flags: 0x0
+[ 0.062300] DMAR: dmar0: reg_base_addr fed90000 ver 1:0 cap c0000020660462 ecap f0101a
+[ 0.062302] DMAR: DRHD base: 0x000000fed91000 flags: 0x1
+[ 0.062305] DMAR: dmar1: reg_base_addr fed91000 ver 1:0 cap d2008c20660462 ecap f010da
+[ 0.062307] DMAR: RMRR base: 0x0000009cc18000 end: 0x0000009cc25fff
+[ 0.062309] DMAR: RMRR base: 0x0000009f000000 end: 0x000000af1fffff
+[ 0.062312] DMAR-IR: IOAPIC id 8 under DRHD base 0xfed91000 IOMMU 1
+[ 0.062314] DMAR-IR: HPET id 0 under DRHD base 0xfed91000
+[ 0.062315] DMAR-IR: x2apic is disabled because BIOS sets x2apic opt out bit.
+[ 0.062316] DMAR-IR: Use 'intremap=no_x2apic_optout' to override the BIOS setting.
+[ 0.062797] DMAR-IR: Enabled IRQ remapping in xapic mode
+[ 0.302431] DMAR: No ATSR found
+[ 0.302432] DMAR: No SATC found
+[ 0.302433] DMAR: IOMMU feature pgsel_inv inconsistent
+[ 0.302435] DMAR: IOMMU feature sc_support inconsistent
+[ 0.302436] DMAR: IOMMU feature pass_through inconsistent
+[ 0.302437] DMAR: dmar0: Using Queued invalidation
+[ 0.302443] DMAR: dmar1: Using Queued invalidation
+[ 0.333474] DMAR: Intel(R) Virtualization Technology for Directed I/O
+[ 3.990175] i915 0000:00:02.0: [drm] DMAR active, disabling use of stolen memory
+
Depending on your mainboard and cpu, the output will be different, in my output the important line is the third one: DMAR: IOMMU enabled. If you see something like that, IOMMU is enabled.
This repo contains patches that allow you to use vGPU on not-qualified-vGPU cards (consumer GPUs). Those patches are binary patches, which means that each patch works ONLY for a specific driver version.
I've created patches for the following driver versions: - 16.2 (535.129.03) - Use this if you are on pve 8.0 (kernel 6.2, 6.5 should work too) - 16.1 (535.104.06) - 16.0 (535.54.06) - 15.1 (525.85.07) - 15.0 (525.60.12) - 14.4 (510.108.03) - 14.3 (510.108.03) - 14.2 (510.85.03)
You can choose which of those you want to use, but generally its recommended to use the latest, most up-to-date version (16.2 in this case).
If you have a vGPU qualified GPU, you can use other versions too, because you don't need to patch the driver. However, you still have to make sure they are compatible with your proxmox version and kernel. Also I would not recommend using any older versions unless you have a very specific requirement.
NB: When applying for an eval license, do NOT use your personal email or other email at a free email provider like gmail.com. You will probably have to go through manual review if you use such emails. I have very good experience using a custom domain for my email address, that way the automatic verification usually lets me in after about five minutes.
I've created a small video tutorial to find the right driver version on the NVIDIA Enterprise Portal. In the video I'm downloading the 15.0 driver, if you want a different one just replace 15.0 with the version you want:
After downloading, extract the zip file and then copy the file called NVIDIA-Linux-x86_64-DRIVERVERSION-vgpu-kvm.run (where DRIVERVERSION is a string like 535.129.03) from the Host_Drivers folder to your Proxmox host into the /root/ folder using tools like FileZilla, WinSCP, scp or rsync.
â ï¸ From here on, I will be using the 16.2 driver, but the steps are the same for other driver versions¶
For example when I run a command like chmod +x NVIDIA-Linux-x86_64-535.129.03-vgpu-kvm.run, you should replace 535.129.03 with the driver version you are using (if you are using a different one). You can get the list of version numbers here.
Every step where you potentially have to replace the version name will have this warning emoji next to it: â ï¸
The installer will ask you Would you like to register the kernel module sources with DKMS? This will allow DKMS to automatically build a new module, if you install a different kernel later., answer with Yes.
Depending on your hardware, the installation could take a minute or two.
If everything went right, you will be presented with this message.
Installation of the NVIDIA Accelerated Graphics Driver for Linux-x86_64 (version: 535.129.03) is now complete.
+
If this command doesn't return any output, vGPU unlock isn't working.
Another command you can try to see if your card is recognized as being vgpu enabled is this one:
nvidia-smivgpu
+
If everything worked right with the unlock, the output should be similar to this:
Tue Jan 24 20:21:43 2023
++-----------------------------------------------------------------------------+
+| NVIDIA-SMI 525.85.07 Driver Version: 525.85.07 |
+|---------------------------------+------------------------------+------------+
+| GPU Name | Bus-Id | GPU-Util |
+| vGPU ID Name | VM ID VM Name | vGPU-Util |
+|=================================+==============================+============|
+| 0 NVIDIA GeForce RTX 208... | 00000000:01:00.0 | 0% |
++---------------------------------+------------------------------+------------+
+
However, if you get this output, then something went wrong
No supported devices in vGPU mode
+
If any of those commands give the wrong output, you cannot continue. Please make sure to read everything here very carefully and when in doubt, create an issue or join the discord server and ask for help there.
Further up we have created the file /etc/vgpu_unlock/profile_override.toml and I didn't explain what it was for yet. Using that file you can override lots of parameters for your vGPU instances: For example you can change the maximum resolution, enable/disable the frame rate limiter, enable/disable support for CUDA or change the vram size of your virtual gpus.
If we take a look at the output of mdevctl types we see lots of different types that we can choose from. However, if we for example chose GRID RTX6000-4Q which gives us 4GB of vram in a VM, we are locked to that type for all of our VMs. Meaning we can only have 4GB VMs, its not possible to mix different types to have one 4GB VM, and two 2GB VMs.
Q profiles can give you horrible performance in OpenGL applications/games. To fix that, switch to an equivalent A or B profile (for example GRID RTX6000-4B)
C profiles (for example GRID RTX6000-4C) only work on Linux, don't try using those on Windows, it will not work - at all.
A profiles (for example GRID RTX6000-4A) will NOT work on Linux, they only work on Windows.
All of that changes with the override config file. Technically we are still locked to only using one profile, but now its possible to change the vram of the profile on a VM basis so even though we have three GRID RTX6000-4Q instances, one VM can have 4GB or vram but we can override the vram size for the other two VMs to only 2GB.
Lets take a look at this example config override file (its in TOML format)
[profile.nvidia-259]
+num_displays=1# Max number of virtual displays. Usually 1 if you want a simple remote gaming VM
+display_width=1920# Maximum display width in the VM
+display_height=1080# Maximum display height in the VM
+max_pixels=2073600# This is the product of display_width and display_height so 1920 * 1080 = 2073600
+cuda_enabled=1# Enables CUDA support. Either 1 or 0 for enabled/disabled
+frl_enabled=1# This controls the frame rate limiter, if you enable it your fps in the VM get locked to 60fps. Either 1 or 0 for enabled/disabled
+framebuffer=0x74000000
+framebuffer_reservation=0xC000000# In combination with the framebuffer size
+# above, these two lines will give you a VM
+# with 2GB of VRAM (framebuffer + framebuffer_reservation = VRAM size in bytes).
+# See below for some other sizes
+
+[vm.100]
+frl_enabled=0
+# You can override all the options from above here too. If you want to add more overrides for a new VM, just copy this block and change the VM ID
+
There are two blocks here, the first being [profile.nvidia-259] and the second [vm.100]. The first one applies the overrides to all VM instances of the nvidia-259 type (thats GRID RTX6000-4Q) and the second one applies its overrides only to one specific VM, that one with the proxmox VM ID 100.
The proxmox VM ID is the same number that you see in the proxmox webinterface, next to the VM name.
You don't have to specify all parameters, only the ones you need/want. There are some more that I didn't mention here, you can find them by going through the source code of the vgpu_unlock-rs repo.
For a simple 1080p remote gaming VM I recommend going with something like this
[profile.nvidia-259]# choose the profile you want here
+num_displays=1
+display_width=1920
+display_height=1080
+max_pixels=2073600
+
Go to the proxmox webinterface, go to your VM, then to Hardware, then to Add and select PCI Device. You should be able to choose from a list of pci devices. Choose your GPU there, its entry should say Yes in the Mediated Devices column.
Now you should be able to also select the MDev Type. Choose whatever profile you want, if you don't remember which one you want, you can see the list of all available types with mdevctl types.
Finish by clicking Add, start the VM and install the required drivers. After installing the drivers you can shut the VM down and remove the virtual display adapter by selecting Display in the Hardware section and selecting none (none). ONLY do that if you have some other way to access the Virtual Machine like Parsec or Remote Desktop because the Proxmox Console won't work anymore.
Usually a license is required to use vGPU, but luckily the community found several ways around that. Spoofing the vGPU instance to a Quadro GPU used to be very popular, but I don't recommend it anymore. I've also removed the related sections from this guide. If you still want it for whatever reason, you can go back in the commit history to find the instructions on how to use that.
The recommended way to get around the license is to set up your own license server. Follow the instructions here (or here if the other link is down).
Most problems can be solved by reading the instructions very carefully. For some very common problems, read here:
The nvidia driver won't install/load
If you were using gpu passthrough before, revert ALL of the steps you did or start with a fresh proxmox installation. If you run lspci -knnd 10de: and see vfio-pci under Kernel driver in use: then you have to fix that
Make sure that you are using a supported kernel version (check uname -a)
My OpenGL performance is absolute garbage, what can I do?
If something isn't working, please create an issue or join the Discord server and ask for help in the #proxmox-support channel so that the community can help you.
DO NOT SEND ME A DM, I'M NOT YOUR PERSONAL SUPPORT¶
When asking for help, please describe your problem in detail instead of just saying "vgpu doesn't work". Usually a rough overview over your system (gpu, mainboard, proxmox version, kernel version, ...) and full output of dmesg and/or journalctl --no-pager -b 0 -u nvidia-vgpu-mgr.service (← this only after starting the VM that causes trouble) is helpful. Please also provide the output of uname -a and cat /proc/cmdline
Pull requests are welcome (factual errors, amendments, grammar/spelling mistakes etc).
Comments
\ No newline at end of file
diff --git a/infrastructure/proxmox/lets-encrypt-cloudflare/index.html b/infrastructure/proxmox/lets-encrypt-cloudflare/index.html
new file mode 100644
index 000000000..fb360d541
--- /dev/null
+++ b/infrastructure/proxmox/lets-encrypt-cloudflare/index.html
@@ -0,0 +1,167 @@
+ Let's Encrypt with Cloudflare - 3os
Authors: fire1ce | Created: 2022-04-22 | Last update: 2022-07-18
Proxmox Valid SSL With Let's Encrypt and Cloudflare DNS¶
This is a guide to how to setup a valid SSL certificate with Let's Encrypt and Cloudflare DNS for Proxmox VE. Let's Encrypt will allow you to obtain a valid SSL certificate for your Proxmox VE Server for free for 90 days. In the following steps, we will setup a valid SSL certificate for your Proxmox VE Server using Let's Encrypt and Cloudflare DNS Challenge. The process of renewing the certificate is done automatically by Proxmox VE Server and you do not need to do anything manually to renew the certificate.
The process will be done fully in Proxmox web interface. Login to the Proxmox web interface select Datacenter, find ACME and click on it.
At Account section, click Add. Fill the Account Name and E-Mail. Accept the Terms and Conditions (TOC). Click Register. This will register an account for Let's Encrypt service in order to obtain a certificate.
The output should be something like this:
At Challenge Plugin ection, click Add. Fill the Plugin ID (name), at DNS API choose Cloudflare Managed DNS. CF_Token= and CF_Zone_ID= are the API Tokens and Zone ID for Cloudflare DNS - leave the rest empty.
The final screen should look like this:
Select the Pve Server in my case its name proxmox, under System select Certificates.
At ACME section, click Edit and select the Account we created earlier.
Click Add, select Challenge TypeDNS and Challenge Plugin the plugin we created earlier. Domain is the domain name we want to use for the certificate. Click Create.
Now its time to issue the certificate. Click Order Certificate Now.
At this point Proxmox will try to issue the certificate from Let's Encrypt and validate it with Cloudflare DNS Challenge.
If all goes well, you will see the following:
Now the certificate is installed and ready to use. The renewal process is done automatically by Proxmox VE Server.
Comments
\ No newline at end of file
diff --git a/infrastructure/proxmox/network/disable-ipv6/index.html b/infrastructure/proxmox/network/disable-ipv6/index.html
new file mode 100644
index 000000000..42b1a4c86
--- /dev/null
+++ b/infrastructure/proxmox/network/disable-ipv6/index.html
@@ -0,0 +1,171 @@
+ Disable IPv6 on Proxmox - 3os
By default, Proxmox IPv6 is enabled after installation. This means that the IPv6 stack is active and the host can communicate with other hosts on the same network via IPv6 protocol.
Output of ip addr command:
You can disable IPv6 on Proxmox VE by editing the /etc/default/grub file.
nano/etc/default/grub
+
add ipv6.disable=1 to the end of GRUB_CMDLINE_LINUX_DEFAULT and GRUB_CMDLINE_LINUX line. Don't change the other values at those lines.
Save and exit. Reboot Proxmox Server to apply the changes.
Output of ip addr command after disabling IPv6 on Proxmox VE:
Comments
\ No newline at end of file
diff --git a/infrastructure/proxmox/network/proxmox-networking/index.html b/infrastructure/proxmox/network/proxmox-networking/index.html
new file mode 100644
index 000000000..f1f387065
--- /dev/null
+++ b/infrastructure/proxmox/network/proxmox-networking/index.html
@@ -0,0 +1,267 @@
+ Proxmox Networking - 3os
vmbr0 is a bridge interface. It's used to provision network to virtual machines and containers on Proxmox VE Server. We can assign multiple network interfaces to the bridge interface with bridge-ports option.
Configuring multi network interfaces to the bridge interface will provide you a failover behavior when the network interface is down or disconnected - for example, when specific switch is down.
PVE Kernel Cleaner is a program to compliment Proxmox Virtual Environment which is an open-source server virtualization environment. PVE Kernel Cleaner allows you to purge old/unused kernels filling the /boot directory. As new kernels are released the older ones have to be manually removed frequently to make room for newer ones. This can become quite tedious and require extensive time spent monitoring the system when new kernels are released and when older ones need to be cleared out to make room. With this issue existing, PVE Kernel Cleaner was created to solve it.
PVE Kernel Cleaner checks for updates automatically when you run it. If an update is available, you'll be notified within the program. Simply follow the on-screen instructions to install the update, and you're all set with the latest version!
pvekclean [OPTION1] [OPTION2]...
+
+-k, --keep [number] Keep the specified number of most recent PVE kernels on the system
+ Can be used with -f or --force for non-interactive removal
+-f, --force Force the removal of old PVE kernels without confirm prompts
+-rn, --remove-newer Remove kernels that are newer than the currently running kernel
+-s, --scheduler Have old PVE kernels removed on a scheduled basis
+-v, --version Shows current version of pvekclean
+-r, --remove Uninstall pvekclean from the system
+-i, --install Install pvekclean to the system
+-d, --dry-run Run the program in dry run mode for testing without making system changes
+
Comments
\ No newline at end of file
diff --git a/infrastructure/proxmox/vm-disk-expander/index.html b/infrastructure/proxmox/vm-disk-expander/index.html
new file mode 100644
index 000000000..bb8cc1e72
--- /dev/null
+++ b/infrastructure/proxmox/vm-disk-expander/index.html
@@ -0,0 +1,201 @@
+ VM Disk Expander - 3os
Currently supported only "cloud images" (or single ext4 partition installation) but if you still want to resize regular vm with LVM partition table, you need to extend the LVM partition INSIDE the vm AFTER running the script. Resizing LVM is done like this:
Resize of Ceph disks is currently not supported (PR are welcome!)
Comments
\ No newline at end of file
diff --git a/infrastructure/proxmox/windows-vm-configuration/index.html b/infrastructure/proxmox/windows-vm-configuration/index.html
new file mode 100644
index 000000000..9b2033abb
--- /dev/null
+++ b/infrastructure/proxmox/windows-vm-configuration/index.html
@@ -0,0 +1,168 @@
+ Windows VM Configuration - 3os
This guide will walk you through configuring Windows 10 or Windows 11 Virtual Machines with VirtIO Disks and Networking using Proxmox. This configuration was tested to work with the GPU passthroughs feature from one of the following guides:
The Windows installation process is the same as any other Windows OS installation. The only caveat is that you need to install the drivers for the Storage devices and Network devices.
Windows won't be able to load network drivers while installing. When prompted with something for connecting to the Internet, select I Don't have internet and skip it. We will deal with the network drivers at post installation.
Open the VirtIO CD and run the virtio-win-gt-x64.exe, virtio-win-guest-tools installer. This will install all the missing virtio drivers for the VM and guest OS tools.
After the installtion your Device Manager should look like this without any errors.
[GPU Split Passthrough][gpu-split-passthrough] - Splitting (Nvidia) to Multiple GPUs passthrough to VM guide
Comments
\ No newline at end of file
diff --git a/infrastructure/synology/Install-oh-my-zsh/index.html b/infrastructure/synology/Install-oh-my-zsh/index.html
new file mode 100644
index 000000000..5693b0d62
--- /dev/null
+++ b/infrastructure/synology/Install-oh-my-zsh/index.html
@@ -0,0 +1,174 @@
+ oh-my-zsh on Synology NAS - 3os
Z-shell (Zsh) is a Unix shell that can be used as an interactive login shell and as a shell scripting command interpreter. Zsh is an enhanced Bourne shell with many enhancements, including some Bash, ksh and tcsh features.
In order to install oh-my-zsh, we need to add 3rd party packages to Synology DSM. Synology Community Packages provides packages for Synology-branded NAS devices.
DSM 6 and below:
Log into your NAS as administrator and go to Main Menu → Package Center → Settings and set Trust Level to Synology Inc. and trusted publishers.
In the Package Sources tab, click Add, type SynoCommunity as Name and https://packages.synocommunity.com/ as Location and then press OK to validate.
Go back to the Package Center and enjoy SynoCommunity's packages in the Community tab.
At this point you should have a working oh-my-zsh working on your Synology NAS.
Comments
\ No newline at end of file
diff --git a/infrastructure/synology/Installing-vm-tools-on-virtual-machine/index.html b/infrastructure/synology/Installing-vm-tools-on-virtual-machine/index.html
new file mode 100644
index 000000000..373de6329
--- /dev/null
+++ b/infrastructure/synology/Installing-vm-tools-on-virtual-machine/index.html
@@ -0,0 +1,171 @@
+ Install VM Tools on Virtual Machine - 3os
\ No newline at end of file
diff --git a/infrastructure/synology/auto-dsm-config-backup/index.html b/infrastructure/synology/auto-dsm-config-backup/index.html
new file mode 100644
index 000000000..b7dd14c05
--- /dev/null
+++ b/infrastructure/synology/auto-dsm-config-backup/index.html
@@ -0,0 +1,168 @@
+ Auto DSM Config Backup - 3os
Since synology's dms doesn't provide any auto-backup for it's configuration i've made a smile script that can be run at from the "Task Scheduler". The script invokes synoconfbkp cli command that will dump the config file to provided folder. I use dropbox's folder in my case (This will sync my files to DropBox account). It append a date and hostname. It also checks the same folder for files older of 60 days and deletes them so your storage won't be flooded with files from older than 2 month. I've scheduled the script to run ounces a day with the "Task Scheduler"
To use it create new Task Scheduler choose a scheduler append the script to "Run Command" at "Task Settings" don't forget to change to destinations.
Synology NAS (DSM) is a network storage device, with some additional features like native support for virtualization, and docker support. One of the issues is that the default ports 80 and 443 are used by the web server even if you change the default ports of the Synology's DSM to other ports. In some cases, you want to use these ports for other purposes, such as a reverse proxy as an entry point for the web services. The following steps will help you to free the default ports 80 and 443 on the Synology NAS (DSM) for other purposes.
Configure the Synology NAS (DSM) to Listen on Other Ports¶
First, you need to configure the Synology NAS (DSM) to listen on other ports then 80, 443.
Login to the Synology NAS (DSM) as administrator user open Control Panel and find Login Portal under System
Under DSM tab, change the DSM port (http) to a different port then 80, and the DSM port (https) to a different port then 443.
Click Save to save the changes. Then, re-login to the Synology NAS (DSM) with the new port as administrator user as we did above.
Disable the Synology NAS (DSM) to Listen on 80, 443 Ports¶
Synology NAS (DSM) will listen on 80, 443 ports after each reboot. Therefore, the changes will be lost after each reboot. The workaround is to run the a script to free the ports 80, 443 on each time the Synology NAS (DSM) is boots.
The following one liner will free the ports 80, 443 on Nginx web server of the Synology NAS (DSM), until the Synology NAS (DSM) is rebooted. It removes the port 80, 443 from the Nginx config and restarts the Nginx service.
Suggestion: Select the Notification when the task is terminated abnormally.
Click OK. The new task should be created. You can check the task by clicking Run in the Task Scheduler page. Preferred to reboot the Synology NAS (DSM) to make sure the changes are applied at boot.
Comments
\ No newline at end of file
diff --git a/infrastructure/synology/enable-ssh-root-login/index.html b/infrastructure/synology/enable-ssh-root-login/index.html
new file mode 100644
index 000000000..b1426a6a7
--- /dev/null
+++ b/infrastructure/synology/enable-ssh-root-login/index.html
@@ -0,0 +1,169 @@
+ Enable SSH Root Login - 3os
Synology DSM allows Linux experts to use the SSH terminal. By default you need to log in as a user and then enter "sudo su root" can be inconvenient, but there is the option of logging in as root directly.
First, the DSM Control Panel is called up, Extended mode must be activated so that the required icon Terminal & SNMP appears. Under Terminal & SNMP the SSH-Service just can enable.
Connect to Synology dns with your admin user and password. Change user to root with the command "sudo su" and enter the Admins's password. Set the root user password with the command below:
sudosynouser-setpwroot'new_root_password'
+
Edit the file /etc/ssh/sshd_config and change the line PermitRootLogin no to PermitRootLogin yes.
sudovi/etc/ssh/sshd_config
+
Reboot the Synology NAS to apply the changes.
Comments
\ No newline at end of file
diff --git a/infrastructure/synology/ssh-with-rsa-key/index.html b/infrastructure/synology/ssh-with-rsa-key/index.html
new file mode 100644
index 000000000..ff78fcda9
--- /dev/null
+++ b/infrastructure/synology/ssh-with-rsa-key/index.html
@@ -0,0 +1,175 @@
+ SSH With RSA Keys - 3os
Authors: fire1ce | Created: 2022-04-13 | Last update: 2022-04-24
Synology DSM - Allow Presistent SSH With RSA Keys¶
As a power user, i would like to be able to connect to my Synology DSM vis SSH. The issue is that Synology DSM won't allow you to use SSH with RSA keys out of the box and only allows you to use SSH with password. In order to allow the use of SSH keys we need to perform the following steps:
User Home enable to create a personal home folder for each user, except for guest. This will allow as to create user's .ssh folder and authorized_keys file.
Log into Synology web UI as an administrator user
Control Panel -> User & Groups -> Advanced, scroll down to “User Homeâ€
Check “Enable user home serviceâ€, select an appropriate Location (i.e. volume1)
Log in to the NAS through SSH with the user you want to add key authorization for. The following example shows how to add will work for the active user in the SSH session.
First change the permissins of the users home folder to 700
sudochmod700~
+
Create the .ssh folder and set permissions to 700
mkdir~/.ssh&&chmod700~/.ssh
+
Create the authorized_keys file and set permissions to 644
Synology's DSM SSH server supports RSA and ed25519 keys.
No you need to copy you public keys to authorized_keys file, you can do it manually or use the following command:
echo<public-key-sting>>>~/.ssh/authorized_keys
+
You can do it automatically by using the following command from a client with the ssh key you want to add:
ssh-copy-id-i~/.ssh/id_rsa<user@ip-address>
+
At this point you should be able to connect to Synology DSM via SSH using the key you just added.
Comments
\ No newline at end of file
diff --git a/infrastructure/ubiquiti/edge-router/index.html b/infrastructure/ubiquiti/edge-router/index.html
new file mode 100644
index 000000000..1d55b102c
--- /dev/null
+++ b/infrastructure/ubiquiti/edge-router/index.html
@@ -0,0 +1,316 @@
+ EdgeRouter - 3os
This will change the GUI to port 8443, disable old cyphers, Only will listen on internal Network. assuming your EdgeRouter IP is 192.168.1.1, if not change it accordingly.
From the Dashboard, click Add Interface and select VLAN.
Set up the VLAN ID as You like for this example will use id 1003 and attach it to the physical interface of your LAN. Give it an IP address in the range of a private IP block, but make sure you end it in a /24 to specify the proper subnet (I originally did /32 as I though it was supposed to be the exact IP address).
Click on the Services tab. Click Add DHCP Server. Set it up similar to the image below.
Click on the DNS tab under services. Click Add Listen interface and select the VLAN interface. Make sure you hit save.
At this point, you should be able to connect to your Guest Network and connect to the Internet. However, you’ll be able to access the EdgeRouter as well as other devices on your LAN. Next thing you have to do is secure the VLAN.
Click on Firewall/NAT and then click on Add Ruleset. This is for packets coming into the router destined for somewhere else (not the router). Set up the default policy for Accept. Click Save.
From the Actions menu next to the Ruleset, click Interfaces.
Select your VLAN interface and the in direction.
Click Rules and then Add New Rule. Click on Basic and name it LAN. Select Drop as the Action.
Click Destination and enter 10.0.1.0/24 or whatever your LAN IP range is. Then click Save. This will drop all packets from the VLAN destined for your LAN. Save.
Repeat 1 and 2 above (name it GUEST_LOCAL). From the Interface, select the VLAN interface and the local direction. However, set up the default policy as Drop.
If you want to limit your Guest Users Bandwidth, head over to User Groups and create a new user group called Guest. Enter bandwidth limits that are appropriate for your Internet Speed. I used 6000 down and 2500 up.
Now go to the Wireless Networks section and create a new network called “Guest†or whatever you want to call it.
Make sure it is enabled, give it WiFi security key, check the “Guest Policy†option, enter the VLAN Id you used previously and choose the Guest User Group. Save!
Done. Test Your New Guest Wifi by connecting to the Guest Wifi and browse to a website.
For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.
ssh to the EdgeRouter
Make sure that the date/time is set correctly on the EdgeRouter.
showdate
+ThuDec2814:35:42UTC2017
+
Log in as the root user.
sudosu
+
Generate a Diffie-Hellman (DH) key file and place it in the /config/auth directory. This Will take some time...
openssldhparam-out/config/auth/dh.pem-24096
+
Change the current directory.
cd/usr/lib/ssl/misc
+
Generate a root certificate (replace with your desired passphrase).
./CA.pl-newca
+
exmaple:
PEM Passphrase: Country Name: US
State Or Province Name: New York
Locality Name: New York
Organization Name: Ubiquiti
Organizational Unit Name: Support
Common Name: root
Email Address: support@ubnt.com
NOTE: The Common Name needs to be unique for all certificates.
Copy the newly created certificate + key to the /config/auth directory.
The most suitable place to enable NetFlow is your Default gateway router. UNMS supports NetFlow version 5 and 9. UNMS only record flow data for IP ranges defined below. Whenever UNMS receives any data from a router, the status of NetFlow changes to Active .
\ No newline at end of file
diff --git a/infrastructure/ubiquiti/udm-dream-machine/cli-commands/index.html b/infrastructure/ubiquiti/udm-dream-machine/cli-commands/index.html
new file mode 100644
index 000000000..c1317d6e3
--- /dev/null
+++ b/infrastructure/ubiquiti/udm-dream-machine/cli-commands/index.html
@@ -0,0 +1,171 @@
+ CLI Commands - 3os
This script need to run every time the system is rebooted since the UDM overwrites crons every boot. This can be accomplished with a boot script. Flow this guide: UDM / UDMPro Boot Script
When UDM or UDM PRO reboots or the firmawre is updated the custom changes you made will be lost. This Script will allow you to initialize your custom changes on every boot or firmware update. without losing your custom changes.
Allows you to run a shell script at S95 anytime your UDM starts / reboots
Persists through reboot and firmware updates! It is able to do this because Ubiquiti caches all debian package installs on the UDM in /data, then re-installs them on reset of unifi-os container.
This is a force to install script so will uninstall any previous version and install on_boot keeping your on boot files.
This will also install CNI Plugins & CNI Bridge scripts. If you are using UDMSE/UDR remember that you must install podman manually because there is no podman.
UDM will discard any Authorized Keys for SSH every reboot or firmware upgrade. This script will allow you to persist your SSH keys in the UDM and survive reboots.
This script need to run every time the system is rebooted since the /root/.ssh/authorized_keys overwrites every boot. This can be accomplished with a boot script. Flow this guide: UDM / UDMPro Boot Script
At boot the script with read the $DATA_DIR/ssh/authorized_keys file and add the content to UDM's /root/.ssh/authorized_keys
Manual run:
$DATA_DIR/on_boot.d/99-ssh-keys.sh
+
Comments
\ No newline at end of file
diff --git a/infrastructure/ubiquiti/udm-dream-machine/udm-better-fan-speeds/index.html b/infrastructure/ubiquiti/udm-dream-machine/udm-better-fan-speeds/index.html
new file mode 100644
index 000000000..599ec128f
--- /dev/null
+++ b/infrastructure/ubiquiti/udm-dream-machine/udm-better-fan-speeds/index.html
@@ -0,0 +1,169 @@
+ Better Fan Speeds - 3os
Repository Deprecation Notice: This project is now deprecated and archived due to the release of UniFi's firmware v2.x and v3.x for Dream Machnines, which natively fix the fan speed issues.
This repository only works with firmware 1.x. UDM-PRO Please consider upgrading your firmware for improved functionality.
It stops the build in service that monitors the thermal values, fan speed and connection of a HDD/SSD. After that it sets the thermal/fan chip (adt7475) to automatic mode. Once that is done it changes the thermal and fan threshold values specified in the script. If you like, you can change the values to your own preferences.
This will allow to to span a container with podman to handle DDNS updates for main internet IP address. The container will run the background without any system permissions.
\ No newline at end of file
diff --git a/infrastructure/ubiquiti/udm-dream-machine/wireguard-vpn/index.html b/infrastructure/ubiquiti/udm-dream-machine/wireguard-vpn/index.html
new file mode 100644
index 000000000..0be675d68
--- /dev/null
+++ b/infrastructure/ubiquiti/udm-dream-machine/wireguard-vpn/index.html
@@ -0,0 +1,214 @@
+ Wireguard VPN - 3os
WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
The setup script will load the wireguard module, and setup the symbolic links for the wireguard tools (wg-quick and wg). You can run dmesg to verify the kernel module was loaded. You should see something like the following:
The wireguard module and tools included in this package have been tested on the following Ubiquiti devices:
Unifi Dream Machine (UDM) and UDM-Pro 0.5.x, 1.9.x, 1.10.x, 1.11.x.
UDM-SE and Unifi Dream Router (UDR) 2.2.x
UniFi Next-Gen Gateway (UXG-Pro) 1.11.x
Note that for the UDM, UDM Pro, and UXG-Pro, Ubiquiti includes the wireguard module in the official kernel since firmware 1.11.0-14, but doesn't include the WireGuard tools. The setup script in this package will try to load the built-in wireguard module if it exists first.
Read the documentation on WireGuard.com for general WireGuard concepts. Here is a simple example of a wireguard server configuration for UnifiOS.
Create the server and client public/private key pairs by running the following. This will create the files privatekey_server, publickey_server and privatekey_client1, publickey_client1. These contain the public and private keys. Store these files somewhere safe.
On your UDM/UDR, create a wireguard config under /etc/wireguard named wg0.conf. Here is an example server config. Remember to use the correct server private key and the client public key.
Adjust AllowedIPs to set what your client should route through the tunnel. Set to 0.0.0.0/0,::/0 to route all the client's Internet through the tunnel. See the WireGuard documentation for more information.
Note each different client requires their own private/public key pair, and the public key must be added to the server's WireGuard config as a separate Peer.
To bring the tunnel up, run wg-quick up <config>. Verify the tunnel received a handshake by running wg.
wg-quickup/etc/wireguard/wg0.conf
+
To bring down the tunnel, run wg-quick down <config>.
wg-quickdown/etc/wireguard/wg0.conf
+
In your UniFi Network settings, add a WAN_LOCAL (or Internet Local) firewall rule to ACCEPT traffic destined to UDP port 51820 (or your ListenPort if different). Opening this port in the firewall is needed so remote clients can access the WireGuard server.
The AllowedIPs parameter in the wireguard config allows you to specify which destination subnets to route through the tunnel.
If you want to route router-connected clients through the wireguard tunnel based on source subnet or source VLAN, you need to set up policy-based routing. Currently, there is no GUI support for policy-based routing in UnifiOS, but it can be set up in SSH by using ip route to create a custom routing table, and ip rule to select which clients to route through the custom table.
For a script that makes it easy to set-up policy-based routing rules on UnifiOS, see the split-vpn project.
The setup script must be run every time the system is rebooted to link the wireguard tools and load the module. This can be accomplished with a boot script.
For the UDM or UDM Pro, install UDM Utilities on-boot-script by following the instructions here, then create a boot script under /mnt/data/on_boot.d/99-setup-wireguard.sh and fill it with the following contents. Remember to run chmod +x /mnt/data/on_boot.d/99-setup-wireguard.sh afterwards.
For the UDM-SE or UDR, create a systemd boot service to run the setup script at boot. Create a service file under /etc/systemd/system/setup-wireguard.service and fill it with the following contents. After creating the service, run systemctl daemon-reload && systemctl enable setup-wireguard to enable the service on boot. Click here to see the boot service.
Note this only adds the setup script to start at boot. If you also want to bring your wireguard interface up at boot, you will need to add another boot script with your wg-quick up command.
Setup script returns error "Unsupported Kernel version XXX" * The wireguard package does not contain a wireguard module built for your firmware or kernel version, nor is there a built-in module in your kernel. Please open an issue and report your version so we can try to update the module. wg-quick up returns error "unable to initialize table 'raw'" * Your kernel does not have the iptables raw module. The raw module is only required if you use `0.0.0.0/0` or `::/0` in your wireguard config's AllowedIPs. A workaround is to instead set AllowedIPs to `0.0.0.0/1,128.0.0.0/1` for IPv4 or `::/1,8000::/1` for IPv6. These subnets cover the same range but do not invoke wg-quick's use of the iptables raw module.
"WireGuard" and the "WireGuard" logo are registered trademarks of Jason A. Donenfeld.
The built-in gateway DNS does not reply to requests from the WireGuard tunnel¶
The built-in dnsmasq on UnifiOS is configured to only listen for requests from specific interfaces. The wireguard interface name (e.g.: wg0) needs to be added to the dnsmasq config so it can respond to requests from the tunnel. You can run the following to add wg0 to the dnsmasq interface list:
\ No newline at end of file
diff --git a/infrastructure/vmware/vmware-fusion/index.html b/infrastructure/vmware/vmware-fusion/index.html
new file mode 100644
index 000000000..24e880bdc
--- /dev/null
+++ b/infrastructure/vmware/vmware-fusion/index.html
@@ -0,0 +1,172 @@
+ VMware Fusion - 3os
If you use your vm as NAT network "Shared with My Mac" You can forward a port to your host macOS machine.
The network configuration files are stored their respective folders within the VMware Fusion preferences folder.
/Library/Preferences/VMware\ Fusion/
+
In order to find the right network config you can inspect the dhcpd.conf inside of vmnet* folders.
catdhcpd.conf
+
After you found the correct network it should contain a nat.conf file Edit the (with sudo privileges) nat.conf, For UDP protocol edit the section [incomingudp] for TCP protocol edit the [incomingtcp]
In the next example we will forward port 4444 from VM to the 4444 port on the host. You can foreword any port to any port as you like.
After you saved the configuration nat.conf file you must restart VMware's network services
If you want to test the port forwarding is working as it should here's an example of running simple python webserver on the vm on port 4444 we configured before:
python-mSimpleHTTPServer4444
+
Now you can test it on the Host machine by browsing to http://localhost:4444 or http://127.0.0.1:4444
Comments
\ No newline at end of file
diff --git a/js/timeago.min.js b/js/timeago.min.js
new file mode 100644
index 000000000..a8530a5f7
--- /dev/null
+++ b/js/timeago.min.js
@@ -0,0 +1,2 @@
+/* Taken from https://cdnjs.cloudflare.com/ajax/libs/timeago.js/4.0.2/timeago.min.js */
+!function(s,n){"object"==typeof exports&&"undefined"!=typeof module?n(exports):"function"==typeof define&&define.amd?define(["exports"],n):n((s=s||self).timeago={})}(this,function(s){"use strict";var a=["second","minute","hour","day","week","month","year"];function n(s,n){if(0===n)return["just now","right now"];var e=a[Math.floor(n/2)];return 1=m[t]&&t=m[e]&&e 0) {
+ var locale = nodes[0].getAttribute('locale');
+ timeago.render(nodes, locale);
+ }
+ })
+} else {
+ var nodes = document.querySelectorAll('.timeago');
+ if (nodes.length > 0) {
+ var locale = nodes[0].getAttribute('locale');
+ timeago.render(nodes, locale);
+ }
+}
diff --git a/linux/Network/identify-nics/index.html b/linux/Network/identify-nics/index.html
new file mode 100644
index 000000000..4322bd13a
--- /dev/null
+++ b/linux/Network/identify-nics/index.html
@@ -0,0 +1,198 @@
+ Identify Network Interfaces - 3os
Servers usually have a number of physical network interfaces. The network interfaces names in linux host usually won't tell you much about the which physical network interface corresponds to the interface name. Therefor, it creates a problem when you want to use a specific network interface for a specific purpose but you don't know which physical network interface corresponds to the interface name.
ethtool tool can be used to identify the physical network interface corresponding to a network interface name.
For this method to work, you need a physical accessto host's network cards and the physical network interfaces should have Led indicator lights.
Note
This functionality of ethtool may not be supported by all server or network card hardware.
ethtool usually isn't installed by default on a linux host. You can install it by running the following command (debian example):
aptinstallethtool
+
Find the network interfaces present on the host and run the following command for each network interface:
ipaddr
+
or
ifconfig-a
+
Now you can use the ethtool command to identify the physical network interface corresponding to the network interface name.
Example for eth0 network interface name:
ethtool--identifyeth0
+
This command will run untill you stop it. When it's running, you should see the LED indicator light blinking (usually orange) on the physical network interface corresponding to the network interface name.
To get information about the hardware capabilities of the network interface:
\ No newline at end of file
diff --git a/linux/files-handling/index.html b/linux/files-handling/index.html
new file mode 100644
index 000000000..97425cf49
--- /dev/null
+++ b/linux/files-handling/index.html
@@ -0,0 +1,178 @@
+ Files Handling - 3os
\ No newline at end of file
diff --git a/linux/general-snippets/index.html b/linux/general-snippets/index.html
new file mode 100644
index 000000000..86366cf95
--- /dev/null
+++ b/linux/general-snippets/index.html
@@ -0,0 +1,184 @@
+ General Snippets - 3os
2>&1 redirects channel 2 (stderr/standard error) into channel 1 (stdout/standard output), such that both is written as stdout. It is also directed to the given output file as of the tee command.
Furthermore, if you want to append to the log file, use tee -a as:
\ No newline at end of file
diff --git a/linux/lvm-partitions/index.html b/linux/lvm-partitions/index.html
new file mode 100644
index 000000000..8827f6df0
--- /dev/null
+++ b/linux/lvm-partitions/index.html
@@ -0,0 +1,173 @@
+ LVM Partitions - 3os
Removing LVM Partition and Merging In To / (root partition)¶
Find out the names of the partition with df
df
+
You need to unmount the partition before you can delete them and marge backup the data of the partition you would like to delete this example will use "centos-home" as the partition that will be merged to the root partition.
\ No newline at end of file
diff --git a/linux/services-and-daemons/index.html b/linux/services-and-daemons/index.html
new file mode 100644
index 000000000..bb3942d53
--- /dev/null
+++ b/linux/services-and-daemons/index.html
@@ -0,0 +1,154 @@
+ Services and daemons - 3os
In Linux, a service is a program that runs in the background and performs a specific function. A daemon is a type of service that also runs in the background and often starts at boot time. These processes can be controlled using the systemctl or service command. Services and daemons are an important part of the Linux operating system, as they provide various functions and services that allow the system to run smoothly. There are many different types of services and daemons that can be found on a typical Linux system, and you can find more information about them in the documentation for your specific distribution.
The systemctl command with the grep command will display a list of all running services and daemons on your Linux system. The grep command will search the output of systemctl for the string "running" and only display the lines that contain that string.
systemctl list-unit-files --state=enabled is a command that shows a list of unit files that are currently enabled on the system. The --state option specifies the state of the unit files that you want to see. By using --state=enabled, you will see only unit files that are enabled and will be started automatically when the system boots.
systemctllist-unit-files--state=enabled
+
\ No newline at end of file
diff --git a/linux/smb-mount-autofs/index.html b/linux/smb-mount-autofs/index.html
new file mode 100644
index 000000000..bf97c2a04
--- /dev/null
+++ b/linux/smb-mount-autofs/index.html
@@ -0,0 +1,186 @@
+ SMB Mount With autofs - 3os
If there are no errors, you should test how it works after a reboot. Your remote share should mount automatically.
Comments
\ No newline at end of file
diff --git a/linux/ssh-hardening-with-rsa-keys/index.html b/linux/ssh-hardening-with-rsa-keys/index.html
new file mode 100644
index 000000000..8da68234f
--- /dev/null
+++ b/linux/ssh-hardening-with-rsa-keys/index.html
@@ -0,0 +1,180 @@
+ SSH Hardening with SSH Keys - 3os
\ No newline at end of file
diff --git a/linux/ubuntu-debian/disable-ipv6/index.html b/linux/ubuntu-debian/disable-ipv6/index.html
new file mode 100644
index 000000000..ddd127b0e
--- /dev/null
+++ b/linux/ubuntu-debian/disable-ipv6/index.html
@@ -0,0 +1,171 @@
+ Disable IPv6 via Grub - 3os
Authors: fire1ce | Created: 2022-06-28 | Last update: 2022-07-17
Disable IPv6 on Ubuntu and Debian Linux Permanently¶
By default, Ubuntu/Debian IPv6 is enabled after installation. This means that the IPv6 stack is active and the host can communicate with other hosts on the same network via IPv6 protocol.
You can disable Ubuntu/Debian by editing the /etc/default/grub file.
nano/etc/default/grub
+
add ipv6.disable=1 to the end of GRUB_CMDLINE_LINUX_DEFAULT and GRUB_CMDLINE_LINUX line. Don't change the other values at those lines.
\ No newline at end of file
diff --git a/linux/ubuntu-debian/free-port-53/index.html b/linux/ubuntu-debian/free-port-53/index.html
new file mode 100644
index 000000000..2afcbabaa
--- /dev/null
+++ b/linux/ubuntu-debian/free-port-53/index.html
@@ -0,0 +1,170 @@
+ Free Port 53 on Ubuntu - 3os
When you install Ubuntu (in my case its Server version). It uses systemd-resolved as internal DNS Forwarder.
systemd-resolved is a system service that provides network name resolution to local applications. It implements a caching and validating DNS/DNSSEC stub resolver, as well as an LLMNR resolver and responder.
\ No newline at end of file
diff --git a/linux/ubuntu-debian/remove-snap-store/index.html b/linux/ubuntu-debian/remove-snap-store/index.html
new file mode 100644
index 000000000..b8b960b9d
--- /dev/null
+++ b/linux/ubuntu-debian/remove-snap-store/index.html
@@ -0,0 +1,170 @@
+ Remove Snap Store - 3os
Snap is a cross-platform packaging and deployment system developed by Canonical, the makers of Ubuntu, for the Linux platform. It's compatible with most major Linux distros, including Ubuntu, Debian, Arch Linux, Fedora, CentOS, and Manjaro.
\ No newline at end of file
diff --git a/linux/ubuntu-debian/unattended-upgrades/index.html b/linux/ubuntu-debian/unattended-upgrades/index.html
new file mode 100644
index 000000000..ba4522463
--- /dev/null
+++ b/linux/ubuntu-debian/unattended-upgrades/index.html
@@ -0,0 +1,250 @@
+ Unattended Upgrades - 3os
Unattended-Upgrade::Allowed-Origins {
+"${distro_id}:${distro_codename}";
+"${distro_id}:${distro_codename}-security";
+// Extended Security Maintenance; doesn't necessarily exist for
+// every release and this system may not have it installed, but if
+// available, the policy for updates is such that unattended-upgrades
+// should also install from here by default.
+"${distro_id}ESMApps:${distro_codename}-apps-security";
+"${distro_id}ESM:${distro_codename}-infra-security";
+"${distro_id}:${distro_codename}-updates";
+"${distro_id}:${distro_codename}-proposed";
+// "${distro_id}:${distro_codename}-backports";
+};
+
+Unattended-Upgrade::DevRelease "auto";
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::InstallOnShutdown "false";
+//Unattended-Upgrade::Mail "";
+//Unattended-Upgrade::MailReport "on-change";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Automatic-Reboot "true";
+Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+Unattended-Upgrade::Automatic-Reboot-Time "06:00";
+//Acquire::http::Dl-Limit "70";
+// Unattended-Upgrade::SyslogEnable "false";
+// Unattended-Upgrade::SyslogFacility "daemon";
+// Unattended-Upgrade::OnlyOnACPower "true";
+// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
+// Unattended-Upgrade::Verbose "false";
+// Unattended-Upgrade::Debug "false";
+// Unattended-Upgrade::Allow-downgrade "false";
+
Unattended-Upgrade::Origins-Pattern {
+// Codename based matching:
+// This will follow the migration of a release through different
+// archives (e.g. from testing to stable and later oldstable).
+// Software will be the latest available for the named release,
+// but the Debian release itself will not be automatically upgraded.
+"origin=Debian,codename=${distro_codename}-updates";
+// "origin=Debian,codename=${distro_codename}-proposed-updates";
+"origin=Debian,codename=${distro_codename},label=Debian";
+"origin=Debian,codename=${distro_codename},label=Debian-Security";
+
+// Archive or Suite based matching:
+// Note that this will silently match a different release after
+// migration to the specified archive (e.g. testing becomes the
+// new stable).
+// "o=Debian,a=stable";
+// "o=Debian,a=stable-updates";
+// "o=Debian,a=proposed-updates";
+// "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
+};
+
+Unattended-Upgrade::DevRelease "auto";
+Unattended-Upgrade::AutoFixInterruptedDpkg "true";
+Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::InstallOnShutdown "false";
+//Unattended-Upgrade::Mail "";
+//Unattended-Upgrade::MailReport "on-change";
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
+Unattended-Upgrade::Remove-Unused-Dependencies "true";
+Unattended-Upgrade::Automatic-Reboot "true";
+Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
+Unattended-Upgrade::Automatic-Reboot-Time "06:00";
+// Acquire::http::Dl-Limit "70";
+// Unattended-Upgrade::SyslogEnable "false";
+// Unattended-Upgrade::SyslogFacility "daemon";
+// Unattended-Upgrade::OnlyOnACPower "true";
+// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";
+// Unattended-Upgrade::Verbose "false";
+// Unattended-Upgrade::Debug "false";
+// Unattended-Upgrade::Allow-downgrade "false";
+
Automatic call via /etc/apt/apt.conf.d/20auto-upgrades
\ No newline at end of file
diff --git a/logo.jpg b/logo.jpg
new file mode 100644
index 000000000..973a5d0e4
Binary files /dev/null and b/logo.jpg differ
diff --git a/logo/chart-donut-variant.png b/logo/chart-donut-variant.png
new file mode 100644
index 000000000..2d9549e62
Binary files /dev/null and b/logo/chart-donut-variant.png differ
diff --git a/logo/chart-donut-variant.svg b/logo/chart-donut-variant.svg
new file mode 100644
index 000000000..de2d79534
--- /dev/null
+++ b/logo/chart-donut-variant.svg
@@ -0,0 +1 @@
+
\ No newline at end of file
diff --git a/logo/chart-donut-variant_transperent.png b/logo/chart-donut-variant_transperent.png
new file mode 100644
index 000000000..84312f36d
Binary files /dev/null and b/logo/chart-donut-variant_transperent.png differ
diff --git a/mac-os/applications-tweaks/index.html b/mac-os/applications-tweaks/index.html
new file mode 100644
index 000000000..7305b7a5d
--- /dev/null
+++ b/mac-os/applications-tweaks/index.html
@@ -0,0 +1,169 @@
+ Applications Tweaks - 3os
Copy the command to be executed to the Script Editor
doshellscript"open -n <path to application>"
+
Example
do shell script "open -n /Applications/'Visual Studio Code.app'"
File > Export
Use the following settings:
Export As: Your New Application Name
Where: Applications
File Format: Application
Change The Icon of Your New Application:
In Finder got to Applications folder. Right Click on the new Your New Application application we just created and click Get Info. Drug the original application icon (or any other) to the in the left corner of the "get info" menu.
Change The Icon of Your New Firefox Profile Manager Application:
In Finder got to Applications folder. Right Click on the new Firefox Profile Manager application we just created and click Get Info. Drug the original application to the icon in the left corner of the "get info" menu.
Comments
\ No newline at end of file
diff --git a/mac-os/enable-root-user/index.html b/mac-os/enable-root-user/index.html
new file mode 100644
index 000000000..4493a24aa
--- /dev/null
+++ b/mac-os/enable-root-user/index.html
@@ -0,0 +1,167 @@
+ Enable Root User - 3os
Mac administrators can use the root user account to perform tasks that require access to more areas of the system.
The user account named â€root†is a superuser with read and write privileges to more areas of the system, including files in other macOS user accounts. The root user is disabled by default. If you can log in to your Mac with an administrator account, you can enable the root user, then log in as the root user to complete your task.
System Preferences > Users & Groups Click lock icon, enter an administrator name and password. Click Login Options. Click Join at Newotk Account Server.
Click Open Directory Utility.
Click lock icon in the Directory Utility window, then enter an administrator name and password.
From the menu bar in Directory Utility: Choose Edit > Enable Root User, then enter the password that you want to use for the root user. Or choose Edit > Disable Root User.
When the root user is enabled, you have the privileges of the root user only while logged in as the root user.
Logout of your current account, then log in as the root user. user name â€root†and the password you created for the root user.
Comments
\ No newline at end of file
diff --git a/mac-os/homebrew/brewup/index.html b/mac-os/homebrew/brewup/index.html
new file mode 100644
index 000000000..5c13e2be5
--- /dev/null
+++ b/mac-os/homebrew/brewup/index.html
@@ -0,0 +1,175 @@
+ BrewUp - 3os
Brewup script is a Bash script that uses Homebrew - The Missing Package Manager for macOS as it's base. Brewup uses GitHub as a "backup" of a config file which contains all installed Taps, Formulas, Casks and App Store Apps at your macOS. It also allows the use of Github main function of retaining changes so you can always look up for the package that were installed sometime ago and you just forgot what is was exactly.
Visit as at 3os.org for more guides and tips for macOS
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Comments
\ No newline at end of file
diff --git a/mac-os/homebrew/homebrew-snippets/index.html b/mac-os/homebrew/homebrew-snippets/index.html
new file mode 100644
index 000000000..e6ab10226
--- /dev/null
+++ b/mac-os/homebrew/homebrew-snippets/index.html
@@ -0,0 +1,173 @@
+ Brew Snippets - 3os
\ No newline at end of file
diff --git a/mac-os/import-ssh-keys-keychain/index.html b/mac-os/import-ssh-keys-keychain/index.html
new file mode 100644
index 000000000..945fc7ad5
--- /dev/null
+++ b/mac-os/import-ssh-keys-keychain/index.html
@@ -0,0 +1,178 @@
+ SSH Passphrase to Keychain - 3os
The UseKeychain yes is the key part, which tells SSH to look in your macOS keychain for the key passphrase.
That's it! Next time you load any ssh connection, it will try the private keys you've specified, and it will look for their passphrase in the macOS keychain. No passphrase typing required.
Comments
\ No newline at end of file
diff --git a/mac-os/python/pyenv-virtualenv/index.html b/mac-os/python/pyenv-virtualenv/index.html
new file mode 100644
index 000000000..534031b24
--- /dev/null
+++ b/mac-os/python/pyenv-virtualenv/index.html
@@ -0,0 +1,202 @@
+ Pyenv-virtualenv Multi Version - 3os
Using and developing with Python on macOS sometimes may be frustrating...
The reason for that is that macOS uses Python 2 for its core system with pip as a package manager. When Xcode Command Line Tools are installed Python 3 and pip3 package manager will be available at the cli. When using Python2, Python3 and their package managers this way, all the packages will be installed at the system level and my effect the native packages and their dependences , this can break or lead to unwanted bugs in OS.
The right way to use python at macOS is to use Virtual Environments for python. This way all the system related versions of python and their packages won't be affected and use by you.
Installing and configuring pyenv, pyenv-virtualenv¶
In order to use pyenv, pyenv-virtualenv without conflicting with the native macOS python we need to add some configuration to our ~/.zshrc config (for mac os catalina) or your bash config if you are still using bash.
It's very imported to maintain the order of the configuration for the loading order
First of all we need to include your Executable Paths. In the example we added all the common paths, including the paths for pyenv, pyenv-virtualenv. If you have any other path that you use, you can add them at the same line or create a new line below this one.
Second to Executable Paths we will add two if statements that will check if the pyenv,pyenv-virtualenv are installed, if they are it will load them. If they aren't and you are using the same zsh or bash config it will ignore loading them
Third is a fix for brew, brew doctor. When using this method it may conflict with brew as it uses python as well. If you run run brew doctor without the fix, it will show config warnings related to the python configuration files.
Configuration for ~/.zshrc or ~/.zprofile
# Executable Paths
+## Global
+export PATH="/usr/local/bin:/usr/local/sbin:/Users/${USER}/.local/bin:/usr/bin:/usr/sbin:/bin:/sbin:$PATH"
+
+## Curl
+export PATH="/opt/homebrew/opt/curl/bin:$PATH"
+export LDFLAGS="-L/opt/homebrew/opt/curl/lib"
+export CPPFLAGS="-I/opt/homebrew/opt/curl/include"
+export PKG_CONFIG_PATH="/opt/homebrew/opt/curl/lib/pkgconfig"
+
+# pyenv, pyenv-virtualenv
+## Initiating pyenv and fix Brew Doctor: "Warning: "config" scripts exist outside your system or Homebrew directories"
+if which pyenv >/dev/null; then
+ eval "$(pyenv init --path)"
+ alias brew='env PATH=${PATH//$(pyenv root)\/shims:/} brew'
+fi
+
+## Initiating pyenv-virtualenv
+if which pyenv-virtualenv-init >/dev/null; then
+ eval "$(pyenv virtualenv-init -)"
+fi
+
After you saved your configuration the best way to load it is to close your terminal session and open it again. This will load the session with your updated configuration. There should be no errors at the new session.
This will install both pyenv and pyenv-virtualenv
brewinstallpyenv-virtualenv
+
Test if pyenv loaded currently
pyenv-v
+
After the installation we would like to set a system level python version, you can chose the default from the list available from the pyenv
List available Python Version and find the version suited for your needs:
pyenvinstall--list
+
Install Requeued Python Version (Exmaple version 3.9.5) as a default system
pyenvinstall3.9.5
+
Set it as global
pyenvglobal3.9.5
+
You can install multiply versions of python at the same time.
List all installed python versions and virtual environments and their python versions
pyenvversions
+
Now let's test our system Python version we set before, it should be the version you choose as Global before
python-V
+
So far we cleaned your system and installed and configured pyenv, pyenv-virtualenv.
We will list here some basic examples for a quick start and basic understanding
To create a virtualenv for the Python version used with pyenv, run pyenv virtualenv, specifying the Python version you want and the name of the virtualenv directory. For example,
pyenvvirtualenv3.9.5my-project-name
+
This will create a virtualenv based on Python 3.9.5 under $(pyenv root)/versions in a folder called my-project-name
Activating virtualenv automatically for project
The best way we found to activate the virtualenv at your project is to link the projects directory to the virtualenv.
cd to the project's directory and link the virtualenv for example my-project-name virtualenv
pyenvlocalmy-project-name
+
This will activate the linked virtualenv every time you cd to this directory automatically From now you can use pip to install any packages you need for your project, the location of the installed packages will be at $(pyenv root)/versions/
Activating virtualenv manually for project
You can also activate and deactivate a pyenv virtualenv manually:
pyenvactivate<virtualenvname>
+pyenvdeactivate
+
This will alow you to use multiply versions of python or packages for the same project
List existing virtualenvs
pyenvvirtualenvs
+
Delete existing virtualenv
pyenvuninstallmy-virtual-env
+
or
pyenvvirtualenv-deletemy-virtual-env
+
You and your macOS should be ready for using python the right way without conflicting any system or Xcode Command Line Tools (used by brew)
Comments
\ No newline at end of file
diff --git a/mac-os/terminal-snippets/index.html b/mac-os/terminal-snippets/index.html
new file mode 100644
index 000000000..8e01dc5af
--- /dev/null
+++ b/mac-os/terminal-snippets/index.html
@@ -0,0 +1,192 @@
+ Terminal Snippets - 3os
A much safer replacement of shell rm with ALMOST FULL features of the origin rm command.
Initially developed on Mac OS X, then tested on Linux.
Using safe-rm, the files or directories you choose to remove will move to $HOME/.Trash instead of simply deleting them. You could put them back whenever you want manually.
If a file or directory with the same name already exists in the Trash, the name of newly-deleted items will be ended with the current date and time.
Reboot your Mac into Recovery Mode by restarting your computer and holding down Command+R until the Apple logo appears on your screen. Click Utilities > Terminal. In the Terminal window, type in:
Status:
csrutilstatus
+
Disable:
csrutildisable
+
Enable:
csrutilenable
+
Press Enter and restart your Mac.
Installing rbenv (ruby send box) - Ruby alternative to the one that macOS uses¶
Install rbenv with brew
brewinstallrbenv
+
Add eval "$(rbenv init -)" to the end of ~/.zshrc or ~/.bash_profile
Install a ruby version
rbenvinstall2.3.1
+
Select a ruby version by rbenv
rbenvglobal2.3.1
+
Open a new terminal window
Verify that the right gem folder is being used with gem env home(should report something in your user folder not system wide)
List listening Ports and Programs and Users (netstat like)¶
Go to iTerm Preferences → Profiles, select your profile, then the Keys tab. click Load Preset... and choose Natural Text Editing.
Remove the Right Arrow Before the Cursor Line
you can turn it off by going in to Preferences > Profiles > (your profile) > Terminal, scroll down to Shell Integration, and turn off Show mark indicators.
\ No newline at end of file
diff --git a/mac-os/touch-id-for-sudo/index.html b/mac-os/touch-id-for-sudo/index.html
new file mode 100644
index 000000000..a2215374e
--- /dev/null
+++ b/mac-os/touch-id-for-sudo/index.html
@@ -0,0 +1,172 @@
+ TouchID for sudo - 3os
Apple devices such Macbooks and some Apple Magic Keyboards have a fingerprint - Touch ID scanner that can be used to authenticate a user with a touch of a finger. This functionality isn't available when using sudo to run commands. You have to enter your password every time you run commands with high privileges.
We can enable TouchID for sudo with a simple config change. This will allow you to use Touch ID to authenticate with sudo without entering your password including the authentication with Apple Watch.
Display Link - Known Issue
As of the writing of this article, the Display Link Driver will privent the use of Touch ID for sudo when using the Display link device. It will work when the Display Link device isn't connected. This is a known issue.
In order to enable TouchID support in iTerm2, you need to complete the above section and then follow the steps below:
Go to iTerm2 -> Preferences -> Advanced and search for:
Allow session to survive
+
Change Allow session to survive logging out and back in. to No
You can test your TouchID prompt in iTerm2 by opening new session and running:
sudo-l
+
Comments
\ No newline at end of file
diff --git a/mac-os/ui-tweaks/index.html b/mac-os/ui-tweaks/index.html
new file mode 100644
index 000000000..145d003c8
--- /dev/null
+++ b/mac-os/ui-tweaks/index.html
@@ -0,0 +1,179 @@
+ UI Tweaks - 3os
First, we want to set the default view options for all new Finder windows. To do so, open Finder and click on the view setting that you want to use. The settings are four icons and the top of your Finder window. If you don't see the Finder toolbar type:
cmd+option+t
+
After selecting the option you want, type:
cmd+j
+
to open the view options window.
Make sure you check the top two checkboxes that say Always open in list view and Browse in list view. Keep in mind it will reflect whichever view you've selected.
Now click the button at the bottom that says "Use as Defaults".
Chances are you've opened some Finder windows in the past. Individual folder options will override this default setting that we just set.
In order reset your folder settings across the entire machine we have to delete all .DS_Store files. This will ensure that all folders start fresh. Open up the Terminal application (Applications/Utilities/Terminal), and type:
\ No newline at end of file
diff --git a/penetration-testing/cheatsheets/gobuster-cheatsheet/index.html b/penetration-testing/cheatsheets/gobuster-cheatsheet/index.html
new file mode 100644
index 000000000..1c003965f
--- /dev/null
+++ b/penetration-testing/cheatsheets/gobuster-cheatsheet/index.html
@@ -0,0 +1,176 @@
+ Gobuster CheatSheet - 3os
Set the User-Agent string (default "gobuster/3.1.0")
-U
--username string
Username for Basic Auth
Comments
\ No newline at end of file
diff --git a/penetration-testing/cheatsheets/nmap-cheatsheet/index.html b/penetration-testing/cheatsheets/nmap-cheatsheet/index.html
new file mode 100644
index 000000000..93eb066fb
--- /dev/null
+++ b/penetration-testing/cheatsheets/nmap-cheatsheet/index.html
@@ -0,0 +1,180 @@
+ Nmap CheatSheet - 3os
Query the Internal DNS for hosts, list targets only
nmap192.168.1.1-50-sL--dns-server192.168.1.1
+
Comments
\ No newline at end of file
diff --git a/penetration-testing/cheatsheets/xss-cheatsheet/index.html b/penetration-testing/cheatsheets/xss-cheatsheet/index.html
new file mode 100644
index 000000000..c2c8ba6ba
--- /dev/null
+++ b/penetration-testing/cheatsheets/xss-cheatsheet/index.html
@@ -0,0 +1,372 @@
+ XSS CheatSheet - 3os
This article is focused on providing application security testing professionals with a guide to assist in Cross Site Scripting testing. The initial contents of this article were donated to OWASP by RSnake, from his seminal XSS CheatSheet, which was at: http://ha.ckers.org/xss.html. That site now redirects to its new home here, where we plan to maintain and enhance it. The very first OWASP Prevention CheatSheet, the Cross Site Scripting Prevention CheatSheet, was inspired by RSnake's XSS CheatSheet, so we can thank RSnake for our inspiration. We wanted to create short, simple guidelines that developers could follow to prevent XSS, rather than simply telling developers to build apps that could protect against all the fancy tricks specified in rather complex attack CheatSheet, and so the OWASP CheatSheet Series was born.
This CheatSheet lists a series of XSS attacks that can be used to bypass certain XSS defensive filters. Please note that input filtering is an incomplete defense for XSS which these tests can be used to illustrate.
This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here):
The following is a "polygot test XSS payload." This test will execute in multiple contexts including html, script string, js and url. Thank you to Gareth Heyes for this contribution.
Image XSS using the JavaScript directive (IE7.0 doesn't support the JavaScript directive in context of an image, but it does in other contexts, but the following show the principles that would work in other tags as well:
If you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string - this is also useful because lots of cross site scripting filters don't know about grave accents:
or Chrome loves to replace missing quotes for you... if you ever get stuck just leave them off and Chrome will put them in the right place and fix your missing quotes on a URL or script.
Originally found by Begeek (but cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tags:
Default SRC Tag to Get Past Filters that Check SRC Domain¶
This will bypass most SRC domain filters. Inserting javascript in an event method will also apply to any HTML tag type injection that uses elements like Form, Iframe, Input, Embed etc. It will also allow any relevant event for the tag type to be substituted like onblur, onclick giving you an extensive amount of variations for many injections listed here. Submitted by David Cross .
All of the XSS examples that use a javascript: directive inside of an <IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko rendering engine mode).
Decimal HTML Character References Without Trailing Semicolons¶
This is often effective in XSS that attempts to look for "&#XX;", since most people don't know about padding - up to 7 numeric characters total. This is also useful against people who decode against strings like \(tmp_string =\~ s/.\*\\&\#(\\d+);.\*/\)1/; which incorrectly assumes a semicolon is required to terminate a html encoded string (I've seen this in the wild):
Hexadecimal HTML Character References Without Trailing Semicolons¶
This is also a viable XSS attack against the above string \(tmp_string=\~ s/.\*\\&\#(\\d+);.\*/\)1/; which assumes that there is a numeric character following the pound symbol - which is not true with hex HTML characters).
Some websites claim that any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. See the ascii chart for more details. The following four XSS examples illustrate this vector:
(Note: with the above I am making these strings longer than they have to be because the zeros could be omitted. Often I've seen filters that assume the hex and dec encoding has to be two or three characters. The real rule is 1-7 characters.):
Null chars also work as XSS vectors but not like above, you need to inject them directly using something like Burp Proxy or use %00 in the URL string or if you want to write your own injection tool you can either use vim (^V^@ will produce a null) or the following program to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char 173 (the soft hypen control char). But the null char %00 is much more useful and helped me bypass certain real world filters with a variation on this example:
Spaces and Meta Chars Before the JavaScript in Images for XSS¶
This is useful if the pattern match doesn't take into account spaces in the word javascript: -which is correct since that won't render- and makes the false assumption that you can't have a space between the quote and the javascript: keyword. The actual reality is you can have any char from 1-32 in decimal:
The Firefox HTML parser assumes a non-alpha-non-digit is not valid after an HTML keyword and therefor considers it to be a whitespace or non-valid token after an HTML tag. The problem is that some XSS filters assume that the tag they are looking for is broken up by whitespace. For example \<SCRIPT\\s != \<SCRIPT/XSS\\s:
Based on the same idea as above, however,expanded on it, using Rnake fuzzer. The Gecko rendering engine allows for any character other than letters, numbers or encapsulation chars (like quotes, angle brackets, etc...) between the event handler and the equals sign, making it easier to bypass cross site scripting blocks. Note that this also applies to the grave accent char as seen here:
Yair Amit brought this to my attention that there is slightly different behavior between the IE and Gecko rendering engines that allows just a slash between the tag and the parameter with no spaces. This could be useful if the system does not allow spaces.
Submitted by Franz Sedlmaier, this XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorythm like Boyer-Moore that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the ending extraneous bracket to supress a JavaScript error:
In Firefox and Netscape 8.1 in the Gecko rendering engine mode you don't actually need the \></SCRIPT> portion of this Cross Site Scripting vector. Firefox assumes it's safe to close the HTML tag and add closing tags for you. How thoughtful! Unlike the next one, which doesn't effect Firefox, this does not require any additional HTML below it. You can add quotes if you need to, but they're not needed generally, although beware, I have no idea what the HTML will end up looking like once this is injected:
This particular variant was submitted by Åukasz Pilorz and was based partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE, Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end. However, this is especially useful where space is an issue, and of course, the shorter your domain, the better. The ".j" is valid, regardless of the encoding type because the browser knows it in context of a SCRIPT tag.
Unlike Firefox the IE rendering engine doesn't add extra data to you page, but it does allow the javascript: directive in images. This is useful as a vector because it doesn't require a close angle bracket. This assumes there is any HTML tag below where you are injecting this cross site scripting vector. Even though there is no close ">" tag the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. It gets around the following NIDS regex: /((\\%3D)|(=))\[^\\n\]\*((\\%3C)|\<)\[^\\n\]+((\\%3E)|\>)/ because it doesn't require the end ">". As a side note, this was also affective against a real world XSS filter I came across using an open ended <IFRAME tag instead of an <IMG tag:
Using an open angle bracket at the end of the vector instead of a close angle bracket causes different behavior in Netscape Gecko rendering. Without it, Firefox will work but Netscape won't:
When the application is written to output some user information inside of a JavaScript like the following: <SCRIPT>var a="$ENV{QUERY\_STRING}";</SCRIPT> and you want to inject your own JavaScript into it but the server side application escapes certain quotes you can circumvent that by escaping their escape character. When this gets injected it will read <SCRIPT>var a="\\\\";alert('XSS');//";</SCRIPT> which ends up un-escaping the double quote and causing the Cross Site Scripting vector to fire. The XSS locator uses this method.:
`\";alert('XSS');//`
+
An alternative, if correct JSON or Javascript escaping has been applied to the embedded data but not HTML encoding, is to finish the script block and start your own:
Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector:
Method doesn't require using any variants of javascript: or <SCRIPT... to accomplish the XSS attack). Dan Crowley additionally noted that you can put a space before the equals sign (onload= != onload =):
It can be used in similar XSS attacks to the one above (this is the most comprehensive list on the net, at the time of this writing). Thanks to Rene Ledosquet for the HTML+TIME updates.
FSCommand() (attacker can use this when executed from within an embedded Flash object)
onAbort() (when user aborts the loading of an image)
onActivate() (when object is set as the active element)
onAfterPrint() (activates after user prints or previews print job)
onAfterUpdate() (activates on data object after updating data in the source object)
onBeforeActivate() (fires before the object is set as the active element)
onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the execCommand("Copy") function)
onBeforeCut() (attacker executes the attack string right before a selection is cut)
onBeforeDeactivate() (fires right after the activeElement is changed from the current object)
onBeforeEditFocus() (Fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)
onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand("Paste") function)
onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or execCommand("Print") function).
onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent)
onBeforeUpdate() (activates on data object before updating data in the source object)
onBegin() (the onbegin event fires immediately when the element's timeline begins)
onBlur() (in the case where another popup is loaded and window looses focus)
onBounce() (fires when the behavior property of the marquee object is set to "alternate" and the contents of the marquee reach one side of the window)
onCellChange() (fires when data changes in the data provider)
onChange() (select, text, or TEXTAREA field loses focus and its value has been modified)
onClick() (someone clicks on a form)
onContextMenu() (user would need to right click on attack area)
onControlSelect() (fires when the user is about to make a control selection of the object)
onCopy() (user needs to copy something or it can be exploited using the execCommand("Copy") command)
onCut() (user needs to copy something or it can be exploited using the execCommand("Cut") command)
onDataAvailable() (user would need to change data in an element, or attacker could perform the same function)
onDataSetChanged() (fires when the data set exposed by a data source object changes)
onDataSetComplete() (fires to indicate that all data is available from the data source object)
onDblClick() (user double-clicks a form element or a link)
onDeactivate() (fires when the activeElement is changed from the current object to another object in the parent document)
onDrag() (requires that the user drags an object)
onDragEnd() (requires that the user drags an object)
onDragLeave() (requires that the user drags an object off a valid location)
onDragEnter() (requires that the user drags an object into a valid location)
onDragOver() (requires that the user drags an object into a valid location)
onDragDrop() (user drops an object (e.g. file) onto the browser window)
onDragStart() (occurs when user starts drag operation)
onDrop() (user drops an object (e.g. file) onto the browser window)
onEnd() (the onEnd event fires when the timeline ends.
onError() (loading of a document or image causes an error)
onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in the data source object)
onFilterChange() (fires when a visual filter completes state change)
onFinish() (attacker can create the exploit when marquee is finished looping)
onFocus() (attacker executes the attack string when the window gets focus)
onFocusIn() (attacker executes the attack string when window gets focus)
onFocusOut() (attacker executes the attack string when window looses focus)
onHashChange() (fires when the fragment identifier part of the document's current address changed)
onHelp() (attacker executes the attack string when users hits F1 while the window is in focus)
onInput() (the text content of an element is changed through the user interface)
onKeyDown() (user depresses a key)
onKeyPress() (user presses or holds down a key)
onKeyUp() (user releases a key)
onLayoutComplete() (user would have to print or print preview)
onLoad() (attacker executes the attack string after the window loads)
onLoseCapture() (can be exploited by the releaseCapture() method)
onMediaComplete() (When a streaming media file is used, this event could fire before the file starts playing)
onMediaError() (User opens a page in the browser that contains a media file, and the event fires when there is a problem)
onMessage() (fire when the document received a message)
onMouseDown() (the attacker would need to get the user to click on an image)
onMouseEnter() (cursor moves over an object or area)
onMouseLeave() (the attacker would need to get the user to mouse over an image or table and then off again)
onMouseMove() (the attacker would need to get the user to mouse over an image or table)
onMouseOut() (the attacker would need to get the user to mouse over an image or table and then off again)
onMouseOver() (cursor moves over an object or area)
onMouseUp() (the attacker would need to get the user to click on an image)
onMouseWheel() (the attacker would need to get the user to use their mouse wheel)
onMove() (user or attacker would move the page)
onMoveEnd() (user or attacker would move the page)
onMoveStart() (user or attacker would move the page)
onOffline() (occurs if the browser is working in online mode and it starts to work offline)
onOnline() (occurs if the browser is working in offline mode and it starts to work online)
onOutOfSync() (interrupt the element's ability to play its media as defined by the timeline)
onPaste() (user would need to paste or attacker could use the execCommand("Paste") function)
onPause() (the onpause event fires on every element that is active when the timeline pauses, including the body element)
onPopState() (fires when user navigated the session history)
onProgress() (attacker would use this as a flash movie was loading)
onPropertyChange() (user or attacker would need to change an element property)
onReadyStateChange() (user or attacker would need to change an element property)
onRedo() (user went forward in undo transaction history)
onRepeat() (the event fires once for each repetition of the timeline, excluding the first full cycle)
onReset() (user or attacker resets a form)
onResize() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
onResizeEnd() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
onResizeStart() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
onResume() (the onresume event fires on every element that becomes active when the timeline resumes, including the body element)
onReverse() (if the element has a repeatCount greater than one, this event fires every time the timeline begins to play backward)
onRowsEnter() (user or attacker would need to change a row in a data source)
onRowExit() (user or attacker would need to change a row in a data source)
onRowDelete() (user or attacker would need to delete a row in a data source)
onRowInserted() (user or attacker would need to insert a row in a data source)
onScroll() (user would need to scroll, or attacker could use the scrollBy() function)
onSeek() (the onreverse event fires when the timeline is set to play in any direction other than forward)
onSelect() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
onSelectionChange() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
onSelectStart() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand("SelectAll");)
onStart() (fires at the beginning of each marquee loop)
onStop() (user would need to press the stop button or leave the webpage)
onStorage() (storage area changed)
onSyncRestored() (user interrupts the element's ability to play its media as defined by the timeline to fire)
onSubmit() (requires attacker or user submits a form)
onTimeError() (user or attacker sets a time property, such as dur, to an invalid value)
onTrackChange() (user or attacker changes track in a playList)
onUndo() (user went backward in undo transaction history)
onUnload() (as the user clicks any link or presses the back button or attacker forces a click)
onURLFlip() (this event fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file)
seekSegmentTime() (this is a method that locates the specified point on the element's segment time line and begins playing from that point. The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute.)
Using something as simple as a remote style sheet you can include your XSS as the style parameter can be redefined using an embedded expression. This only works in IE and Netscape 8.1+ in IE rendering engine mode. Notice that there is nothing on the page to show that there is included JavaScript. Note: With all of these remote style sheet examples they use the body tag, so it won't work unless there is some content on the page other than the vector itself, so you'll need to add a single letter to the page to make it work if it's an otherwise blank page:
This works the same as above, but uses a <STYLE> tag instead of a <LINK> tag). A slight variation on this vector was used to hack Google Desktop. As a side note, you can remove the end </STYLE> tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equals sign or a slash in your cross site scripting attack, which has come up at least once in the real world:
This only works in Opera 8.0 (no longer in 9.x) but is fairly tricky. According to RFC2616 setting a link header is not part of the HTTP1.1 spec, however some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: <http://xss.rocks/xss.css>; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox:
This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefor is vulnerable to this for the vast majority of sites:
This is really a hybrid of the above XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like above this can send IE into a loop:
IE6.0 and Netscape 8.1+ in IE rendering engine mode don't really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter:
This is a little different than the above two cross site scripting vectors because it uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute:
US-ASCII encoding (found by Kurt Huwig).This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the host transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding.
The odd thing about meta refresh is that it doesn't send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs:
Rnaske built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8.13, 12288, 65279):
Only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore does not need to be removed, which allows our Cross Site Scripting vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job:
Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like images/image.jpg rather than full paths. If the path includes a leading forward slash like /images/image.jpg you can remove one slash from this vector (as long as there are two to begin the comment this will work):
If they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag). The linked file is actually an HTML file that can contain your XSS:
This example only works in Firefox, but it's better than the above vector in Firefox because it does not require the user to have Flash turned on or installed. Thanks to nEUrOO for this one.
Locally hosted XML with embedded JavaScript that is generated using an XML data island¶
This is the same as above but instead referrs to a locally hosted (must be on the same server) XML file that contains your cross site scripting vector. You can see the result here:
This is how Grey Magic hacked Hotmail and Yahoo!. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode and remember that you need to be between HTML and BODY tags for this to work:
This requires SSI to be installed on the server to use this XSS vector. I probably don't need to mention this, but if you can run commands on the server there are no doubt much more serious issues:
Requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues:
This works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc.... This is one of the lesser used but more useful XSS vectors:
This is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal <IMG SRC="httx://badguy.com/a.jpg"> could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this):
Admittedly this is pretty obscure but I have seen a few examples where <META is allowed and you can use it to overwrite cookies. There are other examples of sites where instead of fetching the username from a database it is stored inside of a cookie to be displayed only to the user who visits the page. With these two scenarios combined you can modify the victim's cookie which will be displayed back to them as JavaScript (you can also use this to log people out or change their user states, get them to log in as you, etc...):
If the page that the XSS resides on doesn't provide a page charset header, or any browser that is set to UTF-7 encoding can be exploited with the following (Thanks to Roman Ivanov for this one). Click here for an example (you don't need the charset statement if the user's browser is set to auto-detect and there is no overriding content-types on the page in Internet Explorer and Netscape 8.1 in IE rendering engine mode). This does not work in any modern browser without changing the encoding type which is why it is marked as completely unsupported. Watchfire found this hole in Google's custom 404 script.:
This was tested in IE, your mileage may vary. For performing XSS on sites that allow <SCRIPT> but don't allow <SCRIPT SRC... by way of a regex filter /\<script\[^\>\]+src/i:
For performing XSS on sites that allow <SCRIPT> but don't allow \<script src... by way of a regex filter /\<script((\\s+\\w+(\\s\*=\\s\*(?:"(.)\*?"|'(.)\*?'|\[^'"\>\\s\]+))?)+\\s\*|\\s\*)src/i (this is an important one, because I've seen this regex in the wild):
Yet another XSS to evade the same filter, /\<script((\\s+\\w+(\\s\*=\\s\*(?:"(.)\*?"|'(.)\*?'|\[^'"\>\\s\]+))?)+\\s\*|\\s\*)src/i. I know I said I wasn't goint to discuss mitigation techniques but the only thing I've seen work for this XSS example if you still want to allow <SCRIPT> tags but not remote script is a state machine (and of course there are other ways to get around this if they allow <SCRIPT> tags):
And one last XSS attack to evade, /\<script((\\s+\\w+(\\s\*=\\s\*(?:"(.)\*?"|'(.)\*?'|\[^'"\>\\s\]+))?)+\\s\*|\\s\*)src/i using grave accents (again, doesn't work in Firefox):
Here's an XSS example that bets on the fact that the regex won't catch a matching pair of quotes but will rather find any quotes to terminate a parameter string improperly:
The total size of each number allowed is somewhere in the neighborhood of 240 total characters as you can see on the second digit, and since the hex number is between 0 and F the leading zero on the third hex quotet is not required):
Let's mix and match base encoding and throw in some tabs and newlines - why browsers allow this, I'll never know). The tabs and newlines only work if this is encapsulated with quotes:
// translates to http:// which saves a few more bytes. This is really handy when space is an issue too (two less characters can go a long way) and can easily bypass regex like (ht|f)tp(s)?:// (thanks to Ozh for part of this one). You can also change the // to \\\\. You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL.
Firefox uses Google's "feeling lucky" function to redirect the user to any keywords you type in. So if your exploitable page is the top for some random keyword (as you see here) you can use that feature against any Firefox user. This uses Firefox's keyword: protocol. You can concatenate several keywords by using something like the following keyword:XSS+RSnake for instance. This no longer works within Firefox as of 2.0.
This uses a very tiny trick that appears to work Firefox only, because of it's implementation of the "feeling lucky" function. Unlike the next one this does not work in Opera because Opera believes that this is the old HTTP Basic Auth phishing attack, which it is not. It's simply a malformed URL. If you click okay on the dialogue it will work, but as a result of the erroneous dialogue box I am saying that this is not supported in Opera, and it is no longer supported in Firefox as of 2.0:
This uses a malformed URL that appears to work in Firefox and Opera only, because if their implementation of the "feeling lucky" function. Like all of the above it requires that you are #1 in Google for the keyword in question (in this case "google"):
When combined with the above URL, removing www. will save an additional 4 bytes for a total byte savings of 9 for servers that have this set up properly):
Assuming http://www.google.com/ is programmatically replaced with nothing). I actually used a similar attack vector against a several separate real world XSS filters by using the conversion filter itself (here is an example) to help create the attack vector (IE: java&\#x09;script: was converted into java script:, which renders in IE, Netscape 8.1+ in secure site mode and Opera):
Assume a content sharing flow on a web site is implemented as below. There is a "Content" page which includes some content provided by users and this page also includes a link to "Share" page which enables a user choose their favorite social sharing platform to share it on. Developers HTML encoded the "title" parameter in the "Content" page to prevent against XSS but for some reasons they didn't URL encoded this parameter to prevent from HTTP Parameter Pollution. Finally they decide that since content_type's value is a constant and will always be integer, they didn't encode or validate the content_type in the "Share" page.
<script>
+varcontentType=<%=Request.getParameter("content_type")%>;
+vartitle="<%=Encode.forJavaScript(request.getParameter("title"))%>";
+...
+//some user agreement and sending to server logic might be here
+...
+</script>
+
<script>
+varcontentType=1;alert(1);
+vartitle="This is a regular title";
+…
+//some user agreement and sending to server logic might be here
+…
+</script>
+
As a result, in this example the main flaw is trusting the content_type in the "Share" page without proper encoding or validation. HTTP Parameter Pollution could increase impact of the XSS flaw by promoting it from a reflected XSS to a stored XSS.
All the possible combinations of the character "\<" in HTML and JavaScript. Most of these won't render out of the box, but many of them can get rendered in certain circumstances as seen above.
Bettercap 1.6.2 installs the executable to /usr/local/bin/bettercap
Bettercap 2.x installs the executable to /usr/bin/bettercap
Both Bettercap 1.6.2 and 2.x shares the same executable name. In order to privet any collisions we will rename the Bettercap 1.6.2 executable to bettercap1.6.2.
To find that Bettercap installation from ruby gems:
gemenvironment
+
the path should be under GEM PATHP for example:
/var/lib/gems/2.7.0/gems/bettercap-1.6.2
+
Comments
\ No newline at end of file
diff --git a/penetration-testing/kali-linux/kali-linux/index.html b/penetration-testing/kali-linux/kali-linux/index.html
new file mode 100644
index 000000000..a075a5b48
--- /dev/null
+++ b/penetration-testing/kali-linux/kali-linux/index.html
@@ -0,0 +1,195 @@
+ Kali Linux - 3os
Minimal Headless Kali Linux installation - Works for Cloud VM Installation (NO GUI)¶
This is a simple guide to install Minimal Headless Kali Linux by converting a Debian Linux to Kali Linux distro without any unnecessary tools. Basically you install the tools you need.
\ No newline at end of file
diff --git a/penetration-testing/kali-linux/links/index.html b/penetration-testing/kali-linux/links/index.html
new file mode 100644
index 000000000..69fb9edb0
--- /dev/null
+++ b/penetration-testing/kali-linux/links/index.html
@@ -0,0 +1,167 @@
+ Links and Tools - 3os
Engine to interact with a graphqlr endpoint for penetration-testing purposes.
Comments
\ No newline at end of file
diff --git a/penetration-testing/kali-linux/metasploit/index.html b/penetration-testing/kali-linux/metasploit/index.html
new file mode 100644
index 000000000..185caf098
--- /dev/null
+++ b/penetration-testing/kali-linux/metasploit/index.html
@@ -0,0 +1,172 @@
+ Metasploit Framework - 3os
\ No newline at end of file
diff --git a/penetration-testing/kali-linux/wifite/index.html b/penetration-testing/kali-linux/wifite/index.html
new file mode 100644
index 000000000..1700aefad
--- /dev/null
+++ b/penetration-testing/kali-linux/wifite/index.html
@@ -0,0 +1,177 @@
+ Wifite - 3os
\ No newline at end of file
diff --git a/penetration-testing/proxmark/about-proxmark/index.html b/penetration-testing/proxmark/about-proxmark/index.html
new file mode 100644
index 000000000..6c84979c7
--- /dev/null
+++ b/penetration-testing/proxmark/about-proxmark/index.html
@@ -0,0 +1,167 @@
+ About Proxmark3 - 3os
\ No newline at end of file
diff --git a/penetration-testing/proxmark/cheatsheet/index.html b/penetration-testing/proxmark/cheatsheet/index.html
new file mode 100644
index 000000000..c8684c754
--- /dev/null
+++ b/penetration-testing/proxmark/cheatsheet/index.html
@@ -0,0 +1,167 @@
+ Proxmark3 CheatSheet - 3os
This restores the dumped data onto the new card. Now we just need to give the card the UID we got from the original hf search command
proxmark3>hfmfrestore1
+
Copy the UID of the original card de0f3dcd
proxmark3>hfmfcsetuidde0f3dcd
+
We’re done.
Comments
\ No newline at end of file
diff --git a/penetration-testing/utilities/clickjacking/index.html b/penetration-testing/utilities/clickjacking/index.html
new file mode 100644
index 000000000..647778ec2
--- /dev/null
+++ b/penetration-testing/utilities/clickjacking/index.html
@@ -0,0 +1,167 @@
+ Clickjacking Test Page - 3os
The code was built by Georgy Bunin and cloned from his repository. It was slightly modified to fit this website.
Comments
\ No newline at end of file
diff --git a/psd-src/3os-preview.png b/psd-src/3os-preview.png
new file mode 100644
index 000000000..a30ee7634
Binary files /dev/null and b/psd-src/3os-preview.png differ
diff --git a/psd-src/3os-preview.psd b/psd-src/3os-preview.psd
new file mode 100644
index 000000000..068e48695
Binary files /dev/null and b/psd-src/3os-preview.psd differ
diff --git a/psd-src/3os-preview_v2.psd b/psd-src/3os-preview_v2.psd
new file mode 100644
index 000000000..94dd41344
Binary files /dev/null and b/psd-src/3os-preview_v2.psd differ
diff --git a/raspberry-pi/docker-raspberrypi/index.html b/raspberry-pi/docker-raspberrypi/index.html
new file mode 100644
index 000000000..fc77ff96a
--- /dev/null
+++ b/raspberry-pi/docker-raspberrypi/index.html
@@ -0,0 +1,173 @@
+ Docker on Raspberry Pi - 3os
The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.
If you don’t want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.
Warning
The docker group grants privileges equivalent to the root user.
\ No newline at end of file
diff --git a/raspberry-pi/external-power-button/index.html b/raspberry-pi/external-power-button/index.html
new file mode 100644
index 000000000..faddb14d9
--- /dev/null
+++ b/raspberry-pi/external-power-button/index.html
@@ -0,0 +1,171 @@
+ External Power Button - 3os
\ No newline at end of file
diff --git a/raspberry-pi/motion-sensor-display-control/index.html b/raspberry-pi/motion-sensor-display-control/index.html
new file mode 100644
index 000000000..ada33acc1
--- /dev/null
+++ b/raspberry-pi/motion-sensor-display-control/index.html
@@ -0,0 +1,177 @@
+ Motion Sensor Display Control - 3os
To be honest, it's not my first time building a Magic Mirror project. My first magicmirror can be found here. The Magic Mirror 2.0 is based on Raspberry Pi 4 with Docker Container.
I had dead iMac 2011 27" with 2k display. I've managed to use it's LCD panel with this product from AliExpress. It actually a full controller for the specific LCD panel, including the inverter for backlight. Basically, it's a full-fledged LCD Monitor with HDMI we need for the Raspberry Pi 4.
I've decided to test the controller for the LCD Panel inside the original iMac's body.
I've connected raspberry to the new monitor for the magicmirror testing and configuration.
Since my previous experience with my first magicmirror build, I've decided to add a Motion Sensor to the Raspberry Pi to detect the movement of the person infront of the mirror and turn the display on/off accordingly. The second thing i've added is a Power Button to turn the Raspberry Pi on, off and restart it without a physical access to the Raspberry Pi.
I couldn't find any open source projects for the functionality I needed of the power button and the Motion Sensor. So I've decided to create my own solution. Bellow are the scripts that I've created:
Thats how i've tested the functionality of the power button and the motion sensor.
I've order a reflective glass with 4 holes for mounting. It was a challenge to find a suitable reflective glass for the MagicMirror. The product I've found is not perfect - the glass is tinted, but it's a good enough solution and way better then Glass Mirror Films I've used on my first Magic Mirror Project.
After I've done all the proof of concepts that every thing will work as i intended, I've continue to build the frame to house all the components.
I've used scrap wood I had laying around to build the frame and the mounting for the LCD panel, and the glass
For mounting the Magic Mirror to the wall i've used the smallest TV Mount I've found.
After the frame is built, I've added the electronics to the frame.
Performing senity check on the electronics, and display assembly.
Since I when on the floating effect the glass isn't covering the all the frame, all the exposed parts of the glass are needed to be covered to avoid light leaking.
\ No newline at end of file
diff --git a/raspberry-pi/projects/magic-mirror/index.html b/raspberry-pi/projects/magic-mirror/index.html
new file mode 100644
index 000000000..2d58bb4a7
--- /dev/null
+++ b/raspberry-pi/projects/magic-mirror/index.html
@@ -0,0 +1,211 @@
+ Magic Mirror - 3os
\ No newline at end of file
diff --git a/raspberry-pi/snippets/index.html b/raspberry-pi/snippets/index.html
new file mode 100644
index 000000000..b0026d518
--- /dev/null
+++ b/raspberry-pi/snippets/index.html
@@ -0,0 +1,196 @@
+ Snippets - 3os
the shared path must exist: ( if you work via desktop ( HDMI or VNC ) it is very convenient just to read or drop from/to this shared dir ) mkdir /home/pi/Desktop/share
sudoreboot
+
Start samba Server
sudo/usr/sbin/servicesmbdstart
+
Comments
\ No newline at end of file
diff --git a/robots.txt b/robots.txt
new file mode 100644
index 000000000..3fa14834b
--- /dev/null
+++ b/robots.txt
@@ -0,0 +1,4 @@
+User-agent: *
+Allow: /
+
+Sitemap: https://3os.org/sitemap.xml
diff --git a/search/search_index.json b/search/search_index.json
new file mode 100644
index 000000000..c5e25919b
--- /dev/null
+++ b/search/search_index.json
@@ -0,0 +1 @@
+{"config": {"lang": ["en"], "separator": "[\\s\\-]+", "pipeline": ["stopWordFilter"]}, "docs": [{"location": "tags/", "title": "Tags and Categories", "text": ""}, {"location": "tags/#3g-modem", "title": "3g-modem", "text": "
ADB, Android Debug Bridge, is a command-line utility included with Google's Android SDK. ADB can control your device over USB from a computer, copy files back and forth, install and uninstall apps, run shell commands, and more. ADB is a powerful tool that can be used to control your Android device from a computer. Below are some of the most common commands you can use with ADB and their usage. You can find more information about ADB and its usage by visiting the official website.
", "tags": ["android", "adb", "cheat-sheet"]}, {"location": "android/adb-cheat-sheet/#common-adb-commands", "title": "Common ADB Commands", "text": "", "tags": ["android", "adb", "cheat-sheet"]}, {"location": "android/adb-cheat-sheet/#push-a-file-to-download-folder-of-the-android-device", "title": "Push a file to Download folder of the Android Device", "text": "
adb push example.apk /mnt/sdcard/Download/\n
", "tags": ["android", "adb", "cheat-sheet"]}, {"location": "android/adb-cheat-sheet/#lists-all-the-installed-packages-and-get-the-full-paths", "title": "Lists all the installed packages and get the full paths", "text": "
adb shell pm list packages -f\n
", "tags": ["android", "adb", "cheat-sheet"]}, {"location": "android/adb-cheat-sheet/#pulls-a-file-from-android-device", "title": "Pulls a file from android device", "text": "
adb pull /mnt/sdcard/Download/example.apk\n
", "tags": ["android", "adb", "cheat-sheet"]}, {"location": "android/adb-cheat-sheet/#install-apk-from-host-to-android-device", "title": "Install apk from host to Android device", "text": "
adb shell settings put global http_proxy <address>:<port>\n
Disable network proxy
adb shell settings put global http_proxy :0\n
", "tags": ["android", "adb", "cheat-sheet"]}, {"location": "android/adb-cheat-sheet/#adb-basics-commands", "title": "ADB Basics Commands", "text": "Command Description adb devices Lists connected devices adb connect 192.168.2.1 Connects to adb device over network adb root Restarts adbd with root permissions adb start-server Starts the adb server adb kill-server Kills the adb server adb reboot Reboots the device adb devices -l List of devices by product/model adb -s <deviceName> <command> Redirect command to specific device adb \u2013d <command> Directs command to only attached USB device adb \u2013e <command> Directs command to only attached emulator", "tags": ["android", "adb", "cheat-sheet"]}, {"location": "android/adb-cheat-sheet/#logs", "title": "Logs", "text": "Command Description adb logcat [options] [filter] [filter] View device log adb bugreport Print bug reports", "tags": ["android", "adb", "cheat-sheet"]}, {"location": "android/adb-cheat-sheet/#permissions", "title": "Permissions", "text": "Command Description adb shell permissions groups List permission groups definitions adb shell list permissions -g -r List permissions details", "tags": ["android", "adb", "cheat-sheet"]}, {"location": "android/adb-cheat-sheet/#package-installation", "title": "Package Installation", "text": "Command Description adb shell install <apk> Install app adb shell install <path> Install app from phone path adb shell install -r <path> Install app from phone path adb shell uninstall <name> Remove the app", "tags": ["android", "adb", "cheat-sheet"]}, {"location": "android/adb-cheat-sheet/#paths", "title": "Paths", "text": "Command Description /data/data/<package name>/databases App databases /data/data/<package name>/shared_prefs/ Shared preferences /mnt/sdcard/Download/ Download folder /data/app Apk installed by user /system/app Pre-installed APK files /mmt/asec Encrypted apps (App2SD) /mmt/emmc Internal SD Card /mmt/adcard External/Internal SD Card /mmt/adcard/external_sd External SD Card ------- ----------- adb shell ls List directory contents adb shell ls -s Print size of each file adb shell ls -R List subdirectories recursively adb shell pm path <package name> Get full path of a package adb shell pm list packages -f Lists all the packages and full paths", "tags": ["android", "adb", "cheat-sheet"]}, {"location": "android/adb-cheat-sheet/#file-operations", "title": "File Operations", "text": "Command Description adb push <local> <remote> Copy file/dir to device adb pull <remote> <local> Copy file/dir from device run-as <package> cat <file> Access the private package files", "tags": ["android", "adb", "cheat-sheet"]}, {"location": "android/adb-cheat-sheet/#phone-info", "title": "Phone Info", "text": "Command Description adb get-stat\u0435 Print device state adb get-serialno Get the serial number adb shell dumpsys iphonesybinfo Get the IMEI adb shell netstat List TCP connectivity adb shell pwd Print current working directory adb shell dumpsys battery Battery status adb shell pm list features List phone features adb shell service list List all services adb shell dumpsys activity <package>/<activity> Activity info adb shell ps Print process status adb shell wm size Displays the current screen resolution", "tags": ["android", "adb", "cheat-sheet"]}, {"location": "android/adb-cheat-sheet/#package-info", "title": "Package Info", "text": "Command Description adb shell list packages Lists package names adb shell list packages -r Lists package name + path to apks adb shell list packages -3 Lists third party package names adb shell list packages -s Lists only system packages adb shell list packages -u Lists package names + uninstalled adb shell dumpsys package packages Lists info on all apps adb shell dump <name> Lists info on one package adb shell path <package> Path to the apk file", "tags": ["android", "adb", "cheat-sheet"]}, {"location": "android/adb-cheat-sheet/#device-related-commands", "title": "Device Related Commands", "text": "Command Description adb reboot recovery Reboot device into recovery mode adb reboot fastboot Reboot device into recovery mode adb shell screencap -p \"/path/to/screenshot.png\" Capture screenshot adb shell screenrecord \"/path/to/record.mp4\" Record device screen adb backup -apk -all -f backup.ab Backup settings and apps adb backup -apk -shared -all -f backup.ab Backup settings, apps and shared storage adb backup -apk -nosystem -all -f backup.ab Backup only non-system apps adb restore backup.ab Restore a previous backup ------- ----------- adb shell am start -a android.intent.action.VIEW -d URL Opens URL adb shell am start -t image/* -a android.intent.action.VIEW Opens gallery", "tags": ["android", "adb", "cheat-sheet"]}, {"location": "android/apktool/", "title": "Android Apktool for Reverse Engineering", "text": "
A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications. It also makes working with an app easier because of the project like file structure and automation of some repetitive tasks like building apk, etc.
It is NOT intended for piracy and other non-legal uses. It could be used for localizing, adding some features or support for custom platforms, analyzing applications and much more.
", "tags": ["android", "penetration-testing", "reverse-engineering", "apktool"]}, {"location": "android/apktool/#how-to-sign-apk-after-compile", "title": "How to Sign APK After Compile", "text": "
In order to install modified APK on Android device, you need to sign it with a certificate. Android APK won't be signed by default. You need to sign it manually.
Install apksigner
apt install -y apksigner\n
Create certificate at the same folder you've compiled your modified APK
Enter A password (we will need it to singe the APK), enter any data you wish for the certificate information. At the end enter 'y' at the end to create the certificate.
Now we should have 2 files: your.apk, keystore.jks. The only step left is to singe the APK with new certificate.
apksigner sign --ks keystore.jks your.apk\n
When installing the APK you will be prompted with a warning of \"unknown certificate\" just hit Install.
List for Android penetration testing applications and tools that can be used to aid in penetration testing. The following are the most commonly used applications. Feel free to suggest new applications and tools at comments section below.
", "tags": ["android", "application", "penetration-testing"]}, {"location": "android/applications/#list-of-android-penetration-testing-tools-and-applications", "title": "List of Android Penetration Testing Tools and Applications", "text": "
Magisk Manager - Systemless rooting system.
EdXposed Manager - Companion Android application for EdXposed.
BusyBox - Android busyBox.
SQLite Editor Master - SQLite Editor.
Root Explorer File Manager for Root Users (Root Required).
CiLocks - Python script to brute force android lockscreen password.
After download unpack zip file go to bin directory and run: - jadx - command line version - jadx-gui - UI version
On Windows run .bat files with double-click\\ Note: ensure you have installed Java 11 or later 64-bit version. For Windows, you can download it from oracle.com (select x64 Installer).
jadx[-gui] [command] [options] <input files> (.apk, .dex, .jar, .class, .smali, .zip, .aar, .arsc, .aab)\ncommands (use '<command> --help' for command options):\n plugins - manage jadx plugins\n\noptions:\n -d, --output-dir - output directory\n -ds, --output-dir-src - output directory for sources\n -dr, --output-dir-res - output directory for resources\n -r, --no-res - do not decode resources\n -s, --no-src - do not decompile source code\n --single-class - decompile a single class, full name, raw or alias\n --single-class-output - file or dir for write if decompile a single class\n --output-format - can be 'java' or 'json', default: java\n -e, --export-gradle - save as android gradle project\n -j, --threads-count - processing threads count, default: 4\n -m, --decompilation-mode - code output mode:\n 'auto' - trying best options (default)\n 'restructure' - restore code structure (normal java code)\n 'simple' - simplified instructions (linear, with goto's)\n 'fallback' - raw instructions without modifications\n --show-bad-code - show inconsistent code (incorrectly decompiled)\n --no-imports - disable use of imports, always write entire package name\n --no-debug-info - disable debug info parsing and processing\n --add-debug-lines - add comments with debug line numbers if available\n --no-inline-anonymous - disable anonymous classes inline\n --no-inline-methods - disable methods inline\n --no-move-inner-classes - disable move inner classes into parent\n --no-inline-kotlin-lambda - disable inline for Kotlin lambdas\n --no-finally - don't extract finally block\n --no-replace-consts - don't replace constant value with matching constant field\n --escape-unicode - escape non latin characters in strings (with \\u)\n --respect-bytecode-access-modifiers - don't change original access modifiers\n --mappings-path - deobfuscation mappings file or directory. Allowed formats: Tiny and Tiny v2 (both '.tiny'), Enigma (.mapping) or Enigma directory\n --mappings-mode - set mode for handling the deobfuscation mapping file:\n 'read' - just read, user can always save manually (default)\n 'read-and-autosave-every-change' - read and autosave after every change\n 'read-and-autosave-before-closing' - read and autosave before exiting the app or closing the project\n 'ignore' - don't read or save (can be used to skip loading mapping files referenced in the project file)\n --deobf - activate deobfuscation\n --deobf-min - min length of name, renamed if shorter, default: 3\n --deobf-max - max length of name, renamed if longer, default: 64\n --deobf-whitelist - space separated list of classes (full name) and packages (ends with '.*') to exclude from deobfuscation, default: android.support.v4.* android.support.v7.* android.support.v4.os.* android.support.annotation.Px androidx.core.os.* androidx.annotation.Px\n --deobf-cfg-file - deobfuscation mappings file used for JADX auto-generated names (in the JOBF file format), default: same dir and name as input file with '.jobf' extension\n --deobf-cfg-file-mode - set mode for handling the JADX auto-generated names' deobfuscation map file:\n 'read' - read if found, don't save (default)\n 'read-or-save' - read if found, save otherwise (don't overwrite)\n 'overwrite' - don't read, always save\n 'ignore' - don't read and don't save\n --deobf-use-sourcename - use source file name as class name alias\n --deobf-res-name-source - better name source for resources:\n 'auto' - automatically select best name (default)\n 'resources' - use resources names\n 'code' - use R class fields names\n --use-kotlin-methods-for-var-names - use kotlin intrinsic methods to rename variables, values: disable, apply, apply-and-hide, default: apply\n --rename-flags - fix options (comma-separated list of):\n 'case' - fix case sensitivity issues (according to --fs-case-sensitive option),\n 'valid' - rename java identifiers to make them valid,\n 'printable' - remove non-printable chars from identifiers,\n or single 'none' - to disable all renames\n or single 'all' - to enable all (default)\n --integer-format - how integers are displayed:\n 'auto' - automatically select (default)\n 'decimal' - use decimal\n 'hexadecimal' - use hexadecimal\n --fs-case-sensitive - treat filesystem as case sensitive, false by default\n --cfg - save methods control flow graph to dot file\n --raw-cfg - save methods control flow graph (use raw instructions)\n -f, --fallback - set '--decompilation-mode' to 'fallback' (deprecated)\n --use-dx - use dx/d8 to convert java bytecode\n --comments-level - set code comments level, values: error, warn, info, debug, user-only, none, default: info\n --log-level - set log level, values: quiet, progress, error, warn, info, debug, default: progress\n -v, --verbose - verbose output (set --log-level to DEBUG)\n -q, --quiet - turn off output (set --log-level to QUIET)\n --version - print jadx version\n -h, --help - print this help\n\nPlugin options (-P<name>=<value>):\n 1) dex-input: Load .dex and .apk files\n - dex-input.verify-checksum - verify dex file checksum before load, values: [yes, no], default: yes\n 2) java-convert: Convert .class, .jar and .aar files to dex\n - java-convert.mode - convert mode, values: [dx, d8, both], default: both\n - java-convert.d8-desugar - use desugar in d8, values: [yes, no], default: no\n 3) kotlin-metadata: Use kotlin.Metadata annotation for code generation\n - kotlin-metadata.class-alias - rename class alias, values: [yes, no], default: yes\n - kotlin-metadata.method-args - rename function arguments, values: [yes, no], default: yes\n - kotlin-metadata.fields - rename fields, values: [yes, no], default: yes\n - kotlin-metadata.companion - rename companion object, values: [yes, no], default: yes\n - kotlin-metadata.data-class - add data class modifier, values: [yes, no], default: yes\n - kotlin-metadata.to-string - rename fields using toString, values: [yes, no], default: yes\n - kotlin-metadata.getters - rename simple getters to field names, values: [yes, no], default: yes\n 4) rename-mappings: various mappings support\n - rename-mappings.format - mapping format, values: [auto, TINY, TINY_2, ENIGMA, ENIGMA_DIR, MCP, SRG, TSRG, TSRG2, PROGUARD], default: auto\n - rename-mappings.invert - invert mapping, values: [yes, no], default: no\n\nEnvironment variables:\n JADX_DISABLE_ZIP_SECURITY - set to 'true' to disable all security checks for zip files\n JADX_ZIP_MAX_ENTRIES_COUNT - maximum allowed number of entries in zip files (default: 100 000)\n JADX_TMP_DIR - custom temp directory, using system by default\n\nExamples:\n jadx -d out classes.dex\n jadx --rename-flags \"none\" classes.dex\n jadx --rename-flags \"valid, printable\" classes.dex\n jadx --log-level ERROR app.apk\n jadx -Pdex-input.verify-checksum=no app.apk\n
These options also worked on jadx-gui running from command line and override options from preferences dialog", "tags": ["android", "decompiler", "java"]}, {"location": "android/jadx-decompiler/#use-jadx-as-a-library", "title": "Use jadx as a Library", "text": "
You can use jadx in your java projects, check details on wiki page
Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis. MobSF support mobile app binaries (APK, XAPK, IPA & APPX) along with zipped source code and provides REST APIs for seamless integration with your CI/CD or DevSecOps pipeline.The Dynamic Analyzer helps you to perform runtime security assessment and interactive instrumented testing.
Follow the projet at github: MobSF/Mobile-Security-Framework-MobSF
Android app establishes an HTTPS connection, it checks the issuer of the server's certificate against the internal list of trusted Android system certificate authorities to make sure it is communicating with a trusted server. This is called SSL Pinning. If the server's certificate is not in the list of trusted certificates, the app won't be able to communicate with the server.
Frida is dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. It is a powerful tool that allows you to modify Android applications and libraries without having to recompile them.
Install Frida framework, objection to your host os.
pip install frida-tools\npip install objection\n
Download the proper version from: Frida Server Downloads
Danger
Make sure to download the proper version of Frida Server for your Android cpu architecture. Alwasys use the latest version of Frida Server and frida-tools
Extract and rename the file to frida-server Move the file to the Adnroid Phone to /data/local/tmp/
When building complex infrastructure and managing multiple servers and services using ip addresses is can create a lot of issues and is not always easy to manage. The preferred way is to use a DNS provider that allows you to manage your domain names and their associated IP addresses. DDNS Cloudflare Bash script is a simple bash script that allows you to easily update your Cloudflare's DNS records dinamically regardless of your current IP address. DDNS Cloudflare Bash Script can be used on Linux, Unix, FreeBSD, and macOS with only one requirment of curl
Source code can be found at DDNS Cloudflare Bash Github Repository.
", "tags": ["automation", "cloudflare", "ddns", "bash"]}, {"location": "automation/ddns-cloudflare-bash/#config-parameters", "title": "Config Parameters", "text": "Option Example Description what_ip internal Which IP should be used for the record: internal/external dns_record ddns.example.com DNS A record which will be updated, you can pass multiple A records separated by comma cloudflare_zone_api_token ChangeMe Cloudflare API Token KEEP IT PRIVATE!!!! zoneid ChangeMe Cloudflare's Zone ID proxied false Use Cloudflare proxy on dns record true/false ttl 120 120-7200 in seconds or 1 for Auto", "tags": ["automation", "cloudflare", "ddns", "bash"]}, {"location": "automation/ddns-cloudflare-bash/#optional-notifications-parameters", "title": "Optional Notifications Parameters", "text": "Option Example Description notify_me_telegram yes Use Telegram notifications yes/no telegram_chat_id ChangeMe Chat ID of the bot telegram_bot_API_Token ChangeMe Telegram's Bot API Token", "tags": ["automation", "cloudflare", "ddns", "bash"]}, {"location": "automation/ddns-cloudflare-bash/#running-the-script", "title": "Running The Script", "text": "
When placed in /usr/local/bin/
update-cloudflare-dns\n
With your config file (need to be placed in same folder)
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
When building complex infrastructure and managing multiple servers and services using ip addresses is can create a lot of issues and is not always easy to manage. The preferred way is to use a DNS provider that allows you to manage your domain names and their associated IP addresses. DDNS Cloudflare PowerShell script is a simple PowerShell script that allows you to easily update your Cloudflare's DNS records dinamically regardless of your current IP address. DDNS Cloudflare PowerShell Script can be used on Windows operating systems without any requirements for PowerShell.
Source code can be found at DDNS Cloudflare PowerShell Github Repository.
DDNS Cloudflare PowerShell script for Windows.
Choose any source IP address to update external or internal (WAN/LAN).
For multiple LAN interfaces like Wifi, Docker Networks and Bridges the script will automatically detect the primary Interface by priority.
Cloudflare's options for proxy and TTL configurable via the parameters.
Update the config parameters inside the update-cloudflare-dns_conf.ps1 by editing accordingly. See below for examples.
Option Example Description what_ip internal Which IP should be used for the record: internal/external dns_record ddns.example.com DNS A record which will be updated cloudflare_zone_api_token ChangeMe Cloudflare API Token KEEP IT PRIVATE!!!! zoneid ChangeMe Cloudflare's Zone ID proxied false Use Cloudflare proxy on dns record true/false ttl 120 120-7200 in seconds or 1 for Auto", "tags": ["automation", "cloudflare", "ddns", "powershell"]}, {"location": "automation/ddns-cloudflare-powershell/#optional-notifications-parameters-for-telegram", "title": "Optional Notifications Parameters for Telegram", "text": "Option Example Description notify_me_telegram yes Use Telegram notifications yes/no telegram_chat_id ChangeMe Chat ID of the bot telegram_bot_API_Token ChangeMe Telegram's Bot API Token", "tags": ["automation", "cloudflare", "ddns", "powershell"]}, {"location": "automation/ddns-cloudflare-powershell/#optional-notification-parameters-for-discord", "title": "Optional Notification Parameters for Discord", "text": "Option Example Description notify_me_discord yes Use Discord notifications yes/no discord_webhook_URL http://WebhookURL.com/asd/ Webhook URL from your Discord server settings
To generate a webhook URL, follow the official Discord instructions.
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
", "tags": ["automation", "cloudflare", "ddns", "powershell"]}, {"location": "automation/gmail-mark-archived-mail-as-read/", "title": "Automatically Mark Archived Email as Read in Gmail", "text": "", "tags": []}, {"location": "automation/gmail-mark-archived-mail-as-read/#background", "title": "Background", "text": "
My preferred method of managing emails in Gmail is Zero Inbox. In short, emails in Inbox work as to-do list. The Inbox may contain important email i need to attend or a digital receipt from a payment I've made a minute ago. Since I know the content of that email the task is done and I archive it. This email will move from Inbox to All Mail or a dedicated label if you have automation rules.
", "tags": []}, {"location": "automation/gmail-mark-archived-mail-as-read/#the-problem", "title": "The Problem", "text": "
When using the Archive function email which weren't opened or marked as Read will show as number counter in All Mail or Dedicated Label. Since I'm done with those emails I have to manually mark emails as read. This is a tedious task and I don't want to do it manually
", "tags": []}, {"location": "automation/gmail-mark-archived-mail-as-read/#the-solution", "title": "The Solution", "text": "
Using Google Scripts We can create a personal app that will automatically mark emails as read when they are archived. This is a simple script that will run on Gmail and will mark emails as read when they are no longer in the inbox folder. You can choose how often you want to automatically mark archived email as read in gmail. This solution was tested on personal Gmail accounts and the Google Workspace Gmail accounts (as long you can grunt permission).
Make sure you are logged in to your Google account. Open Google Scripts and create a new project.
You will be prompted with a new windwos. Rename the project to Automatically Mark Archived Email as Read. Copy and repace the following code to the new project.
After saving the project you should be able Run the script.
On the first run the script will ask you to give it the necessary permissions. Click Review permissions to continue.
Since the app is not signed you will be prompted with a warning. I's ok and safe. Click Advanced.
Click Go to Gmail Mark Archived as Read (unsafe) to continue.
At this point you will be prompted to grant the script Automatically Mark Archived Email as Read access to your Gmail account. Click Allow. This will alow the script to perform the actions you need.
If all went well you should see the log of the script as show bellow.
At this point we create a Automatically Mark Archived Email as Read script and grunt it the necessary permissions. NNow we want to automate the process. We can do this by creating a new timed trigger. Head over the Trigger menu
Click Add Trigger.
You will be prompted to select when and how the script will run. The following example will run the script every 5 minutes, and send a failure email report onece a week.
Note
The script may fail onces in a while. This is due to the fact it depends on Gmail's API. Unless you receive an email with hunders of failed attempts, you can ignore the email.
Note
Update: Some people are reporting an error which says \"This operation can only be applied to at most 100 threads. (line 3, file \"Code\")\". To fix this, you have to manually do a search for \"is:unread\" and mark all of them as read before running the script, so that it starts with a clean slate. The script can only process 100 threads per run, so if you give it more than 100 on the first run,
After creating the trigger you screen should look like this:
Now we whant to ensure that the script runs every 5 minutes. We can do this in Execution menu:
When 5 minutes passed from the point the trigger was created, the page log should look like this:
We are done with the installation and the configuration. You should already be able to see that some of the emails are marked as read.
Google's API is limited to 100 threads per request - a single script's run. This means that every 5 minutes it runs it will mark 100 emails as read. Since the script is run every 5 minutes, it won't take long to mark all emails as read automatically. If you aren't able to wait you can do it mark emails as read manually.
I've seen this script working without any issues for months, But suddenly you may receive an email with the Automatically Mark Archived Email as Read failing to run all the time. The reason is that the script lost the Gmail permissions. The solution is to run the script manually and grant the script the necessary permissions as the first time.
Lightweight Container image based on python:3.9.13-alpine to be used in conjunction with a Pi-hole instance to sync the DNS records from Cloudflare DNS Service to Pi-hole local DNS.
Syncthing is a continuous file synchronization program. Syncthing is an application that allows you to synchronize files between multiple devices. This means that creating, editing, or deleting files on one computer can be automatically copied to other devices.
Window installation from Syncthing Downloads installs the Syncthing as a service without any system tray icon or menu.
The best way I found is to use SyncTrayzor from SyncTrayzor Github Page. It hosts and wraps Syncthing, making it behave more like a native Windows application and less like a command-line utility with a web browser interface.
You can also instal it win winget with the following command:
In order to install Syncthing, we need to add 3rd party packages to Synology DSM. Synology Community Packages provides packages for Synology-branded NAS devices.
After we added Synology Community Packages you will be able to install Syncthing from the Cummunity tab.
Permissions for the Syncthing service will be handled by the new system user sc-syncthing
The following configuration are the same for all the installation methods. I'm no going to cover the basic configuration, but I will show you some of my personal preferences.
First to configure the Syncthing we need to access it's Web UI. The Default url is http://127.0.0.1:8384
If you are using Syncthing at remote Linux host, you can use SSH tunnel to access the Web UI.
ssh -L 8001:127.0.0.1:8384 root@192.168.102.6\n
This will forward 127.0.0.1:8384 from the remote host to 127.0.0.1:8001 on the local host.
For security reasons, I like to disable all the Discovery and Repay services.
When you disable the Discovery service, you will have to manually add the connection to other devices.
I have been using terminal for a long time, it's one of my essential tools for my everyday work and hobbies. The default terminal experience is not very user friendly, and I find it sometimes frustrating to use for basic tasks. So I decided to improve my terminal experience for macOS and Linux without too much effort from the user side. This guide will help you to install and configure the **better terminal experience in less than 5 minutes.
Better Terminal Experience guide based on ZSH Shell with Oh My Zsh on top of it. Using built-in theme called Bira, zsh auto suggestions plugin that suggests commands as you type based on history and completions and zsh syntax highlighting plugin that highlighting of commands whilst they are typed at a zsh prompt into an interactive terminal.
Z-shell (Zsh) is a Unix shell that can be used as an interactive login shell and as a shell scripting command interpreter. Zsh is an enhanced Bourne shell with many enhancements, including some Bash, ksh and tcsh features.
The autosuggestions plugin has a bug with copy and paste so there is a workaround for that. Append the following to the end of the config to activate the workaround.
", "tags": ["macos", "linux", "terminal", "zsh", "oh-my-zsh"]}, {"location": "automation/guides/pihole-doh/", "title": "Pi-hole as DNS Server with DNS over HTTPS (DOH) Based on Docker Containers", "text": "", "tags": ["pi-hole", "doh", "docker", "dns", "dns-over-https"]}, {"location": "automation/guides/pihole-doh/#whats-pi-hole", "title": "What's Pi-hole?", "text": "
Pi-hole Official Website Official Website.
Pi-hole is a DNS server that is designed to block ads and trackers. It is a free and open source software project. It's based on blocklists and acts as a DNS sinkhole.
", "tags": ["pi-hole", "doh", "docker", "dns", "dns-over-https"]}, {"location": "automation/guides/pihole-doh/#whats-dns-over-https-doh", "title": "What's DNS over HTTPS (DOH)?", "text": "
DNS over HTTPS (DoH) is an internet security protocol that communicates domain name server information in an encrypted way over HTTPS connections.
My setup fully depends on pi-hole dns server, that's why I use two servers one as primary DNS Server and the second as secondary DNS server.
I've configured my router as a DNS server for all the DHCP clients with primary and the secondary DNS as my pi-hole servers. This way all the clients requests the router to resolve the DNS and the router forwards the request to the pi-hole servers.
Pi-hole-1 runs on ubuntu server (virtual machine)
Pi-hole-2 runs on Raspberry Pi
Warning
This is not a step by step guide for all the configurations of pihole or how to use docker containers. The following instuctions include only the deployemt of the pi-hole server with DoH providers.
We Will be using docker-compose to deploy the pi-hole server with DoH providers with a single configuration file.
The following docker-compose.yml includes two images: Pi-hole container, and cloudflared container. When you run docker-compose up the containers will be created and started. I't will create internal network for the pihole and two instances of cloudflared. When a request comes in the pihole will forward the request to the cloudflared instances one of them will use Cloudflare DNS servers and the other will use Google's DNS servers. There is no need to configure the pihole's DNS server at the UI since the configuration is done by docker-compose.yml file.
When using this setup two folders will be created on the Host machine for persistent storage of the containers: config, dnsmasq.d. Those folders will be mounted to the containers when its running/restarted/recreated. Those folders will be created at the root folder of the docker-compose.yml file.
Create a folder for the deployment of the containers at your host machine. create a file named docker-compose.yml at the root folder and copy the following content to it:
Now run docker-compose up -d to create the containers. If all went well you should should be able to access the pihole server at http://127.0.0.1.7003 with password ChangeMe from the config above.
Now you need to change your dns server to point to the pihole server. We are done with the installation.
npm is two things: first and foremost, it is an online repository for the publishing of open-source Node.js projects; second, it is a command-line utility for interacting with said repository that aids in package installation, version management, and dependency management. A plethora of Node.js libraries and applications are published on npm, and many more are added every day.
PM2 is a daemon process manager that will help you manage and keep your application online. Getting started with PM2 is straightforward, it is offered as a simple and intuitive CLI, installable via NPM.
Follow the official documentation for installation and usage instructions: PM2 Official Documentation
Restarting PM2 with the processes you manage on server boot/reboot is critical. To solve this, just run this command to generate an active startup script:
It's very useful to update PM2 to the latest version specially when you update your Node.js version. Since updating node usually will brake the pm2 process to function properly, you can use the following command to update PM2:
npm install pm2@latest -g\n
Then update the in-memory PM2:
pm2 update\n
You can also create a alias to update PM2 with one command:
Supervisor is a client/server system that allows its users to monitor and control a number of processes on UNIX-like operating systems. Official Supervisord Docs.
Example of Supervisord Web UI listening on localhost:9999
The default location of the supervisor configuration file is at /System/Volumes/Data/opt/homebrew/etc/supervisord.conf.
You can use a symbolic link to the configuration file to make it persistent. For example, you can move the configuration file to Dropbox folder and use a symbolic link to it.
Link the configuration file to the Dropbox folder:
venv is a tool to create isolated Python environments. Since Python 3.3, a subset of it has been integrated into the standard library under the venv module. The venv module provides support for creating lightweight \u201cvirtual environments\u201d with their own site directories, optionally isolated from system site directories. Each virtual environment has its own Python binary (which matches the version of the binary that was used to create this environment) and can have its own independent set of installed Python packages in its site directories.
In order to install venv, we need to install the following packages:
apt example
sudo apt install python3-venv\n
", "tags": ["python", "venv", "cheat-sheet"]}, {"location": "development/python/virtualenv/#initialization-of-a-virtual-environment", "title": "Initialization of a Virtual Environment", "text": "
Go to the root destination of your project and run the following command:
python3 -m venv .venv\n
This will create a virtual environment in the current directory. The virtual environment folder will be named .venv.
", "tags": ["python", "venv", "cheat-sheet"]}, {"location": "development/python/virtualenv/#activation-of-a-virtual-environment", "title": "Activation of a Virtual Environment", "text": "
In order to activate a virtual environment, from the root directory of your project, run the following command:
source .venv/bin/activate\n
Check if the virtual environment is activated by running the following command:
which python\n
The output should be with ../.venv/bin/python as the output.
Bonus:
You can add an alias to your bash profile to make it easier to activate the virtual environment:
alias activate='source .venv/bin/activate'\n
", "tags": ["python", "venv", "cheat-sheet"]}, {"location": "development/python/virtualenv/#deactivation-of-a-virtual-environment", "title": "Deactivation of a Virtual Environment", "text": "
When you are done with the virtual environment, you can deactivate it by running the following command:
deactivate\n
Or alternatively you can exit the current shell.", "tags": ["python", "venv", "cheat-sheet"]}, {"location": "development/ruby/ruby/", "title": "Ruby Gem Package Manager", "text": "
RubyGems is a package manager for the Ruby programming language that provides a standard format for distributing Ruby programs and libraries (in a self-contained format called a \"gem\"), a tool designed to easily manage the installation of gems, and a server for distributing them.
", "tags": ["ruby", "gem", "package-manager", "cheat-sheet"]}, {"location": "development/ruby/ruby/#finding-installed-and-available-gems", "title": "Finding Installed And Available Gems", "text": "
One of the most handy and important things about gems is that they [should] come with good documentation to allow you to start working with them fast. The simplest way to go with documentation is to run a local server where you will have access to all installed gems\u2019 usage instructions.
This is a short summary of the most commonly used Docker commands. If you're new to Docker, or even experienced Docker, it can be helpful to have a quick reference to the most commonly used Docker commands for managing the Docker environment.
", "tags": ["docker", "cheat-sheet"]}, {"location": "devops/docker/common-docker-commands/#show-all-containers-including-running-and-stopped", "title": "Show all Containers Including Running and Stopped", "text": "
Purging All Unused or Dangling Images, Containers, Volumes, and Networks Docker provides a single command that will clean up any resources \u2014 images, containers, volumes, and networks \u2014 that are dangling (not associated with a container):
docker system prune\n
To additionally remove any stopped containers and all unused images (not just dangling images), add the -a flag to the command:
docker system prune -a\n
", "tags": ["docker", "cheat-sheet"]}, {"location": "devops/docker/common-docker-commands/#monitor-system-resource-utilization-for-running-containers", "title": "Monitor System Resource Utilization for Running Containers", "text": "
To check the CPU, memory, and network I/O usage of a single container, you can use:
A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings.
docker create creates a container but does not start it.
docker rename allows the container to be renamed.
docker run creates and starts a container in one operation.
docker rm deletes a container.
docker update updates a container's resource limits.
Normally if you run a container without options it will start and stop immediately, if you want keep it running you can use the command, docker run -td container_id this will use the option -t that will allocate a pseudo-TTY session and -d that will detach automatically the container (run container in background and print container ID).
If you want a transient container, docker run --rm will remove the container after it stops.
If you want to map a directory on the host to a docker container, docker run -v $HOSTDIR:$DOCKERDIR. Also see Volumes.
If you want to remove also the volumes associated with the container, the deletion of the container must include the -v switch like in docker rm -v.
There's also a logging driver available for individual containers in docker 1.10. To run docker with a custom log driver (i.e., to syslog), use docker run --log-driver=syslog.
Another useful option is docker run --name yourname docker_image because when you specify the --name inside the run command this will allow you to start and stop a container by calling it with the name the you specified when you created it.
docker pause pauses a running container, \"freezing\" it in place.
docker unpause will unpause a running container.
docker wait blocks until running container stops.
docker kill sends a SIGKILL to a running container.
docker attach will connect to a running container.
If you want to detach from a running container, use Ctrl + p, Ctrl + q. If you want to integrate a container with a host process manager, start the daemon with -r=false then use docker start -a.
If you want to expose container ports through the host, see the exposing ports section.
Restart policies on crashed docker instances are covered here.
You can limit CPU, either using a percentage of all CPUs, or by using specific cores.
For example, you can tell the cpu-shares setting. The setting is a bit strange -- 1024 means 100% of the CPU, so if you want the container to take 50% of all CPU cores, you should specify 512. See https://goldmann.pl/blog/2014/09/11/resource-management-in-docker/#_cpu for more:
docker run -it -c 512 agileek/cpuset-test\n
You can also only use some CPU cores using cpuset-cpus. See https://agileek.github.io/docker/2014/08/06/docker-cpuset/ for details and some nice videos:
docker run -it --cpuset-cpus=0,4,6 agileek/cpuset-test\n
Note that Docker can still see all of the CPUs inside the container -- it just isn't using all of them. See https://github.com/docker/docker/issues/20770 for more details.
Linux capabilities can be set by using cap-add and cap-drop. See https://docs.docker.com/engine/reference/run/#/runtime-privilege-and-linux-capabilities for details. This should be used for greater security.
To mount a FUSE based filesystem, you need to combine both --cap-add and --device:
docker run --rm -it --cap-add SYS_ADMIN --device /dev/fuse sshfs\n
Give access to a single device:
docker run -it --device=/dev/ttyUSB0 debian bash\n
Give access to all devices:
docker run -it --privileged -v /dev/bus/usb:/dev/bus/usb debian bash\n
A Docker image is a file used to execute code in a Docker container. Docker images act as a set of instructions to build a Docker container, like a template. Docker images also act as the starting point when using Docker. An image is comparable to a snapshot in virtual machine (VM) environments.
While you can use the docker rmi command to remove specific images, there's a tool called docker-gc that will safely clean up images that are no longer used by any containers. As of docker 1.13, docker image prune is also available for removing unused images. See Prune.
", "tags": ["docker", "cheat-sheet"]}, {"location": "devops/docker/docker-images/#difference-between-loading-a-saved-image-and-importing-an-exported-container-as-an-image", "title": "Difference between loading a saved image and importing an exported container as an image", "text": "
Loading an image using the load command creates a new image including its history. Importing a container as an image using the import command creates a new image excluding the history which results in a smaller image size compared to loading an image.
You can download and install Docker on multiple platforms. The following are the most common ways to install Docker on Linux, Mac, and Windows. You can also install Docker on other platforms if you have the necessary software.
Download and install Docker Community Edition. if you have Homebrew-Cask, just type brew install --cask docker. Or Download and install Docker Toolbox. Docker For Mac is nice, but it's not quite as finished as the VirtualBox install. See the comparison.
NOTE Docker Toolbox is legacy. You should to use Docker Community Edition, See Docker Toolbox.
Once you've installed Docker Community Edition, click the docker icon in Launchpad. Then start up a container:
docker run hello-world\n
That's it, you have a running Docker container.
If you are a complete Docker newbie, you should probably follow the series of tutorials now.
Instructions to install Docker Desktop for Windows can be found here
Once installed, open powershell as administrator and run:
# Display the version of docker installed:\ndocker version\n\n# Pull, create, and run 'hello-world':\ndocker run hello-world\n
To continue with this cheat sheet, right click the Docker icon in the system tray, and go to settings. In order to mount volumes, the C:/ drive will need to be enabled in the settings to that information can be passed into the containers (later described in this article).
To switch between Windows containers and Linux containers, right click the icon in the system tray and click the button to switch container operating system Doing this will stop the current containers that are running, and make them unaccessible until the container OS is switched back.
Additionally, if you have WSL or WSL2 installed on your desktop, you might want to install the Linux Kernel for Windows. Instructions can be found here. This requires the Windows Subsystem for Linux feature. This will allow for containers to be accessed by WSL operating systems, as well as the efficiency gain from running WSL operating systems in docker. It is also preferred to use Windows terminal for this.
Follow Microsoft's instructions that can be found here
If using the latest edge version of 2019, be prepared to only work in powershell, as it is only a servercore image (no desktop interface). When starting this machine, it will login and go straight to a powershell window. It is reccomended to install text editors and other tools using Chocolatey.
After installing, these commands will work:
# Display the version of docker installed:\ndocker version\n\n# Pull, create, and run 'hello-world':\ndocker run hello-world\n
Windows Server 2016 is not able to run Linux images.
Windows Server Build 2004 is capable of running both linux and windows containers simultaneously through Hyper-V isolation. When running containers, use the --isolation=hyperv command, which will isolate the container using a seperate kernel instance.
It is very important that you always know the current version of Docker you are currently running on at any point in time. This is very helpful because you get to know what features are compatible with what you have running. This is also important because you know what containers to run from the docker store when you are trying to get template containers. That said let see how to know which version of docker we have running currently.
docker version shows which version of docker you have running.
Get the server version:
$ docker version --format '{{.Server.Version}}'\n1.8.0\n
You can also dump raw JSON data:
$ docker version --format '{{json .}}'\n{\"Client\":{\"Version\":\"1.8.0\",\"ApiVersion\":\"1.20\",\"GitCommit\":\"f5bae0a\",\"GoVersion\":\"go1.4.2\",\"Os\":\"linux\",\"Arch\":\"am\"}\n
Docker has a networks feature. Docker automatically creates 3 network interfaces when you install it (bridge, host none). A new container is launched into the bridge network by default. To enable communication between multiple containers, you can create a new network and launch containers in it. This enables containers to communicate to each other while being isolated from containers that are not connected to the network. Furthermore, it allows to map container names to their IP addresses. See working with networks for more details.
docker network connect NETWORK CONTAINER Connect a container to a network
docker network disconnect NETWORK CONTAINER Disconnect a container from a network
You can specify a specific IP address for a container:
# create a new bridge network with your subnet and gateway for your ip block\ndocker network create --subnet 203.0.113.0/24 --gateway 203.0.113.254 iptastic\n\n# run a nginx container with a specific ip in that block\n$ docker run --rm -it --net iptastic --ip 203.0.113.2 nginx\n\n# curl the ip from any other place (assuming this is a public ip block duh)\n$ curl 203.0.113.2\n
Links are how Docker containers talk to each other through TCP/IP ports. Atlassian show worked examples. You can also resolve links by hostname.
This has been deprecated to some extent by user-defined networks.
NOTE: If you want containers to ONLY communicate with each other through links, start the docker daemon with -icc=false to disable inter process communication.
If you have a container with the name CONTAINER (specified by docker run --name CONTAINER) and in the Dockerfile, it has an exposed port:
EXPOSE 1337\n
Then if we create another container called LINKED like so:
docker run -d --link CONTAINER:ALIAS --name LINKED user/wordpress\n
Then the exposed ports and aliases of CONTAINER will show up in LINKED with the following environment variables:
Generally, linking between docker services is a subset of \"service discovery\", a big problem if you're planning to use Docker at scale in production. Please read The Docker Ecosystem: Service Discovery and Distributed Configuration Stores for more info.
This is where security tips about Docker go. The Docker security page goes into more detail.
First things first: Docker runs as root. If you are in the docker group, you effectively have root access. If you expose the docker unix socket to a container, you are giving the container root access to the host.
Docker should not be your only defense. You should secure and harden it.
For an understanding of what containers leave exposed, you should read Understanding and Hardening Linux Containers by Aaron Grattafiori. This is a complete and comprehensive guide to the issues involved with containers, with a plethora of links and footnotes leading on to yet more useful content. The security tips following are useful if you've already hardened containers in the past, but are not a substitute for understanding.
For greatest security, you want to run Docker inside a virtual machine. This is straight from the Docker Security Team Lead -- slides / notes. Then, run with AppArmor / seccomp / SELinux / grsec etc to limit the container permissions. See the Docker 1.10 security features for more details.
Docker image ids are sensitive information and should not be exposed to the outside world. Treat them like passwords.
See the Docker Security Cheat Sheet by Thomas Sj\u00f6gren: some good stuff about container hardening in there.
Check out the docker bench security script, download the white papers.
Snyk's 10 Docker Image Security Best Practices cheat sheet
You should start off by using a kernel with unstable patches for grsecurity / pax compiled in, such as Alpine Linux. If you are using grsecurity in production, you should spring for commercial support for the stable patches, same as you would do for RedHat. It's $200 a month, which is nothing to your devops budget.
Since docker 1.11 you can easily limit the number of active processes running inside a container to prevent fork bombs. This requires a linux kernel >= 4.3 with CGROUP_PIDS=y to be in the kernel configuration.
docker run --pids-limit=64\n
Also available since docker 1.11 is the ability to prevent processes from gaining new privileges. This feature have been in the linux kernel since version 3.5. You can read more about it in this blog post.
docker run --security-opt=no-new-privileges\n
From the Docker Security Cheat Sheet (it's in PDF which makes it hard to use, so copying below) by Container Solutions:
With watchtower you can update the running version of your containerized app simply by pushing a new image to the Docker Hub or your own image registry. Watchtower will pull down your new image, gracefully shut down your existing container and restart it with the same options that were used when it was deployed initially. Run the watchtower container with the following command:
docker rundocker-compose.yml
$ docker run -d \\\n--name watchtower \\\n-v /var/run/docker.sock:/var/run/docker.sock \\\ncontainrrr/watchtower\n
Watchtower is an application that will monitor your running Docker containers and watch for changes to the images that those containers were originally started from. If watchtower detects that an image has changed, it will automatically restart the container using the new image.
With watchtower you can update the running version of your containerized app simply by pushing a new image to the Docker Hub or your own image registry. Watchtower will pull down your new image, gracefully shut down your existing container and restart it with the same options that were used when it was deployed initially.
Full documanation can be found at Watchtower Documentation. Github repo can be found at Watchtower Github Repository.
Blow is and example of a docker-compose.yml file that uses watchtower to automatically update your running containers at 3:30 AM every day, sending notifications to Telegram with shoutrrr
", "tags": ["docker", "container", "watchtower"]}, {"location": "devops/git/delete-commit-history/", "title": "Removing Sensitive Data from a Repository History", "text": "
As humans, we sometimes make mistakes. One of them is committing sensitive data in our Git repository. If you commit sensitive data, such as a password, SSH key, API tokens, license keys and so on into a Git repository, you can remove it from the history. You can follow the official GitHub instructions to remove sensitive data from the history. It's probably the best and the right way to do it.
Below is a fast way to remove sensitive data from a repository's history but with a few caveats like loosing all the history of the repository.
", "tags": ["github", "history", "security"]}, {"location": "devops/git/delete-commit-history/#delete-commit-history-in-github-repository", "title": "Delete Commit History in Github Repository", "text": "
Danger
This will remove your old commit history completely, You can\u2019t recover it again!
Create Orphan Branch \u2013 Create a new orphan branch in git repository. The newly created branch will not show in \u2018git branch\u2019 command.
git checkout --orphan temp_branch\n
Add Files to Branch \u2013 Now add all files to newly created branch and commit them using following commands.
git add -A\ngit commit -am \"first commit\"\n
Delete master/main Branch. Adjust the command according your git repository
git branch -D main\n
Rename Current Branch \u2013 After deleting the master/main branch, let\u2019s rename newly created branch name to master/main.
git branch -m main\n
Push Changes \u2013 You have completed the changes to your local git repository. Finally, push your changes to the remote master/main (Github) repository forcefully.
Git is a free and open source distributed version control system designed to quickly and efficiently manage everything from small to very large projects.
A new repository can either be created locally, or an existing repository can be cloned. When a repository was initialized locally, you have to push it to GitHub afterwards.
The git init command turns an existing directory into a new Git repository inside the folder you are running this command. After using the git init command, link the local repository to an empty GitHub repository using the following command:
git init\n
Specifies the remote repository for your local repository. The url points to a repository on GitHub.
git remote add origin [url]\n
Clone (download) a repository that already exists on GitHub, including all of the files, branches, and commits
Synchronize your local repository with the remote repository on GitHub.com
Downloads all history from the remote tracking branches
git fetch\n
Combines remote tracking branches into current local branch
git merge\n
Uploads all local branch commits to GitHub
git push\n
Updates your current local working branch with all new commits from the corresponding remote branch on GitHub. git pull is a combination of git fetch and git merge
Branches are an important part of working with Git. Any commits you make will be made on the branch you\u2019re currently \u201cchecked out\u201d to. Use git status to see which branch that is.
Creates a new branch
git branch [branch-name]\n
Switches to the specified branch and updates the working directory
git switch -c [branch-name]\n
or you can use
git checkout -b [branch-name]\n
to both create and switch to the branch simultaneously.
Combines the specified branch\u2019s history into the current branch. This is usually done in pull requests, but is an important Git operation.
Sometimes it may be a good idea to exclude files from being tracked with Git. This is typically done in a special file named .gitignore. You can find helpful templates for .gitignore files at github.com/github/gitignore. If there are certain files (like .vscode or .ide) that should be discluded from all projects, you can create a global .gitignore file to do so.
", "tags": ["github", "git", "cheat-sheet"]}, {"location": "devops/git/git-cli-cheat-sheet/#untrack-files-already-added-to-git-repository-based-on-gitignore", "title": "Untrack Files Already Added to git Repository Based on .gitignore", "text": "
Commit all your changes. Before proceeding, make sure all your changes are committed, including your .gitignore file. Remove everything from the repository. To clear your repo, use:
It's probably easiest if you just start by cloning the gist, so that origin (a \"remote\" that refers to the original repository) is set up for you. Then you can just do git push origin master. For example:
However, if you don't want to redo your changes, you can do:
cd mygist\ngit remote add origin git@gist.github.com:869085.git\ngit fetch origin\n# Push your changes, also setting the upstream for master:\ngit push -u origin master\n
Strictly speaking, the git fetch origin and -u argument to git push origin master are optional, but they will helpfully associate the upstream branch master in origin with your local branch master.
Git submodules allow you to keep a git repository as a subdirectory of another git repository. Git submodules are simply a reference to another repository at a particular snapshot in time. Git submodules enable a Git repository to incorporate and track version history of external code.
The GitHub Cli a is free and open source Cli tool to interact with GitHub repositories. It allows you to work solely from the command line, as well as navigate to remote (web) repositories very easily.
One of then main devices in my HomeLab is a Synology DS218+ NAS. It purpose mainly for backup and data synchronization tasks.
Synology DS218+ NAS was upgraded to 8GB of RAM. It has two SAMSUNG 870 QVO 4TB SSD, running in redundant mode. The 1GbE network was upgraded with SABRENT USB 5GbE Ethernet and the fan was replaced with Noctua NF-A9 FLX Fan for quieter operation.
This website can include advertising, supported content, paid inserts, affiliate links or other types of monetization.
We believe in the authenticity of relationships, views and identities. Compensation received can have an effect on the advertisement material, topics or posts made in this blog. Such content, advertising space or post will be specifically marked as paid or supported content. We will only endorse the products or services that we believe, based on our expertise, are worthy of this endorsement.
Any claim, statistic, quotation or other representation of a product or service should be verified with the manufacturer or supplier. This site does not contain any content that may constitute a conflict of interest.
This website does not provide any representations, warranties or assurances as to the accuracy,
currency or completeness of the content contained on this website or on any website linked to or from this website.
This website is a participant in the Amazon Services LLC Associates Program, aliexpress, an affiliate advertisement program designed to provide a way for websites to receive advertising fees through advertising and links to amazon.com, aliexpress.com.
We use cookies and other similar technologies to help provide our Services, to advertise to you and to analyse how you use our Services and whether advertisements are being viewed. We also allow third parties to use tracking technologies for similar purposes. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. The Help menu on the menu bar of most browsers also tells you how to prevent your browser from accepting new cookies, how to delete old cookies, how to have the browser notify you when you receive a new cookie and how to disable cookies altogether.
A cookie is a small text file which is sent to your computer or mobile device (referred to in this policy as a \u201cdevice\u201d) by the web server so that the website can remember some information about your browsing activity on the website. The cookie will collect information relating to your use of our sites, information about your device such as the device\u2019s IP address and browser type, demographic data and, if you arrived at our site via a link from third party site, the URL of the linking page. If you are a registered user or subscriber it may also collect your name and email address, which may be transferred to data processors for registered user or subscriber verification purposes. Cookies record information about your online preferences and help us to tailor our websites to your interests. Information provided by cookies can help us to analyse your use of our sites and help us to provide you with a better user experience. We use tracking technologies for the following purposes:
These cookies are necessary for the website to function and cannot be switched off in our systems. These are used to let you login, to ensure site security and to provide shopping cart functionality. Without this type of technology, our Services won\u2019t work properly or won\u2019t be able to provide certain features and functionalities.
These cookies are used to analyze how visitors use a website, for instance which pages visitors visit most often, in order to provide a better user experience. We also use this technology to check if you have opened our emails, so we can see if they are being delivered correctly and are of interest.
These cookies are used to limit the number of times you see an advertisement, or to customize advertising across our Services and make it more relevant to you and to allow us to measure the effectiveness of advertising campaigns and track whether ads have been properly displayed so we can pay for this. You have the option to change your choices relating to cookies utilized to deliver behaviorally targeted advertising here for EU \u201cAdvertising cookies\u201d and here for US Advertising cookies.
Cookies are used by social media services to enable you to share our content with your friends and networks. These cookies may track your browser across other sites and build a profile of your interests, which may impact the content and messages you see on other websites that you visit.
We use Google Analytics for aggregated, anonymized website traffic analysis. In order to track your session usage, Google drops a cookie (_ga) with a randomly-generated ClientID in your browser. This ID is anonymized and contains no identifiable information like email, phone number, name, etc. We also send Google your IP Address. We use GA to track aggregated website behavior, such as what pages you looked at, for how long, and so on. This information is important to us for improving the user experience and determining site effectiveness. If you would like to access what browsing information we have \u2013 or ask us to delete any GA data \u2013 please delete your _ga cookies, reach out to us via this form, and/or install the Google Analytics Opt-Out Browser Add-On.
If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. The Help menu on the menu bar of most browsers also tells you how to prevent your browser from accepting new cookies, how to delete old cookies, how to have the browser notify you when you receive a new cookie and how to disable cookies altogether. You can also visit https://www.aboutcookies.org for more information on how to manage and remove cookies across a number of different internet browsers. You also have the option to change your choices relating to cookies utilized to deliver behaviorally targeted advertising here for EU \u201cAdvertising cookies\u201d and here for US Advertising cookies. If you would like to contact us about cookies please our online feedback form or our contact page.
Adventure is an app that provides you with a simple and intuitive interface to plan your trip. You can choose from a wide range of activities and destinations. We also provide you with a recommendation system that will help you choose the best activity for you. Visit adventure.app!
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Your privacy is very important to us. Accordingly, we have developed this policy in order for you to understand how we collect, use, communicate and make use of personal information. The following outlines our privacy policy.
When accessing this website, will learn certain information about you during your visit.
Similar to other commercial websites, our website utilizes a standard technology called \u2018cookies\u2019 (see explanation below) and server logs to collect information about how our site is used. Information gathered through cookies and server logs may include the date and time of visits, the pages viewed, time spent at our site, and the websites visited just before and just after our own, as well as your IP address.
A cookie is a very small text document, which often includes an anonymous unique identifier. When you visit a website, that site\u2019s computer asks your computer for permission to store this file in a part of your hard drive specifically designated for cookies. Each website can send its own cookie to your browser if your browser\u2019s preferences allow it, but (to protect your privacy) your browser only permits a website to access the cookies it has already sent to you, not the cookies sent to you by other sites.
IP addresses are used by your computer every time you are connected to the Internet. Your IP address is a number that is used by computers on the network to identify your computer. IP addresses are automatically collected by our web server as part of demographic and profile data known as \u201ctraffic data\u201d so that data (such as the Web pages you request) can be sent to you.
If you choose to correspond with us through email, we may retain the content of your email messages together with your email address and our responses. We provide the same protections for these electronic communications that we employ in the maintenance of information received online, mail and telephone. This also applies when you register for our website, sign up through any of our forms using your email address or make a purchase on this site. For further information see the email policies below.
", "tags": ["information", "privacy policy"]}, {"location": "information/privacy-policy/#how-do-we-use-the-information-that-you-provide-to-us", "title": "How Do We Use The Information That You Provide To Us?", "text": "
Broadly speaking, we use personal information for purposes of administering our business activities, providing customer service and making available other items and services to our customers and prospective customers.
will not obtain personally-identifying information about you when you visit our site, unless you choose to provide such information to us, nor will such information be sold or otherwise transferred to unaffiliated third parties without the approval of the user at the time of collection.
We may disclose information when legally compelled to do so, in other words, when we, in good faith, believe that the law requires it or for the protection of our legal rights.
We are committed to keeping your e-mail address confidential. We do not sell, rent, or lease our subscription lists to third parties, and we will not provide your personal information to any third party individual, government agency, or company at any time unless strictly compelled to do so by law.
We will use your e-mail address solely to provide timely information about .
We will maintain the information you send via e-mail in accordance with applicable federal law.
In compliance with the CAN-SPAM Act, all e-mail sent from our organization will clearly state who the e-mail is from and provide clear information on how to contact the sender. In addition, all e-mail messages will also contain concise information on how to remove yourself from our mailing list so that you receive no further e-mail communication from us.
Our site provides users the opportunity to opt-out of receiving communications from us and our partners by reading the unsubscribe instructions located at the bottom of any e-mail they receive from us at anytime.
Users who no longer wish to receive our newsletter or promotional materials may opt-out of receiving these communications by clicking on the unsubscribe link in the e-mail.
This website may contain links to many other websites. cannot guarantee the accuracy of information found at any linked site. Links to or from external sites not owned or controlled by do not constitute an endorsement by or any of its employees of the sponsors of these sites or the products or information presented therein.
By accessing this web site, you are agreeing to be bound by these web site Terms and Conditions of Use, all applicable laws and regulations, and agree that you are responsible for compliance with any applicable local laws. If you do not agree with any of these terms, you are prohibited from using or accessing this site. The materials contained in this web site are protected by applicable copyright and trade mark law.
You agree to use our website only for lawful purposes, and in a way that does not infringe the rights of, restrict or inhibit anyone else\u2019s use and enjoyment of the website. Prohibited behavior includes harassing or causing distress or inconvenience to any other user, transmitting obscene or offensive content or disrupting the normal flow of dialogue within our website.
You must not use our website to send unsolicited commercial communications. You must not use the content on our website for any marketing related purpose without our express written consent.
We may in the future need to restrict access to parts (or all) of our website and reserve full rights to do so. If, at any point, we provide you with a username and password for you to access restricted areas of our website, you must ensure that both your username and password are kept confidential.
In accordance to with the FTC guidelines concerning the use of endorsements and testimonials in advertising, please be aware of the following:
Testimonials that appear on this site are actually received via text, audio or video submission. They are individual experiences, reflecting real life experiences of those who have used our products and/or services in some way. They are individual results and results do vary. We do not claim that they are typical results. The testimonials are not necessarily representative of all of those who will use our products and/or services.
The testimonials displayed in any form on this site (text, audio, video or other) are reproduced verbatim, except for correction of grammatical or typing errors. Some may have been shortened. In other words, not the whole message received by the testimonial writer is displayed when it seems too lengthy or not the whole statement seems relevant for the general public.
We are not responsible for any of the opinions or comments posted on this website. This website is not a forum for testimonials, however provides testimonials as a means for customers to share their experiences with one another. To protect against abuse, all testimonials appear after they have been reviewed by the management . We not share the opinions, views or commentary of any testimonials on this website \u2013 the opinions are strictly the views of the testimonial source.
The testimonials are never intended to make claims that our products and/or services can be used to diagnose, treat, cure, mitigate or prevent any disease. Any such claims, implicit or explicit, in any shape or form, have not been clinically tested or evaluated.
How Do We Protect Your Information And Secure Information Transmissions?
Email is not recognized as a secure medium of communication. For this reason, we request that you do not send private information to us by email. However, doing so is allowed, but at your own risk. Some of the information you may enter on our website may be transmitted securely via a secure medium known as Secure Sockets Layer, or SSL. Credit Card information and other sensitive information is never transmitted via email.
We may use software programs to create summary statistics, which are used for such purposes as assessing the number of visitors to the different sections of our site, what information is of most and least interest, determining technical design specifications, and identifying system performance or problem areas.
For site security purposes and to ensure that this service remains available to all users, uses software programs to monitor network traffic to identify unauthorized attempts to upload or change information, or otherwise cause damage.
", "tags": ["information", "privacy policy"]}, {"location": "information/privacy-policy/#disclaimer-and-limitation-of-liability", "title": "Disclaimer And Limitation Of Liability", "text": "
We makes no representations, warranties, or assurances as to the accuracy, currency or completeness of the content contain on this website or any sites linked to this site.
All the materials on this site are provided \u2018as is\u2019 without any express or implied warranty of any kind, including warranties of merchantability, noninfringement of intellectual property or fitness for any particular purpose. In no event shall or its agents or associates be liable for any damages whatsoever (including, without limitation, damages for loss of profits, business interruption, loss of information, injury or death) arising out of the use of or inability to use the materials, even if has been advised of the possibility of such loss or damages.
We reserve the right to amend this privacy policy at any time with or without notice. However, please be assured that if the privacy policy changes in the future, we will not use the personal information you have submitted to us under this privacy policy in a manner that is materially inconsistent with this privacy policy, without your prior consent.
We are committed to conducting our business in accordance with these principles in order to ensure that the confidentiality of personal information is protected and maintained.
The following steps will disable IPV6 on your OpenWrt router . All the steps are performed via the command line. You can performe them in the console of the router but the preferred way is via SSH.
Follow the following steps to disable IPV6 on your OpenWrt router:
uci set 'network.lan.ipv6=0'\nuci set 'network.wan.ipv6=0'\nuci set 'dhcp.lan.dhcpv6=disabled'\n/etc/init.d/odhcpd disable\nuci commit\n
Disable RA and DHCPv6 so no IPv6 IPs are handed out:
You can install oh-my-zsh on OpenWrt, make sure to use the Prevent User Lockout option since many users been locked out of their sessions since the zsh shell was not installed or loaded properly.
Z-shell (Zsh) configuration. is a Unix shell that can be used as an interactive login shell and as a shell scripting command interpreter. Zsh is an enhanced Bourne shell with many enhancements, including some Bash, ksh and tcsh features.
To prevent lock-outs after accidentially removing zsh (thanks to @fox34) (as explained in the wiki you can add a check for zsh and fallback to ash in /etc/rc.local:
# Revert root shell to ash if zsh is not available\nif grep -q '^root:.*:/usr/bin/zsh$' /etc/passwd && [ ! -x /usr/bin/zsh ]; then\n# zsh is root shell, but zsh was not found or not executable: revert to default ash\n[ -x /usr/bin/logger ] && /usr/bin/logger -s \"Reverting root shell to ash, as zsh was not found on the system\"\nsed -i -- 's:/usr/bin/zsh:/bin/ash:g' /etc/passwd\nfi\n
Cloud images are operating system templates and every instance starts out as an identical clone of every other instance. It is the user data that gives every cloud instance its personality and cloud-init is the tool that applies user data to your instances automatically.
The default storage Proxmox creates for vm is storage1. In my case I use different storage for vm's and templates named storage1. The following commands will utilize the storage1 storage. Change the storage name for your Proxmox server.
Import the downloaded Ubuntu Cloud Image we downloaded before disk to the storage.
Attach the new disk to the vm as a scsi drive on the scsi controller
qm set 9000 --scsihw virtio-scsi-pci --scsi0 storage1:vm-9000-disk-0\n
Add cloud init drive
qm set 9000 --ide2 storage1:cloudinit\n
Make the cloud init drive bootable and restrict BIOS to boot from disk only
qm set 9000 --boot c --bootdisk scsi0\n
Add serial console
qm set 9000 --serial0 socket --vga serial0\n
WARNING: DO NOT START THE VM
Powering on the vm will create a unique ID that will presist with the template. We want to avoid this.
Now had to the Proxmox web interface. Select the new vm and Cloud-Init tab.
Configure the default setting for the cloud image template. This will allow the VM to start with predefined user, password, ssh keys and network configuration.
At this point we configured the VM and we can create a cloud image template from it.
Create a new cloud image template.
qm template 9000\n
Now you can use the Cloud Image Template to create new vm instances. You can do it from the Proxmox web interface or from the command line.
Tip
Use Full Clone when creating a new VM from a cloud image template. Linked Clone will privent you from deleting the cloud image template.
Shutdown the VM. Then power it back on. The machine-id will be regenerated.
If the machine-id is not regenerated you can try to fix it by running the following command.
sudo systemd-machine-id-setup\n
", "tags": ["proxmox", "virtualization"]}, {"location": "infrastructure/proxmox/lets-encrypt-cloudflare/", "title": "Proxmox Valid SSL With Let's Encrypt and Cloudflare DNS", "text": "
This is a guide to how to setup a valid SSL certificate with Let's Encrypt and Cloudflare DNS for Proxmox VE. Let's Encrypt will allow you to obtain a valid SSL certificate for your Proxmox VE Server for free for 90 days. In the following steps, we will setup a valid SSL certificate for your Proxmox VE Server using Let's Encrypt and Cloudflare DNS Challenge. The process of renewing the certificate is done automatically by Proxmox VE Server and you do not need to do anything manually to renew the certificate.
The process will be done fully in Proxmox web interface. Login to the Proxmox web interface select Datacenter, find ACME and click on it.
At Account section, click Add. Fill the Account Name and E-Mail. Accept the Terms and Conditions (TOC). Click Register. This will register an account for Let's Encrypt service in order to obtain a certificate.
The output should be something like this:
At Challenge Plugin ection, click Add. Fill the Plugin ID (name), at DNS API choose Cloudflare Managed DNS. CF_Token= and CF_Zone_ID= are the API Tokens and Zone ID for Cloudflare DNS - leave the rest empty.
The final screen should look like this:
Select the Pve Server in my case its name proxmox, under System select Certificates.
At ACME section, click Edit and select the Account we created earlier.
Click Add, select Challenge TypeDNS and Challenge Plugin the plugin we created earlier. Domain is the domain name we want to use for the certificate. Click Create.
Now its time to issue the certificate. Click Order Certificate Now.
At this point Proxmox will try to issue the certificate from Let's Encrypt and validate it with Cloudflare DNS Challenge.
If all goes well, you will see the following:
Now the certificate is installed and ready to use. The renewal process is done automatically by Proxmox VE Server.
PVE Kernel Cleaner is a program to compliment Proxmox Virtual Environment which is an open-source server virtualization environment. PVE Kernel Cleaner allows you to purge old/unused kernels filling the /boot directory. As new kernels are released the older ones have to be manually removed frequently to make room for newer ones. This can become quite tedious and require extensive time spent monitoring the system when new kernels are released and when older ones need to be cleared out to make room. With this issue existing, PVE Kernel Cleaner was created to solve it.
PVE Kernel Cleaner checks for updates automatically when you run it. If an update is available, you'll be notified within the program. Simply follow the on-screen instructions to install the update, and you're all set with the latest version!
pvekclean [OPTION1] [OPTION2]...\n\n-k, --keep [number] Keep the specified number of most recent PVE kernels on the system\n Can be used with -f or --force for non-interactive removal\n-f, --force Force the removal of old PVE kernels without confirm prompts\n-rn, --remove-newer Remove kernels that are newer than the currently running kernel\n-s, --scheduler Have old PVE kernels removed on a scheduled basis\n-v, --version Shows current version of pvekclean\n-r, --remove Uninstall pvekclean from the system\n-i, --install Install pvekclean to the system\n-d, --dry-run Run the program in dry run mode for testing without making system changes\n
\u256d\u2500root@proxmox ~\n\u2570\u2500# bash <(curl -s https://raw.githubusercontent.com/bermanboris/proxmox-vm-disk-expander/main/expand.sh) 1 \u21b5\n VMID NAME STATUS MEM(MB) BOOTDISK(GB) PID\n 100 vm100 running 4096 40.20 1113\n101 test stopped 2048 2.20 0\n9000 ubuntu22-04-cloud stopped 2048 2.20 0\nEnter the VM ID to be expanded: 101\nEnter the size to be expanded in GB (example: 10G): 5G\nVM ID 101 disk storage1 will be expanded by 5G\nWarning: There is currently no way to downsize the disk!\nAre you sure you want to expand the disk? (yes/no): yes\n\nExpanding the disk... Size of logical volume storage1/vm-101-disk-0 changed from <2.20 GiB (563 extents) to <7.20 GiB (1843 extents).\n Logical volume storage1/vm-101-disk-0 successfully resized.\nGPT:Primary header thinks Alt. header is not at the end of the disk.\nGPT:Alternate GPT header not at the end of the disk.\nGPT: Use GNU Parted to correct GPT errors.\nadd map storage1-vm--101--disk--0p1 (253:12): 0 4384735 linear 253:11 227328\nadd map storage1-vm--101--disk--0p14 (253:13): 0 8192 linear 253:11 2048\nadd map storage1-vm--101--disk--0p15 (253:14): 0 217088 linear 253:11 10240\nWarning: The kernel is still using the old partition table.\nThe new table will be used at the next reboot or after you\nrun partprobe(8) or kpartx(8)\nThe operation has completed successfully.\n
Currently supported only \"cloud images\" (or single ext4 partition installation) but if you still want to resize regular vm with LVM partition table, you need to extend the LVM partition INSIDE the vm AFTER running the script. Resizing LVM is done like this:
This guide will walk you through configuring Windows 10 or Windows 11 Virtual Machines with VirtIO Disks and Networking using Proxmox. This configuration was tested to work with the GPU passthroughs feature from one of the following guides:
GPU Passthrough to VM - Full GPU passthrough to VM guide
iGPU Passthrough to VM - Cpu's GPU passthrough to VM guide (Intel)
iGPU Split Passthrough - Splitting (CPU's GPU) to Multiple GPUs passthrough to VM guide
The Windows installation process is the same as any other Windows OS installation. The only caveat is that you need to install the drivers for the Storage devices and Network devices.
Windows won't be able to load network drivers while installing. When prompted with something for connecting to the Internet, select I Don't have internet and skip it. We will deal with the network drivers at post installation.
Open the VirtIO CD and run the virtio-win-gt-x64.exe, virtio-win-guest-tools installer. This will install all the missing virtio drivers for the VM and guest OS tools.
After the installtion your Device Manager should look like this without any errors.
", "tags": ["Proxmox", "Windows Virtual Machines", "VirtIO"]}, {"location": "infrastructure/proxmox/windows-vm-configuration/#remove-the-virtio-cddvd-and-windows-iso", "title": "Remove the VirtIO CD/DVD and Windows iso", "text": "
Power off the VM.
Remove the added CD/DVD for VirtIO iso.
Select Do nor use any media on the CD/DVD with the Windows iso.
At this point we are done with the installation of the Windows VM.
Follow those guides for utilizing a GPU passthrough to VM:
GPU Passthrough to VM - Full GPU passthrough to VM guide
iGPU Passthrough to VM - Cpu's GPU passthrough to VM guide (Intel)
[GPU Split Passthrough][gpu-split-passthrough] - Splitting (Nvidia) to Multiple GPUs passthrough to VM guide
GPU passthrough is a technology that allows the Linux kernel to present the internal PCI GPU directly to the virtual machine. The device behaves as if it were powered directly by the virtual machine, and the virtual machine detects the PCI device as if it were physically connected. We will cover how to enable GPU passthrough to a virtual machine in Proxmox VE.
The following examples uses SSH connection to the Proxmox server. The editor is nano but feel free to use any other editor. We will be editing the grub configuration file.
Find the PCI address of the GPU Device. The following command will show the PCI address of the GPU devices in Proxmox server:
lspci -nnv | grep VGA\n
Find the GPU you want to passthrough in result ts should be similar to this:
What we are looking is the PCI address of the GPU device. In this case it's 01:00.0. 01:00.0 is only a part of of a group of PCI devices on the GPU. We can list all the devices in the group 01:00 by using the following command:
lspci -s 01:00\n
The usual output will include VGA Device and Audio Device. In my case, we have a USB Controller and a Serial bus controller:
01:00.0 VGA compatible controller: NVIDIA Corporation TU104 [GeForce RTX 2080 SUPER] (rev a1)\n01:00.1 Audio device: NVIDIA Corporation TU104 HD Audio Controller (rev a1)\n01:00.2 USB controller: NVIDIA Corporation TU104 USB 3.1 Host Controller (rev a1)\n01:00.3 Serial bus controller [0c80]: NVIDIA Corporation TU104 USB Type-C UCSI Controller (rev a1)\n
Now we need to get the id's of those devices. We can do this by using the following command:
Next we need to add vfio modules to allow PCI passthrough.
Edit the /etc/modules file.
nano /etc/modules\n
Add the following line to the end of the file:
# Modules required for PCI passthrough\nvfio\nvfio_iommu_type1\nvfio_pci\nvfio_virqfd\n
Save and exit the editor.
Update configuration changes made in your /etc filesystem
update-initramfs -u -k all\n
Reboot Proxmox to apply the changes
Verify that IOMMU is enabled
dmesg | grep -e DMAR -e IOMMU\n
There should be a line that looks like DMAR: IOMMU enabled. If there is no output, something is wrong.
[0.000000] Warning: PCIe ACS overrides enabled; This may allow non-IOMMU protected peer-to-peer DMA\n[0.067203] DMAR: IOMMU enabled\n[2.573920] pci 0000:00:00.2: AMD-Vi: IOMMU performance counters supported\n[2.580393] pci 0000:00:00.2: AMD-Vi: Found IOMMU cap 0x40\n[2.581776] perf/amd_iommu: Detected AMD IOMMU #0 (2 banks, 4 counters/bank).\n
Check that the GPU is in a separate IOMMU Group by using the following command:
#!/bin/bash\nshopt -s nullglob\nfor g in $(find /sys/kernel/iommu_groups/* -maxdepth 0 -type d | sort -V); do\necho \"IOMMU Group ${g##*/}:\"\nfor d in $g/devices/*; do\necho -e \"\\t$(lspci -nns ${d##*/})\"\ndone;\ndone;\n
Now your Proxmox host should be ready to GPU passthrough!
If you have multiple VGA, look for the one that has the Intel in the name. Here, the PCI address of the GPU is 01:00.0.
For best performance the VM should be configured the Machine type to q35. This will allow the VM to utilize PCI-Express passthrough.
Open the web gui and navigate to the Hardware tab of the VM you want to add a vGPU. Click Add above the device list and then choose PCI Device
Open the Device dropdown and select the GPU, which you can find using it\u2019s PCI address. This list uses a different format for the PCI addresses id, 01:00.0 is listed as 0000:01:00.0.
Select All Functions, ROM-Bar, Primary GPU, PCI-Express and then click Add.
The Windows Virtual Machine Proxmox Setting should look like this:
Power on the Windows Virtual Machine.
Connect to the VM via Remote Desktop (RDP) or any other remote access protocol you prefer. Install the latest version of GPU Driver for your GPU.
If all when well you should see the following output in Device Manager and GPU-Z:
If you have multiple VGA, look for the one that has the Intel in the name. Here, the PCI address of the GPU is 01:00.0.
For best performance the VM should be configured the Machine type to q35. This will allow the VM to utilize PCI-Express passthrough.
Open the Device dropdown and select the GPU, which you can find using it\u2019s PCI address. This list uses a different format for the PCI addresses id, 01:00.0 is listed as 0000:01:00.0.
Select All Functions, ROM-Bar, PCI-Epress and then click Add.
The Ubuntu Virtual Machine Proxmox Setting should look like this:
Boot the VM. To test the GPU passthrough was successful, you can use the following command in the VM:
Now we need to install the GPU Driver. I'll be covering the installation of Nvidia Drivers in the next example.
Search for the latest Nvidia Driver for your GPU.
sudo apt search nvidia-driver\n
In the next step we will install the Nvidia Driver v535.
Note
--no-install-recommends is important for Headless Server. nvidia-driver-535 will install xorg (GUI) --no-install-recommends flag will prevent the GUI from being installed.
Dbug Messages - Shows Hardware initialization and errors
dmesg -w\n
Display PCI devices information
lspci\n
Display Driver in use for PCI devices
lspci -k\n
Display IOMMU Groups the PCI devices are assigned to
#!/bin/bash\nshopt -s nullglob\nfor g in $(find /sys/kernel/iommu_groups/* -maxdepth 0 -type d | sort -V); do\necho \"IOMMU Group ${g##*/}:\"\nfor d in $g/devices/*; do\necho -e \"\\t$(lspci -nns ${d##*/})\"\ndone;\ndone;\n
Intel Integrated Graphics (iGPU) is a GPU that is integrated into the CPU. The GPU is a part of the CPU and is used to render graphics. Proxmox may be configured to use iGPU passthrough to VM to allow the VM to use the iGPU for hardware acceleration for example using video encoding/decoding and Transcoding for series like Plex and Emby. This guide will show you how to configure Proxmox to use iGPU passthrough to VM.
Your mileage may vary depending on your hardware. The following guide was tested with Intel Gen8 CPU.
There are two ways to use iGPU passthrough to VM. The first way is to use the Full iGPU Passthrough to VM. The second way is to use the iGPU GVT-g technology which allows as to split the iGPU into two parts. We will be covering the Full iGPU Passthrough. If you want to use the split iGPU GVT-g Passthrough you can find the guide here.
", "tags": ["proxmox", "igpu", "passthrough"]}, {"location": "infrastructure/proxmox/gpu-passthrough/igpu-passthrough-to-vm/#proxmox-configuration-for-igpu-full-passthrough", "title": "Proxmox Configuration for iGPU Full Passthrough", "text": "
The following examples uses SSH connection to the Proxmox server. The editor is nano but feel free to use any other editor. We will be editing the grub configuration file.
Edit the grub configuration file.
nano /etc/default/grub\n
Find the line that starts with GRUB_CMDLINE_LINUX_DEFAULT by default they should look like this:
GRUB_CMDLINE_LINUX_DEFAULT=\"quiet\"\n
We want to allow passthrough and Blacklists known graphics drivers to prevent proxmox from utilizing the iGPU.
Warning
You will loose the ability to use the onboard graphics card to access the Proxmox's console since Proxmox won't be able to use the Intel's gpu
Your GRUB_CMDLINE_LINUX_DEFAULT should look like this:
This will blacklist most of the graphics drivers from proxmox. If you have a specific driver you need to use for Proxmox Host you need to remove it from modprobe.blacklist
Save and exit the editor.
Update the grub configuration to apply the changes the next time the system boots.
update-grub\n
Next we need to add vfio modules to allow PCI passthrough.
Edit the /etc/modules file.
nano /etc/modules\n
Add the following line to the end of the file:
# Modules required for PCI passthrough\nvfio\nvfio_iommu_type1\nvfio_pci\nvfio_virqfd\n
Update configuration changes made in your /etc filesystem
update-initramfs -u -k all\n
Save and exit the editor.
Reboot Proxmox to apply the changes
Verify that IOMMU is enabled
dmesg | grep -e DMAR -e IOMMU\n
There should be a line that looks like DMAR: IOMMU enabled. If there is no output, something is wrong.
[0.000000] Warning: PCIe ACS overrides enabled; This may allow non-IOMMU protected peer-to-peer DMA\n[0.067203] DMAR: IOMMU enabled\n[2.573920] pci 0000:00:00.2: AMD-Vi: IOMMU performance counters supported\n[2.580393] pci 0000:00:00.2: AMD-Vi: Found IOMMU cap 0x40\n[2.581776] perf/amd_iommu: Detected AMD IOMMU #0 (2 banks, 4 counters/bank).\n
If you have multiple VGA, look for the one that has the Intel in the name. Here, the PCI address of the iGPU is 00:02.0.
For best performance the VM should be configured the Machine type to q35. This will allow the VM to utilize PCI-Express passthrough.
Open the web gui and navigate to the Hardware tab of the VM you want to add a vGPU. Click Add above the device list and then choose PCI Device
Open the Device dropdown and select the iGPU, which you can find using it\u2019s PCI address. This list uses a different format for the PCI addresses id, 00:02.0 is listed as 0000:00:02.0.
Select All Functions, ROM-Bar, PCI-Express and then click Add.
Tip
I've found that the most consistent way to utilize the GPU acceleration is to disable Proxmox's Virtual Graphics card of the vm. The drawback of disabling the Virtual Graphics card is that it will not be able to access the vm via proxmox's vnc console. The workaround is to enable Remote Desktop (RDP) on the VM before disabling the Virtual Graphics card and accessing the VM via RDP or use any other remove desktop client. If you loose the ability to access the VM via RDP you can temporarily remove the GPU PCI Device and re-enable the virtual graphics card
The Windows Virtual Machine Proxmox Setting should look like this:
Power on the Windows Virtual Machine.
Connect to the VM via Remote Desktop (RDP) or any other remote access protocol you prefer. Install the latest version of Intel's Graphics Driver or use the Intel Driver & Support Assistant installer.
If all when well you should see the following output in Device Manager and GPU-Z:
If you have multiple VGA, look for the one that has the Intel in the name. Here, the PCI address of the iGPU is 00:02.0.
Open the Device dropdown and select the iGPU, which you can find using it\u2019s PCI address. This list uses a different format for the PCI addresses id, 00:02.0 is listed as 0000:00:02.0.
Select All Functions, ROM-Bar and then click Add.
The Ubuntu Virtual Machine Proxmox Setting should look like this:
Boot the VM. To test the iGPU passthrough was successful, you can use the following command:
Dbug Messages - Shows Hardware initialization and errors
dmesg -w\n
Display PCI devices information
lspci\n
Display Driver in use for PCI devices
lspci -k\n
Display IOMMU Groups the PCI devices are assigned to
#!/bin/bash\nshopt -s nullglob\nfor g in $(find /sys/kernel/iommu_groups/* -maxdepth 0 -type d | sort -V); do\necho \"IOMMU Group ${g##*/}:\"\nfor d in $g/devices/*; do\necho -e \"\\t$(lspci -nns ${d##*/})\"\ndone;\ndone;\n
Intel Integrated Graphics (iGPU) is a GPU that is integrated into the CPU. The GPU is a part of the CPU and is used to render graphics. Proxmox may be configured to use iGPU split passthrough to VM to allow the VM to use the iGPU for hardware acceleration for example using video encoding/decoding and Transcoding for series like Plex and Emby. This guide will show you how to configure Proxmox to use iGPU passthrough to VM.
Your mileage may vary depending on your hardware. The following guide was tested with Intel Gen8 CPU.
Supported CPUs
iGPU GVT-g Split Passthrough is supported only on Intel's 5th generation to 10th generation CPUs!
Known supported CPU families:
Broadwell
Skylake
Kaby Lake
Coffee Lake
Comet Lake
There are two ways to use iGPU passthrough to VM. The first way is to use the Full iGPU Passthrough to VM. The second way is to use the iGPU GVT-g technology which allows as to split the iGPU into two parts. We will be covering the Split iGPU Passthrough. If you want to use the split Full iGPU Passthrough you can find the guide here.
The following examples uses SSH connection to the Proxmox server. The editor is nano but feel free to use any other editor. We will be editing the grub configuration file.
Edit the grub configuration file.
nano /etc/default/grub\n
Find the line that starts with GRUB_CMDLINE_LINUX_DEFAULT by default they should look like this:
GRUB_CMDLINE_LINUX_DEFAULT=\"quiet\"\n
We want to allow passthrough and Blacklists known graphics drivers to prevent proxmox from utilizing the iGPU.
Your GRUB_CMDLINE_LINUX_DEFAULT should look like this:
This will blacklist most of the graphics drivers from proxmox. If you have a specific driver you need to use for Proxmox Host you need to remove it from modprobe.blacklist
Save and exit the editor.
Update the grub configuration to apply the changes the next time the system boots.
update-grub\n
Next we need to add vfio modules to allow PCI passthrough.
Edit the /etc/modules file.
nano /etc/modules\n
Add the following line to the end of the file:
# Modules required for PCI passthrough\nvfio\nvfio_iommu_type1\nvfio_pci\nvfio_virqfd\n\n# Modules required for Intel GVT-g Split\nkvmgt\n
Save and exit the editor.
Update configuration changes made in your /etc filesystem
update-initramfs -u -k all\n
Reboot Proxmox to apply the changes
Verify that IOMMU is enabled
dmesg | grep -e DMAR -e IOMMU\n
There should be a line that looks like DMAR: IOMMU enabled. If there is no output, something is wrong.
[0.000000] Warning: PCIe ACS overrides enabled; This may allow non-IOMMU protected peer-to-peer DMA\n[0.067203] DMAR: IOMMU enabled\n[2.573920] pci 0000:00:00.2: AMD-Vi: IOMMU performance counters supported\n[2.580393] pci 0000:00:00.2: AMD-Vi: Found IOMMU cap 0x40\n[2.581776] perf/amd_iommu: Detected AMD IOMMU #0 (2 banks, 4 counters/bank).\n
If you have multiple VGA, look for the one that has the Intel in the name.
Here, the PCI address of the iGPU is 00:02.0.
For best performance the VM should be configured the Machine type to q35. This will allow the VM to utilize PCI-Express passthrough.
Open the web gui and navigate to the Hardware tab of the VM you want to add a vGPU. Click Add above the device list and then choose PCI Device
Open the Device dropdown and select the iGPU, which you can find using it\u2019s PCI address. This list uses a different format for the PCI addresses id, 00:02.0 is listed as 0000:00:02.0.
Click Mdev Type, You should be presented with a list of the available split passthrough devices choose the better performing one for the vm.
Select ROM-Bar, PCI-Express and then click Add.
The Windows Virtual Machine Proxmox Setting should look like this:
Power on the Windows Virtual Machine.
Open the VM's Console. Install the latest version of Intel's Graphics Driver or use the Intel Driver & Support Assistant installer.
If all when well you should see the following output in Device Manager and GPU-Z:
That's it! You should now be able to use the iGPU for hardware acceleration inside the VM and still have proxmox's output on the screen.
If you have multiple VGA, look for the one that has the Intel in the name.
Here, the PCI address of the iGPU is 00:02.0.
VM should be configured the Machine type to i440fx. Open the web gui and navigate to the Hardware tab of the VM you want to add a vGPU to. Click Add above the device list and then choose PCI Device
Open the Device dropdown and select the iGPU, which you can find using it\u2019s PCI address. This list uses a different format for the PCI addresses id, 00:02.0 is listed as 0000:00:02.0.
Click Mdev Type, You should be presented with a list of the available split passthrough devices choose the better performing one for the vm.
Select ROM-Bar, and then click Add.
The Ubuntu Virtual Machine Proxmox Setting should look like this:
Boot the VM. To test the iGPU passthrough was successful, you can use the following command:
Dbug Messages - Shows Hardware initialization and errors
dmesg -w\n
Display PCI devices information
lspci\n
Display Driver in use for PCI devices
lspci -k\n
Display IOMMU Groups the PCI devices are assigned to
#!/bin/bash\nshopt -s nullglob\nfor g in $(find /sys/kernel/iommu_groups/* -maxdepth 0 -type d | sort -V); do\necho \"IOMMU Group ${g##*/}:\"\nfor d in $g/devices/*; do\necho -e \"\\t$(lspci -nns ${d##*/})\"\ndone;\ndone;\n
Thanks to @polloloco for creating and maintaining this guide.
Official GitLab repository: polloloco/vgpu-proxmox
", "tags": ["proxmox", "vgpu", "passthrough"]}, {"location": "infrastructure/proxmox/gpu-passthrough/vgpu-split-passthrough/#nvidia-vgpu-with-the-grid", "title": "NVIDIA vGPU with the GRID", "text": "
This document serves as a guide to install NVIDIA vGPU host drivers on the latest Proxmox VE version, at time of writing this its pve 8.0.
You can follow this guide if you have a vGPU supported card from this list, or if you are using a consumer GPU from the GeForce series or a non-vGPU qualified Quadro GPU. There are several sections with a title similar to \"Have a vGPU supported GPU? Read here\" in this document, make sure to read those very carefully as this is where the instructions differ for a vGPU qualified card and a consumer card.
The following consumer/not-vGPU-qualified NVIDIA GPUs can be used with vGPU: - Most GPUs from the Maxwell 2.0 generation (GTX 9xx, Quadro Mxxxx, Tesla Mxx) EXCEPT the GTX 970 - All GPUs from the Pascal generation (GTX 10xx, Quadro Pxxxx, Tesla Pxx) - All GPUs from the Turing generation (GTX 16xx, RTX 20xx, Txxxx)
If you have GPUs from the Ampere and Ada Lovelace generation, you are out of luck, unless you have a vGPU qualified card from this list like the A5000 or RTX 6000 Ada. If you have one of those cards, please consult the NVIDIA documentation for help with setting it up.
!!! THIS MEANS THAT YOUR RTX 30XX or 40XX WILL NOT WORK !!!
This guide and all my tests were done on a RTX 2080 Ti which is based on the Turing architechture.
This tutorial assumes you are using a clean install of Proxmox VE 8.0.
If you are using Proxmox VE 8.0, you MUST use 16.x drivers. Older versions only work with pve 7
If you tried GPU-passthrough before, you absolutely MUST revert all of the steps you did to set that up.
If you only have one GPU in your system with no iGPU, your local monitor will NOT give you any output anymore after the system boots up. Use SSH or a serial connection if you want terminal access to your machine.
Most of the steps can be applied to other linux distributions, however I'm only covering Proxmox VE here.
", "tags": ["proxmox", "vgpu", "passthrough"]}, {"location": "infrastructure/proxmox/gpu-passthrough/vgpu-split-passthrough/#are-you-upgrading-from-a-previous-version-of-this-guide", "title": "Are you upgrading from a previous version of this guide?", "text": "
If you are upgrading from a previous version of this guide, you should uninstall the old driver by running nvidia-uninstall first.
Then you also have to make sure that you are using the latest version of vgpu_unlock-rs, otherwise it won't work with the latest driver.
Either delete the folder /opt/vgpu_unlock-rs or enter the folder and run git pull and then recompile the library again using cargo build --release
If you don't have a card like the Tesla P4, or any other gpu from this list, please continue reading at Enabling IOMMU
Disable the unlock part as doing this on a gpu that already supports vgpu, could break things as it introduces unnecessary complexity and more points of possible failure:
", "tags": ["proxmox", "vgpu", "passthrough"]}, {"location": "infrastructure/proxmox/gpu-passthrough/vgpu-split-passthrough/#enabling-iommu", "title": "Enabling IOMMU", "text": "", "tags": ["proxmox", "vgpu", "passthrough"]}, {"location": "infrastructure/proxmox/gpu-passthrough/vgpu-split-passthrough/#note-usually-this-isnt-required-for-vgpu-to-work-but-it-doesnt-hurt-to-enable-it-you-can-skip-this-section-but-if-you-run-into-problems-later-on-make-sure-to-enable-iommu", "title": "Note: Usually this isn't required for vGPU to work, but it doesn't hurt to enable it. You can skip this section, but if you run into problems later on, make sure to enable IOMMU.", "text": "
To enable IOMMU you have to enable it in your BIOS/UEFI first. Due to it being vendor specific, I am unable to provide instructions for that, but usually for Intel systems the option you are looking for is called something like \"Vt-d\", AMD systems tend to call it \"IOMMU\".
After enabling it in your BIOS/UEFI, you also have to enable it in your kernel. Depending on how your system is booting, there are two ways to do that.
If you installed your system with ZFS-on-root and in UEFI mode, then you are using systemd-boot, everything else is GRUB. GRUB is way more common so if you are unsure, you are probably using that.
Depending on which system you are using to boot, you have to chose from the following two options:
GRUB Open the file `/etc/default/grub` in your favorite editor
nano /etc/default/grub\n
The kernel parameters have to be appended to the variable `GRUB_CMDLINE_LINUX_DEFAULT`. On a clean installation that line should look like this
GRUB_CMDLINE_LINUX_DEFAULT=\"quiet\"\n
If you are using an Intel system, append this after `quiet`:
intel_iommu=on iommu=pt\n
On AMD systems, append this after `quiet`:
amd_iommu=on iommu=pt\n
The result should look like this (for intel systems):
Proxmox comes with the open source nouveau driver for nvidia gpus, however we have to use our patched nvidia driver to enable vGPU. The next line will prevent the nouveau driver from loading
I'm not sure if this is needed, but it doesn't hurt :)
update-initramfs -u -k all\n
...and reboot
reboot\n
", "tags": ["proxmox", "vgpu", "passthrough"]}, {"location": "infrastructure/proxmox/gpu-passthrough/vgpu-split-passthrough/#check-if-iommu-is-enabled", "title": "Check if IOMMU is enabled", "text": "", "tags": ["proxmox", "vgpu", "passthrough"]}, {"location": "infrastructure/proxmox/gpu-passthrough/vgpu-split-passthrough/#note-see-section-enabling-iommu-this-is-optional", "title": "Note: See section \"Enabling IOMMU\", this is optional", "text": "
Wait for your server to restart, then type this into a root shell
dmesg | grep -e DMAR -e IOMMU\n
On my Intel system the output looks like this
[ 0.007235] ACPI: DMAR 0x000000009CC98B68 0000B8 (v01 INTEL BDW 00000001 INTL 00000001)\n[ 0.007255] ACPI: Reserving DMAR table memory at [mem 0x9cc98b68-0x9cc98c1f]\n[ 0.020766] DMAR: IOMMU enabled\n[ 0.062294] DMAR: Host address width 39\n[ 0.062296] DMAR: DRHD base: 0x000000fed90000 flags: 0x0\n[ 0.062300] DMAR: dmar0: reg_base_addr fed90000 ver 1:0 cap c0000020660462 ecap f0101a\n[ 0.062302] DMAR: DRHD base: 0x000000fed91000 flags: 0x1\n[ 0.062305] DMAR: dmar1: reg_base_addr fed91000 ver 1:0 cap d2008c20660462 ecap f010da\n[ 0.062307] DMAR: RMRR base: 0x0000009cc18000 end: 0x0000009cc25fff\n[ 0.062309] DMAR: RMRR base: 0x0000009f000000 end: 0x000000af1fffff\n[ 0.062312] DMAR-IR: IOAPIC id 8 under DRHD base 0xfed91000 IOMMU 1\n[ 0.062314] DMAR-IR: HPET id 0 under DRHD base 0xfed91000\n[ 0.062315] DMAR-IR: x2apic is disabled because BIOS sets x2apic opt out bit.\n[ 0.062316] DMAR-IR: Use 'intremap=no_x2apic_optout' to override the BIOS setting.\n[ 0.062797] DMAR-IR: Enabled IRQ remapping in xapic mode\n[ 0.302431] DMAR: No ATSR found\n[ 0.302432] DMAR: No SATC found\n[ 0.302433] DMAR: IOMMU feature pgsel_inv inconsistent\n[ 0.302435] DMAR: IOMMU feature sc_support inconsistent\n[ 0.302436] DMAR: IOMMU feature pass_through inconsistent\n[ 0.302437] DMAR: dmar0: Using Queued invalidation\n[ 0.302443] DMAR: dmar1: Using Queued invalidation\n[ 0.333474] DMAR: Intel(R) Virtualization Technology for Directed I/O\n[ 3.990175] i915 0000:00:02.0: [drm] DMAR active, disabling use of stolen memory\n
Depending on your mainboard and cpu, the output will be different, in my output the important line is the third one: DMAR: IOMMU enabled. If you see something like that, IOMMU is enabled.
This repo contains patches that allow you to use vGPU on not-qualified-vGPU cards (consumer GPUs). Those patches are binary patches, which means that each patch works ONLY for a specific driver version.
I've created patches for the following driver versions: - 16.2 (535.129.03) - Use this if you are on pve 8.0 (kernel 6.2, 6.5 should work too) - 16.1 (535.104.06) - 16.0 (535.54.06) - 15.1 (525.85.07) - 15.0 (525.60.12) - 14.4 (510.108.03) - 14.3 (510.108.03) - 14.2 (510.85.03)
You can choose which of those you want to use, but generally its recommended to use the latest, most up-to-date version (16.2 in this case).
If you have a vGPU qualified GPU, you can use other versions too, because you don't need to patch the driver. However, you still have to make sure they are compatible with your proxmox version and kernel. Also I would not recommend using any older versions unless you have a very specific requirement.
NVIDIA doesn't let you freely download vGPU drivers like they do with GeForce or normal Quadro drivers, instead you have to download them through the NVIDIA Licensing Portal (see: https://www.nvidia.com/en-us/drivers/vgpu-software-driver/). You can sign up for a free evaluation to get access to the download page.
NB: When applying for an eval license, do NOT use your personal email or other email at a free email provider like gmail.com. You will probably have to go through manual review if you use such emails. I have very good experience using a custom domain for my email address, that way the automatic verification usually lets me in after about five minutes.
I've created a small video tutorial to find the right driver version on the NVIDIA Enterprise Portal. In the video I'm downloading the 15.0 driver, if you want a different one just replace 15.0 with the version you want:
After downloading, extract the zip file and then copy the file called NVIDIA-Linux-x86_64-DRIVERVERSION-vgpu-kvm.run (where DRIVERVERSION is a string like 535.129.03) from the Host_Drivers folder to your Proxmox host into the /root/ folder using tools like FileZilla, WinSCP, scp or rsync.
", "tags": ["proxmox", "vgpu", "passthrough"]}, {"location": "infrastructure/proxmox/gpu-passthrough/vgpu-split-passthrough/#from-here-on-i-will-be-using-the-162-driver-but-the-steps-are-the-same-for-other-driver-versions", "title": "\u26a0\ufe0f From here on, I will be using the 16.2 driver, but the steps are the same for other driver versions", "text": "
For example when I run a command like chmod +x NVIDIA-Linux-x86_64-535.129.03-vgpu-kvm.run, you should replace 535.129.03 with the driver version you are using (if you are using a different one). You can get the list of version numbers here.
Every step where you potentially have to replace the version name will have this warning emoji next to it: \u26a0\ufe0f
The installer will ask you Would you like to register the kernel module sources with DKMS? This will allow DKMS to automatically build a new module, if you install a different kernel later., answer with Yes.
Depending on your hardware, the installation could take a minute or two.
If everything went right, you will be presented with this message.
Installation of the NVIDIA Accelerated Graphics Driver for Linux-x86_64 (version: 535.129.03) is now complete.\n
If this command doesn't return any output, vGPU unlock isn't working.
Another command you can try to see if your card is recognized as being vgpu enabled is this one:
nvidia-smi vgpu\n
If everything worked right with the unlock, the output should be similar to this:
Tue Jan 24 20:21:43 2023\n+-----------------------------------------------------------------------------+\n| NVIDIA-SMI 525.85.07 Driver Version: 525.85.07 |\n|---------------------------------+------------------------------+------------+\n| GPU Name | Bus-Id | GPU-Util |\n| vGPU ID Name | VM ID VM Name | vGPU-Util |\n|=================================+==============================+============|\n| 0 NVIDIA GeForce RTX 208... | 00000000:01:00.0 | 0% |\n+---------------------------------+------------------------------+------------+\n
However, if you get this output, then something went wrong
No supported devices in vGPU mode\n
If any of those commands give the wrong output, you cannot continue. Please make sure to read everything here very carefully and when in doubt, create an issue or join the discord server and ask for help there.
Further up we have created the file /etc/vgpu_unlock/profile_override.toml and I didn't explain what it was for yet. Using that file you can override lots of parameters for your vGPU instances: For example you can change the maximum resolution, enable/disable the frame rate limiter, enable/disable support for CUDA or change the vram size of your virtual gpus.
If we take a look at the output of mdevctl types we see lots of different types that we can choose from. However, if we for example chose GRID RTX6000-4Q which gives us 4GB of vram in a VM, we are locked to that type for all of our VMs. Meaning we can only have 4GB VMs, its not possible to mix different types to have one 4GB VM, and two 2GB VMs.
All of that changes with the override config file. Technically we are still locked to only using one profile, but now its possible to change the vram of the profile on a VM basis so even though we have three GRID RTX6000-4Q instances, one VM can have 4GB or vram but we can override the vram size for the other two VMs to only 2GB.
Lets take a look at this example config override file (its in TOML format)
[profile.nvidia-259]\nnum_displays = 1 # Max number of virtual displays. Usually 1 if you want a simple remote gaming VM\ndisplay_width = 1920 # Maximum display width in the VM\ndisplay_height = 1080 # Maximum display height in the VM\nmax_pixels = 2073600 # This is the product of display_width and display_height so 1920 * 1080 = 2073600\ncuda_enabled = 1 # Enables CUDA support. Either 1 or 0 for enabled/disabled\nfrl_enabled = 1 # This controls the frame rate limiter, if you enable it your fps in the VM get locked to 60fps. Either 1 or 0 for enabled/disabled\nframebuffer = 0x74000000\nframebuffer_reservation = 0xC000000 # In combination with the framebuffer size\n# above, these two lines will give you a VM\n# with 2GB of VRAM (framebuffer + framebuffer_reservation = VRAM size in bytes).\n# See below for some other sizes\n\n[vm.100]\nfrl_enabled = 0\n# You can override all the options from above here too. If you want to add more overrides for a new VM, just copy this block and change the VM ID\n
There are two blocks here, the first being [profile.nvidia-259] and the second [vm.100]. The first one applies the overrides to all VM instances of the nvidia-259 type (thats GRID RTX6000-4Q) and the second one applies its overrides only to one specific VM, that one with the proxmox VM ID 100.
The proxmox VM ID is the same number that you see in the proxmox webinterface, next to the VM name.
You don't have to specify all parameters, only the ones you need/want. There are some more that I didn't mention here, you can find them by going through the source code of the vgpu_unlock-rs repo.
For a simple 1080p remote gaming VM I recommend going with something like this
[profile.nvidia-259] # choose the profile you want here\nnum_displays = 1\ndisplay_width = 1920\ndisplay_height = 1080\nmax_pixels = 2073600\n
Q profiles can give you horrible performance in OpenGL applications/games. To fix that, switch to an equivalent A or B profile (for example GRID RTX6000-4B)
C profiles (for example GRID RTX6000-4C) only work on Linux, don't try using those on Windows, it will not work - at all.
A profiles (for example GRID RTX6000-4A) will NOT work on Linux, they only work on Windows.
framebuffer and framebuffer_reservation will always equal the VRAM size in bytes when added together.
", "tags": ["proxmox", "vgpu", "passthrough"]}, {"location": "infrastructure/proxmox/gpu-passthrough/vgpu-split-passthrough/#adding-a-vgpu-to-a-proxmox-vm", "title": "Adding a vGPU to a Proxmox VM", "text": "
Go to the proxmox webinterface, go to your VM, then to Hardware, then to Add and select PCI Device. You should be able to choose from a list of pci devices. Choose your GPU there, its entry should say Yes in the Mediated Devices column.
Now you should be able to also select the MDev Type. Choose whatever profile you want, if you don't remember which one you want, you can see the list of all available types with mdevctl types.
Finish by clicking Add, start the VM and install the required drivers. After installing the drivers you can shut the VM down and remove the virtual display adapter by selecting Display in the Hardware section and selecting none (none). ONLY do that if you have some other way to access the Virtual Machine like Parsec or Remote Desktop because the Proxmox Console won't work anymore.
Usually a license is required to use vGPU, but luckily the community found several ways around that. Spoofing the vGPU instance to a Quadro GPU used to be very popular, but I don't recommend it anymore. I've also removed the related sections from this guide. If you still want it for whatever reason, you can go back in the commit history to find the instructions on how to use that.
The recommended way to get around the license is to set up your own license server. Follow the instructions here (or here if the other link is down).
Most problems can be solved by reading the instructions very carefully. For some very common problems, read here:
The nvidia driver won't install/load
If you were using gpu passthrough before, revert ALL of the steps you did or start with a fresh proxmox installation. If you run lspci -knnd 10de: and see vfio-pci under Kernel driver in use: then you have to fix that
Make sure that you are using a supported kernel version (check uname -a)
My OpenGL performance is absolute garbage, what can I do?
Read here
mdevctl types doesn't output anything, how to fix it?
Make sure that you don't have unlock disabled if you have a consumer gpu (more information)
If something isn't working, please create an issue or join the Discord server and ask for help in the #proxmox-support channel so that the community can help you.
When asking for help, please describe your problem in detail instead of just saying \"vgpu doesn't work\". Usually a rough overview over your system (gpu, mainboard, proxmox version, kernel version, ...) and full output of dmesg and/or journalctl --no-pager -b 0 -u nvidia-vgpu-mgr.service (\u2190 this only after starting the VM that causes trouble) is helpful. Please also provide the output of uname -a and cat /proc/cmdline
", "tags": ["proxmox", "vgpu", "passthrough"]}, {"location": "infrastructure/proxmox/gpu-passthrough/vgpu-split-passthrough/#do-not-send-me-a-dm-im-not-your-personal-support", "title": "DO NOT SEND ME A DM, I'M NOT YOUR PERSONAL SUPPORT", "text": "", "tags": ["proxmox", "vgpu", "passthrough"]}, {"location": "infrastructure/proxmox/gpu-passthrough/vgpu-split-passthrough/#feed-my-coffee-addiction", "title": "Feed my coffee addiction \u2615", "text": "
If you found this guide helpful and want to support me, please feel free to buy me a coffee. Thank you very much!
Thanks to all these people (in no particular order) for making this project possible - DualCoder for his original vgpu_unlock repo with the kernel hooks - mbilker for the rust version, vgpu_unlock-rs - KrutavShah for the wiki - HiFiPhile for the C version of vgpu unlock - rupansh for the original twelve.patch to patch the driver on kernels >= 5.12 - mbuchel#1878 on the GPU Unlocking discord for fourteen.patch to patch the driver on kernels >= 5.14 - erin-allison for the nvidia-smi wrapper script - LIL'pingu#9069 on the GPU Unlocking discord for his patch to nop out code that NVIDIA added to prevent usage of drivers with a version 460 - 470 with consumer cards
If I forgot to mention someone, please create an issue or let me know otherwise.
By default, Proxmox IPv6 is enabled after installation. This means that the IPv6 stack is active and the host can communicate with other hosts on the same network via IPv6 protocol.
Output of ip addr command:
You can disable IPv6 on Proxmox VE by editing the /etc/default/grub file.
nano /etc/default/grub\n
add ipv6.disable=1 to the end of GRUB_CMDLINE_LINUX_DEFAULT and GRUB_CMDLINE_LINUX line. Don't change the other values at those lines.
", "tags": ["proxmox", "network"]}, {"location": "infrastructure/proxmox/network/proxmox-networking/#example-of-multi-network-interface-server", "title": "Example of Multi Network Interface Server", "text": "
The next examples will be based on the following network nics, ip addr output:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000\nlink/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00\n inet 127.0.0.1/8 scope host lo\n valid_lft forever preferred_lft forever\n2: enp7s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\nlink/ether 18:c0:4d:00:9f:b7 brd ff:ff:ff:ff:ff:ff\n3: enp6s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\nlink/ether 18:c0:4d:00:9f:b9 brd ff:ff:ff:ff:ff:ff\n4: enp12s0f4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master vmbr0 state UP group default qlen 1000\nlink/ether 00:07:43:29:42:c0 brd ff:ff:ff:ff:ff:ff\n5: enp12s0f4d1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\nlink/ether 00:07:43:29:42:c8 brd ff:ff:ff:ff:ff:ff\n6: enp12s0f4d2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\nlink/ether 00:07:43:29:42:d0 brd ff:ff:ff:ff:ff:ff\n7: enp12s0f4d3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\nlink/ether 00:07:43:29:42:d8 brd ff:ff:ff:ff:ff:ff\n8: wlp5s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000\nlink/ether 8c:c6:81:f0:a6:9a brd ff:ff:ff:ff:ff:ff\n9: vmbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000\nlink/ether 00:07:43:29:42:c0 brd ff:ff:ff:ff:ff:ff\n inet 192.168.100.12/24 scope global vmbr0\n valid_lft forever preferred_lft forever\n
In order Identify physical network interfaces corresponding to Network Interfaces name in Proxmox you can follow this guide
Breakdown of the ip addr output:
lo is a loopback interface.
enp7s0 is a 2.5G network interface.
enp6s0 is a 1G network interface.
enp12s0f4 is a 10G network interface.
enp12s0f4d1 is a 10G network interface.
enp12s0f4d2 is a 10G network interface.
enp12s0f4d3 is a 10G network interface.
wlp5s0 is a Wifi network interface
vmbr0 is a bridge interface.
The content of the /etc/network/interfaces after fresh installation:
vmbr0 is a bridge interface. It's used to provision network to virtual machines and containers on Proxmox VE Server. We can assign multiple network interfaces to the bridge interface with bridge-ports option.
Configuring multi network interfaces to the bridge interface will provide you a failover behavior when the network interface is down or disconnected - for example, when specific switch is down.
", "tags": ["proxmox", "network"]}, {"location": "infrastructure/proxmox/network/proxmox-networking/#static-ip-bridge-with-vlan-aware-configuration", "title": "Static IP Bridge with VLAN Aware Configuration", "text": "
The following example shows a static IP as above but with VLAN Aware bridge.
Z-shell (Zsh) is a Unix shell that can be used as an interactive login shell and as a shell scripting command interpreter. Zsh is an enhanced Bourne shell with many enhancements, including some Bash, ksh and tcsh features.
In order to install oh-my-zsh, we need to add 3rd party packages to Synology DSM. Synology Community Packages provides packages for Synology-branded NAS devices.
DSM 6 and below:
Log into your NAS as administrator and go to Main Menu \u2192 Package Center \u2192 Settings and set Trust Level to Synology Inc. and trusted publishers.
In the Package Sources tab, click Add, type SynoCommunity as Name and https://packages.synocommunity.com/ as Location and then press OK to validate.
Go back to the Package Center and enjoy SynoCommunity's packages in the Community tab.
Since synology's dms doesn't provide any auto-backup for it's configuration i've made a smile script that can be run at from the \"Task Scheduler\". The script invokes synoconfbkp cli command that will dump the config file to provided folder. I use dropbox's folder in my case (This will sync my files to DropBox account). It append a date and hostname. It also checks the same folder for files older of 60 days and deletes them so your storage won't be flooded with files from older than 2 month. I've scheduled the script to run ounces a day with the \"Task Scheduler\"
To use it create new Task Scheduler choose a scheduler append the script to \"Run Command\" at \"Task Settings\" don't forget to change to destinations.
", "tags": ["synology"]}, {"location": "infrastructure/synology/disable-dms-listening-on-80-443-ports/", "title": "Free 80,443 Ports On Synology NAS (DSM)", "text": "
Synology NAS (DSM) is a network storage device, with some additional features like native support for virtualization, and docker support. One of the issues is that the default ports 80 and 443 are used by the web server even if you change the default ports of the Synology's DSM to other ports. In some cases, you want to use these ports for other purposes, such as a reverse proxy as an entry point for the web services. The following steps will help you to free the default ports 80 and 443 on the Synology NAS (DSM) for other purposes.
", "tags": ["synology", "NAS", "ports"]}, {"location": "infrastructure/synology/disable-dms-listening-on-80-443-ports/#configure-the-synology-nas-dsm-to-listen-on-other-ports", "title": "Configure the Synology NAS (DSM) to Listen on Other Ports", "text": "
First, you need to configure the Synology NAS (DSM) to listen on other ports then 80, 443.
Login to the Synology NAS (DSM) as administrator user open Control Panel and find Login Portal under System
Under DSM tab, change the DSM port (http) to a different port then 80, and the DSM port (https) to a different port then 443.
Click Save to save the changes. Then, re-login to the Synology NAS (DSM) with the new port as administrator user as we did above.
", "tags": ["synology", "NAS", "ports"]}, {"location": "infrastructure/synology/disable-dms-listening-on-80-443-ports/#disable-the-synology-nas-dsm-to-listen-on-80-443-ports", "title": "Disable the Synology NAS (DSM) to Listen on 80, 443 Ports", "text": "
Synology NAS (DSM) will listen on 80, 443 ports after each reboot. Therefore, the changes will be lost after each reboot. The workaround is to run the a script to free the ports 80, 443 on each time the Synology NAS (DSM) is boots.
The following one liner will free the ports 80, 443 on Nginx web server of the Synology NAS (DSM), until the Synology NAS (DSM) is rebooted. It removes the port 80, 443 from the Nginx config and restarts the Nginx service.
Suggestion: Select the Notification when the task is terminated abnormally.
Click OK. The new task should be created. You can check the task by clicking Run in the Task Scheduler page. Preferred to reboot the Synology NAS (DSM) to make sure the changes are applied at boot.
Synology DSM allows Linux experts to use the SSH terminal. By default you need to log in as a user and then enter \"sudo su root\" can be inconvenient, but there is the option of logging in as root directly.
First, the DSM Control Panel is called up, Extended mode must be activated so that the required icon Terminal & SNMP appears. Under Terminal & SNMP the SSH-Service just can enable.
Connect to Synology dns with your admin user and password. Change user to root with the command \"sudo su\" and enter the Admins's password. Set the root user password with the command below:
sudo synouser -setpw root 'new_root_password'\n
Edit the file /etc/ssh/sshd_config and change the line PermitRootLogin no to PermitRootLogin yes.
As a power user, i would like to be able to connect to my Synology DSM vis SSH. The issue is that Synology DSM won't allow you to use SSH with RSA keys out of the box and only allows you to use SSH with password. In order to allow the use of SSH keys we need to perform the following steps:
I will assume you have already have SSH keys generated, SSH server configured on Synology DSM
Generated SSH keys
SSH server configured on Synology DSM
", "tags": ["synology", "dsm", "ssh", "rsa-keys"]}, {"location": "infrastructure/synology/ssh-with-rsa-key/#allow-user-home-at-dsm-level", "title": "Allow User Home at DSM Level", "text": "
User Home enable to create a personal home folder for each user, except for guest. This will allow as to create user's .ssh folder and authorized_keys file.
Log into Synology web UI as an administrator user
Control Panel -> User & Groups -> Advanced, scroll down to \u201cUser Home\u201d
Check \u201cEnable user home service\u201d, select an appropriate Location (i.e. volume1)
Log in to the NAS through SSH with the user you want to add key authorization for. The following example shows how to add will work for the active user in the SSH session.
First change the permissins of the users home folder to 700
sudo chmod 700 ~\n
Create the .ssh folder and set permissions to 700
mkdir ~/.ssh && chmod 700 ~/.ssh\n
Create the authorized_keys file and set permissions to 644
This will change the GUI to port 8443, disable old cyphers, Only will listen on internal Network. assuming your EdgeRouter IP is 192.168.1.1, if not change it accordingly.
SSH to the Edge Router
configure\nset service gui listen-address 192.168.100.1\nset service gui https-port 8443\nset service gui older-ciphers disable\nset service ssh listen-address 192.168.100.1\nset service ssh protocol-version v2\nset service ubnt-discover disable\ncommit ; save\n
configure\n\nset system offload ipv4 forwarding enable\nset system offload ipv4 gre enable\nset system offload ipv4 pppoe enable\nset system offload ipv4 vlan enable\n\nset system offload ipv6 forwarding enable\nset system offload ipv6 pppoe enable\nset system offload ipv6 vlan enable\n\nset system offload ipsec enable\n\ncommit ; save\n
Disable IPv4/IPv6 and ipsec offloading.
configure\n\nset system offload ipv4 forwarding disable\nset system offload ipv4 gre disable\nset system offload ipv4 pppoe disable\nset system offload ipv4 vlan disable\n\nset system offload ipv6 forwarding disable\nset system offload ipv6 pppoe disable\nset system offload ipv6 vlan disable\n\nset system offload ipsec disable\n\ncommit ; save\n
From the Dashboard, click Add Interface and select VLAN.
Set up the VLAN ID as You like for this example will use id 1003 and attach it to the physical interface of your LAN. Give it an IP address in the range of a private IP block, but make sure you end it in a /24 to specify the proper subnet (I originally did /32 as I though it was supposed to be the exact IP address).
Click on the Services tab. Click Add DHCP Server. Set it up similar to the image below.
Click on the DNS tab under services. Click Add Listen interface and select the VLAN interface. Make sure you hit save.
At this point, you should be able to connect to your Guest Network and connect to the Internet. However, you\u2019ll be able to access the EdgeRouter as well as other devices on your LAN. Next thing you have to do is secure the VLAN.
Click on Firewall/NAT and then click on Add Ruleset. This is for packets coming into the router destined for somewhere else (not the router). Set up the default policy for Accept. Click Save.
From the Actions menu next to the Ruleset, click Interfaces.
Select your VLAN interface and the in direction.
Click Rules and then Add New Rule. Click on Basic and name it LAN. Select Drop as the Action.
Click Destination and enter 10.0.1.0/24 or whatever your LAN IP range is. Then click Save. This will drop all packets from the VLAN destined for your LAN. Save.
Repeat 1 and 2 above (name it GUEST_LOCAL). From the Interface, select the VLAN interface and the local direction. However, set up the default policy as Drop.
If you want to limit your Guest Users Bandwidth, head over to User Groups and create a new user group called Guest. Enter bandwidth limits that are appropriate for your Internet Speed. I used 6000 down and 2500 up.
Now go to the Wireless Networks section and create a new network called \u201cGuest\u201d or whatever you want to call it.
Make sure it is enabled, give it WiFi security key, check the \u201cGuest Policy\u201d option, enter the VLAN Id you used previously and choose the Guest User Group. Save!
Done. Test Your New Guest Wifi by connecting to the Guest Wifi and browse to a website.
This Guide is based on Original guide form ubnt support with modifications to the VPN port and protocol
For the purpose of this article, it is assumed that the routing and interface configurations are already in place and that reachability has been tested.
ssh to the EdgeRouter
Make sure that the date/time is set correctly on the EdgeRouter.
show date\nThu Dec 28 14:35:42 UTC 2017\n
Log in as the root user.
sudo su\n
Generate a Diffie-Hellman (DH) key file and place it in the /config/auth directory. This Will take some time...
If EdgeRouter's Interface is on port 433, you must change it.
set service gui https-port 8443\ncommit ; save\n
Add a firewall rule for the OpenVPN traffic to the local firewall policy.
set firewall name WAN_LOCAL rule 30 action accept\nset firewall name WAN_LOCAL rule 30 description OpenVPN\nset firewall name WAN_LOCAL rule 30 destination port 443\nset firewall name WAN_LOCAL rule 30 protocol tcp\n
Configure the OpenVPN virtual tunnel interface. push-route - the router for vpn connection name-server - default gateway of the route above
", "tags": ["ubiquiti", "edgerouter"]}, {"location": "infrastructure/ubiquiti/edge-router/#edgerouter-free-up-space-by-cleaning-old-firmware", "title": "EdgeRouter Free Up space by Cleaning Old Firmware", "text": "
", "tags": ["ubiquiti", "edgerouter"]}, {"location": "infrastructure/ubiquiti/edge-router/#enable-netflow-on-edgerouter-to-unms", "title": "Enable NetFlow on EdgeRouter to UNMS", "text": "
The most suitable place to enable NetFlow is your Default gateway router. UNMS supports NetFlow version 5 and 9. UNMS only record flow data for IP ranges defined below. Whenever UNMS receives any data from a router, the status of NetFlow changes to Active .
To show interfaces and pick the right interface:\\
show interfaces\n
Example configuration for EdgeRouter:
configure\nset system flow-accounting interface pppoe0\nset system flow-accounting ingress-capture post-dnat\nset system flow-accounting disable-memory-table\nset system flow-accounting netflow server 192.168.1.10 port 2055\nset system flow-accounting netflow version 9\nset system flow-accounting netflow engine-id 0\nset system flow-accounting netflow enable-egress engine-id 1\nset system flow-accounting netflow timeout expiry-interval 60\nset system flow-accounting netflow timeout flow-generic 60\nset system flow-accounting netflow timeout icmp 60\nset system flow-accounting netflow timeout max-active-life 60\nset system flow-accounting netflow timeout tcp-fin 10\nset system flow-accounting netflow timeout tcp-generic 60\nset system flow-accounting netflow timeout tcp-rst 10\nset system flow-accounting netflow timeout udp 60\ncommit\nsave\n
Collection of commands for your Unifi Dream Machine or Dream Machine Pro.
Description UDM/UDM-P SSH Command show DHCP leases (to NSname) cat /mnt/data/udapi-config/dnsmasq.lease show version info show system hardware and installed software ubnt-device-info summary show cpu tempeture ubnt-systool cputemp show fan speed ubnt-fan-speed show uptime uptime show ip route netstat -rt -n show ppp summery pppstats show current user whoami show log cat /var/log/messages show interface summary ifstat show interfaces ifconfig show other Ubiquiti devices on local LAN segment (ubnt-discovery) ubnt-tools ubnt-discover show config (wireless) cat /mnt/data/udapi-config/unifi packet capture tcpdump shutdown poweroff reload reboot show ipsec sa ipsec statusall factory reset factory-reset.sh show system burnt in MAC address ubnt-tools hwaddr show unifi server logs cat /mnt/data/unifi-os/unifi/logs/server.log show unifi server setttings cat /mnt/data/unifi-os/unifi-core/config/settings.yaml show unifi server http logs cat /mnt/data/unifi-os/unifi-core/logs/http.log show unifi server http logs (errors) cat /mnt/data/unifi-os/unifi-core/logs/errors.log show unifi server discovery log cat /mnt/data/unifi-os/unifi-core/logs/discovery.log show unifi system logs cat /mnt/data/unifi-os/unifi-core/logs/system.log Restarts the UnifiOS Web interface /etc/init.d/S95unifios restart show ip arp (show arp) and IPv6 neighbours arp -a OR ip neigh show tunnel interfaces ip tunnel show Show Sensors information sensors Open shell to unifi podman container unifi-os shell tcpdump tcpdump -w", "tags": ["udm", "ubiquiti", "unifi"]}, {"location": "infrastructure/ubiquiti/udm-dream-machine/failover-telegram-notifications/", "title": "UDM WAN Failover Telegram Notifications", "text": "
This script will send a message to a Telegram chat when WAN connection is changed to failover and back to normal.
This script need to run every time the system is rebooted since the UDM overwrites crons every boot. This can be accomplished with a boot script. Flow this guide: UDM / UDMPro Boot Script
", "tags": ["udm", "ubiquiti", "unifi"]}, {"location": "infrastructure/ubiquiti/udm-dream-machine/failover-telegram-notifications/#config", "title": "Config", "text": "Parameters Description telegram_bot_API_Token Telegram Bot API Token telegram_chat_id Chat ID of the Telegram Bot echo_server_ip IP of a server to test what interface is active (Default 1.1.1.1) run_interval Interval to run a failover check (Default 60 seconds)", "tags": ["udm", "ubiquiti", "unifi"]}, {"location": "infrastructure/ubiquiti/udm-dream-machine/failover-telegram-notifications/#uninstall", "title": "Uninstall", "text": "
Delete the UDMP-Failover-Telegram-Notifications folder
When UDM or UDM PRO reboots or the firmawre is updated the custom changes you made will be lost. This Script will allow you to initialize your custom changes on every boot or firmware update. without losing your custom changes.
Allows you to run a shell script at S95 anytime your UDM starts / reboots
Persists through reboot and firmware updates! It is able to do this because Ubiquiti caches all debian package installs on the UDM in /data, then re-installs them on reset of unifi-os container.
This is a force to install script so will uninstall any previous version and install on_boot keeping your on boot files.
This will also install CNI Plugins & CNI Bridge scripts. If you are using UDMSE/UDR remember that you must install podman manually because there is no podman.
UDM will discard any Authorized Keys for SSH every reboot or firmware upgrade. This script will allow you to persist your SSH keys in the UDM and survive reboots.
This script need to run every time the system is rebooted since the /root/.ssh/authorized_keys overwrites every boot. This can be accomplished with a boot script. Flow this guide: UDM / UDMPro Boot Script
Repository Deprecation Notice: This project is now deprecated and archived due to the release of UniFi's firmware v2.x and v3.x for Dream Machnines, which natively fix the fan speed issues.
This repository only works with firmware 1.x. UDM-PRO Please consider upgrading your firmware for improved functionality.
It stops the build in service that monitors the thermal values, fan speed and connection of a HDD/SSD. After that it sets the thermal/fan chip (adt7475) to automatic mode. Once that is done it changes the thermal and fan threshold values specified in the script. If you like, you can change the values to your own preferences.
This will allow to to span a container with podman to handle DDNS updates for main internet IP address. The container will run the background without any system permissions.
WireGuard\u00ae is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It aims to be faster, simpler, leaner, and more useful than IPsec, while avoiding the massive headache. It intends to be considerably more performant than OpenVPN. WireGuard is designed as a general purpose VPN for running on embedded interfaces and super computers alike, fit for many different circumstances. Initially released for the Linux kernel, it is now cross-platform (Windows, macOS, BSD, iOS, Android) and widely deployable. It is currently under heavy development, but already it might be regarded as the most secure, easiest to use, and simplest VPN solution in the industry.
Github Repository: wireguard-vyatta-ubnt
A guide on installing and using the WireGuard kernel module and tools on Ubiquiti UnifiOS routers (UDM, UDR, and UXG).
Extract the files to your data directory and run the setup script.
For the UDM/P or UXG-Pro, extract the files into /mnt/data/wireguard
tar -C /mnt/data -xvf UnifiOS-wireguard.tar.gz\n/mnt/data/wireguard/setup_wireguard.sh\n
For the UDM-SE or UDR, extract the files into /data/wireguard
tar -C /data -xvf UnifiOS-wireguard.tar.gz\n/data/wireguard/setup_wireguard.sh\n
The setup script will load the wireguard module, and setup the symbolic links for the wireguard tools (wg-quick and wg). You can run dmesg to verify the kernel module was loaded. You should see something like the following:
[13540.520120] wireguard: WireGuard 1.0.20210219 loaded. See www.wireguard.com for information.\n[13540.520126] wireguard: Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.\n
Now you should be able to create a wireguard interface. Please see usage below.
The wireguard module and tools included in this package have been tested on the following Ubiquiti devices:
Unifi Dream Machine (UDM) and UDM-Pro 0.5.x, 1.9.x, 1.10.x, 1.11.x.
UDM-SE and Unifi Dream Router (UDR) 2.2.x
UniFi Next-Gen Gateway (UXG-Pro) 1.11.x
Note that for the UDM, UDM Pro, and UXG-Pro, Ubiquiti includes the wireguard module in the official kernel since firmware 1.11.0-14, but doesn't include the WireGuard tools. The setup script in this package will try to load the built-in wireguard module if it exists first.
Read the documentation on WireGuard.com for general WireGuard concepts. Here is a simple example of a wireguard server configuration for UnifiOS.
Create the server and client public/private key pairs by running the following. This will create the files privatekey_server, publickey_server and privatekey_client1, publickey_client1. These contain the public and private keys. Store these files somewhere safe.
wg genkey | tee privatekey_server | wg pubkey > publickey_server\nwg genkey | tee privatekey_client1 | wg pubkey > publickey_client1\n
On your UDM/UDR, create a wireguard config under /etc/wireguard named wg0.conf. Here is an example server config. Remember to use the correct server private key and the client public key.
Adjust AllowedIPs to set what your client should route through the tunnel. Set to 0.0.0.0/0,::/0 to route all the client's Internet through the tunnel. See the WireGuard documentation for more information.
Note each different client requires their own private/public key pair, and the public key must be added to the server's WireGuard config as a separate Peer.
To bring the tunnel up, run wg-quick up <config>. Verify the tunnel received a handshake by running wg.
wg-quick up /etc/wireguard/wg0.conf\n
To bring down the tunnel, run wg-quick down <config>.
wg-quick down /etc/wireguard/wg0.conf\n
In your UniFi Network settings, add a WAN_LOCAL (or Internet Local) firewall rule to ACCEPT traffic destined to UDP port 51820 (or your ListenPort if different). Opening this port in the firewall is needed so remote clients can access the WireGuard server.
The AllowedIPs parameter in the wireguard config allows you to specify which destination subnets to route through the tunnel.
If you want to route router-connected clients through the wireguard tunnel based on source subnet or source VLAN, you need to set up policy-based routing. Currently, there is no GUI support for policy-based routing in UnifiOS, but it can be set up in SSH by using ip route to create a custom routing table, and ip rule to select which clients to route through the custom table.
For a script that makes it easy to set-up policy-based routing rules on UnifiOS, see the split-vpn project.
The setup script must be run every time the system is rebooted to link the wireguard tools and load the module. This can be accomplished with a boot script.
For the UDM or UDM Pro, install UDM Utilities on-boot-script by following the instructions here, then create a boot script under /mnt/data/on_boot.d/99-setup-wireguard.sh and fill it with the following contents. Remember to run chmod +x /mnt/data/on_boot.d/99-setup-wireguard.sh afterwards.
For the UDM-SE or UDR, create a systemd boot service to run the setup script at boot. Create a service file under /etc/systemd/system/setup-wireguard.service and fill it with the following contents. After creating the service, run systemctl daemon-reload && systemctl enable setup-wireguard to enable the service on boot. Click here to see the boot service.
[Unit]\nDescription=Run wireguard setup script\nWants=network.target\nAfter=network.target\n\n[Service]\nType=oneshot\nExecStart=sh -c 'WGDIR=\"$(find /mnt/data/wireguard /data/wireguard -maxdepth 1 -type d -name \"wireguard\" 2>/dev/null | head -n1)\"; \"$WGDIR/setup_wireguard.sh\"'\n\n[Install]\nWantedBy=multi-user.target\n
Note this only adds the setup script to start at boot. If you also want to bring your wireguard interface up at boot, you will need to add another boot script with your wg-quick up command.
", "tags": ["udm", "ubiquiti", "unifi", "wireguard"]}, {"location": "infrastructure/ubiquiti/udm-dream-machine/wireguard-vpn/#troubleshooting", "title": "Troubleshooting", "text": "Setup script returns error \"Unsupported Kernel version XXX\" * The wireguard package does not contain a wireguard module built for your firmware or kernel version, nor is there a built-in module in your kernel. Please open an issue and report your version so we can try to update the module. wg-quick up returns error \"unable to initialize table 'raw'\" * Your kernel does not have the iptables raw module. The raw module is only required if you use `0.0.0.0/0` or `::/0` in your wireguard config's AllowedIPs. A workaround is to instead set AllowedIPs to `0.0.0.0/1,128.0.0.0/1` for IPv4 or `::/1,8000::/1` for IPv6. These subnets cover the same range but do not invoke wg-quick's use of the iptables raw module.", "tags": ["udm", "ubiquiti", "unifi", "wireguard"]}, {"location": "infrastructure/ubiquiti/udm-dream-machine/wireguard-vpn/#credits", "title": "Credits", "text": "
Original work to compile WireGuard on UnifiOS by @tusc (wireguard-kmod).
\"WireGuard\" and the \"WireGuard\" logo are registered trademarks of Jason A. Donenfeld.
", "tags": ["udm", "ubiquiti", "unifi", "wireguard"]}, {"location": "infrastructure/ubiquiti/udm-dream-machine/wireguard-vpn/#the-built-in-gateway-dns-does-not-reply-to-requests-from-the-wireguard-tunnel", "title": "The built-in gateway DNS does not reply to requests from the WireGuard tunnel", "text": "
The built-in dnsmasq on UnifiOS is configured to only listen for requests from specific interfaces. The wireguard interface name (e.g.: wg0) needs to be added to the dnsmasq config so it can respond to requests from the tunnel. You can run the following to add wg0 to the dnsmasq interface list:
If you use your vm as NAT network \"Shared with My Mac\" You can forward a port to your host macOS machine.
The network configuration files are stored their respective folders within the VMware Fusion preferences folder.
/Library/Preferences/VMware\\ Fusion/\n
In order to find the right network config you can inspect the dhcpd.conf inside of vmnet* folders.
cat dhcpd.conf\n
After you found the correct network it should contain a nat.conf file Edit the (with sudo privileges) nat.conf, For UDP protocol edit the section [incomingudp] for TCP protocol edit the [incomingtcp]
In the next example we will forward port 4444 from VM to the 4444 port on the host. You can foreword any port to any port as you like.
After you saved the configuration nat.conf file you must restart VMware's network services
If you want to test the port forwarding is working as it should here's an example of running simple python webserver on the vm on port 4444 we configured before:
python -m SimpleHTTPServer 4444\n
Now you can test it on the Host machine by browsing to http://localhost:4444 or http://127.0.0.1:4444
Ncdu is a disk usage analyzer with an ncurses interface.
apt-get install ncdu\n
", "tags": ["linux", "files-handling"]}, {"location": "linux/files-handling/#delete-large-file-list-argument-list-too-long", "title": "Delete Large File List - Argument list too long", "text": "
find . -name '*'|xargs rm\n
", "tags": ["linux", "files-handling"]}, {"location": "linux/files-handling/#change-permissions-chmod-to-folders-and-files", "title": "Change permissions (chmod) to folders and files", "text": "
find . -type d -exec chmod 755 {} +\nfind . -type f -exec chmod 644 {} +\n
", "tags": ["linux", "files-handling"]}, {"location": "linux/files-handling/#recursively-chown-user-and-group", "title": "Recursively chown user and group", "text": "
^ ^ ^ ^ adds write to group\n | | | adds write to user\n | | adds read to all and execute to all folders (which controls access)\n| sets all to `000`\n
To change sudo password timeout limit in Linux, run:
sudo visudo\n
This command will open the\u00a0/etc/sudoers\u00a0file in\u00a0nano\u00a0editor.
Find the following line:
Defaults env_reset\n
Change it like below the 30 is the number of minutes you want to set the timeout to.
Defaults env_reset, timestamp_timeout=30\n
", "tags": ["linux", "snippets"]}, {"location": "linux/general-snippets/#redirect-output-to-a-file-and-stdout-with-tee", "title": "Redirect Output to a File and Stdout With tee", "text": "
The command you want is named tee:
foo | tee output.file\n
For example, if you only care about stdout:
ls -a | tee output.file\n
If you want to include stderr, do:
program [arguments...] 2>&1 | tee outfile\n
2>&1 redirects channel 2 (stderr/standard error) into channel 1 (stdout/standard output), such that both is written as stdout. It is also directed to the given output file as of the tee command.
Furthermore, if you want to append to the log file, use tee -a as:
less `ls -dx1tr /usr/local/cpanel/logs/cpbackup/*|tail -1`\n
", "tags": ["linux", "snippets"]}, {"location": "linux/general-snippets/#kill-process-that-runs-more-than-x-time", "title": "Kill Process That Runs More Than X Time", "text": "
Kill cgi after 30 secs:
for i in `ps -eo pid,etime,cmd|grep cgi|awk '$2 > \"00:30\" {print $1}'`; do kill $i; done\n
Set the Locale, Find the en_US.UTF-8 in the list and select it, at the following screen select it.
dpkg-reconfigure locales\n
", "tags": ["linux", "locales", "timezone"]}, {"location": "linux/locales-time-zone/#set-system-time-with-time-zone-timedatectl-ntp", "title": "Set System Time With Time Zone (timedatectl ntp)", "text": "
Find your time zone with timedatectl list-timezones use grep for easier results:
", "tags": ["linux", "locales", "timezone"]}, {"location": "linux/lvm-partitions/", "title": "LVM Partitions", "text": "", "tags": ["linux", "lvm"]}, {"location": "linux/lvm-partitions/#removing-lvm-partition-and-merging-in-to-root-partition", "title": "Removing LVM Partition and Merging In To / (root partition)", "text": "
Find out the names of the partition with df
df\n
You need to unmount the partition before you can delete them and marge backup the data of the partition you would like to delete this example will use \"centos-home\" as the partition that will be merged to the root partition.
In Linux, a service is a program that runs in the background and performs a specific function. A daemon is a type of service that also runs in the background and often starts at boot time. These processes can be controlled using the systemctl or service command. Services and daemons are an important part of the Linux operating system, as they provide various functions and services that allow the system to run smoothly. There are many different types of services and daemons that can be found on a typical Linux system, and you can find more information about them in the documentation for your specific distribution.
The systemctl command with the grep command will display a list of all running services and daemons on your Linux system. The grep command will search the output of systemctl for the string \"running\" and only display the lines that contain that string.
systemctl list-unit-files --state=enabled is a command that shows a list of unit files that are currently enabled on the system. The --state option specifies the state of the unit files that you want to see. By using --state=enabled, you will see only unit files that are enabled and will be started automatically when the system boots.
systemctl list-unit-files --state=enabled\n
"}, {"location": "linux/smb-mount-autofs/", "title": "SMB Mount With autofs", "text": "
Install autofs cifs-utils
apt install -y autofs cifs-utils\n
Eddit auto.cifs file
nano /etc/auto.cifs\n
Add this to the file: (\"media\" - is any name for your mount)
media -fstype=cifs,rw,noperm,vers=3.0,credentials=/etc/.credentials.txt ://oscar.3os.re/active-share/media\n
Create credentials file
nano /etc/.credentials.txt\n
Add you credentials for the smb mount:
username=YourUser\npassword=YourPassword\n
Exit and save:
nano /etc/auto.master\n
At the end of the file add: (\"/mnt\" - mount location, /etc/auto.cifs your config for mounting the SMB Share)
/mnt /etc/auto.cifs --timeout=600 --ghost\n
Save end exit. Test the mounting.
systemctl start autofs\ncd /mnt/media/\nls\n
You should see the mount over there. Enable autofs on boot:
systemctl enable autofs\n
", "tags": ["smb", "share", "autofs", "mount"]}, {"location": "linux/smb-mount-autofs/#smb-mount-on-linux-with-credentials", "title": "SMB Mount on Linux With Credentials", "text": "
Servers usually have a number of physical network interfaces. The network interfaces names in linux host usually won't tell you much about the which physical network interface corresponds to the interface name. Therefor, it creates a problem when you want to use a specific network interface for a specific purpose but you don't know which physical network interface corresponds to the interface name.
ethtool tool can be used to identify the physical network interface corresponding to a network interface name.
For this method to work, you need a physical accessto host's network cards and the physical network interfaces should have Led indicator lights.
Note
This functionality of ethtool may not be supported by all server or network card hardware.
ethtool usually isn't installed by default on a linux host. You can install it by running the following command (debian example):
apt install ethtool\n
Find the network interfaces present on the host and run the following command for each network interface:
ip addr\n
or
ifconfig -a\n
Now you can use the ethtool command to identify the physical network interface corresponding to the network interface name.
Example for eth0 network interface name:
ethtool --identify eth0\n
This command will run untill you stop it. When it's running, you should see the LED indicator light blinking (usually orange) on the physical network interface corresponding to the network interface name.
To get information about the hardware capabilities of the network interface:
ethtool eth0\n
output example:
ethtool enp12s0f4\n\nSettings for enp12s0f4:\n Supported ports: [ FIBRE ]\nSupported link modes: 1000baseT/Full\n 10000baseT/Full\n Supported pause frame use: Symmetric Receive-only\n Supports auto-negotiation: No\n Supported FEC modes: None\n Advertised link modes: 10000baseT/Full\n Advertised pause frame use: Symmetric\n Advertised auto-negotiation: No\n Advertised FEC modes: None\n Link partner advertised link modes: Not reported\n Link partner advertised pause frame use: Symmetric\n Link partner advertised auto-negotiation: No\n Link partner advertised FEC modes: None\n Speed: 10000Mb/s\n Duplex: Full\n Auto-negotiation: off\n Port: Direct Attach Copper\n PHYAD: 255\nTransceiver: internal\n Current message level: 0x000000ff (255)\ndrv probe link timer ifdown ifup rx_err tx_err\n Link detected: yes\n
", "tags": ["linux", "network"]}, {"location": "linux/ubuntu-debian/disable-ipv6/", "title": "Disable IPv6 on Ubuntu and Debian Linux Permanently", "text": "
By default, Ubuntu/Debian IPv6 is enabled after installation. This means that the IPv6 stack is active and the host can communicate with other hosts on the same network via IPv6 protocol.
You can disable Ubuntu/Debian by editing the /etc/default/grub file.
nano /etc/default/grub\n
add ipv6.disable=1 to the end of GRUB_CMDLINE_LINUX_DEFAULT and GRUB_CMDLINE_LINUX line. Don't change the other values at those lines.
", "tags": ["ubuntu", "debian", "ipv6"]}, {"location": "linux/ubuntu-debian/free-port-53/", "title": "Free Port 53 on Ubuntu", "text": "", "tags": ["Ubuntu", "dns"]}, {"location": "linux/ubuntu-debian/free-port-53/#whats-using-port-53", "title": "What's Using Port 53?", "text": "
When you install Ubuntu (in my case its Server version). It uses systemd-resolved as internal DNS Forwarder.
systemd-resolved is a system service that provides network name resolution to local applications. It implements a caching and validating DNS/DNSSEC stub resolver, as well as an LLMNR resolver and responder.
", "tags": ["Ubuntu", "dns"]}, {"location": "linux/ubuntu-debian/free-port-53/#how-to-free-port-53-on-ubuntu", "title": "How to Free Port 53 on Ubuntu", "text": "
If we want to use port 53 for other purposes, we need to free it for example a Pihole DNS server.
We can do it with the following commands:
sudo sed -r -i.orig 's/#?DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf\nsudo sh -c 'rm /etc/resolv.conf && ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf'\nsudo systemctl restart systemd-resolved\n
", "tags": ["Ubuntu", "dns"]}, {"location": "linux/ubuntu-debian/remove-snap-store/", "title": "Remove Snap Store from Ubuntu", "text": "", "tags": ["ubuntu"]}, {"location": "linux/ubuntu-debian/remove-snap-store/#what-is-snap", "title": "What Is Snap?", "text": "
Snap is a cross-platform packaging and deployment system developed by Canonical, the makers of Ubuntu, for the Linux platform. It's compatible with most major Linux distros, including Ubuntu, Debian, Arch Linux, Fedora, CentOS, and Manjaro.
Unattended-Upgrade::Allowed-Origins {\n\"${distro_id}:${distro_codename}\";\n\"${distro_id}:${distro_codename}-security\";\n// Extended Security Maintenance; doesn't necessarily exist for\n// every release and this system may not have it installed, but if\n// available, the policy for updates is such that unattended-upgrades\n// should also install from here by default.\n\"${distro_id}ESMApps:${distro_codename}-apps-security\";\n\"${distro_id}ESM:${distro_codename}-infra-security\";\n\"${distro_id}:${distro_codename}-updates\";\n\"${distro_id}:${distro_codename}-proposed\";\n// \"${distro_id}:${distro_codename}-backports\";\n};\n\nUnattended-Upgrade::DevRelease \"auto\";\nUnattended-Upgrade::AutoFixInterruptedDpkg \"true\";\nUnattended-Upgrade::MinimalSteps \"true\";\nUnattended-Upgrade::InstallOnShutdown \"false\";\n//Unattended-Upgrade::Mail \"\";\n//Unattended-Upgrade::MailReport \"on-change\";\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\nUnattended-Upgrade::Remove-New-Unused-Dependencies \"true\";\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\nUnattended-Upgrade::Automatic-Reboot \"true\";\nUnattended-Upgrade::Automatic-Reboot-WithUsers \"true\";\nUnattended-Upgrade::Automatic-Reboot-Time \"06:00\";\n//Acquire::http::Dl-Limit \"70\";\n// Unattended-Upgrade::SyslogEnable \"false\";\n// Unattended-Upgrade::SyslogFacility \"daemon\";\n// Unattended-Upgrade::OnlyOnACPower \"true\";\n// Unattended-Upgrade::Skip-Updates-On-Metered-Connections \"true\";\n// Unattended-Upgrade::Verbose \"false\";\n// Unattended-Upgrade::Debug \"false\";\n// Unattended-Upgrade::Allow-downgrade \"false\";\n
Unattended-Upgrade::Origins-Pattern {\n// Codename based matching:\n// This will follow the migration of a release through different\n// archives (e.g. from testing to stable and later oldstable).\n// Software will be the latest available for the named release,\n// but the Debian release itself will not be automatically upgraded.\n\"origin=Debian,codename=${distro_codename}-updates\";\n// \"origin=Debian,codename=${distro_codename}-proposed-updates\";\n\"origin=Debian,codename=${distro_codename},label=Debian\";\n\"origin=Debian,codename=${distro_codename},label=Debian-Security\";\n\n// Archive or Suite based matching:\n// Note that this will silently match a different release after\n// migration to the specified archive (e.g. testing becomes the\n// new stable).\n// \"o=Debian,a=stable\";\n// \"o=Debian,a=stable-updates\";\n// \"o=Debian,a=proposed-updates\";\n// \"o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports\";\n};\n\nUnattended-Upgrade::DevRelease \"auto\";\nUnattended-Upgrade::AutoFixInterruptedDpkg \"true\";\nUnattended-Upgrade::MinimalSteps \"true\";\nUnattended-Upgrade::InstallOnShutdown \"false\";\n//Unattended-Upgrade::Mail \"\";\n//Unattended-Upgrade::MailReport \"on-change\";\nUnattended-Upgrade::Remove-Unused-Kernel-Packages \"true\";\nUnattended-Upgrade::Remove-New-Unused-Dependencies \"true\";\nUnattended-Upgrade::Remove-Unused-Dependencies \"true\";\nUnattended-Upgrade::Automatic-Reboot \"true\";\nUnattended-Upgrade::Automatic-Reboot-WithUsers \"true\";\nUnattended-Upgrade::Automatic-Reboot-Time \"06:00\";\n// Acquire::http::Dl-Limit \"70\";\n// Unattended-Upgrade::SyslogEnable \"false\";\n// Unattended-Upgrade::SyslogFacility \"daemon\";\n// Unattended-Upgrade::OnlyOnACPower \"true\";\n// Unattended-Upgrade::Skip-Updates-On-Metered-Connections \"true\";\n// Unattended-Upgrade::Verbose \"false\";\n// Unattended-Upgrade::Debug \"false\";\n// Unattended-Upgrade::Allow-downgrade \"false\";\n
Automatic call via /etc/apt/apt.conf.d/20auto-upgrades
", "tags": ["ubuntu"]}, {"location": "mac-os/applications-tweaks/", "title": "Applications Tweaks", "text": "", "tags": ["macOS"]}, {"location": "mac-os/applications-tweaks/#running-multi-instances-of-an-application", "title": "Running Multi Instances of an Application", "text": "
Launch the Script Editor choose temporary folder
Copy the command to be executed to the Script Editor
do shell script \"open -n <path to application>\"\n
Example
do shell script \"open -n /Applications/'Visual Studio Code.app'\"
File > Export
Use the following settings:
Export As: Your New Application Name
Where: Applications
File Format: Application
Change The Icon of Your New Application:
In Finder got to Applications folder. Right Click on the new Your New Application application we just created and click Get Info. Drug the original application icon (or any other) to the in the left corner of the \"get info\" menu.
Copy the command to be executed to the Script Editor
do shell script \"/Applications/Firefox.app/Contents/MacOS/firefox -ProfileManager &> /dev/null &\"\n
File > Export
Use the following settings:
Save As: Firefox Profile Manager
Where: Applications
File Format: Application
Change The Icon of Your New Firefox Profile Manager Application:
In Finder got to Applications folder. Right Click on the new Firefox Profile Manager application we just created and click Get Info. Drug the original application to the icon in the left corner of the \"get info\" menu.
", "tags": ["macOS"]}, {"location": "mac-os/enable-root-user/", "title": "Enable or Disable the Root User on macOS", "text": "
Mac administrators can use the root user account to perform tasks that require access to more areas of the system.
The user account named \u201droot\u201d is a superuser with read and write privileges to more areas of the system, including files in other macOS user accounts. The root user is disabled by default. If you can log in to your Mac with an administrator account, you can enable the root user, then log in as the root user to complete your task.
", "tags": ["macOS"]}, {"location": "mac-os/enable-root-user/#how-to-enable-the-root-user", "title": "How to Enable the Root User", "text": "
System Preferences > Users & Groups Click lock icon, enter an administrator name and password. Click Login Options. Click Join at Newotk Account Server.
Click Open Directory Utility.
Click lock icon in the Directory Utility window, then enter an administrator name and password.
From the menu bar in Directory Utility: Choose Edit > Enable Root User, then enter the password that you want to use for the root user. Or choose Edit > Disable Root User.
", "tags": ["macOS"]}, {"location": "mac-os/enable-root-user/#how-to-disable-the-root-user", "title": "How to Disable the Root User", "text": "
To Disable the Root User repeat the steps above, but change the last step to Disable Root User.
", "tags": ["macOS"]}, {"location": "mac-os/enable-root-user/#login-as-the-root-user", "title": "Login as The Root User", "text": "
When the root user is enabled, you have the privileges of the root user only while logged in as the root user.
Logout of your current account, then log in as the root user. user name \u201droot\u201d and the password you created for the root user.
First, you need to add the keys to the keychain with the following steps:
Copy your ed25519, ed25519.pub / id_rsa, id_rsa.pub to ~/.ssh/ folder
Store the key in the MacOS Keychain
ed25519 KeyRSA Key
ssh-add --apple-use-keychain ~/.ssh/ed25519\n
ssh-add --apple-use-keychain ~/.ssh/id_rsa\n
Enter your key passphrase. You won't be asked for it again.
List all keys in the keychain:
ssh-add -l\n
", "tags": ["macos"]}, {"location": "mac-os/import-ssh-keys-keychain/#configure-ssh-to-always-use-the-keychain", "title": "Configure SSH to always use the keychain", "text": "
If you haven't already, create an ~/.ssh/config file. In other words, in the .ssh directory in your home dir, make a file called config.
At ~/.ssh/config file, add the following lines at the top of the config:
The UseKeychain yes is the key part, which tells SSH to look in your macOS keychain for the key passphrase.
That's it! Next time you load any ssh connection, it will try the private keys you've specified, and it will look for their passphrase in the macOS keychain. No passphrase typing required.
A much safer replacement of shell rm with ALMOST FULL features of the origin rm command.
Initially developed on Mac OS X, then tested on Linux.
Using safe-rm, the files or directories you choose to remove will move to $HOME/.Trash instead of simply deleting them. You could put them back whenever you want manually.
If a file or directory with the same name already exists in the Trash, the name of newly-deleted items will be ended with the current date and time.
Reboot your Mac into Recovery Mode by restarting your computer and holding down Command+R until the Apple logo appears on your screen. Click Utilities > Terminal. In the Terminal window, type in:
Status:
csrutil status\n
Disable:
csrutil disable\n
Enable:
csrutil enable\n
Press Enter and restart your Mac.
", "tags": ["macos"]}, {"location": "mac-os/terminal-snippets/#installing-rbenv-ruby-send-box-ruby-alternative-to-the-one-that-macos-uses", "title": "Installing rbenv (ruby send box) - Ruby alternative to the one that macOS uses", "text": "
Install rbenv with brew
brew install rbenv\n
Add eval \"$(rbenv init -)\" to the end of ~/.zshrc or ~/.bash_profile
Install a ruby version
rbenv install 2.3.1\n
Select a ruby version by rbenv
rbenv global 2.3.1\n
Open a new terminal window
Verify that the right gem folder is being used with gem env home(should report something in your user folder not system wide)
", "tags": ["macos"]}, {"location": "mac-os/terminal-snippets/#list-listening-ports-and-programs-and-users-netstat-like", "title": "List listening Ports and Programs and Users (netstat like)", "text": "
Go to iTerm Preferences \u2192 Profiles, select your profile, then the Keys tab. click Load Preset... and choose Natural Text Editing.
Remove the Right Arrow Before the Cursor Line
you can turn it off by going in to Preferences > Profiles > (your profile) > Terminal, scroll down to Shell Integration, and turn off Show mark indicators.
Apple devices such Macbooks and some Apple Magic Keyboards have a fingerprint - Touch ID scanner that can be used to authenticate a user with a touch of a finger. This functionality isn't available when using sudo to run commands. You have to enter your password every time you run commands with high privileges.
We can enable TouchID for sudo with a simple config change. This will allow you to use Touch ID to authenticate with sudo without entering your password including the authentication with Apple Watch.
Display Link - Known Issue
As of the writing of this article, the Display Link Driver will privent the use of Touch ID for sudo when using the Display link device. It will work when the Display Link device isn't connected. This is a known issue.
", "tags": ["macOS"]}, {"location": "mac-os/ui-tweaks/#set-the-same-view-options-for-all-finder-windows", "title": "Set the Same View Options for all Finder windows", "text": "
First, we want to set the default view options for all new Finder windows. To do so, open Finder and click on the view setting that you want to use. The settings are four icons and the top of your Finder window. If you don't see the Finder toolbar type:
cmd + option + t\n
After selecting the option you want, type:
cmd + j\n
to open the view options window.
Make sure you check the top two checkboxes that say Always open in list view and Browse in list view. Keep in mind it will reflect whichever view you've selected.
Now click the button at the bottom that says \"Use as Defaults\".
", "tags": ["macOS"]}, {"location": "mac-os/ui-tweaks/#delete-all-ds_store-files-on-your-computer", "title": "Delete all .DS_Store files on your computer", "text": "
Chances are you've opened some Finder windows in the past. Individual folder options will override this default setting that we just set.
In order reset your folder settings across the entire machine we have to delete all .DS_Store files. This will ensure that all folders start fresh. Open up the Terminal application (Applications/Utilities/Terminal), and type:
Brewup script is a Bash script that uses Homebrew - The Missing Package Manager for macOS as it's base. Brewup uses GitHub as a \"backup\" of a config file which contains all installed Taps, Formulas, Casks and App Store Apps at your macOS. It also allows the use of Github main function of retaining changes so you can always look up for the package that were installed sometime ago and you just forgot what is was exactly.
Visit as at 3os.org for more guides and tips for macOS
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the \"Software\"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Using and developing with Python on macOS sometimes may be frustrating...
The reason for that is that macOS uses Python 2 for its core system with pip as a package manager. When Xcode Command Line Tools are installed Python 3 and pip3 package manager will be available at the cli. When using Python2, Python3 and their package managers this way, all the packages will be installed at the system level and my effect the native packages and their dependences , this can break or lead to unwanted bugs in OS.
The right way to use python at macOS is to use Virtual Environments for python. This way all the system related versions of python and their packages won't be affected and use by you.
In order to use pyenv, pyenv-virtualenv without conflicting with the native macOS python we need to add some configuration to our ~/.zshrc config (for mac os catalina) or your bash config if you are still using bash.
It's very imported to maintain the order of the configuration for the loading order
First of all we need to include your Executable Paths. In the example we added all the common paths, including the paths for pyenv, pyenv-virtualenv. If you have any other path that you use, you can add them at the same line or create a new line below this one.
Second to Executable Paths we will add two if statements that will check if the pyenv,pyenv-virtualenv are installed, if they are it will load them. If they aren't and you are using the same zsh or bash config it will ignore loading them
Third is a fix for brew, brew doctor. When using this method it may conflict with brew as it uses python as well. If you run run brew doctor without the fix, it will show config warnings related to the python configuration files.
Configuration for ~/.zshrc or ~/.zprofile
# Executable Paths\n## Global\nexport PATH=\"/usr/local/bin:/usr/local/sbin:/Users/${USER}/.local/bin:/usr/bin:/usr/sbin:/bin:/sbin:$PATH\"\n\n## Curl\nexport PATH=\"/opt/homebrew/opt/curl/bin:$PATH\"\nexport LDFLAGS=\"-L/opt/homebrew/opt/curl/lib\"\nexport CPPFLAGS=\"-I/opt/homebrew/opt/curl/include\"\nexport PKG_CONFIG_PATH=\"/opt/homebrew/opt/curl/lib/pkgconfig\"\n\n# pyenv, pyenv-virtualenv\n## Initiating pyenv and fix Brew Doctor: \"Warning: \"config\" scripts exist outside your system or Homebrew directories\"\nif which pyenv >/dev/null; then\n eval \"$(pyenv init --path)\"\n alias brew='env PATH=${PATH//$(pyenv root)\\/shims:/} brew'\nfi\n\n## Initiating pyenv-virtualenv\nif which pyenv-virtualenv-init >/dev/null; then\n eval \"$(pyenv virtualenv-init -)\"\nfi\n
After you saved your configuration the best way to load it is to close your terminal session and open it again. This will load the session with your updated configuration. There should be no errors at the new session.
This will install both pyenv and pyenv-virtualenv
brew install pyenv-virtualenv\n
Test if pyenv loaded currently
pyenv -v\n
After the installation we would like to set a system level python version, you can chose the default from the list available from the pyenv
List available Python Version and find the version suited for your needs:
pyenv install --list\n
Install Requeued Python Version (Exmaple version 3.9.5) as a default system
pyenv install 3.9.5\n
Set it as global
pyenv global 3.9.5\n
You can install multiply versions of python at the same time.
List all installed python versions and virtual environments and their python versions
pyenv versions\n
Now let's test our system Python version we set before, it should be the version you choose as Global before
python -V\n
So far we cleaned your system and installed and configured pyenv, pyenv-virtualenv.
", "tags": ["maco", "python"]}, {"location": "mac-os/python/pyenv-virtualenv/#how-to-use-pyenv-virtualenv", "title": "How to use pyenv-virtualenv", "text": "
Now let's understand how to use Python Virtual Environment with pyenv-virtualenv
Full documentation can be found at the original repo at git hub: pyenv-virtualenv github
We will list here some basic examples for a quick start and basic understanding
To create a virtualenv for the Python version used with pyenv, run pyenv virtualenv, specifying the Python version you want and the name of the virtualenv directory. For example,
pyenv virtualenv 3.9.5 my-project-name\n
This will create a virtualenv based on Python 3.9.5 under $(pyenv root)/versions in a folder called my-project-name
Activating virtualenv automatically for project
The best way we found to activate the virtualenv at your project is to link the projects directory to the virtualenv.
cd to the project's directory and link the virtualenv for example my-project-name virtualenv
pyenv local my-project-name\n
This will activate the linked virtualenv every time you cd to this directory automatically From now you can use pip to install any packages you need for your project, the location of the installed packages will be at $(pyenv root)/versions/
Activating virtualenv manually for project
You can also activate and deactivate a pyenv virtualenv manually:
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/gobuster-cheatsheet/#available-modes", "title": "Available Modes", "text": "Switch Description dir the classic directory brute-forcing mode dns DNS subdomain brute-forcing mode s3 Enumerate open S3 buckets and look for existence and bucket listings vhost irtual host brute-forcing mode (not the same as DNS!)", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/gobuster-cheatsheet/#global-flags", "title": "Global Flags", "text": "Short Switch Long Switch Description -z --no-progress Don't display progress -o --output string Output file to write results to (defaults to stdout) -q --quiet Don't print the banner and other noise -t --threads int Number of concurrent threads (default 10) -i --show-ips Show IP addresses --delay duration DNS resolver timeout (default 1s) -v, --verbose Verbose output (errors) -w --wordlist string Path to the wordlist", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/gobuster-cheatsheet/#dns-mode-options", "title": "DNS Mode Options", "text": "Short Switch Long Switch Description -h, --help help for dns -d, --domain string The target domain -r, --resolver string Use custom DNS server (format server.com or server.com:port) -c, --show-cname Show CNAME records (cannot be used with '-i' option) -i, --show-ips Show IP addresses --timeout duration DNS resolver timeout (default 1s)", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/gobuster-cheatsheet/#dir-mode-options", "title": "DIR Mode Options", "text": "Short Switch Long Switch Description -h, --help help for dir -f, --add-slash Append / to each request -c, --cookies string Cookies to use for the requests -e, --expanded Expanded mode, print full URLs -x, --extensions string File extension(s) to search for -r, --follow-redirect Follow redirects -H, --headers stringArray Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2' -l, --include-length Include the length of the body in the output -k, --no-tls-validation Skip TLS certificate verification -n, --no-status Don't print status codes -P, --password string Password for Basic Auth -p, --proxy string Proxy to use for requests [http(s)://host:port] -s, --status-codes string Positive status codes (will be overwritten with status-codes-blacklist if set) (default \"200,204,301,302,307,401,403\") -b, --status-codes-blacklist string Negative status codes (will override status-codes if set) --timeout duration HTTP Timeout (default 10s) -u, --url string The target URL -a, --useragent string Set the User-Agent string (default \"gobuster/3.1.0\") -U, --username string Username for Basic Auth -d, --discover-backup Upon finding a file search for backup files --wildcard Force continued operation when wildcard found", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/gobuster-cheatsheet/#vhost-mode-options", "title": "vhost Mode Options", "text": "Short Switch Long Switch Description -h --help help for vhost -c --cookies string Cookies to use for the requests -r --follow-redirect Follow redirects -H --headers stringArray Specify HTTP headers, -H 'Header1: val1' -H 'Header2: val2' -k --no-tls-validation Skip TLS certificate verification -P --password string Password for Basic Auth -p --proxy string Proxy to use for requests [http(s)://host:port] --timeout duration HTTP Timeout (default 10s) -u --url string The target URL -a --useragent string Set the User-Agent string (default \"gobuster/3.1.0\") -U --username string Username for Basic Auth", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/nmap-cheatsheet/", "title": "Nmap CheatSheet", "text": "", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/nmap-cheatsheet/#common-nmap-commands", "title": "Common Nmap Commands", "text": "
Aggressive scan, single host, TCP SYN, :
nmap -n -sS -p- -T4 -Pn -A -v 192.168.1.1\n
Ping Scan - Host discovery in subnet
nmap -sn -v 192.168.0.0/24\n
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/nmap-cheatsheet/#target-specification", "title": "Target Specification", "text": "Switch Description Example nmap 192.168.1.1 Scan a single IP nmap 192.168.1.1 192.168.2.1 Scan specific IPs nmap scanme.nmap.org Scan a range nmap scanme.nmap.org Scan a domain nmap 192.168.1.0/24 Scan using CIDR notation -iL nmap -iL targets.txt Scan targets from a file -iR nmap -iR 100 Scan 100 random hosts --exclude nmap --exclude 192.168.1.1 Exclude listed hosts", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/nmap-cheatsheet/#scan-techniques", "title": "Scan Techniques", "text": "Switch Example Description -sS nmap 192.168.1.1 -sS TCP SYN port scan (Default) -sT nmap 192.168.1.1 -sT TCP connect port scan (Default without root privilege) -sU nmap 192.168.1.1 -sU UDP port scan -sA nmap 192.168.1.1 -sA TCP ACK port scan -sW nmap 192.168.1.1 -sW TCP Window port scan -sM nmap 192.168.1.1 -sM TCP Maimon port scan", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/nmap-cheatsheet/#host-discovery", "title": "Host Discovery", "text": "Switch Description Example -sL nmap 192.168.1.1-3 -sL No Scan. List targets only -sn nmap 192.168.1.1/24 -sn Disable port scanning. Host discovery only. -Pn nmap 192.168.1.1-5 -Pn Disable host discovery. Port scan only. -PS nmap 192.168.1.1-5 -PS22-25,80 TCP SYN discovery on port x.Port 80 by default -PA nmap 192.168.1.1-5 -PA22-25,80 TCP ACK discovery on port x.Port 80 by default -PU nmap 192.168.1.1-5 -PU53 UDP discovery on port x.Port 40125 by default -PR nmap 192.168.1.1-1/24 -PR ARP discovery on local network -n nmap 192.168.1.1 -n Never do DNS resolution", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/nmap-cheatsheet/#port-specification", "title": "Port Specification", "text": "Switch Description Example -p nmap 192.168.1.1 -p 21 Port scan for port x -p nmap 192.168.1.1 -p 21-100 Port range -p nmap 192.168.1.1 -p U:53,T:21-25,80 Port scan multiple TCP and UDP ports -p nmap 192.168.1.1 -p- Port scan all ports -p nmap 192.168.1.1 -p http,https Port scan from service name -F nmap 192.168.1.1 -F Fast port scan (100 ports) --top-ports nmap 192.168.1.1 --top-ports 2000 Port scan the top x ports -p-65535 nmap 192.168.1.1 -p-65535 Leaving off initial port in range makes the scan start at port 1 -p0- nmap 192.168.1.1 -p0- Leaving off end port in rangemakes the scan go through to port 65535", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/nmap-cheatsheet/#service-and-version-detection", "title": "Service and Version Detection", "text": "Switch Description Example -sV nmap 192.168.1.1 -sV Attempts to determine the version of the service running on port -sV --version-intensity nmap 192.168.1.1 -sV --version-intensity 8 Intensity level 0 to 9. Higher number increases possibility of correctness -sV --version-light nmap 192.168.1.1 -sV --version-light Enable light mode. Lower possibility of correctness. Faster -sV --version-all nmap 192.168.1.1 -sV --version-all Enable intensity level 9. Higher possibility of correctness. Slower -A nmap 192.168.1.1 -A Enables OS detection, version detection, script scanning, and traceroute", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/nmap-cheatsheet/#os-detection", "title": "OS Detection", "text": "Switch Description Example -O nmap 192.168.1.1 -O Remote OS detection using TCP/IP stack fingerprinting -O --osscan-limit nmap 192.168.1.1 -O --osscan-limit If at least one open and one closed TCP port are not found it will not try OS detection against host -O --osscan-guess nmap 192.168.1.1 -O --osscan-guess Makes Nmap guess more aggressively -O --max-os-tries nmap 192.168.1.1 -O --max-os-tries 1 Set the maximum number x of OS detection tries against a target -A nmap 192.168.1.1 -A Enables OS detection, version detection, script scanning, and traceroute", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/nmap-cheatsheet/#timing-and-performance", "title": "Timing and Performance", "text": "Switch Description Example -T0 nmap 192.168.1.1 -T0 Paranoid (0) Intrusion DetectionSystem evasion -T1 nmap 192.168.1.1 -T1 Sneaky (1) Intrusion Detection Systemevasion -T2 nmap 192.168.1.1 -T2 Polite (2) slows down the scan to useless bandwidth and use less target machine resources -T3 nmap 192.168.1.1 -T3 Normal (3) which is default speed -T4 nmap 192.168.1.1 -T4 Aggressive (4) speeds scans; assumes you are on a reasonably fast and reliable network -T5 nmap 192.168.1.1 -T5 Insane (5) speeds scan; assumes you are on an extraordinarily fast network -------- -------- ------------------------------------------------------------------------------------------- --host-timeout 1s; 4m; 2h Give up on target after this long --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout 1s; 4m; 2h Specifies probe round trip time --min-hostgroup/max-hostgroup <size 50; 1024 Parallel host scan group sizes --min-parallelism/max-parallelism 10; 1 Probe parallelization --scan-delay/--max-scan-delay 20ms; 2s; 4m; 5h Adjust delay between probes --max-retries 3 Specify the maximum number of port scan probe retransmissions --min-rate 100 Send packets no slower than per second --max-rate 100 Send packets no faster than per second", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/nmap-cheatsheet/#nse-scripts", "title": "NSE Scripts", "text": "Switch Description Example -sC nmap 192.168.1.1 -sC Scan with default NSE scripts. Considered useful for discovery and safe --script default nmap 192.168.1.1 --script default Scan with default NSE scripts. Considered useful for discovery and safe --script nmap 192.168.1.1 --script=banner Scan with a single script. Example banner --script nmap 192.168.1.1 --script=http* Scan with a wildcard. Example http --script nmap 192.168.1.1 --script=http,banner Scan with two scripts. Example http and banner --script nmap 192.168.1.1 --script \"not intrusive\" Scan default, but remove intrusive scripts --script-args nmap --script snmp-sysdescr --script-args snmpcommunity=admin 192.168.1.1 NSE script with arguments", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/nmap-cheatsheet/#useful-nse-script-examples", "title": "Useful NSE Script Examples", "text": "Command Description nmap -Pn --script=http-sitemap-generator scanme.nmap.org http site map generator nmap -n -Pn -p 80 --open -sV -vvv --script banner,http-title -iR 1000 Fast search for random web servers nmap -Pn --script=dns-brute domain.com Brute forces DNS hostnames guessing subdomains nmap -n -Pn -vv -O -sV --script smb-enum,smb-ls,smb-mbenum,smb-os-discovery,smb-s,smb-vuln,smbv2 -vv 192.168.1.1 Safe SMB scripts to run nmap --script whois* domain.com Whois query nmap -p80 --script http-unsafe-output-escaping scanme.nmap.org Detect cross site scripting vulnerabilities nmap -p80 --script http-sql-injection scanme.nmap.org Check for SQL injections", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/nmap-cheatsheet/#firewall-ids-evasion-and-spoofing", "title": "Firewall / IDS Evasion and Spoofing", "text": "Switch Description Example -f nmap 192.168.1.1 -f Requested scan (including ping scans) use tiny fragmented IP packets. Harder for packet filters --mtu nmap 192.168.1.1 --mtu 32 Set your own offset size -D nmap -D 192.168.1.101,192.168.1.102, 192.168.1.103,192.168.1.23 192.168.1.1 Send scans from spoofed IPs -D nmap -D decoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip Above example explained -S nmap -S www.microsoft.com www.facebook.com Scan Facebook from Microsoft (-e eth0 -Pn may be required) -g nmap -g 53 192.168.1.1 Use given source port number --proxies nmap --proxies http://192.168.1.1:8080, http://192.168.1.2:8080 192.168.1.1 Relay connections through HTTP/SOCKS4 proxies --data-length nmap --data-length 200 192.168.1.1 Appends random data to sent packets", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/nmap-cheatsheet/#example-ids-evasion-command", "title": "Example IDS Evasion command", "text": "
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/nmap-cheatsheet/#output", "title": "Output", "text": "Switch Description Example -oN nmap 192.168.1.1 -oN normal.file Normal output to the file normal.file -oX nmap 192.168.1.1 -oX xml.file XML output to the file xml.file -oG nmap 192.168.1.1 -oG grep.file Grepable output to the file grep.file -oA nmap 192.168.1.1 -oA results Output in the three major formats at once -oG - nmap 192.168.1.1 -oG - Grepable output to screen. -oN -, -oX - also usable --append-output nmap 192.168.1.1 -oN file.file --append-output Append a scan to a previous scan file -v nmap 192.168.1.1 -v Increase the verbosity level (use -vv or more for greater effect) -d nmap 192.168.1.1 -d Increase debugging level (use -dd or more for greater effect) --reason nmap 192.168.1.1 --reason Display the reason a port is in a particular state, same output as -vv --open nmap 192.168.1.1 --open Only show open (or possibly open) ports --packet-trace nmap 192.168.1.1 -T4 --packet-trace Show all packets sent and received --iflist nmap --iflist Shows the host interfaces and routes --resume nmap --resume results.file Resume a scan", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/nmap-cheatsheet/#helpful-nmap-output-examples", "title": "Helpful Nmap Output examples", "text": "
Scan for web servers and grep to show which IPs are running web servers
This article is focused on providing application security testing professionals with a guide to assist in Cross Site Scripting testing. The initial contents of this article were donated to OWASP by RSnake, from his seminal XSS CheatSheet, which was at: http://ha.ckers.org/xss.html. That site now redirects to its new home here, where we plan to maintain and enhance it. The very first OWASP Prevention CheatSheet, the Cross Site Scripting Prevention CheatSheet, was inspired by RSnake's XSS CheatSheet, so we can thank RSnake for our inspiration. We wanted to create short, simple guidelines that developers could follow to prevent XSS, rather than simply telling developers to build apps that could protect against all the fancy tricks specified in rather complex attack CheatSheet, and so the OWASP CheatSheet Series was born.
This CheatSheet lists a series of XSS attacks that can be used to bypass certain XSS defensive filters. Please note that input filtering is an incomplete defense for XSS which these tests can be used to illustrate.
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/xss-cheatsheet/#basic-xss-test-without-filter-evasion", "title": "Basic XSS Test Without Filter Evasion", "text": "
This is a normal XSS JavaScript injection, and most likely to get caught but I suggest trying it first (the quotes are not required in any modern browser so they are omitted here):
The following is a \"polygot test XSS payload.\" This test will execute in multiple contexts including html, script string, js and url. Thank you to Gareth Heyes for this contribution.
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/xss-cheatsheet/#image-xss-using-the-javascript-directive", "title": "Image XSS Using the JavaScript Directive", "text": "
Image XSS using the JavaScript directive (IE7.0 doesn't support the JavaScript directive in context of an image, but it does in other contexts, but the following show the principles that would work in other tags as well:
<img src=\"javascript:alert('XSS');\" />\n
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/xss-cheatsheet/#no-quotes-and-no-semicolon", "title": "No Quotes and no Semicolon", "text": "
If you need to use both double and single quotes you can use a grave accent to encapsulate the JavaScript string - this is also useful because lots of cross site scripting filters don't know about grave accents:
or Chrome loves to replace missing quotes for you... if you ever get stuck just leave them off and Chrome will put them in the right place and fix your missing quotes on a URL or script.
Originally found by Begeek (but cleaned up and shortened to work in all browsers), this XSS vector uses the relaxed rendering engine to create our XSS vector within an IMG tag that should be encapsulated within quotes. I assume this was originally meant to correct sloppy coding. This would make it significantly more difficult to correctly parse apart an HTML tags:
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/xss-cheatsheet/#default-src-tag-to-get-past-filters-that-check-src-domain", "title": "Default SRC Tag to Get Past Filters that Check SRC Domain", "text": "
This will bypass most SRC domain filters. Inserting javascript in an event method will also apply to any HTML tag type injection that uses elements like Form, Iframe, Input, Embed etc. It will also allow any relevant event for the tag type to be substituted like onblur, onclick giving you an extensive amount of variations for many injections listed here. Submitted by David Cross .
<img src=\"#\" onmouseover=\"alert('xxs')\" />\n
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/xss-cheatsheet/#default-src-tag-by-leaving-it-empty", "title": "Default SRC Tag by Leaving it Empty", "text": "
<img src=\"onmouseover\" =\"alert('xxs')\" />\n
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/xss-cheatsheet/#default-src-tag-by-leaving-it-out-entirely", "title": "Default SRC Tag by Leaving it out Entirely", "text": "
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/xss-cheatsheet/#decimal-html-character-references", "title": "Decimal HTML Character References", "text": "
All of the XSS examples that use a javascript: directive inside of an <IMG tag will not work in Firefox or Netscape 8.1+ in the Gecko rendering engine mode).
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/xss-cheatsheet/#decimal-html-character-references-without-trailing-semicolons", "title": "Decimal HTML Character References Without Trailing Semicolons", "text": "
This is often effective in XSS that attempts to look for \"&#XX;\", since most people don't know about padding - up to 7 numeric characters total. This is also useful against people who decode against strings like \\(tmp_string =\\~ s/.\\*\\\\&\\#(\\\\d+);.\\*/\\)1/; which incorrectly assumes a semicolon is required to terminate a html encoded string (I've seen this in the wild):
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/xss-cheatsheet/#hexadecimal-html-character-references-without-trailing-semicolons", "title": "Hexadecimal HTML Character References Without Trailing Semicolons", "text": "
This is also a viable XSS attack against the above string \\(tmp_string=\\~ s/.\\*\\\\&\\#(\\\\d+);.\\*/\\)1/; which assumes that there is a numeric character following the pound symbol - which is not true with hex HTML characters).
Some websites claim that any of the chars 09-13 (decimal) will work for this attack. That is incorrect. Only 09 (horizontal tab), 10 (newline) and 13 (carriage return) work. See the ascii chart for more details. The following four XSS examples illustrate this vector:
(Note: with the above I am making these strings longer than they have to be because the zeros could be omitted. Often I've seen filters that assume the hex and dec encoding has to be two or three characters. The real rule is 1-7 characters.):
Null chars also work as XSS vectors but not like above, you need to inject them directly using something like Burp Proxy or use %00 in the URL string or if you want to write your own injection tool you can either use vim (^V^@ will produce a null) or the following program to generate it into a text file. Okay, I lied again, older versions of Opera (circa 7.11 on Windows) were vulnerable to one additional char 173 (the soft hypen control char). But the null char %00 is much more useful and helped me bypass certain real world filters with a variation on this example:
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/xss-cheatsheet/#spaces-and-meta-chars-before-the-javascript-in-images-for-xss", "title": "Spaces and Meta Chars Before the JavaScript in Images for XSS", "text": "
This is useful if the pattern match doesn't take into account spaces in the word javascript: -which is correct since that won't render- and makes the false assumption that you can't have a space between the quote and the javascript: keyword. The actual reality is you can have any char from 1-32 in decimal:
The Firefox HTML parser assumes a non-alpha-non-digit is not valid after an HTML keyword and therefor considers it to be a whitespace or non-valid token after an HTML tag. The problem is that some XSS filters assume that the tag they are looking for is broken up by whitespace. For example \\<SCRIPT\\\\s != \\<SCRIPT/XSS\\\\s:
Based on the same idea as above, however,expanded on it, using Rnake fuzzer. The Gecko rendering engine allows for any character other than letters, numbers or encapsulation chars (like quotes, angle brackets, etc...) between the event handler and the equals sign, making it easier to bypass cross site scripting blocks. Note that this also applies to the grave accent char as seen here:
Yair Amit brought this to my attention that there is slightly different behavior between the IE and Gecko rendering engines that allows just a slash between the tag and the parameter with no spaces. This could be useful if the system does not allow spaces.
Submitted by Franz Sedlmaier, this XSS vector could defeat certain detection engines that work by first using matching pairs of open and close angle brackets and then by doing a comparison of the tag inside, instead of a more efficient algorythm like Boyer-Moore that looks for entire string matches of the open angle bracket and associated tag (post de-obfuscation, of course). The double slash comments out the ending extraneous bracket to supress a JavaScript error:
In Firefox and Netscape 8.1 in the Gecko rendering engine mode you don't actually need the \\></SCRIPT> portion of this Cross Site Scripting vector. Firefox assumes it's safe to close the HTML tag and add closing tags for you. How thoughtful! Unlike the next one, which doesn't effect Firefox, this does not require any additional HTML below it. You can add quotes if you need to, but they're not needed generally, although beware, I have no idea what the HTML will end up looking like once this is injected:
This particular variant was submitted by \u0141ukasz Pilorz and was based partially off of Ozh's protocol resolution bypass below. This cross site scripting example works in IE, Netscape in IE rendering mode and Opera if you add in a </SCRIPT> tag at the end. However, this is especially useful where space is an issue, and of course, the shorter your domain, the better. The \".j\" is valid, regardless of the encoding type because the browser knows it in context of a SCRIPT tag.
Unlike Firefox the IE rendering engine doesn't add extra data to you page, but it does allow the javascript: directive in images. This is useful as a vector because it doesn't require a close angle bracket. This assumes there is any HTML tag below where you are injecting this cross site scripting vector. Even though there is no close \">\" tag the tags below it will close it. A note: this does mess up the HTML, depending on what HTML is beneath it. It gets around the following NIDS regex: /((\\\\%3D)|(=))\\[^\\\\n\\]\\*((\\\\%3C)|\\<)\\[^\\\\n\\]+((\\\\%3E)|\\>)/ because it doesn't require the end \">\". As a side note, this was also affective against a real world XSS filter I came across using an open ended <IFRAME tag instead of an <IMG tag:
Using an open angle bracket at the end of the vector instead of a close angle bracket causes different behavior in Netscape Gecko rendering. Without it, Firefox will work but Netscape won't:
When the application is written to output some user information inside of a JavaScript like the following: <SCRIPT>var a=\"$ENV{QUERY\\_STRING}\";</SCRIPT> and you want to inject your own JavaScript into it but the server side application escapes certain quotes you can circumvent that by escaping their escape character. When this gets injected it will read <SCRIPT>var a=\"\\\\\\\\\";alert('XSS');//\";</SCRIPT> which ends up un-escaping the double quote and causing the Cross Site Scripting vector to fire. The XSS locator uses this method.:
`\\\";alert('XSS');//`\n
An alternative, if correct JSON or Javascript escaping has been applied to the embedded data but not HTML encoding, is to finish the script block and start your own:
Fairly esoteric issue dealing with embedding images for bulleted lists. This will only work in the IE rendering engine because of the JavaScript directive. Not a particularly useful cross site scripting vector:
Method doesn't require using any variants of javascript: or <SCRIPT... to accomplish the XSS attack). Dan Crowley additionally noted that you can put a space before the equals sign (onload= != onload =):
It can be used in similar XSS attacks to the one above (this is the most comprehensive list on the net, at the time of this writing). Thanks to Rene Ledosquet for the HTML+TIME updates.
FSCommand() (attacker can use this when executed from within an embedded Flash object)
onAbort() (when user aborts the loading of an image)
onActivate() (when object is set as the active element)
onAfterPrint() (activates after user prints or previews print job)
onAfterUpdate() (activates on data object after updating data in the source object)
onBeforeActivate() (fires before the object is set as the active element)
onBeforeCopy() (attacker executes the attack string right before a selection is copied to the clipboard - attackers can do this with the execCommand(\"Copy\") function)
onBeforeCut() (attacker executes the attack string right before a selection is cut)
onBeforeDeactivate() (fires right after the activeElement is changed from the current object)
onBeforeEditFocus() (Fires before an object contained in an editable element enters a UI-activated state or when an editable container object is control selected)
onBeforePaste() (user needs to be tricked into pasting or be forced into it using the execCommand(\"Paste\") function)
onBeforePrint() (user would need to be tricked into printing or attacker could use the print() or execCommand(\"Print\") function).
onBeforeUnload() (user would need to be tricked into closing the browser - attacker cannot unload windows unless it was spawned from the parent)
onBeforeUpdate() (activates on data object before updating data in the source object)
onBegin() (the onbegin event fires immediately when the element's timeline begins)
onBlur() (in the case where another popup is loaded and window looses focus)
onBounce() (fires when the behavior property of the marquee object is set to \"alternate\" and the contents of the marquee reach one side of the window)
onCellChange() (fires when data changes in the data provider)
onChange() (select, text, or TEXTAREA field loses focus and its value has been modified)
onClick() (someone clicks on a form)
onContextMenu() (user would need to right click on attack area)
onControlSelect() (fires when the user is about to make a control selection of the object)
onCopy() (user needs to copy something or it can be exploited using the execCommand(\"Copy\") command)
onCut() (user needs to copy something or it can be exploited using the execCommand(\"Cut\") command)
onDataAvailable() (user would need to change data in an element, or attacker could perform the same function)
onDataSetChanged() (fires when the data set exposed by a data source object changes)
onDataSetComplete() (fires to indicate that all data is available from the data source object)
onDblClick() (user double-clicks a form element or a link)
onDeactivate() (fires when the activeElement is changed from the current object to another object in the parent document)
onDrag() (requires that the user drags an object)
onDragEnd() (requires that the user drags an object)
onDragLeave() (requires that the user drags an object off a valid location)
onDragEnter() (requires that the user drags an object into a valid location)
onDragOver() (requires that the user drags an object into a valid location)
onDragDrop() (user drops an object (e.g. file) onto the browser window)
onDragStart() (occurs when user starts drag operation)
onDrop() (user drops an object (e.g. file) onto the browser window)
onEnd() (the onEnd event fires when the timeline ends.
onError() (loading of a document or image causes an error)
onErrorUpdate() (fires on a databound object when an error occurs while updating the associated data in the data source object)
onFilterChange() (fires when a visual filter completes state change)
onFinish() (attacker can create the exploit when marquee is finished looping)
onFocus() (attacker executes the attack string when the window gets focus)
onFocusIn() (attacker executes the attack string when window gets focus)
onFocusOut() (attacker executes the attack string when window looses focus)
onHashChange() (fires when the fragment identifier part of the document's current address changed)
onHelp() (attacker executes the attack string when users hits F1 while the window is in focus)
onInput() (the text content of an element is changed through the user interface)
onKeyDown() (user depresses a key)
onKeyPress() (user presses or holds down a key)
onKeyUp() (user releases a key)
onLayoutComplete() (user would have to print or print preview)
onLoad() (attacker executes the attack string after the window loads)
onLoseCapture() (can be exploited by the releaseCapture() method)
onMediaComplete() (When a streaming media file is used, this event could fire before the file starts playing)
onMediaError() (User opens a page in the browser that contains a media file, and the event fires when there is a problem)
onMessage() (fire when the document received a message)
onMouseDown() (the attacker would need to get the user to click on an image)
onMouseEnter() (cursor moves over an object or area)
onMouseLeave() (the attacker would need to get the user to mouse over an image or table and then off again)
onMouseMove() (the attacker would need to get the user to mouse over an image or table)
onMouseOut() (the attacker would need to get the user to mouse over an image or table and then off again)
onMouseOver() (cursor moves over an object or area)
onMouseUp() (the attacker would need to get the user to click on an image)
onMouseWheel() (the attacker would need to get the user to use their mouse wheel)
onMove() (user or attacker would move the page)
onMoveEnd() (user or attacker would move the page)
onMoveStart() (user or attacker would move the page)
onOffline() (occurs if the browser is working in online mode and it starts to work offline)
onOnline() (occurs if the browser is working in offline mode and it starts to work online)
onOutOfSync() (interrupt the element's ability to play its media as defined by the timeline)
onPaste() (user would need to paste or attacker could use the execCommand(\"Paste\") function)
onPause() (the onpause event fires on every element that is active when the timeline pauses, including the body element)
onPopState() (fires when user navigated the session history)
onProgress() (attacker would use this as a flash movie was loading)
onPropertyChange() (user or attacker would need to change an element property)
onReadyStateChange() (user or attacker would need to change an element property)
onRedo() (user went forward in undo transaction history)
onRepeat() (the event fires once for each repetition of the timeline, excluding the first full cycle)
onReset() (user or attacker resets a form)
onResize() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
onResizeEnd() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
onResizeStart() (user would resize the window; attacker could auto initialize with something like: <SCRIPT>self.resizeTo(500,400);</SCRIPT>)
onResume() (the onresume event fires on every element that becomes active when the timeline resumes, including the body element)
onReverse() (if the element has a repeatCount greater than one, this event fires every time the timeline begins to play backward)
onRowsEnter() (user or attacker would need to change a row in a data source)
onRowExit() (user or attacker would need to change a row in a data source)
onRowDelete() (user or attacker would need to delete a row in a data source)
onRowInserted() (user or attacker would need to insert a row in a data source)
onScroll() (user would need to scroll, or attacker could use the scrollBy() function)
onSeek() (the onreverse event fires when the timeline is set to play in any direction other than forward)
onSelect() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand(\"SelectAll\");)
onSelectionChange() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand(\"SelectAll\");)
onSelectStart() (user needs to select some text - attacker could auto initialize with something like: window.document.execCommand(\"SelectAll\");)
onStart() (fires at the beginning of each marquee loop)
onStop() (user would need to press the stop button or leave the webpage)
onStorage() (storage area changed)
onSyncRestored() (user interrupts the element's ability to play its media as defined by the timeline to fire)
onSubmit() (requires attacker or user submits a form)
onTimeError() (user or attacker sets a time property, such as dur, to an invalid value)
onTrackChange() (user or attacker changes track in a playList)
onUndo() (user went backward in undo transaction history)
onUnload() (as the user clicks any link or presses the back button or attacker forces a click)
onURLFlip() (this event fires when an Advanced Streaming Format (ASF) file, played by a HTML+TIME (Timed Interactive Multimedia Extensions) media tag, processes script commands embedded in the ASF file)
seekSegmentTime() (this is a method that locates the specified point on the element's segment time line and begins playing from that point. The segment consists of one repetition of the time line including reverse play using the AUTOREVERSE attribute.)
Using something as simple as a remote style sheet you can include your XSS as the style parameter can be redefined using an embedded expression. This only works in IE and Netscape 8.1+ in IE rendering engine mode. Notice that there is nothing on the page to show that there is included JavaScript. Note: With all of these remote style sheet examples they use the body tag, so it won't work unless there is some content on the page other than the vector itself, so you'll need to add a single letter to the page to make it work if it's an otherwise blank page:
This works the same as above, but uses a <STYLE> tag instead of a <LINK> tag). A slight variation on this vector was used to hack Google Desktop. As a side note, you can remove the end </STYLE> tag if there is HTML immediately after the vector to close it. This is useful if you cannot have either an equals sign or a slash in your cross site scripting attack, which has come up at least once in the real world:
This only works in Opera 8.0 (no longer in 9.x) but is fairly tricky. According to RFC2616 setting a link header is not part of the HTTP1.1 spec, however some browsers still allow it (like Firefox and Opera). The trick here is that I am setting a header (which is basically no different than in the HTTP header saying Link: <http://xss.rocks/xss.css>; REL=stylesheet) and the remote style sheet with my cross site scripting vector is running the JavaScript, which is not supported in FireFox:
This only works in Gecko rendering engines and works by binding an XUL file to the parent page. I think the irony here is that Netscape assumes that Gecko is safer and therefor is vulnerable to this for the vast majority of sites:
This is really a hybrid of the above XSS vectors, but it really does show how hard STYLE tags can be to parse apart, like above this can send IE into a loop:
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/xss-cheatsheet/#anonymous-html-with-style-attribute", "title": "Anonymous HTML with STYLE Attribute", "text": "
IE6.0 and Netscape 8.1+ in IE rendering engine mode don't really care if the HTML tag you build exists or not, as long as it starts with an open angle bracket and a letter:
This is a little different than the above two cross site scripting vectors because it uses an .htc file which must be on the same server as the XSS vector. The example file works by pulling in the JavaScript and running it as part of the style attribute:
US-ASCII encoding (found by Kurt Huwig).This uses malformed ASCII encoding with 7 bits instead of 8. This XSS may bypass many content filters but only works if the host transmits in US-ASCII encoding, or if you set the encoding yourself. This is more useful against web application firewall cross site scripting evasion than it is server side filter evasion. Apache Tomcat is the only known server that transmits in US-ASCII encoding.
The odd thing about meta refresh is that it doesn't send a referrer in the header - so it can be used for certain types of attacks where you need to get rid of referring URLs:
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/xss-cheatsheet/#div-background-image-plus-extra-characters", "title": "DIV Background-image Plus Extra Characters", "text": "
Rnaske built a quick XSS fuzzer to detect any erroneous characters that are allowed after the open parenthesis but before the JavaScript directive in IE and Netscape 8.1 in secure site mode. These are in decimal but you can include hex and add padding of course. (Any of the following chars can be used: 1-32, 34, 39, 160, 8192-8.13, 12288, 65279):
Only works in IE5.0 and later and Netscape 8.1 in IE rendering engine mode). Some websites consider anything inside a comment block to be safe and therefore does not need to be removed, which allows our Cross Site Scripting vector. Or the system could add comment tags around something to attempt to render it harmless. As we can see, that probably wouldn't do the job:
Works in IE and Netscape 8.1 in safe mode. You need the // to comment out the next characters so you won't get a JavaScript error and your XSS tag will render. Also, this relies on the fact that the website uses dynamically placed images like images/image.jpg rather than full paths. If the path includes a leading forward slash like /images/image.jpg you can remove one slash from this vector (as long as there are two to begin the comment this will work):
If they allow objects, you can also inject virus payloads to infect the users, etc. and same with the APPLET tag). The linked file is actually an HTML file that can contain your XSS:
This example only works in Firefox, but it's better than the above vector in Firefox because it does not require the user to have Flash turned on or installed. Thanks to nEUrOO for this one.
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/xss-cheatsheet/#locally-hosted-xml-with-embedded-javascript-that-is-generated-using-an-xml-data-island", "title": "Locally hosted XML with embedded JavaScript that is generated using an XML data island", "text": "
This is the same as above but instead referrs to a locally hosted (must be on the same server) XML file that contains your cross site scripting vector. You can see the result here:
This is how Grey Magic hacked Hotmail and Yahoo!. This only works in Internet Explorer and Netscape 8.1 in IE rendering engine mode and remember that you need to be between HTML and BODY tags for this to work:
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/xss-cheatsheet/#assuming-you-can-only-fit-in-a-few-characters-and-it-filters-against-js", "title": "Assuming you can only fit in a few characters and it filters against .js", "text": "
You can rename your JavaScript file to an image as an XSS vector:
This requires SSI to be installed on the server to use this XSS vector. I probably don't need to mention this, but if you can run commands on the server there are no doubt much more serious issues:
Requires PHP to be installed on the server to use this XSS vector. Again, if you can run any scripts remotely like this, there are probably much more dire issues:
This works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc.... This is one of the lesser used but more useful XSS vectors:
This is more scary because there are absolutely no identifiers that make it look suspicious other than it is not hosted on your own domain. The vector uses a 302 or 304 (others work too) to redirect the image back to a command. So a normal <IMG SRC=\"httx://badguy.com/a.jpg\"> could actually be an attack vector to run commands as the user who views the image link. Here is the .htaccess (under Apache) line to accomplish the vector (thanks to Timo for part of this):
Admittedly this is pretty obscure but I have seen a few examples where <META is allowed and you can use it to overwrite cookies. There are other examples of sites where instead of fetching the username from a database it is stored inside of a cookie to be displayed only to the user who visits the page. With these two scenarios combined you can modify the victim's cookie which will be displayed back to them as JavaScript (you can also use this to log people out or change their user states, get them to log in as you, etc...):
If the page that the XSS resides on doesn't provide a page charset header, or any browser that is set to UTF-7 encoding can be exploited with the following (Thanks to Roman Ivanov for this one). Click here for an example (you don't need the charset statement if the user's browser is set to auto-detect and there is no overriding content-types on the page in Internet Explorer and Netscape 8.1 in IE rendering engine mode). This does not work in any modern browser without changing the encoding type which is why it is marked as completely unsupported. Watchfire found this hole in Google's custom 404 script.:
", "tags": ["penetration-testing", "tools", "cheatsheet"]}, {"location": "penetration-testing/cheatsheets/xss-cheatsheet/#xss-using-html-quote-encapsulation", "title": "XSS Using HTML Quote Encapsulation", "text": "
This was tested in IE, your mileage may vary. For performing XSS on sites that allow <SCRIPT> but don't allow <SCRIPT SRC... by way of a regex filter /\\<script\\[^\\>\\]+src/i:
For performing XSS on sites that allow <SCRIPT> but don't allow \\<script src... by way of a regex filter /\\<script((\\\\s+\\\\w+(\\\\s\\*=\\\\s\\*(?:\"(.)\\*?\"|'(.)\\*?'|\\[^'\"\\>\\\\s\\]+))?)+\\\\s\\*|\\\\s\\*)src/i (this is an important one, because I've seen this regex in the wild):
Another XSS to evade the same filter, /\\<script((\\\\s+\\\\w+(\\\\s\\*=\\\\s\\*(?:\"(.)\\*?\"|'(.)\\*?'|\\[^'\"\\>\\\\s\\]+))?)+\\\\s\\*|\\\\s\\*)src/i:
Yet another XSS to evade the same filter, /\\<script((\\\\s+\\\\w+(\\\\s\\*=\\\\s\\*(?:\"(.)\\*?\"|'(.)\\*?'|\\[^'\"\\>\\\\s\\]+))?)+\\\\s\\*|\\\\s\\*)src/i. I know I said I wasn't goint to discuss mitigation techniques but the only thing I've seen work for this XSS example if you still want to allow <SCRIPT> tags but not remote script is a state machine (and of course there are other ways to get around this if they allow <SCRIPT> tags):
And one last XSS attack to evade, /\\<script((\\\\s+\\\\w+(\\\\s\\*=\\\\s\\*(?:\"(.)\\*?\"|'(.)\\*?'|\\[^'\"\\>\\\\s\\]+))?)+\\\\s\\*|\\\\s\\*)src/i using grave accents (again, doesn't work in Firefox):
Here's an XSS example that bets on the fact that the regex won't catch a matching pair of quotes but will rather find any quotes to terminate a parameter string improperly:
The total size of each number allowed is somewhere in the neighborhood of 240 total characters as you can see on the second digit, and since the hex number is between 0 and F the leading zero on the third hex quotet is not required):
Let's mix and match base encoding and throw in some tabs and newlines - why browsers allow this, I'll never know). The tabs and newlines only work if this is encapsulated with quotes:
// translates to http:// which saves a few more bytes. This is really handy when space is an issue too (two less characters can go a long way) and can easily bypass regex like (ht|f)tp(s)?:// (thanks to Ozh for part of this one). You can also change the // to \\\\\\\\. You do need to keep the slashes in place, however, otherwise this will be interpreted as a relative path URL.
Firefox uses Google's \"feeling lucky\" function to redirect the user to any keywords you type in. So if your exploitable page is the top for some random keyword (as you see here) you can use that feature against any Firefox user. This uses Firefox's keyword: protocol. You can concatenate several keywords by using something like the following keyword:XSS+RSnake for instance. This no longer works within Firefox as of 2.0.
This uses a very tiny trick that appears to work Firefox only, because of it's implementation of the \"feeling lucky\" function. Unlike the next one this does not work in Opera because Opera believes that this is the old HTTP Basic Auth phishing attack, which it is not. It's simply a malformed URL. If you click okay on the dialogue it will work, but as a result of the erroneous dialogue box I am saying that this is not supported in Opera, and it is no longer supported in Firefox as of 2.0:
This uses a malformed URL that appears to work in Firefox and Opera only, because if their implementation of the \"feeling lucky\" function. Like all of the above it requires that you are #1 in Google for the keyword in question (in this case \"google\"):
When combined with the above URL, removing www. will save an additional 4 bytes for a total byte savings of 9 for servers that have this set up properly):
Assuming http://www.google.com/ is programmatically replaced with nothing). I actually used a similar attack vector against a several separate real world XSS filters by using the conversion filter itself (here is an example) to help create the attack vector (IE: java&\\#x09;script: was converted into java script:, which renders in IE, Netscape 8.1+ in secure site mode and Opera):
Assume a content sharing flow on a web site is implemented as below. There is a \"Content\" page which includes some content provided by users and this page also includes a link to \"Share\" page which enables a user choose their favorite social sharing platform to share it on. Developers HTML encoded the \"title\" parameter in the \"Content\" page to prevent against XSS but for some reasons they didn't URL encoded this parameter to prevent from HTTP Parameter Pollution. Finally they decide that since content_type's value is a constant and will always be integer, they didn't encode or validate the content_type in the \"Share\" page.
<script>\nvar contentType = <%=Request.getParameter(\"content_type\")%>;\nvar title = \"<%=Encode.forJavaScript(request.getParameter(\"title\"))%>\";\n...\n//some user agreement and sending to server logic might be here\n...\n</script>\n
In this case if attacker set untrusted content title as \u201cThis is a regular title&content_type=1;alert(1)\u201d the link in \"Content\" page would be this:
<a href=\"/share?content_type=1&title=This is a regular title&content_type=1;alert(1)\">Share</a>\n
<script>\nvar contentType = 1; alert(1);\nvar title = \"This is a regular title\";\n\u2026\n//some user agreement and sending to server logic might be here\n\u2026\n</script>\n
As a result, in this example the main flaw is trusting the content_type in the \"Share\" page without proper encoding or validation. HTTP Parameter Pollution could increase impact of the XSS flaw by promoting it from a reflected XSS to a stored XSS.
All the possible combinations of the character \"\\<\" in HTML and JavaScript. Most of these won't render out of the box, but many of them can get rendered in certain circumstances as seen above.
Bettercap 1.6.2 installs the executable to /usr/local/bin/bettercap
Bettercap 2.x installs the executable to /usr/bin/bettercap
Both Bettercap 1.6.2 and 2.x shares the same executable name. In order to privet any collisions we will rename the Bettercap 1.6.2 executable to bettercap1.6.2.
To find that Bettercap installation from ruby gems:
gem environment\n
the path should be under GEM PATHP for example:
/var/lib/gems/2.7.0/gems/bettercap-1.6.2\n
", "tags": ["penetration-testing", "tools"]}, {"location": "penetration-testing/kali-linux/kali-linux/", "title": "Kali Linux", "text": "", "tags": ["penetration-testing", "kali-linux", "kali"]}, {"location": "penetration-testing/kali-linux/kali-linux/#minimal-headless-kali-linux-installation-works-for-cloud-vm-installation-no-gui", "title": "Minimal Headless Kali Linux installation - Works for Cloud VM Installation (NO GUI)", "text": "
This is a simple guide to install Minimal Headless Kali Linux by converting a Debian Linux to Kali Linux distro without any unnecessary tools. Basically you install the tools you need.
Platforms Minimum Monthly Price DigitalOcean.com 5$ (This link provides 100$ for 60 days)
First of all we will need a clean Debian Linux local or at any cloud provider with ssh access
Let's convert! We will install two packages which allow as to replace Debian's repo to kali repo
", "tags": ["penetration-testing", "kali-linux", "kali"]}, {"location": "penetration-testing/kali-linux/links/", "title": "Links for Penetration Testing Tools", "text": "", "tags": ["pt", "tools"]}, {"location": "penetration-testing/kali-linux/links/#usefully-tools-for-pentesters", "title": "Usefully Tools for Pentesters", "text": "Links Description Eicar Files Files With Virus Signature Credit Card Generator PayPal Credit Card Generator - Login Required ipleak.net Displays Information About Your IP mxtoolbox Network Tools Related to DNS jwt.io Allows You to Decode, Verify and Generate Json Web Tokens DNS Dumpster Domain Research Tool That Can Discover Hosts Related to a Domain SSL-Lab Deep Analysis of The Configuration of any SSL Web Server GraphQLmap Engine to interact with a graphqlr endpoint for penetration-testing purposes.", "tags": ["pt", "tools"]}, {"location": "penetration-testing/kali-linux/metasploit/", "title": "Metasploit Framework", "text": "", "tags": ["pt", "tools", "metasploit"]}, {"location": "penetration-testing/kali-linux/metasploit/#installation", "title": "Installation", "text": "
The Proxmark is an RFID swiss-army tool, allowing for both high and low level interactions with the vast majority of RFID tags and systems world-wide.
There are few Promark Devices, and you can find them at the offical website. I personally use the device at the picture above, you can get one at
Proxmark3 - Amazon
Proxmark3 - Aliexpress
it's cheap and suites my needs
The RFID tags i use are duel band tags 13.56Mhz and 125KHz
RFID tags - Amazon
RFID tags - Aliexpress
Useful Links:
Official Proxmark Website
Official Proxmark3 Github Repo
Andprox - Android client
", "tags": ["pt", "tools", "rfid"]}, {"location": "penetration-testing/proxmark/cheatsheet/", "title": "Proxmark3 CheatSheet", "text": "", "tags": ["pt", "tools", "rfid"]}, {"location": "penetration-testing/proxmark/cheatsheet/#basics", "title": "Basics", "text": "Command Description hf search Identify High Frequency cards lf search Identify Low Frequency cards hw tune Measure antenna characteristics, LF/HF voltage should be around 20-45+ V hw version Check version hw status Check overall status", "tags": ["pt", "tools", "rfid"]}, {"location": "penetration-testing/proxmark/mifare-tags/", "title": "Clone Mifare Classic 1K ISO14443A", "text": "", "tags": ["pt", "tools", "rfid"]}, {"location": "penetration-testing/proxmark/mifare-tags/#read-mifare-iso14443a-basic-information", "title": "Read Mifare ISO14443A Basic Information", "text": "
proxmark3> hf search\n
Which results in a response along the lines of:
#db# DownloadFPGA(len: 42096)\nUID : de 0f 3d cd\nATQA : 00 04\nSAK : 08 [2]\nTYPE : NXP MIFARE CLASSIC 1k | Plus 2k SL1\nproprietary non iso14443-4 card found, RATS not supported\nNo chinese magic backdoor command detected\nPrng detection: HARDENED (hardnested)\nValid ISO14443A Tag Found - Quiting Search\n
As we can see the output ISO14443A Tag Found it's Mifare 1k card.
This also shows us the UID de0f3dcd of the card, which we\u2019ll need later.
", "tags": ["pt", "tools", "rfid"]}, {"location": "penetration-testing/proxmark/mifare-tags/#find-and-extract-the-32-keys-from-the-mifare-iso14443a", "title": "Find and Extract the 32 Keys From The Mifare ISO14443A", "text": "
From there we can find keys in use by checking against a list of default keys (hopefully one of these has been used)
proxmark3> hf mf chk * ?\n
This should show us the key we require looking something like
", "tags": ["docker", "raspberry-pi", "docker-compose"]}, {"location": "raspberry-pi/docker-raspberrypi/#manage-docker-as-a-non-root-user", "title": "Manage Docker as a non-root user", "text": "
The Docker daemon binds to a Unix socket instead of a TCP port. By default that Unix socket is owned by the user root and other users can only access it using sudo. The Docker daemon always runs as the root user.
If you don\u2019t want to preface the docker command with sudo, create a Unix group called docker and add users to it. When the Docker daemon starts, it creates a Unix socket accessible by members of the docker group.
Warning
The docker group grants privileges equivalent to the root user.
", "tags": ["raspberry-pi"]}, {"location": "raspberry-pi/external-power-button/#default-behavior", "title": "Default Behavior", "text": "Button Press (Raspberry Pi is ON) Behavior Single Nothing Double Reboot Long press and releases (above 3 seconds) Power off Button Press (Raspberry Pi is OFF) Behavior Single Power On", "tags": ["raspberry-pi"]}, {"location": "raspberry-pi/external-power-button/#check-if-service-is-running", "title": "Check if service is running", "text": "
", "tags": ["raspberry-pi", "motion-sensor", "automation"]}, {"location": "raspberry-pi/motion-sensor-display-control/#default-behavior", "title": "Default Behavior", "text": "Condition Behavior Motion while display is off Turns on display for 60 sec Motion while display is on Resets the timer for another 60 sec No motion > 60 sec Turns off the display", "tags": ["raspberry-pi", "motion-sensor", "automation"]}, {"location": "raspberry-pi/motion-sensor-display-control/#config", "title": "Config", "text": "
File
/usr/local/bin/motion-display-control.py\n
You can change Data Pin of the PIR Sensor at gpio_pin value You can change Delay at display_delay value
", "tags": ["raspberry-pi", "motion-sensor", "automation"]}, {"location": "raspberry-pi/motion-sensor-display-control/#check-if-service-is-running", "title": "Check if service is running", "text": "
sudo systemctl status motion-display-control.service\n
Thanks to Boris Berman for the script rewrite from function to classes
", "tags": ["raspberry-pi", "motion-sensor", "automation"]}, {"location": "raspberry-pi/snippets/", "title": "Snippets", "text": "", "tags": ["raspberry-pi"]}, {"location": "raspberry-pi/snippets/#enable-ssh-on-raspberry-pi-without-a-screen", "title": "Enable SSH on Raspberry Pi Without a Screen", "text": "
Put the micro SD card into your computer You'll have to locate the boot directory at your SD card
for example:
cd /Volumes/boot\n
All you have to do is create an empty file called ssh.
touch ssh\n
That's it. Insert the SD card to the Pi. You should have enabled SSH at boot.
", "tags": ["raspberry-pi"]}, {"location": "raspberry-pi/snippets/#default-user-and-password-after-installation", "title": "Default User and Password After Installation", "text": "
sudo apt-get update\nsudo apt-get install -y samba samba-common-bin smbclient cifs-utils\nsudo smbpasswd -a pi ( my-pi-samba-remote-password )\nsudo nano /etc/samba/smb.conf\n
change:
workgroup = YOUR WINDOWS WORKGROUP NAME\n
add at end:
[share]\npath = /home/pi/Desktop/share\n available = yes\n valid users = pi\n read only = no\n browsable = yes\n public = yes\n writable = yes\n
the shared path must exist: ( if you work via desktop ( HDMI or VNC ) it is very convenient just to read or drop from/to this shared dir ) mkdir /home/pi/Desktop/share
After reboot you should connet to the new static ip
", "tags": ["raspberry-pi", "3g-modem"]}, {"location": "raspberry-pi/guides/3g-modem-host/#lets-route-all-the-trafic-to-new-interface-with-iptables", "title": "Lets route all the trafic to new interface with Iptables", "text": "
To be honest, it's not my first time building a Magic Mirror project. My first magicmirror can be found here. The Magic Mirror 2.0 is based on Raspberry Pi 4 with Docker Container.
I had dead iMac 2011 27\" with 2k display. I've managed to use it's LCD panel with this product from AliExpress. It actually a full controller for the specific LCD panel, including the inverter for backlight. Basically, it's a full-fledged LCD Monitor with HDMI we need for the Raspberry Pi 4.
I've decided to test the controller for the LCD Panel inside the original iMac's body.
I've connected raspberry to the new monitor for the magicmirror testing and configuration.
Since my previous experience with my first magicmirror build, I've decided to add a Motion Sensor to the Raspberry Pi to detect the movement of the person infront of the mirror and turn the display on/off accordingly. The second thing i've added is a Power Button to turn the Raspberry Pi on, off and restart it without a physical access to the Raspberry Pi.
I couldn't find any open source projects for the functionality I needed of the power button and the Motion Sensor. So I've decided to create my own solution. Bellow are the scripts that I've created:
External Power Button Wake/Power Off/Restart
Motion Sensor Display Control
Thats how i've tested the functionality of the power button and the motion sensor.
I've order a reflective glass with 4 holes for mounting. It was a challenge to find a suitable reflective glass for the MagicMirror. The product I've found is not perfect - the glass is tinted, but it's a good enough solution and way better then Glass Mirror Films I've used on my first Magic Mirror Project.
After I've done all the proof of concepts that every thing will work as i intended, I've continue to build the frame to house all the components.
I've used scrap wood I had laying around to build the frame and the mounting for the LCD panel, and the glass
For mounting the Magic Mirror to the wall i've used the smallest TV Mount I've found.
After the frame is built, I've added the electronics to the frame.
Performing senity check on the electronics, and display assembly.
Since I when on the floating effect the glass isn't covering the all the frame, all the exposed parts of the glass are needed to be covered to avoid light leaking.
This htpasswd password encryption applet is written in JavaScript, so the entire process runs within your browser.Nothing is transmitted to any server, we take your privacy and securityserious.
The code was built by macminiosx and cloned from his repository. It was slightly modified to fit this website.
", "tags": ["htpasswd"]}, {"location": "utilities/useful-links-tools/", "title": "Useful Links & Tools", "text": "Services Description Mail-Tester.com Tests the quality of emails ipleak.net Shows Information About Your IP sslLabs.com Test Your SSL Certification ifconfig.io curl ifconfig.io DSL Reports.com Speedtest For QoS Best Configuration Hurricane Electric Free DNS Hosting Free DNS & DDNS Service freedns.afraid.org Free DNS & DDNS Service", "tags": ["utilities"]}, {"location": "utilities/wifiQrGenerator/", "title": "Wifi QR Image Generator", "text": "", "tags": ["utilities"]}, {"location": "utilities/wifiQrGenerator/#description", "title": "Description", "text": "
This will generate a QR code what can be used with any iOS/Android device to access a given Wifi without manually adding a network and password. Just scan the QR Code and you are connected. This is a fully static code - no data is send to any server!
This code was taken from this site qistoph Github Page. It was fully reviewed for any malicious code or functionality and slightly modified to fit this site
Chrome Extensions Description 1Password Password Manager (Desktop App Required) Clear Browsing Data Clear Browsing Data HTTPS Everywhere Automatically use HTTPS Pushbullet Connectivity App uBlock Origin Ad Block EditThisCookie Edit cookie per page Wappalyzer Uncovers the technologies used on websites IP Address and Domain Information Find detailed information about each IP address JSON viewer Pretty print / display JSON content in the browser", "tags": ["chrome", "extensions"]}, {"location": "utilities/browsers-extensions/firefox/", "title": "Firefox Extensions", "text": "
List of extensions for Firefox browser.
Firefox Extensions Description FoxyProxy Proxy Management Wappalyzer Identifies software on websites Clear Browsing Data Delete browsing data 1Password Password Manager", "tags": ["firefox", "extensions"]}, {"location": "utilities/markdown-cheatsheet/about/", "title": "About Markdown", "text": "
Markdown is a lightweight markup language with plain text formatting syntax. It is designed so that it can be converted to HTML and many other formats using a tool by the same name. Markdown is often used to format readme files, for writing messages in online discussion forums, and to create rich text using a plain text editor. As the initial description of Markdown contained ambiguities and unanswered questions, many implementations and extensions of Markdown appeared over the years to answer these issues.
This Page is fully written with Markdown Language and converted to HTML
This website is built with MkDocs. MkDocs is a static site generator that can be used to generate websites with a clean and simple user interface. It is a free and open source project.
Warning
Most of the advanced features used to generate this website and the Markdown syntax used from Material Theme for MkDocs and may not apply to other websites.
Admonitions, also known as call-outs, are an excellent choice for including side content without significantly interrupting the document flow. Material for MkDocs provides several different types of admonitions and allows for the inclusion and nesting of arbitrary content.
Admonitions follow a simple syntax: a block starts with !!!, followed by a single keyword used as a [type qualifier]. The content of the block follows on the next line, indented by four spaces:
Admonition
!!! note\n\n Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod\n nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor\n massa, nec semper lorem quam in massa.\n
Note
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
By default, the title will equal the type qualifier in titlecase. However, it can be changed by adding a quoted string containing valid Markdown (including links, formatting, ...) after the type qualifier:
Admonition with custom title
!!! note \"Phasellus posuere in sem ut cursus\"\n\n Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod\n nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor\n massa, nec semper lorem quam in massa.\n
Phasellus posuere in sem ut cursus
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
Similar to [changing the title], the icon and title can be omitted entirely by adding an empty string directly after the type qualifier. Note that this will not work for [collapsible blocks]:
Admonition without title
!!! note \"\"\n\n Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod\n nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor\n massa, nec semper lorem quam in massa.\n
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
When [Details] is enabled and an admonition block is started with ??? instead of !!!, the admonition is rendered as a collapsible block with a small toggle on the right side:
Admonition, collapsible
??? note\n\n Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod\n nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor\n massa, nec semper lorem quam in massa.\n
Note
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
Adding a + after the ??? token renders the block expanded:
Admonition, collapsible and initially expanded
???+ note\n\n Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod\n nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor\n massa, nec semper lorem quam in massa.\n
Note
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
Following is a list of type qualifiers provided by Material for MkDocs, whereas the default type, and thus fallback for unknown type qualifiers, is note:
note
Note
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
abstract, summary, tldr
Abstract
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
info, todo
Info
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
tip, hint, important
Tip
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
success, check, done
Success
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
question, help, faq
Question
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
warning, caution, attention
Warning
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
failure, fail, missing
Failure
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
danger, error
Danger
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
bug
Bug
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
example
Example
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
quote, cite
Quote
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
An MkDocs plugin that simplifies configuring page titles and their order
The awesome-pages plugin allows you to customize how your pages show up the navigation of your MkDocs without having to configure the full structure in your mkdocs.yml. It gives you detailed control using a small configuration file directly placed in the relevant directory of your documentation. MkDocs Awesome Pages Plugin Github Repository
Create a file named .pages in a directory and use the nav attribute to customize the navigation on that level. List the files and subdirectories in the order that they should appear in the navigation.
Pages or sections that are not mentioned in the list will not appear in the navigation. However, you may include a ... entry to specify where all remaining items should be inserted.
nav:\n- introduction.md\n- ...\n- summary.md\n
Furthermore, it is possible to filter the remaining items using glob patterns or regular expressions. For example to match only the Markdown files starting with introduction-.
Create a file named .pages in a directory and set the order_by attribute to filename or title to change the order of navigation items.
order_by: title\n
This can be combined with order and/or sort_type above. If order is not set it will order ascending. If no preference is set, it will order by filename.
If you only want to collapse certain pages, create a file called .pages in the directory and set collapse_single_pages to true:
collapse_single_pages: true\n
You may also enable collapsing globally using the plugin option and then use the .pages file to prevent certain sub-sections from being collapsed by setting collapse_single_pages to false.
Note: This feature works recursively. That means it will also collapse multiple levels of single pages.
", "tags": ["template", "markdown"]}, {"location": "utilities/markdown-cheatsheet/awesome-pages/#for-a-single-page", "title": "For a single page", "text": "
If you want to enable or disable collapsing of a single page, without applying the setting recursively, create a file called .pages in the directory and set collapse to true or false:
Create a file named .pages in a directory and set the hide attribute to true to hide the directory, including all sub-pages and sub-sections, from the navigation:
hide: true\n
Note: This option only hides the section from the navigation. It will still be included in the build and can be accessed under its URL.
Deprecated: arrange will be removed in the next major release - Use nav instead.
Create a file named .pages in a directory and set the arrange attribute to change the order of how child pages appear in the navigation. This works for actual pages as well as subdirectories.
MkDocs gives you two ways to define the structure of your navigation. Either create a custom navigation manually in mkdocs.yml or use the file structure to generate the navigation. This feature makes it possible to combine both methods. Allowing you to manually define parts of your navigation without having to list all files.
Note: You can freely combine this with all the other features of this plugin. However they will only affect the part of the navigation that is not defined manually.
Use the nav entry in mkdocs.yml to define the custom part of your navigation. Include a ... entry where you want the navigation tree of all remaining pages to be inserted.
The following examples are based on this file structure:
The ... entry can also be placed at a deeper level:
nav:\n- page1.md\n- Rest:\n- ...\n
Which would result in the following navigation:
Page 1
Rest
Introduction
Page 2
Folder
Introduction
Page 3
Page 4
Furthermore, it is possible to filter the remaining items using glob patterns or regular expressions. For example to match only files named introduction.md.
The filter only operates on remaining items. This means it will not include items that are explicitly listed in the navigation or items that are matched by another filter that appears earlier in the configuration.
You may also include a rest entry without filter to act as a catch-all, inserting everything that is not matched by a filter.
Unless the filter starts with regex= it is interpreted as glob pattern, however you may also explicitly say so using glob=. The spaces around ... are optional but recommended for readability.
Note: Depending on the characters in your filter, you might also need to use quotes around the whole entry.
Markdown makes it easy to format messages. Type a message as you normally would, then use these the following formatting syntax to render the message a specific way
Markdown Syntax Result **bold** bold _italic_ italic ==highlight== highlight ~~strike through~~ strike through ^^underline^^ underline `Inline Code`Inline Code==_you_ **can** ^^combine^^ `too`== you can combine too", "tags": ["markdown-cheatsheet", "mkdocs", "headings", "text-highlighting", "horizontal-line"]}, {"location": "utilities/markdown-cheatsheet/basic-formatting/#horizontal-line", "title": "Horizontal Line", "text": "Horizontal Line Example
To create a heading, add number signs (#) in front of a word or phrase. The number of number signs you use should correspond to the heading level. For example, to create a heading level three (h3), use three number signs (e.g., ### My Header).
Headings from h1 through h6 are constructed with a # for each level:
Code blocks and examples are an essential part of technical project documentation. Material for MkDocs provides different ways to set up syntax highlighting for code blocks, either during build time using [Pygments] or during runtime using a JavaScript syntax highlighter.
In order to provide additional context, a custom title can be added to a code block by using the title=\"<custom title>\" option directly after the shortcode, e.g. to display the name of a file:
Example:
Code block with title
```py title=\"bubble_sort.py\"\ndef bubble_sort(items):\n for i in range(len(items)):\n for j in range(len(items) - 1 - i):\n if items[j] > items[j + 1]:\n items[j], items[j + 1] = items[j + 1], items[j]\n```\n
Result:
bubble_sort.py
def bubble_sort(items):\n for i in range(len(items)):\n for j in range(len(items) - 1 - i):\n if items[j] > items[j + 1]:\n items[j], items[j + 1] = items[j + 1], items[j]\n
", "tags": ["markdown-cheatsheet", "mkdocs", "code-blocks"]}, {"location": "utilities/markdown-cheatsheet/code-blocks/#adding-line-numbers-to-code-block", "title": "Adding Line Numbers To Code Block", "text": "
Example:
Line numbers can be added to a code block by using the linenums=\"<start>\" option directly after the shortcode, whereas <start> represents the starting line number. A code block can start from a line number other than 1, which allows to split large code blocks for readability:
Code block with line numbers
```py linenums=\"1\"\ndef bubble_sort(items):\n for i in range(len(items)):\n for j in range(len(items) - 1 - i):\n if items[j] > items[j + 1]:\n items[j], items[j + 1] = items[j + 1], items[j]\n```\n
Result:
def bubble_sort(items):\nfor i in range(len(items)):\nfor j in range(len(items) - 1 - i):\nif items[j] > items[j + 1]:\nitems[j], items[j + 1] = items[j + 1], items[j]\n
Specific lines can be highlighted by passing the line numbers to the hl_lines argument placed right after the language shortcode. Note that line counts start at 1.
Code block with highlighted lines
```py hl_lines=\"2 3\"\ndef bubble_sort(items):\n for i in range(len(items)):\n for j in range(len(items) - 1 - i):\n if items[j] > items[j + 1]:\n items[j], items[j + 1] = items[j + 1], items[j]\n```\n
Result:
def bubble_sort(items):\nfor i in range(len(items)):\nfor j in range(len(items) - 1 - i):\nif items[j] > items[j + 1]:\nitems[j], items[j + 1] = items[j + 1], items[j]\n
When InlineHilite is enabled, syntax highlighting can be applied to inline code blocks by prefixing them with a shebang, i.e. #!, directly followed by the corresponding language shortcode
Example:
Inline code block
The `#!python range()` function is used to generate a sequence of numbers.\n
Result:
The range() function is used to generate a sequence of numbers.
Sometimes, it's desirable to group alternative content under different tabs, e.g. when describing how to access an API from different languages or environments. Material for MkDocs allows for beautiful and functional tabs, grouping code blocks and other content.
Code blocks are one of the primary targets to be grouped, and can be considered a special case of content tabs, as tabs with a single code block are always rendered without horizontal spacing:
When a content tab contains more than one code block, it is rendered with horizontal spacing. Vertical spacing is never added, but can be achieved by nesting tabs in other blocks:
Example:
Content tabs
=== \"Unordered list\"\n\n * Sed sagittis eleifend rutrum\n * Donec vitae suscipit est\n * Nulla tempor lobortis orci\n\n=== \"Ordered list\"\n\n 1. Sed sagittis eleifend rutrum\n 2. Donec vitae suscipit est\n 3. Nulla tempor lobortis orci\n
When [SuperFences] is enabled, content tabs can contain arbitrary nested content, including further content tabs, and can be nested in other blocks like [admonitions] or blockquotes:
Example:
Content tabs in admonition
!!! example\n\n === \"Unordered List\"\n\n ``` markdown\n * Sed sagittis eleifend rutrum\n * Donec vitae suscipit est\n * Nulla tempor lobortis orci\n ```\n\n === \"Ordered List\"\n\n ``` markdown\n 1. Sed sagittis eleifend rutrum\n 2. Donec vitae suscipit est\n 3. Nulla tempor lobortis orci\n ```\n
Result:
Example
Unordered ListOrdered List
* Sed sagittis eleifend rutrum\n* Donec vitae suscipit est\n* Nulla tempor lobortis orci\n
1. Sed sagittis eleifend rutrum\n2. Donec vitae suscipit est\n3. Nulla tempor lobortis orci\n
Diagrams help to communicate complex relationships and interconnections between different technical components, and are a great addition to project documentation. Material for MkDocs integrates with Mermaid.js, a very popular and flexible solution for drawing diagrams.
Flowcharts are diagrams that represent workflows or processes. The steps are rendered as nodes of various kinds and are connected by edges, describing the necessary order of steps:
Flow chart
```mermaid\ngraph LR\n A[Start] --> B{Error?};\n B -->|Yes| C[Hmm...];\n C --> D[Debug];\n D --> B;\n B ---->|No| E[Yay!];\n```\n
Result:
graph LR\n A[Start] --> B{Error?};\n B -->|Yes| C[Hmm...];\n C --> D[Debug];\n D --> B;\n B ---->|No| E[Yay!];
Sequence diagrams describe a specific scenario as sequential interactions between multiple objects or actors, including the messages that are exchanged between those actors:
Sequence diagram
```mermaid\nsequenceDiagram\n Alice->>John: Hello John, how are you?\n loop Healthcheck\n John->>John: Fight against hypochondria\n end\n Note right of John: Rational thoughts!\n John-->>Alice: Great!\n John->>Bob: How about you?\n Bob-->>John: Jolly good!\n```\n
Result:
sequenceDiagram\n Alice->>John: Hello John, how are you?\n loop Healthcheck\n John->>John: Fight against hypochondria\n end\n Note right of John: Rational thoughts!\n John-->>Alice: Great!\n John->>Bob: How about you?\n Bob-->>John: Jolly good!
State diagrams are a great tool to describe the behavior of a system, decomposing it into a finite number of states, and transitions between those states:
Class diagrams are central to object oriented programing, describing the structure of a system by modelling entities as classes and relationships between them:
Class diagram
```mermaid\nclassDiagram\n Person <|-- Student\n Person <|-- Professor\n Person : +String name\n Person : +String phoneNumber\n Person : +String emailAddress\n Person: +purchaseParkingPass()\n Address \"1\" <-- \"0..1\" Person:lives at\n class Student{\n +int studentNumber\n +int averageMark\n +isEligibleToEnrol()\n +getSeminarsTaken()\n }\n class Professor{\n +int salary\n }\n class Address{\n +String street\n +String city\n +String state\n +int postalCode\n +String country\n -validate()\n +outputAsLabel()\n }\n```\n
Result:
classDiagram\n Person <|-- Student\n Person <|-- Professor\n Person : +String name\n Person : +String phoneNumber\n Person : +String emailAddress\n Person: +purchaseParkingPass()\n Address \"1\" <-- \"0..1\" Person:lives at\n class Student{\n +int studentNumber\n +int averageMark\n +isEligibleToEnrol()\n +getSeminarsTaken()\n }\n class Professor{\n +int salary\n }\n class Address{\n +String street\n +String city\n +String state\n +int postalCode\n +String country\n -validate()\n +outputAsLabel()\n }
An entity-relationship diagram is composed of entity types and specifies relationships that exist between entities. It describes inter-related things in a specific domain of knowledge:
Entity-relationship diagram
```mermaid\nerDiagram\n CUSTOMER ||--o{ ORDER : places\n ORDER ||--|{ LINE-ITEM : contains\n CUSTOMER }|..|{ DELIVERY-ADDRESS : uses\n```\n
Result:
erDiagram\n CUSTOMER ||--o{ ORDER : places\n ORDER ||--|{ LINE-ITEM : contains\n CUSTOMER }|..|{ DELIVERY-ADDRESS : uses
MkDocs Embed External Markdown plugin that allows to inject section or full markdown content from a given url. The goal is to embed different markdown from different sources inside your MkDocs project.
For more detailed inforation follow the link: Mkdocs Embed External Markdown Plugin
One of the best features of Material for MkDocs is the possibility to use more then with thousands of emojis in your project documentation with practically zero additional effort. Use Mkdocs Material Icon Search to find the icons and emojis you need.
:fontawesome-regular-bell: - Fontawesome Icon: Bell \n:material-bell: - Material Icon: Bell \n:octicons-bell-24: - Octicons Icon: Bell \n:bell: - Emoji: Bell\n
Result:
- Fontawesome Icon: Bell - Material Icon: Bell - Octicons Icon: Bell - Emoji: Bell
Markdown is a text format so naturally you can type in the Markdown representation of an image using examples below to put an image reference directly into the editor.
Warning
This site uses the Material Design for MkDocs theme with the following CSS overrides there for the results in your case may differ.
[Jumps to section in page][internal-anchor-link]\n\n[internal-anchor-link]: /utilities/markdown-cheatsheet/tables-lists-quotes/#lists 'Internal Anchor Links'\n
Result:
Jumps to section in page
", "tags": ["markdown-cheatsheet", "mkdocs", "links"]}, {"location": "utilities/markdown-cheatsheet/links/#image-with-links", "title": "Image With Links", "text": "Image With Links Example
[![This is Image with link][image-link]][url-link]{target=\\_blank}\n\n[image-link]: /assets/images/markdown-cheatsheet/minion200x200.png 'Minion'\n[url-link]: https://github.com/fire1ce 'Go to Github'\n
Result:
", "tags": ["markdown-cheatsheet", "mkdocs", "links"]}, {"location": "utilities/markdown-cheatsheet/links/#mailto-link", "title": "Mailto Link", "text": "Mailto Link Example
A table in Markdown consists of two parts: the header and the rows of data in the table. As per the Markdown spec:
pipe (|) character separates the individual columns in a table.
(-) hyphens act as a delimiter row to separate the header row from the body.
(:) colon to align cell contents.
Table Example
| **Option** | **Description** |\n| ---------- | ------------------------------------------ |\n| data | path to data files to supply the data. |\n| engine | engine to be used for processing templates |\n| ext | extension to be used for dest files. |\n
Result:
Option Description data path to data files to supply the data. engine engine to be used for processing templates ext extension to be used for dest files.", "tags": ["markdown-cheatsheet", "mkdocs", "tables", "lists", "quotes"]}, {"location": "utilities/markdown-cheatsheet/tables-lists-quotes/#column-alignment", "title": "Column Alignment", "text": "
If you want to align a specific column to the left, center or right, you can use the [regular Markdown syntax] placing : characters at the beginning and/or end of the divider.
LeftCenterRight Data table, columns aligned to left
Bullet point lists can be created by starting each line with an asterisk followed by a space before the content of the bullet point. Note that the space is important and should not be forgotten.
Example:
Unordered List Example
- Lorem ipsum dolor sit amet\n- Consectetur adipiscing elit\n- Integer molestie lorem at massa\n- Facilisis in pretium nisl aliquet\n
Similarly, numbered lists can be created by starting each line with a number followed by a space and then the relevant text.
Ordered List Example
1. Lorem ipsum dolor sit amet\n2. Consectetur adipiscing elit\n3. Integer molestie lorem at massa\n4. Faucibus porta lacus fringilla vel\n5. Aenean sit amet erat nunc\n6. Eget porttitor lorem\n
Result:
Lorem ipsum dolor sit amet
Consectetur adipiscing elit
Integer molestie lorem at massa
Faucibus porta lacus fringilla vel
Aenean sit amet erat nunc
Eget porttitor lorem
", "tags": ["markdown-cheatsheet", "mkdocs", "tables", "lists", "quotes"]}, {"location": "utilities/markdown-cheatsheet/tables-lists-quotes/#blocks-list", "title": "Blocks List", "text": "Blocks List Example
A task list is a set of tasks that each render on a separate line with a clickable checkbox. You can select or deselect the checkboxes to mark the tasks as complete or incomplete.
You can use Markdown to create a task list in any comment on GitHub. If you reference an issue, pull request, or discussion in a task list, the reference will unfurl to show the title and state.
Example:
Task List Example
- [x] Lorem ipsum dolor sit amet, consectetur adipiscing elit\n- [ ] Vestibulum convallis sit amet nisi a tincidunt\n - [x] In hac habitasse platea dictumst\n - [x] In scelerisque nibh non dolor mollis congue sed et metus\n - [ ] Praesent sed risus massa\n- [ ] Aenean pretium efficitur erat, donec pharetra, ligula non scelerisque\n
Result:
Lorem ipsum dolor sit amet, consectetur adipiscing elit
Vestibulum convallis sit amet nisi a tincidunt
In hac habitasse platea dictumst
In scelerisque nibh non dolor mollis congue sed et metus
Praesent sed risus massa
Aenean pretium efficitur erat, donec pharetra, ligula non scelerisque
For quoting blocks of content from another source within your document.
Add > before any text you want to quote.
Quoting Blocks Example
> Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer posuere erat a ante.\n> Donec massa lacus, ultricies a ullamcorper in, fermentum sed augue.\n
Result:
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer posuere erat a ante. Donec massa lacus, ultricies a ullamcorper in, fermentum sed augue.
> Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer posuere erat a ante.\n> Donec massa lacus, ultricies a ullamcorper in, fermentum sed augue.\n>\n> > Sed adipiscing elit vitae augue consectetur a gravida nunc vehicula. Donec auctorodio\n> > non est accumsan facilisis. Aliquam id turpis in dolor tincidunt mollis ac eu diam.\n
Result:
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer posuere erat a ante. Donec massa lacus, ultricies a ullamcorper in, fermentum sed augue.
Sed adipiscing elit vitae augue consectetur a gravida nunc vehicula. Donec auctorodio non est accumsan facilisis. Aliquam id turpis in dolor tincidunt mollis ac eu diam.
Sometime you need to connect to a remote server via SSH. Usually it's the main connection to linux servers. But you can also connect to a windows server via SSH. At this guide we will show you how to install and configure a windows ssh server, including SSH Keys authentication.
", "tags": ["windows", "ssh-server", "powershell", "rsa-keys"]}, {"location": "windows/ssh-server/#ssh-server-installation-on-windows", "title": "SSH Server Installation on Windows", "text": "
We will be using PowerShell to install the SSH server inculding the SSH client.
Open PowerShell Terminal as Administrator.
Run the following commands to install the SSH server and client.
Test the SSH connection to the Windows server from remote machine with the SSH Key. You should be able to connect to the Windows server with your SSH key
Create a .ssh directory in the home directory of the user.
```path\nC:\\Users\\<username>\\.ssh\\\n
Create the file: authorized_keys at the following location:
C:\\Users\\<username>\\.ssh\\authorized_keys\n
Edit the file and add you SSH public key to the file.
Test the SSH connection to the Windows server from remote machine with the SSH Key. You should be able to connect with non-administrator user to the Windows server with your SSH key
", "tags": ["windows", "ssh-server", "powershell", "rsa-keys"]}, {"location": "windows/ssh-server/#powershell-as-default-shell-for-ssh", "title": "PowerShell as Default Shell for SSH", "text": "
By default the SSH client uses the Windows command prompt as the default shell.
We can change the default shell to PowerShell running the following PowerShell command:
", "tags": ["utilities", "windows"]}, {"location": "windows/useful-software/#list-of-useful-software", "title": "List of Useful Software", "text": "Application Description MAS Windows & Office Activation Windows Tweaker 4 for Windows 10 Windows Tweaker Defender Control Windows Defender control Link Shell Extension Symlinks For Windows Winaero Tweaker Winaero Tweaker Autologon Autologon at boot", "tags": ["utilities", "windows"]}, {"location": "windows/windows-servers/", "title": "Windows Servers", "text": "", "tags": ["utilities", "windows", "servers"]}, {"location": "windows/windows-servers/#basic-setup", "title": "Basic Setup", "text": "
At Server Manager click Configure this local server
Computer name - rename the server's name
Remote Desktop - allow RDP
Ethernet instance - disable IPV6
Feedback & Diagnostics - set Feedback frequency to Never
IE Enhanced Security Configuration - Off
Time zone - set the current timezone, At Internet Time tab chanche time.windwos.com to time.nist.gov
Open gpedit.msc with Run
Local Computer Policy -> Administrative Templates -> System -> Display Shutdown Even Tracker - Disable
Local Computer Policy -> Windows Settings -> Security Settings -> Local Policies -> Security Options ->Interactive logon: Do not require CTRL+ALT+DEL - Enable
", "tags": ["utilities", "windows", "servers"]}, {"location": "windows/windows-servers/#convert-evaluation-copy-to-full-version", "title": "Convert Evaluation Copy to Full Version", "text": "
When using the Evaluation version of Windows Server, the desktop displays the current build and the time until the end of the grace period (Windows License valid for 180 days).
", "tags": ["utilities", "windows", "servers"]}, {"location": "windows/windows-ssh-agent-with-keys/", "title": "Windows SSH Client with ed25519 Keys for Secure Connections", "text": "
In the modern digital age, ensuring the security of your connections is critical. This guide will walk you through the steps to configure the SSH client and SSH agent on Windows using ed25519 keys, allowing for secure connections to services like Git and remote servers.
", "tags": ["SSH", "Windows", "ed25519", "OpenSSH", "Git", "Security"]}, {"location": "windows/windows-ssh-agent-with-keys/#introduction-to-ssh-and-ed25519-keys", "title": "Introduction to SSH and ed25519 Keys", "text": "
SSH, or Secure Shell, is a cryptographic network protocol for secure communication over an unsecured network. It is particularly used for secure logins, file transfers, and command-line operations.
ed25519 is a public-key signature system that is renowned for high security with relatively short key lengths. This makes it faster and more efficient compared to older algorithms such as RSA.
This command generates an ed25519 key pair. The default location for the keys is C:\\Users\\<YourUsername>\\.ssh. The private key is named id_ed25519 and the public key is named id_ed25519.pub.
Adding the ed25519 SSH Key to the SSH Agent:
ssh-add $env:USERPROFILE\\.ssh\\id_ed25519\n
If your keys are stored in a different location or have a different name, you can specify the full path to the key file as an argument to ssh-add. For example:
If you already have an existing pair of ed25519 SSH keys that you would like to use, you can import them into your SSH Agent.
Note
The above below should be performed in PowerShell with regular user privileges.
Copy your existing private key to the default SSH folder. The default folder for SSH keys is typically C:\\Users\\<YourUsername>\\.ssh. Make sure the private key file you are copying is named id_ed25519.
Add the existing ed25519 SSH Key to the SSH Agent:
ssh-add $env:USERPROFILE\\.ssh\\id_ed25519\n
Note: If your private key file is located in a different path or has a different name, you can specify the full path to the key file as an argument to ssh-add. For example:
ssh-add C:\\path\\to\\your\\private-key-file\n
Copy your existing public key to the servers or services you want to connect to. This typically involves appending the contents of your public key file to the ~/.ssh/authorized_keys file on the server.
", "tags": ["SSH", "Windows", "ed25519", "OpenSSH", "Git", "Security"]}, {"location": "windows/windows-ssh-agent-with-keys/#step-5-using-ssh-with-ed25519-keys-for-secure-connections", "title": "Step 5: Using SSH with ed25519 Keys for Secure Connections", "text": "
Now that you have your ed25519 SSH keys generated or imported, and added to the SSH Agent, you can use SSH to connect to remote servers or services like Git securely.
For example, to connect to a remote server:
ssh username@remote_host\n
Using SSH keys will also allow you to interact with Git repositories securely, which is especially helpful when dealing with private repositories or pushing code changes.
By following this guide, you have configured the SSH client and SSH agent on your Windows system using ed25519 keys. This configuration ensures secure communication with services like Git and remote servers, safeguarding the integrity and security of your data.
", "tags": ["Windwos", "Tweeks"]}, {"location": "windows/windows-tweaks/#enable-the-legacy-context-menu-in-windows-11", "title": "Enable the Legacy Context Menu in Windows 11", "text": "
To enable the context menu that appeared in Windows 10 and earlier, you can use the following PowerShell snippet.
", "tags": ["Windwos", "Tweeks"]}, {"location": "windows/windows-tweaks/#add-program-to-startup-windows-7810-servers", "title": "Add Program to Startup - Windows 7,8,10 & Servers", "text": "
Hit WIN+R or from start menu search run and press enter. At run dialog enter shell:common startup:
Create shortcut for the program you want to auto startup when Windows boots.
Move the shortcut to the Startup folder that opened before.
", "tags": ["Windwos", "Tweeks"]}, {"location": "windows/windows-tweaks/#reboot-or-shutdown-windows-from-command-line-cmd", "title": "Reboot or Shutdown Windows From Command Line (CMD)", "text": "
Reboot windows computer This command will set a time out of 10 seconds to close the applications. After 10 seconds, windows reboot will start.
shutdown /r /t 10\n
Force reboot
shutdown /r /f /t 0\n
Force Shutdown
shutdown /s /f /t 0\n
", "tags": ["Windwos", "Tweeks"]}, {"location": "windows/guides/declare-locations/", "title": "Declare Locations as \"Inside Your Local Network\"", "text": "
Warning
The Intranet Zone is the most trusted and least protected zone. DO NOT put any subnets or IP addresses in this zone unless they are TOTALLY under YOUR control. That includes ANY public server, web site, subnet, or IP address.
Select 'Control Panel'/'Internet Properties'/'Security' tab. (Alternatively, open Internet Explorer and select 'Tools'/'Internet Options'/'Security' tab.)
Highlight 'Local Intranet' and click 'Sites'.
Set the following: Uncheck 'Automatically detect intranet network'.Check 'Include all local (intranet) sites not listed in other zones'.Uncheck 'Include all sites that bypass the proxy server'.Check 'Include all network paths (UNCs)'.\u200b
Click 'Advanced'
Uncheck 'Require server verification (https:) for all sites in this zone'.
In the field labeled 'Add this web site to the zone:', add your local, private subnet using an asterisk for a network mask and click 'Add'. E.g. If your home (local) network is 192.168.25.0 with a mask of 255.255.255.0, enter '192.168.25.*' (without the quotes).
Note
Entries can be:\u200b
* Individual IP addresses (e.g. '192.168.5.25', etc.),\n* Class C subnets (e.g. '192.168.27.*'),\n* Class B subnets (e.g. '172.16.*.*'), or\n* Class A subnets (e.g. '10.*.*.*')\u200b\n
You can add as many addresses as you need to the list It can be handy add the address of a VPN subnet to the list if it is also private and you TOTALLY trust it.\u200b
Close out with 'Close'/'OK'/'OK' and close the Control Panel (or Internet Explorer).
", "tags": ["utilities", "network", "windows"]}, {"location": "windows/guides/email-from-task-scheduler/", "title": "Send Emails From The Windows Task Scheduler", "text": "
First, download SendEmail, a free (and open source) tool for sending emails from the command line. Extract the downloaded archive into a folder on your computer.
Next, launch the Windows Task Scheduler and create a new task \u2013 consult our guide to creating scheduled tasks for more information. You can create a task that automatically sends an email at a specific time or a task that sends an email in response to a specific event.
When you reach the Action window, select Start a program instead of Send an e-mail.
In the Program/script box, use the Browse button and navigate to the SendEmail.exe file on your computer.
Finally, you\u2019ll have to add the arguments required to authenticate with your SMTP server and construct your email. Here\u2019s a list of the options you can use with SendEmail:
-t EMAIL \u2013 The destination email address. You can send an email to multiple addresses by including a space between each address after the -t option.
-cc EMAIL \u2013 Any addresses you\u2019d like to CC on the email. You can specify multiple addresses by placing a space between each email address, just as with the -t command above.
-bcc EMAIL \u2013 The BCC version of the CC option above.
-m BODY \u2013 The message body text of your email.
-a ATTACHMENT \u2013 The path of a file you\u2019d like to attach. This is optional.
For example, let\u2019s say your email address is example@gmail.com and you\u2019d like to send an email to person@example.com. You\u2019d use the following options:
-f example@gmail.com -t person@example.com -u Subject -m This is the body text! -s smtp.gmail.com:587 -xu example@gmail.com -xp password -o tls=yes\n
Once you\u2019ve put together your options, copy and paste them into the Add arguments box.
Save your task and you\u2019re done. Your task will automatically send email on the schedule (or in response to the event) you specified.
\ No newline at end of file
diff --git a/utilities/browsers-extensions/chrome/index.html b/utilities/browsers-extensions/chrome/index.html
new file mode 100644
index 000000000..b2d5f5ac0
--- /dev/null
+++ b/utilities/browsers-extensions/chrome/index.html
@@ -0,0 +1,167 @@
+ Chrome Extensions - 3os
Pretty print / display JSON content in the browser
Comments
\ No newline at end of file
diff --git a/utilities/browsers-extensions/firefox/index.html b/utilities/browsers-extensions/firefox/index.html
new file mode 100644
index 000000000..1d433ef2f
--- /dev/null
+++ b/utilities/browsers-extensions/firefox/index.html
@@ -0,0 +1,167 @@
+ Firefox Extensions - 3os
This htpasswd password encryption applet is written in JavaScript, so the entire process runs within your browser.Nothing is transmitted to any server, we take your privacy and securityserious.
The code was built by macminiosx and cloned from his repository. It was slightly modified to fit this website.
Comments
\ No newline at end of file
diff --git a/utilities/markdown-cheatsheet/about/index.html b/utilities/markdown-cheatsheet/about/index.html
new file mode 100644
index 000000000..66ce24bb0
--- /dev/null
+++ b/utilities/markdown-cheatsheet/about/index.html
@@ -0,0 +1,143 @@
+ About Markdown - 3os
Markdown is a lightweight markup language with plain text formatting syntax. It is designed so that it can be converted to HTML and many other formats using a tool by the same name. Markdown is often used to format readme files, for writing messages in online discussion forums, and to create rich text using a plain text editor. As the initial description of Markdown contained ambiguities and unanswered questions, many implementations and extensions of Markdown appeared over the years to answer these issues.
This Page is fully written with Markdown Language and converted to HTML
This website is built with MkDocs. MkDocs is a static site generator that can be used to generate websites with a clean and simple user interface. It is a free and open source project.
Warning
Most of the advanced features used to generate this website and the Markdown syntax used from Material Theme for MkDocs and may not apply to other websites.
\ No newline at end of file
diff --git a/utilities/markdown-cheatsheet/admonition/index.html b/utilities/markdown-cheatsheet/admonition/index.html
new file mode 100644
index 000000000..587e3082a
--- /dev/null
+++ b/utilities/markdown-cheatsheet/admonition/index.html
@@ -0,0 +1,168 @@
+ Admonitions - 3os
Admonitions, also known as call-outs, are an excellent choice for including side content without significantly interrupting the document flow. Material for MkDocs provides several different types of admonitions and allows for the inclusion and nesting of arbitrary content.
Admonitions follow a simple syntax: a block starts with !!!, followed by a single keyword used as a [type qualifier]. The content of the block follows on the next line, indented by four spaces:
Admonition
!!! note
+
+ Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod
+ nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor
+ massa, nec semper lorem quam in massa.
+
Note
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
By default, the title will equal the type qualifier in titlecase. However, it can be changed by adding a quoted string containing valid Markdown (including links, formatting, ...) after the type qualifier:
Admonition with custom title
!!! note "Phasellus posuere in sem ut cursus"
+
+ Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod
+ nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor
+ massa, nec semper lorem quam in massa.
+
Phasellus posuere in sem ut cursus
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
Similar to [changing the title], the icon and title can be omitted entirely by adding an empty string directly after the type qualifier. Note that this will not work for [collapsible blocks]:
Admonition without title
!!! note ""
+
+ Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod
+ nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor
+ massa, nec semper lorem quam in massa.
+
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
When [Details] is enabled and an admonition block is started with ??? instead of !!!, the admonition is rendered as a collapsible block with a small toggle on the right side:
Admonition, collapsible
??? note
+
+ Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod
+ nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor
+ massa, nec semper lorem quam in massa.
+
Note
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
Adding a + after the ??? token renders the block expanded:
Admonition, collapsible and initially expanded
???+ note
+
+ Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod
+ nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor
+ massa, nec semper lorem quam in massa.
+
Note
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
Following is a list of type qualifiers provided by Material for MkDocs, whereas the default type, and thus fallback for unknown type qualifiers, is note:
note
Note
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
abstract, summary, tldr
Abstract
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
info, todo
Info
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
tip, hint, important
Tip
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
success, check, done
Success
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
question, help, faq
Question
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
warning, caution, attention
Warning
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
failure, fail, missing
Failure
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
danger, error
Danger
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
bug
Bug
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
example
Example
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
quote, cite
Quote
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla et euismod nulla. Curabitur feugiat, tortor non consequat finibus, justo purus auctor massa, nec semper lorem quam in massa.
\ No newline at end of file
diff --git a/utilities/markdown-cheatsheet/awesome-pages/index.html b/utilities/markdown-cheatsheet/awesome-pages/index.html
new file mode 100644
index 000000000..e0138226f
--- /dev/null
+++ b/utilities/markdown-cheatsheet/awesome-pages/index.html
@@ -0,0 +1,265 @@
+ Awesome Pages Plugin - 3os
An MkDocs plugin that simplifies configuring page titles and their order
The awesome-pages plugin allows you to customize how your pages show up the navigation of your MkDocs without having to configure the full structure in your mkdocs.yml. It gives you detailed control using a small configuration file directly placed in the relevant directory of your documentation. MkDocs Awesome Pages Plugin Github Repository
Create a file named .pages in a directory and use the nav attribute to customize the navigation on that level. List the files and subdirectories in the order that they should appear in the navigation.
Pages or sections that are not mentioned in the list will not appear in the navigation. However, you may include a ... entry to specify where all remaining items should be inserted.
nav:
+-introduction.md
+-...
+-summary.md
+
Furthermore, it is possible to filter the remaining items using glob patterns or regular expressions. For example to match only the Markdown files starting with introduction-.
Create a file named .pages in a directory and set the order_by attribute to filename or title to change the order of navigation items.
order_by:title
+
This can be combined with order and/or sort_type above. If order is not set it will order ascending. If no preference is set, it will order by filename.
If you only want to collapse certain pages, create a file called .pages in the directory and set collapse_single_pages to true:
collapse_single_pages:true
+
You may also enable collapsing globally using the plugin option and then use the .pages file to prevent certain sub-sections from being collapsed by setting collapse_single_pages to false.
Note: This feature works recursively. That means it will also collapse multiple levels of single pages.
If you want to enable or disable collapsing of a single page, without applying the setting recursively, create a file called .pages in the directory and set collapse to true or false:
Create a file named .pages in a directory and set the hide attribute to true to hide the directory, including all sub-pages and sub-sections, from the navigation:
hide:true
+
Note: This option only hides the section from the navigation. It will still be included in the build and can be accessed under its URL.
Deprecated:arrange will be removed in the next major release - Use nav instead.
Create a file named .pages in a directory and set the arrange attribute to change the order of how child pages appear in the navigation. This works for actual pages as well as subdirectories.
title:Page Title
+arrange:
+-page1.md
+-page2.md
+-subdirectory
+
If you only specify some pages, they will be positioned at the beginning, followed by the other pages in their original order.
You may also include a ... entry at some position to specify where the rest of the pages should be inserted:
arrange:
+-introduction.md
+-...
+-summary.md
+
In this example introduction.md is positioned at the beginning, summary.md at the end, and any other pages in between.
MkDocs gives you two ways to define the structure of your navigation. Either create a custom navigation manually in mkdocs.yml or use the file structure to generate the navigation. This feature makes it possible to combine both methods. Allowing you to manually define parts of your navigation without having to list all files.
Note: You can freely combine this with all the other features of this plugin. However they will only affect the part of the navigation that is not defined manually.
Use the nav entry in mkdocs.yml to define the custom part of your navigation. Include a ... entry where you want the navigation tree of all remaining pages to be inserted.
The following examples are based on this file structure:
The ... entry can also be placed at a deeper level:
nav:
+-page1.md
+-Rest:
+-...
+
Which would result in the following navigation:
Page 1
Rest
Introduction
Page 2
Folder
Introduction
Page 3
Page 4
Furthermore, it is possible to filter the remaining items using glob patterns or regular expressions. For example to match only files named introduction.md.
The filter only operates on remaining items. This means it will not include items that are explicitly listed in the navigation or items that are matched by another filter that appears earlier in the configuration.
You may also include a rest entry without filter to act as a catch-all, inserting everything that is not matched by a filter.
Unless the filter starts with regex= it is interpreted as glob pattern, however you may also explicitly say so using glob=. The spaces around ... are optional but recommended for readability.
Note: Depending on the characters in your filter, you might also need to use quotes around the whole entry.
Global fallback values for the Meta attributes. Default is None or filename.
Comments
\ No newline at end of file
diff --git a/utilities/markdown-cheatsheet/basic-formatting/index.html b/utilities/markdown-cheatsheet/basic-formatting/index.html
new file mode 100644
index 000000000..358e5b065
--- /dev/null
+++ b/utilities/markdown-cheatsheet/basic-formatting/index.html
@@ -0,0 +1,162 @@
+ Basic Formatting - 3os
Markdown makes it easy to format messages. Type a message as you normally would, then use these the following formatting syntax to render the message a specific way
To create a heading, add number signs (#) in front of a word or phrase. The number of number signs you use should correspond to the heading level. For example, to create a heading level three (h3), use three number signs (e.g., ### My Header).
Headings from h1 through h6 are constructed with a # for each level:
\ No newline at end of file
diff --git a/utilities/markdown-cheatsheet/code-blocks/index.html b/utilities/markdown-cheatsheet/code-blocks/index.html
new file mode 100644
index 000000000..ed299f5ad
--- /dev/null
+++ b/utilities/markdown-cheatsheet/code-blocks/index.html
@@ -0,0 +1,180 @@
+ Code Blocks - 3os
Code blocks and examples are an essential part of technical project documentation. Material for MkDocs provides different ways to set up syntax highlighting for code blocks, either during build time using [Pygments] or during runtime using a JavaScript syntax highlighter.
In order to provide additional context, a custom title can be added to a code block by using the title="<custom title>" option directly after the shortcode, e.g. to display the name of a file:
Example:
Code block with title
```py title="bubble_sort.py"
+def bubble_sort(items):
+ for i in range(len(items)):
+ for j in range(len(items) - 1 - i):
+ if items[j] > items[j + 1]:
+ items[j], items[j + 1] = items[j + 1], items[j]
+```
+
Line numbers can be added to a code block by using the linenums="<start>" option directly after the shortcode, whereas <start> represents the starting line number. A code block can start from a line number other than 1, which allows to split large code blocks for readability:
Code block with line numbers
```py linenums="1"
+def bubble_sort(items):
+ for i in range(len(items)):
+ for j in range(len(items) - 1 - i):
+ if items[j] > items[j + 1]:
+ items[j], items[j + 1] = items[j + 1], items[j]
+```
+
Specific lines can be highlighted by passing the line numbers to the hl_lines argument placed right after the language shortcode. Note that line counts start at 1.
Code block with highlighted lines
```py hl_lines="2 3"
+def bubble_sort(items):
+ for i in range(len(items)):
+ for j in range(len(items) - 1 - i):
+ if items[j] > items[j + 1]:
+ items[j], items[j + 1] = items[j + 1], items[j]
+```
+
When InlineHilite is enabled, syntax highlighting can be applied to inline code blocks by prefixing them with a shebang, i.e. #!, directly followed by the corresponding language shortcode
Example:
Inline code block
The `#!python range()` function is used to generate a sequence of numbers.
+
Result:
The range() function is used to generate a sequence of numbers.
\ No newline at end of file
diff --git a/utilities/markdown-cheatsheet/content-tabs/index.html b/utilities/markdown-cheatsheet/content-tabs/index.html
new file mode 100644
index 000000000..818ed7f8d
--- /dev/null
+++ b/utilities/markdown-cheatsheet/content-tabs/index.html
@@ -0,0 +1,210 @@
+ Content Tabs - 3os
Sometimes, it's desirable to group alternative content under different tabs, e.g. when describing how to access an API from different languages or environments. Material for MkDocs allows for beautiful and functional tabs, grouping code blocks and other content.
Code blocks are one of the primary targets to be grouped, and can be considered a special case of content tabs, as tabs with a single code block are always rendered without horizontal spacing:
When a content tab contains more than one code block, it is rendered with horizontal spacing. Vertical spacing is never added, but can be achieved by nesting tabs in other blocks:
Example:
Content tabs
=== "Unordered list"
+
+ * Sed sagittis eleifend rutrum
+ * Donec vitae suscipit est
+ * Nulla tempor lobortis orci
+
+=== "Ordered list"
+
+ 1. Sed sagittis eleifend rutrum
+ 2. Donec vitae suscipit est
+ 3. Nulla tempor lobortis orci
+
When [SuperFences] is enabled, content tabs can contain arbitrary nested content, including further content tabs, and can be nested in other blocks like [admonitions] or blockquotes:
Example:
Content tabs in admonition
!!! example
+
+ === "Unordered List"
+
+ ``` markdown
+ * Sed sagittis eleifend rutrum
+ * Donec vitae suscipit est
+ * Nulla tempor lobortis orci
+ ```
+
+ === "Ordered List"
+
+ ``` markdown
+ 1. Sed sagittis eleifend rutrum
+ 2. Donec vitae suscipit est
+ 3. Nulla tempor lobortis orci
+ ```
+
Result:
Example
*Sed sagittis eleifend rutrum
+*Donec vitae suscipit est
+*Nulla tempor lobortis orci
+
1. Sed sagittis eleifend rutrum
+2. Donec vitae suscipit est
+3. Nulla tempor lobortis orci
+
\ No newline at end of file
diff --git a/utilities/markdown-cheatsheet/diagrams/index.html b/utilities/markdown-cheatsheet/diagrams/index.html
new file mode 100644
index 000000000..62a436fe8
--- /dev/null
+++ b/utilities/markdown-cheatsheet/diagrams/index.html
@@ -0,0 +1,260 @@
+ Diagrams - 3os
Diagrams help to communicate complex relationships and interconnections between different technical components, and are a great addition to project documentation. Material for MkDocs integrates with Mermaid.js, a very popular and flexible solution for drawing diagrams.
Flowcharts are diagrams that represent workflows or processes. The steps are rendered as nodes of various kinds and are connected by edges, describing the necessary order of steps:
Flow chart
```mermaid
+graph LR
+ A[Start] --> B{Error?};
+ B -->|Yes| C[Hmm...];
+ C --> D[Debug];
+ D --> B;
+ B ---->|No| E[Yay!];
+```
+
Result:
graph LR
+ A[Start] --> B{Error?};
+ B -->|Yes| C[Hmm...];
+ C --> D[Debug];
+ D --> B;
+ B ---->|No| E[Yay!];
Sequence diagrams describe a specific scenario as sequential interactions between multiple objects or actors, including the messages that are exchanged between those actors:
Sequence diagram
```mermaid
+sequenceDiagram
+ Alice->>John: Hello John, how are you?
+ loop Healthcheck
+ John->>John: Fight against hypochondria
+ end
+ Note right of John: Rational thoughts!
+ John-->>Alice: Great!
+ John->>Bob: How about you?
+ Bob-->>John: Jolly good!
+```
+
Result:
sequenceDiagram
+ Alice->>John: Hello John, how are you?
+ loop Healthcheck
+ John->>John: Fight against hypochondria
+ end
+ Note right of John: Rational thoughts!
+ John-->>Alice: Great!
+ John->>Bob: How about you?
+ Bob-->>John: Jolly good!
State diagrams are a great tool to describe the behavior of a system, decomposing it into a finite number of states, and transitions between those states:
Class diagrams are central to object oriented programing, describing the structure of a system by modelling entities as classes and relationships between them:
Class diagram
```mermaid
+classDiagram
+ Person <|-- Student
+ Person <|-- Professor
+ Person : +String name
+ Person : +String phoneNumber
+ Person : +String emailAddress
+ Person: +purchaseParkingPass()
+ Address "1" <-- "0..1" Person:lives at
+ class Student{
+ +int studentNumber
+ +int averageMark
+ +isEligibleToEnrol()
+ +getSeminarsTaken()
+ }
+ class Professor{
+ +int salary
+ }
+ class Address{
+ +String street
+ +String city
+ +String state
+ +int postalCode
+ +String country
+ -validate()
+ +outputAsLabel()
+ }
+```
+
Result:
classDiagram
+ Person <|-- Student
+ Person <|-- Professor
+ Person : +String name
+ Person : +String phoneNumber
+ Person : +String emailAddress
+ Person: +purchaseParkingPass()
+ Address "1" <-- "0..1" Person:lives at
+ class Student{
+ +int studentNumber
+ +int averageMark
+ +isEligibleToEnrol()
+ +getSeminarsTaken()
+ }
+ class Professor{
+ +int salary
+ }
+ class Address{
+ +String street
+ +String city
+ +String state
+ +int postalCode
+ +String country
+ -validate()
+ +outputAsLabel()
+ }
An entity-relationship diagram is composed of entity types and specifies relationships that exist between entities. It describes inter-related things in a specific domain of knowledge:
MkDocs Embed External Markdown plugin that allows to inject section or full markdown content from a given url. The goal is to embed different markdown from different sources inside your MkDocs project.
One of the best features of Material for MkDocs is the possibility to use more then with thousands of emojis in your project documentation with practically zero additional effort. Use Mkdocs Material Icon Search to find the icons and emojis you need.
:fontawesome-regular-bell: - Fontawesome Icon: Bell
+:material-bell: - Material Icon: Bell
+:octicons-bell-24: - Octicons Icon: Bell
+:bell: - Emoji: Bell
+
Result:
- Fontawesome Icon: Bell - Material Icon: Bell - Octicons Icon: Bell - Emoji: Bell
\ No newline at end of file
diff --git a/utilities/markdown-cheatsheet/images/index.html b/utilities/markdown-cheatsheet/images/index.html
new file mode 100644
index 000000000..05a64ed4f
--- /dev/null
+++ b/utilities/markdown-cheatsheet/images/index.html
@@ -0,0 +1,161 @@
+ Images - 3os
Markdown is a text format so naturally you can type in the Markdown representation of an image using examples below to put an image reference directly into the editor.
Warning
This site uses the Material Design for MkDocs theme with the following CSS overrides there for the results in your case may differ.
![minion][internal-source]{: style="width:200px"}
+
+[internal-source]: /assets/images/markdown-cheatsheet/minion.png 'Title of the image'
+
Result:
\ No newline at end of file
diff --git a/utilities/markdown-cheatsheet/links/index.html b/utilities/markdown-cheatsheet/links/index.html
new file mode 100644
index 000000000..86821bd8f
--- /dev/null
+++ b/utilities/markdown-cheatsheet/links/index.html
@@ -0,0 +1,159 @@
+ Links - 3os
[![This is Image with link][image-link]][url-link]{target=\_blank}
+
+[image-link]: /assets/images/markdown-cheatsheet/minion200x200.png 'Minion'
+[url-link]: https://github.com/fire1ce 'Go to Github'
+
\ No newline at end of file
diff --git a/utilities/markdown-cheatsheet/tables-lists-quotes/index.html b/utilities/markdown-cheatsheet/tables-lists-quotes/index.html
new file mode 100644
index 000000000..82ba2275b
--- /dev/null
+++ b/utilities/markdown-cheatsheet/tables-lists-quotes/index.html
@@ -0,0 +1,188 @@
+ Tables, Lists and Quotes - 3os
A table in Markdown consists of two parts: the header and the rows of data in the table. As per the Markdown spec:
pipe (|) character separates the individual columns in a table.
(-) hyphens act as a delimiter row to separate the header row from the body.
(:) colon to align cell contents.
Table Example
| **Option** | **Description** |
+| ---------- | ------------------------------------------ |
+| data | path to data files to supply the data. |
+| engine | engine to be used for processing templates |
+| ext | extension to be used for dest files. |
+
If you want to align a specific column to the left, center or right, you can use the [regular Markdown syntax] placing : characters at the beginning and/or end of the divider.
Bullet point lists can be created by starting each line with an asterisk followed by a space before the content of the bullet point. Note that the space is important and should not be forgotten.
Example:
Unordered List Example
-Lorem ipsum dolor sit amet
+-Consectetur adipiscing elit
+-Integer molestie lorem at massa
+-Facilisis in pretium nisl aliquet
+
Similarly, numbered lists can be created by starting each line with a number followed by a space and then the relevant text.
Ordered List Example
1. Lorem ipsum dolor sit amet
+2. Consectetur adipiscing elit
+3. Integer molestie lorem at massa
+4. Faucibus porta lacus fringilla vel
+5. Aenean sit amet erat nunc
+6. Eget porttitor lorem
+
A task list is a set of tasks that each render on a separate line with a clickable checkbox. You can select or deselect the checkboxes to mark the tasks as complete or incomplete.
You can use Markdown to create a task list in any comment on GitHub. If you reference an issue, pull request, or discussion in a task list, the reference will unfurl to show the title and state.
Example:
Task List Example
- [x] Lorem ipsum dolor sit amet, consectetur adipiscing elit
+- [ ] Vestibulum convallis sit amet nisi a tincidunt
+- [x] In hac habitasse platea dictumst
+- [x] In scelerisque nibh non dolor mollis congue sed et metus
+- [ ] Praesent sed risus massa
+- [ ] Aenean pretium efficitur erat, donec pharetra, ligula non scelerisque
+
Result:
Lorem ipsum dolor sit amet, consectetur adipiscing elit
Vestibulum convallis sit amet nisi a tincidunt
In hac habitasse platea dictumst
In scelerisque nibh non dolor mollis congue sed et metus
Praesent sed risus massa
Aenean pretium efficitur erat, donec pharetra, ligula non scelerisque
For quoting blocks of content from another source within your document.
Add > before any text you want to quote.
Quoting Blocks Example
> Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer posuere erat a ante.
+> Donec massa lacus, ultricies a ullamcorper in, fermentum sed augue.
+
Result:
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer posuere erat a ante. Donec massa lacus, ultricies a ullamcorper in, fermentum sed augue.
> Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer posuere erat a ante.
+> Donec massa lacus, ultricies a ullamcorper in, fermentum sed augue.
+>
+> > Sed adipiscing elit vitae augue consectetur a gravida nunc vehicula. Donec auctorodio
+> > non est accumsan facilisis. Aliquam id turpis in dolor tincidunt mollis ac eu diam.
+
Result:
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer posuere erat a ante. Donec massa lacus, ultricies a ullamcorper in, fermentum sed augue.
Sed adipiscing elit vitae augue consectetur a gravida nunc vehicula. Donec auctorodio non est accumsan facilisis. Aliquam id turpis in dolor tincidunt mollis ac eu diam.
\ No newline at end of file
diff --git a/utilities/useful-links-tools/index.html b/utilities/useful-links-tools/index.html
new file mode 100644
index 000000000..a2b89f8f7
--- /dev/null
+++ b/utilities/useful-links-tools/index.html
@@ -0,0 +1,167 @@
+ Useful Links & Tools - 3os
\ No newline at end of file
diff --git a/utilities/wifiQrGenerator/index.html b/utilities/wifiQrGenerator/index.html
new file mode 100644
index 000000000..2f123b6c6
--- /dev/null
+++ b/utilities/wifiQrGenerator/index.html
@@ -0,0 +1,167 @@
+ Wifi QR Image Generator - 3os
This will generate a QR code what can be used with any iOS/Android device to access a given Wifi without manually adding a network and password. Just scan the QR Code and you are connected. This is a fully static code - no data is send to any server!
This code was taken from this site qistoph Github Page. It was fully reviewed for any malicious code or functionality and slightly modified to fit this site
Comments
\ No newline at end of file
diff --git a/windows/guides/declare-locations/index.html b/windows/guides/declare-locations/index.html
new file mode 100644
index 000000000..2b236620a
--- /dev/null
+++ b/windows/guides/declare-locations/index.html
@@ -0,0 +1,171 @@
+ Declare Locations as "Inside Your Local Network" - 3os
The Intranet Zone is the most trusted and least protected zone. DO NOT put any subnets or IP addresses in this zone unless they are TOTALLY under YOUR control. That includes ANY public server, web site, subnet, or IP address.
Select 'Control Panel'/'Internet Properties'/'Security' tab. (Alternatively, open Internet Explorer and select 'Tools'/'Internet Options'/'Security' tab.)
Highlight 'Local Intranet' and click 'Sites'.
Set the following: Uncheck 'Automatically detect intranet network'.Check 'Include all local (intranet) sites not listed in other zones'.Uncheck 'Include all sites that bypass the proxy server'.Check 'Include all network paths (UNCs)'.​
Click 'Advanced'
Uncheck 'Require server verification (https:) for all sites in this zone'.
In the field labeled 'Add this web site to the zone:', add your local, private subnet using an asterisk for a network mask and click 'Add'. E.g. If your home (local) network is 192.168.25.0 with a mask of 255.255.255.0, enter '192.168.25.*' (without the quotes).
Note
Entries can be:​
* Individual IP addresses (e.g. '192.168.5.25', etc.),
+* Class C subnets (e.g. '192.168.27.*'),
+* Class B subnets (e.g. '172.16.*.*'), or
+* Class A subnets (e.g. '10.*.*.*')​
+
You can add as many addresses as you need to the list It can be handy add the address of a VPN subnet to the list if it is also private and you TOTALLY trust it.​
Close out with 'Close'/'OK'/'OK' and close the Control Panel (or Internet Explorer).
Comments
\ No newline at end of file
diff --git a/windows/guides/email-from-task-scheduler/index.html b/windows/guides/email-from-task-scheduler/index.html
new file mode 100644
index 000000000..49fb122d9
--- /dev/null
+++ b/windows/guides/email-from-task-scheduler/index.html
@@ -0,0 +1,168 @@
+ Send Emails From The Windows Task Scheduler - 3os
First, download SendEmail, a free (and open source) tool for sending emails from the command line. Extract the downloaded archive into a folder on your computer.
Next, launch the Windows Task Scheduler and create a new task – consult our guide to creating scheduled tasks for more information. You can create a task that automatically sends an email at a specific time or a task that sends an email in response to a specific event.
When you reach the Action window, select Start a program instead of Send an e-mail.
In the Program/script box, use the Browse button and navigate to the SendEmail.exe file on your computer.
Finally, you’ll have to add the arguments required to authenticate with your SMTP server and construct your email. Here’s a list of the options you can use with SendEmail:
-t EMAIL – The destination email address. You can send an email to multiple addresses by including a space between each address after the -t option.
-cc EMAIL – Any addresses you’d like to CC on the email. You can specify multiple addresses by placing a space between each email address, just as with the -t command above.
-bcc EMAIL – The BCC version of the CC option above.
-a ATTACHMENT – The path of a file you’d like to attach. This is optional.
For example, let’s say your email address is example@gmail.com and you’d like to send an email to person@example.com. You’d use the following options:
-f example@gmail.com -t person@example.com -u Subject -m This is the body text! -s smtp.gmail.com:587 -xu example@gmail.com -xp password -o tls=yes
+
Once you’ve put together your options, copy and paste them into the Add arguments box.
Save your task and you’re done. Your task will automatically send email on the schedule (or in response to the event) you specified.
Comments
\ No newline at end of file
diff --git a/windows/ssh-server/index.html b/windows/ssh-server/index.html
new file mode 100644
index 000000000..c8124f625
--- /dev/null
+++ b/windows/ssh-server/index.html
@@ -0,0 +1,179 @@
+ Windows SSH Server - 3os
Sometime you need to connect to a remote server via SSH. Usually it's the main connection to linux servers. But you can also connect to a windows server via SSH. At this guide we will show you how to install and configure a windows ssh server, including SSH Keys authentication.
if(!(Get-NetFirewallRule-Name"OpenSSH-Server-In-TCP"-ErrorActionSilentlyContinue|Select-ObjectName,Enabled)){Write-Output"Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..."New-NetFirewallRule-Name'OpenSSH-Server-In-TCP'-DisplayName'OpenSSH Server (sshd)'-EnabledTrue-DirectionInbound-ProtocolTCP-ActionAllow-LocalPort22}else{Write-Output"Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."}
+
At this point you should be able to connect via SSH to the Windows server with your username and password.
Test the SSH connection to the Windows server from remote machine with the SSH Key. You should be able to connect to the Windows server with your SSH key
Create a .ssh directory in the home directory of the user.
```path
+C:\Users\<username>\.ssh\
+
Create the file: authorized_keys at the following location:
C:\Users\<username>\.ssh\authorized_keys
+
Edit the file and add you SSH public key to the file.
Test the SSH connection to the Windows server from remote machine with the SSH Key. You should be able to connect with non-administrator user to the Windows server with your SSH key
Next to you connet to the Windows SSG server it should start the PowerShell shell.
It should look something like this:
Comments
\ No newline at end of file
diff --git a/windows/useful-software/index.html b/windows/useful-software/index.html
new file mode 100644
index 000000000..758774b77
--- /dev/null
+++ b/windows/useful-software/index.html
@@ -0,0 +1,167 @@
+ Useful Software - 3os
\ No newline at end of file
diff --git a/windows/windows-servers/index.html b/windows/windows-servers/index.html
new file mode 100644
index 000000000..d341d89cd
--- /dev/null
+++ b/windows/windows-servers/index.html
@@ -0,0 +1,171 @@
+ Windows Servers - 3os
At Server Manager click Configure this local server
Computer name - rename the server's name
Remote Desktop - allow RDP
Ethernet instance - disable IPV6
Feedback & Diagnostics - set Feedback frequency to Never
IE Enhanced Security Configuration - Off
Time zone - set the current timezone, At Internet Time tab chanche time.windwos.com to time.nist.gov
Open gpedit.msc with Run
Local Computer Policy -> Administrative Templates -> System -> Display Shutdown Even Tracker - Disable
Local Computer Policy -> Windows Settings -> Security Settings -> Local Policies -> Security Options ->Interactive logon: Do not require CTRL+ALT+DEL - Enable
When using the Evaluation version of Windows Server, the desktop displays the current build and the time until the end of the grace period (Windows License valid for 180 days).
\ No newline at end of file
diff --git a/windows/windows-ssh-agent-with-keys/index.html b/windows/windows-ssh-agent-with-keys/index.html
new file mode 100644
index 000000000..a37222394
--- /dev/null
+++ b/windows/windows-ssh-agent-with-keys/index.html
@@ -0,0 +1,187 @@
+ Windows SSH with ed25519 Keys - 3os
Authors: fire1ce | Created: 2023-07-05 | Last update: 2023-07-05
Windows SSH Client with ed25519 Keys for Secure Connections¶
In the modern digital age, ensuring the security of your connections is critical. This guide will walk you through the steps to configure the SSH client and SSH agent on Windows using ed25519 keys, allowing for secure connections to services like Git and remote servers.
SSH, or Secure Shell, is a cryptographic network protocol for secure communication over an unsecured network. It is particularly used for secure logins, file transfers, and command-line operations.
ed25519 is a public-key signature system that is renowned for high security with relatively short key lengths. This makes it faster and more efficient compared to older algorithms such as RSA.
The above below should be performed in PowerShell with regular user privileges.
Generate ed25519 SSH keys:
ssh-keygen-ted25519-C"your_email@example.com"
+
This command generates an ed25519 key pair. The default location for the keys is C:\Users\<YourUsername>\.ssh. The private key is named id_ed25519 and the public key is named id_ed25519.pub.
Adding the ed25519 SSH Key to the SSH Agent:
ssh-add$env:USERPROFILE\.ssh\id_ed25519
+
If your keys are stored in a different location or have a different name, you can specify the full path to the key file as an argument to ssh-add. For example:
If you already have an existing pair of ed25519 SSH keys that you would like to use, you can import them into your SSH Agent.
Note
The above below should be performed in PowerShell with regular user privileges.
Copy your existing private key to the default SSH folder. The default folder for SSH keys is typically C:\Users\<YourUsername>\.ssh. Make sure the private key file you are copying is named id_ed25519.
Add the existing ed25519 SSH Key to the SSH Agent:
ssh-add$env:USERPROFILE\.ssh\id_ed25519
+
Note: If your private key file is located in a different path or has a different name, you can specify the full path to the key file as an argument to ssh-add. For example:
ssh-addC:\path\to\your\private-key-file
+
Copy your existing public key to the servers or services you want to connect to. This typically involves appending the contents of your public key file to the ~/.ssh/authorized_keys file on the server.
Step 5: Using SSH with ed25519 Keys for Secure Connections¶
Now that you have your ed25519 SSH keys generated or imported, and added to the SSH Agent, you can use SSH to connect to remote servers or services like Git securely.
For example, to connect to a remote server:
sshusername@remote_host
+
Using SSH keys will also allow you to interact with Git repositories securely, which is especially helpful when dealing with private repositories or pushing code changes.
By following this guide, you have configured the SSH client and SSH agent on your Windows system using ed25519 keys. This configuration ensures secure communication with services like Git and remote servers, safeguarding the integrity and security of your data.
Comments
\ No newline at end of file
diff --git a/windows/windows-tweaks/index.html b/windows/windows-tweaks/index.html
new file mode 100644
index 000000000..fe1e899ec
--- /dev/null
+++ b/windows/windows-tweaks/index.html
@@ -0,0 +1,177 @@
+ Windwos 10/11 Tweeks - 3os
Repository Deprecation Notice: This project is now deprecated and archived due to the release of UniFi's firmware v2.x and v3.x for Dream Machnines, which natively fix the fan speed issues.
This Page is fully written with Markdown Language and converted to HTML
- Emoji: Bell
In the Program/script box, use the Browse button and navigate to the SendEmail.exe file on your computer.
