HighLow Withdrawal Legit Binary Trading Account

Ethereum on ARM. New Eth2.0 Raspberry Pi 4 image for joining the Medalla multi-client testnet. Step-by-step guide for installing and activating a validator (Prysm, Teku, Lighthouse and Nimbus clients included)

TL;DR: Flash your Raspberry Pi 4, plug in an ethernet cable, connect the SSD disk and power up the device to join the Eth2.0 medalla testnet.
The image takes care of all the necessary steps to join the Eth2.0 Medalla multi-client testnet [1], from setting up the environment and formatting the SSD disk to installing, managing and running the Eth1.0 and Eth2.0 clients.
You will only need to choose an Eth2.0 client, start the beacon chain service and activate / run the validator.
Note: this is an update for our previous Raspberry Pi 4 Eth2 image [2] so some of the instructions are directly taken from there.

MAIN FEATURES

SOFTWARE INCLUDED

INSTALLATION GUIDE AND USAGE

RECOMMENDED HARDWARE AND SETUP
STORAGE
You will need an SSD to run the Ethereum clients (without an SSD drive there’s absolutely no chance of syncing the Ethereum blockchain). There are 2 options:
Use an USB portable SSD disk such as the Samsung T5 Portable SSD.
Use an USB 3.0 External Hard Drive Case with a SSD Disk. In our case we used a Inateck 2.5 Hard Drive Enclosure FE2011. Make sure to buy a case with an UASP compliant chip, particularly, one of these: JMicron (JMS567 or JMS578) or ASMedia (ASM1153E).
In both cases, avoid getting low quality SSD disks as it is a key component of your node and it can drastically affect the performance (and sync times). Keep in mind that you need to plug the disk to an USB 3.0 port (in blue).
IMAGE DOWNLOAD AND INSTALLATION
1.- Download the image:
http://www.ethraspbian.com/downloads/ubuntu-20.04.1-preinstalled-server-arm64+raspi-eth2-medalla.img.zip
SHA256 149cb9b020d1c49fcf75c00449c74c6f38364df1700534b5e87f970080597d87
2.- Flash the image
Insert the microSD in your Desktop / Laptop and download the file.
Note: If you are not comfortable with command line or if you are running Windows, you can use Etcher [10]
Open a terminal and check your MicroSD device name running:
sudo fdisk -l
You should see a device named mmcblk0 or sdd. Unzip and flash the image:
unzip ubuntu-20.04.1-preinstalled-server-arm64+raspi-eth2-medalla.img.zip
sudo dd bs=1M if=ubuntu-20.04.1-preinstalled-server-arm64+raspi.img of=/dev/mmcblk0 conv=fdatasync status=progress
3.- Insert de MicroSD into the Raspberry Pi 4. Connect an Ethernet cable and attach the USB SSD disk (make sure you are using a blue port).
4.- Power on the device
The Ubuntu OS will boot up in less than one minute but you will need to wait approximately 7-8 minutes in order to allow the script to perform the necessary tasks to install the Medalla setup (it will reboot again)
5.- Log in
You can log in through SSH or using the console (if you have a monitor and keyboard attached)
User: ethereum Password: ethereum 
You will be prompted to change the password on first login, so you will need to log in twice.
6.- Forward 30303 port in your router (both UDP and TCP). If you don’t know how to do this, google “port forwarding” followed by your router model. You will need to open additional ports as well depending on the Eth2.0 client you’ve chosen.
7.- Getting console output
You can see what’s happening in the background by typing:
sudo tail -f /valog/syslog
8.- Grafana Dashboards
There are 5 Grafana dashboards available to monitor the Medalla node (see section “Grafana Dashboards” below).

The Medalla Eth2.0 multi-client testnet

Medalla is the official Eth2.0 multi-client testnet according to the latest official specification for Eth2.0, the v0.12.2 [11] release (which is aimed to be the final) [12].
In order to run a Medalla Eth 2.0 node you will need 3 components:
The image takes care of the Eth1.0 setup. So, once flashed (and after a first reboot), Geth (Eth1.0 client) starts to sync the Goerli testnet.
Follow these steps to enable your Eth2.0 Ethereum node:
CREATE THE VALIDATOR KEYS AND MAKE THE DEPOSIT
We need to get 32 Goerli ETH (fake ETH) ir order to make the deposit in the Eth2.0 contract and run the validator. The easiest way of getting ETH is by joining Prysm Discord's channel.
Open Metamask [14], select the Goerli Network (top of the window) and copy your ETH Address. Go to:
https://discord.com/invite/YMVYzv6
And open the “request-goerli-eth” channel (on the left)
Type:
!send $YOUR_ETH_ADDRESS (replace it with the one copied on Metamask)
You will receive enough ETH to run 1 validator.
Now it is time to create your validator keys and the deposit information. For your convenience we’ve packaged the official Eth2 launchpad tool [4]. Go to the EF Eth2.0 launchpad site:
https://medalla.launchpad.ethereum.org/
And click “Get started”
Read and accept all warnings. In the next screen, select 1 validator and go to your Raspberry Pi console. Under the ethereum account run:
cd && deposit --num_validators 1 --chain medalla
Choose your mnemonic language and type a password for keeping your keys safe. Write down your mnemonic password, press any key and type it again as requested.
Now you have 2 Json files under the validator_keys directory. A deposit data file for sending the 32 ETH along with your validator public key to the Eth1 chain (goerli testnet) and a keystore file with your validator keys.
Back to the Launchpad website, check "I am keeping my keys safe and have written down my mnemonic phrase" and click "Continue".
It is time to send the 32 ETH deposit to the Eth1 chain. You need the deposit file (located in your Raspberry Pi). You can, either copy and paste the file content and save it as a new file in your desktop or copy the file from the Raspberry to your desktop through SSH.
1.- Copy and paste: Connected through SSH to your Raspberry Pi, type:
cat validator_keys/deposit_data-$FILE-ID.json (replace $FILE-ID with yours)
Copy the content (the text in square brackets), go back to your desktop, paste it into your favourite editor and save it as a json file.
Or
2.- Ssh: From your desktop, copy the file:
scp [email protected]$YOUR_RASPBERRYPI_IP:/home/ethereum/validator_keys/deposit_data-$FILE_ID.json /tmp
Replace the variables with your data. This will copy the file to your desktop /tmp directory.
Upload the deposit file
Now, back to the Launchpad website, upload the deposit_data file and select Metamask, click continue and check all warnings. Continue and click “Initiate the Transaction”. Confirm the transaction in Metamask and wait for the confirmation (a notification will pop up shortly).
The Beacon Chain (which is connected to the Eth1 chain) will detect this deposit (that includes the validator public key) and the Validator will be enabled.
Congrats!, you just started your validator activation process.
CHOOSE AN ETH2.0 CLIENT
Time to choose your Eth2.0 client. We encourage you to run Lighthouse, Teku or Nimbus as Prysm is the most used client by far and diversity is key to achieve a resilient and healthy Eth2.0 network.
Once you have decided which client to run (as said, try to run one with low network usage), you need to set up the clients and start both, the beacon chain and the validator.
These are the instructions for enabling each client (Remember, choose just one Eth2.0 client out of 4):
LIGHTHOUSE ETH2.0 CLIENT
1.- Port forwarding
You need to open the 9000 port in your router (both UDP and TCP)
2.- Start the beacon chain
Under the ethereum account, run:
sudo systemctl enable lighthouse-beacon
sudo systemctl start lighthouse-beacon
3.- Start de validator
We need to import the validator keys. Run under the ethereum account:
lighthouse account validator import --directory=/home/ethereum/validator_keys
Then, type your previously defined password and run:
sudo systemctl enable lighthouse-validator
sudo systemctl start lighthouse-validator
The Lighthouse beacon chain and validator are now enabled

PRYSM ETH2.0 CLIENT
1.- Port forwarding
You need to open the 13000 and 12000 ports in your router (both UDP and TCP)
2.- Start the beacon chain
Under the ethereum account, run:
sudo systemctl enable prysm-beacon
sudo systemctl start prysm-beacon
3.- Start de validator
We need to import the validator keys. Run under the ethereum account:
validator accounts-v2 import --keys-dir=/home/ethereum/validator_keys
Accept the default wallet path and enter a password for your wallet. Now enter the password previously defined.
Lastly, set up your password and start the client:
echo "$YOUR_PASSWORD" > /home/ethereum/validator_keys/prysm-password.txt
sudo systemctl enable prysm-validator
sudo systemctl start prysm-validator
The Prysm beacon chain and the validator are now enabled.

TEKU ETH2.0 CLIENT
1.- Port forwarding
You need to open the 9151 port (both UDP and TCP)
2.- Start the Beacon Chain and the Validator
Under the Ethereum account, check the name of your keystore file:
ls /home/ethereum/validator_keys/keystore*
Set the keystore file name in the teku config file (replace the $KEYSTORE_FILE variable with the file listed above)
sudo sed -i 's/changeme/$KEYSTORE_FILE/' /etc/ethereum/teku.conf
Set the password previously entered:
echo "yourpassword" > validator_keys/teku-password.txt
Start the beacon chain and the validator:
sudo systemctl enable teku
sudo systemctl start teku
The Teku beacon chain and validator are now enabled.

NIMBUS ETH2.0 CLIENT
1.- Port forwarding
You need to open the 19000 port (both UDP and TCP)
2.- Start the Beacon Chain and the Validator
We need to import the validator keys. Run under the ethereum account:
beacon_node deposits import /home/ethereum/validator_keys --data-dir=/home/ethereum/.nimbus --log-file=/home/ethereum/.nimbus/nimbus.log
Enter the password previously defined and run:
sudo systemctl enable nimbus
sudo systemctl start nimbus
The Nimbus beacon chain and validator are now enabled.

WHAT's NEXT
Now you need to wait for the Eth1 blockchain and the beacon chain to get synced. In a few hours the validator will get enabled and put into a queue. These are the validator status that you will see until its final activation:
Finally, it will get activated and the staking process will start.
Congratulations!, you join the Medalla Eth2.0 multiclient testnet!

Grafana Dashboards

We configured 5 Grafana Dashboards to let users monitor both Eth1.0 and Eth2.0 clients. To access the dashboards just open your browser and type your Raspberry IP followed by the 3000 port:
http://replace_with_your_IP:3000 user: admin passwd: ethereum 
There are 5 dashboards available:
Lots of info here. You can see for example if Geth is in sync by checking (in the Blockchain section) if Headers, Receipts and Blocks fields are aligned or find Eth2.0 chain info.

Updating the software

We will be keeping the Eth2.0 clients updated through Debian packages in order to keep up with the testnet progress. Basically, you need to update the repo and install the packages through the apt command. For instance, in order to update all packages you would run:
sudo apt-get update && sudo apt-get install geth teku nimbus prysm-beacon prysm-validator lighthouse-beacon lighthouse-validator
Please follow us on Twitter in order to get regular updates and install instructions.
https://twitter.com/EthereumOnARM

References

  1. https://github.com/goerli/medalla/tree/mastemedalla
  2. https://www.reddit.com/ethereum/comments/hhvi2ethereum_on_arm_new_eth20_raspberry_pi_4_image/
  3. https://github.com/ethereum/go-ethereum/releases/tag/v1.9.20
  4. https://github.com/ethereum/eth2.0-deposit-cli/releases
  5. https://github.com/prysmaticlabs/prysm/releases/tag/v1.0.0-alpha.23
  6. https://github.com/PegaSysEng/teku
  7. https://github.com/sigp/lighthouse/releases/tag/v0.2.8
  8. https://github.com/status-im/nim-beacon-chain
  9. https://grafana.com
  10. https://www.balena.io/etcher
  11. https://github.com/ethereum/eth2.0-specs/releases/tag/v0.12.2
  12. https://blog.ethereum.org/2020/08/03/eth2-quick-update-no-14
  13. https://goerli.net
  14. https://metamask.io
submitted by diglos76 to ethereum [link] [comments]

Ethereum on ARM. New Eth2.0 Raspberry pi 4 image for automatically joining Prylabs Onyx Eth2.0 testnet. Step-by-step guide for installing and activating a validator.

TL;DR: Flash your Raspberry Pi 4, plug in an ethernet cable, connect the SSD disk and power up the device to join the Eth2.0 Onyx testnet.
The image takes care of all the necessary steps to join the Eth2.0 Onyx testnet [1], from setting up the environment and formatting the SSD disk to installing and running the Ethereum Eth1.0 and Eth2.0 clients as well as starting the blockchains synchronization (for both Geth Eth1.0 Goerli [2] and Prysm [3] Eth2.0 Beacon Chain).
You will only need to create a validator account, send the deposit of 32 Goerli ETH to the Onyx contract and start the validator systemd service.
MAIN FEATURES
SOFTWARE INCLUDED

INSTALLATION GUIDE AND USAGE

RECOMMENDED HARDWARE AND SETUP
STORAGE
You will need and SSD to run the Ethereum clients (without an SSD drive there’s absolutely no chance of syncing the Ethereum blockchain). There are 2 options:
In both cases, avoid getting low quality SSD disks as it is a key component of you node and it can drastically affect the performance (and sync times). Keep in mind that you need to plug the disk to an USB 3.0 port (in blue).
IMAGE DOWNLOAD AND INSTALLATION
1.- Download the image:
http://www.ethraspbian.com/downloads/ubuntu-20.04-preinstalled-server-arm64+raspi-eth2-onyx.img.zip
SHA256 13bc7ac4de6e18093b99213511791b2a24b659727b22a8a8d44f583e73a507cc
2.- Flash the image
Insert the microSD in your Desktop / Laptop and download the file:
Note: If you are not comfortable with command line or if you are running Windows, you can use Etcher [8]
Open a terminal and check your MicroSD device name running:
sudo fdisk -l 
You should see a device named mmcblk0 or sdd. Unzip and flash the image:
unzip ubuntu-20.04-preinstalled-server-arm64+raspi-eth2-onyx.img.zip sudo dd bs=1M if=ubuntu-20.04-preinstalled-server-arm64+raspi.img of=/dev/mmcblk0 conv=fdatasync status=progress 
3.- Insert de MicroSD into the Raspberry Pi 4. Connect an Ethernet cable and attach the USB SSD disk (make sure you are using a blue port).
4.- Power on the device
The Ubuntu OS will boot up in less than one minute but you will need to wait approximately 7 minutes in order to allow the script to perform the necessary tasks to join the Onyx testnet (it will reboot again)
5.- Log in
You can log in through SSH or using the console (if you have a monitor and keyboard attached)
User: ethereum Password: ethereum 
You will be prompted to change the password on first login, so you will need to log in twice.
6.- Forward 30303 and 13000 ports in your router (both UDP and TCP). If you don’t know how to do this, google “port forwarding” followed by your router model.
7.- Getting console output
You can see what’s happening in the background by typing:
sudo tail -f /valog/syslog 
7.- Grafana Dashboards
There are 2 Grafana dashboards to monitor the node (see section “Grafana Dashboards below”.
See [9]

The Onyx Eth2.0 testnet

Onyx is an Eth2.0 testnet created by Prylabs according to the latest official specification for Eth2.0, the v0.12.1 [10] release (which is aimed to be the final).
In order to run an Onyx Eth 2.0 node you will need 3 components:
The image takes care of the Eth1.0 Geth and Eth2.0 Beacon Chain configurations and syncs. So, once flashed (and after a first reboot), Geth (Eth1.0 client) starts syncing the Goerli testnet and the Beacon Chain (Eth2.0 client) gets activated through the Prysm client, both as systemd services.
When the Goerli testnet sync is completed, the Beacon Chain starts syncing. Both chains are necessary as the validator needs to communicate with them (as explained below).
Activating the validator
Once Goerli and the Beacon chain are in sync you have just one task left, configure the Validator for enabling the staking process.
The image provides the Prysm validator client for running the staking process. With this validator, you will create an account with 2 keys (public and private) and get an HEX string that needs to be sent to the Eth 1.0 blockchain as data through a 32 ETH transaction.
The Beacon Chain (which is connected to the Eth1 chain) will detect this deposit (which includes the validator public key) and the Validator will be activated.
So, let’s get started. Geth Goerli testnet and the Beacon Chain are already syncing in the background. Goerli will sync in about 1 hour and the Beacon Chain in about 2 hours (so this will take 3 hours overall).
The easiest way to enable a Prysm validator is to use the Prylabs web portal to get Goerli ETH (testnet ETH) and follow their instructions:
https://prylabs.net/participate
Let’s break this down:
Step 1) Get Prysm
Nothing to do here. Prysm is already installed.
Step 2) Get GöETH — Test ETH
We need 32 ETH to stake (it is fake ETH as this is a tesnet). Prylabs created a faucet with a great UI so you can easily get 32.5 Goerli ETH.
You will need a web3 provider to use the faucet. Install Metamask browser extension (if you don’t have it running yet). Create an account and set the network to “Goerli test network” (on the top of the Metamask screen). Now, click once in “Metamask” and then click “Need GoETH?” button. Confirm the transaction.
Once funded, you will see something like this:
You are 0x0b2eFdbFB8EcaF7F4eCF6853cbd5eaD86510d63C and you have 32.5 GöETH. 
Step 3). Generate a validator public / private key
Go to your Raspberry Pi console and run the following command (make sure you are logged in with your ethereum user):
validator accounts create 
Press return to confirm the default path
Enter a password twice (you will need it later to run the validator so write it down and be careful). Once finished, your account will be created (under the /home/ethereum/.eth2validators directory) containing, among other info, your validator keys. Additionally you will get the deposit data as follows (this is an example):
========================Deposit Data======================= 0x22895118000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000000e000000000000000000000000000000000000000000000000000000000000001202f06da05b7e399e151f05d910369779ddd5c4c577ed264fd17040a9931b5adf10000000000000000000000000000000000000000000000000000000000000030affc980d9b2c86d1fb1fa70fd95c56dae34efcaa7bf923e020ac8941519065ff70b6b5ba6644e654ba372473b6b5837100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000a494d8e641d82ea723bc2f83b40bfd7f752ff7143cf16e57ad6627e99f0e590000000000000000000000000000000000000000000000000000000000000060b69dd0e51e68ddf8b2f5ecbdb8112b23b46dc8c7c7a68185652884b162b8000464847308b165a33aa102a00199e9c0800f53c768376fd88a3ba5f11e6d2eb3b5f6a455b97b4abe953faa270ca6e187db9739e047bf6fd51e02ab49b4ba17d376 =================================================================== ***Enter the above deposit data into step 3 on https://prylabs.net/participate*** 
Copy this data (just the hexadecimal part, from 0x to the last number), go back to step 3 of Prylabs website and paste it into the field “Your validator deposit data”.
Step 4) Start your beacon chain & validator clients
Beacon chain is already running in the background so let’s configure the validator. Just edit the /etc/ethereum/prysm-validator.conf file and replace “changeme” string with your password (you can use nano or vim editors). Now run:
sudo systemctl enable prysm-validator && sudo systemctl start prysm-validator 
Check if everything went right by running:
sudo systemctl status prysm-validator 
Step 5) Send a validator deposit
We are almost there. Just click the “Make deposit” button and confirm the transaction.
Done!
Now you need to wait for the validator to get activated. In time, the beacon chain will detect the 32 ETH deposit (which contains the validator public key) and the system will put your validator in queue. These are the validator status that you will see during the activation process:

Grafana Dashboards

We configured 2 Grafana Dashboards to let users monitor both Eth1.0 and Eth2.0 progress. To access the dashboards just open your browser and type your Raspberry IP followed by the 3000 port:
http://replace_with_your_IP:3000 user: admin passwd: ethereum 
There are 3 dashboards available:
Lot of info here. You can see for example if Geth is in sync by checking (in the Blockchain section) if Headers, Receipts and Blocks are aligned or easily find the validator status.

Whats's next

We are planning a new release for a multi testnet Eth2.0 network including Prysm, Teku and Lighthouse client (and hopefully Nimbus).

Gitcoin Grant

Gitcoin Grants round 6 is on!. If you appreciate our work, please consider donating. Even $1 can make the difference!
https://gitcoin.co/grants/384/ethereum-on-arm
Follow us on Twitter. We post regular updates and info you may be interested in!
https://twitter.com/EthereumOnARM

References

  1. https://medium.com/prysmatic-labs/introducing-the-onyx-testnet-6dadbd95d873
  2. https://goerli.net
  3. https://docs.prylabs.network/docs/getting-started/
  4. https://www.reddit.com/ethereum/comments/gf3nhg/ethereum_on_arm_raspberry_pi_4_images_release/
    1. Installation script: https://github.com/diglos/pi-gen/blob/ethraspbian2.0/stage2/04-ethereum/files/rc.local.eth2.onyx
  5. https://github.com/ethereum/go-ethereum/releases/tag/v1.9.15
  6. https://github.com/prysmaticlabs/prysm/releases/tag/v1.0.0-alpha.13
  7. https://grafana.com/
    1. Prysm Dashboard: https://github.com/GuillaumeMiralles/prysm-grafana-dashboard/tree/master
  8. https://etcher.io
  9. https://twitter.com/EthereumOnARM/status/1277184480189517824
  10. https://github.com/ethereum/eth2.0-specs/releases
  11. https://github.com/goerli/altona
submitted by diglos76 to ethereum [link] [comments]

How to start hacking? The ultimate two-path guide to information security. (Repost from r/hacking)

Before I begin - everything about this should be totally and completely ethical at it's core. I'm not saying this as any sort of legal coverage, or to not get somehow sued if any of you screw up, this is genuinely how it should be. The idea here is information security. I'll say it again. information security. The whole point is to make the world a better place. This isn't for your reckless amusement and shot at recognition with your friends. This is for the betterment of human civilisation. Use your knowledge to solve real-world issues.
There's no singular all-determining path to 'hacking', as it comes from knowledge from all areas that eventually coalesce into a general intuition. Although this is true, there are still two common rapid learning paths to 'hacking'. I'll try not to use too many technical terms.
The first is the simple, effortless and result-instant path. This involves watching youtube videos with green and black thumbnails with an occasional anonymous mask on top teaching you how to download well-known tools used by thousands daily - or in other words the 'Kali Linux Copy Pasterino Skidder'. You might do something slightly amusing and gain bit of recognition and self-esteem from your friends. Your hacks will be 'real', but anybody that knows anything would dislike you as they all know all you ever did was use a few premade tools. The communities for this sort of shallow result-oriented field include HowToHack and probably hacking as of now. ​
The second option, however, is much more intensive, rewarding, and mentally demanding. It is also much more fun, if you find the right people to do it with. It involves learning everything from memory interaction with machine code to high level networking - all while you're trying to break into something. This is where Capture the Flag, or 'CTF' hacking comes into play, where you compete with other individuals/teams with the goal of exploiting a service for a string of text (the flag), which is then submitted for a set amount of points. It is essentially competitive hacking. Through CTF you learn literally everything there is about the digital world, in a rather intense but exciting way. Almost all the creators/finders of major exploits have dabbled in CTF in some way/form, and almost all of them have helped solve real-world issues. However, it does take a lot of work though, as CTF becomes much more difficult as you progress through harder challenges. Some require mathematics to break encryption, and others require you to think like no one has before. If you are able to do well in a CTF competition, there is no doubt that you should be able to find exploits and create tools for yourself with relative ease. The CTF community is filled with smart people who can't give two shits about elitist mask wearing twitter hackers, instead they are genuine nerds that love screwing with machines. There's too much to explain, so I will post a few links below where you can begin your journey.
Remember - this stuff is not easy if you don't know much, so google everything, question everything, and sooner or later you'll be down the rabbit hole far enough to be enjoying yourself. CTF is real life and online, you will meet people, make new friends, and potentially find your future.
What is CTF? (this channel is gold, use it) - https://www.youtube.com/watch?v=8ev9ZX9J45A
More on liveoverflow, http://www.liveoverflow.com is hands down one of the best places to learn, along with liveoverflow
CTF compact guide - https://ctf101.org/
Upcoming CTF events online/irl, live team scores - https://ctftime.org/
What is CTF? - https://ctftime.org/ctf-wtf/
Full list of all CTF challenge websites - http://captf.com/practice-ctf/
> be careful of the tool oriented offensivesec oscp ctf's, they teach you hardly anything compared to these ones and almost always require the use of metasploit or some other program which does all the work for you.
http://picoctf.com is very good if you are just touching the water.
and finally,
netsec - where real world vulnerabilities are shared.
submitted by Dezo_Ghoste to hacking4noobs [link] [comments]

How to start hacking? The ultimate two path guide to information security.

Before I begin - everything about this should be totally and completely ethical at it's core. I'm not saying this as any sort of legal coverage, or to not get somehow sued if any of you screw up, this is genuinely how it should be. The idea here is information security. I'll say it again. information security. The whole point is to make the world a better place. This isn't for your reckless amusement and shot at recognition with your friends. This is for the betterment of human civilisation. Use your knowledge to solve real-world issues.

There's no singular all-determining path to 'hacking', as it comes from knowledge from all areas that eventually coalesce into a general intuition. Although this is true, there are still two common rapid learning paths to 'hacking'. I'll try not to use too many technical terms.

The first is the simple, effortless and result-instant path. This involves watching youtube videos with green and black thumbnails with an occasional anonymous mask on top teaching you how to download well-known tools used by thousands daily - or in other words the 'Kali Linux Copy Pasterino Skidder'. You might do something slightly amusing and gain bit of recognition and self-esteem from your friends. Your hacks will be 'real', but anybody that knows anything would dislike you as they all know all you ever did was use a few premade tools. The communities for this sort of shallow result-oriented field include HowToHack and probably hacking as of now. ​
The second option, however, is much more intensive, rewarding, and mentally demanding. It is also much more fun, if you find the right people to do it with. It involves learning everything from memory interaction with machine code to high level networking - all while you're trying to break into something. This is where Capture the Flag, or 'CTF' hacking comes into play, where you compete with other individuals/teams with the goal of exploiting a service for a string of text (the flag), which is then submitted for a set amount of points. It is essentially competitive hacking. Through CTF you learn literally everything there is about the digital world, in a rather intense but exciting way. Almost all the creators/finders of major exploits have dabbled in CTF in some way/form, and almost all of them have helped solve real-world issues. However, it does take a lot of work though, as CTF becomes much more difficult as you progress through harder challenges. Some require mathematics to break encryption, and others require you to think like no one has before. If you are able to do well in a CTF competition, there is no doubt that you should be able to find exploits and create tools for yourself with relative ease. The CTF community is filled with smart people who can't give two shits about elitist mask wearing twitter hackers, instead they are genuine nerds that love screwing with machines. There's too much to explain, so I will post a few links below where you can begin your journey.

Remember - this stuff is not easy if you don't know much, so google everything, question everything, and sooner or later you'll be down the rabbit hole far enough to be enjoying yourself. CTF is real life and online, you will meet people, make new friends, and potentially find your future.

What is CTF? (this channel is gold, use it) - https://www.youtube.com/watch?v=8ev9ZX9J45A
More on liveoverflow, http://www.liveoverflow.com is hands down one of the best places to learn, along with liveoverflow
CTF compact guide - https://ctf101.org/
Upcoming CTF events online/irl, live team scores - https://ctftime.org/
What is CTF? - https://ctftime.org/ctf-wtf/
Full list of all CTF challenge websites - http://captf.com/practice-ctf/
> be careful of the tool oriented offensivesec oscp ctf's, they teach you hardly anything compared to these ones and almost always require the use of metasploit or some other program which does all the work for you.

http://picoctf.com is very good if you are just touching the water.
and finally,
netsec - where real world vulnerabilities are shared.
submitted by SlickLibro to hacking [link] [comments]

Part 2: Tools & Info for Sysadmins - Mega List of Tips, Tools, Books, Blogs & More

(continued from part 1)
Unlocker is a tool to help delete those irritating locked files that give you an error message like "cannot delete file" or "access is denied." It helps with killing processes, unloading DLLs, deleting index.dat files, as well as unlocking, deleting, renaming, and moving locked files—typically without requiring a reboot.
IIS Crypto's newest version adds advanced settings; registry backup; new, simpler templates; support for Windows Server 2019 and more. This tool lets you enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows and reorder SSL/TLS cipher suites from IIS, change advanced settings, implement best practices with a single click, create custom templates and test your website. Available in both command line and GUI versions.
RocketDock is an application launcher with a clean interface that lets you drag/drop shortcuts for easy access and minimize windows to the dock. Features running application indicators, multi-monitor support, alpha-blended PNG and ICO icons, auto-hide and popup on mouse over, positioning and layering options. Fully customizable, portable, and compatible with MobyDock, ObjectDock, RK Launcher and Y'z Dock skins. Works even on slower computers and is Unicode compliant. Suggested by lieutenantcigarette: "If you like the dock on MacOS but prefer to use Windows, RocketDock has you covered. A superb and highly customisable dock that you can add your favourites to for easy and elegant access."
Baby FTP Server offers only the basics, but with the power to serve as a foundation for a more-complex server. Features include multi-threading, a real-time server log, support for PASV and non-PASV mode, ability to set permissions for download/upload/rename/delete/create directory. Only allows anonymous connections. Our thanks to FatherPrax for suggesting this one.
Strace is a Linux diagnostic, debugging and instructional userspace tool with a traditional command-line interface. Uses the ptrace kernel feature to monitor and tamper with interactions between processes and the kernel, including system calls, signal deliveries and changes of process state.
exa is a small, fast replacement for ls with more features and better defaults. It uses colors to distinguish file types and metadata, and it recognizes symlinks, extended attributes and Git. All in one single binary. phils_lab describes it as "'ls' on steroids, written in Rust."
rsync is a faster file transfer program for Unix to bring remote files into sync. It sends just the differences in the files across the link, without requiring both sets of files to be present at one of the ends. Suggested by zorinlynx, who adds that "rsync is GODLY for moving data around efficiently. And if an rsync is interrupted, just run it again."
Matter Wiki is a simple WYSIWYG wiki that can help teams store and collaborate. Every article gets filed under a topic, transparently, so you can tell who made what changes to which document and when. Thanks to bciar-iwdc for the recommendation.
LockHunter is a file unlocking tool that enables you to delete files that are being blocked for unknown reasons. Can be useful for fighting malware and other programs that are causing trouble. Deletes files into the recycle bin so you can restore them if necessary. Chucky2401 finds it preferable to Unlocker, "since I am on Windows 7. There are no new updates since July 2017, but the last beta was in June of this year."
aria2 is a lightweight multi-source command-line download utility that supports HTTP/HTTPS, FTP, SFTP, BitTorrent and Metalink. It can be manipulated via built-in JSON-RPC and XML-RPC interfaces. Recommended by jftuga, who appreciates it as a "cross-platform command line downloader (similar to wget or curl), but with the -x option can run a segmented download of a single file to increase throughput."
Free Services
Temp-Mail allows you to receive email at a temporary address that self-destructs after a certain period of time. Outwit all the forums, Wi-Fi owners, websites and blogs that insist you register to use them. Petti-The-Yeti says, "I don't give any company my direct email anymore. If I want to trial something but they ask for an email signup, I just grab a temporary email from here, sign up with it, and wait for the trial link or license info to come through. Then, you just download the file and close the website."
Duck DNS will point a DNS (sub domains of duckdns.org) to an IP of your choice. DDNS is a handy way for you to refer to a serverouter with an easily rememberable name for situations when the server's ip address will likely change. Suggested by xgnarf, who finds it "so much better for the free tier of noip—no 30-day nag to keep your host up."
Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux and iOS for suspicious activities. It performs deep malware analysis and generates comprehensive and detailed reports. The Community Edition of Joe Sandbox Cloud allows you to run a maximum of 6 analyses per month, 3 per day on Windows, Linux and Android with limited analysis output. This one is from dangibbons94, who wanted to "share this cool service ... for malware analysis. I usually use Virus total for URL scanning, but this goes a lot more in depth. I just used basic analysis, which is free and enough for my needs."
Hybrid Analysis is a malware analysis service that detects and analyzes unknown threats for the community. This one was suggested by compupheonix, who adds that it "gets you super detailed reports... it's about the most fleshed out and detailed one I can find."
JustBeamIt is a file-transfer service that allows you to send files of any size via a peer-to-peer streaming model. Simply drag and drop your file and specify the recipient's email address. They will then receive a link that will trigger the download directly from your computer, so the file does not have to be uploaded to the service itself. The link is good for one download and expires after 10 minutes. Thanks to cooljacob204sfw for the recommendation!
ShieldsUP is a quick but powerful internet security checkup and information service. It was created by security researcher Steve Gibson to scan ports and let you know which ones have been opened through your firewalls or NAT routers.
Firefox Send is an encrypted file transfer service that allows you to share files up to 2.5GB from any browser or an Android app. Uses end-to-end encryption to keep data secure and offers security controls you can set. You can determine when your file link expires, the number of downloads, and whether to add a password. Your recipient receives a link to download the file, and they don’t need a Firefox account. This one comes from DePingus, who appreciates the focus on privacy. "They have E2E, expiring links, and a clear privacy policy."
Free DNS is a service where programmers share domain names with one another at no cost. Offers free hosting as well as dynamic DNS, static DNS, subdomain and domain hosting. They can host your domain's DNS as well as allowing you to register hostnames from domains they're hosting already. If you don't have a domain, you can sign up for a free account and create up to 5 subdomains off the domains others have contributed and point these hosts anywhere on the Internet. Thanks to 0x000000000000004C (yes, that's a username) for the suggestion!
ANY.RUN is an interactive malware analysis service for dynamic and static research of the majority of threats in any environment. It can provide a convenient in-depth analysis of new, unidentified malicious objects and help with the investigation of incidents. ImAshtonTurner appreciates it as "a great sandbox tool for viewing malware, etc."
Plik is a scalable, temporary file upload system similar to wetransfer that is written in golang. Thanks go to I_eat_Narwhals for this one!
Free My IP offers free, dynamic DNS. This service comes with no login, no ads, no newsletters, no links to click and no hassle. Kindly suggested by Jack of All Trades.
Mailinator provides free, temporary email inboxes on a receive-only, attachment-free system that requires no sign-up. All @mailinator.com addresses are public, readable and discoverable by anyone at any time—but are automatically deleted after a few hours. Can be a nice option for times when you to give out an address that won't be accessible longterm. Recommended by nachomountain, who's been using it "for years."
Magic Wormhole is a service for sending files directly with no intermediate upload, no web interface and no login. When both parties are online you with the minimal software installed, the wormhole is invoked via command line identifying the file you want to send. The server then provides a speakable, one-time-use password that you give the recipient. When they enter that password in their wormhole console, key exchange occurs and the download begins directly between your computers. rjohnson99 explains, "Magic Wormhole is sort of like JustBeamIt but is open-source and is built on Python. I use it a lot on Linux servers."
EveryCloud's Free Phish is our own, new Phishing Simulator. Once you've filled in the form and logged in, you can choose from lots of email templates (many of which we've coped from what we see in our Email Security business) and landing pages. Run a one-off free phish, then see who clicked or submitted data so you can understand where your organization is vulnerable and act accordingly.
Hardening Guides
CIS Hardening Guides contain the system security benchmarks developed by a global community of cybersecurity experts. Over 140 configuration guidelines are provided to help safeguard systems against threats. Recommended by cyanghost109 "to get a start on looking at hardening your own systems."
Podcasts
Daily Tech News is Tom Merrit's show covering the latest tech issues with some of the top experts in the field. With the focus on daily tech news and analysis, it's a great way to stay current. Thanks to EmoPolarbear for drawing it to our attention.
This Week in Enterprise Tech is a podcast that features IT experts explaining the complicated details of cutting-edge enterprise technology. Join host Lou Maresca on this informative exploration of enterprise solutions, with new episodes recorded every Friday afternoon.
Security Weekly is a podcast where a "bunch of security nerds" get together and talk shop. Topics are greatly varied, and the atmosphere is relaxed and conversational. The show typically tops out at 2 hours, which is perfect for those with a long commute. If you’re fascinated by discussion of deep technical and security-related topics, this may be a nice addition to your podcast repertoire.
Grumpy Old Geeks—What Went Wrong on the Internet and Who's To Blame is a podcast about the internet, technology and geek culture—among other things. The hosts bring their grumpy brand of humor to the "state of the world as they see it" in these roughly hour-long weekly episodes. Recommended by mkaxsnyder, who enjoys it because, "They are a good team that talk about recent and relevant topics from an IT perspective."
The Social-Engineer Podcast is a monthly discussion among the hosts—a group of security experts from SEORG—and a diverse assortment of guests. Topics focus around human behavior and how it affects information security, with new episodes released on the second Monday of every month. Thanks to MrAshRhodes for the suggestion.
The CyberWire podcasts discuss what's happening in cyberspace, providing news and commentary from industry experts. This cyber security-focused news service delivers concise, accessible, and relevant content without the gossip, sensationalism, and the marketing buzz that often distract from the stories that really matter. Appreciation to supermicromainboard for the suggestion.
Malicious Life is a podcast that tells the fascinating—and often unknown—stories of the wildest hacks you can ever imagine. Host Ran Levi, a cybersecurity expert and author, talks with the people who were actually involved to reveal the history of each event in depth. Our appreciation goes to peraphon for the recommendation.
The Broadcast Storm is a podcast for Cisco networking professionals. BluePieceOfPaper suggests it "for people studying for their CCNA/NP. Kevin Wallace is a CCIE Collaboration so he knows his *ishk. Good format for learning too. Most podcasts are about 8-15 mins long and its 'usually' an exam topic. It will be something like "HSPR" but instead of just explaining it super boring like Ben Stein reading a powerpoint, he usually goes into a story about how (insert time in his career) HSPR would have been super useful..."
Software Engineering Radio is a podcast for developers who are looking for an educational resource with original content that isn't recycled from other venues. Consists of conversations on relevant topics with experts from the software engineering world, with new episodes released three to four times per month. a9JDvXLWHumjaC tells us this is "a solid podcast for devs."
Books
System Center 2012 Configuration Manager is a comprehensive technical guide designed to help you optimize Microsoft's Configuration Manager 2012 according to your requirements and then to deploy and use it successfully. This methodical, step-by-step reference covers: the intentions behind the product and its role in the broader System Center product suite; planning, design, and implementation; and details on each of the most-important feature sets. Learn how to leverage the user-centric capabilities to provide anytime/anywhere services & software, while strengthening control and improving compliance.
Network Warrior: Everything You Need to Know That Wasn’t on the CCNA Exam is a practical guide to network infrastructure. Provides an in-depth view of routers and routing, switching (with Cisco Catalyst and Nexus switches as examples), SOHO VoIP and SOHO wireless access point design and configuration, introduction to IPv6 with configuration examples, telecom technologies in the data-networking world (including T1, DS3, frame relay, and MPLS), security, firewall theory and configuration, ACL and authentication, Quality of Service (QoS), with an emphasis on low-latency queuing (LLQ), IP address allocation, Network Time Protocol (NTP) and device failures.
Beginning the Linux Command Line is your ally in mastering Linux from the keyboard. It is intended for system administrators, software developers, and enthusiastic users who want a guide that will be useful for most distributions—i.e., all items have been checked against Ubuntu, Red Hat and SUSE. Addresses administering users and security and deploying firewalls. Updated to the latest versions of Linux to cover files and directories, including the Btrfs file system and its management and systemd boot procedure and firewall management with firewalld.
Modern Operating Systems, 4th Ed. is written for students taking intro courses on Operating Systems and for those who want an OS reference guide for work. The author, an OS researcher, includes both the latest materials on relevant operating systems as well as current research. The previous edition of Modern Operating Systems received the 2010 McGuffey Longevity Award that recognizes textbooks for excellence over time.
Time Management for System Administrators is a guide for organizing your approach to this challenging role in a way that improves your results. Bestselling author Thomas Limoncelli offers a collection of tips and techniques for navigating the competing goals and concurrent responsibilities that go along with working on large projects while also taking care of individual user's needs. The book focuses on strategies to help with daily tasks that will also allow you to handle the critical situations that inevitably require your attention. You'll learn how to manage interruptions, eliminate time wasters, keep an effective calendar, develop routines and prioritize, stay focused on the task at hand and document/automate to speed processes.
The Practice of System and Network Administration, 3rd Edition introduces beginners to advanced frameworks while serving as a guide to best practices in system administration that is helpful for even the most advanced experts. Organized into four major sections that build from the foundational elements of system administration through improved techniques for upgrades and change management to exploring assorted management topics. Covers the basics and then moves onto the advanced things that can be built on top of those basics to wield real power and execute difficult projects.
Learn Windows PowerShell in a Month of Lunches, Third Edition is designed to teach you PowerShell in a month's worth of 1-hour lessons. This updated edition covers PowerShell features that run on Windows 7, Windows Server 2008 R2 and later, PowerShell v3 and later, and it includes v5 features like PowerShellGet. For PowerShell v3 and up, Windows 7 and Windows Server 2008 R2 and later.
Troubleshooting with the Windows Sysinternals Tools is a guide to the powerful Sysinternals tools for diagnosing and troubleshooting issues. Sysinternals creator Mark Russinovich and Windows expert Aaron Margosis provide a deep understanding of Windows core concepts that aren’t well-documented elsewhere along with details on how to use Sysinternals tools to optimize any Windows system’s reliability, efficiency, performance and security. Includes an explanation of Sysinternals capabilities, details on each major tool, and examples of how the tools can be used to solve real-world cases involving error messages, hangs, sluggishness, malware infections and more.
DNS and BIND, 5th Ed. explains how to work with the Internet's distributed host information database—which is responsible for translating names into addresses, routing mail to its proper destination, and listing phone numbers according to the ENUM standard. Covers BIND 9.3.2 & 8.4.7, the what/how/why of DNS, name servers, MX records, subdividing domains (parenting), DNSSEC, TSIG, troubleshooting and more. PEPCK tells us this is "generally considered the DNS reference book (aside from the RFCs of course!)"
Windows PowerShell in Action, 3rd Ed. is a comprehensive guide to PowerShell. Written by language designer Bruce Payette and MVP Richard Siddaway, this volume gives a great introduction to Powershell, including everyday use cases and detailed examples for more-advanced topics like performance and module architecture. Covers workflows and classes, writing modules and scripts, desired state configuration and programming APIs/pipelines.This edition has been updated for PowerShell v6.
Zero Trust Networks: Building Secure Systems in Untrusted Networks explains the principles behind zero trust architecture, along with what's needed to implement it. Covers the evolution of perimeter-based defenses and how they evolved into the current broken model, case studies of zero trust in production networks on both the client and server side, example configurations for open-source tools that are useful for building a zero trust network and how to migrate from a perimeter-based network to a zero trust network in production. Kindly recommended by jaginfosec.
Tips
Here are a couple handy Windows shortcuts:
Here's a shortcut for a 4-pane explorer in Windows without installing 3rd-party software:
(Keep the win key down for the arrows, and no pauses.) Appreciation goes to ZAFJB for this one.
Our recent tip for a shortcut to get a 4-pane explorer in Windows, triggered this suggestion from SevaraB: "You can do that for an even larger grid of Windows by right-clicking the clock in the taskbar, and clicking 'Show windows side by side' to arrange them neatly. Did this for 4 rows of 6 windows when I had to have a quick 'n' dirty "video wall" of windows monitoring servers at our branches." ZAFJB adds that it actually works when you right-click "anywhere on the taskbar, except application icons or start button."
This tip comes courtesy of shipsass: "When I need to use Windows Explorer but I don't want to take my hands off the keyboard, I press Windows-E to launch Explorer and then Ctrl-L to jump to the address line and type my path. The Ctrl-L trick also works with any web browser, and it's an efficient way of talking less-technical people through instructions when 'browse to [location]' stumps them."
Clear browser history/cookies by pressing CTRL-SHIFT-DELETE on most major browsers. Thanks go to synapticpanda, who adds that this "saves me so much time when troubleshooting web apps where I am playing with the cache and such."
To rename a file with F2, while still editing the name of that file: Hit TAB to tab into the renaming of the next file. Thanks to abeeftaco for this one!
Alt-D is a reliable alternative to Ctrl-L for jumping to the address line in a browser. Thanks for this one go to fencepost_ajm, who explains: "Ctrl-L comes from the browser side as a shortcut for Location, Alt-D from the Windows Explorer side for Directory."
Browser shortcut: When typing a URL that ends with dot com, Ctrl + Enter will place the ".com" and take you to the page. Thanks to wpierre for this one!
This tip comes from anynonus, as something that daily that saves a few clicks: "Running a program with ctrl + shift + enter from start menu will start it as administrator (alt + y will select YES to run as admin) ... my user account is local admin [so] I don't feel like that is unsafe"
Building on our PowerShell resources, we received the following suggestion from halbaradkenafin: aka.ms/pskoans is "a way to learn PowerShell using PowerShell (and Pester). It's really cool and a bunch of folks have high praise for it (including a few teams within MSFT)."
Keyboard shortcut: If you already have an application open, hold ctrl + shift and middle click on the application in your task bar to open another instance as admin. Thanks go to Polymira for this one.
Remote Server Tip: "Critical advice. When testing out network configuration changes, prior to restarting the networking service or rebooting, always create a cron job that will restore your original network configuration and then reboot/restart networking on the machine after 5 minutes. If your config worked, you have enough time to remove it. If it didn't, it will fix itself. This is a beautifully simple solution that I learned from my old mentor at my very first job. I've held on to it for a long time." Thanks go to FrigidNox for the tip!
Websites
Deployment Research is the website of Johan Arwidmark, MS MVP in System Center Cloud and Datacenter Management. It is dedicated to sharing information and guidance around System Center, OS deployment, migration and more. The author shares tips and tricks to help improve the quality of IT Pros’ daily work.
Next of Windows is a website on (mostly) Microsoft-related technology. It's the place where Kent Chen—a computer veteran with many years of field experience—and Jonathan Hu—a web/mobile app developer and self-described "cool geek"—share what they know, what they learn and what they find in the hope of helping others learn and benefit.
High Scalability brings together all the relevant information about building scalable websites in one place. Because building a website with confidence requires a body of knowledge that can be slow to develop, the site focuses on moving visitors along the learning curve at a faster pace.
Information Technology Research Library is a great resource for IT-related research, white papers, reports, case studies, magazines, and eBooks. This library is provided at no charge by TradePub.com. GullibleDetective tells us it offers "free PDF files from a WIIIIIIDE variety of topics, not even just IT. Only caveat: as its a vendor-supported publishing company, you will have to give them a bit of information such as name, email address and possibly a company name. You undoubtedly have the ability to create fake information on this, mind you. The articles range from Excel templates, learning python, powershell, nosql etc. to converged architecture."
SS64 is a web-based reference guide for syntax and examples of the most-common database and OS computing commands. Recommended by Petti-The-Yeti, who adds, "I use this site all the time to look up commands and find examples while I'm building CMD and PS1 scripts."
Phishing and Malware Reporting. This website helps you put a stop to scams by getting fraudulent pages blocked. Easily report phishing webpages so they can be added to blacklists in as little as 15 minutes of your report. "Player024 tells us, "I highly recommend anyone in the industry to bookmark this page...With an average of about 10 minutes of work, I'm usually able to take down the phishing pages we receive thanks to the links posted on that website."
A Slack Channel
Windows Admin Slack is a great drive-by resource for the Windows sysadmin. This team has 33 public channels in total that cover different areas of helpful content on Windows administration.
Blogs
KC's Blog is the place where Microsoft MVP and web developer Kent Chen shares his IT insights and discoveries. The rather large library of posts offer helpful hints, how-tos, resources and news of interest to those in the Windows world.
The Windows Server Daily is the ever-current blog of technologist Katherine Moss, VP of open source & community engagement for StormlightTech. Offers brief daily posts on topics related to Windows server, Windows 10 and Administration.
An Infosec Slideshow
This security training slideshow was created for use during a quarterly infosec class. The content is offered generously by shalafi71, who adds, "Take this as a skeleton and flesh it out on your own. Take an hour or two and research the things I talk about. Tailor this to your own environment and users. Make it relevant to your people. Include corporate stories, include your audience, exclude yourself. This ain't about how smart you are at infosec, and I can't stress this enough, talk about how people can defend themselves. Give them things to look for and action they can take. No one gives a shit about your firewall rules."
Tech Tutorials
Tutorialspoint Library. This large collection of tech tutorials is a great resource for online learning. You'll find nearly 150 high-quality tutorials covering a wide array of languages and topics—from fundamentals to cutting-edge technologies. For example, this Powershell tutorial is designed for those with practical experience handling Windows-based Servers who want to learn how to install and use Windows Server 2012.
The Python Tutorial is a nice introduction to many of Python’s best features, enabling you to read and write Python modules and programs. It offers an understanding of the language's style and prepares you to learn more about the various Python library modules described in 'The Python Standard Library.' Kindly suggested by sharjeelsayed.
SysAdmin Humor
Day in the Life of a SysAdmin Episode 5: Lunch Break is an amusing look at a SysAdmin's attempt to take a brief lunch break. We imagine many of you can relate!
Have a fantastic week and as usual, let me know any comments or suggestions.
u/crispyducks
submitted by crispyducks to sysadmin [link] [comments]

Built a control panel over 16 years, free lifetime release

Site Admin demoSource
16 years ago I stumbled into hosting with Ensim WEBppliance, which was a clusterfuck of a control panel necessitating a bunch of bugfixes. Those bugfixes spawned a control panel, apnscp, that I've continued to develop to this day. v3 is the first public release of apnscp and to celebrate I'm giving away 400 free lifetime licenses on webhosting each good for 1 server.
Visit apnscp.com/activate/webhosting-lt to get started customizing the installer. Database + PHP are vendor agnostic. apnscp supports any-version Node/Ruby/Python/Go. I'm interested in feedback, if not bugs then certainly ideas for improvement.
apnscp ships with integrated Route 53/CF DNS support in addition to Linode, DO, and Vultr. Additional providers are easy to create. apnscp includes 1-click install/updates for Wordpress, Drupal, Laravel, Ghost, Discourse, and Magento. Enabling Passenger, provided you have at least 2 GB memory, opens the door to use any-version Ruby, Node, and Python on your server.

Minimum requirements

Features

apnscp won't fix all of your woes; you still need to be smart about whom you host and what you host, but it is a step in the right direction. apnscp is not a replacement for a qualified system administrator. It is however a much better alternative to emerging panels in this market.

Installation

Use apnscp Customizer to configure your server as you'd like. See INSTALL.md for installation + usage.
Monitoring installation
apnscp will provision your server and this takes around 45 minutes to 2 hours to complete the first time. You can monitor installation real-time from the terminal:
tail -f /root/apnscp-bootstrapper.log
Post Install
If you entered an email address while customizing (apnscp_admin_email) and the server isn't in a RBL, then you will receive an email with your login information. If you don't get an email after 2 hours, log into the server and check the status:
tail -n30 /root/apnscp-bootstrapper.log
The last line should be similar to: 2019-01-30 18:39:02,923 p=3534 u=root | localhost : ok=3116 changed=1051 unreachable=0 failed=0
If failed=0, everything is set! You can reset the password and refer back to the login information to access the panel or reset your credentials. Post-install will welcome you with a list of helpful commands to get started as well. You may want to change -n30 to -n50!
If failed=n where n > 0, send me a PM, email ([email protected]), get in touch on the forums, or Discord.
Shoot me a PM if you have a question or hop on Discord chat. Either way feedback makes this process tick. Enjoy!

Installation FAQ

Resources

License information

Licenses are tied to the server but may be transferred to a new server. Once transferred from the server apnscp will become deactivated on the server, which means your sites will continue to operate but apnscp can no longer help you manage your server, as well as deploy automatic updates. A copy of the license can be made either by copying /uslocal/apnscp/config/license.pem or License > Download License in the top-right corner. Likewise to install the license on a new machine just replace config/license.pem with your original copy.
Update: v3.0.17 released. Thank you everyone for your exotic build environments and feedback thus far!
submitted by tsammons to webhosting [link] [comments]

Built a hosting platform over 16 years, giving away free lifetime licenses

Site Admin demoSource
16 years ago I stumbled into hosting with Ensim WEBppliance, which was a clusterfuck of a control panel necessitating a bunch of bugfixes. Those bugfixes spawned a control panel, apnscp, that I've continued to develop to this day. v3 is the first public release of apnscp and to celebrate I'm giving away 200 free lifetime licenses on webdev each good for 1 server.
Visit apnscp.com/activate/webdev-license-lt to get started customizing the installer. Database + PHP are vendor agnostic. apnscp supports any-version Node/Ruby/Python/Go. I'm interested in feedback, if not bugs then certainly ideas for improvement. This has gone through several stages of polish, please do your best to break it!
apnscp ships with integrated Route 53/CF DNS support in addition to Linode, DO, and Vultr. Additional providers are easy to create. apnscp includes 1-click install/updates for Wordpress, Drupal, Laravel, Ghost, Discourse, and Magento. Enabling Passenger, provided you have at least 2 GB memory, opens the door to use any-version Ruby, Node, and Python on your server.

Minimum requirements

Features

apnscp won't fix all of your woes; you still need to be smart about whom you host and what you host, but it is a step in the right direction. apnscp is not a replacement for a qualified system administrator. It is however a much better alternative to emerging panels in this market.

Installation

Use apnscp Customizer to configure your server as you'd like. See INSTALL.md for installation + usage.
Monitoring installation
apnscp will provision your server and this takes around 45 minutes to 2 hours to complete the first time. You can monitor installation real-time from the terminal:
tail -f /root/apnscp-bootstrapper.log
Post Install
If you entered an email address while customizing (apnscp_admin_email) and the server isn't in a RBL, then you will receive an email with your login information. If you don't get an email after 2 hours, log into the server and check the status:
tail -n30 /root/apnscp-bootstrapper.log
The last line should be similar to: 2019-01-30 18:39:02,923 p=3534 u=root | localhost : ok=3116 changed=1051 unreachable=0 failed=0
If failed=0, everything is set! You can reset the password and refer back to the login information to access the panel or reset your credentials. Post-install will welcome you with a list of helpful commands to get started as well. You may want to change -n30 to -n50!
If failed=n where n > 0, send me a PM, email ([email protected]), get in touch on the forums, or Discord.
Shoot me a PM if you have a question or hop on Discord chat. Either way feedback makes this process tick. Enjoy!

Installation FAQ

Resources

License information

Licenses are tied to the server but may be transferred to a new server. Once transferred from the server apnscp will become deactivated on the server, which means your sites will continue to operate but apnscp can no longer help you manage your server, as well as deploy automatic updates. A copy of the license can be made either by copying /uslocal/apnscp/config/license.pem or License > Download License in the top-right corner. Likewise to install the license on a new machine just replace config/license.pem with your original copy.
submitted by tsammons to webdev [link] [comments]

Tools & Info for MSPs #2 - Mega List of Tips, Tools, Books, Blogs & More

(continued from part #1)
Unlocker is a tool to help delete those irritating locked files that give you an error message like "cannot delete file" or "access is denied." It helps with killing processes, unloading DLLs, deleting index.dat files, as well as unlocking, deleting, renaming, and moving locked files—typically without requiring a reboot.
IIS Crypto's newest version adds advanced settings; registry backup; new, simpler templates; support for Windows Server 2019 and more. This tool lets you enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows and reorder SSL/TLS cipher suites from IIS, change advanced settings, implement best practices with a single click, create custom templates and test your website. Available in both command line and GUI versions.
RocketDock is an application launcher with a clean interface that lets you drag/drop shortcuts for easy access and minimize windows to the dock. Features running application indicators, multi-monitor support, alpha-blended PNG and ICO icons, auto-hide and popup on mouse over, positioning and layering options. Fully customizable, portable, and compatible with MobyDock, ObjectDock, RK Launcher and Y'z Dock skins. Works even on slower computers and is Unicode compliant. Suggested by lieutenantcigarette: "If you like the dock on MacOS but prefer to use Windows, RocketDock has you covered. A superb and highly customisable dock that you can add your favourites to for easy and elegant access."
Baby FTP Server offers only the basics, but with the power to serve as a foundation for a more-complex server. Features include multi-threading, a real-time server log, support for PASV and non-PASV mode, ability to set permissions for download/upload/rename/delete/create directory. Only allows anonymous connections. Our thanks to FatherPrax for suggesting this one.
Strace is a Linux diagnostic, debugging and instructional userspace tool with a traditional command-line interface. Uses the ptrace kernel feature to monitor and tamper with interactions between processes and the kernel, including system calls, signal deliveries and changes of process state.
exa is a small, fast replacement for ls with more features and better defaults. It uses colors to distinguish file types and metadata, and it recognizes symlinks, extended attributes and Git. All in one single binary. phils_lab describes it as "'ls' on steroids, written in Rust."
rsync is a faster file transfer program for Unix to bring remote files into sync. It sends just the differences in the files across the link, without requiring both sets of files to be present at one of the ends. Suggested by zorinlynx, who adds that "rsync is GODLY for moving data around efficiently. And if an rsync is interrupted, just run it again."
Matter Wiki is a simple WYSIWYG wiki that can help teams store and collaborate. Every article gets filed under a topic, transparently, so you can tell who made what changes to which document and when. Thanks to bciar-iwdc for the recommendation.
LockHunter is a file unlocking tool that enables you to delete files that are being blocked for unknown reasons. Can be useful for fighting malware and other programs that are causing trouble. Deletes files into the recycle bin so you can restore them if necessary. Chucky2401 finds it preferable to Unlocker, "since I am on Windows 7. There are no new updates since July 2017, but the last beta was in June of this year."
aria2 is a lightweight multi-source command-line download utility that supports HTTP/HTTPS, FTP, SFTP, BitTorrent and Metalink. It can be manipulated via built-in JSON-RPC and XML-RPC interfaces. Recommended by jftuga, who appreciates it as a "cross-platform command line downloader (similar to wget or curl), but with the -x option can run a segmented download of a single file to increase throughput."
Free Services
Temp-Mail allows you to receive email at a temporary address that self-destructs after a certain period of time. Outwit all the forums, Wi-Fi owners, websites and blogs that insist you register to use them. Petti-The-Yeti says, "I don't give any company my direct email anymore. If I want to trial something but they ask for an email signup, I just grab a temporary email from here, sign up with it, and wait for the trial link or license info to come through. Then, you just download the file and close the website."
Duck DNS will point a DNS (sub domains of duckdns.org) to an IP of your choice. DDNS is a handy way for you to refer to a serverouter with an easily rememberable name for situations when the server's ip address will likely change. Suggested by xgnarf, who finds it "so much better for the free tier of noip—no 30-day nag to keep your host up."
Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux and iOS for suspicious activities. It performs deep malware analysis and generates comprehensive and detailed reports. The Community Edition of Joe Sandbox Cloud allows you to run a maximum of 6 analyses per month, 3 per day on Windows, Linux and Android with limited analysis output. This one is from dangibbons94, who wanted to "share this cool service ... for malware analysis. I usually use Virus total for URL scanning, but this goes a lot more in depth. I just used basic analysis, which is free and enough for my needs."
Hybrid Analysis is a malware analysis service that detects and analyzes unknown threats for the community. This one was suggested by compupheonix, who adds that it "gets you super detailed reports... it's about the most fleshed out and detailed one I can find."
JustBeamIt is a file-transfer service that allows you to send files of any size via a peer-to-peer streaming model. Simply drag and drop your file and specify the recipient's email address. They will then receive a link that will trigger the download directly from your computer, so the file does not have to be uploaded to the service itself. The link is good for one download and expires after 10 minutes. Thanks to cooljacob204sfw for the recommendation!
ShieldsUP is a quick but powerful internet security checkup and information service. It was created by security researcher Steve Gibson to scan ports and let you know which ones have been opened through your firewalls or NAT routers.
Firefox Send is an encrypted file transfer service that allows you to share files up to 2.5GB from any browser or an Android app. Uses end-to-end encryption to keep data secure and offers security controls you can set. You can determine when your file link expires, the number of downloads, and whether to add a password. Your recipient receives a link to download the file, and they don’t need a Firefox account. This one comes from DePingus, who appreciates the focus on privacy. "They have E2E, expiring links, and a clear privacy policy."
Free DNS is a service where programmers share domain names with one another at no cost. Offers free hosting as well as dynamic DNS, static DNS, subdomain and domain hosting. They can host your domain's DNS as well as allowing you to register hostnames from domains they're hosting already. If you don't have a domain, you can sign up for a free account and create up to 5 subdomains off the domains others have contributed and point these hosts anywhere on the Internet. Thanks to 0x000000000000004C (yes, that's a username) for the suggestion!
ANY.RUN is an interactive malware analysis service for dynamic and static research of the majority of threats in any environment. It can provide a convenient in-depth analysis of new, unidentified malicious objects and help with the investigation of incidents. ImAshtonTurner appreciates it as "a great sandbox tool for viewing malware, etc."
Plik is a scalable, temporary file upload system similar to wetransfer that is written in golang. Thanks go to I_eat_Narwhals for this one!
Free My IP offers free, dynamic DNS. This service comes with no login, no ads, no newsletters, no links to click and no hassle. Kindly suggested by Jack of All Trades.
Mailinator provides free, temporary email inboxes on a receive-only, attachment-free system that requires no sign-up. All @mailinator.com addresses are public, readable and discoverable by anyone at any time—but are automatically deleted after a few hours. Can be a nice option for times when you to give out an address that won't be accessible longterm. Recommended by nachomountain, who's been using it "for years."
Magic Wormhole is a service for sending files directly with no intermediate upload, no web interface and no login. When both parties are online you with the minimal software installed, the wormhole is invoked via command line identifying the file you want to send. The server then provides a speakable, one-time-use password that you give the recipient. When they enter that password in their wormhole console, key exchange occurs and the download begins directly between your computers. rjohnson99 explains, "Magic Wormhole is sort of like JustBeamIt but is open-source and is built on Python. I use it a lot on Linux servers."
EveryCloud's Free Phish is our own, new Phishing Simulator. Once you've filled in the form and logged in, you can choose from lots of email templates (many of which we've coped from what we see in our Email Security business) and landing pages. Run a one-off free phish, then see who clicked or submitted data so you can understand where your organization is vulnerable and act accordingly.
Hardening Guides
CIS Hardening Guides contain the system security benchmarks developed by a global community of cybersecurity experts. Over 140 configuration guidelines are provided to help safeguard systems against threats. Recommended by cyanghost109 "to get a start on looking at hardening your own systems."
Podcasts
Daily Tech News is Tom Merrit's show covering the latest tech issues with some of the top experts in the field. With the focus on daily tech news and analysis, it's a great way to stay current. Thanks to EmoPolarbear for drawing it to our attention.
This Week in Enterprise Tech is a podcast that features IT experts explaining the complicated details of cutting-edge enterprise technology. Join host Lou Maresca on this informative exploration of enterprise solutions, with new episodes recorded every Friday afternoon.
Security Weekly is a podcast where a "bunch of security nerds" get together and talk shop. Topics are greatly varied, and the atmosphere is relaxed and conversational. The show typically tops out at 2 hours, which is perfect for those with a long commute. If you’re fascinated by discussion of deep technical and security-related topics, this may be a nice addition to your podcast repertoire.
Grumpy Old Geeks—What Went Wrong on the Internet and Who's To Blame is a podcast about the internet, technology and geek culture—among other things. The hosts bring their grumpy brand of humor to the "state of the world as they see it" in these roughly hour-long weekly episodes. Recommended by mkaxsnyder, who enjoys it because, "They are a good team that talk about recent and relevant topics from an IT perspective."
The Social-Engineer Podcast is a monthly discussion among the hosts—a group of security experts from SEORG—and a diverse assortment of guests. Topics focus around human behavior and how it affects information security, with new episodes released on the second Monday of every month. Thanks to MrAshRhodes for the suggestion.
The CyberWire podcasts discuss what's happening in cyberspace, providing news and commentary from industry experts. This cyber security-focused news service delivers concise, accessible, and relevant content without the gossip, sensationalism, and the marketing buzz that often distract from the stories that really matter. Appreciation to supermicromainboard for the suggestion.
Malicious Life is a podcast that tells the fascinating—and often unknown—stories of the wildest hacks you can ever imagine. Host Ran Levi, a cybersecurity expert and author, talks with the people who were actually involved to reveal the history of each event in depth. Our appreciation goes to peraphon for the recommendation.
The Broadcast Storm is a podcast for Cisco networking professionals. BluePieceOfPaper suggests it "for people studying for their CCNA/NP. Kevin Wallace is a CCIE Collaboration so he knows his *ishk. Good format for learning too. Most podcasts are about 8-15 mins long and its 'usually' an exam topic. It will be something like "HSPR" but instead of just explaining it super boring like Ben Stein reading a powerpoint, he usually goes into a story about how (insert time in his career) HSPR would have been super useful..."
Software Engineering Radio is a podcast for developers who are looking for an educational resource with original content that isn't recycled from other venues. Consists of conversations on relevant topics with experts from the software engineering world, with new episodes released three to four times per month. a9JDvXLWHumjaC tells us this is "a solid podcast for devs."
Books
System Center 2012 Configuration Manager is a comprehensive technical guide designed to help you optimize Microsoft's Configuration Manager 2012 according to your requirements and then to deploy and use it successfully. This methodical, step-by-step reference covers: the intentions behind the product and its role in the broader System Center product suite; planning, design, and implementation; and details on each of the most-important feature sets. Learn how to leverage the user-centric capabilities to provide anytime/anywhere services & software, while strengthening control and improving compliance.
Network Warrior: Everything You Need to Know That Wasn’t on the CCNA Exam is a practical guide to network infrastructure. Provides an in-depth view of routers and routing, switching (with Cisco Catalyst and Nexus switches as examples), SOHO VoIP and SOHO wireless access point design and configuration, introduction to IPv6 with configuration examples, telecom technologies in the data-networking world (including T1, DS3, frame relay, and MPLS), security, firewall theory and configuration, ACL and authentication, Quality of Service (QoS), with an emphasis on low-latency queuing (LLQ), IP address allocation, Network Time Protocol (NTP) and device failures.
Beginning the Linux Command Line is your ally in mastering Linux from the keyboard. It is intended for system administrators, software developers, and enthusiastic users who want a guide that will be useful for most distributions—i.e., all items have been checked against Ubuntu, Red Hat and SUSE. Addresses administering users and security and deploying firewalls. Updated to the latest versions of Linux to cover files and directories, including the Btrfs file system and its management and systemd boot procedure and firewall management with firewalld.
Modern Operating Systems, 4th Ed. is written for students taking intro courses on Operating Systems and for those who want an OS reference guide for work. The author, an OS researcher, includes both the latest materials on relevant operating systems as well as current research. The previous edition of Modern Operating Systems received the 2010 McGuffey Longevity Award that recognizes textbooks for excellence over time.
Time Management for System Administrators is a guide for organizing your approach to this challenging role in a way that improves your results. Bestselling author Thomas Limoncelli offers a collection of tips and techniques for navigating the competing goals and concurrent responsibilities that go along with working on large projects while also taking care of individual user's needs. The book focuses on strategies to help with daily tasks that will also allow you to handle the critical situations that inevitably require your attention. You'll learn how to manage interruptions, eliminate time wasters, keep an effective calendar, develop routines and prioritize, stay focused on the task at hand and document/automate to speed processes.
The Practice of System and Network Administration, 3rd Edition introduces beginners to advanced frameworks while serving as a guide to best practices in system administration that is helpful for even the most advanced experts. Organized into four major sections that build from the foundational elements of system administration through improved techniques for upgrades and change management to exploring assorted management topics. Covers the basics and then moves onto the advanced things that can be built on top of those basics to wield real power and execute difficult projects.
Learn Windows PowerShell in a Month of Lunches, Third Edition is designed to teach you PowerShell in a month's worth of 1-hour lessons. This updated edition covers PowerShell features that run on Windows 7, Windows Server 2008 R2 and later, PowerShell v3 and later, and it includes v5 features like PowerShellGet. For PowerShell v3 and up, Windows 7 and Windows Server 2008 R2 and later.
Troubleshooting with the Windows Sysinternals Tools is a guide to the powerful Sysinternals tools for diagnosing and troubleshooting issues. Sysinternals creator Mark Russinovich and Windows expert Aaron Margosis provide a deep understanding of Windows core concepts that aren’t well-documented elsewhere along with details on how to use Sysinternals tools to optimize any Windows system’s reliability, efficiency, performance and security. Includes an explanation of Sysinternals capabilities, details on each major tool, and examples of how the tools can be used to solve real-world cases involving error messages, hangs, sluggishness, malware infections and more.
DNS and BIND, 5th Ed. explains how to work with the Internet's distributed host information database—which is responsible for translating names into addresses, routing mail to its proper destination, and listing phone numbers according to the ENUM standard. Covers BIND 9.3.2 & 8.4.7, the what/how/why of DNS, name servers, MX records, subdividing domains (parenting), DNSSEC, TSIG, troubleshooting and more. PEPCK tells us this is "generally considered the DNS reference book (aside from the RFCs of course!)"
Windows PowerShell in Action, 3rd Ed. is a comprehensive guide to PowerShell. Written by language designer Bruce Payette and MVP Richard Siddaway, this volume gives a great introduction to Powershell, including everyday use cases and detailed examples for more-advanced topics like performance and module architecture. Covers workflows and classes, writing modules and scripts, desired state configuration and programming APIs/pipelines.This edition has been updated for PowerShell v6.
Zero Trust Networks: Building Secure Systems in Untrusted Networks explains the principles behind zero trust architecture, along with what's needed to implement it. Covers the evolution of perimeter-based defenses and how they evolved into the current broken model, case studies of zero trust in production networks on both the client and server side, example configurations for open-source tools that are useful for building a zero trust network and how to migrate from a perimeter-based network to a zero trust network in production. Kindly recommended by jaginfosec.
Tips
Here are a couple handy Windows shortcuts:
Here's a shortcut for a 4-pane explorer in Windows without installing 3rd-party software:
(Keep the win key down for the arrows, and no pauses.) Appreciation goes to ZAFJB for this one.
Our recent tip for a shortcut to get a 4-pane explorer in Windows, triggered this suggestion from SevaraB: "You can do that for an even larger grid of Windows by right-clicking the clock in the taskbar, and clicking 'Show windows side by side' to arrange them neatly. Did this for 4 rows of 6 windows when I had to have a quick 'n' dirty "video wall" of windows monitoring servers at our branches." ZAFJB adds that it actually works when you right-click "anywhere on the taskbar, except application icons or start button."
This tip comes courtesy of shipsass: "When I need to use Windows Explorer but I don't want to take my hands off the keyboard, I press Windows-E to launch Explorer and then Ctrl-L to jump to the address line and type my path. The Ctrl-L trick also works with any web browser, and it's an efficient way of talking less-technical people through instructions when 'browse to [location]' stumps them."
Clear browser history/cookies by pressing CTRL-SHIFT-DELETE on most major browsers. Thanks go to synapticpanda, who adds that this "saves me so much time when troubleshooting web apps where I am playing with the cache and such."
To rename a file with F2, while still editing the name of that file: Hit TAB to tab into the renaming of the next file. Thanks to abeeftaco for this one!
Alt-D is a reliable alternative to Ctrl-L for jumping to the address line in a browser. Thanks for this one go to fencepost_ajm, who explains: "Ctrl-L comes from the browser side as a shortcut for Location, Alt-D from the Windows Explorer side for Directory."
Browser shortcut: When typing a URL that ends with dot com, Ctrl + Enter will place the ".com" and take you to the page. Thanks to wpierre for this one!
This tip comes from anynonus, as something that daily that saves a few clicks: "Running a program with ctrl + shift + enter from start menu will start it as administrator (alt + y will select YES to run as admin) ... my user account is local admin [so] I don't feel like that is unsafe"
Building on our PowerShell resources, we received the following suggestion from halbaradkenafin: aka.ms/pskoans is "a way to learn PowerShell using PowerShell (and Pester). It's really cool and a bunch of folks have high praise for it (including a few teams within MSFT)."
Keyboard shortcut: If you already have an application open, hold ctrl + shift and middle click on the application in your task bar to open another instance as admin. Thanks go to Polymira for this one.
Remote Server Tip: "Critical advice. When testing out network configuration changes, prior to restarting the networking service or rebooting, always create a cron job that will restore your original network configuration and then reboot/restart networking on the machine after 5 minutes. If your config worked, you have enough time to remove it. If it didn't, it will fix itself. This is a beautifully simple solution that I learned from my old mentor at my very first job. I've held on to it for a long time." Thanks go to FrigidNox for the tip!
Websites
Deployment Research is the website of Johan Arwidmark, MS MVP in System Center Cloud and Datacenter Management. It is dedicated to sharing information and guidance around System Center, OS deployment, migration and more. The author shares tips and tricks to help improve the quality of IT Pros’ daily work.
Next of Windows is a website on (mostly) Microsoft-related technology. It's the place where Kent Chen—a computer veteran with many years of field experience—and Jonathan Hu—a web/mobile app developer and self-described "cool geek"—share what they know, what they learn and what they find in the hope of helping others learn and benefit.
High Scalability brings together all the relevant information about building scalable websites in one place. Because building a website with confidence requires a body of knowledge that can be slow to develop, the site focuses on moving visitors along the learning curve at a faster pace.
Information Technology Research Library is a great resource for IT-related research, white papers, reports, case studies, magazines, and eBooks. This library is provided at no charge by TradePub.com. GullibleDetective tells us it offers "free PDF files from a WIIIIIIDE variety of topics, not even just IT. Only caveat: as its a vendor-supported publishing company, you will have to give them a bit of information such as name, email address and possibly a company name. You undoubtedly have the ability to create fake information on this, mind you. The articles range from Excel templates, learning python, powershell, nosql etc. to converged architecture."
SS64 is a web-based reference guide for syntax and examples of the most-common database and OS computing commands. Recommended by Petti-The-Yeti, who adds, "I use this site all the time to look up commands and find examples while I'm building CMD and PS1 scripts."
Phishing and Malware Reporting. This website helps you put a stop to scams by getting fraudulent pages blocked. Easily report phishing webpages so they can be added to blacklists in as little as 15 minutes of your report. "Player024 tells us, "I highly recommend anyone in the industry to bookmark this page...With an average of about 10 minutes of work, I'm usually able to take down the phishing pages we receive thanks to the links posted on that website."
A Slack Channel
Windows Admin Slack is a great drive-by resource for the Windows sysadmin. This team has 33 public channels in total that cover different areas of helpful content on Windows administration.
Blogs
KC's Blog is the place where Microsoft MVP and web developer Kent Chen shares his IT insights and discoveries. The rather large library of posts offer helpful hints, how-tos, resources and news of interest to those in the Windows world.
The Windows Server Daily is the ever-current blog of technologist Katherine Moss, VP of open source & community engagement for StormlightTech. Offers brief daily posts on topics related to Windows server, Windows 10 and Administration.
An Infosec Slideshow
This security training slideshow was created for use during a quarterly infosec class. The content is offered generously by shalafi71, who adds, "Take this as a skeleton and flesh it out on your own. Take an hour or two and research the things I talk about. Tailor this to your own environment and users. Make it relevant to your people. Include corporate stories, include your audience, exclude yourself. This ain't about how smart you are at infosec, and I can't stress this enough, talk about how people can defend themselves. Give them things to look for and action they can take. No one gives a shit about your firewall rules."
Tech Tutorials
Tutorialspoint Library. This large collection of tech tutorials is a great resource for online learning. You'll find nearly 150 high-quality tutorials covering a wide array of languages and topics—from fundamentals to cutting-edge technologies. For example, this Powershell tutorial is designed for those with practical experience handling Windows-based Servers who want to learn how to install and use Windows Server 2012.
The Python Tutorial is a nice introduction to many of Python’s best features, enabling you to read and write Python modules and programs. It offers an understanding of the language's style and prepares you to learn more about the various Python library modules described in 'The Python Standard Library.' Kindly suggested by sharjeelsayed.
SysAdmin Humor
Day in the Life of a SysAdmin Episode 5: Lunch Break is an amusing look at a SysAdmin's attempt to take a brief lunch break. We imagine many of you can relate!
Have a fantastic week and as usual, let me know any comments.
Graham | CEO | EveryCloud
Fyi - I've set up a subreddit /itprotuesday, where we feature / encourage posts of some additional tools, tips etc. throughout the week. Pop over and subscribe if you’re interested.
submitted by crispyducks to msp [link] [comments]

Detached LUKS header full disk encryption with encrypted keyfile inside a passphrase-protected bootable keydisk using direct UEFI secure boot, encrypted swap, unbound with DNSCrypt and DNSSEC, and system hardening

EDIT: added parts to Arch Wiki

I.   Installation

General tips and notes:
 
I. Part I: Preparing the devices
Before you begin, go to your EFI settings (commonly referred to as BIOS settings although technically it's EFI now) at boot time using the designated function key. On my laptop that's F10 but you should google yours. Now go to Boot options and disable Secure Boot, then clear keys, this will leave the TPM in a receptive state for when we enroll our custom keys later. Note the clear keys option should be on the same page as the secure boot option, and it is not the separate TPM keys option which is something different. When you save changes and exit you may have to hit a key combination and press enter to verify.
Make sure to run 'lsblk' to find out what your block device mappings are, don't copy this blindly. We're overwriting all the data, so if there's files you need copy them or image them with Clonezilla to a different drive and leave that one unplugged.
dd if=/dev/urandom of=/dev/sda bs=4096 
#hard drive (just wait, a 500gb HDD took around 2.5 hours)
dd if=/dev/urandom of=/dev/sdb bs=4096 
#USB
 
I. Part II: Preparing the USB key
gdisk /dev/sdb 
n
1
2048
+512M
EF00
n is new partition, L shows all hex codes for filesystems (EF00, 8300), t allows you to change a filesystem after creating a partition
n
2
(Hit enter to accept the automatic start value here)
+250M
8300
Write changes with 'w', 'q' is quit.
cryptsetup --hash=sha512 --cipher=twofish-xts-plain64 --key-size=512 -i 30000 luksFormat /dev/sdb2 
 
Note: the -i is for iteration time in milliseconds for the key derivation function pbkdf, it should be at least 5000 (5 seconds), but preferably put it as high as you can stand. For me, that's about 30 seconds.
 
cryptsetup open /dev/sdb2 cryptboot 
 
mkfs.ext2 /dev/mappecryptboot 
 
Note: I picked ext2 for simplicity and to avoid journaling since it's just a usb drive
 
mount /dev/mappecryptboot /mnt 
 
cd /mnt 
 
dd if=/dev/urandom of=key.img bs=20M count=1 
 
cryptsetup --align-payload=1 --hash=sha512 --cipher=serpent-xts-plain64 --key-size=512 -i 30000 luksFormat key.img 
 
cryptsetup open key.img lukskey 
 
Note: You should make the file larger than 8192 bytes (the maximum keyfile size for cryptsetup) since the encrypted loop device will be a little smaller than the file's size.
20M might be a little too big for you, but 1) With a big file, we'll use --keyfile-offset=X and --keyfile-size=8192 to navigate to the correct position and 2) having too small of a file will get you a nasty 'Requested offset is beyond real size of device /dev/loop0' error.
Shoutout to the Gentoo Wiki for showing me how to do this easily and this thread from the Arch Linux forums for the inspiration. And the Gentoo Wiki again for explaining the size issue.
Now you should have 'lukskey' opened in a loop device (underneath /dev/loop1), mapped as /dev/mappelukskey
 
I. Part III: The main drive
truncate -s 2M header.img 
 
cryptsetup --hash=sha512 --cipher=serpent-xts-plain64 --key-size=512 --key-file=/dev/mappelukskey --keyfile-offset=X --keyfile-size=8192 luksFormat /dev/sda --align-payload 4096 --header header.img 
 
Pick an offset, and a number of milliseconds you can wait for
 
cryptsetup open --header header.img --key-file=/dev/mappelukskey --keyfile-offset=X --keyfile-size=8192 /dev/sda enc 
 
cd / 
 
cryptsetup close lukskey 
 
umount /mnt 
(if it complains about being busy make sure lukskey container is closed then "ps -efw" to find hanged processes and their PIDs to kill with "kill -9 "
 
pvcreate /dev/mappeenc 
 
vgcreate store /dev/mappeenc 
 
lvcreate -L 20G store -n root 
 
lvcreate -L 4G store -n swap 
 
lvcreate -l 100%FREE store -n home 
 
You can name "store" anything you want, the number of GB is up to you (note my root partition is currently using 3.9GB if you're looking for a rough minimum), swap space doesn't have to be twice your RAM unless you have a machine with very low RAM. Some people do the size of their RAM, some do half of their RAM, some do less. If you plan on suspending and hibernating, which I don't recommend (it's more proper to shutdown so the encryption keys are wiped from memory) then you would do at least the size of your RAM.
 
mkfs.ext4 /dev/store/root 
 
mkfs.ext4 /dev/store/home 
 
mount /dev/store/root /mnt 
 
mkdir /mnt/home 
 
mount /dev/store/home /mnt/home 
 
mkswap /dev/store/swap 
 
swapon /dev/store/swap 
 
mkdir /mnt/boot 
 
mount /dev/mappecryptboot /mnt/boot 
 
mkfs.fat -F32 /dev/sdb1 
 
mkdir /mnt/boot/efi 
 
mount /dev/sdb1 /mnt/boot/efi 
 
I. Part IV: The actual installation procedure and custom encrypt hook
After reading the "pacstrap" command and other tips below, follow the Installation Guide up to the "mkinitcpio" step but don't do it yet. You will skip "Partition the disks", "Format the partitions", and "Mount the file systems" as we've already done that. If you use a regular US keymap layout skip "Set the keyboard layout" as well. I skipped "Hostname" and "Network configuration" because I don't need a hostname and I prefer to start [email protected].service manually.
tl;dr quick network connection:
ip link set  up 
 
systemctl start [email protected].service 
This is my quick way to get https mirrors in order of speed (adjust for your country):
grep -i -A1 "United States" /etc/pacman.d/mirrorlist | grep -iP "^Server" | grep -vP "^--$" | sed 's/http/https/gi' > /etc/pacman.d/mirrorlist2 
#The accuracy of this grep statement could change depending on the format in the future, you may need to adjust.
 
rankmirrors -n 0 /etc/pacman.d/mirrorlist2 > /etc/pacman.d/mirrorlist 
 
Refreshing the package keys and a basic pacstrap command for our guide (if you need any other packages add them to the end or do a "pacman -S package" anytime after the chroot step):
pacman-key --refresh-keys 
 
pacstrap /mnt base base-devel linux-hardened efibootmgr sudo 
 
Now you should be at the "mkinitcpio" step and chrooted into your system. In order to get our encrypted setup to work, we will need to build our own hook, which is thankfully easy to do and I have the code you need. You will have to run "ls -lth /dev/disk/by-id" to figure out your own ID values for usb and main hard drive (they're linked -> to sda or sdb) then to get them into the file: "ls -lth /dev/disk/by-id | grep -iP 'PATTERNYOUWANT' | awk '{print $9}' >> /etc/initcpio/hooks/customencrypthook". You should be using those ids instead of just sda or sdb because sdX can change and this ensures it's the correct device.
You can name "customencrypthook" anything you want, and note that /etc/initcpio is the folder for hooks you create. Keep a backup of both files ("cp" them over to the /home directory or your user's home directory after you make one). /usbin/ash is not a typo.
/etc/initcpio/initcpio/hooks/customencrypthook
#!/usbin/ash 
 
run_hook() { 
 
modprobe -a -q dm-crypt >/dev/null 2>&1 
 
modprobe loop 
 
[ "${quiet}" = "y" ] && CSQUIET=">/dev/null" 
 
while [ ! -L '/dev/disk/by-id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX-part2' ]; do 
#the Xs represent your USB drive id found by "ls -lth /dev/disk/by-id"
 
 echo 'Waiting for USB' 
 
 sleep 1 
 
done 
 
 cryptsetup open /dev/disk/by-id/XXXXXXXXXXXXXXXXXXXXXXXX-part2 cryptboot 
 
 mkdir -p /mnt 
 
 mount /dev/mappecryptboot /mnt 
 
 cd /mnt 
 
 cryptsetup open key.img lukskey 
 
 cryptsetup --header header.img --key-file=/dev/mappelukskey --keyfile-offset=N --keyfile-size=8192 open /dev/disk/by-id/YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY enc 
#the Ys represent your main hard drive found by "ls -lth /dev/disk/by-id", N is your offset
 
 cd / 
 
 cryptsetup close lukskey 
 
 umount /mnt 
 
} 
#Note: I could also close cryptboot, but I want it to be easier to mount for updating and signing the kernel (which happens automatically during kernel updates), and regenerating the initramfs with mkinitcpio. You can close it using "cryptsetup close cryptboot", but then you would have to reenter the password before you mount it after booting into the system.
 
/etc/initcpio/install/customencrypthook
#!/bin/bash 
 
build() { 
 
local mod 
 
add_module dm-crypt 
 
if [[ $CRYPTO_MODULES ]]; then 
 
 for mod in $CRYPTO_MODULES; do 
 
 add_module "$mod" 
 
 done 
 
else 
 
 add_all_modules '/crypto/' 
 
fi 
 
add_binary "cryptsetup" 
 
add_binary "dmsetup" 
 
add_file "/uslib/udev/rules.d/10-dm.rules" 
 
add_file "/uslib/udev/rules.d/13-dm-disk.rules" 
 
add_file "/uslib/udev/rules.d/95-dm-notify.rules" 
 
add_file "/uslib/initcpio/udev/11-dm-initramfs.rules" "/uslib/udev/rules.d/11-dm-initramfs.rules" 
 
add_runscript 
 
} 
 
/etc/mkinitcpio.conf (edit this only don't replace it, these are just excerpts of the necessary parts)
MODULES=(loop) 
 
HOOKS=(base udev autodetect modconf block customencrypthook lvm2 filesystems keyboard fsck) 
#Note: the files=() and binaries=() arrays are empty, and you shouldn't have to replace HOOKS=(...) array entirely just edit in "customencrypthook lvm2" after block and before filesystems, and make sure "systemd", "sd-lvm2", and "encrypt" are removed.
 
I. Part V: Setting up sudo and a user
First, we need to change the root password and then add a user.
passwd 
 
useradd -m -G wheel -s /bin/bash USERNAMEHERE 
 
passwd USERNAMEHERE 
 
EDITOR=nano 
 
 visudo 
and make these edits:
at the top:
## See the sudoers man page for the details on how to write a sudoers file.
##
Defaults env_reset
Defaults editor=/usbin/nano, !env_editor
Defaults timestamp_timeout=0
Note: env_reset resets environment variables to prevent somebody from selecting a different program as their "editor" using the EDITOR environment variable, your default in the second line can be vi or another editor instead of nano, and timestamp_timeout=0 disables the sudo cache because I want to type the password every time. I recommend following these because even in a single-user scenario, potential malware could take advantage if you have those vulnerabilities open. The first two lines are from Sudo - Arch Wiki.
 
and near the bottom:
## User privilege specification
root ALL=(ALL) ALL
USERNAMEHERE ALL=(ALL) ALL
The owner and group for the sudoers file must both be root. The file permissions must be set to 0440.
ls -lth /etc/sudoers and make sure it looks like this:
-r--r----- 1 root root
If it doesn't then:
chown -c root:root /etc/sudoers 
 
chmod -c 0440 /etc/sudoers 
Now "su -l USERNAMEHERE" and run "sudo -i" and see if you can login as sudo, it should change your terminal to "[email protected]" instead of your username. Once you see it works, disable the direct root login and then exit.
passwd -l root 
 
exit 
From now on, you will use "sudo -e file" to safely edit files that require you to be root to edit them as it uses temporary files and is considered to be the proper form.
Also, while you should always use sudo to become root, if you ever use "su" for any user, use "su -l". This changes home directory and environment variables for safety as discussed here
 
I. Part VI: Direct UEFI using secure boot
 
We need to get cryptboot and sbupdate git from the AUR, then untar, read the pkgbuild, and "makepkg -si" inside the folder, for each. Yes, the program "cryptboot" has the same name as what we named our encrypted usb drive, but know that there's no relation here besides the implied meaning of "encrypted boot" and you can use any name for your encrypted usb drive.
These are the AUR links: cryptboot and sbupdate for reference. However, we'll be downloading a snapshot .tar.gz directly.
As of December 2017, the snapshot links are:
https://aur.archlinux.org/cgit/aur.git/snapshot/cryptboot.tar.gz
https://aur.archlinux.org/cgit/aur.git/snapshot/sbupdate-git.tar.gz
 
Important note: Don't do this as root and don't use sudo, add a user first and do it as the user.
su -l USERNAMEHERE 
 
If you're not already in the user's home directory:
cd ~ 
 
curl -o cryptboot.tar.gz https://aur.archlinux.org/cgit/aur.git/snapshot/cryptboot.tar.gz 
At this point I used my phone to copy and paste the .tar.gz "Download Snapshot" link from https://aur.archlinux.org/packages/cryptboot/ into VirusTotal.com and then used "sha256sum cryptboot.tar.gz" on the computer to get a checksum and compared it with the value on my phone.
 
tar xvf cryptboot.tar.gz 
 
cd cryptboot 
 
less PKGBUILD 
Read the package build and make sure nothing malicious has been snuck in there, to the best of your ability.
 
makepkg -si 
 
According to the Arch Linux wiki, this will download the code, resolve the dependencies with pacman, compile it, package it, and ask you for your sudo password to install the package.
Now we make our keys:
First prepare crypttab temporarily to be compatible with cryptboot.
Use "sudo -i" to become root.
sudo -e /etc/crypttab 
cryptboot /dev/disk/by-uuid/ZZZZZZZZZZZZZZZZZZZZZZZZZZZ none luks
You will have to find Z by running "ls -lth /dev/disk/by-uuid" and see which one links to sdb2 or whichever is the encrypted boot partition of your usb drive. Then "ls -lth /dev/disk/by-uuid | grep -iP 'PATTERNYOUWANT' | awk '{print $9}' >> /etc/crypttab".
sudo -e /etc/cryptboot.conf 
BOOT_CRYPT_NAME="cryptboot"
BOOT_DIR="/boot"
EFI_DIR="/boot/efi"
EFI_KEYS_DIR="/boot/efikeys"
 
cryptboot-efikeys create 
 
cryptboot-efikeys enroll 
 
Hopefully if you cleared your secure boot keys beforehand and properly configured the cryptboot.conf and your /boot partition is mounted, it should be successful. Delete the temporary entry we created from your crypttab.
Remember that generating keys only has to be done once. I guess you could do it again if you're worried that your keys have been compromised (don't forget to rename DB.* files back to db.*, see efikeys below), but it only needs to be done once and sbupdate will use the same keys to sign your new images every time you update your kernel.
Now we must prepare the system for sbupdate. Use "sudo -i" to become root.
cd /boot/efikeys 
"ls" to get a list of files and change all the "db.*" files to "DB" like this: mv db.file DB.file
Switch back to regular user "su -l USERNAMEHERE". Repeat the curl, tar, less, makepkg procedure done above for cryptboot except this time do it for sbupdate.
sudo -e /etc/default/sbupdate 
KEY_DIR="/boot/efikeys"
ESP_DIR="/boot/efi"
CMDLINE_DEFAULT="/vmlinuz-linux-hardened root=/dev/mappestore-root rw quiet"
The CMDLINE_DEFAULT is really important here, without it your efi will not boot. If you're curious what these files are and where they come from, vmlinuz is the compressed kernel image which is part of the package for linux-hardened. It's installed to the mounted /boot directory. In the same directory, initramfs-*.img files are created by mkinitcpio when we run the command.
now "sudo -i" into root and run:
mkinitcpio -p linux && mkinitcpio -p linux-hardened && sbupdate 
It should generate the initramfs image, and generate a signed UEFI image of your kernel and initramfs that we will be able to boot from. There should be a few "missing firmware" errors which should be harmless
 
Note: I keep the linux kernel as a backup in case anything goes wrong with linux-hardened after an update and I need to boot
 
Now we need a boot option for the signed efi file.
First run "lsblk" and look for the usb device and the 512M EFI partition. Mine is sdb1.
The Gentoo Wiki gives us a good example:
efibootmgr -c -d /dev/sdb -p 1 -L "Arch Linux Hardened Signed" -l "EFI\Arch\linux-hardened-signed.efi" 
-c create, -d disk, -p partition, -L label, and -l loader
Make sure the boot order puts "Arch Linux Hardened Signed" first. If not change it with "efibootmgr -o XXXX,YYYY,ZZZZ"
Finally, exit the chroot (keep running exit until it says [email protected] without brackets [] and the "lsblk" shows boot as "/mnt/boot" and not "/boot") and umount devices, then reboot
exit 
 
cd / 
 
umount -R /mnt 
 
reboot 
 
Now you will have to press the button for your EFI settings (BIOS settings) and enable secure boot, disable legacy boot and cd boot, and set up an administrator or power on password to prevent access. You'll need the usb key to boot and you'll have to enter two passwords, one for the usb key and another for the keyfile. Then the keyfile unlocks the main hard drive. You should probably run 'pacman -Syu' to update the system.
I. Part VII: Graphics and audio
First check your graphics driver here. I'm using radeon. Newer AMD cards use amdgpu (xf86-video-amdgpu). Nvidia and Intel should check the wiki for info.
pacman -S xorg-server xf86-video-ati xfce4 mousepad 
Check your ~/.local/share/xorg/Xorg.0.log and make sure it got loaded properly. For example, radeon will have lines that say "RADEON(0):". If it didn't load your driver it may say "MODESETTING(0):" which is the fallback driver as explained here Xorg - ArchWiki.
Also check your driver's wiki page to find out about enabling "TearFree" which prevents the horizontal lines when playing video (you'll have to create a minimal Xorg Configuration first with a "Device" section containing "Driver" and "Identifier").
Ctrl + F this page for "Prevent Xorg" and do that now, plus "Run Xorg Rootless".
Now for the audio:
pacman -S pulseaudio pavucontrol xfce4-pulseaudio-plugin 
Controversial, but pulseaudio indeed "just works" and you need it to hear sound on Firefox.

II.   Firewall

https://aur.archlinux.org/cgit/aur.git/snapshot/arno-iptables-firewall.tar.gz
You know the AUR drill we used for cryptboot and sbupdate by now, just curl -o the snapshot, verify the checksum matches the one online with VirusTotal, tar xvf, less pkgbuild, then makepkg -si. Remember to do it all as a regular user, not root so don't use sudo. Then:
 cd ~/arno-*/src/aif* sudo ./install.sh 
 
sudo -e /etc/arno-iptables-firewall/firewall.conf 
EXT_IF=""
EXT_IF_DHCP_IP=1
If you use a static ip you would leave the dhcp setting at 0.
sudo systemctl enable arno-iptables-firewall.service 
 
sudo systemctl start arno-iptables-firewall.service 

III.   System Hardening

Encrypted Swap
sudo -e /etc/crypttab 
swap /dev/mappestore-swap /dev/urandom swap,cipher=twofish-xts-plain64,hash=sha512,size=512,nofail
sudo -e /etc/fstab 
/dev/mappeswap none swap defaults 0 0
The entry for fstab replaces the old swap entry, you could just edit the old one to look like this.
Umask
sudo -e /etc/profile 
# Set our umask
umask 077
The way it was explained to me is that before the umask is applied, linux permissions for files you create start off as 0777. Umask 077 is the same as 0077. Thus, subtract 0777 - 0077 = 0700
The order is 0 (setuid, setgid, sticky bit), 7 (user), 0 (group), 0 (others)
This means that only the user who created or root will be able to read, write, and execute the file or directory (only directories create as exec). A umask of "177" would prevent the executable bit from being set so the default file permissions for directories you create would be "-rw-------".
The first 0 is for setuid, setgid, and sticky bit. Setuid and setgid allow a user to become other users or groups like root or wheel. Sticky bit allows your user to write or change a file, but prevent the change or deletion of your files by other users. This is useful for group or world-writable settings where people have the same permissions in a folder but you want to prevent destructive behavior.
Know that root can violate any permissions it wants unless you write a specific rule in SELinux which is a out of scope for this guide, unforunately. There are good books on it written by a guy named "Vermeulen".
Permissions
You may want to consider running: chmod -R g-rwx,o-rwx /boot
What this does is - (subtracts) all permissions (rwx) from group (g) and others (o). Leaving only root and the owner of the file with permissions.
chmod 000 /boot/key.img
chmod 000 /boot/header.img
#Note that obviously root will still be able to override this, but it means that no user can access it so the files can only be read or written to by root.
Pluggable Authentication Modules PAM rules
sudo -e /etc/pam.d/system-login 
#auth required pam_tally.so onerr=succeed file=/valog/faillog
auth required pam_tally.so deny=2 unlock_time=600 onerr=succeed file=/valog/faillog
Note you have to comment the first line so failed attempts are not counted twice, then the second line sets 2 denials (wrong passwords) and a 10 minute lockout. onerr=succeed counts the number of attempts. The file=* is a failure log.
sudo -e /etc/pam.d/su 
auth required pam_wheel.so use_uid
sudo -e /etc/pam.d/su-l 
auth required pam_wheel.so use_uid
TCP IP Hardening
sudo -e 50-dmesg-restrict.conf 
kernel.dmesg_restrict = 1
sudo -e 51-net.conf 
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.ip_forward = 0
net.ipv4.tcp_rfc1337 = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_timestamps = 0
sudo -e 40-ipv6.conf 
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.eno1.use_tempaddr = 2
net.ipv6.conf.lo.accept_redirects = 0
net.ipv6.conf.wlo1.use_tempaddr = 2
To apply changes,
sudo sysctl --system 
I've intentionally left out logging martian packets (people sending you packets with a spoofed or misconfigured addresses), but if you want you can log those to track down malicious activity.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
Disabling Root login
We already ran "passwd -l root" after we set up sudo.
sudo -e /etc/securetty 
Comment out all the lines in this file, you'll still be able to use sudo.
Hardening fstab
For cryptboot and the usb EFI partition add this to the fourth field comma-separated values:
noauto,nodev,nosuid,noexec
For /dev/store/home or /dev/mappestore-home:
nodev,nosuid
Hidepid
sudo -e /etc/fstab 
proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0
For Xorg to work, an exception needs to be added for systemd-logind:
sudo -e /etc/systemd/system/systemd-logind.service.d/hidepid.conf 
[Service]
SupplementaryGroups=proc
Prevent coredumps
sudo -i /etc/systemd/coredump.conf 
Storage=none
Check Pacman SigLevel and PGP keyring keys
grep -i siglevel /etc/pacman.conf 
SigLevel = Required DatabaseOptional
Update the keys manually:
pacman-key --refresh-keys 
Today is January 02, 2018. As of today, the "archlinux-keyring" was last updated on "2017-12-15 12:23 UTC". In a scenario where a key is no longer valid or goes rogue, it would be helpful to have the latest keys.
Safe mounting of external disks (sdc1 is an example)
sudo mount -o nodev,nosuid,noexec /dev/sdc1 /mnt 
This prevents executables, programs running with different user privileges than the user has, and nodev prevents character or block devices from being interpreted on the drive to prevent malicious exploits.
Browser cache permissions
edit: Updated to chromium
~/.config/chromium and ~/.cache/chromium files are "-rw-------" (chmod 600) and folders are "drwx------" (chmod 700). The point is to check permissions frequently and prevent executable files in the cache.
TTY Timeout
sudo -e /etc/profile.d/shell-timeout.sh 
TMOUT="$(( 60*10 ))";
[ -z "$DISPLAY" ] && export TMOUT;
case $( /usbin/tty ) in
/dev/tty[0-9]*) export TMOUT;;
esac
You can also block tty access all together but I prefer having it so I can switch over if I want or need to get away from Xorg.
Prevent Xorg from being run on a different terminal besides the one you logged in
sudo -e ~/.xserverrc 
#!/bin/sh
exec /usbin/Xorg -nolisten tcp -nolisten local "[email protected]" vt$XDG_VTNR
-nolisten local disables abstract sockets of X11. Which are supposed to be a risk if a keylogger or screenshotter attached itself to them. This blog gives some history on the subject.
Startx will execute this when you start up your desktop. You can autostart X at login but I prefer to do it manually. I use xfce so it's "exec startxfce4" after I login.
Run Xorg rootless
sudo -e /etc/X11/Xwrapper.config 
set needs_root_rights = no

IV.   Unbound + Dnscrypt + DNSSEC

edit: The new dnscrypt-proxy automatically updates the sources (servers list) so I've simplified this section.
 
sudo pacman -S unbound expat dnscrypt-proxy ldns 
 
sudo -e /etc/dhcpcd.conf 
Add anywhere:
static domain_name_servers=127.0.0.1
sudo systemctl edit dnscrypt-proxy.service 
edit: After the update on 5/18/2018 dnscrypt-proxy needs CAP_NET_BIND_SERVICE capability.
[Service]
DynamicUser=yes
CapabilityBoundingSet=CAP_IPC_LOCK CAP_SETGID CAP_SETUID CAP_NET_BIND_SERVICE
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
PrivateTmp=true
PrivateDevices=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
RestrictRealtime=true
RestrictAddressFamilies=AF_INET
SystemCallArchitectures=native
[email protected] @cpu-emulation @debug @keyring @ipc @module @mount @obsolete @raw-io
Above is from DNSCrypt - ArchWiki
sudo -e /etc/dnscrypt-proxy/dnscrypt-proxy.toml 
listen_addresses = []
require_dnnssec = true
cache = false
Cache is disabled because we are using DNSCrypt as a forwarder for the unbound cache. I still use Unbound because it has a better way of actually testing and validating that DNSSEC is working.
sudo -e /etc/unbound/unbound.conf 
server:
use-syslog: yes
username: "unbound"
directory: "/etc/unbound"
trust-anchor-file: trusted-key.key
port:53
do-not-query-localhost: no
forward-zone:
  name: "."
  forward-addr: [email protected]
sudo -e /etc/resolv.conf 
nameserver 127.0.0.1
options edns0 single-request-reopen
systemctl edit dnscrypt-proxy.socket 
[Socket]
ListenStream=
ListenDatagram=
ListenStream=127.0.0.1:5138
ListenDatagram=127.0.0.1:5138
The port number is larger than 1024 so dnscrypt-proxy is not required to be run by root. So pick a number from 1025-65535, or run this command "shuf -n 1 -i 1025-65535".
For DNSCrypt with Unbound, only unbound and dnscrypt-proxy.socket need to be started and enabled.
 systemctl enable dnscrypt-proxy.socket 
 
 systemctl enable unbound.service 
 
 systemctl start dnscrypt-proxy.socket 
 
 systemctl start unbound.service 
 
Now test it out
 drill -DT sigfail.verteiltesysteme.net 
 
 drill -DT sigok.verteiltesysteme.net 
 
 unbound-host -C /etc/unbound/unbound.conf -v sigok.verteiltesysteme.net 
 
 unbound-host -C /etc/unbound/unbound.conf -v sigfail.verteiltesysteme.net 
Root Hints
sudo curl -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache 
 
sudo chmod 644 /etc/unbound/root.hints 
 
sudo -e /etc/unbound/unbound.conf 
Under "server:":
root-hints: "/etc/unbound/root.hints"
 
sudo systemctl restart unbound 
 
Root Hints script (Optional, probably unnecessary)
This optional script creates a service that updates root hints automatically. is your internet device from "ip link", usually eno1 or wlo1. If you don't use dhcpcd then change it to the service that gets your internet working. Once the timer goes off each month, the script will retry every 20 minutes until the internet is on then update the root hints. If a timer is missed it will keep trying. The 2 minute predelay is to give dnscrypt time to resolve fingerprints and the certificate.
sudo -e /etc/systemd/system/roothints.service 
 
[Unit]
Description=Update root hints for unbound
[email protected].service
[Service]
TimeoutStartSec=0
Restart=on-failure
RestartSec=1200
ExecStartPre=/bin/sleep 120
ExecStart=/usbin/bash -c 'isitalive=$(/usbin/systemctl is-active [email protected].service); if [ "$isitalive" == "active" ]; then /usbin/curl -v -o /etc/unbound/root.hints https://www.internic.net/domain/named.cache; fi; if [ "$isitalive" == "inactive" ]; then exit 1; fi'
 
sudo -e /etc/systemd/system/roothints.timer 
[Unit]
Description=Run root.hints monthly
[Timer]
OnCalendar=monthly
Persistent=true
[Install]
WantedBy=timers.target
You can use a custom date like this: "OnCalendar=*-*-12 12:00:00". That would run the job on the 12th of every month at 12pm local time.
sudo systemctl enable roothints.timer 
 
sudo systemctl start roothints.timer 
 
sudo systemctl status roothints.timer 
Testing our script
From the wiki on Timers you can check the calendar time until the next run:
systemd-analyze calendar "*-*-12 12:00:00" 
 
systemd-analyze calendar monthly 
If you have other timers also, you may want to consider setting them to separate, specific times or using "RandomizedDelaySec" in the .timer file under [Timer]
 
systemctl daemon-reload 
To reload units after making changes on disk.
sudo systemctl start roothints 
Wait a little and then check the systemctl status.
 
Troubleshooting
If you can't resolve hosts try:
  • Setting "verbosity=5" under "server:" in /etc/unbound/unbound.conf and check "journalctl -u unbound.service". You should see some pretty detailed output that shows if it's working.
  • If you just want to get your internet working again, # comment out the forwardings section ("forward-zone:", "name:", "forward-addr:") and "trust-anchor-file" in unbound.conf, systemctl stop dnscrypt-proxy.socket and dnscrypt-proxy.service, then stop and start unbound to fix the internet.
  • If you're using unbound, make sure /etc/dnscrypt-proxy/dnscrypt-proxy.toml 'cache' is disabled.
Sometimes, fixing the internet is as simple as using "ip link set down", "ip link set up", then stop and start [email protected].service. Or restarting unbound.service. Also check "systemctl status dnscrypt*" to make sure the socket is running and that the proxy service received its certificate and fingerprints from the server.

V.   Firejail:

pacman -S firejail chromium xorg-server-xephyr openbox 
Edit: changed to Chromium
Xephyr and openbox will allow us to enable X11 sandboxing and resize the browser window, respectively.
sudo -e /etc/firejail/firejail.config 
xephyr-screen WIDTHxHEIGHT
Width and Height are in pixels.
To open the sandbox and browser:
firejail --x11 --profile=/etc/firejail/chromium.profile openbox --startup 'chromium' 
You should be able to adjust the window or maximize it, and the internet should work automatically since unbound is handling our dns.

VI.   Afternotes:

  • Be careful with your LUKS header and any backups of it, the proper disposal is to "shred", "wipe", or dd it with random data multiple times before deleting it Securely Wipe Disk - Arch Wiki.
    If an attacker gets a hold of your old LUKS header (after you changed the passphrase) and they figured out the old passphrase or keyfile, they can use the old header to get access to your system. Check out the cryptsetup FAQ for more details.
    A way to mitigate this is to use "cryptsetup-reencrypt" which will generate a new master key (volume key) and make the old header ineffective even when they have the compromised passphrase or keyfile, but read the man page first.
  • You can use dd to backup the whole usb drive as an image, or the partitions (assuming it's sdb):
    dd if=/dev/sdb1 of=backup.img bs=4M
    dd if=/dev/sdb2 of=backup2.img bs=4M
  • The LUKS keyfile can be changed like this:
    cryptsetup --header /boot/header.img --key-file=/dev/mappelukskey --keyfile-offset=X --keyfile-size=8192 luksChangeKey /dev/mappeenc /dev/mappelukskey2 --new-keyfile-size=8192 --new-keyfile-offset=Y 
Afterwards, "cryptsetup close lukskey" and "shred" or "dd" the old keyfile with random data before deleting it, then make sure that the new keyfile is renamed to the same name of the old one "key.img" or other name.
  • For some reason sysctl doesn't seem to be loading my /etc/sysctl.d/51-net.conf file on boot so I have to run "sysctl --reload" to get it working.
  • Read General Recommendations on the Arch Wiki, mainly "System Administration" and "Package Management"
  • Consider blacklisting usb devices with USBGuard
  • Check permissions, ownership, and sticky bits everywhere you can.
    find / -path /proc -prune -o -type f \( -perm -4000 -o -perm -2000 \) | xargs ls
    #look for setuid or setgid bits
    chmod u-s /path/to/file
    #unset a setsuid bit for a file (user id)
    chmod g-s /path/to/file
    #unset a setguid bit for a file (group id)
    find / -nouser -o -nogroup | xargs ls
    #unowned abandoned orphaned files
    find / -path /proc -prune -o -perm -2 ! -type l | xargs ls
    #world-writable files
  • Anti virus or anti malware such as clamav and rkhunter
  • Intrusion detection, scanning, and security auditing tools such as lynis, nmap, aide, snort, yasat. You can find more recommendations here
  • Implementing access control security policies such as SELinux, Tomoyo, AppArmor, Smack, and I'm sure there's more.
submitted by wincraft71 to archlinux [link] [comments]

HighLow Review 2020 by Binary Today - YouTube Binary Options Strategy 2020  100% WIN GUARANTEED ... Binary.com - Secret Higher/Lower - Binary Options Strategy ... Binary Options Trading Robot Trades HighLow.Net And Win! Indicators on Highlow binary options login You Should Know ... Free Signals $ high low binary options review - YouTube High ITM strategy for Binary options that works Guide ║ highlow binary options login - YouTube HighLow Binary Robot 2018 ⭐️⭐️⭐️⭐️⭐️ - YouTube Guide ║ high low binary options review - YouTube

Broker Details. HighLow Markets pty ltd. is a licensed broker based in Australia. They are regulated by ASIC (Australian Securities and Investment Commission.) they believe that they are ideal for trading veterans as well as the beginners given their instant withdrawals, high-profile platform, and mobile app as well as full regulation.. They have a minimum deposit of $50USD/$10AUD with a ... With the High/Low Spread binary options at HighLow, you need to make up the spread. Example: The current market price on the UK100 is 7389.2. You are presented with 7389.5 to go higher and 7388.9 to go lower. The construction makes it possible for HighLow to offer bigger payouts on High/Low Spread options that finnish in the money; some of them pay 200% of the purchase price! Underlyings ... High/Low is the most basic type of binary options trade. Turbo is the short-term version of it. You will also notice that there are additional tree types called High/Low Spread and Turbo Spread. These are essentially the same, except that as the name implies, you pay a spread when you place these trades. Doing so allows you to receive a higher payout should you win—up to 200%. These high ... High/Low – They had to offer these didn’t they? The standard binary trade – will the asset value finish higher or lower than the current price. Expiries range from 15 minutes up to ‘End of Day’ expiries. High/Low Spread – As above, but the difference is in the payout and strike price. Payouts on the ‘spread’ options are 100% ... High Low Binary Options Login. Learn more about Responsible Trading. Date septembre, 02nd, 2020. With Binary.com binary options brokerage platform you can do tick trade for 5 ticks & 10 ticks. high low binary options login 3 Bars High Or Low Binary Options Trading Strategy is a combination of Metatrader 4 (MT4) indicator(s) and template. High Low Binary Options Login. Our tiered commission structure offers up-to $400 for each conversion, and with our sophisticated marketing tools and eye-catching creatives, the power to make money is all yours Binary Option Robot is the best automated software to trade binary options online. > BINARY: Up to 93% Payouts in as low as 60 seconds > FOREX: Low spreads and fast execution > Free DEMO ... HighLow binary options broker is one of the most popular Australian binary options service providers since it opened gates in 2014. even though this broker is not one of the long term Fair Binary Options partners, for now, it seems to provide an excellent service for all its customers, as all our readers can see in our HighLow review. We have tested most of the important aspects of this broker ... The return rate on Highlow can be as high as 180% – 200% for winning trades. Is HighLow a Scam? No. Highlow is in fact the most trustworthy binary options broker in Australia. Company: HighLow Markets Pty Ltd: Address: Level 10, 20 Martin Place, Sydney, NSW 2000, Australia: Phone Support: 1300-870-442: Regulation and License: ASIC with license #364264: Australian Company Number (ACN ... While High-Low is a regulated binary options broker in Australia, it is worth noting that their regulatory oversight does not include non-Australian citizens. Hence, if you are planning to open an account with this Australian broker as an international client, you may not be covered by rules that are valid for Australian citizens. However, HighLow.net is conducting business in several ... High/Low – Obviously! These are standard binary options – Decide if the asset value will finish higher or lower than the current strike price. Expiry times of these go from 15 minutes up to ‘End of Day’ expiries. High/Low Spread – Spread options differ in the payout and strike price. The basics remain the same as a standard High/Low ...

[index] [26887] [17143] [1908] [374] [13267] [28943] [10291] [14979] [27227] [20112]

HighLow Review 2020 by Binary Today - YouTube

Try This Out: https://bit.ly/3hLzKpe - Indicators on Highlow binary options login You Should Know Anticipate if the market will stay in between or go outside... Binary.com - Secret Higher/Lower - Binary Options Strategy You Can Download The Latest Bot / Signal Vfxalert Please Click on The link below! Contact Telegram... Hello everyone!:) My name is Anastasia, but it's too hard to pronounce, that's why you may call me just ANA. I'm a pro trader for more than 2 years already a... Hello everyone!:) My name is Anastasia, but it's too hard to pronounce, that's why you may call me just ANA. I'm a pro trader for more than 2 years already a... HighLow is my #1 binary options broker currently. I recommend checking it out here. https://binarytoday.com/broker-review-highlow-demo-withdrawal-payouts-etc... Binary Options Trading Robot Trades www.highlow.net And Win! 100% Automated Binary Options Robot! Profitable, Reliable, Safety Based On Neural Networks Algor... The aim of this video is to teach you how to become profitable in Binary options and earn money without falling in the scam. It is No loss style. You will always make profit at the end of the day ... 👨🏽‍💻 IQ Option $ The best broker 2020: - https://bit.ly/3hMNU9b I'll show you 100% winning iq option strategy 7 win VS 0 loss The road to success through trading IQ option Best Bot Reviews Iq Option 2020 ,We make videos using this softwhere bot which aims to make it easier for you t... HighLow Binary Robot 2018 trades binary options for binary options broker https://en.highlow.net/ or https://js.highlow.net/ https://www.altredo.com/binary_o...

http://arab-binary-option.daydispmicchatap.tk