Linux – Linux articles

Use To Find Hidden Website Pages

Most companies have an admin portal page, giving their staff access to basic admin controls for day-to-day operations. For a bank, an employee might need to transfer money to and from client accounts. Due to human error or negligence, there may be instances when these pages are not made private, allowing attackers to find hidden pages that show or give access to admin controls or sensitive data.

To begin, type the following command into the terminal to find potentially hidden pages on FakeBank’s website using (a command-line security application).

gobuster -u http://fakebank.thm -w wordlist.txt dir

The command will run and show you an output similar to this:

ubuntu@tryhackme:~/Desktop$ gobuster -u http://fakebank.thm -w wordlist.txt dir

=====================================================
Gobuster v2.0.1              OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://fakebank.thm/
[+] Threads      : 10
[+] Wordlist     : wordlist.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout      : 10s
=====================================================
2024/05/21 10:04:38 Starting gobuster
=====================================================
/images (Status: 301)
/bank-transfer (Status: 200)
=====================================================
2024/05/21 10:04:44 Finished
=====================================================

How to Create a New WireGuard Client on a Linux Server (Debian/Ubuntu)

Wireguard is a modern, fast, and secure VPN solution.
This guide explains how to create a new WireGuard client on a Linux server
(Debian or Ubuntu) and connect it from a mobile device or desktop.

Prerequisites

A Linux server with WireGuard already installed
Root or sudo access
An existing WireGuard interface (e.g. wg0)

Example network used in this guide:

VPN subnet: 10.0.0.0/24
Server IP: 10.0.0.1
New client IP: 10.0.0.2

Step 1: Generate Client Keys

Navigate to the WireGuard configuration directory and set a secure file creation mask:

cd /etc/wireguard
umask 077

Generate the client private and public keys:

wg genkey | tee client1.key | wg pubkey > client1.pub

This creates:

client1.key — private key (keep secret)
client1.pub — public key

Step 2: Add the Client to the Server Configuration

Edit the server configuration file:

nano /etc/wireguard/wg0.conf

Add a new [Peer] section:

[Peer]
PublicKey = CLIENT1_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

Important: Each client must have a unique IP address.

Step 3: Apply the Configuration

Reload WireGuard without disconnecting active clients:

wg syncconf wg0 <(wg-quick strip wg0)

Or restart the interface:

systemctl restart wg-quick@wg0

Step 4: Create the Client Configuration File

Create a client configuration file:

nano client1.conf

Insert the following configuration:

[Interface]
PrivateKey = CLIENT1_PRIVATE_KEY
Address = 10.0.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = SERVER_PUBLIC_KEY
Endpoint = SERVER_IP:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25

Step 5: Generate a QR Code (Optional)

For mobile devices, you can generate a QR code:

apt install qrencode
qrencode -t ansiutf8 < client1.conf

Scan the QR code using the WireGuard mobile app to import the tunnel instantly.

Step 6: Verify the Connection

On the server, check the tunnel status:

wg show

If the client is connected, you will see:

Latest handshake timestamp
Data transfer statistics

Common Configuration Variants

Split Tunnel (VPN only for internal network)

AllowedIPs = 10.0.0.0/24

Full Tunnel (all traffic via VPN)

AllowedIPs = 0.0.0.0/0, ::/0

Security Notes

Never reuse client IP addresses
Protect private keys with file permissions (600)
Use PersistentKeepalive = 25 for mobile clients behind NAT

Conclusion

WireGuard makes VPN client management simple and secure.
By following this guide, you can safely add new clients,
generate configuration files, and connect from any modern device.

This setup works equally well for Android, iOS, Linux, Windows, and macOS clients.

Source: AIBlockLab.com

Як підключити USB 3G-модем Huawei E173 до Linux Mint

Huawei E173 — популярний USB 3G-модем, який добре підтримується Linux, але на сучасних версіях Linux Mint часто виникає ситуація, коли ModemManager не бачить модем, навіть якщо драйвери завантажені правильно.

У цій статті показано реальний робочий спосіб підключення Huawei E173 до Linux Mint, включно з діагностикою та стабільним рішенням через wvdial.

1. Перевірка визначення модема системою

Після підключення модема до USB перевіримо, чи бачить його система:

lsusb

Очікуваний результат:

Bus 001 Device 010: ID 12d1:1506 Huawei Technologies Co., Ltd. Modem/Networkcard

Важливо: ID 12d1:1506 означає, що модем уже в режимі модема (не CD-ROM), і usb_modeswitch не потрібен.

2. Перевірка портів ttyUSB

Модем Huawei E173 працює через послідовні порти. Перевіримо їх наявність:

ls /dev/ttyUSB*

Нормальний результат:

/dev/ttyUSB0
/dev/ttyUSB1
/dev/ttyUSB2

3. Перевірка драйверів ядра

Переконаємося, що драйвер option завантажений:

lsmod | grep option

Очікувано:

option      69632  1
usb_wwan    24576  1 option
usbserial   57344  4 usb_wwan,option

Це означає, що ядро Linux повністю готове до роботи з модемом.

4. Чому ModemManager не бачить Huawei E173

Команда:

mmcli -L

може повертати:

No modems were found

Це типова проблема на нових версіях Linux Mint. ModemManager орієнтований на LTE / QMI / MBIM і часто ігнорує старі 3G-модеми Huawei.

Рішення — використати перевірений класичний метод через wvdial.

5. Встановлення wvdial

sudo apt update
sudo apt install wvdial

6. Налаштування wvdial

Відкрий конфігураційний файл:

sudo nano /etc/wvdial.conf

Встав наступний конфіг:

[Dialer Defaults]
Init1 = ATZ
Init2 = ATQ0 V1 E1 S0=0 &C1 &D2
Init3 = AT+CGDCONT=1,"IP","internet"
Modem Type = Analog Modem
Phone = *99#
Username = user
Password = pass
Modem = /dev/ttyUSB0
Baud = 460800
Stupid Mode = 1
Auto DNS = 1
Carrier Check = no

APN для українських операторів

Kyivstar — www.kyivstar.net
Vodafone UA — internet
Lifecell — internet

APN змінюється в рядку Init3.

7. Підключення до інтернету

sudo wvdial

Успішне підключення виглядає так:

--> Dialing *99#
--> Starting pppd
--> local  IP address 10.x.x.x
--> remote IP address 10.x.x.x
--> primary   DNS address

Це означає, що з’єднання встановлено і інтернет працює.

Для відключення використовуйте Ctrl + C.

8. Якщо не підключається

Спробуйте змінити порт модема:

Modem = /dev/ttyUSB1

або

Modem = /dev/ttyUSB2

І повторіть команду sudo wvdial.

9. Перевірка мережевого інтерфейсу

Після підключення перевірте:

ip a

Має з’явитися інтерфейс ppp0.

How to Install and Configure WireGuard VPN on Debian 12 and Linux Mint

WireGuard is a modern, fast, and secure VPN protocol that is easy to set up. In this guide, we will show you how to install and configure a WireGuard server on a Debian 12 VPS and connect to it from a Linux Mint client.

Step 1: Update Your Debian Server

First, ensure your server packages are up-to-date:

sudo apt update && sudo apt upgrade -y

Step 2: Install WireGuard on Debian

sudo apt install wireguard -y
modprobe wireguard

Step 3: Generate Server Keys

wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key

Step 4: Configure WireGuard Server

Create the server configuration file /etc/wireguard/wg0.conf:

[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = <SERVER_PRIVATE_KEY>
SaveConfig = false

# Client 1 example
#[Peer]
#PublicKey = <CLIENT1_PUBLIC_KEY>
#AllowedIPs = 10.8.0.2/32

Replace <SERVER_PRIVATE_KEY> with the contents of /etc/wireguard/server_private.key.

Step 5: Enable IP Forwarding

echo "net.ipv4.ip_forward=1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Step 6: Configure NAT

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo apt install iptables-persistent -y
sudo netfilter-persistent save

Step 7: Start WireGuard Server

sudo systemctl enable wg-quick@wg0
sudo systemctl start wg-quick@wg0
sudo wg

Step 8: Install WireGuard on Linux Mint Client

sudo apt update
sudo apt install wireguard -y
wg --version

Step 9: Generate Client Keys

wg genkey | tee client_private.key | wg pubkey > client_public.key

Step 10: Add Client to Server

Edit /etc/wireguard/wg0.conf on the server:

[Peer]
PublicKey = <CLIENT_PUBLIC_KEY>
AllowedIPs = 10.8.0.2/32

Replace <CLIENT_PUBLIC_KEY> with the contents of client_public.key from the Linux Mint client.

Step 11: Create Client Configuration

Create /etc/wireguard/wg0.conf on Linux Mint:

[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY>
Address = 10.8.0.2/32
DNS = 1.1.1.1

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
Endpoint = <SERVER_PUBLIC_IP>:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25

Step 12: Start WireGuard Client

sudo wg-quick up wg0

To stop the client:

sudo wg-quick down wg0

Step 13: Automatic Start (Optional)

sudo systemctl enable wg-quick@wg0

Step 14: Verify Connection

sudo wg
ip a

Now your Linux Mint client should be connected securely to the WireGuard server on Debian 12.

Note: Make sure to replace all placeholders like <SERVER_PRIVATE_KEY>, <CLIENT_PRIVATE_KEY>, <CLIENT_PUBLIC_KEY>, and <SERVER_PUBLIC_IP> with the real values from your setup.

Working with crontab in Linux

1. Show list of all tasks

Display all cron jobs for the current user:

crontab -l

2. Add a new task

Edit your crontab file:

crontab -e

Add the following line at the end of the file to run a command every day at midnight:

0 0 * * * php /full/path/to/index.php

Replace /full/path/to/index.php with the actual path to your script.

3. Edit a task

Run:

crontab -e

Then modify the desired line in the editor.

4. Delete a task

Also via:

crontab -e

Just delete the task line and save changes.

To delete all cron jobs at once:

crontab -r

Warning: This removes all crontab entries for the user without confirmation.

Useful Examples

Every 5 minutes:

*/5 * * * * php /home/user/script.php

Every day at 6:30 AM:

30 6 * * * php /home/user/script.php

Every Monday at 7:00 AM:

0 7 * * 1 php /home/user/script.php

Log output to file:

0 0 * * * php /home/user/index.php >> /home/user/logs/cron.log 2>&1

>> appends output; 2>&1 combines stderr and stdout.

Check if cron is running

systemctl status cron

If stopped, start it:

sudo systemctl start cron

Other tips

Edit crontab for another user:

sudo crontab -u username -e

System-wide cron jobs:

/etc/crontab
/etc/cron.daily/
/etc/cron.hourly/
/etc/cron.weekly/
/etc/cron.monthly/

Source: https://aiblocklab.com/en/articles/linux-server-tutorials/working-with-crontab-in-linux

🔐 How to Securely Encrypt and Decrypt Any File in Linux

In today’s digital world, ensuring the confidentiality of your sensitive data is more important than ever. Whether you’re backing up documents, transferring files, or protecting personal information, encrypting your files is a critical security step. In this article, we’ll explore how to securely encrypt and decrypt any file using the Linux terminal — leveraging robust, open-source tools like gpg and openssl.

🔧 Symmetric Encryption with `gpg`

The simplest and most effective method for encrypting files locally is symmetric encryption, where the same password is used for both encryption and decryption.

🔒 Encrypt a File with a Password

gpg -c myfile.txt

You’ll be prompted to enter a passphrase. The resulting file will be myfile.txt.gpg.

🔓 Decrypt the File

gpg -o myfile_decrypted.txt -d myfile.txt.gpg

You’ll be prompted for the same passphrase to decrypt the file.

✅ Best For: Local file protection or sharing with someone you trust enough to share a password with.

🔐 Asymmetric Encryption (Using Key Pairs)

For secure communication or file exchange between users, asymmetric encryption is recommended. This method uses a pair of keys: a public key for encryption and a private key for decryption.

Step 1: Generate a Key Pair

gpg --full-generate-key

Choose:

Key type: RSA and RSA
Key size: 4096 bits (recommended)
Expiration: Set if desired
User information: Name and email

Step 2: List Available Keys

gpg --list-keys

Step 3: Encrypt a File for a Specific User

gpg -e -r "User Name or Email" myfile.txt

This command will create myfile.txt.gpg, encrypted with the recipient’s public key.

Step 4: Decrypt the File

gpg -d myfile.txt.gpg > myfile_decrypted.txt

The recipient’s private key must be available on the system to decrypt.

✅ Best For: Secure communication and file exchange between multiple parties.

🔧 Alternative: Using `openssl`

For those who prefer OpenSSL, here’s how to use AES-256 encryption:

🔒 Encrypt

openssl enc -aes-256-cbc -salt -in myfile.txt -out myfile.txt.enc

🔓 Decrypt

openssl enc -d -aes-256-cbc -in myfile.txt.enc -out myfile_decrypted.txt

You’ll be asked to provide the same password for decryption.

🛡️ Security Tips

Use strong, unique passphrases — at least 12+ characters with a mix of letters, numbers, and symbols.
Avoid storing passphrases in plaintext.
When sharing files, prefer asymmetric encryption over symmetric if possible.
Back up your private keys in a secure location.

📦 Conclusion

Encrypting files via the Linux terminal is both powerful and straightforward with tools like gpg and openssl. Whether you’re an individual protecting personal data or a business sharing confidential documents, these methods help ensure your information stays safe.

How to test server for vulnerabilities

To check open ports on the server use Nmap program. To install Nmap use command:

sudo apt install nmap

This command check server IP for open ports:

sudo nmap -sC -sV -v IP_ADDRESS

For fast scan all ports with Nmap use command:

sudo nmap -sS -v IP_ADDRESS -p-

Scan directories on host:

ffuf -w ~/SecLists/Discovery/Web-Content/directory-lists-lowercase-2.3-small.txt:FUZZ -u "http://IP_ADDRESS/FUZZ" -ic -c -e .php

Scan Subdomains:

ffuf -w ~/SecLists/Discovery/Web-Content/directory-lists-lowercase-2.3-small.txt:FUZZ -u "http://DOMAIN.COM/" -H 'Host: FUZZ.DOMAIN.COM' -fw SIZE

-fw – filter words 522

-fs – filter size SIZE

Install Bitwarden to your server

Bitwarden is an open-source password manager that helps you store, manage, and share your login credentials securely. You can use it personally or as a team/organization.

To install Bitwarden on your server use next steps:

1. Update your server

sudo apt update && sudo apt upgrade -y

2. Install Docker + Docker Compose

sudo apt install docker.io docker-compose -y
sudo systemctl enable --now docker

3. Add your current user to docker group

sudo usermod -aG docker $USER

4. Go to Bitwarden Github repository: https://github.com/bitwarden/server and copy and run installation commands on your server:

curl -s -L -o bitwarden.sh \
    "https://func.bitwarden.com/api/dl/?app=self-host&platform=linux" \
    && chmod +x bitwarden.sh
./bitwarden.sh install
./bitwarden.sh start

Configure DKIM, SPF and DMARC in Hestia CP

DKIM (DomainKeys Identified Mail) is an E-mail authentication method designed to detect spoofing of email messages

DKIM technology combines several existing anti-phishing and anti-spam methods to improve the classification and identification of legitimate email

Instead of a traditional IP address, DKIM adds a digital signature associated with the organization’s domain name to identify the sender of the message. The signature is automatically verified at the recipient’s end, after which whitelists and blacklists are applied to determine the sender’s reputation.

DKIM is configured for each domain, so you will have the option to enable it when you create a domain, as shown in the figure below.

Once the domain has been created, you must now create a text (TXT) record for the domain using its DKIM public key.

Using SSH and the command you need to get the DKIM public key.

v-list-mail-domain-dkim USER DOMAIN [FORMAT]

Which will take the name of the user in which the domain was created and the domain itself as arguments, you can get private and public keys

The bottom part of the output will be the public key of the DKIM domain.

mail._domainkey – entered in the Host field.

"v=DKIM1; k=rsa; p=PUBLIC_KEY"

NOTE: the key must be a single line – if there are line breaks, you must copy the key into notepad and remove them to make one long line.

SPF (Sender Policy Framework) is an extension for the SMTP e-mail sending protocol.

SPF allows the owner of a domain, in a TXT record corresponding to the domain name, to specify a list of servers authorized to send e-mail messages with return addresses in that domain. Mail transfer agents that receive mail messages can query SPF information with a simple DNS query, thus verifying the sender’s server. SPF allows you to specify servers and IP addresses that are allowed to send mail from your domains. This feature is designed to block outgoing unwanted messages.

The SPF record is written in the TXT record of the domain. Actually you need to add a TXT record and put the SPF record in its value. In the SPF record you have to specify the server IP from which the messages will be sent. Instead of 111.11.11.111, write the IP address of your server:

"v=spf1 +a +mx +ip4:111.11.11.111 ~all"

DMARC (Domain-based Message Authentication, Reporting, and Conformance) — a standard that adds an additional layer of email verification and protection against phishing and spoofing.

DMARC allows a domain owner to specify, via a TXT record, the verification rules for messages and the actions that should be performed by mail systems when receiving a message on behalf of the domain. The main purpose of DMARC is to help recipient mail servers recognize fake emails and decide how to handle them.

The DMARC system defines:

Verification Policy (p parameter), which indicates what to do with emails that fail authentication (e.g., none for gathering reports, quarantine for moving to spam, or reject to deny delivery).
Addresses for Reports (rua and ruf parameters), which specify where the data on checks and failures should be sent for analysis by the sender.

DMARC works in tandem with SPF and DKIM, allowing determination of whether messages are authentic. If a message fails SPF and/or DKIM checks, the DMARC policy will decide whether to block it, mark it as spam, or simply send a report to the domain owner.

In the Hestia panel, select the domain for which you want to set up the DMARC policy and go to the DNS Records section.

_dmarc – entered in the Host field.

"v=DMARC1; p=quarantine; pct=100"

Entered in the Value field, you can leave the double quotes for convenience.

How to fix error: The repository is not updated and the previous index files will be used in Debian

The error “The repository is not updated and the previous index files will be used. GPG error: https://nginx.org/packages/mainline/debian bullseye InRelease: The following signatures were invalid” suggests that the GPG key for the Nginx repository is either missing, expired, or invalid. Here’s how to fix it in Debian 11 GNU Linux (Bullseye):

1. Remove Old Nginx GPG Keys

Old or conflicting keys can cause issues, so remove them first:

sudo rm -rf /etc/apt/keyrings/nginx*
sudo rm -rf /usr/share/keyrings/nginx-archive-keyring.gpg

2. Add the Correct Nginx GPG Key

Run the following command to download and add the updated signing key:

curl -fsSL https://nginx.org/keys/nginx_signing.key | sudo gpg --dearmor -o /usr/share/keyrings/nginx-archive-keyring.gpg

Verify that the key was added:

gpg --show-keys /usr/share/keyrings/nginx-archive-keyring.gpg

3. Update the Repository Configuration

Ensure your /etc/apt/sources.list.d/nginx.list contains the correct repository entry:

echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian bullseye nginx" | sudo tee /etc/apt/sources.list.d/nginx.list

4. Update Package Lists

Now, refresh the package lists:

sudo apt update

If the update runs without errors, you can proceed with installation:

sudo apt install nginx

To fix error “The repository is not updated and the previous index files will be used. GPG error: https://packages.sury.org/apache2 bullseye InRelease: The following signatures were invalid” use commands:

curl -sSlo /usr/share/keyrings/sury-keyring.gpg https://packages.sury.org/php/apt.gpg
curl -sSlo /usr/share/keyrings/apache2-keyring.gpg https://packages.sury.org/apache2/apt.gpg