wiki - User contributions [en-gb]

sslh

2020-09-05T08:50:33Z

Vincent: Fix stop command

{{DISPLAYTITLE:sslh installation guide}}
{{Debian}}[http://www.rutschle.net/tech/sslh.shtml sslh] is a program that allows you to run several programs on port 443. Mainly it allows your [[SSH|SSH server]] and [[Nginx|web server]] to share the same port.

This guide will show how to install sslh in transparent mode with [[nftables]]. It will also use the lighter <code>sslh-select</code> instead of the simpler <code>sslh-fork</code>. For other modes of operation, refer to [https://github.com/yrutschle/sslh the documentation].

{{Warning|msg=}}Using SSH can be a violation of your corporate internet use policy. Please act responsibly. In particular, '''never ever create a reverse tunnel''' from your company network. Also this tool is not disguising SSH traffic as web but simply changing the port and can be easily detected by your network administrator.

== Prerequisite ==
Before running this guide, you will need:
* [[nftables]]
* [[SSH]]
* [[Nginx]]

== Install ==
<syntaxhighlight lang="console">
$ sudo apt install sslh
</syntaxhighlight>When it ask you how sslh should be run, choose <code>standalone</code>.

== Configure ==
sslh has several modes of operation. In this tutorial, we will use transparent mode with sslh-select.

=== OpenSSH ===
We will start by configuring OpenSSH to listen on a second port. We do that by modifying <code>/etc/ssh/ssd_config</code><syntaxhighlight lang="ini">
# What ports, IPs and protocols we listen for
Port 2200
# Use these options to restrict which interfaces/protocols sshd will bind to
ListenAddress 203.0.113.23:2200 # direct access
ListenAddress 203.0.113.23:2201 # access through sslh
</syntaxhighlight>You can now [[SSH#Restart|restart your SSH server]].

=== Nginx ===
Now we will need to free port 443 so that it can be used by sslh. Edit file <code>/etc/nginx/snippets/listen-https.conf</code> and change the port for IPV4<syntaxhighlight lang="nginx">
listen [2001:db8:3:47d0::2e:7]:443 ssl spdy;
listen 203.0.113.23:4433 ssl spdy;
</syntaxhighlight>Do not restart Nginx yet.

=== Routing ===
Create file <code>/etc/nftables/sslh.conf</code>
<syntaxhighlight lang="shell">
#!/usr/sbin/nft -f

# Use ip as we want to configure sslh only for IPV4
table ip sslh {
chain output {
type route hook output priority -150;
oif eth0 tcp sport { 2201, 4433 } counter mark set 0x4155;
}
}
</syntaxhighlight>

and register it in <code>/etc/nftables.conf</code>
<syntaxhighlight lang="sh">
include "/etc/nftables/sslh.conf"
</syntaxhighlight>

and manually activate it with<syntaxhighlight lang="console">
$ sudo nft -f /etc/nftables/sslh.conf
</syntaxhighlight>

=== sslh ===
Create file <code>/etc/systemd/system/sslh.service.d/override.conf</code> (you will have to create the folder)<syntaxhighlight lang="ini">
[Service]

# Replace the start command and make it use sslh-select
ExecStart=
ExecStart=/usr/sbin/sslh-select --foreground $DAEMON_OPTS

# Run sslh as an user and use capabilities to bind ports
User=sslh
# Systemd 229
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
# Systemd 228 and bellow
#SecureBits=keep-caps
#Capabilities=cap_net_bind_service,cap_net_admin+pie

# Limit access
PrivateTmp=true
PrivateDevices=true
ProtectSystem=full
ProtectHome=true

# Set routing rules automaticaly on script start
PermissionsStartOnly=true

# Check for mark 0x4155 (set by nftables) and forward packet to table 0x4155
ExecStartPre=/sbin/ip rule add fwmark 0x4155 lookup 0x4155
ExecStopPost=/sbin/ip rule del fwmark 0x4155

# Table 0x4155 to route all packets back to loopback interface
ExecStartPre=/sbin/ip route add local 0.0.0.0/0 dev lo table 0x4155
ExecStopPost=/sbin/ip route del local 0.0.0.0/0 dev lo table 0x4155
</syntaxhighlight>If using the <code>Capabilities=</code> rule for systemd 228-, you need to give the binary some capabilities as well<syntaxhighlight lang="console">
$ sudo setcap cap_net_bind_service,cap_net_admin+ei /usr/sbin/sslh-select
</syntaxhighlight>Next edit file <code>/etc/default/sslh</code><syntaxhighlight lang="shell">
# Default options for sslh initscript
# sourced by /etc/init.d/sslh

# Disabled by default, to force yourself
# to read the configuration:
# - /usr/share/doc/sslh/README.Debian (quick start)
# - /usr/share/doc/sslh/README, at "Configuration" section
# - sslh(8) via "man sslh" for more configuration details.
# Once configuration ready, you *must* set RUN to yes here
# and try to start sslh (standalone mode only)

RUN=no

# binary to use: forked (sslh) or single-thread (sslh-select) version
# systemd users: don't forget to modify /lib/systemd/system/sslh.service
DAEMON=/usr/sbin/sslh

DAEMON_OPTS="-n --transparent --listen 203.0.113.23:443 --tls 203.0.113.23:4433 --ssh 203.0.113.23:2201"
</syntaxhighlight>Changes done from the default
* <code>-n</code> Don't resolve domain name of connecting ip in logs. This allow to not loose time doing a DNS lookup for each new client
* <code>--transparent</code> SSH and webserver will see connection as if it where coming directly from the outside. In particular, you will get the correct connecting IP address in the logs.
* <code>--listen 203.0.113.23:443</code> IP and port sslh listen to
* <code>--tls 203.0.113.23:4433</code> IP and port of Nginx
* <code>--ssh 203.0.113.23:2201</code> IP and port of OpenSSH
* Remove <code>--user</code> option. The modification in the systemd script make it run with the correct user from the start.
* Remove <code>--pidfile</code> option. It is useless with systemd.

=== Start ===
You can now restart Nginx and start sslh<syntaxhighlight lang="console">
$ sudo systemctl reload nginx && systemctl start sslh
</syntaxhighlight>
[[Category:Linux Server]]

sslh

2020-09-04T09:59:42Z

Vincent: /* sslh */ default config for systemd >= 229

{{DISPLAYTITLE:sslh installation guide}}
{{Debian}}[http://www.rutschle.net/tech/sslh.shtml sslh] is a program that allows you to run several programs on port 443. Mainly it allows your [[SSH|SSH server]] and [[Nginx|web server]] to share the same port.

This guide will show how to install sslh in transparent mode with [[nftables]]. It will also use the lighter <code>sslh-select</code> instead of the simpler <code>sslh-fork</code>. For other modes of operation, refer to [https://github.com/yrutschle/sslh the documentation].

{{Warning|msg=}}Using SSH can be a violation of your corporate internet use policy. Please act responsibly. In particular, '''never ever create a reverse tunnel''' from your company network. Also this tool is not disguising SSH traffic as web but simply changing the port and can be easily detected by your network administrator.

== Prerequisite ==
Before running this guide, you will need:
* [[nftables]]
* [[SSH]]
* [[Nginx]]

== Install ==
<syntaxhighlight lang="console">
$ sudo apt install sslh
</syntaxhighlight>When it ask you how sslh should be run, choose <code>standalone</code>.

== Configure ==
sslh has several modes of operation. In this tutorial, we will use transparent mode with sslh-select.

=== OpenSSH ===
We will start by configuring OpenSSH to listen on a second port. We do that by modifying <code>/etc/ssh/ssd_config</code><syntaxhighlight lang="ini">
# What ports, IPs and protocols we listen for
Port 2200
# Use these options to restrict which interfaces/protocols sshd will bind to
ListenAddress 203.0.113.23:2200 # direct access
ListenAddress 203.0.113.23:2201 # access through sslh
</syntaxhighlight>You can now [[SSH#Restart|restart your SSH server]].

=== Nginx ===
Now we will need to free port 443 so that it can be used by sslh. Edit file <code>/etc/nginx/snippets/listen-https.conf</code> and change the port for IPV4<syntaxhighlight lang="nginx">
listen [2001:db8:3:47d0::2e:7]:443 ssl spdy;
listen 203.0.113.23:4433 ssl spdy;
</syntaxhighlight>Do not restart Nginx yet.

=== Routing ===
Create file <code>/etc/nftables/sslh.conf</code>
<syntaxhighlight lang="shell">
#!/usr/sbin/nft -f

# Use ip as we want to configure sslh only for IPV4
table ip sslh {
chain output {
type route hook output priority -150;
oif eth0 tcp sport { 2201, 4433 } counter mark set 0x4155;
}
}
</syntaxhighlight>

and register it in <code>/etc/nftables.conf</code>
<syntaxhighlight lang="sh">
include "/etc/nftables/sslh.conf"
</syntaxhighlight>

and manually activate it with<syntaxhighlight lang="console">
$ sudo nft -f /etc/nftables/sslh.conf
</syntaxhighlight>

=== sslh ===
Create file <code>/etc/systemd/system/sslh.service.d/override.conf</code> (you will have to create the folder)<syntaxhighlight lang="ini">
[Service]

# Replace the start command and make it use sslh-select
ExecStart=
ExecStart=/usr/sbin/sslh-select --foreground $DAEMON_OPTS

# Run sslh as an user and use capabilities to bind ports
User=sslh
# Systemd 229
AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_ADMIN
# Systemd 228 and bellow
#SecureBits=keep-caps
#Capabilities=cap_net_bind_service,cap_net_admin+pie

# Limit access
PrivateTmp=true
PrivateDevices=true
ProtectSystem=full
ProtectHome=true

# Set routing rules automaticaly on script start
PermissionsStartOnly=true

# Check for mark 0x4155 (set by nftables) and forward packet to table 0x4155
ExecStartPre=/sbin/ip rule add fwmark 0x4155 lookup 0x4155
ExecStopPost=/sbin/ip rule del fwmark 0x4155

# Table 0x4155 to route all packets back to loopback interface
ExecStartPre=/sbin/ip route add local 0.0.0.0/0 dev lo table 0x4155
ExecStopPost=/sbin/ip route del table 0x4155
</syntaxhighlight>If using the <code>Capabilities=</code> rule for systemd 228-, you need to give the binary some capabilities as well<syntaxhighlight lang="console">
$ sudo setcap cap_net_bind_service,cap_net_admin+ei /usr/sbin/sslh-select
</syntaxhighlight>Next edit file <code>/etc/default/sslh</code><syntaxhighlight lang="shell">
# Default options for sslh initscript
# sourced by /etc/init.d/sslh

# Disabled by default, to force yourself
# to read the configuration:
# - /usr/share/doc/sslh/README.Debian (quick start)
# - /usr/share/doc/sslh/README, at "Configuration" section
# - sslh(8) via "man sslh" for more configuration details.
# Once configuration ready, you *must* set RUN to yes here
# and try to start sslh (standalone mode only)

RUN=no

# binary to use: forked (sslh) or single-thread (sslh-select) version
# systemd users: don't forget to modify /lib/systemd/system/sslh.service
DAEMON=/usr/sbin/sslh

DAEMON_OPTS="-n --transparent --listen 203.0.113.23:443 --tls 203.0.113.23:4433 --ssh 203.0.113.23:2201"
</syntaxhighlight>Changes done from the default
* <code>-n</code> Don't resolve domain name of connecting ip in logs. This allow to not loose time doing a DNS lookup for each new client
* <code>--transparent</code> SSH and webserver will see connection as if it where coming directly from the outside. In particular, you will get the correct connecting IP address in the logs.
* <code>--listen 203.0.113.23:443</code> IP and port sslh listen to
* <code>--tls 203.0.113.23:4433</code> IP and port of Nginx
* <code>--ssh 203.0.113.23:2201</code> IP and port of OpenSSH
* Remove <code>--user</code> option. The modification in the systemd script make it run with the correct user from the start.
* Remove <code>--pidfile</code> option. It is useless with systemd.

=== Start ===
You can now restart Nginx and start sslh<syntaxhighlight lang="console">
$ sudo systemctl reload nginx && systemctl start sslh
</syntaxhighlight>
[[Category:Linux Server]]

KeePassXC

2019-04-05T06:40:17Z

Vincent: /* Browser Configuration */

{{WIP}}

== Install ==
Download and install KeePassXC from https://keepassxc.org/download/

== Create Password Database ==
Click on ''Database'' → ''New Database…''.

You can keep all defaults, you just need to choose the master password.
{{Warning|msg=If you forget this password, you will loose access to all the data.
For security reasons, there is no password recover.
Choose the password wisely.}}

== Configure ==

=== Minimize to tray ===
I like to have KeePassXC always open, but yet not use space in the taskbar

==== Autostart ====

===== Linux =====
create a shortcut in the folder ~/.config/autostart

===== Windows =====
create a shortcut in the folder shell:startup

==== Minimize to tray ====
In KeePassXC go to ''Tools'' → ''Settings'' and change the following[[File:Keepass-Minimize-Settings.png|none|frame]]

=== Browser integration ===

==== KeePassXC configuration ====
In KeePassXC go to ''Tools'' → ''Settings'' and change the following

[[File:keepassxc - browser integration.png|frameless|471x471px]]
 

==== Browser Configuration ====
Install the keepassxc-browser extension for your browser. You can find the link in the settings page above.

== Access your passwords ==

=== Websites ===
 

=== Desktop applications ===
 

=== Others ===

KeePassXC

2019-04-01T15:00:52Z

Vincent: /* Configure */

File:keepassxc - browser integration.png

2019-04-01T14:20:06Z

Vincent:

keepassxc - browser integration

KeePassXC

2019-04-01T14:01:55Z

Vincent:

File:Keepass-Minimize-Settings.png

2019-04-01T14:00:44Z

Vincent: Vincent uploaded a new version of File:Keepass-Minimize-Settings.png

Keepass-Minimize-Settings

File:Keepass-Minimize-Settings.png

2019-04-01T13:59:14Z

Vincent:

Keepass-Minimize-Settings

KeePassXC

2019-04-01T10:13:26Z

Vincent:

KeePassXC

2019-04-01T09:18:28Z

Vincent: Created page with "{{WIP}} = Install = Download and install KeePassXC from https://keepassxc.org/download/ = Create Password Database = Click on ''Database'' → ''New Database…''. You can..."

{{WIP}}

= Install =
Download and install KeePassXC from https://keepassxc.org/download/

= Create Password Database =
Click on ''Database'' → ''New Database…''.

You can keep all defaults, you just need to choose the master password.
{{Warning|msg=If you forget this password, you will loose access to all the data.
For security reasons, there is no password recover.
Choose the password wisely.}}

= Configure =

=== Minimize to tray ===
B

nftables

2018-12-22T06:56:45Z

Vincent: https links

[https://netfilter.org/projects/nftables/ nftables] is the new firewall of the linux kernel. It has several advantages over the existing {ip, ip6, arp,eb}tables:
* Only one command
* Rules that target both IPV4 and IPV6
* More concise syntax
*[https://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables See details on the official wiki]

== Install ==
<syntaxhighlight lang="console">
$ sudo apt install nftables
</syntaxhighlight>You might also want to remove <code>iptables</code><syntaxhighlight lang="console">
$ sudo apt purge iptables
</syntaxhighlight>

== Configure ==

=== Create main table ===
Create file <code>/etc/nftables/main_config.conf</code><syntaxhighlight lang="sh">
# DNS
add element inet main udp_port_out { 53 }
add element inet main tcp_port_out { 53 }
# Network Time Protocol
add element inet main udp_port_out { 123 }
# OpenPGP HTTP Keyserver
add element inet main tcp_port_out { 11371 }
# SSH
add element inet main tcp_port_in { 2200 }
add element inet main tcp_port_out { 2200 }
# Web
add element inet main tcp_port_out { 80, 443 }
</syntaxhighlight>Create file <code>/etc/nftables/main.conf</code><syntaxhighlight lang="sh">
#!/usr/sbin/nft -f

add table inet main

#Ports open for any IP address
add set inet main tcp_port_out { type inet_service; }
add set inet main tcp_port_in { type inet_service; }
add set inet main udp_port_out { type inet_service; }
add set inet main udp_port_in { type inet_service; }
add set inet main user_out { type uid; }
add set inet main user_in { type uid; }

include "/etc/nftables/main_config.conf"

# Remove spam in logs. Get your top noise whith
# grep Drop_in /var/log/syslog|sed -r 's/.*?PROTO=([A-Z]+).*?DPT=([0-9]+).*/\1 \2/'|sort|uniq -c|sort -rn
add set inet main tcp_scan_ports { type inet_service; }
add set inet main udp_scan_ports { type inet_service; }
add element inet main tcp_scan_ports {
22, # SSH
23, # Telnet
1433, # MS SQL Login
8080, # HTTP Alternate
50661 # Apple Xsan
}
add element inet main udp_scan_ports {
53, # DNS
5060, # SIP
53413 # https://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/
}

chain inet main input {
type filter hook input priority 0;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept
ct state invalid log prefix "Invalid_in " drop

# accept neighbour discovery otherwise IPv6 connectivity breaks.
ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

# accept ping
ip protocol icmp icmp type { echo-request } accept

tcp dport @tcp_port_in ct state new accept
udp dport @udp_port_in ct state new accept
meta skuid @user_in ct state new accept

tcp dport @tcp_scan_ports drop
udp dport @udp_scan_ports drop

# count and drop any other traffic
counter log prefix "Drop_in " drop
}

chain inet main output {
type filter hook output priority 0;

# accept any localhost traffic
oif lo accept

ct state established,related accept
ct state invalid log prefix "Invalid_out " drop

# accept neighbour discovery otherwise IPv6 connectivity breaks.
ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

# accept ping
ip protocol icmp icmp type { echo-request } accept

tcp dport @tcp_port_out ct state new accept
udp dport @udp_port_out ct state new accept
meta skuid @user_out ct state new accept

counter log prefix "Drop_out " drop
}
</syntaxhighlight>{{Warning}}Double check the port for SSH before activating the script.

=== Activation Scripts ===

==== /etc/nftables.conf ====
Edit file <code>/etc/nftables.conf</code><syntaxhighlight lang="sh">
#!/usr/sbin/nft -f

flush ruleset

include "/etc/nftables/main.conf"
</syntaxhighlight>This file is executed when you start nftables. You can also manually execute it without issue.

==== /etc/nftables/reload_main.conf ====
This script is used to reload only the main table without the others. The point is to integrate with tools like [[Fail2Ban]] which are inserting rules in the firewall. By reloading just the main table, you can activate your new rules without impacting Fail2Ban.

Create file <code>/etc/nftables/reload_main.conf</code><syntaxhighlight lang="sh">
#!/usr/sbin/nft -f

delete table inet main

include "/etc/nftables/main.conf"
</syntaxhighlight>and make it executable<syntaxhighlight lang="console">
$ sudo chmod +x /etc/nftables/reload_main.conf
</syntaxhighlight>

== Test ==
Test your firewall with the following command<syntaxhighlight lang="console">
$ sudo -- sh -c 'nft -f /etc/nftables.conf; sleep 30; nft flush ruleset'
</syntaxhighlight>It will activate the firewall and reset it after 30 seconds. It allows you to not lock yourself out of your machine.

== Enable ==
{{Warning}}It is recommended that you test your firewall before enabling it at boot time. An incorrectly configured firewall can lock you out of your machine.<syntaxhighlight lang="console">
$ sudo systemctl enable nftables
</syntaxhighlight>
[[Category:Debian Release]]
[[Category:Linux Desktop]]
[[Category:Linux Server]]
[[Category:nftables]]

Main Page

2018-12-22T06:53:00Z

Vincent: /* Services */ httpS://map.meurisse.org

Welcome to my personal wiki.

== Installation and Configuration Guides ==

These guides are intended as a reference when I need to reinstall a piece of software. However feel free to use them and I will be very glad if they can be useful to anyone.

* [[:Category:Linux Server|Linux servers]]
* [[:Category:Linux Desktop|Linux desktops]]
* [[:Category:Android|Android]]
* [[:Category:Windows|Windows]]

== Services ==

List of open tools that I provide
;https://map.meurisse.org
:Map with a distance calculator. Based on [https://www.openstreetmap.org OpenStreetMap].
;https://ip.meurisse.org
:Your IP address. Pure, simple, nothing more.
:Use https://ipv4.meurisse.org and https://ipv6.meurisse.org for specific protocols.

== Machine List ==

List of the [[Machines|computers/servers/routers/whatever]] that I have or had.

Firefox

2018-12-21T07:57:01Z

Vincent: /* About:config */ add tab restore settings

== Privacy ==

=== 3rd party cookies ===
Cookies are pieces of information that a website can store on your computer. There are two types of cookies:
* First party cookies: these are the cookies from the site you are visiting. They are used for example for the log-in functionality of most websites.
* Third party cookies: they are set by other website. For example, any time you visit a website with a like button from Facebook, Facebook will set a cookie on your computer. This allows them to follow them on most of the website you are going to. This is used by advertiser to know the websites you go to and show you the same advertising on all websites. In practice, very few websites use this for functionalities. It is quite safe to disable them.
Go to Preferences, and then, in the Privacy section, set Accept third-party-cookies to Never.

[[File:Firefox History Settings.png|border]]

=== WebRTC ===
[https://en.wikipedia.org/wiki/WebRTC WebRTC] is a protocol that allows peer to peer communication between browsers. This is for example for audio/video chat. To allow faster connections to computer within the same local network, this protocol allows the browser to share all your local IP addresses.

This has two major problems:
* If a website contain malware, knowing your addresses is helping it to infect your network.
* This can be used to [https://en.wikipedia.org/wiki/Device_fingerprint fingerprint] your device and track you around the web.
To stop the leak, go to <code>about:config</code> and change this setting<syntaxhighlight lang="ini">
media.peerconnection.ice.no_host=true
</syntaxhighlight>

== About:config ==
{| class="wikitable"
!Setting
!Value
!Description
|-
|extensions.pocket.enabled
|false
|Disable the pocket integration
|-
|browser.tabs.closeWindowWithLastTab
|false
|Prevent Firefox from closing when you close last tab
|-
|browser.sessionstore.restore_on_demand
|true
| rowspan="2" |Avoid all tabs reloading at once when you restart Firefox.
Tabs will be loaded on click.
|-
|browser.sessionstore.restore_pinned_tabs_on_demand
|true
|}
[[Category:Android]]
[[Category:Linux Desktop]]
[[Category:Windows]]

MariaDB

2018-08-22T15:20:31Z

Vincent: sudo

{{WIP}}{{Debian}}MariaDB is a drop-in replacement for the well-known MySQL database.

== Installation ==
<syntaxhighlight lang="shell">
apt install mariadb-server
</syntaxhighlight>The installation script will prompt you for root password. This is the password for the super-administrator account of your MariaDB server. It is different from the root account of your Linux machine. Make sure you use something secure and that you remember it.

=== Securing ===
Run the following script as root<syntaxhighlight lang="console">
$ sudo mysql_secure_installation
</syntaxhighlight>The script will start by asking your MariaDB root password. It will then ask if you wand to change it. If you have set a secure password at the previous step, it is safe to answer no.

The script will then propose to you a few configuration changes. Unless you know what you are doing, accept all changes.

=== Testing ===
<syntaxhighlight lang="console">
$ mysql -u root -p
</syntaxhighlight>

== PhpMyAdmin ==
You can now install [[PhpMyAdmin]]. It allows you to view and administrate your databases from your browser.

[[Category:Linux Server]]

Nginx

2018-08-12T13:27:20Z

Vincent: /* snippets */

{{DISPLAYTITLE:Nginx installation guide}}

== Prerequisite ==
This guide is written for Debian Stretch. Other Debian based distributions should work as well.

While not mandatory, the guide makes use of the following programs to enhance the security of the installation
* [[nftables]]
* [[Fail2Ban]]

== Install ==

=== Nginx ===
<syntaxhighlight lang="console">
$ sudo apt install nginx-light libnginx-mod-http-headers-more-filter
</syntaxhighlight>

=== nginx_modsite ===
nginx_modsite is a script that allows to activate or deactivate a site simply, without having to handle symlinks manually. In Debian, it is distributed in source form as part of the <code>nginx-doc</code> package. The easiest is to download it directly from [https://anonscm.debian.org/cgit/collab-maint/nginx.git/tree/debian/help/examples/nginx_modsite the source repository]:<syntaxhighlight lang="console">
$ sudo curl -o /usr/local/sbin/nginx_modsite "https://anonscm.debian.org/cgit/collab-maint/nginx.git/plain/debian/help/examples/nginx_modsite"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4625 100 4625 0 0 12836 0 --:--:-- --:--:-- --:--:-- 12847
$ sudo chmod +x /usr/local/sbin/nginx_modsite
</syntaxhighlight>

== Configure ==
Replace file <code>/etc/nginx/nginx.conf</code> with:<syntaxhighlight lang="nginx">
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
# multi_accept on;
}

http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

</syntaxhighlight>

=== conf.d ===
The conf.d folder stores shared configuration shared between all the sites hosted on your server.

Create the following files:
* <code>/etc/nginx/conf.d/dns.conf</code><syntaxhighlight lang="nginx">
# DNS resolver
# It is required for OCSP Stapling. It might also be used if you use a hostname for upstream servers
resolver 127.0.0.1;
# If you don't have a DNS resolver on your machine you can use google public ones instead
#resolver 8.8.8.8 8.8.4.4;
</syntaxhighlight>
* <code>/etc/nginx/conf.d/gzip.conf</code><syntaxhighlight lang="nginx">
gzip on;

# Insert header "Vary: Accept-Encoding" in responses
# https://www.maxcdn.com/blog/accept-encoding-its-vary-important/
gzip_vary on;

gzip_comp_level 6;

gzip_proxied any;

gzip_min_length 500;

gzip_types
application/atom+xml
application/atom_xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/text
application/vnd.geo+json
application/vnd.microsoft.icon
application/vnd.ms-fontobject
application/x-json
application/x-font-opentype
application/x-font-truetype
application/x-font-ttf
application/x-javascript
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
application/xml+rss
font/eot
font/opentype
font/otf
image/bmp
image/svg+xml
image/vnd.microsoft.icon
image/x-icon
text/cache-manifest
text/css
text/javascript
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy
text/xml;
</syntaxhighlight>
* <code>/etc/nginx/conf.d/php.conf</code> See documentation to [[PHP|install PHP]].
* <code>/etc/nginx/conf.d/server_tokens.conf</code><syntaxhighlight lang="nginx">
# Hide nginx version
# This doesn't provides any real security but makes hackers life a bit more difficult
server_tokens off;
more_clear_headers Server;
</syntaxhighlight>

* <code>/etc/nginx/conf.d/ssl.conf</code><syntaxhighlight lang="nginx">
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;

# Cipher list from https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";

# If you have a version of openssl < 1.1.0, you need to remove X25519 from the list
ssl_ecdh_curve X25519:secp256k1:secp384r1;

# Support OSCP Stapling. Check that resolver from in dns.conf is working
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

# Support SSL session cache
ssl_session_timeout 1d;
ssl_session_cache shared:NginxCache:50m;
ssl_session_tickets off; # https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
</syntaxhighlight>

=== snippets ===
The snippets folder allows you to store bits of configuration that you can later include in virtual hosts configuration.This saves a lot of typing and errors when creating a new site.
* <code>/etc/nging/conf.d/acme-challenge.conf</code> See [[Let’s Encrypt]]
* <code>/etc/nging/conf.d/hsts.conf</code><syntaxhighlight lang="nginx">
# The standard add_header from Nginx has two issues:
# - it will result in duplicate headers if the proxied content set it as well
# - if a subblock uses add_header as well, parent block headers are ignored
# Using more_set_headers fixes both issues

# WARNING
# Make sure you have HTTPS correctly setup before including this file.
# Failing to do so will render your site inaccessible.

# Activate HTTP Strict Transport Security
# max-age value is in seconds. 63072000 is 2 years
more_set_headers "Strict-Transport-Security: max-age=63072000; includeSubDomains";

# If subdomains are still using insecure HTTP, remove the includeSubDomains:
# more_set_headers "Strict-Transport-Security: max-age=63072000";
</syntaxhighlight>
* <code>/etc/nginx/snippets/security-headers.conf</code><syntaxhighlight lang="nginx">
# Some safe security headers that can almost always be used

# The standard add_header from Nginx has two issues:
# - it will result in duplicate headers if the proxied content set it as well
# - if a subblock uses add_header as well, parent block headers are ignored
# Using more_set_headers fixes both issues

# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
more_set_headers "X-XSS-Protection: 1; mode=block";
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
more_set_headers "X-Content-Type-Options: nosniff";
# Prevent access from flash and PDF
more_set_headers "X-Permitted-Cross-Domain-Policies: none";
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";

</syntaxhighlight>
* <code>/etc/nginx/snippets/x-frame-options-deny.conf</code> <code>/etc/nginx/snippets/x-frame-options-sameorigin.conf</code><syntaxhighlight lang="nginx">
# The standard add_header from Nginx has two issues:
# - it will result in duplicate headers if the proxied content set it as well
# - if a subblock uses add_header as well, parent block headers are ignored
# Using more_set_headers fixes both issues

# Prevent all usages of the website in an iframe.
# Warning: This might break the site if it uses iframes for internal
# functionalities. You might want to use the less strict
# x-frame-options-sameorigin.conf in that case.
more_set_headers "X-Frame-Options: DENY";

</syntaxhighlight><syntaxhighlight lang="nginx">
# The standard add_header from Nginx has two issues:
# - it will result in duplicate headers if the proxied content set it as well
# - if a subblock uses add_header as well, parent block headers are ignored
# Using more_set_headers fixes both issues

# Prevent usage of the website in an iframe from other domains.
# Warning: This will still allow iframe on your own domain.
# For a more strict policy, use x-frame-options-deny.conf
more_set_headers "X-Frame-Options: SAMEORIGIN";
</syntaxhighlight>
* <code>/etc/nginx/snippets/https-permanent-redirect.conf</code><syntaxhighlight lang="nginx">
# Reply to the browser with a permanent redirect to the secure version of the page
# Wrapped in a location block so that other snippets (acme-challenge.conf) can override that.
location / {
return 301 https://$host$request_uri;
}
</syntaxhighlight>
* <code>/etc/nginx/snippets/listen-http.conf</code> <code>/etc/nginx/snippets/listen-https.conf</code> Obviously, you need to replace the example IP addresses by the one of your server. You can get the IP of your server with the commands <code>curl https://ipv6.meurisse.org</code> and <code>curl https://ipv4.meurisse.org</code>.<syntaxhighlight lang="nginx">
listen [2001:db8:3:47d0::2e:7]:80;
listen 203.0.113.23:80;
</syntaxhighlight><syntaxhighlight lang="nginx">
listen [2001:db8:3:47d0::2e:7]:443 ssl http2;
listen 203.0.113.23:443 ssl http2;
</syntaxhighlight>
* <code>/etc/nginx/snippets/ssl.conf</code><syntaxhighlight lang="nginx">
ssl on;
ssl_stapling on;

# The standard add_header from Nginx has two issues:
# - it will result in duplicate headers if the proxied content set it as well
# - if a subblock uses add_header as well, parent block headers are ignored
# Using more_set_headers fixes both issues

more_set_headers 'Expect-CT: max-age=86400';
</syntaxhighlight>

=== HTTP Auth ===

==== Install ====
<syntaxhighlight lang="console">
$ sudo apt install apache2-utils
</syntaxhighlight>

==== Create Password File ====
If the folder doesn't exist, you need to create it using
<syntaxhighlight lang="console">
$ sudo mkdir /etc/nginx/htpasswd
$ sudo chmod 710 /etc/nginx/htpasswd
$ sudo chown root:www-data /etc/nginx/htpasswd
</syntaxhighlight>

The create the user file
<syntaxhighlight lang="console">
$ sudo touch /etc/nginx/htpasswd/generic.htpasswd
</syntaxhighlight>
If you want different website to have different users, you can create as many password files as you want.

==== Add User ====
<syntaxhighlight lang="console">
$ sudo htpasswd /etc/nginx/htpasswd/generic.htpasswd jdoe
New password:
Re-type new password:
Adding password for user jdoe
</syntaxhighlight>
To update a password user, just run the same command.

Nginx will pick the modified file automatically. There is nothing to restart.

==== Use ====
To restrict access to a site or part of it, add the following lines to a <code>server</code> or <code>location</code> config
<syntaxhighlight lang="nginx">
auth_basic "You shall not pass!";
auth_basic_user_file /etc/nginx/htpasswd/generic.htpasswd;
</syntaxhighlight>

=== Firewall ===
You need to open TCP ports 80 and 443 in your firewall. {{nftables/config|category = Web|tcp_port_out = |udp_port_out = |user_out = |tcp_port_in = 80, 443|udp_port_in = }}

=== httpoxy ===
The [https://httpoxy.org/ httpoxy] security flow is a flow targeting CGI scripts using the ''Proxy'' HTTP header. It is possible to mitigate it by filtering out this header in fastcgi and proxy calls in Nginx.

Edit files <code>/etc/nginx/fastcgi.conf</code> and <code>/etc/nginx/fastcgi_params</code> and add these lines<syntaxhighlight lang="nginx">
# httpoxy.org
fastcgi_param HTTP_PROXY "";
</syntaxhighlight>Also edit file <code>/etc/nginx/proxy_params</code> add add these lines<syntaxhighlight lang="nginx">
# httpoxy.org
proxy_set_header Proxy "";
</syntaxhighlight>

=== /var/www/ permissions ===
Setting the [https://en.wikipedia.org/wiki/Setgid setgid] bit on the <code>/var/www/</code> allows to make sure that new files are readable by Nginx.<syntaxhighlight lang="console">
$ sudo chmod 2750 /var/www/
$ sudo chown root:www-data /var/www/
</syntaxhighlight>This also revoke the default read permission to user outside the <code>www-data</code> group. They don't need it and some data might not be public here.

== New Site ==
This section shows how to create a new website in your Nginx server. Instructions here a very generic and will need to be adapted for your specific case.

In the following sections, we are showing the conf for a site called ''mysite.example.org''. You need to replace all occurrences of ''mysite''.example.org by the name of the site you want to create.

{{Nginx/New Site|domain = mysite.example.org|config = server {
include snippets/listen-http.conf;
server_name mysite.example.org;

access_log /var/log/nginx/mysite.example.org.access.log;
error_log /var/log/nginx/mysite.example.org.error.log info;

include snippets/acme-challenge.conf;
include snippets/https-permanent-redirect.conf;
}

server {
include snippets/listen-https.conf;
server_name mysite.example.org;

access_log /var/log/nginx/mysite.example.org.access.log;
error_log /var/log/nginx/mysite.example.org.error.log info;

include snippets/acme-challenge.conf;
#include snippets/ssl.conf;
#ssl_certificate /etc/letsencrypt/live/mysite.example.org/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/mysite.example.org/privkey.pem;
#include snippets/hsts.conf;

include snippets/security-headers.conf;
include snippets/x-frame-options-deny.conf;

root /var/www/mysite.example.org;
<nowiki>}</nowiki>}}

== Fail2Ban ==
Webservers are usually a good target for hackers. A lot of them contain outdated, insecure and misconfigured software and if your server run languages like PHP, the attacker would be able to execute pretty much any action once he cracked your server.

Warning: The rules described here protect against generic attacks on your webserver. If you install some specific software that has it's own authentication (owncoud, roundcube...) you need to create rules for it.

=== nginx-http-auth ===
First rule is pretty simple simple. It protect against http authentication (the ugly popups asking your password before you enter the site).

Create file <code>/etc/fail2ban/jail.d/nginx-http-auth.conf</code>
<syntaxhighlight lang="ini">
[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/*error.log
</syntaxhighlight>

=== nginx-botsearch ===
This rule match 404 errors when bots try to find unsecure software on your server. While it should generally work fine, you should check ban report to make sure you don't lock out legitimate users.

Create file <code>/etc/fail2ban/jail.d/nginx-botsearch.conf</code>
<syntaxhighlight lang="ini">
[nginx-botsearch]
enabled = true
port = http,https
logpath = /var/log/nginx/*error.log
maxretry = 2
</syntaxhighlight>

[[Category:Debian Release]]
[[Category:Fail2Ban]]
[[Category:Linux Server]]
[[Category:Web Server]]

Nginx

2018-08-12T13:10:17Z

Vincent: Update gzip mime types

{{DISPLAYTITLE:Nginx installation guide}}

== Prerequisite ==
This guide is written for Debian Stretch. Other Debian based distributions should work as well.

While not mandatory, the guide makes use of the following programs to enhance the security of the installation
* [[nftables]]
* [[Fail2Ban]]

== Install ==

=== Nginx ===
<syntaxhighlight lang="console">
$ sudo apt install nginx-light libnginx-mod-http-headers-more-filter
</syntaxhighlight>

=== nginx_modsite ===
nginx_modsite is a script that allows to activate or deactivate a site simply, without having to handle symlinks manually. In Debian, it is distributed in source form as part of the <code>nginx-doc</code> package. The easiest is to download it directly from [https://anonscm.debian.org/cgit/collab-maint/nginx.git/tree/debian/help/examples/nginx_modsite the source repository]:<syntaxhighlight lang="console">
$ sudo curl -o /usr/local/sbin/nginx_modsite "https://anonscm.debian.org/cgit/collab-maint/nginx.git/plain/debian/help/examples/nginx_modsite"
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 4625 100 4625 0 0 12836 0 --:--:-- --:--:-- --:--:-- 12847
$ sudo chmod +x /usr/local/sbin/nginx_modsite
</syntaxhighlight>

== Configure ==
Replace file <code>/etc/nginx/nginx.conf</code> with:<syntaxhighlight lang="nginx">
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
worker_connections 768;
# multi_accept on;
}

http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# Logging Settings
##
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

</syntaxhighlight>

=== conf.d ===
The conf.d folder stores shared configuration shared between all the sites hosted on your server.

Create the following files:
* <code>/etc/nginx/conf.d/dns.conf</code><syntaxhighlight lang="nginx">
# DNS resolver
# It is required for OCSP Stapling. It might also be used if you use a hostname for upstream servers
resolver 127.0.0.1;
# If you don't have a DNS resolver on your machine you can use google public ones instead
#resolver 8.8.8.8 8.8.4.4;
</syntaxhighlight>
* <code>/etc/nginx/conf.d/gzip.conf</code><syntaxhighlight lang="nginx">
gzip on;

# Insert header "Vary: Accept-Encoding" in responses
# https://www.maxcdn.com/blog/accept-encoding-its-vary-important/
gzip_vary on;

gzip_comp_level 6;

gzip_proxied any;

gzip_min_length 500;

gzip_types
application/atom+xml
application/atom_xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/text
application/vnd.geo+json
application/vnd.microsoft.icon
application/vnd.ms-fontobject
application/x-json
application/x-font-opentype
application/x-font-truetype
application/x-font-ttf
application/x-javascript
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
application/xml+rss
font/eot
font/opentype
font/otf
image/bmp
image/svg+xml
image/vnd.microsoft.icon
image/x-icon
text/cache-manifest
text/css
text/javascript
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy
text/xml;
</syntaxhighlight>
* <code>/etc/nginx/conf.d/php.conf</code> See documentation to [[PHP|install PHP]].
* <code>/etc/nginx/conf.d/server_tokens.conf</code><syntaxhighlight lang="nginx">
# Hide nginx version
# This doesn't provides any real security but makes hackers life a bit more difficult
server_tokens off;
more_clear_headers Server;
</syntaxhighlight>

* <code>/etc/nginx/conf.d/ssl.conf</code><syntaxhighlight lang="nginx">
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;

# Cipher list from https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";

# If you have a version of openssl < 1.1.0, you need to remove X25519 from the list
ssl_ecdh_curve X25519:secp256k1:secp384r1;

# Support OSCP Stapling. Check that resolver from in dns.conf is working
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

# Support SSL session cache
ssl_session_timeout 1d;
ssl_session_cache shared:NginxCache:50m;
ssl_session_tickets off; # https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/
</syntaxhighlight>

=== snippets ===
The snippets folder allows you to store bits of configuration that you can later include in virtual hosts configuration.This saves a lot of typing and errors when creating a new site.
* <code>/etc/nging/conf.d/acme-challenge.conf</code> See [[Let’s Encrypt]]
* <code>/etc/nging/conf.d/hsts.conf</code><syntaxhighlight lang="nginx">
# Activate HTTP Strict Transport Security
# max-age value is in seconds. 31536000 is 1 year

add_header Strict-Transport-Security max-age=31536000 always;
</syntaxhighlight>
* <code>/etc/nginx/snippets/security-headers.conf</code><syntaxhighlight lang="nginx">
# Some safe security headers that can almost be used for any site

# https://stackoverflow.com/a/24998106/1631174
add_header X-XSS-Protection "1; mode=block" always;
# https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#X-Content-Type-Options
add_header X-Content-Type-Options nosniff always;
# Prevent access from flash and PDF
add_header X-Permitted-Cross-Domain-Policies none always;
</syntaxhighlight>
* <code>/etc/nginx/snippets/x-frame-options-deny.conf</code> <code>/etc/nginx/snippets/x-frame-options-sameorigin.conf</code><syntaxhighlight lang="nginx">
# Prevent all usages of the website in an iframe.
# Warning: This might break the site if it uses iframes for internal
# functionalities. You might want to use the less strict
# x-frame-options-sameorigin.conf in that case.

add_header X-Frame-Options DENY always;
</syntaxhighlight><syntaxhighlight lang="nginx">
# Prevent usage of the website in an iframe from other domains.
# Warning: This might break the site if it uses iframes for internal
# functionalities. You might want to use the less strict
# x-frame-options-sameorigin.conf in that case.

add_header X-Frame-Options SAMEORIGIN always;
</syntaxhighlight>
* <code>/etc/nginx/snippets/https-permanent-redirect.conf</code><syntaxhighlight lang="nginx">
# Reply to the browser with a permanent redirect to the secure version of the page
# Wrapped in a location block so that other snippets (acme-challenge.conf) can override that.
location / {
return 301 https://$host$request_uri;
}
</syntaxhighlight>
* <code>/etc/nginx/snippets/listen-http.conf</code> <code>/etc/nginx/snippets/listen-https.conf</code> Obviously, you need to replace the example IP addresses by the one of your server. You can get the IP of your server with the commands <code>curl https://ipv6.meurisse.org</code> and <code>curl https://ipv4.meurisse.org</code>.<syntaxhighlight lang="nginx">
listen [2001:db8:3:47d0::2e:7]:80;
listen 203.0.113.23:80;
</syntaxhighlight><syntaxhighlight lang="nginx">
listen [2001:db8:3:47d0::2e:7]:443 ssl http2;
listen 203.0.113.23:443 ssl http2;
</syntaxhighlight>
* <code>/etc/nginx/snippets/ssl.conf</code><syntaxhighlight lang="nginx">
ssl on;
ssl_stapling on;
</syntaxhighlight>

=== HTTP Auth ===

==== Install ====
<syntaxhighlight lang="console">
$ sudo apt install apache2-utils
</syntaxhighlight>

==== Create Password File ====
If the folder doesn't exist, you need to create it using
<syntaxhighlight lang="console">
$ sudo mkdir /etc/nginx/htpasswd
$ sudo chmod 710 /etc/nginx/htpasswd
$ sudo chown root:www-data /etc/nginx/htpasswd
</syntaxhighlight>

The create the user file
<syntaxhighlight lang="console">
$ sudo touch /etc/nginx/htpasswd/generic.htpasswd
</syntaxhighlight>
If you want different website to have different users, you can create as many password files as you want.

==== Add User ====
<syntaxhighlight lang="console">
$ sudo htpasswd /etc/nginx/htpasswd/generic.htpasswd jdoe
New password:
Re-type new password:
Adding password for user jdoe
</syntaxhighlight>
To update a password user, just run the same command.

Nginx will pick the modified file automatically. There is nothing to restart.

==== Use ====
To restrict access to a site or part of it, add the following lines to a <code>server</code> or <code>location</code> config
<syntaxhighlight lang="nginx">
auth_basic "You shall not pass!";
auth_basic_user_file /etc/nginx/htpasswd/generic.htpasswd;
</syntaxhighlight>

=== Firewall ===
You need to open TCP ports 80 and 443 in your firewall. {{nftables/config|category = Web|tcp_port_out = |udp_port_out = |user_out = |tcp_port_in = 80, 443|udp_port_in = }}

=== httpoxy ===
The [https://httpoxy.org/ httpoxy] security flow is a flow targeting CGI scripts using the ''Proxy'' HTTP header. It is possible to mitigate it by filtering out this header in fastcgi and proxy calls in Nginx.

Edit files <code>/etc/nginx/fastcgi.conf</code> and <code>/etc/nginx/fastcgi_params</code> and add these lines<syntaxhighlight lang="nginx">
# httpoxy.org
fastcgi_param HTTP_PROXY "";
</syntaxhighlight>Also edit file <code>/etc/nginx/proxy_params</code> add add these lines<syntaxhighlight lang="nginx">
# httpoxy.org
proxy_set_header Proxy "";
</syntaxhighlight>

=== /var/www/ permissions ===
Setting the [https://en.wikipedia.org/wiki/Setgid setgid] bit on the <code>/var/www/</code> allows to make sure that new files are readable by Nginx.<syntaxhighlight lang="console">
$ sudo chmod 2750 /var/www/
$ sudo chown root:www-data /var/www/
</syntaxhighlight>This also revoke the default read permission to user outside the <code>www-data</code> group. They don't need it and some data might not be public here.

== New Site ==
This section shows how to create a new website in your Nginx server. Instructions here a very generic and will need to be adapted for your specific case.

In the following sections, we are showing the conf for a site called ''mysite.example.org''. You need to replace all occurrences of ''mysite''.example.org by the name of the site you want to create.

{{Nginx/New Site|domain = mysite.example.org|config = server {
include snippets/listen-http.conf;
server_name mysite.example.org;

access_log /var/log/nginx/mysite.example.org.access.log;
error_log /var/log/nginx/mysite.example.org.error.log info;

include snippets/acme-challenge.conf;
include snippets/https-permanent-redirect.conf;
}

server {
include snippets/listen-https.conf;
server_name mysite.example.org;

access_log /var/log/nginx/mysite.example.org.access.log;
error_log /var/log/nginx/mysite.example.org.error.log info;

include snippets/acme-challenge.conf;
#include snippets/ssl.conf;
#ssl_certificate /etc/letsencrypt/live/mysite.example.org/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/mysite.example.org/privkey.pem;
#include snippets/hsts.conf;

include snippets/security-headers.conf;
include snippets/x-frame-options-deny.conf;

root /var/www/mysite.example.org;
<nowiki>}</nowiki>}}

== Fail2Ban ==
Webservers are usually a good target for hackers. A lot of them contain outdated, insecure and misconfigured software and if your server run languages like PHP, the attacker would be able to execute pretty much any action once he cracked your server.

Warning: The rules described here protect against generic attacks on your webserver. If you install some specific software that has it's own authentication (owncoud, roundcube...) you need to create rules for it.

=== nginx-http-auth ===
First rule is pretty simple simple. It protect against http authentication (the ugly popups asking your password before you enter the site).

Create file <code>/etc/fail2ban/jail.d/nginx-http-auth.conf</code>
<syntaxhighlight lang="ini">
[nginx-http-auth]
enabled = true
port = http,https
logpath = /var/log/nginx/*error.log
</syntaxhighlight>

=== nginx-botsearch ===
This rule match 404 errors when bots try to find unsecure software on your server. While it should generally work fine, you should check ban report to make sure you don't lock out legitimate users.

Create file <code>/etc/fail2ban/jail.d/nginx-botsearch.conf</code>
<syntaxhighlight lang="ini">
[nginx-botsearch]
enabled = true
port = http,https
logpath = /var/log/nginx/*error.log
maxretry = 2
</syntaxhighlight>

[[Category:Debian Release]]
[[Category:Fail2Ban]]
[[Category:Linux Server]]
[[Category:Web Server]]

Exim

2018-05-03T11:29:14Z

Vincent: Update certmanage command

== Prerequisite ==
This article is part of the [[Emails/Complete|emails]] series. It is assumed that you already covered [[Dovecot]].

This guide also uses the following software:
* [[Let’s Encrypt]] or another way to get certificates
* [[nftables]] as a firewall
* [[Fail2Ban]]. Optional but recommended for security.

== Install ==
<syntaxhighlight lang="console">
$ sudo apt install exim4-daemon-heavy
</syntaxhighlight>Note: The heavy version is needed to use Dovecot as an authentication mechanism.

== Configure ==

=== Base ===
Create file <code>/etc/exim4/conf.d/main/00_local_settings</code><syntaxhighlight lang="properties">
daemon_smtp_ports = smtp : 587
</syntaxhighlight>

=== TLS Certificates ===

==== Create folder ====
Unlike other programs, Exim doesn't read it's certificate as the root user. So it will be unable to read them from the standard let’sencrypt folder. We will create a folder readable by Exim where we can safely drop certificates later<syntaxhighlight lang="console">
$ sudo mkdir -m 710 /etc/exim4/private
$ sudo chgrp Debian-exim /etc/exim4/private
</syntaxhighlight>

==== Get certificate ====
# Edit file <code>/etc/nginx/sites-enabled/noweb</code> an add a <code>server_name</code> line for <code>smtp.example.org</code>
# Activate your new domain in Nginx<syntaxhighlight lang="console">
$ sudo systemctl reload nginx.service
</syntaxhighlight>
# Edit file <code>/usr/local/sbin/renew_certificates</code> and add the following to the config list<syntaxhighlight lang="json">
{
"domains": ["smtp.example.org"],
"reload": [["cp", "--preserve=all", "/etc/letsencrypt/live/smtp.example.org/fullchain.pem", "/etc/letsencrypt/live/smtp.example.org/privkey.pem", "/etc/exim4/private/"], ["/bin/systemctl", "reload", "exim4.service"]]
}
</syntaxhighlight>
# Get Your certificate{{Let’s Encrypt/New Cert Command|domain = smtp.example.org|command = cp --preserve=all /etc/letsencrypt/live/smtp.example.org/{fullchain,privkey}.pem /etc/exim4/private/
/bin/systemctl reload exim4.service}}

==== Use Certificate ====
Edit <code>/etc/exim4/conf.d/main/00_local_settings</code> and add the following lines<syntaxhighlight lang="properties">
MAIN_TLS_ENABLE = true
MAIN_TLS_CERTIFICATE = /etc/exim4/private/fullchain.pem
MAIN_TLS_PRIVATEKEY = /etc/exim4/private/privkey.pem
# GNUTLS ciphers: https://www.gnutls.org/manual/html_node/Priority-Strings.html
# test using: gnutls-cli -l --priority PFS:+RSA:...
tls_require_ciphers = PFS:+RSA:-ARCFOUR-128:-3DES-CBC:-MD5:-SIGN-RSA-MD5:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC:-CURVE-SECP192R1:%SERVER_PRECEDENCE
</syntaxhighlight>

=== Authentication ===
We will use dovecot to verify user login and password. It lets us have only one database of users and share it between the different email infrastructure parts (smtp, imap...)

==== Dovecot ====
First modify the file <code>/etc/dovecot/conf.d/10-master.conf</code>. Find the section <code>service auth</code> and add the following lines<syntaxhighlight lang="properties">
service auth {
...
# Authentication socket used by Exim
unix_listener auth-client {
mode = 0600
user = Debian-exim
}
...
}
</syntaxhighlight>And apply config with<syntaxhighlight lang="console">
$ sudo systemctl restart dovecot.service
</syntaxhighlight>

==== Exim ====
Create file <code>/etc/exim4/conf.d/auth/15_dovecot</code><syntaxhighlight lang="properties">
dovecot_login:
driver = dovecot
public_name = LOGIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1

dovecot_plain:
driver = dovecot
public_name = PLAIN
server_socket = /run/dovecot/auth-client
server_set_id = $auth1
</syntaxhighlight>

=== Smart catch ===
This is my #1 spam fighting technique. It allows me to have an infinite number of email addresses while still preventing spammers to generate them.

You can check the [[Exim/SmartCatch|installation instructions]].

=== Dovecot Delivery ===
Create file <code>/etc/exim4/conf.d/router/899_dovecot</code><syntaxhighlight lang="properties">
## router/899_dovecot
#################################

dovecot:
debug_print = "R: dovecot for $local_part@$domain"
driver = accept
domains = +local_domains
transport = dovecot_virtual_delivery
cannot_route_message = Unknown user
</syntaxhighlight>Then create <code>/etc/exim4/conf.d/transport/99_dovecot_virtual_delivery</code><syntaxhighlight lang="properties">
dovecot_virtual_delivery:
driver = pipe
command = /usr/lib/dovecot/dovecot-lda -d $local_part -a $original_local_part@$original_domain -f $sender_address -e
message_prefix =
message_suffix =
delivery_date_add
envelope_to_add
return_path_add
log_output
user = vmail
temp_errors = 64 : 69 : 70: 71 : 72 : 73 : 74 : 75 : 78
</syntaxhighlight>

=== Firewall ===
{{nftables/config|category = Exim|tcp_port_in = 25, 587|udp_port_in = |tcp_port_out =25 |udp_port_out = |user_out = }}

=== DKIM ===
[[Exim/DKIM]]

=== Paniclog ===
In case Exim encounter a grave problem (cannot start, lost email…) it will write a log to <code>/var/log/exim4/paniclog</code>. There is a cron job that monitor this file and will send you a daily mail if it is not empty.

It is important to not miss these emails and act on them quickly. I use a [[Dovecot|Sieve]] script to mark them as important:<syntaxhighlight lang="c">
if header :matches "Subject" "exim paniclog on * has non-zero size" {
addflag "\\Flagged";
}
</syntaxhighlight>Also note that this log file is never rotated. So you will get the same email over and over until you do it manually. It can be done with:<syntaxhighlight lang="console">
$ sudo logrotate -f /etc/logrotate.d/exim4-paniclog
</syntaxhighlight>To have this rotation done automatically (and thus receive the email only once), edit <code>/etc/default/exim4</code><syntaxhighlight lang="shell">
# Rotate /var/log/exim4/paniclog after email is sent to admin
E4BCD_WATCH_PANICLOG='once'
</syntaxhighlight>

== Fail2Ban ==
The filter for Exim is already included in Debian, we just need to activate it. It will filter people trying to log on your server, trying to make it relay spam, and sending nonsense command.

Create file <code>/etc/fail2ban/jail.d/exim.conf</code>
<syntaxhighlight lang="ini">
[exim]
enabled = true
port = 25,587
logpath = %(exim_main_log)s
</syntaxhighlight>

[[Category:Email Server]]
[[Category:Fail2Ban]]
[[Category:Linux Server]]

Spamassassin

2018-05-03T06:22:24Z

Vincent: `pyzor discover` command was removed https://github.com/SpamExperts/pyzor/commit/50f2bf5aa47ed863de78c413ff7114f5e54f5a9b

SpamAssassin is a spam detection software intended to be run on your mail server. It rank mail using several criteria criteria that can be put in the following families
* DNS Whitelist/Blacklist: does the server that sent you the email sent spam before?
* URI Blacklist: does the body of the message contain links to some bad sites?
* Distributed Spam Hashes: does someone reported the same message as spam already?
* Bayesian Filter: compare email to your past spam and ham
* SPF/DKIM: check is the ''from'' email address that you see is legitimate
* Static Rules: a lot of manually crafted rules by SpamAssassin contributors

== Prerequisites ==
This article is part of the [[Emails/Complete|emails]] series. It is assumed that you already covered [[Dovecot]] and [[Exim]].

Optional prerequisites:
* [[nftables]] is used as a firewall here. You can however replace it by any firewall you use.
* [[Munin]] allows you to monitor the spam/ham ratio of your installation.

== Install ==

<syntaxhighlight lang="console">
$ sudo apt install spamassassin
</syntaxhighlight>

== Configure ==

After changing config in <code>/etc/spamassassin/</code>, don't forget tell SpamAssassin to reload config
<syntaxhighlight lang="console">
$ sudo service spamassassin reload
</syntaxhighlight>

=== Bayesian filter ===

To reach a good efficiency, SpamAssassin Bayesian filter need to be trained with both spam and ham messages. You can use your actual mailbox for that but note the following points:
* Be sure that the folders you use for training contain only spam or ham. If a folder contain a mix of them, SpamAssassin will learn wrong info and produce bad quality results
* To be effective you need between 1000 and 5000 messages each of both spam and ham.
* You need to have more ham than spam to train. Otherwise, SpamAssassin might become biased toward spam.

<syntaxhighlight lang="console">
$ sudo -u vmail sa-learn --spam --progress --dir /var/maildir/<username>/Maildir/.Spam/cur/
$ sudo -u vmail sa-learn --ham --progress --dir /var/maildir/<username>/Maildir/cur/
</syntaxhighlight>

To check the status of the database, you can run

<syntaxhighlight lang="console">
$ sudo -u vmail sa-learn --dump magic
</syntaxhighlight>

=== Pyzor ===

==== Install ====
<syntaxhighlight lang="console">
$ sudo apt install pyzor
</syntaxhighlight>

==== Firewall ====
{{nftables/config|category=Pyzor (Spamassassin)|tcp_port_in=|udp_port_in=|tcp_port_out=24441|udp_port_out=24441|user_out=}}

=== Razor ===

==== Install ====
<syntaxhighlight lang="console">
$ sudo apt install razor
</syntaxhighlight>

==== Firewall ====
{{nftables/config|category=Razor (Spamassassin)|tcp_port_in=|udp_port_in=|tcp_port_out=2703|udp_port_out=|user_out=}}

==== Configure ====
<syntaxhighlight lang="console">
$ sudo -u vmail razor-admin -create
$ sudo -u vmail razor-admin -register
Register successful. Identity stored in /var/maildir/.razor/identity-xo4OkrHieL
</syntaxhighlight>

=== Report Headers ===

SpamAssassin can had headers in the messages it scan. It will help you investigate things in case you get false-positive are false-negative.

Add the following lines to <code>/etc/spamassassin/local.cf</code>
<syntaxhighlight lang="shell">
# The status header is used by other programs to read the spam status. Don't modify the part before tests=...
add_header all Status _YESNO_, hits=_HITS_ required=_REQD_ tests=_TESTSSCORES(,)_ autolearn=_AUTOLEARN_
add_header all Details version=_VERSION_ _REPORT_
add_header all Pyzor _PYZOR_
</syntaxhighlight>

=== Configure service ===
Edit file <code>/etc/default/spamassassin</code> and change the following line<syntaxhighlight lang="shell">
OPTIONS="--create-prefs --max-children 5 -u vmail --listen /run/spamd.socket"
</syntaxhighlight>Create file <code>/etc/spamassassin/spamc.conf</code> with the following content<syntaxhighlight lang="text">
--socket /run/spamd.socket
</syntaxhighlight>It's now time to enable the Spamassassin service<syntaxhighlight lang="console">
$ sudo systemctl enable spamassassin.service
$ sudo systemctl start spamassassin.service
</syntaxhighlight>

=== Cron ===
Spamassassin authors publish updated rules on a daily basis. To stay up-to-date, edit file <code>/etc/default/spamassassin</code> and set option<syntaxhighlight lang="shell">
CRON=1
</syntaxhighlight>
== Integrate with exim ==

<syntaxhighlight lang="console">
$ sudo apt install sa-exim
</syntaxhighlight>

Configuration is stored in <code>/etc/exim4/sa-exim.conf</code>.

Edit the following setting
<syntaxhighlight lang="properties">
SAspamcUser: vmail
</syntaxhighlight>

By defauld ''sa-exim'' is disabled. Remove the following lines to enable it
<syntaxhighlight lang="properties">
#----------------------------------------------------------------------
# Remove or comment out the following line to enable sa-exim
SAEximRunCond: 0
#----------------------------------------------------------------------
</syntaxhighlight>Other parameter that I change<syntaxhighlight lang="properties">
SApermreject: 10.0
</syntaxhighlight>You can now restart exim to take you settings into account
<syntaxhighlight lang="console">
$ sudo systemctl restart exim4.service
</syntaxhighlight>

== Integrate with dovecot ==

SpamAssassin is able to learn from it's mistakes. By using the plugin ''dovecot-antispam'', we train SpamAssassin by just moving email in or out of the spam folder.

First install it with this command
<syntaxhighlight lang="console">
$ sudo apt install dovecot-antispam
</syntaxhighlight>

Then in file <code>/etc/dovecot/conf.d/20-imap.conf</code>, modify the option ''mail_plugins'' and add ''antispam'' to the list
<syntaxhighlight lang="shell">
protocol imap {
# Space separated list of plugins to load (default is global mail_plugins).
mail_plugins = $mail_plugins antispam
}
</syntaxhighlight>

Create file <code>/etc/dovecot/conf.d/90-antispam.conf</code>
<syntaxhighlight lang="shell">
plugin {
##################
# GENERIC OPTIONS

# Debugging options
# Uncomment to get the desired debugging behaviour.
# Note that in some cases stderr debugging will not be as
# verbose as syslog debugging due to internal limitations.
#
# antispam_debug_target = syslog
# antispam_debug_target = stderr
# antispam_verbose_debug = 1

antispam_backend = pipe

antispam_trash_pattern_ignorecase = trash;Deleted Items;Deleted Messages
antispam_spam_pattern_ignorecase = Spam;Junk

###########################
# BACKEND SPECIFIC OPTIONS
#

#=====================
# pipe plugin
#

# temporary directory
antispam_pipe_tmpdir = /tmp

# spam/not-spam argument (default unset which will is not what you want)
antispam_pipe_program_spam_arg = -r
antispam_pipe_program_notspam_arg = -k

# binary to pipe mail to
antispam_pipe_program = /usr/bin/spamassassin
}
</syntaxhighlight>

And finally, reload Dovecot
<syntaxhighlight lang="console">
$ sudo systemctl restart dovecot.service
</syntaxhighlight>

== Integrate in Munin ==
There is a plugin in [[Munin]] to get statistics on the ham/spam values from Spamassassin. To activate it, run the following command<syntaxhighlight lang="console">
$ sudo ln -s /usr/share/munin/plugins/spamstats /etc/munin/plugins/
</syntaxhighlight>Then create file <code>/etc/munin/plugin-conf.d/spamstats</code><syntaxhighlight lang="ini">
[spamstats]
group adm
env.logfile mail.log
</syntaxhighlight>Finally, restart the Munin node<syntaxhighlight lang="console">
$ sudo systemctl restart munin-node.service
</syntaxhighlight>After 5 minutes, you should see your new graph in Munin.
[[Category:Email Server]]
[[Category:Linux Server]]
[[Category:Munin]]

SSH

2018-01-25T06:28:26Z

Vincent: Ed25519 keys always use the new private key format

{{Debian}}

== Server ==

=== Install ===
<syntaxhighlight lang="console">
# apt install openssh-server
</syntaxhighlight>

=== Configure ===

The settings of these section need to be writen in file <code>/etc/ssh/sshd_config</code>

==== Custom port ====

SSH server are a common target for hackers. Changing the port away from the default will greatly reduce the noise in your logs.
<syntaxhighlight lang="apache">
Port 2200
</syntaxhighlight>

==== Authentication ====

Let's limit the users that have access to the server using ssh.
<syntaxhighlight lang="apache">
AllowUsers myusername
PermitRootLogin no
# Make sure you have setup authentication using keys before disabling passwords
PasswordAuthentication no
ChallengeResponseAuthentication no
</syntaxhighlight>

==== Crypo ====

These settings are derived from [https://stribika.github.io/2015/01/04/secure-secure-shell.html secure secure shell].
<syntaxhighlight lang="apache">
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
</syntaxhighlight>

==== Sandbox ====
<syntaxhighlight lang="apache">
UsePrivilegeSeparation sandbox
</syntaxhighlight>

==== KeepAlive ====

To make sure connections do not freeze in case of inactivity.
<syntaxhighlight lang="apache">
ClientAliveInterval 60
</syntaxhighlight>

==== Generate server keys ====
<syntaxhighlight lang="console">
# cd /etc/ssh
# rm ssh_host_*key*
# ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ""
# ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N ""
</syntaxhighlight>

Modify file <code>/etc/ssh/sshd_config</code> and make sure that the only lines to contains ''HostKey'' are:
<syntaxhighlight lang="apache">
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
</syntaxhighlight>

==== Publish server keys ====
It is possible to publish the fingerprint of your ssh server keys in a DNS server. It allows to not have to blindly trust the key on first connection.

To get the records to publish in your dns server, run
<syntaxhighlight lang="console">
$ cd /etc/ssh
$ ssh-keygen -r $(hostname)
myserver.example.org IN SSHFP 1 1 1c47eee032179719595c8461adba051d4a00dc8f
myserver.example.org IN SSHFP 1 2 7371839b62ce52ede97a9598eea0f253e1d58f88f45a8a40e05c34a846dc2e81
myserver.example.org IN SSHFP 4 1 80aae333ad47851f788d3d9bddd87e489f8c18f8
myserver.example.org IN SSHFP 4 2 5d0511b19fcd0c2793eeda983f0a8ee70cc4868b98b6d2e67f3b97df8e480762
</syntaxhighlight>

Once published, you can check you records with
<syntaxhighlight lang="console">
$ dig +short -t SSHFP myserver.example.org | sort
1 1 1C47EEE032179719595C8461ADBA051D4A00DC8F
1 2 7371839B62CE52EDE97A9598EEA0F253E1D58F88F45A8A40E05C34A8 46DC2E81
4 1 80AAE333AD47851F788D3D9BDDD87E489F8C18F8
4 2 5D0511B19FCD0C2793EEDA983F0A8EE70CC4868B98B6D2E67F3B97DF 8E480762
</syntaxhighlight>

Now you can configure your client to [[#Verify published server key|use your published keys]].

==== issue.net ====
One of the danger when doing remote administration is to mechanically log in to a machine, type a few command and realise after that you where on the wrong server.

This doesn't happen with physical computers as they look different on first sight (either the machine itself or the place it is). The solution, make your remote servers look different.

This can be done by uncommenting this line in <code>/etc/ssh/sshd_config</code>
<syntaxhighlight lang="apache">
Banner /etc/issue.net
</syntaxhighlight>

Then edit the file <code>/etc/issue.net</code> and make it as distinctive as possible.

Some examples:

************ ********** *********** **********
************ ************ ************ ************
*** *** *** *** *** *** ***
*** *** *** *** *** *** ***
******* *** *** ************ *** ***
******* *** *** *********** *** ***
*** *** *** *** *** *** ***
*** *** *** *** *** *** ***
*** ************ *** *** ************
*** ********** *** *** **********

########## ### ### ### ### ###########
############ #### ### ### ### ###########
### ### ##### ### ### ### ###
### ### ###### ### ### ### ###
############ ### ### ### ### ### #######
############ ### ### ### ### ### #######
### ### ### ###### ### ### ###
### ### ### ##### ### ### ### ###
### ### ### #### ### ### ### ###########
### ### ### ### ######## ### ###########

Note that they are 3 files quite similar for this
* <code>/etc/issue</code>: Displayed before login prompt on the physical consoles of the machines
* <code>/etc/issue.net</code>: Displayed before login prompt for remote login
* <code>/etc/motd</code>: Displayed after login (local and remote)

<code>/etc/issue</code> and <code>/etc/motd</code> don't need any setup before being used. Just modify the content and you are ok to go.

==== Other ====
If you are using OpenSSH < 7.2 or are not using X11 forwarding, you can disable it with<syntaxhighlight lang="apache">
X11Forwarding no
</syntaxhighlight>

=== Restart ===
Restarting the SSH server while connected through SSH is usually safe. However, you need to take some precautions to avoid being locked out of your server. Make sue you do that from a stable internet connection: in case your SSH server doesn't restart correctly, you don't want your active SSH connection to drop while you fix the issue.<syntaxhighlight lang="console">
# systemctl restart ssh
</syntaxhighlight>If you are connected through SSH, test that your server restarting correctly by opening a second connection<syntaxhighlight lang="console">
$ ssh -o "ControlMaster=yes" myserver.example.org
</syntaxhighlight>The <code>-o "ControlMaster=yes"</code> option prevents the SSH client from reusing your active connection in case you have multiplexing enabled.

=== Fail2Ban ===
[[Fail2Ban]] configuration for SSH is active by default in Debian. However, if you changed the listening port of your server, you must reflect that in Fail2Ban. To do so, create file <code>/etc/fail2ban/jail.d/sshd.conf</code> with the following content
<syntaxhighlight lang="ini">
[sshd]
enabled = true
port = 2200 ; <= Set the port here
</syntaxhighlight>

== Client ==

=== Install ===
<syntaxhighlight lang="console">
# apt install openssh-client
</syntaxhighlight>

=== Configure ===

The settings of these section need to be written in file <code>/etc/ssh/ssh_config</code>. Unless they contains a <code>Host</code>, they must be set under the existing <code>Host *</code> section.

==== Shortcuts ====

When it comes to typing, my motto is ''less is more''. The following setting allows you to type <code>ssh server1</code> instead of <code>ssh server1.example.org</code>
<syntaxhighlight lang="apache">
Host server1 server2
CanonicalDomains example.org
CanonicalizeFallbackLocal no
CanonicalizeHostname yes
</syntaxhighlight>

==== Port ====

If you changed the port of your servers, this settings allows you client to use the correct port automatically.
<syntaxhighlight lang="apache">
Host *.example.org
Port 2200
</syntaxhighlight>

==== Crypo ====

These settings are derived from [https://stribika.github.io/2015/01/04/secure-secure-shell.html secure secure shell].
<syntaxhighlight lang="apache">
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
</syntaxhighlight>

==== Generate user keys ====
This needs to be run by all users. It is strongly recommended to set a password to your keys. A passwordless keyfile is as secure as a post-it on the wall with your password. If a script need unattended access to another machine, create dedicated accounts and key for that usage.
<syntaxhighlight lang="console">
$ ssh-keygen -t ed25519 -a 100
$ ssh-keygen -t rsa -b 4096 -o -a 100
</syntaxhighlight>

==== Verify published server key ====
Make sure your server has some [[#Publish server keys|published keys]].

Edit file <code>/etc/ssh/ssh_config</code> and add the line
<syntaxhighlight lang="apache">
VerifyHostKeyDNS yes
</syntaxhighlight>

== ssh-agent ==
ssh-agent is a program that can keep your ssh keys in memory and avoid you to type your password several time.

'''Warning:''' Anybody which can run command as your user or as root on your machine can reuse or eve steal your keys. Don't run ssh-agent on a machine unless you trust it 100%.

=== Run the agent ===
By default Debian and Ubuntu start <code>ssh-agent</code> when you log into a graphical session. However, the way it is done doesn't allow passing options to the agent.

To disable the default <code>ssh-agent</code> startup script, edit file <code>/etc/X11/Xsession.options</code> and remove line <code>use-ssh-agent</code>.

Add the following line to <code>~/.xsessionrc</code> (create the file is it doesn't exist). This need to be done for each user that wants to run <code>ssh-agent</code>.<syntaxhighlight lang="shell">
STARTUP="/usr/bin/ssh-agent -t 3600 ${TMPDIR:+env TMPDIR=$TMPDIR} $STARTUP"
</syntaxhighlight>

=== Add keys to agent ===
''Note'': You need OpenSSH version 7.2 or above for this to work.

SSH client is able to add keys to ssh-agent automatically. To do this, edit file <code>~/.ssh/config</code> and add<syntaxhighlight lang="apache">
Host *
AddKeysToAgent yes
</syntaxhighlight>

=== Forward agent ===
If you want to be able to connect from machine A to machine B and then from machine B to machine C without typing password twice, you can use a feature called agent forwarding. With this feature machine B will be able to use the keys from the agent running on machine A.

'''Warning:''' As for running the agent, you must only forward your agent to a machine that you trust 100%. Anybody with access to root or the account you use on machine B will be able to use your keys.

To enable the feature, add this to <code>~/.ssh/config</code><syntaxhighlight lang="apache">
Host machineB.example.org machineD.example.org
ForwardAgent yes
</syntaxhighlight>

== Reference Documents ==
[https://wiki.mozilla.org/Security/Guidelines/OpenSSH Mozilla Guidelines]

[https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure Secure Shell][[Category:Linux Server]]
[[Category:Fail2Ban]]
[[Category:Debian Release]]

KeePass

2017-12-29T22:52:06Z

Vincent: Use KeePassXC

== Install ==

=== Linux/Windows ===
Follow instruction from [https://keepassxc.org/download KeePassXC website].

=== Android ===
Install [https://play.google.com/store/apps/details?id=keepass2android.keepass2android Keepass2Android].

[[Category:Linux Desktop]]
[[Category:Windows]]
[[Category:Android]]

Calibre

2017-12-03T13:19:44Z

Vincent: Fix table display

Calibre is an ebook management software.

== Prerequisite ==
* A Window or Linux computer. MacOs should work as well but was not tested.
* A Kobo eReader. The instructions should work for any Kobo of the Touch, Glo, Mini and Aura families.

== Install ==

=== Download ===
When the firmware of your Kobo is updated, you usually need an up-to-date Calibre to be able to synchronise your eBooks. For this reason, it is recommended to not install from your Linux distribution but directly from their website.

To install, go to https://calibre-ebook.com/download and follow instructions.

=== First-run ===
The first time you run calibre you will be asked a few question. The most important is the location of your library. Calibre will use this folder to store al the eBooks that you add to it.

== Kobo Setup ==
Calibre will allow you to send ebooks to your Kobo without any configuration. However, the following plugins will enhance your experience.

To install them, go to ''Preferences'' → ''Plug-ins'' → ''Get new plug-ins'', select the plugin in the list and click ''Install''.

=== KePub Metadata Reader / KePub Metadata Writer ===
These two plugins don't provide any features. They are just used as dependency by ''KePub Output'' and ''KoboTouch Extended''.

=== KePub Output ===
Kobo readers are using [https://wiki.mobileread.com/wiki/Kepub Kepub] files. Those are similar to standard Epub files but support additional functionalities.

This plugin allows conversion of ebooks to the kepub format.

=== KoboTouch Extended ===
This plugin replace the kobo driver that comes with Calibre, it allows the conversion to Kepub format transparently when you synchronise with a Kobo eReader.

After installing it, it is recommended to disable the default in plug-in to avoid Calibre choosing the wrong plugin. Go to ''Preferences'' → ''Plug-ins → Device Interface plug-ins'' and disable ''KoboTouch''.
[[File:KoboTouch Extended - plugin list.png|center|frameless|737x737px]]

=== Kobo Utilities ===
As its name says, this pugin provide various utilities to use with your Kobo eReader

==== Setup ====
* Plug your Kobo eReader to your computer
* Click the ''KoboUtilities'' button
* Select the ''Devices'' tab
* Click the ''Add connected device''

==== Read Percent ====
This allow to store reading status from your eReader to you Calibre library.

First step is to create columns in you library to store the data.
* Go to Preferences → Add your own columns
* Add the following columns
{| class="wikitable"
! Column header !! Lookup name !! Type !! Description
|-
|Complete || complete || Integers || Percent of the book that is read on device
|-
| Read || read || Date || Last date where the book was read on device
|}
* Validate & restart Calibre
Now you can configure KoboUtilities
* Click on KoboUtilities
* In the Profiles tab, set the ''Custom columns'' and ''Store on connect'' sections[[File:Calibre - Read columns.png|center|frameless|585x585px]]

==== Backups ====
The plugin can do backups of the database on your eReader. In case something goes wrong with your device, this might come handy.

Click the ''KoboUtilities'' button, select the ''Devices'' tab and setup the backup section.
[[File:Calibre backup settings.png|center|frameless|589x589px]]

==== Block Analytics ====
The kobo eReaders are including an analytics feature. In particular, they collect the infos on all the books that you put on your reader — including the ones that you didn't purchase from them.

This plugins allows to block analytics events
* Connect your eReader to your computer
* Click on the arrow near the KoboUtilities icon and select ''Database'' → ''Block Analytics Event''
* In the window that opened, select ''Create or change trigger'' and click ''Ok''

== eBooks with DRM ==
When you buy an eBook from most major online book stores, they are likely to be protected by DRM. This has two major consequences.
* You won't be able to convert your eBooks to the Kepub format. This mean that advanced features not be available unless you buy your books on the Kobo store
* You might not be able to read the book on the device of your choice
* If the book store ever stop its operations, you might not be able to read your eBook at all
Fortunately it is possible to remove DRM from books allo.ing you to use the file that you legally purchased.
{{Warning|msg=Removing DRM from the eBooks you purchased is illegal in some countries. Check the law before doing it. Do not share your eBooks illegally. Tagging technologies allow publishers to find the original purchaser of an eBook. You have been warned!}}

=== eBooks from Kobo ===

==== Install Plugin ====
Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/Obok_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Use ====
Simply click the ''Obok DeDRM'' button. The plugin will import and strip DRM from files.

Depending if your eReader is connected to your computer, the obok plugin will try to load book either from the eReader or the Kobo Desktop application.

=== eBooks From Other Book Stores ===
You can buy eBook from any book store that sell them in ePub. When those books are protected with DRM, you will need to use Adobe Digital Edition to download them.

==== Adobe ID ====
The first thing you need is an Adobe ID. If you don't have one, you can create one on https://accounts.adobe.com/.

==== Install Adobe Digital Edition ====
{{Warning|msg=}}You need to use version 1.7 or 2.0. https://github.com/apprenticeharper/DeDRM_tools/blob/master/FAQs.md#i-registered-adobe-digital-editions-30-or-later-with-an-adobe-id-before-downloading-but-my-epub-or-pdf-still-has-drm
'''Linux:''' Run the following commands <syntaxhighlight lang="console">
$ sudo apt install wine32 winetricks
$ winetricks adobe_diged
</syntaxhighlight>'''Windows:''' Download version 2.0 from http://download.adobe.com/pub/adobe/digitaleditions/ADE_2.0_Installer.exe

==== Authorize Adobe Digital Edition ====
Before opening a book in Adobe Digital Edition, you need to authorize it.

To authorise the computer go to ''Library'' → ''Authorize Computer'' (1.7) or ''Help'' → ''Authorize Computer'' (2.0).

Select Adobe ID as provider, and enter your adobe account info.

==== Install DeDRM Plugin ====
'''Linux Only:''' Check [https://raw.githubusercontent.com/apprenticeharper/DeDRM_tools/master/DeDRM_calibre_plugin/DeDRM_plugin_ReadMe.txt official instructions], section ''Linux Systems Only''. You don't need to install ''Adobe Digital Editions'' since you just did it. You can also skip anything related to Kindle unless you want to buy books on Amazon.

'''All:''' Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/DeDRM_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Import Books ====
'''Note:''' You can test the procedure using [https://www.adobe.com/uk/solutions/ebook/digital-editions/sample-ebook-library.html sample files from Adobe]. Make sure you test files with acsm extension.

When you buy an eBook protected by Adobe DRM, the file you download is not the eBook but a license file with the acsm extension.

The first thing to do is to open this acsm file in ''Adobe Digital Edition'' to retrieve the actual eBook.

To import the eBook in Calibre and remove the DRM, simply click the ''Add books'' buttons. The files are in a folder named ''My Digital Editions'' in you ''Home'' or ''My Documents'' folder.

To make sure that the DRM where correctly removed, right-click on the book in Calibre and choose ''view''. If the book displays, there is no more DRM.

== Configuration ==

=== Icons ===
The default icon theme is not very consistent in terms of colour / style.

To change it, go to ''Preferences'' → ''Look & feel'' → ''Change icon theme''. I recommand the Monstre theme which is quite complete and look nice.
[[Category:Linux Desktop]]
[[Category:Windows]]

Calibre

2017-12-03T13:06:11Z

Vincent: /* Configuration */ Add Count Pages plugin

Calibre is an eBook management software. It allows you to copy you books from / to your eReader, edit metadata, search your library…

== Prerequisite ==
* A Window or Linux computer. MacOs should work as well but was not tested.
* A Kobo eReader. While Calibre will work with any eReader or even as a standalone, this page assume that you are using this one. The instructions should work for any Kobo of the Touch, Glo, Mini and Aura families.

== Install ==

=== Download ===
When the firmware of your Kobo is updated, you usually need an up-to-date Calibre to be able to synchronise your eBooks. For this reason, it is recommended to not install from your Linux distribution but directly from their website.

To install, go to https://calibre-ebook.com/download and follow instructions.

=== First-run ===
The first time you run calibre you will be asked a few question. The most important is the location of your library. Calibre will use this folder to store al the eBooks that you add to it.

I recommend creating a folder named ''calibre'' somewhere in your computer and inside this one create a folder named ''library'' and use this last one as library location. There are two reasons for this. First Calibre will use the name of the folder as the name of the library in the interface. Having your library called library make things easier. Secondlly, Calibre will complain if you add any file to it's library folder. The parent folder allows you to store additional files related to Calibre.

== Kobo Setup ==
Calibre will allow you to send ebooks to your Kobo without any configuration. However, the following plugins will enhance your experience.

To install them, go to ''Preferences'' → ''Plug-ins'' → ''Get new plug-ins'', select the plugin in the list and click ''Install''.

=== KePub Metadata Reader / KePub Metadata Writer ===
These two plugins don't provide any features. They are just used as dependency by ''KePub Output'' and ''KoboTouch Extended''.

=== KePub Output ===
Kobo readers are using [https://wiki.mobileread.com/wiki/Kepub Kepub] files. Those are similar to standard Epub files but support additional functionalities.

This plugin allows conversion of ebooks to the kepub format.

=== KoboTouch Extended ===
This plugin replace the kobo driver that comes with Calibre, it allows the conversion to Kepub format transparently when you synchronise with a Kobo eReader.

After installing it, it is recommended to disable the default in plug-in to avoid Calibre choosing the wrong plugin. Go to ''Preferences'' → ''Plug-ins → Device Interface plug-ins'' and disable ''KoboTouch''.
[[File:KoboTouch Extended - plugin list.png|center|frameless|737x737px]]

=== Kobo Utilities ===
As its name says, this pugin provide various utilities to use with your Kobo eReader

==== Setup ====
* Plug your Kobo eReader to your computer
* Click the ''KoboUtilities'' button
* Select the ''Devices'' tab
* Click the ''Add connected device''

==== Read Percent ====
This allow to store reading status from your eReader to you Calibre library.

First step is to create columns in you library to store the data.
* Go to Preferences → Add your own columns
* Add the following columns {| class="wikitable" !Column header !Lookup name !Type !Description |- |Complete |complete |Integers |Percent of the book that is read on device |- |Read |read |Date |Last date where the book was read on device |}
* Validate & restart Calibre
Now you can configure KoboUtilities
* Click on KoboUtilities
* In the Profiles tab, set the ''Custom columns'' and ''Store on connect'' sections[[File:Calibre - Read columns.png|center|frameless|585x585px]]

==== Backups ====
The plugin can do backups of the database on your eReader. In case something goes wrong with your device, this might come handy.

Click the ''KoboUtilities'' button, select the ''Devices'' tab and setup the backup section.
[[File:Calibre backup settings.png|center|frameless|589x589px]]

==== Block Analytics ====
The kobo eReaders are including an analytics feature. In particular, they collect the infos on all the books that you put on your reader — including the ones that you didn't purchase from them.

This plugins allows to block analytics events
* Connect your eReader to your computer
* Click on the arrow near the KoboUtilities icon and select ''Database'' → ''Block Analytics Event''
* In the window that opened, select ''Create or change trigger'' and click ''Ok''

== eBooks with DRM ==
When you buy an eBook from most major online book stores, they are likely to be protected by DRM. This has two major consequences.
* You won't be able to convert your eBooks to the Kepub format. This mean that advanced features not be available unless you buy your books on the Kobo store
* You might not be able to read the book on the device of your choice
* If the book store ever stop its operations, you might not be able to read your eBook at all
Fortunately it is possible to remove DRM from books allo.ing you to use the file that you legally purchased.
{{Warning|msg=Removing DRM from the eBooks you purchased is illegal in some countries. Check the law before doing it. Do not share your eBooks illegally. Tagging technologies allow publishers to find the original purchaser of an eBook. You have been warned!}}

=== eBooks from Kobo ===

==== Install Plugin ====
Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/Obok_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Use ====
Simply click the ''Obok DeDRM'' button. The plugin will import and strip DRM from files.

Depending if your eReader is connected to your computer, the obok plugin will try to load book either from the eReader or the Kobo Desktop application.

=== eBooks From Other Book Stores ===
You can buy eBook from any book store that sell them in ePub. When those books are protected with DRM, you will need to use Adobe Digital Edition to download them.

==== Adobe ID ====
The first thing you need is an Adobe ID. If you don't have one, you can create one on https://accounts.adobe.com/.

==== Install Adobe Digital Edition ====
{{Warning|msg=}}You need to use version 1.7 or 2.0. https://github.com/apprenticeharper/DeDRM_tools/blob/master/FAQs.md#i-registered-adobe-digital-editions-30-or-later-with-an-adobe-id-before-downloading-but-my-epub-or-pdf-still-has-drm
'''Linux:''' Run the following commands <syntaxhighlight lang="console">
$ sudo apt install wine32 winetricks
$ winetricks adobe_diged
</syntaxhighlight>'''Windows:''' Download version 2.0 from http://download.adobe.com/pub/adobe/digitaleditions/ADE_2.0_Installer.exe

==== Authorize Adobe Digital Edition ====
Before opening a book in Adobe Digital Edition, you need to authorize it.

To authorise the computer go to ''Library'' → ''Authorize Computer'' (1.7) or ''Help'' → ''Authorize Computer'' (2.0).

Select Adobe ID as provider, and enter your adobe account info.

==== Install DeDRM Plugin ====
'''Linux Only:''' Check [https://raw.githubusercontent.com/apprenticeharper/DeDRM_tools/master/DeDRM_calibre_plugin/DeDRM_plugin_ReadMe.txt official instructions], section ''Linux Systems Only''. You don't need to install ''Adobe Digital Editions'' since you just did it. You can also skip anything related to Kindle unless you want to buy books on Amazon.

'''All:''' Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/DeDRM_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Import Books ====
'''Note:''' You can test the procedure using [https://www.adobe.com/uk/solutions/ebook/digital-editions/sample-ebook-library.html sample files from Adobe]. Make sure you test files with acsm extension.

When you buy an eBook protected by Adobe DRM, the file you download is not the eBook but a license file with the acsm extension.

The first thing to do is to open this acsm file in ''Adobe Digital Edition'' to retrieve the actual eBook.

To import the eBook in Calibre and remove the DRM, simply click the ''Add books'' buttons. The files are in a folder named ''My Digital Editions'' in you ''Home'' or ''My Documents'' folder.

To make sure that the DRM where correctly removed, right-click on the book in Calibre and choose ''view''. If the book displays, there is no more DRM.

== Configuration ==

=== Icons ===
The default icon theme is not very consistent in terms of colour / style.

To change it, go to ''Preferences'' → ''Look & feel'' → ''Change icon theme''. I recommand the Monstre theme which is quite complete and look nice.

=== Show pages / words count ===

==== Install plugin ====
Go to ''Preferences'' → ''Plug-ins'' → ''Get new plug-ins'', and install plugin ''Count Pages''. When asked, you don't need to restart calibre.

==== Add Column ====
Go to ''Preferences'' → ''Add your own columns'', and click on ''Add custom column''.

Fill the info:
* Lookup name: words
* Column heading: Words
* Column type: Integer
* Description: Number of words in book
* Format for numbers: {0:n}
Click OK, repeat for page count and restart calibre.

==== Configure plugin ====
You should now have a ''Count Pages'' icon in the main toolbar. Click on the down arrow next to it ans select ''Customize plug-in…''.

In the ''Statistics'' tab, select the columns that you just created.

In the ''Other'' tab, untick ''Prompt to save counts''. If you want to make sure that all your book pages are computed the same way, you can also untick everything in the ''Download options'' section.

==== Count pages / words ====
Select the books for which you want to count pages and click the ''Count Pages'' button.

== Buy Books ==
Calibre allows you to search and buy books directly from the interface. This has a few advantages:
* Calibre will search several shops and compare prices
* Some shops are paying back a percentage from your purchase to Calibre developers. You can sponsor development without paying more.

=== Setup ===
Right click on ''Get books'' and go to ''Choose stores.'' In the list of stores unselect the ones the don't sell in ePub format (Amazon & Barnes and Noble). Also unselect the stores that are in languages that you don't speak (while they might have interesting books, you will need to go to their website to complete the purchase).

=== Buy Books ===
* Click the ''Get books'' icon.
* Enter search criteria and click on ''Search''
* Double click the book you want to buy
* Process to payment and download on the shop website
* If you downloaded a .acsm file see the section on DRM above
* Otherwise, in Calibre, click on ''Add Books'' select the file on your disk
[[Category:Linux Desktop]]
[[Category:Windows]]

Let’s Encrypt/stats

2017-11-30T07:54:43Z

Vincent: update stats

= Official stats =
Let’s Encrypt provide some [https://letsencrypt.org/stats/ official statistics] on the number of certificate that they deliver.

== Ranking ==
[https://censys.io Censys] allows to get some statistics on the usage of Let’s Encrypt among the [https://support.alexa.com/hc/en-us/articles/200449834-Does-Alexa-have-a-list-of-its-top-ranked-websites- top 1 million websites].

Reports are build by querying the raw domain name. Some website are know to serve different certificates for the raw domain and the www prefix.

=== HTTPS ===
{| class="wikitable"
!Date
!Number
!Percent
!Rank
!Total Number
|-
|26-03-2016
|7 590
|1.08%
|19*
|705 166
|-
|20-05-2016
|12 823
|1.5%
|11
|643 604
|-
|04-06-2016
|15 367
|2.3%
|10
|669 582
|-
|20-06-2016
|15 969
|2.41%
|9
|663 851
|-
|14-07-2016
|22 159
|3.85%
|6
|575 599
|-
|21-08-2016
|29 104
|4.64%
|5
|626 616
|-
|25-09-2016
|23 880
|4.43%
|5
|539 594
|-
|30-09-2016
|39 072
|5.80%
|5
|674 019
|-
|03-12-2016
|59 547
|8.01%
|3
|743 081
|-
|22-01-2017
|67 413
|9.70%
|3
|695 015
|-
|14-05-2017
|84 129
|13.87%
|2
|606 661
|-
|30-11-2017
|128 435
|19.14%
|2
|670 882
|}
https://censys.io/domain/report?q=*&field=443.https.tls.certificate.parsed.issuer.organization.raw&max_buckets=

'''*''': Old report based on intermediate certificate name. This affect rank as some authorities have multiple intermediates.

=== SMTP ===
{| class="wikitable"
!Date
!Number
!Percent
!Rank
!Total Number
|-
|26-03-2016
|926
|0.15%
|50*
|623 943
|-
|20-05-2016
|1 367
|0.24%
|39
|581 296
|-
|04-06-2016
|1 662
|0.27%
|32
|612 866
|-
|20-06-2016
|1 716
|0.29%
|30
|599 019
|-
|14-07-2016
|2 787
|0.48%
|24
|579 564
|-
|21-08-2016
|2 767
|0.48%
|24
|566 076
|-
|25-09-2016
|1 798
|0.39%
|24
|465 238
|-
|30-09-2016
|5 092
|0.81%
|18
|630 310
|-
|03-12-2016
|8 417
|1.27%
|18
|663 072
|-
|22-01-2016
|10 200
|1.78%
|12
|574 194
|-
|14-05-2017
|11 187
|2.13%
|10
|524 491
|-
|30-11-2017
|15 059
|2.78%
|9
|540 797
|}
https://censys.io/domain/report?q=*&field=25.smtp.starttls.tls.certificate.parsed.issuer.organization.raw&max_buckets=

'''*''': Old report based on intermediate certificate name. This affect rank as some authorities have multiple intermediates.

Kernel from Jessie Backports

2017-11-12T21:40:46Z

Vincent:

Debian Jessie offer the quite old kernel 3.16. Backports offer the newer 4.3.

Among other, it contains important changes to Btrfs and nftables.

To install it, simply run<syntaxhighlight lang="console">
$ sudo apt install linux-image-amd64/jessie-backports
</syntaxhighlight>and then reboot your server.
[[Category:Linux Server]]
[[Category:Debian Release]]
[[Category:Noindexed pages]]

nftables

2017-11-12T21:39:21Z

Vincent:

[https://netfilter.org/projects/nftables/ nftables] is the new firewall of the linux kernel. It has several advantages over the existing {ip, ip6, arp,eb}tables:
* Only one command
* Rules that target both IPV4 and IPV6
* More concise syntax
* [http://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables See details on the official wiki]

== Install ==
<syntaxhighlight lang="console">
$ sudo apt install nftables
</syntaxhighlight>You might also want to remove <code>iptables</code><syntaxhighlight lang="console">
$ sudo apt purge iptables
</syntaxhighlight>

== Configure ==

=== Create main table ===
Create file <code>/etc/nftables/main_config.conf</code><syntaxhighlight lang="sh">
# DNS
add element inet main udp_port_out { 53 }
add element inet main tcp_port_out { 53 }
# Network Time Protocol
add element inet main udp_port_out { 123 }
# OpenPGP HTTP Keyserver
add element inet main tcp_port_out { 11371 }
# SSH
add element inet main tcp_port_in { 2200 }
add element inet main tcp_port_out { 2200 }
# Web
add element inet main tcp_port_out { 80, 443 }
</syntaxhighlight>Create file <code>/etc/nftables/main.conf</code><syntaxhighlight lang="sh">
#!/usr/sbin/nft -f

add table inet main

#Ports open for any IP address
add set inet main tcp_port_out { type inet_service; }
add set inet main tcp_port_in { type inet_service; }
add set inet main udp_port_out { type inet_service; }
add set inet main udp_port_in { type inet_service; }
add set inet main user_out { type uid; }
add set inet main user_in { type uid; }

include "/etc/nftables/main_config.conf"

# Remove spam in logs. Get your top noise whith
# grep Drop_in /var/log/syslog|sed -r 's/.*?PROTO=([A-Z]+).*?DPT=([0-9]+).*/\1 \2/'|sort|uniq -c|sort -rn
add set inet main tcp_scan_ports { type inet_service; }
add set inet main udp_scan_ports { type inet_service; }
add element inet main tcp_scan_ports {
22, # SSH
23, # Telnet
1433, # MS SQL Login
8080, # HTTP Alternate
50661 # Apple Xsan
}
add element inet main udp_scan_ports {
53, # DNS
5060, # SIP
53413 # http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/
}

chain inet main input {
type filter hook input priority 0;

# accept any localhost traffic
iif lo accept

# accept traffic originated from us
ct state established,related accept
ct state invalid log prefix "Invalid_in " drop

# accept neighbour discovery otherwise IPv6 connectivity breaks.
ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

# accept ping
ip protocol icmp icmp type { echo-request } accept

tcp dport @tcp_port_in ct state new accept
udp dport @udp_port_in ct state new accept
meta skuid @user_in ct state new accept

tcp dport @tcp_scan_ports drop
udp dport @udp_scan_ports drop

# count and drop any other traffic
counter log prefix "Drop_in " drop
}

chain inet main output {
type filter hook output priority 0;

# accept any localhost traffic
oif lo accept

ct state established,related accept
ct state invalid log prefix "Invalid_out " drop

# accept neighbour discovery otherwise IPv6 connectivity breaks.
ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

# accept ping
ip protocol icmp icmp type { echo-request } accept

tcp dport @tcp_port_out ct state new accept
udp dport @udp_port_out ct state new accept
meta skuid @user_out ct state new accept

counter log prefix "Drop_out " drop
}
</syntaxhighlight>{{Warning}}Double check the port for SSH before activating the script.

=== Activation Scripts ===

==== /etc/nftables.conf ====
Edit file <code>/etc/nftables.conf</code><syntaxhighlight lang="sh">
#!/usr/sbin/nft -f

flush ruleset

include "/etc/nftables/main.conf"
</syntaxhighlight>This file is executed when you start nftables. You can also manually execute it without issue.

==== /etc/nftables/reload_main.conf ====
This script is used to reload only the main table without the others. The point is to integrate with tools like [[Fail2Ban]] which are inserting rules in the firewall. By reloading just the main table, you can activate your new rules without impacting Fail2Ban.

Create file <code>/etc/nftables/reload_main.conf</code><syntaxhighlight lang="sh">
#!/usr/sbin/nft -f

delete table inet main

include "/etc/nftables/main.conf"
</syntaxhighlight>and make it executable<syntaxhighlight lang="console">
$ sudo chmod +x /etc/nftables/reload_main.conf
</syntaxhighlight>

== Test ==
Test your firewall with the following command<syntaxhighlight lang="console">
$ sudo -- sh -c 'nft -f /etc/nftables.conf; sleep 30; nft flush ruleset'
</syntaxhighlight>It will activate the firewall and reset it after 30 seconds. It allows you to not lock yourself out of your machine.

== Enable ==
{{Warning}}It is recommended that you test your firewall before enabling it at boot time. An incorrectly configured firewall can lock you out of your machine.<syntaxhighlight lang="console">
$ sudo systemctl enable nftables
</syntaxhighlight>
[[Category:Debian Release]]
[[Category:Linux Desktop]]
[[Category:Linux Server]]
[[Category:nftables]]

Btrfs

2017-11-12T21:38:46Z

Vincent:

{{Warning|msg = Btrfs is still a new filesystem. While many (including myself) find it stable enough for everyday use, don't use it for critical services and be prepared to use you backups. 
See [https://btrfs.wiki.kernel.org/index.php/Status status page] on Btrfs wiki for up-to-date info.}}

== Install ==
To create and manipulate Btrfs volumes, you will need to install<syntaxhighlight lang="console">
$ sudo apt install btrfs-progs
</syntaxhighlight>

== Create a filesystem ==

=== mkfs ===

==== Single Disk ====
<syntaxhighlight lang="console">
$ sudo mkfs.btrfs /dev/sdb
</syntaxhighlight>

==== Raid 1 ====
<syntaxhighlight lang="console">
$ sudo mkfs.btrfs -mraid1 -draid1 /dev/sdb /dev/sdc
</syntaxhighlight>

==== Raid 0 ====
<syntaxhighlight lang="console">
$ sudo mkfs.btrfs -mraid1 -draid0 /dev/sdb /dev/sdc
</syntaxhighlight>

=== Mount ===
<syntaxhighlight lang="console">
$ sudo mount /dev/sdb /mnt
</syntaxhighlight>When mounting raid disks, only one of the disks need to be specified in the command. Btrfs will find the other one automatically.

== Subvolumes ==
To create a subvolume just use the command<syntaxhighlight lang="console">
$ sudo btrfs subvolume create /<path>
</syntaxhighlight>To create a snapshot use<syntaxhighlight lang="console">
$ sudo btrfs subvolume snapshot /<source-path> /<destination-path>
</syntaxhighlight>
[[Category:Linux Desktop]]
[[Category:Linux Server]]
[[Category:Debian Release]]

Btrfs

2017-11-04T11:05:31Z

Vincent: remove debian jessie

{{Warning|msg = Btrfs is still a new filesystem. While many (including myself) find it stable enough for everyday use, don't use it for critical services and be prepared to use you backups. 
See [https://btrfs.wiki.kernel.org/index.php/Status status page] on Btrfs wiki for up-to-date info.}}

== Install ==
To create and manipulate Btrfs volumes, you will need to install<syntaxhighlight lang="console">
$ sudo apt install btrfs-progs
</syntaxhighlight>

== Create a filesystem ==

=== Single Disk ===
<syntaxhighlight lang="console">
$ sudo mkfs.btrfs /dev/sdb
</syntaxhighlight>

=== Raid 1 ===
<syntaxhighlight lang="console">
$ sudo mkfs.btrfs -mraid1 -draid1 /dev/sdb /dev/sdc
</syntaxhighlight>

=== Raid 0 ===
<syntaxhighlight lang="console">
$ sudo mkfs.btrfs -mraid1 -draid0 /dev/sdb /dev/sdc
</syntaxhighlight>

== Subvolumes ==
To create a subvolume just use the command<syntaxhighlight lang="console">
$ sudo btrfs subvolume create /<path>
</syntaxhighlight>To create a snapshot use<syntaxhighlight lang="console">
$ sudo btrfs subvolume snapshot /<source-path> /<destination-path>
</syntaxhighlight>
[[Category:Linux Desktop]]
[[Category:Linux Server]]
[[Category:Debian Release]]

Apt

2017-10-10T07:35:39Z

Vincent: maintenance scripts

== Configure ==

=== HTTPS ===

By default, Apt is able to use http sources but not https ones. This might cause problem with some external repositories.
<syntaxhighlight lang="console">
$ sudo apt install apt-transport-https
</syntaxhighlight>

=== sources.list ===
Here is the <code>/etc/apt/sources.list</code> for a Debian Jessie distribution.

The file is referencing versions names instead of the ''stable'' and ''testing'' aliases. The reason is that we don't want a massive uncontrolled upgrade on the day of the release of the next stable.
<syntaxhighlight lang="sources.list">
# Standard Debian repository
deb https://deb.debian.org/debian stretch main contrib non-free
deb-src https://deb.debian.org/debian stretch main contrib non-free

# Security updates
# No mirror is used here to avoid issues with propagation delay
deb https://security.debian.org/ stretch/updates main contrib non-free
deb-src https://security.debian.org/ stretch/updates main contrib non-free

# stable-updates repo
# Contain some package that are known to change frequently like antivirus or timezone data
deb https://deb.debian.org/debian stretch-updates main contrib non-free
deb-src https://deb.debian.org/debian stretch-updates main contrib non-free

# Backport repo
# Contains packages from the next release that where modified to work on the current one
# Note that security is not assured by security team so updates might be slower than for other packages
deb https://deb.debian.org/debian stretch-backports main contrib non-free
deb-src https://deb.debian.org/debian stretch-backports main contrib non-free

# Testing
# For package that are not backported but where you want the new version
# Be very careful when installing these as they might bring incompatibility with the rest of the system
# Security is the lowest of the sources here. No security team, and updates might get blocked waiting for other migrations
deb https://deb.debian.org/debian buster main contrib non-free
deb-src https://deb.debian.org/debian buster main contrib non-free
</syntaxhighlight>

=== apt.conf ===
The file <code>/etc/apt/apt.conf</code> stores settings of apt. You can create the file if it doesn't exist.
<syntaxhighlight lang="properties">
# Select the default release. Check /etc/apt/preference for more flexibility
# Only needed when non-standard sources are present like backport or testing
APT::Default-Release "stretch";

# When adding new sources in sources.list, you can hit the APT cache limit
# This line increases its size
APT::Cache-Limit "100000000";
</syntaxhighlight>

=== Pinning ===

==== Setup ====
Create file <code>/etc/apt/preferences</code>
<syntaxhighlight lang="properties">
Explanation: This priority correspond to the default set by "APT::Default-Release"
Explanation: We make it explicit
Package: *
Pin: release o=Debian, n=stretch
Pin-Priority: 990

Explanation: Assign the same priority than stable release so these are picked if they are newer
Package: *
Pin: release o=Debian, n=stretch-updates
Pin-Priority: 990

Explanation: Lower than stable as we don't want them installed by default.
Explanation: Higher than testing, we prefer to install from backports than testing.
Package: *
Pin: release o=Debian Backports, n=stretch-backports
Pin-Priority: 900

Explanation: Lower than others
Explanation: Higher than 500 so it's still preferred over external sources
Package: *
Pin: release o=Debian, n=buster
Pin-Priority: 700
</syntaxhighlight>

==== Debugging ====

By default, it might be hard to understand why a particular version of a package is chosen for updates. Thankfully, <code>apt-cache</code> can help us with that.
<syntaxhighlight lang="console">
$ apt-cache policy | grep -Ev Translation-..$
Package files:
100 /var/lib/dpkg/status
release a=now
700 http://httpredir.debian.org/debian/ stretch/non-free amd64 Packages
release o=Debian,a=testing,n=stretch,l=Debian,c=non-free
origin httpredir.debian.org
700 http://httpredir.debian.org/debian/ stretch/contrib amd64 Packages
release o=Debian,a=testing,n=stretch,l=Debian,c=contrib
origin httpredir.debian.org
700 http://httpredir.debian.org/debian/ stretch/main amd64 Packages
release o=Debian,a=testing,n=stretch,l=Debian,c=main
origin httpredir.debian.org
900 http://httpredir.debian.org/debian/ jessie-backports/non-free amd64 Packages
release o=Debian Backports,a=jessie-backports,n=jessie-backports,l=Debian Backports,c=non-free
origin httpredir.debian.org
900 http://httpredir.debian.org/debian/ jessie-backports/contrib amd64 Packages
release o=Debian Backports,a=jessie-backports,n=jessie-backports,l=Debian Backports,c=contrib
origin httpredir.debian.org
900 http://httpredir.debian.org/debian/ jessie-backports/main amd64 Packages
release o=Debian Backports,a=jessie-backports,n=jessie-backports,l=Debian Backports,c=main
origin httpredir.debian.org
990 http://httpredir.debian.org/debian/ jessie-updates/non-free amd64 Packages
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=non-free
origin httpredir.debian.org
990 http://httpredir.debian.org/debian/ jessie-updates/contrib amd64 Packages
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=contrib
origin httpredir.debian.org
990 http://httpredir.debian.org/debian/ jessie-updates/main amd64 Packages
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=main
origin httpredir.debian.org
990 http://security.debian.org/ jessie/updates/non-free amd64 Packages
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=non-free
origin security.debian.org
990 http://security.debian.org/ jessie/updates/contrib amd64 Packages
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=contrib
origin security.debian.org
990 http://security.debian.org/ jessie/updates/main amd64 Packages
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=main
origin security.debian.org
990 http://httpredir.debian.org/debian/ jessie/non-free amd64 Packages
release v=8.3,o=Debian,a=stable,n=jessie,l=Debian,c=non-free
origin httpredir.debian.org
990 http://httpredir.debian.org/debian/ jessie/contrib amd64 Packages
release v=8.3,o=Debian,a=stable,n=jessie,l=Debian,c=contrib
origin httpredir.debian.org
990 http://httpredir.debian.org/debian/ jessie/main amd64 Packages
release v=8.3,o=Debian,a=stable,n=jessie,l=Debian,c=main
origin httpredir.debian.org
Pinned packages:
</syntaxhighlight>

<syntaxhighlight lang="console">
$ apt-cache policy linux-image-amd64
linux-image-amd64:
Installed: 4.3+70~bpo8+1
Candidate: 4.3+70~bpo8+1
Version table:
4.3+70 0
700 http://httpredir.debian.org/debian/ stretch/main amd64 Packages
*** 4.3+70~bpo8+1 0
900 http://httpredir.debian.org/debian/ jessie-backports/main amd64 Packages
100 /var/lib/dpkg/status
3.16+63 0
990 http://httpredir.debian.org/debian/ jessie/main amd64 Packages
</syntaxhighlight>

== Tools ==

=== needrestart ===
After a successful upgrade, needrestart will check if any daemon need to be restarted. If so, it will show a dialog where you can choose which ones should be restarted automatically.

It will also warn you in case the system need to be restarted.
<syntaxhighlight lang="console">
$ sudo apt install needrestart
</syntaxhighlight>

=== reboot-notifier ===
Sends you a daily email in case your server need to be restarted

'''Important:''' Your server needs be able to [[Emails|send Emails]] before you install this.

<syntaxhighlight lang="console">
$ sudo apt install reboot-notifier
</syntaxhighlight>
You can configure the destination email address in <code>/etc/default/reboot-notifier</code>.

=== apt-listchanges ===
Parse changelogs when you upgrade a package and display it. It will also send a copy by email so you can have a look latter in case you missed something.<syntaxhighlight lang="console">
$ sudo apt install apt-listchanges
</syntaxhighlight>

=== apticron ===
Apticron will check for updates and send you emails with changelogs

'''Important:''' Your server needs be able to [[Emails|send Emails]] before you install this.

<syntaxhighlight lang="console">
$ sudo apt install apticron
</syntaxhighlight>
To configure apticron, edit <code>/etc/apticron/apticron.conf</code> and changes the following settings<syntaxhighlight lang="ini">
EMAIL="youremail@example.org"
NOTIFY_HOLDS="0"
NOTIFY_NEW="0"
</syntaxhighlight>

== System Maintenance ==

=== Manually installed packages ===
Both apt and aptitude can automatically remove packages that are not used any more. This allows to keep a clean system over time. However it requires the system to know which packages were automatically installed.

To list packages that are marked as manually installed, you can use<syntaxhighlight lang="console">
$ apt-mark showmanual
</syntaxhighlight>

=== Remove useless configuration files ===
When deinstalling a package, configuration files are kept in case you need to reinstall it latter. Overtime, this can led to a lot of useless files in <code>/etc</code>.

To list the removed packages that still have configuration files, you can use:<syntaxhighlight lang="console">
$ aptitude search ?config-files
</syntaxhighlight>After inspection of the list, this command will remove them<syntaxhighlight lang="console">
$ sudo aptitude purge ?config-files
</syntaxhighlight>
[[Category:Debian Release]]
[[Category:Linux Server]]

SSH

2017-10-08T14:13:26Z

Vincent: disable root login

{{Debian}}

== Server ==

=== Install ===
<syntaxhighlight lang="console">
# apt install openssh-server
</syntaxhighlight>

=== Configure ===

The settings of these section need to be writen in file <code>/etc/ssh/sshd_config</code>

==== Custom port ====

SSH server are a common target for hackers. Changing the port away from the default will greatly reduce the noise in your logs.
<syntaxhighlight lang="apache">
Port 2200
</syntaxhighlight>

==== Authentication ====

Let's limit the users that have access to the server using ssh.
<syntaxhighlight lang="apache">
AllowUsers myusername
PermitRootLogin no
# Make sure you have setup authentication using keys before disabling passwords
PasswordAuthentication no
ChallengeResponseAuthentication no
</syntaxhighlight>

==== Crypo ====

These settings are derived from [https://stribika.github.io/2015/01/04/secure-secure-shell.html secure secure shell].
<syntaxhighlight lang="apache">
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
</syntaxhighlight>

==== Sandbox ====
<syntaxhighlight lang="apache">
UsePrivilegeSeparation sandbox
</syntaxhighlight>

==== KeepAlive ====

To make sure connections do not freeze in case of inactivity.
<syntaxhighlight lang="apache">
ClientAliveInterval 60
</syntaxhighlight>

==== Generate server keys ====
<syntaxhighlight lang="console">
# cd /etc/ssh
# rm ssh_host_*key*
# ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ""
# ssh-keygen -t rsa -b 4096 -f ssh_host_rsa_key -N ""
</syntaxhighlight>

Modify file <code>/etc/ssh/sshd_config</code> and make sure that the only lines to contains ''HostKey'' are:
<syntaxhighlight lang="apache">
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
</syntaxhighlight>

==== Publish server keys ====
It is possible to publish the fingerprint of your ssh server keys in a DNS server. It allows to not have to blindly trust the key on first connection.

To get the records to publish in your dns server, run
<syntaxhighlight lang="console">
$ cd /etc/ssh
$ ssh-keygen -r $(hostname)
myserver.example.org IN SSHFP 1 1 1c47eee032179719595c8461adba051d4a00dc8f
myserver.example.org IN SSHFP 1 2 7371839b62ce52ede97a9598eea0f253e1d58f88f45a8a40e05c34a846dc2e81
myserver.example.org IN SSHFP 4 1 80aae333ad47851f788d3d9bddd87e489f8c18f8
myserver.example.org IN SSHFP 4 2 5d0511b19fcd0c2793eeda983f0a8ee70cc4868b98b6d2e67f3b97df8e480762
</syntaxhighlight>

Once published, you can check you records with
<syntaxhighlight lang="console">
$ dig +short -t SSHFP myserver.example.org | sort
1 1 1C47EEE032179719595C8461ADBA051D4A00DC8F
1 2 7371839B62CE52EDE97A9598EEA0F253E1D58F88F45A8A40E05C34A8 46DC2E81
4 1 80AAE333AD47851F788D3D9BDDD87E489F8C18F8
4 2 5D0511B19FCD0C2793EEDA983F0A8EE70CC4868B98B6D2E67F3B97DF 8E480762
</syntaxhighlight>

Now you can configure your client to [[#Verify published server key|use your published keys]].

==== issue.net ====
One of the danger when doing remote administration is to mechanically log in to a machine, type a few command and realise after that you where on the wrong server.

This doesn't happen with physical computers as they look different on first sight (either the machine itself or the place it is). The solution, make your remote servers look different.

This can be done by uncommenting this line in <code>/etc/ssh/sshd_config</code>
<syntaxhighlight lang="apache">
Banner /etc/issue.net
</syntaxhighlight>

Then edit the file <code>/etc/issue.net</code> and make it as distinctive as possible.

Some examples:

************ ********** *********** **********
************ ************ ************ ************
*** *** *** *** *** *** ***
*** *** *** *** *** *** ***
******* *** *** ************ *** ***
******* *** *** *********** *** ***
*** *** *** *** *** *** ***
*** *** *** *** *** *** ***
*** ************ *** *** ************
*** ********** *** *** **********

########## ### ### ### ### ###########
############ #### ### ### ### ###########
### ### ##### ### ### ### ###
### ### ###### ### ### ### ###
############ ### ### ### ### ### #######
############ ### ### ### ### ### #######
### ### ### ###### ### ### ###
### ### ### ##### ### ### ### ###
### ### ### #### ### ### ### ###########
### ### ### ### ######## ### ###########

Note that they are 3 files quite similar for this
* <code>/etc/issue</code>: Displayed before login prompt on the physical consoles of the machines
* <code>/etc/issue.net</code>: Displayed before login prompt for remote login
* <code>/etc/motd</code>: Displayed after login (local and remote)

<code>/etc/issue</code> and <code>/etc/motd</code> don't need any setup before being used. Just modify the content and you are ok to go.

==== Other ====
If you are using OpenSSH < 7.2 or are not using X11 forwarding, you can disable it with<syntaxhighlight lang="apache">
X11Forwarding no
</syntaxhighlight>

=== Restart ===
Restarting the SSH server while connected through SSH is usually safe. However, you need to take some precautions to avoid being locked out of your server. Make sue you do that from a stable internet connection: in case your SSH server doesn't restart correctly, you don't want your active SSH connection to drop while you fix the issue.<syntaxhighlight lang="console">
# systemctl restart ssh
</syntaxhighlight>If you are connected through SSH, test that your server restarting correctly by opening a second connection<syntaxhighlight lang="console">
$ ssh -o "ControlMaster=yes" myserver.example.org
</syntaxhighlight>The <code>-o "ControlMaster=yes"</code> option prevents the SSH client from reusing your active connection in case you have multiplexing enabled.

=== Fail2Ban ===
[[Fail2Ban]] configuration for SSH is active by default in Debian. However, if you changed the listening port of your server, you must reflect that in Fail2Ban. To do so, create file <code>/etc/fail2ban/jail.d/sshd.conf</code> with the following content
<syntaxhighlight lang="ini">
[sshd]
enabled = true
port = 2200 ; <= Set the port here
</syntaxhighlight>

== Client ==

=== Install ===
<syntaxhighlight lang="console">
# apt install openssh-client
</syntaxhighlight>

=== Configure ===

The settings of these section need to be written in file <code>/etc/ssh/ssh_config</code>. Unless they contains a <code>Host</code>, they must be set under the existing <code>Host *</code> section.

==== Shortcuts ====

When it comes to typing, my motto is ''less is more''. The following setting allows you to type <code>ssh server1</code> instead of <code>ssh server1.example.org</code>
<syntaxhighlight lang="apache">
Host server1 server2
CanonicalDomains example.org
CanonicalizeFallbackLocal no
CanonicalizeHostname yes
</syntaxhighlight>

==== Port ====

If you changed the port of your servers, this settings allows you client to use the correct port automatically.
<syntaxhighlight lang="apache">
Host *.example.org
Port 2200
</syntaxhighlight>

==== Crypo ====

These settings are derived from [https://stribika.github.io/2015/01/04/secure-secure-shell.html secure secure shell].
<syntaxhighlight lang="apache">
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,ssh-rsa
</syntaxhighlight>

==== Generate user keys ====
This needs to be run by all users. It is strongly recommended to set a password to your keys. A passwordless keyfile is as secure as a post-it on the wall with your password. If a script need unattended access to another machine, create dedicated accounts and key for that usage.
<syntaxhighlight lang="console">
$ ssh-keygen -t ed25519 -o -a 100
$ ssh-keygen -t rsa -b 4096 -o -a 100
</syntaxhighlight>

==== Verify published server key ====
Make sure your server has some [[#Publish server keys|published keys]].

Edit file <code>/etc/ssh/ssh_config</code> and add the line
<syntaxhighlight lang="apache">
VerifyHostKeyDNS yes
</syntaxhighlight>

== ssh-agent ==
ssh-agent is a program that can keep your ssh keys in memory and avoid you to type your password several time.

'''Warning:''' Anybody which can run command as your user or as root on your machine can reuse or eve steal your keys. Don't run ssh-agent on a machine unless you trust it 100%.

=== Run the agent ===
By default Debian and Ubuntu start <code>ssh-agent</code> when you log into a graphical session. However, the way it is done doesn't allow passing options to the agent.

To disable the default <code>ssh-agent</code> startup script, edit file <code>/etc/X11/Xsession.options</code> and remove line <code>use-ssh-agent</code>.

Add the following line to <code>~/.xsessionrc</code> (create the file is it doesn't exist). This need to be done for each user that wants to run <code>ssh-agent</code>.<syntaxhighlight lang="shell">
STARTUP="/usr/bin/ssh-agent -t 3600 ${TMPDIR:+env TMPDIR=$TMPDIR} $STARTUP"
</syntaxhighlight>

=== Add keys to agent ===
''Note'': You need OpenSSH version 7.2 or above for this to work.

SSH client is able to add keys to ssh-agent automatically. To do this, edit file <code>~/.ssh/config</code> and add<syntaxhighlight lang="apache">
Host *
AddKeysToAgent yes
</syntaxhighlight>

=== Forward agent ===
If you want to be able to connect from machine A to machine B and then from machine B to machine C without typing password twice, you can use a feature called agent forwarding. With this feature machine B will be able to use the keys from the agent running on machine A.

'''Warning:''' As for running the agent, you must only forward your agent to a machine that you trust 100%. Anybody with access to root or the account you use on machine B will be able to use your keys.

To enable the feature, add this to <code>~/.ssh/config</code><syntaxhighlight lang="apache">
Host machineB.example.org machineD.example.org
ForwardAgent yes
</syntaxhighlight>

== Reference Documents ==
[https://wiki.mozilla.org/Security/Guidelines/OpenSSH Mozilla Guidelines]

[https://stribika.github.io/2015/01/04/secure-secure-shell.html Secure Secure Shell][[Category:Linux Server]]
[[Category:Fail2Ban]]
[[Category:Debian Release]]

PHP

2017-10-05T20:07:02Z

Vincent: fix colouring

== Prerequisite ==

To use this guide, you will need [[Nginx]] installed and configured.

== Installation ==
<syntaxhighlight lang="console">
$ sudo apt install php-cli php-fpm php-apcu
</syntaxhighlight>

== Configuration ==
{{Warning|msg=Each version of php has different configuration files. You might need to adapt the 7.0 below to your actual php version. You will also need to redo this after php updates.}}

=== Common configuration ===

In Debian, the different flavor of PHP have their own configuration file. This allow fine grained configuration but makes it harder to have common behavior.

Let’s create a common file read by all PHP interpreters.<syntaxhighlight lang="console">
$ echo -e '; Commmon configuration for all PHP interpreters\n; priority=99\n' | sudo tee /etc/php/7.0/mods-available/local-common.ini > /dev/null
$ sudo phpenmod -v 7.0 local-common
</syntaxhighlight>Unless specified, all the settings bellow should go to <code>/etc/php/7.0/mods-available/local-common.ini</code>

=== PHP-FPM ===

==== Integrate with Nginx ====
Create file <code>/etc/nginx/conf.d/php.conf</code>
<syntaxhighlight lang="nginx">
upstream php {
server unix:/run/php/php7.0-fpm.sock;
}
</syntaxhighlight>

==== Configure Processes ====
PHP-FPM create processes to handle incoming requests. If it runs out of available processes, new requests will be put in queue and the users will experience delays.

The number of processes to use will heavily depend on the traffic on your websites and on the available RAM/CPU on your server. To find optimal values check the log file <code>/var/log/php7.0-fpm.log</code>. It will contains warnings when the number of processes need adjustment.

The values to change are present in <code>/etc/php/7.0/fpm/pool.d/www.conf</code>. A good start point can be<syntaxhighlight lang="ini">
pm = dynamic
pm.max_children = 30
pm.start_servers = 10
pm.min_spare_servers = 5
pm.max_spare_servers = 20
pm.max_requests = 500

</syntaxhighlight>

=== Security ===

PHP is known to have a particularly poor track record in term of security. Although things are improving, it is recommended to harden you installation.

==== Hide PHP ====

It is generally a bad idea to give information on the technologies used by your system. This setting make sure that PHP is not exposed.
<syntaxhighlight lang="ini">
; Name of the sessionid cookie. Hide PHP and get a smaller cookie
session.name = sid
; Don't add script name in emails
mail.add_x_header = 0
</syntaxhighlight>

==== Session IDs ====

By default PHP session IDs are not very random. Let's get some more entropy
<syntaxhighlight lang="ini">
; By default, PHP session IDs are not very random
; http://samy.pl/phpwn/ reduce session entropy down to 20 bits
; The settings bellow uses 256 bits of entropy from /dev/urandom
session.entropy_length = 32
; Default is md5
session.hash_function = sha256
; Not security related. Make the session ID cookie a bit shorter
session.hash_bits_per_character = 6
</syntaxhighlight>

Prevent session fixation attacks
<syntaxhighlight lang="ini">
; Don't allow client to choose their session id
session.use_strict_mode = 1
; Hide session cookie from JavaScript
session.cookie_httponly = 1
; Make session cookie work only with HTTPS
; Warning: it might break you application if you don't use HTTPS
session.cookie_secure = 1
</syntaxhighlight>

==== Limit File Access ====

By default, PHP allow scripts to read any file on the machine including sensible files like <code>/etc/passwd</code>.

The setting bellow limit that. Of course when new sites are added, the list of folder need to be extended.
<syntaxhighlight lang="ini">
; Column separated list of folder to allow inclusion from.
; Eg. "/usr/share/php/:/usr/share/phpmyadmin/"
open_basedir = "/usr/share/php/"
</syntaxhighlight>
[[Category:Linux Server]]
[[Category:Web Server]]

Nextcloud

2017-10-04T07:37:51Z

Vincent: Update Nginx conf for Nextcloud 12

= Prerequisite =
* [[Nginx]]
* [[PHP]]
* [[MariaDB]]

== Install ==

=== Download ===
Download Nextcloud from https://nextcloud.com/install/#instructions-server and extract the archive in <code>/var/www/nextcloud</code>.

Fix file permissions using<syntaxhighlight lang="console">
$ sudo chown -r www-data: /var/www/nextcloud/
</syntaxhighlight>

=== Configure PHP ===
{{PHP/open_basedir|folders=/var/www/nextcloud/:/dev/:/var/log/nextcloud/}}

=== Configure Webserver ===
{{Nginx/New Site|domain=nextcloud.example.org|config=server {
include snippets/listen-http.conf;
server_name nextcloud.example.org;

access_log /var/log/nginx/nextcloud.example.org.access.log;
error_log /var/log/nginx/nextcloud.example.org.error.log;

include snippets/https-permanent-redirect.conf;
}

server {
include snippets/listen-https.conf;
server_name nextcloud.example.org;

access_log /var/log/nginx/nextcloud.example.org.access.log;
error_log /var/log/nginx/nextcloud.example.org.error.log;

include snippets/acme-challenge.conf;
#include snippets/ssl.conf;
#ssl_certificate /etc/letsencrypt/live/nextcloud.example.org/fullchain.pem;
#ssl_certificate_key /etc/letsencrypt/live/nextcloud.example.org/privkey.pem;
#include snippets/hsts.conf;

# Protect web interface during initial setup
# The following two lines must be removed after initial configuration
auth_basic "You shall not pass!";
auth_basic_user_file /etc/nginx/htpasswd/generic.htpasswd;

include snippets/security-headers.conf;
# Using more_set_headers instead of add_header to be cascaded in sub location
more_set_headers "X-Robots-Tag: none";
more_set_headers "X-Download-Options: noopen";

# Path to the root of your installation
root /var/www/nextcloud/;

location = /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location = /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}

client_max_body_size 10G; # set max upload size
fastcgi_buffers 64 4K;

location / {
rewrite ^ /index.php$uri;
}

location ~ ^/(?:build{{!}}tests{{!}}config{{!}}lib{{!}}3rdparty{{!}}templates{{!}}data)/ {
deny all;
}
location ~ ^/(?:\.{{!}}autotest{{!}}occ{{!}}issue{{!}}indie{{!}}db_{{!}}console) {
deny all;
}

location ~ ^/(?:index{{!}}remote{{!}}public{{!}}cron{{!}}core/ajax/update{{!}}status{{!}}ocs/v[12]{{!}}updater/.+{{!}}ocs-provider/.+)\.php(?:${{!}}/) {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
fastcgi_param front_controller_active true;
fastcgi_pass php;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}

location ~ ^/(?:updater{{!}}ocs-provider)(?:${{!}}/) {
try_files $uri/ =404;
index index.php;
}

# Adding the cache control header for js and css files
# Make sure it is BELOW the PHP block
location ~* \.(?:css{{!}}js{{!}}woff{{!}}svg{{!}}gif)$ {
try_files $uri /index.php$uri$is_args$args;
add_header Cache-Control "public, max-age=15778463";
}

location ~* \.(?:png{{!}}html{{!}}ttf{{!}}ico{{!}}jpg{{!}}jpeg)$ {
try_files $uri /index.php$uri$is_args$args;
}
<nowiki>}</nowiki>
}}

=== Configure Nextcloud ===
//config.php<syntaxhighlight lang="console">
$ sudo tee "/usr/local/bin/occ" > /dev/null << EOF
> !/bin/sh
> sudo -u www-data /usr/bin/php /var/www/nextcloud/occ "\$@"
> EOF
$ sudo chmod +x /usr/local/bin/occ
</syntaxhighlight>

=== Logs ===
First you need to create a folder for the logs<syntaxhighlight lang="console">
$ sudo mkdir /var/log/nextcloud
$ sudo chmod 750 /var/log/nextcloud
$ sudo chown www-data:adm /var/log/nextcloud
</syntaxhighlight>Create file <code>/etc/logrotate.d/nextcloud</code> with the following content<syntaxhighlight lang="text">
/var/log/nextcloud/nextcloud.log {
rotate 6
monthly
compress
delaycompress
missingok
notifempty
create 640 www-data adm
}

</syntaxhighlight>Finally activate the new log location. Edit <code>/var/www/nextcloud/config/config.php</code> and add/edit the <code>logfile</code> line<syntaxhighlight lang="php">
'logfile' => '/var/log/nextcloud/nextcloud.log',
</syntaxhighlight>

=== Cron ===
Create file <code>/etc/cron.d/nextcloud</code><syntaxhighlight lang="text">
*/15 * * * * www-data /usr/bin/php -f /var/www/nextcloud/cron.php
</syntaxhighlight>Now open Nextcloud in your browser and go to the admin section and activate cron

[[File:owncloud cron.png|border|frameless|540x540px]]

== Test ==

=== Security ===
Nextcloud is providing a [https://scan.nextcloud.com/ security scanning service] for public instances. Scan your instance to find configuration issues.

[[Category:Debian Release]]
[[Category:Linux Server]]

Browser Extensions

2017-09-29T07:09:53Z

Vincent: /* KeePassHttp-Connector */ add chrome link

=== KeePassHttp-Connector ===
'''Links:''' [https://addons.mozilla.org/en-US/firefox/addon/keepasshttp-connector/ Firefox] [https://chrome.google.com/webstore/detail/keepasshttp-connector/dafgdjggglmmknipkhngniifhplpcldb Chrome]

== Privacy ==

=== Cookie AutoDelete ===
'''Links:''' [https://github.com/Cookie-AutoDelete/Cookie-AutoDelete Cookie-AutoDelete]

=== Decentraleyes ===
'''Links:''' [https://decentraleyes.org/ Decentraleyes]

=== HTTPS Everywhere ===
'''Links:''' [https://www.eff.org/https-everywhere HTTPS Everywhere]

=== Privacy Badger ===
Links: [https://www.eff.org/privacybadger Privacy Badger]

Browser Extensions

2017-09-28T09:54:53Z

Vincent: KeePassHttp-Connector

=== KeePassHttp-Connector ===
'''Links:''' [https://addons.mozilla.org/en-US/firefox/addon/keepasshttp-connector/ Firefox]

== Privacy ==

=== Cookie AutoDelete ===
'''Links:''' [https://github.com/Cookie-AutoDelete/Cookie-AutoDelete Cookie-AutoDelete]

=== Decentraleyes ===
'''Links:''' [https://decentraleyes.org/ Decentraleyes]

=== HTTPS Everywhere ===
'''Links:''' [https://www.eff.org/https-everywhere HTTPS Everywhere]

=== Privacy Badger ===
Links: [https://www.eff.org/privacybadger Privacy Badger]

Browser Extensions

2017-09-27T06:18:50Z

Vincent: Created page with "== Privacy == === Cookie AutoDelete === '''Links:''' [https://github.com/Cookie-AutoDelete/Cookie-AutoDelete Cookie-AutoDelete] === Decentraleyes === '''Links:''' [https://d..."

== Privacy ==

=== Cookie AutoDelete ===
'''Links:''' [https://github.com/Cookie-AutoDelete/Cookie-AutoDelete Cookie-AutoDelete]

=== Decentraleyes ===
'''Links:''' [https://decentraleyes.org/ Decentraleyes]

=== HTTPS Everywhere ===
'''Links:''' [https://www.eff.org/https-everywhere HTTPS Everywhere]

=== Privacy Badger ===
Links: [https://www.eff.org/privacybadger Privacy Badger]

Firefox

2017-09-26T22:51:41Z

Vincent: New settings

== Privacy ==

=== 3rd party cookies ===
Cookies are pieces of information that a website can store on your computer. There are two types of cookies:
* First party cookies: these are the cookies from the site you are visiting. They are used for example for the log-in functionality of most websites.
* Third party cookies: they are set by other website. For example, any time you visit a website with a like button from Facebook, Facebook will set a cookie on your computer. This allows them to follow them on most of the website you are going to. This is used by advertiser to know the websites you go to and show you the same advertising on all websites. In practice, very few websites use this for functionalities. It is quite safe to disable them.
Go to Preferences, and then, in the Privacy section, set Accept third-party-cookies to Never.

[[File:Firefox History Settings.png|border]]

=== WebRTC ===
[https://en.wikipedia.org/wiki/WebRTC WebRTC] is a protocol that allows peer to peer communication between browsers. This is for example for audio/video chat. To allow faster connections to computer within the same local network, this protocol allows the browser to share all your local IP addresses.

This has two major problems:
* If a website contain malware, knowing your addresses is helping it to infect your network.
* This can be used to [https://en.wikipedia.org/wiki/Device_fingerprint fingerprint] your device and track you around the web.
To stop the leak, go to <code>about:config</code> and change this setting<syntaxhighlight lang="ini">
media.peerconnection.ice.no_host=true
</syntaxhighlight>

== About:config ==
{| class="wikitable"
!Setting
!Value
!Description
|-
|extensions.pocket.enabled
|false
|Disable the pocket integration
|-
|browser.tabs.closeWindowWithLastTab
|false
|Prevent Firefox from closing when you close last tab
|}
[[Category:Android]]
[[Category:Linux Desktop]]
[[Category:Windows]]

Calibre

2017-09-03T18:49:37Z

Vincent:

Calibre is an eBook management software. It allows you to copy you books from / to your eReader, edit metadata, search your library…

== Prerequisite ==
* A Window or Linux computer. MacOs should work as well but was not tested.
* A Kobo eReader. While Calibre will work with any eReader or even as a standalone, this page assume that you are using this one. The instructions should work for any Kobo of the Touch, Glo, Mini and Aura families.

== Install ==

=== Download ===
When the firmware of your Kobo is updated, you usually need an up-to-date Calibre to be able to synchronise your eBooks. For this reason, it is recommended to not install from your Linux distribution but directly from their website.

To install, go to https://calibre-ebook.com/download and follow instructions.

=== First-run ===
The first time you run calibre you will be asked a few question. The most important is the location of your library. Calibre will use this folder to store al the eBooks that you add to it.

I recommend creating a folder named ''calibre'' somewhere in your computer and inside this one create a folder named ''library'' and use this last one as library location. There are two reasons for this. First Calibre will use the name of the folder as the name of the library in the interface. Having your library called library make things easier. Secondlly, Calibre will complain if you add any file to it's library folder. The parent folder allows you to store additional files related to Calibre.

== Kobo Setup ==
Calibre will allow you to send ebooks to your Kobo without any configuration. However, the following plugins will enhance your experience.

To install them, go to ''Preferences'' → ''Plug-ins'' → ''Get new plug-ins'', select the plugin in the list and click ''Install''.

=== KePub Metadata Reader / KePub Metadata Writer ===
These two plugins don't provide any features. They are just used as dependency by ''KePub Output'' and ''KoboTouch Extended''.

=== KePub Output ===
Kobo readers are using [https://wiki.mobileread.com/wiki/Kepub Kepub] files. Those are similar to standard Epub files but support additional functionalities.

This plugin allows conversion of ebooks to the kepub format.

=== KoboTouch Extended ===
This plugin replace the kobo driver that comes with Calibre, it allows the conversion to Kepub format transparently when you synchronise with a Kobo eReader.

After installing it, it is recommended to disable the default in plug-in to avoid Calibre choosing the wrong plugin. Go to ''Preferences'' → ''Plug-ins → Device Interface plug-ins'' and disable ''KoboTouch''.
[[File:KoboTouch Extended - plugin list.png|center|frameless|737x737px]]

=== Kobo Utilities ===
As its name says, this pugin provide various utilities to use with your Kobo eReader

==== Setup ====
* Plug your Kobo eReader to your computer
* Click the ''KoboUtilities'' button
* Select the ''Devices'' tab
* Click the ''Add connected device''

==== Read Percent ====
This allow to store reading status from your eReader to you Calibre library.

First step is to create columns in you library to store the data.
* Go to Preferences → Add your own columns
* Add the following columns {| class="wikitable" !Column header !Lookup name !Type !Description |- |Complete |complete |Integers |Percent of the book that is read on device |- |Read |read |Date |Last date where the book was read on device |}
* Validate & restart Calibre
Now you can configure KoboUtilities
* Click on KoboUtilities
* In the Profiles tab, set the ''Custom columns'' and ''Store on connect'' sections[[File:Calibre - Read columns.png|center|frameless|585x585px]]

==== Backups ====
The plugin can do backups of the database on your eReader. In case something goes wrong with your device, this might come handy.

Click the ''KoboUtilities'' button, select the ''Devices'' tab and setup the backup section.
[[File:Calibre backup settings.png|center|frameless|589x589px]]

==== Block Analytics ====
The kobo eReaders are including an analytics feature. In particular, they collect the infos on all the books that you put on your reader — including the ones that you didn't purchase from them.

This plugins allows to block analytics events
* Connect your eReader to your computer
* Click on the arrow near the KoboUtilities icon and select ''Database'' → ''Block Analytics Event''
* In the window that opened, select ''Create or change trigger'' and click ''Ok''

== eBooks with DRM ==
When you buy an eBook from most major online book stores, they are likely to be protected by DRM. This has two major consequences.
* You won't be able to convert your eBooks to the Kepub format. This mean that advanced features not be available unless you buy your books on the Kobo store
* You might not be able to read the book on the device of your choice
* If the book store ever stop its operations, you might not be able to read your eBook at all
Fortunately it is possible to remove DRM from books allo.ing you to use the file that you legally purchased.
{{Warning|msg=Removing DRM from the eBooks you purchased is illegal in some countries. Check the law before doing it. Do not share your eBooks illegally. Tagging technologies allow publishers to find the original purchaser of an eBook. You have been warned!}}

=== eBooks from Kobo ===

==== Install Plugin ====
Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/Obok_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Use ====
Simply click the ''Obok DeDRM'' button. The plugin will import and strip DRM from files.

Depending if your eReader is connected to your computer, the obok plugin will try to load book either from the eReader or the Kobo Desktop application.

=== eBooks From Other Book Stores ===
You can buy eBook from any book store that sell them in ePub. When those books are protected with DRM, you will need to use Adobe Digital Edition to download them.

==== Adobe ID ====
The first thing you need is an Adobe ID. If you don't have one, you can create one on https://accounts.adobe.com/.

==== Install Adobe Digital Edition ====
{{Warning|msg=}}You need to use version 1.7 or 2.0. https://github.com/apprenticeharper/DeDRM_tools/blob/master/FAQs.md#i-registered-adobe-digital-editions-30-or-later-with-an-adobe-id-before-downloading-but-my-epub-or-pdf-still-has-drm
'''Linux:''' Run the following commands <syntaxhighlight lang="console">
$ sudo apt install wine32 winetricks
$ winetricks adobe_diged
</syntaxhighlight>'''Windows:''' Download version 2.0 from http://download.adobe.com/pub/adobe/digitaleditions/ADE_2.0_Installer.exe

==== Authorize Adobe Digital Edition ====
Before opening a book in Adobe Digital Edition, you need to authorize it.

To authorise the computer go to ''Library'' → ''Authorize Computer'' (1.7) or ''Help'' → ''Authorize Computer'' (2.0).

Select Adobe ID as provider, and enter your adobe account info.

==== Install DeDRM Plugin ====
'''Linux Only:''' Check [https://raw.githubusercontent.com/apprenticeharper/DeDRM_tools/master/DeDRM_calibre_plugin/DeDRM_plugin_ReadMe.txt official instructions], section ''Linux Systems Only''. You don't need to install ''Adobe Digital Editions'' since you just did it. You can also skip anything related to Kindle unless you want to buy books on Amazon.

'''All:''' Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/DeDRM_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Import Books ====
'''Note:''' You can test the procedure using [https://www.adobe.com/uk/solutions/ebook/digital-editions/sample-ebook-library.html sample files from Adobe]. Make sure you test files with acsm extension.

When you buy an eBook protected by Adobe DRM, the file you download is not the eBook but a license file with the acsm extension.

The first thing to do is to open this acsm file in ''Adobe Digital Edition'' to retrieve the actual eBook.

To import the eBook in Calibre and remove the DRM, simply click the ''Add books'' buttons. The files are in a folder named ''My Digital Editions'' in you ''Home'' or ''My Documents'' folder.

To make sure that the DRM where correctly removed, right-click on the book in Calibre and choose ''view''. If the book displays, there is no more DRM.

== Configuration ==

=== Icons ===
The default icon theme is not very consistent in terms of colour / style.

To change it, go to ''Preferences'' → ''Look & feel'' → ''Change icon theme''. I recommand the Monstre theme which is quite complete and look nice.

== Buy Books ==
Calibre allows you to search and buy books directly from the interface. This has a few advantages:
* Calibre will search several shops and compare prices
* Some shops are paying back a percentage from your purchase to Calibre developers. You can sponsor development without paying more.

=== Setup ===
Right click on ''Get books'' and go to ''Choose stores.'' In the list of stores unselect the ones the don't sell in ePub format (Amazon & Barnes and Noble). Also unselect the stores that are in languages that you don't speak (while they might have interesting books, you will need to go to their website to complete the purchase).

=== Buy Books ===
* Click the ''Get books'' icon.
* Enter search criteria and click on ''Search''
* Double click the book you want to buy
* Process to payment and download on the shop website
* If you downloaded a .acsm file see the section on DRM above
* Otherwise, in Calibre, click on ''Add Books'' select the file on your disk
[[Category:Linux Desktop]]
[[Category:Windows]]

Calibre

2017-09-02T16:35:26Z

Vincent:

Calibre is an eBook management software. It allows you to copy you books from / to your eReader, edit metadata, search your library…

== Prerequisite ==
* A Window or Linux computer. MacOs should work as well but was not tested.
* A Kobo eReader. While Calibre will work with any eReader or even as a standalone, this page assume that you are using one. The instructions should work for any Kobo of the Touch, Glo, Mini and Aura families.

== Install ==

=== Download ===
When the firmware of your Kobo is updated, you usually need an up-to-date Calibre to be able to synchronise your eBooks. For this reason, it is recommended to not install from your Linux distribution but directly from their website.

To install, go to https://calibre-ebook.com/download and follow instructions.

=== First-run ===
The first time you run calibre you will be asked a few question. The most important is the location of your library. Calibre will use this folder to store al the eBooks that you add to it.

== Kobo Setup ==
Calibre will allow you to send ebooks to your Kobo without any configuration. However, the following plugins will enhance your experience.

To install them, go to ''Preferences'' → ''Plug-ins'' → ''Get new plug-ins'', select the plugin in the list and click ''Install''.

=== KePub Metadata Reader / KePub Metadata Writer ===
These two plugins don't provide any features. They are just used as dependency by ''KePub Output'' and ''KoboTouch Extended''.

=== KePub Output ===
Kobo readers are using [https://wiki.mobileread.com/wiki/Kepub Kepub] files. Those are similar to standard Epub files but support additional functionalities.

This plugin allows conversion of ebooks to the kepub format.

=== KoboTouch Extended ===
This plugin replace the kobo driver that comes with Calibre, it allows the conversion to Kepub format transparently when you synchronise with a Kobo eReader.

After installing it, it is recommended to disable the default in plug-in to avoid Calibre choosing the wrong plugin. Go to ''Preferences'' → ''Plug-ins → Device Interface plug-ins'' and disable ''KoboTouch''.
[[File:KoboTouch Extended - plugin list.png|center|frameless|737x737px]]

=== Kobo Utilities ===
As its name says, this pugin provide various utilities to use with your Kobo eReader

==== Setup ====
* Plug your Kobo eReader to your computer
* Click the ''KoboUtilities'' button
* Select the ''Devices'' tab
* Click the ''Add connected device''

==== Read Percent ====
This allow to store reading status from your eReader to you Calibre library.

First step is to create columns in you library to store the data.
* Go to Preferences → Add your own columns
* Add the following columns {| class="wikitable" !Column header !Lookup name !Type !Description |- |Complete |complete |Integers |Percent of the book that is read on device |- |Read |read |Date |Last date where the book was read on device |}
* Validate & restart Calibre
Now you can configure KoboUtilities
* Click on KoboUtilities
* In the Profiles tab, set the ''Custom columns'' and ''Store on connect'' sections[[File:Calibre - Read columns.png|center|frameless|585x585px]]

==== Backups ====
The plugin can do backups of the database on your eReader. In case something goes wrong with your device, this might come handy.

Click the ''KoboUtilities'' button, select the ''Devices'' tab and setup the backup section.
[[File:Calibre backup settings.png|center|frameless|589x589px]]

==== Block Analytics ====
The kobo eReaders are including an analytics feature. In particular, they collect the infos on all the books that you put on your reader — including the ones that you didn't purchase from them.

This plugins allows to block analytics events
* Connect your eReader to your computer
* Click on the arrow near the KoboUtilities icon and select ''Database'' → ''Block Analytics Event''
* In the window that opened, select ''Create or change trigger'' and click ''Ok''

== eBooks with DRM ==
When you buy an eBook from most major online book stores, they are likely to be protected by DRM. This has two major consequences.
* You won't be able to convert your eBooks to the Kepub format. This mean that advanced features not be available unless you buy your books on the Kobo store
* You might not be able to read the book on the device of your choice
* If the book store ever stop its operations, you might not be able to read your eBook at all
Fortunately it is possible to remove DRM from books allo.ing you to use the file that you legally purchased.
{{Warning|msg=Removing DRM from the eBooks you purchased is illegal in some countries. Check the law before doing it. Do not share your eBooks illegally. Tagging technologies allow publishers to find the original purchaser of an eBook. You have been warned!}}

=== eBooks from Kobo ===

==== Install Plugin ====
Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/Obok_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Use ====
Simply click the ''Obok DeDRM'' button. The plugin will import and strip DRM from files.

Depending if your eReader is connected to your computer, the obok plugin will try to load book either from the eReader or the Kobo Desktop application.

=== eBooks From Other Book Stores ===
You can buy eBook from any book store that sell them in ePub. When those books are protected with DRM, you will need to use Adobe Digital Edition to download them.

==== Adobe ID ====
The first thing you need is an Adobe ID. If you don't have one, you can create one on https://accounts.adobe.com/.

==== Install Adobe Digital Edition ====
{{Warning|msg=}}You need to use version 1.7 or 2.0. https://github.com/apprenticeharper/DeDRM_tools/blob/master/FAQs.md#i-registered-adobe-digital-editions-30-or-later-with-an-adobe-id-before-downloading-but-my-epub-or-pdf-still-has-drm
'''Linux:''' Run the following commands <syntaxhighlight lang="console">
$ sudo apt install wine32 winetricks
$ winetricks adobe_diged
</syntaxhighlight>'''Windows:''' Download version 2.0 from http://download.adobe.com/pub/adobe/digitaleditions/ADE_2.0_Installer.exe

==== Authorize Adobe Digital Edition ====
Before opening a book in Adobe Digital Edition, you need to authorize it.

To authorise the computer go to ''Library'' → ''Authorize Computer'' (1.7) or ''Help'' → ''Authorize Computer'' (2.0).

Select Adobe ID as provider, and enter your adobe account info.

==== Install DeDRM Plugin ====
'''Linux Only:''' Check [https://raw.githubusercontent.com/apprenticeharper/DeDRM_tools/master/DeDRM_calibre_plugin/DeDRM_plugin_ReadMe.txt official instructions], section ''Linux Systems Only''. You don't need to install ''Adobe Digital Editions'' since you just did it. You can also skip anything related to Kindle unless you want to buy books on Amazon.

'''All:''' Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/DeDRM_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Import Books ====
'''Note:''' You can test the procedure using [https://www.adobe.com/uk/solutions/ebook/digital-editions/sample-ebook-library.html sample files from Adobe]. Make sure you test files with acsm extension.

When you buy an eBook protected by Adobe DRM, the file you download is not the eBook but a license file with the acsm extension.

The first thing to do is to open this acsm file in ''Adobe Digital Edition'' to retrieve the actual eBook.

To import the eBook in Calibre and remove the DRM, simply click the ''Add books'' buttons. The files are in a folder named ''My Digital Editions'' in you ''Home'' or ''My Documents'' folder.

To make sure that the DRM where correctly removed, right-click on the book in Calibre and choose ''view''. If the book displays, there is no more DRM.

== Configuration ==

=== Icons ===
The default icon theme is not very consistent in terms of colour / style.

To change it, go to ''Preferences'' → ''Look & feel'' → ''Change icon theme''. I recommand the Monstre theme which is quite complete and look nice.

== Buy Books ==
Calibre allows you to search and buy books directly from the interface. This has a few advantages:
* Calibre will search several shops and compare prices
* Some shops are paying back a percentage from your purchase to Calibre developers. You can sponsor development without paying more.

=== Setup ===
Right click on ''Get books'' and go to ''Choose stores.'' In the list of stores unselect the ones the don't sell in ePub format (Amazon & Barnes and Noble). Also unselect the stores that are in languages that you don't speak (while they might have interesting books, you will need to go to their website to complete the purchase).

=== Buy Books ===
* Click the ''Get books'' icon.
* Enter search criteria and click on ''Search''
* Double click the book you want to buy
* Process to payment and download on the shop website
* If you downloaded a .acsm file see the section on DRM above
* Otherwise, in Calibre, click on ''Add Books'' select the file on your disk
[[Category:Linux Desktop]]
[[Category:Windows]]

Calibre

2017-09-02T16:20:29Z

Vincent: Buy books

Calibre is an ebook management software.

== Prerequisite ==
* A Window or Linux computer. MacOs should work as well but was not tested.
* A Kobo eReader. The instructions should work for any Kobo of the Touch, Glo, Mini and Aura families.

== Install ==

=== Download ===
When the firmware of your Kobo is updated, you usually need an up-to-date Calibre to be able to synchronise your eBooks. For this reason, it is recommended to not install from your Linux distribution but directly from their website.

To install, go to https://calibre-ebook.com/download and follow instructions.

=== First-run ===
The first time you run calibre you will be asked a few question. The most important is the location of your library. Calibre will use this folder to store al the eBooks that you add to it.

== Kobo Setup ==
Calibre will allow you to send ebooks to your Kobo without any configuration. However, the following plugins will enhance your experience.

To install them, go to ''Preferences'' → ''Plug-ins'' → ''Get new plug-ins'', select the plugin in the list and click ''Install''.

=== KePub Metadata Reader / KePub Metadata Writer ===
These two plugins don't provide any features. They are just used as dependency by ''KePub Output'' and ''KoboTouch Extended''.

=== KePub Output ===
Kobo readers are using [https://wiki.mobileread.com/wiki/Kepub Kepub] files. Those are similar to standard Epub files but support additional functionalities.

This plugin allows conversion of ebooks to the kepub format.

=== KoboTouch Extended ===
This plugin replace the kobo driver that comes with Calibre, it allows the conversion to Kepub format transparently when you synchronise with a Kobo eReader.

After installing it, it is recommended to disable the default in plug-in to avoid Calibre choosing the wrong plugin. Go to ''Preferences'' → ''Plug-ins → Device Interface plug-ins'' and disable ''KoboTouch''.
[[File:KoboTouch Extended - plugin list.png|center|frameless|737x737px]]

=== Kobo Utilities ===
As its name says, this pugin provide various utilities to use with your Kobo eReader

==== Setup ====
* Plug your Kobo eReader to your computer
* Click the ''KoboUtilities'' button
* Select the ''Devices'' tab
* Click the ''Add connected device''

==== Read Percent ====
This allow to store reading status from your eReader to you Calibre library.

First step is to create columns in you library to store the data.
* Go to Preferences → Add your own columns
* Add the following columns {| class="wikitable" !Column header !Lookup name !Type !Description |- |Complete |complete |Integers |Percent of the book that is read on device |- |Read |read |Date |Last date where the book was read on device |}
* Validate & restart Calibre
Now you can configure KoboUtilities
* Click on KoboUtilities
* In the Profiles tab, set the ''Custom columns'' and ''Store on connect'' sections[[File:Calibre - Read columns.png|center|frameless|585x585px]]

==== Backups ====
The plugin can do backups of the database on your eReader. In case something goes wrong with your device, this might come handy.

Click the ''KoboUtilities'' button, select the ''Devices'' tab and setup the backup section.
[[File:Calibre backup settings.png|center|frameless|589x589px]]

==== Block Analytics ====
The kobo eReaders are including an analytics feature. In particular, they collect the infos on all the books that you put on your reader — including the ones that you didn't purchase from them.

This plugins allows to block analytics events
* Connect your eReader to your computer
* Click on the arrow near the KoboUtilities icon and select ''Database'' → ''Block Analytics Event''
* In the window that opened, select ''Create or change trigger'' and click ''Ok''

== eBooks with DRM ==
When you buy an eBook from most major online book stores, they are likely to be protected by DRM. This has two major consequences.
* You won't be able to convert your eBooks to the Kepub format. This mean that advanced features not be available unless you buy your books on the Kobo store
* You might not be able to read the book on the device of your choice
* If the book store ever stop its operations, you might not be able to read your eBook at all
Fortunately it is possible to remove DRM from books allo.ing you to use the file that you legally purchased.
{{Warning|msg=Removing DRM from the eBooks you purchased is illegal in some countries. Check the law before doing it. Do not share your eBooks illegally. Tagging technologies allow publishers to find the original purchaser of an eBook. You have been warned!}}

=== eBooks from Kobo ===

==== Install Plugin ====
Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/Obok_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Use ====
Simply click the ''Obok DeDRM'' button. The plugin will import and strip DRM from files.

Depending if your eReader is connected to your computer, the obok plugin will try to load book either from the eReader or the Kobo Desktop application.

=== eBooks From Other Book Stores ===
You can buy eBook from any book store that sell them in ePub. When those books are protected with DRM, you will need to use Adobe Digital Edition to download them.

==== Adobe ID ====
The first thing you need is an Adobe ID. If you don't have one, you can create one on https://accounts.adobe.com/.

==== Install Adobe Digital Edition ====
{{Warning|msg=}}You need to use version 1.7 or 2.0. https://github.com/apprenticeharper/DeDRM_tools/blob/master/FAQs.md#i-registered-adobe-digital-editions-30-or-later-with-an-adobe-id-before-downloading-but-my-epub-or-pdf-still-has-drm
'''Linux:''' Run the following commands <syntaxhighlight lang="console">
$ sudo apt install wine32 winetricks
$ winetricks adobe_diged
</syntaxhighlight>'''Windows:''' Download version 2.0 from http://download.adobe.com/pub/adobe/digitaleditions/ADE_2.0_Installer.exe

==== Authorize Adobe Digital Edition ====
Before opening a book in Adobe Digital Edition, you need to authorize it.

To authorise the computer go to ''Library'' → ''Authorize Computer'' (1.7) or ''Help'' → ''Authorize Computer'' (2.0).

Select Adobe ID as provider, and enter your adobe account info.

==== Install DeDRM Plugin ====
'''Linux Only:''' Check [https://raw.githubusercontent.com/apprenticeharper/DeDRM_tools/master/DeDRM_calibre_plugin/DeDRM_plugin_ReadMe.txt official instructions], section ''Linux Systems Only''. You don't need to install ''Adobe Digital Editions'' since you just did it. You can also skip anything related to Kindle unless you want to buy books on Amazon.

'''All:''' Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/DeDRM_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Import Books ====
'''Note:''' You can test the procedure using [https://www.adobe.com/uk/solutions/ebook/digital-editions/sample-ebook-library.html sample files from Adobe]. Make sure you test files with acsm extension.

When you buy an eBook protected by Adobe DRM, the file you download is not the eBook but a license file with the acsm extension.

The first thing to do is to open this acsm file in ''Adobe Digital Edition'' to retrieve the actual eBook.

To import the eBook in Calibre and remove the DRM, simply click the ''Add books'' buttons. The files are in a folder named ''My Digital Editions'' in you ''Home'' or ''My Documents'' folder.

To make sure that the DRM where correctly removed, right-click on the book in Calibre and choose ''view''. If the book displays, there is no more DRM.

== Configuration ==

=== Icons ===
The default icon theme is not very consistent in terms of colour / style.

To change it, go to ''Preferences'' → ''Look & feel'' → ''Change icon theme''. I recommand the Monstre theme which is quite complete and look nice.

== Buy Books ==
Calibre allows you to search and buy books directly from the interface. This has a few advantages:
* Calibre will search several shops and compare prices
* Some shops are paying back a percentage from your purchase to Calibre developers. You can sponsor development without paying more.

=== Setup ===
Right click on ''Get books'' and go to ''Choose stores.'' In the list of stores unselect the ones the don't sell in ePub format (Amazon & Barnes and Noble). Also unselect the stores that are in languages that you don't speak (while they might have interesting books, you will need to go to their website to complete the purchase).

=== Buy Books ===
* Click the ''Get books'' icon.
* Enter search criteria and click on ''Search''
* Double click the book you want to buy
* Process to payment and download on the shop website
* If you downloaded a .acsm file see the section on DRM above
* Otherwise, in Calibre, click on ''Add Books'' select the file on your disk
[[Category:Linux Desktop]]
[[Category:Windows]]

Calibre

2017-09-02T15:20:39Z

Vincent: /* Read Percent */

Calibre is an ebook management software.

== Prerequisite ==
* A Window or Linux computer. MacOs should work as well but was not tested.
* A Kobo eReader. The instructions should work for any Kobo of the Touch, Glo, Mini and Aura families.

== Install ==

=== Download ===
When the firmware of your Kobo is updated, you usually need an up-to-date Calibre to be able to synchronise your eBooks. For this reason, it is recommended to not install from your Linux distribution but directly from their website.

To install, go to https://calibre-ebook.com/download and follow instructions.

=== First-run ===
The first time you run calibre you will be asked a few question. The most important is the location of your library. Calibre will use this folder to store al the eBooks that you add to it.

== Kobo Setup ==
Calibre will allow you to send ebooks to your Kobo without any configuration. However, the following plugins will enhance your experience.

To install them, go to ''Preferences'' → ''Plug-ins'' → ''Get new plug-ins'', select the plugin in the list and click ''Install''.

=== KePub Metadata Reader / KePub Metadata Writer ===
These two plugins don't provide any features. They are just used as dependency by ''KePub Output'' and ''KoboTouch Extended''.

=== KePub Output ===
Kobo readers are using [https://wiki.mobileread.com/wiki/Kepub Kepub] files. Those are similar to standard Epub files but support additional functionalities.

This plugin allows conversion of ebooks to the kepub format.

=== KoboTouch Extended ===
This plugin replace the kobo driver that comes with Calibre, it allows the conversion to Kepub format transparently when you synchronise with a Kobo eReader.

After installing it, it is recommended to disable the default in plug-in to avoid Calibre choosing the wrong plugin. Go to ''Preferences'' → ''Plug-ins → Device Interface plug-ins'' and disable ''KoboTouch''.
[[File:KoboTouch Extended - plugin list.png|center|frameless|737x737px]]

=== Kobo Utilities ===
As its name says, this pugin provide various utilities to use with your Kobo eReader

==== Setup ====
* Plug your Kobo eReader to your computer
* Click the ''KoboUtilities'' button
* Select the ''Devices'' tab
* Click the ''Add connected device''

==== Read Percent ====
This allow to store reading status from your eReader to you Calibre library.

First step is to create columns in you library to store the data.
* Go to Preferences → Add your own columns
* Add the following columns {| class="wikitable" !Column header !Lookup name !Type !Description |- |Complete |complete |Integers |Percent of the book that is read on device |- |Read |read |Date |Last date where the book was read on device |}
* Validate & restart Calibre
Now you can configure KoboUtilities
* Click on KoboUtilities
* In the Profiles tab, set the ''Custom columns'' and ''Store on connect'' sections[[File:Calibre - Read columns.png|center|frameless|585x585px]]

==== Backups ====
The plugin can do backups of the database on your eReader. In case something goes wrong with your device, this might come handy.

Click the ''KoboUtilities'' button, select the ''Devices'' tab and setup the backup section.
[[File:Calibre backup settings.png|center|frameless|589x589px]]

==== Block Analytics ====
The kobo eReaders are including an analytics feature. In particular, they collect the infos on all the books that you put on your reader — including the ones that you didn't purchase from them.

This plugins allows to block analytics events
* Connect your eReader to your computer
* Click on the arrow near the KoboUtilities icon and select ''Database'' → ''Block Analytics Event''
* In the window that opened, select ''Create or change trigger'' and click ''Ok''

== eBooks with DRM ==
When you buy an eBook from most major online book stores, they are likely to be protected by DRM. This has two major consequences.
* You won't be able to convert your eBooks to the Kepub format. This mean that advanced features not be available unless you buy your books on the Kobo store
* You might not be able to read the book on the device of your choice
* If the book store ever stop its operations, you might not be able to read your eBook at all
Fortunately it is possible to remove DRM from books allo.ing you to use the file that you legally purchased.
{{Warning|msg=Removing DRM from the eBooks you purchased is illegal in some countries. Check the law before doing it. Do not share your eBooks illegally. Tagging technologies allow publishers to find the original purchaser of an eBook. You have been warned!}}

=== eBooks from Kobo ===

==== Install Plugin ====
Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/Obok_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Use ====
Simply click the ''Obok DeDRM'' button. The plugin will import and strip DRM from files.

Depending if your eReader is connected to your computer, the obok plugin will try to load book either from the eReader or the Kobo Desktop application.

=== eBooks From Other Book Stores ===
You can buy eBook from any book store that sell them in ePub. When those books are protected with DRM, you will need to use Adobe Digital Edition to download them.

==== Adobe ID ====
The first thing you need is an Adobe ID. If you don't have one, you can create one on https://accounts.adobe.com/.

==== Install Adobe Digital Edition ====
{{Warning|msg=}}You need to use version 1.7 or 2.0. https://github.com/apprenticeharper/DeDRM_tools/blob/master/FAQs.md#i-registered-adobe-digital-editions-30-or-later-with-an-adobe-id-before-downloading-but-my-epub-or-pdf-still-has-drm
'''Linux:''' Run the following commands <syntaxhighlight lang="console">
$ sudo apt install wine32 winetricks
$ winetricks adobe_diged
</syntaxhighlight>'''Windows:''' Download version 2.0 from http://download.adobe.com/pub/adobe/digitaleditions/ADE_2.0_Installer.exe

==== Authorize Adobe Digital Edition ====
Before opening a book in Adobe Digital Edition, you need to authorize it.

To authorise the computer go to ''Library'' → ''Authorize Computer'' (1.7) or ''Help'' → ''Authorize Computer'' (2.0).

Select Adobe ID as provider, and enter your adobe account info.

==== Install DeDRM Plugin ====
'''Linux Only:''' Check [https://raw.githubusercontent.com/apprenticeharper/DeDRM_tools/master/DeDRM_calibre_plugin/DeDRM_plugin_ReadMe.txt official instructions], section ''Linux Systems Only''. You don't need to install ''Adobe Digital Editions'' since you just did it. You can also skip anything related to Kindle unless you want to buy books on Amazon.

'''All:''' Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/DeDRM_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Import Books ====
'''Note:''' You can test the procedure using [https://www.adobe.com/uk/solutions/ebook/digital-editions/sample-ebook-library.html sample files from Adobe]. Make sure you test files with acsm extension.

When you buy an eBook protected by Adobe DRM, the file you download is not the eBook but a license file with the acsm extension.

The first thing to do is to open this acsm file in ''Adobe Digital Edition'' to retrieve the actual eBook.

To import the eBook in Calibre and remove the DRM, simply click the ''Add books'' buttons. The files are in a folder named ''My Digital Editions'' in you ''Home'' or ''My Documents'' folder.

To make sure that the DRM where correctly removed, right-click on the book in Calibre and choose ''view''. If the book displays, there is no more DRM.

== Configuration ==

=== Icons ===
The default icon theme is not very consistent in terms of colour / style.

To change it, go to ''Preferences'' → ''Look & feel'' → ''Change icon theme''. I recommand the Monstre theme which is quite complete and look nice.
[[Category:Linux Desktop]]
[[Category:Windows]]

File:Calibre - Read columns.png

2017-09-02T15:18:09Z

Vincent:

Calibre - Read columns

Calibre

2017-09-02T14:18:49Z

Vincent: Add categories

{{WIP}}

Calibre is an ebook management software.

== Prerequisite ==
* A Window or Linux computer. MacOs should work as well but was not tested.
* A Kobo eReader. The instructions should work for any Kobo of the Touch, Glo, Mini and Aura families.

== Install ==

=== Download ===
When the firmware of your Kobo is updated, you usually need an up-to-date Calibre to be able to synchronise your eBooks. For this reason, it is recommended to not install from your Linux distribution but directly from their website.

To install, go to https://calibre-ebook.com/download and follow instructions.

=== First-run ===
The first time you run calibre you will be asked a few question. The most important is the location of your library. Calibre will use this folder to store al the eBooks that you add to it.

== Kobo Setup ==
Calibre will allow you to send ebooks to your Kobo without any configuration. However, the following plugins will enhance your experience.

To install them, go to ''Preferences'' → ''Plug-ins'' → ''Get new plug-ins'', select the plugin in the list and click ''Install''.

=== KePub Metadata Reader / KePub Metadata Writer ===
These two plugins don't provide any features. They are just used as dependency by ''KePub Output'' and ''KoboTouch Extended''.

=== KePub Output ===
Kobo readers are using [https://wiki.mobileread.com/wiki/Kepub Kepub] files. Those are similar to standard Epub files but support additional functionalities.

This plugin allows conversion of ebooks to the kepub format.

=== KoboTouch Extended ===
This plugin replace the kobo driver that comes with Calibre, it allows the conversion to Kepub format transparently when you synchronise with a Kobo eReader.

After installing it, it is recommended to disable the default in plug-in to avoid Calibre choosing the wrong plugin. Go to ''Preferences'' → ''Plug-ins → Device Interface plug-ins'' and disable ''KoboTouch''.
[[File:KoboTouch Extended - plugin list.png|center|frameless|737x737px]]

=== Kobo Utilities ===
As its name says, this pugin provide various utilities to use with your Kobo eReader

==== Setup ====
* Plug your Kobo eReader to your computer
* Click the ''KoboUtilities'' button
* Select the ''Devices'' tab
* Click the ''Add connected device''

==== Read Percent ====

==== Backups ====
Click the ''KoboUtilities'' button, select the ''Devices'' tab and setup the backup section.
[[File:Calibre backup settings.png|center|frameless|589x589px]]

==== Block Analytics ====
The kobo eReaders are including an analytics feature. In particular, they collect the infos on all the books that you put on your reader — including the ones that you didn't purchase from them.

This plugins allows to block analytics events
* Connect your eReader to your computer
* Click on the arrow near the KoboUtilities icon and select ''Database'' → ''Block Analytics Event''
* In the window that opened, select ''Create or change trigger'' and click ''Ok''

== eBooks with DRM ==
When you buy an eBook from most major online book stores, they are likely to be protected by DRM. This has two major consequences.
* You won't be able to convert your eBooks to the Kepub format. This mean that advanced features not be available unless you buy your books on the Kobo store
* You might not be able to read the book on the device of your choice
* If the book store ever stop its operations, you might not be able to read your eBook at all
Fortunately it is possible to remove DRM from books allo.ing you to use the file that you legally purchased.
{{Warning|msg=Removing DRM from the eBooks you purchased is illegal in some countries. Check the law before doing it. Do not share your eBooks illegally. Tagging technologies allow publishers to find the original purchaser of an eBook. You have been warned!}}

=== eBooks from Kobo ===

==== Install Plugin ====
Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/Obok_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Use ====
Simply click the ''Obok DeDRM'' button. The plugin will import and strip DRM from files.

Depending if your eReader is connected to your computer, the obok plugin will try to load book either from the eReader or the Kobo Desktop application.

=== eBooks From Other Book Stores ===
You can buy eBook from any book store that sell them in ePub. When those books are protected with DRM, you will need to use Adobe Digital Edition to download them.

==== Adobe ID ====
The first thing you need is an Adobe ID. If you don't have one, you can create one on https://accounts.adobe.com/.

==== Install Adobe Digital Edition ====
{{Warning|msg=}}You need to use version 1.7 or 2.0. https://github.com/apprenticeharper/DeDRM_tools/blob/master/FAQs.md#i-registered-adobe-digital-editions-30-or-later-with-an-adobe-id-before-downloading-but-my-epub-or-pdf-still-has-drm
'''Linux:''' Run the following commands <syntaxhighlight lang="console">
$ sudo apt install wine32 winetricks
$ winetricks adobe_diged
</syntaxhighlight>'''Windows:''' Download version 2.0 from http://download.adobe.com/pub/adobe/digitaleditions/ADE_2.0_Installer.exe

==== Authorize Adobe Digital Edition ====
Before opening a book in Adobe Digital Edition, you need to authorize it.

To authorise the computer go to ''Library'' → ''Authorize Computer'' (1.7) or ''Help'' → ''Authorize Computer'' (2.0).

Select Adobe ID as provider, and enter your adobe account info.

==== Install DeDRM Plugin ====
'''Linux Only:''' Check [https://raw.githubusercontent.com/apprenticeharper/DeDRM_tools/master/DeDRM_calibre_plugin/DeDRM_plugin_ReadMe.txt official instructions], section ''Linux Systems Only''. You don't need to install ''Adobe Digital Editions'' since you just did it. You can also skip anything related to Kindle unless you want to buy books on Amazon.

'''All:''' Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/DeDRM_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Import Books ====
'''Note:''' You can test the procedure using [https://www.adobe.com/uk/solutions/ebook/digital-editions/sample-ebook-library.html sample files from Adobe]. Make sure you test files with acsm extension.

When you buy an eBook protected by Adobe DRM, the file you download is not the eBook but a license file with the acsm extension.

The first thing to do is to open this acsm file in ''Adobe Digital Edition'' to retrieve the actual eBook.

To import the eBook in Calibre and remove the DRM, simply click the ''Add books'' buttons. The files are in a folder named ''My Digital Editions'' in you ''Home'' or ''My Documents'' folder.

To make sure that the DRM where correctly removed, right-click on the book in Calibre and choose ''view''. If the book displays, there is no more DRM.

== Configuration ==

=== Icons ===
The default icon theme is not very consistent in terms of colour / style.

To change it, go to ''Preferences'' → ''Look & feel'' → ''Change icon theme''. I recommand the Monstre theme which is quite complete and look nice.
[[Category:Linux Desktop]]
[[Category:Windows]]

Calibre

2017-09-02T14:17:38Z

Vincent: /* Configuration */ KoboUtilities

File:Calibre backup settings.png

2017-09-02T14:15:16Z

Vincent:

Calibre backup settings

Calibre

2017-08-31T18:41:43Z

Vincent: /* Setup */ Change icon theme

{{WIP}}

Calibre is an ebook management software.

== Prerequisite ==
* A Window or Linux computer. MacOs should work as well but was not tested.
* A Kobo eReader. The instructions should work for any Kobo of the Touch, Glo, Mini and Aura families.

== Install ==

=== Download ===
When the firmware of your Kobo is updated, you usually need an up-to-date Calibre to be able to synchronise your eBooks. For this reason, it is recommended to not install from your Linux distribution but directly from their website.

To install, go to https://calibre-ebook.com/download and follow instructions.

=== First-run ===
The first time you run calibre you will be asked a few question. The most important is the location of your library. Calibre will use this folder to store al the eBooks that you add to it.

== Kobo Setup ==
Calibre will allow you to send ebooks to your Kobo without any configuration. However, the following plugins will enhance your experience.

To install them, go to ''Preferences'' → ''Plug-ins'' → ''Get new plug-ins'', select the plugin in the list and click ''Install''.

=== KePub Metadata Reader / KePub Metadata Writer ===
These two plugins don't provide any features. They are just used as dependency by ''KePub Output'' and ''KoboTouch Extended''.

=== KePub Output ===
Kobo readers are using [https://wiki.mobileread.com/wiki/Kepub Kepub] files. Those are similar to standard Epub files but support additional functionalities.

This plugin allows conversion of ebooks to the kepub format.

=== KoboTouch Extended ===
This plugin replace the kobo driver that comes with Calibre, it allows the conversion to Kepub format transparently when you synchronise with a Kobo eReader.

After installing it, it is recommended to disable the default in plug-in to avoid Calibre choosing the wrong plugin. Go to ''Preferences'' → ''Plug-ins → Device Interface plug-ins'' and disable ''KoboTouch''.
[[File:KoboTouch Extended - plugin list.png|center|frameless|737x737px]]

=== Kobo Utilities ===
As its name says, this pugin provide various utilities to use with your Kobo eReader

==== Setup ====

==== Read Percent ====

==== Backups ====

==== Block Analytics ====
The kobo eReaders are including an analytics feature. In particular, they collect the infos on all the books that you put on your reader — including the ones that you didn't purchase from them.

This plugins allows to block analytics events
* Connect your eReader to your computer
* Click on the arrow near the KoboUtilities icon and select ''Database'' → ''Block Analytics Event''
* In the window that opened, select ''Create or change trigger'' and click ''Ok''

== eBooks with DRM ==
When you buy an eBook from most major online book stores, they are likely to be protected by DRM. This has two major consequences.
* You won't be able to convert your eBooks to the Kepub format. This mean that advanced features not be available unless you buy your books on the Kobo store
* You might not be able to read the book on the device of your choice
* If the book store ever stop its operations, you might not be able to read your eBook at all
Fortunately it is possible to remove DRM from books allo.ing you to use the file that you legally purchased.
{{Warning|msg=Removing DRM from the eBooks you purchased is illegal in some countries. Check the law before doing it. Do not share your eBooks illegally. Tagging technologies allow publishers to find the original purchaser of an eBook. You have been warned!}}

=== eBooks from Kobo ===

==== Install Plugin ====
Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/Obok_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Use ====
Simply click the ''Obok DeDRM'' button. The plugin will import and strip DRM from files.

Depending if your eReader is connected to your computer, the obok plugin will try to load book either from the eReader or the Kobo Desktop application.

=== eBooks From Other Book Stores ===
You can buy eBook from any book store that sell them in ePub. When those books are protected with DRM, you will need to use Adobe Digital Edition to download them.

==== Adobe ID ====
The first thing you need is an Adobe ID. If you don't have one, you can create one on https://accounts.adobe.com/.

==== Install Adobe Digital Edition ====
{{Warning|msg=}}You need to use version 1.7 or 2.0. https://github.com/apprenticeharper/DeDRM_tools/blob/master/FAQs.md#i-registered-adobe-digital-editions-30-or-later-with-an-adobe-id-before-downloading-but-my-epub-or-pdf-still-has-drm
'''Linux:''' Run the following commands <syntaxhighlight lang="console">
$ sudo apt install wine32 winetricks
$ winetricks adobe_diged
</syntaxhighlight>'''Windows:''' Download version 2.0 from http://download.adobe.com/pub/adobe/digitaleditions/ADE_2.0_Installer.exe

==== Authorize Adobe Digital Edition ====
Before opening a book in Adobe Digital Edition, you need to authorize it.

To authorise the computer go to ''Library'' → ''Authorize Computer'' (1.7) or ''Help'' → ''Authorize Computer'' (2.0).

Select Adobe ID as provider, and enter your adobe account info.

==== Install DeDRM Plugin ====
'''Linux Only:''' Check [https://raw.githubusercontent.com/apprenticeharper/DeDRM_tools/master/DeDRM_calibre_plugin/DeDRM_plugin_ReadMe.txt official instructions], section ''Linux Systems Only''. You don't need to install ''Adobe Digital Editions'' since you just did it. You can also skip anything related to Kindle unless you want to buy books on Amazon.

'''All:''' Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/DeDRM_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Import Books ====
'''Note:''' You can test the procedure using [https://www.adobe.com/uk/solutions/ebook/digital-editions/sample-ebook-library.html sample files from Adobe]. Make sure you test files with acsm extension.

When you buy an eBook protected by Adobe DRM, the file you download is not the eBook but a license file with the acsm extension.

The first thing to do is to open this acsm file in ''Adobe Digital Edition'' to retrieve the actual eBook.

To import the eBook in Calibre and remove the DRM, simply click the ''Add books'' buttons. The files are in a folder named ''My Digital Editions'' in you ''Home'' or ''My Documents'' folder.

To make sure that the DRM where correctly removed, right-click on the book in Calibre and choose ''view''. If the book displays, there is no more DRM.

== Configuration ==

=== Icons ===
The default icon theme is not very consistent in terms of colour / style.

To change it, go to ''Preferences'' → ''Look & feel'' → ''Change icon theme''. I recommand the Monstre theme which is quite complete and look nice.

Calibre

2017-08-31T14:50:39Z

Vincent:

{{WIP}}

Calibre is an ebook management software.

== Prerequisite ==
* A Window or Linux computer. MacOs should work as well but was not tested.
* A Kobo eReader. The instructions should work for any Kobo of the Touch, Glo, Mini and Aura families.

== Install ==

=== Download ===
When the firmware of your Kobo is updated, you usually need an up-to-date Calibre to be able to synchronise your eBooks. For this reason, it is recommended to not install from your Linux distribution but directly from their website.

To install, go to https://calibre-ebook.com/download and follow instructions.

=== First-run ===
The first time you run calibre you will be asked a few question. The most important is the location of your library. Calibre will use this folder to store al the eBooks that you add to it.

== Kobo Setup ==
Calibre will allow you to send ebooks to your Kobo without any configuration. However, the following plugins will enhance your experience.

To install them, go to ''Preferences'' → ''Plug-ins'' → ''Get new plug-ins'', select the plugin in the list and click ''Install''.

=== KePub Metadata Reader / KePub Metadata Writer ===
These two plugins don't provide any features. They are just used as dependency by ''KePub Output'' and ''KoboTouch Extended''.

=== KePub Output ===
Kobo readers are using [https://wiki.mobileread.com/wiki/Kepub Kepub] files. Those are similar to standard Epub files but support additional functionalities.

This plugin allows conversion of ebooks to the kepub format.

=== KoboTouch Extended ===
This plugin replace the kobo driver that comes with Calibre, it allows the conversion to Kepub format transparently when you synchronise with a Kobo eReader.

After installing it, it is recommended to disable the default in plug-in to avoid Calibre choosing the wrong plugin. Go to ''Preferences'' → ''Plug-ins → Device Interface plug-ins'' and disable ''KoboTouch''.
[[File:KoboTouch Extended - plugin list.png|center|frameless|737x737px]]

=== Kobo Utilities ===
As its name says, this pugin provide various utilities to use with your Kobo eReader

==== Setup ====

==== Read Percent ====

==== Backups ====

==== Block Analytics ====
The kobo eReaders are including an analytics feature. In particular, they collect the infos on all the books that you put on your reader — including the ones that you didn't purchase from them.

This plugins allows to block analytics events
* Connect your eReader to your computer
* Click on the arrow near the KoboUtilities icon and select ''Database'' → ''Block Analytics Event''
* In the window that opened, select ''Create or change trigger'' and click ''Ok''

== eBooks with DRM ==
When you buy an eBook from most major online book stores, they are likely to be protected by DRM. This has two major consequences.
* You won't be able to convert your eBooks to the Kepub format. This mean that advanced features not be available unless you buy your books on the Kobo store
* You might not be able to read the book on the device of your choice
* If the book store ever stop its operations, you might not be able to read your eBook at all
Fortunately it is possible to remove DRM from books allo.ing you to use the file that you legally purchased.
{{Warning|msg=Removing DRM from the eBooks you purchased is illegal in some countries. Check the law before doing it. Do not share your eBooks illegally. Tagging technologies allow publishers to find the original purchaser of an eBook. You have been warned!}}

=== eBooks from Kobo ===

==== Install Plugin ====
Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/Obok_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Use ====
Simply click the ''Obok DeDRM'' button. The plugin will import and strip DRM from files.

Depending if your eReader is connected to your computer, the obok plugin will try to load book either from the eReader or the Kobo Desktop application.

=== eBooks From Other Book Stores ===
You can buy eBook from any book store that sell them in ePub. When those books are protected with DRM, you will need to use Adobe Digital Edition to download them.

==== Adobe ID ====
The first thing you need is an Adobe ID. If you don't have one, you can create one on https://accounts.adobe.com/.

==== Install Adobe Digital Edition ====
{{Warning|msg=}}You need to use version 1.7 or 2.0. https://github.com/apprenticeharper/DeDRM_tools/blob/master/FAQs.md#i-registered-adobe-digital-editions-30-or-later-with-an-adobe-id-before-downloading-but-my-epub-or-pdf-still-has-drm
'''Linux:''' Run the following commands <syntaxhighlight lang="console">
$ sudo apt install wine32 winetricks
$ winetricks adobe_diged
</syntaxhighlight>'''Windows:''' Download version 2.0 from http://download.adobe.com/pub/adobe/digitaleditions/ADE_2.0_Installer.exe

==== Authorize Adobe Digital Edition ====
Before opening a book in Adobe Digital Edition, you need to authorize it.

To authorise the computer go to ''Library'' → ''Authorize Computer'' (1.7) or ''Help'' → ''Authorize Computer'' (2.0).

Select Adobe ID as provider, and enter your adobe account info.

==== Install DeDRM Plugin ====
'''Linux Only:''' Check [https://raw.githubusercontent.com/apprenticeharper/DeDRM_tools/master/DeDRM_calibre_plugin/DeDRM_plugin_ReadMe.txt official instructions], section ''Linux Systems Only''. You don't need to install ''Adobe Digital Editions'' since you just did it. You can also skip anything related to Kindle unless you want to buy books on Amazon.

'''All:''' Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/DeDRM_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Import Books ====
'''Note:''' You can test the procedure using [https://www.adobe.com/uk/solutions/ebook/digital-editions/sample-ebook-library.html sample files from Adobe]. Make sure you test files with acsm extension.

When you buy an eBook protected by Adobe DRM, the file you download is not the eBook but a license file with the acsm extension.

The first thing to do is to open this acsm file in ''Adobe Digital Edition'' to retrieve the actual eBook.

To import the eBook in Calibre and remove the DRM, simply click the ''Add books'' buttons. The files are in a folder named ''My Digital Editions'' in you ''Home'' or ''My Documents'' folder.

To make sure that the DRM where correctly removed, right-click on the book in Calibre and choose ''view''. If the book displays, there is no more DRM.

Calibre

2017-08-31T14:30:38Z

Vincent:

{{WIP}}

Calibre is an ebook management software.

== Prerequisite ==
* A Window or Linux computer. MacOs should work as well but was not tested.
* A Kobo eReader. The instructions should work for any Kobo of the touch, Glo, Mini and Aura families.

== Install ==

=== Download ===
When the firmware of your Kobo is updated, you usually need an up-to-date Calibre to be able to synchronise your eBooks. For this reason, it is recommended to not install from your Linux distribution but directly from their website.

To install, go to https://calibre-ebook.com/download and follow instructions.

=== First-run ===
The first time you run calibre you will be asked a few question. The most important is the location of your library. Calibre will use this folder to store al the eBooks that you add to it.

== Kobo Setup ==
Calibre will allow you to send ebooks to your Kobo without any configuration. However, the following plugins will enhance your experience.

To install them, go to ''Preferences'' → ''Plug-ins'' → ''Get new plug-ins'', select the plugin in the list and click ''Install''.

=== KePub Metadata Reader / KePub Metadata Writer ===
These two plugins don't provide any features. They are just used as dependency by ''KePub Output'' and ''KoboTouch Extended''.

=== KePub Output ===
Kobo readers are using [https://wiki.mobileread.com/wiki/Kepub Kepub] files. Those are similar to standard Epub files but support additional functionalities.

This plugin allows conversion of ebooks to the kepub format.

=== KoboTouch Extended ===
This plugin replace the kobo driver that comes with Calibre, it allows the conversion to Kepub format transparently when you synchronise with a Kobo eReader.

After installing it, it is recommended to disable the default in plug-in to avoid Calibre choosing the wrong plugin. Go to ''Preferences'' → ''Plug-ins → Device Interface plug-ins'' and disable ''KoboTouch''.
[[File:KoboTouch Extended - plugin list.png|center|frameless|737x737px]]

=== Kobo Utilities ===

==== Block Analytics ====
The kobo eReaders are including an analytics feature. In particular, they collect the infos on all the books that you put on your reader — including the ones that you didn't purchase from them.

This plugins allows to block analytics events
* Connect your eReader to your computer
* Click on the arrow near the KoboUtilities icon and select ''Database'' → ''Block Analytics Event''
* In the window that opened, select ''Create or change trigger'' and click ''Ok''

== eBooks with DRM ==
When you buy an eBook from most major online book stores, they are likely to be protected by DRM. This has two major consequences.
* You won't be able to convert your eBooks to the Kepub format. This mean that advanced features not be available unless you buy your books on the Kobo store
* You might not be able to read the book on the device of your choice
* If the book store ever stop its operations, you might not be able to read your eBook at all
Fortunately it is possible to remove DRM from books allo.ing you to use the file that you legally purchased.
{{Warning|msg=Removing DRM from the eBooks you purchased is illegal in some countries. Check the law before doing it. Do not share your eBooks illegally. Tagging technologies allow publishers to find the original purchaser of an eBook. You have been warned!}}

=== eBooks from Kobo ===

==== Install Plugin ====
Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/Obok_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Use ====
Simply click the ''Obok DeDRM'' button. The plugin will import and strip DRM from files.

Depending if your eReader is connected to your computer, the obok plugin will try to load book either from the eReader or the Kobo Desktop application.

=== eBooks From Other Book Stores ===
You can buy eBook from any book store that sell them in ePub. When those books are protected with DRM, you will need to use Adobe Digital Edition to download them.

==== Adobe ID ====
The first thing you need is an Adobe ID. If you don't have one, you can create one on https://accounts.adobe.com/.

==== Install Adobe Digital Edition ====
{{Warning|msg=}}You need to use version 1.7 or 2.0. https://github.com/apprenticeharper/DeDRM_tools/blob/master/FAQs.md#i-registered-adobe-digital-editions-30-or-later-with-an-adobe-id-before-downloading-but-my-epub-or-pdf-still-has-drm
'''Linux:''' Run the following commands <syntaxhighlight lang="console">
$ sudo apt install wine32 winetricks
$ winetricks adobe_diged
</syntaxhighlight>'''Windows:''' Download version 2.0 from http://download.adobe.com/pub/adobe/digitaleditions/ADE_2.0_Installer.exe

==== Authorize Adobe Digital Edition ====
Before opening a book in Adobe Digital Edition, you need to authorize it.

To authorise the computer go to ''Library'' → ''Authorize Computer'' (1.7) or ''Help'' → ''Authorize Computer'' (2.0).

Select Adobe ID as provider, and enter your adobe account info.

==== Install DeDRM Plugin ====
'''Linux Only:''' Check [https://raw.githubusercontent.com/apprenticeharper/DeDRM_tools/master/DeDRM_calibre_plugin/DeDRM_plugin_ReadMe.txt official instructions], section ''Linux Systems Only''. You don't need to install ''Adobe Digital Editions'' since you just did it. You can also skip anything related to Kindle unless you want to buy books on Amazon.

'''All:''' Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/DeDRM_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Import Books ====
'''Note:''' You can test the procedure using [https://www.adobe.com/uk/solutions/ebook/digital-editions/sample-ebook-library.html sample files from Adobe]. Make sure you test files with acsm extension.

When you buy an eBook protected by Adobe DRM, the file you download is not the eBook but a license file with the acsm extension.

The first thing to do is to open this acsm file in ''Adobe Digital Edition'' to retrieve the actual eBook.

To import the eBook in Calibre and remove the DRM, simply click the ''Add books'' buttons. The files are in a folder named ''My Digital Editions'' in you ''Home'' or ''My Documents'' folder.

To make sure that the DRM where correctly removed, right-click on the book in Calibre and choose ''view''. If the book displays, there is no more DRM.

File:KoboTouch Extended - plugin list.png

2017-08-31T14:27:15Z

Vincent:

Disable other plugins when KoboTouch Extended is installed

Calibre

2017-08-31T13:35:23Z

Vincent: /* Install DeDRM Plugin */ Install DeDRM Plugin

{{WIP}}

Calibre is an ebook management software.

== Prerequisite ==
* A Window or Linux computer. MacOs should work as well but was not tested.
* A Kobo eReader. The instructions should work for any Kobo of the touch, Glo, Mini and Aura families.

== Install ==

=== Download ===
When the firmware of your Kobo is updated, you usually need an up-to-date Calibre to be able to synchronise your eBooks. For this reason, it is recommended to not install from your Linux distribution but directly from their website.

To install, go to https://calibre-ebook.com/download and follow instructions.

=== First-run ===
The first time you run calibre you will be asked a few question. The most important is the location of your library. Calibre will use this folder to store al the eBooks that you add to it.

== Kobo Setup ==
Calibre will allow you to send ebooks to your Kobo without any configuration. However, the following plugins will enhance your experience.

To install them, go to ''Preferences'' → ''Plug-ins'' → ''Get new plug-ins'', select the plugin in the list and click ''Install''.

=== KePub Metadata Reader / KePub Metadata Writer ===
These two plugins don't provide any features. They are just used as dependency by ''KePub Output'' and ''KoboTouch Extended''.

=== KePub Output ===
Kobo readers are using [https://wiki.mobileread.com/wiki/Kepub Kepub] files. Those are similar to standard Epub files but support additional functionalities.

This plugin allows conversion of ebooks to the kepub format.

=== KoboTouch Extended ===
This plugin replace the kobo driver that comes with Calibre, it allows the conversion to Kepub format transparently when you synchronise with a Kobo eReader.

=== Kobo Utilities ===

==== Block Analytics ====
The kobo eReaders are including an analytics feature. In particular, they collect the infos on all the books that you put on your reader — including the ones that you didn't purchase from them.

This plugins allows to block analytics events
* Connect your eReader to your computer
* Click on the arrow near the KoboUtilities icon and select ''Database'' → ''Block Analytics Event''
* In the window that opened, select ''Create or change trigger'' and click ''Ok''

== eBooks with DRM ==
When you buy an eBook from most major online book stores, they are likely to be protected by DRM. This has two major consequences.
* You won't be able to convert your eBooks to the Kepub format. This mean that advanced features not be available unless you buy your books on the Kobo store
* You might not be able to read the book on the device of your choice
* If the book store ever stop its operations, you might not be able to read your eBook at all
Fortunately it is possible to remove DRM from books allo.ing you to use the file that you legally purchased.
{{Warning|msg=Removing DRM from the eBooks you purchased is illegal in some countries. Check the law before doing it. Do not share your eBooks illegally. Tagging technologies allow publishers to find the original purchaser of an eBook. You have been warned!}}

=== eBooks from Kobo ===

==== Install Plugin ====
Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/Obok_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Use ====
Simply click the ''Obok DeDRM'' button. The plugin will import and strip DRM from files.

Depending if your eReader is connected to your computer, the obok plugin will try to load book either from the eReader or the Kobo Desktop application.

=== eBooks From Other Book Stores ===
You can buy eBook from any book store that sell them in ePub. When those books are protected with DRM, you will need to use Adobe Digital Edition to download them.

==== Adobe ID ====
The first thing you need is an Adobe ID. If you don't have one, you can create one on https://accounts.adobe.com/.

==== Install Adobe Digital Edition ====
{{Warning|msg=}}You need to use version 1.7 or 2.0. https://github.com/apprenticeharper/DeDRM_tools/blob/master/FAQs.md#i-registered-adobe-digital-editions-30-or-later-with-an-adobe-id-before-downloading-but-my-epub-or-pdf-still-has-drm
'''Linux:''' <syntaxhighlight lang="console">
$ sudo apt install wine32 winetricks
$ winetricks adobe_diged
</syntaxhighlight>'''Windows:''' Download version 2.0 from http://download.adobe.com/pub/adobe/digitaleditions/ADE_2.0_Installer.exe

==== Authorize Adobe Digital Edition ====

==== Install DeDRM Plugin ====
'''Linux Only:''' Check [https://raw.githubusercontent.com/apprenticeharper/DeDRM_tools/master/DeDRM_calibre_plugin/DeDRM_plugin_ReadMe.txt official instructions], section ''Linux Systems Only''. You don't need to install ''Adobe Digital Editions'' since you just did it. You can also skip anything related to Kindle unless you want to buy books on Amazon.

'''All:''' Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/DeDRM_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Import Books ====
'''Note:''' You can test the procedure using [https://www.adobe.com/uk/solutions/ebook/digital-editions/sample-ebook-library.html sample files from Adobe]. Make sure you test files with acsm extension.

When you buy an eBook protected by Adobe DRM, the file you download is not the eBook but a license file with the acsm extension.

The first thing to do is to open this acsm file in ''Adobe Digital Edition'' to retrieve the actual eBook.

To import the eBook in Calibre and remove the DRM, simply click the ''Add books'' buttons. The files are in a folder named ''My Digital Editions'' in you ''Home'' or ''My Documents'' folder.

Calibre

2017-08-31T13:26:14Z

Vincent: /* eBooks From Other Book Stores */

{{WIP}}

Calibre is an ebook management software.

== Prerequisite ==
* A Window or Linux computer. MacOs should work as well but was not tested.
* A Kobo eReader. The instructions should work for any Kobo of the touch, Glo, Mini and Aura families.

== Install ==

=== Download ===
When the firmware of your Kobo is updated, you usually need an up-to-date Calibre to be able to synchronise your eBooks. For this reason, it is recommended to not install from your Linux distribution but directly from their website.

To install, go to https://calibre-ebook.com/download and follow instructions.

=== First-run ===
The first time you run calibre you will be asked a few question. The most important is the location of your library. Calibre will use this folder to store al the eBooks that you add to it.

== Kobo Setup ==
Calibre will allow you to send ebooks to your Kobo without any configuration. However, the following plugins will enhance your experience.

To install them, go to ''Preferences'' → ''Plug-ins'' → ''Get new plug-ins'', select the plugin in the list and click ''Install''.

=== KePub Metadata Reader / KePub Metadata Writer ===
These two plugins don't provide any features. They are just used as dependency by ''KePub Output'' and ''KoboTouch Extended''.

=== KePub Output ===
Kobo readers are using [https://wiki.mobileread.com/wiki/Kepub Kepub] files. Those are similar to standard Epub files but support additional functionalities.

This plugin allows conversion of ebooks to the kepub format.

=== KoboTouch Extended ===
This plugin replace the kobo driver that comes with Calibre, it allows the conversion to Kepub format transparently when you synchronise with a Kobo eReader.

=== Kobo Utilities ===

==== Block Analytics ====
The kobo eReaders are including an analytics feature. In particular, they collect the infos on all the books that you put on your reader — including the ones that you didn't purchase from them.

This plugins allows to block analytics events
* Connect your eReader to your computer
* Click on the arrow near the KoboUtilities icon and select ''Database'' → ''Block Analytics Event''
* In the window that opened, select ''Create or change trigger'' and click ''Ok''

== eBooks with DRM ==
When you buy an eBook from most major online book stores, they are likely to be protected by DRM. This has two major consequences.
* You won't be able to convert your eBooks to the Kepub format. This mean that advanced features not be available unless you buy your books on the Kobo store
* You might not be able to read the book on the device of your choice
* If the book store ever stop its operations, you might not be able to read your eBook at all
Fortunately it is possible to remove DRM from books allo.ing you to use the file that you legally purchased.
{{Warning|msg=Removing DRM from the eBooks you purchased is illegal in some countries. Check the law before doing it. Do not share your eBooks illegally. Tagging technologies allow publishers to find the original purchaser of an eBook. You have been warned!}}

=== eBooks from Kobo ===

==== Install Plugin ====
Download the zip file from https://github.com/apprenticeharper/DeDRM_tools/tree/master/Obok_calibre_plugin.

In Calibre go to ''Preferences'' → ''Plug-ins → Load plug-in from file'', select the file that you just downloaded and validate.

==== Use ====
Simply click the ''Obok DeDRM'' button. The plugin will import and strip DRM from files.

Depending if your eReader is connected to your computer, the obok plugin will try to load book either from the eReader or the Kobo Desktop application.

=== eBooks From Other Book Stores ===
You can buy eBook from any book store that sell them in ePub. When those books are protected with DRM, you will need to use Adobe Digital Edition to download them.

==== Adobe ID ====
The first thing you need is an Adobe ID. If you don't have one, you can create one on https://accounts.adobe.com/.

==== Install Adobe Digital Edition ====
{{Warning|msg=}}You need to use version 1.7 or 2.0. https://github.com/apprenticeharper/DeDRM_tools/blob/master/FAQs.md#i-registered-adobe-digital-editions-30-or-later-with-an-adobe-id-before-downloading-but-my-epub-or-pdf-still-has-drm
'''Linux:''' <syntaxhighlight lang="console">
$ sudo apt install wine32 winetricks
$ winetricks adobe_diged
</syntaxhighlight>'''Windows:''' Download version 2.0 from http://download.adobe.com/pub/adobe/digitaleditions/ADE_2.0_Installer.exe

==== Authorize Adobe Digital Edition ====

==== Install DeDRM Plugin ====

==== Import Books ====
'''Note:''' You can test the procedure using [https://www.adobe.com/uk/solutions/ebook/digital-editions/sample-ebook-library.html sample files from Adobe]. Make sure you test files with acsm extension.

When you buy an eBook protected by Adobe DRM, the file you download is not the eBook but a license file with the acsm extension.

The first thing to do is to open this acsm file in ''Adobe Digital Edition'' to retrieve the actual eBook.

To import the eBook in Calibre and remove the DRM, simply click the ''Add books'' buttons. The files are in a folder named ''My Digital Editions'' in you ''Home'' or ''My Documents'' folder.

Calibre

2017-08-31T07:07:46Z

Vincent: WIP