How to set up an X terminal with PuTTY and Xming


Our problem was that we wanted to capture packets with Wireshark on a remote SPAN PC, to analyse possible network issues while planning a new network design.

Because we didn't want to sit in the network lab in front of the capture PC all the time, we installed Xming and tunnelled the X11 traffic over SSH.

There are several how-tos on the internet, but this is the only one that worked for me:

Step 1: Download Xming from here.

Step 2: Install it, with default settings.

Step 3: Create a new PuTTY session for the Wireshark PC:


Step 4: Before you save the session, go to Connection -> SSH -> X11, enable X11 forwarding and set the session like this:


Step 5: Start Xming.

Step 6: SSH to the device and type the name of the application you need. In a few seconds an Xming window will appear with the application in it.


That's all, it works. Keep in mind that X11 forwarding lets the remote machine talk to your local X server (windows, clipboard, keystrokes), so only enable it for hosts you trust.




Set up DNSmasq on Debian with caching


All you have to do is install the package with apt and copy in the config file from the example. I don't want to explain it deeper; everything is commented:

apt-get install dnsmasq

Open the /etc/dnsmasq.conf file and paste this in. The lines under "Interfaces to listen on" deserve the most attention: if dnsmasq gets no interface= or listen-address= line it answers on every interface, which on a machine with a public address makes it an open resolver that anyone can use for DNS amplification.

# Interfaces to listen on

## Global settings
expand-hosts   # add the domain name to plain hostnames from the hosts file
# blocks probe-machines attack
no-poll    # prevent dnsmasq from polling /etc/resolv.conf for changes
no-hosts   # don't resolve names from /etc/hosts

## Domain options
domain-needed   # never forward plain names (names without a dot)
bogus-priv              # never forward reverse lookups for private (RFC 1918) ranges
all-servers  # send each query to all upstream servers and use the first reply

cache-size=2000   # number of DNS entries to cache
neg-ttl=1800    # cache negative replies for 30 minutes (value in seconds)

## Logging
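
As an added example (not part of the original post), here is a small Python 3 audit for a dnsmasq.conf that checks the points above: whether the resolver is scoped to an interface at all, whether the socket is really bound there, and the upstream and rebind options. Both configs it runs on are constructed here: the first is the page's file as shown above, the second a hardened variant; the interface name br1 is an assumption.

```python
# Constructed sample: the caching config from this page, with the elided
# "interfaces to listen on" lines left out, exactly as the page shows it.
PAGE_CONF = """
# Interfaces to listen on

## Global settings
expand-hosts   # add the domain name to plain hostnames
no-poll        # prevent dnsmasq from polling /etc/resolv.conf
no-hosts       # don't resolve names from /etc/hosts

## Domain options
domain-needed  # never forward plain names
bogus-priv     # never forward reverse lookups for private ranges
all-servers    # send each query to every upstream, use the first reply

cache-size=2000
neg-ttl=1800
"""

# Constructed sample: the same resolver scoped to the LAN bridge (br1 is an
# assumed interface name).
HARDENED_CONF = """
interface=br1          # LAN side only
bind-interfaces        # bind that interface, not the wildcard address
local-service          # and only answer hosts on a local subnet
no-poll
no-hosts
domain-needed
bogus-priv
stop-dns-rebind        # refuse upstream answers that point at private IPs
cache-size=2000
neg-ttl=1800
"""


def parse_dnsmasq(text):
    """Return [(option, value_or_None), ...] in file order.

    Trailing '# ...' comments are stripped (this page's file relies on them);
    repeated options such as interface= or server= are kept, not collapsed.
    """
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        opts.append((key.strip(), value.strip() if sep else None))
    return opts


def audit_dnsmasq(text):
    """Return a sorted list of finding codes for a dnsmasq.conf."""
    keys = {k for k, _ in parse_dnsmasq(text)}
    findings = set()
    # Without interface=/listen-address=/local-service dnsmasq answers on
    # every interface: an open resolver if any interface is public.
    if not keys & {"interface", "listen-address", "local-service"}:
        findings.add("open-resolver")
    # interface=/listen-address= alone still binds 0.0.0.0 and merely discards
    # foreign queries; bind-interfaces makes the socket itself local.
    if keys & {"interface", "listen-address"} and "bind-interfaces" not in keys:
        findings.add("wildcard-bind")
    # all-servers fans every query out to every upstream: more exposure of the
    # query stream, and the fastest answer wins, not the most trustworthy one.
    if "all-servers" in keys:
        findings.add("all-servers-fanout")
    if "stop-dns-rebind" not in keys:
        findings.add("no-rebind-protection")
    for required in ("domain-needed", "bogus-priv"):
        if required not in keys:
            findings.add("missing-" + required)
    return sorted(findings)


if __name__ == "__main__":
    print("page config:    ", audit_dnsmasq(PAGE_CONF))
    print("hardened config:", audit_dnsmasq(HARDENED_CONF))
```

Run it against your own file with audit_dnsmasq(open("/etc/dnsmasq.conf").read()); an empty list means none of the checks fired, not that the config is correct in every other respect.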


NTP server setup on Debian


It's not a big task: just install the service and change the config file a little.

apt-get install ntp

Then open /etc/ntp.conf and paste the following:

# Global settings
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Server list (one line per upstream NTP server; iburst speeds up the initial sync)
server iburst
server iburst
server iburst
server iburst

# Use the local clock as a fallback server as well

# Advertise the local clock as stratum 5, so clients only fall back to it when every real server is gone
fudge stratum 5

# By default, exchange time with everybody, but don't allow configuration or status queries.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict ::1

Keep noquery on the default restrict lines: it refuses mode 6/7 control queries (monlist and friends) from remote hosts, which is exactly what NTP reflection/amplification attacks abuse. At first you will see the local clock selected as the system peer (the * marker), until the associations with the real servers complete. To verify the connection use the following command:

ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
                                  2 u    -   64    1  189.288   41.093   2.411
 services.quadra                  3 u    1   64    1  180.550   43.824   0.408
 host2.kingrst.c                  2 u    -   64    1  139.681   41.910   3.217
 quirk.faceprint                  2 u    1   64    1  110.541   40.208   0.292
*LOCAL(0)        .LOCL.           5 l    5   64    1    0.000    0.000   0.001

ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+                                 2 u    5   64    1  189.288   41.093   2.161
-services.quadra                  3 u    4   64    1  180.550   43.824   1.011
+host2.kingrst.c                  2 u    3   64    1  139.681   41.910   2.517
*quirk.faceprint                  2 u    2   64    1  109.673   38.858   1.191
 LOCAL(0)        .LOCL.           5 l   11   64    1    0.000    0.000   0.001
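
As an added example, not from the original post, the following Python 3 parser reads ntpq -p output like the listings above and tells you whether the daemon has converged on a real peer or is still serving its own free-running LOCAL(0) clock. The two samples are constructed to mirror the listings, with documentation addresses in place of the real servers. (On ntp 4.2.2 or newer, "tos orphan 5" is the modern replacement for the LOCAL driver: it gives the same fallback without ever advertising a fake reference clock.)

```python
import re

# One peer line of `ntpq -p`: tally mark, remote, refid, stratum, type, when,
# poll, reach (octal shift register of the last 8 polls), delay, offset, jitter.
PEER_LINE = re.compile(
    r"^(?P<tally>[ *+\-x.#o])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+(?P<t>\S)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?\d+\.\d+)\s+(?P<offset>-?\d+\.\d+)\s+(?P<jitter>\d+\.\d+)\s*$"
)

TALLY = {"*": "syspeer", "+": "candidate", "#": "backup", "-": "outlier",
         "x": "falseticker", ".": "excess", "o": "pps", " ": "rejected"}


def parse_ntpq(text):
    """Parse `ntpq -p` output; the header, the ==== ruler and an echoed
    command line don't match PEER_LINE and are skipped."""
    peers = []
    for line in text.splitlines():
        m = PEER_LINE.match(line)
        if not m:
            continue
        d = m.groupdict()
        reach = int(d["reach"], 8)
        peers.append({
            "remote": d["remote"],
            "refid": d["refid"],
            "stratum": int(d["st"]),
            "state": TALLY[d["tally"]],
            "polls_answered": bin(reach).count("1"),   # out of the last 8
            "offset_ms": float(d["offset"]),
            "jitter_ms": float(d["jitter"]),
        })
    return peers


def sync_status(peers):
    """'free-running' means the system peer is the LOCAL(0) driver: the box is
    handing its own drifting clock to clients as if it were stratum 5."""
    system = [p for p in peers if p["state"] == "syspeer"]
    if not system:
        return "unsynchronised"
    p = system[0]
    if p["refid"] == ".LOCL." or p["remote"].startswith("LOCAL("):
        return "free-running"
    return "synchronised:" + p["remote"]


# Constructed samples modelled on the two listings above; hostnames and
# refids are documentation addresses, not real servers.
JUST_STARTED = """\
ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.example.net 192.0.2.10       2 u    -   64    1  189.288   41.093   2.411
 ntp2.example.net 198.51.100.7     3 u    1   64    1  180.550   43.824   0.408
*LOCAL(0)        .LOCL.           5 l    5   64    1    0.000    0.000   0.001
"""

CONVERGED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 192.0.2.10       2 u   37   64  377  189.288    1.093   0.411
+ntp2.example.net 198.51.100.7     3 u   41   64  377  180.550    3.824   0.408
 LOCAL(0)        .LOCL.           5 l   11   64  377    0.000    0.000   0.001
"""

if __name__ == "__main__":
    for name, sample in (("just started", JUST_STARTED), ("converged", CONVERGED)):
        print(name, "->", sync_status(parse_ntpq(sample)))
```

A reach of 377 (octal) means all of the last eight polls were answered; a peer stuck at 1 or 0 after a few minutes is not reachable, which on a server behind the firewall from the previous post usually means UDP/123 replies are being dropped.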

That's all!

Debian access point with Hostapd and RTL8188CUS/RTL8192CU


It took me days (or weeks, I don't know exactly) to set up an access point on Debian. Yeah, it's not that complicated if you have an Atheros chipset in your wifi card.

But Murphy likes me, and as I remember I didn't check the compatibility properly, so I chose a TL-WN822N v3.0 with an RTL8192CU chipset.

I found some posts where somebody says it's impossible to make it work, but I couldn't believe that, and these posts made me more determined.

The plan: install hostapd via apt-get, download another copy manually, patch it to work with the Realtek driver, and overwrite the old binaries.

So, here is how I got it working:

1.) Install the packages

Install the driver and the dependencies:

apt-get install bridge-utils vlan wireless-tools iw wpasupplicant isc-dhcp-server linux-headers-... dkms hostapd
git clone
cd rt8192cu
sudo make install

As you probably noticed, we installed hostapd via apt.
I did that because we need all its supporting files (init script, defaults, config directory); we will only swap the binaries.


2.) Set your country code

iw reg set HU

3.) Patch it up!

Download the latest hostapd manually from there. I used that one.

Then copy all patch files into the hostapd directory where the hostapd and src folders are located:

cp hostapd-rtl871xdrv-master/* hostapd-2.4/hostapd-2.4/
cp hostapd-rtl871xdrv-master/.c* hostapd-2.4/hostapd-2.4/
cd hostapd-2.4/hostapd-2.4/

Now you should be in the folder containing hostapd and src. Apply the patch:

patch -Np1 -i rtlxdrv.patch

Then copy the driver_rtl.h and driver_rtw.c files into the src/drivers directory.

When that is done, copy the .config file into the hostapd directory and build/install the daemon:

cp .config ./hostapd/
cd hostapd
make install

make install puts the binaries (hostapd, hostapd_cli) under /usr/local/bin; keep the Debian ones as a fallback and copy the new ones over to /usr/sbin:

cp /usr/sbin/hostapd  /usr/sbin/hostapd-old
cp /usr/sbin/hostapd_cli /usr/sbin/hostapd_cli-old
cp /usr/local/bin/hostapd /usr/sbin/hostapd
cp /usr/local/bin/hostapd_cli /usr/sbin/hostapd_cli

Edit the /etc/default/hostapd file and add the following:


4.) Config the daemon

Open up /etc/hostapd/hostapd.conf. It should look like this (the interface, SSID and WPA2 key settings belong in here as well):

## Basic setup



ieee80211n=1    # 802.11n support
wmm_enabled=1   # QoS support
ieee80211d=1          # limit the frequencies used to those allowed in the country

auth_algs=1           # 1=open system, 2=shared key (WEP), 3=both; keep 1, WPA2 runs on top of open system authentication

Then, as a last step start the hostapd:

service hostapd start

If you want to tune the transmit power of your wifi card, you can add a line to your /etc/network/interfaces file. Here is mine as a reference:

## Lan part
allow-hotplug wlan0
iface wlan0 inet manual
iface eth0 inet manual
iface eth0.100 inet manual
  vlan-raw-device eth0
iface eth0.128 inet manual
  vlan-raw-device eth0

# Connection to Home
auto br1
iface br1 inet static
  bridge_ports eth0.128 wlan0
  bridge_stp off
  bridge_waitport 5
  prepend domain-name-servers
  bridge_maxwait 5
  post-up iwconfig wlan0 txpower 12

That should work now as a basic AP.


Install munin to Debian


I'd like to write down the installation steps for the munin package; later I'll add more measurements on my server.

Munin is a great monitoring and alerting tool, and it's absolutely free. But apache2 has to be installed first! There is a separate article about apache2; this one focuses on munin.

So let’s install it to our device:

apt-get install munin munin-node munin-plugins-extra

We have to edit the /etc/munin/munin.conf file to make it work. Uncomment the following lines:

dbdir   /var/lib/munin
htmldir /var/cache/munin/www
logdir /var/log/munin
rundir  /var/run/munin

# Where to look for the HTML templates
tmpldir /etc/munin/templates

# Where to look for the static www files
#staticdir /etc/munin/static
includedir /etc/munin/munin-conf.d
# a simple host tree
    use_node_name yes

Save and exit.

For apache 2.2:
Edit the /etc/apache2/conf.d/munin file and uncomment the following:

# Enable this for template generation
Alias /munin /var/cache/munin/www

# Enable this for cgi-based templates
#Alias /munin-cgi/static /var/cache/munin/www/static
#ScriptAlias /munin-cgi /usr/lib/munin/cgi/munin-cgi-html
#<Location /munin-cgi>
#       Order allow,deny
#       Allow from localhost ::1
#       AuthUserFile /etc/munin/munin-htpasswd
#       AuthName "Munin"
#       AuthType Basic
#       require valid-user
#</Location>

<Directory /var/cache/munin/www>
        Order allow,deny
        #Allow from localhost ::1
        Allow from all
        Options None

        # This file can be used as a .htaccess file, or a part of your apache
        # config file.
        # For the .htaccess file option to work the munin www directory
        # (/var/cache/munin/www) must have "AllowOverride all" or something
        # close to that set.

        # AuthUserFile /etc/munin/munin-htpasswd
        # AuthName "Munin"
        # AuthType Basic
        # require valid-user

        # This next part requires mod_expires to be enabled.

        # Set the default expiration time for files to 5 minutes 10 seconds from
        # their creation (modification) time.  There are probably new files by
        # that time.

    <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresDefault M310
    </IfModule>
</Directory>

Note that "Allow from all" publishes your host inventory, process lists and traffic graphs to anyone who can reach the web server. On a host exposed to the internet keep "Allow from localhost ::1" plus your LAN range, or uncomment the Auth* lines and create /etc/munin/munin-htpasswd with htpasswd (from apache2-utils).



If you have apache 2.4, edit the /etc/munin/apache24.conf file and replace the following lines

Require local
Options None

with this

Require all granted
Options FollowSymLinks SymLinksIfOwnerMatch

The same warning applies: "Require all granted" opens the graphs to everyone. If only your LAN needs to see them, "Require ip" with your own LAN range (or a Basic auth block) is the safer replacement for "Require local".


If you want dynazoom (the zoomable graphs) to work, install this package as well:

apt-get install libapache2-mod-fcgid

Next, restart apache2 and munin-node, and it's working.

service apache2 restart
service munin-node restart

To add/remove plugins, link (or unlink) the files from /usr/share/munin/plugins/ in /etc/munin/plugins.

After a restart of munin-node the new plugins are picked up.

Securing Debian server


I'm working on a home server that will be my router, gateway and firewall as well. After installing the system and the daemons I have to make the whole system secure. I do that in several steps; here is a short description of how to implement them.

1.) Securing SSH

Later, on the firewall, SSH will be allowed from everywhere. So we have to protect the server itself; I made a few changes in /etc/ssh/sshd_config:

PermitRootLogin no
PermitEmptyPasswords no
AllowGroups ssh-group

Most attacks are simple brute-force attempts, and in most cases they go for the root user, so let's disable root login.

For the same reason we disable empty-password logins.
Then we create a group expressly for SSH, add the relevant users to it, and limit SSH access to that group only: a user outside ssh-group is refused even with a valid password or key.

Then, to limit login attempts, install the fail2ban daemon:

apt-get install fail2ban

Then check the config file. It should look like this:

FILE: /etc/fail2ban/fail2ban.conf

loglevel = 3
logtarget = /var/log/fail2ban.log
socket = /var/run/fail2ban/fail2ban.sock

Modify the /etc/fail2ban/jail.conf file (or better, put the overrides in jail.local, which package upgrades don't touch). With these values a host that fails authentication 5 times within 3 hours (findtime) is banned for 31 days (bantime; both in seconds):

bantime  = 2678400
maxretry = 5
findtime = 10800

Then restart the daemon:

service fail2ban restart

And if it's working correctly, you will see the fail2ban chain at the end of your iptables listing, with one DROP line per banned address:

 # iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
Chain fail2ban-ssh (1 references)
target     prot opt source               destination
DROP       all  --       anywhere
DROP       all  --        anywhere

Additional step:

Set up Google Authenticator:

With that we get a second factor: a time-based one-time code from your phone on top of the password.

apt-get install libpam-google-authenticator

Log in as the user and run the "google-authenticator" command to generate the key for this user.

During key generation answer "y" to the prompts and, if you like, allow a wider time-skew window.

When the key has been generated it is printed together with the emergency scratch codes. Note these codes down in a safe place: if you lose your phone, or anything else goes wrong, you can log in with them.

Then open the Google Authenticator app on your phone and type in the secret key (or scan the QR code).
Now you get a verification code that changes every 30 seconds.

The last step is to activate the module.

Edit the file /etc/pam.d/sshd:

auth required

Add the authenticator to /etc/ssh/sshd_config (UsePAM must be yes, which is the Debian default):

ChallengeResponseAuthentication yes

Finally restart the SSH daemon and enjoy your new feature. One caveat: this only guards password logins. When a client authenticates with a public key, sshd never runs the PAM auth stack, so no code is asked for. To require key and code together, add "AuthenticationMethods publickey,keyboard-interactive" to sshd_config (OpenSSH 6.2 or newer).
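
To show what the phone app and the PAM module actually agree on, here is an added Python 3 implementation of the TOTP algorithm (RFC 6238: HMAC-SHA1, 30-second steps, 6 digits, which is what Google Authenticator uses), with the skew window and the replay check that the google-authenticator prompts ask about. It is example code, not the PAM module's source; the secret is the RFC 6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test key ("12345678901234567890" in base32). A real secret is the
# one google-authenticator prints for the user.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32):
    """Google Authenticator shows the key as unpadded base32, sometimes with
    spaces; restore the padding before decoding."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then the last `digits` decimal digits."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238: HOTP with counter = unix time // step."""
    return hotp(decode_secret(secret_b32), at // step, digits)


def verify_totp(secret_b32, code, at, window=1, last_counter=-1, step=30, digits=6):
    """Return the counter the code matched, or None.

    `window` is what the time-skew prompt controls: codes from +/- that many
    steps around now are accepted. `last_counter` implements "disallow
    multiple uses of the same token": a counter at or below the last accepted
    one is refused, so a code sniffed from one login cannot be replayed inside
    its validity window. compare_digest keeps the comparison constant-time.
    """
    key = decode_secret(secret_b32)
    base = at // step
    for skew in range(-window, window + 1):
        counter = base + skew
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter, digits), code):
            return counter
    return None


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print("code now:", code, "accepted as counter", verify_totp(RFC_SECRET, code, now))
```

The server-side state that makes the replay check work is the last accepted counter, which the PAM module keeps in the user's ~/.google_authenticator file; that is also why that file has to stay writable by the login process.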


2. Firewall setup

It is strongly recommended to change the default iptables rules on the system, because the default allows everything!

The iptables setup depends on the daemons/services running on the server, but I've created an example file with some basic services.

Let’s save it to /etc/firewall.rules file:


# Default policies

# Allow connection to/from Loopback interface
 -A INPUT -i lo -p all -j ACCEPT
 -A OUTPUT -o lo -p all -j ACCEPT

# Deny all connections from non-trusted (bogon/private) source ranges, allow only our own private range
 -A INPUT -s -j DROP
 -A INPUT -s -j DROP
 -A INPUT -s -j DROP
 -A INPUT -s -j DROP
 -A INPUT -s -j DROP
 -A INPUT -s -j DROP
 -A INPUT -s -j DROP
 -A INPUT -s -j DROP
 -A INPUT -s -j DROP
 -A INPUT -s -j DROP
 -A INPUT -s -j DROP
 -A INPUT -s -j DROP
 -A INPUT -s -j DROP

# Allow HTTP and HTTPS connections globally
 -A INPUT -p tcp --dport 80 -j ACCEPT
 -A INPUT -p tcp --dport 443 -j ACCEPT

# Allow all established inbound connections globally (this rule belongs above the per-service rules)

# Allow SSH incoming connections globally
 -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT

# Allow Samba ports only from the local LAN
 -A INPUT -s -p udp -m udp --dport 137 -j ACCEPT
 -A INPUT -s -p udp -m udp --dport 138 -j ACCEPT
 -A INPUT -s -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
 -A INPUT -s -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT

# Allow minidlna only from the local LAN
 -A INPUT -s -p udp --dport 1900 -j ACCEPT
 -A INPUT -s -p tcp --dport 8200 -j ACCEPT

# Allow ping only from the local LAN
 -A INPUT -s -p icmp -m icmp --icmp-type 8 -j ACCEPT


The default policy denies incoming traffic but lets everything out; packet forwarding is denied as well. Because iptables stops at the first matching rule, the bogon DROP lines must stay above the global ACCEPT lines for HTTP, HTTPS and SSH, otherwise a spoofed packet from one of those ranges is accepted before it is ever dropped.

Then let's activate our brand-new firewall rules:

iptables-restore < /etc/firewall.rules

Please check that all services still work! If yes, make the firewall permanent with a small script that ifupdown runs before bringing up an interface:

vi /etc/network/if-pre-up.d/firewall

#!/bin/sh
iptables-restore < /etc/firewall.rules

Save and exit, then make it executable (run-parts ignores scripts that aren't):

chmod +x /etc/network/if-pre-up.d/firewall

Test that the rules are back after a reboot:

iptables -nL
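
Because first match wins, a ruleset like the one above is only as good as its order. This added Python 3 checker (not from the original post) parses an iptables-restore file and flags the things you would otherwise check by eye: the default policies, the catch-all ESTABLISHED accept, a global ACCEPT placed above a "-s range -j DROP" (which shadows the drop for that service) and a world-reachable SSH rule without a rate limit (the post relies on fail2ban for that). Both rulesets are constructed for the example, modelled on the file above with a short bogon list and 192.168.1.0/24 as the LAN; the ip6tables-restore format is identical, so it parses those files too.

```python
import ipaddress
import shlex


def parse_rule(argv):
    """Turn the argv of one '-A CHAIN ...' line into a dict. An option followed
    by a non-option token takes it as its value; -m is kept as a list because
    it repeats (-m state ... -m limit ...)."""
    rule = {"chain": argv[1], "opts": {}, "modules": []}
    i = 2
    while i < len(argv):
        tok, val = argv[i], None
        if i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            val, i = argv[i + 1], i + 1
        if tok == "-m":
            rule["modules"].append(val)
        else:
            rule["opts"][tok] = val
        i += 1
    src = rule["opts"].get("-s")
    rule["src"] = ipaddress.ip_network(src, strict=False) if src else None
    rule["target"] = rule["opts"].get("-j")
    rule["scoped"] = src is not None or "-i" in rule["opts"]   # limited by source or interface
    return rule


def parse_restore(text):
    """Parse iptables-restore / ip6tables-restore syntax into tables."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            table["policy"][chain] = policy
        elif line == "COMMIT":
            table = None
        elif line.startswith("-A"):
            table["rules"].append(parse_rule(shlex.split(line)))
    return tables


def states_of(rule):
    v = rule["opts"].get("--state") or rule["opts"].get("--ctstate") or ""
    return set(v.split(",")) if v else set()


def opens_new(rule):
    """Can this rule admit the first packet of a connection?"""
    return not states_of(rule) or "NEW" in states_of(rule)


def audit_filter(text):
    """Sorted finding codes for the filter table of a restore file."""
    f = parse_restore(text).get("filter")
    if f is None:
        return ["no-filter-table"]
    findings = set()
    for chain in ("INPUT", "FORWARD"):
        if f["policy"].get(chain) != "DROP":
            findings.add("policy-not-drop:" + chain)
    inp = [r for r in f["rules"] if r["chain"] == "INPUT"]
    # A catch-all ESTABLISHED accept (no port, no protocol) must exist, or reply
    # traffic only gets in where a per-service rule happens to allow it.
    if not any(r["target"] == "ACCEPT" and "ESTABLISHED" in states_of(r)
               and "--dport" not in r["opts"] and "-p" not in r["opts"] for r in inp):
        findings.add("no-established-accept")
    for i, r in enumerate(inp):
        if r["target"] != "ACCEPT" or r["scoped"] or not opens_new(r):
            continue
        # First match wins: a global ACCEPT above '-s <range> -j DROP' lets that
        # range reach whatever service the ACCEPT opens.
        for later in inp[i + 1:]:
            if later["target"] == "DROP" and later["src"] is not None:
                findings.add("shadowed-drop:%s:by-dport:%s"
                             % (later["src"], r["opts"].get("--dport", "any")))
        if (r["opts"].get("--dport") == "22"
                and not {"limit", "recent", "hashlimit"} & set(r["modules"])):
            findings.add("ssh-global-unthrottled")
    return sorted(findings)


# Constructed rulesets modelled on the file above (short bogon list, LAN
# 192.168.1.0/24); GOOD should pass, BAD shows every check firing.
GOOD = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -p all -j ACCEPT
-A OUTPUT -o lo -p all -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 0.0.0.0/8 -j DROP
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -s 169.254.0.0/16 -j DROP
-A INPUT -s 224.0.0.0/4 -j DROP
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p icmp --icmp-type 8 -j ACCEPT
COMMIT
"""

BAD = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -p all -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j DROP
-A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
"""
```

Feed it your own file with audit_filter(open("/etc/firewall.rules").read()). The ESTABLISHED,RELATED rule sits above the bogon drops on purpose: it cannot admit a new connection, so it shadows nothing, and it keeps reply packets from being evaluated against every rule below it.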


3. Limit user access

We'd like to limit ordinary users to a few simple commands.
For that I'll use the "rbash" restricted shell. It's easy to set up (Debian's bash package already ships /bin/rbash, so create the link only if it is missing), and rbash has to become the user's login shell, for example with chsh -s /bin/rbash:

cd /bin
ln -s bash rbash

Create a directory where you will put the allowed commands:

mkdir /var/limited-commands
chown root  /var/limited-commands
chmod 755 /var/limited-commands

Link the ping command into this folder:

ln -s /bin/ping  /var/limited-commands

Don't chown or chmod the link afterwards: both commands follow symlinks, so a "chmod 755" would land on /bin/ping itself and strip its setuid bit on releases where ping is setuid, breaking ping for everyone but root.

Then add the following line to the user's .profile and .bashrc:


Finally make these files root-owned and read-only for the user, otherwise the user can simply put PATH back:

chown root /home/$User/.profile
chown root /home/$User/.bashrc
chmod 755 /home/$User/.profile
chmod 755 /home/$User/.bashrc

Keep in mind that rbash only blocks changing PATH, redirecting output to files and running commands with a slash in their name; any allowed command that can itself start a program (an editor, a pager, find, awk and the like) is a way out of the restricted shell, so keep the allowed list to commands that spawn nothing.

As a last step allow/deny crontab access for this user. Create the /etc/cron.allow file and list, one per line, all users who should be able to use crontab:


Any user not listed there won't be allowed to use crontab.

IPv6 basics for Debian


I've started to play with IPv6 and want to set it up for my home users.

I got an IPv6 range from Hurricane Electric, and with it IPv6 connectivity for my server.
It's a free service where you can get IPv6 addresses and domain names and learn about IPv6. For more info visit this site:

Once you're connected to the IPv6 cloud you can start to play.
I've also requested a /48 for my LAN devices.

First you have to get IPv6 connectivity from HE. It only works if your server is reachable from the internet with IP protocol 41 (6in4 encapsulation), so the server has to be the edge of your network; if it's behind NAT you have to play with your firewall: a sophisticated one can forward protocol 41, otherwise you just have to put the server in the DMZ.

Then you can set up the tunnel interface in /etc/network/interfaces (it is a static 6in4 tunnel to the HE endpoint you chose, not 6to4):

auto he-ipv6
iface he-ipv6 inet6 v4tunnel
  address 2001:470:<your prefix>
  netmask 64
  endpoint <Chosen He endpoint>
  local <Your local address>
  ttl 255
  gateway 2001:470:<He IP from your prefix>

Next, make sure IPv6 is enabled globally (load the module now and on every boot):

modprobe ipv6
echo "ipv6" >> /etc/modules

Next, open the necessary things on your local (IPv4) firewall; the source address in these rules is HE's tunnel endpoint:

# Allow IP protocol 41 for 6to4 tunnel from HE
iptables -I INPUT -s -p 41 -j ACCEPT
iptables -I OUTPUT -s -p 41 -j ACCEPT
# Allow ping only from HE
iptables -A INPUT -s -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allow ipv6 ping only from HE
iptables -A INPUT -s -p ipv6

Don't forget to set up the IPv6 firewall (ip6tables) as well! By default it allows everything, and once the /48 is routed to your LAN every host behind the server is globally reachable: give ip6tables the same DROP default on INPUT and FORWARD with an ESTABLISHED,RELATED accept, and do allow ICMPv6, because neighbour discovery and path MTU discovery don't work without it.

Later on you have the option to disable IPv6 again. It could be useful to save your server's resources:

echo "net.ipv6.conf.all.disable_ipv6=1" > /etc/sysctl.d/disableipv6.conf
echo 'blacklist ipv6' >> /etc/modprobe.d/blacklist.conf
sed -i '/::/s%^%#%g' /etc/hosts
sed -i 's/ipv6//g' /etc/modules

But not now: we've just enabled IPv6 and set up the interface, so as a last step, reboot the server.


Wait until the server comes back and try to ping HE's side of the tunnel. It should work (if not, there is a problem with the server's global connectivity or the local firewall).

That’s it!

All-in-one home server. Part 1 – Beginning


This will be a somewhat bigger topic, which I started today, 30.10.2014. At the moment I have 1 router, 1 AP+switch and 1 Raspberry Pi for the server functions. I decided to replace these devices with one simple PC. Why? Because it's easier to manage only 1 device, and it's much more powerful than the RPi.

So I took my old PC and put 2 network cards in its PCI slots. The setup looks like this:

  • CPU: DualCore AMD Athlon 64 X2, 2600 MHz (13 x 200) 5000+
  • 2GB DDR2 800Mhz memory
  • LAN interfaces (2 options):
    • At first I'll have fewer wired devices, so no additional switch is necessary. I'll use 2 dual-port PCI Gigabit cards (4 Gigabit ports).
    • Later on, if I need more ports, I'll use a Nortel BayStack 425 or a Cisco 3550 (1 Gigabit port to the server, 24 Fast Ethernet ports for the hosts). Because the uplink is below 100 Mbit we don't need Gigabit interfaces (except for copying big files internally).
  • WAN side: 1x 100 Mbit interface
  • Wireless LAN:
  • 128GB SSD for system
  • 1 HDD for data partition, and a copy from the OS(for safety sake)

What functions should it do?

  • SSH server, reachable from the Internet
  • Web server, to copy my wordpress to it
  • Deluge server – for downloads
  • Samba server – store everything in one central place and stream films etc.
  • Munin server to monitor my local network
  • VPN server, just because it's fancy and I like to play from my own network
  • Routing features
    • If the primary link fails, this machine can use a 3G connection as a backup path (IPv4 only, no connections from outside)
    • IPv4 LAN/WAN
    • IPv6 WAN

Apache2 with HTTPS and SSL + shellinabox

Hello and Welcome,


In some cases, at your workplace for example, you'll be on a fully filtered network with firewalls and IDSs, and in most cases SSH is not allowed. If the local IT people are not so clever, they just filter port 22; then it's easy to reach your server on a different port.

But when the firewall people are clever enough to filter the SSH protocol itself, they will kill that connection too.

Here is a workaround: another (encrypted) way to connect to your server.

It's called shellinabox, a web-based terminal to your server.

Combine it with apache and OpenSSL and you get a shell in the browser over HTTPS.


Install the necessary daemons:

apt-get install apache2 shellinabox

Test if apache2 works:


Activate the SSL Module

The next step is to enable SSL.

a2enmod ssl

Follow up by restarting Apache.

service apache2 restart


Create Self Signed SSL Certificate

mkdir /etc/apache2/ssl
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/apache.key -out /etc/apache2/ssl/apache.crt

With this command you create the self-signed certificate and the private key that belongs to it, and place both in the new directory. -nodes leaves the key unencrypted so apache can start without a passphrase, so make sure only root can read it (chmod 600 on apache.key).

The most important part of the generation is the "Common Name (e.g. server FQDN or YOUR name)" prompt: put your domain name or public IP address in this field. Current browsers ignore the Common Name and require a subjectAltName, so with OpenSSL 1.1.1 or newer also add -addext "subjectAltName=DNS:your.host.name" (or IP:your.address) to the command; otherwise the browser warning stays even after you import the certificate.



Set Up the Certificate


OK, our new certificate is ready; the next step is to set up the virtual host to serve it. Open the SSL site config (on apache 2.4 the file is called default-ssl.conf):

vi /etc/apache2/sites-available/default-ssl


Within the section that begins with <VirtualHost _default_:443>, make the following changes. Add a ServerName line right below the ServerAdmin email:



Replace the value with your domain name or server IP address (it must match the common name, or better the subjectAltName, on the certificate). Then find the following three lines and make sure they point at the files you just created:

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/apache.key


Activate the New Virtual Host

a2ensite default-ssl


Restart the apache2 again.

service apache2 restart


Configure shellinabox


First edit the defaults file that the init script reads:

vi /etc/default/shellinabox

Add this line to the end of the file (the arguments should make shellinaboxd listen on localhost only, its --localhost-only option, and leave TLS to apache with --disable-ssl, so that port 4200 can't be reached unencrypted from outside):



It should looks like:

# Should shellinaboxd start automatically

# TCP port that shellinboxd's webserver listens on

# Parameters that are managed by the system and usually should not need
# changing:
# SHELLINABOX_DATADIR=/var/lib/shellinabox
# SHELLINABOX_USER=shellinabox

# Any optional arguments (e.g. extra service definitions).  Make sure
# that that argument is quoted.
#   Beeps are disabled because of reports of the VLC plugin crashing
#   Firefox on Linux/x86_64.


Enable some apache proxy modules:

a2enmod proxy
a2enmod proxy_http


Make things easier

Open the following file for editing:

vi /etc/apache2/sites-available/default-ssl

Inside the VirtualHost block, before its closing </VirtualHost> (which in turn sits before the end of the IfModule), put something like this:

<Location /shell>
    ProxyPass http://localhost:4200/
    ProxyPassReverse http://localhost:4200/
</Location>

That means you will be able to reach the shell at the /shell path of your HTTPS server. Since /shell now hands a login prompt to anyone who can reach the web server, consider putting Basic auth (AuthType Basic with an htpasswd file) or a client certificate in front of the Location, and keep shellinaboxd bound to localhost so port 4200 itself cannot be reached without TLS.

Restart shellinabox and then restart apache.

service shellinabox restart
service apache2 restart




SSH PKI authentication to a Unix/Linux system

Hi There,

I always prefer public-key authentication to my devices when I have the chance to configure it.


– You don't have to type a password every time, which reduces the risk of typing it into a chat window by mistake.
– It's much stronger than your dog's name or your date of birth 🙂
– It doesn't have to be changed periodically

So whenever possible I recommend public-key authentication.

First we have to generate a private/public keypair locally:

On windows(with putty):

Download the putty keygen from here, and run it:


On Linux machines:

ssh-keygen -t rsa

(On a current OpenSSH prefer ssh-keygen -t ed25519; if you need RSA, add -b 4096.) It creates 2 files in the ~/.ssh/ directory:
id_rsa     : the private key (never leaves your machine)
id_rsa.pub : the public key (this is what goes to the server)

In both cases we now have the keypair, and the public key has to be copied to the remote machine.

Create the necessary directory on the server if it doesn't exist:

mkdir .ssh
cd .ssh

And create the file for the public keys:

touch authorized_keys

In this file we store our public keys (!!! 1 key per line; a pasted key must not wrap).
If you copied the public key correctly you will be able to log in without a password. If sshd still asks for one, check the permissions: ~/.ssh should be 700 and authorized_keys 600, and with the default StrictModes yes sshd silently ignores them if the directory, the file or the home directory is writable by group or others.
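
As an added example (not part of the original post), here is a Python 3 audit of an authorized_keys file. It decodes each key blob the way sshd does (SSH wire format: a length-prefixed type string followed by the key material), checks that the declared type matches the one inside the blob, reports RSA modulus sizes, flags DSA keys and catches the classic paste mistakes: two keys on one line and a blob that isn't valid base64. The sample keys are constructed from dummy numbers inside the block; none of them is a real key pair.

```python
import base64
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n):
    """SSH wire 'mpint': big-endian two's complement, so a positive number
    whose top bit is set gets a leading zero byte."""
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def read_string(blob, pos):
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    if pos + 4 + n > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def parse_line(line):
    """Parse one authorized_keys line: [options] type base64-blob [comment]."""
    fields = line.split()
    idx = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no key type / key data")
    ktype = fields[idx]
    blob = base64.b64decode(fields[idx + 1], validate=True)
    embedded, pos = read_string(blob, 0)
    if embedded != ktype.encode():
        raise ValueError("declared type %s but blob says %r" % (ktype, embedded))
    bits = None
    if ktype == "ssh-rsa":
        _e, pos = read_string(blob, pos)
        n, pos = read_string(blob, pos)
        bits = int.from_bytes(n, "big").bit_length()
    elif ktype == "ssh-ed25519":
        pk, pos = read_string(blob, pos)
        if len(pk) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    if bits is not None and pos != len(blob):
        raise ValueError("trailing bytes after key")
    return {"type": ktype, "bits": bits,
            "options": " ".join(fields[:idx]), "comment": fields[idx + 2:]}


def audit_authorized_keys(text):
    """One (line number, status, detail) per key line: ok, weak-rsa,
    deprecated-dsa, multiple-keys-on-one-line or malformed."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            key = parse_line(line)
        except (ValueError, struct.error) as exc:
            report.append((lineno, "malformed", str(exc)))
            continue
        if any(f in KEY_TYPES for f in key["comment"]):
            status = "multiple-keys-on-one-line"   # the "1 key in 1 line" rule
        elif key["type"] == "ssh-dss":
            status = "deprecated-dsa"
        elif key["type"] == "ssh-rsa" and key["bits"] < 2048:
            status = "weak-rsa"
        else:
            status = "ok"
        report.append((lineno, status, "%s %s" % (key["type"], key["bits"])))
    return report


# Constructed sample keys: wire encodings built here from dummy numbers.
def _b64(blob):
    return base64.b64encode(blob).decode()

ED = _b64(ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32))
RSA2048 = _b64(ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 1))
RSA1024 = _b64(ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 1023) | 1))
DSS = _b64(ssh_string(b"ssh-dss"))

SAMPLE = "\n".join([
    "ssh-ed25519 %s alice@laptop" % ED,
    "ssh-rsa %s bob@desk" % RSA2048,
    "ssh-rsa %s old-key" % RSA1024,
    "ssh-dss %s legacy" % DSS,
    'command="/usr/bin/rsync --server" ssh-ed25519 %s backup' % ED,
    "ssh-ed25519 %s alice ssh-ed25519 %s bob" % (ED, ED),   # two keys pasted on one line
    "ssh-ed25519 not*base64 broken",
])

if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE):
        print(*entry)
```

Point it at a real file with audit_authorized_keys(open("/home/user/.ssh/authorized_keys").read()); a "malformed" line is one sshd will skip without saying why, which is the usual reason a freshly pasted key "doesn't work".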