diff --git a/3x-ui/index.html b/3x-ui/index.html
old mode 100644
new mode 100755
index 103fcc0..1b9599f
--- a/3x-ui/index.html
+++ b/3x-ui/index.html
@@ -20,7 +20,7 @@
-
+
@@ -1239,7 +1239,6 @@
Click on the QR code icon next to the created client, then click the QR code to copy it to the clipboard, and paste it into Nekoray/Streisand.
-Click on the QR code icon next to the created client, then click on the QR code to copy it to the clipboard and paste it into Nekoray/Streisand.
apt install fail2ban -y && apt install ufw -y
@@ -1319,7 +1318,7 @@ Final
- 2024-11-25
+ 2024-11-28
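Review bot: The header of 3x-ui/index.html flips the file mode from 100644 to 100755, and the same `old mode 100644` / `new mode 100755` pair recurs on the other files visible in this diff, including CNAME, the PNG/SVG images, the minified JS/CSS bundles and search/search_index.json. Static site output has no reason to carry the executable bit; a blanket change like this usually comes from a recursive chmod or from committing on a filesystem that does not track permissions, though the commit itself does not say which. I would drop the mode changes before merging, for example with `git update-index --chmod=-x <path>` on the affected files, and set `git config core.fileMode false` on the build machine if the filesystem turns out to be the cause. Keeping published assets at 0644 also means an unintended permission change stands out in a later diff instead of being lost among dozens of mode-only entries.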
diff --git a/404.html b/404.html
old mode 100644
new mode 100755
index 01f3279..eaad87d
--- a/404.html
+++ b/404.html
@@ -14,7 +14,7 @@
-
+
diff --git a/CNAME b/CNAME
old mode 100644
new mode 100755
diff --git a/assets/images/favicon.png b/assets/images/favicon.png
old mode 100644
new mode 100755
diff --git a/assets/javascripts/bundle.83f73b43.min.js b/assets/javascripts/bundle.83f73b43.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/bundle.83f73b43.min.js.map b/assets/javascripts/bundle.83f73b43.min.js.map
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.ar.min.js b/assets/javascripts/lunr/min/lunr.ar.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.da.min.js b/assets/javascripts/lunr/min/lunr.da.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.de.min.js b/assets/javascripts/lunr/min/lunr.de.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.du.min.js b/assets/javascripts/lunr/min/lunr.du.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.el.min.js b/assets/javascripts/lunr/min/lunr.el.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.es.min.js b/assets/javascripts/lunr/min/lunr.es.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.fi.min.js b/assets/javascripts/lunr/min/lunr.fi.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.fr.min.js b/assets/javascripts/lunr/min/lunr.fr.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.he.min.js b/assets/javascripts/lunr/min/lunr.he.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.hi.min.js b/assets/javascripts/lunr/min/lunr.hi.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.hu.min.js b/assets/javascripts/lunr/min/lunr.hu.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.hy.min.js b/assets/javascripts/lunr/min/lunr.hy.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.it.min.js b/assets/javascripts/lunr/min/lunr.it.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.ja.min.js b/assets/javascripts/lunr/min/lunr.ja.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.jp.min.js b/assets/javascripts/lunr/min/lunr.jp.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.kn.min.js b/assets/javascripts/lunr/min/lunr.kn.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.ko.min.js b/assets/javascripts/lunr/min/lunr.ko.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.multi.min.js b/assets/javascripts/lunr/min/lunr.multi.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.nl.min.js b/assets/javascripts/lunr/min/lunr.nl.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.no.min.js b/assets/javascripts/lunr/min/lunr.no.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.pt.min.js b/assets/javascripts/lunr/min/lunr.pt.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.ro.min.js b/assets/javascripts/lunr/min/lunr.ro.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.ru.min.js b/assets/javascripts/lunr/min/lunr.ru.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.sa.min.js b/assets/javascripts/lunr/min/lunr.sa.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.stemmer.support.min.js b/assets/javascripts/lunr/min/lunr.stemmer.support.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.sv.min.js b/assets/javascripts/lunr/min/lunr.sv.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.ta.min.js b/assets/javascripts/lunr/min/lunr.ta.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.te.min.js b/assets/javascripts/lunr/min/lunr.te.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.th.min.js b/assets/javascripts/lunr/min/lunr.th.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.tr.min.js b/assets/javascripts/lunr/min/lunr.tr.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.vi.min.js b/assets/javascripts/lunr/min/lunr.vi.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/min/lunr.zh.min.js b/assets/javascripts/lunr/min/lunr.zh.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/tinyseg.js b/assets/javascripts/lunr/tinyseg.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/lunr/wordcut.js b/assets/javascripts/lunr/wordcut.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/workers/search.6ce7567c.min.js b/assets/javascripts/workers/search.6ce7567c.min.js
old mode 100644
new mode 100755
diff --git a/assets/javascripts/workers/search.6ce7567c.min.js.map b/assets/javascripts/workers/search.6ce7567c.min.js.map
old mode 100644
new mode 100755
diff --git a/assets/stylesheets/main.0253249f.min.css b/assets/stylesheets/main.0253249f.min.css
old mode 100644
new mode 100755
diff --git a/assets/stylesheets/main.0253249f.min.css.map b/assets/stylesheets/main.0253249f.min.css.map
old mode 100644
new mode 100755
diff --git a/assets/stylesheets/palette.06af60db.min.css b/assets/stylesheets/palette.06af60db.min.css
old mode 100644
new mode 100755
diff --git a/assets/stylesheets/palette.06af60db.min.css.map b/assets/stylesheets/palette.06af60db.min.css.map
old mode 100644
new mode 100755
diff --git a/css/timeago.css b/css/timeago.css
old mode 100644
new mode 100755
diff --git a/discord/index.html b/discord/index.html
old mode 100644
new mode 100755
index 15055d4..3230ec1
--- a/discord/index.html
+++ b/discord/index.html
@@ -20,7 +20,7 @@
-
+
diff --git a/firefox/index.html b/firefox/index.html
old mode 100644
new mode 100755
index 6803310..adccfac
--- a/firefox/index.html
+++ b/firefox/index.html
@@ -20,7 +20,7 @@
-
+
diff --git a/geoblock/index.html b/geoblock/index.html
old mode 100644
new mode 100755
index 766ec46..2a5d252
--- a/geoblock/index.html
+++ b/geoblock/index.html
@@ -20,7 +20,7 @@
-
+
diff --git a/gettingstarted/index.html b/gettingstarted/index.html
old mode 100644
new mode 100755
index 85db8ac..f449743
--- a/gettingstarted/index.html
+++ b/gettingstarted/index.html
@@ -20,7 +20,7 @@
-
+
diff --git a/images/1.png b/images/1.png
old mode 100644
new mode 100755
diff --git a/images/favicon.svg b/images/favicon.svg
old mode 100644
new mode 100755
index d55d922..cd58c99
--- a/images/favicon.svg
+++ b/images/favicon.svg
@@ -1,3 +1,3 @@
-
+
diff --git a/images/logo.svg b/images/logo.svg
old mode 100644
new mode 100755
index d55d922..cd58c99
--- a/images/logo.svg
+++ b/images/logo.svg
@@ -1,3 +1,3 @@
-
+
diff --git a/images/nekoray/nekoraycore1.png b/images/nekoray/nekoraycore1.png
old mode 100644
new mode 100755
diff --git a/images/nekoray/nekorayprofile.png b/images/nekoray/nekorayprofile.png
old mode 100644
new mode 100755
diff --git a/images/nekoray/nekorayproxy.png b/images/nekoray/nekorayproxy.png
old mode 100644
new mode 100755
diff --git a/images/nekoray/nekoraysettingtun.png b/images/nekoray/nekoraysettingtun.png
old mode 100644
new mode 100755
diff --git a/images/nekoray/nekoraysettingtun1.png b/images/nekoray/nekoraysettingtun1.png
old mode 100644
new mode 100755
diff --git a/images/nekoray/nekoraysettingtun2.png b/images/nekoray/nekoraysettingtun2.png
old mode 100644
new mode 100755
diff --git a/images/nekoray/nekoraytunmode.png b/images/nekoray/nekoraytunmode.png
old mode 100644
new mode 100755
diff --git a/images/wush/wush.gif b/images/wush/wush.gif
old mode 100644
new mode 100755
diff --git a/images/wush/wushcp.png b/images/wush/wushcp.png
old mode 100644
new mode 100755
diff --git a/images/wush/wushserve.png b/images/wush/wushserve.png
old mode 100644
new mode 100755
diff --git a/index.html b/index.html
old mode 100644
new mode 100755
index 51afb04..d717094
--- a/index.html
+++ b/index.html
@@ -18,7 +18,7 @@
-
+
diff --git a/iphone/index.html b/iphone/index.html
old mode 100644
new mode 100755
index a75ee6c..bf85c69
--- a/iphone/index.html
+++ b/iphone/index.html
@@ -20,7 +20,7 @@
-
+
diff --git a/jfscan/index.html b/jfscan/index.html
old mode 100644
new mode 100755
index d815c5f..09e3b54
--- a/jfscan/index.html
+++ b/jfscan/index.html
@@ -20,7 +20,7 @@
-
+
diff --git a/js/timeago.min.js b/js/timeago.min.js
old mode 100644
new mode 100755
diff --git a/js/timeago_mkdocs_material.js b/js/timeago_mkdocs_material.js
old mode 100644
new mode 100755
diff --git a/nekoray/index.html b/nekoray/index.html
old mode 100644
new mode 100755
index e504a90..bfebf8e
--- a/nekoray/index.html
+++ b/nekoray/index.html
@@ -20,7 +20,7 @@
-
+
diff --git a/nextcloud/index.html b/nextcloud/index.html
old mode 100644
new mode 100755
index 2614fc8..0022ef6
--- a/nextcloud/index.html
+++ b/nextcloud/index.html
@@ -20,7 +20,7 @@
-
+
diff --git a/nothing/index.html b/nothing/index.html
old mode 100644
new mode 100755
index 93faacd..4158ed6
--- a/nothing/index.html
+++ b/nothing/index.html
@@ -20,7 +20,7 @@
-
+
diff --git a/search/search_index.json b/search/search_index.json
old mode 100644
new mode 100755
index 882fbb5..d571a24
--- a/search/search_index.json
+++ b/search/search_index.json
@@ -1 +1 @@
-{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Welcome to TeamDominant wiki","text":"Little disclaimer. Some information was copied from virtualize.link, because I find information provided by its author useful. Make sure to check the source or star the repo.
"},{"location":"#software","title":"Software","text":" - Discord
- Firefox
- Telegram
"},{"location":"#network","title":"Network","text":" - 3x-ui
- Nekoray
- Streisand
"},{"location":"#server","title":"Server","text":" - Nextcloud
- SWAG
- Geoblock
- Jfscan
"},{"location":"#other","title":"Other","text":" - iPhone
- Nothing Phone
- Setup list
- Wush
"},{"location":"3x-ui/","title":"3x-ui","text":""},{"location":"3x-ui/#setup-used","title":"Setup used","text":"The setup was used in my case:
- OS: Ubuntu 22.04.5
- 3x-ui Version: 2.4.6
- VPS: Aeza
"},{"location":"3x-ui/#installation","title":"Installation","text":"As soon as we log into the system after purchasing a VPS, we execute the following commands:
-
apt update && apt upgrade -y\n
to install all updates -
openssl req -x509 -keyout /etc/ssl/certs/3x-ui.key -out /etc/ssl/certs/3x-ui.pem -newkey rsa:4096 -sha256 -days 3650 -nodes -new\n
where .pem is the public key, and .key is the private key. Just keep pressing Enter, no need to fill anything in. -
bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)\n
to install the panel itself
"},{"location":"3x-ui/#setting-up","title":"Setting up","text":" -
Would you like to customize the Panel Port settings? (If not, a random port will be applied)
we answer \"n\".
-
Click on the link in the \"Access URL\" line to access our panel. Enter the credentials generated for us after the installation.
3.Go to Panel Settings, then to the Authentication section, and change the login details. In the General section, specify the path to the already created Public & Private keys: /etc/ssl/certs/3x-ui.pem and /etc/ssl/certs/3x-ui.key. Scroll up, click Save, and restart the panel.
"},{"location":"3x-ui/#inbound-creation","title":"Inbound creation","text":" - Protocol:
vless
- Port:
443
- Client:
Enabled
- Email =
email
or username
- Security:
Reality
- uTLS:
chrome/firefox
- Dest \u0438 SNI: choose a website with the lowest ping in the country where your VPS is located. You can check it by running the following command in your VPS terminal: ping domain.com. You can ask your VPS support for assistance or simply ask ChatGPT.
If port 443 is occupied, then:
- Port: custom or default
- uTLS: chrome/firefox/random You are supposed to test it yourself because it works differently on each VPS, ISP, and even OS.
- Dest and SNI: you also need to test these yourself.
Click on the QR code icon next to the created client, then click the QR code to copy it to the clipboard, and paste it into Nekoray/Streisand.
Click on the QR code icon next to the created client, then click on the QR code to copy it to the clipboard and paste it into Nekoray/Streisand.
"},{"location":"3x-ui/#securing-and-little-tweaks","title":"Securing and little tweaks","text":""},{"location":"3x-ui/#fail2ban","title":"Fail2ban","text":"apt install fail2ban -y && apt install ufw -y\n
After runnig touch /etc/fail2ban/jail.local && nano /etc/fail2ban/jail.local
Copy and paste (ctrl + shift + v):
[sshd]\nenabled = true\nfilter = sshd\naction = iptables[name=SSH, port=ssh, protocol=tcp]\nlogpath = /var/log/auth.log\nfindtime = 600\nmaxretry = 3\nbantime = 43200\n
Press ctrl + x, then y, and hit enter to save and exit.
"},{"location":"3x-ui/#ufw","title":"Ufw","text":" -
nano /etc/ufw/before.rules\n
Look -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
and change ACCEPT
to DROP
-
apt install net-tools\n
netstat -ntlp | grep LISTEN\n
Open the ports you need (SSH, 3x-ui, 443, and any others if you have additional services). ufw allow 22/tcp && ufw allow 443 && ufw allow {panel_port} && ufw enable\n
ctrl + x, y and enter. -
In the terminal, type
x-ui\n
-
Type 20 (IP Limit Management) and press Enter. Then press 1 to install and type y.
"},{"location":"3x-ui/#bbr","title":"BBR","text":" -
In the terminal, type
x-ui\n
-
Type 23 (Enable BBR) and select 1 (Enable BBR).
"},{"location":"3x-ui/#final","title":"Final","text":"Finally, clean up, reboot, and you're ready to use it.
apt update && apt upgrade -y && apt autoclean -y && apt clean -y && apt autoremove -y && reboot\n
"},{"location":"discord/","title":"Discord","text":""},{"location":"discord/#pc","title":"PC","text":" - OpenAsar \u2014 perfomance tweak
- Vencord \u2014 better alternative of BetterDiscord w/ OpenAsar (recommended)
- Vesktop \u2014 Vencord, but w/ perfomance of web Discord (Linux, not sure about macOS)
"},{"location":"discord/#ios","title":"iOS","text":" - BunnyTweak \u2014 Get prebuilt rootful and rootless
.deb
files or the prepatched .ipa
"},{"location":"discord/#android","title":"Android","text":" - BunnyXposed \u2014 Root with Xposed
- BunnyManager \u2014 Non-root
"},{"location":"discord/#plugins-themes","title":"Plugins & Themes","text":"Check out Vendetta Discord server.
IMPORTANT As of 06/02/24, Vendetta has been discontinued.
"},{"location":"geoblock/","title":"Geoblock","text":"Little disclaimer. Some information was copied from virtualize.link, because I find information provided by its author useful. Make sure to check the source or star the repo.
"},{"location":"geoblock/#vps","title":"VPS","text":"I've been dealing with constant attacks on a mail server on a VPS coming from 2 specific countries, the only solution that worked was completely blocking these countries.
There are 2 popular geoblock providers, Maxmind and DP-IP, we can utilize them using a python library called geoipsets.
"},{"location":"geoblock/#installation","title":"Installation","text":"Install the following packages:
sudo apt install python3 python3.12 python3-pip python3-venv ipset\n
Create a python virtual environment:
python3 -m venv .venv\n
Verify that it works:
source .venv/bin/activate\n
"},{"location":"geoblock/#geoblock-config","title":"Geoblock Config","text":"Create a geoblock config according to the geoipsets documentation.
For example /home/user/geoipsets.conf
:
[general]\nprovider=dbip\nfirewall=iptables\naddress-family=ipv4,ipv6\n\n[countries]\nRU\nCN\n
Verify that it works:
source .venv/bin/activate\ngeoipsets -o /home/user -c /home/user/geoipsets.conf\n
"},{"location":"geoblock/#geoblock-script","title":"Geoblock Script","text":"Create a script to refresh the geoblock ipsets and recreate the iptables rules.
For example /home/user/geoblock.sh
:
#!/bin/bash\n\noutput_path=\"/home/user\"\nvenv_path=\"/home/user/.venv/bin/activate\"\nconfig_path=\"/home/user/geoipsets.conf\"\nlog=\"/home/user/geoblock.log\"\n\necho \"Updating Blocklist $(date)\" >> $log\nsource $venv_path\ngeoipsets -o $output_path -c $config_path >> $log\n\nfor i in $(find \"${output_path}/geoipsets\" -name \"*.ipv*\");\ndo\n name=$(basename $i)\n echo $name >> $log\n /usr/sbin/ipset flush $name >> $log\n /usr/sbin/ipset restore --exist --file $i >> $log\n command=$(if [[ $name == *ipv4 ]]; then echo \"/usr/sbin/iptables\"; else echo \"/usr/sbin/ip6tables\"; fi)\n $command -D FORWARD -m set --match-set $name src -j DROP &>/dev/null\n $command -D INPUT -m set --match-set $name src -j DROP &>/dev/null\n $command -D DOCKER-USER -m set --match-set $name src -j DROP &>/dev/null\n $command -I DOCKER-USER 1 -m set --match-set $name src -j DROP >> $log\n $command -I INPUT 1 -m set --match-set $name src -j DROP >> $log\n $command -I FORWARD 1 -m set --match-set $name src -j DROP >> $log\ndone\n
Verify that it works and the ipsets have been filled:
chmod +x /home/user/geoblock.sh\nsudo /home/user/geoblock.sh\nsudo ipset list RU.ipv4\n
"},{"location":"geoblock/#cron-scheduling","title":"Cron Scheduling","text":""},{"location":"geoblock/#warning-make-sure-youre-not-accidentally-blocking-your-own-access-to-the-vps-before-proceeding","title":"Warning - make sure you're not accidentally blocking your own access to the VPS before proceeding.","text":"Run the geoblock script on reboot and weekly.
For example, add the following to sudo crontab -e
:
20 0 * * 2 /home/user/geoblock.sh\n@reboot sleep 120 && /home/user/geoblock.sh\n
Verify that it runs on reboot and weekly. There's a 2 minute delay before it applies after reboots, to give you enough time to fix a lockout.
"},{"location":"geoblock/#opnsense","title":"OPNSense","text":""},{"location":"geoblock/#alias","title":"Alias","text":"Navigate to Firewall > Aliases > GeoIP settings and add a link to a geoblock database with your license key:
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=your-license-key&suffix=zip\n
Navigate to Firewall > Aliases and create aliases with the countries you want to block or whitelist a specific country:
Name: Geoblock\nType: GeoIP (IPv4, IPv6)\nContent: Select all the countries you want to block\n
Name: UK\nType: GeoIP (IPv4, IPv6)\nContent: Select UK\n
"},{"location":"geoblock/#firewall","title":"Firewall","text":"Navigate to Firewall > Rules > WAN and create firewall rules:
Action: Block\nInterface: WAN\nDirection: in\nTCP/IP Version: IPv4+IPv6\nProtocol: any\nSource: Geoblock\nDestination: any\nDescription: Blocks specific countries\n
Action: Pass\nInterface: WAN\nDirection: in\nTCP/IP Version: IPv4+IPv6\nProtocol: TCP\nSource: UK\nDestination: WAN address\nDestination port range: 443\nDescription: Whitelist UK on port 443\n
"},{"location":"geoblock/#cron","title":"Cron","text":"Create a cron job to automatically update the blocklists every day.
Navigate to System > Settings > Cron and add the following job:
Eabled: checked\nMinutes: 0\nHours: 0\nDay of the month: *\nMonths: *\nDays of the week: *\nCommand: Update and reload firewall aliases\n
"},{"location":"gettingstarted/","title":"Getting Started","text":""},{"location":"gettingstarted/#about","title":"About","text":"Welcome to docs, which created by my personal experience in EVERYTHING me and my mates and team face nowadays and faced during our lifes.
"},{"location":"gettingstarted/#language-barrier","title":"Language barrier","text":"To be honest, I don't care. It would be too easy if all the data was presented to you like a dish in a restaurant. I want the reader to understand the problem he is dealing with and \"dive\" in the topic.
"},{"location":"iphone/","title":"iPhone usage notes","text":""},{"location":"jfscan/","title":"Jfscan","text":"https://github.com/nullt3r/jfscan
"},{"location":"nekoray/","title":"Nekoray","text":"Before we begin, note that there are two installation options depending on your needs:
- If you only need the proxy to work in a browser, any version of Nekoray will do.
- If you need to proxy specific applications, we recommend using versions 3.24 or 3.25.
This is because in version 3.26, the \"Whitelist Mode\" in Tun Mode settings does not work. As a result, you won\u2019t be able to proxy only specific applications.
"},{"location":"nekoray/#1-install","title":"1. Install","text":"Installing and Configuring Nekoray
Here is a list of all available download links for Nekoray, categorized by operating system:
-
Nekoray for Windows (64-bit) - Download 3.26 - Download 3.25 - Download 3.24
-
Nekoray for linux (64-bit, archive) - Download 3.26 - Download 3.25 - Download 3.24
-
Nekoray for Linux (AppImage) - Download 3.26 - Download 3.25 - Download 3.24
-
Nekoray for Debian/Ubuntu (64-bit, package .deb) - Download 3.26 - Download 3.25 - Download 3.24
-
Nekoray for Android - Download 1.3.2 arm64-v8a - Download 1.3.2 armeabi-v7a
"},{"location":"nekoray/#2-installing-nekoray-on-windows","title":"2. Installing Nekoray on Windows","text":"Next, we will look at the installation process for Nekoray on Windows. Some steps may vary depending on the system, but the overall process remains the same.
Step 1: Download Nekoray
Step 2: fter the download is complete, follow these steps:
- Locate the downloaded file:
nekoray-3.26-2023-12-09-windows64.zip
.
- Right-click on the file and select \"Extract All\u2026\", or use an archiving tool like WinRAR or 7-Zip to extract the contents to a convenient location on your computer.
Step 3: Launching the Program
- Open the folder with the extracted files.
- Locate the file
nekoray.exe
. - Double-click it to launch the program.
The program works out of the box. No installation is required.
"},{"location":"nekoray/#3-initial-setup-of-nekoray","title":"3. Initial Setup of Nekoray","text":" - Core Selection:
When you launch the program for the first time, make sure to select the sing-box core.
This is necessary for proper functionality. If you were not given this choice or selected something other than sing-box, you can check or change it in the settings:
- Click on Settings
- General Settings
- Navigate to the Core tab
- Select
sing-box
.
-
Adding a Profile
-
Copy the profile link for the VPN connection.
- Paste it into Nekoray using the shortcut Ctrl + V or through the menu: - Click on the Server button. - Select the option Add Profile from Clipboard.
Now we have three scenarios:
-
If you only need to proxy the browser. This works for any version.
-
If you need everything to be proxied, select \"TUN Mode\". We\u2019ll go into more detail about configuring this below. This is only relevant for version 3.26.
-
This scenario involves configuring TUN Mode for specific programs. This is only relevant for versions 3.24 and 3.25.
"},{"location":"nekoray/#scenario-1-enable-your-profile","title":"Scenario 1: Enable your profile.","text":"System Proxy mode
- Right-click on the profile.
- Select Start.
- At the top, you will see System Proxy Mode \u2014 turn it on.
Done.
"},{"location":"nekoray/#scenario-2","title":"Scenario 2:","text":"For 3.26 version
- Go to the Settings tab.
- Open TUN Mode Settings.
- Configure the following: - Stack: Mixed - MTU: 1500 (you can leave it at 9000, but we recommend 1500). - Mode TUN: Turn off. - Enable Whitelist Mode (although in version 3.26, it doesn\u2019t work properly \u2014 or at all).
Next:
- Right-click on the profile.
- Select Start.
- At the top, you will see TUN Mode \u2014 turn it on. You will be prompted to restart the program as an administrator. Confirm.
Done.
"},{"location":"nekoray/#scenario-3","title":"Scenario 3:","text":" - Go to the Settings tab.
- Open TUN Mode Settings.
- Configure the following: - Stack:
Mixed
- MTU: 1500
(you can leave it at 9000, but we recommend setting to 1500). - Mode TUN: Turn off
. - Enable Whitelist Mode
.
Now, in the second column, Proxy Processes, enter the processes you want to proxy.
Example: Discord.exe
Updater.exe
(for Discord) firefox.exe
etc.
Next:
- Right-click on the profile.
- Select Start.
- At the top, you will see TUN Mode \u2014 turn it on. You will be prompted to restart the program as an administrator. Confirm.
Done.
"},{"location":"nekoray/#processes-of-popular-browsers","title":"Processes of popular browsers ;","text":" - Google Chrome:
chrome.exe
- Yandex Browser:
browser.exe
- Mozilla Firefox:
firefox.exe
- Microsoft Edge:
msedge.exe
- Opera Browser:
opera.exe
- Safari (Windows):
safari.exe
- Brave Browser:
brave.exe
"},{"location":"nekoray/#_1","title":"Nekoray","text":"Source - A\u00e9za
"},{"location":"nextcloud/","title":"Optimizing Nextcloud","text":"Little disclaimer. Some information was copied from virtualize.link, because I find information provided by its author useful. Make sure to check the source or star the repo.
The following is a collection of ways to optimize Nextcloud's performance and responsiveness.
"},{"location":"nextcloud/#optimization-steps","title":"Optimization Steps","text":" - Use the LSIO image, not the official
- Use the latest tag which includes php8
- Enable redis
- Use mariadb (alpine) or postgres
- Use nextcloud v22 or higher
- Use imaginary to speed up thumbnail creation
- Add the following to
/config/php/php-local.ini
memory_limit = -1\nopcache.enable = 1\nopcache.enable_cli = 1\nopcache.interned_strings_buffer = 16\nopcache.max_accelerated_files = 130987\nopcache.memory_consumption = 256\nopcache.save_comments = 1\nopcache.revalidate_freq = 1\n
- Add the following to
/config/php/www2.conf
pm = dynamic\npm.max_children = 120\npm.start_servers = 12\npm.min_spare_servers = 6\npm.max_spare_servers = 18\n
- Disable Dark Reader extension on it, if you use it
- For Nextcloud to identify filesystem changes, add the following to the config:
'filesystem_check_changes' => 1,\n
- Move
/config
to a fast disk such as nvme and mount it from there - After the initial run move
/data/appdata_INSTANCEID
to a fast disk such as nvme and mount it from there, add the following under volumes:
: (the ID in the directory names will be different) - /path/to/appdata/appdata_ocytnd8b2l1b:/data/appdata_ocytnd8b2l1b\n
"},{"location":"nextcloud/#example-nextcloud-config","title":"Example Nextcloud Config","text":"Located in /config/www/nextcloud/config/config.php
'dbname' => 'nextcloud',\n 'dbhost' => 'mariadb',\n 'dbport' => '',\n 'dbtableprefix' => 'oc_',\n 'mysql.utf8mb4' => true,\n 'dbuser' => 'nextcloud_user',\n 'dbpassword' => 'DATABASE_PASSWORD',\n 'trusted_proxies' => ['172.16.0.0/12'],\n 'filesystem_check_changes' => 1,\n 'memcache.local' => '\\\\OC\\\\Memcache\\\\APCu',\n 'memcache.distributed' => '\\\\OC\\\\Memcache\\\\Redis',\n 'memcache.locking' => '\\\\OC\\\\Memcache\\\\Redis',\n 'enable_previews' => true,\n 'enabledPreviewProviders' => \n array (\n 0 => 'OC\\\\Preview\\\\Imaginary',\n 1 => 'OC\\\\Preview\\\\Movie',\n 2 => 'OC\\\\Preview\\\\MP4',\n ),\n 'preview_imaginary_url' => 'http://imaginary:9000',\n 'redis' => \n array (\n 'host' => 'redis',\n 'port' => 6379,\n ),\n
"},{"location":"nextcloud/#example-compose","title":"Example Compose","text":" nextcloud:\n image: ghcr.io/linuxserver/nextcloud:latest\n container_name: nextcloud\n environment:\n - PUID=1000\n - PGID=1000\n - TZ=Europe/London\n volumes:\n - /path/to/appdata:/config\n - /path/to/data:/data\n - /path/to/appdata/appdata_ocytnd8b2l1b:/data/appdata_ocytnd8b2l1b\n restart: unless-stopped\n depends_on:\n - mariadb\n - redis\n - imaginary\n imaginary:\n image: nextcloud/aio-imaginary:latest\n container_name: imaginary\n restart: unless-stopped\n redis:\n image: redis:alpine\n container_name: redis\n restart: unless-stopped\n mariadb:\n image: ghcr.io/linuxserver/mariadb\n container_name: mariadb\n environment:\n - PUID=1000\n - PGID=1000\n - TZ=Europe/London\n - MYSQL_DATABASE=nextcloud\n - MYSQL_USER=nextcloud_user\n - MYSQL_PASSWORD=DATABASE_PASSWORD\n - MYSQL_ROOT_PASSWORD=ROOT_ACCESS_PASSWORD\n volumes:\n - /path/to/appdata:/config\n restart: unless-stopped\n
"},{"location":"nothing/","title":"Here you will find: tips, programs, and fixes for Nothing Phone issues.","text":"Test menu: ##0##
"},{"location":"nothing/#battery-drain","title":"Battery Drain","text":"If you have recently purchased the Nothing Phone 1, it might be running a very old firmware version, possibly as outdated as 1.0.2. Increased battery consumption may occur until you update to the latest version.
We also recommend doing the following:
- Clear the cache and storage of the Nothing Launcher.
- Clear the cache and delete the data of Google Play Services.
- Clear the cache of Google Play Services for AR.
- Set the battery usage mode for Nothing Launcher to \"RESTRICTED.\"
- Disable notification access for Nothing Launcher.
- Restart and fully charge your phone.
"},{"location":"nothing/#chargers","title":"Chargers","text":"The phones support Quick Charge 4.0 and Power Delivery 3.0 charging protocols.
- Nothing Phone 1 - 33 Watts
- Nothing Phone 2, 2a - 45 Watts
All phones support Qi standard wireless charging with up to 15 Watts. Recommended GaN charger brands:
- Baseus
- Anker
- Ugreen
The author has been using the Baseus GaN5 Pro 2C+U charger for a year.
There are no exact recommendations\u2014choose a charger based on your needs, such as the number of ports, size, power, etc. Simply research and pick the one that suits your functionality requirements best.
"},{"location":"nothing/#disabling-call-recording-notification-during-a-call","title":"Disabling Call Recording Notification During a Call","text":"To disable the voice notification that call recording has started, follow these steps:
- Install
TTSLexx
from Google Play. - In your phone settings, search for
Text-to-Speech
and open it. - In the Text-to-Speech settings, select
Default Text-to-Speech Engine
and choose TTSLexx
. - Go to Apps in the settings, find the Phone app, and open it. Tap Clear Cache and Clear Storage. Your contacts will remain safe (this is confirmed for the Google Phone app).
IMPORTANT: The notification about call recording will appear during the first call, but it will not occur in subsequent calls
"},{"location":"secure/","title":"Securing SWAG","text":"Little disclaimer. Some information was copied from virtualize.link, because I find information provided by its author useful. Make sure to check the source or star the repo.
SWAG - Secure Web Application Gateway (formerly known as linuxserver/letsencrypt) is a full fledged web server and reverse proxy with Nginx, PHP7, Certbot (Let's Encrypt\u2122 client) and Fail2Ban built in. SWAG allows you to expose applications to the internet, doing so comes with a risk and there are security measures that help reduce that risk. This article details how to configure SWAG and enhance it's security.
"},{"location":"secure/#requirements","title":"Requirements","text":" - A working instance of SWAG
"},{"location":"secure/#monitor-swag","title":"Monitor SWAG","text":"Use monitoring solutions such as SWAG Dashboard to keep an eye on the traffic going through SWAG and check for suspicious activity such as:
- A lot of hits from a country unrelated to your users
- A lot of requests to a specific page or static file
- Referers that shouldn't refer to your domain
- A lot of hits on status codes that are not 2xx
"},{"location":"secure/#internal-applications","title":"Internal Applications","text":"Internal applications can be proxied through SWAG in order to use app.mydomain.com
instead of ip:port, and block them externally so only your local network could access them.
Create a file called nginx/internal.conf
with the following configuration:
allow 192.168.1.0/24; #Replace with your LAN subnet\ndeny all;\n
Utilize the lan filter in your configuration by adding the following line inside every location block for every application you want to protect.
include /config/nginx/internal.conf;\n
Example:
server {\n listen 443 ssl;\n listen [::]:443 ssl;\n\n server_name collabora.*;\n include /config/nginx/ssl.conf;\n client_max_body_size 0;\n\n location / {\n include /config/nginx/internal.conf;\n include /config/nginx/proxy.conf;\n include /config/nginx/resolver.conf;\n set $upstream_app collabora;\n set $upstream_port 9980;\n set $upstream_proto https;\n proxy_pass $upstream_proto://$upstream_app:$upstream_port;\n }\n}\n
Repeat the process for all internal applications and for every location block.
One way to securely access internal applications from the internet is through a VPN, for example WireGuard:
WireGuard Container
WireGuard on OPNSense
"},{"location":"secure/#fail2ban","title":"Fail2Ban","text":"Fail2Ban is an intrusion prevention software that protects external applications from brute-force attacks. Attackers that fail to login to your applications a certain number of times will get blocked from accessing all of your applications. Fail2Ban looks for failed login attempts in log files, counts the failed attempts in a short period, and bans the IP address of the attacker.
Mount the application logs to SWAG's container by adding a volume for the log to the compose yaml:
- /path/to/nextcloud/nextcloud.log:/nextcloud/nextcloud.log:ro\n
If the application has multiple log files with dates, mount the entire folder: - /path/to/jellyfin/log:/jellyfin:ro\n
Recreate the container with the log mount, then create a file called nextcloud.local
under fail2ban/filter.d
: [Definition]\nfailregex=^.*Login failed: '?.*'? \\(Remote IP: '?<ADDR>'?\\).*$\n ^.*\\\"remoteAddr\\\":\\\"<ADDR>\\\".*Trusted domain error.*$\nignoreregex =\n
The configuration file containes a pattern by which failed login attempts are matched. Test the pattern by failing to login to nextcloud and look for the entry corresponding to your failed attempt. {\"reqId\":\"k5j5H7K3eskXt3hCLSc4i\",\"level\":2,\"time\":\"2020-10-14T22:56:14+00:00\",\"remoteAddr\":\"1.2.3.4\",\"user\":\"--\",\n\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: username (Remote IP: 5.5.5.5)\",\n\"userAgent\":\"Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/5.6.7.8 Mobile \nSafari/537.36\",\"version\":\"19.0.4.2\"}\n
Test the pattern in nextcloud.local
by running the following command on the docker host: docker exec swag fail2ban-regex /nextcloud/nextcloud.log /config/fail2ban/filter.d/nextcloud.local\n
If the pattern works, you will see matches corresponding to the amount of failed login attempts: Lines: 92377 lines, 0 ignored, 2 matched, 92375 missed\n[processed in 7.51 sec]\n
The final step is to activate the jail, add the following to fail2ban/jail.local
: [nextcloud]\nenabled = true\nport = http,https\nfilter = nextcloud\nlogpath = /nextcloud/nextcloud.log\naction = iptables-allports[name=nextcloud]\n
The logpath is slightly different for applications that have multiple log files with dates: [jellyfin]\nenabled = true\nfilter = jellyfin\nport = http,https\nlogpath = /jellyfin/log*.log\naction = iptables-allports[name=jellyfin]\n
Repeat the process for every external application, you can find Fail2Ban configurations for most applications on the internet.
If you need to unban an IP address that was blocked, run the following command on the docker host:
docker exec swag fail2ban-client unban <ip address>\n
This great mod sends a discord notification when Fail2Ban blocks an attack: f2bdiscord.
"},{"location":"secure/#geoblock","title":"Geoblock","text":"Geoblock reduces the attack surface of SWAG by restricting access based on countries.
Enable geoblock using either DBIP mod or Maxmind mod, follow the mod's instructions to set it up.
The mods come with 3 definitions for $geo-whitelist
, $geo-blacklist
, $lan-ip
.
An example for allowing a single country:
map $geoip2_data_country_iso_code $geo-whitelist {\n default no;\n UK yes; #Replace with your country code list https://dev.maxmind.com/geoip/legacy/codes/iso3166/\n}\n
An example for blocking high risk countries: (GilbN's list based on the Spamhaus statistics and Aakamai\u2019s state of the internet report) map $geoip2_data_country_iso_code $geo-blacklist {\n default yes; #If your country is listed below, remove it from the list\n CN no; #China\n RU no; #Russia\n HK no; #Hong Kong\n IN no; #India\n IR no; #Iran\n VN no; #Vietnam\n TR no; #Turkey\n EG no; #Egypt\n MX no; #Mexico\n JP no; #Japan\n KR no; #South Korea\n KP no; #North Korea\n PE no; #Peru\n BR no; #Brazil\n UA no; #Ukraine\n ID no; #Indonesia\n TH no; #Thailand\n }\n
Utilize the geoblock in your configuration by adding one of the following lines above your location section in every application you want to protect.
Note that when using a whitelist filter, you also need to check if the source is a LAN IP, it's not required when using a blacklist filter.
if ($lan-ip = yes) { set $geo-whitelist yes; }\n if ($geo-whitelist = no) { return 404; }\n
Or if ($geo-blacklist = no) { return 404; }\n
Example:
server {\n listen 443 ssl;\n listen [::]:443 ssl;\n\n server_name authelia.*;\n include /config/nginx/ssl.conf;\n client_max_body_size 0;\n\n if ($lan-ip = yes) { set $geo-whitelist yes; } #Check for a LAN IP\n if ($geo-whitelist = no) { return 404; } #Check the country filter\n\n location / {\n include /config/nginx/proxy.conf;\n include /config/nginx/resolver.conf;\n set $upstream_app authelia;\n set $upstream_port 9091;\n set $upstream_proto http;\n proxy_pass $upstream_proto://$upstream_app:$upstream_port;\n }\n}\n
Add the lines to every external application based on your needs.
"},{"location":"secure/#nginx-configuration","title":"NGINX Configuration","text":""},{"location":"secure/#x-robots-tag","title":"X-Robots-Tag","text":"You can prevent applications from appearing in results of search engines and web crawlers, regardless of whether other sites link to it. It doesn't work on all search engines and web crawlers, but it significantly reduces the amount.
Add the X-Robots-Tag config line to ssl.conf
to enable it on all of your applications:
add_header X-Robots-Tag \"noindex, nofollow, nosnippet, noarchive\";\n
Disable on a specific application and allow search engines to display it by add the following line to the application config inside the server tag:
add_header X-Robots-Tag \"\";\n
"},{"location":"secure/#hsts","title":"HSTS","text":"HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone.
HSTS requires a working SSL certificate on your domains before enabling it.
Enable HSTS by uncommenting the HSTS config line in ssl.conf:
add_header Strict-Transport-Security \"max-age=63072000; includeSubDomains; preload\" always;\n
"},{"location":"secure/#optional-strengthening-hsts","title":"Optional - Strengthening HSTS","text":"After enabling the HSTS header, users are still vulnerable to attack if they access an HSTS\u2011protected website over HTTP when they have:
- Never before visited the site
- Recently reinstalled their operating system
- Recently reinstalled their browser
- Switched to a new browser
- Switched to a new device (for example, mobile phone)
- Deleted their browser\u2019s cache
- Not visited the site recently and the max-age time has passed
To address this, Google maintains a \u201cHSTS preload list\u201d of web domains and subdomains that use HSTS and have submitted their names to HSTS Preload. This domain list is distributed and hardcoded into major web browsers. Clients that access web domains in this list automatically use HTTPS and refuse to access the site using HTTP.
Be aware that once you set the STS header or submit your domains to the HSTS preload list, it is impossible to remove it. It\u2019s a one\u2011way decision to make your domains available over HTTPS.
"},{"location":"secure/#authelia","title":"Authelia","text":"Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. Refer to this blog post to configure Authelia.
"},{"location":"setuplist/","title":"Setup-list","text":""},{"location":"setuplist/#here-you-will-find-a-list-of-useful-programs-go-for-it","title":"Here you will find a list of useful programs. Go for it!","text":""},{"location":"setuplist/#web","title":"Web","text":"Application Description Firefox Firefox Firefox is a free and open-source web browser developed by Mozilla. Known for its speed, privacy-focused features, and customizability, it provides users with a secure and efficient browsing experience across multiple platforms, including Windows, macOS, Linux, and mobile devices. Betterfox Modified Firefox."},{"location":"setuplist/#ssh","title":"SSH","text":"Application Description PuTTY PuTTY is a free and open-source terminal emulator and network file transfer application. It supports a variety of network protocols, including SSH, Telnet, and SCP, making it a popular tool for securely accessing and managing remote servers. PuTTY is lightweight, highly customizable, and widely used on Windows, though it is also available for other operating systems. Termius Termius is a modern and feature-rich SSH client designed for managing remote systems securely and efficiently. It supports a wide range of platforms, including Windows, macOS, Linux, iOS, and Android, enabling seamless access across devices. With features like end-to-end encryption, SFTP file transfer, and organized host grouping, Termius is ideal for developers, system administrators, and IT professionals. It also includes a sleek interface, advanced terminal capabilities, and options for syncing settings and credentials across multiple devices."},{"location":"setuplist/#ftp","title":"FTP","text":"Container Description FileZilla FileZilla is a free and open-source FTP client designed for efficient file transfer between local and remote systems. It supports FTP, SFTP, and FTPS protocols, providing a secure and reliable solution for website management and server maintenance. 
With its intuitive interface, drag-and-drop functionality, and robust file management features, FileZilla is suitable for both beginners and advanced users. It is available on Windows, macOS, and Linux platforms."},{"location":"setuplist/#vpn","title":"VPN","text":"Application Description WireGuard WireGuard is a modern and highly efficient VPN protocol and software designed for secure and fast network connections. It is known for its simplicity, minimal codebase, and high performance, offering encryption standards that ensure strong privacy and data protection. WireGuard is cross-platform, working on Windows, macOS, Linux, Android, and iOS. Its lightweight design makes it easy to configure and maintain, making it a popular choice for both individuals and organizations. Nekoray Nekoray is an easy-to-use and versatile proxy client designed to simplify VPN and proxy management. It supports a range of protocols, including V2Ray, Shadowsocks and VLESS, making it ideal for bypassing restrictions and maintaining online privacy. With a clean interface, detailed configuration options, and compatibility across Windows, macOS, and Linux, Nekoray is a reliable solution for secure browsing and application-specific proxy setups."},{"location":"setuplist/#monitoring-and-sys-info","title":"Monitoring and sys info","text":"Application Description NeoHtop NeoHtop is a modern and visually enhanced system monitoring tool inspired by Htop. It provides real-time insights into system processes, resource usage, and performance metrics with a user-friendly interface. NeoHtop is designed for simplicity and efficiency, offering advanced features like process filtering and customizable views, making it a powerful tool for system administrators and developers. Im-sensors Im-sensors for linux, It allows displaying the CPU temperature and its cores in the console. You can check the current temperature or enable real-time temperature monitoring. 
HWiNFO HWiNFO is a comprehensive hardware diagnostics and monitoring tool for Windows. It provides detailed information about your system's components, including CPU, GPU, motherboard, and storage devices. With real-time performance monitoring, temperature tracking, and customizable reporting, HWiNFO is ideal for system optimization, troubleshooting, and hardware analysis. CPU-Z CPU-Z is a lightweight and free system profiling tool that provides detailed information about your computer's hardware. It displays key specifications of your CPU, motherboard, memory, and GPU, making it an essential tool for system monitoring, troubleshooting, and hardware analysis. With its user-friendly interface and accurate reporting, CPU-Z is popular among tech enthusiasts and professionals alike. CPU-G CPU-G is a lightweight and open-source system information tool designed to provide detailed insights into your computer's hardware. Similar to CPU-Z, it displays key specifications about the CPU, motherboard, memory, and more. With its focus on simplicity and cross-platform support, CPU-G is a handy utility for users looking to monitor and analyze their system's components."},{"location":"setuplist/#video-recording","title":"Video-recording","text":"Application Description OBS OBS (Open Broadcaster Software) is a free and open-source software for video recording and live streaming. It allows users to capture and broadcast high-quality video and audio from various sources, such as screens, webcams, and external devices. With advanced features like scene transitions, customizable layouts, and real-time video mixing, OBS is widely used by content creators, streamers, and professionals for its flexibility and performance."},{"location":"wush/","title":"Wush","text":""},{"location":"wush/#who-is-this-wush","title":"Who is this Wush?","text":"Wush - wush is a command line tool that lets you easily transfer files and open shells over a peer-to-peer WireGuard connection. 
It's similar to magic-wormhole but:
- No requirement to set up or trust a relay server for authentication.
- Powered by WireGuard for secure, fast, and reliable connections.
- Automatic peer-to-peer connections over UDP.
- Endless possibilities; rsync, ssh, etc.
"},{"location":"wush/#commands","title":"Commands","text":"USAGE:
Wush subcommand
Start the wush server:
wush serve\n
Open a shell to the wush host:
wush ssh \n
Transfer files to the wush host using rsync:
wush rsync local-file.txt :/path/to/remote/file \n
Copy a single file to the host:
wush cp local-file.txt \n
SUBCOMMANDS: | Command | Meaning | |-----------------|----------------------------| | cp
| Transfer files. | | port-forward
| Transfer files. | | rsync
| Transfer files over rsync. | | serve
| Run the wush server. | | ssh
| Open a shell. | | version
| Show wush version. |
OPTIONS:
wush --version bool \n
Print the version and exit.
"},{"location":"wush/#install","title":"Install","text":"Download file from Git
We tested the program using machines running Windows and Linux (with a GUI).
For Windows: Extract the files to a folder and drive of your choice. Files that we will be transferring will be sent to/from there.
On Linux, installation is done using the method that works best for you. Files (at least for us) were saved/sent to/from the Home directory.
"},{"location":"wush/#how-to-use","title":"How to use","text":"Now let's transfer a PNG file from one machine to another. In our case, Windows will act as the host, and Linux will be the client. To do this, open CMD from the folder where Wush is located. Then, enter the following commands:
Obtain the host machine's auth key using the following command:
./Wush serve \n
Copy Auth key
Now, on the client machine, enter the command to send the file:
wush cp 2.png\n
2.png
is the file that we want to send from Linux to Windows.
In the client console, we paste the key that was obtained earlier on the host machine.
How looking it
Well Done
"},{"location":"wush/#ssh","title":"SSH","text":"You can also use Wush for remote access to a machine's console. The connection is also established using an Auth key.
Use the following commands:
For hosts
Wush serve\n
For client
Wush ssh\n
"},{"location":"wush/#_1","title":"Wush","text":"Source - GitHub Coder-Wush
"}]}
\ No newline at end of file
+{"config":{"lang":["en"],"separator":"[\\s\\-]+","pipeline":["stopWordFilter"]},"docs":[{"location":"","title":"Welcome to TeamDominant wiki","text":"Little disclaimer. Some information was copied from virtualize.link, because I find information provided by its author useful. Make sure to check the source or star the repo.
"},{"location":"#software","title":"Software","text":" - Discord
- Firefox
- Telegram
"},{"location":"#network","title":"Network","text":" - 3x-ui
- Nekoray
- Streisand
"},{"location":"#server","title":"Server","text":" - Nextcloud
- SWAG
- Geoblock
- Jfscan
"},{"location":"#other","title":"Other","text":" - iPhone
- Nothing Phone
- Setup list
- Wush
"},{"location":"3x-ui/","title":"3x-ui","text":""},{"location":"3x-ui/#setup-used","title":"Setup used","text":"The setup was used in my case:
- OS: Ubuntu 22.04.5
- 3x-ui Version: 2.4.6
- VPS: Aeza
"},{"location":"3x-ui/#installation","title":"Installation","text":"As soon as we log into the system after purchasing a VPS, we execute the following commands:
-
apt update && apt upgrade -y\n
to install all updates -
openssl req -x509 -keyout /etc/ssl/certs/3x-ui.key -out /etc/ssl/certs/3x-ui.pem -newkey rsa:4096 -sha256 -days 3650 -nodes -new\n
where .pem is the public key, and .key is the private key. Just keep pressing Enter, no need to fill anything in. -
bash <(curl -Ls https://raw.githubusercontent.com/mhsanaei/3x-ui/master/install.sh)\n
to install the panel itself
"},{"location":"3x-ui/#setting-up","title":"Setting up","text":" -
Would you like to customize the Panel Port settings? (If not, a random port will be applied)
we answer \"n\".
-
Click on the link in the \"Access URL\" line to access our panel. Enter the credentials generated for us after the installation.
3.Go to Panel Settings, then to the Authentication section, and change the login details. In the General section, specify the path to the already created Public & Private keys: /etc/ssl/certs/3x-ui.pem and /etc/ssl/certs/3x-ui.key. Scroll up, click Save, and restart the panel.
"},{"location":"3x-ui/#inbound-creation","title":"Inbound creation","text":" - Protocol:
vless
- Port:
443
- Client:
Enabled
- Email =
email
or username
- Security:
Reality
- uTLS:
chrome/firefox
- Dest \u0438 SNI: choose a website with the lowest ping in the country where your VPS is located. You can check it by running the following command in your VPS terminal: ping domain.com. You can ask your VPS support for assistance or simply ask ChatGPT.
If port 443 is occupied, then:
- Port: custom or default
- uTLS: chrome/firefox/random You are supposed to test it yourself because it works differently on each VPS, ISP, and even OS.
- Dest and SNI: you also need to test these yourself.
Click on the QR code icon next to the created client, then click the QR code to copy it to the clipboard, and paste it into Nekoray/Streisand.
"},{"location":"3x-ui/#securing-and-little-tweaks","title":"Securing and little tweaks","text":""},{"location":"3x-ui/#fail2ban","title":"Fail2ban","text":"apt install fail2ban -y && apt install ufw -y\n
After runnig touch /etc/fail2ban/jail.local && nano /etc/fail2ban/jail.local
Copy and paste (ctrl + shift + v):
[sshd]\nenabled = true\nfilter = sshd\naction = iptables[name=SSH, port=ssh, protocol=tcp]\nlogpath = /var/log/auth.log\nfindtime = 600\nmaxretry = 3\nbantime = 43200\n
Press ctrl + x, then y, and hit enter to save and exit.
"},{"location":"3x-ui/#ufw","title":"Ufw","text":" -
nano /etc/ufw/before.rules\n
Look -A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
and change ACCEPT
to DROP
-
apt install net-tools\n
netstat -ntlp | grep LISTEN\n
Open the ports you need (SSH, 3x-ui, 443, and any others if you have additional services). ufw allow 22/tcp && ufw allow 443 && ufw allow {panel_port} && ufw enable\n
ctrl + x, y and enter. -
In the terminal, type
x-ui\n
-
Type 20 (IP Limit Management) and press Enter. Then press 1 to install and type y.
"},{"location":"3x-ui/#bbr","title":"BBR","text":" -
In the terminal, type
x-ui\n
-
Type 23 (Enable BBR) and select 1 (Enable BBR).
"},{"location":"3x-ui/#final","title":"Final","text":"Finally, clean up, reboot, and you're ready to use it.
apt update && apt upgrade -y && apt autoclean -y && apt clean -y && apt autoremove -y && reboot\n
"},{"location":"discord/","title":"Discord","text":""},{"location":"discord/#pc","title":"PC","text":" - OpenAsar \u2014 perfomance tweak
- Vencord \u2014 better alternative of BetterDiscord w/ OpenAsar (recommended)
- Vesktop \u2014 Vencord, but w/ perfomance of web Discord (Linux, not sure about macOS)
"},{"location":"discord/#ios","title":"iOS","text":" - BunnyTweak \u2014 Get prebuilt rootful and rootless
.deb
files or the prepatched .ipa
"},{"location":"discord/#android","title":"Android","text":" - BunnyXposed \u2014 Root with Xposed
- BunnyManager \u2014 Non-root
"},{"location":"discord/#plugins-themes","title":"Plugins & Themes","text":"Check out Vendetta Discord server.
IMPORTANT As of 06/02/24, Vendetta has been discontinued.
"},{"location":"geoblock/","title":"Geoblock","text":"Little disclaimer. Some information was copied from virtualize.link, because I find information provided by its author useful. Make sure to check the source or star the repo.
"},{"location":"geoblock/#vps","title":"VPS","text":"I've been dealing with constant attacks on a mail server on a VPS coming from 2 specific countries, the only solution that worked was completely blocking these countries.
There are 2 popular geoblock providers, Maxmind and DP-IP, we can utilize them using a python library called geoipsets.
"},{"location":"geoblock/#installation","title":"Installation","text":"Install the following packages:
sudo apt install python3 python3.12 python3-pip python3-venv ipset\n
Create a python virtual environment:
python3 -m venv .venv\n
Verify that it works:
source .venv/bin/activate\n
"},{"location":"geoblock/#geoblock-config","title":"Geoblock Config","text":"Create a geoblock config according to the geoipsets documentation.
For example /home/user/geoipsets.conf
:
[general]\nprovider=dbip\nfirewall=iptables\naddress-family=ipv4,ipv6\n\n[countries]\nRU\nCN\n
Verify that it works:
source .venv/bin/activate\ngeoipsets -o /home/user -c /home/user/geoipsets.conf\n
"},{"location":"geoblock/#geoblock-script","title":"Geoblock Script","text":"Create a script to refresh the geoblock ipsets and recreate the iptables rules.
For example /home/user/geoblock.sh
:
#!/bin/bash\n\noutput_path=\"/home/user\"\nvenv_path=\"/home/user/.venv/bin/activate\"\nconfig_path=\"/home/user/geoipsets.conf\"\nlog=\"/home/user/geoblock.log\"\n\necho \"Updating Blocklist $(date)\" >> $log\nsource $venv_path\ngeoipsets -o $output_path -c $config_path >> $log\n\nfor i in $(find \"${output_path}/geoipsets\" -name \"*.ipv*\");\ndo\n name=$(basename $i)\n echo $name >> $log\n /usr/sbin/ipset flush $name >> $log\n /usr/sbin/ipset restore --exist --file $i >> $log\n command=$(if [[ $name == *ipv4 ]]; then echo \"/usr/sbin/iptables\"; else echo \"/usr/sbin/ip6tables\"; fi)\n $command -D FORWARD -m set --match-set $name src -j DROP &>/dev/null\n $command -D INPUT -m set --match-set $name src -j DROP &>/dev/null\n $command -D DOCKER-USER -m set --match-set $name src -j DROP &>/dev/null\n $command -I DOCKER-USER 1 -m set --match-set $name src -j DROP >> $log\n $command -I INPUT 1 -m set --match-set $name src -j DROP >> $log\n $command -I FORWARD 1 -m set --match-set $name src -j DROP >> $log\ndone\n
Verify that it works and the ipsets have been filled:
chmod +x /home/user/geoblock.sh\nsudo /home/user/geoblock.sh\nsudo ipset list RU.ipv4\n
"},{"location":"geoblock/#cron-scheduling","title":"Cron Scheduling","text":""},{"location":"geoblock/#warning-make-sure-youre-not-accidentally-blocking-your-own-access-to-the-vps-before-proceeding","title":"Warning - make sure you're not accidentally blocking your own access to the VPS before proceeding.","text":"Run the geoblock script on reboot and weekly.
For example, add the following to sudo crontab -e
:
20 0 * * 2 /home/user/geoblock.sh\n@reboot sleep 120 && /home/user/geoblock.sh\n
Verify that it runs on reboot and weekly. There's a 2 minute delay before it applies after reboots, to give you enough time to fix a lockout.
"},{"location":"geoblock/#opnsense","title":"OPNSense","text":""},{"location":"geoblock/#alias","title":"Alias","text":"Navigate to Firewall > Aliases > GeoIP settings and add a link to a geoblock database with your license key:
https://download.maxmind.com/app/geoip_download?edition_id=GeoLite2-Country-CSV&license_key=your-license-key&suffix=zip\n
Navigate to Firewall > Aliases and create aliases with the countries you want to block or whitelist a specific country:
Name: Geoblock\nType: GeoIP (IPv4, IPv6)\nContent: Select all the countries you want to block\n
Name: UK\nType: GeoIP (IPv4, IPv6)\nContent: Select UK\n
"},{"location":"geoblock/#firewall","title":"Firewall","text":"Navigate to Firewall > Rules > WAN and create firewall rules:
Action: Block\nInterface: WAN\nDirection: in\nTCP/IP Version: IPv4+IPv6\nProtocol: any\nSource: Geoblock\nDestination: any\nDescription: Blocks specific countries\n
Action: Pass\nInterface: WAN\nDirection: in\nTCP/IP Version: IPv4+IPv6\nProtocol: TCP\nSource: UK\nDestination: WAN address\nDestination port range: 443\nDescription: Whitelist UK on port 443\n
"},{"location":"geoblock/#cron","title":"Cron","text":"Create a cron job to automatically update the blocklists every day.
Navigate to System > Settings > Cron and add the following job:
Eabled: checked\nMinutes: 0\nHours: 0\nDay of the month: *\nMonths: *\nDays of the week: *\nCommand: Update and reload firewall aliases\n
"},{"location":"gettingstarted/","title":"Getting Started","text":""},{"location":"gettingstarted/#about","title":"About","text":"Welcome to docs, which created by my personal experience in EVERYTHING me and my mates and team face nowadays and faced during our lifes.
"},{"location":"gettingstarted/#language-barrier","title":"Language barrier","text":"To be honest, I don't care. It would be too easy if all the data was presented to you like a dish in a restaurant. I want the reader to understand the problem he is dealing with and \"dive\" in the topic.
"},{"location":"iphone/","title":"iPhone usage notes","text":""},{"location":"jfscan/","title":"Jfscan","text":"https://github.com/nullt3r/jfscan
"},{"location":"nekoray/","title":"Nekoray","text":"Before we begin, note that there are two installation options depending on your needs:
- If you only need the proxy to work in a browser, any version of Nekoray will do.
- If you need to proxy specific applications, we recommend using versions 3.24 or 3.25.
This is because in version 3.26, the \"Whitelist Mode\" in Tun Mode settings does not work. As a result, you won\u2019t be able to proxy only specific applications.
"},{"location":"nekoray/#1-install","title":"1. Install","text":"Installing and Configuring Nekoray
Here is a list of all available download links for Nekoray, categorized by operating system:
-
Nekoray for Windows (64-bit) - Download 3.26 - Download 3.25 - Download 3.24
-
Nekoray for linux (64-bit, archive) - Download 3.26 - Download 3.25 - Download 3.24
-
Nekoray for Linux (AppImage) - Download 3.26 - Download 3.25 - Download 3.24
-
Nekoray for Debian/Ubuntu (64-bit, package .deb) - Download 3.26 - Download 3.25 - Download 3.24
-
Nekoray for Android - Download 1.3.2 arm64-v8a - Download 1.3.2 armeabi-v7a
"},{"location":"nekoray/#2-installing-nekoray-on-windows","title":"2. Installing Nekoray on Windows","text":"Next, we will look at the installation process for Nekoray on Windows. Some steps may vary depending on the system, but the overall process remains the same.
Step 1: Download Nekoray
Step 2: fter the download is complete, follow these steps:
- Locate the downloaded file:
nekoray-3.26-2023-12-09-windows64.zip
.
- Right-click on the file and select \"Extract All\u2026\", or use an archiving tool like WinRAR or 7-Zip to extract the contents to a convenient location on your computer.
Step 3: Launching the Program
- Open the folder with the extracted files.
- Locate the file
nekoray.exe
. - Double-click it to launch the program.
The program works out of the box. No installation is required.
"},{"location":"nekoray/#3-initial-setup-of-nekoray","title":"3. Initial Setup of Nekoray","text":" - Core Selection:
When you launch the program for the first time, make sure to select the sing-box core.
This is necessary for proper functionality. If you were not given this choice or selected something other than sing-box, you can check or change it in the settings:
- Click on Settings
- General Settings
- Navigate to the Core tab
- Select
sing-box
.
-
Adding a Profile
-
Copy the profile link for the VPN connection.
- Paste it into Nekoray using the shortcut Ctrl + V or through the menu: - Click on the Server button. - Select the option Add Profile from Clipboard.
Now we have three scenarios:
-
If you only need to proxy the browser. This works for any version.
-
If you need everything to be proxied, select \"TUN Mode\". We\u2019ll go into more detail about configuring this below. This is only relevant for version 3.26.
-
This scenario involves configuring TUN Mode for specific programs. This is only relevant for versions 3.24 and 3.25.
"},{"location":"nekoray/#scenario-1-enable-your-profile","title":"Scenario 1: Enable your profile.","text":"System Proxy mode
- Right-click on the profile.
- Select Start.
- At the top, you will see System Proxy Mode \u2014 turn it on.
Done.
"},{"location":"nekoray/#scenario-2","title":"Scenario 2:","text":"For 3.26 version
- Go to the Settings tab.
- Open TUN Mode Settings.
- Configure the following: - Stack: Mixed - MTU: 1500 (you can leave it at 9000, but we recommend 1500). - Mode TUN: Turn off. - Enable Whitelist Mode (although in version 3.26, it doesn\u2019t work properly \u2014 or at all).
Next:
- Right-click on the profile.
- Select Start.
- At the top, you will see TUN Mode \u2014 turn it on. You will be prompted to restart the program as an administrator. Confirm.
Done.
"},{"location":"nekoray/#scenario-3","title":"Scenario 3:","text":" - Go to the Settings tab.
- Open TUN Mode Settings.
- Configure the following: - Stack:
Mixed
- MTU: 1500
(you can leave it at 9000, but we recommend setting to 1500). - Mode TUN: Turn off
. - Enable Whitelist Mode
.
Now, in the second column, Proxy Processes, enter the processes you want to proxy.
Example: Discord.exe
Updater.exe
(for Discord) firefox.exe
etc.
Next:
- Right-click on the profile.
- Select Start.
- At the top, you will see TUN Mode \u2014 turn it on. You will be prompted to restart the program as an administrator. Confirm.
Done.
"},{"location":"nekoray/#processes-of-popular-browsers","title":"Processes of popular browsers ;","text":" - Google Chrome:
chrome.exe
- Yandex Browser:
browser.exe
- Mozilla Firefox:
firefox.exe
- Microsoft Edge:
msedge.exe
- Opera Browser:
opera.exe
- Safari (Windows):
safari.exe
- Brave Browser:
brave.exe
"},{"location":"nekoray/#_1","title":"Nekoray","text":"Source - A\u00e9za
"},{"location":"nextcloud/","title":"Optimizing Nextcloud","text":"Little disclaimer. Some information was copied from virtualize.link, because I find information provided by its author useful. Make sure to check the source or star the repo.
The following is a collection of ways to optimize Nextcloud's performance and responsiveness.
"},{"location":"nextcloud/#optimization-steps","title":"Optimization Steps","text":" - Use the LSIO image, not the official
- Use the latest tag which includes php8
- Enable redis
- Use mariadb (alpine) or postgres
- Use nextcloud v22 or higher
- Use imaginary to speed up thumbnail creation
- Add the following to
/config/php/php-local.ini
memory_limit = -1\nopcache.enable = 1\nopcache.enable_cli = 1\nopcache.interned_strings_buffer = 16\nopcache.max_accelerated_files = 130987\nopcache.memory_consumption = 256\nopcache.save_comments = 1\nopcache.revalidate_freq = 1\n
- Add the following to
/config/php/www2.conf
pm = dynamic\npm.max_children = 120\npm.start_servers = 12\npm.min_spare_servers = 6\npm.max_spare_servers = 18\n
- Disable Dark Reader extension on it, if you use it
- For Nextcloud to identify filesystem changes, add the following to the config:
'filesystem_check_changes' => 1,\n
- Move
/config
to a fast disk such as nvme and mount it from there - After the initial run move
/data/appdata_INSTANCEID
to a fast disk such as nvme and mount it from there, add the following under volumes:
: (the ID in the directory names will be different) - /path/to/appdata/appdata_ocytnd8b2l1b:/data/appdata_ocytnd8b2l1b\n
"},{"location":"nextcloud/#example-nextcloud-config","title":"Example Nextcloud Config","text":"Located in /config/www/nextcloud/config/config.php
'dbname' => 'nextcloud',\n 'dbhost' => 'mariadb',\n 'dbport' => '',\n 'dbtableprefix' => 'oc_',\n 'mysql.utf8mb4' => true,\n 'dbuser' => 'nextcloud_user',\n 'dbpassword' => 'DATABASE_PASSWORD',\n 'trusted_proxies' => ['172.16.0.0/12'],\n 'filesystem_check_changes' => 1,\n 'memcache.local' => '\\\\OC\\\\Memcache\\\\APCu',\n 'memcache.distributed' => '\\\\OC\\\\Memcache\\\\Redis',\n 'memcache.locking' => '\\\\OC\\\\Memcache\\\\Redis',\n 'enable_previews' => true,\n 'enabledPreviewProviders' => \n array (\n 0 => 'OC\\\\Preview\\\\Imaginary',\n 1 => 'OC\\\\Preview\\\\Movie',\n 2 => 'OC\\\\Preview\\\\MP4',\n ),\n 'preview_imaginary_url' => 'http://imaginary:9000',\n 'redis' => \n array (\n 'host' => 'redis',\n 'port' => 6379,\n ),\n
"},{"location":"nextcloud/#example-compose","title":"Example Compose","text":" nextcloud:\n image: ghcr.io/linuxserver/nextcloud:latest\n container_name: nextcloud\n environment:\n - PUID=1000\n - PGID=1000\n - TZ=Europe/London\n volumes:\n - /path/to/appdata:/config\n - /path/to/data:/data\n - /path/to/appdata/appdata_ocytnd8b2l1b:/data/appdata_ocytnd8b2l1b\n restart: unless-stopped\n depends_on:\n - mariadb\n - redis\n - imaginary\n imaginary:\n image: nextcloud/aio-imaginary:latest\n container_name: imaginary\n restart: unless-stopped\n redis:\n image: redis:alpine\n container_name: redis\n restart: unless-stopped\n mariadb:\n image: ghcr.io/linuxserver/mariadb\n container_name: mariadb\n environment:\n - PUID=1000\n - PGID=1000\n - TZ=Europe/London\n - MYSQL_DATABASE=nextcloud\n - MYSQL_USER=nextcloud_user\n - MYSQL_PASSWORD=DATABASE_PASSWORD\n - MYSQL_ROOT_PASSWORD=ROOT_ACCESS_PASSWORD\n volumes:\n - /path/to/appdata:/config\n restart: unless-stopped\n
"},{"location":"nothing/","title":"Here you will find: tips, programs, and fixes for Nothing Phone issues.","text":"Test menu: ##0##
"},{"location":"nothing/#battery-drain","title":"Battery Drain","text":"If you have recently purchased the Nothing Phone 1, it might be running a very old firmware version, possibly as outdated as 1.0.2. Increased battery consumption may occur until you update to the latest version.
We also recommend doing the following:
- Clear the cache and storage of the Nothing Launcher.
- Clear the cache and delete the data of Google Play Services.
- Clear the cache of Google Play Services for AR.
- Set the battery usage mode for Nothing Launcher to \"RESTRICTED.\"
- Disable notification access for Nothing Launcher.
- Restart and fully charge your phone.
"},{"location":"nothing/#chargers","title":"Chargers","text":"The phones support Quick Charge 4.0 and Power Delivery 3.0 charging protocols.
- Nothing Phone 1 - 33 Watts
- Nothing Phone 2, 2a - 45 Watts
All phones support Qi standard wireless charging with up to 15 Watts. Recommended GaN charger brands:
- Baseus
- Anker
- Ugreen
The author has been using the Baseus GaN5 Pro 2C+U charger for a year.
There are no exact recommendations\u2014choose a charger based on your needs, such as the number of ports, size, power, etc. Simply research and pick the one that suits your functionality requirements best.
"},{"location":"nothing/#disabling-call-recording-notification-during-a-call","title":"Disabling Call Recording Notification During a Call","text":"To disable the voice notification that call recording has started, follow these steps:
- Install
TTSLexx
from Google Play. - In your phone settings, search for
Text-to-Speech
and open it. - In the Text-to-Speech settings, select
Default Text-to-Speech Engine
and choose TTSLexx
. - Go to Apps in the settings, find the Phone app, and open it. Tap Clear Cache and Clear Storage. Your contacts will remain safe (this is confirmed for the Google Phone app).
IMPORTANT: The notification about call recording will appear during the first call, but it will not occur in subsequent calls
"},{"location":"secure/","title":"Securing SWAG","text":"Little disclaimer. Some information was copied from virtualize.link, because I find information provided by its author useful. Make sure to check the source or star the repo.
SWAG - Secure Web Application Gateway (formerly known as linuxserver/letsencrypt) is a full fledged web server and reverse proxy with Nginx, PHP7, Certbot (Let's Encrypt\u2122 client) and Fail2Ban built in. SWAG allows you to expose applications to the internet, doing so comes with a risk and there are security measures that help reduce that risk. This article details how to configure SWAG and enhance it's security.
"},{"location":"secure/#requirements","title":"Requirements","text":" - A working instance of SWAG
"},{"location":"secure/#monitor-swag","title":"Monitor SWAG","text":"Use monitoring solutions such as SWAG Dashboard to keep an eye on the traffic going through SWAG and check for suspicious activity such as:
- A lot of hits from a country unrelated to your users
- A lot of requests to a specific page or static file
- Referers that shouldn't refer to your domain
- A lot of hits on status codes that are not 2xx
"},{"location":"secure/#internal-applications","title":"Internal Applications","text":"Internal applications can be proxied through SWAG in order to use app.mydomain.com
instead of ip:port, and block them externally so only your local network could access them.
Create a file called nginx/internal.conf
with the following configuration:
allow 192.168.1.0/24; #Replace with your LAN subnet\ndeny all;\n
Utilize the lan filter in your configuration by adding the following line inside every location block for every application you want to protect.
include /config/nginx/internal.conf;\n
Example:
server {\n listen 443 ssl;\n listen [::]:443 ssl;\n\n server_name collabora.*;\n include /config/nginx/ssl.conf;\n client_max_body_size 0;\n\n location / {\n include /config/nginx/internal.conf;\n include /config/nginx/proxy.conf;\n include /config/nginx/resolver.conf;\n set $upstream_app collabora;\n set $upstream_port 9980;\n set $upstream_proto https;\n proxy_pass $upstream_proto://$upstream_app:$upstream_port;\n }\n}\n
Repeat the process for all internal applications and for every location block.
One way to securely access internal applications from the internet is through a VPN, for example WireGuard:
WireGuard Container
WireGuard on OPNSense
"},{"location":"secure/#fail2ban","title":"Fail2Ban","text":"Fail2Ban is an intrusion prevention software that protects external applications from brute-force attacks. Attackers that fail to login to your applications a certain number of times will get blocked from accessing all of your applications. Fail2Ban looks for failed login attempts in log files, counts the failed attempts in a short period, and bans the IP address of the attacker.
Mount the application logs to SWAG's container by adding a volume for the log to the compose yaml:
- /path/to/nextcloud/nextcloud.log:/nextcloud/nextcloud.log:ro\n
If the application has multiple log files with dates, mount the entire folder: - /path/to/jellyfin/log:/jellyfin:ro\n
Recreate the container with the log mount, then create a file called nextcloud.local
under fail2ban/filter.d
: [Definition]\nfailregex=^.*Login failed: '?.*'? \\(Remote IP: '?<ADDR>'?\\).*$\n ^.*\\\"remoteAddr\\\":\\\"<ADDR>\\\".*Trusted domain error.*$\nignoreregex =\n
The configuration file containes a pattern by which failed login attempts are matched. Test the pattern by failing to login to nextcloud and look for the entry corresponding to your failed attempt. {\"reqId\":\"k5j5H7K3eskXt3hCLSc4i\",\"level\":2,\"time\":\"2020-10-14T22:56:14+00:00\",\"remoteAddr\":\"1.2.3.4\",\"user\":\"--\",\n\"app\":\"no app in context\",\"method\":\"POST\",\"url\":\"/login\",\"message\":\"Login failed: username (Remote IP: 5.5.5.5)\",\n\"userAgent\":\"Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/5.6.7.8 Mobile \nSafari/537.36\",\"version\":\"19.0.4.2\"}\n
Test the pattern in nextcloud.local
by running the following command on the docker host: docker exec swag fail2ban-regex /nextcloud/nextcloud.log /config/fail2ban/filter.d/nextcloud.local\n
If the pattern works, you will see matches corresponding to the amount of failed login attempts: Lines: 92377 lines, 0 ignored, 2 matched, 92375 missed\n[processed in 7.51 sec]\n
The final step is to activate the jail, add the following to fail2ban/jail.local
: [nextcloud]\nenabled = true\nport = http,https\nfilter = nextcloud\nlogpath = /nextcloud/nextcloud.log\naction = iptables-allports[name=nextcloud]\n
The logpath is slightly different for applications that have multiple log files with dates: [jellyfin]\nenabled = true\nfilter = jellyfin\nport = http,https\nlogpath = /jellyfin/log*.log\naction = iptables-allports[name=jellyfin]\n
Repeat the process for every external application, you can find Fail2Ban configurations for most applications on the internet.
If you need to unban an IP address that was blocked, run the following command on the docker host:
docker exec swag fail2ban-client unban <ip address>\n
This great mod sends a discord notification when Fail2Ban blocks an attack: f2bdiscord.
"},{"location":"secure/#geoblock","title":"Geoblock","text":"Geoblock reduces the attack surface of SWAG by restricting access based on countries.
Enable geoblock using either DBIP mod or Maxmind mod, follow the mod's instructions to set it up.
The mods come with 3 definitions for $geo-whitelist
, $geo-blacklist
, $lan-ip
.
An example for allowing a single country:
map $geoip2_data_country_iso_code $geo-whitelist {\n default no;\n UK yes; #Replace with your country code list https://dev.maxmind.com/geoip/legacy/codes/iso3166/\n}\n
An example for blocking high risk countries: (GilbN's list based on the Spamhaus statistics and Aakamai\u2019s state of the internet report) map $geoip2_data_country_iso_code $geo-blacklist {\n default yes; #If your country is listed below, remove it from the list\n CN no; #China\n RU no; #Russia\n HK no; #Hong Kong\n IN no; #India\n IR no; #Iran\n VN no; #Vietnam\n TR no; #Turkey\n EG no; #Egypt\n MX no; #Mexico\n JP no; #Japan\n KR no; #South Korea\n KP no; #North Korea\n PE no; #Peru\n BR no; #Brazil\n UA no; #Ukraine\n ID no; #Indonesia\n TH no; #Thailand\n }\n
Utilize the geoblock in your configuration by adding one of the following lines above your location section in every application you want to protect.
Note that when using a whitelist filter, you also need to check if the source is a LAN IP, it's not required when using a blacklist filter.
if ($lan-ip = yes) { set $geo-whitelist yes; }\n if ($geo-whitelist = no) { return 404; }\n
Or if ($geo-blacklist = no) { return 404; }\n
Example:
server {\n listen 443 ssl;\n listen [::]:443 ssl;\n\n server_name authelia.*;\n include /config/nginx/ssl.conf;\n client_max_body_size 0;\n\n if ($lan-ip = yes) { set $geo-whitelist yes; } #Check for a LAN IP\n if ($geo-whitelist = no) { return 404; } #Check the country filter\n\n location / {\n include /config/nginx/proxy.conf;\n include /config/nginx/resolver.conf;\n set $upstream_app authelia;\n set $upstream_port 9091;\n set $upstream_proto http;\n proxy_pass $upstream_proto://$upstream_app:$upstream_port;\n }\n}\n
Add the lines to every external application based on your needs.
"},{"location":"secure/#nginx-configuration","title":"NGINX Configuration","text":""},{"location":"secure/#x-robots-tag","title":"X-Robots-Tag","text":"You can prevent applications from appearing in results of search engines and web crawlers, regardless of whether other sites link to it. It doesn't work on all search engines and web crawlers, but it significantly reduces the amount.
Add the X-Robots-Tag config line to ssl.conf
to enable it on all of your applications:
add_header X-Robots-Tag \"noindex, nofollow, nosnippet, noarchive\";\n
Disable on a specific application and allow search engines to display it by add the following line to the application config inside the server tag:
add_header X-Robots-Tag \"\";\n
"},{"location":"secure/#hsts","title":"HSTS","text":"HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should automatically interact with it using only HTTPS connections, which provide Transport Layer Security (TLS/SSL), unlike the insecure HTTP used alone.
HSTS requires a working SSL certificate on your domains before enabling it.
Enable HSTS by uncommenting the HSTS config line in ssl.conf:
add_header Strict-Transport-Security \"max-age=63072000; includeSubDomains; preload\" always;\n
"},{"location":"secure/#optional-strengthening-hsts","title":"Optional - Strengthening HSTS","text":"After enabling the HSTS header, users are still vulnerable to attack if they access an HSTS\u2011protected website over HTTP when they have:
- Never before visited the site
- Recently reinstalled their operating system
- Recently reinstalled their browser
- Switched to a new browser
- Switched to a new device (for example, mobile phone)
- Deleted their browser\u2019s cache
- Not visited the site recently and the max-age time has passed
To address this, Google maintains a \u201cHSTS preload list\u201d of web domains and subdomains that use HSTS and have submitted their names to HSTS Preload. This domain list is distributed and hardcoded into major web browsers. Clients that access web domains in this list automatically use HTTPS and refuse to access the site using HTTP.
Be aware that once you set the STS header or submit your domains to the HSTS preload list, it is impossible to remove it. It\u2019s a one\u2011way decision to make your domains available over HTTPS.
"},{"location":"secure/#authelia","title":"Authelia","text":"Authelia is an open-source authentication and authorization server providing 2-factor authentication and single sign-on (SSO) for your applications via a web portal. Refer to this blog post to configure Authelia.
"},{"location":"setuplist/","title":"Setup-list","text":""},{"location":"setuplist/#here-you-will-find-a-list-of-useful-programs-go-for-it","title":"Here you will find a list of useful programs. Go for it!","text":""},{"location":"setuplist/#web","title":"Web","text":"Application Description Firefox Firefox Firefox is a free and open-source web browser developed by Mozilla. Known for its speed, privacy-focused features, and customizability, it provides users with a secure and efficient browsing experience across multiple platforms, including Windows, macOS, Linux, and mobile devices. Betterfox Modified Firefox."},{"location":"setuplist/#ssh","title":"SSH","text":"Application Description PuTTY PuTTY is a free and open-source terminal emulator and network file transfer application. It supports a variety of network protocols, including SSH, Telnet, and SCP, making it a popular tool for securely accessing and managing remote servers. PuTTY is lightweight, highly customizable, and widely used on Windows, though it is also available for other operating systems. Termius Termius is a modern and feature-rich SSH client designed for managing remote systems securely and efficiently. It supports a wide range of platforms, including Windows, macOS, Linux, iOS, and Android, enabling seamless access across devices. With features like end-to-end encryption, SFTP file transfer, and organized host grouping, Termius is ideal for developers, system administrators, and IT professionals. It also includes a sleek interface, advanced terminal capabilities, and options for syncing settings and credentials across multiple devices."},{"location":"setuplist/#ftp","title":"FTP","text":"Container Description FileZilla FileZilla is a free and open-source FTP client designed for efficient file transfer between local and remote systems. It supports FTP, SFTP, and FTPS protocols, providing a secure and reliable solution for website management and server maintenance. 
With its intuitive interface, drag-and-drop functionality, and robust file management features, FileZilla is suitable for both beginners and advanced users. It is available on Windows, macOS, and Linux platforms."},{"location":"setuplist/#vpn","title":"VPN","text":"Application Description WireGuard WireGuard is a modern and highly efficient VPN protocol and software designed for secure and fast network connections. It is known for its simplicity, minimal codebase, and high performance, offering encryption standards that ensure strong privacy and data protection. WireGuard is cross-platform, working on Windows, macOS, Linux, Android, and iOS. Its lightweight design makes it easy to configure and maintain, making it a popular choice for both individuals and organizations. Nekoray Nekoray is an easy-to-use and versatile proxy client designed to simplify VPN and proxy management. It supports a range of protocols, including V2Ray, Shadowsocks and VLESS, making it ideal for bypassing restrictions and maintaining online privacy. With a clean interface, detailed configuration options, and compatibility across Windows, macOS, and Linux, Nekoray is a reliable solution for secure browsing and application-specific proxy setups."},{"location":"setuplist/#monitoring-and-sys-info","title":"Monitoring and sys info","text":"Application Description NeoHtop NeoHtop is a modern and visually enhanced system monitoring tool inspired by Htop. It provides real-time insights into system processes, resource usage, and performance metrics with a user-friendly interface. NeoHtop is designed for simplicity and efficiency, offering advanced features like process filtering and customizable views, making it a powerful tool for system administrators and developers. Im-sensors Im-sensors for linux, It allows displaying the CPU temperature and its cores in the console. You can check the current temperature or enable real-time temperature monitoring. 
HWiNFO HWiNFO is a comprehensive hardware diagnostics and monitoring tool for Windows. It provides detailed information about your system's components, including CPU, GPU, motherboard, and storage devices. With real-time performance monitoring, temperature tracking, and customizable reporting, HWiNFO is ideal for system optimization, troubleshooting, and hardware analysis. CPU-Z CPU-Z is a lightweight and free system profiling tool that provides detailed information about your computer's hardware. It displays key specifications of your CPU, motherboard, memory, and GPU, making it an essential tool for system monitoring, troubleshooting, and hardware analysis. With its user-friendly interface and accurate reporting, CPU-Z is popular among tech enthusiasts and professionals alike. CPU-G CPU-G is a lightweight and open-source system information tool designed to provide detailed insights into your computer's hardware. Similar to CPU-Z, it displays key specifications about the CPU, motherboard, memory, and more. With its focus on simplicity and cross-platform support, CPU-G is a handy utility for users looking to monitor and analyze their system's components."},{"location":"setuplist/#video-recording","title":"Video-recording","text":"Application Description OBS OBS (Open Broadcaster Software) is a free and open-source software for video recording and live streaming. It allows users to capture and broadcast high-quality video and audio from various sources, such as screens, webcams, and external devices. With advanced features like scene transitions, customizable layouts, and real-time video mixing, OBS is widely used by content creators, streamers, and professionals for its flexibility and performance."},{"location":"wush/","title":"Wush","text":""},{"location":"wush/#who-is-this-wush","title":"Who is this Wush?","text":"Wush - wush is a command line tool that lets you easily transfer files and open shells over a peer-to-peer WireGuard connection. 
It's similar to magic-wormhole but:
- No requirement to set up or trust a relay server for authentication.
- Powered by WireGuard for secure, fast, and reliable connections.
- Automatic peer-to-peer connections over UDP.
- Endless possibilities; rsync, ssh, etc.
"},{"location":"wush/#commands","title":"Commands","text":"USAGE:
Wush subcommand
Start the wush server:
wush serve\n
Open a shell to the wush host:
wush ssh \n
Transfer files to the wush host using rsync:
wush rsync local-file.txt :/path/to/remote/file \n
Copy a single file to the host:
wush cp local-file.txt \n
SUBCOMMANDS: | Command | Meaning | |-----------------|----------------------------| | cp
| Transfer files. | | port-forward
| Transfer files. | | rsync
| Transfer files over rsync. | | serve
| Run the wush server. | | ssh
| Open a shell. | | version
| Show wush version. |
OPTIONS:
wush --version bool \n
Print the version and exit.
"},{"location":"wush/#install","title":"Install","text":"Download file from Git
We tested the program using machines running Windows and Linux (with a GUI).
For Windows: Extract the files to a folder and drive of your choice. Files that we will be transferring will be sent to/from there.
On Linux, installation is done using the method that works best for you. Files (at least for us) were saved/sent to/from the Home directory.
"},{"location":"wush/#how-to-use","title":"How to use","text":"Now let's transfer a PNG file from one machine to another. In our case, Windows will act as the host, and Linux will be the client. To do this, open CMD from the folder where Wush is located. Then, enter the following commands:
Obtain the host machine's auth key using the following command:
./Wush serve \n
Copy Auth key
Now, on the client machine, enter the command to send the file:
wush cp 2.png\n
2.png
is the file that we want to send from Linux to Windows.
In the client console, we paste the key that was obtained earlier on the host machine.
How looking it
Well Done
"},{"location":"wush/#ssh","title":"SSH","text":"You can also use Wush for remote access to a machine's console. The connection is also established using an Auth key.
Use the following commands:
For hosts
Wush serve\n
For client
Wush ssh\n
"},{"location":"wush/#_1","title":"Wush","text":"Source - GitHub Coder-Wush
"}]}
\ No newline at end of file
diff --git a/secure/index.html b/secure/index.html
old mode 100644
new mode 100755
index 4c672a7..e3d2a7b
--- a/secure/index.html
+++ b/secure/index.html
@@ -20,7 +20,7 @@
-
+
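Review bot: The `old mode 100644` / `new mode 100755` header on secure/index.html marks a static HTML page as executable, and the same flip appears on the other files visible here (the setuplist, streisand, telegram and wush index.html pages, plus sitemap.xml and sitemap.xml.gz, which carry no content change at all). Nothing visible in the commit needs these files to be executable, so this looks like a side effect of the build or checkout environment rather than an intended change; that is an inference worth confirming with the author. If it is unintended, restore the modes before merging with `git update-index --chmod=-x <path>` (placeholder path), and consider `git config core.fileMode false` on the machine that generates the site so the flip does not recur. The `-`/`+` lines of the `@@ -20,7 +20,7 @@` hunk are empty in this view, so the content change itself cannot be reviewed from here.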
diff --git a/setuplist/index.html b/setuplist/index.html
old mode 100644
new mode 100755
index 55257f2..4d361d9
--- a/setuplist/index.html
+++ b/setuplist/index.html
@@ -20,7 +20,7 @@
-
+
diff --git a/sitemap.xml b/sitemap.xml
old mode 100644
new mode 100755
diff --git a/sitemap.xml.gz b/sitemap.xml.gz
old mode 100644
new mode 100755
diff --git a/streisand/index.html b/streisand/index.html
old mode 100644
new mode 100755
index 6afcb23..d3f39be
--- a/streisand/index.html
+++ b/streisand/index.html
@@ -20,7 +20,7 @@
-
+
diff --git a/telegram/index.html b/telegram/index.html
old mode 100644
new mode 100755
index 73d8ec8..eedb77e
--- a/telegram/index.html
+++ b/telegram/index.html
@@ -20,7 +20,7 @@
-
+
diff --git a/wush/index.html b/wush/index.html
old mode 100644
new mode 100755
index 412ae31..8f8f596
--- a/wush/index.html
+++ b/wush/index.html
@@ -18,7 +18,7 @@
-
+