Tag: self-hosted

Certsplotting: Exploiting Certificate Transparency for Mischief – Part 1
Disclaimer:
The information provided on this blog is for educational purposes only. The use of hacking tools discussed here is at your own risk.
For the full disclaimer, please click here.
Introduction
Certspotter stands as the original authority in certificate transparency log monitoring—a mouthful, indeed. Let’s dissect why you, as a hacker, should pay attention to it.
One of your primary maneuvers when targeting a system is reconnaissance, particularly passive reconnaissance. Unlike active reconnaissance, which directly engages the target, passive recon operates discreetly.
Passive recon involves employing tactics that evade triggering any alerts from the target. For instance, conducting a Google search about your target doesn’t tip them off. While technically they might detect someone from your area or country searching for them via Search Console, using a VPN and a private browser can easily circumvent this.
You can even explore their entire website using Google cache (just search for cache:your-target.com) or archive.org without exposing your IP or intentions to them. On the other hand, active recon tends to be more assertive, such as port scanning, which leaves traces in the target’s logs. Depending on their security measures and level of vigilance, they might notice and decide to block you.
If you were to scan my public IP, I’d promptly block you 😃.
But I digress. What if you could continuously and passively monitor your target for new subdomains, project developments, systems, or any other endeavors that require a certificate? Imagine being alerted right as they register it.
Now, you might wonder, “How much will that cost me?” Surprisingly, nothing but the electricity to power your server or whatever charges your cloud provider levies. With Certspotter, you can scrutinize every certificate issued to your target’s domains and subdomains.
What mischief can I stir?
Your mind is probably already concocting schemes, so here’s a scenario to fuel your imagination:
Imagine your target sets up a WordPress site requiring an admin password upon the first visit. You could swoop in ahead of them, seizing control of their server. (Sure, they might reinstall, but it’ll definitely ruffle their feathers 😏).
A bit sneakier? How about adding a covert admin account to a fresh Grafana or Jenkins installation, which might still be using default credentials upon release. Truly, you never know what you might uncover.
Setting up Certspotter
To begin, you’ll need a fresh Debian-based Linux distro. I’ll opt for Kali to simplify later use of other hacking tools. Alternatively, you can choose any Linux distribution to keep your image size compact.
Certspotter
Start by visiting their Certspotter GitHub. I strongly advise thoroughly reading their documentation to acquaint yourself with the tool.
Installation:
Bash
```
go install software.sslmate.com/src/certspotter/cmd/certspotter@latest
```
Next, create directories:
Bash
```
mkdir $HOME/.certspotter
mkdir $HOME/.certspotter/hooks.d # scripts
touch $HOME/.certspotter/watchlist # targets
```
The watchlist file is straightforward:
Bash
```
exploit.to
virus.malware.to
.bmw.de
```
Prefixing a domain with a . signifies monitoring the domain and all its subdomains. Without the prefix, Certspotter will monitor certificates matching the exact domain/subdomain.
I can anticipate your next thought—you want all the logs, don’t you? Since 2013, there have been 7,485,653,605 of them (Source), requiring substantial storage. If you’re undeterred, you’d need to modify this code here and rebuild Certspotter to bypass the watchlist and retrieve everything.
Now, let’s set up the systemd service. Here’s how mine looks:
Bash
```
sudo nano /etc/systemd/system/certspotter.service
```
You’ll need to adjust the paths unless your username is also karl:
Bash
```
[Unit]
Description=Certspotter Service
After=network.target

[Service]
Environment=HOME=/home/karl
Environment=CERTSPOTTER_CONFIG_DIR=/home/karl/.certspotter
Type=simple
ExecStart=/home/karl/go/bin/certspotter -verbose
Restart=always
RestartSec=3

[Install]
WantedBy=multi-user.target
```
Note: I’m currently not utilizing the -start_at_end flag. As a result, my script begins its operation from the initial point and might take a considerable amount of time to detect recently issued certificates. By modifying the line that begins with ExecStart= and adding the -start_at_end parameter to the certspotter command, you instruct the script to disregard previously issued certificates and commence monitoring from the current time onward.
To activate and check if it’s running, run this:
Bash
```
sudo systemctl daemon-reload
sudo systemctl start certspotter
sudo systemctl status certspotter
```
Now let us add a script in hooks.d:
Bash
```
touch $HOME/.certspotter/hooks.d/certspotter.sh
sudo chmod u+x $HOME/.certspotter/hooks.d/certspotter.sh
```
If you have issues with reading ENV, you might have to experiment with the permissions.
In cerstpotter.sh:
Bash
```
#!/bin/bash

if [ -z "$EVENT" ] || [ "$EVENT" != 'discovered_cert' ]; then
    # no event
    exit 0
fi

DNS=$(cut -d "=" -f2 <<< "$SUBJECT_DN")
IP="$(dig "$DNS" A +short | grep -v '\.$' | head -n 1 | tr -d '\n')"
IP6="$(dig "$DNS" AAAA +short | grep -v '\.$' | head -n 1 | tr -d '\n')"

JSON_FILE_DATA=$(cat "$JSON_FILENAME")
dns_names=$(echo "$JSON_FILE_DATA" | jq -r '.dns_names | join("\n")')

JSON_DATA=$(cat <<EOF
{
    "pubkey": "$PUBKEY_SHA256",
    "watch_item": "$WATCH_ITEM",
    "not_before": "$NOT_BEFORE_RFC3339",
    "not_after": "$NOT_AFTER_RFC3339",
    "dns_names": "$dns_names",
    "issuer": "$ISSUER_DN",
    "asn": "$ASN",
    "ipv4": "$IP",
    "ipv6": "$IP6",
    "cn": "$SUBJECT_DN",
    "crt.sh": "https://crt.sh/?sha256=$CERT_SHA256"
}
EOF
)

# post data to br... might do somethign with answer
response=$(curl -s -X POST -H "Content-Type: application/json" \
    -H "Content-Type: application/json" \
    -d "$JSON_DATA" \
    "http://10.102.0.11:8080/api/v1/certspotter/in")
```
You could edit this to your liking. The data should look like this:
JSON
```
{
  "pubkey": "ca4567a91cfe51a2771c14f1462040a71d9b978ded9366fe56bcb990ae25b73d",
  "watch_item": ".google.com",
  "not_before": "2023-11-28T14:30:55Z",
  "not_after": "2024-01-09T14:30:54Z",
  "dns_names": ["*.sandbox.google.com"],
  "isssuer": "C=US, O=Google Trust Services LLC, CN=GTS CA 1C3",
  "asn": "GOOGLE,US",
  "ipv4": "142.250.102.81",
  "ipv6": "2a00:1450:4013:c00::451",
  "cn": "CN=*.sandbox.google.com",
  "crt.sh": "https://crt.sh/?sha256=cb657858d9fb6475f20ed5413d06da261be20951f6f379cbd30fe6f1e2558f01"
}
```
Depending on your target, it will take a while until you see results. Maybe even days.
Summary
In this first part of our exploration into Certspotter, we’ve laid the groundwork for understanding its significance in passive reconnaissance. Certspotter emerges as a pivotal tool in monitoring certificate transparency logs, enabling hackers to gather crucial intelligence without alerting their targets.
We’ve delved into the distinction between passive and active reconnaissance, emphasizing the importance of discreet operations in avoiding detection. Through Certspotter, hackers gain the ability to monitor target domains and subdomains continuously, staying informed about new developments and potential vulnerabilities.
As we conclude Part 1, we’ve only scratched the surface of what Certspotter has to offer. In Part 2, we’ll dive deeper into advanced techniques for leveraging Certspotter’s capabilities, exploring tools to enrich our data and enhance our reconnaissance efforts. Stay tuned for an in-depth exploration of Certspotter’s potential in uncovering valuable insights for hackers.
For Part 2 go this way -> Here
2025-01-06
Exploring OSINT Tools: From Lightweight to Powerhouse
Disclaimer:
The information provided on this blog is for educational purposes only. The use of hacking tools discussed here is at your own risk.
For the full disclaimer, please click here.
Introduction
Welcome to a journey through the exciting world of Open Source Intelligence (OSINT) tools! In this post, we’ll dive into some valuable tools, from the lightweight to the powerhouse, culminating in the grand reveal of Spiderfoot.
The main star of this post is Spiderfoot, but before we get there, I want to show you some other more lightweight tools you might find useful.
Holehe
While perusing one of my favorite OSINT blogs (Oh Shint), I stumbled upon a gem to enhance my free OSINT email tool: Holehe.
Holehe might seem like a forgotten relic to some, but its capabilities are enduring. Developed by megadose, this tool packs a punch when it comes to unearthing crucial information.
Sherlock
Ah, Sherlock – an old friend in my toolkit. I’ve relied on this tool for countless investigations, probably on every single one. The ability to swiftly uncover and validate your targets’ online presence is invaluable.
Sherlock’s prowess lies in its efficiency. Developed by Sherlock Project, it’s designed to streamline the process of gathering information, making it a staple for OSINT enthusiasts worldwide.
Introducing Holehe
First up, let’s shine a spotlight on Holehe, a tool that might have slipped under your radar but packs a punch in the OSINT arena.
Easy Installation
Getting Holehe up and running is a breeze. Just follow these simple steps bewlo. I quickly hopped on my Kali test machine and installed it:
Bash
```
git clone https://github.com/megadose/holehe.git
cd holehe/
sudo python3 setup.py install
```
I’d recommend installing it with Docker, but since I reinstall my demo Kali box every few weeks, it doesn’t matter that I globally install a bunch of Python libraries.
Running Holehe
Running Holehe is super simple:
Bash
```
holehe --no-clear --only-used [email protected]
```
I used the --no-clear flag so I can just copy my executed command; otherwise, it clears the terminal. I use the --only-used flag because I only care about pages that my target uses.
Let’s check out the result:
Bash
```
*********************
   [email protected]
*********************
[+] wordpress.com

[+] Email used, [-] Email not used, [x] Rate limit, [!] Error
121 websites checked in 10.16 seconds
Twitter : @palenath
Github : https://github.com/megadose/holehe
For BTC Donations : 1FHDM49QfZX6pJmhjLE5tB2K6CaTLMZpXZ
100%|█████████████████████████████████████████| 121/121 [00:10<00:00, 11.96it/s]
```
Sweet! We have a hit! Holehe checked 121 different pages in 10.16 seconds.
Debugging Holehe
So running the tool without the --only-used flag is, in my opinion, important for debugging. It seems that a lot of pages rate-limited me or are throwing errors. So there is a lot of potential of missed accounts here.
Bash
```
*********************
   [email protected]
*********************
[x] about.me
[-] adobe.com
[-] amazon.com
[x] amocrm.com
[-] any.do
[-] archive.org
[x] forum.blitzortung.org
[x] bluegrassrivals.com
[-] bodybuilding.com
[!] buymeacoffee.com

[+] Email used, [-] Email not used, [x] Rate limit, [!] Error
121 websites checked in 10.22 seconds
```
the list is very long so I removed a lot of the output
Personally, I think that since a lot of that code is 2 years old, many of these pages have become a lot smarter about detecting bots, which is why the rate limit gets reached.
Holehe Deep Dive
Let us look at how Holehe works by analyzing one of the modules. I picked Codepen.
Please check out the code. I added some comments:
Python
```
from holehe.core import *
from holehe.localuseragent import *


async def codepen(email, client, out):
    name = "codepen"
    domain = "codepen.io"
    method = "register"
    frequent_rate_limit = False

    # adding necessary headers for codepen signup request
    headers = {
        "User-Agent": random.choice(ua["browsers"]["chrome"]),
        "Accept": "*/*",
        "Accept-Language": "en,en-US;q=0.5",
        "Referer": "https://codepen.io/accounts/signup/user/free",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Origin": "https://codepen.io",
        "DNT": "1",
        "Connection": "keep-alive",
        "TE": "Trailers",
    }

    # getting the CSRF token for later use, adding it to the headers
    try:
        req = await client.get(
            "https://codepen.io/accounts/signup/user/free", headers=headers
        )
        soup = BeautifulSoup(req.content, features="html.parser")
        token = soup.find(attrs={"name": "csrf-token"}).get("content")
        headers["X-CSRF-Token"] = token
    except Exception:
        out.append(
            {
                "name": name,
                "domain": domain,
                "method": method,
                "frequent_rate_limit": frequent_rate_limit,
                "rateLimit": True,
                "exists": False,
                "emailrecovery": None,
                "phoneNumber": None,
                "others": None,
            }
        )
        return None

    # here is where the supplied email address is added
    data = {"attribute": "email", "value": email, "context": "user"}

    # post request that checks if account exists
    response = await client.post(
        "https://codepen.io/accounts/duplicate_check", headers=headers, data=data
    )

    # checks response for specified text. If email is taken we have a hit
    if "That Email is already taken." in response.text:
        out.append(
            {
                "name": name,
                "domain": domain,
                "method": method,
                "frequent_rate_limit": frequent_rate_limit,
                "rateLimit": False,
                "exists": True,
                "emailrecovery": None,
                "phoneNumber": None,
                "others": None,
            }
        )
    else:
        # we land here if email is not taken, meaning no account on codepen
        out.append(
            {
                "name": name,
                "domain": domain,
                "method": method,
                "frequent_rate_limit": frequent_rate_limit,
                "rateLimit": False,
                "exists": False,
                "emailrecovery": None,
                "phoneNumber": None,
                "others": None,
            }
        )
```
The developer of Holehe had to do a lot of digging. They had to manually analyze the signup flow of a bunch of different pages to build these modules. You can easily do this by using a tool like OWASP ZAP or Burp Suite or Postman. It is a lot of manual work, though.
The issue is that flows like this often change. If Codepen changed the response message or format, this code would fail. That’s the general problem with building web scrapers. If a header name or HTML element is changed, the code fails. This sort of code is very hard to maintain. I am guessing it is why this project has been more or less abandoned.
Nonetheless, you could easily fix the modules, and this would work perfectly again. I suggest using Python Playwright for the requests; using a headless browser is harder to detect and will probably lead to higher success.
Sherlock
Let me introduce you to another tool called Sherlock, which I’ve frequently used in investigations.
Installation
I’m just going to install it on my test system. But there’s also a Docker image I’d recommend for a production server:
Bash
```
git clone https://github.com/sherlock-project/sherlock.git
cd sherlock
python3 -m pip install -r requirements.txt
```
Sherlock offers a plethora of options, and I recommend studying them for your specific case. It’s best used with usernames, but today, we’ll give it a try with an email address.
Running Sherlock
Simply run:
Bash
```
python3 sherlock [email protected]
```
Sherlock takes a little bit longer than holehe, so you need a little more patience. Here are the results of my search:
Bash
```
[*] Checking username [email protected] on:

[+] Archive.org: https://archive.org/details/@[email protected]
[+] BitCoinForum: https://bitcoinforum.com/profile/[email protected]
[+] CGTrader: https://www.cgtrader.com/[email protected]
[+] Chaos: https://chaos.social/@[email protected]
[+] Cults3D: https://cults3d.com/en/users/[email protected]/creations
[+] Euw: https://euw.op.gg/summoner/[email protected]
[+] Mapify: https://mapify.travel/[email protected]
[+] NationStates Nation: https://nationstates.net/[email protected]
[+] NationStates Region: https://nationstates.net/[email protected]
[+] Oracle Community: https://community.oracle.com/people/[email protected]
[+] Polymart: https://polymart.org/user/[email protected]
[+] Slides: https://slides.com/[email protected]
[+] Trello: https://trello.com/[email protected]
[+] chaos.social: https://chaos.social/@[email protected]
[+] mastodon.cloud: https://mastodon.cloud/@[email protected]
[+] mastodon.social: https://mastodon.social/@[email protected]
[+] mastodon.xyz: https://mastodon.xyz/@[email protected]
[+] mstdn.io: https://mstdn.io/@[email protected]
[+] social.tchncs.de: https://social.tchncs.de/@[email protected]

[*] Search completed with 19 results
```
At first glance, there are a lot more results. However, upon review, only 2 were valid, which is still good considering this tool is normally not used for email addresses.
Sherlock Deep Dive
Sherlock has a really nice JSON file that can easily be edited to add or remove old tools. You can check it out sherlock/resources/data.json.
This makes it a lot easier to maintain. I use the same approach for my OSINT tools here on this website.
This is what one of Sherlock’s modules looks like:
JSON
```
  "Docker Hub": {
    "errorType": "status_code",
    "url": "https://hub.docker.com/u/{}/",
    "urlMain": "https://hub.docker.com/",
    "urlProbe": "https://hub.docker.com/v2/users/{}/",
    "username_claimed": "blue"
  },
```
There’s not much more to it; they basically use these “templates” and test the responses they get from requests sent to the respective endpoints. Sometimes by matching text, sometimes by using regex.
Spiderfoot
Now we get to the star of the show: Spiderfoot. I love Spiderfoot. I use it on every engagement, usually only in Passive mode with just about all the API Keys that are humanly affordable. The only thing I do not like about it is that it actually finds so much information that it takes a while to sort through the data and filter out false positives or irrelevant data. Playing around with the settings can drastically reduce this.
Installation
Spiderfoot is absolutely free and even without API Keys for other services, it finds a mind-boggling amount of information. It has saved me countless hours on people investigations, you would not believe it.
You can find the installation instructions on the Spiderfoot GitHub page. There are also Docker deployments available for this. In my case, it is already pre-installed on Kali, so I just need to start it.
Bash
```
spiderfoot -l 0.0.0.0:8081
```
This starts the Spiderfoot webserver, and I can reach it from my network on the IP of my Kali machine on port 8081. In my case, that would be http://10.102.0.11:8081/.
After you navigate to the address, you will be greeted with this screen:
I run a headless Kali, so I just SSH into my Kali “server.” If you are following along, you can simply run spiderfoot -l 127.0.0.1:8081 and only expose it on localhost, then browse there on your Kali Desktop.
Running Spiderfoot
Spiderfoot is absolutely killer when you add as many of the API Keys as possible. A lot of them are for free. Just export the Spiderfoot.cfg from the settings page, fill in the keys, then import them.
Important: before you begin, check the settings. Things like port scans are enabled by default. Your target will know you are scanning them. By default, this is not a passive recon tool like the others. You can disable them OR just run Spiderfoot in Passive mode when you configure a new scan.
My initial scan did not find many infos, that’s good. The email address I supplied should be absolutely clean. I did want to show you some results, so I started another search with my karlcom.de domain, which is my consulting company.
By the time the scan was done, it had found over 2000 results linking Karlcom to Exploit and a bunch of other businesses and websites I run. It found my clear name and a whole bunch of other interesting information about what I do on the internet and how things are connected. All that just by putting my domain in without ANY API keys. That is absolutely nuts.
You get a nice little correlation report at the end (you do not really need to see all the things in detail here):
Once you start your own Spiderfoot journey, you will have more than enough time to study the results there and see them as big as you like.
Another thing I did not show you was the “Browse” option. While a scan is running, you can view the results in the web front end and already check for possible other attack vectors or information.
Summary
So, what did we accomplish on our OSINT adventure? We took a spin through some seriously cool tools! From the nifty Holehe to the trusty Sherlock and the mighty Spiderfoot, each tool brings its own flair to the table. Whether you’re sniffing out secrets or just poking around online, these tools have your back. With their easy setups and powerful features, Holehe, Sherlock, and Spiderfoot are like the trusty sidekicks you never knew you needed in the digital world.
Keep exploring, stay curious, and until next time!
2025-01-06
Node-RED, building Nmap as a Service
Introduction
In the realm of cybersecurity, automation is not just a convenience but a necessity. Having a tool that can effortlessly construct endpoints and interconnect various security tools can revolutionize your workflow. Today, I’m excited to introduce you to Node-RED, a powerhouse for such tasks.
This is part of a series of hacking tools automated with Node-RED.
Setup
While diving into the intricacies of setting up a Kali VM with Node-RED is beyond the scope of this blog post, I’ll offer some guidance to get you started.
Base OS
To begin, you’ll need a solid foundation, which is where Kali Linux comes into play. Whether you opt for a virtual machine setup or use it as the primary operating system for your Raspberry Pi, the choice is yours.
- Download Kali Linux: Get it here
Running Node-RED
Once you’ve got Kali Linux up and running, the next step is to install Node-RED directly onto your machine, NOT in a Docker container since you will ned root access to the host system. Follow the installation guide provided by the Node-RED team.
- Node-RED Installation: Guide here
To ensure seamless operation, I highly recommend configuring Node-RED to start automatically at boot. One effective method to achieve this is by utilizing PM2.
- Starting Node-RED at Boot with PM2: Instructions here
By following these steps, you’ll have Node-RED set up and ready to streamline your cybersecurity automation tasks.
Nmap as a Service
In this section, we’ll create a web service that executes Nmap scans, accessible via a URL like so: http://10.10.0.11:8080/api/v1/nmap?target=exploit.to (Note: Your IP, port, and target will differ).
Building the Flow
To construct this service, we’ll need to assemble the following nodes:
- HTTP In
- Function
- Exec
- Template
- HTTP Response
That’s all it takes.
You can define any path you prefer for the HTTP In node. In my setup, it’s /api/v1/nmap.
The function node contains the following JavaScript code:
JavaScript
```
msg.scan_options = "-sS -Pn -T3";
msg.scan_target = msg.payload.target;

msg.payload = msg.scan_options + " " + msg.scan_target;
return msg;
```
It’s worth noting that this scan needs to be run as a root user due to the -sS flag (learn more here). The msg.payload.target parameter holds the ?target= value. While in production, it’s crucial to filter and validate input (e.g., domain or IP), for local testing, it suffices.
The Exec node is straightforward:
It simply executes Nmap and appends the msg.payload from the previous function node. So, in this example, it results in:
Bash
```
nmap -sS -Pn -T3 exploit.to
```
The Template node formats the result for web display using Mustache syntax:
```
<pre>
{{payload}}
</pre>
```
Finally, the HTTP Response node sends the raw Nmap output back to the browser. It’s important to note that this setup isn’t suitable for extensive Nmap scans that take a while, as the browser may timeout while waiting for the response to load.
You now have a basic Nmap as a Service.
TODO
You can go anywhere from here, but I would suggest:
- add validation to the endpoint
- add features to supply custom nmap flags
- stream result to browser via websocket
- save output to database or file and poll another endpoint to check if done
- format output for web (either greppable nmap or xml)
- ChatOps (Discord, Telegram bot)
Edit 1:
I ended up adding validation for domain and IPv4. I also modified the target variable. It is now msg.target vs. msg.payload.target.
JavaScript
```
function validateDomain(domain) {
  var domainRegex = /^(?!:<strong>\/\/</strong>)([a-zA-Z0-9-]+<strong>\.</strong>)+[a-zA-Z]{2,}$/;
  return domainRegex.test(domain);
}

function validateIPv4(ipv4) {
  var ipv4Regex =
    /^(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)<strong>\.</strong>(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)<strong>\.</strong>(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)<strong>\.</strong>(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$/;
  return ipv4Regex.test(ipv4);
}

if (validateDomain(msg.payload.target) || validateIPv4(msg.payload.target)) {
  msg.passed = true;
  msg.target = msg.payload.target;
  return msg;
}

msg.passed = false;
return msg;
```
The flow now looks like this, and checks the msg.passed. If it is false then it returns a HTTP 400 Bad Request, else it starts the Nmap scan.
2025-01-06
AdGuard Home for security and blocking ads
Introduction
In today’s digital age, the internet is saturated with advertisements and trackers, leading to slower browsing speeds and potential security threats. To combat these issues, leveraging AdGuard Home as a central ad blocker provides several key benefits, such as improved security and faster internet speeds. While browser plugins like “uBlock Origin” offer protection for individual devices within specific browsers, they fall short in safeguarding all devices, particularly those without browser support, such as IoT devices.
Enhanced Security
AdGuard Home blocks intrusive ads and potentially harmful websites before they even reach your devices. By filtering out malicious content, AdGuard Home significantly reduces the risk of malware infections and phishing attacks, safeguarding your personal information and sensitive data.
Protecting Privacy
Ads often come bundled with tracking scripts that monitor your online behavior, compromising your privacy. With AdGuard Home, you can prevent these trackers from collecting your data, preserving your anonymity and preventing targeted advertising based on your browsing habits.
Faster Internet Speeds
Advertisements consume valuable bandwidth and resources, leading to slower loading times and sluggish internet performance. By eliminating ads and unnecessary tracking requests, AdGuard Home helps optimize your network’s efficiency, resulting in faster page loading speeds and smoother browsing experiences.
Open-Source and Transparent
AdGuard Home is open-source software, meaning its source code is freely available for scrutiny and verification by the community. This transparency fosters trust and ensures that the software operates with integrity, free from hidden agendas or backdoors.
Hosting AdGuard Home
Now that you understand why you would want a central adblocker in your home network let’s get started in setting it up.
First you need to decide if you want to host locally or in the cloud.
Hosting locally:
Benefits:
- easier setup
- more secure
- private
Drawbacks:
- need a server
Cloud hosting:
Benefits:
- no local server
- better uptime
Drawbacks:
- more setup for same privacy and security
Since DNS is not encrypted, like HTTPS for example, the cloud provider will most likely be able to see you DNS queries. You will need to use DNS-over-TLS or DNS-over-HTTPS. In a home network it is usually okay to use regular DNS, because AdGuard Home itself uses DNS-over-*S resolvers to get the final address. An example of Cloudflare’s resolvers
```
https://dns.cloudflare.com/dns-query
tls://1dot1dot1dot1.cloudflare-dns.com
https://security.cloudflare-dns.com/dns-query
tls://security.cloudflare-dns.com
```
the regular DNS server would be 1.1.1.1
Local Setup
Depending on your setup, you might already have a server, Home Assistant, pfSesne firewall or nothing at all. I am going to assume you do not have any of the above. So first of all you will need to repuporse an old PC or somethign like a Raspberry Pi (which i highly recommend, i own 7).
I have personally run AdGuard Home in a reasoably sized home network on a Raspberry Pi Zero W. I recommend a bigger one, but if you’re on a really tight budget, that is probably your best bet.
Once you have a machine and it is running a Linux distribution of your choice, you now can install AdGuard Home either in a Container or directly.
Adguard already has a pretty good documentation you can find here, i will shortly show you the 2 options:
Docker
Firstly you need to install Docker. Once you did this, all that is left to do is basically just run:
```
docker run --name adguardhome\
    --restart unless-stopped\
    -v ./work:/opt/adguardhome/work\
    -v ./conf:/opt/adguardhome/conf\
    -p 53:53/tcp -p 53:53/udp\
    -p 67:67/udp -p 68:68/udp\
    -p 80:80/tcp -p 443:443/tcp -p 443:443/udp -p 3000:3000/tcp\
    -p 853:853/tcp\
    -p 784:784/udp -p 853:853/udp -p 8853:8853/udp\
    -p 5443:5443/tcp -p 5443:5443/udp\
    -d adguard/adguardhome
```
and that is it. Now you can go to http://[YOUR-IP]:3000 and follow the steps.
Direct
Installing directly is just as simple:
```
curl -s -S -L https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh | sh -s -- -v
```
That is it. You might have to copy the start command which will be shown in your terminal before you can set up your AdGuard in the browser.
Web UI
The steps for AdGuard in the Web UI are self explanatory so I did not go into detail here. You are basically good to go. I recommend 2 things:
Go to Filters > DNS blocklists, then click on “Add blocklist” and select every Security list. I have also enabled all the “General” blocklists and not trouble.
Go to Settings > DNS settings, I have the following upstream DNS server:
```
quic://dns.adguard-dns.com
# SWITCH
https://dns.switch.ch/dns-query
tls://dns.switch.ch
# quad9
tls://dns.quad9.net
# cloudflare
https://dns.cloudflare.com/dns-query
tls://1dot1dot1dot1.cloudflare-dns.com
https://security.cloudflare-dns.com/dns-query
tls://security.cloudflare-dns.com
```
Router Configuration
I think most of the readers will have a Fritz!Box so this is what I will show here. The setup is probably very similar on your router. You basically just have to edit the DNS server settings in your router.
Fritz!Box
I did not show you my DNS Server IP by mistake. Scroll to the end to find out why. 9.9.9.9 is the Quad9 DNS Server, I use this in case my AdGuard goes down, otherwise I would not be able to browse the web.
Bonus
You are welcome to use my public AdGuard Home instance at 130.61.74.147, just enter it into your router. Please be advised that i will be able to see you DNS logs, which means I would know what you do on the internet… I do not care to be honest so you are free to make your own choice here.
2025-01-06
How to sell rugs online (fast) – hosting your own Dark web market
Disclaimer:
The information provided on this blog is for educational purposes only. The use of hacking tools discussed here is at your own risk.
For the full disclaimer, please click here.
Welcome to the Dark Web Rug Emporium!
So, you’ve made the bold decision to take your rug-selling business to the mysterious realms of the internet’s underworld? Congratulations on joining the league of adventurers! But before you take the plunge into this clandestine universe, let’s shed some light on what exactly the dark web is.
Unveiling the Dark Web
Picture the dark web as the shady back alleys of cyberspace, lurking beyond the reach of traditional search engines like Google or Bing. To access this hidden realm, you’ll need specialized software such as Tor (The Onion Router). Tor works like a digital disguise, masking your online activities by bouncing them through a global network of servers, rendering them virtually untraceable. Think of it as donning a digital ski mask while you explore.
The Secrets Within
Within this shadowy domain lies a treasure trove of hidden services known as onion sites. These sites sport the “.onion” suffix and are exclusively accessible via Tor. They operate on encrypted networks, providing users with a veil of anonymity for their online dealings and conversations. Yes, your potential rug emporium can thrive in this covert corner of the internet.
Setting Up Shop
But don’t think setting up shop in the dark web is as simple as putting up a “For Sale” sign. It demands a certain level of technical expertise and a deep understanding of anonymity protocols. But fret not, brave entrepreneur, for we’re about to embark on a journey to illuminate the path to rug-selling triumph in the internet’s shadows. So, buckle up, adjust your night vision goggles, and let’s dive in.
Recommended Talk
For valuable insights into navigating the dark web as a rug salesman, I highly recommend checking out this enlightening talk: DEF CON 30 – Sam Bent – Tor – Darknet Opsec By a Veteran Darknet Vendor
Establishing Your Den
Now that we’ve suited up with our cybernetic fedoras and armed ourselves with the necessary tools, it’s time to establish our base of operations. Think of it as laying the foundation for your virtual rug emporium.
Payment Processing: Decrypting the Coinage
In the dark web marketplace, cash is so last millennium. Cryptocurrencies reign supreme, offering a level of anonymity and decentralization that traditional fiat currencies can only dream of. To cater to our discerning clientele, we’ll be accepting payments in Bitcoin and Monero, the preferred currencies of choice for denizens of the deep web.
But how do we integrate these cryptocurrencies into our rug-selling empire? Fear not, for the internet offers solutions to meet our clandestine needs. Here are a few notable options to consider:
1. Bitcart: A sleek and user-friendly payment processor. With its robust features and seamless integration, Bitcart ensures a smooth transaction experience for both buyers and sellers. Check out their website for a complete list of features.
2. BTCPay Server: For the more tech-savvy rug merchants among us, BTCPay Server offers unparalleled flexibility and control over our payment infrastructure. This open-source platform allows us to self-host our payment gateway, giving us complete autonomy over our financial transactions. Check out their website for a complete list of features.
Now that we’ve selected our payment processors, it’s time to lay the groundwork for our virtual storefront. We’ll be starting with a fresh Debian 12 LXC container, providing us with a clean slate to build upon. Let’s roll up our sleeves and prepare our base system for the dark web bazaar:
Bash
```
sudo su
apt update && apt upgrade -y
apt install git curl sudo -y
curl -fsSL https://get.docker.com -o get-docker.sh
sh get-docker.sh
```
With our base system primed and ready, we’re one step closer to realizing our rug-selling dreams in the shadowy corners of the internet. But remember, dear reader, the journey ahead is fraught with peril and intrigue. So, steel yourself, for the dark web awaits.
Bitcart
Effortless Deployment
Deploying Bitcart is a breeze with our simplified steps:
Replace YOUR_DOMAIN_OR_IP with your domain/IP
Bash
```
sudo su -
apt-get update && apt-get install -y git
if [ -d "bitcart-docker" ]; then echo "Existing bitcart-docker folder found, pulling instead of cloning."; git pull; fi
if [ ! -d "bitcart-docker" ]; then echo "Cloning bitcart-docker"; git clone https://github.com/bitcart/bitcart-docker bitcart-docker; fi
export BITCART_HOST=YOUR_DOMAIN_OR_IP
export BITCART_REVERSEPROXY=nginx
export BITCART_CRYPTOS=btc,xmr
export BITCART_ADDITIONAL_COMPONENTS=tor
cd bitcart-docker
./setup.sh
```
This will add Tor support and make Monero (XMR) and Bitcoin (BTC) usable.
After setup, navigate to http://DOMAIN_OR_IP/admin/register to register your first user, who will be designated as your admin.
Real talk about Bitcart
Using Bitcart to set up your online store is straightforward, but there’s a lot to learn to make the most of it. Check out their documentation to understand all the options and features.
Running an online store may seem easy, but it’s actually quite complex. Even though Bitcart makes it easier, there are still challenges, especially if you want to use it with Tor. Tor users might have trouble loading certain parts of your store, which could reveal their identity.
If you’re comfortable with WordPress, you might want to try Bitcart’s WooCommerce integration. But if you’re serious about building a dark web store, a custom solution is best. Bitcart offers a way to do this, which you can learn about here. You can use Python and Django to build it, which is great because Django lets you make pages with less JavaScript, which is important for user privacy.
So, while Bitcart is a good starting point, building your own store tailored for the dark web ensures you have more control and can give your users a safer experience. With the right tools and approach, you can create a successful online store in the hidden corners of the internet.
Harnessing Bitcart’s Capabilities
If you’re contemplating Bitcart, delving into their documentation could revolutionize your approach. Crafting a tailored solution using their API opens up a plethora of opportunities.
To bolster security, consider limiting Bitcart’s accessibility to your local machine, shielding it from prying eyes. Meanwhile, powering your marketplace storefront with platforms like PHP (Laravel), Django, or even Next.js provides scalability and flexibility.
This strategy seamlessly integrates Bitcart’s robust backend features with the versatility of these frameworks, ensuring a smooth and secure shopping experience for your users.
The reasoning behind this suggestion lies in the solid community support and reliability of battle-tested technologies. Platforms such as PHP (Laravel), Django, and Next.js boast extensive communities and proven track records—essential qualities in the dark web landscape.
In the clandestine corners of cyberspace, resilience reigns supreme. A single vulnerability in your storefront could lead to catastrophe. By aligning with established frameworks, you gain access to a wealth of expertise and resources, bolstering your defenses against potential threats.
Ultimately, adopting these trusted technologies isn’t merely a matter of preference—it’s a strategic necessity for safeguarding your online presence in the murky depths of the internet.
BTCPayServer: Unveiling a Sophisticated Setup
Setting up BTCPayServer demands a bit more effort due to its slightly complex documentation, especially when deploying on a local network. However, integrating Monero turned out to be surprisingly straightforward. Here’s an excellent guide on that: Accepting Monero via BTCPay Server.
I’ve made slight modifications to the deployment script from the official documentation:
Bash
```
mkdir BTCPayServer
cd BTCPayServer
git clone https://github.com/btcpayserver/btcpayserver-docker
cd btcpayserver-docker
export BTCPAY_HOST="btcpay.local"
export REVERSEPROXY_DEFAULT_HOST="$BTCPAY_HOST"
export NBITCOIN_NETWORK="mainnet"
export BTCPAYGEN_CRYPTO1="btc"
export BTCPAYGEN_CRYPTO2="xmr"
export BTCPAYGEN_ADDITIONAL_FRAGMENTS="opt-save-storage-xxs" # for demo
export BTCPAYGEN_REVERSEPROXY="nginx"
export BTCPAYGEN_LIGHTNING="clightning"
. ./btcpay-setup.sh -i
```
Note that this is a local setup, but it will be publicly accessible over the onion address.
What distinguishes BTCPayServer is its sleek and modern admin interface. As someone who appreciates good design, I find its aesthetics truly appealing. Furthermore, it includes a built-in store and support for Tor, adding an extra layer of privacy.
Customization is seamless with BTCPayServer’s highly adaptable UI. Additionally, its robust API empowers users to craft their own frontend experiences, ensuring flexibility and control.
Their documentation provides clear and insightful examples, making development a delightful experience. Personally, as a fan of NodeJS, I found their NodeJS examples particularly helpful.
In this demonstration, I’ll initiate a Fast Sync to expedite the process. However, in practical scenarios, exercising patience becomes crucial. Given my location in a less technologically advanced country like Germany, Fast Sync typically completes within a few hours on my 100Mbit/s line, whereas the regular sync could span over several days.
Starting Fast Sync
Initiating Fast Sync is straightforward. Either follow the documentation or run these commands in your BTCPayServer directory:
Bash
```
btcpay-down.sh
cd contrib/FastSync
./load-utxo-set.sh
```
Bash
```
# Once FastSync has completed
cd ../
btcpay-up.sh
```
After the snyc is done you can accept payments:
(Please do not send any Bitcoin to this address. They will be lost.)
Clearing Things Up
Before we conclude, let’s debunk a common misconception about the “dark web.” It’s not merely a haven for illicit activities. While I used attention-grabbing examples to highlight these tools, it’s essential to recognize their legitimate applications.
Gone are the days when Tor provided complete anonymity for nefarious actors. As your enterprise expands, tracing your activities becomes increasingly feasible, albeit challenging.
I emphasize this point to underscore that the services and tools discussed here aren’t inherently unlawful. While they can be exploited for illicit purposes, they also serve valid functions.
Consider the case of “Shiny Flakes,” who operated a drug trade through a conventional website without relying on Tor, evading detection for a significant duration. You can explore this story further on Netflix: Shiny Flakes: The Teenage Drug Lord. The takeaway is that we shouldn’t demonize technology solely based on its potential for misuse. Encryption, for example, is integral for safeguarding data, despite its association with ransomware.
Understanding the dual nature of these technologies is crucial for fostering responsible usage and harnessing their benefits while mitigating risks. It’s a delicate balance between innovation and accountability in the ever-evolving landscape of cybersecurity.
Crafting Your Own Payment Processor
Creating a custom lightweight solution isn’t as daunting as it sounds. While the previously mentioned platforms offer comprehensive features, you might find yourself needing only a fraction of them. Allow me to introduce you to one of my “Karl Projects” that I never quite finished. One day, while procrastinating on my actual project, I stumbled upon the idea of a super-secret Telegram chat where people would have to pay fees in Bitcoin or Monero. This brainchild was inspired by contemplating the possibilities of utilizing a State Machine.
Here’s the gist of what you’ll need:
- State Management: Maintain states such as ORDER_NEW, ORDER_PROCESSING, ORDER_PAID.
- Dynamic Address Generation: Generate a new address for each transaction (because, let’s face it, that’s what the cool kids do).
- Transaction Verification: Verify if transactions are confirmed.
- Payment Request Generation: Create a mechanism for generating payment requests.
Now, let’s take a peek at my unfinished test code. May it ignite your creativity and spur you on to achieve remarkable feats:
Python
```
import json
from typing import List
from bitcoinlib.wallets import Wallet, wallet_create_or_open, WalletKey, BKeyError

# Creating or opening a wallet
w = wallet_create_or_open(
    "karls_wallet",
    keys="",
    owner="",
    network=None,
    account_id=0,
    purpose=None,
    scheme="bip32",
    sort_keys=True,
    password="",
    witness_type=None,
    encoding=None,
    multisig=None,
    sigs_required=None,
    cosigner_id=None,
    key_path=None,
    db_uri=None,
    db_cache_uri=None,
    db_password=None,
)

def get_personal_address(wallet: Wallet, name: str = "") -> WalletKey | List[WalletKey]:
    if not name:
        return wallet.keys()

    return wallet.key(name)

def create_new_address(wallet: Wallet, name: str = "") -> WalletKey:
    if not name:
        return wallet.get_key()

    return wallet.new_key(name)

def check_for_transaction(wallet_key: str | WalletKey, wallet: Wallet):
    if isinstance(wallet_key, str):
        try:
            wallet_key = wallet.key(wallet_key)
        except BKeyError as e:
            print(f'Sorry, no key by the name of "{wallet_key}" in the wallet.')
            return

    wallet.scan_key(wallet_key)
    recent_transaction = w.transaction_last(wallet_key.address)

    if recent_transaction:
        print("Most Recent Transaction:")
        print("Transaction ID:", recent_transaction.txid)
        print("Amount:", recent_transaction.balance_change)
        print("Confirmations:", recent_transaction.confirmations)
    else:
        print("No transactions found for the address.")
```
Feel free to adapt and expand upon this code to suit your needs. Crafting your payment processor from scratch gives you unparalleled control and customization options, empowering you to tailor it precisely to your requirements. Maybe one day I will put a finished minimalistic payment processor out there.
Summary
And with that disappointing note, we conclude for now. But fear not, for knowledge awaits. Here are some additional sources to delve deeper into the world of cybersecurity and anonymity:
Keep exploring, stay curious, and until next time!
In case you are from Interpol
You might be thinking, “Whoa, talking about setting up shop on the dark web sounds sketchy. Should we knock on this guys door?” Hey, I get it! But fear not, my friend. Writing about this stuff doesn’t mean I am up to no good. I am just exploring the possibilities, like any curious entrepreneur would. Plus, remember the “Shiny Flakes” story? Bad actors can do bad stuff anywhere, not just on the dark web.
2025-01-06
Vaultwarden: A Lightweight, Self-Hosted Password Manager
What is Vaultwarden ?
According to their GitHub page:
An alternative server implementation of the Bitwarden Client API, written in Rust and compatible with official Bitwarden clients [disclaimer], perfect for self-hosted deployment where running the official resource-heavy service might not be ideal.
If you’re unfamiliar with Vaultwarden or Bitwarden, here’s a quick primer: Vaultwarden is a self-hosted password manager that allows you to securely access your credentials via web browsers, mobile apps, or desktop clients. Unlike traditional cloud-based solutions, Vaultwarden is designed for those of us who value control over our data and want a “syncable” password manager without the resource-heavy overhead.
Since anything that isn’t self-hosted or self-administered is out of the question for me, Vaultwarden naturally caught my attention. Its lightweight design is perfect for a minimal resource setup. Here’s what I allocated to my Vaultwarden instance:
• Alpine LXC
• 1 CPU Core
• 1 GB RAM
• 5 GB SSD Storage
And let me tell you, this thing is bored. The occasional uptick in memory usage you might notice is mostly me testing backups or opening 20 simultaneous sessions across devices—so not even Vaultwarden’s fault. To put it simply: you could probably run this on a smart toaster, and it would still perform flawlessly.
Why I Tried Vaultwarden
Initially, I came across Vaultwarden while exploring the Proxmox VE Helper Scripts website and thought, “Why not give it a shot?” The setup was quick, and I was immediately impressed by its sleek, modern UI. Since Vaultwarden is compatible with Bitwarden clients, you get the added bonus of using the polished Bitwarden desktop app and its functional, albeit less visually appealing, browser extension.
My main motivation for trying Vaultwarden was to move away from syncing my KeePass database across Nextcloud and iCloud. This process had become tedious, especially when setting up new development environments or trying out new Linux distributions—something I do frequently.
Each time, I had to manually copy over my KeePass database, which meant logging into Nextcloud to retrieve it—a task that was ironically dependent on a password stored inside KeePass, which I didn’t have access to yet. With Vaultwarden, I can simply open a browser, enter my master password, and access everything instantly.
Yes, it’s only one or two steps less than my KeePassXC workflow, but sometimes those minor annoyances add up more than they should. Vaultwarden’s seamless syncing across devices has been a breath of fresh air.
Is KeePassXC Bad? Not at All! Here’s Why I Still Love It
Over the years, KeePassXC has been an indispensable tool for managing my passwords and SSH keys. Even as new solutions like Vaultwarden (a self-hosted version of Bitwarden) gain popularity, KeePassXC continues to hold its ground, excelling in several areas where others fall short. Here’s a detailed breakdown of why I still rely on KeePassXC and how it outshines alternatives like Vaultwarden and Bitwarden.
Why KeePassXC Stands Out (in my opinion)
1. Superior Password Generator
KeePassXC’s default password generator is leaps and bounds ahead of the competition. Its design is both powerful and intuitive, offering extensive customization without overwhelming the user. You can effortlessly fine-tune the length, complexity, and character set of generated passwords, making it ideal for advanced use cases.
2. SSH Agent Integration
If you work with multiple SSH keys (I manage over 100), KeePassXC’s built-in SSH agent is a game-changer. It allows seamless integration and management of SSH keys alongside your passwords, streamlining workflows for developers and sysadmins alike. This feature alone makes KeePassXC a must-have for me.
3. File and Hidden Text Storage
Unlike Bitwarden, which doesn’t currently support file storage, KeePassXC offers advanced options for securely storing files and hidden text.
Why I’m Running KeePassXC and Vaultwarden in Parallel
While I’ve started using Vaultwarden for some tasks, there are still key features in KeePassXC that I simply can’t live without:
Local-Only Security:
KeePassXC keeps everything offline by default, which eliminates the risks of exposing passwords to the internet. Even though I host Vaultwarden behind a VPN for added peace of mind, there’s something inherently reassuring about KeePassXC’s local-first approach.
Privacy vs. Accessibility:
Vaultwarden offers enough security features like MFA, WebAuthn or hardwaretoken to safely expose it online, but the idea of having my passwords accessible over the internet still feels unsettling. For that reason, KeePassXC remains my go-to for my most sensitive credentials. I am probably just paranoid, hosting it behind Cloudflare and a firewall with a Client certificate would add sufficient security (on top) where you would not have to worry.
Unique Features:
There are small yet critical features in KeePassXC, like its file storage capabilities and SSH agent integration, that Vaultwarden simply lacks at the moment.
What Vaultwarden Does Well
To give credit where it’s due, Vaultwarden brings some compelling features to the table. One standout is the reporting feature, which alerts you to compromised passwords. It’s a fantastic tool for staying on top of security best practices, I am also a huge fan of web based tools and I like the UI and UX in general.
Conclusion
Both KeePassXC and Vaultwarden have their strengths, and which one you choose ultimately depends on your priorities. For me, KeePassXC remains the gold standard for password management, offering unparalleled functionality for advanced users. Vaultwarden complements it well for “cloud”-based access and reporting, but it still has a long way to go before it can replace KeePassXC in my workflow.
For now, running both in parallel strikes the perfect balance between security, usability, and convenience. Since I am running Vaultwarden on my Proxmox, which is already handling all my backup tasks, I also do not have to worry about data loss or doing extra work.
2025-01-06
Unlock the Power of Remote Development with code-server
In the fast-paced world of software development, flexibility and efficiency are paramount. Enter code-server, an innovative tool that allows you to run Visual Studio Code (VS Code) in your browser, bringing a seamless and consistent development environment to any device, anywhere.
Whether you’re working on a powerful desktop, a modest laptop, or even a tablet (pls don’t!), code-server ensures you have access to your development environment at all times. Here’s an in-depth look at what makes code-server a game-changer.
What is code-server ?
code-server is an open-source project that enables you to run VS Code on a remote server and access it via your web browser. This means you can:
• Work on any device with an internet connection.
• Leverage the power of cloud servers to handle resource-intensive tasks.
• Maintain a consistent development environment across devices.
With over 69.2k stars on GitHub, code-server has gained significant traction among developers, teams, and organizations looking for efficient remote development solutions.
Why would you use code-server ?
1. Flexibility Across Devices
Imagine coding on your laptop, switching to a tablet, or even a Chromebook, without missing a beat. With code-server, your development environment follows you wherever you go—seamlessly.
2. Offloading Performance to the Server
Running resource-intensive tasks on a server instead of your local machine? Yes, please! Whether you’re working on complex builds or handling large datasets, code-server takes the heavy lifting off your device and onto the server.
3. Bringing Your Dev Environment Closer to LLMs
With the rise of large language models (LLMs), working near powerful servers hosting these models has become a necessity. No more downloading terabytes of data just to test integrations locally. Code-server simplifies this by placing your environment right where the action is.
4. Because I Can! 🥳
As a coder and IT enthusiast, sometimes the best reason is simply: Because I can! Sure, you could run local VSCode with “Remote Development” extensions or install it directly on a Chromebook—but where’s the fun in that? 😉
5. Streamlined Backup and File Management
One of my favorite aspects? Developing directly on a remote system where my regular backup processes already take care of everything. No extra steps, no worries—just peace of mind knowing my work is secure.
I just did it to do it, I use code-server to manage all my Proxmox scrips and develop little Sysadmin tools. You also get a nice web shell.
Installation
Requirements
Before diving in, make sure your system meets the minimum requirements:
• Linux machine with WebSockets enabled. (this is important to know when you use a reverse proxy)
• At least 1 GB RAM and 2 vCPUs.
I think you can get away with 1 CPU, mine is bored most of the time, obviously running resource intensive code will eat more.
Check out the full requirements here.
Installation
There are multiple ways to get started with code-server, but I choose the easiest one:
Bash
```
curl -fsSL https://code-server.dev/install.sh | sh
```
This script ensures code-server is installed correctly and even provides instructions for starting it. Never run script like this from the internet before checking it.
Configuration
After installation, you can customize code-server for your needs. Explore the setup and configuration guide to tweak settings, enable authentication, and enhance your workflow.
Bash
```
nano ~/.config/code-server/config.yaml
```
That is where you will find the password to access code-server and you can also change the port:
~/.config/code-server/config.yml
```
bind-addr: 127.0.0.1:8080
password: 5f89a538c9c849b439d0f866
cert: false
```
You can disable auth by commenting out password. Personally I use SSO through Authentik for authentication.
Now you have an awesome way to code in your browser:
Resources
• GitHub Repository
• Setup Guide
• Frequently Asked Questions
2025-01-06
How to Get Real Trusted SSL Certificates with ACME-DNS in Nginx Proxy Manager
Today, I’m going to show you how you can obtain real, trusted SSL certificates for your home network or even a public website. Using this method, you can achieve secure HTTPS for your web services with certificates that browsers recognize as valid. Fun fact: the very website you’re reading this on uses this same method!
This guide focuses on using ACME-DNS with Nginx Proxy Manager (NPM), a popular reverse proxy solution with a user-friendly web interface. Whether you’re setting up a self-hosted website, Nextcloud, or any other service, this approach can provide you with certificates signed by a trusted Certificate Authority (CA) for your home network or the public.
Prerequisites
- I am assuming you are on a Debian based Linux distribution (I will use a Debian 12 LXC). This should work an any host supporting Docker though.
- You should have some knowledge of Docker and Docker Compose and it should be installed. You can find a step by step guide here.
- You need your own domain. I get mine from Namecheap but any provider works. (I usually change the Nameserver to Cloudflare and manage them there since Namecheap is cheaper to buy)
Please make sure you have these packages installed:
Bash
```
apt install curl jq nano
```
(Jup, I like nano. Feel free to use your editor of choice.)
Installing Nginx Proxy Manager
Please refer to the installation guide on the Nginx Proxy Manager Website.
For our installation we will be using Docker with Docker Compose:
docker-compose.yml
```
services:
  npm:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '443:443'
      - '81:81' # Admin Port
      # - '80:80' # not needed in this setup
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
      # - ./custom-syslog.conf:/etc/nginx/conf.d/include/custom-syslog.conf
```
I only like to expose port 443, since we will be using ACME-DNS we will not need 80. Port 81 will be exposed for now, but once configured we will remove this too.
Now just run this command and you will be able to log in via http://your-ip:81 (replace “your-ip” with the actual IP of your machine, you can try http://127.0.0.1:81 if run locally)
Bash
```
docker compose up -d
```
The default credentials are:
Bash
```
Email:    [email protected]
Password: changeme
```
Optional:
I will show you my custom syslog config, but this is beyond the scope of this post, this is optional you do not need this:
custom-syslog.conf
```
log_format proxy_host_logs '$remote_addr - $remote_user [$time_local] '
                           '"$request" $status $body_bytes_sent '
                           '"$http_referer" "$http_user_agent" "$host" '
                           'tag="proxy-host-$host"';

access_log syslog:server=udp://logs.karl:514,tag=proxy-host-$host proxy_host_logs;
error_log syslog:server=udp://logs.karl:514,tag=proxy-host-$host warn;
```
logs.karl is my local DNS record for my rsyslog server. I will make a post about my logging setup and link it here in the future.
Setting up ACME-DNS
The official documentation can be found here.
Simply run this command:
Bash
```
curl -s -X POST https://auth.acme-dns.io/register | jq
```
The response should look like this (I used some “X” to anonymize it a little):
JSON
```
{
  "username": "XXXXc1ab-XXXX-XXXX-XXXX-ec893c5ad50e",
  "password": "CkdjW5wqnXXXXXXXXXXXXXXcGZZyznUDkGRuXHdz",
  "fulldomain": "XXXX040a-XXXX-XXXX-XXXX-XXXX f8525a11.auth.acme-dns.io",
  "subdomain": "XXXX040a-XXXX-XXXX-XXXX-XXXX f8525a11",
  "allowfrom": []
}
```
Please take note of your output and copy it to a file or note taking tool for later.
We will need to edit this a little. If you set this up for your home network it is usually a good idea to use subdomain and a wildcard certificate, this will enable you to secure anything under that subdomain.
There should be a “data” directory in your current one from the docker command earlier. We will create a JSON config file for Nginx Proxy Manager, you can name it whatever you want.
Bash
```
ls # check if "data" dir exists
cd data
nano acme__you_domain.json # use your domain name, but name does not matter
```
In this file you will need to paste the config. I suggest using a subdomain like “home”.
JSON
```
{
  "home.your-domain.com": {
    "username": "XXXXc1ab-XXXX-XXXX-XXXX-ec893c5ad50e",
    "password": "CkdjW5wqnXXXXXXXXXXXXXXcGZZyznUDkGRuXHdz",
    "fulldomain": "XXXX040a-XXXX-XXXX-XXXX-XXXX f8525a11.auth.acme-dns.io",
    "subdomain": "XXXX040a-XXXX-XXXX-XXXX-XXXX f8525a11",
    "allowfrom": []
  },
  "*.home.your-domain.com": {
    "username": "XXXXc1ab-XXXX-XXXX-XXXX-ec893c5ad50e",
    "password": "CkdjW5wqnXXXXXXXXXXXXXXcGZZyznUDkGRuXHdz",
    "fulldomain": "XXXX040a-XXXX-XXXX-XXXX-XXXX f8525a11.auth.acme-dns.io",
    "subdomain": "XXXX040a-XXXX-XXXX-XXXX-XXXX f8525a11",
    "allowfrom": []
  }
}
```
It is important to note that with a wildcard like this you can not do something like: “plex.media.home.your-domain.com”, you can only use the specified level of subdomain, if you did want to do a “sub-sub” you would need to use “*.media.home.your-domain.com” and so on.
A note on the “allowfrom": []“. If you have a static IP that you will always be coming from this is a good idea. Since this guide focuses on SSL for home you most likely have a dynamic IP which will work until it changes, so probably 24h or a week.
Configuring DNS Records
You need to edit your local DNS server and edit these in your registrar. I am using Cloudflare
Cloudflare
go to “your Domain -> DNS -> Records” there you will need to add a CNAME record.
In the “Name” field put “_acme-challenge.YOUR-SUBDOMAIN” in our example that would be like you see in the image below. In the “Target” field you put the “fulldomain” from your config, like “XXXX040a-XXXX-XXXX-XXXX-XXXX f8525a11.auth.acme-dns.io“. Leave “Proxy status” on “DNS only”.
(If you are doing a public and not home only setup you would also add a A, AAAA or CNAME record pointing to your public IP. For home setup you do not need this.)
Local DNS
The devices in your network need to know that your reverse proxy aka. Nginx Proxy Manager is handling “*.home.your-domain.com” you need to add this to your local DNS server so whenever someone goes to “*.home.your-domain.com” it is directed to your proxy. Now if you have a Pi-Hole, AdGuard, pfSense, OPNSense or in your Router varies, technically you could even edit the hosts file of each device.
I am using a Unifi Dream Machine :
In your dream machine go to: /network/default/settings/routing/dns
there you create a new entry like so:
Please use your configured domain and the IP of your system.
Bringing it all together
All we need to do now I configure our setup in the Nginx Proxy Manager. Go to your Admin interface at http://your-ip:81/nginx/certificates then click on “Add SSL-Certificate” and choose “Let’s Encrypt”
There is a lot going on here but I will explain:
- In “Domain Names” enter the domains you have configured
- Enter your E-Mail Address
- Choose “ACME-DNS” in the Provider menu
- In the API URL enter “https://auth.acme-dns.io”
- the registration file is the JSON file we created earlier. Add whatever you called it in there, the path “/data/” should be fine if you followed all the steps.
- Leave propagation empty
Finally just agree and save.
Your new certificate will pop up once the loading screen goes away.
It should look like this:
By the way, I have a profile image because I used my Gravatar email address for the admin login.
Securing the Nginx Proxy Manager Admin
Now that we have a certificate let us use it directly on our admin interface.
Add a new proxy host. Enter the domain of your choosing (you need to change “your-domain.com”. Since it is accessing itself in the Docker network the hostname is “npm” this is its name from the “docker-compose.yml” at the beginning.
Under the “SSL” tab just choose your created certificate.
You do not have to choose the options for Force SSL, HTTP/2 and Block Common Exploits for this to work.
Okay now press Save and test!
If it works you can now remove the port from the compose:
Bash
```
docker compose down
nano docker-compose.yml
```
docker-compose.yml
```
services:
  npm:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '443:443'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
```
Bash
```
docker compose up -d --build
```
Now you can access your Nginx Proxy Manager admin interface via your new domain with a trusted SSL certificate.
Conclusion
Using ACME-DNS with Nginx Proxy Manager is a powerful way to obtain SSL certificates for your home network or website. It simplifies the process of handling DNS challenges and automates certificate issuance for secure HTTPS. You also will no longer have to expose your local services to the internet to get new certificates.
By following this guide, you’ve gained the tools to secure your online services with minimal hassle. Stay tuned for more tips on managing your self-hosted environment, and happy hosting!
2025-01-06