Windows 10 Security Settings

Unwanted Application Protection

Set-MpPreference -PUAProtection 1

Block connections to malicious hosts (network protection)

Set-MpPreference -EnableNetworkProtection Enabled

Both settings also accept the value 2 (AuditMode), which only logs what would have been blocked and is useful for a trial period; Get-MpPreference shows the values currently in effect.

Backup with rsnapshot

Backup concept

A backup server which can be woken via wake-on-lan pulls data from the live servers using rsnapshot. Waking the backup server, creating the backup and shutting it down again are all triggered from one specific live server.

Key generation and automated login

First create an SSH key pair with which the backup server authenticates against the live servers: on the backup server run ssh-keygen -b 4096 -f backup_auth (RSA by default, giving backup_auth and backup_auth.pub). Append the public key backup_auth.pub to /root/.ssh/authorized_keys on each live server to enable automated login; later we will limit the commands available through this key to rsync only, for safety. Check that the live server's /etc/ssh/sshd_config sets PermitRootLogin without-password (called prohibit-password on newer OpenSSH, the old name still works) so that a first connection test from the backup server can succeed. Do the same in the opposite direction for the live server which will later control the backup server.


Run aptitude install rsnapshot and modify /etc/rsnapshot.conf to at least the following (see the comments in the config file for explanations; note that rsnapshot.conf separates keys from values with tabs, not spaces, and that rsnapshot configtest reports syntax problems):

snapshot_root <path>
no_create_root 1
cmd_ssh /usr/bin/ssh
retain ...
ssh_args -i /root/.ssh/backup_auth

# live server directories
backup root@server.local:/etc/ ./
backup root@server.local:/home/ ./

Limiting rights of automated login

On Debian 8/9 extract rrsync (restricted rsync) from the compressed copy in /usr/share/doc/rsync/scripts, on Debian 10 copy the uncompressed script from the same directory, to /usr/local/bin/rrsync and make it executable. The backup key can now be restricted in /root/.ssh/authorized_keys: prepend the entry with command="/usr/local/bin/rrsync -ro /", which limits this key to read-only rsync transfers and nothing else. Note that it still reads the whole filesystem as root, so the private key on the backup server deserves the same protection as the backups themselves. Further restrictions can be added after command:

command="/usr/local/bin/rrsync -ro /",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa ...

Additionally change PermitRootLogin in /etc/ssh/sshd_config to forced-commands-only, so that root can only log in with keys that carry a command= option.
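The restriction above is only as good as the authorized_keys file it lives in. The following script is an added example, not part of the original notes or of rsnapshot: it audits an authorized_keys file and reports every entry that lacks the rrsync forced command or one of the no-* options (an entry using OpenSSH's restrict option counts as restricted). It assumes that root's authorized_keys on a live server should contain nothing but such backup keys; the sample entries it checks are constructed, the key material in them is not real.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an authorized_keys file for
# entries that lack the forced command and the no-* restrictions described above.
# The constructed sample below stands in for /root/.ssh/authorized_keys.

# Restrictions every automated backup key is expected to carry
REQUIRED_OPTS="no-pty no-agent-forwarding no-port-forwarding no-X11-forwarding no-user-rc"

# key_options LINE -> prints the option field of an authorized_keys entry,
# or nothing when the entry starts directly with the key type
key_options() {
  case "$1" in
    ssh-*|ecdsa-*|sk-*) ;;
    *) printf '%s' "$1" | sed -E 's/ (ssh|ecdsa|sk)-.*$//' ;;
  esac
}

# check_key_line LINE -> prints the restrictions the entry is missing,
# returns 0 when nothing is missing and 1 otherwise
check_key_line() {
  opts=$(key_options "$1")
  missing=""
  case "$opts" in
    *'command="/usr/local/bin/rrsync -ro '*) ;;
    *) missing="$missing command=rrsync" ;;
  esac
  case ",$opts," in
    *",restrict,"*) ;;   # restrict (OpenSSH >= 7.2) implies all of the no-* options
    *)
      for opt in $REQUIRED_OPTS; do
        case ",$opts," in
          *",$opt,"*) ;;
          *) missing="$missing $opt" ;;
        esac
      done ;;
  esac
  printf '%s' "$missing"
  [ -z "$missing" ]
}

# audit_authorized_keys FILE -> prints each insufficiently restricted entry,
# returns the number of such entries (0 means every key is restricted)
audit_authorized_keys() {
  bad=0
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    if ! missing=$(check_key_line "$line"); then
      bad=$((bad + 1))
      printf 'unrestricted: %s...\n  missing:%s\n' \
        "$(printf '%s' "$line" | cut -c1-60)" "$missing"
    fi
  done < "$1"
  return $bad
}

# Constructed sample file (not real keys)
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# backup server key, restricted as described in the notes
command="/usr/local/bin/rrsync -ro /",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0example backup_auth
# interactive admin key: flagged, because this file should only hold backup keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExample admin@laptop
# half-restricted leftover: no forced command, most options missing
no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC0example2 old_backup_key
EOF

if audit_authorized_keys "$SAMPLE"; then
  echo "all keys carry the backup restrictions"
else
  echo "review the entries listed above"
fi
```

Run it against /root/.ssh/authorized_keys on each live server after editing; a non-zero exit status means at least one key can still open a shell or forward ports.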


Waking the backup server

wakeonlan [...]

Creating backups

ssh -i <keyfile> rsnapshot [...]

The keyfile authenticates the live server against the backup server. As written, this key can run arbitrary commands as root on the backup server; restrict it with a forced command in the same way as the backup key above, allowing only the rsnapshot, ethtool and shutdown invocations the live server actually needs.

Shutting the backup server down

ssh -i <keyfile> /sbin/ethtool -s eth0 wol g
ssh -i <keyfile> /sbin/shutdown -h -t 1
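The three steps above are all that the live server ever needs to run on the backup server, so the key it uses can be pinned to exactly those actions. The wrapper below is an added example, not part of the original notes or of rsnapshot: installed on the backup server as the forced command of the live server's key (command="/usr/local/bin/backup-ctl",no-pty,no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-ed25519 ... live_ctl), it reads the request from SSH_ORIGINAL_COMMAND and refuses anything that is not an exact "rsnapshot <level>" or "shutdown". The script name, the retain level names, eth0 and the paths are assumptions; waking the machine is not included because wakeonlan runs on the live server, not over ssh.

```shell
#!/bin/sh
# Added example (not from the original notes): forced-command wrapper for the key
# with which the live server logs in to the backup server. Only the exact requests
# below are honoured; "rsnapshot daily; rm -rf /" or "rsnapshot ../x" never reach
# a shell. Set DRY_RUN=1 to print instead of execute.

ALLOWED_LEVELS="hourly daily weekly monthly"  # assumed to match the retain lines in rsnapshot.conf
WOL_IFACE="eth0"                               # assumed interface, as in the notes above

# run CMD... -> executes CMD, or prints it when DRY_RUN is set
run() {
  if [ -n "$DRY_RUN" ]; then
    printf 'would run: %s\n' "$*"
  else
    "$@"
  fi
}

# level_allowed LEVEL -> 0 if LEVEL is one of the configured retain levels
level_allowed() {
  for l in $ALLOWED_LEVELS; do
    [ "$1" = "$l" ] && return 0
  done
  return 1
}

# dispatch REQUEST -> runs the requested action (0) or refuses it (1).
# REQUEST is the exact string the client sent, i.e. $SSH_ORIGINAL_COMMAND.
dispatch() {
  case "$1" in
    "rsnapshot "*)
      level=${1#"rsnapshot "}
      if level_allowed "$level"; then
        run /usr/bin/rsnapshot "$level"
        return $?
      fi
      ;;
    shutdown)
      # arm wake-on-lan before halting, as in the manual steps above
      run /sbin/ethtool -s "$WOL_IFACE" wol g && run /sbin/shutdown -h now
      return $?
      ;;
  esac
  printf 'backup-ctl: refused: %s\n' "$1" >&2
  return 1
}

# Entry point when sshd invokes the script as the forced command
if [ -n "$SSH_ORIGINAL_COMMAND" ]; then
  dispatch "$SSH_ORIGINAL_COMMAND"
  exit $?
fi

# Stand-alone demonstration without ssh: show what each request would do
DRY_RUN=1
dispatch "rsnapshot daily"
dispatch "shutdown"
dispatch "rsnapshot daily; rm -rf /" || true
```

From the live server the calls then become ssh -i <keyfile> backup-host rsnapshot daily and ssh -i <keyfile> backup-host shutdown; the wrapper ignores whatever else a compromised live server might try to send.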

Setting up vsftpd for Brother ADS-1100W

Setup vsftpd

Run aptitude install vsftpd and modify /etc/vsftpd.conf:


Create the target folder with mkdir -p /data/ftp/incoming and hand the incoming folder to the ftp user (the base directory stays read-only, so anonymous users can write into incoming but nowhere else):
chown ftp:ftp /data/ftp/incoming

Since the scanner logs in anonymously, anything that can reach the FTP port can upload here; bind vsftpd to the internal interface (listen_address in /etc/vsftpd.conf) and keep the service off untrusted networks.

Setup Brother ADS-1100W

On the scanner create FTP profiles using the username anonymous and an arbitrary password (an empty password did not work). Set incoming as the target folder. The scan folder can be shared via Samba by adding a section for the target folder to /etc/samba/smb.conf:

   comment = Scans
   path = /data/ftp/incoming
   force user = ftp
   force group = ftp
   read only = No

Smartmontools + hdparm


aptitude install hdparm smartmontools


Since Debian 9, hdparm is not run during system startup anymore. Thus, a custom systemd service has to be created in /etc/systemd/system/rc-local.service:


ExecStart=/etc/rc.local start


Create a dummy /etc/rc.local:

#!/bin/sh -e
# rc.local
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
# In order to enable or disable this script just change the execution
# bits.
# By default this script does nothing.

exit 0

Make it runnable and enable the systemd service:

chmod +x /etc/rc.local
systemctl enable rc-local
systemctl status rc-local.service

To check the health of all disks, change the DEVICESCAN line in /etc/smartd.conf to the following, based on an article in c't 17/2011, p. 178:

DEVICESCAN -a -n standby -m root -M test -o on -S on -s (S/../.././0|L/../../6/0)

Description of the options used:

-a: equivalent to -H -f -t -l selftest -l error -C 197 -U 198 (health status, usage attribute failures, attribute changes, self-test and error logs, current pending and offline uncorrectable sectors)
-n standby: skip the check while the drive is in the given power mode, so it is not spun up just to be polled
-m root: send warning mail to the given address
-M test: mail behaviour; test sends a test mail every time smartd starts, which confirms that alerts actually arrive
-o on: enable automatic offline testing
-S on: enable attribute autosave
-s REGEXP: start a self-test when type/date matches the regex; here a short test daily at 0:00 (S/../.././0) and a long test on Saturdays at 0:00 (L/../../6/0)

Letting smartd check the drives every 12h is sufficient for private use, so set the polling interval in /etc/default/smartmontools accordingly (smartd_opts with -i 43200, the interval in seconds).




aptitude install lighttpd


Adapt /var/www/html/index.html and add a favicon.ico there as well.


Adapt the certificate paths in /etc/lighttpd/conf-available/10-ssl.conf and add the server name:

# /usr/share/doc/lighttpd/ssl.txt

# check against for issues

$SERVER["socket"] == "" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/letsencrypt/live/domain.example/cert+privkey.pem"
        ssl.ca-file = "/etc/letsencrypt/live/domain.example/fullchain.pem"
        server.name = "domain.example"

        ssl.cipher-list = "ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM"
        ssl.honor-cipher-order = "enable"
}

ssl.pemfile has to hold certificate and private key in one file, so cert+privkey.pem is created by concatenating cert.pem and privkey.pem from the Let's Encrypt directory (and has to be refreshed whenever the certificate is renewed). Enable SSL with lighty-enable-mod ssl and restart the service. The cipher list above dates from the RC4 era: RC4 is broken and must not be offered any more, and !AESGCM excludes exactly the AEAD suites modern clients prefer. Drop RC4 and the !AESGCM exclusion, or replace the whole list with a current recommendation such as Mozilla's intermediate profile.

Additionally redirect by default to https by creating /etc/lighttpd/conf-available/10-http-https-redirect.conf:

$HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

Activate the redirection by running lighty-enable-mod http-https-redirect and reloading lighttpd.

Webmail: roundcube + sqlite3 + lighttpd


A small-footprint webmail solution is roundcube together with sqlite3 and lighttpd. The order in which the PHP packages are installed matters, otherwise we end up with Apache dependencies.

apt-get install lighttpd php-cgi php

Debian 9: because of a packaging bug, installing roundcube needs some help to work correctly. Install roundcube while also answering the low-priority debconf questions. Choose the default answers where applicable, but don't select any web server to be configured automatically.

DEBIAN_PRIORITY=low apt-get install dbconfig-sqlite3 roundcube-core roundcube-sqlite3

Manually enable roundcube in lighttpd with

ln -s /etc/roundcube/lighttpd.conf /etc/lighttpd/conf-available/50-roundcube.conf
lighty-enable-mod roundcube fastcgi fastcgi-php

Debian 10: The bugfix was included for this release so we can install easily via aptitude install dbconfig-sqlite3 roundcube-sqlite3 roundcube.


Session timeout can be configured in /etc/roundcube/ via

// Session lifetime in minutes
$config['session_lifetime'] = 360;

Default host can be configured in /etc/roundcube/

$config['default_host'] = array("localhost");

Debian 10: set smtp_user and smtp_pass to empty strings. Empty was the default previously; the newer default reuses the IMAP login for SMTP, but OpenSMTPD does not offer authentication on the loopback device, so sending fails:

$config['smtp_user'] = '';
$config['smtp_pass'] = '';

Setting attachment sizes in /etc/php/7.*/cgi/php.ini

upload_max_filesize = 20M
post_max_size = 30M

Roundcube user settings are stored in /var/lib/dbconfig-common/sqlite3/roundcube (see /etc/dbconfig-common/roundcube.conf)

Surveillance cameras

Surveillance cameras can be captured using ffmpeg wrapped in a script:

#!/bin/sh
# Record one stream for a fixed duration into a timestamped file
set -e

if [ "$#" -ne 5 ]; then
  echo "Usage: $0 duration stream acodec destdir prefix" >&2
  exit 1
fi

# duration in seconds, video copied as-is, audio transcoded to the given codec
ffmpeg -t "$1" -i "$2" -acodec "$3" -vcodec copy -y "$4/${5}_$(date +%F-%T | sed 's/:/_/g').mp4"

Calling it from cron every hour generates timestamped files in /data/cctv prefixed with cam1, each covering a little more than an hour so that consecutive recordings overlap:

5 * * * * 3900 rtsp://camera.example.domain/live.sdp mp2 /data/cctv cam1

Additionally disk space needs to be monitored and old recordings removed as required.

Time lapse videos can be created by getting an image regularly and saving it with timestamp info. The actual video can be done via ffmpeg.



aptitude install samba


Changes in default smb.conf:

  • [global]
    • interfaces =
    • bind interfaces only = yes
  • [homes]
    • read only = no
    • create mask = 0600
  • remove [printers] & [print$] sections (printers will be handled via cups)

Add own sections as needed:

   comment = Section description
   path = /what/to/share
   read only = Yes/No

Example of a public read-only share, e.g. for an OpenELEC client:

   comment = Section description
   path = /what/to/share
   read only = Yes
   guest ok = Yes

User management

smbpasswd -a username # will ask for SMB password
smbpasswd -e username # enables this user



The aim is to setup a headless VDR backend which:

  • provides content via VNSI to an OpenElec client
  • provides a web interface for live viewing and programming
  • provides EPG searching
aptitude install vdr vdr-plugin-vnsiserver vdr-plugin-live vdr-plugin-streamdev-server vdr-plugin-epgsearch


Main configuration is located in /etc/vdr/conf.d/00-vdr.conf. Add -l 2 to reduce log spamming and specify --video= to the actual recordings location. Remove --lirc to avoid log spamming. Add --filesize=100G to split recordings into 100GB chunks.

Streaming has to be allowed for the local network in /etc/vdr/plugins/streamdevhosts.conf by adding the local subnet, e.g.

The web frontend listens by default on all interfaces, this can be changed in /etc/vdr/conf.d/50-live.conf by using multiple --ip lines so that it only listens internally:


The VNSI plugin provides a default config for allowed hosts which has to be adapted in /etc/vdr/plugins/vnsiserver/allowed_hosts.conf.


Following files are relevant for backing up timers and channels:


OpenSMTPD with sender dependent smart hosts


aptitude install opensmtpd


The main config resides in /etc/smtpd.conf. In this case it lets authenticated users relay through several smart hosts depending on the sender address. Thus, users can send with their non-local addresses and OpenSMTPD knows where to forward the mail. This is the accept/listen grammar of OpenSMTPD 6.0 as shipped by Debian 9 and 10; OpenSMTPD 6.4 and later use a different syntax:

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

# Certificates for SSL and TLS
pki domain.example certificate "/etc/letsencrypt/live/domain.example/cert.pem"
pki domain.example key "/etc/letsencrypt/live/domain.example/privkey.pem"

# Accept local mail
listen on localhost
listen on

# Accept external mail when authenticated over a secure channel; authenticated users are considered local!
listen on smtps pki domain.example auth

listen on smtps pki domain.example auth

#listen on port 465 tls pki domain.example auth

# If you edit the file, you have to run "smtpctl update table aliases"
table aliases file:/etc/aliases

# Forward mail for local accounts to their inbox
accept for local alias <aliases> deliver to mda "/usr/lib/dovecot/dovecot-lda -k"
accept from source for local alias <aliases> deliver to mda "/usr/lib/dovecot/dovecot-lda -k"

# Table for smtp-auth credentials, has to be created with "makemap /etc/smtpd_auth"
table smtp_auth_db db:/etc/smtpd_auth.db

# Accept mail from known mail accounts and forward them to their respective smarthosts using smtp-auth
accept from local sender some_user@mailprovider.example for any relay via tls+auth://some_user_mailprovider@mailprovider.example auth <smtp_auth_db>

accept for any relay

The credentials for the smart hosts are located in /etc/smtpd_auth, one label per line; the label is the user part of the relay URL above:

some_user_mailprovider username:password

After changing it the database has to be rebuilt via makemap /etc/smtpd_auth, which produces /etc/smtpd_auth.db. The database needs to be readable by the user opensmtpd, and since both the plain-text file and the database contain the provider password they must be kept away from other users:

chmod 600 /etc/smtpd.conf /etc/smtpd_auth*
chown root:root /etc/smtpd.conf /etc/smtpd_auth
chown opensmtpd:opensmtpd /etc/smtpd_auth.db

/etc/aliases has to be updated to redirect root's mail to an actual user, followed by smtpctl update table aliases as the comment in the config says.