Based on the recent blog of my colleague Rodel Mendrez, we looked at last month’s spam using Excel 4.0 macros and found some interesting examples. Both campaigns use a fake calculation theme, and both use the Excel 4.0 macro to download malicious executables.

Example 1: List of hidden Excel 4.0 macros downloaded via web request

Figure 1 : Trustwave Security Email Gateway (SEG), which displays the first spam in Excel 4.0.

In the first spam campaign is an archive with a fake account new_Invoice 0962.xls. Since the fake invoice is an Excel file that follows the Composite Binary File Format (CFBF), we can unpack its threads with 7Zip to get more information about the attachment static.

Figure 2 : DocumentSummaryInformation flow of the annex new_Invoice 0962.xls obtained with 7-Zip

The summary information flow in the document indicates that the attachment contains the Excel 4.0 macro. The Excel file consists of 2 sheets: Sheets 1 and 8XoaRgSmhZwAxAOJuv2a. In addition, sheet 1 contains a link to a cell or a series of cells called SzpmQrOQqq4E98Rm40RZ7.

When displaying a workbook data stream, two lines indicate a connection to an external data source – the connection line and the URL hxxps://emmnebuc[…]xyz/SDVJKBsdkhv1.

Figure 3 : Workbook procedure as shown in Figure 2

The workflow of the workbook follows the specifications of the binary file format (BIFF). Using the BiffView tool, we check the BIFF data in the annex new_Invoice 0962.xls and focus on the data related to the above observations – BOUNDSHEET and DCONN.

There are two BIFF BOUNDSHEETS in the application that contain information about the card. The first record is for Sheet 1, a visible worksheet, and the second record is for 8XoaRgSmhZwAxAOJuv2a, a hidden Excel 4.0 macro sheet.

Figure 4 : The BIFF BOUNDSHEET records the new_invoice 0962.xls

The BIFF DCONN input stores information about the connections for data transmission. The file new_Invoice 0962.xls has a DCONN number and indicates that Excel will execute the web query as Connection and the corresponding Excel object – Sheet1!SzpmQrOQqq4E98Rm40RZ7.

Figure 5 : BIFF DCONN input Excel input attachments

Thanks to the features of new_invoice 0962.xls we can now study more information about the connectivity of macros and data in Microsoft Excel.

Figure 6 : The Show asset record1 option is activated if there is a hidden record.

The Excel Formula tab in the Name Manager of the Excel application has 5 specific names. The first 4 are specific names for the cells of the hidden leaf 8XoaRgSmhZwAxAOJuv2a. The first specific name Auto_Open is used as autostart for the formulas in the macro list. The fifth name refers to the cell area on Sheet 1 and is an Excel object that will be called Web Query.

Figure 7 : The Excel object connected to the data connection

Once the data connection parameter is enabled, the web request is executed immediately and its return value is set to Sheet1!$Y$100:$Y$103, the cell range to which the fifth specific name refers.

Figure 8 : The formula is loaded after activating the data link.

The formula obtained using Web Query contains macro functions from Excel 4.0 and therefore does not work in Sheet 1. When macros are enabled, they are copied and finally executed on the Excel 4.0 macro sheet.

Figure 9 : Fill Formula.fill executes the loaded formula in the list of Excel 4.0 macros.

The charged formula serves as a charger for the second step. It loads a DLL of hxxps://emmnebuc[.]xyz/SDKVJBsaduv7, saves it as an html file in a %public% directory and executes it. Since this article was written, the URL is unfortunately no longer available.

Example 2: Downloading highly hidden Excel 4.0 macro sheets

Figure 9 : SEG displays 2. fake spam on the invoice

In the meantime, an Excel file is added directly to the e-mail in the second spam example. With BiffView, we checked whether Rechnung_372571.xls contains the Excel 4.0 macro.

Figure 10 : The BIFF BOUNDHSEET entries of Rechnung_372571.xls received with BiffView.

As with the first spam sample, malicious behavior occurs when using the Excel 4.0 macro list. The list of macros has a very hidden property, so it doesn’t appear in the Fade-in dialog. To display the macro, you must change its BIFF BOUNDHSEET record – the fifth byte of the first record in Figure 10 changes from 02:00 to 00:00.

Figure 11 : The file Changed Invoice_372571.xls, which displays the name of the handler, contains only one specific name. Originally there was a very hidden macro sheet when clicking the Auto_Open link.

The list of macros contains a series of RUN functions that start with the reference cell Auto_Open and lead to the execution of the formula in sygfdesy! $CY$375. Ivoice_372571.xls downloads hxxp://paypeted[.]com/esdfrtDERGTYuicvbnTYUv/gspqm[.]exe and runs it under the name C:Intelsgift.exe.

Figure 12 : Macro execution sequence in Excel 4.0

Conclusion

The Excel 4.0 macros were introduced almost 28 years ago, and only a year after their introduction they were overshadowed by the VBA introduced in Excel 5.0. Recently, however, we have noticed that malware writers are making increasing use of this feature, which is still supported in Excel.

Malicious Excel 4.0 macros are more difficult to analyze and detect than VBA macros. VBA macros have their own specific threads, while Excel 4.0 macros are stored in BIFF records in the workbook thread.

Note that these threats will not work if the macros are disabled in the Trust Center settings, just like VBA macros. So if you’re not sure of the confirmation and the source, don’t activate these macros.

IOC

new_invoice 0962.xls (185344 bytes) SHA1 : 16476552B017B61C01152D624F038BBE895E52EE
Invoice_372571.xls (65024 bytes) SHA1 : 96 AE371021192490B5DA7911329ED2DBC837D

Here’s an easy way to sample the changes included in Ubuntu 20.04 without the hassle of having to download and install the distro first!

I’ve went on a screen snapping spree in a fresh copy of the os to collate the following collection of screenshots that showcase some of visible end-user changes in Focal Fossa.

Think of this post as a pack of pre-install spoilers crossed with some pragmatic pre-install promotion

Dive in and take a look!

Ubuntu 20.04 in Screenshots

We start at the Ubiquity installer which, few will be surprised to hear, hasn’t changed dramatically for eons… or is that Eoans?

That said there are a clutch of updated screenshots and rewritten info blurbs, both aimed at letting users know a bit more about the system they’re in the process of installing…

Ubuntu installer

Once the Ubuntu install completes, and the user reboots as prompted, they’ll be delivered to the revamped login screen which, in this release, boasts a cleaner overall layout:

The password entry box is now neatly aligned with the user pod, and the ability to ‘password peek’ added. Notably, the session switcher menu has moved to the lower right corner of the screen:

The new Ubuntu login screen

The first time anyone logs in to the Ubuntu desktop they are greeted by the welcome wizard. No new pages or options have been added to what previously existed, but the tool remains a solid primer all the same:

Ubuntu’s welcome tool

Ubuntu 20.04 has a clean and minimal desktop. Only icons for Home and Trash folders are displayed by default (and can be hidden). The Top Bar and Ubuntu Dock neatly frame the brand new ‘Focal Fossa’ mascot wallpaper:

The Ubuntu 20.04 LTS Desktop

Revised versions of Ubuntu’s Yaru GTK and GNOME Shell themes feature, both rebased on upstream versions in Adwaita and GNOME Shell. Eagle-eyed users may spot the odd dash of purple that’s now peppered throughout the UI:

Yaru theme tweaks

Calendar widget and app notification banners sport a raised, carded look in the Notification Center/message tray applet, a change that’s really helps lift (pun intended) the overall aesthetic:

Carded-effect notifications and widgets

Sticking with theme changes for a moment there’s a brand new “dark mode” option available in the Settings > Appearance panel.

New dark mode option

GNOME developers have tweaked the layout of “Authentication Required” dialogs (among others) to improve consistency throughout the UI, i.e. centrally aligned elements, password peek toggle etc:

Authentication dialog in Focal

The ability to create custom app folders using drag and drop in the Applications grid was introduced in Ubuntu 19.10 and GNOME 3.34 — but the feature is much improved in this release.

App folders now spawn predictably from the centre of the screen; the icon shuffling animation is less flaky; and it’s easier to edit folder names directly from the folder itself:

A custom app folder

Search results displayed in the Applications screen are now easier to read, and are grouped by source:

Search results grouped by source

Those rocking high-resolution displays can enable fractional scaling in Ubuntu 20.04 using the new toggle present in the Settings > Display panel:

Fractional scaling options in Focal

Sticking with Settings for a moment, users may appreciate the newly redesigned “About” panel (though may not appreciate the fact that this no longer shows the kernel version):

GNOME 3.36 features a redesigned About pane

Ubuntu’s lock screen no longer requires users to set a separate background for it. Instead the lock screen reuses the desktop wallpaper with a heavy blur applied to it:

The new lock screen

There are no major software additions in Ubuntu 20.04 beyond a Snap’d version of Ubuntu Software by default (but those who want to install Flatpak apps will need to install the repo version instead):

Snap’d Ubuntu Software

Snap versions of Calculator, Characters, and Logs have been removed the default installed and replaced with the respective repo versions:

The Logs and Characters apps

The latest versions of Mozilla Firefox, LibreOffice, and Thunderbird comes as standard:

Firefox 75 and LibreOffice 6.4

And there are new versions of other core open source apps, like Calendar, To-Do and the Shotwell photo manager:

Shotwell, Calendar and the To Do app

GNOME 3.36, around which Ubuntu 20.04 LTS sits, does deliver a new “Suspend” option in the Status Menu:

Visible suspend option

Finally, the power off dialog is (like other dialogs in this release) is now centre-aligned:

C YA

Ubuntu 20.04 ships with a new dark theme option, but some users don’t think the feature goes far enough.

So in this guide I show you how to change the GNOME Shell theme in Ubuntu 20.04 LTS to Yaru Dark. This simple step gives you a more complete ‘dark mode’ experience throughout the whole Ubuntu desktop UI.

But why is a tutorial on this needed at all?

Well…

Ubuntu’s New Dark Theme

As you probably know by now Ubuntu 20.04 makes it very easy change the look and feel of “window colours” directly from the Settings > Appearance app.

Three window colour choices are offered here: light, standard, and dark:

It’s a great feature, one I was particularly pleased to see Ubuntu add.

The “problem” stems from the factor that the new ‘Dark’ setting only changes the look and feel of apps that run on the desktop. It does not change the colour of the desktop UI itself.

Instead, the GNOME Shell UI continues to use a light theme, regardless of which window colour preference you’ve picked:

It doesn’t look terrible but it’s not quite the full dark theme experience that some users are after.

So I’m pleased to say you can change it — and here’s how.

How to Make GNOME Shell Dark in 20.04

First, you’re going to need to install the User Themes GNOME Shell extension. This add-on lets you to change GNOME Shell theme incredibly easily.

You can install this particular power-up from the extensions.gnome.org (EGO) website but I find it quicker to just install the gnome-shell-extensions package (warning: it adds lots of other add-ons too) straight from the Ubuntu archives, no browser required:

Click to the GNOME Extensions Bundle

Alternatively, you can run this command to install the User Themes GNOME extension on Ubuntu from the command line:

sudo apt install gnome-shell-extensions

Whatever way you choose to install the User Themes extension you are going to need both the (new) GNOME Extensions app and GNOME Tweaks to take advantage of it:

Click to install GNOME Tweaks on Ubuntu

Click to install GNOME Extensions App on Ubuntu

I don’t have a fresh install to test but it might be the case that the ‘new’ Extensions preferences app doesn’t need to be installed manually. It might enabled as soon as you install an extension — just look for it in the Applications grid:

Now you’re all set!

• Open GNOME Extensions app
• Slide the toggle next to ‘User Themes’ to on (coloured)

Just like in this picture:

Then you need to log out and back in to your session OR manually restart GNOME Shell (Alt + F2, type r, hit enter) for the theming extension to actually be activated.

Lastly, open the GNOME Tweaks tool and:

• Select ‘Appearance’ in the sidebar
• Locate the Shell section
• Select ‘Yaru Dark’ from the menu adjacent

Refer to this screenshot if you need help:

That’s all you need to do. Your desktop is now fully dark in ALL areas!

If you get bored of the dark look — impossible, true me — and want to switch back to the standard ‘light’ look for GNOME Shell UI elements just repeat the last set of steps again, but choose ‘Default’ in place of ‘Yaru Dark’.

Do you prefer light or dark Shell themes? Let me know below

Thanks to everyone who sent this tip inubuntu 20.04 dark theme,ubuntu theme

This tutorial is going to show you how to run your own VPN server by installing OpenConnect VPN server on Ubuntu 20.04. OpenConnect VPN server, aka ocserv, is an open-source implementation of Cisco AnyConnnect VPN protocol, which is widely used in businesses and universities. AnyConnect is an SSL-based VPN protocol that allows individual users to connect to a remote network.

Why Set Up Your Own VPN Server?

• Maybe you are a VPN service provider or a system administrator, which behooves you to set up our own VPN server.
• You don’t trust the no-logging policy of VPN service providers, so you go the self-host route.
• You can use VPN to implement network security policy. For example, if you run your own email server, you can require users to log in only from the IP address of the VPN server by creating an IP address whitelist in the firewall. Thus, your email server is hardened to prevent hacking activities.
• Perhaps you are just curious to know how VPN server works.

Features of OpenConnect VPN Server

• Lightweight and fast. In my test, I can watch YouTube 4K videos with OpenConnect VPN. YouTube is blocked in my country (China).
• Runs on Linux and most BSD servers.
• Compatible with Cisco AnyConnect client
• There are OpenConnect client software for Linux, MacOS, Windows and OpenWRT. For Android and iOS, you can use the Cisco AnyConnect Client.
• Supports password authentication and certificate authentication
• Supports RADIUS accounting.
• Easy to set up

I particularly like the fact that compared to other VPN technologies, it is very easy and convenient for the end-user to use OpenConnect VPN. Whenever I install a Linux distro on my computer and want to quickly unblock websites or hide my IP address, I install OpenConnect client and connect to the server with just two lines of commands:

sudo apt install openconnect

sudo openconnect -b vpn.mydomain.com

There is also OpenConnect VPN client for Fedora, RHEL, CentOS, Arch Linux and OpenSUSE. You can easily install it with your package manager.

sudo dnf install openconnect
sudo yum install openconnect
sudo pacman -S openconnect

Prerequisites

To follow this tutorial, you will need a VPS (Virtual Private Server) that can access blocked websites freely (Outside of your country or Internet filtering system). I recommend Vultr VPS (This is my referral link. You can get $50 free credit by creating an account at Vultr via my referral link). They offer 512M memory high-performance KVM VPS for just $2.5 per month, which is perfect for your private VPN server. Once you have a VPS, install Ubuntu 20.04 on it and follow the instructions below.

You also need a domain name. I registered my domain name from NameCheap because the price is low and they give whois privacy protection free for life.

Update: The new Vultr $2.5/month plan includes IPv6 address only. You can select the $3.5/month plan at the New York (NJ) data center to have both IPv4 and IPv6 addresses.

Step 1: Install OpenConnect VPN Server on Ubuntu 20.04

Log into your Ubuntu 20.04 server. Then use apt to install the ocserv package from the default Ubuntu repository.

sudo apt update
sudo apt install ocserv

Once installed, the OpenConnect VPN server is automatically started. You can check its status with:

systemctl status ocserv

Sample output:

● ocserv.service – OpenConnect SSL VPN server
Loaded: loaded (/lib/systemd/system/ocserv.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-04-12 19:57:08 HKT; 12s ago
Docs: man:ocserv(8)
Main PID: 216409 (ocserv-main)
Tasks: 2 (limit: 9451)
Memory: 1.6M
CGroup: /system.slice/ocserv.service
├─216409 ocserv-main
└─216429 ocserv-sm

Hint: If the above command doesn’t quit immediately, you can press the Q key to gain back control of the terminal.

If it’s not running, then you can start it with:

sudo systemctl start ocserv

By default OpenConnect VPN server listens on TCP and UDP port 443. If it’s being used by web server, then the VPN server would probably fail to start. We will see how to change the port in OpenConnect VPN configuration file later.

If there’s a firewall running on your server, then you will need to open port 80 and 443. For example, if you use UFW, then run the following command.

sudo ufw allow 80,443/tcp

Step 2: Install Let’s Encrypt Client (Certbot) on Ubuntu 20.04 Server

The gnutls-bin package installed along with ocserv provides tools to create your own CA and server certificate, but we will obtain and install Let’s Encrypt certificate. The advantage of using Let’s Encrypt certificate is that it’s free, easier to set up and trusted by VPN client software.

Run the following commands to install Let’s Encrypt client (certbot) from the default Ubuntu repository.

sudo apt install certbot

To check the version number, run

certbot –version

Sample output:

certbot 0.40.0

Step 3: Obtain a Trusted TLS Certificate from Let’s Encrypt

I recommend using the standalone or webroot plugin to obtain TLS certificate for ocserv.

Standalone Plugin

If there’s no web server running on your Ubuntu 20.04 server and you want OpenConnect VPN server to use port 443, then you can use the standalone plugin to obtain TLS certificate from Let’s Encrypt. Run the following command. Don’t forget to set A record for your domain name.

sudo certbot certonly –standalone –preferred-challenges http –agree-tos –email [email protected] -d vpn.example.com

Where:

• certonly: Obtain a certificate but don’t install it.
• –standalone: Use the standalone plugin to obtain a certificate
• –preferred-challenges http: Perform http-01 challenge to validate our domain, which will use port 80.
• –agree-tos: Agree to Let’s Encrypt terms of service.
• –email: Email address is used for account registration and recovery.
• -d: Specify your domain name.

As you can see the from the following screenshot, I successfully obtained the certificate.

Using webroot Plugin

If your Ubuntu 20.04 server has a web server listening on port 80 and 443, then it’s a good idea to use the webroot plugin to obtain a certificate because the webroot plugin works with pretty much every web server and we don’t need to install the certificate in the web server.

First, you need to create a virtual host for vpn.example.com.

Apache

If you are using Apache, then

sudo nano /etc/apache2/sites-available/vpn.example.com.conf

And paste the following lines into the file.

ServerName vpn.example.com

DocumentRoot /var/www/ocserv

Save and close the file. Then create the web root directory.

sudo mkdir /var/www/ocserv

Set www-data (Apache user) as the owner of the web root.

sudo chown www-data:www-data /var/www/ocserv -R

Enable this virtual host.

sudo a2ensite vpn.example.com

Reload Apache for the changes to take effect.

sudo systemctl reload apache2

Once virtual host is created and enabled, run the following command to obtain Let’s Encrypt certificate using webroot plugin.

sudo certbot certonly –webroot –agree-tos –email [email protected] -d vpn.example.com -w /var/www/ocserv

Nginx

If you are using Nginx, then

sudo nano /etc/nginx/conf.d/vpn.example.com.conf

Paste the following lines into the file.

server {
listen 80;
server_name vpn.example.com;

root /var/www/ocserv/;

location ~ /.well-known/acme-challenge {
allow all;
}
}

Save and close the file. Then create the web root directory.

sudo mkdir -p /var/www/ocserv

Set www-data (Nginx user) as the owner of the web root.

sudo chown www-data:www-data /var/www/ocserv -R

Reload Nginx for the changes to take effect.

sudo systemctl reload nginx

Once virtual host is created and enabled, run the following command to obtain Let’s Encrypt certificate using webroot plugin.

sudo certbot certonly –webroot –agree-tos –email [email protected] -d vpn.example.com -w /var/www/ocserv

Step 4: Edit OpenConnect VPN Server Configuration File

Edit ocserv main configuration file.

sudo nano /etc/ocserv/ocserv.conf

First, we need to configure password authentication. By default, password authentication through PAM (Pluggable Authentication Modules) is enabled, which allows you to use Ubuntu system accounts to login from VPN clients. This behavior can be disabled by commenting out the following line.

auth = “pam[gid-min=1000]”

If we want users to use separate VPN accounts instead of system accounts to login, we need to add the following line to enable password authentication with a password file.

auth = “plain[passwd=/etc/ocserv/ocpasswd]”

After finishing editing this config file, we will see how to use ocpasswd tool to generate the /etc/ocserv/ocpasswd file, which contains a list of usernames and encoded passwords.

Note: Ocserv supports client certificate authentication, but Let’s Encrypt does not issue client certificate. You need to set up your own CA to issue client certificate.

Next, if you don’t want ocserv to use TCP and UDP port 443, then find the following two lines and change the port number. Otherwise leave them alone.

tcp-port = 443
udp-port = 443

Then find the following two lines. We need to change them.

server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key

Replace the default setting with the path of Let’s Encrypt server certificate and server key file.

server-cert = /etc/letsencrypt/live/vpn.example.com/fullchain.pem
server-key = /etc/letsencrypt/live/vpn.example.com/privkey.pem

Then, set the maximal number of clients. Default is 128. Set to zero for unlimited.

max-clients = 128

Set the number of devices a user is able to login from at the same time. Default is 2. Set to zero for unlimited.

max-same-clients = 2

Next, find the following line. Change false to true to enable MTU discovery, which can optimize VPN performance.

try-mtu-discovery = false

You can set the time that a client is allowed to stay idle before being disconnected via the following two parameters. If you prefer the client to stay connected indefinitely, then comment out these two parameters.

idle-timeout=1200
mobile-idle-timeout=1800

After that, set the default domain to vpn.example.com.

default-domain = vpn.example.com

The IPv4 network configuration is as follows by default. This will cause problems because many home routers also set the IPv4 network range to 192.168.1.0/24.

ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0

We can use another private IP address range (10.10.10.0/24) to avoid IP address collision, so change the value of ipv4-network to

ipv4-network = 10.10.10.0

Now uncomment the following line to tunnel all DNS queries via the VPN.

tunnel-all-dns = true

The default DNS resolver addresses are as follows, which is fine.

dns = 8.8.8.8
dns = 1.1.1.1

Note: If you are a VPN service provider, then it’s a good practice to run your own DNS resolver on the same server. If there’s a DNS resolver running on the same server, then specify the DNS as

dns = 10.10.10.1

10.10.10.1 is the IP address of OpenConnect VPN server in the VPN LAN. This will speed up DNS lookups a little bit for clients because the network latency between the VPN server and the DNS resolver is eliminated.

Then comment out all the route parameters (add # symbol at the beginning of the following four lines), which will set the server as the default gateway for the clients.

route = 10.0.0.0/8
route = 172.16.0.0/12
route = 192.168.0.0/16

no-route = 192.168.5.0/255.255.255.0

Save and close the file  Then restart the VPN server for the changes to take effect.

sudo systemctl restart ocserv

Step 5: Create VPN Accounts

Now use the ocpasswd tool to generate VPN accounts.

sudo ocpasswd -c /etc/ocserv/ocpasswd username

You will be asked to set a password for the user and the information will be saved to /etc/ocserv/ocpasswd file. To reset password, simply run the above command again.

Step 6: Enable IP Forwarding

In order for the VPN server to route packets between VPN clients and the Internet, we need to enable IP forwarding. Edit sysctl.conf file.

sudo nano /etc/sysctl.conf

Add the following line at the end of this file.

net.ipv4.ip_forward = 1

Save and close the file. Then apply the changes with the below command. The -p option will load sysctl settings from /etc/sysctl.conf file. This command will preserve our changes across system reboots.

sudo sysctl -p

Step 7: Configure IP Masquerading in Firewall

We need to set up IP masquerading in the server firewall, so that the server becomes a virtual router for VPN clients. I will use UFW, which is a front end to the iptables firewall. Install UFW on Ubuntu with:

sudo apt install ufw

First, you need to allow SSH traffic.

sudo ufw allow 22/tcp

Then edit /etc/default/ufw file.

sudo nano /etc/default/ufw

Change the default forward policy from “DROP” to “ACCEPT”.

DEFAULT_FORWARD_POLICY=”ACCEPT”

Save and close the file. Next, find the name of your server’s main network interface.

ip addr

As you can see, it’s named ens3 on my Ubuntu server.

To configure IP masquerading, we have to add iptables command in a UFW configuration file.

sudo nano /etc/ufw/before.rules

By default, there are some rules for the filter table. Add the following lines at the end of this file. Replace ens3 with your own network interface name.

# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0] -A POSTROUTING -o ens3 -j MASQUERADE

# End each table with the ‘COMMIT’ line or these rules won’t be processed
COMMIT

In Nano text editor, you can go to the end of the file by pressing Ctrl+W, then pressing Ctrl+V.

The above lines will append (-A) a rule to the end of of POSTROUTING chain of nat table. It will link your virtual private network with the Internet. And also hide your network from the outside world. So the Internet can only see your VPN server’s IP, but can’t see your VPN client’s IP, just like your home router hides your private home network.

Save and close the file. Then enable UFW.

sudo ufw enable

If you have enabled UFW before, then you can use systemctl to restart UFW.

sudo systemctl restart ufw

Now if you list the rules in the POSTROUTING chain of the NAT table by using the following command:

sudo iptables -t nat -L POSTROUTING

You can see the Masquerade rule.

Step 8: Open Port 443 in Firewall

Run the following command to open TCP and UDP port 443. If you configured a different port for ocserv, then change 443 to your configured port.

sudo ufw allow 443/tcp
sudo ufw allow 443/udp

Now OpenConnect VPN server is ready to accept client connections.

For those of you who run a local DNS resolver, if you specified 10.10.10.1 as the DNS server for VPN clients, then you must allow VPN clients to connect to port 53 with the following UFW rule.

sudo ufw insert 1 allow in from 10.10.10.0/24

You also need to edit the BIND DNS server’s configuration to allow VPN clients to send recursive DNS queries like below.

allow-recursion { 127.0.0.1; 10.10.10.0/24; };

How to Install and Use OpenConnect VPN client on Ubuntu 20.04 Desktop

Run the following command to install OpenConnect VPN command line client on Ubuntu desktop.

sudo apt install openconnect

You can Connect to VPN from the command line like below. -b flag will make it run in the background after connection is established.

sudo openconnect -b vpn.example.com:port-number

You will be asked to enter VPN username and password. If connection is successfully established, you will see the following message.

Got CONNECT response: HTTP/1.1 200 CONNECTED
CSTP connected. DPD 90, Keepalive 32400
Connected tun0 as 192.168.1.139, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(RSA)-(AES-256-GCM).

To stop the connection, run:

sudo pkill openconnect

To run the client non-interactively, use the following syntax.

echo -n password | sudo openconnect -b vpn.example.com -u username –passwd-on-stdin

If you want to use Network Manager to manage VPN connection, then you also need to install these packages.

sudo apt install network-manager-openconnect network-manager-openconnect-gnome

If you are successfully connected to the VPN server, but your public IP address doesn’t change, that’s because IP forwarding or IP masquerading is not working. I once had a typo in my iptables command, which caused my computer not being able to browse the Internet.

Auto-Connect on System Startup

To let OpenConnect VPN client automatically connect to the server at boot time, we can create a systemd service unit.

sudo nano /etc/systemd/system/openconnect.service

Put the following lines to the file. Replace the red text.

[Unit] Description=OpenConnect VPN Client
After=network-online.target
Wants=network-online.target

[Service] Type=simple
ExecStart=/bin/bash -c ‘/bin/echo -n password | /usr/sbin/openconnect vpn.example.com -u username –passwd-on-stdin’
KillSignal=SIGINT
Restart=always
RestartSec=2

[Install] WantedBy=multi-user.target

Save and close the file. Then enable this service so that it will start at boot time.

sudo systemctl enable openconnect.service

Explanation of the file content:

• After=network-online.target and Wants=network-online.target make this service run after network is up.
• In reality, this service can still run before network is up. We add Restart=always and RestartSec=2 to restart this service after 2 seconds if this service fails.
• Systemd doesn’t recognise pipe redirection, so in the ExecStart directive, we wrap the comand in single quotes and run it with the Bash shell.
• Since OpenConnect VPN client will run as a systemd service, which runs in the background, there’s no need to add -b flag to the openconnect command.
• The KillSignal directive tells Systemd to send the SIGINT signal when the systemctl stop openconnect command is issued. This will performs a clean shutdown by logging the session off, and restoring DNS server settings and the Linux kernel routing table.

To start this Systemd service immediately, run

sudo systemctl start openconnect

To stop this Systemd service, run

sudo systemctl stop openconnect

OpenConnect GUI Client for Windows and MacOS

They can be downloaded from OpenConnect GUI Github Page.

Speed

OpenConnect VPN is pretty fast. I can use it to watch 4k videos on YouTube.

Auto-Renew Let’s Encrypt Certificate

Edit root user’s crontab file.

sudo crontab -e

Add the following line at the end of the file. It’s necessary to reload ocserv service for the VPN server to pick up new certificate and key file.

@daily certbot renew –quiet && systemctl reload ocserv

Optimization

OpenConnect by default uses TLS over UDP protocol (DTLS) to achieve faster speed, but UDP can’t provide reliable transmission. TCP is slower than UDP but can provide reliable transmission. One optimization tip I can give you is to disable DTLS, use standard TLS (over TCP), then enable TCP BBR to boost TCP speed.

To disable DTLS, comment out (add # symbol at the beginning) the following line in ocserv configuration file.

udp-port = 443

Save and close the file. Then restart ocserv service.

sudo systemctl restart ocserv.service

To enable TCP BBR, please check out the following tutorial.

In my test, standard TLS with TCP BBR enabled is two times faster than DTLS.

Troubleshooting

Note that if you are using OpenVZ VPS, make sure you enable the TUN virtual networking device in VPS control panel. (If you use Vultr VPS, then you have KVM-based VPS, so you don’t have to worry about this.)

If you encounter any problem, then check OpenConnect VPN server log.

sudo journalctl -eu ocserv.service

I found that if I change port 443 to a different port, the great firewall of China will block this VPN connection.

Make OpenConnect VPN server and web server use port 443 at the same time

Normally a port can only be used by one process. However, we can use HAproxy (High Availability Proxy) and SNI (Server Name Indication) to make ocserv and Apache/Nginx use port 443 at the same time.

First, edit ocserv configuration file.

sudo nano /etc/ocserv/ocserv.conf

Uncomment the following line. This will allow ocserv to obtain the client IP address instead of HAproxy IP address.

listen-proxy-proto = true

Then find the following line.

#listen-host = [IP|HOSTNAME]

Change it to

listen-host = 127.0.0.1

This will make ocserv listen on 127.0.0.1 because later HAproxy will need to listen on the public IP address. Save and close the file. Then restart ocserv.

sudo systemctl restart ocserv

Next, we also need to make the web server listen on localhost only, instead of listening on public IP address. If you use Nginx, edit the server block file.

sudo nano /etc/nginx/conf.d/www.example.com.conf

In the SSL server block, find the following directive.

listen 443 ssl;

Change it to

listen 127.0.0.2:443 ssl;

This time we make it listen on 127.0.0.2:443 because 127.0.0.1:443 is already taken by ocserv. Save and close the file. Then restart Nginx.

sudo systemctl restart nginx

Now install HAproxy.

sudo apt install haproxy

Edit configuration file.

sudo nano /etc/haproxy/haproxy.cfg

Copy and paste the following lines to the end of the file. Replace 12.34.56.78 with the public IP address of your server. Replace vpn.example.com with the domain name used by ocserv and www.example.com with the domain name used by your web server.

frontend https
bind 12.34.56.78:443
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }

use_backend ocserv if { req_ssl_sni -i vpn.example.com }
use_backend nginx if { req_ssl_sni -i www.example.com }
use_backend nginx if { req_ssl_sni -i example.com }

default_backend ocserv

backend ocserv
mode tcp
option ssl-hello-chk
server ocserv 127.0.0.1:443 send-proxy-v2

backend nginx
mode tcp
option ssl-hello-chk
server nginx 127.0.0.2:443 check

Save and close the file. Then restart HAproxy.

sudo systemctl restart haproxy

In the configuration above, we utilized the SNI (Server Name Indication) feature in TLS to differentiate VPN traffic and normal HTTPS traffic.

• When vpn.example.com is in the TLS Client Hello, HAProxy redirect traffic to the ocserv backend.
• When www.example.com is in the TLS Client Hello, HAProxy redirect traffic to the nginx backend.
• If the client doesn’t specify the server name in TLS Client Hello, then HAproxy will use the default backend (ocserv).

You can test this setup with the openssl tool. First, run the following command multiple times.

echo | openssl s_client -connect your-server-IP:443 | grep subject

We didn’t specify server name in the above command, so HAproxy will always pass the request to the default backend (ocserv), and its certificate will be sent to the client. Next, run the following two commands.

echo | openssl s_client -servername www.example.com -connect your-server-IP:443 | grep subject

echo | openssl s_client -servername vpn.example.com -connect your-server-IP:443 | grep subject

Now we specified the server name in the commands, so HAproxy will pass request accordingly. Note that the Cisco AnyConnect App doesn’t support TLS SNI, so it’s better to set ocserv as the default backend in HAProxy configuration file.

When renewing Let’s Encrypt certificate for your website, it’s recommended that you use the http-01 challenge instead of tls-alpn-01 challenge, because HAproxy is listening on port 443 of the public IP address, so it can interfere with the renew process.

sudo certbot renew –preferred-challenges http-01

Fixing HAproxy Error

If your Nginx web server doesn’t show up in your browser and you see the following messages in haproxy log (/var/log/haproxy.log)

Server nginx/nginx is DOWN, reason: Socket error, info: “Connection reset by peer

backend nginx has no server available!

Layer6 invalid response

It maybe because your backend Nginx web server is using a TLS certificate with OCSP must staple extension. Nginx doesn’t send the OCSP staple information on the first HTTP request. To make it work, be sure to add a resolver in your Nginx virtual host configuration like below.

{
….
ssl_trusted_certificate /etc/letsencrypt/live/www.example/chain.pem;
ssl_stapling on;
ssl_stapling_verify on;

resolver 8.8.8.8;
….
}

Save and close the file. Then restart Nginx.

sudo systemctl restart nginx

Also consider removing health check for the backend server in HAproxy. So change

server nginx 127.0.0.2:443 check

To

server nginx 127.0.0.2:443

Save and close the file. Then restart HAproxy.

sudo systemctl restart haproxy

How to Disable TLS 1.0 and TLS 1.1 in ocserv

The PCI council deprecated TLS 1.0 in June 30, 2018 and main stream web browsers are going to disable TLS 1.0 and TLS 1.1 in 2020. We should do the same with VPN server. Edit the main configuration file.

sudo nano /etc/ocserv/ocserv.conf

Find the following line:

tls-priorities = “NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128”

To disable TLS 1.0 and TLS 1.1 in OpenConnect VPN server, just add -VERS-TLS1.0 and -VERS-TLS1.1 in the line.

tls-priorities = “NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128:-VERS-TLS1.0:-VERS-TLS1.1”

Save and close the file. Then restart ocserv.

sudo systemctl restart ocserv

Now ocserv will only accept TLS 1.2. For further information on configuring the TLS parameter in ocserv, please see GnuTLS priority strings.

To check if TLS 1.0 is supported in your OpenConnect VPN server, run the following command.

openssl s_client -connect vpn.your-domain.com:443 -tls1

And check TLS 1.1

openssl s_client -connect vpn.your-domain.com:443 -tls1_1

If you see the following message in the output, that means the TLS version is not supported.

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported

Note: The ocserv package on Ubuntu 20.04 supports TLS 1.3.

Per User or Per Group Configuration

Ocserv allows per user and per group configurations. To enable this feature, uncomment the following two lines in /etc/ocserv/ocserv.conf file.

config-per-user = /etc/ocserv/config-per-user/
config-per-group = /etc/ocserv/config-per-group/

Save and close the file. Then create the per user and per-group config directory.

sudo mkdir /etc/ocserv/config-per-user/
sudo mkdir /etc/ocserv/config-per-group/

Next, you can create a file under these two directories. For example, create the user1 file to allow custom configuration for user1.

sudo nano /etc/ocserv/config-per-user/user1

You can also create the group1 file to allow custom configuration for the group named group1.

sudo nano /etc/ocserv/config-per-group/group1

You can add something like below in the file.

route = 10.10.10.0/255.255.255.0
tunnel-all-dns = false
dns = 8.8.8.8
dns = 1.1.1.1

Where:

• The first line means that after user1 or users in group1 connect to this VPN server, only traffic to the 10.10.10.0/24 network will be routed via VPN server. Traffic to other IP addresses are routed via the original gateway.
• The second line disables tunneling DNS queries.
• The third and fourth line set DNS servers for VPN clients.

I use this trick to allow my another VPS (virtual private server) to connect to this VPN server without disrupting normal traffic, so the TUN device (vpns0) of my VPN server is always turned on, which means my VPN server will always have the private IP address 10.10.10.1.

Save and close the file. Restart ocserv for the changes to take effect.

sudo systemctl restart ocserv

Wrapping Up

That’s it! I hope this tutorial helped you install and configure OpenConnect VPN on Ubuntu 20.04. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks

Rate this tutorial

[Total: 3 Average: 5]install openconnect ubuntu,ocserv certificate authentication

Dovecot is an open source service for IMAP and POP3 on Unix-like operating systems. It focuses on a lean and secure email server that is available for most Linux operating systems. This manual will help you install and configure POS3/IMAP with Dovecot on your CentOS 8 operating system.

Step 1 – Placing a pigeon on CentOS 8

The Dovecot package is available in AppStream’s yum repository. Simply install the package on your CentOS 8 system using the yum/dnf package manager.

sudo dnf -y Installation of the pigeon loft

Step 2 – Insertion of the pigeon

Once the installation is complete, configure the Dovecot server according to your needs. Below you will find a quick and useful configuration of Dovecot to work with your system.

• Edit the loft’s main configuration file and leave comments in the following lines to activate the POP3 and IMAP protocols. Configure also deafcot on all interfaces. sudo vi /etc/dovecot/dovecot.conf
  protocol = imap pop3 lmtp
  listen = *, : :
• Then change the authentication file for Dovecot and update the following values: .sudo vi /etc/dovecot/conf.d/10-auth.conf
  disable_plaintext_auth = no
  auth_mechanisms = normal login
• Then edit the mail configuration file to configure the location of your mailbox. Make sure the mail server settings have the correct location for emails.sudo vi /etc/dovecot/conf.d/10-mail.conf
  mail_location = maildir:~/Maildir
• Then edit the following configuration file and specify the user and group name of the mail server on which .sudo vi /etc/dovecot/conf.d/10-master.conf
  unix_listener /var/spool/postfix/private/auth {
  mode = 0666
  user = postfix
  group = postfix
  }.
• Finally, change the SSL configuration file of the loft. Set SSL to Yes or Mandatory. A self-separation certificate is used as standard. If you have your own certificates, update them as follows: sudo vi /etc/dovecot/conf.d/10-ssl.conf
  ssl= yes

ssl_cert = /letsencrypt/live/mail.tecadmin.net/cert.pem
ssl_key = /letsencrypt/live/mail.tecadmin.net/privkey.pem

Step 3 – Managing the pigeon service

We can control the loft with the systemctl command line tool. Use the following command to activate the Dovecot service.

sudo systemctl Start-up of the loft.service

Use the following commands to start/stop or restart the loft service:

sudo systemctl Start deafcot.service
sudo systemctl Stop deafcot.service
sudo systemctl Restart deafcot.service

To view the current status of the service, use the following command

sudo systemctl status deafcot.service

Step 4 – Test setup

The username rahul was created on my CentOS 8 system. We need the command line program mutt to connect the mailbox via the imaps protocol.

Scandal at court

Then use the following command to connect to your mailbox :

mormel -f imaps:// [Email Protection]

You will be asked to accept the certificate (press a to always accept it). You will then be asked to enter your password. Enter the user’s password and press the Enter key. You will see the e-mail address of your account.

Step 5 – Setting up rules in the Firewall

To access your mail server from another computer, you must configure firewall rules to allow connections to the server at the required ports. The default ports are POP/IMAP :

• IMAP – 143
• IMAPS – 993
• POP3 – 110
• POP3S – 995

Execute the following commands to add firewall rules :

sudo firewall-cmd –add-service={pop3,imap} -permanent
sudo-Firewall-cmd –add-service={pop3s,imaps} -permanent

Then restart the changes.

sudo firewall-cmd – reboot

Conclusion

The Dovecot service is configured in your system. You have configured your server to access the user’s mailbox using the POP3 or IMAP protocols.install dovecot centos 7,configure dovecot postfix

Here is our selection of the best things you can do after installing Ubuntu 20.04 LTS ‘Focal Fossa’ – things that will help you get the most out of your Linux system.

The release of the latest version of Long Term Support (LTS) for Ubuntu is a real challenge as most Ubuntu users (who are constantly growing) have chosen to start the LTS edition compared to the last short edition.

Ubuntu is proud of the standard delivery. It comes with applications that most people will use and with settings that most people will like.

But you’re not everything, and there may be things you want to turn on and off or install – and that’s exactly what this guide covers.

Although some of the tips below may seem obvious, they are often forgotten or overlooked. Others are a sensory niche or specific needs. In any case, this set of parameters contributes to improving the Ubuntu experience without compromising its stability and reliability.

Cases to be resolved after installation of Ubuntu 20.04

1. Look what’s new.

Each version of Ubuntu is different from the previous one, and the last sentence is no exception. So, before you start changing settings or flipping switches, take a little time – say 3 minutes and 25 seconds – to find out what’s new and remarkable about Focal Fossa.

If you don’t see the embedded video above, you can find it on our YouTube channel.

2. Playing with Dark Mode

Ubuntu 20.04 has option Dark Mode

Dark modes have been all the rage with all the major mobile and desktop operating systems these days, and I can imagine having one – and this offer now includes Ubuntu.

Although this is not the default theme, it is very easy to switch to dark window colours in Ubuntu 20.04 :

• Settings > Open appearance
• Select the setting for dark windows.

Let’s go, let’s go, let’s go, let’s go! The change takes effect immediately and immediately dims the background and toolbars of most applications. Note that dark mode in Ubuntu does not change the color of the GNOME Shell user interface, such as the notification menu, calendar, and system menu.

If you get tired of the dark display, you can return to the default mixed mode in the Appearance Settings window (or try the bright light version).

3. Installing Gnome Optimizations

Gnome Tweaks is a Swiss army knife of options, including…

• Change the GTK and the theme symbol
• Move the window buttons to the left
• Change the font and font size on your desktop
• Automatic new window centre
• Show the day of the week on the label of the watch
• Switching between dynamic and static working range

And a little more!

In short, Ubuntu Tweaks makes fine-tuning your Ubuntu desktop much, much easier than wandering around in the dconf editor.

The best way to install it is to do it in one click:

Click here to install GNOME Tweaks on Ubuntu.

4. Get a powerful example tool forfiles

GNOME Sushi is a useful tool for viewing space panels on the GNOME Shell desktop.

Anyone who has ever tried MacOS immediately knows what I mean by ‘gap viewing’, a feature first introduced to the Apple operating system and very popular with users.

First select (click) the file in the Nautilus file manager and then click the space bar. This gives an almost instant overview of the file.

The layout of the preview varies depending on the file, but the most common file formats are supported. Use Sushi for instant image viewing, media playback, PDF and LibreOffice document scrolling, folder size information, and more. – All this without having to open a single application.

And if you find the folder you want to fully open, the sushi window (in most cases) allows you to do so.

Sushi is free and open source software. You can install it to Ubuntu from the Ubuntu software. Just search for sushi by name, or if you are reading this message from the Ubuntu system, click this button:

Click here to install GNOME Sushi on Ubuntu

5. Activate minimization by clicking

If you want applications to be minimized when you click the Ubuntu Docking Station icon, you can enable this behavior manually.

And I mean by hand, because even though it’s one of the most popular Ubuntu tweets, there’s still no easy way to do it with the GUI – but don’t worry, the command line is close!

Open a new terminal window and type the following command to be clicked to enable minimization in Ubuntu

gsettingset org.gnome.shell.extensions.dash-to-dock click action ‘minim’.

The change is immediate.

Do you want to move Doc Ubuntu? Use Settings > Dock > Position

6. Display battery with a power factor of

Skip this step if you are not using your laptop (or if you are and don’t want your battery percentage to go away without entering the status menu).

The Ubuntu battery charge indicator allows you to briefly check the battery life without entering the status menu. But it’s a bit small and a bit vague (does 2 bars mean I still have 60% or 30%?).

You can easily have Ubuntu display the percentage of battery charge using the power panel of the GNOME Tweaks tool, which I recommend in step 3 :

1. Open GNOME Preferences
2. Select Supreme Organ.
3. Set the battery percentage slider to ON.

If you do not want to follow the GUI route, you can use the following command to display the battery level as a percentage on the top panel:

gsettingset org.gnome.desktop.interface show-battery percentage where

Much better!

Tip: You can open the terminal window at any time by pressing Ctrl + Alt + t.

7. Touch PanelChange of Slide Direction

If you’ve ever used a touchpad or trackpad with Ubuntu and the way the scroll direction is set by default – called Natural Scroll – then you shouldn’t get stuck!

Simply change the direction of the touchpad in Ubuntu so that the content moves in the same direction as you move, for example by scrolling down the page:

• Open parameters
• Switch to mouse and touchpad
• Slide the Natural Scroll switch to the on position.

That’s all you need to set a scroll direction that makes you feel more comfortable.

8. LivepatchAdjustment

Livepatch can install and apply kernel security updates without rebooting your computer.

This feature is (of course) more focused on servers and business systems with mission-critical workloads, but Ubuntu Livepatch also works well on desktops – but only on LTS versions!

If you hate restarting as much as I do, this job is definitely a good find. Simply launch the Livepatch link from the application table to view it.

9. Switching on automatic waste disposal

The privacy options in the customer settings include a convenient set of space saving features, including automatic cleaning of the bin(s) at regular intervals – ideal if you (like me) tend to forget to remove the bin(s) regularly.

This feature and the Automatic deletion of temporary files settings can help you save space on Ubuntu with a minimum of effort on your site.

Yeah, yeah, yeah, yeah, yeah, yeah, yeah, yeah: Ubuntu gives you reason to be lazy!

10. Try top of the line software

The world of software, free, paid and open source, is at your disposal at Ubuntu. But where to start?

Well, tons of open source favorites are available for installation on Ubuntu 20.04 LTS directly from the Ubuntu software application, among others :

• Mixer
• Chrome
• GIMP
• Crete
• Kdenlive
• OBS
• VirtualBox
• VLC

And you don’t limit yourself to what’s in the archives. Other popular (but not necessarily open source) programs are also available for Ubuntu, including well-known names such as

• Disagreements
• Google Chrome
• Lighting works
• Skype
• Silence
• Steam
• Telegram
• Traction waveform

And these are just superficial scratches.

You can follow this blog to get more software recommendations, news about updated and promising new applications, how and when we open them! For more information about the software, please refer to the best Electron applications in our manual.

… and 4 things you can’t do…

So here are some things to do after the installation of Ubuntu 20.04 LTS. I hope you found some of them useful – but what shouldn’t you do after installing or upgrading Ubuntu 20.04?

Here are some…

Do not add millions of additional spas

PPAs are a convenient way to install new applications and updates for Ubuntu that are delivered outside the main repository.

However, it will take some time to get familiar with your system before you add some random PPAs (often recommended, yes, sites like mine).

And if you can’t live without, try using only software-specific APPs, i.e. don’t add APPs to sinks that contain a lot of different tools and software you don’t want!

And that’s twice as much as the sink in the kitchen.

Do not uninstall a default desktop.

As mentioned at the beginning of this note, Ubuntu comes with a number of default settings that are as attractive as possible.

But the perception of Ubuntu on the GNOME shield desktop is not for everyone.

And while it’s trivial to get a vanilla GNOME installation with the Ubuntu version, completely removing the default desktop from the distribution is not the right solution, which you don’t like.

You will get a cheaper and cleaner system if you first install the right distribution and desktop.

Do not execute random Internet commands

You should never execute scripts or random commands that you find online on your system.

My rule of thumb is this: If I don’t understand what a team is going to do, I won’t abide by it.

As always.

This amount is doubled for jobs that do more than one thing at a time or that download and run scripts (ALWAYS check the content of the scripts before running them. Always, always, always).

P.S. NEVER execute this command. You know what I mean. It’s just… …no.

Don’t forget to share Ubuntu with others

A good way to contribute to the improvement of Ubuntu is to talk about it, what it can do, how you find it useful, and so on.

You can do it online in your blog post or social media updates or in person at a convention or leisure group.

I’m not saying we should go to aunt Barbara in the Netherlands and ask her to install it, but don’t be afraid to articulate the advantages of a system like Ubuntu.

P.S. Maybe not to mention it on the first date… speak from experience.

That’s my point, but what’s yours? Share it below!

The 23rd. In April 2020, the Kanonengruppe published the long-awaited Ubuntu on 20.04. The latest release replaces the predecessor of Ubuntu 18.04 LTS and comes with a stylish new desktop theme, an improved look, the 5.4 Linux kernel, ZFS file system support and tons of hardware and software improvements. Ubuntu 20.04 is a Long-Term Service (LTS) version and will be supported like any other LTS version for 5 years until 2025.

After you have installed Ubuntu 20.04 LTS on your system, here are some of the 14 best things to consider before using your system fully.

1) Install the latest updates of package

After the installation of a new Linux system it is always a good idea to update system packages and repositories. This will help you become familiar with the latest system packages and security updates. So to update the system and system packages, execute the command:

[Secure email]:~$ sudo apt update && sudo apt upgrade -y

2) Adjust appearance/look and feel

Since the release of Ubuntu 18.10, the standard Ubuntu theme is always elegant and neat yaru. This time, the canonical team intensified its efforts and decided to send 3 versions of the Yara theme with a set of polished icons. The options for the Yaru themes are light, standard and dark. By default Ubuntu 20.04 LTS launches the standard version of the Yaru theme.

If you switch to a dark theme, you will get the picture below:

There are also Ubuntu 20.04 games with additional background images that you can use to add a touch of color and improve the appearance of your wallpaper.

In addition to being able to switch between themes and backgrounds, users can play with the docking station settings and increase the size of the icons.

3) Installation of the GNOMEretrofitting tool

GNOME Tweaks, commonly referred to as the GNOME Tweak tool, is a free configuration tool that gives you more flexibility to further customize the appearance of the GNOME desktop, shell extensions, windowing and performance settings, to name but a few.

To install GNOME Tweak, follow the :

~$ sudo apt set gnome-tweak-tool -y

4) Installation of multimedia codecs for playback of MPEG4 and other multimedia files.

By default, Ubuntu 20.04 LTS, like other previous versions, does not support playback of multimedia files such as MPEG4 and AVI. If you want to play such media files, you need to install the Ubuntu package with limited additional features. It is software with basic applications such as media codecs, Adobe Flash and GStreamer. To install a package with a limited number of Ubuntu add-ons, follow the command below:

[Protected Email]:~$ sudo apt install ubuntu-restricted-extras -y

On the EULA screen, use the tab key to accept the conditions of the EULA and press ENTER in the Ok option.

On the next screen, select Yes to accept the terms of the license. Then the system will start installing the Ubuntu limited add-on package.

5) Firewall activation and configuration (ufw)

The firewall (ufw) is installed automatically when you install Ubuntu 20.04 LTS, but is disabled by default. So he has to make sure the system is safe.

ufwStatus sudostatus: inactive[secure email]:~$ ufwStatus sudostatus: inactive[secure email]:~$

Run the following command to activate the Firewall,

The command can interrupt existing ssh connections. Keep working (y|n) ? y
The firewall is active and enabled at startup
[Email Protection]:~$.

6) Install Synaptic Package Manager.

Install the Synaptic package management tool, it provides a graphical interface for package management, run the command line below to install Synaptic,

~$ sudo apt install Synaptic -y

Once it is installed, we can access it by performing a synaptic search using the hyphen,

7) Customize your email client

Topicality is a top priority for most users. Of course e-mail is accessible via a web browser, but Linux and especially Ubuntu 20.04 have made working with e-mail easier by using e-mail clients such as the native e-mail client Thunderbird.  You can easily follow the instructions to add an email account to your Thunderbird mail program to receive and send emails. If you don’t like Thunderbird, there are other options you can install, such as Evolution.

8) Adjusting the time difference (backup tool)

Securing is one of the most important tasks that every Linux user must remember. Things may not go the way you expect, and if they do, your system could crash fatally, resulting in the loss of valuable data. All it takes is a wrong command that is executed to make your system fail. To prepare for the worst case scenario, it is always wise to have a system backup. Timeshift is an open source application that allows Linux users to create a system restore point from which they can return if something goes wrong.

TimeShift takes incremental snapshots of the entire operating system, including the home directory, settings, and system configuration. In case of a problem, you can make your system work properly again.

You can install Timeshift by adding Timeshift PPA as shown in the figure :

[protected email]:~$ sudo apt-add-repository -y ppa:teejee2008/ppa

The system must then be updated to synchronize with the time difference APP.

[secure email]:~$ sudo apt update

And finally, install Timeshift with the command:

~$ sudo apt install timeshift-y

9) Installation of required software applications

Although Ubuntu 20.04 LTS comes with all the basic applications you need, some may not have all the capabilities you need to perform certain tasks. For example, some video formats may not work properly because some video codecs are missing.

Fortunately, there are many other multifunctional, open and free applications that extend the functionality of standard applications and provide a better user experience.  Below is a brief description of some of the applications you can install on your system.

• The VLC Media Player is a very popular multifunctional video and audio player.
• Google Chrome : A widely used multifunctional web browser with many functions and features.
• GIMP: Free and free photo editor that can perform many tasks such as photo editing, taking screenshots, free form drawing and more complex graphical editing tasks.
• Shot in the flames: A free and powerful tool for capturing the screen
• VirtualBox : A free and open source virtualization platform for creating and running virtual machines.
• SKYPE is a free means of communication with which we can make online audio and video calls.
• FileZilla is a free and open ftp and sftp client that allows files to be transferred between the ftp/sftp client and the server using the ftp and scp protocols.

An easy way to install these applications is by using the good old Ubuntu Software Center. The applications are divided into several main categories to help you navigate and install the selected applications:

• Audio and video
• Communication and news
• Games
• Productivity
• Graphic design and photography
• Additions

10) Installation of GNOME shield extensions

The GNOME Shell Extensions are excellent pieces of code that allow you to customize your desktop and extend the functionality of the GNOME Desktop. A popular GNOME extension is the GNOME OpenWeather shell, which opens when you click on it and displays it in a certain location.

To install the GNOME shell extensions, use the following commands,

[protected email]:~$ sudo apt gnome-shell extensions install -y

Now open a web browser, add the GNOME Shell Integration Module, and restart the terminal under the command

~$ sudo apt install chrome-gnome-shell -y

To return to the web browser, click GNOME Shell Extension and then click OpenWeather Extension,

Turn it on,

As you can see on the line above, the Open Weather application is visible, now set your current position.

11) Setting up Google Drive using online accounts.

Thanks to the online account function in Ubuntu 20.04 LTS we can easily configure our Google reader,

Go to Settings -> Online Accounts -> select Google.

Enter your Gmail ID and follow the on-screen instructions to complete the installation.

12) Activating the night lighting

If we use the Ubuntu system at night, it is advisable to switch on the night lighting to reduce the strain on the eyes. To activate the night lighting mode, go to Settings -> Display on screen.

13) Look what’s new.

Ubuntu 20.04 brings a new perspective on Yara, which was released on 18.10 on Ubuntu. You’ll also get a new GNOME 3.36 desktop environment with polished icons and buttons and a more aesthetic look. The new office environment also has a new dark theme.  You may also need the split-zoom function, which allows you to get high-resolution screens and monitors.

In addition, you can use the latest versions of software applications such as :

• Firefox 75.0
•  LibreOffice 6.4.3
• Thunderbird 68.7

14) Install the Windows software and the game with PlayOnLinux.

Wine is an open source application that makes it possible to run Windows applications on Linux. PlayOnLinux is a leading program for wine. With Wine and PlayOnLinux you can run applications that otherwise would not work on Linux, such as games and Adobe Photoshop.

To install PlayonLinux together with Wine, follow the aptical command below,

E-mail secure]:~$ sudo apt install playonlinux -y [E-mail secure]:~$ sudo apt install playonlinux -y

Here we finish our top 14 things after the installation of the new Ubuntu 20.04 LTS view. It is expected that the latest version of Ubuntu will be highly appreciated by most Ubuntu fans for its popularity and ease of use.top 10 things to do after installing ubuntu 18.04 lts desktop,10 things to do after installing linux