Zeroshell

Zeroshell is a small open-source Linux distribution for servers and embedded systems which aims to provide network services. Its administration relies on a web-based graphical interface; no shell is needed to administer and configure it. Zeroshell is available as Live CD and CompactFlash images, and VMware virtual machines.

Zeroshell can be installed on any IA-32 computer with almost any Ethernet interface. It can also be installed on most embedded devices and single-board computers such as Raspberry Pi and Orange Pi.

The project reached EOL in April of 2021 with the version 3.9.5. There are several known vulnerabilities for various versions of this software: V2, V3.6x up to V3.7, V3.9.0, V3.9.3 and last V3.9.5 for example, allowing an attacker to e.g. gain root access to the device easily. The main attack vector is the cgi script in use, 'kerbynet'.

Selected features

 * RADIUS server which is able to provide strong authentication for the Wireless clients by using IEEE 802.1X and Wi-Fi Protected Access (WPA/WPA2) protocols
 * Captive portal for network authentication in the HotSpots by using a web browser. The credentials can be verified against a Radius server, a Kerberos 5 KDC (such as Active Directory KDC)
 * Netfilter – Firewall, Packet Filter and Stateful Packet Inspection (SPI), Layer 7 filter to block or shape the connections generated by Peer to Peer clients
 * Linux network scheduler – control maximum bandwidth, the guaranteed bandwidth and the priority of some types of traffic such as VoIP and peer-to-peer
 * VPN host-to-LAN and LAN-to-LAN with the IPSec/L2TP and OpenVPN protocols
 * Routing and Bridging capabilities with VLAN IEEE 802.1Q support
 * Multizone DNS (Domain name system) server
 * Multi subnet DHCP server
 * PPPoE client for connection to the WAN (Wide area network) via ADSL, DSL and cable lines
 * Dynamic DNS client updater for DynDNS
 * NTP (Network Time Protocol) client and server
 * Syslog server for receiving and cataloging the system logs produced by the remote hosts
 * Kerberos 5 authentication
 * LDAP server
 * X.509 certification authority