ZeroShell    Forum
   Feed RSS Feed
EnglishEnglish     ItalianoItaliano     French     Spanish                Zeroshell on LinkedIn LinkedIn       Facebook      Twitter ZeroTruth an interface for Captive Portal

      What is it?
      Mailing List
      On-line Updates
      Kerberos Tutorial  
      Terms of use
      Contact me

  In greater details:
      Hotspot Router
      RADIUS Accounting
      Shibboleth SP
      Net Balancer
      UMTS Router
      Soekris Net5501
      Proxy with Antivirus
      WiFi Access Point
      OpenVPN Client
      OpenVPN Server
      Kerberos 5
      NIS and LDAP
      X.509 Certificates

Valid HTML 4.01 Transitional


January 18, 2018 SNORT - Intrusion Detection and Prevention System is available for Zeroshell. This tool is able to log and block external attacks. You can install SNORT starting from Zeroshell 3.7.1.
December 29, 2017 Zeroshell 3.8.2 has been released for X86/X86_64 and ARM Platform. It cames with latest OpenVPN and nDPI updates, improved hardware detection and other bug fixes.
December 14, 2017 Released a new image of Zeroshell 3.8.1A supporting Orange Pi PC Plus. This small Quad Cores device may be more convenient than the Orange Pi PC because it includes a Wi-Fi module that can work both as a Client and as an Access point. It also has on board an 8GB MMC flash memory on which you can install Zeroshell making it unnecessary to use a Micro SD except for the installation phase.
November 16, 2017 Released a new image of Zeroshell 3.8.1A supporting Orange Pi R1. This small and cheap Quad Cores device has two 10/100 Ethernet ports on board and a Wi-Fi module working both as a Client and as a Access Point.
November 2, 2017 Zeroshell 3.8.1 comes with a more stable kernel and solves some sporadic system crashes. The wireless subsystem has been patched for the latest WPA2 vulnerabilities. Many other fixes has been applied and especially the VPN module appears more reliable. Zeroshell 3.8.1 has been released for X86 and ARM architectures.
July 7, 2017 Zeroshell 3.8.0 comes with a new Kernel and some Bug/Security Fixes. The upgrading to this release is recommended.
April 29, 2017 Zeroshell 3.7.1A is the first release for ARM Architecture. At the moment the only Platforms supported are: Raspberry Pi 2/3 and Orange Pi Zero, Orange Pi PC and Orange Pi Plus/Plus2.
January 20, 2017 An exploit has been identified that allows unauthorized Remote Code Execution. Several installations of Zeroshell appear compromised. It is urgent to upgrade to Zeroshell 3.7.1 that neutralizes the vulnerability. Any earlier version is vulnerable.
January 5, 2017 Zeroshell 3.7.0 has a new Kernel with which some stability problems have been fixed and the perfomance improved. Many services including Captive Portal, VPN and Radius have been recompiled with the new OpenSSL 1.0.2 libraries. This was necessary because the old OpenSSL 0.9.8 are no longer supported and have different vulnerabilities. Also improved the compatibility of the Captive Portal and the RADIUS server with the newest client devices.
December 4, 2016 ipt-netflow is available for Zeroshell 3.6.0 and allows to export traffic accounting on a NetFlow/IPFIX collector where it can be analyzed. ipt-netflow operates in Kernel space so can ensure high performance.
October 20, 2016 NTOPng is available for Zeroshell 3.3.2+. It allows to visualize and analyze Network Traffic. You can sort the connections according to the bandwidth used, the total traffic generated, the type of application (L7 protocols) and more. It also allows the Geolocation of the hosts. Some alerts are generated when traffic is due to suspicious activities. For greater details about NTOP please visit the URL
September 21, 2016 Zeroshell Development Environment is available to be installed from the Package Manager. It requires Zeroshell 3.3.2+ and allows to build applications starting from the source packages. It also allows to compile customized Kernel versions or just single Kernel driver modules better supporting your hardware.
July 4, 2016 Zeroshell 3.6.0 fixes some problems with the Captive Portal, VPN and Net Balancer. The Firewall and Traffic Shaping web interface has been changed to support nDPI that will soon replace the L7 filters as Deep Packet inpection system. The hardware support has been improved thanks to the Kernel 4.4.13. Especially the Intel Network Cards on PCIe Bus take advantage of this release.
March 3, 2016 Zeroshell 3.5.0 includes new GLIBC 2.23 libraries that fix the vulnerability described in CVE-2015-7547 on previous versions that would allow, through specific responses of a DNS controlled by hackers to take control of the system. The upgrade is therefore strongly recommended. This release includes the Kernel 4.1.15 that provides better performance and lower latency with Load Average substantially reduced.
January 10, 2016 The Kernel 4.1.15 is available. This Kernel provides better hardware support and will be used as default Kernel in the next Zeroshell Releases.
It has been configured with scheduler frequency and policy parameters that improve the network performance and ensure low latency operations. Using this Kernel, it appears, there is a impressive reduction of the system load.
December 12, 2015 PHP and MySQL are available for installation as Add-ons from the repository.
October 2, 2015 Zeroshell 3.4.0 has a new kernel with improved detection and support for the new generation hardware. Enhanced performance and several bugs have been fixed. Guaranteed Wireless connectivity for iPad and iPhone updated to the latest iOS 9.
The upgrade can be done on-line via the Package Manager without reinstalling.
March 1, 2015 A new Kernel available in the repository allows to run Zeroshell as guest Virtual Machine in XEN Hypervisor. This Kernel is a 64-bit kernel so it is not possible to create 32-bit Virtual Machines.
Feb 1, 2015 All Zeroshell releases up to the 3.3.1 include a GLIBC version of the libraries vulnerable to possible buffer overflow. The vulnerability, called GHOST, could allow remote code execution. For these reasons, it is recommended to upgrade to Zeroshell 3.3.2 which includes the latest version of GLIBC as well as various other fixes.
Jan 25, 2015 Zeroshell 3.3.0 includes the Kernel 3.14.29, many bug fixes and some improvements of the web interface. CNTop utility has been incorporated and now is able to sort and display the hosts that use more bandwidth as well as those generate more connections. An issue of the Failover of the Net Balancer has been fixed. This release also offers the 64-Bit Kernel which improves performance and allows to use the full amount of RAM installed. By accessing the repository the automatically upgrade is possible starting from all the previous releases.
Jan 20, 2015 New 64-bit Kernel available for improving the performance of processes as Firewall, Routing, Bridging, Traffic Shaping, L7 Filters, Network Address Translation (NAT).
Jan 5, 2015 A new enhanced version of CNTop is available for Zeroshell.
This version of the tool allows to know, in addition to the IP addresses that generate the highest number of connections, even the hosts that perform most data exchange. Furthermore, it is possible to enable the resolution of the IP into hostname to more easily identify the type of traffic is taking place on your network and apply IP address, protocol and port number filters.
Sep 29, 2014 The new release of Zeroshell is ready to be installed.
It is strongly recommended to upgrade to this release because all the previous releases are vulnerable as a result of a bug in Bash (CVE-2014-7186 vulnerability ShellShock). By exploiting this vulnerability an unauthenticated user can execute arbitrary code via the web interface.
Many other minor bugs have been fixed with this release.
Sep 14, 2014 A wrong configuration of the Connection Tracking prevented the Layer 7 Filters to work properly. All releases starting from 2.0.RC1 to 3.1.0 have this malfunction. To fix this issue, please install the BugFix Package 23102 on the Zeroshell 3.1.0. This package also eliminates the limit of 100 Free Authorized Clients of the Captive Portal.
July 15, 2014 Zeroshell 3.1.0 is available. This new release improves the stability of the system and corrects many bugs. Among the new features, there are some nice additions such as:
  • The Installation Manager that allows you to install Zeroshell in an easy way, starting from the ISO/USB image or from an already running installation.
  • The Weighted Bonding used to distribute traffic proportionally to the capacity of the interfaces that are part of the bond.
  • The Monitoring and e-Mail/SMS Alerts Suite that warns you or a team of people to the occurrence of an event. The list of events can be extended with custom event handlers.
  • The CNTop Utility which shows the top list of the hosts with the highest number of connections. This is very useful if a DDoS is taking place to discover the IP address causing the problem.
Among other things, the Captive portal has been improved with a special tuning and now can handle many more simultaneous users.
If you already have the release 3.0.0 installed and the repository access enabled you can automatically upgrade to Zeroshell 3.1.0 without losing the configuration just by clicking on the package 53100. Do not forget instead, that if you are planning to use the Installation Manager all data on the target disk will be destroyed so you have to backup the profile and then restore it on the new release.
May 10, 2014 Monitoring and e-Mail/SMS Alerts Suite is a new component that enable Zeroshell to keep under control some critical Events that could occur. To each event is assigned a Severity Level based on which the Recipients of eMail and SMS alerts are selected. The Severity Levels are: Info, Warning, Critical and Emergency.
This package is available for Zeroshell 3.0.0 as New Feature and is very reccomended in a production environment where some critical events may have to be handled very quickly.
January 25, 2014 A new procedure to easily install Zeroshell on disk is available as New Feature for the release 3.0.0. The Install Manager automatically resize the profile partition to use the entire disk space. Keep in mind that in a production environment, you should always prefer the installed version of Zeroshell because faster and more reliable than the Live CD version.
Please read the page for more details.
January 13, 2014 The Weighted Bonding has been implented for Zeroshell 3.0.0 as new feature. Using the Weighted Bonding you can distribute traffic proportionally to the capacity of the interfaces that are part of the bond. Before the introduction of this feature, the traffic distribution was made by a simple Round-Robin load balancing that treated the interfaces in a uniform manner regardless of the actual available bandwidth on each of them. The direct consequence of this was that you could benefit from bonding only if the lines merged had a similar capacity . You could see that adding an ADSL line from 2Mb/s to a 7Mb/s one resulted in a bandwidth closed to 4Mbit/s. Far from the expeted 9Mb/s bandwidth.
Now with the Weighted Bonding, by assigning to the first ADSL line a weight of 2 and to the second one a weight equal to 7, you could see a bandwidth aggregation very close to the sum of the two lines members of the bonding.
Note that in the example has been intentionally omitted, for simplicity, to specify that the bonding of WAN lines only makes sense through the VPN bonding and that the weight should be assigned to the Layer 2 VPN interfaces.
January 13, 2014 The Weighted Bonding has been implented for Zeroshell 3.0.0 as new feature. Using the Weighted Bonding you can distribute traffic proportionally to the capacity of the interfaces that are part of the bond. Before the introduction of this feature, the traffic distribution was made by a simple Round-Robin load balancing that treated the interfaces in a uniform manner regardless of the actual available bandwidth on each of them. The direct consequence of this was that you could benefit from bonding only if the lines merged had a similar capacity . You could see that adding an ADSL line from 2Mb/s to a 7Mb/s one resulted in a bandwidth closed to 4Mbit/s. Far from the expeted 9Mb/s bandwidth.
Now with the Weighted Bonding, by assigning to the first ADSL line a weight of 2 and to the second one a weight equal to 7, you could see a bandwidth aggregation very close to the sum of the two lines members of the bonding.
Note that in the example has been intentionally omitted, for simplicity, to specify that the bonding of WAN lines only makes sense through the VPN bonding and that the weight should be assigned to the Layer 2 VPN interfaces.
January 2, 2014 Zeroshell 3.0.0 includes relevant new features such as the automatic update system that automatically applies security and bug fixes, and allows to upgrade to the next releases. Several bugs have been fixed and the security improved. The MRTG graphs no longer require an activation key to be viewed. There are several kernels optimized for different processors and a kernel compiled with PAE (Physical Address Extension) which allows you to use more than 4GB of RAM.
August 7, 2013 With the release 2.0.RC3 of Zeroshell some security issues have been corrected. Specifically, now the DNS works as cache and accepts recursive queries only for local networks if not configured otherwise. Recently, the DNS fully opened are being used to carry out DDoS attacks resulting in bandwidth consumption. For this reason, the migration to 2.0.RC3 is strongly recommended.
No-IP has been added as a provider for dynamic DNS and the recognition of 3G USB modems has been enhanced. You can now disable the virus scan of web pages resulting in improved performance of the transparent proxy on modest hardware.
Several fixes have been applied on the procedure for Backup and Restore of the profiles.
November 21, 2012 Zeroshell 2.0.RC2 improves the support for the load balancing and fault tolerance of multiple connections to the Internet. Particularly, this release allows to keep in Standby PPPoE (xDSL) and UMTS/HSDPA connections, activating the PPP protocol only in the event of absence of connectivity from other accesses. These connections are again placed in standby mode when connectivity is recovered from the default accesses. Improved the Failover mechanism with check in Layer 2 as well as with ICMP. Updated the VPN Bonding for bandwidth aggregation and failover of the LAN-to-LAN connections. Fixed several bugs in the system. In particular, it has been solved a problem that caused the freezing of the Captive Portal under high load.
July 25, 2012 Zeroshell 2.0.RC1 has a new kernel (3.4.6) that enables a better recognition of the latest hardware. The Wi-Fi section, using the ath9k kernel module, supports the 802.11n standard (thanks to Arth for the contribution for the upgrade of the wifi-manager). The atheling's patch was included to allow to use QoS and network balancing simultaneously. In addition to OpenVPN and IPSec/L2TP you can use PPTP as a VPN protocol for users whose authentication can be delegated also to an external RADIUS. Several bugs were fixed with particular attention to the Captive Portal.
September 10, 2011 The release 1.0.beta16 fixes some problems of the Captive Portal that slow the opening of the authentication page on browsers that perform CRL or OCSP checks. The recovery mechanism in case of LDAP DB corruption after a crash has been improved.
The support for Shibboleth Service Provider that redirects the Captive Portal authentication against an Identity Provider belonging to a standalone or federated AAI has been added.
July 15, 2011 The new release 1.0.beta15 of Zeroshell contains RADIUS Accounting module that allows you to count the connection time, the connection traffic and the connection charge either for Captive Portal or Access Point with WPA/WPA2 Enterprise connections. You can set time/traffic limits and manage prepaid connections. The captive portal has been enhanced with new features such as protection against DoS attacks and the ability to disable the pop-up network access on mobile devices (iPhone, IPad, Android SmartPhones, ...).
January 16, 2011 Zeroshell 1.0.beta14 is available. It contains many bug fixes and some improvements to the web interface. Many packages have been compiled with a newer compiler (gcc 4.5.2). The stability has been improved by removing some causes of segmentation fault.
July 2, 2010 It's available the new release 1.0.beta13 of Zeroshell that includes the following new features and improvements: an accounting module preview for controlling the time and the bandwidth per user connection; the Bandwithd application for checking per host bandwidth; some bug fixes.
May 9, 2010 The Samba package is available for Zeroshell to manage Windows Network Resources. See the post
May 9, 2010 The NTFS-3G package is available for Zeroshell to mount NTFS Windows Filesystems. See the post
October 18, 2009
The package Snort 2.8.5 is available as update on-line. By using it, a router/bridge Zeroshell is able to act as IDS (Intrusion Detection System) alerting if an attack/worm takes place on the LAN. Further details are available at the URL
June 14, 2009 The Dansguardian patch has been updated to work with Zeroshell 1.0.beta12.
Further details are available at the URL
May 26, 2009 The release 1.0.beta12 is ready. You should upgrade your system because this release is more stable and many security fixes have been applied.
April 6, 2009 Statistical graphics by MRTG for network traffic (Ethernet, Wi-Fi, VLAN, PPPoE, 3G and VPN), system load average, traffic shaping and gateway load balancing are now available by installing the update
February 9, 2009 The update allows to use the Dynamic DNS updater for OpenDNS. Further details are available at the URL
January 11, 2009 Security Bug - All releases up to 1.0.beta11 (included) are affected to an unauthenticated remote code execution vulnerability.
Only the release 1.0.beta11 can be fixed with the patch
December 16, 2008 Multilink PPP support
November 7, 2008 Asterisk VoIP PBX is now available as an external package. For further details, visit the URL
October 12, 2008 The new Zeroshell release 1.0.beta11 is available. The main new feature is the Net Balancer that allows to obtain the Load Balancing and Failover of the Internet links such as xDSL and UMTS/HSDPA ones. The VPN bonding has been improved to allow to increase the bandwidth and stability of Layer 2 links between remote sites. The 3G Mobile modems are now supported to make Zeroshell to act as UMTS and HSDPA router. An issue regarding the stability of the web proxy with antivirus has been solved and the overall stability of the system improved.
June 29, 2008 Zeroshell 1.0.beta10 is ready. It comes with a newer Kernel which is able to manage more recent hardware. Starting with this release, SATA and USB HD/CDROM are also supported for the boot. Setting the IDE Hard Disk as Primary Master is not longer required for booting. Some bugs have been fixed and the Host-to-LAN VPN service with OpenVPN and the startup script support have been improved.
May 2, 2008 A preconfigured version of DansGuardian is available, that cooperating with the transparent proxy service, allows to filter the unwanted web pages. The default configuration blocks the web pages containing adult material. More details available at URL
April 28, 2008 It is available an update in order to protect the captive portal resources from DoS caused by some worms which use the ports 80 and 443 TCP. This patch acts by limiting the number of simultaneous connections from the same IP address by using the iptables module connlimit. More details available at URL
April 20, 2008 A patch is available in order to increase the stability and the performances of the proxy service. More details available at URL
March 30, 2008 It is available an image of Zeroshell 1.0.beta9 that is able to boot from an USB disk. The minimum size of the USB device is 1 GByte. It is compatible either with USB 1.1 or USB 2.0. In addition, by using an USB 2.0 Flash Memory, the bootstrap is faster than using the ISO image.
March 15, 2008 Zeroshell 1.0.beta9 is now available. This release contains a Transparent Web Proxy (HAVP) that uses ClamAV Antivirus to scan the web pages visited by the users in order to block Viruses and Worms. In addition, the proxy server allows to manage a Blacklist and a Whitelist of URLs.
A flag in the Captive Portal configuration now allows to disable the SSL protocol in the case it is not required for security reason. By using this flag, it is possible to eliminate the security warnings of the user browsers when the X.509 certificate is not signed by a trusted Certification Authority.
The flow of QoS classifier has been changed and it is now more intuitive. Apache and OpenSSL packages have been updated, because the previous versions were vulnerable as reported by Nessus.
January 20, 2008 Zeroshell 1.0.beta8 is now available. The main new feature is the WiFi support, with which, a Zeroshell box is able to act as a Multi-SSID Wireless Access Point. Any SSID can be either routed or bridged with a 802.1q VLAN. Different type of wireless security access modalities are supported, such as WPA-PSK, WPA-EAP with Radius and WEP. Multiple WiFi cards can be managed in the same box and the Load-Balancing between them can be configured. Many bugs have been fixed and the security level of the Captive Portal and the VPN connections has been increased. In addition, the network interfaces can be configured to dynamically acquire an IP address by contacting a DHCP server.
December 6, 2007 The Kerberos tutorial is now an official document of the Massachusetts Institute of Technology Kerberos Consortium at the URL The authentication of Zeroshell is based on MIT Kerberos 5.
November 28, 2007 The ALIX.2C2 with 256MB of RAM, AMD Geode LX CPU 500MHz processor and MiniPCI expansion slots has been tested to work fine with the WRAP CompactFlash image of Zeroshell. I have been impressed by the better performance of this embedded platform for network appliances.
November 25, 2007 It is available a patch for the release 1.0.beta7 of Zeroshell which enables the EAP-TTLS authentication instead of PAP (Password Authentication Protocol) for the Captive Portal validation against a RADIUS server. By using TLS encrypted tunnels, EAP-TTLS improves the security level of the Captive Portal authentication in the case in which you use RADIUS instead of the more secure Kerberos 5 protocol. For more details click here
November 4, 2007 In the download section it is available a package which adds WiFi support to Zeroshell. The Client Station and the Access Point modes are both supported. This release of the WiFi package only works with Wi-Fi cards (miniPCI and PCI) which have the Atheros Communications chipsets supported by the Kernel modules available at To learn how to install the Wi-Fi package, read the post
October 6, 2007 In the download section, a VMWare Virtual Machine with a pre-installed Zeroshell image is available. You can use this VM either for testing purpose without using a dedicated hardware or in a production environment. The Virtual Appliance of Zeroshell has been tested working with VMWare Player, VMWare Workstation e VMWare Server.
September 16, 2007 ZeroShell 1.0.beta7 release is available. A few bugs have been fixed and Host-to-LAN VPN connections are now possible using OpenVPN. This type of VPN, which is supported by the most used platforms such as Linux, Solaris, OpenBSD, FreeBSD, NetBSD, Mac OS X and Microsoft Windows, is easier to configure in the client than the L2TP/IPSec VPN. Using OpenVPN, ZeroShell is able to authenticate the VPN users with X.509 certificates, Kerberos 5 servers (such as a Active Directory Domain controllers) and RADIUS servers.
A client configuration file for OpenVPN is available in the download section.
September 11, 2007 ZeroShell is now a Certified DynDNS dynamic DNS updater. Please visit this page for further details.
August 22, 2007 ZeroShell 1.0.beta6 release is available at the URL The main new features are related to the Captive Portal which is now able to authenticate also by using external RADIUS servers and the X.509 certificates. The X.509 authentication allow you to use the Smart Card to access to the LAN.
This release includes the Daemon Watcher that is a process which checks if the services (LDAP, DNS, Kerberos, RADIUS, DHCP, ssh) work fine and it restarts them if a crash occurs.
FreeRadius is updated with the latest release which should work with the supplicant 802.1x/PEAP of Windows Vista.
July 2, 2007 There is a bug in the release 1.0.beta5 of ZeroShell for which the VoIP connections with SIP protocol could not work correctly. To solve the problem you have to add the command modprobe -r ip_nat_sip in the startup script from the section [Setup]->[Startup].
June 27, 2007 ZeroShell 1.0.beta5 release is available at the URL It contains many bug fixes and new features. The main improvement is the implementation in the Firewall of the Connection Tracking Logger which allows to log all the connections (Protocol, Source IP, Source Port, Destination IP, Destination Port).
April 18, 2007 A Captive Portal BUG is causing that the Username and the Password of the users are listed in the History of the browser. You should not use the Captive Portal in a public place such as a HotSpot in which more users are able to access to a same web browser profile. This bad behavior will be corrected in the 1.0.beta5 release.
February 18, 2007 Zeroshell 1.0.beta4 is now available. The difference with the previous version is the presence of the package l7-filter that allows to classify the traffic by inspecting the application layer. This is useful if you want to provide the QoS to the protocols that you are not able to identify only with the IP addresses or the TCP/UDP ports such as the VoIP protocols H323 and SIP.
January 28, 2007 Zeroshell 1.0.beta3 is now available. The main new feature of this release is the QoS (Quality of Service) manager to control the traffic over a congested network. You will be able to guarantee the minimum bandwidth, limit the max bandwidth and prioritize the traffic classes. Moreover, you will able with the Firewall and QoS classifier to intercept Peer-to-Peer file sharing traffic by using IPP2P iptables module and connection tracking.
7 November 2006 Due to several requests I have added support for the WRAP (Wireless Router Application Platform) boards. These nice and cheap small computer for network appliances need of a custom CompactFlash image
2 November 2006 At the URL some forums are available about ZeroShell, networking, Linux and networking and embedded devices for network appliances
25 October 2006 The Compact Flash image 1.0.beta2 is now available.
24 September 2006 The ISO image of Zeroshell 1.0.beta2 is now available.
29 June 2006 The Compact Flash image is now available.
25 June 2006 The ISO image of Zeroshell 1.0.beta1 is now available. The Compact Flash image and the C++ source code will be available as soon as possible.

    Copyright (C) 2005-2016 by Fulvio Ricciardi