ADMIN Network & Security – 10 Terrific Tools for the Busy Admin, 2020 Edition (sponsored issue)

Find a free tool to help you: generate memorable passwords, discover rootkits on your system, find bandwidth hogs, and much more!

Bonus articles: Getting Insights with eBPF, Hidden CLI Tools

www.admin-magazine.com – US$ 7.95

Welcome – 10 Terrific Tools, 2020

Dear Readers:

The environment includes thousands of small but powerful tools designed to address very specific needs. We're proud to share our latest collection of gems for the sys admin toolkit.

Table of Contents

1 Log2Ram (p. 4): Write syslog data to a RAM disk.
2 NetHogs (p. 5): Find the processes that are hogging bandwidth.
3 darkstat (p. 6): A tiny tool that monitors without noticeable system load.
4 rkhunter (p. 7): Root out rootkits hidden on your system.
5 LFT (p. 9): Firewalls and wireless routers won't stop this traceroute alternative.
6 urlwatch (p. 10): Get news from websites by detecting HTML changes.
7 xkcdpass (p. 11): Generate easy-to-remember passwords.
8 TigerVNC (p. 13): Easy and free VNC client.
9 EncFS (p. 14): This file tool is easy to customize.
10 Dialog (p. 16): Create dialog boxes with checkboxes and progress bars.

As a special bonus, we're also including two more articles on other great tools for the admin toolkit:

Getting Insights with eBPF (p. 18): Use this in-kernel virtual machine to identify resource bottlenecks.
Hidden CLI Tools (p. 22): Take a tour of some useful yet unsung command-line utilities, including timelimit, timeout, pv, bar, pipemeter, dd, cpipe, and progress.

Masthead

Editor in Chief – Joe Casad
Managing Editor – Lori White
Copy Editors – Amy Pettle, Megan Phelps
Layout / Graphic Design – Dena Friesen, Lori White
Advertising – Brian Osborn, [email protected], phone +49 89 3090 5128
Publisher – Brian Osborn
Customer Service / Subscription – For USA and Canada: Email [email protected], Phone 1-866-247-2802 (toll-free from the US and Canada), www.admin-magazine.com

While every care has been taken in the content of the magazine, the publishers cannot be held responsible for the accuracy of the information contained within it or any consequences arising from the use of it.

Copyright & Trademarks © 2020 Linux New Media USA, LLC. Cover Illustration © Corina Rosu, 123RF.com. No material may be reproduced in any form whatsoever in whole or in part without the written permission of the publishers. It is assumed that all correspondence sent, for example, letters, email, faxes, photographs, articles, drawings, are supplied for publication or license to third parties on a non-exclusive worldwide basis by Linux New Media unless otherwise stated in writing. All brand or product names are trademarks of their respective owners. Contact us if we haven't credited your copyright; we will always correct any oversight.

Printed in Nuremberg, Germany by hofmann infocom GmbH on recycled paper from 100% post-consumer waste; no chlorine bleach is used in the production process. Distributed by Seymour Distribution Ltd, United Kingdom.

ADMIN is published by Linux New Media USA, LLC, 2721 W 6th St, Ste D, Lawrence, KS 66049, USA. Published in Europe by: Sparkhaus Media GmbH, Zieblandstr. 1, 80799 Munich, Germany.

WWW.ADMIN-MAGAZINE.COM – 10 TERRIFIC TOOLS FOR THE BUSY ADMIN: 2020 EDITION – SPONSORED BY FOSSLIFE

1 Log2Ram: Just for the Record

Write syslog data to a RAM disk with Log2Ram. By Charly Kühnast

From time to time, I use nmap -sP 10.0.0.1-254 to check how many IP devices are online in my home network. There are now more than 50, half of them Raspberry Pis. The need for a central syslog server is slowly growing. An old miniature PC with an Intel Atom, which I retrofitted with an SSD, is the designated candidate for this permanent task. The syslog server comes courtesy of the standard rsyslogd. In its configuration file (/etc/rsyslog.conf), the following lines ensure that the server can receive syslog data from other hosts via UDP and TCP:

$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514

On other machines, I add an entry of *.* @10.0.0.254 to rsyslog.conf so that they all send their log data to the server on 10.0.0.254. However, the incoming syslog messages generate huge numbers of writes, and I'm worried about the SSD service life. Enter Log2Ram [1] stage left. Log2Ram creates a RAM disk on /var/log, to which the central rsyslogd writes all the incoming data. Once an hour, the collected data is written to disk.

Need to Talk

I installed Log2Ram by running the following command line on the log server:

git clone https://github.com/azlux/log2ram

I then changed to the directory created in the last step and executed the install.sh script. At first the installation failed because the Mailutils package was missing, and Log2Ram insists on the ability to mail to the admin in case of problems. Also the size of the RAM disk, 40MB by default, was too small for my setup, but I was able to adapt this setting with a manual edit of the configuration file.

Now I just have one more wish: I don't want to be restricted to viewing the logs with tail -f on the log server console. I would rather inject my Log2Ram data into a web page, just in case I feel the urge to inspect the files while I'm on the road. A small tool by the name of frontail [2] helps me do exactly this. It is based on Node.js, so you need to install the npm installer. You then install frontail and launch it like this:

npm i frontail -g
frontail /var/log/syslog

This starts a small web server on port 9001. Now, when I open the page in a web browser, I'm welcomed by the syslog (Figure 1). With just a little manual intervention, I can enjoy the view and an SSD that should survive for a couple of years.

Figure 1: frontail opens a viewing window into the log bucket.

Info
[1] Log2Ram: https://github.com/azlux/log2ram
[2] frontail: https://github.com/mthenw/frontail/blob/master/README.md

2 NetHogs: Everything Must Go

Every sys admin has a few favorite tools that they always carry with them, if only because they do not want to be without these often overlooked treasures. The gems dangling from Charly's key ring include Dstat, NetHogs, and nload. By Charly Kühnast

Dstat [1] is a useful tool for getting details about the installed hardware (especially RAM) in Linux. My secret weapon for determining which processes are grabbing the most resources looks like this:

# dstat -cdn -D sda -N enp2s0 -C total --top-cpu --top-io --top-mem -f 5

Every second, this command displays which processes are generating the highest CPU, memory, and I/O load (Figure 1). This command has saved me from working late dozens of times.

Figure 1: Dstat frequently saves Charly from working late.

Unfortunately, Dstat does not show you which process is generating the most network traffic at the moment. NetHogs [2] fills this gap. On machines with multiple interfaces, it only needs the name of the desired network interface as a parameter. If not specified, NetHogs grabs the first interface that is not called localhost. A list of all processes that send or receive network packets appears (Figure 2). I use the R and S keys to tell Dstat to sort this list by incoming and outgoing traffic respectively. NetHogs also has a nice graphical add-on called HogWatch [3] that visualizes the data, although HogWatch is no longer actively maintained.

Figure 2: NetHogs adds the traffic information that Dstat lacks.

nload

If you are looking for an alternative that draws a meaningful net load curve from the command line, nload [4] will do the job. The following command draws the current net load level with cursors on the console:

# nload -t 1000 -o 10000

The -t 1000 parameter specifies the update interval in milliseconds (default: 500ms). -o 10000 tells the tool to cap the graph at 10Mbps, because nload scales it to the interface's maximum speed.

Info
[1] Dstat: https://github.com/dagwieers/dstat
[2] NetHogs: https://github.com/raboof/nethogs
[3] HogWatch: https://github.com/akshayKMR/hogwatch
[4] nload: https://github.com/rolandriegel/nload

3 darkstat: Light Touch

Thanks to its minimal footprint, the 20-year-old darkstat monitoring tool hardly generates any noticeable load even on low-powered systems. By Charly Kühnast

Next to our kitchen, there is a small utility room. I don't think its floorspace is even two square meters. In addition to the usual building services, such as a fuse box, there are two firewalls, a web and mail server, network-attached storage (NAS), and a large switch. The tiny router supplied by my Internet provider sits a little intimidated in the corner. I downgraded it to something like the IT equivalent of a flow heater. It opens the connection to the provider and passes it to the firewall. I have switched off everything else, like WLAN, telephony, and the DHCP server; I prefer to do that myself on my own hardware.

You need to monitor what you run. For long-term monitoring of loads and latencies, I use Munin and SmokePing. But if I just want to have a quick look at what currently is happening on the firewall interface, darkstat [1] is the hero of the day. Darkstat, a true Methuselah at the ripe old age of almost 20, has been under the GPL license since 2002. I had my first contact with the software when I tried pfSense [2]. Thanks to its minimal footprint, the monitoring tool generates so little system load that it even runs unobtrusively on my ancient NAS box with 128MB RAM [3].

Darkstat gets its data via libpcap; the output comes courtesy of a built-in, lean web server. The most important parameters are stored in a small configuration file, which resides in /etc/darkstat/ on my Ubuntu test system. Using the configuration file is voluntary; I could ignore it and simply start darkstat at the command line. The only mandatory parameter is -i, which names the interface to capture on. The darkstat --help command lists all the other parameters. Be careful with --syslog. If you enable this option, darkstat suppresses all console messages. It therefore makes sense not to set this parameter until everything else is working to your satisfaction.

Once darkstat is running as desired, a web server on port 667 displays the current traffic data (Figure 1). It is a pity that darkstat displays the data in bytes, not in bits, but it's fine for a quick overview of what's crossing the interface. You'll find more details in the hosts tab (Figure 2). This is where darkstat lists the devices in a table; you can sort by the column headers. This is how I found out, for example, that music streaming is very popular today. (My eldest child must be embarking on a career as an Instagram influencer.) Also practical: darkstat not only displays live data but also visualizes sessions that you record with Wireshark or Tcpdump.

Figure 1: Darkstat returns clear evaluations via a web server on port 667.
Figure 2: Darkstat uses the hosts tab to list the devices.

Info
[1] darkstat: https://unix4lyfe.org/darkstat/
[2] pfSense: https://www.pfsense.org
[3] darkstat package for Synology NAS: https://synocommunity.com/package/darkstat

4 rkhunter: Automating Security

The Rootkit Hunter script efficiently checks for malware, with the potential to detect over 240 rootkits. By Bruce Byfield

Rootkit Hunter, or rkhunter, detects over 240 rootkits – pieces of malware designed to gain control of a system. However, although testing for rootkits may be rkhunter's main purpose, it is far from the only one. You can see the list of the names of the various tests run by the script by entering rkhunter --list (Figure 1) [1]. Mostly, the tests' names are self-explanatory. They include checks not only for rootkits, but also changed or deleted libraries and commands, hidden ports, loaded kernel modules, and several dozen other aspects of a system. Rkhunter is written for generic Unix systems with a Bourne-type shell, such as Bash or ksh. Since its tests depend on online databases, it also requires an Internet connection. It is available in major Linux distributions and can be run from the command line or as a cron job. Note that some distributions, such as Debian and its derivatives, may not install some of the Perl packages needed for a few of the tests. You can see what functionality might be missing by running rkhunter --list and then figuring out which packages support the missing functionality. These packages, of course, may have different names depending on your distribution.

Setup and Configuration

If you install rkhunter from outside your distro's standard repositories, you can make sure that you always have the latest version by running rkhunter --versioncheck to ensure your system's security. With most commands, I normally recommend not running the repository version, but rkhunter is so slow to release that in many cases the latest version is contained in a distro's repository (see below). Currently, for example, even Debian, whose software versions often lag behind those of other distributions, has the latest rkhunter release in its official release.

No matter what your installation source, before running rkhunter for the first time, you need to run rkhunter --propupd to ensure that the command's databases are up to date. You should also run --propupd whenever the system is updated. Otherwise, the log will contain false positives that will only waste your time. You can automate the updating of the databases by adding:

APT_AUTOGEN="yes"

to /etc/default/rkhunter.

You may also want to configure /etc/rkhunter.conf for your system. The field MAIL-ON-WARNING="EMAIL" can be modified to send a list of warnings to the address of your choice. You may also want to whitelist some common false positives by removing the # to uncomment these lines:

#ALLOWHIDDENDIR=/dev/.udev
#ALLOWHIDDENDIR=/dev/.static
#ALLOWHIDDENDIR=/dev/.initramfs

After you first run rkhunter, you can define additional whitelists by adding the field SCRIPTWHITELIST="FILE,FILE" so that false positives are not flagged when the command is run. After any changes to rkhunter.conf, in some distros you can run rkhunter -C to check for any errors.

Running the Tests

If you install rkhunter from a distribution's repository, it can be run as soon as it is installed, although whitelisted files will be logged. If you install from an outside source, however, configure the command as described above. In either case, to run the command, enter rkhunter --check (-c) (Figure 2). Rkhunter will begin to run its tests, although at several stages it will pause until you press the Enter key. As it runs, it may flag warnings, ranging from whitelists (files that list acceptable files) to unusually large files. A running summary of results displays (Figure 3) as tests are done, although they may scroll too quickly to be easily read at some stages.

Figure 1: The --list option shows the tests that rkhunter runs.

Not to worry – you will want to study /var/log/rkhunter anyway. Some of the warnings may be false positives; for example, Firefox often has a larger than usual configuration file (Figure 4). Take your time with the logfile, and make a list of any problems that you need to research to learn how to address.

This basic sequence can be modified with options, some of which have a long and a short form, and some which have only a long form. To start with, you can use --disable or --enable to select the tests to run in comma-separated lists (use the --list option to see which tests are available). Since the next step after running rkhunter is to examine the log, you can also use --display-logfile to show the log immediately after the completion of the command. Similarly, --skip-keypress (-sk) omits the pauses in the running of the command where you need to press the Enter key to continue. In addition, you can also suppress default features with commands like --nocolors and --nolog or set the directories to use with options like --configfile FILE or --tmpdir FILE.

Figure 2: Rkhunter at the start of its run.

Running as a Cron Job

Rkhunter can be automated even more by setting it to run as a cron job. The cron job is best run with MAIL-ON-WARNING set in /etc/rkhunter.conf. Since rkhunter must run as root, use the root account's crontab. Before beginning, use crontab -l to see if root already has a crontab, and, if so, back it up before beginning. To add rkhunter to the crontab, enter crontab -e while logged in as root, and, if this is your first time editing it, choose a text editor to use. There are many ways to enter times and dates with crontab, but the easiest is to enter the minutes and hours using a 24-hour clock, followed by the command. For example, if you want to run rkhunter at 3am, when you are not using your computer, the cron job entry would look like this:

00 03 * * * /usr/bin/rkhunter --cronjob --update --quiet

Release Lags

If you examine the rkhunter project, you may notice that the latest release, version 1.4.6, was released two years ago. In addition, recent traffic on the project forums is rarely more than a few posts per month from only half a dozen people or so. Such evidence may lead you to wonder how current rkhunter is, and whether there is recent malware that it does not cover.

However, this concern seems to be groundless. A web search immediately reveals that the long time between releases has done little to stop rkhunter's use. After 14 years of development, rkhunter is a mature script, with a comprehensive awareness of different intrusion methods. Even if the current version does not cover a particular rootkit, rkhunter's other tests, such as changes in key files, can probably detect evidence of a new rootkit, if not the particular kit.

Figure 3: Rkhunter finishes with a summary of results.
Figure 4: Some warnings are false positives; rkhunter can be configured to ignore such warnings after its first run.

Info
[1] Rootkit Hunter: http://rkhunter.sourceforge.net/

5 LFT: Trickier than Traceroute

If unfriendly digital natives interfere with an ICMP filter, switch to a clever alternative like LFT. By Charly Kühnast

Practically every admin uses the classic traceroute tool at more or less regular intervals. This gets me all the more irritated when I find myself in a hotel with a WiFi network where the admin has completely disabled ICMP. Disabling ICMP causes more trouble than benefit for what is, by definition, a public network, and it can be easily circumvented.

The first version of traceroute was written in 1988 by a certain Van Jacobson – Van is his first name, not an honorific. To be able to trace the path of packets through the web, Jacobson came up with a clever method. He sent test packets through the Internet to a defined destination and increased the time to live (TTL) value for each packet. The first packet is assigned a TTL of one. Each router that transports the packet further reduces the TTL by one. Once the TTL reaches a value of zero, the router sends it back with an ICMP TTL exceeded message. By successively increasing the TTL, Jacobson got the packets back from routers that were further and further away and was able to follow the path of the packet until it finally reached its destination. Unfortunately, this technique does not work if the remote peer suppresses ICMP messages.

The good news is that the traceroute concept has evolved over the years. Even the classic tool is now able to use an alternative TCP-based method that relies on TCP SYN packets. Figure 1 shows two traceroutes to the same destination, the BBC web server (bbc.co.uk). The first call gets stuck at some point, probably due to an ICMP filter. The second one uses TCP SYN packets – it gets to its destination unhindered.

Figure 1: Where the classic traceroute fails, a simple -T (for TCP SYN) often does the trick.

Others have taken the traceroute concept and developed alternatives, such as MTR [1], which continuously repeats the trace and thus helps to detect occasional packet losses. Another very interesting alternative is Layer Four Traceroute (LFT). You can download LFT from the project's SourceForge site [2]. LFT can handle other transport methods and thus makes it through most firewalls. In addition, it can output whose network blocks the packet is passing through, including the number of the autonomous system responsible for it (Figure 2). If you are on an unfamiliar network and find that your favorite diagnostic tools are faltering, LFT is a good alternative to the useful and familiar traceroute.

Figure 2: Knows where it's going: LFT makes it through most firewalls and returns the network blocks it has passed through.

Info
[1] "Sys Admin's Daily Grind: Step Counter" by Charly Kühnast, Linux Magazine, issue 119, October 2010, p. 47
[2] LFT: http://freshmeat.sourceforge.net/projects/LFT
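The TTL mechanism described above, as an added example that is not from the article or from any traceroute implementation: a small Python model in which each router decrements the TTL and the one that takes it to zero answers, with a firewall that drops the classic probe but forwards TCP SYN. The path, the hop names, and the filter rule are constructed assumptions; real networks have more failure modes than this (the filter may also drop the TTL-exceeded replies themselves), so the model only shows why the two traces in Figure 1 behave differently.

```python
"""Toy model of traceroute's TTL mechanism (added example; constructed network).
Each router decrements the TTL; the router that takes it to zero answers with
"ICMP TTL exceeded" (shown here as its name). A hop that filters the probe's
protocol answers nothing, which traceroute prints as '*'."""
from dataclasses import dataclass
from typing import FrozenSet, List

ALL_PROTOCOLS = frozenset({"udp", "icmp", "tcp"})


@dataclass(frozen=True)
class Hop:
    """A router on the path; `forwards` lists the probe protocols it lets through.
    A firewall that only passes TCP is modelled as forwards={"tcp"}."""
    name: str
    forwards: FrozenSet[str] = ALL_PROTOCOLS


def send_probe(path: List[Hop], destination: str, ttl: int, protocol: str) -> str:
    """Carry one probe along the path and return who answered it."""
    for hop in path:
        ttl -= 1
        if ttl == 0:
            return hop.name          # TTL exceeded: this router answers
        if protocol not in hop.forwards:
            return "*"               # silently dropped: no answer at all
    # TTL survived every router, so the destination itself answers
    # (port unreachable / echo reply for classic probes, SYN/ACK or RST for TCP).
    return destination


def traceroute(path: List[Hop], destination: str, protocol: str = "udp",
               max_hops: int = 8) -> List[str]:
    """Probe with TTL 1, 2, 3, ... until the destination answers or max_hops is reached."""
    hops = []
    for ttl in range(1, max_hops + 1):
        answer = send_probe(path, destination, ttl, protocol)
        hops.append(answer)
        if answer == destination:
            break
    return hops


# Constructed path: two ordinary routers, then a firewall that only forwards TCP.
PATH = [
    Hop("gw.example"),
    Hop("isp-core.example"),
    Hop("fw.example", forwards=frozenset({"tcp"})),
]


def compare(destination: str = "web.example") -> dict:
    """The two kinds of trace from the article's Figure 1, run on the constructed path."""
    return {
        "classic (udp)": traceroute(PATH, destination, "udp"),  # stalls in '*' after fw
        "tcp syn": traceroute(PATH, destination, "tcp"),        # reaches the destination
    }


if __name__ == "__main__":
    for label, hops in compare().items():
        print(f"{label:14s} {' '.join(hops)}")
```

The classic trace shows the three routers and then nothing but `*` until max_hops, which is exactly the "gets stuck at some point" symptom; the TCP SYN trace shows the same three routers and then the destination.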

6 urlwatch: What's New Pussycat?

Urlwatch is a command-line tool that presents the latest news from websites – not through RSS but by detecting HTML changes. By Charly Kühnast

Some years ago, I got interested in the Miniflux RSS feed aggregator. Miniflux is lean, fast, and easy to use. The media have been predicting the death of RSS feeds for what feels like an eternity, but this demise still has not happened. However, some websites simply don't offer feeds. As an alternative, I need a tool that alerts me when a website changes.

That's far more complicated than it sounds at first. Using a web service for this purpose (there are countless numbers of them) is out of the question for reasons of data economy. However, the biggest problem is something else. Things on websites that I don't find relevant are constantly changing. For example, a daily newspaper that I regularly read displays job ads that change with every reload. If I was notified every time, it would drive me crazy. There has to be a better way – and there is: urlwatch.

Written in Python 3, urlwatch is included in most popular distributions. If you want to know exactly if and which version of urlwatch is available in your favorite distro, you can find out on Repology.org [1]; DIY enthusiasts can use GitHub [2]. For an example of urlwatch at work, the command in Listing 1 keeps an eye on the online news page for Linux Magazine.

Listing 1: Monitoring Websites

$ urlwatch --add url=http://www.linux-magazine.com/Online/News,name=LinMag

In my home directory below .config/urlwatch/, urlwatch has now created a configuration file named urls.yaml (Listing 2). So far, so good – but I want to be sure that I am only notified when a new news ticker post is published. I want urlwatch to ignore any other changes to the website. To do this, I briefly immersed myself in the website's HTML source code and discovered that every news ticker entry is introduced by a div tag that contains the specification "td_module_9 td_module_wrap" as its class specification. This prompted me to append the following line to the configuration in urls.yaml:

filter: element-by-id:td_module_9

Listing 2: urls.yaml

kind: url
name: LinMag
url: http://www.linux-magazine.com/Online/News

Now urlwatch only alerts me when a new ticker entry appears on the website. There is a rich selection of alerting types; I opted for plain old email. All I had to do was enter the appropriate mail server, as well as the sender and recipient addresses, below .config/urlwatch/ in the urlwatch.yaml configuration file's report section. And, lo and behold, the electronic mailman was soon ringing the bell (Figure 1).

Figure 1: urlwatch immediately notifies by email when news is posted on a favorite website.

Info
[1] urlwatch packages: https://repology.org/project/urlwatch/versions
[2] urlwatch on GitHub: https://github.com/thp/urlwatch
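The filtering idea behind the article, as an added example that is not urlwatch's own code: two snapshots of a page are fingerprinted, once as a whole and once restricted to the news-ticker element, to show why an unfiltered watch fires on every rotating job ad while a filtered one fires only on real news. The class name td_module_9 is the one the article found; the HTML snapshots and the job-ad markup are constructed for the demo, and the element is matched on its class attribute (the article's own filter line uses urlwatch's element-by-id).

```python
"""Change detection on one HTML element (added example; constructed page snapshots).
Fingerprint either the whole page or only the text of elements carrying a given
class, and report a change when the fingerprint differs between two snapshots."""
import hashlib
from html.parser import HTMLParser
from typing import List, Optional

VOID_TAGS = {"br", "hr", "img", "input", "link", "meta"}   # tags with no closing tag


class ElementText(HTMLParser):
    """Collect the text inside every element whose class attribute contains `wanted`."""

    def __init__(self, wanted: str) -> None:
        super().__init__()
        self.wanted = wanted
        self.depth = 0              # > 0 while inside a matching element
        self.parts: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        classes = (dict(attrs).get("class") or "").split()
        if self.depth or self.wanted in classes:
            self.depth += 1         # enter the match, or nest deeper inside it

    def handle_endtag(self, tag):
        if tag not in VOID_TAGS and self.depth:
            self.depth -= 1

    def handle_data(self, data):
        if self.depth:
            self.parts.append(data.strip())

    def text(self) -> str:
        return " ".join(p for p in self.parts if p)


def fingerprint(html: str, css_class: Optional[str] = None) -> str:
    """SHA-256 over the whole page, or over the matching element's text only."""
    if css_class is None:
        content = html
    else:
        parser = ElementText(css_class)
        parser.feed(html)
        content = parser.text()
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def changed(old_html: str, new_html: str, css_class: Optional[str] = None) -> bool:
    """True when the watched part of the page differs between the two snapshots."""
    return fingerprint(old_html, css_class) != fingerprint(new_html, css_class)


# Constructed snapshots: one news ticker entry plus a job ad that rotates on every reload.
PAGE_V1 = """<html><body>
<div class="td_module_9 td_module_wrap"><h3>Kernel 5.6 released</h3></div>
<aside class="jobs">Job ad #4711: Linux admin wanted</aside>
</body></html>"""
PAGE_V2 = PAGE_V1.replace("#4711", "#4712")                              # only the ad rotated
PAGE_V3 = PAGE_V1.replace("Kernel 5.6 released", "Kernel 5.7 released")  # real news posted


def demo() -> dict:
    return {
        "whole page, ad rotated": changed(PAGE_V1, PAGE_V2),                   # True: noise
        "ticker only, ad rotated": changed(PAGE_V1, PAGE_V2, "td_module_9"),   # False
        "ticker only, news posted": changed(PAGE_V1, PAGE_V3, "td_module_9"),  # True
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26s} -> {'CHANGED' if result else 'unchanged'}")
```

Storing only the fingerprint of the last seen state, rather than the page itself, is what lets a watcher run unattended for months with a fixed-size state file; the unfiltered row of the demo is the "notified on every reload" failure the article describes.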

7 xkcdpass: Balancing Act

Computer-generated passwords are often complicated and difficult to remember. A tool called xkcdpass tries to keep it simple. By Bruce Byfield

How should you generate passwords? You probably know the standard advice of using a variety of characters, but the resulting passwords are hard to remember, especially since the recommended length keeps getting longer as cracking methods become more sophisticated. It's enough to make users choose convenience over security and use the same password everywhere – which is just about the worst thing you can do.

xkcdpass [1] is a Python script inspired by a comic strip from the geekily popular xkcd comic (Figure 1). The goal of xkcdpass is to combine the power of automated password generation with the convenience of memorable passwords. Instead of the usual mixture of characters, the strip advocates strings of words, maintaining that these strings are just as secure as a traditional password – and much easier to remember. xkcdpass is designed to generate these strings [2].

Figure 1: The comic strip that inspired xkcdpass.

xkcdpass works by default with a word list called eff-long [3], which was released by the Electronic Frontier Foundation under a Creative Commons Attribution license for the specific purpose of generating passwords. eff-long, in turn, was originally a modification of Alan Beale's 12Dicts package for Aspell [4], which itself was based on the standard word list for Diceware. 12Dicts consists of common English words of varying lengths originally derived from 12 different dictionaries, with outdated works, jargon, and scientific terms excluded. eff-long consists of 7,776 words, listed one per line, with the first line numbered 1111 and the rest continuing in sequence. Generally, eff-long is all that anyone needs, but other dictionaries are also installed: eff-special, which contains 1,296 memorable words that are easier to remember but provide less security, and eff-short, in which each word begins with a unique three-letter prefix that could be used one day for autocompletion. Dictionaries for Finnish, French, Italian, German, Norwegian, Portuguese, and Spanish are also available. Those who want greater security can also produce longer, more specialized lists if desired. All word lists are stored in /usr/lib/python3/dist-packages/xkcdpass/static/.

The number of words in a password is five by default. However, --numwords=NUMBER can be used to change the default, and --min=NUMBER or --max=NUMBER can be specified to control the length of each word. Still another way to customize the resulting password is to specify a regular expression with --var-char=REGEX. For ease of memory, --acrostic=WORD can be set, so that the first letter of each word spells out another word. For example, if the word supplied is "chaos," xkcdpass might supply the password Church Hermann Auvergne Orthodox Sculptor (Figure 2). Those who are security-conscious can include --verbose to read the level of security supplied by a specific password. Yet another convenience is --interactive, which continues to generate passwords until you accept one.

Figure 2: Based on a popular comic, xkcdpass can use acrostics to make passwords easier to remember.

Conclusion

Deciding which password generator to use is no easy task for most of us. I suspect xkcdpass will be tempting, both because of its association with the comic and its deliberate efforts to make the passwords it generates easier to remember. However, cautious users might want to stay with a more traditional approach.

Info
[1] xkcdpass: https://pypi.org/project/xkcdpass/
[2] Explanatory comic: https://www.xkcd.com/936/
[3] eff-long: https://www.eff.org/files/2016/07/18/eff_large_wordlist.txt
[4] 12Dicts package: http://wordlist.aspell.net/12dicts/
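What the word count, the list size and the acrostic option do to the strength of a passphrase, as an added example that is not xkcdpass's own code: a diceware-style generator that draws every position uniformly from its candidate pool and reports the entropy as the sum of log2(pool size). WORDS is a small constructed stand-in for the 7,776-word eff-long list (that size is taken from the article); the --min/--max length bounds and the acrostic are reproduced as function parameters, and draws use the secrets module.

```python
"""Diceware-style passphrase generator with an entropy estimate (added example;
constructed word list). Shows why an acrostic, which restricts each position to
the words starting with one letter, costs entropy compared with a free draw."""
import math
import secrets
from typing import Callable, List, Optional, Tuple

EFF_LONG_SIZE = 7776   # number of words in eff-long, as stated in the article

# Constructed demo list (24 words); a real run would load eff-long instead.
WORDS = ["church", "hermann", "auvergne", "orthodox", "sculptor", "anvil", "breeze",
         "cactus", "harbor", "oyster", "saddle", "cobalt", "hollow", "arrow", "obsidian",
         "socket", "candle", "heron", "amber", "opal", "spruce", "cinder", "hazel", "otter"]


def candidates(words: List[str], first_letter: Optional[str] = None,
               min_len: int = 0, max_len: int = 99) -> List[str]:
    """Words allowed for one position: length bounds (the --min/--max idea) and,
    for an acrostic, a required first letter."""
    return [w for w in words
            if min_len <= len(w) <= max_len
            and (first_letter is None or w.startswith(first_letter))]


def generate(words: List[str], num_words: int = 5, acrostic: Optional[str] = None,
             min_len: int = 0, max_len: int = 99,
             pick: Callable[[List[str]], str] = secrets.choice) -> Tuple[str, float]:
    """Return (passphrase, entropy_bits). Each position is drawn uniformly from its
    own pool, so the entropy is the sum of log2(pool size) over the positions.
    `pick` defaults to the CSPRNG-backed secrets.choice; it is a parameter only so
    the function can be exercised deterministically."""
    if acrostic:
        pools = [candidates(words, ch, min_len, max_len) for ch in acrostic.lower()]
    else:
        pools = [candidates(words, None, min_len, max_len)] * num_words
    if any(not pool for pool in pools):
        raise ValueError("word list cannot satisfy the requested constraints")
    chosen = [pick(pool) for pool in pools]
    bits = sum(math.log2(len(pool)) for pool in pools)
    return " ".join(chosen), bits


def eff_long_bits(num_words: int) -> float:
    """Entropy of an unconstrained passphrase drawn from the full eff-long list."""
    return num_words * math.log2(EFF_LONG_SIZE)


if __name__ == "__main__":
    phrase, bits = generate(WORDS)
    print(f"{phrase!r}: {bits:.1f} bits from the 24-word demo list")
    phrase, bits = generate(WORDS, acrostic="chaos")
    print(f"{phrase!r}: {bits:.1f} bits (acrostic shrinks every pool)")
    print(f"5 words from eff-long: {eff_long_bits(5):.1f} bits")
```

Two things the numbers make visible: five free draws from eff-long are worth about 64.6 bits regardless of how the words look, and the acrostic keeps only the words beginning with each given letter, so its entropy is bounded by those much smaller pools rather than by the list as a whole.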

12 10 TERRIFIC TOOLS FOR THE BUSY ADMIN: 2020 EDITION – SPONSORED BY FOSSLIFE WWW.ADMIN-MAGAZINE.COM TigerVNC 10 TERRIFIC TOOLS – 2020

Big Cat to the Rescue Watching all the computers in your home or workspace could be an unreasonable burden on your personal energy balance. Why not connect with TigerVNC?By Charly Kühnast 8 My powerful Linux workstation with Tigers, Everywhere is in my study up in the attic, be- cause its fan would unnecessarily $vncStartup = "$ENV{HOME}/.vnc/xstartup"; I installed the TigerVNC client on heat up my living room. The family all my Linux computers by typing PC is quiet; it’s in the small hobby and saved the file from Listing 1 in corner, along with a couple of half- the Ohm/.vnc directory. vncpasswd sudo apt install tigervnc‑viewer finished Lego sets, a few Raspberry sets a VNC password, which should Pis, a laptop, and a MIDI controller, not be identical to that of the user. The server connection is opened which I dabble with for relaxation. Now I can choose whether the with: Then there are the two small test user can only watch from a dis- servers in the storeroom next to the tance or actually do something. xtigervncviewer ‑SecurityTypes U kitchen where I try out software be- This completes everything on VncAuth,TLSVnc ‑passwd U fore I write about it. the server side. I fired up the VNC /home//.vnc/passwd <10.0.0.54>:1 SSH prevents me from burning too server by typing vncserver (without many calories when running be- sudo; root rights are not required). It Of course, you need to adapt the IP tween the dispersed machines. But launched, but I only saw a Connec- address to match your own server. if I want to show a host’s whole tion refused when trying to connect. From the selection of clients [2], desktop, then it’s time for Virtual What’s going on? The output from I tried the macOS version on the Network Computing (VNC). To lsof | grep LISTEN sheds light on living room laptop. (My favor- access all of these machines, I re- the subject. The VNC server has ite audio tool is unfortunately cently checked out TigerVNC [1]. only bound to localhost. 
I stop the not available for Linux.) How- On the workstation in my study, I server with vncserver ‑kill. The ever, the macOS Tiger doesn’t typed the following command for man page, which you only read convince me. Since VNC is quick installation: when something goes wrong, pro- widespread, an alternative was vides the solution: quickly found; I swapped in sudo apt install tigervnc‑standalone‑server U Chicken [3] as a replacement tigervnc‑xorg‑extension vncserver :1 ‑localhost no (Figure 1). Another handful of calories that I don’t have to waste In /etc/vnc.conf, I replaced Now the server accepts connec- by moving my legs. n tions on all interfaces. Time to $vncStartup = "/etc/X11/Xvnc‑session"; move on to the clients. Info [1] TigerVNC: [https://​­tigervnc.​­org] [2] TigerVNC Clients: [https://​­bintray.​ ­com/​­tigervnc/​­stable/​­tigervnc/​­1.​­9.​­0] [3] Chicken: [https://​­sourceforge.​­net/​ ­projects/​­chicken/]

Listing 1: xstartup

    #!/bin/sh
    # Start Desktop
    [ -x /etc/vnc/xstartup ] && exec /etc/vnc/xstartup
    [ -r "$HOME/.Xresources" ] && xrdb "$HOME/.Xresources"
    vncconfig -iconic &
    dbus-launch --exit-with-session gnome-session &

Figure 1: Charly sends his Linux workstation desktop to the Apple laptop.


9 EncFS

Simple Security

EncFS is an easy and effective file encryption tool that also allows for customization.

By Bruce Byfield

First released in 2001, EncFS [1] is one of the oldest file encryption solutions, but it remains one of the easiest to set up and use. EncFS uses two directories: an unencrypted directory for dropping files into and an encrypted directory that automatically receives encrypted copies of those files. Any further manipulation of the setup or files is done with the encfsctl utility [2].

Because EncFS runs in userspace and uses the FUSE libraries [3], ordinary users can create its virtual filesystem (not just root). Additionally, running in userspace means that an encrypted directory can be administered with the usual file utilities. Similarly, standard backup utilities can back up only the EncFS-associated files that have changed. EncFS can use both removable drives and cloud storage.

Setting up EncFS

EncFS is available in most major distributions. Make sure that the FUSE package is installed, and then set up EncFS with the following command:

    encfs ~/ENCRYPTED-DIRECTORY ~/UNENCRYPTED-DIRECTORY

If the directories named do not exist, EncFS automatically creates them. However, if you prefer, you can create the directories before running EncFS using mkdir -p. The -p option creates any necessary parent directory, as well as the one required. Although security by obscurity should not be relied upon, you can hide the encrypted directory by adding a period at the start of its name.

If you want to use EncFS in cloud storage, make the encrypted directory a subfolder of the directory associated with your cloud account. For example, if you are using Dropbox, the subfolder might be ~/Dropbox/encrypted. The next time you sync your local and cloud directories, the encrypted directory is automatically uploaded to the cloud storage.

No matter where the required directories are located, the first time you run EncFS, you are prompted to set up the encryption (Figure 1). The default, standard mode, provides a moderately high level of protection and can be selected without any prompts by adding the option --standard to the basic command; the pre-configured paranoia mode (--paranoia) uses a larger key and adds integrity checking of the encrypted blocks. By contrast, expert mode must always be specifically chosen. Expert mode prompts users with a series of questions to set each encryption parameter individually. The man page explains each of the settings, but the most important difference between the two presets is the key size (Table 1). Setup for all modes ends with choosing a password for accessing the encrypted directory via EncFS.

Although the man page recommends the presets for most users, some might prefer to use expert mode simply to choose the settings themselves. Note, however, that in the past some cloud storage sites have had trouble with EncFS in expert mode.

To check that EncFS is running, look for entries in the output of mount or temporary entries when running df -h. More simply, add a file to the unencrypted directory and then check that a file appears in the encrypted directory. If problems persist, try running the command with the verbose option (-v), which gives copious details for debugging (Figure 2).

Table 1: Encryption Modes

| | Standard Mode | Paranoia Mode |
|---|---|---|
| Cipher | AES | AES |
| Key size | 192 bits; PBKDF2 with 1/2 second runtime, 160 bit salt | 256 bits (maximum); PBKDF2 with 3 second runtime, 160 bit salt |
| Filesystem block size | 1024 bytes | 1024 bytes |
| Filename encoding | Block encoding with IV chaining, unique initialization vector file headers | Block encoding with IV chaining, unique initialization vector file headers, message authentication code (MAC) block headers, external IV chaining |

Running and Administrating EncFS

To mount existing EncFS directories, repeat the command used to create them:


    encfs ~/ENCRYPTED-DIRECTORY ~/UNENCRYPTED-DIRECTORY

At this point, you will be prompted for the password. For most users, no additional options are likely required. However, EncFS does have a small set of options, which are described thoroughly in the man page. Most of these options set the details of how the command is run, such as -f, which runs EncFS in the foreground instead of the default background, or -s, which runs EncFS in a single thread instead of the default multiple threads. Users who want to share the mounted directory with other local users – which should only be done cautiously – might use the --public option. And --reverse turns the usual arrangement around: it takes an existing unencrypted directory and presents an encrypted view of it, which is useful for making an encrypted backup of plain files without keeping a second copy on disk.

When not using EncFS, you can shut it down with the command:

    fusermount -u ~/UNENCRYPTED-DIRECTORY

You can perform many administrative tasks using encfsctl, a utility that is generally packaged with EncFS. For example, the info sub-command displays basic information about EncFS's encrypted directory. If you suspect that some files in the encrypted directory have names EncFS can no longer decode – because another application wrote them there, for instance – the showcruft sub-command lists them. At times, too, it may be useful to use decode to show the name of an encrypted file and display its unencrypted version, or, conversely, to use encode to show the name of an unencrypted file and display its encrypted version. As the man page notes, both decode and encode are useful for deciding which files to include or exclude during a backup. Probably the most useful of encfsctl's sub-commands is passwd, which you can use for changing passwords (Figure 3).

Caveats and Shortcomings

EncFS is a simple and reliable encryption tool, but users should be aware of its limitations. One possible concern is that anyone who can read the encrypted directory can view the file attributes. This information – the number and sizes of the files, and especially the time a file was created and the last time it was saved – could be enough to guess the contents of the file. To avoid this possibility, change the permissions so that the encrypted files can only be read or written by you. The same attributes are, of course, visible to a cloud provider that stores the encrypted directory.

Another shortcoming is that, in paranoia mode, EncFS only supports file names of up to 190 characters, whereas most filesystems allow 255. This difference means that very long file names may be truncated.

Figure 1: The first time you run EncFS, you can customize the encryption details using expert mode.

More seriously still, some older versions of EncFS are believed to have unpatched vulnerabilities. An independent audit in 2014 found several weaknesses and concluded that EncFS is reasonably safe only against an attacker who obtains a single snapshot of the encrypted directory; an attacker who can watch the ciphertext change over time, as a cloud storage provider can, is in a far better position. Version 1.8 is thought to have corrected some of these vulnerabilities, but not all. To be as safe as possible, users should use only version 1.9.5 or later, and choose paranoia mode or an expert setup with MAC block headers enabled, because the default standard mode cannot detect modification of the ciphertext.
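Putting the setup steps and the permissions caveat together, here is an added example that is not from the article: a small POSIX shell wrapper that creates both directories with mode 0700, mounts the volume in standard mode, confirms the mount, and lists files on the encrypted side that other users could still read. The directory names are placeholders, and the encfs and fusermount calls use only options from their man pages.

```shell
#!/bin/sh
# Added example, not from the article. Mount an EncFS volume with the
# permission hardening the caveats call for, then audit what other local
# users can see of the encrypted side. Paths below are placeholders.

# Create both directories (with parents) as owner-only, so the file names,
# sizes and timestamps in the encrypted directory stay private.
prepare_encfs_dirs() {
    enc="$1"; plain="$2"
    mkdir -p "$enc" "$plain" || return 1
    chmod 0700 "$enc" "$plain"
}

# Octal permission bits of a path: GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Regular files inside the encrypted directory that are group- or
# world-readable. An empty result is the desired state.
encfs_leaky_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null
}

# Mount in standard mode (no questions on first use) and verify that the
# mount is visible. The password is read from the terminal; a script that
# must supply it can add --stdinpass and feed it on stdin instead.
mount_encfs() {
    enc="$1"; plain="$2"
    prepare_encfs_dirs "$enc" "$plain" || return 1
    encfs --standard "$enc" "$plain" || return 1
    mount | grep -q " $plain " || { echo "mount not visible" >&2; return 1; }
}

unmount_encfs() { fusermount -u "$1"; }

# Usage (not run when the file is sourced):
#   mount_encfs "$HOME/.encrypted" "$HOME/private"
#   encfs_leaky_files "$HOME/.encrypted"   # should print nothing
#   unmount_encfs "$HOME/private"
```

The permission functions work on any directory, so `encfs_leaky_files` is also a reasonable periodic check on an EncFS directory that lives under a cloud sync folder, where a sync client may recreate files with its own default mode.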

Figure 2: Verbose mode gives detailed information about how EncFS is set up.

Figure 3: encfsctl is an administrative tool for EncFS. Mostly, it is used for changing passwords.

Info
[1] EncFS: https://linux.die.net/man/1/encfs
[2] encfsctl: https://linux.die.net/man/1/encfsctl
[3] FUSE: https://en.wikipedia.org/wiki/Filesystem_in_Userspace


10 Dialog

Fancy Talk

Create dialog boxes with checkboxes, progress bars, and many other features that users find helpful when working at the command line.

By Bruce Byfield

Many Bash scripts do not need interfaces because they are run by admins, who are perfectly comfortable at the command line. However, if a script is used by everyday users, it might be more friendly if it uses a dialog box for input and messages. For over 25 years, a leading command for boxes has been dialog [1], which can be called from a script so that users can enter input in an ncurses interface.

dialog's command structure is somewhat unusual (Listing 1). In addition to the appearance of options in two separate places, note the quotation marks around the text and the order of height, width, and the other box type arguments. Height is expressed as the number of lines and width as the number of monospaced characters.

Listing 1: Command Structure for dialog

    dialog --COMMON-OPTIONS --BOXTYPE "TEXT" HEIGHT WIDTH BOXTYPE-ARGUMENTS

The resulting box's design varies with the options selected. However, it will always have text and may have buttons (such as Yes, No, Help, or OK) or radio buttons for making selections. It may also have a back title for easy identification. When necessary, the box is navigated with the arrow and Tab keys rather than the mouse. Once a selection is made, then generally the script will continue with if/then/else statements that correspond to each selection. For that to work, note where dialog puts its results: the chosen tags or typed text go to standard error (or to standard output with --stdout), and the exit status tells the script which button ended the box (0 for OK or Yes, 1 for Cancel or No, 255 for Esc).

The easiest way to design a box is to open another prompt and run the basic dialog command repeatedly until you have a structure ready to add to the script. Use the Esc key to return to the prompt after the resulting box is displayed. Unless the background for the dialog box matches the terminal's background, you will see conflicting colors after returning to the prompt unless you enter the clear command or a sufficient number of new commands.

Using Box Options

It makes sense to begin with the available types of boxes, one of which must always be used in a dialog command. All boxes can use the self-explanatory text, height, and width options. Text appears after the box type in quotation marks, while height and width follow, expressed in lines and characters. Other arguments must follow the width. Available arguments depend on the box type, as shown in Table 1.

Table 1: Selected Boxes and Their Options

| Box type | Purpose | Box-type arguments |
|---|---|---|
| --tailboxbg | Like --tailbox, but runs in the background | FILE |
| --calendar | Displays a calendar | DAY MONTH YEAR (omit them for the current date) |
| --checklist | A scrolling list from which to select multiple items | LIST-HEIGHT, then tag/item/status triples for the default choices (e.g., 1 Accept on \) |
| --dselect | Selects a directory | FILEPATH |
| --editbox | Allows editing of an existing file | FILEPATH |
| --gauge | A progress bar | PERCENT (the completion percentage) |
| --infobox | A message display without buttons | |
| --inputbox | A text entry field for answering questions | |
| --menu | A scrolling list from which to select one item | MENU-HEIGHT, then tag/item pairs |
| --msgbox | A message with an OK button | |
| --passwordbox | For password entry | |
| --pause | Shows a meter for the time paused | SECONDS |
| --radiolist | Radio buttons for selecting one item | LIST-HEIGHT, then tag/item/status triples for the default choice (e.g., 1 Accept on \) |
| --tailbox | An auto-updating viewer for the end of a file | FILE |
| --timebox | Selects a time | HOUR MINUTE SECOND |
| --textbox | A scrollable text box | FILE |
| --yesno | Yes and No answer buttons | |

All boxes can use text, height, and width. Arguments are completed with a dimension, time, filename, or other value as needed.

A simple message box (Figure 1) would use a command like:


    dialog --title "Choose" --msgbox 'Invalid option. Choose again' 6 20

Figure 1: A simple message box.

A more complicated example is a checklist, which asks for a selection (see Listing 2 and Figure 2). Listing 2 shows items prefaced with an identifying tag and followed by a status for the default display, as well as the end-of-line markers. Other boxes have similar structures, modified by any common command options. For example, the message box above might have a help button added to it with the addition of the --help-button option. For a complete description of each option, see the man page. Screenshots of other boxes are available online [2].

Listing 2: Checklist

    dialog --help-button --checklist "Choose one of the following:" 10 40 3 \
        1 Accept on \
        2 Reject off \
        3 Modify off

Common Dialog Options

Common dialog options affect the look and general functionality of the command. --ascii-lines replaces the ncurses line-drawing characters used to frame a box with plus and minus signs instead (Figure 3). Ordinarily, a box is centered on the screen, but you can also use --begin Y X to set the vertical and horizontal coordinates for the upper left corner of the box. You can also set the proportions of a box with --aspect RATIO, the width-to-height ratio (the default is 9). With --scrollbar, a scrollbar is added to the box, while --no-shadow suppresses the default shadow to the right and bottom of the box – an option that gives ncurses a flatter but more modern-looking appearance.

--colors enables inline formatting sequences in the text, each prefaced by \Z. The digits 0-7 choose ANSI colors: black, red, green, yellow, blue, magenta, cyan, and white – in that order. The same sequences set font weights and effects: b sets bold and B turns it off, while u turns on underlining and U turns it off. The settings are cumulative, so \Zu\Z3 produces green, underlined text. To restore the default settings, use \Zn.

Many of the common options have to do with how the buttons in a box are used. Options like --no-cancel suppress the display of a specific button altogether. Others, like --help-button, add a button to types of boxes that could use one; a gauge box, for example, would have no use for a Help button, since there is no interaction.

dialog's options total in the dozens, and setting up the command structure can be laborious. For this reason, you may want to run dialog --create-rc FILE in your home directory to create a default look and function for the command; dialog reads the result from ~/.dialogrc or from the file named in the DIALOGRC environment variable. The file is written with the current settings of your terminal. Although you probably want to leave the top of the file untouched, there are many choices that are self-explanatory enough to edit. This file can be overridden by options entered at the command line, but it can save considerable time if you use dialog regularly (Figure 4).

Alternatives to Dialog

Although dialog is the most common option for adding partial interfaces to scripts, both whiptail [3] and zenity [4] offer a similar, if less complete, command structure. In addition, Xdialog [5] is intended as a drop-in replacement for dialog and is referenced in dialog's man page, which mentions a few minor differences.
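The following is an added example that is not part of the article. It turns the checklist from Listing 2 into a script fragment that actually uses the answer: dialog's selection is captured from standard error while the box itself stays on the terminal, the exit status is checked for Cancel and Esc, and the chosen tags are mapped to actions in a separate function. The action names are placeholders; --separate-output is a documented dialog option that prints one tag per line.

```shell
#!/bin/sh
# Added example, not from the article: a checklist whose result drives the
# script, with dialog's exit status handled. dialog writes the chosen tags
# to stderr, so the usual idiom swaps the descriptors to capture them while
# the box is still drawn on the terminal.

# Map chosen tags to the actions the script should take. Reads one tag per
# line (the --separate-output format) and prints one action per line.
handle_selection() {
    while IFS= read -r tag; do
        case "$tag" in
            1) echo "accept" ;;
            2) echo "reject" ;;
            3) echo "modify" ;;
            *) echo "unknown:$tag" ;;
        esac
    done
}

# Show the checklist and print the selected tags on stdout. Returns
# dialog's exit status: 0 = OK, 1 = Cancel, 255 = Esc or error.
ask_checklist() {
    dialog --separate-output --checklist "Choose one of the following:" 10 40 3 \
        1 Accept on \
        2 Reject off \
        3 Modify off \
        2>&1 >/dev/tty
}

main() {
    choices=$(ask_checklist); rc=$?
    clear
    case $rc in
        0)   printf '%s\n' "$choices" | handle_selection ;;
        1)   echo "cancelled" ;;
        *)   echo "dialog exited with status $rc" ;;
    esac
}

# Interactive only when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Keeping the mapping in `handle_selection` rather than inline means the part of the script that makes decisions can be tested without a terminal, and the same function serves a `--menu` or `--radiolist` box, which print a single tag in the same format.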

Figure 2: A checklist box, with the default choice set to Accept.

Figure 3: The same box as in Figure 2 but with boxes drawn with ASCII line art rather than ncurses widgets.

Figure 4: Part of the dialog configuration file.

Info
[1] dialog: https://invisible-island.net/dialog/
[2] More dialog screenshots: https://linuxgazette.net/101/sunil.html
[3] whiptail: https://en.wikibooks.org/wiki/Bash_Shell_Scripting/Whiptail
[4] zenity: https://wiki.gnome.org/action/show/Projects/Zenity
[5] Xdialog: https://linux.die.net/man/1/xdialog

Getting Insights with eBPF

Keen Observer

Get deeper insights into your system with eBPF: Use the eBPF in-kernel virtual machine to identify resource bottlenecks and optimize your installation.

By Mayank Sharma

eBPF [1] is a relatively new addition to the Linux kernel that takes over more monitoring, security, and networking duties from individual kernel modules. Originally called the Berkeley Packet Filter, BPF came to life in 1992 [2] in order to provide a better and optimized mechanism to filter packets, and it was first used as a packet filter in BSD. Two decades later, it was completely rehashed and took on new tasks. The new version of BPF is what is known as enhanced BPF or eBPF. In addition to various new features, eBPF also has a new mechanism to connect to the Linux kernel. Instead of just filtering packets, eBPF programs can attach themselves to any kernel event or any socket. eBPF is tightly integrated with the Linux kernel and can be used as an efficient mechanism for Linux tracing. You can also use eBPF behind the scenes on your Linux machines to discover performance issues and bottlenecks.

Figure 1: Remember that all the eBPF utilities need root privileges to run.

Get Started

eBPF requires a kernel newer than v4.4 and one that has been compiled with the CONFIG_BPF_SYSCALL option. Neither of these requirements should be a problem if you are using one of the mainstream distributions like Ubuntu and updating it regularly. To experience the tracing benefits of eBPF, install the tools from the BPF Compiler Collection, commonly referred to as bcc [3]. Fire up a terminal in an Ubuntu installation and type:

    $ sudo apt install bpfcc-tools linux-headers-$(uname -r)

© Ioannis Kounadeas, Fotolia.com

This command will fetch the tools as well as the kernel headers for the kernel version that you are currently using. bcc includes over 70 tools, and under Ubuntu, they are all installed in the /usr/sbin directory and have a -bpfcc suffix (Figure 1). The tools are, in fact, Python scripts that you can edit and modify as per your requirements, provided that you know what you're doing. If you are using another distro, refer to the bcc documentation [4] for distribution-specific installation instructions.

Keep a Close Watch

I'll start by showing how to keep an eye out for new processes using the execsnoop tool. This tool is especially useful for tracing processes that are short-lived, which is to say those processes that end before you can track them via the traditional process monitoring tools like top. Keeping an eye out for these processes that usually miss your attention might help you optimize your installation. Fire up a terminal and type:

    $ sudo execsnoop-bpfcc

The tool will now keep an eye out for new processes. To give it something to pick up, perform some action (Figure 2), such as firing up a new terminal. This action will produce the output shown in Listing 1. As you can see from this truncated output, execsnoop prints one line of output for each new process. The output shows the command name of the new process under the PCOMM column, the PID of the process along with its parent PID, and the return value of the exec() call under the RET column, as well as the command and any arguments under the ARGS column.

The -x option can be used to include failed exec() calls (Listing 2); the RET column then shows the negative errno, -2 (ENOENT) in Listing 2, which is what a PATH search for a missing binary looks like. You can similarly use the -t option to include a timestamp column and the -n option to match on a name. For instance, sudo execsnoop-bpfcc -n ssh will only catch processes where the command matches the specified name (in this case, ssh).

Listing 1: execsnoop Output

    $ sudo execsnoop-bpfcc
    PCOMM            PID    PPID   RET ARGS
    gnome-terminal   14483  1        0 /usr/bin/gnome-terminal --window
    gnome-terminal.  14486  14483    0 /usr/bin/gnome-terminal.real --window
    bash             14492  2490     0 /bin/bash
    lesspipe         14493  14492    0 /usr/bin/lesspipe
    basename         14494  14493    0 /usr/bin/basename /usr/bin/lesspipe
    dirname          14496  14495    0 /usr/bin/dirname /usr/bin/lesspipe
    dircolors        14497  14492    0 /usr/bin/dircolors -b

Listing 2: The execsnoop -x Option

    $ sudo execsnoop-bpfcc -x
    PCOMM            PID    PPID   RET ARGS
    nautilus         15815  15781   -2 /usr/local/sbin/net usershare info
    nautilus         15815  15781   -2 /usr/local/bin/net usershare info
    nautilus         15815  15781   -2 /usr/sbin/net usershare info

A related tool is opensnoop, which enables you to trace file opens. The open() system call brings up files for read and write operations, and keeping an eye on this system call can reveal a lot of details about how a program works behind the scenes. It can, for instance, help you identify all the data files, config files, and log files that are associated with an app and the manner in which they are accessed by the app. If an application performs poorly, it could be because it is improperly configured and is wasting milliseconds trying to access files that don't exist. The opensnoop tool traces the open() system calls and prints a line for each call that's found, as shown in Listing 3.

Listing 3: Tracing open() Calls

    $ sudo opensnoop-bpfcc
    PID    COMM               FD ERR PATH
    1      systemd            16   0 /proc/372/cgroup
    3642   gnome-shell        19   0 /proc/self/stat
    14769  DNS Resolver #9    57   0 /etc/hosts

Figure 2: The execsnoop utility catches an incoming SSH connection.
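The same execsnoop output that helps with performance tuning is also a cheap intrusion detection feed, because every short-lived process shows up, even ones top would never see. The following is an added example, not part of the article: a shell filter over execsnoop lines that flags binaries executed from world-writable staging directories, interpreters fed a script from those directories, and failed exec() calls (which need the -x option to appear). The sample lines are constructed in execsnoop's column layout; the path list and reason tags are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the article: a small detector over execsnoop output.
# Input columns: PCOMM PID PPID RET ARGS (run execsnoop without -t, or drop
# the timestamp column first). Reads stdin, prints one line per finding.

# Constructed sample: a normal shell start, a script run out of /tmp, an
# interpreter loading code from /dev/shm, a PATH probe that failed, a fetch.
SAMPLE_EXECSNOOP='PCOMM            PID    PPID   RET ARGS
bash             14492  2490     0 /bin/bash
lesspipe         14493  14492    0 /usr/bin/lesspipe
sh               20101  14492    0 /tmp/.x/update.sh
python3          20105  20101    0 /usr/bin/python3 /dev/shm/loader.py
nautilus         15815  15781   -2 /usr/local/sbin/net usershare info
curl             20110  20101    0 /usr/bin/curl -s http://198.51.100.7/p'

# Print "REASON PCOMM PID PPID EXE" for each suspicious event:
#   EXEC_FAILED  RET != 0 (only visible with execsnoop -x)
#   TMP_EXEC     the executed path lives in /tmp, /var/tmp or /dev/shm
#   TMP_SCRIPT   the first argument (a script) lives there instead
flag_execs() {
    awk '
        NR == 1 && $1 == "PCOMM" { next }
        {
            ret = $4; exe = $5; reason = ""
            if (ret != 0) reason = "EXEC_FAILED"
            if (exe ~ /^\/(tmp|var\/tmp|dev\/shm)\//) reason = "TMP_EXEC"
            if ($6 ~ /^\/(tmp|var\/tmp|dev\/shm)\//) reason = "TMP_SCRIPT"
            if (reason != "") print reason, $1, $2, $3, exe
        }'
}

# Number of findings in an execsnoop listing passed as the first argument.
count_flagged() {
    printf '%s\n' "$1" | flag_execs | wc -l | tr -d ' '
}

# Live use:  sudo execsnoop-bpfcc -x | flag_execs
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_EXECSNOOP" | flag_execs
fi
```

Three of the six sample lines are flagged: the /tmp script, the /dev/shm loader, and the failed exec. The PPID column is kept in the output on purpose, since following it back (20105 and 20110 both descend from 20101) is usually the first thing you do once something trips the filter.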


The first column is the process ID of the process that invoked the open() system call. The second column, COMM, displays the name of the process, and the third column displays the file descriptor as it was returned by open(). Then comes the error value if any error code is returned by open(), and the final column specifies the full path of the file used in the open() system call.

On an active Linux installation, the output of opensnoop will be very difficult to follow. It'll be helpful if you filter the output with grep to make sure you catch hold of what you're looking for. Another good idea is to filter using the process ID of the process that is of interest to you with the -p option or the -n option to filter on process name, such as:

    sudo opensnoop-bpfcc -n gnome-shell

Network Inspector

Another useful eBPF tool is tcpconnect, which enables you to inspect active TCP connections by watching all connect() system calls. The tcpconnect tool prints all outbound TCP connections, along with their source and destination addresses (Listing 4). The first and second columns, as usual, list the process ID and the name of the process that called connect(). The third column specifies whether the connection uses IPv4 or IPv6. The fourth and fifth columns are the source IP and destination IP for the connection, and the last column is the port number at the destination address. One common option is -U, which appends the UID of the processes to the output. You can then use it along with the -u option to filter the output using UID, such as:

    sudo tcpconnect-bpfcc -Uu 1000

Listing 4: tcpconnect

    $ sudo tcpconnect-bpfcc
    PID    COMM         IP SADDR            DADDR            DPORT
    14786  Socket Threa 4  192.168.0.11     172.217.167.228  443
    14786  Socket Threa 4  192.168.0.11     82.103.136.226   80
    16530  wget         4  192.168.0.11     81.3.27.38       443
    16530  wget         4  192.168.0.11     178.124.134.106  443

Another tool that is useful for debugging TCP processes is tcpaccept (Figure 3), which traces the accept() system call. The overhead of tcpaccept is negligible, and although netstat can do the job of both tcpconnect and tcpaccept, the two eBPF tools are more versatile. You can even use the -p option with both the tools to watch specific processes, such as:

    sudo tcpaccept-bpfcc -p 14786

Figure 3: Note that tcpaccept will only trace successful TCP accept() calls and will not list attempts to connect to closed ports.

Peak Performance

One of the best uses for the eBPF tools is to help you tune your system for maximum performance by identifying and removing bottlenecks at various levels. You can begin by using the runqlat tool to chart how long threads spend waiting in the CPU run queues. It prints a summary of the scheduler run queue latency in the form of a histogram, as shown in Figure 4.

Figure 4: The runqlat tool helps chart the time that was lost while the CPU was busy elsewhere.

Then there's the biolatency tool, which comes in handy to visualize the latency of block device I/O. The biolatency tool keeps track of the elapsed time from when a device is called to its completion. Like runqlat, this tool will also print a histogram once it ends, either manually or after a specified duration. A typical invocation will look like:

    sudo biolatency-bpfcc -D 6 2

The -D option instructs biolatency to print separate information for each block device. The first numeric value is the time interval for printing each summary, whereas the second numeric value informs biolatency of the total number of times it should collect information, after which point biolatency will automatically exit. Therefore, the previous command instructs biolatency to print the first histogram 6 seconds after invoking the tool and another after a further 6 seconds.

In addition to devices, there are also several tools for tracing filesystems. There's ext4slower for EXT4 filesystems, xfsslower for XFS, btrfsslower for Btrfs, nfsslower for NFS, and zfsslower for ZFS. These tools will time the common filesystem operations and print a list of those that exceed a defined threshold. By default the threshold is set at 10ms, but you can customize it by specifying one manually (Listing 5).

Listing 5: Specifying a Threshold

    $ sudo ext4slower-bpfcc 100
    Tracing operations slower than 100 ms
    TIME     COMM           PID    T BYTES   OFF_KB   LAT(ms) FILENAME
    00:23:01 systemd-journa 288    S 0       0         128.92 user-1000.journal
    00:24:31 journal-offlin 288    S 0       0         132.98 system.journal
    00:24:31 journal-offlin 288    S 0       0         104.47 user-1000.journal

The command in Listing 5 will display all filesystem operations that are slower than 100 ms. It measures the time it takes from when an operation is called from the virtual filesystem to its completion and flags it if it exceeds the specified threshold. This tool is ideal for picking up performance issues caused by slow disk I/O at the filesystem level. It is a lot better than statistics plotted by popular performance monitoring tools, since they depict the performance of the disk, when in fact the bottleneck can also be due to the inability of the filesystem to respond to the requests flooding in.

We've only touched upon some of the eBPF tools that are at your disposal to trace and inspect various areas of your installation. Remember, however, that just because you have the performance measurement tools, it doesn't mean that you'll be able to streamline the performance of your box. Interpreting the results of the trace requires a fair bit of understanding of how Linux works and its internals. So make sure you invest some time reading up about the internals of the Linux kernel before you begin to utilize these tools to chip away milliseconds and optimize your installation.

Also know that eBPF has a greater mandate than just tracing. Thanks to its architecture, it can also play a role in system security. It can be used to monitor and detect intrusions and may even become the de-facto means for enforcing firewalls in Linux.

Info
[1] eBPF in the Linux Kernel: http://www.brendangregg.com/ebpf.html
[2] "The BSD Packet Filter: A New Architecture for User-level Packet Capture" by Steven McCanne and Van Jacobson: http://www.tcpdump.org/papers/bpf-usenix93.pdf
[3] bcc Project: https://github.com/iovisor/bcc
[4] bcc Installation: https://github.com/iovisor/bcc/blob/master/INSTALL.md

Author
Mayank Sharma is a technology writer and you can read his scribblings in various geeky magazines on both sides of the pond.
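Returning to the Network Inspector section above: tcpconnect attributes every outbound connect() to the process that made it, which is the raw material for a simple egress check of the kind the closing paragraph hints at. The following is an added example that is not part of the article. It reads tcpconnect output, copes with a COMM that contains a space (such as "Socket Threa" in Listing 4) by taking the network columns from the right-hand end of each line, and reports connections to destination ports outside an allowlist. The sample lines and the allowlist are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the article: flag outbound TCP connections whose
# destination port is not on an egress allowlist, using tcpconnect output.
# Columns: PID COMM IP SADDR DADDR DPORT. COMM may contain spaces, so the
# four network fields are read from the end of the line.

# Ports this host is expected to talk to (constructed for the demonstration).
ALLOWED_PORTS="22 53 80 443"

# Reads tcpconnect output on stdin; prints "COMM PID DADDR:DPORT" for each
# connection whose destination port is not in $ALLOWED_PORTS.
unexpected_egress() {
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 && $1 == "PID" { next }
        NF >= 6 {
            dport = $NF; daddr = $(NF - 1)
            # COMM is everything between PID and the IP-version column
            comm = $2
            for (i = 3; i <= NF - 4; i++) comm = comm " " $i
            if (!(dport in ok)) print comm, $1, daddr ":" dport
        }'
}

# Constructed sample in the layout tcpconnect prints.
SAMPLE_TCPCONNECT='PID    COMM         IP SADDR        DADDR           DPORT
14786  Socket Threa 4  192.168.0.11 172.217.167.228 443
14786  Socket Threa 4  192.168.0.11 82.103.136.226  80
16530  wget         4  192.168.0.11 81.3.27.38      443
20110  curl         4  192.168.0.11 198.51.100.7    4444
20115  sh           4  192.168.0.11 203.0.113.9     25'

# Number of unexpected connections in a tcpconnect listing (first argument).
count_unexpected() {
    printf '%s\n' "$1" | unexpected_egress | wc -l | tr -d ' '
}

# Live use:  sudo tcpconnect-bpfcc | unexpected_egress
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_TCPCONNECT" | unexpected_egress
fi
```

On the sample, the browser and wget traffic passes and the two odd connections (curl to port 4444, a shell to port 25) are reported with the PID that made them. Adding -U to tcpconnect appends a UID column at the end, in which case the awk offsets shift by one; adjust `$NF` and friends accordingly rather than relying on fixed column positions.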


Hidden CLI Tools

Under the Desktop

Overview of some little Linux tools: The command line has many smart tools that hardly anyone knows about. We introduce some of the most useful.

By Frank Hofmann and Axel Beckert

On close inspection, Linux turns out to be a veritable bag of tricks in the form of command-line tools. Besides the popular standard tools, Linux has numerous useful, but virtually unknown, exotic specimens – or have you already heard of timelimit, timeout, pv, bar, pipemeter, dd, cpipe, and progress?

Some of the tools (timeout and dd) can be found in the coreutils [1] package, which many distributors consider essential and therefore include in the standard installation. If, contrary to expectations, it is not installed on the distribution you are using, you can install it with the distro's package manager. In this article, we refer to the software packages containing the tools discussed here for Debian, Ubuntu, and their derivatives. For other distributions, the package to be installed might have a different name.

Time Controlled

The commands that schedule programs for execution include sleep, batch, at, atq, atrm, and crontab, but commands are rarely used to limit the run time of a call. This category includes tools like timeout from coreutils and timelimit from the package of the same name. Figure 1 shows how to use timeout to cancel the execution of a command after 10 seconds.

Figure 1: The timeout command limits the execution time of a program – to 10 seconds in this example.

Table 1: timelimit Parameters

| Switch | Explanation | Default |
|---|---|---|
| -s | Signal for orderly termination of the process | 15 (SIGTERM) |
| -t | Run time of the process until the termination signal is sent | 3600 seconds |
| -S | Signal for final termination of the process | 9 (SIGKILL) |
| -T | Wait time between the termination and the kill signal | 120 seconds |

Table 2: Metering Throughput

| Command | Package |
|---|---|
| pv | pv |
| bar | bar |
| pipemeter | pipemeter |
| dd | coreutils |
| cpipe | cpipe |
| progress | progress |

© pratyaksa, 123RF.com

If a program persistently refuses to terminate, you would usually send the SIGKILL signal to the offending process ID. timeout relieves you of this task. Its -s (--signal) option names the signal to send when the time limit expires (SIGTERM by default), and -k (--kill-after) DURATION makes timeout follow up with SIGKILL if the command is still running that long after the first signal. The following call sends signal 9 (SIGKILL) directly to the tail process after 10 seconds:

    $ timeout -s9 10s tail -f /var/log/messages

The timelimit tool does the same job, but it sends a warning signal in advance and then waits a specified period of time before sending signal 9 (SIGKILL) to the process for final cancelation. Unless you specify otherwise, the program uses the options and values specified in Table 1. The call

    $ timelimit -t10 tail -f /var/log/messages

demonstrates how to influence the time to final exit.

Transferring Data

Some tasks require you to transfer images from partitions, SD cards, or hard drives – be it to store an ISO image on a USB stick or to back up data with ssh to another computer. Often the dd and zcat commands are used with a pipe; sometimes just a cp in the terminal is sufficient.

Because the commands often transfer large amounts of data, a progress indicator would be useful to estimate how long the transfer will take. The zcat and cp commands do not offer this option, but dd has the status=progress option, available since coreutils v8.24 (July 2015); thus, it is still missing in distributions like Ubuntu 14.04 Trusty LTS or Debian 8 Jessie. However, you have a few alternatives for measuring throughput (Table 2).

Except for progress, the commands all work in a similar way, routing the data stream through a pipe to a corresponding command (e.g., pv) [2], which in turn indicates throughput on the terminal and the amount of data already processed (Listing 1, first call). If you enter pv -s and the size of the expected amount of data (Listing 1, second call), it calculates the total duration and outputs a progress bar (ETA/eta = estimated time of arrival, i.e., to finish).

Listing 1: Piping to pv

    $ zcat 9pi.img.gz | pv > /dev/null
     480MiB 0:00:04 [ 116MiB/s ] [ <=> ]
    $ zcat 9pi.img.gz | pv -s 480M > /dev/null
     178MiB 0:00:02 [76.5MiB/s] [======>      ] 37% ETA

Listing 2: Piping to bar

    $ zcat 9pi.img.gz | bar > /dev/null
    480.0MB at 120.0MB/s elapsed: 0:00:04
    Copied: 503316480B (480.0MB)
    Time: 4 seconds
    Throughput: 125829120B (120.0MB/s)
    $ zcat 9pi.img.gz | bar -s 480M > /dev/null
    119.1MB at 59.5MB/s eta: 0:00:06 24% [======         ]
    [...]
    480.0MB at 120.0MB/s eta: 0:00:00 100% [===============]
    Copied: 503316480B (480.0MB) (100% of expected input)
    Time: 4 seconds
    Throughput: 125829120B (120.0MB/s)
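The exit status is the part of timeout that scripts actually branch on, and it is easy to get wrong, so here is an added example (not from the article) that wraps a command in timeout with both a grace period and a hard kill and turns the status back into words. It relies only on documented GNU coreutils behaviour: timeout returns 124 when the command was stopped by the first signal, 137 (128+9) when the follow-up SIGKILL was needed, and the command's own status when it finished in time.

```shell
#!/bin/sh
# Added example, not from the article: run a command under a time limit with
# a grace period, then explain how it ended. Uses GNU coreutils timeout(1).

# run_with_limit LIMIT GRACE CMD...: send SIGTERM after LIMIT seconds and
# SIGKILL GRACE seconds later if the command is still alive. Returns
# timeout's exit status (the command's own status when it finished in time).
run_with_limit() {
    limit="$1"; grace="$2"; shift 2
    timeout -s TERM -k "$grace" "$limit" "$@"
}

# Turn an exit status from run_with_limit into a short verdict.
describe_status() {
    case "$1" in
        0)       echo "finished" ;;
        124)     echo "timed out (stopped by SIGTERM)" ;;
        137)     echo "timed out and ignored SIGTERM (killed by SIGKILL)" ;;
        125)     echo "timeout itself failed" ;;
        126|127) echo "command not executable or not found" ;;
        *)       echo "exited with status $1" ;;
    esac
}

# Demonstration, only when run directly with --demo.
if [ "${1:-}" = "--demo" ]; then
    run_with_limit 1 1 sleep 5; describe_status $?
    # A command that ignores SIGTERM; the ignore is inherited by its sleep,
    # so only the SIGKILL after the grace period ends it.
    run_with_limit 1 1 sh -c 'trap "" TERM; sleep 5'; describe_status $?
fi
```

The grace period matters for anything that flushes state on SIGTERM (a database dump, a sync client): a bare `timeout -s9` denies it that chance, whereas `-k` gives it a bounded window and still guarantees the process is gone afterwards. Note that timeout signals the whole process group it created, so children of the command are cleaned up as well.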

$ timelimit ‑t10 tail ‑f /var/log/messages Listing 3: Piping to pipemeter demonstrates how to influence the time to final exit. $ zcat 9pi.img.gz | pipemeter > /dev/null 120.00M/s 480.00M 8.00k 0:00:04 Transferring Data $ zcat 9pi.img.gz | pipemeter ‑s 480M > /dev/null Some tasks require you to transfer images from parti- [********‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑‑] 115.18M/s 115.18M 24.0% 0:00:03 tions, SD cards, or hard drives – be it to store an ISO [?] [********************************] 120.00M/s 480.00M 100.0% 0:00:04 image on a USB stick or to back up data with ssh to another computer. Often the dd and zcat commands are used with a pipe; sometimes just a cp in the ter- Listing 4: Piping to dd minal is sufficient. $ zcat 9pi.img.gz | dd status=progress > /dev/null Because the commands often transfer large amounts 473956864 bytes (474 MB, 452 MiB) copied, 4 s, 118 MB/s of data, a progress indicator would be useful to es- 983040+0 records in timate how long the transfer will take. The zcat and 983040+0 records out cp commands do not offer this option, but dd has 503316480 bytes (503 MB, 480 MiB) copied, 4.18 s, 120 MB/s the status=progress option, available since coreutils v8.24 (July 2015); thus, it is still missing in distribu- 16.04 LTS and Debian 9 Stretch includes a progress tions like Ubuntu 14.04 Trusty LTS or Debian 8 Jes- indicator (Listing 4). sie. However, you have a few alternatives for measur- The cpipe command works somewhat differently, ing throughput (Table 2). requiring you to specify a parameter (Listing 5). Except for progress, the commands all work in a Moreover, it outputs a separate line for each cycle similar way, routing the data stream through a pipe measured. With the ‑s option, you can limit through- to a corresponding command (e.g., pv) [2], which put speed, if necessary. 
in turn indicates throughput on the terminal and the The progress tool serves the same purpose but amount of data already processed (Listing 1, first works in a fundamentally different way than the call). If you enter pv ‑s and the size of the expected utilities previously presented, because you do not amount of data (Listing 1, second call), it calculates pipe data to it. Instead, it looks externally at the the total duration and outputs a progress bar (ETA/​ processes and usually finds the right program. If eta=estimated time of arrival, i.e., to finish). you call it at a time when you are not moving any The bar (Listing 2) and pipemeter (Listing 3) pro- data back and forth, it tells you what tools it is grams work in a similar way. Also, dd in Ubuntu looking for (Listing 6).
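The piping meters above (pv, bar, pipemeter) all sit between two ends of a pipe, report the rate and, once told the expected size, a percentage and ETA. The following minimal meter in Python is an added example, not code from the article or from any of those projects; it does the same job and, at the end, compares the byte count with the expected size, because a short or long transfer means the copied image cannot be trusted. Names such as parse_size and pump are my own.

```python
import sys
import time

CHUNK = 1 << 16   # 64 KiB per read, roughly one pipe buffer

def parse_size(text):
    """Expected byte count as pv -s takes it: plain bytes or a K/M/G/T suffix (binary units)."""
    units = {"K": 1, "M": 2, "G": 3, "T": 4}
    text = text.strip().upper()
    if text and text[-1] in units:
        return int(float(text[:-1]) * 1024 ** units[text[-1]])
    return int(text)

def eta_seconds(done, total, elapsed):
    """Remaining seconds if the average rate so far holds; None without a total or before any data."""
    if not total or done == 0 or elapsed <= 0:
        return None
    return (total - done) / (done / elapsed) if done < total else 0.0

def status_line(done, total, elapsed):
    """One meter line in the spirit of pv: volume, time, rate and, with a known total, percentage and ETA."""
    rate = done / elapsed if elapsed > 0 else 0.0
    line = f"{done / 2**20:7.1f}MiB {elapsed:6.1f}s [{rate / 2**20:6.1f}MiB/s]"
    if total:
        eta = eta_seconds(done, total, elapsed)
        line += f" {min(100.0, 100.0 * done / total):5.1f}%"
        line += f" ETA {eta:.0f}s" if eta is not None else " ETA ?"
    return line

def pump(src, dst, total=None, report=None, interval=0.5, clock=time.monotonic):
    """Copy src to dst chunk by chunk, call report(line) at most once per interval, return the byte count."""
    start = last = clock()
    done = 0
    while chunk := src.read(CHUNK):
        dst.write(chunk)
        done += len(chunk)
        now = clock()
        if report and now - last >= interval:
            report(status_line(done, total, now - start))
            last = now
    if report:
        report(status_line(done, total, max(clock() - start, 1e-9)))
    return done

if __name__ == "__main__":   # usage: zcat image.gz | python3 meter.py [SIZE] > target.img
    total = parse_size(sys.argv[1]) if len(sys.argv) > 1 else None
    n = pump(sys.stdin.buffer, sys.stdout.buffer, total, report=lambda s: print("\r" + s, end="", file=sys.stderr))
    print(file=sys.stderr)
    if total is not None and n != total:   # short or long transfer: do not trust the copy
        sys.exit(f"error: copied {n} bytes, expected {total}")
```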

WWW.ADMIN-MAGAZINE.COM 10 TERRIFIC TOOLS FOR THE BUSY ADMIN: 2020 EDITION – SPONSORED BY FOSSLIFE 23 10 TERRIFIC TOOLS – 2020 Hidden CLI Tools

If you call the

zcat .gz > /dev/null

command in a shell and start progress in another, you will see output like:

$ progress
[19153] gzip /home/abe/Images/Raspberry_Pi/9pi.img.gz
14.0% (17.1 MiB / 121.8 MiB)

The number in square brackets at the beginning of the output is the process ID. Unlike other programs, progress does not analyze the amount of decompressed data in archives, but rather the size of the compressed file on the filesystem. The tool looks in real time at the running programs to see where they are in the file opened for reading.

The call above only returns a snapshot of the current state. If you want to observe the process of copying data over a longer period of time, you use the -m (monitoring) switch; of course, you should start progress -m only if a suitable process is running. The software terminates automatically if it can no longer find a suitable process.

The -M rather than -m option disables the automatic exit. In this way, you can call progress before you start transferring data. In principle, this mode is equivalent to watch progress. Armed with both options, the tool displays a read rate, including an extrapolation of the remaining time:

$ progress -mM
[21040] gzip /home/abe/Images/Raspberry_Pi/9pi.img.gz
66.0% (80.4 MiB / 121.8 MiB)
40.0 MiB/s remaining 0:00:01

As you have already seen, progress supports numerous tools by default. If a required tool is missing, you can tell the utility about it with the -c (only this program) and -a (also this program) options. The tool then searches for matching calls with read and write operations in open files, monitors them, and outputs the matching data.

Listing 5: Piping to cpipe

$ zcat 9pi.img.gz | cpipe -vt > /dev/null
thru: 1.144ms at 109.3MB/s ( 109.3MB/s avg) 128.0kB
thru: 1.223ms at 102.2MB/s ( 103.8MB/s avg) 256.0kB
thru: 1.525ms at 82.0MB/s ( 95.1MB/s avg) 384.0kB
thru: 1.605ms at 77.9MB/s ( 89.9MB/s avg) 512.0kB
thru: 1.719ms at 72.7MB/s ( 85.5MB/s avg) 640.0kB
thru: 1.542ms at 81.1MB/s ( 84.6MB/s avg) 768.0kB
thru: 1.611ms at 77.6MB/s ( 83.3MB/s avg) 896.0kB
thru: 1.658ms at 75.4MB/s ( 82.1MB/s avg) 1024.0kB
thru: 1.538ms at 81.3MB/s ( 81.9MB/s avg) 1.1MB
thru: 1.599ms at 78.2MB/s ( 81.4MB/s avg) 1.2MB
thru: 1.704ms at 73.4MB/s ( 80.5MB/s avg) 1.4MB
thru: 1.473ms at 84.9MB/s ( 80.8MB/s avg) 1.5MB

Listing 6: progress Tools

$ progress
No command currently running: cp, mv, dd, tar, cat, rsync, grep, fgrep, egrep, cut, sort, md5sum, sha1sum, sha224sum, sha256sum, sha384sum, sha512sum, adb, gzip, gunzip, bzip2, bunzip2, xz, unxz, lzma, unlzma, 7z, 7za, zcat, bzcat, lzcat, split, gpg, or wrong permissions.

Conclusions

The tools presented here add a kick to the daily grind at the command line, although they differ in detail: Some offer more features, whereas others focus on the essentials. Before using the tools, you should browse their man pages, which you can do up front even before installing the tools by reading the help pages online [3].

Info

[1] coreutils: https://packages.debian.org/coreutils
[2] Progress bar with pv and progress: https://www.howtoforge.com/tutorial/how-to-monitor-progress-of-linux-commands-using-pv-and-progress-utilities/
[3] Man pages online: https://manpages.debian.org
[4] Debian Package Management Book: http://www.dpmb.org/index.en.html

The Authors

Digital nomad Frank Hofmann prefers to work from Berlin, Geneva, and Cape Town as a developer, LPI-certified trainer, and author. Axel Beckert is a Linux system administrator and network security specialist with ETH Zurich IT services. The duo wrote Debian Package Management Book [4].
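The approach progress takes, watching where a running process currently sits in the file it has open rather than touching the data stream, can be reproduced from /proc. The following Python is an added example and not the progress tool's own code: it picks the largest regular file a process holds open under /proc/PID/fd, reads the offset from the pos: line of /proc/PID/fdinfo/FD, and extrapolates rate and remaining time between two samples. It is Linux-only and, like progress, reports only on processes whose /proc entries the caller is allowed to read; the names snapshot and rate_and_eta are my own.

```python
import os
import re
import stat
import sys
import time

def parse_fdinfo(text):
    """Current file offset from the text of /proc/PID/fdinfo/FD (its 'pos:' line)."""
    m = re.search(r"^pos:\s*(\d+)", text, re.M)
    return int(m.group(1)) if m else None

def rate_and_eta(prev_pos, pos, size, interval):
    """(bytes/s, seconds remaining) between two samples; None if the offset did not advance."""
    if pos <= prev_pos or interval <= 0:
        return None
    rate = (pos - prev_pos) / interval
    return rate, (size - pos) / rate

def snapshot(pid):
    """(path, pos, size) of the largest regular file PID holds open; None if none or /proc/PID is unreadable."""
    best = None
    try:
        for fd in os.listdir(f"/proc/{pid}/fd"):
            try:
                st = os.stat(f"/proc/{pid}/fd/{fd}")
                if not stat.S_ISREG(st.st_mode) or st.st_size == 0:
                    continue                       # ttys, pipes, sockets, empty files
                if best is not None and st.st_size <= best[2]:
                    continue                       # a bigger candidate is already known
                with open(f"/proc/{pid}/fdinfo/{fd}") as f:
                    pos = parse_fdinfo(f.read()) or 0
                best = (os.readlink(f"/proc/{pid}/fd/{fd}"), pos, st.st_size)
            except OSError:
                continue                           # fd closed between listdir and stat
    except OSError:
        return None                                # process gone or permission denied
    return best

if __name__ == "__main__":    # usage: python3 procprogress.py PID [INTERVAL]
    pid = int(sys.argv[1])
    interval = float(sys.argv[2]) if len(sys.argv) > 2 else 1.0
    prev = None
    while (snap := snapshot(pid)) is not None:     # exit like 'progress -m' once the file is closed
        path, pos, size = snap
        line = f"[{pid}] {path} {100.0 * pos / size:.1f}% ({pos} / {size} bytes)"
        if prev is not None and (est := rate_and_eta(prev, pos, size, interval)):
            line += f" {est[0] / 2**20:.1f} MiB/s remaining {est[1]:.0f}s"
        print(line)
        prev = pos
        time.sleep(interval)
```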
