Jun 21 2015

It has been a while since I last posted anything on this blog, so I will get into something cool now 🙂

And into something I will need one day or another: a collection of very, very useful networking commands available for Linux.

Let’s start with an easy one: iperf and its variant with more options, netperf.
Very useful to measure TCP/UDP performance between two hosts by pumping traffic either unidirectionally or bidirectionally.
In the simplest usage, on one server you run iperf -s and get the following output:

$ iperf -s
Server listening on TCP port 5001
TCP window size:  128 KByte (default)


On the client, you run iperf -c <destination_host> -f m (this option is to get output in Mbps) and after a few seconds you’ll see:

root@facchina:~# iperf -c -f m
Client connecting to, TCP port 5001
TCP window size: 0.02 MByte (default)
[  3] local port 48643 connected with port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0-10.0 sec  1122 MBytes   941 Mbits/sec

Rather cool, huh? And there are countless options…

The second one I’m sharing with you is tcptrack. Fantastic tool to keep track of the TCP connections happening on your machine and how active they are. When you type tcptrack -i <interface> here’s what you get:



Let’s continue with bmon, specifically conceived to monitor interface traffic while keeping historical info in the view:



Another great one to detect programs eating bandwidth is nethogs, shown below in a running sample:


And then, a really cool one I use VERY frequently: iftop, to check the bandwidth used by every connection on the machine.


To conclude this list of tools I selected speedometer, a very nice and clean tool to display network traffic information with quite a lot of options.

That’s all folks… enjoy!


Oct 12 2014

Pretty long title for a pretty long piece of work, which took me more time than I initially thought. And because I sorted it out by blending info from multiple sites, here we go with a unified post.

Let’s start with the goal.

I wanted to have root access to my home machine via SSH/SFTP with a strong authentication system; but I also wanted to offer a friend of mine access to an externally connected hard drive with a simple password.

And to keep everything more secure, I wanted to have this guy chrooted into the directory he logs in to.

I will not cover the strong authentication setup since there are very good instructions on their site.

To enable the strong authentication only for root, I had to modify a little bit my /etc/ssh/sshd_config file as shown below.

  • disable PAM integration by putting a hash at the beginning of the line:
    # UsePAM yes

    This is needed since we’re going to use the Match Group directive

  • insert the following lines below the Subsystem sftp /usr/lib/openssh/sftp-server section:
    Match Group root
    ForceCommand /usr/sbin/login_duo

Save and exit, restart the ssh service and test it: when you ssh to the system and type in the root username and password, something similar to what is reported below should appear:

$ ssh root@
root@'s password: 
Duo two-factor login for root
Enter a passcode or select one of the following options:
1. Duo Push to +XX XXX XXX 1791
 2. Phone call to +XX XXX XXX 1791
 3. SMS passcodes to +XX XXX XXX 1791
Passcode or option (1-3):

Once you choose (for example) 1 and confirm on your authentication device, login will complete.

To enable chrooted access for my friend without forcing him to enroll in strong auth, I have created an sftp group with the command:

groupadd sftp

Then I have added him to this group with the command:

usermod -G sftp <login name>

I have also disabled his shell with the command:

usermod -s /bin/false <login name>

and set his home directory to my external disk with the command:

usermod -d /media/external/friend <login name>

Finally I have created the following entries for sftp in /etc/ssh/sshd_config file under the Subsystem sftp /usr/lib/openssh/sftp-server section as shown below.

Match Group sftp
 ChrootDirectory /media/external/friend
 AllowTCPForwarding no
 X11Forwarding no
 ForceCommand internal-sftp

NOTA BENE: the directory friend must be owned by root with 700 rights. Because my friend is part of the sftp group, to allow him to upload content I needed to create a directory upload below the directory friend and had to chown that directory to his login name as shown below:


If you want some more background info about why you need to change the ownership and set the rights mentioned above, check here.

Once you complete all the editing, remember to restart the ssh service with the command

service ssh restart
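
The ownership requirement in the note above can be checked before the restart. The following is an added example, not part of the original post: it walks from the chroot directory up to / and reports the first component that is not a root-owned directory or is writable by group or others, which is the condition sshd enforces on a ChrootDirectory. The function name check_chroot_path is an assumption made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). check_chroot_path is a
# hypothetical helper name.
#
# check_chroot_path DIR
# Walks from DIR up to / and fails on the first component that is not a
# directory, is not owned by uid 0, or is writable by group or others.
check_chroot_path() {
    p=$1
    case $p in
        /*) ;;
        *) echo "not an absolute path: $p" >&2; return 2 ;;
    esac
    while :; do
        # ls -ldn prints the mode string and the numeric owner without
        # following a symlink in the last component.
        info=$(ls -ldn "$p" 2>/dev/null | awk '{print $1, $3}')
        if [ -z "$info" ]; then
            echo "missing: $p"; return 1
        fi
        mode=${info% *}
        uid=${info#* }
        case $mode in
            d*) ;;
            *) echo "not a directory: $p"; return 1 ;;
        esac
        if [ "$uid" != 0 ]; then
            echo "not owned by root (uid $uid): $p"; return 1
        fi
        case $mode in
            ?????w*|????????w*)
                echo "group/other writable ($mode): $p"; return 1 ;;
        esac
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# Check the path given on the command line, if any.
if [ $# -gt 0 ]; then
    check_chroot_path "$1"
fi
```

Pass the chroot path as the first argument, for example /media/external/friend; running sshd -t additionally checks the edited sshd_config for syntax errors before the restart.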



Apr 13 2014

First off, a BIG thank you to my friend Luca Ferrarotti who inspired, actively contributed and helped me with this HowTo.

Then, this is something I have wanted to write for a very long time. Other articles in this blog explain how to use OS X or iOS to build a native client-to-site IPSec VPN terminated on McAfee (formerly Stonesoft) Next Generation Firewall. Since I joined Stonesoft many years ago, lots of people have asked me, Support and my SE colleagues how to build this configuration… here you are. Your voice has been heard!

I wrote this article using McAfee Next Generation Firewall version 5.5.6 and McAfee Security Management Center 5.7.0, while on the client side I am on Ubuntu 12.04.4 LTS.

Dec 31 2013

It took me quite a lot of experimenting and quite a long time before finding the proper way to do this, especially considering that Mavericks is a bit different from the previous felines… and that I was using Debian Squeeze…

I’ve finally been able to achieve it (and tested it with a file restore as well), hence I’ve decided to document my configuration here, hoping it will be of some benefit to others.

To be clear: this is a document to build a backup system “à la Time Machine” for your Mac based on Mavericks OS X 10.9.1 using a file share on Debian Linux and AFP protocol.

First off, some statements about false/deviating info I’ve found on other sites:

  • You cannot use AFP with Mavericks, since it defaults to SMB2 ==> not true. I have a working configuration using AFP
  • You can use whatever Debian/Ubuntu version, at worst you just tune your config ==> not true. At least not for me. It all started working when I moved from the previous Squeeze Debian (6.0) to the latest greatest Wheezy (7.0)
  • It’s hard to configure the stuff, requires programming/scripting ==> not true. Sure, you need to modify some configuration files on your Linux box… but if you are not able to vi some files, maybe you should think about having another operating system.

As said, please ensure your Debian Linux is at version 7.0 (Wheezy). If not, you should really consider upgrading. It’s free, well documented, easy and it will save you tons of days and headaches trying to make bits behave 🙂

Mar 25 2013

Continuing with my Seafile experiments, I’ve found that they’ve done a pretty good job in offering local language support, and this includes Italian.

Well, sort of.

I mean, the translation is nice and mostly well done… but sometimes you see part of the UI in… Cyrillic???

After my first WTF reaction 🙂 I started checking how to fix this and I got good hints from Seafile as well. I ended up improving the Italian language support they offer, and they promise to integrate my efforts in the next version (good!).

In case you’re interested in modifying some part of an existing language support in the Seafile web UI, what you need to have on your server machine is the following (commands refer to Ubuntu 12.04 LTS):

  • Python 2.7 (if you don’t have it, give a “apt-get install python2.7” to get it)
  • Django extension to Python (if you don’t have it, give a “apt-get install python-django” to get it)
  • gettext command (if you don’t have it, give a “apt-get install gettext” to get it)

Then, modify the file <seafile_install_directory>/seahub/locale/<your_language_country_code>/LC_MESSAGES/django.po

Replace <your_language_country_code> with the language code you’re interested in, for example it for Italian.

Change/correct/replace/add the strings you’re missing.

The file logic is based on the string in English, followed by the one in the local language, for example:

#: forms.py:56 templates/snippets/repo_create_js.html:28
msgid "Name can't be empty"
msgstr "Il nome non può essere vuoto"

Once you’re done with your django.po file, copy the existing django.mo file (language file compiled) in the same directory to some other safe place and from <seafile_install_directory>/seahub/ directory type the command:

./i18n.sh compile-all

This should generate a new django.mo file with the modifications you have made.

As a bonus, if you just want to get rid of Cyrillic you can copy these two files into <seafile_install_directory>/seahub/locale/<your_language_country_code>/LC_MESSAGES/ in your installation and restart the servers (seafile and seahub).



Mar 21 2013

Seafile is a cool project about building a private “Dropbox-like” system.

Although young, it looks VERY promising and it is well documented.

The only shady part is that if you follow the manual step by step you end up with a plain HTTP web server frontend, which is definitely not perfect if you’re looking for security.

Info about how to decently configure Apache2 is a bit dispersed across multiple sites, hence I’ve decided to detail in this post the few simple steps you need to achieve a Seafile based private cloud where even the web frontend works in HTTPS.

Let’s pick up from where you end up if you follow the instructions published by Seafile Team.

Nov 29 2012

I can’t remember how many times I have dug up this info on the internet, always in an emergency.

Hence I’ve decided once and for all to write a small note here.

Suppose that in /boot directory there is a kernel you want to remove, identified by files like:

  • abi-2.6.38-15-generic-pae
  • config-2.6.38-15-generic-pae
  • initrd.img-2.6.38-15-generic-pae
  • System.map-2.6.38-15-generic-pae
  • vmcoreinfo-2.6.38-15-generic-pae
  • vmlinuz-2.6.38-15-generic-pae

Here’s the right command:

apt-get remove --purge linux-image-2.6.38-15-generic-pae

If you are brave and wanna go scripting wild 🙂 first check which kernel you are booting with, using the command:

uname -r

This will give you an output like: “2.6.38-16-generic-pae”

Then you check which other kernels you have, except the one you’re booting with, using the command:

dpkg -l|egrep '^ii  linux-(im|he)'|awk '{print $2}'|grep -v `uname -r`
(yes, if you do not use egrep on the first grep it won't work)

This will return the list of kernels which are not the one you’re executing (because you excluded that one with grep -v):


Finally, you run the remove command using:

sudo apt-get remove $(dpkg -l|egrep '^ii  linux-(im|he)'|awk '{print $2}'|grep -v `uname -r`)

TO BE CHECKED: the command above might also remove metapackages such as linux-headers-generic-pae. Hence it is safer to remove the needed packages from the above list one by one.
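
The filter below is an added example, not part of the original post, addressing the TO BE CHECKED note: it keeps only versioned linux-image/linux-headers packages, so metapackages are never listed, and it also skips the common headers package of the running kernel (for example linux-headers-2.6.38-16), which a grep -v on the uname -r string does not exclude. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Constructed sample in `dpkg -l` format, not taken from a real machine.
sample_dpkg_listing() {
cat <<'EOF'
ii  linux-headers-2.6.38-15              2.6.38-15.66  common headers
ii  linux-headers-2.6.38-15-generic-pae  2.6.38-15.66  flavour headers
ii  linux-headers-2.6.38-16              2.6.38-16.67  common headers
ii  linux-headers-2.6.38-16-generic-pae  2.6.38-16.67  flavour headers
ii  linux-headers-generic-pae            2.6.38.16.31  metapackage
rc  linux-image-2.6.38-14-generic-pae    2.6.38-14.58  removed, config left
ii  linux-image-2.6.38-15-generic-pae    2.6.38-15.66  kernel image
ii  linux-image-2.6.38-16-generic-pae    2.6.38-16.67  kernel image
ii  linux-image-generic-pae              2.6.38.16.31  metapackage
EOF
}

# removable_kernels RUNNING_RELEASE
# Reads `dpkg -l` output on stdin and prints the installed, versioned kernel
# packages that do not belong to RUNNING_RELEASE (the output of `uname -r`).
removable_kernels() {
    awk -v running="$1" '
    BEGIN {
        # ABI prefix shared by the flavour and the common header packages,
        # e.g. 2.6.38-16 taken from 2.6.38-16-generic-pae.
        base = running
        if (match(running, /^[0-9.]+-[0-9]+/))
            base = substr(running, RSTART, RLENGTH)
    }
    # Only fully installed packages whose name carries a version number.
    $1 == "ii" && $2 ~ /^linux-(image|headers)-[0-9]/ {
        ver = $2
        sub(/^linux-(image|headers)-/, "", ver)
        # Skip everything that belongs to the running kernel.
        if (ver == base || index(ver, base "-") == 1)
            next
        print $2
    }'
}

# On a real system: dpkg -l | removable_kernels "$(uname -r)"
sample_dpkg_listing | removable_kernels "2.6.38-16-generic-pae"
```

Review the printed list before handing it to apt-get remove --purge.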

Jan 26 2012

As usual, not that immediate to find a proper answer on the ‘Net, hence I’m providing one here.

While in Snow Leopard it was quite easy to see your ext2/ext3 formatted disks via MacFuse and ext2-fuse, in Lion you need to install another fuse fork and select a special option. That new fork is OSXFUSE, whose latest release at the time of this post is from December 2011.

The most common symptom indicating you need this is to try mounting an ext2/3 formatted drive and see the following error:

fuse-ext2 /dev/disk3s1 /Volumes/Movies
dyld: Library not loaded: /usr/local/lib/libfuse.2.dylib
 Referenced from: /usr/local/bin/fuse-ext2
 Reason: image not found

During the installation of OSXFUSE, you need to enable MacFuse Compatibility Layer by flagging the appropriate checkbox as shown below:

Once you’re done with this, replug your ext2/3 formatted drive and it’ll automagically mount in Finder, giving you the deserved magnificent user experience of a Mac user 😉




Dec 04 2011

How many times have I found myself launching a script or, worse, seeing a process running on a system and wishing to take control over it… the answer is too many 😉

Today I’ve found a nice solution at least for Linux systems with the utility reptyr.

While I’m writing this post the package is still in unstable dist, hence not part of the “standard” repositories for a Debian Linux system.

But you can download it using the command:

wget http://http.us.debian.org/debian/pool/main/r/reptyr/reptyr_0.3-2_i386.deb

for i386 architecture.

Then, to install

dpkg -i reptyr_0.3-2_i386.deb

And finally you run it.

For example, to bring a process with pid 4242 to your running tty you type:

reptyr 4242


Nov 17 2011

I found this process well described on the Ubuntu website, hence I thought it was a good idea to report it here as well, for future usage.

Note: this procedure requires an .img file that you will be required to create from the .iso file you download.

TIP: Drag and Drop a file from Finder to Terminal to ‘paste’ the full path without typing and risking typing errors.


1. Download the desired file

2. Open the Terminal (in /Applications/Utilities/ or query Terminal in Spotlight)

3. Convert the .iso file to .img using the convert option of hdiutil (e.g., hdiutil convert -format UDRW -o ~/path/to/target.img ~/path/to/ubuntu.iso)

4. Note: OS X tends to put the .dmg ending on the output file automatically.

5. Run diskutil list to get the current list of devices

6. Insert your flash media

7. Run diskutil list again and determine the device node assigned to your flash media (e.g. /dev/disk2)

8. Run diskutil unmountDisk /dev/diskN (replace N with the disk number from the last command; in the previous example, N would be 2)

9. Execute sudo dd if=/path/to/downloaded.img of=/dev/rdiskN bs=1m (replace /path/to/downloaded.img with the path where the image file is located; for example, ./ubuntu.img or ./ubuntu.dmg).

▪ Using /dev/rdisk instead of /dev/disk may be faster.

▪ If you see the error dd: Invalid number ‘1m’, you are using GNU dd. Use the same command but replace bs=1m with bs=1M.

▪ If you see the error dd: /dev/diskN: Resource busy, make sure the disk is not in use. Start the ‘Disk Utility.app’ and unmount (don’t eject) the drive.

10. Run diskutil eject /dev/diskN and remove your flash media when the command completes

11. Restart your Mac and press alt while the Mac is restarting to choose the USB-Stick