net.ipv4.icmp_echo_ignore_broadcasts = 1
Don’t respond to ping broadcasts. Ping broadcasts and multicasts are usually an
attack of some kind, like a Smurf attack. You may want to use a ping broadcast
to see what hosts on your LAN are up, but there are other ways to do this. It is a
lot safer to leave broadcast replies disabled.
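A setting changed with sysctl -w is lost at reboot, and a line in a config file has no effect until it is loaded, so it is worth checking both. The following is an added example, not from the original text; the function names and the file list passed to them are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare the live kernel value with the persisted one.
KEY=net.ipv4.icmp_echo_ignore_broadcasts

# conf_value KEY FILE...  -> last value assigned to KEY (later files win)
conf_value() (
    key=$1; shift
    [ $# -ge 1 ] || exit 2
    awk -v k="$key" '
        /^[ \t]*[#;]/ { next }                      # comment lines
        {
            line = $0
            sub(/^[ \t]*-?[ \t]*/, "", line)       # optional "-" (ignore-errors) prefix
            n = index(line, "="); if (!n) next
            name = substr(line, 1, n - 1); val = substr(line, n + 1)
            gsub(/[ \t]/, "", name); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == k) last = val
        }
        END { if (last == "") exit 1; print last }' "$@"
)

# check_ignore_broadcasts PROC_ROOT FILE...
# Prints "live=<v> conf=<v>"; succeeds only when both are 1.
check_ignore_broadcasts() (
    proc=$1; shift
    live=$(cat "$proc/sys/net/ipv4/icmp_echo_ignore_broadcasts" 2>/dev/null) || live=unreadable
    conf=$(conf_value "$KEY" "$@") || conf=unset
    echo "live=$live conf=$conf"
    [ "$live" = 1 ] && [ "$conf" = 1 ]
)

# Typical call on a real host (the file list is an assumption; adjust to your distro):
# check_ignore_broadcasts /proc /etc/sysctl.conf
```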
ipcalc is a standard program available for any Linux. This
command shows you everything you need to know for a single network:
$ ipcalc 192.168.10.0/24
Address: 192.168.10.0 11000000.10101000.00001010. 00000000
Netmask: 255.255.255.0 = 24 11111111.11111111.11111111. 00000000
Wildcard: 0.0.0.255 00000000.00000000.00000000. 11111111
Network: 192.168.10.0/24 11000000.10101000.00001010. 00000000
HostMin: 192.168.10.1 11000000.10101000.00001010. 00000001
HostMax: 192.168.10.254 11000000.10101000.00001010. 11111110
Broadcast: 192.168.10.255 11000000.10101000.00001010. 11111111
Hosts/Net: 254 Class C, Private Internet
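The arithmetic behind the ipcalc output above, as an added example that is not from the original text. It covers IPv4 prefixes from /0 to /30 only, and the function names are made up for this illustration.

```shell
#!/bin/sh
# Added example: derive ipcalc's fields with 32-bit integer arithmetic.

# ip_to_int A.B.C.D -> integer; rejects malformed or out-of-range octets
ip_to_int() (
    set -f; IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*|????*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int_to_ip N -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# subnet_field ADDR/BITS FIELD
# FIELD: netmask wildcard network hostmin hostmax broadcast hosts
subnet_field() (
    addr=${1%/*}; bits=${1#*/}
    case $bits in ''|*[!0-9]*|???*) exit 1 ;; esac
    [ "$bits" -le 30 ] || exit 1
    ip=$(ip_to_int "$addr") || exit 1
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))   # BITS ones, then zeros
    wild=$(( ~mask & 0xFFFFFFFF ))                         # inverted mask
    net=$(( ip & mask ))                                   # host bits cleared
    bcast=$(( net | wild ))                                # host bits all set
    case $2 in
        netmask)   int_to_ip "$mask" ;;
        wildcard)  int_to_ip "$wild" ;;
        network)   echo "$(int_to_ip "$net")/$bits" ;;
        hostmin)   int_to_ip $(( net + 1 )) ;;
        hostmax)   int_to_ip $(( bcast - 1 )) ;;
        broadcast) int_to_ip "$bcast" ;;
        hosts)     echo $(( bcast - net - 1 )) ;;
        *)         exit 1 ;;
    esac
)

# Print the same fields ipcalc shows for the network used above.
for f in netmask wildcard network hostmin hostmax broadcast hosts; do
    printf '%-10s %s\n' "$f:" "$(subnet_field 192.168.10.0/24 "$f")"
done
```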
Making Static Routes Persistent
Of course there are. On Debian, add them to /etc/network/interfaces in the stanza for
their corresponding interface:
iface eth1 inet static
up route add -net 172.16.5.0/24 gw 192.168.10.100 eth1
up route add -net 172.24.0.0/24 gw 192.168.10.100 eth1
down route del -net 172.24.0.0/24
down route del -net 172.16.5.0/24
You want to change the passphrase on one of your private keys.
Use the -p switch with the ssh-keygen command:
$ ssh-keygen -p -f ~/.ssh/id_dsa
Mounting Entire Remote Filesystems with sshfs
OpenSSH is pretty fast and efficient, and even tunneling X Windows over OpenSSH
isn’t too laggy. But sometimes, you want a faster way to edit a number of remote
files—something more convenient than scp, and kinder to bandwidth than running a
graphical file manager over SSH.
sshfs is just the tool for you. sshfs lets you mount an entire remote filesystem and
then access it just like a local filesystem.
Install sshfs, which should also install fuse. You need a local directory for your
carla@xena:~$ mkdir sshfs
Then, make sure the fuse kernel module is loaded:
$ lsmod|grep fuse
fuse 46612 1
If it isn’t, run modprobe fuse.
Next, add yourself to the fuse group.
Then, log in to the remote PC and go to work:
carla@xena:~$ sshfs uberpc: sshfs/
Now, the remote filesystem should be mounted in ~/sshfs and just as accessible as
your local filesystems.
When you’re finished, unmount the remote filesystem:
$ fusermount -u sshfs/
Users who are new to sshfs always ask these questions: why not just run X over SSH,
or why not just use NFS?
It’s faster than running X over SSH, it’s a heck of a lot easier to set up than NFS, and
a zillion times more secure than NFS, is why.
Customizing the Remote VNC Desktop
The default VNC remote desktop on Linux is little better than a plain vanilla SSH
session—all you get is some barebones window manager like TWM or Metacity, and
an Xterm. How do you get the window manager or desktop of your choice?
Edit your ~/.vnc/xstartup file on the server. This is the default:
xsetroot -solid grey
x-terminal-emulator -geometry 80x24+10+10 -ls -title "$VNCDESKTOP Desktop" &
If there is no ~/.Xresources file, comment that line out.
Simply replace x-window-manager with the startup command for the window manager
of your choice, like this:
Whenever you make changes in this file, you need to stop and restart the server:
$ tightvncserver -kill :1
Then, log in again from your remote PC.
Table 8-2 lists some startup commands for various window managers, which must
be installed on the server if you want to use them.
To create a bootable USB flash drive, you need at least a 256 MB drive. Then,
download the hd-media/boot.img.gz file from your favorite Debian mirror. Make sure the
drive is unmounted, and copy it to the drive with this command:
# zcat boot.img.gz > /dev/sda
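The zcat command above overwrites whatever disk is at /dev/sda, so confirm the target before running it. The following is an added example, not from the original text: it relies on the Linux /sys/block/NAME/removable flag and /proc/mounts, and safe_to_image is a hypothetical name. USB hard drives that report removable=0 are refused.

```shell
#!/bin/sh
# Added example: refuse to image a device unless it is a removable,
# unmounted whole disk.

# safe_to_image DEV [SYSFS_ROOT] [MOUNTS_FILE]
# The two optional arguments exist so the check can be exercised against
# a constructed directory tree instead of the live system.
safe_to_image() (
    dev=$1; sys=${2:-/sys}; mounts=${3:-/proc/mounts}
    name=${dev#/dev/}
    case $name in
        ''|*/*) echo "$dev: expected a name like /dev/sdX" >&2; exit 1 ;;
    esac

    # Only whole disks have an entry directly under /sys/block, so a
    # partition such as /dev/sdb1 fails here.
    flag=$sys/block/$name/removable
    [ -r "$flag" ] || { echo "$dev: not a whole disk known to the kernel" >&2; exit 1; }
    [ "$(cat "$flag")" = 1 ] || { echo "$dev: not flagged removable" >&2; exit 1; }

    # Fail closed if the mount table cannot be read.
    [ -r "$mounts" ] || { echo "cannot read $mounts" >&2; exit 1; }

    # First field of each mount entry is the device. Match the disk itself
    # and its partitions (sdb1, or mmcblk0p1 style with a "p" before the number).
    if awk -v d="$dev" '
        $1 == d || (index($1, d) == 1 && substr($1, length(d) + 1) ~ /^p?[0-9]+$/) { found = 1 }
        END { exit !found }' "$mounts"
    then
        echo "$dev: still mounted, unmount it first" >&2
        exit 1
    fi
)

# Usage, as root:
# safe_to_image /dev/sda && zcat boot.img.gz > /dev/sda
```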
FPing pings all the addresses in a range in sequence. This example pings a subnet
once, reports which hosts are alive, queries DNS for the hostnames, and prints a
$ fping -c1 -sdg 192.168.1.0/24
ping6 to one interface
$ ping6 -c2 -I eth0 fe80::203:6dff:fe00:83cf
Finding Duplicate IP Addresses with arping
You want to know how to test an IP address on your LAN to see whether it is a
Use arping, like this:
$ arping -D 192.168.1.76
Testing HTTP Throughput and Latency with httping
As always, your users are complaining “the web site is too slow! We’re dying here!”
But it seems OK to you. Isn’t there some way you can make some objective
measurements without having to master some expensive, complicated analysis tool?
While sophisticated HTTP server analysis tools are nice, and there are dozens of
them, sometimes you just want something quick and easy. httping is an excellent
utility for measuring HTTP server throughput and latency, and because it’s a tiny
command-line tool, you can easily run it from multiple locations via SSH.
Its simplest invocation is to test latency:
$ httping -c4 -g http://www.oreilly.com
Traceroute may not work over the Internet because a lot of routers are programmed
to ignore its UDP datagrams. If you see a lot of timeouts, try the -I option, which
sends ICMP ECHO requests instead.
You could also try tcptraceroute, which sends TCP packets and is therefore nearly
$ tcptraceroute bratgrrl.com
An excellent utility that combines ping and traceroute is mtr (My Traceroute). Use
this to capture combined latency, packet loss, and problem router statistics. Here is
an example that runs mtr 100 times, organizes the data in a report format, and stores
it in a text file:
$ mtr -r -c100 oreilly.com >> mtr.txt
Measuring Throughput, Jitter, and Packet Loss with iperf
You want to measure throughput on your various network segments, and you want
to collect jitter and datagram loss statistics. You might want these just as a routine
part of periodically checking your network performance, or you’re running a VoIP
server like Asterisk, Trixbox, or PBXtra, so you need your network to be in
extra-good shape to have good call quality.
Use iperf, which is a nifty utility for measuring TCP and UDP performance between
two endpoints. It must be installed at both ends of the connection you’re measuring;
in this example, that is Xena and Penguina. We’ll call Xena the server and Penguina
the client. First, start iperf on Xena in server mode, then fire it up on Penguina. (The
easy way is to do all this on Xena in two X terminals via SSH.)
carla@xena:~$ iperf -s
Server listening on TCP port 5001
TCP window size: 85.3 KByte (default)
terry@penguina:~$ iperf -c xena