How to: Shrink/Reclaim free virtual disk space from Virtual Machines on Proxmox VE (PVE) (Windows/Linux/Debian/Ubuntu/Kali Linux/RHEL/CentOS/Fedora etc.)

Pre-requirements

Following method only works for virtual machines (VM) that are satisfying these pre-requirements:

  • Thin-provisioned backing storage (qcow2 disk, thin-lvm, zfs, …)
  • Virtio-SCSI controller configured on guest.
  • Guest scsi disks with the discard option enabled [1]

Note: While changing provisioning types and Virtio-SCSI driver are not easy with existing virtual machines, but changing VM scsi disk’s discard options is simple, that means, if we appear to have an existing VM that is using thin-provisioned backing storage and Virtio-SCSI but “discard” options is not enabled/checked, we can simply find that VM and check that option, then we are good to follow the reset of this guide.

The Issue

When we are using qcow2 sparse virtual disks, we can reclaim free disk spaces which are not using by the virtual machine. How to trigger the VM/guest operating system to reclaim it for us though?

The Fix

1 Login to Proxmox VE web gui

2 Find the VM we want to reclaim the unused disk space for and click on it

3 Click on Hardware

4 Double click on the virtual hard’s virtual hard drive we want to reclaim unused space for

5 Make sure the “Discard” is checked

Proxmox VE - Discard option
Proxmox VE – Discard option

6 Start the VM

Once the VM is fully booted

6a For Linux/Debian/Ubuntu/Kali Linux/CentOS/RHEL/Fedora etc.

6a.1 We use following command to reclaim the unused disk space from a terminal

sudo fstrim -av

Once it’s done, we should be able to see the reclaimed disk space from Proxmox VE host (Only if there is unused space, if there is no unused space, we will not see any changes from Proxmox VE host’s disk space)

6a.2 We can also enable the automatic fstrim from the VM, so we do not need to do it manually everytime. Use following command to enable this feature

sudo systemctl enable fstrim.timer

6b For Windows

Usually the trim is enabled by default on Windows (Windows 7/2008R2 and up), we should not need to modify anything.

We can check if TRIM is enabled or not by using following command

fsutil behavior query DisableDeleteNotify

The output should be 0, otherwise, we can set it manually

fsutil behavior set DisableDeleteNotify 0

We can also trigger it manually, here is how.

First, we need to shutdown the Windows VM.

Then from the Proxmox VE web gui, find the Windows VM, Navigate to “Hardware”, double click on the virtual hard drive that we want to reclaim unused space from, make sure the “Discard” and “SSD emulation” are both checked, now start the Windows VM

Proxmox VE - Discard and SSD emulation checked
Proxmox VE – Discard and SSD emulation checked

When the Windows booted, we type “defrag” in start menu to search for “Defragment and Optimize Drives” program.

Windows 10 - Defragment and Optimize Drives
Windows 10 – Defragment and Optimize Drives

Click on it to launch it, then select the drive which we want to claim unused space from, click on “Optimize” button.

We now have manually reclaimed unused space from Windows VM

References

[1] “Shrink Qcow2 Disk Files – Proxmox VE”, Pve.proxmox.com, 2019. [Online]. Available: https://pve.proxmox.com/wiki/Shrink_Qcow2_Disk_Files


How to: Install Apache Guacamole on Debian/Ubuntu the easiest way (Clientless Remote Desktop Gateway)

1 Update the system with following commands

sudo apt update
sudo apt upgrade -y

2 Install Apache Guacamole

2.1 Download the .sh file [1]

wget -O guac-install.sh https://git.io/fxZq5

2.2 Make it executable

chmod +x guac-install.sh

2.2 Run the script as root

  • (Interactive (asks for passwords))
./guac-install.sh
  • Non-Interactive (values provided via cli):
./guac-install.sh --mysqlpwd password --guacpwd password --nomfa --installmysql

OR

./guac-install.sh -r password -gp password -o -i

Once installed, we can access Guacamole by open: http://:8080/guacamole/ The default credentials are guacadmin as both username and password. Please change them or disable guacadmin after install!

(For upgrade, refer to the link in the reference.)

Appendices

The content of the script (as of writing)

#!/bin/bash
# Something isn't working? # tail -f /var/log/messages /var/log/syslog /var/log/tomcat*/*.out /var/log/mysql/*.log
# Check if user is root or sudo
if ! [ $( id -u ) = 0 ]; then
    echo "Please run this script as sudo or root" 1>&2
    exit 1
fi
# Check to see if any old files left over
if [ "$( find . -maxdepth 1 \( -name 'guacamole-*' -o -name 'mysql-connector-java-*' \) )" != "" ]; then
    echo "Possible temp files detected. Please review 'guacamole-*' & 'mysql-connector-java-*'" 1>&2
    exit 1
fi
# Version number of Guacamole to install
# Homepage ~ https://guacamole.apache.org/releases/
GUACVERSION="1.1.0"
# Latest Version of MySQL Connector/J if manual install is required (if libmariadb-java/libmysql-java is not available via apt)
# Homepage ~ https://dev.mysql.com/downloads/connector/j/
MCJVER="8.0.19"
# Colors to use for output
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
RED='\033[0;31m'
GREEN='\033[0;32m'
CYAN='\033[0;36m'
NC='\033[0m' # No Color
# Log Location
LOG="/tmp/guacamole_${GUACVERSION}_build.log"
# Initialize variable values
installTOTP=""
installDuo=""
installMySQL=""
mysqlHost=""
mysqlPort=""
mysqlRootPwd=""
guacDb=""
guacUser=""
guacPwd=""
PROMPT=""
MYSQL=""
# Get script arguments for non-interactive mode
while [ "$1" != "" ]; do
    case $1 in
        # Install MySQL selection
        -i | --installmysql )
            installMySQL=true
            ;;
        -n | --nomysql )
            installMySQL=false
            ;;
        # MySQL server/root information
        -h | --mysqlhost )
            shift
            mysqlHost="$1"
            ;;
        -p | --mysqlport )
            shift
            mysqlPort="$1"
            ;;
        -r | --mysqlpwd )
            shift
            mysqlRootPwd="$1"
            ;;
        # Guac database/user information
        -db | --guacdb )
            shift
            guacDb="$1"
            ;;
        -gu | --guacuser )
            shift
            guacUser="$1"
            ;;
        -gp | --guacpwd )
            shift
            guacPwd="$1"
            ;;
        # MFA selection
        -t | --totp )
            installTOTP=true
            ;;
        -d | --duo )
            installDuo=true
            ;;
        -o | --nomfa )
            installTOTP=false
            installDuo=false
            ;;
    esac
    shift
done
if [[ -z "${installTOTP}" ]] && [[ "${installDuo}" != true ]]; then
    # Prompt the user if they would like to install TOTP MFA, default of no
    echo -e -n "${CYAN}MFA: Would you like to install TOTP? (y/N): ${NC}"
    read PROMPT
    if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
        installTOTP=true
        installDuo=false
    else
        installTOTP=false
    fi
fi
if [[ -z "${installDuo}" ]] && [[ "${installTOTP}" != true ]]; then
    # Prompt the user if they would like to install Duo MFA, default of no
    echo -e -n "${CYAN}MFA: Would you like to install Duo (configuration values must be set after install in /etc/guacamole/guacamole.properties)? (y/N): ${NC}"
    read PROMPT
    if [[ ${PROMPT} =~ ^[Yy]$ ]]; then
        installDuo=true
        installTOTP=false
    else
        installDuo=false
    fi
fi
# We can't install TOTP and Duo at the same time...
if [[ "${installTOTP}" = true ]] && [ "${installDuo}" = true ]; then
    echo -e "${RED}MFA: The script does not support installing TOTP and Duo at the same time.${NC}" 1>&2
    exit 1
fi
echo
if [[ -z ${installMySQL} ]]; then
    # Prompt the user to see if they would like to install MySQL, default of yes
    echo "MySQL is required for installation, if you're using a remote MySQL Server select 'n'"
    echo -e -n "${CYAN}Would you like to install MySQL? (Y/n): ${NC}"
    read PROMPT
    if [[ ${PROMPT} =~ ^[Nn]$ ]]; then
        installMySQL=false
    else
        installMySQL=true
    fi
fi
if [ "${installMySQL}" = false ]; then
    # We need to get additional values
    [ -z "${mysqlHost}" ] \
      && read -p "Enter MySQL server hostname or IP: " mysqlHost
    [ -z "${mysqlPort}" ] \
      && read -p "Enter MySQL server port [3306]: " mysqlPort
    [ -z "${guacDb}" ] \
      && read -p "Enter Guacamole database name [guacamole_db]: " guacDb
    [ -z "${guacUser}" ] \
      && read -p "Enter Guacamole user [guacamole_user]: " guacUser
fi
# Checking if mysql host given
if [ -z "${mysqlHost}" ]; then
    mysqlHost="localhost"
fi
# Checking if mysql port given
if [ -z "${mysqlPort}" ]; then
    mysqlPort="3306"
fi
# Checking if mysql user given
if [ -z "${guacUser}" ]; then
    guacUser="guacamole_user"
fi
# Checking if database name given
if [ -z "${guacDb}" ]; then
    guacDb="guacamole_db"
fi
if [ -z "${mysqlRootPwd}" ]; then
    # Get MySQL "Root" and "Guacamole User" password
    while true; do
        echo
        read -s -p "Enter ${mysqlHost}'s MySQL root password: " mysqlRootPwd
        echo
        read -s -p "Confirm ${mysqlHost}'s MySQL root password: " PROMPT2
        echo
        [ "${mysqlRootPwd}" = "${PROMPT2}" ] && break
        echo -e "${RED}Passwords don't match. Please try again.${NC}" 1>&2
    done
else
    echo -e "${BLUE}Read MySQL root's password from command line argument${NC}"
fi
echo
if [ -z "${guacPwd}" ]; then
    while true; do
        echo -e "${BLUE}A new MySQL user will be created (${guacUser})${NC}"
        read -s -p "Enter ${mysqlHost}'s MySQL guacamole user password: " guacPwd
        echo
        read -s -p "Confirm ${mysqlHost}'s MySQL guacamole user password: " PROMPT2
        echo
        [ "${guacPwd}" = "${PROMPT2}" ] && break
        echo -e "${RED}Passwords don't match. Please try again.${NC}" 1>&2
        echo
    done
else
    echo -e "${BLUE}Read MySQL ${guacUser}'s password from command line argument${NC}"
fi
echo
if [ "${installMySQL}" = true ]; then
    # Seed MySQL install values
    debconf-set-selections <<< "mysql-server mysql-server/root_password password ${mysqlRootPwd}"
    debconf-set-selections <<< "mysql-server mysql-server/root_password_again password ${mysqlRootPwd}"
fi
# Different version of Ubuntu and Debian have different package names...
source /etc/os-release
if [[ "${NAME}" == "Ubuntu" ]]; then
    # Ubuntu > 18.04 does not include universe repo by default
    # Add the "Universe" repo, don't update
    add-apt-repository -yn universe
    # Set package names depending on version
    JPEGTURBO="libjpeg-turbo8-dev"
    if [[ "${VERSION_ID}" == "16.04" ]]; then
        LIBPNG="libpng12-dev"
    else
        LIBPNG="libpng-dev"
    fi
    if [ "${installMySQL}" = true ]; then
        MYSQL="mysql-server mysql-client mysql-common"
    # Checking if (any kind of) mysql-client or compatible command installed. This is useful for existing mariadb server
    elif [ -x "$( command -v mysql )" ]; then
        MYSQL=""
    else
        MYSQL="mysql-client"
    fi
elif [[ "${NAME}" == *"Debian"* ]] || [[ "${NAME}" == *"Raspbian GNU/Linux"* ]] || [[ "${NAME}" == *"Kali GNU/Linux"* ]]; then
    JPEGTURBO="libjpeg62-turbo-dev"
    if [[ "${PRETTY_NAME}" == *"stretch"* ]] || [[ "${PRETTY_NAME}" == *"buster"* ]] || [[ "${PRETTY_NAME}" == *"Kali GNU/Linux Rolling"* ]]; then
        LIBPNG="libpng-dev"
    else
        LIBPNG="libpng12-dev"
    fi
    if [ "${installMySQL}" = true ]; then
        MYSQL="default-mysql-server default-mysql-client mysql-common"
    # Checking if (any kind of) mysql-client or compatible command installed. This is useful for existing mariadb server
    elif [ -x "$( command -v mysql )" ]; then
        MYSQL=""
    else
        MYSQL="default-mysql-client"
    fi
else
    echo "Unsupported distribution - Debian, Kali, Raspbian or Ubuntu only"
    exit 1
fi
# Update apt so we can search apt-cache for newest Tomcat version supported &amp; libmariadb-java/libmysql-java
echo -e "${BLUE}Updating apt...${NC}"
apt-get -qq update
# Check if libmariadb-java/libmysql-java is available
# Debian 10 >= ~ https://packages.debian.org/search?keywords=libmariadb-java
if [[ $( apt-cache show libmariadb-java 2> /dev/null | wc -l ) -gt 0 ]]; then
    # When something higher than 1.1.0 is out ~ https://issues.apache.org/jira/browse/GUACAMOLE-852
    #echo -e "${BLUE}Found libmariadb-java package...${NC}"
    #LIBJAVA="libmariadb-java"
    # For v1.1.0 and lower
    echo -e "${YELLOW}Found libmariadb-java package (known issues). Will download libmysql-java ${MCJVER} and install manually${NC}"
    LIBJAVA=""
# Debian 9 <= ~ https://packages.debian.org/search?keywords=libmysql-java
elif [[ $( apt-cache show libmysql-java 2> /dev/null | wc -l ) -gt 0 ]]; then
    echo -e "${BLUE}Found libmysql-java package...${NC}"
    LIBJAVA="libmysql-java"
else
    echo -e "${YELLOW}lib{mariadb,mysql}-java not available. Will download mysql-connector-java-${MCJVER}.tar.gz and install manually${NC}"
    LIBJAVA=""
fi
# tomcat9 is the latest version
# tomcat8.0 is end of life, but tomcat8.5 is current
# fallback is tomcat7
if [[ $( apt-cache show tomcat9 2> /dev/null | egrep "Version: 9" | wc -l ) -gt 0 ]]; then
    echo -e "${BLUE}Found tomcat9 package...${NC}"
    TOMCAT="tomcat9"
elif [[ $( apt-cache show tomcat8 2> /dev/null | egrep "Version: 8.[5-9]" | wc -l ) -gt 0 ]]; then
    echo -e "${BLUE}Found tomcat8.5+ package...${NC}"
    TOMCAT="tomcat8"
elif [[ $( apt-cache show tomcat7 2> /dev/null | egrep "Version: 7" | wc -l ) -gt 0 ]]; then
    echo -e "${BLUE}Found tomcat7 package...${NC}"
    TOMCAT="tomcat7"
else
    echo -e "${RED}Failed. Can't find Tomcat package${NC}" 1>&amp;2
    exit 1
fi
# Uncomment to manually force a Tomcat version
#TOMCAT=""
# Install features
echo -e "${BLUE}Installing packages. This might take a few minutes...${NC}"
# Don't prompt during install
export DEBIAN_FRONTEND=noninteractive
# Required packages
apt-get -y install build-essential libcairo2-dev ${JPEGTURBO} ${LIBPNG} libossp-uuid-dev libavcodec-dev libavutil-dev \
libswscale-dev freerdp2-dev libpango1.0-dev libssh2-1-dev libtelnet-dev libvncserver-dev libpulse-dev libssl-dev \
libvorbis-dev libwebp-dev libwebsockets-dev \
freerdp2-x11 libtool-bin ghostscript dpkg-dev \
wget crudini \
${MYSQL} ${LIBJAVA} ${TOMCAT} &amp;>> ${LOG}
# If apt fails to run completely the rest of this isn't going to work...
if [ $? -ne 0 ]; then
    echo -e "${RED}Failed. See ${LOG}${NC}" 1>&amp;2
    exit 1
else
    echo -e "${GREEN}OK${NC}"
fi
echo
# Set SERVER to be the preferred download server from the Apache CDN
SERVER="http://apache.org/dyn/closer.cgi?action=download&amp;filename=guacamole/${GUACVERSION}"
echo -e "${BLUE}Downloading files...${NC}"
# Download Guacamole Server
wget -q --show-progress -O guacamole-server-${GUACVERSION}.tar.gz ${SERVER}/source/guacamole-server-${GUACVERSION}.tar.gz
if [ $? -ne 0 ]; then
    echo -e "${RED}Failed to download guacamole-server-${GUACVERSION}.tar.gz" 1>&amp;2
    echo -e "${SERVER}/source/guacamole-server-${GUACVERSION}.tar.gz${NC}"
    exit 1
else
    # Extract Guacamole Files
    tar -xzf guacamole-server-${GUACVERSION}.tar.gz
fi
echo -e "${GREEN}Downloaded guacamole-server-${GUACVERSION}.tar.gz${NC}"
# Download Guacamole Client
wget -q --show-progress -O guacamole-${GUACVERSION}.war ${SERVER}/binary/guacamole-${GUACVERSION}.war
if [ $? -ne 0 ]; then
    echo -e "${RED}Failed to download guacamole-${GUACVERSION}.war" 1>&amp;2
    echo -e "${SERVER}/binary/guacamole-${GUACVERSION}.war${NC}"
    exit 1
fi
echo -e "${GREEN}Downloaded guacamole-${GUACVERSION}.war${NC}"
# Download Guacamole authentication extensions (Database)
wget -q --show-progress -O guacamole-auth-jdbc-${GUACVERSION}.tar.gz ${SERVER}/binary/guacamole-auth-jdbc-${GUACVERSION}.tar.gz
if [ $? -ne 0 ]; then
    echo -e "${RED}Failed to download guacamole-auth-jdbc-${GUACVERSION}.tar.gz" 1>&amp;2
    echo -e "${SERVER}/binary/guacamole-auth-jdbc-${GUACVERSION}.tar.gz"
    exit 1
else
    tar -xzf guacamole-auth-jdbc-${GUACVERSION}.tar.gz
fi
echo -e "${GREEN}Downloaded guacamole-auth-jdbc-${GUACVERSION}.tar.gz${NC}"
# Download Guacamole authentication extensions
# TOTP
if [ "${installTOTP}" = true ]; then
    wget -q --show-progress -O guacamole-auth-totp-${GUACVERSION}.tar.gz ${SERVER}/binary/guacamole-auth-totp-${GUACVERSION}.tar.gz
    if [ $? -ne 0 ]; then
        echo -e "${RED}Failed to download guacamole-auth-totp-${GUACVERSION}.tar.gz" 1>&amp;2
        echo -e "${SERVER}/binary/guacamole-auth-totp-${GUACVERSION}.tar.gz"
        exit 1
    else
        tar -xzf guacamole-auth-totp-${GUACVERSION}.tar.gz
    fi
    echo -e "${GREEN}Downloaded guacamole-auth-totp-${GUACVERSION}.tar.gz${NC}"
fi
# Duo
if [ "${installDuo}" = true ]; then
    wget -q --show-progress -O guacamole-auth-duo-${GUACVERSION}.tar.gz ${SERVER}/binary/guacamole-auth-duo-${GUACVERSION}.tar.gz
    if [ $? -ne 0 ]; then
        echo -e "${RED}Failed to download guacamole-auth-duo-${GUACVERSION}.tar.gz" 1>&amp;2
        echo -e "${SERVER}/binary/guacamole-auth-duo-${GUACVERSION}.tar.gz"
        exit 1
    else
        tar -xzf guacamole-auth-duo-${GUACVERSION}.tar.gz
    fi
    echo -e "${GREEN}Downloaded guacamole-auth-duo-${GUACVERSION}.tar.gz${NC}"
fi
# Deal with missing MySQL Connector/J
if [[ -z $LIBJAVA ]]; then
    # Download MySQL Connector/J
    wget -q --show-progress -O mysql-connector-java-${MCJVER}.tar.gz https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-${MCJVER}.tar.gz
    if [ $? -ne 0 ]; then
        echo -e "${RED}Failed to download mysql-connector-java-${MCJVER}.tar.gz" 1>&amp;2
        echo -e "https://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-${MCJVER}.tar.gz${NC}"
        exit 1
    else
        tar -xzf mysql-connector-java-${MCJVER}.tar.gz
    fi
    echo -e "${GREEN}Downloaded mysql-connector-java-${MCJVER}.tar.gz${NC}"
else
    echo -e "${YELLOW}Skipping manually installing MySQL Connector/J${NC}"
fi
echo -e "${GREEN}Downloading complete.${NC}"
echo
# Make directories
rm -rf /etc/guacamole/lib/
rm -rf /etc/guacamole/extensions/
mkdir -p /etc/guacamole/lib/
mkdir -p /etc/guacamole/extensions/
# Install guacd (Guacamole-server)
cd guacamole-server-${GUACVERSION}/
echo -e "${BLUE}Building Guacamole-Server with GCC $( gcc --version | head -n1 | grep -oP '\)\K.*' | awk '{print $1}' ) ${NC}"
echo -e "${BLUE}Configuring Guacamole-Server. This might take a minute...${NC}"
./configure --with-init-dir=/etc/init.d  &amp;>> ${LOG}
if [ $? -ne 0 ]; then
    echo -e "${RED}Failed. See ${LOG}${NC}" 1>&amp;2
    exit 1
else
    echo -e "${GREEN}OK${NC}"
fi
echo -e "${BLUE}Running Make on Guacamole-Server. This might take a few minutes...${NC}"
make &amp;>> ${LOG}
if [ $? -ne 0 ]; then
    echo -e "${RED}Failed. See ${LOG}${NC}" 1>&amp;2
    exit 1
else
    echo -e "${GREEN}OK${NC}"
fi
echo -e "${BLUE}Running Make Install on Guacamole-Server...${NC}"
make install &amp;>> ${LOG}
if [ $? -ne 0 ]; then
    echo -e "${RED}Failed. See ${LOG}${NC}" 1>&amp;2
    exit 1
else
    echo -e "${GREEN}OK${NC}"
fi
ldconfig
echo
# Move files to correct locations (guacamole-client &amp; Guacamole authentication extensions)
cd ..
mv -f guacamole-${GUACVERSION}.war /etc/guacamole/guacamole.war
mv -f guacamole-auth-jdbc-${GUACVERSION}/mysql/guacamole-auth-jdbc-mysql-${GUACVERSION}.jar /etc/guacamole/extensions/
# Create Symbolic Link for Tomcat
ln -sf /etc/guacamole/guacamole.war /var/lib/${TOMCAT}/webapps/
# Deal with MySQL Connector/J
if [[ -z $LIBJAVA ]]; then
    echo -e "${BLUE}Moving mysql-connector-java-${MCJVER}.jar (/etc/guacamole/lib/mysql-connector-java.jar)...${NC}"
    mv -f mysql-connector-java-${MCJVER}/mysql-connector-java-${MCJVER}.jar /etc/guacamole/lib/mysql-connector-java.jar
elif [ -e /usr/share/java/mariadb-java-client.jar ]; then
    echo -e "${BLUE}Linking mariadb-java-client.jar  (/etc/guacamole/lib/mariadb-java-client.jar)...${NC}"
    ln -sf /usr/share/java/mariadb-java-client.jar /etc/guacamole/lib/mariadb-java-client.jar
elif [ -e /usr/share/java/mysql-connector-java.jar ]; then
    echo -e "${BLUE}Linking mysql-connector-java.jar  (/etc/guacamole/lib/mysql-connector-java.jar)...${NC}"
    ln -sf /usr/share/java/mysql-connector-java.jar /etc/guacamole/lib/mysql-connector-java.jar
else
    echo -e "${RED}Can't find *.jar file${NC}" 1>&amp;2
    exit 1
fi
echo
# Move TOTP Files
if [ "${installTOTP}" = true ]; then
    echo -e "${BLUE}Moving guacamole-auth-totp-${GUACVERSION}.jar (/etc/guacamole/extensions/)...${NC}"
    mv -f guacamole-auth-totp-${GUACVERSION}/guacamole-auth-totp-${GUACVERSION}.jar /etc/guacamole/extensions/
    echo
fi
# Move Duo Files
if [ "${installDuo}" = true ]; then
    echo -e "${BLUE}Moving guacamole-auth-duo-${GUACVERSION}.jar (/etc/guacamole/extensions/)...${NC}"
    mv -f guacamole-auth-duo-${GUACVERSION}/guacamole-auth-duo-${GUACVERSION}.jar /etc/guacamole/extensions/
    echo
fi
# Configure guacamole.properties
rm -f /etc/guacamole/guacamole.properties
touch /etc/guacamole/guacamole.properties
echo "mysql-hostname: ${mysqlHost}" >> /etc/guacamole/guacamole.properties
echo "mysql-port: ${mysqlPort}" >> /etc/guacamole/guacamole.properties
echo "mysql-database: ${guacDb}" >> /etc/guacamole/guacamole.properties
echo "mysql-username: ${guacUser}" >> /etc/guacamole/guacamole.properties
echo "mysql-password: ${guacPwd}" >> /etc/guacamole/guacamole.properties
# Output Duo configuration settings but comment them out for now
if [ "${installDuo}" = true ]; then
    echo "# duo-api-hostname: " >> /etc/guacamole/guacamole.properties
    echo "# duo-integration-key: " >> /etc/guacamole/guacamole.properties
    echo "# duo-secret-key: " >> /etc/guacamole/guacamole.properties
    echo "# duo-application-key: " >> /etc/guacamole/guacamole.properties
    echo -e "${YELLOW}Duo is installed, it will need to be configured via guacamole.properties${NC}"
fi
# Restart Tomcat
echo -e "${BLUE}Restarting Tomcat service &amp; enable at boot...${NC}"
service ${TOMCAT} restart
if [ $? -ne 0 ]; then
    echo -e "${RED}Failed${NC}" 1>&amp;2
    exit 1
else
    echo -e "${GREEN}OK${NC}"
fi
# Start at boot
systemctl enable ${TOMCAT}
echo
# Set MySQL password
export MYSQL_PWD=${mysqlRootPwd}
if [ "${installMySQL}" = true ]; then
    # Restart MySQL service
    echo -e "${BLUE}Restarting MySQL service &amp; enable at boot...${NC}"
    service mysql restart
    if [ $? -ne 0 ]; then
        echo -e "${RED}Failed${NC}" 1>&amp;2
        exit 1
    else
        echo -e "${GREEN}OK${NC}"
    fi
    # Start at boot
    systemctl enable mysql
    echo
    # Default locations of MySQL config file
    for x in /etc/mysql/mariadb.conf.d/50-server.cnf \
             /etc/mysql/mysql.conf.d/mysqld.cnf \
             /etc/mysql/my.cnf \
             ; do
        # Check the path exists
        if [ -e "${x}" ]; then
            # Does it have the necessary section
            if grep -q '^\[mysqld\]$' "${x}"; then
                mysqlconfig="${x}"
                # no point keep checking!
                break
            fi
        fi
    done
    if [ -z "${mysqlconfig}" ]; then
        echo -e "${YELLOW}Couldn't detect MySQL config file - you may need to manually enter timezone settings${NC}"
    else
        # Is there already a value?
        if grep -q "^default_time_zone[[:space:]]?=" "${mysqlconfig}"; then
            echo -e "${YELLOW}Timezone already defined in ${mysqlconfig}${NC}"
        else
            timezone="$( cat /etc/timezone )"
            if [ -z "${timezone}" ]; then
                echo -e "${YELLOW}Couldn't find timezone, using UTC${NC}"
                timezone="UTC"
            fi
            echo -e "${YELLOW}Setting timezone as ${timezone}${NC}"
            # Fix for https://issues.apache.org/jira/browse/GUACAMOLE-760
            mysql_tzinfo_to_sql /usr/share/zoneinfo 2>/dev/null | mysql -u root -D mysql -h ${mysqlHost} -P ${mysqlPort}
            crudini --set ${mysqlconfig} mysqld default_time_zone "${timezone}"
            # Restart to apply
            service mysql restart
            echo
        fi
    fi
fi
# Create ${guacDb} and grant ${guacUser} permissions to it
# SQL code
guacUserHost="localhost"
if [[ "${mysqlHost}" != "localhost" ]]; then
    guacUserHost="%"
    echo -e "${YELLOW}MySQL Guacamole user is set to accept login from any host, please change this for security reasons if possible.${NC}"
fi
# Check for ${guacDb} already being there
echo -e "${BLUE}Checking MySQL for existing database (${guacDb})${NC}"
SQLCODE="
SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='${guacDb}';"
# Execute SQL code
MYSQL_RESULT=$( echo ${SQLCODE} | mysql -u root -D information_schema -h ${mysqlHost} -P ${mysqlPort} )
if [[ $MYSQL_RESULT != "" ]]; then
    echo -e "${RED}It appears there is already a MySQL database (${guacDb}) on ${mysqlHost}${NC}" 1>&amp;2
    echo -e "${RED}Try:    mysql -e 'DROP DATABASE ${guacDb}'${NC}" 1>&amp;2
    #exit 1
else
    echo -e "${GREEN}OK${NC}"
fi
# Check for ${guacUser} already being there
echo -e "${BLUE}Checking MySQL for existing user (${guacUser})${NC}"
SQLCODE="
SELECT COUNT(*) FROM mysql.user WHERE user = '${guacUser}';"
# Execute SQL code
MYSQL_RESULT=$( echo ${SQLCODE} | mysql -u root -D mysql -h ${mysqlHost} -P ${mysqlPort} | grep '0' )
if [[ $MYSQL_RESULT == "" ]]; then
    echo -e "${RED}It appears there is already a MySQL user (${guacUser}) on ${mysqlHost}${NC}" 1>&amp;2
    echo -e "${RED}Try:    mysql -e \"DROP USER '${guacUser}'@'${guacUserHost}'; FLUSH PRIVILEGES;\"${NC}" 1>&amp;2
    #exit 1
else
    echo -e "${GREEN}OK${NC}"
fi
# Create database &amp; user, then set permissions
SQLCODE="
DROP DATABASE IF EXISTS ${guacDb};
CREATE DATABASE IF NOT EXISTS ${guacDb};
CREATE USER IF NOT EXISTS '${guacUser}'@'${guacUserHost}' IDENTIFIED BY \"${guacPwd}\";
GRANT SELECT,INSERT,UPDATE,DELETE ON ${guacDb}.* TO '${guacUser}'@'${guacUserHost}';
FLUSH PRIVILEGES;"
# Execute SQL code
echo ${SQLCODE} | mysql -u root -D mysql -h ${mysqlHost} -P ${mysqlPort}
# Add Guacamole schema to newly created database
echo -e "${BLUE}Adding database tables...${NC}"
cat guacamole-auth-jdbc-${GUACVERSION}/mysql/schema/*.sql | mysql -u root -D ${guacDb} -h ${mysqlHost} -P ${mysqlPort}
if [ $? -ne 0 ]; then
    echo -e "${RED}Failed${NC}" 1>&amp;2
    exit 1
else
    echo -e "${GREEN}OK${NC}"
fi
echo
# Ensure guacd is started
echo -e "${BLUE}Starting guacd service &amp; enable at boot...${NC}"
service guacd stop 2>/dev/null
service guacd start
systemctl enable guacd
echo
# Deal with ufw and/or iptables
# Check if ufw is a valid command
if [ -x "$( command -v ufw )" ]; then
    # Check if ufw is active (active|inactive)
    if [[ $(ufw status | grep inactive | wc -l) -eq 0 ]]; then
        # Check if 8080 is not already allowed
        if [[ $(ufw status | grep "8080/tcp" | grep "ALLOW" | grep "Anywhere" | wc -l) -eq 0 ]]; then
            # ufw is running, but 8080 is not allowed, add it
            ufw allow 8080/tcp comment 'allow tomcat'
        fi
    fi
fi    
# It's possible that someone is just running pure iptables...
# Check if iptables is a valid running service
systemctl is-active --quiet iptables
if [ $? -eq 0 ]; then
    # Check if 8080 is not already allowed
    # FYI: This same command matches the rule added with ufw (-A ufw-user-input -p tcp -m tcp --dport 22 -j ACCEPT)
    if [[ $(iptables --list-rules | grep -- "-p tcp" | grep -- "--dport 22" | grep -- "-j ACCEPT" | wc -l) -eq 0 ]]; then
        # ALlow it
        iptables -A INPUT -p tcp --dport 8080 --jump ACCEPT
    fi
fi
# I think there is another service called firewalld that some people could be running instead
# Unless someone opens an issue about it or submits a pull request, I'm going to ignore it for now
# Cleanup
echo -e "${BLUE}Cleanup install files...${NC}"
rm -rf guacamole-*
rm -rf mysql-connector-java-*
unset MYSQL_PWD
echo
# Done
echo -e "${BLUE}Installation Complete\n- Visit: http://localhost:8080/guacamole/\n- Default login (username/password): guacadmin/guacadmin\n***Be sure to change the password***.${NC}"
if [ "${installDuo}" = true ]; then
    echo -e "${YELLOW}\nDon't forget to configure Duo in guacamole.properties. You will not be able to login otherwise.\nhttps://guacamole.apache.org/doc/${GUACVERSION}/gug/duo-auth.html${NC}"
fi

References

[1 ]”MysticRyuujin/guac-install”, GitHub, 2020. [Online]. Available: https://github.com/MysticRyuujin/guac-install


How to: Find/Show/List hidden directories/folders from Linux/Unix/Debian/Ubuntu/Kali Linux/RHEL/CentOS etc.

1 For System with Graphical User Interface (GUI) (Usually means we boot into an interface where we can see and use cursor)

1.1 Open the “Files” program (Like File Explorer in Windows)

1.2 For most of Linux distros use Ctrl + H key combination to show all hidden files and folders/directories (Use Ctrl + H again to hide them)

CentOS - File, showing hidden files and folders, directories
CentOS – File, showing hidden files and folders, directories

(In Linux folders and Files begin with the dot “.” hence the dotfile/dot file are hidden)

2 For Terminal

List all files and folders/directories (Including non-hidden and hidden)

ls -ahlp
Terminal - Showing all files and folders, directories (including non-hidden and hidden)
Terminal – Showing all files and folders, directories (including non-hidden and hidden)

-a: do not ignore entries starting with the dot “.”
-h: with -l and -s, print sizes like 1K 234M 2G etc.
-l: use a long listing format
-p: append / indicator to directories

List only hidden files

ls -ap | grep -v / | grep "^."
ls -ap | grep -v / | egrep "^."

-v: select non-matching lines
-v /: Inverse match everything with a slash “/”, so that only files are shwon

^. : Anything start with the dot “.”

Terminal - Show all hidden files
Terminal – Show all hidden files

List only hidden folders/directories

ls -ap | grep "^\..*/$"
ls -ap | egrep "^\..*/$"
Terminal - Showing all hidden folders, directories
Terminal – Showing all hidden folders, directories

List only hidden folders/directories without showing “./” and “../”

ls -Ap | grep "^\..*/$"
ls -Ap | egrep "^\..*/$"
Terminal - Showing only hidden folders, directories without anything else
Terminal – Showing only hidden folders, directories without anything else

Bonus

grep (Global Regular Expressions Print) and egrep (Extended Global Regular Expressions Print) have same function but different ways to interpret regular expression patterns.


How to: Find real path of symbolic links in Debian/Ubuntu etc.

e.g. The symbolic link is “/tmp/a.sh” which pointing to the real file “/tmp/test.sh”

1 Launch terminal or connect via SSH

2 Use following command we can see all symbolic links within a directory

ls -ahl /tmp | grep "\->"

Output

lrwxrwxrwx 1 [user] [group] [date] [time] a.sh -> test.sh

3 Alternatively we can use following command to check against single link file

readlink /tmp/a.sh

Output

test.sh

Want to know how to create symbolic/soft links and hard links?

Follow this guide: Quick Linux File Manipulation Commands Reference (and How to: Create Symbolic link/Soft link/Hard link)


How to: Delete/Remove/Clear LVM volume

Warning: Proceed with extreme care, you can destroy your data easily with following commands

Can be used in Linux/Debian/Ubuntu/Kali Linux/CentOS/RHEL/Fedora/Proxmox (PVE) etc.

In this guide we assume the mount point is datamount

1 Delete entry from /etc/fstab with your favourite text editor

sudo nano /etc/fstab
# For nano, when done, Ctrl + X, Y Enter to save and exit

2 Unmount the mount point

umount /datamount
or
umount name
or
umount pve-OLD-xxxxx

3 Disable LVM

lvchange -an /dev/vg/lv
or
lvchange -an name
or
lvchange -an pve-OLD-xxxxx

4 Delete LVM volume

lvremove /dev/vg/lv
or
lvremove name
or
lvremove pve-OLD-xxxxx

5 Disable volume group

vgchange -an vg
or
vgchange -an name
or
vgchange -an pve-OLD-xxxxx

6 Delete volume group

vgremove vg
or
vgremove name
or
vgremove pve-OLD-xxxxx

7 Delete physical volumes used for volume group “vg”

pvremove /dev/sdc /dev/sdd

How to: Create/Configure/Setup OCserv/OpenConnect VPN server with Ubuntu Server 19 (both Quick ways & Tuning/Refining) [A simple yet comprehensive OCserv VPN Server setup Guide]

This can get you up and running quickly, to use OCserv/OpenConnect VPN in the long run, you will still need to do some work including security hardening like getting and configure proper SSL/TLS certificate, configure OCserv server routing table based on principle of least privilege (POLP), hardening Ubuntu Server ports/routing table with iptables or at least use UFW firewall to configure some rules, create different VPN credentials for different use/user with POLP in mind.

Before starting, we assume the Ubuntu Server 19 is newly installed and clean, with ufw disabled (Not a good idea to have ufw and iptables disabled on production servers).

If you have existing Ubuntu server running, you probably want to check what ports are used (Guide can be found here: How to: Check/View ports in use/listening ports locally on Linux/Debian/Ubuntu/Kali Linux/CentOS/Fedora/RHEL etc.) If port 443 is used (default port for OCserv) we will need to change ports for OCserv, to check current if ufw is enabled or not (sudo ufw status), to check existing iptables rules (How to: List all rules from iptables (How to: List all iptables rules)).

Table of contents

  1. Create/Configure/Setup OCserv/OpenConnect VPN server (Basics to get it running quickly)
  2. Get the OCserv/OpenConnect VPN Server and Clients running
  3. Get the OCserv/OpenConnect VPN Server connection information
  4. Extend

1 Create/Configure/Setup OCserv/OpenConnect VPN server (Basics to get it running quickly)

1.1 Prepare the server

1.1.1 Assign static IP address for the server if necessary (Unless just testing)

(For production mode, we have to assign static IP address for the server or we can lose connection easily)

Follow this guide to configure static IP address for Ubuntu Server 19: How to: Set/Configure Static IP Address/DHCP for Ubuntu Server/Desktop 18.04/19.04/19.10 via Terminal using netplan

1.1.2 Enable packet forwarding for Ubuntu Server 19

1.1.2.1 Make a backup of “/etc/sysctl.conf”

sudo cp /etc/sysctl.conf /etc/sysctl.conf_bk
Backup sysctl.conf
Backup sysctl.conf

1.1.2.2 Modify “/etc/sysctl.conf” to Enable packet forwarding

We can use nano or other editor to add “net.ipv4.ip_forward=1” to “/etc/sysctl.conf” file or use one command

Method 1 – Using Nano

# Use nano to edit the file
sudo nano /etc/sysctl.conf
 
# Add net.ipv4.ip_forward=1 at the bottom of the tile
net.ipv4.ip_forward=1
 
# Save and Exit the nano editor
Ctrl + W, Y, Enter
 
# Apply the changes
sudo sysctl -p

Method 2 – Using one command

# Append the net.ipv4.ip_forward=1 to bottom of the "/etc/sysctl.conf" file
sudo bash -c 'echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf'
 
# Apply the change
sudo sysctl -p
Append changes, apply changes
Append changes, apply changes

1.1.3 Enable NAT/MASQUERADE with iptables

1.1.3.1 Check your NIC name on Ubuntu

(In this example it is ens33, yours can be different)

sudo ip a
ip a command output
ip a command output

1.1.3.2 Create NAT rule with iptables (Here we have ens33, yours can be different) (Type exactly same command, beware of upper case and lower case)

sudo iptables -t nat -A POSTROUTING -o ens33 -j MASQUERADE
# Check if the rules was added
sudo iptables -t nat -L
Check if the rules was added, sudo iptables -t nat -L
Check if the rules was added, sudo iptables -t nat -L

1.1.3.3 Make the iptables rule persistent

(Without this step, iptables rules will be lost after Ubuntu Server reboot)

# Install necessary tools
sudo apt install -y iptables-save iptables-persistent
 
# Answer Yes when asked
 
# Now the current iptables rules are saved, they will be restored after server reboot

(More on making iptables rules persistent: How to: Make iptables rules persistent between reboots on Debian/Ubuntu 18, 19)

If we have made new changes, we have to use following command to save the current iptables rules again

sudo bash -c 'echo "iptables-save" > /etc/iptables/rules.v4'

1.1.4 ufw firewall

1.1.4.1 ufw should be disabled by default, if not, use following command to check the status and disable it if necessary (For production use, we should carefully configure ufw rather than disable it)

# Check ufw firewall status
sudo ufw status
 
# Output
Status: inactive

If it’s not disabled, use following command to disable it

# Disable ufw firewall
sudo ufw disable

1.2 Install OCserv/OpenConnect

sudo apt update
sudo apt install -y ocserv
 
# If you are having problem running the aove command, try to update the system first by using following commands then run the above command again
sudo apt update
sudo apt upgrade

1.3 Configure OCserv/OpenConnect

1.3.1 Backup default OCserv/OpenConnect configuration file

sudo cp /etc/ocserv/ocserv.conf /etc/ocserv/ocserv.conf_bk

1.3.2 Bare minimum Configuration for OCserv/OpenConnect to run, accept connections and route all traffic

1.3.2.1 Open and edit the configuration file “/etc/ocserv/ocserv.conf”

sudo nano /etc/ocserv/ocserv.conf
1.3.2.2 The content of default OCserv/OpenConnect configuration “/etc/ocserv/ocserv.conf” file
# User authentication method. Could be set multiple times and in 
# that case all should succeed. To enable multiple methods use
# multiple auth directives. Available options: certificate, 
# plain, pam, radius, gssapi.
#
# Note that authentication methods cannot be changed with reload.
# certificate:
#  This indicates that all connecting users must present a certificate.
#
# pam[gid-min=1000]:
#  This enabled PAM authentication of the user. The gid-min option is used 
# by auto-select-group option, in order to select the minimum valid group ID.
#
# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
#  The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname1,groupname2:encoded-password"
# One entry must be listed per line, and 'ocpasswd' should be used
# to generate password entries. The 'otp' suboption allows to specify
# an oath password file to be used for one time passwords; the format of
# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile
#
# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
#  The radius option requires specifying freeradius-client configuration
# file. If the groupconfig option is set, then config-per-user/group will be overriden,
# and all configuration will be read from radius. That also includes the
# Acct-Interim-Interval, and Session-Timeout values.
#
# See doc/README-radius.md for the supported radius configuration atributes.
#
# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
#  The gssapi option allows to use authentication methods supported by GSSAPI,
# such as Kerberos tickets with ocserv. It should be best used as an alternative
# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
# tickets and without tickets to login. The default value for require-local-user-map
# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented
# to have been issued within the provided number of seconds. That option is used to
# restrict logins even if the KDC provides long time TGT tickets.
#auth = "pam"
auth = "pam[gid-min=1000]"
#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
#auth = "plain[passwd=./sample.passwd]"
#auth = "certificate"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
# Specify alternative authentication methods that are sufficient
# for authentication. That is, if set, any of the methods enabled
# will be sufficient to login.
#enable-auth = "certificate"
#enable-auth = "gssapi"
#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
# Accounting methods available:
# radius: can be combined with any authentication method, it provides
#      radius accounting to available users (see also stats-report-time).
#
# pam: can be combined with any authentication method, it provides
#      a validation of the connecting user's name using PAM. It is
#      superfluous to use this method when authentication is already
#      PAM.
#
# Only one accounting method can be specified.
#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
# Use listen-host to limit to specific IPs or to the IPs of a provided 
# hostname.
#listen-host = [IP|HOSTNAME]
# When the server has a dynamic DNS address (that may change),
# should set that to true to ask the client to resolve again on
# reconnects.
#listen-host-is-dyndns = true
# TCP and UDP port number
# Note: These options are controlled by ocserv.socket if socket-activated
# version of systemd configuration is used
tcp-port = 443
udp-port = 443
# Accept connections using a socket file. It accepts HTTP
# connections (i.e., without SSL/TLS unlike its TCP counterpart),
# and uses it as the primary channel. That option cannot be
# combined with certificate authentication.
#listen-clear-file = /run/ocserv-conn.socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
#occtl-socket-file = /run/occtl.socket
# socket file used for server IPC (worker-main), will be appended with .PID
# It must be accessible within the chroot environment (if any), so it is best
# specified relatively to the chroot directory.
socket-file = /run/ocserv.socket
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g., 
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# The server-cert file may contain a single certificate, or
# a sorted certificate chain.
#
# There may be multiple server-cert and server-key directives,
# but each key should correspond to the preceding certificate.
server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# In case PKCS #11, TPM or encrypted keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the 
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
# The password or PIN needed to unlock the key in server-key file.
# Only needed if the file is encrypted or a PKCS #11 object. This
# is an alternative method to pin-file.
#key-pin = 1234
# The SRK PIN for TPM.
# This is an alternative method to srk-pin-file.
#srk-pin = 1234
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
### All configuration options below this line are reloaded on a SIGHUP.
### The options above, will remain unchanged. Note however, that the 
### server-cert, server-key, dh-params and ca-cert options will be reloaded
### if the provided file changes, on server reload. That allows certificate
### rotation, but requires the server key to remain the same for seamless
### operation. If the server key changes on reload, there may be connection
### failures during the reloading time.
# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 
# system calls allowed to a worker process, in order to reduce damage from a
# bug in the worker process. It is available on Linux systems at a performance cost.
# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
# Note however, that process isolation is restricted to the specific libc versions
# the isolation was tested at. If you get random failures on worker processes, try
# disabling that option and report the failures you, along with system and debugging
# information at: https://gitlab.com/ocserv/ocserv/issues
isolate-workers = true
# A banner to be displayed on clients
#banner = "Welcome"
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 128
# Limit the number of identical clients (i.e., users connecting 
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2
# When the server receives connections from a proxy, like haproxy
# which supports the proxy protocol, set this to obtain the correct
# client addresses. The proxy protocol (v2) would then be expected in
# the TCP or UNIX socket (not the UDP one).
#listen-proxy-proto = true
# Limit the number of client connections to one every X milliseconds 
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Stats report time. The number of seconds after which each
# worker process will report its usage statistics (number of
# bytes transferred etc). This is useful when accounting like
# radius is in use.
#stats-report-time = 360
# Stats reset time. The period of time statistics kept by main/sec-mod
# processes will be reset. These are the statistics shown by cmd
# 'occtl show stats'. For daily: 86400, weekly: 604800
# This is unrelated to stats-report-time.
server-stats-reset-time = 604800
# Keepalive in seconds
keepalive = 300
# Dead peer detection in seconds.
# Note that when the client is behind a NAT this value
# needs to be short enough to prevent the NAT disassociating
# his UDP session from the port number. Otherwise the client
# could have his UDP connection stalled, for several minutes.
dpd = 60
# Dead peer detection for mobile clients. That needs to
# be higher to prevent such clients being awaken too 
# often by the DPD messages, and save battery.
# The mobile clients are distinguished from the header
# 'X-AnyConnect-Identifier-Platform'.
mobile-dpd = 300
# If using DTLS, and no UDP traffic is received for this
# many seconds, attempt to send future traffic over the TCP
# connection instead, in an attempt to wake up the client
# in the case that there is a NAT and the UDP translation
# was deleted. If this is unset, do not attempt to use this
# recovery mechanism.
switch-to-tcp-timeout = 30
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# The object identifier that will be used to read the user ID in the client 
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are: 
#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the 
# client certificate. The object identifier should be part of the certificate's
# DN. If the user may belong to multiple groups, then use multiple such fields
# in the certificate's DN. Useful OIDs are: 
#  OU (organizational unit) = 2.5.4.11 
#cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
# See the manual to generate an empty CRL initially. The CRL will be reloaded
# periodically when ocserv detects a change in the file. To force a reload use
# SIGHUP.
#crl = /path/to/crl.pem
# Uncomment this to enable compression negotiation (LZS, LZ4).
compression = true
# Set the minimum size under which a packet will not be compressed.
# That is to allow low-latency for VoIP packets. The default size
# is 256 bytes. Modify it if the clients typically use compression
# as well of VoIP with codecs that exceed the default value.
no-compress-limit = 256
# GnuTLS priority string; note that SSL 3.0 is disabled by default
# as there are no openconnect (and possibly anyconnect clients) using
# that protocol. The string below does not enforce perfect forward
# secrecy, in order to be compatible with legacy clients.
#
# Note that the most performant ciphersuites are the moment are the ones
# involving AES-GCM. These are very fast in x86 and x86-64 hardware, and
# in addition require no padding, thus taking full advantage of the MTU.
# For that to be taken advantage of, the openconnect client must be
# used, and the server must be compiled against GnuTLS 3.2.7 or later.
# Use "gnutls-cli --benchmark-tls-ciphers", to see the performance
# difference with AES_128_CBC_SHA1 (the default for anyconnect clients)
# in your system.
# More combinations in priority strings are available, check
# http://gnutls.org/manual/html_node/Priority-Strings.html
# E.g., the string below enforces perfect forward secrecy (PFS) 
# on the main channel.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
# That option requires the established DTLS channel to use the same
# cipher as the primary TLS channel. This cannot be combined with
# listen-clear-file since the ciphersuite information is not available
# in that configuration. Note also, that this option implies that
# dtls-legacy option is false; this option cannot be enforced
# in the legacy/compat protocol.
#match-tls-dtls-ciphers = true
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 240
# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
idle-timeout = 1200
# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
mobile-idle-timeout = 1800
# The time (in seconds) that a client is not allowed to reconnect after 
# a failed authentication attempt.
min-reauth-time = 3
# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
# a KKDCP POST is 1 point, and a connection is 1 point. Note that
# due to difference processes being involved the count of points
# will not be real-time precise.
#
# Score banning cannot be reliably used when receiving proxied connections
# locally from an HTTP server (i.e., when listen-clear-file is used).
#
# Set to zero to disable.
max-ban-score = 50
# The time (in seconds) that all score kept for a client is reset.
ban-reset-time = 300
# In case you'd like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
#ban-points-kkdcp = 1
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. That cookie will be invalidated if not
# used within this timeout value. This cookie remains valid, during
# the user's connected time, and after user disconnection it
# remains active for this amount of time. That setting should allow a
# reasonable amount of time for roaming between different networks.
cookie-timeout = 300
# If this is enabled (not recommended) the cookies will stay
# valid even after a user manually disconnects, and until they
# expire. This may improve roaming with some broken clients.
#persistent-cookies = true
# Whether roaming is allowed, i.e., if true a cookie is
# restricted to a single IP address and cannot be re-used
# from a different IP.
deny-roaming = false
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable (note
# that, some clients fail if rekey is disabled).
rekey-time = 172800
# ReKey method
# Valid options: ssl, new-tunnel
#  ssl: Will perform an efficient rehandshake on the channel allowing
#       a seamless connection during rekey.
#  new-tunnel: Will instruct the client to discard and re-establish the channel.
#       Use this option only if the connecting clients have issues with the ssl
#       option.
rekey-method = ssl
# Script to call when a client connects and obtains an IP.
# The following parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client),
# IP_REAL_LOCAL (the local interface IP the client connected), IP_LOCAL
# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
# In addition the following variables OCSERV_ROUTES (the applied routes for this
# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
# will contain a space separated list of routes or DNS servers. A version
# of these variables with the 4 or 6 suffix will contain only the IPv4 or
# IPv6 values.
# The disconnect script will receive the additional values: STATS_BYTES_IN,
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
# output from the tun device, and the duration of the session in seconds.
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript
# UTMP
# Register the connected clients to utmp. This will allow viewing
# the connected clients using the command 'who'.
#use-utmp = true
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
use-occtl = true
# PID file. It can be overriden in the command line.
pid-file = /run/ocserv.pid
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 3
# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"
#
# Network settings
#
# The name to use for the tun device
device = vpns
# Whether the generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
predictable-ips = true
# The default domain to be advertised
default-domain = example.com
# The pool of addresses that leases will be given from. If the leases
# are given via Radius, or via the explicit-ip? per-user config option then 
# these network values should contain a network with at least a single
# address that will remain under the full control of ocserv (that is
# to be able to assign the local part of the tun device address).
# Note that, you could use addresses from a subnet of your LAN network if you
# enable proxy arp in the LAN interface (see http://infradead.org/ocserv/recipes-ocserv-pseudo-bridge.html);
# in that case it is recommended to set ping-leases to true.
ipv4-network = 192.168.1.0
ipv4-netmask = 255.255.255.0
# An alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24
# The IPv6 subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/48 
# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64
# Whether to tunnel all DNS queries via the VPN. This is the default
# when a default route is set.
#tunnel-all-dns = true
# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
dns = 8.8.8.8
dns = 8.8.4.4
# The NBNS server (if any)
#nbns = 192.168.1.3
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
# Only set to true, if there can be occupied addresses in the
# IP range for leases.
ping-leases = false
# Use this option to set a link MTU value to the incoming
# connections. Unset to use the default MTU of the TUN device.
# Note that the MTU is negotiated using the value set and the
# value sent by the peer.
#mtu = 1420
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the 
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server, or use the special keyword
# 'default'.
route = 10.0.0.0/8
route = 172.16.0.0/12
route = 192.168.0.0/16
#route = fd00::/8
#route = default
# Subsets of the routes above that will not be routed by
# the server.
#no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available
# in Linux systems with iptables software. 
# If set, the script /usr/bin/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing
# any other routes. In case of defaultroute, the no-routes are restricted.
# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
#restrict-user-to-routes = true
# This option implies restrict-user-to-routes set to true. If set, the
# script /usr/bin/ocserv-fw will be called to restrict the user to
# access specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
# You could also use negation, i.e., block the user from accessing these ports only.
#restrict-user-to-ports = "!(tcp(443), tcp(80))"
# When set to true, all client's iroutes are made visible to all
# connecting clients except for the ones offering them. This option
# only makes sense if config-per-user is set.
#expose-iroutes = true
# Groups that a client is allowed to select from.
# A client may belong in multiple groups, and in certain use-cases
# it is needed to switch between them. For these cases the client can
# select prior to authentication. Add multiple entries for multiple groups.
# The group may be followed by a user-friendly name in brackets.
#select-group = group1
#select-group = group2[My special group]
# The name of the (virtual) group that if selected it would assign the user
# to its default group.
#default-select-group = DEFAULT
# Instead of specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full list.
#auto-select-group = true
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
#  ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route,
#  explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, 
#  keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
#  restrict-user-to-routes, user-profile, cgroup, stats-report-time,
#  mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
#  and session-timeout.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below). The no-udp
# is a boolean option (e.g., no-udp = true), and will prevent a UDP session
# for that specific user or group. The hostname option will set a
# hostname to override any proposed by the user. Note also, that, any 
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
#
# The following example is from linux systems. %{R} should be something
# like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24 (the argument of iroute).
#route-add-cmd = "ip route add %{R} dev %{D}"
#route-del-cmd = "ip route delete %{R} dev %{D}"
# This option allows to forward a proxy. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/
# This option allows you to specify a URL location where a client can
# post using MS-KKDCP, and the message will be forwarded to the provided
# KDC server. That is a translation URL between HTTP and Kerberos.
# In MIT kerberos you'll need to add in realms:
#   EXAMPLE.COM = {
#     kdc = https://ocserv.example.com/KdcProxy
#     http_anchors = FILE:/etc/ocserv-ca.pem
#   }
# In some distributions the krb5-k5tls plugin of kinit is required.
#
# The following option is available in ocserv, when compiled with GSSAPI support. 
#kkdcp = "SERVER-PATH KERBEROS-REALM [email protected]:PORT"
#kkdcp = "/KdcProxy KERBEROS.REALM [email protected]:88"
#kkdcp = "/KdcProxy KERBEROS.REALM [email protected]:88"
#kkdcp = "/KdcProxy KERBEROS.REALM [email protected][::1]:88"
#
# The following options are for (experimental) AnyConnect client 
# compatibility. 
# This option will enable the pre-draft-DTLS version of DTLS, and
# will not require clients to present their certificate on every TLS
# connection. It must be set to true to support legacy CISCO clients
# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true.
cisco-client-compat = true
# This option allows to disable the DTLS-PSK negotiation (enabled by default).
# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate
# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the
# DTLS channel to negotiate its ciphers and the DTLS protocol version.
#dtls-psk = false
# This option allows to disable the legacy DTLS negotiation (enabled by default,
# but that may change in the future).
# The legacy DTLS uses a pre-draft version of the DTLS protocol and was
# from AnyConnect protocol. It has several limitations, that are addressed
# by the dtls-psk protocol supported by openconnect 7.08+.
dtls-legacy = true
# Client profile xml. A sample file exists in doc/profile.xml.
# It is required by some of the CISCO clients.
# This file must be accessible from inside the worker's chroot. 
# Note that enabling this option is not recommended as it will allow
# the worker processes to open arbitrary files (when isolate-workers is
# set to true).
#user-profile = /path/to/file.xml
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment. You shouldn't
# need to use this option normally; if you do and you think that
# this may help others, please send your settings and reason to
# the openconnect mailing list. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#custom-header = "X-My-Header: hi there"
# An example virtual host with different authentication methods serviced
# # by this server.
#
# [vhost:www.example.com]
# auth = "certificate"
#
# ca-cert = ../tests/certs/ca.pem
#
# # The certificate set here must include a 'dns_name' corresponding to
# # the virtual host name.
#
# server-cert = ../tests/certs/server-cert-secp521r1.pem
# server-key = ../tests/certs/server-key-secp521r1.pem
#
# ipv4-network = 192.168.2.0
# ipv4-netmask = 255.255.255.0
#
# cert-user-oid = 0.9.2342.19200300.100.1.1
#

1.3.2.3 Modification & The content of OCserv/OpenConnect configuration “/etc/ocserv/ocserv.conf” file after modification

Add # before following lines

route = 10.0.0.0/8
route = 172.16.0.0/12
route = 192.168.0.0/16

Remove # in front of

#route = default

(We can add “no-route” to protect our server LAN network “no-route = 192.168.247.0/255.255.255.0”, thus use the VPN server only for proxy internet traffic.)

no-route = 192.168.5.0/255.255.255.0

Modify following line if necessary (IPv4 network will be used for VPN clients)

ipv4-network = 192.168.1.0

Here we change it to

ipv4-network = 192.168.101.0

Modify DNS server if necessary (You can add other DNS servers or replace them)

dns = 8.8.8.8
dns = 8.8.4.4

Use Ctrl + W, Y, Enter to Exit and save the modification

1.3.2.4 Configuration file after modification
# User authentication method. Could be set multiple times and in 
# that case all should succeed. To enable multiple methods use
# multiple auth directives. Available options: certificate, 
# plain, pam, radius, gssapi.
#
# Note that authentication methods cannot be changed with reload.
# certificate:
#  This indicates that all connecting users must present a certificate.
#
# pam[gid-min=1000]:
#  This enabled PAM authentication of the user. The gid-min option is used 
# by auto-select-group option, in order to select the minimum valid group ID.
#
# plain[passwd=/etc/ocserv/ocpasswd,otp=/etc/ocserv/users.otp]
#  The plain option requires specifying a password file which contains
# entries of the following format.
# "username:groupname1,groupname2:encoded-password"
# One entry must be listed per line, and 'ocpasswd' should be used
# to generate password entries. The 'otp' suboption allows to specify
# an oath password file to be used for one time passwords; the format of
# the file is described in https://code.google.com/p/mod-authn-otp/wiki/UsersFile
#
# radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true,nas-identifier=name]:
#  The radius option requires specifying freeradius-client configuration
# file. If the groupconfig option is set, then config-per-user/group will be overriden,
# and all configuration will be read from radius. That also includes the
# Acct-Interim-Interval, and Session-Timeout values.
#
# See doc/README-radius.md for the supported radius configuration atributes.
#
# gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]
#  The gssapi option allows to use authentication methods supported by GSSAPI,
# such as Kerberos tickets with ocserv. It should be best used as an alternative
# to PAM (i.e., have pam in auth and gssapi in enable-auth), to allow users with
# tickets and without tickets to login. The default value for require-local-user-map
# is true. The 'tgt-freshness-time' if set, it would require the TGT tickets presented
# to have been issued within the provided number of seconds. That option is used to
# restrict logins even if the KDC provides long time TGT tickets.
#auth = "pam"
auth = "pam[gid-min=1000]"
#auth = "plain[passwd=./sample.passwd,otp=./sample.otp]"
#auth = "plain[passwd=./sample.passwd]"
#auth = "certificate"
#auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
# Specify alternative authentication methods that are sufficient
# for authentication. That is, if set, any of the methods enabled
# will be sufficient to login.
#enable-auth = "certificate"
#enable-auth = "gssapi"
#enable-auth = "gssapi[keytab=/etc/key.tab,require-local-user-map=true,tgt-freshness-time=900]"
# Accounting methods available:
# radius: can be combined with any authentication method, it provides
#      radius accounting to available users (see also stats-report-time).
#
# pam: can be combined with any authentication method, it provides
#      a validation of the connecting user's name using PAM. It is
#      superfluous to use this method when authentication is already
#      PAM.
#
# Only one accounting method can be specified.
#acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
# Use listen-host to limit to specific IPs or to the IPs of a provided 
# hostname.
#listen-host = [IP|HOSTNAME]
# When the server has a dynamic DNS address (that may change),
# should set that to true to ask the client to resolve again on
# reconnects.
#listen-host-is-dyndns = true
# TCP and UDP port number
# Note: These options are controlled by ocserv.socket if socket-activated
# version of systemd configuration is used
tcp-port = 443
udp-port = 443
# Accept connections using a socket file. It accepts HTTP
# connections (i.e., without SSL/TLS unlike its TCP counterpart),
# and uses it as the primary channel. That option cannot be
# combined with certificate authentication.
#listen-clear-file = /run/ocserv-conn.socket
# The user the worker processes will be run as. It should be
# unique (no other services run as this user).
run-as-user = nobody
run-as-group = daemon
# socket file used for IPC with occtl. You only need to set that,
# if you use more than a single servers.
#occtl-socket-file = /run/occtl.socket
# socket file used for server IPC (worker-main), will be appended with .PID
# It must be accessible within the chroot environment (if any), so it is best
# specified relatively to the chroot directory.
socket-file = /run/ocserv.socket
# The default server directory. Does not require any devices present.
#chroot-dir = /path/to/chroot
# The key and the certificates of the server
# The key may be a file, or any URL supported by GnuTLS (e.g., 
# tpmkey:uuid=xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx;storage=user
# or pkcs11:object=my-vpn-key;object-type=private)
#
# The server-cert file may contain a single certificate, or
# a sorted certificate chain.
#
# There may be multiple server-cert and server-key directives,
# but each key should correspond to the preceding certificate.
server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key
# Diffie-Hellman parameters. Only needed if you require support
# for the DHE ciphersuites (by default this server supports ECDHE).
# Can be generated using:
# certtool --generate-dh-params --outfile /path/to/dh.pem
#dh-params = /path/to/dh.pem
# In case PKCS #11, TPM or encrypted keys are used the PINs should be available
# in files. The srk-pin-file is applicable to TPM keys only, and is the 
# storage root key.
#pin-file = /path/to/pin.txt
#srk-pin-file = /path/to/srkpin.txt
# The password or PIN needed to unlock the key in server-key file.
# Only needed if the file is encrypted or a PKCS #11 object. This
# is an alternative method to pin-file.
#key-pin = 1234
# The SRK PIN for TPM.
# This is an alternative method to srk-pin-file.
#srk-pin = 1234
# The Certificate Authority that will be used to verify
# client certificates (public keys) if certificate authentication
# is set.
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
### All configuration options below this line are reloaded on a SIGHUP.
### The options above, will remain unchanged. Note however, that the 
### server-cert, server-key, dh-params and ca-cert options will be reloaded
### if the provided file changes, on server reload. That allows certificate
### rotation, but requires the server key to remain the same for seamless
### operation. If the server key changes on reload, there may be connection
### failures during the reloading time.
# Whether to enable seccomp/Linux namespaces worker isolation. That restricts the number of 
# system calls allowed to a worker process, in order to reduce damage from a
# bug in the worker process. It is available on Linux systems at a performance cost.
# The performance cost is roughly 2% overhead at transfer time (tested on a Linux 3.17.8).
# Note however, that process isolation is restricted to the specific libc versions
# the isolation was tested at. If you get random failures on worker processes, try
# disabling that option and report the failures you, along with system and debugging
# information at: https://gitlab.com/ocserv/ocserv/issues
isolate-workers = true
# A banner to be displayed on clients
#banner = "Welcome"
# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 128
# Limit the number of identical clients (i.e., users connecting 
# multiple times). Unset or set to zero for unlimited.
max-same-clients = 2
# When the server receives connections from a proxy, like haproxy
# which supports the proxy protocol, set this to obtain the correct
# client addresses. The proxy protocol (v2) would then be expected in
# the TCP or UNIX socket (not the UDP one).
#listen-proxy-proto = true
# Limit the number of client connections to one every X milliseconds 
# (X is the provided value). Set to zero for no limit.
#rate-limit-ms = 100
# Stats report time. The number of seconds after which each
# worker process will report its usage statistics (number of
# bytes transferred etc). This is useful when accounting like
# radius is in use.
#stats-report-time = 360
# Stats reset time. The period of time statistics kept by main/sec-mod
# processes will be reset. These are the statistics shown by cmd
# 'occtl show stats'. For daily: 86400, weekly: 604800
# This is unrelated to stats-report-time.
server-stats-reset-time = 604800
# Keepalive in seconds
keepalive = 300
# Dead peer detection in seconds.
# Note that when the client is behind a NAT this value
# needs to be short enough to prevent the NAT disassociating
# his UDP session from the port number. Otherwise the client
# could have his UDP connection stalled, for several minutes.
dpd = 60
# Dead peer detection for mobile clients. That needs to
# be higher to prevent such clients being awaken too 
# often by the DPD messages, and save battery.
# The mobile clients are distinguished from the header
# 'X-AnyConnect-Identifier-Platform'.
mobile-dpd = 300
# If using DTLS, and no UDP traffic is received for this
# many seconds, attempt to send future traffic over the TCP
# connection instead, in an attempt to wake up the client
# in the case that there is a NAT and the UDP translation
# was deleted. If this is unset, do not attempt to use this
# recovery mechanism.
switch-to-tcp-timeout = 30
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
# If you have a certificate from a CA that provides an OCSP
# service you may provide a fresh OCSP status response within
# the TLS handshake. That will prevent the client from connecting
# independently on the OCSP server.
# You can update this response periodically using:
# ocsptool --ask --load-cert=your_cert --load-issuer=your_ca --outfile response
# Make sure that you replace the following file in an atomic way.
#ocsp-response = /path/to/ocsp.der
# The object identifier that will be used to read the user ID in the client 
# certificate. The object identifier should be part of the certificate's DN
# Useful OIDs are: 
#  CN = 2.5.4.3, UID = 0.9.2342.19200300.100.1.1
cert-user-oid = 0.9.2342.19200300.100.1.1
# The object identifier that will be used to read the user group in the 
# client certificate. The object identifier should be part of the certificate's
# DN. If the user may belong to multiple groups, then use multiple such fields
# in the certificate's DN. Useful OIDs are: 
#  OU (organizational unit) = 2.5.4.11 
#cert-group-oid = 2.5.4.11
# The revocation list of the certificates issued by the 'ca-cert' above.
# See the manual to generate an empty CRL initially. The CRL will be reloaded
# periodically when ocserv detects a change in the file. To force a reload use
# SIGHUP.
#crl = /path/to/crl.pem
# Uncomment this to enable compression negotiation (LZS, LZ4).
compression = true
# Set the minimum size under which a packet will not be compressed.
# That is to allow low-latency for VoIP packets. The default size
# is 256 bytes. Modify it if the clients typically use compression
# as well of VoIP with codecs that exceed the default value.
no-compress-limit = 256
# GnuTLS priority string; note that SSL 3.0 is disabled by default
# as there are no openconnect (and possibly anyconnect clients) using
# that protocol. The string below does not enforce perfect forward
# secrecy, in order to be compatible with legacy clients.
#
# Note that the most performant ciphersuites are the moment are the ones
# involving AES-GCM. These are very fast in x86 and x86-64 hardware, and
# in addition require no padding, thus taking full advantage of the MTU.
# For that to be taken advantage of, the openconnect client must be
# used, and the server must be compiled against GnuTLS 3.2.7 or later.
# Use "gnutls-cli --benchmark-tls-ciphers", to see the performance
# difference with AES_128_CBC_SHA1 (the default for anyconnect clients)
# in your system.
# More combinations in priority strings are available, check
# http://gnutls.org/manual/html_node/Priority-Strings.html
# E.g., the string below enforces perfect forward secrecy (PFS) 
# on the main channel.
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
# That option requires the established DTLS channel to use the same
# cipher as the primary TLS channel. This cannot be combined with
# listen-clear-file since the ciphersuite information is not available
# in that configuration. Note also, that this option implies that
# dtls-legacy option is false; this option cannot be enforced
# in the legacy/compat protocol.
#match-tls-dtls-ciphers = true
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 240
# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
idle-timeout = 1200
# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
mobile-idle-timeout = 1800
# The time (in seconds) that a client is not allowed to reconnect after 
# a failed authentication attempt.
min-reauth-time = 3
# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
# a KKDCP POST is 1 point, and a connection is 1 point. Note that
# due to difference processes being involved the count of points
# will not be real-time precise.
#
# Score banning cannot be reliably used when receiving proxied connections
# locally from an HTTP server (i.e., when listen-clear-file is used).
#
# Set to zero to disable.
max-ban-score = 50
# The time (in seconds) that all score kept for a client is reset.
ban-reset-time = 300
# In case you'd like to change the default points.
#ban-points-wrong-password = 10
#ban-points-connection = 1
#ban-points-kkdcp = 1
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. That cookie will be invalidated if not
# used within this timeout value. This cookie remains valid, during
# the user's connected time, and after user disconnection it
# remains active for this amount of time. That setting should allow a
# reasonable amount of time for roaming between different networks.
cookie-timeout = 300
# If this is enabled (not recommended) the cookies will stay
# valid even after a user manually disconnects, and until they
# expire. This may improve roaming with some broken clients.
#persistent-cookies = true
# Whether roaming is allowed, i.e., if true a cookie is
# restricted to a single IP address and cannot be re-used
# from a different IP.
deny-roaming = false
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable (note
# that, some clients fail if rekey is disabled).
rekey-time = 172800
# ReKey method
# Valid options: ssl, new-tunnel
#  ssl: Will perform an efficient rehandshake on the channel allowing
#       a seamless connection during rekey.
#  new-tunnel: Will instruct the client to discard and re-establish the channel.
#       Use this option only if the connecting clients have issues with the ssl
#       option.
rekey-method = ssl
# Script to call when a client connects and obtains an IP.
# The following parameters are passed on the environment.
# REASON, USERNAME, GROUPNAME, DEVICE, IP_REAL (the real IP of the client),
# IP_REAL_LOCAL (the local interface IP the client connected), IP_LOCAL
# (the local IP in the P-t-P connection), IP_REMOTE (the VPN IP of the client),
# IPV6_LOCAL (the IPv6 local address if there are both IPv4 and IPv6
# assigned), IPV6_REMOTE (the IPv6 remote address), IPV6_PREFIX, and
# ID (a unique numeric ID); REASON may be "connect" or "disconnect".
# In addition the following variables OCSERV_ROUTES (the applied routes for this
# client), OCSERV_NO_ROUTES, OCSERV_DNS (the DNS servers for this client),
# will contain a space separated list of routes or DNS servers. A version
# of these variables with the 4 or 6 suffix will contain only the IPv4 or
# IPv6 values.
# The disconnect script will receive the additional values: STATS_BYTES_IN,
# STATS_BYTES_OUT, STATS_DURATION that contain a 64-bit counter of the bytes 
# output from the tun device, and the duration of the session in seconds.
#connect-script = /usr/bin/myscript
#disconnect-script = /usr/bin/myscript
# UTMP
# Register the connected clients to utmp. This will allow viewing
# the connected clients using the command 'who'.
#use-utmp = true
# Whether to enable support for the occtl tool (i.e., either through D-BUS,
# or via a unix socket).
use-occtl = true
# PID file. It can be overriden in the command line.
pid-file = /run/ocserv.pid
# Set the protocol-defined priority (SO_PRIORITY) for packets to
# be sent. That is a number from 0 to 6 with 0 being the lowest
# priority. Alternatively this can be used to set the IP Type-
# Of-Service, by setting it to a hexadecimal number (e.g., 0x20).
# This can be set per user/group or globally.
#net-priority = 3
# Set the VPN worker process into a specific cgroup. This is Linux
# specific and can be set per user/group or globally.
#cgroup = "cpuset,cpu:test"
#
# Network settings
#
# The name to use for the tun device
device = vpns
# Whether the generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
predictable-ips = true
# The default domain to be advertised
default-domain = example.com
# The pool of addresses that leases will be given from. If the leases
# are given via Radius, or via the explicit-ip? per-user config option then 
# these network values should contain a network with at least a single
# address that will remain under the full control of ocserv (that is
# to be able to assign the local part of the tun device address).
# Note that, you could use addresses from a subnet of your LAN network if you
# enable proxy arp in the LAN interface (see http://infradead.org/ocserv/recipes-ocserv-pseudo-bridge.html);
# in that case it is recommended to set ping-leases to true.
ipv4-network = 192.168.101.0
ipv4-netmask = 255.255.255.0
# An alternative way of specifying the network:
#ipv4-network = 192.168.1.0/24
# The IPv6 subnet that leases will be given from.
#ipv6-network = fda9:4efe:7e3b:03ea::/48 
# Specify the size of the network to provide to clients. It is
# generally recommended to provide clients with a /64 network in
# IPv6, but any subnet may be specified. To provide clients only
# with a single IP use the prefix 128.
#ipv6-subnet-prefix = 128
#ipv6-subnet-prefix = 64
# Whether to tunnel all DNS queries via the VPN. This is the default
# when a default route is set.
#tunnel-all-dns = true
# The advertized DNS server. Use multiple lines for
# multiple servers.
# dns = fc00::4be0
dns = 8.8.8.8
dns = 8.8.4.4
# The NBNS server (if any)
#nbns = 192.168.1.3
# The domains over which the provided DNS should be used. Use
# multiple lines for multiple domains.
#split-dns = example.com
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
# Only set to true, if there can be occupied addresses in the
# IP range for leases.
ping-leases = false
# Use this option to set a link MTU value to the incoming
# connections. Unset to use the default MTU of the TUN device.
# Note that the MTU is negotiated using the value set and the
# value sent by the peer.
#mtu = 1420
# Unset to enable bandwidth restrictions (in bytes/sec). The
# setting here is global, but can also be set per user or per group.
#rx-data-per-sec = 40000
#tx-data-per-sec = 40000
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10
# Routes to be forwarded to the client. If you need the
# client to forward routes to the server, you may use the 
# config-per-user/group or even connect and disconnect scripts.
#
# To set the server as the default gateway for the client just
# comment out all routes from the server, or use the special keyword
# 'default'.
#route = 10.0.0.0/8
#route = 172.16.0.0/12
#route = 192.168.0.0/16
#route = fd00::/8
route = default
# Subsets of the routes above that will not be routed by
# the server.
#no-route = 192.168.5.0/255.255.255.0
# Note the that following two firewalling options currently are available
# in Linux systems with iptables software. 
# If set, the script /usr/bin/ocserv-fw will be called to restrict
# the user to its allowed routes and prevent him from accessing
# any other routes. In case of defaultroute, the no-routes are restricted.
# All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
# --removeall. This option can be set globally or in the per-user configuration.
#restrict-user-to-routes = true
# This option implies restrict-user-to-routes set to true. If set, the
# script /usr/bin/ocserv-fw will be called to restrict the user to
# access specific ports in the network. This option can be set globally
# or in the per-user configuration.
#restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"
# You could also use negation, i.e., block the user from accessing these ports only.
#restrict-user-to-ports = "!(tcp(443), tcp(80))"
# When set to true, all client's iroutes are made visible to all
# connecting clients except for the ones offering them. This option
# only makes sense if config-per-user is set.
#expose-iroutes = true
# Groups that a client is allowed to select from.
# A client may belong in multiple groups, and in certain use-cases
# it is needed to switch between them. For these cases the client can
# select prior to authentication. Add multiple entries for multiple groups.
# The group may be followed by a user-friendly name in brackets.
#select-group = group1
#select-group = group2[My special group]
# The name of the (virtual) group that if selected it would assign the user
# to its default group.
#default-select-group = DEFAULT
# Instead of specifying manually all the allowed groups, you may instruct
# ocserv to scan all available groups and include the full list.
#auto-select-group = true
# Configuration files that will be applied per user connection or
# per group. Each file name on these directories must match the username
# or the groupname.
# The options allowed in the configuration files are dns, nbns,
#  ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route,
#  explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp, 
#  keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
#  restrict-user-to-routes, user-profile, cgroup, stats-report-time,
#  mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
#  and session-timeout.
#
# Note that the 'iroute' option allows to add routes on the server
# based on a user or group. The syntax depends on the input accepted
# by the commands route-add-cmd and route-del-cmd (see below). The no-udp
# is a boolean option (e.g., no-udp = true), and will prevent a UDP session
# for that specific user or group. The hostname option will set a
# hostname to override any proposed by the user. Note also, that, any 
# routes, no-routes, DNS or NBNS servers present will overwrite the global ones.
#config-per-user = /etc/ocserv/config-per-user/
#config-per-group = /etc/ocserv/config-per-group/
# When config-per-xxx is specified and there is no group or user that
# matches, then utilize the following configuration.
#default-user-config = /etc/ocserv/defaults/user.conf
#default-group-config = /etc/ocserv/defaults/group.conf
# The system command to use to setup a route. %{R} will be replaced with the
# route/mask, %{RI} with the route in CIDR format, and %{D} with the (tun) device.
#
# The following example is from linux systems. %{R} should be something
# like 192.168.2.0/255.255.255.0 and %{RI} 192.168.2.0/24 (the argument of iroute).
#route-add-cmd = "ip route add %{R} dev %{D}"
#route-del-cmd = "ip route delete %{R} dev %{D}"
# This option allows to forward a proxy. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#proxy-url = http://example.com/
#proxy-url = http://example.com/%{U}/
# This option allows you to specify a URL location where a client can
# post using MS-KKDCP, and the message will be forwarded to the provided
# KDC server. That is a translation URL between HTTP and Kerberos.
# In MIT kerberos you'll need to add in realms:
#   EXAMPLE.COM = {
#     kdc = https://ocserv.example.com/KdcProxy
#     http_anchors = FILE:/etc/ocserv-ca.pem
#   }
# In some distributions the krb5-k5tls plugin of kinit is required.
#
# The following option is available in ocserv, when compiled with GSSAPI support. 
#kkdcp = "SERVER-PATH KERBEROS-REALM [email protected]:PORT"
#kkdcp = "/KdcProxy KERBEROS.REALM [email protected]:88"
#kkdcp = "/KdcProxy KERBEROS.REALM [email protected]:88"
#kkdcp = "/KdcProxy KERBEROS.REALM [email protected][::1]:88"
#
# The following options are for (experimental) AnyConnect client 
# compatibility. 
# This option will enable the pre-draft-DTLS version of DTLS, and
# will not require clients to present their certificate on every TLS
# connection. It must be set to true to support legacy CISCO clients
# and openconnect clients < 7.08. When set to true, it implies dtls-legacy = true.
cisco-client-compat = true
# This option allows to disable the DTLS-PSK negotiation (enabled by default).
# The DTLS-PSK negotiation was introduced in ocserv 0.11.5 to deprecate
# the pre-draft-DTLS negotiation inherited from AnyConnect. It allows the
# DTLS channel to negotiate its ciphers and the DTLS protocol version.
#dtls-psk = false
# This option allows to disable the legacy DTLS negotiation (enabled by default,
# but that may change in the future).
# The legacy DTLS uses a pre-draft version of the DTLS protocol and was
# from AnyConnect protocol. It has several limitations, that are addressed
# by the dtls-psk protocol supported by openconnect 7.08+.
dtls-legacy = true
# Client profile xml. A sample file exists in doc/profile.xml.
# It is required by some of the CISCO clients.
# This file must be accessible from inside the worker's chroot. 
# Note that enabling this option is not recommended as it will allow
# the worker processes to open arbitrary files (when isolate-workers is
# set to true).
#user-profile = /path/to/file.xml
#Advanced options
# Option to allow sending arbitrary custom headers to the client after
# authentication and prior to VPN tunnel establishment. You shouldn't
# need to use this option normally; if you do and you think that
# this may help others, please send your settings and reason to
# the openconnect mailing list. The special keywords '%{U}'
# and '%{G}', if present will be replaced by the username and group name.
#custom-header = "X-My-Header: hi there"
# An example virtual host with different authentication methods serviced
# # by this server.
#
# [vhost:www.example.com]
# auth = "certificate"
#
# ca-cert = ../tests/certs/ca.pem
#
# # The certificate set here must include a 'dns_name' corresponding to
# # the virtual host name.
#
# server-cert = ../tests/certs/server-cert-secp521r1.pem
# server-key = ../tests/certs/server-key-secp521r1.pem
#
# ipv4-network = 192.168.2.0
# ipv4-netmask = 255.255.255.0
#
# cert-user-oid = 0.9.2342.19200300.100.1.1
#

2 Get the OCserv/OpenConnect VPN Server and Clients running

2.1 On the Ubuntu Server 19, we restart the ocserv process to apply the settings we just made

sudo systemctl restart ocserv

2.2 On the client

(We can use Cisco Anyconnect client on iOS, Android on other platforms/OS) (Here we use Windows 10) we can install openconnect-gui client or Cisco Anyconnect client, in the example we use openconnect-gui

2.2.1 We download and install the client, openconnect-gui

Download link: https://github.com/openconnect/openconnect-gui/releases

2.2.2 Once done, launch the client

OpenConnect-GUI VPN client icon
OpenConnect-GUI VPN client icon

2.2.3 Click on the icon then click on “New profile”

OpenConnect-GUI Create new profile
OpenConnect-GUI Create new profile

2.2.4 Enter your Ubuntu Server IP address “https://Ubuntu Server IP address”, click on “Save & Connect” button

OpenConnect-GUI Gateway
OpenConnect-GUI Gateway

2.2.5 Click on “Accurate information” to continue (You can click on “Show Details…” button to have a look on the certificate file if necessary)

OpenConnect-GUI Accept certificate
OpenConnect-GUI Accept certificate

2.2.6 If it did not ask for your username, click on “Connect” button

OpenConnect-GUI Connect
OpenConnect-GUI Connect

2.2.7 Enter your Ubuntu Server 19 username and password, then click on “OK” button to connect

OpenConnect-GUI - Connect - Username
OpenConnect-GUI – Connect – Username
OpenConnect-GUI - Connect - Password
OpenConnect-GUI – Connect – Password

2.2.8 We should be connected now, a green lock icon will appear, click on “View log” to view connection information/log if necessary

OpenConnect-GUI - Connected
OpenConnect-GUI – Connected

2.2.9 Click on “VPN Info” Tab, we will see more information about current connection

OpenConnect-GUI - VPN Info
OpenConnect-GUI – VPN Info

3 Get the OCserv/OpenConnect VPN Server connection information

3.1 Show current ocserv status

sudo occtl -n show status
Show current ocserv status
Show current ocserv status

3.2 Show current online users

sudo occtl -n show users
Show current online users
Show current online users

3.3 Other show options

[email protected]:~$ sudo occtl -n show
[sudo] password for dc1:
      show status       Prints the status and statistics of the server
       show users       Prints the connected users
     show ip bans       Prints the banned IP addresses
 show ip ban points     Prints all the known IP addresses which have points
     show iroutes       Prints the routes provided by users of the server
 show sessions all      Prints all the session IDs
 show sessions valid    Prints all the valid for reconnection sessions
 show session [SID]     Prints information on the specified session
    show user [NAME]    Prints information on the specified user
      show id [ID]      Prints information on the specified ID
      show events       Provides information about connecting users
 show cookies all       Alias for show sessions all
 show cookies valid     Alias for show sessions valid
[email protected]:~$

3.4 Kick/Disconnect user

sudo occtl disconnect user [username]
 
# e.g.
sudo occtl disconnect user test
or
sudo occtl disconnect id [id number]

4 Extend

4.1 Use dedicate VPN account/username and password pair rather than using system user accounts (PAM) by default

4.1.1 Create user test with password test

sudo ocpaswd -c /etc/ocserv/ocpasswd test
ocpasswd create user
ocpasswd create user

4.1.2 Make ocserv authenticate through dedicate user accounts file for client to login by modifying ocserv configuration file

sudo nnao /etc/ocserv/ocserv.conf

Add # in front of

auth = "pam[gid-min=1000]"

Add a new line

auth = "plain[passwd=/etc/ocserv/ocpasswd]"

Restart ocserv server

sudo systemctl restart ocserv

Now we can use username:test and password:test to login to VPN

4.1.3 Delete/Remove VPN users

sudo nano /etc/ocserv/ocpasswd

Remove the line with unwanted username (Here we only have user “test”, if we remove this line, user test will not be able to login to VPN again)

ocpasswd file
ocpasswd file

Use Ctrl + X, Y, Enter key to Exit and Save the file

4.2 Create different user groups and assign them different routing tables (route, no-route etc.)

4.2.1 Create users with groups

sudo ocpasswd -c /etc/ocserv/ocpasswd -g group1 test1
 
sudo ocpasswd -c /etc/ocserv/ocpasswd -g group2 test2
Create two users with different groups
Create two users with different groups

4.2.2 Create different group rules/routing tables/route

# Create folder for saving group configuration files
sudo mkdir /etc/ocserv/groups
 
# Create route rules for group1
sudo bash -c 'echo "route=192.168.101.1/24" > /etc/ocserv/groups/group1'
 
# Create route rules for group 2
sudo bash -c 'echo "no-route=192.168.102.1/24" > /etc/ocserv/groups/group2'

4.2.3 Modify configuration file to use our group configuration file

4.2.3.1 We can use nano to edit the file or use echo >> to append configuration to the bottom of the file (By default those settings are commented out, otherwise we have to replace them rather than append)

# Per Group config folder
sudo bash -c 'echo "config-per-group = /etc/ocserv/groups/" >> /etc/ocserv/ocserv.conf'
 
# If we do not specify user group, when creating the user, by default they will use routing tables from group1
sudo bash -c 'echo "default-group-config = /etc/ocserv/groups/group1" >> /etc/ocserv/ocserv.conf'
 
# The name of the (virtual) group that if selected it would assign the user to its default group. (If we do not specify user group, when creating the user, by default they will use routing tables from group1)
sudo bash -c 'echo "default-select-group = group1" >> /etc/ocserv/ocserv.conf'

4.2.3.2 Restart the ocserv process

sudo systemctl restart ocserv

4.2.3.3 Now we can use test1:test1 test2:test2 to test connections

4.3 Configure “default-domain”

4.3.1 Open the configuration file

sudo nano /etc/ocserv/ocserv.conf

4.3.2 Find “default-domain = example.com” and replace the “exapmle.com” with the external IP address or proper domain name that users will use to connect to the VPN server

4.3.3 Save and Exit the file and Restart the ocserv process

Ctrl + X, Y, Enter key
 
sudo systemctl restart ocserv

4.4 Configure SSL certificate

4.4.1 Regenerate system default SSL certificates

By default ocserv uses system default ssl certificates at following location

/etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/ssl/private/ssl-cert-snakeoil.key

We can use following command to regenerate those certificates

sudo make-ssl-cert generate-default-snakeoil --force-overwrite

4.4.2 Create our own self-signed SSL certificates

We can use following command to create our own self-signed SSL certificates

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout certificate-key.key -out certificate-cert.pem

More on self-signed SSL certificates/openssl command can be found here: How to: Create self-signed SSL/TLS certificates on Linux/Ubuntu etc. easily & quickly (Use self-signed with caution!)

4.4.3 Configure ocserv to use specific SSL certificates

sudo nano /etc/ocserv/ocserv.conf

4.4.3.1 Find following lines

server-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem
server-key = /etc/ssl/private/ssl-cert-snakeoil.key
ca-cert = /etc/ssl/certs/ssl-cert-snakeoil.pem

4.4.3.2 Modify as desired

4.4.3.3 Save and Exit the file and Restart the ocserv process

Ctrl + X, Y, Enter key
 
sudo systemctl restart ocserv

4.5 Optimization

4.5.1 Change ocserv ports (Usually 443 is the best port for SSL VPN) if necessary

sudo nano /etc/ocserv/ocserv.conf

4.5.1.1 Find following lines

tcp-port = 443
udp-port = 443

4.5.1.2 Modify as desired

4.5.1.3 Save and Exit the file and Restart the ocserv process

Ctrl + X, Y, Enter key
 
sudo systemctl restart ocserv

4.5.2 Limit the number of clients

Modify if necessary

sudo nano /etc/ocserv/ocserv.conf

4.5.2.1 Find following lines

# Limit the number of clients. Unset or set to zero for unlimited.
#max-clients = 1024
max-clients = 128

4.5.2.2 Save and Exit the file and Restart the ocserv process

Ctrl + X, Y, Enter key
 
sudo systemctl restart ocserv

4.5.3 Limit the number of identical clients (users connecting multiple times)

Modify if necessary

sudo nano /etc/ocserv/ocserv.conf

4.5.3.1 Find following lines

# Limit the number of identical clients (i.e., users connecting multiple times). Unset or set to zero for unlimited.
max-same-clients = 2

4.5.3.2 Save and Exit the file and Restart the ocserv process

Ctrl + X, Y, Enter key
 
sudo systemctl restart ocserv

4.5.4 Other places in configuration file we can look into to optimize

Configuration file: /etc/ocserv/ocserv.conf

# Keepalive in seconds
keepalive = 300
 
# Dead peer detection in seconds.
# Note that when the client is behind a NAT this value
# needs to be short enough to prevent the NAT disassociating
# his UDP session from the port number. Otherwise the client
# could have his UDP connection stalled, for several minutes.
dpd = 60
 
# Dead peer detection for mobile clients. That needs to
# be higher to prevent such clients being awaken too
# often by the DPD messages, and save battery.
# The mobile clients are distinguished from the header
# 'X-AnyConnect-Identifier-Platform'.
mobile-dpd = 300
 
## Set to true may improve performance
# MTU discovery (DPD must be enabled)
try-mtu-discovery = false
 
# If using DTLS, and no UDP traffic is received for this
# many seconds, attempt to send future traffic over the TCP
# connection instead, in an attempt to wake up the client
# in the case that there is a NAT and the UDP translation
# was deleted. If this is unset, do not attempt to use this
# recovery mechanism.
switch-to-tcp-timeout = 30
 
# The time (in seconds) that a client is allowed to stay connected prior
# to authentication
auth-timeout = 240
 
# The time (in seconds) that a client is allowed to stay idle (no traffic)
# before being disconnected. Unset to disable.
idle-timeout = 1200
 
# The time (in seconds) that a mobile client is allowed to stay idle (no
# traffic) before being disconnected. Unset to disable.
mobile-idle-timeout = 1800
 
# Banning clients in ocserv works with a point system. IP addresses
# that get a score over that configured number are banned for
# min-reauth-time seconds. By default a wrong password attempt is 10 points,
# a KKDCP POST is 1 point, and a connection is 1 point. Note that
# due to difference processes being involved the count of points
# will not be real-time precise.
#
# Score banning cannot be reliably used when receiving proxied connections
# locally from an HTTP server (i.e., when listen-clear-file is used).
#
# Set to zero to disable.
max-ban-score = 50
 
# The time (in seconds) that all score kept for a client is reset.
ban-reset-time = 300
 
# Cookie timeout (in seconds)
# Once a client is authenticated he's provided a cookie with
# which he can reconnect. That cookie will be invalidated if not
# used within this timeout value. This cookie remains valid, during
# the user's connected time, and after user disconnection it
# remains active for this amount of time. That setting should allow a
# reasonable amount of time for roaming between different networks.
cookie-timeout = 300
 
# Whether roaming is allowed, i.e., if true a cookie is
# restricted to a single IP address and cannot be re-used
# from a different IP.
deny-roaming = false
 
# ReKey time (in seconds)
# ocserv will ask the client to refresh keys periodically once
# this amount of seconds is elapsed. Set to zero to disable (note
# that, some clients fail if rekey is disabled).
rekey-time = 172800
 
# The name to use for the tun device
device = vpns
 
# Whether the generated IPs will be predictable, i.e., IP stays the
# same for the same user when possible.
predictable-ips = true
 
# Prior to leasing any IP from the pool ping it to verify that
# it is not in use by another (unrelated to this server) host.
# Only set to true, if there can be occupied addresses in the
# IP range for leases.
ping-leases = false
 
# Use this option to set a link MTU value to the incoming
# connections. Unset to use the default MTU of the TUN device.
# Note that the MTU is negotiated using the value set and the
# value sent by the peer.
#mtu = 1420
 
## Depending on latendy/throuput requirements
# The number of packets (of MTU size) that are available in
# the output buffer. The default is low to improve latency.
# Setting it higher will improve throughput.
#output-buffer = 10

4.5.5 ocpasswd command (From ocserv)

Add user

sudo ocpasswd -c /etc/ocserv/ocpasswd [username]

Add user to group

sudo ocpasswd -c /etc/ocserv/ocpasswd -g [GroupName] [UserName]

Lock user

sudo ocpasswd -c /etc/ocserv/ocpasswd -l [username]

Unlock user

sudo ocpasswd -c /etc/ocserv/ocpasswd -u [username]

Delete/Remove user

sudo ocpasswd -c /etc/ocserv/ocpasswd -d [username]

ocpasswd help

ocpasswd help
ocpasswd help

4.5.6 occtl command (From ocserv)

Show ocserv current status

sudo occtl -n show status
Show ocserv current status
Show ocserv current status

Show online user details

sudo occtl -n show users
Show online user details
Show online user details

Show all session IDs

sudo occtl -n show sessions all
Show all session IDs
Show all session IDs

Kick/Disconnect online users by their username

sudo occtl disconnect user [username]

Kick/Disconnect online users by their ID

sudo occtl disconnect id [UserID]

occtl help

occtl help
occtl help

4.5.7 Ubuntu system optimization

Enabling TCP BBR congestion control algorithm

4.5.5.1 Check current congestion control algorithm that Ubuntu Server is using (By default it should be cubic)

sysctl net.ipv4.tcp_congestion_control
 
# Output
net.ipv4.tcp_congestion_control = cubic

4.5.5.2 Check supported congestion control algorithm

sysctl net.ipv4.tcp_available_congestion_control
 
# Output
net.ipv4.tcp_available_congestion_control = reno cubic

4.5.5.3 Enabling BBR by using following commands

Append settings to the end of “/etc/sysctl.conf” file, then apply

sudo bash -c 'echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf'
 
sudo bash -c 'echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf'
 
sudo sysctl -p

Note: (To revert the changes just remove net.core.default_qdisc=fq and net.ipv4.tcp_congestion_control=bbr, then use sudo sysctl -p again to apply the revert)

4.5.5.4 Check current congestion control algorithm

sysctl net.ipv4.tcp_congestion_control
 
# Output
net.ipv4.tcp_congestion_control = bbr

4.5.8 Increase ulimit number (Open Files limit)

By default ulimit is 1024, which can be one of the bottleneck for ocserv process when there are too many connections or users

Increase it and adjust the number accordingly, here in the example we increase it to 51200 (You have to find a number that suites your system, or it might crash the system when it’s under pressure)

# Increase soft limit to 512000 for all users (The default is 1024)
sudo bash -c 'echo "* soft nofile 512000" >> /etc/security/limits.conf'
 
# Increase hard limit to 512000 for all users(The default is 1024)
sudo bash -c 'echo "* hard nofile 512000" >> /etc/security/limits.conf'
 
# Restart the system
sudo reboot

(We can also use “ulimit -n 51200” to make temporary change, it will be lost after reboot)

Check current Hard limit, Soft limit

ulimit -Hn
 
ulimit -Sn
 
# Check limit other users
su - www-data -c 'ulimit -aHS' -s '/bin/bash'
Other places might need to be changed to make it work (Sometimes we need to modify this value as well)

Change System-Wide Limit:

Modify the value (2097152) accordingly

# Append the changes to the bottom of the sysctl.conf file
sudo bash -c 'echo "fs.file-max = 2097152" >> /etc/sysctl.conf'
 
# Apply the change
sudo sysctl -p
ulimit vs fs.file-max

file-max is the maximum File Descriptors (FD) enforced on a kernel level, which cannot be surpassed by all processes without increasing. The ulimit is enforced on a process level, which can be less than the file-max. [4]

Resources

[1] “ocserv 1.0.0”, Openconnect VPN Server. [Online]. Available: https://ocserv.gitlab.io/www/manual.html

[2] “OpenConnect VPN client.”, Infradead.org, 2020. [Online]. Available: https://www.infradead.org/openconnect

[3] “openconnect/openconnect-gui”, GitHub, 2020. [Online]. Available: https://github.com/openconnect/openconnect-gui/releases

[4] “How do ulimit -n and /proc/sys/fs/file-max differ?”, Server Fault, 2020. [Online]. Available: https://serverfault.com/questions/122679/how-do-ulimit-n-and-proc-sys-fs-file-max-differ.


How to: sudo echo without permission error on Linux

The Issue

If we do “sudo echo > /etc/xxx” we will get error saying “-bash: /etc/aaa: Permission denied”

The Fix

That’s because the redirection is done before sudo is invoked

We can use following ways to resolve it

Method 1 – bash -c

sudo bash -c 'echo "test" > /etc/aaa'
 
# Append
sudo bash -c 'echo "test" >> /etc/aaa'

Method 2 – tee

echo "test" | sudo tee /etc/bbb
 
# Append
echo "test" | sudo tee /etc/bbb -a

Results
Results

How to: Check/View ports in use/listening ports locally on Linux/Debian/Ubuntu/Kali Linux/CentOS/Fedora/RHEL etc.

  1. netstat command
  2. lsof command
  3. Extra

netstat command

sudo netstat -tulpn
 
sudo netstat -tulpn | grep LISTEN
 
# *ss is the substitute of netstat
ss -tulpn
ss -tulpn | grep LISTEN
sudo netstat -tulpn
sudo netstat -tulpn
sudo netstat -tuln | grep LISTEN
sudo netstat -tuln | grep LISTEN

-t: Show only TCP sockets on Linux
-u: Show only UDP sockets on Linux
-l: Show listening sockets. For example, TCP port 80 is opened by Apache server.
-p: List process name that opened sockets
-n: Don’t resolve service names i.e. don’t use DNS

lsof command

sudo lsof -i -n -P
 
# List all listening ports
sudo lsof -i -n -P | grep LISTEN
 
# View specific port, 443 in this case
sudo lsof -i:443

-i: Select IPv[46] files

-n: no host names

-P: no port names

Extra

Help documents

(Back to top)

netstat – help

[email protected]:~$ netstat --help
usage: netstat [-vWeenNcCF] [<Af>] -r         netstat {-V|--version|-h|--help}
       netstat [-vWnNcaeol] [<Socket> ...]
       netstat { [-vWeenNac] -i | [-cnNe] -M | -s [-6tuw] }
        -r, --route              display routing table
        -i, --interfaces         display interface table
        -g, --groups             display multicast group memberships
        -s, --statistics         display networking statistics (like SNMP)
        -M, --masquerade         display masqueraded connections
        -v, --verbose            be verbose
        -W, --wide               don't truncate IP addresses
        -n, --numeric            don't resolve names
        --numeric-hosts          don't resolve host names
        --numeric-ports          don't resolve port names
        --numeric-users          don't resolve user names
        -N, --symbolic           resolve hardware names
        -e, --extend             display other/more information
        -p, --programs           display PID/Program name for sockets
        -o, --timers             display timers
        -c, --continuous         continuous listing
        -l, --listening          display listening server sockets
        -a, --all                display all sockets (default: connected)
        -F, --fib                display Forwarding Information Base (default)
        -C, --cache              display routing cache instead of FIB
        -Z, --context            display SELinux security context for sockets
  <Socket>={-t|--tcp} {-u|--udp} {-U|--udplite} {-S|--sctp} {-w|--raw}
           {-x|--unix} --ax25 --ipx --netrom
  <AF>=Use '-6|-4' or '-A <af>' or '--<af>'; default: inet
  List of possible address families (which support routing):
    inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25)
    netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP)
    x25 (CCITT X.25)
[email protected]:~$

lsof – help

[email protected]:~$ lsof -?
lsof 4.91
 latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
 latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
 latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
 usage: [-?abhKlnNoOPRtUvVX] [+|-c c] [+|-d s] [+D D] [+|-E] [+|-e s] [+|-f[gG]]
 [-F [f]] [-g [s]] [-i [i]] [+|-L [l]] [+m [m]] [+|-M] [-o [o]] [-p s]
 [+|-r [t]] [-s [p:s]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Defaults in parentheses; comma-separated set (s) items; dash-separated ranges.
  -?|-h list help          -a AND selections (OR)     -b avoid kernel blocks
  -c c  cmd c ^c /c/[bix]  +c w  COMMAND width (9)    +d s  dir s files
  -d s  select by FD set   +D D  dir D tree *SLOW?*   +|-e s  exempt s *RISKY*
  -i select IPv[46] files  -K [i] list|(i)gn tasKs    -l list UID numbers
  -n no host names         -N select NFS files        -o list file offset
  -O no overhead *RISKY*   -P no port names           -R list paRent PID
  -s list file size        -t terse listing           -T disable TCP/TPI info
  -U select Unix socket    -v list version info       -V verbose search
  +|-w  Warnings (+)       -X skip TCP&UDP* files     -Z Z  context [Z]
  -- end option scan
  -E display endpoint info              +E display endpoint info and files
  +f|-f  +filesystem or -file names     +|-f[gG] flaGs
  -F [f] select fields; -F? for help
  +|-L [l] list (+) suppress (-) link counts < l (0 = all; default = 0)
                                        +m [m] use|create mount supplement
  +|-M   portMap registration (-)       -o o   o 0t offset digits (8)
  -p s   exclude(^)|select PIDs         -S [t] t second stat timeout (15)
  -T qs TCP/TPI Q,St (s) info
  -g [s] exclude(^)|select and print process group IDs
  -i i   select by IPv[46] address: [46][proto][@host|addr][:svc_list|port_list]
  +|-r [t[m<fmt>]] repeat every t seconds (15);  + until no files, - forever.
       An optional suffix to t is m<fmt>; m must separate t from <fmt> and
      <fmt> is an strftime(3) format for the marker line.
  -s p:s  exclude(^)|select protocol (p = TCP|UDP) states by name(s).
  -u s   exclude(^)|select login|UID set s
  -x [fl] cross over +d|+D File systems or symbolic Links
  names  select named files or files on named file systems
Anyone can list all files; /dev warnings disabled; kernel ID check disabled.
[email protected]:~$

man page

(Back to top)

man netstat

NETSTAT(8)                                                                 Linux System Administrator's Manual                                                                 NETSTAT(8)
NAME
       netstat - Print network connections, routing tables, interface statistics, masquerade connections, and multicast memberships
SYNOPSIS
       netstat  [address_family_options]  [--tcp|-t]  [--udp|-u]  [--udplite|-U]  [--sctp|-S]  [--raw|-w]  [--l2cap|-2]  [--rfcomm|-f]  [--listening|-l] [--all|-a] [--numeric|-n] [--nu‐
       meric-hosts] [--numeric-ports] [--numeric-users] [--symbolic|-N] [--extend|-e[--extend|-e]] [--timers|-o] [--program|-p] [--verbose|-v] [--continuous|-c] [--wide|-W]
       netstat {--route|-r} [address_family_options] [--extend|-e[--extend|-e]] [--verbose|-v] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c]
       netstat {--interfaces|-i} [--all|-a] [--extend|-e[--extend|-e]] [--verbose|-v] [--program|-p] [--numeric|-n]  [--numeric-hosts]  [--numeric-ports]  [--numeric-users]  [--continu‐
       ous|-c]
       netstat {--groups|-g} [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c]
       netstat {--masquerade|-M} [--extend|-e] [--numeric|-n] [--numeric-hosts] [--numeric-ports] [--numeric-users] [--continuous|-c]
       netstat {--statistics|-s} [--tcp|-t] [--udp|-u] [--udplite|-U] [--sctp|-S] [--raw|-w]
       netstat {--version|-V}
       netstat {--help|-h}
       address_family_options:
       [-4|--inet]  [-6|--inet6]  [--protocol={inet,inet6,unix,ipx,ax25,netrom,ddp,bluetooth,  ...  } ] [--unix|-x] [--inet|--ip|--tcpip] [--ax25] [--x25] [--rose] [--ash] [--bluetooth]
       [--ipx] [--netrom] [--ddp|--appletalk] [--econet|--ec]
NOTES
       This program is mostly obsolete.  Replacement for netstat is ss.  Replacement for netstat -r is ip route.  Replacement for netstat -i is ip -s link.  Replacement for  netstat  -g
       is ip maddr.
DESCRIPTION
       Netstat prints information about the Linux networking subsystem.  The type of information printed is controlled by the first argument, as follows:
   (none)
       By default, netstat displays a list of open sockets.  If you don't specify any address families, then the active sockets of all configured address families will be printed.
   --route, -r
       Display the kernel routing tables. See the description in route(8) for details.  netstat -r and route -e produce the same output.
   --groups, -g
       Display multicast group membership information for IPv4 and IPv6.
   --interfaces, -i
       Display a table of all network interfaces.
   --masquerade, -M
       Display a list of masqueraded connections.
   --statistics, -s
       Display summary statistics for each protocol.
OPTIONS
   --verbose, -v
       Tell the user what is going on by being verbose. Especially print some useful information about unconfigured address families.
   --wide, -W
       Do not truncate IP addresses by using output as wide as needed. This is optional for now to not break existing scripts.
   --numeric, -n
       Show numerical addresses instead of trying to determine symbolic host, port or user names.
   --numeric-hosts
       shows numerical host addresses but does not affect the resolution of port or user names.
   --numeric-ports
       shows numerical port numbers but does not affect the resolution of host or user names.
   --numeric-users
       shows numerical user IDs but does not affect the resolution of host or port names.
   --protocol=family, -A
       Specifies  the address families (perhaps better described as low level protocols) for which connections are to be shown.  family is a comma (',') separated list of address family
       keywords like inet, inet6, unix, ipx, ax25, netrom, econet, ddp, and bluetooth.  This has the same effect as using the --inet|-4, --inet6|-6, --unix|-x, --ipx, --ax25,  --netrom,
       --ddp, and --bluetooth options.
       The address family inet (Iv4) includes raw, udp, udplite and tcp protocol sockets.
       The address family bluetooth (Iv4) includes l2cap and rfcomm protocol sockets.
   -c, --continuous
       This will cause netstat to print the selected information every second continuously.
   -e, --extend
       Display additional information.  Use this option twice for maximum detail.
   -o, --timers
       Include information related to networking timers.
   -p, --program
       Show the PID and name of the program to which each socket belongs.
   -l, --listening
       Show only listening sockets.  (These are omitted by default.)
   -a, --all
       Show both listening and non-listening sockets.  With the --interfaces option, show interfaces that are not up
   -F
       Print routing information from the FIB.  (This is the default.)
   -C
       Print routing information from the route cache.
OUTPUT
   Active Internet connections (TCP, UDP, UDPLite, raw)
   Proto
       The protocol (tcp, udp, udpl, raw) used by the socket.
   Recv-Q
       Established: The count of bytes not copied by the user program connected to this socket.  Listening: Since Kernel 2.6.18 this column contains the current syn backlog.
   Send-Q
       Established: The count of bytes not acknowledged by the remote host.  Listening: Since Kernel 2.6.18 this column contains the maximum size of the syn backlog.
   Local Address
       Address  and port number of the local end of the socket.  Unless the --numeric (-n) option is specified, the socket address is resolved to its canonical host name (FQDN), and the
       port number is translated into the corresponding service name.
   Foreign Address
       Address and port number of the remote end of the socket.  Analogous to "Local Address".
   State
       The state of the socket. Since there are no states in raw mode and usually no states used in UDP and UDPLite, this column may be left blank. Normally this can be one  of  several
       values:
       ESTABLISHED
              The socket has an established connection.
       SYN_SENT
              The socket is actively attempting to establish a connection.
       SYN_RECV
              A connection request has been received from the network.
       FIN_WAIT1
              The socket is closed, and the connection is shutting down.
       FIN_WAIT2
              Connection is closed, and the socket is waiting for a shutdown from the remote end.
       TIME_WAIT
              The socket is waiting after close to handle packets still in the network.
       CLOSE  The socket is not being used.
       CLOSE_WAIT
              The remote end has shut down, waiting for the socket to close.
       LAST_ACK
              The remote end has shut down, and the socket is closed. Waiting for acknowledgement.
       LISTEN The socket is listening for incoming connections.  Such sockets are not included in the output unless you specify the --listening (-l) or --all (-a) option.
       CLOSING
              Both sockets are shut down but we still don't have all our data sent.
       UNKNOWN
              The state of the socket is unknown.
   User
       The username or the user id (UID) of the owner of the socket.
   PID/Program name
       Slash-separated  pair  of  the  process id (PID) and process name of the process that owns the socket.  --program causes this column to be included.  You will also need superuser
       privileges to see this information on sockets you don't own.  This identification information is not yet available for IPX sockets.
   Timer
       (this needs to be written)
   Active UNIX domain Sockets
   Proto
       The protocol (usually unix) used by the socket.
   RefCnt
       The reference count (i.e. attached processes via this socket).
   Flags
       The flags displayed is SO_ACCEPTON (displayed as ACC), SO_WAITDATA (W) or SO_NOSPACE (N).  SO_ACCECPTON is used on unconnected sockets if their corresponding processes are  wait‐
       ing for a connect request. The other flags are not of normal interest.
   Type
       There are several types of socket access:
       SOCK_DGRAM
              The socket is used in Datagram (connectionless) mode.
       SOCK_STREAM
              This is a stream (connection) socket.
       SOCK_RAW
              The socket is used as a raw socket.
       SOCK_RDM
              This one serves reliably-delivered messages.
       SOCK_SEQPACKET
              This is a sequential packet socket.
       SOCK_PACKET
              Raw interface access socket.
       UNKNOWN
              Who ever knows what the future will bring us - just fill in here :-)
   State
       This field will contain one of the following Keywords:
       FREE   The socket is not allocated
       LISTENING
              The socket is listening for a connection request.  Such sockets are only included in the output if you specify the --listening (-l) or --all (-a) option.
       CONNECTING
              The socket is about to establish a connection.
       CONNECTED
              The socket is connected.
       DISCONNECTING
              The socket is disconnecting.
       (empty)
              The socket is not connected to another one.
       UNKNOWN
              This state should never happen.
   PID/Program name
       Process ID (PID) and process name of the process that has the socket open.  More info available in Active Internet connections section written above.
   Path
       This is the path name as which the corresponding processes attached to the socket.
   Active IPX sockets
       (this needs to be done by somebody who knows it)
   Active NET/ROM sockets
       (this needs to be done by somebody who knows it)
   Active AX.25 sockets
       (this needs to be done by somebody who knows it)
FILES
       /etc/services -- The services translation file
       /proc -- Mount point for the proc filesystem, which gives access to kernel status information via the following files.
       /proc/net/dev -- device information
       /proc/net/raw -- raw socket information
       /proc/net/tcp -- TCP socket information
       /proc/net/udp -- UDP socket information
       /proc/net/udplite -- UDPLite socket information
       /proc/net/igmp -- IGMP multicast information
       /proc/net/unix -- Unix domain socket information
       /proc/net/ipx -- IPX socket information
       /proc/net/ax25 -- AX25 socket information
       /proc/net/appletalk -- DDP (appletalk) socket information
       /proc/net/nr -- NET/ROM socket information
       /proc/net/route -- IP routing information
       /proc/net/ax25_route -- AX25 routing information
       /proc/net/ipx_route -- IPX routing information
       /proc/net/nr_nodes -- NET/ROM nodelist
       /proc/net/nr_neigh -- NET/ROM neighbours
       /proc/net/ip_masquerade -- masqueraded connections
       /sys/kernel/debug/bluetooth/l2cap -- Bluetooth L2CAP information
       /sys/kernel/debug/bluetooth/rfcomm -- Bluetooth serial connections
       /proc/net/snmp -- statistics
SEE ALSO
       route(8), ifconfig(8), iptables(8), proc(5) ss(8) ip(8)
BUGS
       Occasionally strange information may appear if a socket changes as it is viewed. This is unlikely to occur.
AUTHORS
       The  netstat  user interface was written by Fred Baumgarten <[email protected]>, the man page basically by Matt Welsh <[email protected]>. It was updated by Alan
       Cox <[email protected]>, updated again by Tuan Hoang <[email protected]>. The man page and the command included in the net-tools package is totally rewritten by  Bernd  Ecken‐
       fels <[email protected]>.  UDPLite options were added by Brian Micek <[email protected]>
net-tools                                                                               2014-10-07                                                                             NETSTAT(8)
[email protected]:~$

man lsof

(Back to top)

LSOF(8)                                                                          System Manager's Manual                                                                          LSOF(8)
NAME
       lsof - list open files
SYNOPSIS
       lsof [ -?abChlnNOPRtUvVX ] [ -A A ] [ -c c ] [ +c c ] [ +|-d d ] [ +|-D D ] [ +|-e s ] [ +|-E ] [ +|-f [cfgGn] ] [ -F [f] ] [ -g [s] ] [ -i [i] ] [ -k k ] [ -K k ] [ +|-L [l] ] [
       +|-m m ] [ +|-M ] [ -o [o] ] [ -p s ] [ +|-r [t[m<fmt>]] ] [ -s [p:s] ] [ -S [t] ] [ -T [t] ] [ -u s ] [ +|-w ] [ -x [fl] ] [ -z [z] ] [ -Z [Z] ] [ -- ] [names]
DESCRIPTION
       Lsof revision 4.91 lists on its standard output file information about files opened by processes for the following UNIX dialects:
            Apple Darwin 9 and Mac OS X 10.[567]
            FreeBSD 8.[234], 9.0 and 1[012].0 for AMD64-based systems
            Linux 2.1.72 and above for x86-based systems
            Solaris 9, 10 and 11
       (See the DISTRIBUTION section of this manual page for information on how to obtain the latest lsof revision.)
       An open file may be a regular file, a directory, a block special file, a character special file, an executing text reference, a library, a stream  or  a  network  file  (Internet
       socket, NFS file or UNIX domain socket.)  A specific file or all the files in a file system may be selected by path.
       Instead of a formatted display, lsof will produce output that can be parsed by other programs.  See the -F, option description, and the OUTPUT FOR OTHER PROGRAMS section for more
       information.
       In addition to producing a single output list, lsof will run in repeat mode.  In repeat mode it will produce output, delay, then repeat the output operation until stopped with an
       interrupt or quit signal.  See the +|-r [t[m<fmt>]] option description for more information.
OPTIONS
       In the absence of any options, lsof lists all open files belonging to all active processes.
       If  any  list  request option is specified, other list requests must be specifically requested - e.g., if -U is specified for the listing of UNIX socket files, NFS files won't be
       listed unless -N is also specified; or if a user list is specified with the -u option, UNIX domain socket files, belonging to users not in the list, won't be listed unless the -U
       option is also specified.
       Normally  list  options  that are specifically stated are ORed - i.e., specifying the -i option without an address and the -ufoo option produces a listing of all network files OR
       files belonging to processes owned by user ``foo''.  The exceptions are:
       1) the `^' (negated) login name or user ID (UID), specified with the -u option;
       2) the `^' (negated) process ID (PID), specified with the -p option;
       3) the `^' (negated) process group ID (PGID), specified with the -g option;
       4) the `^' (negated) command, specified with the -c option;
       5) the (`^') negated TCP or UDP protocol state names, specified with the -s [p:s] option.
       Since they represent exclusions, they are applied without ORing or ANDing and take effect before any other selection criteria are applied.
       The -a option may be used to AND the selections.  For example, specifying -a, -U, and -ufoo produces a listing of only UNIX socket files that belong to processes  owned  by  user
       ``foo''.
       Caution:  the  -a  option  causes all list selection options to be ANDed; it can't be used to cause ANDing of selected pairs of selection options by placing it between them, even
       though its placement there is acceptable.  Wherever -a is placed, it causes the ANDing of all selection options.
       Items of the same selection set - command names, file descriptors, network addresses, process identifiers, user identifiers, zone names, security contexts - are joined in a  sin‐
       gle  ORed set and applied before the result participates in ANDing.  Thus, for example, specifying [email protected], [email protected], -a, and -ufff,ggg will select the listing of files that
       belong to either login ``fff'' OR ``ggg'' AND have network connections to either host aaa.bbb OR ccc.ddd.
       Options may be grouped together following a single prefix -- e.g., the option set ``-a -b -C'' may be stated as -abC.  However, since values are optional following +|-f, -F,  -g,
       -i, +|-L, -o, +|-r, -s, -S, -T, -x and -z.  when you have no values for them be careful that the following character isn't ambiguous.  For example, -Fn might represent the -F and
       -n options, or it might represent the n field identifier character following the -F option.  When ambiguity is possible, start a new option with a  `-'  character  -  e.g.,  ``-F
       -n''.  If the next option is a file name, follow the possibly ambiguous option with ``--'' - e.g., ``-F -- name''.
       Either the `+' or the `-' prefix may be applied to a group of options.  Options that don't take on separate meanings for each prefix - e.g., -i - may be grouped under either pre‐
       fix.  Thus, for example, ``+M -i'' may be stated as ``+Mi'' and the group means the same as the separate options.  Be careful of prefix grouping when one or more options  in  the
       group  does  take  on separate meanings under different prefixes - e.g., +|-M; ``-iM'' is not the same request as ``-i +M''.  When in doubt, use separate options with appropriate
       prefixes.
       -? -h    These two equivalent options select a usage (help) output list.  Lsof displays a shortened form of this output when it detects an error in the options  supplied  to  it,
                after it has displayed messages explaining each error.  (Escape the `?' character as your shell requires.)
       -a       causes list selection options to be ANDed, as described above.
       -A A     is available on systems configured for AFS whose AFS kernel code is implemented via dynamic modules.  It allows the lsof user to specify A as an alternate name list file
                where the kernel addresses of the dynamic modules might be found.  See the lsof FAQ (The FAQ section gives its location.)  for more information  about  dynamic  modules,
                their symbols, and how they affect lsof.
       -b       causes lsof to avoid kernel functions that might block - lstat(2), readlink(2), and stat(2).
                See the BLOCKS AND TIMEOUTS and AVOIDING KERNEL BLOCKS sections for information on using this option.
       -c c     selects  the  listing  of files for processes executing the command that begins with the characters of c.  Multiple commands may be specified, using multiple -c options.
                They are joined in a single ORed set before participating in AND option selection.
                If c begins with a `^', then the following characters specify a command name whose processes are to be ignored (excluded.)
                If c begins and ends with a slash ('/'), the characters between the slashes are interpreted as a regular expression.  Shell meta-characters  in  the  regular  expression
                must be quoted to prevent their interpretation by the shell.  The closing slash may be followed by these modifiers:
                     b    the regular expression is a basic one.
                     i    ignore the case of letters.
                     x    the regular expression is an extended one
                          (default).
                See the lsof FAQ (The FAQ section gives its location.)  for more information on basic and extended regular expressions.
                The simple command specification is tested first.  If that test fails, the command regular expression is applied.  If the simple command test succeeds, the command regu‐
                lar expression test isn't made.  This may result in ``no command found for regex:'' messages when lsof's -V option is specified.
       +c w     defines the maximum number of initial characters of the name, supplied by the UNIX dialect, of the UNIX command associated with a process to be printed  in  the  COMMAND
                column.  (The lsof default is nine.)
                Note  that  many  UNIX dialects do not supply all command name characters to lsof in the files and structures from which lsof obtains command name.  Often dialects limit
                the number of characters supplied in those sources.  For example, Linux 2.4.27 and Solaris 9 both limit command name length to 16 characters.
                If w is zero ('0'), all command characters supplied to lsof by the UNIX dialect will be printed.
                If w is less than the length of the column title, ``COMMAND'', it will be raised to that length.
       -C       disables the reporting of any path name components from the kernel's name cache.  See the KERNEL NAME CACHE section for more information.
       +d s     causes lsof to search for all open instances of directory s and the files and directories it contains at its top level.  +d does NOT descend the directory  tree,  rooted
                at s.  The +D D option may be used to request a full-descent directory tree search, rooted at directory D.
                Processing  of  the  +d option does not follow symbolic links within s unless the -x or -x  l option is also specified.  Nor does it search for open files on file system
                mount points on subdirectories of s unless the -x or -x  f option is also specified.
                Note: the authority of the user of this option limits it to searching for files that the user has permission to examine with the system stat(2) function.
       -d s     specifies a list of file descriptors (FDs) to exclude from or include in the output listing.  The file descriptors are specified in the comma-separated  set  s  -  e.g.,
                ``cwd,1,3'', ``^6,^2''.  (There should be no spaces in the set.)
                The list is an exclusion list if all entries of the set begin with `^'.  It is an inclusion list if no entry begins with `^'.  Mixed lists are not permitted.
                A  file  descriptor  number range may be in the set as long as neither member is empty, both members are numbers, and the ending member is larger than the starting one -
                e.g., ``0-7'' or ``3-10''.  Ranges may be specified for exclusion if they have the `^' prefix - e.g., ``^0-7'' excludes all file descriptors 0 through 7.
                Multiple file descriptor numbers are joined in a single ORed set before participating in AND option selection.
                When there are exclusion and inclusion members in the set, lsof reports them as errors and exits with a non-zero return code.
                See the description of File Descriptor (FD) output values in the OUTPUT section for more information on file descriptor names.
       +D D     causes lsof to search for all open instances of directory D and all the files and directories it contains to its complete depth.
                Processing of the +D option does not follow symbolic links within D unless the -x or -x  l option is also specified.  Nor does it search for open files  on  file  system
                mount points on subdirectories of D unless the -x or -x  f option is also specified.
                Note: the authority of the user of this option limits it to searching for files that the user has permission to examine with the system stat(2) function.
                Further  note:  lsof  may  process  this option slowly and require a large amount of dynamic memory to do it.  This is because it must descend the entire directory tree,
                rooted at D, calling stat(2) for each file and directory, building a list of all the files it finds, and searching that list for a match with every open file.  When  di‐
                rectory D is large, these steps can take a long time, so use this option prudently.
       -D D     directs lsof's use of the device cache file.  The use of this option is sometimes restricted.  See the DEVICE CACHE FILE section and the sections that follow it for more
                information on this option.
                -D must be followed by a function letter; the function letter may optionally be followed by a path name.  Lsof recognizes these function letters:
                     ? - report device cache file paths
                     b - build the device cache file
                     i - ignore the device cache file
                     r - read the device cache file
                     u - read and update the device cache file
                The b, r, and u functions, accompanied by a path name, are sometimes restricted.  When these functions are restricted, they will not appear in the description of the  -D
                option  that  accompanies  -h  or  -?  option output.  See the DEVICE CACHE FILE section and the sections that follow it for more information on these functions and when
                they're restricted.
                The ?  function reports the read-only and write paths that lsof can use for the device cache file, the names of any environment variables whose values lsof will  examine
                when forming the device cache file path, and the format for the personal device cache file path.  (Escape the `?' character as your shell requires.)
                When available, the b, r, and u functions may be followed by the device cache file's path.  The standard default is .lsof_hostname in the home directory of the real user
                ID that executes lsof, but this could have been changed when lsof was configured and compiled.  (The output of the -h and -?  options show the current default  prefix  -
                e.g., ``.lsof''.)  The suffix, hostname, is the first component of the host's name returned by gethostname(2).
                When available, the b function directs lsof to build a new device cache file at the default or specified path.
                The i function directs lsof to ignore the default device cache file and obtain its information about devices via direct calls to the kernel.
                The  r function directs lsof to read the device cache at the default or specified path, but prevents it from creating a new device cache file when none exists or the ex‐
                isting one is improperly structured.  The r function, when specified without a path name, prevents lsof from updating an incorrect or outdated device cache file, or cre‐
                ating  a new one in its place.  The r function is always available when it is specified without a path name argument; it may be restricted by the permissions of the lsof
                process.
                When available, the u function directs lsof to read the device cache file at the default or specified path, if possible, and to rebuild it, if necessary.   This  is  the
                default device cache file function when no -D option has been specified.
       +|-e s   exempts  the  file  system  whose  path name is s from being subjected to kernel function calls that might block.  The +e option exempts stat(2), lstat(2) and most read‐
                link(2) kernel function calls.  The -e option exempts only stat(2) and lstat(2) kernel function calls.  Multiple file systems may be specified with separate +|-e  speci‐
                fications and each may have readlink(2) calls exempted or not.
                This option is currently implemented only for Linux.
                CAUTION:  this  option can easily be mis-applied to other than the file system of interest, because it uses path name rather than the more reliable device and inode num‐
                bers.  (Device and inode numbers are acquired via the potentially blocking stat(2) kernel call and are thus not available, but see the +|-m m option as a possible alter‐
                native way to supply device numbers.)  Use this option with great care and fully specify the path name of the file system to be exempted.
                When  open  files  on exempted file systems are reported, it may not be possible to obtain all their information.  Therefore, some information columns will be blank, the
                characters ``UNKN'' preface the values in the TYPE column, and the applicable exemption option is added in parentheses to the end of the NAME column.  (Some device  num‐
                ber information might be made available via the +|-m m option.)
       +|-E     +E  specifies  that Linux pipe, Linux UNIX socket and Linux pseudoterminal files should be displayed with endpoint information and the files of the endpoints should also
                be displayed.  Note: UNIX socket file endpoint information is only available when the compile flags line of -v output contains HASUXSOCKEPT, and  psudoterminal  endpoint
                information is only available when the compile flags line contains HASPTYEPT.
                Pipe  endpoint  information is displayed in the NAME column in the form ``PID,cmd,FDmode'', where PID is the endpoint process ID; cmd is the endpoint process command; FD
                is the endpoint file's descriptor; and mode is the endpoint file's access mode.
                Pseudoterminal endpoint information is displayed in the NAME column as ``->/dev/ptsmin PID,cmd,FDmode'' or ``PID,cmd,FDmode''.  The first form is for  a  master  device;
                the  second, for a slave device.  min is a slave device's minor device number; and PID, cmd, FD and mode are the same as with pipe endpoint information.  Note: psudoter‐
                minal endpoint information is only available when the compile flags line of -V output contains HASPTYEPT.
                UNIX socket file endpoint information is displayed in the NAME column in the form
                ``type=TYPE ->INO=INODE PID,cmd,FDmode'', where TYPE is the socket type; INODE is the i-node number of the connected socket; and PID, cmd, FD and mode are  the  same  as
                with pipe endpoint information.  Note: UNIX socket file endpoint information is available only when the compile flags line of -v output contains HASUXSOCKEPT.
                Multiple occurrences of this information can appear in a file's NAME column.
                -E specfies that Linux pipe and Linux UNIX socket files should be displayed with endpoint information, but not the files of the endpoints.
       +|-f [cfgGn]
                f  by  itself clarifies how path name arguments are to be interpreted.  When followed by c, f, g, G, or n in any combination it specifies that the listing of kernel file
                structure information is to be enabled (`+') or inhibited (`-').
                Normally a path name argument is taken to be a file system name if it matches a mounted-on directory name reported by mount(8), or if it represents a block device, named
                in  the  mount  output  and associated with a mounted directory name.  When +f is specified, all path name arguments will be taken to be file system names, and lsof will
                complain if any are not.  This can be useful, for example, when the file system name (mounted-on device) isn't a block device.  This happens for some  CD-ROM  file  sys‐
                tems.
                When  -f  is  specified by itself, all path name arguments will be taken to be simple files.  Thus, for example, the ``-f -- /'' arguments direct lsof to search for open
                files with a `/' path name, not all open files in the `/' (root) file system.
                Be careful to make sure +f and -f are properly terminated and aren't followed by a character (e.g., of the file or file system name) that might be taken as a  parameter.
                For example, use ``--'' after +f and -f as in these examples.
                     $ lsof +f -- /file/system/name
                     $ lsof -f -- /file/name
                The  listing of information from kernel file structures, requested with the +f [cfgGn] option form, is normally inhibited, and is not available in whole or part for some
                dialects - e.g., /proc-based Linux kernels below 2.6.22.  When the prefix to f is a plus sign (`+'), these characters request file structure information:
                     c    file structure use count (not Linux)
                     f    file structure address (not Linux)
                     g    file flag abbreviations (Linux 2.6.22 and up)
                     G    file flags in hexadecimal (Linux 2.6.22 and up)
                     n    file structure node address (not Linux)
                When the prefix is minus (`-') the same characters disable the listing of the indicated values.
                File structure addresses, use counts, flags, and node addresses may be used to detect more readily identical files inherited by child processes and  identical  files  in
                use by different processes.  Lsof column output can be sorted by output columns holding the values and listed to identify identical file use, or lsof field output can be
                parsed by an AWK or Perl post-filter script, or by a C program.
       -F f     specifies a character list, f, that selects the fields to be output for processing by another program, and the character that terminates each output field.   Each  field
                to be output is specified with a single character in f.  The field terminator defaults to NL, but may be changed to NUL (000).  See the OUTPUT FOR OTHER PROGRAMS section
                for a description of the field identification characters and the field output process.
                When the field selection character list is empty, all standard fields are selected (except the raw device field, security context and zone field for  compatibility  rea‐
                sons) and the NL field terminator is used.
                When  the field selection character list contains only a zero (`0'), all fields are selected (except the raw device field for compatibility reasons) and the NUL termina‐
                tor character is used.
                Other combinations of fields and their associated field terminator character must be set with explicit entries in f, as described in the OUTPUT FOR OTHER  PROGRAMS  sec‐
                tion.
                When  a  field selection character identifies an item lsof does not normally list - e.g., PPID, selected with -R - specification of the field character - e.g., ``-FR'' -
                also selects the listing of the item.
                When the field selection character list contains the single character `?', lsof will display a help list of the field identification characters.  (Escape the `?' charac‐
                ter as your shell requires.)
       -g [s]   excludes or selects the listing of files for the processes whose optional process group IDentification (PGID) numbers are in the comma-separated set s - e.g., ``123'' or
                ``123,^456''.  (There should be no spaces in the set.)
                PGID numbers that begin with `^' (negation) represent exclusions.
                Multiple PGID numbers are joined in a single ORed set before participating in AND option selection.  However, PGID exclusions are applied without  ORing  or  ANDing  and
                take effect before other selection criteria are applied.
                The -g option also enables the output display of PGID numbers.  When specified without a PGID set that's all it does.
       -i [i]   selects the listing of files any of whose Internet address matches the address specified in i.  If no address is specified, this option selects the listing of all Inter‐
                net and x.25 (HP-UX) network files.
                If -i4 or -i6 is specified with no following address, only files of the indicated IP version, IPv4 or IPv6, are displayed.  (An IPv6 specification may be  used  only  if
                the dialects supports IPv6, as indicated by ``[46]'' and ``IPv[46]'' in lsof's -h or -?  output.)  Sequentially specifying -i4, followed by -i6 is the same as specifying
                -i, and vice-versa.  Specifying -i4, or -i6 after -i is the same as specifying -i4 or -i6 by itself.
                Multiple addresses (up to a limit of 100) may be specified with multiple -i options.  (A port number or service name range is counted as one address.)  They  are  joined
                in a single ORed set before participating in AND option selection.
                An Internet address is specified in the form (Items in square brackets are optional.):
                [46][protocol][@hostname|hostaddr][:service|port]
                where:
                     46 specifies the IP version, IPv4 or IPv6
                          that applies to the following address.
                          '6' may be be specified only if the UNIX
                          dialect supports IPv6.  If neither '4' nor
                          '6' is specified, the following address
                          applies to all IP versions.
                     protocol is a protocol name - TCP, UDP
                     hostname is an Internet host name.  Unless a
                          specific IP version is specified, open
                          network files associated with host names
                          of all versions will be selected.
                     hostaddr is a numeric Internet IPv4 address in
                          dot form; or an IPv6 numeric address in
                          colon form, enclosed in brackets, if the
                          UNIX dialect supports IPv6.  When an IP
                          version is selected, only its numeric
                          addresses may be specified.
                     service is an /etc/services name - e.g., smtp -
                          or a list of them.
                     port is a port number, or a list of them.
                IPv6  options  may  be  used only if the UNIX dialect supports IPv6.  To see if the dialect supports IPv6, run lsof and specify the -h or -?  (help) option.  If the dis‐
                played description of the -i option contains ``[46]'' and ``IPv[46]'', IPv6 is supported.
                IPv4 host names and addresses may not be specified if network file selection is limited to IPv6 with -i 6.  IPv6 host names and addresses may not be specified if network
                file selection is limited to IPv4 with -i 4.  When an open IPv4 network file's address is mapped in an IPv6 address, the open file's type will be IPv6, not IPv4, and its
                display will be selected by '6', not '4'.
                At least one address component - 4, 6, protocol, hostname, hostaddr, or service - must be supplied.  The `@' character, leading the host  specification,  is  always  re‐
                quired;  as  is  the `:', leading the port specification.  Specify either hostname or hostaddr.  Specify either service name list or port number list.  If a service name
                list is specified, the protocol may also need to be specified if the TCP, UDP and UDPLITE port numbers for the service name are different.  Use any case - lower or upper
                - for protocol.
                Service  names  and port numbers may be combined in a list whose entries are separated by commas and whose numeric range entries are separated by minus signs.  There may
                be no embedded spaces, and all service names must belong to the specified protocol.  Since service names may contain embedded minus signs, the starting entry of a  range
                can't be a service name; it can be a port number, however.
                Here are some sample addresses:
                     -i6 - IPv6 only
                     TCP:25 - TCP and port 25
                     @1.2.3.4 - Internet IPv4 host address 1.2.3.4
                     @[3ffe:1ebc::1]:1234 - Internet IPv6 host address
                          3ffe:1ebc::1, port 1234
                     UDP:who - UDP who service port
                     [email protected]:513 - TCP, port 513 and host name lsof.itap
                     [email protected]:1-10,smtp,99 - TCP, ports 1 through 10,
                          service name smtp, port 99, host name foo
                     [email protected]:1-smtp - TCP, ports 1 through smtp, host bar
                     :time - either TCP, UDP or UDPLITE time service port
       -K k     selects the listing of tasks (threads) of processes, on dialects where task (thread) reporting is supported.  (If help output - i.e., the output of the -h or -?  options
                - shows this option, then task (thread) reporting is supported by the dialect.)
                If -K is followed by a value, k, it must be ``i''.  That causes lsof to ignore tasks, particularly in the default, list-everything case when no other options are  speci‐
                fied.
                When -K and -a are both specified on Linux, and the tasks of a main process are selected by other options, the main process will also be listed as though it were a task,
                but without a task ID.  (See the description of the TID column in the OUTPUT section.)
                Where the FreeBSD version supports threads, all threads will be listed with their IDs.
                In general threads and tasks inherit the files of the caller, but may close some and open others, so lsof always reports all the open files of threads and tasks.
       -k k     specifies a kernel name list file, k, in place of /vmunix, /mach, etc.  -k is not available under AIX on the IBM RISC/System 6000.
       -l       inhibits the conversion of user ID numbers to login names.  It is also useful when login name lookup is working improperly or slowly.
       +|-L [l] enables (`+') or disables (`-') the listing of file link counts, where they are available - e.g., they aren't available for sockets, or most FIFOs and pipes.
                When +L is specified without a following number, all link counts will be listed.  When -L is specified (the default), no link counts will be listed.
                When +L is followed by a number, only files having a link count less than that number will be listed.  (No number may follow -L.)  A specification of  the  form  ``+L1''
                will select open files that have been unlinked.  A specification of the form ``+aL1 <file_system>'' will select unlinked open files on the specified file system.
                For other link count comparisons, use field output (-F) and a post-processing script or program.
       +|-m m   specifies an alternate kernel memory file or activates mount table supplement processing.
                The option form -m m specifies a kernel memory file, m, in place of /dev/kmem or /dev/mem - e.g., a crash dump file.
                The option form +m requests that a mount supplement file be written to the standard output file.  All other options are silently ignored.
                There will be a line in the mount supplement file for each mounted file system, containing the mounted file system directory, followed by a single space, followed by the
                device number in hexadecimal "0x" format - e.g.,
                     / 0x801
                Lsof can use the mount supplement file to get device numbers for file systems when it can't get them via stat(2) or lstat(2).
                The option form +m m identifies m as a mount supplement file.
                Note: the +m and +m m options are not available for all supported dialects.  Check the output of lsof's -h or -?  options to see if the +m and +m m  options  are  avail‐
                able.
       +|-M     Enables  (+) or disables (-) the reporting of portmapper registrations for local TCP, UDP and UDPLITE ports, where port mapping is supported.  (See the last paragraph of
                this option description for information about where portmapper registration reporting is supported.)
                The default reporting mode is set by the lsof builder with the HASPMAPENABLED #define in the dialect's machine.h header file; lsof is distributed with the HASPMAPENABLED
                #define  deactivated,  so  portmapper  reporting  is disabled by default and must be requested with +M.  Specifying lsof's -h or -?  option will report the default mode.
                Disabling portmapper registration when it is already disabled or enabling it when already enabled is acceptable.  When portmapper registration reporting is enabled, lsof
                displays  the  portmapper  registration  (if  any) for local TCP, UDP or UDPLITE ports in square brackets immediately following the port numbers or service names - e.g.,
                ``:1234[name]'' or ``:name[100083]''.  The registration information may be a name or number, depending on what the registering program supplied to the portmapper when it
                registered the port.
                When  portmapper  registration reporting is enabled, lsof may run a little more slowly or even become blocked when access to the portmapper becomes congested or stopped.
                Reverse the reporting mode to determine if portmapper registration reporting is slowing or blocking lsof.
                For purposes of portmapper registration reporting lsof considers a TCP, UDP or UDPLITE port local if: it is found in the local part of its containing  kernel  structure;
                or  if it is located in the foreign part of its containing kernel structure and the local and foreign Internet addresses are the same; or if it is located in the foreign
                part of its containing kernel structure and the foreign Internet address is INADDR_LOOPBACK (127.0.0.1).  This rule may make lsof ignore some foreign ports  on  machines
                with multiple interfaces when the foreign Internet address is on a different interface from the local one.
                See the lsof FAQ (The FAQ section gives its location.)  for further discussion of portmapper registration reporting issues.
                Portmapper  registration reporting is supported only on dialects that have RPC header files.  (Some Linux distributions with GlibC 2.14 do not have them.)  When portmap‐
                per registration reporting is supported, the -h or -?  help output will show the +|-M option.
       -n       inhibits the conversion of network numbers to host names for network files.  Inhibiting conversion may make lsof run faster.  It is also useful when host name lookup  is
                not working properly.
       -N       selects the listing of NFS files.
       -o       directs lsof to display file offset at all times.  It causes the SIZE/OFF output column title to be changed to OFFSET.  Note: on some UNIX dialects lsof can't obtain ac‐
                curate or consistent file offset information from its kernel data sources, sometimes just for particular kinds of files (e.g., socket files.)  Consult the lsof FAQ  (The
                FAQ section gives its location.)  for more information.
                The  -o  and  -s options are mutually exclusive; they can't both be specified.  When neither is specified, lsof displays whatever value - size or offset - is appropriate
                and available for the type of the file.
       -o o     defines the number of decimal digits (o) to be printed after the ``0t'' for a file offset before the form is switched to ``0x...''.  An o value of zero  (unlimited)  di‐
                rects lsof to use the ``0t'' form for all offset output.
                This  option  does  NOT  direct  lsof  to display offset at all times; specify -o (without a trailing number) to do that.  -o o only specifies the number of digits after
                ``0t'' in either mixed size and offset or offset-only output.  Thus, for example, to direct lsof to display offset at all times with a decimal digit count of 10, use:
                     -o -o 10
                or
                     -oo10
                The default number of digits allowed after ``0t'' is normally 8, but may have been changed by the lsof builder.  Consult the description of the -o o option in the output
                of the -h or -?  option to determine the default that is in effect.
       -O       directs  lsof  to bypass the strategy it uses to avoid being blocked by some kernel operations - i.e., doing them in forked child processes.  See the BLOCKS AND TIMEOUTS
                and AVOIDING KERNEL BLOCKS sections for more information on kernel operations that may block lsof.
                While use of this option will reduce lsof startup overhead, it may also cause lsof to hang when the kernel doesn't respond to a function.  Use this option cautiously.
       -p s     excludes or selects the listing of files for the processes whose optional process IDentification (PID) numbers are in the  comma-separated  set  s  -  e.g.,  ``123''  or
                ``123,^456''.  (There should be no spaces in the set.)
                PID numbers that begin with `^' (negation) represent exclusions.
                Multiple  process  ID  numbers are joined in a single ORed set before participating in AND option selection.  However, PID exclusions are applied without ORing or ANDing
                and take effect before other selection criteria are applied.
       -P       inhibits the conversion of port numbers to port names for network files.  Inhibiting the conversion may make lsof run a little faster.  It is also useful when port  name
                lookup is not working properly.
       +|-r [t[m<fmt>]]
                puts  lsof  in repeat mode.  There lsof lists open files as selected by other options, delays t seconds (default fifteen), then repeats the listing, delaying and listing
                repetitively until stopped by a condition defined by the prefix to the option.
                If the prefix is a `-', repeat mode is endless.  Lsof must be terminated with an interrupt or quit signal.
                If the prefix is `+', repeat mode will end the first cycle no open files are listed - and of course when lsof is stopped with an interrupt or quit signal.   When  repeat
                mode ends because no files are listed, the process exit code will be zero if any open files were ever listed; one, if none were ever listed.
                Lsof  marks  the  end  of  each  listing:  if field output is in progress (the -F, option has been specified), the default marker is `m'; otherwise the default marker is
                ``========''.  The marker is followed by a NL character.
                The optional "m<fmt>" argument specifies a format for the marker line.  The <fmt> characters following `m' are interpreted as a format specification to  the  strftime(3)
                function,  when  both it and the localtime(3) function are available in the dialect's C library.  Consult the strftime(3) documentation for what may appear in its format
                specification.  Note that when field output is requested with the -F option, <fmt> cannot contain the NL format, ``%n''.  Note also that when <fmt>  contains  spaces  or
                other characters that affect the shell's interpretation of arguments, <fmt> must be quoted appropriately.
                Repeat mode reduces lsof startup overhead, so it is more efficient to use this mode than to call lsof repetitively from a shell script, for example.
                To use repeat mode most efficiently, accompany +|-r with specification of other lsof selection options, so the amount of kernel memory access lsof does will be kept to a
                minimum.  Options that filter at the process level - e.g., -c, -g, -p, -u - are the most efficient selectors.
                Repeat mode is useful when coupled with field output (see the -F, option description) and a supervising awk or Perl script, or a C program.
       -R       directs lsof to list the Parent Process IDentification number in the PPID column.
       -s [p:s] s alone directs lsof to display file size at all times.  It causes the SIZE/OFF output column title to be changed to SIZE.  If the file does not have a size, nothing  is
                displayed.
                The optional -s p:s form is available only for selected dialects, and only when the -h or -?  help output lists it.
                When  the  optional form is available, the s may be followed by a protocol name (p), either TCP or UDP, a colon (`:') and a comma-separated protocol state name list, the
                option causes open TCP and UDP files to be excluded if their state name(s) are in the list (s) preceded by a `^'; or included if their name(s) are not preceded by a `^'.
                Dialects that support this option may support only one protocol.  When an unsupported protocol is specified, a message will be displayed indicating state names  for  the
                protocol are unavailable.
                When  an  inclusion list is defined, only network files with state names in the list will be present in the lsof output.  Thus, specifying one state name means that only
                network files with that lone state name will be listed.
                Case is unimportant in the protocol or state names, but there may be no spaces and the colon (`:') separating the protocol name (p) and the state name list  (s)  is  re‐
                quired.
                If  only TCP and UDP files are to be listed, as controlled by the specified exclusions and inclusions, the -i option must be specified, too.  If only a single protocol's
                files are to be listed, add its name as an argument to the -i option.
                For example, to list only network files with TCP state LISTEN, use:
                     -iTCP -sTCP:LISTEN
                Or, for example, to list network files with all UDP states except Idle, use:
                     -iUDP -sUDP:Idle
                State names vary with UNIX dialects, so it's not possible to provide a complete list.  Some common TCP  state  names  are:  CLOSED,  IDLE,  BOUND,  LISTEN,  ESTABLISHED,
                SYN_SENT, SYN_RCDV, ESTABLISHED, CLOSE_WAIT, FIN_WAIT1, CLOSING, LAST_ACK, FIN_WAIT_2, and TIME_WAIT.  Two common UDP state names are Unbound and Idle.
                See the lsof FAQ (The FAQ section gives its location.)  for more information on how to use protocol state exclusion and inclusion, including examples.
                The  -o  (without a following decimal digit count) and -s option (without a following protocol and state name list) are mutually exclusive; they can't both be specified.
                When neither is specified, lsof displays whatever value - size or offset - is appropriate and available for the type of file.
                Since some types of files don't have true sizes - sockets, FIFOs, pipes, etc. - lsof displays for their sizes the content amounts in their associated kernel buffers,  if
                possible.
       -S [t]   specifies  an  optional  time-out seconds value for kernel functions - lstat(2), readlink(2), and stat(2) - that might otherwise deadlock.  The minimum for t is two; the
                default, fifteen; when no value is specified, the default is used.
                See the BLOCKS AND TIMEOUTS section for more information.
       -T [t]   controls the reporting of some TCP/TPI information, also reported by netstat(1), following the network addresses.  In normal output the information appears in  parenthe‐
                ses, each item except TCP or TPI state name identified by a keyword, followed by `=', separated from others by a single space:
                     <TCP or TPI state name>
                     QR=<read queue length>
                     QS=<send queue length>
                     SO=<socket options and values>
                     SS=<socket states>
                     TF=<TCP flags and values>
                     WR=<window read length>
                     WW=<window write length>
                Not all values are reported for all UNIX dialects.  Items values (when available) are reported after the item name and '='.
                When the field output mode is in effect (See OUTPUT FOR OTHER PROGRAMS.)  each item appears as a field with a `T' leading character.
                -T with no following key characters disables TCP/TPI information reporting.
                -T with following characters selects the reporting of specific TCP/TPI information:
                     f    selects reporting of socket options,
                          states and values, and TCP flags and
                          values.
                     q    selects queue length reporting.
                     s    selects connection state reporting.
                     w    selects window size reporting.
                Not  all  selections are enabled for some UNIX dialects.  State may be selected for all dialects and is reported by default.  The -h or -?  help output for the -T option
                will show what selections may be used with the UNIX dialect.
                When -T is used to select information - i.e., it is followed by one or more selection characters - the displaying of state is disabled by default, and it must be explic‐
                itly selected again in the characters following -T.  (In effect, then, the default is equivalent to -Ts.)  For example, if queue lengths and state are desired, use -Tqs.
                Socket  options,  socket  states, some socket values, TCP flags and one TCP value may be reported (when available in the UNIX dialect) in the form of the names that com‐
                monly appear after SO_, so_, SS_, TCP_  and TF_ in the dialect's header files - most often <sys/socket.h>,  <sys/socketvar.h>  and  <netinet/tcp_var.h>.   Consult  those
                header files for the meaning of the flags, options, states and values.
                ``SO='' precedes socket options and values; ``SS='', socket states; and ``TF='', TCP flags and values.
                If  a  flag  or option has a value, the value will follow an '=' and the name -- e.g., ``SO=LINGER=5'', ``SO=QLIM=5'', ``TF=MSS=512''.  The following seven values may be
                reported:
                     Name
                     Reported  Description (Common Symbol)
                     KEEPALIVE keep alive time (SO_KEEPALIVE)
                     LINGER    linger time (SO_LINGER)
                     MSS       maximum segment size (TCP_MAXSEG)
                     PQLEN          partial listen queue connections
                     QLEN      established listen queue connections
                     QLIM      established listen queue limit
                     RCVBUF    receive buffer length (SO_RCVBUF)
                     SNDBUF    send buffer length (SO_SNDBUF)
                Details on what socket options and values, socket states, and TCP flags and values may be displayed for particular UNIX dialects may be found in the answer to the  ``Why
                doesn't lsof report socket options, socket states, and TCP flags and values for my dialect?'' and ``Why doesn't lsof report the partial listen queue connection count for
                my dialect?''  questions in the lsof FAQ (The FAQ section gives its location.)
       -t       specifies that lsof should produce terse output with process identifiers only and no header - e.g., so that the output may be piped to kill(1).  -t selects  the  -w  op‐
                tion.
       -u s     selects  the  listing  of files for the user whose login names or user ID numbers are in the comma-separated set s - e.g., ``abe'', or ``548,root''.  (There should be no
                spaces in the set.)
                Multiple login names or user ID numbers are joined in a single ORed set before participating in AND option selection.
                If a login name or user ID is preceded by a `^', it becomes a negation - i.e., files of processes owned by the login name or user ID will never be listed.  A negated lo‐
                gin name or user ID selection is neither ANDed nor ORed with other selections; it is applied before all other selections and absolutely excludes the listing of the files
                of the process.  For example, to direct lsof to exclude the listing of files belonging to root processes, specify ``-u^root'' or ``-u^0''.
       -U       selects the listing of UNIX domain socket files.
       -v       selects the listing of lsof version information, including: revision number; when the lsof binary was constructed; who constructed the binary and where; the name of  the
                compiler  used  to construct the lsof binary; the version number of the compiler when readily available; the compiler and loader flags used to construct the lsof binary;
                and system information, typically the output of uname's -a option.
       -V       directs lsof to indicate the items it was asked to list and failed to find - command names, file names, Internet addresses or files, login names, NFS files, PIDs, PGIDs,
                and UIDs.
                When other options are ANDed to search options, or compile-time options restrict the listing of some files, lsof may not report that it failed to find a search item when
                an ANDed option or compile-time option prevents the listing of the open file containing the located search item.
                For example, ``lsof -V [email protected] -a -d 999'' may not report a failure to locate open files at ``[email protected]'' and may not list any, if none have a file descriptor num‐
                ber of 999.  A similar situation arises when HASSECURITY and HASNOSOCKSECURITY are defined at compile time and they prevent the listing of open files.
       +|-w     Enables (+) or disables (-) the suppression of warning messages.
                The  lsof  builder may choose to have warning messages disabled or enabled by default.  The default warning message state is indicated in the output of the -h or -?  op‐
                tion.  Disabling warning messages when they are already disabled or enabling them when already enabled is acceptable.
                The -t option selects the -w option.
       -x [fl]  may accompany the +d and +D options to direct their processing to cross over symbolic links and|or file system mount points encountered when scanning the directory  (+d)
                or directory tree (+D).
                If  -x  is specified by itself without a following parameter, cross-over processing of both symbolic links and file system mount points is enabled.  Note that when -x is
                specified without a parameter, the next argument must begin with '-' or '+'.
                The optional 'f' parameter enables file system mount point cross-over processing; 'l', symbolic link cross-over processing.
                The -x option may not be supplied without also supplying a +d or +D option.
       -X       This is a dialect-specific option.
           AIX:
                This IBM AIX RISC/System 6000 option requests the reporting of executed text file and shared library references.
                WARNING: because this option uses the kernel readx() function, its use on a busy AIX system might cause an application process to hang so completely that it can  neither
                be killed nor stopped.  I have never seen this happen or had a report of its happening, but I think there is a remote possibility it could happen.
                By default use of readx() is disabled.  On AIX 5L and above lsof may need setuid-root permission to perform the actions this option requests.
                The  lsof builder may specify that the -X option be restricted to processes whose real UID is root.  If that has been done, the -X option will not appear in the -h or -?
                help output unless the real UID of the lsof process is root.  The default lsof distribution allows any UID to specify -X, so by default it will appear in the  help  out‐
                put.
                When  AIX  readx()  use is disabled, lsof may not be able to report information for all text and loader file references, but it may also avoid exacerbating an AIX kernel
                directory search kernel error, known as the Stale Segment ID bug.
                The readx() function, used by lsof or any other program to access some sections of kernel virtual memory, can trigger the Stale Segment ID bug.  It can  cause  the  ker‐
                nel's dir_search() function to believe erroneously that part of an in-memory copy of a file system directory has been zeroed.  Another application process, distinct from
                lsof, asking the kernel to search the directory - e.g., by using open(2) - can cause dir_search() to loop forever, thus hanging the application process.
                Consult the lsof FAQ (The FAQ section gives its location.)  and the 00README file of the lsof distribution for a more complete description of the Stale Segment  ID  bug,
                its APAR, and methods for defining readx() use when compiling lsof.
           Linux:
                This Linux option requests that lsof skip the reporting of information on all open TCP, UDP and UDPLITE IPv4 and IPv6 files.
                This  Linux  option  is  most  useful  when  the  system  has  an  extremely  large number of open TCP, UDP and UDPLITE files, the processing of whose information in the
                /proc/net/tcp* and /proc/net/udp* files would take lsof a long time, and whose reporting is not of interest.
                Use this option with care and only when you are sure that the information you want lsof to display isn't associated with open TCP, UDP or UDPLITE socket files.
           Solaris 10 and above:
                This Solaris 10 and above option requests the reporting of cached paths for files that have been deleted - i.e., removed with rm(1) or unlink(2).
                The cached path is followed by the string `` (deleted)'' to indicate that the path by which the file was opened has been deleted.
                Because intervening changes made to the path - i.e., renames with mv(1) or rename(2) - are not recorded in the cached path, what lsof reports is only the path  by  which
                the file was opened, not its possibly different final path.
       -z [z]   specifies how Solaris 10 and higher zone information is to be handled.
                Without a following argument - e.g., NO z - the option specifies that zone names are to be listed in the ZONE output column.
                The  -z  option  may be followed by a zone name, z.  That causes lsof to list only open files for processes in that zone.  Multiple -z z option and argument pairs may be
                specified to form a list of named zones.  Any open file of any process in any of the zones will be listed, subject to other conditions specified by other options and ar‐
                guments.
       -Z [Z]   specifies how SELinux security contexts are to be handled.  It and 'Z' field output character support are inhibited when SELinux is disabled in the running Linux kernel.
                See OUTPUT FOR OTHER PROGRAMS for more information on the 'Z' field output character.
                Without a following argument - e.g., NO Z - the option specifies that security contexts are to be listed in the SECURITY-CONTEXT output column.
                The -Z option may be followed by a wildcard security context name, Z.  That causes lsof to list only open files for processes in that security context.   Multiple  -Z  Z
                option  and argument pairs may be specified to form a list of security contexts.  Any open file of any process in any of the security contexts will be listed, subject to
                other conditions specified by other options and arguments.  Note that Z can be A:B:C or *:B:C or A:B:* or *:*:C to match against the A:B:C context.
       --       The double minus sign option is a marker that signals the end of the keyed options.  It may be used, for example, when the first file name begins with a minus sign.   It
                may  also be used when the absence of a value for the last keyed option must be signified by the presence of a minus sign in the following option and before the start of
                the file names.
       names    These are path names of specific files to list.  Symbolic links are resolved before use.  The first name may be separated from the preceding options with the ``--''  op‐
                tion.
                If  a  name is the mounted-on directory of a file system or the device of the file system, lsof will list all the files open on the file system.  To be considered a file
                system, the name must match a mounted-on directory name in mount(8) output, or match the name of a block device associated with a mounted-on directory  name.   The  +|-f
                option may be used to force lsof to consider a name a file system identifier (+f) or a simple file (-f).
                If  name  is a path to a directory that is not the mounted-on directory name of a file system, it is treated just as a regular file is treated - i.e., its listing is re‐
                stricted to processes that have it open as a file or as a process-specific directory, such as the root or current working directory.  To request that lsof look for  open
                files inside a directory name, use the +d s and +D D options.
                If  a name is the base name of a family of multiplexed files - e.g, AIX's /dev/pt[cs] - lsof will list all the associated multiplexed files on the device that are open -
                e.g., /dev/pt[cs]/1, /dev/pt[cs]/2, etc.
                If a name is a UNIX domain socket name, lsof will usually search for it by the characters of the name alone - exactly as it is specified and is recorded  in  the  kernel
                socket  structure.  (See the next paragraph for an exception to that rule for Linux.)  Specifying a relative path - e.g., ./file - in place of the file's absolute path -
                e.g., /tmp/file - won't work because lsof must match the characters you specify with what it finds in the kernel UNIX domain socket structures.
                If a name is a Linux UNIX domain socket name, in one case lsof is able to search for it by its device and inode number, allowing name to be a relative  path.   The  case
                requires that the absolute path -- i.e., one beginning with a slash ('/') be used by the process that created the socket, and hence be stored in the /proc/net/unix file;
                and it requires that lsof be able to obtain the device and node numbers of both the absolute path in /proc/net/unix and name via successful stat(2) system  calls.   When
                those  conditions  are  met,  lsof  will  be  able  to search for the UNIX domain socket when some path to it is is specified in name.  Thus, for example, if the path is
                /dev/log, and an lsof search is initiated when the working directory is /dev, then name could be ./log.
                If a name is none of the above, lsof will list any open files whose device and inode match that of the specified path name.
                If you have also specified the -b option, the only names you may safely specify are file systems for which your mount table supplies alternate device numbers.   See  the
                AVOIDING KERNEL BLOCKS and ALTERNATE DEVICE NUMBERS sections for more information.
                Multiple file names are joined in a single ORed set before participating in AND option selection.
AFS
       Lsof supports the recognition of AFS files for these dialects (and AFS versions):
            AIX 4.1.4 (AFS 3.4a)
            HP-UX 9.0.5 (AFS 3.4a)
            Linux 1.2.13 (AFS 3.3)
            Solaris 2.[56] (AFS 3.4a)
       It  may  recognize  AFS  files on other versions of these dialects, but has not been tested there.  Depending on how AFS is implemented, lsof may recognize AFS files in other di‐
       alects, or may have difficulties recognizing AFS files in the supported dialects.
       Lsof may have trouble identifying all aspects of AFS files in supported dialects when AFS kernel support is implemented via dynamic modules whose addresses do not appear  in  the
       kernel's variable name list.  In that case, lsof may have to guess at the identity of AFS files, and might not be able to obtain volume information from the kernel that is needed
       for calculating AFS volume node numbers.  When lsof can't compute volume node numbers, it reports blank in the NODE column.
       The -A A option is available in some dialect implementations of lsof for specifying the name list file where dynamic module kernel addresses may be found.  When  this  option  is
       available, it will be listed in the lsof help output, presented in response to the -h or -?
       See the lsof FAQ (The FAQ section gives its location.)  for more information about dynamic modules, their symbols, and how they affect lsof options.
       Because AFS path lookups don't seem to participate in the kernel's name cache operations, lsof can't identify path name components for AFS files.
SECURITY
       Lsof  has  three  features  that  may cause security concerns.  First, its default compilation mode allows anyone to list all open files with it.  Second, by default it creates a
       user-readable and user-writable device cache file in the home directory of the real user ID that executes lsof.  (The list-all-open-files and device cache features  may  be  dis‐
       abled when lsof is compiled.)  Third, its -k and -m options name alternate kernel name list or memory files.
       Restricting the listing of all open files is controlled by the compile-time HASSECURITY and HASNOSOCKSECURITY options.  When HASSECURITY is defined, lsof will allow only the root
       user to list all open files.  The non-root user may list only open files of processes with the same user IDentification number as the real user ID number of the lsof process (the
       one that its user logged on with).
       However, if HASSECURITY and HASNOSOCKSECURITY are both defined, anyone may list open socket files, provided they are selected with the -i option.
       When HASSECURITY is not defined, anyone may list all open files.
       Help output, presented in response to the -h or -?  option, gives the status of the HASSECURITY and HASNOSOCKSECURITY definitions.
       See the Security section of the 00README file of the lsof distribution for information on building lsof with the HASSECURITY and HASNOSOCKSECURITY options enabled.
       Creation  and  use  of a user-readable and user-writable device cache file is controlled by the compile-time HASDCACHE option.  See the DEVICE CACHE FILE section and the sections
       that follow it for details on how its path is formed.  For security considerations it is important to note that in the default lsof distribution, if the real user ID under  which
       lsof  is  executed  is  root, the device cache file will be written in root's home directory - e.g., / or /root.  When HASDCACHE is not defined, lsof does not write or attempt to
       read a device cache file.
       When HASDCACHE is defined, the lsof help output, presented in response to the -h, -D?, or -?  options, will provide device cache file handling information.  When HASDCACHE is not
       defined, the -h or -?  output will have no -D option description.
       Before  you decide to disable the device cache file feature - enabling it improves the performance of lsof by reducing the startup overhead of examining all the nodes in /dev (or
       /devices) - read the discussion of it in the 00DCACHE file of the lsof distribution and the lsof FAQ (The FAQ section gives its location.)
       WHEN IN DOUBT, YOU CAN TEMPORARILY DISABLE THE USE OF THE DEVICE CACHE FILE WITH THE -Di OPTION.
       When lsof user declares alternate kernel name list or memory files with the -k and -m options, lsof checks the user's authority to read them with access(2).  This is intended  to
       prevent whatever special power lsof's modes might confer on it from letting it read files not normally accessible via the authority of the real user ID.
OUTPUT
       This section describes the information lsof lists for each open file.  See the OUTPUT FOR OTHER PROGRAMS section for additional information on output that can be processed by an‐
       other program.
       Lsof only outputs printable (declared so by isprint(3)) 8 bit characters.  Non-printable characters are printed in one of three forms: the C ``\[bfrnt]'' form; the control  char‐
       acter `^' form (e.g., ``^@''); or hexadecimal leading ``\x'' form (e.g., ``\xab'').  Space is non-printable in the COMMAND column (``\x20'') and printable elsewhere.
       For some dialects - if HASSETLOCALE is defined in the dialect's machine.h header file - lsof will print the extended 8 bit characters of a language locale.  The lsof process must
       be supplied a language locale environment variable (e.g., LANG) whose value represents a known language locale in which the extended characters are considered  printable  by  is‐
       print(3).   Otherwise  lsof  considers  the extended characters non-printable and prints them according to its rules for non-printable characters, stated above.  Consult your di‐
       alect's setlocale(3) man page for the names of other environment variables that may be used in place of LANG - e.g., LC_ALL, LC_CTYPE, etc.
       Lsof's language locale support for a dialect also covers wide characters - e.g., UTF-8 - when HASSETLOCALE and HASWIDECHAR are defined in the dialect's machine.h header file, and
       when  a  suitable  language  locale  has  been defined in the appropriate environment variable for the lsof process.  Wide characters are printable under those conditions if isw‐
       print(3) reports them to be.  If HASSETLOCALE, HASWIDECHAR and a suitable language locale aren't defined, or if iswprint(3) reports wide characters that  aren't  printable,  lsof
       considers the wide characters non-printable and prints each of their 8 bits according to its rules for non-printable characters, stated above.
       Consult the answers to the "Language locale support" questions in the lsof FAQ (The FAQ section gives its location.) for more information.
       Lsof dynamically sizes the output columns each time it runs, guaranteeing that each column is a minimum size.  It also guarantees that each column is separated from its predeces‐
       sor by at least one space.
       COMMAND    contains the first nine characters of the name of the UNIX command associated with the process.  If a non-zero w value is specified to the +c w option, the column con‐
                  tains  the first w characters of the name of the UNIX command associated with the process up to the limit of characters supplied to lsof by the UNIX dialect.  (See the
                  description of the +c w command or the lsof FAQ for more information.  The FAQ section gives its location.)
                  If w is less than the length of the column title, ``COMMAND'', it will be raised to that length.
                  If a zero w value is specified to the +c w option, the column contains all the characters of the name of the UNIX command associated with the process.
                  All command name characters maintained by the kernel in its structures are displayed in field output when the command name descriptor (`c') is specified.  See the OUT‐
                  PUT FOR OTHER COMMANDS section for information on selecting field output and the associated command name descriptor.
       PID        is the Process IDentification number of the process.
       TID        is  the  task  (thread) IDentification number, if task (thread) reporting is supported by the dialect and a task (thread) is being listed.  (If help output - i.e., the
                  output of the -h or -?  options - shows this option, then task (thread) reporting is supported by the dialect.)
                  A blank TID column in Linux indicates a process - i.e., a non-task.
       TASKCMD    is the task command name.  Generally this will be the same as the process named in the COMMAND column, but some task implementations (e.g., Linux)  permit  a  task  to
                  change its command name.
                  The TASKCMD column width is subject to the same size limitation as the COMMAND column.
       ZONE       is the Solaris 10 and higher zone name.  This column must be selected with the -z option.
       SECURITY-CONTEXT
                  is  the SELinux security context.  This column must be selected with the -Z option.  Note that the -Z option is inhibited when SELinux is disabled in the running Linux
                  kernel.
       PPID       is the Parent Process IDentification number of the process.  It is only displayed when the -R option has been specified.
       PGID       is the process group IDentification number associated with the process.  It is only displayed when the -g option has been specified.
       USER       is the user ID number or login name of the user to whom the process belongs, usually the same as reported by ps(1).  However, on Linux USER is the user  ID  number  or
                  login  that  owns  the  directory  in  /proc where lsof finds information about the process.  Usually that is the same value reported by ps(1), but may differ when the
                  process has changed its effective user ID.  (See the -l option description for information on when a user ID number or login name is displayed.)
       FD         is the File Descriptor number of the file or:
                       cwd  current working directory;
                       Lnn  library references (AIX);
                       err  FD information error (see NAME column);
                       jld  jail directory (FreeBSD);
                       ltx  shared library text (code and data);
                       Mxx  hex memory-mapped type number xx.
                       m86  DOS Merge mapped file;
                       mem  memory-mapped file;
                       mmap memory-mapped device;
                       pd   parent directory;
                       rtd  root directory;
                       tr   kernel trace file (OpenBSD);
                       txt  program text (code and data);
                       v86  VP/ix mapped file;
                  FD is followed by one of these characters, describing the mode under which the file is open:
                       r for read access;
                       w for write access;
                       u for read and write access;
                       space if mode unknown and no lock
                            character follows;
                       `-' if mode unknown and lock
                            character follows.
                  The mode character is followed by one of these lock characters, describing the type of lock applied to the file:
                       N for a Solaris NFS lock of unknown type;
                       r for read lock on part of the file;
                       R for a read lock on the entire file;
                       w for a write lock on part of the file;
                       W for a write lock on the entire file;
                       u for a read and write lock of any length;
                       U for a lock of unknown type;
                       x for an SCO OpenServer Xenix lock on part      of the file;
                       X for an SCO OpenServer Xenix lock on the entire file;
                       space if there is no lock.
                  See the LOCKS section for more information on the lock information character.
                  The FD column contents constitutes a single field for parsing in post-processing scripts.
       TYPE       is the type of the node associated with the file - e.g., GDIR, GREG, VDIR, VREG, etc.
                  or ``IPv4'' for an IPv4 socket;
                  or ``IPv6'' for an open IPv6 network file - even if its address is IPv4, mapped in an IPv6 address;
                  or ``ax25'' for a Linux AX.25 socket;
                  or ``inet'' for an Internet domain socket;
                  or ``lla'' for a HP-UX link level access file;
                  or ``rte'' for an AF_ROUTE socket;
                  or ``sock'' for a socket of unknown domain;
                  or ``unix'' for a UNIX domain socket;
                  or ``x.25'' for an HP-UX x.25 socket;
                  or ``BLK'' for a block special file;
                  or ``CHR'' for a character special file;
                  or ``DEL'' for a Linux map file that has been deleted;
                  or ``DIR'' for a directory;
                  or ``DOOR'' for a VDOOR file;
                  or ``FIFO'' for a FIFO special file;
                  or ``KQUEUE'' for a BSD style kernel event queue file;
                  or ``LINK'' for a symbolic link file;
                  or ``MPB'' for a multiplexed block file;
                  or ``MPC'' for a multiplexed character file;
                  or ``NOFD'' for a Linux /proc/<PID>/fd directory that can't be opened -- the directory path appears in the NAME column, followed by an error message;
                  or ``PAS'' for a /proc/as file;
                  or ``PAXV'' for a /proc/auxv file;
                  or ``PCRE'' for a /proc/cred file;
                  or ``PCTL'' for a /proc control file;
                  or ``PCUR'' for the current /proc process;
                  or ``PCWD'' for a /proc current working directory;
                  or ``PDIR'' for a /proc directory;
                  or ``PETY'' for a /proc executable type (etype);
                  or ``PFD'' for a /proc file descriptor;
                  or ``PFDR'' for a /proc file descriptor directory;
                  or ``PFIL'' for an executable /proc file;
                  or ``PFPR'' for a /proc FP register set;
                  or ``PGD'' for a /proc/pagedata file;
                  or ``PGID'' for a /proc group notifier file;
                  or ``PIPE'' for pipes;
                  or ``PLC'' for a /proc/lwpctl file;
                  or ``PLDR'' for a /proc/lpw directory;
                  or ``PLDT'' for a /proc/ldt file;
                  or ``PLPI'' for a /proc/lpsinfo file;
                  or ``PLST'' for a /proc/lstatus file;
                  or ``PLU'' for a /proc/lusage file;
                  or ``PLWG'' for a /proc/gwindows file;
                  or ``PLWI'' for a /proc/lwpsinfo file;
                  or ``PLWS'' for a /proc/lwpstatus file;
                  or ``PLWU'' for a /proc/lwpusage file;
                  or ``PLWX'' for a /proc/xregs file;
                  or ``PMAP'' for a /proc map file (map);
                  or ``PMEM'' for a /proc memory image file;
                  or ``PNTF'' for a /proc process notifier file;
                  or ``POBJ'' for a /proc/object file;
                  or ``PODR'' for a /proc/object directory;
                  or ``POLP'' for an old format /proc light weight process file;
                  or ``POPF'' for an old format /proc PID file;
                  or ``POPG'' for an old format /proc page data file;
                  or ``PORT'' for a SYSV named pipe;
                  or ``PREG'' for a /proc register file;
                  or ``PRMP'' for a /proc/rmap file;
                  or ``PRTD'' for a /proc root directory;
                  or ``PSGA'' for a /proc/sigact file;
                  or ``PSIN'' for a /proc/psinfo file;
                  or ``PSTA'' for a /proc status file;
                  or ``PSXSEM'' for a POSIX semaphore file;
                  or ``PSXSHM'' for a POSIX shared memory file;
                  or ``PTS'' for a /dev/pts file;
                  or ``PUSG'' for a /proc/usage file;
                  or ``PW'' for a /proc/watch file;
                  or ``PXMP'' for a /proc/xmap file;
                  or ``REG'' for a regular file;
                  or ``SMT'' for a shared memory transport file;
                  or ``STSO'' for a stream socket;
                  or ``UNNM'' for an unnamed type file;
                  or ``XNAM'' for an OpenServer Xenix special file of unknown type;
                  or ``XSEM'' for an OpenServer Xenix semaphore file;
                  or ``XSD'' for an OpenServer Xenix shared data file;
                  or the four type number octets if the corresponding name isn't known.
       FILE-ADDR  contains the kernel file structure address when f has been specified to +f;
       FCT        contains the file reference count from the kernel file structure when c has been specified to +f;
       FILE-FLAG  when g or G has been specified to +f, this field contains the contents of the f_flag[s] member of the kernel file structure and  the  kernel's  per-process  open  file
                  flags  (if available); `G' causes them to be displayed in hexadecimal; `g', as short-hand names; two lists may be displayed with entries separated by commas, the lists
                  separated by a semicolon (`;'); the first list may contain short-hand names for f_flag[s] values from the following table:
                       AIO       asynchronous I/O (e.g., FAIO)
                       AP        append
                       ASYN      asynchronous I/O (e.g., FASYNC)
                       BAS       block, test, and set in use
                       BKIU      block if in use
                       BL        use block offsets
                       BSK       block seek
                       CA        copy avoid
                       CIO       concurrent I/O
                       CLON      clone
                       CLRD      CL read
                       CR        create
                       DF        defer
                       DFI       defer IND
                       DFLU      data flush
                       DIR       direct
                       DLY       delay
                       DOCL      do clone
                       DSYN      data-only integrity
                       DTY       must be a directory
                       EVO       event only
                       EX        open for exec
                       EXCL      exclusive open
                       FSYN      synchronous writes
                       GCDF      defer during unp_gc() (AIX)
                       GCMK      mark during unp_gc() (AIX)
                       GTTY      accessed via /dev/tty
                       HUP       HUP in progress
                       KERN      kernel
                       KIOC      kernel-issued ioctl
                       LCK       has lock
                       LG        large file
                       MBLK      stream message block
                       MK        mark
                       MNT       mount
                       MSYN      multiplex synchronization
                       NATM      don't update atime
                       NB        non-blocking I/O
                       NBDR      no BDRM check
                       NBIO      SYSV non-blocking I/O
                       NBF       n-buffering in effect
                       NC        no cache
                       ND        no delay
                       NDSY      no data synchronization
                       NET       network
                       NFLK      don't follow links
                       NMFS      NM file system
                       NOTO      disable background stop
                       NSH       no share
                       NTTY      no controlling TTY
                       OLRM      OLR mirror
                       PAIO      POSIX asynchronous I/O
                       PP        POSIX pipe
                       R         read
                       RC        file and record locking cache
                       REV       revoked
                       RSH       shared read
                       RSYN      read synchronization
                       RW        read and write access
                       SL        shared lock
                       SNAP      cooked snapshot
                       SOCK      socket
                       SQSH      Sequent shared set on open
                       SQSV      Sequent SVM set on open
                       SQR       Sequent set repair on open
                       SQS1      Sequent full shared open
                       SQS2      Sequent partial shared open
                       STPI      stop I/O
                       SWR       synchronous read
                       SYN       file integrity while writing
                       TCPM      avoid TCP collision
                       TR        truncate
                       W         write
                       WKUP      parallel I/O synchronization
                       WTG       parallel I/O synchronization
                       VH        vhangup pending
                       VTXT      virtual text
                       XL        exclusive lock
                  this list of names was derived from F* #define's in dialect header files <fcntl.h>, <linux</fs.h>, <sys/fcntl.c>, <sys/fcntlcom.h>, and <sys/file.h>;  see  the  lsof.h
                  header file for a list showing the correspondence between the above short-hand names and the header file definitions;
                  the second list (after the semicolon) may contain short-hand names for kernel per-process open file flags from this table:
                       ALLC      allocated
                       BR        the file has been read
                       BHUP      activity stopped by SIGHUP
                       BW        the file has been written
                       CLSG      closing
                       CX        close-on-exec (see fcntl(F_SETFD))
                       LCK       lock was applied
                       MP        memory-mapped
                       OPIP      open pending - in progress
                       RSVW      reserved wait
                       SHMT      UF_FSHMAT set (AIX)
                       USE       in use (multi-threaded)
       NODE-ID    (or  INODE-ADDR  for some dialects) contains a unique identifier for the file node (usually the kernel vnode or inode address, but also occasionally a concatenation of
                  device and node number) when n has been specified to +f;
       DEVICE     contains the device numbers, separated by commas, for a character special, block special, regular, directory or NFS file;
                  or ``memory'' for a memory file system node under Tru64 UNIX;
                  or the address of the private data area of a Solaris socket stream;
                  or a kernel reference address that identifies the file (The kernel reference address may be used for FIFO's, for example.);
                  or the base address or device name of a Linux AX.25 socket device.
                  Usually only the lower thirty two bits of Tru64 UNIX kernel addresses are displayed.
       SIZE, SIZE/OFF, or OFFSET
                  is the size of the file or the file offset in bytes.  A value is displayed in this column only if it is available.  Lsof displays whatever value - size or offset -  is
                  appropriate for the type of the file and the version of lsof.
                  On  some  UNIX  dialects  lsof  can't  obtain accurate or consistent file offset information from its kernel data sources, sometimes just for particular kinds of files
                  (e.g., socket files.)  In other cases, files don't have true sizes - e.g., sockets, FIFOs, pipes - so lsof displays for their sizes the content  amounts  it  finds  in
                  their  kernel buffer descriptors (e.g., socket buffer size counts or TCP/IP window sizes.)  Consult the lsof FAQ (The FAQ section gives its location.)  for more infor‐
                  mation.
                  The file size is displayed in decimal; the offset is normally displayed in decimal with a leading ``0t'' if it contains 8 digits or less; in hexadecimal with a leading
                  ``0x'' if it is longer than 8 digits.  (Consult the -o o option description for information on when 8 might default to some other value.)
                  Thus the leading ``0t'' and ``0x'' identify an offset when the column may contain both a size and an offset (i.e., its title is SIZE/OFF).
                  If the -o option is specified, lsof always displays the file offset (or nothing if no offset is available) and labels the column OFFSET.  The offset always begins with
                  ``0t'' or ``0x'' as described above.
                  The lsof user can control the switch from ``0t'' to ``0x'' with the -o o option.  Consult its description for more information.
                  If the -s option is specified, lsof always displays the file size (or nothing if no size is available) and labels the column SIZE.  The -o and -s options are  mutually
                  exclusive; they can't both be specified.
                  For files that don't have a fixed size - e.g., don't reside on a disk device - lsof will display appropriate information about the current size or position of the file
                  if it is available in the kernel structures that define the file.
       NLINK      contains the file link count when +L has been specified;
       NODE       is the node number of a local file;
                  or the inode number of an NFS file in the server host;
                  or the Internet protocol type - e.g, ``TCP'';
                  or ``STR'' for a stream;
                  or ``CCITT'' for an HP-UX x.25 socket;
                  or the IRQ or inode number of a Linux AX.25 socket device.
       NAME       is the name of the mount point and file system on which the file resides;
                  or the name of a file specified in the names option (after any symbolic links have been resolved);
                  or the name of a character special or block special device;
                  or the local and remote Internet addresses of a network file; the local host name or IP number is followed by a colon (':'), the port, ``->'', and the two-part  remote
                  address;  IP  addresses  may  be reported as numbers or names, depending on the +|-M, -n, and -P options; colon-separated IPv6 numbers are enclosed in square brackets;
                  IPv4 INADDR_ANY and IPv6 IN6_IS_ADDR_UNSPECIFIED addresses, and zero port numbers are represented by an asterisk ('*'); a UDP destination address may  be  followed  by
                  the amount of time elapsed since the last packet was sent to the destination; TCP, UDP and UDPLITE remote addresses may be followed by TCP/TPI information in parenthe‐
                  ses - state (e.g., ``(ESTABLISHED)'', ``(Unbound)''), queue sizes, and window sizes (not all dialects) - in a fashion similar to what netstat(1) reports;  see  the  -T
                  option description or the description of the TCP/TPI field in OUTPUT FOR OTHER PROGRAMS for more information on state, queue size, and window size;
                  or  the  address  or name of a UNIX domain socket, possibly including a stream clone device name, a file system object's path name, local and foreign kernel addresses,
                  socket pair information, and a bound vnode address;
                  or the local and remote mount point names of an NFS file;
                  or ``STR'', followed by the stream name;
                  or a stream character device name, followed by ``->'' and the stream name or a list of stream module names, separated by ``->'';
                  or ``STR:'' followed by the SCO OpenServer stream device and module names, separated by ``->'';
                  or system directory name, `` -- '', and as many components of the path name as lsof can find in the kernel's name cache for selected  dialects  (See  the  KERNEL  NAME
                  CACHE section for more information.);
                  or ``PIPE->'', followed by a Solaris kernel pipe destination address;
                  or ``COMMON:'', followed by the vnode device information structure's device name, for a Solaris common vnode;
                  or the address family, followed by a slash (`/'), followed by fourteen comma-separated bytes of a non-Internet raw socket address;
                  or the HP-UX x.25 local address, followed by the virtual connection number (if any), followed by the remote address (if any);
                  or ``(dead)'' for disassociated Tru64 UNIX files - typically terminal files that have been flagged with the TIOCNOTTY ioctl and closed by daemons;
                  or ``rd=<offset>'' and ``wr=<offset>'' for the values of the read and write offsets of a FIFO;
                  or ``clone n:/dev/event'' for SCO OpenServer file clones of the /dev/event device, where n is the minor device number of the file;
                  or ``(socketpair: n)'' for a Solaris 2.6, 8, 9  or 10 UNIX domain socket, created by the socketpair(3N) network function;
                  or ``no PCB'' for socket files that do not have a protocol block associated with them, optionally followed by ``, CANTSENDMORE'' if sending on the socket has been dis‐
                  abled, or ``, CANTRCVMORE'' if receiving on the socket has been disabled (e.g., by the shutdown(2) function);
                  or the local and remote addresses of a Linux IPX socket file in the form <net>:[<node>:]<port>, followed in parentheses by the transmit and receive  queue  sizes,  and
                  the connection state;
                  or  ``dgram'' or ``stream'' for the type UnixWare 7.1.1 and above in-kernel UNIX domain sockets, followed by a colon (':') and the local path name when available, fol‐
                  lowed by ``->'' and the remote path name or kernel socket address in hexadecimal when available;
                  or the association value, association index, endpoint value, local address, local port, remote address and remote port for Linux SCTP sockets;
                  or ``protocol: '' followed by the Linux socket's protocol attribute.
       For dialects that support a ``namefs'' file system, allowing one file to be attached to another with fattach(3C), lsof will add  ``(FA:<address1><direction><address2>)''  to  the
       NAME  column.  <address1> and <address2> are hexadecimal vnode addresses.  <direction> will be ``<-'' if <address2> has been fattach'ed to this vnode whose address is <address1>;
       and ``->'' if <address1>, the vnode address of this vnode, has been fattach'ed to <address2>.  <address1> may be omitted if it already appears in the DEVICE column.
       Lsof may add two parenthetical notes to the NAME column for open Solaris 10 files: ``(?)'' if lsof considers the path name of questionable accuracy; and ``(deleted)'' if  the  -X
       option  has been specified and lsof detects the open file's path name has been deleted.  Consult the lsof FAQ (The FAQ section gives its location.)  for more information on these
       NAME column additions.
LOCKS
       Lsof can't adequately report the wide variety of UNIX dialect file locks in a single character.  What it reports in a single character is a compromise between the information  it
       finds in the kernel and the limitations of the reporting format.
       Moreover,  when a process holds several byte level locks on a file, lsof only reports the status of the first lock it encounters.  If it is a byte level lock, then the lock char‐
       acter will be reported in lower case - i.e., `r', `w', or `x' - rather than the upper case equivalent reported for a full file lock.
       Generally lsof can only report on locks held by local processes on local files.  When a local process sets a lock on a remotely mounted (e.g., NFS) file, the remote  server  host
       usually  records the lock state.  One exception is Solaris - at some patch levels of 2.3, and in all versions above 2.4, the Solaris kernel records information on remote locks in
       local structures.
       Lsof has trouble reporting locks for some UNIX dialects.  Consult the BUGS section of this manual page or the lsof FAQ (The FAQ section gives its location.)   for  more  informa‐
       tion.
OUTPUT FOR OTHER PROGRAMS
       When the -F option is specified, lsof produces output that is suitable for processing by another program - e.g, an awk or Perl script, or a C program.
       Each  unit of information is output in a field that is identified with a leading character and terminated by a NL (012) (or a NUL (000) if the 0 (zero) field identifier character
       is specified.)  The data of the field follows immediately after the field identification character and extends to the field terminator.
       It is possible to think of field output as process and file sets.  A process set begins with a field whose identifier is `p' (for process IDentifier (PID)).  It  extends  to  the
       beginning  of  the next PID field or the beginning of the first file set of the process, whichever comes first.  Included in the process set are fields that identify the command,
       the process group IDentification (PGID) number, the task (thread) ID (TID), and the user ID (UID) number or login name.
       A file set begins with a field whose identifier is `f' (for file descriptor).  It is followed by lines that describe the file's access mode, lock state, type, device, size,  off‐
       set, inode, protocol, name and stream module names.  It extends to the beginning of the next file or process set, whichever comes first.
       When the NUL (000) field terminator has been selected with the 0 (zero) field identifier character, lsof ends each process and file set with a NL (012) character.
       Lsof always produces one field, the PID (`p') field.  All other fields may be declared optionally in the field identifier character list that follows the -F option.  When a field
       selection character identifies an item lsof does not normally list - e.g., PPID, selected with -R - specification of the field character - e.g., ``-FR'' - also selects the  list‐
       ing of the item.
       It  is  entirely possible to select a set of fields that cannot easily be parsed - e.g., if the field descriptor field is not selected, it may be difficult to identify file sets.
       To help you avoid this difficulty, lsof supports the -F option; it selects the output of all fields with NL terminators (the -F0 option pair selects the output of all fields with
       NUL terminators).  For compatibility reasons neither -F nor -F0 select the raw device field.
       These are the fields that lsof will produce.  The single character listed first is the field identifier.
            a    file access mode
            c    process command name (all characters from proc or
                 user structure)
            C    file structure share count
            d    file's device character code
            D    file's major/minor device number (0x<hexadecimal>)
            f    file descriptor (always selected)
            F    file structure address (0x<hexadecimal>)
            G    file flaGs (0x<hexadecimal>; names if +fg follows)
            g    process group ID
            i    file's inode number
            K    tasK ID
            k    link count
            l    file's lock status
            L    process login name
            m    marker between repeated output
            M    the task comMand name
            n    file name, comment, Internet address
            N    node identifier (ox<hexadecimal>
            o    file's offset (decimal)
            p    process ID (always selected)
            P    protocol name
            r    raw device number (0x<hexadecimal>)
            R    parent process ID
            s    file's size (decimal)
            S    file's stream identification
            t    file's type
            T    TCP/TPI information, identified by prefixes (the
                 `=' is part of the prefix):
                     QR=<read queue size>
                     QS=<send queue size>
                     SO=<socket options and values> (not all dialects)
                     SS=<socket states> (not all dialects)
                     ST=<connection state>
                     TF=<TCP flags and values> (not all dialects)
                     WR=<window read size>  (not all dialects)
                     WW=<window write size>  (not all dialects)
                 (TCP/TPI information isn't reported for all supported
                   UNIX dialects. The -h or -? help output for the
                   -T option will show what TCP/TPI reporting can be
                   requested.)
            u    process user ID
            z    Solaris 10 and higher zone name
            Z    SELinux security context (inhibited when SELinux is disabled)
            0    use NUL field terminator character in place of NL
            1-9  dialect-specific field identifiers (The output
                 of -F? identifies the information to be found
                 in dialect-specific fields.)
       You  can  get  on-line  help information on these characters and their descriptions by specifying the -F?  option pair.  (Escape the `?' character as your shell requires.)  Addi‐
       tional information on field content can be found in the OUTPUT section.
       As an example, ``-F pcfn'' will select the process ID (`p'), command name (`c'), file descriptor (`f') and file name (`n') fields with an  NL  field  terminator  character;  ``-F
       pcfn0'' selects the same output with a NUL (000) field terminator character.
       Lsof doesn't produce all fields for every process or file set, only those that are available.  Some fields are mutually exclusive: file device characters and file major/minor de‐
       vice numbers; file inode number and protocol name; file name and stream identification; file size and offset.  One or the other member of these mutually exclusive sets  will  ap‐
       pear in field output, but not both.
       Normally lsof ends each field with a NL (012) character.  The 0 (zero) field identifier character may be specified to change the field terminator character to a NUL (000).  A NUL
       terminator may be easier to process with xargs (1), for example, or with programs whose quoting mechanisms may not easily cope with the range of characters in the  field  output.
       When the NUL field terminator is in use, lsof ends each process and file set with a NL (012).
       Three aids to producing programs that can process lsof field output are included in the lsof distribution.  The first is a C header file, lsof_fields.h, that contains symbols for
       the field identification characters, indexes for storing them in a table, and explanation strings that may be compiled into programs.  Lsof uses this header file.
       The second aid is a set of sample scripts that process field output, written in awk, Perl 4, and Perl 5.  They're located in the scripts subdirectory of the lsof distribution.
       The third aid is the C library used for the lsof test suite.  The test suite is written in C and uses field output to validate the correct operation of lsof.  The library can  be
       found in the tests/LTlib.c file of the lsof distribution.  The library uses the first aid, the lsof_fields.h header file.
BLOCKS AND TIMEOUTS
       Lsof  can  be  blocked  by  some kernel functions that it uses - lstat(2), readlink(2), and stat(2).  These functions are stalled in the kernel, for example, when the hosts where
       mounted NFS file systems reside become inaccessible.
       Lsof attempts to break these blocks with timers and child processes, but the techniques are not wholly reliable.  When lsof does manage to break a block, it will report the break
       with an error message.  The messages may be suppressed with the -t and -w options.
       The  default timeout value may be displayed with the -h or -?  option, and it may be changed with the -S [t] option.  The minimum for t is two seconds, but you should avoid small
       values, since slow system responsiveness can cause short timeouts to expire unexpectedly and perhaps stop lsof before it can produce any output.
       When lsof has to break a block during its access of mounted file system information, it normally continues, although with less information available to display about open files.
       Lsof can also be directed to avoid the protection of timers and child processes when using the kernel functions that might block by specifying the -O option.  While this will al‐
       low lsof to start up with less overhead, it exposes lsof completely to the kernel situations that might block it.  Use this option cautiously.
AVOIDING KERNEL BLOCKS
       You can use the -b option to tell lsof to avoid using kernel functions that would block.  Some cautions apply.
       First,  using  this  option usually requires that your system supply alternate device numbers in place of the device numbers that lsof would normally obtain with the lstat(2) and
       stat(2) kernel functions.  See the ALTERNATE DEVICE NUMBERS section for more information on alternate device numbers.
       Second, you can't specify names for lsof to locate unless they're file system names.  This is because lsof needs to know the device and inode numbers of files listed  with  names
       in  the lsof options, and the -b option prevents lsof from obtaining them.  Moreover, since lsof only has device numbers for the file systems that have alternates, its ability to
       locate files on file systems depends completely on the availability and accuracy of the alternates.  If no alternates are available, or if they're incorrect, lsof won't  be  able
       to locate files on the named file systems.
       Third, if the names of your file system directories that lsof obtains from your system's mount table are symbolic links, lsof won't be able to resolve the links.  This is because
       the -b option causes lsof to avoid the kernel readlink(2) function it uses to resolve symbolic links.
       Finally, using the -b option causes lsof to issue warning messages when it needs to use the kernel functions that the -b option directs it to avoid.  You can suppress these  mes‐
       sages by specifying the -w option, but if you do, you won't see the alternate device numbers reported in the warning messages.
ALTERNATE DEVICE NUMBERS
       On some dialects, when lsof has to break a block because it can't get information about a mounted file system via the lstat(2) and stat(2) kernel functions, or because you speci‐
       fied the -b option, lsof can obtain some of the information it needs - the device number and possibly the file system type - from the system mount table.  When that is  possible,
       lsof will report the device number it obtained.  (You can suppress the report by specifying the -w option.)
       You  can assist this process if your mount table is supported with an /etc/mtab or /etc/mnttab file that contains an options field by adding a ``dev=xxxx'' field for mount points
       that do not have one in their options strings.  Note: you must be able to edit the file - i.e., some mount tables like  recent  Solaris  /etc/mnttab  or  Linux  /proc/mounts  are
       read-only and can't be modified.
       You  may also be able to supply device numbers using the +m and +m m options, provided they are supported by your dialect.  Check the output of lsof's -h or -?  options to see if
       the +m and +m m options are available.
       The ``xxxx'' portion of the field is the hexadecimal value of the file system's device number.  (Consult the st_dev field of the output of the lstat(2) and stat(2) functions  for
       the appropriate values for your file systems.)  Here's an example from a Sun Solaris 2.6 /etc/mnttab for a file system remotely mounted via NFS:
            nfs  ignore,noquota,dev=2a40001
       There's  an advantage to having ``dev=xxxx'' entries in your mount table file, especially for file systems that are mounted from remote NFS servers.  When a remote server crashes
       and you want to identify its users by running lsof on one of its clients, lsof probably won't be able to get output from the lstat(2) and stat(2) functions for the  file  system.
       If it can obtain the file system's device number from the mount table, it will be able to display the files open on the crashed NFS server.
       Some  dialects that do not use an ASCII /etc/mtab or /etc/mnttab file for the mount table may still provide an alternative device number in their internal mount tables.  This in‐
       cludes AIX, Apple Darwin, FreeBSD, NetBSD, OpenBSD, and Tru64 UNIX.  Lsof knows how to obtain the alternative device number for these dialects and uses it  when  its  attempt  to
       lstat(2) or stat(2) the file system is blocked.
       If  you're not sure your dialect supplies alternate device numbers for file systems from its mount table, use this lsof incantation to see if it reports any alternate device num‐
       bers:
              lsof -b
       Look for standard error file warning messages that begin ``assuming "dev=xxxx" from ...''.
KERNEL NAME CACHE
       Lsof is able to examine the kernel's name cache or use other kernel facilities (e.g., the ADVFS 4.x tag_to_path() function under Tru64 UNIX) on some dialects for most file system
       types,  excluding AFS, and extract recently used path name components from it.  (AFS file system path lookups don't use the kernel's name cache; some Solaris VxFS file system op‐
       erations apparently don't use it, either.)
       Lsof reports the complete paths it finds in the NAME column.  If lsof can't report all components in a path, it reports in the NAME column the file system  name,  followed  by  a
       space, two `-' characters, another space, and the name components it has located, separated by the `/' character.
       When  lsof  is  run  in  repeat mode - i.e., with the -r option specified - the extent to which it can report path name components for the same file may vary from cycle to cycle.
       That's because other running processes can cause the kernel to remove entries from its name cache and replace them with others.
       Lsof's use of the kernel name cache to identify the paths of files can lead it to report incorrect components under some circumstances.  This can  happen  when  the  kernel  name
       cache  uses  device  and  node  number as a key (e.g., SCO OpenServer) and a key on a rapidly changing file system is reused.  If the UNIX dialect's kernel doesn't purge the name
       cache entry for a file when it is unlinked, lsof may find a reference to the wrong entry in the cache.  The lsof FAQ (The FAQ section gives its location.)  has  more  information
       on this situation.
       Lsof can report path name components for these dialects:
            FreeBSD
            HP-UX
            Linux
            NetBSD
            NEXTSTEP
            OpenBSD
            OPENSTEP
            SCO OpenServer
            SCO|Caldera UnixWare
            Solaris
            Tru64 UNIX
       Lsof can't report path name components for these dialects:
            AIX
       If you want to know why lsof can't report path name components for some dialects, see the lsof FAQ (The FAQ section gives its location.)
DEVICE CACHE FILE
       Examining  all members of the /dev (or /devices) node tree with stat(2) functions can be time consuming.  What's more, the information that lsof needs - device number, inode num‐
       ber, and path - rarely changes.
       Consequently, lsof normally maintains an ASCII text file of cached /dev (or /devices) information (exception: the /proc-based Linux lsof where it's not needed.)  The local system
       administrator who builds lsof can control the way the device cache file path is formed, selecting from these options:
            Path from the -D option;
            Path from an environment variable;
            System-wide path;
            Personal path (the default);
            Personal path, modified by an environment variable.
       Consult the output of the -h, -D? , or -?  help options for the current state of device cache support.  The help output lists the default read-mode device cache file path that is
       in effect for the current invocation of lsof.  The -D?  option output lists the read-only and write device cache file paths, the names of any  applicable  environment  variables,
       and the personal device cache path format.
       Lsof  can detect that the current device cache file has been accidentally or maliciously modified by integrity checks, including the computation and verification of a sixteen bit
       Cyclic Redundancy Check (CRC) sum on the file's contents.  When lsof senses something wrong with the file, it issues a warning and attempts to remove the current cache  file  and
       create a new copy, but only to a path that the process can legitimately write.
       The  path  from  which  a  lsof process may attempt to read a device cache file may not be the same as the path to which it can legitimately write.  Thus when lsof senses that it
       needs to update the device cache file, it may choose a different path for writing it from the path from which it read an incorrect or outdated version.
       If available, the -Dr option will inhibit the writing of a new device cache file.  (It's always available when specified without a path name argument.)
       When a new device is added to the system, the device cache file may need to be recreated.  Since lsof compares the mtime of the device cache file with the mtime and ctime of  the
       /dev (or /devices) directory, it usually detects that a new device has been added; in that case lsof issues a warning message and attempts to rebuild the device cache file.
       Whenever lsof writes a device cache file, it sets its ownership to the real UID of the executing process, and its permission modes to 0600, this restricting its reading and writ‐
       ing to the file's owner.
LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS
       Two permissions of the lsof executable affect its ability to access device cache files.  The permissions are set by the local system administrator when lsof is installed.
       The first and rarer permission is setuid-root.  It comes into effect when lsof is executed; its effective UID is then root, while its real (i.e., that of the logged-on user)  UID
       is not.  The lsof distribution recommends that versions for these dialects run setuid-root.
            HP-UX 11.11 and 11.23
            Linux
       The second and more common permission is setgid.  It comes into effect when the effective group IDentification number (GID) of the lsof process is set to one that can access ker‐
       nel memory devices - e.g., ``kmem'', ``sys'', or ``system''.
       An lsof process that has setgid permission usually surrenders the permission after it has accessed the kernel memory devices.  When it does that, lsof can allow more liberal  de‐
       vice cache path formations.  The lsof distribution recommends that versions for these dialects run setgid and be allowed to surrender setgid permission.
            AIX 5.[12] and 5.3-ML1
            Apple Darwin 7.x Power Macintosh systems
            FreeBSD 4.x, 4.1x, 5.x and [6789].x for x86-based systems
            FreeBSD 5.x, [6789].x and 1[012].8for Alpha, AMD64 and Sparc64
                based systems
            HP-UX 11.00
            NetBSD 1.[456], 2.x and 3.x for Alpha, x86, and SPARC-based
                systems
            NEXTSTEP 3.[13] for NEXTSTEP architectures
            OpenBSD 2.[89] and 3.[0-9] for x86-based systems
            OPENSTEP 4.x
            SCO OpenServer Release 5.0.6 for x86-based systems
            SCO|Caldera UnixWare 7.1.4 for x86-based systems
            Solaris 2.6, 8, 9 and 10
            Tru64 UNIX 5.1
       (Note: lsof for AIX 5L and above needs setuid-root permission if its -X option is used.)
       Lsof for these dialects does not support a device cache, so the permissions given to the executable don't apply to the device cache file.
            Linux
DEVICE CACHE FILE PATH FROM THE -D OPTION
       The -D option provides limited means for specifying the device cache file path.  Its ?  function will report the read-only and write device cache file paths that lsof will use.
       When  the  -D  b,  r, and u functions are available, you can use them to request that the cache file be built in a specific location (b[path]); read but not rebuilt (r[path]); or
       read and rebuilt (u[path]).  The b, r, and u functions are restricted under some conditions.  They are restricted when the lsof process is setuid-root.  The path  specified  with
       the r function is always read-only, even when it is available.
       The  b,  r,  and u functions are also restricted when the lsof process runs setgid and lsof doesn't surrender the setgid permission.  (See the LSOF PERMISSIONS THAT AFFECT DEVICE
       CACHE FILE ACCESS section for a list of implementations that normally don't surrender their setgid permission.)
       A further -D function, i (for ignore), is always available.
       When available, the b function tells lsof to read device information from the kernel with the stat(2) function and build a device cache file at the indicated path.
       When available, the r function tells lsof to read the device cache file, but not update it.  When a path argument accompanies -Dr, it names the device cache  file  path.   The  r
       function is always available when it is specified without a path name argument.  If lsof is not running setuid-root and surrenders its setgid permission, a path name argument may
       accompany the r function.
       When available, the u function tells lsof to attempt to read and use the device cache file.  If it can't read the file, or if it finds the contents of the file incorrect or  out‐
       dated, it will read information from the kernel, and attempt to write an updated version of the device cache file, but only to a path it considers legitimate for the lsof process
       effective and real UIDs.
DEVICE CACHE PATH FROM AN ENVIRONMENT VARIABLE
       Lsof's second choice for the device cache file is the contents of the LSOFDEVCACHE environment variable.  It avoids this choice if the lsof process is setuid-root,  or  the  real
       UID of the process is root.
       A  further  restriction  applies  to  a  device  cache file path taken from the LSOFDEVCACHE environment variable: lsof will not write a device cache file to the path if the lsof
       process doesn't surrender its setgid permission.  (See the LSOF PERMISSIONS THAT AFFECT DEVICE CACHE FILE ACCESS section for information on implementations that  don't  surrender
       their setgid permission.)
       The local system administrator can disable the use of the LSOFDEVCACHE environment variable or change its name when building lsof.  Consult the output of -D?  for the environment
       variable's name.
SYSTEM-WIDE DEVICE CACHE PATH
       The local system administrator may choose to have a system-wide device cache file when building lsof.  That file will generally be constructed by a special system  administration
       procedure when the system is booted or when the contents of /dev or /devices) changes.  If defined, it is lsof's third device cache file path choice.
       You can tell that a system-wide device cache file is in effect for your local installation by examining the lsof help option output - i.e., the output from the -h or -?  option.
       Lsof  will  never  write  to the system-wide device cache file path by default.  It must be explicitly named with a -D function in a root-owned procedure.  Once the file has been
       written, the procedure must change its permission modes to 0644 (owner-read and owner-write, group-read, and other-read).
PERSONAL DEVICE CACHE PATH (DEFAULT)
       The default device cache file path of the lsof distribution is one recorded in the home directory of the real UID that executes lsof.  Added to the home  directory  is  a  second
       path component of the form .lsof_hostname.
       This is lsof's fourth device cache file path choice, and is usually the default.  If a system-wide device cache file path was defined when lsof was built, this fourth choice will
       be applied when lsof can't find the system-wide device cache file.  This is the only time lsof uses two paths when reading the device cache file.
       The hostname part of the second component is the base name of the executing host, as returned by gethostname(2).  The base name is defined to  be  the  characters  preceding  the
       first `.'  in the gethostname(2) output, or all the gethostname(2) output if it contains no `.'.
       The  device  cache file belongs to the user ID and is readable and writable by the user ID alone - i.e., its modes are 0600.  Each distinct real user ID on a given host that exe‐
       cutes lsof has a distinct device cache file.  The hostname part of the path distinguishes device cache files in an NFS-mounted home directory into which device  cache  files  are
       written from several different hosts.
       The  personal  device cache file path formed by this method represents a device cache file that lsof will attempt to read, and will attempt to write should it not exist or should
       its contents be incorrect or outdated.
       The -Dr option without a path name argument will inhibit the writing of a new device cache file.
       The -D?  option will list the format specification for constructing the personal device cache file.  The conversions used  in  the  format  specification  are  described  in  the
       00DCACHE file of the lsof distribution.
MODIFIED PERSONAL DEVICE CACHE PATH
       If  this  option  is defined by the local system administrator when lsof is built, the LSOFPERSDCPATH environment variable contents may be used to add a component of the personal
       device cache file path.
       The LSOFPERSDCPATH variable contents are inserted in the path at the place marked by the local system administrator with the ``%p'' conversion in the HASPERSDC format  specifica‐
       tion of the dialect's machine.h header file.  (It's placed right after the home directory in the default lsof distribution.)
       Thus,  for  example, if LSOFPERSDCPATH contains ``LSOF'', the home directory is ``/Homes/abe'', the host name is ``lsof.itap.purdue.edu'', and the HASPERSDC format is the default
       (``%h/%p.lsof_%L''), the modified personal device cache file path is:
            /Homes/abe/LSOF/.lsof_vic
       The LSOFPERSDCPATH environment variable is ignored when the lsof process is setuid-root or when the real UID of the process is root.
       Lsof will not write to a modified personal device cache file path if the lsof process doesn't surrender setgid permission.  (See the LSOF PERMISSIONS  THAT  AFFECT  DEVICE  CACHE
       FILE ACCESS section for a list of implementations that normally don't surrender their setgid permission.)
       If,  for  example,  you want to create a sub-directory of personal device cache file paths by using the LSOFPERSDCPATH environment variable to name it, and lsof doesn't surrender
       its setgid permission, you will have to allow lsof to create device cache files at the standard personal path and move them to your subdirectory with shell commands.
       The local system administrator may: disable this option when lsof is built; change the name of the  environment  variable  from  LSOFPERSDCPATH  to  something  else;  change  the
       HASPERSDC format to include the personal path component in another place; or exclude the personal path component entirely.  Consult the output of the -D?  option for the environ‐
       ment variable's name and the HASPERSDC format specification.
DIAGNOSTICS
       Errors are identified with messages on the standard error file.
       Lsof returns a one (1) if any error was detected, including the failure to locate command names, file names, Internet addresses or files, login names, NFS files, PIDs, PGIDs,  or
       UIDs it was asked to list.  If the -V option is specified, lsof will indicate the search items it failed to list.
       It returns a zero (0) if no errors were detected and if it was able to list some information about all the specified search arguments.
       When  lsof  cannot  open  access to /dev (or /devices) or one of its subdirectories, or get information on a file in them with stat(2), it issues a warning message and continues.
       That lsof will issue warning messages about inaccessible files in /dev (or /devices) is indicated in its help output - requested with the -h or >B -?  options -   with  the  mes‐
       sage:
            Inaccessible /dev warnings are enabled.
       The warning message may be suppressed with the -w option.  It may also have been suppressed by the system administrator when lsof was compiled by the setting of the WARNDEVACCESS
       definition.  In this case, the output from the help options will include the message:
            Inaccessible /dev warnings are disabled.
       Inaccessible device warning messages usually disappear after lsof has created a working device cache file.
EXAMPLES
       For a more extensive set of examples, documented more fully, see the 00QUICKSTART file of the lsof distribution.
       To list all open files, use:
              lsof
       To list all open Internet, x.25 (HP-UX), and UNIX domain files, use:
              lsof -i -U
       To list all open IPv4 network files in use by the process whose PID is 1234, use:
              lsof -i 4 -a -p 1234
       Presuming the UNIX dialect supports IPv6, to list only open IPv6 network files, use:
              lsof -i 6
       To list all files using any protocol on ports 513, 514, or 515 of host wonderland.cc.purdue.edu, use:
              lsof -i @wonderland.cc.purdue.edu:513-515
       To list all files using any protocol on any port of mace.cc.purdue.edu (cc.purdue.edu is the default domain), use:
              lsof -i @mace
       To list all open files for login name ``abe'', or user ID 1234, or process 456, or process 123, or process 789, use:
              lsof -p 456,123,789 -u 1234,abe
       To list all open files on device /dev/hd4, use:
              lsof /dev/hd4
       To find the process that has /u/abe/foo open, use:
              lsof /u/abe/foo
       To send a SIGHUP to the processes that have /u/abe/bar open, use:
              kill -HUP `lsof -t /u/abe/bar`
       To find any open file, including an open UNIX domain socket file, with the name /dev/log, use:
              lsof /dev/log
       To find processes with open files on the NFS file system named /nfs/mount/point whose server is inaccessible, and presuming your  mount  table  supplies  the  device  number  for
       /nfs/mount/point, use:
              lsof -b /nfs/mount/point
       To do the preceding search with warning messages suppressed, use:
              lsof -bw /nfs/mount/point
       To ignore the device cache file, use:
              lsof -Di
       To obtain PID and command name field output for each process, file descriptor, file device number, and file inode number for each file of each process, use:
              lsof -FpcfDi
       To list the files at descriptors 1 and 3 of every process running the lsof command for login ID ``abe'' every 10 seconds, use:
              lsof -c lsof -a -d 1 -d 3 -u abe -r10
       To  list  the  current working directory of processes running a command that is exactly four characters long and has an 'o' or 'O' in character three, use this regular expression
       form of the -c c option:
              lsof -c /^..o.$/i -a -d cwd
       To find an IP version 4 socket file by its associated numeric dot-form address, use:
              lsof [email protected]
       To find an IP version 6 socket file (when the UNIX dialect supports IPv6) by its associated numeric colon-form address, use:
              lsof [email protected][0:1:2:3:4:5:6:7]
       To find an IP version 6 socket file (when the UNIX dialect supports IPv6) by an associated numeric colon-form address that has a run of zeroes in it - e.g., the loop-back address
       - use:
              lsof [email protected][::1]
       To obtain a repeat mode marker line that contains the current time, use:
              lsof -rm====%T====
       To add spaces to the previous marker line, use:
              lsof -r "m==== %T ===="
BUGS
       Since lsof reads kernel memory in its search for open files, rapid changes in kernel memory may produce unpredictable results.
       When  a  file has multiple record locks, the lock status character (following the file descriptor) is derived from a test of the first lock structure, not from any combination of
       the individual record locks that might be described by multiple lock structures.
       Lsof can't search for files with restrictive access permissions by name unless it is installed with root set-UID permission.  Otherwise it is limited to searching  for  files  to
       which its user or its set-GID group (if any) has access permission.
       The  display  of  the  destination address of a raw socket (e.g., for ping) depends on the UNIX operating system.  Some dialects store the destination address in the raw socket's
       protocol control block, some do not.
       Lsof can't always represent Solaris device numbers in the same way that ls(1) does.  For example, the major and minor device numbers that the lstat(2) and stat(2)  functions  re‐
       port  for  the directory on which CD-ROM files are mounted (typically /cdrom) are not the same as the ones that it reports for the device on which CD-ROM files are mounted (typi‐
       cally /dev/sr0).  (Lsof reports the directory numbers.)
       The support for /proc file systems is available only for BSD and Tru64 UNIX dialects, Linux, and dialects derived  from  SYSV  R4  -  e.g.,  FreeBSD,  NetBSD,  OpenBSD,  Solaris,
       UnixWare.
       Some  /proc file items - device number, inode number, and file size - are unavailable in some dialects.  Searching for files in a /proc file system may require that the full path
       name be specified.
       No text (txt) file descriptors are displayed for Linux processes.  All entries for files other than the current working directory, the root directory, and numerical file descrip‐
       tors are labeled mem descriptors.
       Lsof can't search for Tru64 UNIX named pipes by name, because their kernel implementation of lstat(2) returns an improper device number for a named pipe.
       Lsof  can't report fully or correctly on HP-UX 9.01, 10.20, and 11.00 locks because of insufficient access to kernel data or errors in the kernel data.  See the lsof FAQ (The FAQ
       section gives its location.)  for details.
       The AIX SMT file type is a fabrication.  It's made up for file structures whose type (15) isn't defined in the AIX /usr/include/sys/file.h header file.  One way  to  create  such
       file structures is to run X clients with the DISPLAY variable set to ``:0.0''.
       The +|-f[cfgGn] option is not supported under /proc-based Linux lsof, because it doesn't read kernel structures from kernel memory.
ENVIRONMENT
       Lsof may access these environment variables.
       LANG              defines a language locale.  See setlocale(3) for the names of other variables that can be used in place of LANG - e.g., LC_ALL, LC_TYPE, etc.
       LSOFDEVCACHE      defines the path to a device cache file.  See the DEVICE CACHE PATH FROM AN ENVIRONMENT VARIABLE section for more information.
       LSOFPERSDCPATH    defines the middle component of a modified personal device cache file path.  See the MODIFIED PERSONAL DEVICE CACHE PATH section for more information.
FAQ
       Frequently-asked questions and their answers (an FAQ) are available in the 00FAQ file of the lsof distribution.
       That file is also available via anonymous ftp from lsof.itap.purdue.edu at pub/tools/unix/lsofFAQ.  The URL is:
              ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
FILES
       /dev/kmem         kernel virtual memory device
       /dev/mem          physical memory device
       /dev/swap         system paging device
       .lsof_hostname    lsof's device cache file (The suffix, hostname, is the first component of the host's name returned by gethostname(2).)
AUTHORS
       Lsof was written by Victor A.Abell <[email protected]> of Purdue University.  Many others have contributed to lsof.  They're listed in the 00CREDITS file of the lsof distribution.
DISTRIBUTION
       The latest distribution of lsof is available via anonymous ftp from the host lsof.itap.purdue.edu.  You'll find the lsof distribution in the pub/tools/unix/lsof directory.
       You can also use this URL:
              ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof
       Lsof  is  also  mirrored  elsewhere.   When  you  access  lsof.itap.purdue.edu  and change to its pub/tools/unix/lsof directory, you'll be given a list of some mirror sites.  The
       pub/tools/unix/lsof directory also contains a more complete list in its mirrors file.  Use mirrors with caution - not all mirrors always have the latest lsof revision.
       Some pre-compiled Lsof executables are available on lsof.itap.purdue.edu, but their use is discouraged - it's better that you build your own from the sources.  If  you  feel  you
       must  use  a pre-compiled executable, please read the cautions that appear in the README files of the pub/tools/unix/lsof/binaries subdirectories and in the 00* files of the dis‐
       tribution.
       More information on the lsof distribution can be found in its README.lsof_<version> file.  If you intend to get the lsof distribution and build it, please read  README.lsof_<ver‐
       sion> and the other 00* files of the distribution before sending questions to the author.
SEE ALSO
       Not all the following manual pages may exist in every UNIX dialect to which lsof has been ported.
       access(2),  awk(1),  crash(1),  fattach(3C), ff(1), fstat(8), fuser(1), gethostname(2), isprint(3), kill(1), localtime(3), lstat(2), modload(8), mount(8), netstat(1), ofiles(8L),
       perl(1), ps(1), readlink(2), setlocale(3), stat(2), strftime(3), time(2), uname(1).
                                                                                      Revision-4.91                                                                               LSOF(8)

(Back to top)


How to: Create self-signed SSL/TLS certificates on Linux/Ubuntu etc. easily & quickly (Use self-signed with caution!)

Warning: Before continue, make sure you understand the strength and the weakness of self-signed certificates, most of the time self-signed certificates should only be used for testing etc.

Generating self-signed certificate with openssl

openssl req -x509 -nodes -days 365 -newkey rsa:4096 -keyout certificate-key.key -out certificate-cert.pem

365: The certificate is validated for 365 days

rsa:4096: 4096-bit RSA key pair, we can also use 2048 instead of 4096

With value of 2048, the encryption will be faster compare to 4096 but less secure

# Output of the command
 
Generating a RSA private key
………………………………………………………………………………………..++++
……….++++
writing new private key to 'certificate-key.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Note: The most important part when asked is “Common Name (e.g. server FQDN or YOUR name) []:” here we should use the domain name or public IP address.