Thursday, 29 November 2012


Linux Command To List Directories / Directory Names Only



The “ls” command in Linux lists the files and directories in the directory given as an argument, or in the current directory by default. Its options change its behavior: -a also lists hidden files, -l lists in long format, and so on. There is, however, no option that lists directories only. That does not mean it cannot be done: Linux provides plenty of tools to combine, and with command chaining (pipes) you can see which directories are present in a given directory. This article presents a number of ways of getting such a directory listing.

Listing directories using Wildcards

The simplest method is a wildcard. The glob */ matches only directories, so every name in the output ends in a forward slash.
$ ls -d */
Desktop/ Downloads/ looped/ Music/ orb.db/ Pictures/ Templates/ Videos/ Virus/
Documents/ jvm/ mounts/ netbeans-6.9/ PacketTracer5/ Public/ Ubuntu One/ VirtualBox VMs/
For a long listing, just add the -l option.
$ ls -ld */
drwxr-xr-x 4 raghu raghu 4096 2012-09-27 23:50 Desktop/
drwxr-xr-x 13 raghu raghu 4096 2012-09-16 13:22 Documents/
drwxr-xr-x 5 raghu raghu 4096 2012-09-28 15:01 Downloads/
drwxr-xr-x 2 raghu raghu 4096 2012-03-27 10:48 jvm/
drwxr-xr-x 2 raghu raghu 4096 2011-10-29 13:02 looped/
drwxr-xr-x 2 root root 4096 2011-11-15 01:23 mounts/
drwxr-xr-x 2 raghu raghu 4096 2011-10-26 16:03 Music/
drwxr-xr-x 12 raghu raghu 4096 2012-01-24 19:29 netbeans-6.9/
drwxr-xr-x 3 raghu raghu 4096 2012-04-17 12:23 orb.db/
drwxr-xr-x 4 raghu raghu 4096 2011-11-16 13:03 PacketTracer5/
drwxr-xr-x 5 raghu raghu 4096 2012-07-16 11:41 Pictures/
drwxr-xr-x 2 raghu raghu 4096 2011-10-26 16:03 Public/
drwxr-xr-x 2 raghu raghu 4096 2011-10-26 16:03 Templates/
drwxrwxr-x 2 raghu raghu 4096 2011-10-26 19:42 Ubuntu One/
drwxr-xr-x 2 raghu raghu 4096 2012-06-15 18:36 Videos/
drwxr-xr-x 7 raghu raghu 4096 2012-09-13 00:52 VirtualBox VMs/
drwxr-xr-x 2 raghu raghu 4096 2012-01-17 17:46 Virus/

Using -F option and grep

The -F option appends a trailing forward slash to directory names, so we can ‘grep’ the directories only by selecting the lines that end with a forward slash (/).
$ ls -lF | grep \/$
drwxr-xr-x 4 raghu raghu 4096 2012-09-27 23:50 Desktop/
drwxr-xr-x 13 raghu raghu 4096 2012-09-16 13:22 Documents/
drwxr-xr-x 5 raghu raghu 4096 2012-09-28 15:01 Downloads/
drwxr-xr-x 2 raghu raghu 4096 2012-03-27 10:48 jvm/
drwxr-xr-x 2 raghu raghu 4096 2011-10-29 13:02 looped/
drwxr-xr-x 2 root root 4096 2011-11-15 01:23 mounts/
drwxr-xr-x 2 raghu raghu 4096 2011-10-26 16:03 Music/
drwxr-xr-x 12 raghu raghu 4096 2012-01-24 19:29 netbeans-6.9/
drwxr-xr-x 3 raghu raghu 4096 2012-04-17 12:23 orb.db/
drwxr-xr-x 4 raghu raghu 4096 2011-11-16 13:03 PacketTracer5/
drwxr-xr-x 5 raghu raghu 4096 2012-07-16 11:41 Pictures/
drwxr-xr-x 2 raghu raghu 4096 2011-10-26 16:03 Public/
drwxr-xr-x 2 raghu raghu 4096 2011-10-26 16:03 Templates/
drwxrwxr-x 2 raghu raghu 4096 2011-10-26 19:42 Ubuntu One/
drwxr-xr-x 2 raghu raghu 4096 2012-06-15 18:36 Videos/
drwxr-xr-x 7 raghu raghu 4096 2012-09-13 00:52 VirtualBox VMs/
drwxr-xr-x 2 raghu raghu 4096 2012-01-17 17:46 Virus/
or, for just the directory names, without the -l option:
$ ls -F | grep \/$
Desktop/
Documents/
Downloads/
jvm/
looped/
mounts/
Music/
netbeans-6.9/
orb.db/
PacketTracer5/
Pictures/

Using -l option and grep

In the long listing of ls, i.e. “ls -l”, directory entries start with ‘d’, so we can ‘grep’ the lines starting with ‘d’.
$ ls -l | grep ^d
drwxr-xr-x 4 raghu raghu 4096 2012-09-27 23:50 Desktop
drwxr-xr-x 13 raghu raghu 4096 2012-09-16 13:22 Documents
drwxr-xr-x 5 raghu raghu 4096 2012-09-28 15:01 Downloads
drwxr-xr-x 2 raghu raghu 4096 2012-03-27 10:48 jvm
drwxr-xr-x 2 raghu raghu 4096 2011-10-29 13:02 looped
drwxr-xr-x 2 root root 4096 2011-11-15 01:23 mounts
drwxr-xr-x 2 raghu raghu 4096 2011-10-26 16:03 Music
drwxr-xr-x 12 raghu raghu 4096 2012-01-24 19:29 netbeans-6.9
drwxr-xr-x 3 raghu raghu 4096 2012-04-17 12:23 orb.db
drwxr-xr-x 4 raghu raghu 4096 2011-11-16 13:03 PacketTracer5
drwxr-xr-x 5 raghu raghu 4096 2012-07-16 11:41 Pictures
We can extract just the names by printing only the last columns ($8 is the name; $9 catches the second word of names such as ‘Ubuntu One’).
$ ls -l | grep ^d | awk '{print $8,$9}'
Desktop
Documents
Downloads
jvm
looped
mounts
Music
netbeans-6.9
orb.db
PacketTracer5
Pictures

Using echo command

We can use the echo command with the same */ wildcard; the shell expands it to the entries ending with a forward slash (/).
$ echo */
Desktop/ Documents/ Downloads/ jvm/ looped/ mounts/ Music/ netbeans-6.9/ orb.db/ PacketTracer5/ Pictures/

Using printf

Similarly, printf can be used to print the entries ending with a forward slash (/), one per line.
$ printf '%s\n' */
Desktop/
Documents/
Downloads/
jvm/
looped/
mounts/
Music/
netbeans-6.9/
orb.db/
PacketTracer5/
Pictures/

Using find command

We can always find files by their type with the ‘find’ command:
$ find . -maxdepth 1 -type d
.
./.netbeans-registration
./.gvfs
./.shotwell
./.gegl-0.0
./.cache
./.ssh
./VirtualBox VMs
./.mission-control
./.gnome2
./.jedit
./.config
./mounts
./.gconf
./Desktop
./Documents
./.dbus
./Templates
./Virus
./Videos
./.Skype
./.tsclient
./.macromedia
./.purple
./PacketTracer5
./Public
./.nautilus
./.icons
./Downloads
./Pictures
The -maxdepth 1 option restricts the search to the specified directory itself; without it, find descends recursively into each directory and its subdirectories. Note that this command also shows the hidden directories. With the ls-based methods above, the same can be achieved with the -a option. For example,
$ ls -laF | grep \/$
drwxr-xr-x 60 raghu raghu 4096 2012-09-28 20:18 ./
drwxr-xr-x. 6 root root 4096 2012-06-25 01:08 ../
drwx------ 3 raghu raghu 4096 2011-10-29 14:04 .adobe/
drwx------ 28 raghu raghu 4096 2012-09-28 20:07 .cache/
drwx------ 3 raghu raghu 4096 2011-10-26 16:06 .compiz/
drwxr-xr-x 26 raghu raghu 4096 2012-09-27 00:20 .config/
drwx------ 3 raghu raghu 4096 2011-10-26 16:03 .dbus/
drwxr-xr-x 4 raghu raghu 4096 2012-09-27 23:50 Desktop/
drwxr-xr-x 13 raghu raghu 4096 2012-09-16 13:22 Documents/
drwxr-xr-x 5 raghu raghu 4096 2012-09-28 15:01 Downloads/
drwxr-xr-x 7 raghu raghu 4096 2012-09-15 23:21 .drpython/
drwxr-xr-x 2 raghu raghu 4096 2012-09-10 14:28 .fontconfig/
drwx------ 5 raghu raghu 4096 2012-09-28 20:07 .gconf/
drwx------ 2 raghu raghu 4096 2012-09-28 23:10 .gconfd/
drwx------ 4 raghu raghu 4096 2011-11-26 20:23 .gegl-0.0/
drwxr-xr-x 22 raghu raghu 4096 2012-09-27 01:44 .gimp-2.6/
drwx------ 11 raghu raghu 4096 2012-09-22 05:23 .gnome2/
drwx------ 2 raghu raghu 4096 2011-10-26 18:16 .gnome2_private/
drwxr-xr-x 2 raghu raghu 4096 2012-09-23 19:45 .gstreamer-0.10/
dr-x------ 2 raghu raghu 0 2012-09-28 20:07 .gvfs/
drwxr-xr-x 5 raghu raghu 4096 2012-03-09 10:12 .icedtea/
drwxr-xr-x 2 raghu raghu 4096 2011-10-26 19:10 .icons/
drwxr-xr-x 9 raghu raghu 4096 2012-09-16 13:28 .jedit/
drwxr-xr-x 2 raghu raghu 4096 2012-03-27 10:48 jvm/
drwxr-xr-x 3 raghu raghu 4096 2011-10-29 14:25 .libreoffice/
drwxr-xr-x 3 raghu raghu 4096 2011-10-26 16:03 .local/
drwxr-xr-x 2 raghu raghu 4096 2011-10-29 13:02 looped/
drwx------ 3 raghu raghu 4096 2011-10-29 14:04 .macromedia/
drwx------ 3 raghu raghu 4096 2011-11-15 01:08 .mission-control/
drwxr-xr-x 2 root root 4096 2011-11-15 01:23 mounts/
drwx------ 4 raghu raghu 4096 2011-10-26 18:22 .mozilla/
drwxr-xr-x 2 raghu raghu 4096 2011-10-26 16:03 Music/
drwxr-xr-x 2 raghu raghu 4096 2011-10-26 16:03 .nautilus/
drwxr-xr-x 7 raghu raghu 4096 2012-01-24 19:31 .nbi/
drwxr-xr-x 3 raghu raghu 4096 2012-01-24 20:13 .netbeans/
drwxr-xr-x 12 raghu raghu 4096 2012-01-24 19:29 netbeans-6.9/
drwxr-xr-x 3 raghu raghu 4096 2012-01-24 19:29 .netbeans-registration/
drwxr-xr-x 3 raghu raghu 4096 2012-04-17 12:23 orb.db/
drwxr-xr-x 4 raghu raghu 4096 2011-11-16 13:03 PacketTracer5/
drwxr-xr-x 5 raghu raghu 4096 2012-07-16 11:41 Pictures/
or:
$ ls -la | grep ^d
drwxr-xr-x 60 raghu raghu 4096 2012-09-28 20:18 .
drwxr-xr-x. 6 root root 4096 2012-06-25 01:08 ..
drwx------ 3 raghu raghu 4096 2011-10-29 14:04 .adobe
drwx------ 28 raghu raghu 4096 2012-09-28 20:07 .cache
drwx------ 3 raghu raghu 4096 2011-10-26 16:06 .compiz
drwxr-xr-x 26 raghu raghu 4096 2012-09-27 00:20 .config
drwx------ 3 raghu raghu 4096 2011-10-26 16:03 .dbus
drwxr-xr-x 4 raghu raghu 4096 2012-09-27 23:50 Desktop
drwxr-xr-x 13 raghu raghu 4096 2012-09-16 13:22 Documents
drwxr-xr-x 5 raghu raghu 4096 2012-09-28 15:01 Downloads
drwxr-xr-x 7 raghu raghu 4096 2012-09-15 23:21 .drpython
drwxr-xr-x 2 raghu raghu 4096 2012-09-10 14:28 .fontconfig
drwx------ 5 raghu raghu 4096 2012-09-28 20:07 .gconf
drwx------ 2 raghu raghu 4096 2012-09-28 23:10 .gconfd
drwx------ 4 raghu raghu 4096 2011-11-26 20:23 .gegl-0.0
drwxr-xr-x 22 raghu raghu 4096 2012-09-27 01:44 .gimp-2.6
drwx------ 11 raghu raghu 4096 2012-09-22 05:23 .gnome2
drwx------ 2 raghu raghu 4096 2011-10-26 18:16 .gnome2_private
drwxr-xr-x 2 raghu raghu 4096 2012-09-23 19:45 .gstreamer-0.10
dr-x------ 2 raghu raghu 0 2012-09-28 20:07 .gvfs
drwxr-xr-x 5 raghu raghu 4096 2012-03-09 10:12 .icedtea
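
As an added example (not from the original post), the following POSIX shell function puts the */ trick to work inside a script: it prints directory names one per line, optionally including hidden ones as ls -a would, and keeps names containing spaces (such as ‘VirtualBox VMs’) intact, which the ls -l | awk '{print $8,$9}' approach above cannot guarantee for names with more than two words. The directory argument and the all flag are conventions of this example only.

```shell
#!/bin/sh
# list_dirs DIR [all]: print the names of the subdirectories of DIR, one per line.
# Passing "all" as the second argument also lists dot-directories.
list_dirs() {
    dir=${1:-.}
    show_hidden=${2:-}
    # "*/" matches only directories (the trailing-slash trick from the post);
    # ".*/" adds the hidden ones when requested.
    if [ "$show_hidden" = all ]; then
        set -- "$dir"/*/ "$dir"/.*/
    else
        set -- "$dir"/*/
    fi
    for d in "$@"; do
        # A pattern that matched nothing is passed through literally: skip it.
        [ -d "$d" ] || continue
        d=${d%/}            # strip the trailing slash
        name=${d##*/}       # basename, without spawning an external command
        case $name in
            .|..) continue ;;   # ".*/" also matches the current and parent directory
        esac
        printf '%s\n' "$name"
    done
}

# count_dirs DIR [all]: number of subdirectories, built on list_dirs
count_dirs() {
    list_dirs "$1" "${2:-}" | wc -l | tr -d ' '
}

# Stand-alone use: list the current directory, hidden directories included.
list_dirs . all
```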

Best Difference Between Linux Grub and Grub2 Bootloader


In this article I am going to provide some understanding of the Linux boot loader known as GRUB. Understanding how GRUB works helps you see how the operating system actually starts, and it will help you fix and recover from many Linux start-up problems. If you really want to gain confidence with Linux, you should master the GRUB boot loader; it is a very important step. GRUB works with DOS, Windows, Linux and any BSD operating system. GRUB stands for Grand Unified Bootloader. If someone asked me what the most frightening part of Linux is, I would say the boot loader. The main reason is that most Linux users have used Windows before; on Windows they never needed to know about boot loaders, and at most used the Recovery Console to solve their problems, so they never had a chance to learn about this small piece of software.
This boot loader can be configured dynamically, meaning the user can make changes while booting: edit the current boot entries, add new entries, choose between multiple kernels, or even modify the initrd. GRUB also supports Logical Block Addressing. GRUB can be installed on and executed from any type of device, such as a hard disk, CD or USB drive. GRUB and GRUB2 are two different versions.
GRUB2 is the default boot loader of Ubuntu, whereas GRUB is generally used in RHEL. When started, GRUB2 presents a menu and waits for input from the user, then transfers control to the operating system kernel. GRUB2 is designed to provide the flexibility and performance that today's operating systems need.

Features and Comparisons between GRUB and GRUB2

The default menu looks very similar to GRUB's, but there are some changes:
1. On a new installation of Ubuntu 9.10 or later, GRUB2 boots straight to the login prompt; no menu is displayed.
2. To see the menu during boot, hold down the SHIFT key; pressing ESC sometimes displays the menu as well.
3. The configuration file is now /boot/grub/grub.cfg; there is no /boot/grub/menu.lst any more. This main configuration file is built from a set of scripts and is not meant to be edited directly.
4. Users can now create custom files holding their own menu entries, for example the file 40_custom in the /etc/grub.d folder.
5. Users can also change the menu display settings, through the file grub in the /etc/default folder.
6. Partition numbering has changed completely: the first partition is now 1 instead of 0, while the first device is still hd0. These mappings can be altered if needed by editing the device.map file in the /etc/grub folder.

Tuesday, 9 October 2012

20 Iptables Examples For New SysAdmins

 

IPTABLES Rules Example

  • Most of the actions listed in this post assume they are executed by the root user running bash or another modern shell. Do not type these commands on a remote system, as they may disconnect your access.
  • For demonstration purpose I've used RHEL 6.x, but the following command should work with any modern Linux distro.
  • This is NOT a tutorial on how to set iptables.

#1: Displaying the Status of Your Firewall

Type the following command as root:
# iptables -L -n -v
Sample outputs:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
The above output indicates that the firewall is not active: every chain has the policy ACCEPT and contains no rules. The following sample shows an active firewall:
# iptables -L -n -v
Sample outputs:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
  394 43586 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   93 17292 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
    1   142 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  br0    br0     0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID
    0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
    0     0 wanin      all  --  vlan2  *       0.0.0.0/0            0.0.0.0/0
    0     0 wanout     all  --  *      vlan2   0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br0    *       0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT 425 packets, 113K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain wanin (1 references)
 pkts bytes target     prot opt in     out     source               destination
Chain wanout (1 references)
 pkts bytes target     prot opt in     out     source               destination
Where,
  • -L : List rules.
  • -v : Display detailed information. This option makes the list command show the interface name, the rule options, and the TOS masks. The packet and byte counters are also listed, with the suffix 'K', 'M' or 'G' for 1000, 1,000,000 and 1,000,000,000 multipliers respectively.
  • -n : Display IP address and port in numeric format. Do not use DNS to resolve names. This will speed up listing.

#1.1: To inspect firewall with line numbers, enter:

# iptables -n -L -v --line-numbers
Sample outputs:
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
2    DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
3    TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
5    wanin      all  --  0.0.0.0/0            0.0.0.0/0
6    wanout     all  --  0.0.0.0/0            0.0.0.0/0
7    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
Chain wanin (1 references)
num  target     prot opt source               destination
Chain wanout (1 references)
num  target     prot opt source               destination
You can use line numbers to delete or insert new rules into the firewall.

#1.2: To display INPUT or OUTPUT chain rules, enter:

# iptables -L INPUT -n -v
# iptables -L OUTPUT -n -v --line-numbers

#2: Stop / Start / Restart the Firewall

If you are using CentOS / RHEL / Fedora Linux, enter:
# service iptables stop
# service iptables start
# service iptables restart

You can use the iptables command itself to stop the firewall and delete all rules:
# iptables -F
# iptables -X
# iptables -t nat -F
# iptables -t nat -X
# iptables -t mangle -F
# iptables -t mangle -X
# iptables -P INPUT ACCEPT
# iptables -P OUTPUT ACCEPT
# iptables -P FORWARD ACCEPT

Where,
  • -F : Deleting (flushing) all the rules.
  • -X : Delete chain.
  • -t table_name : Select table (called nat or mangle) and delete/flush rules.
  • -P : Set the default policy (such as DROP, REJECT, or ACCEPT).

#3: Delete Firewall Rules

To display line number along with other information for existing rules, enter:
# iptables -L INPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers
# iptables -L OUTPUT -n --line-numbers | less
# iptables -L OUTPUT -n --line-numbers | grep 202.54.1.1

You will get the list of rules with their IPs. Look at the number on the left, then use that number to delete the rule. For example, to delete line number 4, enter:
# iptables -D INPUT 4
or find the rule for source IP 202.54.1.1 and delete it by specification:
# iptables -D INPUT -s 202.54.1.1 -j DROP
Where,
  • -D : Delete one or more rules from the selected chain

#4: Insert Firewall Rules

To insert one or more rules into the selected chain at the given rule number, use the following syntax. First find out the line numbers:
# iptables -L INPUT -n --line-numbers
Sample outputs:
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  202.54.1.1           0.0.0.0/0
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED 
To insert rule between 1 and 2, enter:
# iptables -I INPUT 2 -s 202.54.1.2 -j DROP
To view updated rules, enter:
# iptables -L INPUT -n --line-numbers
Sample outputs:
Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  202.54.1.1           0.0.0.0/0
2    DROP       all  --  202.54.1.2           0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,ESTABLISHED

#5: Save Firewall Rules

To save firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables save
In this example, drop an IP and save firewall rules:
# iptables -A INPUT -s 202.5.4.1 -j DROP
# service iptables save

For all other distros use the iptables-save command:
# iptables-save > /root/my.active.firewall.rules
# cat /root/my.active.firewall.rules

#6: Restore Firewall Rules

To restore firewall rules from a file called /root/my.active.firewall.rules, enter:
# iptables-restore < /root/my.active.firewall.rules
To restore firewall rules under CentOS / RHEL / Fedora Linux, enter:
# service iptables restart

#7: Set the Default Firewall Policies

To drop all traffic:
# iptables -P INPUT DROP
# iptables -P OUTPUT DROP
# iptables -P FORWARD DROP
# iptables -L -v -n
#### you will not be able to connect anywhere as all traffic is dropped ###
# ping cyberciti.biz
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

#7.1: Only Block Incoming Traffic

To drop all incoming / forwarded packets, but allow outgoing traffic, enter:
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -A INPUT -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -L -v -n
### *** now ping and wget should work *** ###
# ping cyberciti.biz
# wget http://www.kernel.org/pub/linux/kernel/v3.0/testing/linux-3.2-rc5.tar.bz2

#8:Drop Private Network Address On Public Interface

Anti-spoofing here means dropping packets that arrive on your public interface with a source address in one of the IPv4 ranges reserved for private networks (listed in #8.1). Such packets have non-routable source addresses and should be rejected using the following syntax:
# iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j DROP
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

#8.1: IPv4 Address Ranges For Private Networks (make sure you block them on public interface)

  • 10.0.0.0/8 (A)
  • 172.16.0.0/12 (B)
  • 192.168.0.0/16 (C)
  • 224.0.0.0/4 (MULTICAST D)
  • 240.0.0.0/5 (E)
  • 127.0.0.0/8 (LOOPBACK)

#9: Blocking an IP Address (BLOCK IP)

To block an attacker's IP address, say 1.2.3.4, enter:
# iptables -A INPUT -s 1.2.3.4 -j DROP
# iptables -A INPUT -s 192.168.0.0/24 -j DROP

#10: Block Incoming Port Requests (BLOCK PORT)

To block all service requests on port 80, enter:
# iptables -A INPUT -p tcp --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp --dport 80 -j DROP

To block port 80 only for an ip address 1.2.3.4, enter:
# iptables -A INPUT -p tcp -s 1.2.3.4 --dport 80 -j DROP
# iptables -A INPUT -i eth1 -p tcp -s 192.168.1.0/24 --dport 80 -j DROP

#11: Block Outgoing IP Address

To block outgoing traffic to a particular host or domain such as cyberciti.biz, enter:
# host -t a cyberciti.biz
Sample outputs:
cyberciti.biz has address 75.126.153.206
Note down its IP address and type the following to block all outgoing traffic to 75.126.153.206:
# iptables -A OUTPUT -d 75.126.153.206 -j DROP
You can use a subnet as follows:
# iptables -A OUTPUT -d 192.168.1.0/24 -j DROP
# iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j DROP

#11.1: Example - Block Facebook.com Domain

First, find out all IP addresses of facebook.com, enter:
# host -t a www.facebook.com
Sample outputs:
www.facebook.com has address 69.171.228.40
Find CIDR for 69.171.228.40, enter:
# whois 69.171.228.40 | grep CIDR
Sample outputs:
CIDR:           69.171.224.0/19
To prevent outgoing access to www.facebook.com, enter:
# iptables -A OUTPUT -p tcp -d 69.171.224.0/19 -j DROP
You can also use domain name, enter:
# iptables -A OUTPUT -p tcp -d www.facebook.com -j DROP
# iptables -A OUTPUT -p tcp -d facebook.com -j DROP

From the iptables man page:
... specifying any name to be resolved with a remote query such as DNS (e.g., facebook.com is a really bad idea), a network IP address (with /mask), or a plain IP address ...

#12: Log and Drop Packets

Type the following to log and then block spoofed packets (here, a private source range) on the public interface called eth1:
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

By default everything is logged to the /var/log/messages file; the --log-prefix string is what you search for:
# tail -f /var/log/messages
# grep --color 'IP_SPOOF' /var/log/messages

#13: Log and Drop Packets with Limited Number of Log Entries

The -m limit module limits the number of log entries created per unit of time, which prevents flooding your log file. To log and drop spoofed packets at the rate set by --limit 5/m (five log entries per minute), in bursts of at most 7 entries:
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "
# iptables -A INPUT -i eth1 -s 10.0.0.0/8 -j DROP

#14: Drop or Accept Traffic From Mac Address

Use the following syntax:
# iptables -A INPUT -m mac --mac-source 00:0F:EA:91:04:08 -j DROP
## *only accept traffic for TCP port 22 from mac 00:0F:EA:91:04:07 * ##
# iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EA:91:04:07 -j ACCEPT

#15: Block or Allow ICMP Ping Request

Type the following command to block ICMP ping requests:
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# iptables -A INPUT -i eth1 -p icmp --icmp-type echo-request -j DROP

Ping responses can also be limited to certain networks or hosts:
# iptables -A INPUT -s 192.168.1.0/24 -p icmp --icmp-type echo-request -j ACCEPT
The following only accepts limited type of ICMP requests:
### ** assumed that default INPUT policy set to DROP ** #############
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
## ** allow our server to respond to pings ** ##
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

#16: Open Range of Ports

Use the following syntax to open a range of ports:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 7000:7010 -j ACCEPT

#17: Open Range of IP Addresses

Use the following syntax to open a range of IP address:
## only accept connection to tcp port 80 (Apache) if ip is between 192.168.1.100 and 192.168.1.200 ##
iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT

## nat example ##
iptables -t nat -A POSTROUTING -j SNAT --to-source 192.168.1.20-192.168.1.25

#18: Established Connections and Restarting The Firewall

When you restart the iptables service under RHEL / Fedora / CentOS Linux, it drops established connections because it unloads the netfilter modules from the kernel. Edit /etc/sysconfig/iptables-config and set IPTABLES_MODULES_UNLOAD as follows (the file is sourced by the shell, so no spaces around the equals sign):
IPTABLES_MODULES_UNLOAD="no"

#19: Help Iptables Flooding My Server Screen

Use the crit log level to send messages to a log file instead of console:
iptables -A INPUT -s 1.2.3.4 -p tcp --destination-port 80 -j LOG --log-level crit

#20: Block or Open Common Ports

The following shows syntax for opening and closing common TCP and UDP ports:
 
Replace ACCEPT with DROP to block port:
## open port ssh tcp port 22 ##
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
 
## open cups (printing service) udp/tcp port 631 for LAN users ##
iptables -A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 631 -j ACCEPT
 
## allow time sync via NTP for lan users (open udp port 123) ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT
 
## open tcp port 25 (smtp) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 25 -j ACCEPT
 
## open dns server ports for all ##
iptables -A INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
 
## open http/https (Apache) server port to all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT
 
## open tcp port 110 (pop3) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 110 -j ACCEPT
 
## open tcp port 143 (imap) for all ##
iptables -A INPUT -m state --state NEW -p tcp --dport 143 -j ACCEPT
 
## open access to Samba file server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 445 -j ACCEPT
 
## open access to proxy server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3128 -j ACCEPT
 
## open access to mysql server for lan users only ##
iptables -A INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 3306 -j ACCEPT
 

#21: Restrict the Number of Parallel Connections To a Server Per Client IP

You can use the connlimit module to put such restrictions in place. To allow at most 3 ssh connections per client host, enter:
# iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT
To limit HTTP connections to 20 per /24 network:
# iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 20 --connlimit-mask 24 -j DROP
Where,
  1. --connlimit-above 3 : Match if the number of existing connections is above 3.
  2. --connlimit-mask 24 : Group hosts using the prefix length. For IPv4, this must be a number between (including) 0 and 32.
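
As an added example (not from the original post), the following POSIX shell script assembles the pieces from #2, #7.1, #8.1, #13, #15, #20 and #21 into one ordered ruleset. It only prints the iptables commands, so the order can be reviewed before anything is applied: loopback and established traffic are accepted before the anti-spoofing drops, and the connlimit REJECT precedes the ssh ACCEPT. The public interface name, the LAN subnet and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Non-routable IPv4 source ranges from #8.1 (private A/B/C, multicast, class E, loopback)
BOGON_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/5 127.0.0.0/8"

# build_ruleset PUBLIC_IFACE LAN_CIDR: print the commands, one per line, in the
# order they must be applied. Review them, then run `build_ruleset eth1 192.168.1.0/24 | sh`
# as root on the console (not over ssh, see the note at the top of the post).
build_ruleset() {
    pub=$1
    lan=$2

    # 1. Start from a clean slate (#2)
    echo 'iptables -F'
    echo 'iptables -X'
    echo 'iptables -t nat -F'
    echo 'iptables -t nat -X'

    # 2. Default policies (#7.1): drop inbound and forwarded traffic, allow outbound
    echo 'iptables -P INPUT DROP'
    echo 'iptables -P FORWARD DROP'
    echo 'iptables -P OUTPUT ACCEPT'

    # 3. Loopback and replies to our own connections come first, so that nothing
    #    below can accidentally block them; invalid state packets are dropped early
    echo 'iptables -A INPUT -i lo -j ACCEPT'
    echo 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo 'iptables -A INPUT -m state --state INVALID -j DROP'

    # 4. Anti-spoofing on the public interface (#8.1), logged at a limited rate (#13)
    for net in $BOGON_RANGES; do
        printf 'iptables -A INPUT -i %s -s %s -m limit --limit 5/m --limit-burst 7 -j LOG --log-prefix "IP_SPOOF A: "\n' "$pub" "$net"
        printf 'iptables -A INPUT -i %s -s %s -j DROP\n' "$pub" "$net"
    done

    # 5. ICMP types a server should still answer (#15)
    for t in echo-reply destination-unreachable time-exceeded echo-request; do
        printf 'iptables -A INPUT -p icmp --icmp-type %s -j ACCEPT\n' "$t"
    done

    # 6. Services: ssh for all but at most 3 parallel connections per client (#21),
    #    http/https for all and Samba for the LAN only (#20)
    echo 'iptables -A INPUT -p tcp --syn --dport 22 -m connlimit --connlimit-above 3 -j REJECT'
    echo 'iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT'
    echo 'iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT'
    echo 'iptables -A INPUT -m state --state NEW -p tcp --dport 443 -j ACCEPT'
    for p in 137 138 139 445; do
        printf 'iptables -A INPUT -s %s -m state --state NEW -p tcp --dport %s -j ACCEPT\n' "$lan" "$p"
    done
}

# rule_count PUBLIC_IFACE LAN_CIDR: number of commands the ruleset contains
rule_count() {
    build_ruleset "$1" "$2" | wc -l | tr -d ' '
}

# line_of PATTERN PUBLIC_IFACE LAN_CIDR: 1-based position of the first command
# matching PATTERN; lets a script assert ordering before applying anything
line_of() {
    build_ruleset "$2" "$3" | grep -n -e "$1" | head -n 1 | cut -d: -f1
}

# Stand-alone use: print the ruleset for a host with public interface eth1
build_ruleset eth1 192.168.1.0/24
```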

#22: HowTO: Use iptables Like a Pro

For more information about iptables, please see the manual page by typing man iptables from the command line:
$ man iptables
You can see the help using the following syntax too:
# iptables -h
To see help with specific commands and targets, enter:
# iptables -j DROP -h

#22.1: Testing Your Firewall

To find out which ports are open, enter:
# netstat -tulpn
To find out whether tcp port 80 is open, enter:
# netstat -tulpn | grep :80
If port 80 is not open, start Apache:
# service httpd start
Make sure iptables allows access to port 80:
# iptables -L INPUT -v -n | grep 80
Otherwise open port 80 using the iptables for all users:
# iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
# service iptables save

Use the telnet command to see if the firewall allows connections to port 80:
$ telnet www.cyberciti.biz 80
Sample outputs:
Trying 75.126.153.206...
Connected to www.cyberciti.biz.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
You can use nmap to probe your own server using the following syntax:
$ nmap -sS -p 80 www.cyberciti.biz
Sample outputs:
Starting Nmap 5.00 ( http://nmap.org ) at 2011-12-13 13:19 IST
Interesting ports on www.cyberciti.biz (75.126.153.206):
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 1.00 seconds
I also recommend you install and use a sniffer such as tcpdump or ngrep to test your firewall settings.

Conclusion:

This post only lists basic rules for new Linux users. You can create and build more complex rules; that requires a good understanding of TCP/IP, of Linux kernel tuning via sysctl.conf, and good knowledge of your own setup.

Monday, 17 September 2012


* The shell is a command line interpreter that executes commands read from the standard input device, such as the keyboard, or from a file.
* In other words, it is a user program, or an environment provided for user interaction.
* We can start using the shell by opening the console (terminal).
* The shell is not part of the system kernel, but it uses the system to execute programs.
* The various shells available for Linux are:
  • BASH (Bourne-Again SHell) – the most common shell in Linux. It is open source software.
  • CSH (C SHell) – the C shell’s syntax and usage are very similar to the C programming language.
  • KSH (Korn SHell) – created by David Korn at AT&T Bell Labs. The Korn Shell was also the base for the POSIX shell standard specification.
  • TCSH – an enhanced but completely compatible version of the Berkeley UNIX C shell (CSH).
What is a shell script?
* A shell script is a series of commands stored in a plain text file.
* Shell scripts are a fundamental part of the UNIX and Linux programming environment.
* Scripts are useful for automating processes that are repeated at the command line.
* Linux users involved with system administration and troubleshooting often work with shell scripts.
/etc/profile is the system-wide user login script, which runs whenever a user logs into the system.
Each shell script consists of
• Shell keywords such as if..else, do..while.
• Shell commands such as pwd, test, echo, continue, type.
• Linux binary commands such as w, who, free etc..
• Text processing utilities such as grep, awk, cut.
• Functions – add frequent actions together via functions. For example, /etc/init.d/functions file contains functions
to be used by most or all system shell scripts in the /etc/init.d directory.
• Control flow statments such as if..then..else or shell loops to preform repeated actions.
Each script has a purpose
• Specific purpose – for example, backing up the file system and database to a NAS server.
• Act like a command – each shell script is executed like any other command under Linux.
• Code reuse – shell scripts can be extended from existing scripts, and function files can package frequently used tasks.
Why shell scripting?
• Shell scripts can take input from a user or a file and output it to the screen.
• Whenever you find yourself doing the same task over and over again, use shell scripting: repetitive task automation.
• Creating your own power tools/utilities.
• Automating command input or entry.
• Customizing administrative tasks.
• Creating simple applications.
• Since a script is tested once and then reused, the chance of error is reduced when configuring services or performing administration tasks such as adding new users.
Real-world tasks where shell scripts are actively used:
• Monitoring a Linux system.
• Data backup and creating snapshots.
• Dumping an Oracle or MySQL database for backup.
• Creating an email-based alert system.
• Finding out which processes are consuming system resources.
• Finding out available and free memory.
• Finding out which users are logged in and what they are doing.
• Finding out whether all necessary network services are running. For example, if the web server has failed, send an alert to the system administrator via pager or email.
• Finding all failed login attempts, and if attempts keep coming from the same source IP, automatically blocking those IPs from reaching your network or service via the firewall.
• User administration according to your own security policies.
• Finding out information about local or remote servers.
• Configuring a server such as BIND (DNS) to add zone entries.
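The "failed logins from one address, then block it" task in the list above, written out as a script. This is an added example and not code from the original post: the log lines are constructed to look like OpenSSH auth.log entries, and the threshold of three failures and the choice to print iptables rules rather than run them are decisions made here.

```shell
#!/bin/sh
# Added example (not from the original post): count failed SSH password
# attempts per source address and emit firewall rules for repeat offenders.
# LOG_SAMPLE is constructed test data in the style of OpenSSH auth.log.

LOG_SAMPLE='Sep 17 10:01:02 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Sep 17 10:01:04 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51123 ssh2
Sep 17 10:01:07 host sshd[2103]: Failed password for root from 203.0.113.5 port 51130 ssh2
Sep 17 10:02:11 host sshd[2110]: Accepted publickey for raghu from 198.51.100.7 port 40022 ssh2
Sep 17 10:03:45 host sshd[2120]: Failed password for raghu from 198.51.100.7 port 40031 ssh2
Sep 17 10:05:00 host sshd[2130]: Failed password for root from 192.0.2.9 port 33001 ssh2
Sep 17 10:05:01 host sshd[2130]: Failed password for root from 192.0.2.9 port 33002 ssh2
Sep 17 10:05:02 host sshd[2131]: Failed password for root from 192.0.2.9 port 33003 ssh2'

# Read log lines on stdin; print "count ip" for every source address with at
# least $1 failed password attempts. The address is the field after "from".
offenders() {  # threshold
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }' | sort -k2,2
}

# Emit the iptables rules for those sources without applying them, so the list
# can be reviewed first (pipe it to sh once trusted). Each address is checked
# to be a plain dotted quad before it is put on a command line.
block_rules() {  # threshold
    offenders "$1" | while read -r count ip; do
        case "$ip" in
            *[!0-9.]*|.*|*.|*..*) echo "skipping odd address: $ip" >&2; continue ;;
        esac
        printf 'iptables -I INPUT -s %s -j DROP   # %s failures\n' "$ip" "$count"
    done
}

# Demo on the constructed sample: two addresses reach the threshold of 3.
block_rules 3 <<EOF
$LOG_SAMPLE
EOF
```

On a real host the input would be `grep sshd /var/log/auth.log | block_rules 3`, and a pager or mail command in place of printf gives the "alert the administrator" variant from the same list.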
Advantages
• Easy to use.
• Quick start, and interactive debugging.
• Time Saving.
• Sys Admin task automation.
• Shell scripts run without any additional effort on nearly any modern UNIX / Linux / BSD / Mac OS X operating system, since they are written in an interpreted language.
Disadvantages
• Compatibility problems between different platforms (and between different shells).
• Slow execution speed.
• A new process is launched for almost every external command a script executes.

Wednesday, 12 September 2012


9 Examples To Generate Random Password In Linux

  
You may have noticed that many times when you create an account on a website, you are given a random password. How can we generate such random data (passwords, in our case) on Linux? This can be done in a number of ways. Let's see how.

Generating Random Passwords

Linux has a powerful way of chaining commands together, which we will use here. The date command prints the date and time of day. Since time keeps changing, the first examples use this changing value as the seed of a password. Keep in mind, though, that a clock is not a secret: the output of Examples 1 to 4 is completely determined by the second at which they ran, so anyone who knows roughly when a password was made can regenerate every candidate for that window. Treat those examples as a demonstration of piping and hashing; the /dev/urandom examples from Example 5 onwards are the ones to use for real passwords. First, the output of the date command:
raghu@raghu-Inspiron-1440:~$ date
Thu Jun 28 15:56:02 IST 2012
With +%s, it displays the number of seconds elapsed since 1 January 1970 (UTC):
raghu@raghu-Inspiron-1440:~$ date +%s
1340879165

Example 1.

Either of these outputs can be fed to the md5sum command, which produces a 128-bit hash. The hash looks random, but it is deterministic: the same input always gives the same output.
raghu@raghu-Inspiron-1440:~$ date | md5sum
746b59da100daa4137d91de95c052793 -

Example 2.

The pipe symbol, "|", chains commands: the output of the left command becomes the input of the right command. The same with "date +%s":
raghu@raghu-Inspiron-1440:~$ date +%s | md5sum
f751a65f32a1e0cf52c513a7cf23a451 -

Example 3.

Instead of md5sum, sha256sum or sha512sum can be used to get 256- or 512-bit output (printed as 64 or 128 hex characters).
raghu@raghu-Inspiron-1440:~$ date | sha256sum
3a96b9feb1e7d869ed98b101a2e5cc5169e9f8d348712c1fb56196f877e23b8e -
raghu@raghu-Inspiron-1440:~$ date +%s | sha512sum
4f2f1e1863c243fea1dd7082006256211b16d0cb747968cd03ab77abc8f2a01b5c0cac7d9ca078e73d2dadf41959ff9cd2b1b8373dec803ab5967f007b19a5aa -
As you have seen, these commands produce quite long output, but sometimes fixed-length output (for example 8 characters) is needed. The head command prints the first few lines (10 by default) of its input; with the -c option it prints the first few bytes instead.

Example 4.

So, if we pipe the output of the above commands further into "head -c 10", we get only the first 10 characters. Note that a hex digest has only 16 possible symbols per character, so 10 hex characters carry at most 40 bits, and here far less, because the input was a timestamp.
raghu@raghu-Inspiron-1440:~$ date +%s | md5sum | head -c 10 ; echo
c398d742c4
raghu@raghu-Inspiron-1440:~$ date | sha256sum | head -c 8 ; echo
d3b1b029
The echo command only prints a newline after the output; otherwise the prompt would be glued to the end of the password.
There is a file, /dev/urandom, that provides an interface to the kernel's random number generator, so it can be used to produce random bytes in any quantity. Before we see how to use it, we look at a text processing tool, "tr". The tr command translates characters from one range to another (for example, from lowercase to uppercase). We won't go into much detail, just what is needed for password generation. "echo 'Hello World' | tr a-z A-Z" converts all lowercase letters in the message to capitals.
raghu@raghu-Inspiron-1440:~$ echo 'Hello World' | tr a-z A-Z
HELLO WORLD
"tr -cd a-z" deletes (-d option) everything except (-c option, complement) the characters in the given range (a-z here):
raghu@raghu-Inspiron-1440:~$ echo 'Hello World' | tr -cd a-z; echo
elloorld
Here, H, W and the space are removed because they are not in the range a-z.

Example 5.

Now let's get back to generating random passwords. If you need letters only, use "tr -cd '[:alpha:]' < /dev/urandom". Be careful: it will fill the screen with random letters until you press Ctrl+C. (The input redirection symbol, <, means that /dev/urandom is the input of the command on its left, tr here.) So we use head to keep only the first few characters. The character class is quoted because an unquoted [:alpha:] is also a shell glob pattern: if a file named, say, "a" or "p" exists in the current directory, the shell replaces the pattern with that file name and tr keeps only that letter.
raghu@raghu-Inspiron-1440:~$ tr -cd '[:alpha:]' < /dev/urandom | head -c 15 ; echo
QdUAwqfKrCBOnVG

Example 6.

Here, [:alpha:] is a predefined character class for letters. "tr -cd 'A-Za-z'" has the same effect. If letters and digits are required, use [:alnum:] (or equivalently A-Za-z0-9 or '[:alpha:]0-9'). Each such character can take 62 values, about 5.95 bits, so 10 characters give roughly 59 bits.
raghu@raghu-Inspiron-1440:~$ tr -cd '[:alnum:]' < /dev/urandom | head -c 10 ; echo
TRIJR4YTZC

Example 7.

To include all characters, such as punctuation marks etc, use:
raghu@raghu-Inspiron-1440:~$ tr -cd '[:alnum:][:punct:]' < /dev/urandom | head -c 20 ; echo
8ejcWS{kk%`p~Zm5JNfC

Example 8.

This output can be passed on to md5sum or sha256sum, but note that hashing does not add randomness: it maps 10 alphanumeric characters (about 59 bits) to 10 hex characters (at most 40 bits), so the result is weaker than its input.
raghu@raghu-Inspiron-1440:~$ tr -cd '[:alnum:]' < /dev/urandom | head -c 10 | md5sum | head -c 10; echo
805d13817e

Example 9.

A variation is to feed a random number of characters (not bits) to md5sum instead of a fixed 10, using a second draw from /dev/urandom to pick the count:
raghu@raghu-Inspiron-1440:~$ tr -cd '[:alnum:]' < /dev/urandom | head -c $(tr -cd 0-9 < /dev/urandom | head -c 1) | md5sum | head -c 10; echo
d41d8cd98f
Here, $() substitutes the output of the inner command in its place, and "tr -cd 0-9 < /dev/urandom | head -c 1" produces one random digit, so md5sum receives between 0 and 9 characters. This does not add randomness; it removes some, since the input is now at most 9 characters and can be empty. The run above shows exactly that: the digit drawn was 0, "head -c 0" produced nothing, and d41d8cd98f is the start of the MD5 of the empty string (d41d8cd98f00b204e9800998ecf8427e), a value everybody knows. If you want a stronger password, take more characters from /dev/urandom directly (head -c 20 or more) and skip the hash.
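The two points made above, as an added example that is not part of the original post: date_password and recover_date_password show that a password made with "date +%s | md5sum | head -c 10" can be recovered by hashing every second in a window around the time it was made, gen_password generates from /dev/urandom with the character class quoted, and entropy_bits gives the rough strength figure used in the text. The function names, the 100-second search window and the 62-symbol charset count are choices made here.

```shell
#!/bin/sh
# Added example (not from the original post).
#  1. A password derived from the clock is only as secret as the clock.
#  2. /dev/urandom plus a quoted character class is the way to do it.

# Reproduce "date +%s | md5sum | head -c 10" for a given timestamp. md5sum
# sees the digits followed by the newline that date prints.
date_password() {  # seconds-since-epoch
    printf '%s\n' "$1" | md5sum | head -c 10
}

# Recover the timestamp a 10-character "date password" came from by trying
# every second in [first, last]. Prints the timestamp; returns 1 if not found.
recover_date_password() {  # password first last
    pw=$1; ts=$2; last=$3
    while [ "$ts" -le "$last" ]; do
        if [ "$(date_password "$ts")" = "$pw" ]; then
            printf '%s\n' "$ts"
            return 0
        fi
        ts=$((ts + 1))
    done
    return 1
}

# LENGTH characters drawn from CHARSET (a tr set, default [:alnum:]).
# LC_ALL=C makes tr work on single bytes whatever the user's locale is.
gen_password() {  # length [charset]
    LC_ALL=C tr -cd "${2:-[:alnum:]}" < /dev/urandom | head -c "${1:-16}"
}

# Rough strength: characters * log2(charset size), rounded to whole bits.
entropy_bits() {  # length charset-size
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%.0f", n * log(s) / log(2) }'
}

# Demo: the timestamp from the post, "hidden" behind md5sum, comes right back.
pw=$(date_password 1340879165)
echo "date-derived password : $pw"
echo "recovered timestamp   : $(recover_date_password "$pw" 1340879100 1340879200)"
echo "urandom password      : $(gen_password 16)  (~$(entropy_bits 16 62) bits)"
echo "same, hashed to hex   : $(gen_password 16 | md5sum | head -c 10)  (~$(entropy_bits 10 16) bits)"
```

The brute force is 101 md5sum calls; an attacker who only knows the day would need 86400, which is still instant. Note that with a real charset argument the second parameter must stay quoted by the caller too, for the globbing reason given above.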

Linux Fdisk Tool

Simple Enough to Create Partitions


Here what I am doing is creating a partition on a disk behind a ProLiant Smart Array RAID controller (/dev/cciss). In fdisk, option "n" creates a new partition and "p" prints the partition table. The range "(7253-8920)" in the prompts below means that cylinders 7253 up to 8920 are still unallocated.
# fdisk /dev/cciss/c0d0
The number of cylinders for this disk is set to 8920.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
(e.g., DOS FDISK, OS/2 FDISK)
Command (m for help): m
Command action
a toggle a bootable flag
b edit bsd disklabel
c toggle the dos compatibility flag
d delete a partition
l list known partition types
m print this menu
n add a new partition
o create a new empty DOS partition table
p print the partition table
q quit without saving changes
s create a new empty Sun disklabel
t change a partition’s system id
u change display/entry units
v verify the partition table
w write table to disk and exit
x extra functionality (experts only)
Command (m for help): n
First cylinder (7253-8920, default 7253): ==> PRESS ENTER TO ACCEPT DEFAULT
Using default value 7253
Last cylinder or +size or +sizeM or +sizeK (7253-8920, default 8920): +5G
Command (m for help): p
Disk /dev/cciss/c0d0: 73.3 GB, 73372631040 bytes
255 heads, 63 sectors/track, 8920 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device              Boot  Start   End      Blocks  Id  System
/dev/cciss/c0d0p1   *         1    12      96358+  83  Linux
/dev/cciss/c0d0p2            13  2101   16779892+  83  Linux
/dev/cciss/c0d0p3          2102  4190   16779892+  82  Linux swap
/dev/cciss/c0d0p4          4191  8920   37993725    5  Extended
/dev/cciss/c0d0p5          4191  5234    8385898+  83  Linux
/dev/cciss/c0d0p6          5235  5756    4192933+  83  Linux
/dev/cciss/c0d0p7          5757  5881    1004031   83  Linux
/dev/cciss/c0d0p8          5882  6006    1004031   83  Linux
/dev/cciss/c0d0p9          6007  7252   10008463+  83  Linux
/dev/cciss/c0d0p10         7253  7861    4891761   83  Linux
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table.
The new table will be used at the next reboot.
Syncing disks.
The partprobe command informs the kernel of partition table changes, so no reboot is needed. CAREFUL: partprobe may on rare occasions cause a reboot, so arrange downtime on live systems.
# partprobe /dev/cciss/c0d0
The file below lists the partitions the kernel currently knows about, so the newly created partition should appear in it. Compare its contents before and after partitioning.
# cat /proc/partitions
major minor  #blocks  name
  104     0  71652960 cciss/c0d0
  104     1     96358 cciss/c0d0p1
  104     2  16779892 cciss/c0d0p2
  104     3  16779892 cciss/c0d0p3
  104     5   8385898 cciss/c0d0p5
  104     6   4192933 cciss/c0d0p6
  104     7   1004031 cciss/c0d0p7
  104     8   1004031 cciss/c0d0p8
  104     9  10008463 cciss/c0d0p9
  104    10   4891761 cciss/c0d0p10
Next, create the required filesystem on the new partition.
# /sbin/mkfs -t ext3 /dev/cciss/c0d0p10
mke2fs 1.35 (28-Feb-2004)
Filesystem label=
OS type: Linux
Block size=4096 (log=2)
Fragment size=4096 (log=2)
611648 inodes, 1222940 blocks
61147 blocks (5.00%) reserved for the super user
First data block=0
Maximum filesystem blocks=1254096896
38 block groups
32768 blocks per group, 32768 fragments per group
16096 inodes per group
Superblock backups stored on blocks:
32768, 98304, 163840, 229376, 294912, 819200, 884736
Writing inode tables: done
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done
This filesystem will be automatically checked every 33 mounts or
180 days, whichever comes first. Use tune2fs -c or -i to override.
You can set a label for the filesystem with the e2label command.
# e2label /dev/cciss/c0d0p10 /mydatadisk
Then edit /etc/fstab to add an entry for the new label (filesystem).
# vi /etc/fstab
# This file is edited by fstab-sync - see 'man fstab-sync' for details
LABEL=/                   /                  ext3    defaults                        1 1
LABEL=/boot               /boot              ext3    defaults                        1 2
none                      /dev/pts           devpts  gid=5,mode=620                  0 0
none                      /dev/shm           tmpfs   defaults                        0 0
LABEL=/mlextras           /mlextras          ext3    defaults                        1 2
none                      /proc              proc    defaults                        0 0
none                      /sys               sysfs   defaults                        0 0
LABEL=/var                /var               ext3    defaults                        1 2
LABEL=SW-cciss/c0d0p3     swap               swap    defaults                        0 0
LABEL=/itrs               /itrs              ext3    defaults                        1 2
LABEL=/mqmsw              /mqmsw             ext3    defaults                        1 2
LABEL=/mktdata            /mktdata           ext3    defaults                        1 2
LABEL=/mydatadisk         /tools             ext3    defaults                        1 2
/dev/vx/dsk/dg_apps/apps  /apps              vxfs    suid                            1 2
/dev/hda                  /media/cdrecorder  auto    pamconsole,exec,noauto,managed  0 0
You are now ready to create the mount point and mount the partition. (For a data partition that should never contain device nodes or setuid binaries, nodev,nosuid instead of defaults in the fstab line is a cheap hardening.)
# mkdir /tools
# mount /dev/cciss/c0d0p10 /tools
To confirm, list the mount with the commands below.
# df -h /tools
Filesystem          Size  Used Avail Use% Mounted on
/dev/cciss/c0d0p10  4.6G   42M  4.4G   1% /tools
# mount -l | grep tools
/dev/cciss/c0d0p10 on /tools type ext3 (rw) [/tools]
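The steps after fdisk (filesystem, label, fstab entry, mount) collected in one script, as an added example that is not part of the original post. It adds the checks the transcript skips: it refuses to run unprivileged or on something that is not a block device, and it refuses to append an fstab entry whose label or mount point is already in use. The label is passed to mkfs with -L instead of a separate e2label call, and the entry uses nodev,nosuid rather than defaults; both are choices made here, as are the function names. The sample fstab at the bottom is constructed; a real run needs root and a partition you can wipe.

```shell
#!/bin/sh
# Added example (not from the original post): mkfs + label + fstab + mount
# with sanity checks. Only the fstab helpers run in the demo below.

# One fstab line in the LABEL= form the post's fstab uses.
fstab_line() {  # label mountpoint fstype options dump pass
    printf 'LABEL=%s\t%s\t%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Exit 0 if FILE already names LABEL as a device or MOUNTPOINT as a mount
# point; blank and comment lines are ignored.
fstab_conflict() {  # file label mountpoint
    awk -v lbl="LABEL=$2" -v mp="$3" '
        /^[ \t]*(#|$)/        { next }
        $1 == lbl || $2 == mp { found = 1; exit }
        END                   { exit !found }' "$1"
}

# Format, label, register and mount DEVICE. Stops before touching the disk if
# not root, if DEVICE is not a block device, or if the fstab would clash.
provision_partition() {  # device label mountpoint [fstab]
    dev=$1; label=$2; mp=$3; fstab=${4:-/etc/fstab}
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    [ -b "$dev" ]        || { echo "$dev is not a block device" >&2; return 1; }
    if fstab_conflict "$fstab" "$label" "$mp"; then
        echo "$fstab already refers to $label or $mp" >&2; return 1
    fi
    mkfs -t ext3 -L "$label" "$dev" || return 1          # -L sets the label
    fstab_line "$label" "$mp" ext3 nodev,nosuid 1 2 >> "$fstab"
    mkdir -p "$mp" && mount "$mp" && df -h "$mp"        # mount by fstab entry
}

# Dry run against a constructed fstab modelled on the post's: /mydatadisk on
# /tools is free, so the line that would be appended is printed; /var is taken.
demo_fstab=$(mktemp)
cat > "$demo_fstab" <<'EOF'
# constructed sample
LABEL=/        /        ext3  defaults  1 1
LABEL=/boot    /boot    ext3  defaults  1 2
LABEL=/var     /var     ext3  defaults  1 2
EOF
if fstab_conflict "$demo_fstab" /mydatadisk /tools; then
    echo "unexpected conflict for /mydatadisk on /tools"
else
    fstab_line /mydatadisk /tools ext3 nodev,nosuid 1 2
fi
fstab_conflict "$demo_fstab" /newlabel /var && echo "/var is already a mount point: refused"
rm -f "$demo_fstab"
```

The real call for the transcript's disk would be `provision_partition /dev/cciss/c0d0p10 /mydatadisk /tools`; mount resolves the LABEL= entry through blkid, so a partprobe (or a reboot) must already have made the new partition visible.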

Disable User Accounts In Linux With Examples

     
Linux lets you disable access to a particular user account without removing anything from it. This is useful when you do not want to delete the account permanently but want it unable to use the system for a while. The disabled user will still receive email, for example, but will not be able to log in and read it.
Linux distributions use the /etc/shadow file to store the hashed user passwords.
A user account can be temporarily disabled or permanently removed.

Temporary disable user account

First method Editing /etc/shadow

You can lock a user account temporarily by putting an asterisk "*" (or "!") at the beginning of the second field of the user's line in /etc/shadow. No valid hash starts with that character, so no password will ever match and login is refused. Whenever you want to re-enable the account, erase the character and the account is back in operation with its old password.
For example, to disable user "Tom":
# vi /etc/shadow
Tom:*$1$narMEFm6$fhA1puOU422HiSL5aggLI/:11193:0:99999:7:-1:-1:134539228
Here, the second field is the hashed password, which now starts with an asterisk.
Alternatively you can replace the whole hash with "*" or "!". This also renders the account inaccessible:
# vi /etc/shadow
Tom:*:13852:0:99999:7:::
However, the disadvantage of replacing the hash rather than prefixing it is that the password is lost: when you want to re-enable the account later, the user will need a new password.

Second method using passwd command

The passwd command can lock the account for you:
# passwd -l Tom
Output (the exact message varies between versions):
"Password changed."
The command edits the shadow file and puts "!" in front of the user's password hash, keeping the hash itself:
Tom:!$1$eFd7EIOg$EeCk6XgKktWSUgi2pGUpk.:13852:0:99999:7:::
To enable the account again, unlock it with the -u option:
# passwd -u Tom
You can also re-enable the account by removing the "!" manually from the user's line in /etc/shadow.
Note that all of the methods above only lock the password. Authentication methods that do not use the password, such as SSH public keys, still work for a locked account. To disable the account outright, also expire it (chage -E 0 Tom, or usermod --expiredate 1 Tom) and consider setting its shell to /usr/sbin/nologin; chage -E -1 Tom removes the expiry again.

Permanently Remove User Account

To permanently remove the user, run the userdel command.
#userdel Tom
Or, to remove the home directory and mail spool as well:
#userdel -r Tom
Check the user's home directory (and back up anything needed) before running the -r form, and remember that files owned by the user elsewhere on the system are left behind with an orphaned UID; find / -xdev -nouser lists them after the deletion.
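The shadow-field conventions discussed above, plus a disable routine that goes beyond passwd -l, as an added example that is not part of the original post. shadow_state classifies the password field of one /etc/shadow line exactly as the text describes it (prefixed hash kept, hash replaced, or no password at all), shadow_summary counts them over a whole file, and disable_account / enable_account bundle the standard shadow-utils commands (passwd, chage, usermod, pkill) that together really shut an account out. The shadow lines in the demo are constructed; the function names are choices made here, and the account commands need root.

```shell
#!/bin/sh
# Added example (not from the original post): inspect shadow password fields
# and disable an account so that key-based logins stop too.

# Print the state of the password field of one shadow line:
#   active       a usable hash
#   locked-keep  hash kept behind a leading ! or * (what passwd -l does)
#   locked-drop  only ! or * (or !! on Red Hat style systems), hash discarded
#   empty        no password at all; depending on PAM, login may need none
shadow_state() {  # "user:field:..."
    pw=$(printf '%s' "$1" | cut -d: -f2)
    case "$pw" in
        '')            echo empty ;;
        '!'|'!!'|'*')  echo locked-drop ;;
        '!'*|'*'*)     echo locked-keep ;;
        *)             echo active ;;
    esac
}

# Count entries per state in a shadow-format file, e.g. shadow_summary /etc/shadow
# (needs read access). Empty-password accounts show up immediately.
shadow_summary() {  # file
    while IFS= read -r line; do
        shadow_state "$line"
    done < "$1" | sort | uniq -c
}

# Lock the password AND expire the account: passwd -l alone leaves SSH
# public-key logins and other non-password methods working. The login shell
# is replaced as well and any running sessions are terminated.
disable_account() {  # username
    passwd -l "$1"                    || return 1
    chage -E 0 "$1"                   || return 1   # expired on 1970-01-01
    usermod -s /usr/sbin/nologin "$1" || return 1
    pkill -KILL -u "$1" 2>/dev/null                 # no processes is fine
    return 0
}

# Reverse disable_account; SHELL is the login shell to give back.
enable_account() {  # username shell
    passwd -u "$1" && chage -E -1 "$1" && usermod -s "$2" "$1"
}

# Demo on constructed lines (the hashes are the ones shown in the post).
for line in \
  'Tom:$1$narMEFm6$fhA1puOU422HiSL5aggLI/:11193:0:99999:7:-1:-1:134539228' \
  'Tom:!$1$eFd7EIOg$EeCk6XgKktWSUgi2pGUpk.:13852:0:99999:7:::' \
  'Tom:*:13852:0:99999:7:::' \
  'guest::13852:0:99999:7:::'
do
    printf '%-12s %s\n' "$(shadow_state "$line")" "${line%%:*}"
done
```

The "empty" case is the one worth auditing for: a blank second field is not a locked account but one with no password, which is the opposite of what this post is about.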