What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again.

Delete that bloated snippets file you've been using and share your personal repository with the world. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

If you have a new feature suggestion or find a bug, please get in touch via http://commandlinefu.uservoice.com/

Get involved!

You can sign-in using OpenID credentials, or register a traditional username and password.

First-time OpenID users will be automatically assigned a username which can be changed after signing in.


Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for:



2011-03-12 - Confoo 2011 presentation
Slides are available from the commandlinefu presentation at Confoo 2011: http://presentations.codeinthehole.com/confoo2011/
2011-01-04 - Moderation now required for new commands
To try and put and end to the spamming, new commands require moderation before they will appear on the site.
2010-12-27 - Apologies for not banning the trolls sooner
Have been away from the interwebs over Christmas. Will be more vigilant henceforth.
2010-09-24 - OAuth and pagination problems fixed
Apologies for the delay in getting Twitter's OAuth supported. Annoying pagination gremlin also fixed.




Commands tagged Security from sorted by
Terminal - Commands tagged Security - 43 results
security unlock-keychain; security find-generic-password -ga "/Users/mruser/.ssh/id_dsa" 2>&1 > /dev/null
2010-02-02 21:14:57

This must be run the first time while logged into your Mac desktop, as it will graphically prompt for access permissions. Subsequent uses will not prompt, assuming you select "Always allow".

openssl rand -base64 1000 | tr "[:upper:]" "[:lower:]" | tr -cd "[:alnum:]" | tr -d "lo" | cut -c 1-8 | pbcopy
2009-12-29 17:18:25
User: _eirik
Functions: cut tr

eliminates "l" and "o" characters change length by changing 'x' here: cut -c 1-x

gs -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=OUTPUT.pdf -c .setpdfwrite -f INPUT.pdf
2009-12-14 21:30:22
User: deijmaster
Functions: gs

Remove security from PDF document using this very simple command on Linux and OSX. You need ghostscript for this baby to work.

openssl rand -base64 6
pwgen -Bs 10 1
2009-12-01 14:33:51

-B flag = don't include characters that can be confused for other characters (this helps when you give someone their password for the first time so they don't cause a lockout with, for example, denyhosts or fail2ban)

-s flag = make a "secure", or hard-to-crack password

-y flag = include special characters (not used in the example because so many people hate it -- however I recommend it)

"1 10" = output 1 password, make it 10 characters in length

For even more secure passwords please use the -y flag to include special characters like so:

pwgen -Bsy 10 1

output>> }&^Y?.>7Wu

cat private-file | gpg2 --encrypt --armor --recipient "Disposable Key" | mailx -s "Email Subject" user@email.com
2009-10-19 20:38:37
User: slashdot
Functions: cat mailx

This is a quick and easy way of encrypting files in a datastream, without ever really creating an output file from gpg. Useful with cron also, when file(s) have to be sent based on a set schedule.

sitepass() { echo -n "$@" | md5sum | sha1sum | sha224sum | sha256sum | sha384sum | sha512sum | gzip - | strings -n 1 | tr -d "[:space:]" | tr -s '[:print:]' | tr '!-~' 'P-~!-O' | rev | cut -b 2-11; history -d $(($HISTCMD-1)); }
2009-10-01 20:14:57
User: syssyphus
Tags: Security

usage: sitepass MaStErPaSsWoRd example.com

description: An admittedly excessive amount of hashing, but this will give you a pretty secure password, It also eliminates repeated characters and deletes itself from your command history.

tr '!-~' 'P-~!-O' # this bit is rot47, kinda like rot13 but more nerdy

rev # this avoids the first few bytes of gzip payload, and the magic bytes.

rkhunter --check
2009-08-30 12:53:33
User: unixbhaskar
Tags: Security shell

rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications.

chkrootkit -x | less
nikto.pl -h yourwebserver
2009-08-29 04:54:43
User: unixbhaskar
Tags: Security shell

This is wonderful perl script to check the web server security and vulnerability .Get it from here :http://www.cirt.net/nikto2

Here are some key features of "Nikto":

? Uses rfp's LibWhisker as a base for all network funtionality

? Main scan database in CSV format for easy updates

? Determines "OK" vs "NOT FOUND" responses for each server, if possible

? Determines CGI directories for each server, if possible

? Switch HTTP versions as needed so that the server understands requests properly

? SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL)

? Output to file in plain text, HTML or CSV

? Generic and "server type" specific checks

? Plugin support (standard PERL)

? Checks for outdated server software

? Proxy support (with authentication)

? Host authentication (Basic)

? Watches for "bogus" OK responses

? Attempts to perform educated guesses for Authentication realms

? Captures/prints any Cookies received

? Mutate mode to "go fishing" on web servers for odd items

? Builds Mutate checks based on robots.txt entries (if present)

? Scan multiple ports on a target to find web servers (can integrate nmap for speed, if available)

? Multiple IDS evasion techniques

? Users can add a custom scan database

? Supports automatic code/check updates (with web access)

? Multiple host/port scanning (scan list files)

? Username guessing plugin via the cgiwrap program and Apache ~user methods

2009-08-29 04:06:11
User: unixbhaskar
Tags: Security shell

If you follow my other posting regarding "vipw" and "vigr' then no explanation required.It has done the same thing as did with those two command.Open the /etc/sudoers file and attach a lock with it. Once you are done with it ,the lock gets released and the changes reflected to the original file.It will open a tmp file in vi editor to give you the chance to edit the sudoers file securely.visudo parses the sudoers file after the edit and will not save the changes if there is a syntax error. Upon finding an error, visudo will print a message stating the line number(s) where the error occurred and the user will receive the "What now?" prompt. At this point the user may enter "e" to re-edit the sudoers file, "x" to exit without saving the changes, or "Q" to quit and save changes. The "Q" option should be used with extreme care because if visudo believes there to be a parse error, so will sudo and no one will be able to sudo again until the error is fixed. If "e" is typed to edit the sudoers file after a parse error has been detected, the cursor will be placed on the line where the error occurred (if the editor supports this feature).

PS: Although I have had experienced myself and few people shown to me that it behaves badly in some distribution ,noteably SLES.But the problem can be rectified with little caution.

2009-08-29 03:56:07
User: unixbhaskar
Tags: Security shell

If you follow my previous posting regarding "vipw" then no explanation required.The same method goes behind this command also.It will open an tmp file in vi editor to give you the enlisting to edit the group file.And most importantly to attach a lock with it.Once you are done ,the lock is released and the changed reflected to the original file.So you can securely edit the group file over the network without the fear of being tampered .

2009-08-29 03:46:42
User: unixbhaskar
Tags: Security shell

Now a bit of explanation required for this command.Once you type the command it opens up an vi editor with an temporary file enlisting the password file information .So if you make an change it will not reflected in the passwd file until you save the file.The reason behind using this command over other way to view the password file in network environment is that it locks the password file when you start working with it.So no one can temper with it during that period.Once you are done(means you save the tmp file) ,it will release the lock associated with it.I think it's a better mechanism to view the sensitive data like passwd file.Never ever use other tool like cat, nano or any other means.

arp -s $(route -n | awk '/^ {print $2}') \ $(arp -n | grep `route -n | awk '/^ {print $2}'`| awk '{print $3}')
sudo zcat /var/log/auth.log.*.gz | awk '/Failed password/&&!/for invalid user/{a[$9]++}/Failed password for invalid user/{a["*" $11]++}END{for (i in a) printf "%6s\t%s\n", a[i], i|"sort -n"}'
2009-03-21 06:41:59
Functions: awk printf sudo zcat

Show the number of failed tries of login per account. If the user does not exist it is marked with *.

echo -n 'text to be encrypted' | openssl md5
2009-03-18 00:11:46
User: Zenexer
Functions: echo

Thanks to OpenSSL, you can quickly and easily generate MD5 hashes for your passwords.

Alternative (thanks to linuxrawkstar and atoponce):

echo -n 'text to be encrypted' | md5sum -

Note that the above method does not utlise OpenSSL.

sudo route add xxx.xxx.xxx.xxx gw lo
2009-02-23 19:58:09
Functions: route sudo
Tags: Security

Someone might attack on your system. You can drop attacker IP using IPtables. However, you can use route command to null route unwanted traffic. A null route (also called as blackhole route) is a network route or kernel routing table entry that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering.