Commands by JohnQUnknown (2)

  • This command shows a sorted list of the IP addresses from which there have been authentication errors via SSH (possible script kiddies trying to gain access to your server), it eliminates duplicates so it's easier to read, but you can remove the "uniq" command at the end, or even do a "uniq -c" to have a count of how many times each IP address shows in the log (the path to the log may vary from system to system) Show Sample Output


    2
    cat /var/log/auth.log | grep -i "pam_unix(sshd:auth): authentication failure;" | cut -d' ' -f14,15 | cut -d= -f2 | sort | uniq
    JohnQUnknown · 2011-10-25 04:58:09 9
  • Provides a cleaner output plus some more details about the IP address. Also, a flaw was corrected where the URL provided the results in Spanish by default. Show Sample Output


    0
    function geoip() { curl -s "http://www.geoiptool.com/en/?IP=$1" | html2text | egrep --color "IP Address:|Country:|City:|Longitude:|Latitude:|Host Name:" }
    JohnQUnknown · 2011-10-25 04:49:25 4

What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands


Check These Out

Check for login failures and summarize
This command checks for the number of times when someone has tried to login to your server and failed. If there are a lot, then that user is being targeted on your system and you might want to make sure that user either has remote logins disabled, or has a strong password, or both. If your output has an "invalid" line, it is a summary of all logins from users that don't exist on your system.

Exclude inserting a table from a sql import
Starting with a large MySQL dump file (*.sql) remove any lines that have inserts for the specified table. Sometimes one or two tables are very large and uneeded, eg. log tables. To exclude multiple tables you can get fancy with sed, or just run the command again on subsequently generated files.

Start a new command in a new screen window
If you are already running screen then you often want to start a command in a fresh window. You use this alias by typing 's whatever' from your command line and 'whatever' starts running in a new window. Good with interactive commands like info, vim, and nethack.

Display the top ten running processes - sorted by memory usage
ps returns all running processes which are then sorted by the 4th field in numerical order and the top 10 are sent to STDOUT.

Print a single route to a destination and its contents exactly as the kernel sees it
Useful to determine the source_ip of outgoing packages to a certain destination

Sets shell timeout
Useful in root's .profile - will auto-logout after TMOUT seconds of inactivity. Close after `seconds` inactive. export TMOUT=seconds (unefunge)

Split a tarball into multiple parts
Create a tar file in multiple parts if it's to large for a single disk, your filesystem, etc. Rejoin later with `cat .tar.*|tar xf -`

Protect directory from an overzealous rm -rf *
-R Recursively change attributes of directories and their contents. +i to set the immutable bit to prevent even root from erasing or changing the contents of a file.

Which processes are listening on a specific port (e.g. port 80)
swap out "80" for your port of interest. Can use port number or named ports e.g. "http"

reverse order of file


Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: