Geody Labs


# Main Index: Debian Linux Magic Spells Cheat Sheet (one liners, how to, tips and tricks)

# Users

Edit user creation preferences:
jed /etc/adduser.conf

Create a new user:
# useradd is similar to adduser
adduser USER # add a new USER with a home directory in the default path ( /home/USER )
adduser --home DIR USER # add a new USER specifying a non standard path for the home directory
adduser --no-create-home USER # add a new USER without a home directory

Modify a user's information:
usermod [OPTIONS] USER

Edit user deletion preferences:
jed /etc/deluser.conf

Remove a user:
# userdel is similar to deluser
deluser USER # remove the specified user
deluser --remove-home USER # remove the specified user and his home directory and mail spool
deluser --remove-all-files USER # remove the specified user and all files owned by the user (be careful)

Change user contact information:
chfn [OPTIONS] USER

Change a user's default shell:
chsh [OPTIONS] USER

Get a user hashed password:
# Field positions below assume the $ID$SALT$HASH layout; entries with an extra parameter field ($6$rounds=N$... or yescrypt's $y$PARAMS$...) have the salt in field 4 instead
getent shadow USER|cut -f 2 -d ":" # Get the hash type, salt and hashed password for given USER
getent shadow "$(whoami)"|cut -f 2 -d ":" # Get the hash type, salt and hashed password for current user
getent shadow USER|cut -f 2 -d ":"|cut -f 4- -d "$" # Get the hashed password for given USER
getent shadow "$(whoami)"|cut -f 2 -d ":"|cut -f 4- -d "$" # Get the hashed password for current user
getent shadow USER|cut -f 2 -d ":"|cut -f 3 -d "$" # Get the salt for given USER
getent shadow "$(whoami)"|cut -f 2 -d ":"|cut -f 3 -d "$" # Get the salt for current user
getent shadow USER|cut -f 2 -d ":"|cut -f 2 -d "$" # Get the hash type for given USER (1: md5, 5: sha-256, 6: sha-512, y: yescrypt)
getent shadow "$(whoami)"|cut -f 2 -d ":"|cut -f 2 -d "$" # Get the hash type for current user (1: md5, 5: sha-256, 6: sha-512, y: yescrypt)
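
The fixed field positions used by the one-liners above break when the password field carries an extra parameter block or is locked. The following is an added example, not part of the original cheat sheet: it classifies the field, finds the salt in either layout, and lists accounts with an empty password or an md5 hash. The function names and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. SAMPLE is constructed: the salts and hashes are placeholders.
SAMPLE='alice:$y$j9T$SALTSALT$HASHHASH:19000:0:99999:7:::
bob:$6$rounds=10000$saltB$hashB:19000:0:99999:7:::
carol:$1$saltC$hashC:19000:0:99999:7:::
dave:!:19000:0:99999:7:::
erin::19000:0:99999:7:::'

shadow_scheme() {
    # $1 = password field (2nd field) of a shadow entry
    case "$1" in
        '')        echo "empty" ;;        # no password required
        '!'*|'*'*) echo "locked" ;;       # password login disabled
        '$1$'*)    echo "md5crypt" ;;
        '$5$'*)    echo "sha256crypt" ;;
        '$6$'*)    echo "sha512crypt" ;;
        '$y$'*)    echo "yescrypt" ;;
        *)         echo "other" ;;
    esac
}

shadow_salt() {
    # Split on "$": field 1 is empty and field 2 is the scheme id.
    # "rounds=N" (sha-crypt) or the yescrypt parameters occupy field 3,
    # which pushes the salt to field 4. Anything else prints an empty line.
    printf '%s\n' "$1" | awk -F'[$]' '
        NF < 4 || $1 != ""            { print ""; next }
        $2 == "y" || $3 ~ /^rounds=/  { print $4; next }
        $2 ~ /^[156]$/                { print $3; next }
                                      { print "" }'
}

audit_shadow() {
    # stdin: shadow-format lines; stdout: "USER SCHEME" for every entry
    # with an empty password or an md5crypt hash
    while IFS=: read -r user field rest; do
        scheme=$(shadow_scheme "$field")
        case "$scheme" in
            empty|md5crypt) echo "$user $scheme" ;;
        esac
    done
}

# On a real system (as root): getent shadow | audit_shadow
printf '%s\n' "$SAMPLE" | audit_shadow
```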

Change a user password:
passwd USER

Set a user password to expire:
# note that having frequently changing passwords is usually not a good policy, as it becomes harder for users to remember them, and they generally end up with weak passwords
chage -m 3 -M 30 -w 2 USER # USER's password can last up to 30 days, can't be changed earlier than 3 days after the last change, and USER will be warned 2 days before the password expires

Change root password without knowing the existing one:
You need physical access to the system.
Add init=/bin/bash to boot parameters
mount -o remount,rw / # remount the root file system read-write
passwd # set new password. WARNING: sudo passwd will change root password, regardless of the current account.

Recover a deleted password file:
# Debian makes regular backups of the password files in /var/backups/
cp /var/backups/passwd.bak /etc/passwd ; chmod 644 /etc/passwd
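cp /var/backups/shadow.bak /etc/shadow ; chown root:shadow /etc/shadow ; chmod 640 /etc/shadow # /etc/shadow holds the password hashes and must not be world-readable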

Create a new user group:
# addgroup is a link to adduser ( adduser --group ). There's also a groupadd command.
addgroup GROUP

Modify a group's information:
groupmod [OPTIONS] GROUP

Remove a group:
# There's also a delgroup link to deluser ( deluser --group )
groupdel GROUP

Add a user to a group:
adduser USER GROUP

Execute a command with root privileges (root password will be asked):
sudo COMMAND

Change current user's password:
passwd

Show all existing users:
getent passwd # format: username:password:user id:group id:real name:home path:login shell (the password is usually shadowed: an 'x' is shown instead, and you have to refer to /etc/shadow for the shadowed passwords). If you are root you can read the file directly with cat /etc/passwd
getent shadow # show users and their hashed passwords. If you are root you can read the file directly with cat /etc/shadow
getent passwd | grep -c . # count all existing users

Show all logged-in users:
users # list all logged-in users
who # show information about all logged-in users
w # show more information than "who"
who | grep -c . # count all logged-in users

Show last logged users:
last # Show last logins
last USER # show last times when USER logged in
last -n 10 # show last 10 logged users
last -n 5 USER # show last 5 times when USER logged in
touch /var/log/lastlog # Create the login log file to enable lastlog
lastlog # Show last time each user logged in
lastlog -u USER # Show last time the USER logged in
lastlog -t 30 # Show only users who logged in during the last 30 days
lastlog -b 365 # Show only users who last logged more than 365 days ago
lastb -n 10 # show last 10 bad login attempts (which are likely break-in attempts)
lastb -n 10 root # show last 10 bad login attempts to root (which are likely break-in attempts)

grep "Accepted" /var/log/auth.log | tail --lines=10 # See last accepted password events for successful logins
grep "Failed" /var/log/auth.log | tail --lines=10 # See last rejected password events for failed login attempts (which include possible break-in attempts)
grep "Failed password for invalid user" /var/log/auth.log | tail --lines=10 # See last rejected password events for failed login attempts with non existing users (which are likely break-in attempts)
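
The grep commands above show individual events. The following is an added example, not part of the original cheat sheet: it counts failed password attempts per source address and reports accepted logins that followed repeated failures from the same address. The function names and the sample log lines are assumptions, and the lines are assumed to follow the usual sshd "... from IP port N ssh2" layout.

```shell
#!/bin/sh
# Added example. SAMPLE_LOG is constructed; the addresses are documentation ranges.
SAMPLE_LOG='Sep 25 03:10:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Sep 25 03:10:03 host sshd[1201]: Failed password for invalid user from from 203.0.113.7 port 51123 ssh2
Sep 25 03:10:05 host sshd[1203]: Failed password for root from 203.0.113.7 port 51124 ssh2
Sep 25 03:11:00 host sshd[1210]: Failed password for alice from 198.51.100.20 port 40020 ssh2
Sep 25 03:11:09 host sshd[1210]: Accepted password for alice from 198.51.100.20 port 40022 ssh2
Sep 25 03:12:30 host sshd[1220]: Failed password for root from 203.0.113.7 port 51130 ssh2
Sep 25 03:12:41 host sshd[1221]: Accepted password for root from 203.0.113.7 port 51131 ssh2'

# Fields are read from the END of the line ("from IP port N ssh2") because the
# user name is chosen by the client and may itself contain the word "from".
failed_by_source() {
    # stdin: auth.log lines; stdout: "COUNT IP", most failures first
    awk 'NF >= 6 && $(NF-4) == "from" && / sshd\[[0-9]+\]: Failed password for / {
             n[$(NF-3)]++
         }
         END { for (ip in n) print n[ip], ip }' | sort -k1,1nr -k2,2
}

success_after_failures() {
    # $1 = minimum number of earlier failures from the same address
    # stdout: "IP USER FAILURES" for each accepted password login that
    # followed at least $1 failed attempts from that address
    awk -v min="$1" '
        NF < 6 || $(NF-4) != "from"               { next }
        / sshd\[[0-9]+\]: Failed password for /   { fails[$(NF-3)]++ }
        / sshd\[[0-9]+\]: Accepted password for / {
            if (fails[$(NF-3)] >= min + 0) print $(NF-3), $(NF-5), fails[$(NF-3)]
        }'
}

# On a real system (as root): failed_by_source < /var/log/auth.log
printf '%s\n' "$SAMPLE_LOG" | failed_by_source
printf '%s\n' "$SAMPLE_LOG" | success_after_failures 3
```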

List all the files containing the login rules:
# Be careful when editing login rules: you may prevent users from accessing the system or give everyone unrestricted access.
ls /etc/pam.d/

Show failed login attempts:

To enable faillog:
-----
Create the faillog log file:
touch /var/log/faillog

jed /etc/pam.d/common-auth

Add these lines at the top of the file:

# auth required pam_tally.so per_user magic_root even_deny_root deny=5 unlock_time=86400 onerr=fail # Note that pam_tally and pam_tally2 modules have been removed from PAM starting from Debian 11 (Bullseye), so this is valid up to Debian 10 (Buster)
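auth required pam_faillock.so preauth even_deny_root deny=5 unlock_time=86400 # per_user, magic_root and onerr are pam_tally options that pam_faillock does not have. This preauth line only refuses accounts that are already locked; failures are recorded by a matching authfail line placed after pam_unix.so (see man pam_faillock). pam_faillock keeps its records under /var/run/faillock, shown with the faillock command, not in /var/log/faillog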

jed /etc/pam.d/sshd

Add the following lines immediately before @include common-auth (generally at the beginning of the file):

# Log failed login attempts to /var/log/faillog
# auth required pam_tally.so per_user magic_root even_deny_root deny=5 unlock_time=86400 onerr=fail # Note that pam_tally and pam_tally2 modules have been removed from PAM starting from Debian 11 (Bullseye), so this is valid up to Debian 10 (Buster)
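auth required pam_faillock.so preauth even_deny_root deny=5 unlock_time=86400 # pam_faillock does not have the pam_tally options per_user, magic_root and onerr, needs a matching authfail line after pam_unix.so to record failures (see man pam_faillock), and keeps its records under /var/run/faillock (shown with the faillock command), not in /var/log/faillog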

jed /etc/ssh/sshd_config

Enable PAM: search for UsePAM and set it to yes if it is not enabled, or add the whole line if it's missing:

UsePAM yes

Restart SSH:

service ssh restart
-----

faillog # Show all users who attempted to log in without success
faillog -a # Show all failed login attempts including the ones of users who eventually logged in
faillog -u USER # Show all failed login attempts for the specified USER, even if he eventually logged in
faillog -t 30 # Show only failed logins occurred during the last 30 days
faillog -l 5 # Lock the account for 5 seconds after each failed attempt
faillog -m 5 # Disable the account after 5 failed attempts (0 means that infinite attempts are allowed. You'd better leave the value for root to 0 to prevent a DoS attack)
faillog -u USER -r # Reset the counter of failed logins for the given user, enabling his account again if it was locked because of too many failed attempts (as specified in faillog -m N)
faillog -r # Reset counters of failed logins for all users
cat /var/log/faillog # Show the actual failed attempts log file
grep "authentication failure" /var/log/messages # extract failed login attempts from the messages file

Show current user's name:
whoami

Show information about a user:
finger USER

Show groups to which current user belongs:
groups

Show user and group IDs:
id # show user and group IDs for the current user
id USER # show user and group IDs for the specified USER

Send a message to a logged-in user (to the output console of his terminal):
# Check the user's device with a w or a who command first, then redirect the output of an echo command to that device
echo -ne "Hello\n">/dev/pts/1 # Send "Hello" to the user logged in on pts/1

Send a message to a logged-in user (to the output console of his terminal) who's using a specific process (identified by its PID):
echo -ne "Hello\n" > /proc/PID/fd/0

Send a message to all logged-in users:
wall PATH/FILE # show the content of FILE to all logged-in users (max 20 lines)
wall # use standard input (normally the keyboard) to show a message to all logged-in users. Message must be terminated with an EOF (End Of File) character (usually CTRL+D)

Execute a command as another user (impersonated user password will be requested):
su USER -c "COMMAND"

Start a console as another user (impersonated user password will be requested):
su USER
su # if no user is specified, then root is assumed by default





Page issued on 25-Sep-2022 04:02 GMT
Copyright (c) 2022 Geody - Legal notices: copyright, privacy policy, disclaimer