Linux security commands

November 29, 2011

The following is a haphazard list of Linux commands useful to know for security-related tasks. Some of these either require higher permissions to run, or will run but will not produce full results unless the proper permissions are used. Also note that depending on the Linux distribution, some of these commands refer to files located outside of the normal path.

USE WITH CAUTION! Author is not liable for any damages resulting from inaccuracies or mistakes within this page.

Create a file on /mnt/sdb1 called junk.dat and fill it with zeroes (ASCII null values) until all space is exhausted:

dd if=/dev/zero of=/mnt/sdb1/junk.dat

Same as above, but fill junk.dat with pseudo-random data (returned pseudo-random values are theoretically vulnerable to a cryptographic attack):

dd if=/dev/urandom of=/mnt/sdb1/junk.dat

Encrypt file filename.txt with the symmetric cipher AES 256 (use "gpg --version" to see the list of supported algorithms; by default gpg uses CAST5):

gpg -v -c --cipher-algo AES256 filename.txt

Have the results of a command output to both a file (output.txt) and screen simultaneously:

ping | tee output.txt

See listening and open network connections:

netstat --inet -a

See the list of interfaces on which tcpdump can listen:

tcpdump -D

See listing of running processes engaged in network communications:

lsof -i

Trace the route to using TCP SYN packets on port 80 instead of ICMP:

traceroute --tcp -p 80

See which methods are allowed by the web server:

printf "OPTIONS / HTTP/1.1\nHost:\n\n" | nc -q 1 -v 80

Confirm if SSLv2 or lower is enabled on host by excluding SSLv3 and TLSv1 in the protocol handshake:

openssl s_client -no_ssl3 -no_tls1 -connect

See which users are currently logged on the system:


See the last logged in users:


See the last logins for user jsmith:

last jsmith

See the current system time, immediately followed by the system time in UTC:

date; date -u

See the Linux distribution and version information:

cat /etc/issue

See the Linux kernel release, version, and hardware platform:

uname -a

See all installed packages (Debian based systems):

dpkg -l

See all installed packages (Red Hat based systems):

rpm -qa

See which services are configured to run on startup (Debian based systems; sysv-rc-conf may need to be installed):

sysv-rc-conf --list

See which services are configured to run on startup (Red Hat based systems):

chkconfig --list

List partition tables of mounted devices:

fdisk -l

See listing of open files:


See all the files that are opened or accessed by Firefox while it is in use:

strace -o /tmp/output.txt /usr/bin/firefox
egrep "^(open|access)" /tmp/output.txt | grep -v ENOENT

Determine the file type for filename:

file filename

Display the shared library dependencies for filename (useful if "file filename" above shows the file as a dynamically linked ELF):

ldd filename

See all strings of printable characters of at least 5 characters in length within the entire file filename (omitting -a will scan only the initialized and loaded sections of object files):

strings -a -n 5 filename

See the file, section, and program headers of the ELF (Executable and Linking Format) file /usr/bin/filename:

readelf -a /usr/bin/filename

Display the assembler code for object /usr/bin/filename:

objdump -d /usr/bin/filename

Display a hex dump of filename:

hexdump -C -v filename

Search filename for patterns or keywords that are listed in wordlist.txt, case insensitive (due to the -i):

egrep -i -f wordlist.txt filename

See all world writable files and directories (excludes symbolic links):

find / -perm -o=w ! -type l -ls | more

See all world writable and executable files (excludes symbolic links):

find / -perm -o=wx ! -type l ! -type d -ls | more
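The two find commands above report every world-writable path, including directories such as /tmp where that is expected. As an added example (not part of the original post), the script below sorts the same results by risk; it goes slightly beyond the commands above by using the sticky bit to separate directories, and the function names and demo tree are made up for illustration.

```shell
#!/bin/sh
# Added example: classify world-writable paths under a directory.
# Function names and the demo tree are hypothetical, built for illustration.

# Print one "CLASS path" line per world-writable entry under $1.
# Symbolic links are skipped (find does not follow them by default).
# -xdev keeps find on one filesystem, so /proc and network mounts are not walked.
audit_world_writable() {
    root=$1
    # Regular files anyone may modify AND execute: review these first.
    find "$root" -xdev -type f -perm -o=w -perm -o=x -print | sed 's/^/FILE-WX /'
    # Regular files anyone may modify but not execute.
    find "$root" -xdev -type f -perm -o=w ! -perm -o=x -print | sed 's/^/FILE-W /'
    # Directories without the sticky bit: any user can delete or replace
    # entries owned by someone else.
    find "$root" -xdev -type d -perm -o=w ! -perm -1000 -print | sed 's/^/DIR-NOSTICKY /'
    # Sticky directories (like /tmp): usually expected, listed for review.
    find "$root" -xdev -type d -perm -o=w -perm -1000 -print | sed 's/^/DIR-STICKY /'
    # Anything else (FIFOs, sockets, device nodes), still excluding symlinks.
    find "$root" -xdev ! -type f ! -type d ! -type l -perm -o=w -print | sed 's/^/OTHER /'
}

# Build a small constructed tree to audit and print its path.
make_demo_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/shared" "$t/dropbox" "$t/private"
    : > "$t/notes.txt"; : > "$t/run.sh"; : > "$t/safe.txt"
    chmod 1777 "$t/shared"      # sticky, like /tmp
    chmod 0777 "$t/dropbox"     # world-writable, no sticky bit
    chmod 0755 "$t/private"     # not world-writable
    chmod 0666 "$t/notes.txt"   # world-writable file
    chmod 0777 "$t/run.sh"      # world-writable and executable
    chmod 0644 "$t/safe.txt"    # not world-writable
    ln -s "$t/notes.txt" "$t/link"   # symlink: must not be reported
    printf '%s\n' "$t"
}

# Demo run on the constructed tree; point audit_world_writable at / for a real audit.
demo=$(make_demo_tree) && audit_world_writable "$demo" | sed "s|$demo|.|" && rm -rf "$demo"
```

Output is one line per path, so file names containing newlines will be split across lines.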

Create a forensic image of all data within device /dev/sdb1, without stopping should an error be encountered (such as bad blocks), and replacing any errors found with null bytes:

dd if=/dev/sdb1 of=usb.img conv=notrunc,noerror,sync

Mount an image usb.img onto /mnt/usb (use losetup -a to see which loopback device was used):

mount -o loop usb.img /mnt/usb

See iptables firewall rules:

/etc/init.d/iptables status

Set the MAC address of a network card to 00:01:02:03:04:05 (assuming the device driver supports this operation):

ifconfig eth0 down
ifconfig eth0 hw ether 00:01:02:03:04:05
ifconfig eth0 up

Originally posted November 5, 2009