Thursday, 9 July 2026

What is getent command in linux ?

getent stands for "get entries".

It is a Linux command that retrieves entries from system databases configured in NSS (Name Service Switch). Instead of reading only local files like /etc/passwd, it queries the system's configured user/group sources (local files, LDAP, NIS, Active Directory integration, etc.).

Syntax

getent <database>

Common examples


Get all users

getent passwd

Output:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
dinesh:x:1000:1000:Dinesh:/home/dinesh:/bin/bash

Get a specific user

getent passwd dinesh

Output:

dinesh:x:1000:1000:Dinesh:/home/dinesh:/bin/bash

Get all groups

getent group

Get a specific group

getent group sudo

Output:

sudo:x:27:dinesh,admin

Get host information

getent hosts localhost

Output:

127.0.0.1 localhost


Why use getent passwd instead of cat /etc/passwd?

cat /etc/passwd

Only reads the local file.

getent passwd

Queries the system's user database, which may include:

  • Local users (/etc/passwd)
  • LDAP users
  • Active Directory users
  • NIS users

Therefore, getent is generally the recommended command for user lookups.

To list only usernames

getent passwd | cut -d: -f1

Example output:

root
daemon
ubuntu
dinesh

This is one of the most common commands to see all users known to an Ubuntu system.

How to display the users in a Ubunu linux ?

 On Ubuntu (or any Linux system), you can view all user accounts in several ways.

1. List all users from /etc/passwd

cat /etc/passwd

Or just display the usernames:

cut -d: -f1 /etc/passwd

Example output:

root
daemon
bin
sys
ubuntu
dinesh

2. Get all users from the system database

This method also works if users come from LDAP or other authentication services:

getent passwd

To show only usernames:

getent passwd | cut -d: -f1

3. List regular (human) users only

Most system accounts have UIDs below 1000. To show regular users:

awk -F: '$3 >= 1000 {print $1}' /etc/passwd

Example:

dinesh
john
alice

4. See currently logged-in users

who

or

w

Example:

dinesh pts/0 2026-07-09 09:00

5. Check users with sudo privileges

Members of the sudo group can run administrative commands:

getent group sudo

Or:

grep '^sudo:' /etc/group

6. Count total users

getent passwd | wc -l

7. Display users and their UID/GID

getent passwd | awk -F: '{print "User=" $1 ", UID=" $3 ", GID=" $4}'

This can help distinguish system users from normal users.


Most commonly used command:

getent passwd | cut -d: -f1

It lists all users known to the Ubuntu system.

What is fail2ban tool in linux ?

Fail2ban is a highly popular, open-source security tool in Linux that works hand-in-hand with your firewall (like UFW) and your SSH daemon (sshd) to protect your server from brute-force attacks. 

If your server has an open SSH port, automated bots across the internet will constantly attempt to guess your passwords. Fail2ban stops them automatically. 

How Fail2ban Works

  1. Log Monitoring: It constantly scans system log files (like /var/log/auth.log for SSH logins) looking for suspicious activity. 
  2. Detection: It counts automated patterns, such as multiple failed login attempts from the exact same IP address within a short time frame.
  3. Action (The "Ban"): Once an IP address hits a specified threshold (e.g., 5 failed attempts), Fail2ban automatically updates your firewall (UFW/iptables) rules to completely block that IP address for a set period of time. 

Essential Fail2ban Commands

For example, if you are working with Ubuntu, here are the most critical commands to install, manage, and monitor Fail2ban.

1. Installation & Service Management

Fail2ban does not come pre-installed on Ubuntu by default. You can install it using: 
sudo apt update
sudo apt install fail2ban -y
Once installed, manage its background service just like sshd: 
sudo systemctl status fail2ban    # Check if it's running
sudo systemctl restart fail2ban   # Restart after changing settings

2. Checking the Status (The Control Center)

Fail2ban organizes its protection rules into profiles called "Jails" (e.g., an sshd jail, an apache jail, etc.). You interact with them using the fail2ban-client command. 
  • See active protection modules (jails):
    sudo fail2ban-client status
    
  • See stats for a specific jail (e.g., SSH):
    This command shows you exactly how many times bots have tried to attack you, and lists the IP addresses currently locked out.
    sudo fail2ban-client status sshd
    

3. Banning and Unbanning IPs Manually

Sometimes you might accidentally lock yourself out of your own server by typing your password wrong too many times, or you might want to manually ban a malicious IP address. How to unban an IP address (Rescue yourself):
  • sudo fail2ban-client set sshd unbanip <IP_ADDRESS>
    
  • How to manually ban an IP address:
    sudo fail2ban-client set sshd banip <IP_ADDRESS>
    


How to Configure Fail2ban Securely

Never edit the default configuration file directly (/etc/fail2ban/jail.conf), because system updates will overwrite your changes. Instead, create a local copy: 
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Open that new file using a text editor like nano: 
sudo nano /etc/fail2ban/jail.local
Look for the [DEFAULT] section to adjust your core thresholds:
  • ignoreip: Add your home or office IP address here (separated by spaces) so Fail2ban never accidentally bans you.
  • bantime: How long an IP stays blocked (e.g., 10m for 10 minutes, or 1d for a whole day).
  • findtime: The time window for mistakes (e.g., if a user fails maxretry times within 10m, ban them).
  • maxretry: The number of failed attempts allowed before the ban triggers (usually set between 3 and 5).

What is sshd in linux/unix environment ?

In Linux & Networking: Secure Shell Daemon

In computer networks and Linux/Unix systems, sshd is a crucial background software program:
  • What it does: The letters stand for Secure Shell daemon (in Linux, a "daemon" is simply a background process).
  • How it works: It runs continuously on a server, listening for incoming network connections via the Secure Shell (SSH) Protocol.
  • Purpose: When you want to securely log into your server or transfer files from a remote location, sshd is the program that catches your request, handles user authentication, and encrypts the entire communication tunnel.

Managing the sshd Service

On modern Linux distributions (such as Ubuntu, Debian, CentOS, RHEL, and Fedora), you manage the background process using systemctl. You will need root or sudo privileges to run these.
  • Check the service status: See if the daemon is currently running, stopped, or experiencing errors.
  • sudo systemctl status sshd
  • Start the service: Turn the SSH server on
    • sudo systemctl start sshd
  • Stop the service: Turn the SSH server off (Warning: This will disconnect active remote sessions once they close and prevent new ones).

    • sudo systemctl stop sshd


  • Reload the service: Applies configuration changes without dropping active user connections (safer than a full restart).

    • sudo systemctl reload sshd

  • Enable on boot: Ensure that sshd automatically starts up whenever the server reboots.

    • sudo systemctl enable sshd

  • Disable on boot: Prevents the SSH server from launching automatically when the system starts.
                sudo systemctl disable sshd

Testing Configuration Files


Before you restart your SSH server after making changes, you should always test your configuration file for syntax errors. If there is a typo, the server won't start, and you could get locked out.

Test syntax: Run the daemon in test mode. If it returns no output, your configuration is valid.

                    sudo sshd -t

Extended test mode: Checks the validity of the configuration file, prints the effective configuration options, and then exits.

                    sudo sshd -T

Locating Important Files


While these aren't execution commands, these file paths are critical when working with sshd:
  • Main Configuration File: /etc/ssh/sshd_config (Where you change ports, disable root logins, or configure key authentication).
  • System Logs: /var/log/auth.log (Ubuntu/Debian) or /var/log/secure (RHEL/CentOS). You can view unauthorized access attempts here using:
               sudo tail -f /var/log/auth.log

Checking Active Connections


  •     If you want to see who is currently connected to your server via sshd, you can use network monitoring tools:
                ps aux | grep sshd
  • See active network connections on the SSH port (usually 22):
                sudo ss -tulpn | grep sshd

Friday, 31 October 2025

Difference between a Public IP address and a Private IP address ?

A public IP address is a unique identifier assigned by an Internet Service Provider (ISP) to a device, such as router or server, allowing it to communicate over the internet. These public IP addresses are globally unique and publicly accessible, enabling data exchange between your network and the external systems via TCP/IP protocol.

Because public IP address is exposed to the internet, they can be used to trace a device's approximate geographic location.

A private IP address, also known as local IP address, is assigned by a router to devices within a home, office or public WIFI network. Unlike a public IP address is exposed to internet, private IPs function only within the local network. Since they don't need to globally unique, the same private IP ranges can be used across different network without conflict.

However, each device on the network receive a different private IP address, allowing the router to manage the data transfers effectively. This enables the internal LAN connections between network devices and ensures that external traffic arriving via the public IP address is forwarded to the correct individual network device.

private IP address ranges:

  • 10.0.0.0 - 10.255.255.255 this range allows for 16 million IP addresses and is often used in large enterprise networks or large organizations that have thousands of devices in their local network.
  • 172.16.0.0 - 172.31.255.255, known as 172.16/12 block, this range allows one million IP addresses  and it is used in medium-sized networks such as schools, universities, and businesses.
  • 192.168.0.0 - 192.168.255.255 this range supports about 65000 IP addresses is primarily used in home and small office networks.

What is a DNS server ? What is the use of a DNS server ?

DNS server translates the human-readable domain names (www.google.com) into machine-readable IP addresses (142.250.70.196) which is required for navigating the internet. We can consider its like a Internet Phone Book.

How it works ?

  • When you type a URL in the browser, your device sends the query to DNS server.
  • The DNS server, known as recursive resolver, it checks in its cache if it has IP address for given domain name. Otherwise, it will searches for it by communicating with other DNS servers, including root name servers and authoritative name servers.
  • Once it finds the IP address, it will be sent back to your device, then your browser connect to that website.
We can see the DNS server in windows using ipconfig command ipconfig /all

Wireless LAN adapter Wi-Fi:

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Intel(R) Wi-Fi 6 AX201 160MHz

   Physical Address. . . . . . . . . : XXXXXXXXXXXXXXXX

   DHCP Enabled. . . . . . . . . . . : Yes

   Autoconfiguration Enabled . . . . : Yes

   IPv6 Address. . . . . . . . . . . : XXXXXXXXXXXXXXXX

   Temporary IPv6 Address. . . . . . : XXXXXXXXXXXXXXXX

   Link-local IPv6 Address . . . . . : XXXXXXXXXXXXXXXX

   IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Lease Obtained. . . . . . . . . . : Friday, October 31, 2025 9:36:25 AM

   Lease Expires . . . . . . . . . . : Saturday, November 1, 2025 1:21:33 PM

   Default Gateway . . . . . . . . . : fe80::1%13

                                       192.168.1.1

   DHCP Server . . . . . . . . . . . : 192.168.1.1

   DHCPv6 IAID . . . . . . . . . . . : XXXXXXXXXXXXXXXX

   DHCPv6 Client DUID. . . . . . . . : XXXXXXXXXXXXXXXX

   DNS Servers . . . . . . . . . . . : XXXXXXXXXXXXXXXX

                                       XXXXXXXXXXXXXXXX

                                       192.168.1.1

   Primary WINS Server . . . . . . . : 192.168.1.1

   NetBIOS over Tcpip. . . . . . . . : Disabled

Note: Here, the 192.168.1.1 is my router IP address, which is also acting as my DNS server, DHCP server. We can also use the google public DNS server 8.8.8.8 (alternative: 8.8.4.4)