Discovering Existing and Connecting Users on a Linux Server

By Alain Francois, Alibaba Cloud Community Blog author

As an administrator, you may need to grant remote users, such as your employees or collaborators, access to your server. You may also need to set up a public server that is accessible over the internet, which means that someone can try to penetrate your server.

At that point it’s important to know exactly which users/accounts exist on your server and which users are actually connected, for better troubleshooting. Linux has several commands that can help you reach that goal. We will learn which commands to use in this case.

1) Commands to List Existing Users on Your Server

a) List /etc/passwd

  • first column: the username
  • second column: the password
  • third column: the User ID
  • fourth column: the user’s primary group
  • fifth column: the description
  • sixth column: the home directory of the user
  • seventh column: the login shell of the user

Listing the content of this file gives us all the users of the system, but we need to filter the file with the awk command to keep only the column with the useful information.

$ cat /etc/passwd | awk -F: '{ print $1}'
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-timesync
systemd-network
systemd-resolve
systemd-bus-proxy
_apt
dnsmasq
avahi-autoipd
messagebus
usbmux
geoclue
speech-dispatcher
sshd
rtkit
pulse
avahi
colord
saned
Debian-gdm
hplip
alain-francois
dimitri
peter

b) Use the getent command

$ getent passwd | awk -F: '{ print $1}'
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-timesync
systemd-network
systemd-resolve
systemd-bus-proxy
_apt
dnsmasq
avahi-autoipd
messagebus
usbmux
geoclue
speech-dispatcher
sshd
rtkit
pulse
avahi
colord
saned
Debian-gdm
hplip
alain-francois
dimitri
peter

c) Use /etc/shadow

  • first column: the login name of the user
  • second column: the encrypted password
  • third column: Days between January 1, 1970, and the date when the password was last changed.
  • fourth column: Minimum: Days before password may be changed
  • fifth column: Maximum: Days after which password must be changed.
  • sixth column: Warn: Days before password expiration that user is warned.
  • seventh column: Inactive: Days after password expiration that account is disabled
  • eighth column: Expire: Days between January 1, 1970, and the date when the account was disabled.
  • ninth column: Reserved field (this field is currently not used).

# cat /etc/shadow | awk -F: '{ print $1}'
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-timesync
systemd-network
systemd-resolve
systemd-bus-proxy
_apt
dnsmasq
avahi-autoipd
messagebus
usbmux
geoclue
speech-dispatcher
sshd
rtkit
pulse
avahi
colord
saned
Debian-gdm
hplip
alain-francois
dimitri
peter
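
The column layouts of /etc/passwd and /etc/shadow described above can be combined into a quick account review. This is an added example, not part of the original article: the sample records (including the `toor` account and the hash strings) are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. The records below are constructed sample data in the
# /etc/passwd and /etc/shadow layouts; "toor" and the hashes are made up.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alain-francois:x:1000:1000:Alain:/home/alain-francois:/bin/bash
dimitri:x:1001:1001::/home/dimitri:/bin/bash
peter:x:1002:1002::/home/peter:/bin/sh
toor:x:0:0::/root:/bin/bash'
SAMPLE_SHADOW='root:$6$constructed$hash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
sshd:*:18000:0:99999:7:::
alain-francois:$6$constructed$hash:18000:0:99999:7:::
dimitri:!$6$constructed$hash:18000:0:99999:7:::
peter::18000:0:99999:7:::
toor:$6$constructed$hash:18000:0:99999:7:::'

# Accounts whose seventh passwd column is not nologin/false (can get a shell).
login_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /\/(nologin|false)$/ { print $1 }'
}

# Accounts other than root whose third column (UID) is 0.
extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Second shadow column for one user: empty, locked (leading ! or *) or set.
password_state() {   # args: shadow-data username
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u {
        if ($2 == "") print "empty"
        else if ($2 ~ /^[!*]/) print "locked"
        else print "set"
    }'
}

# One line per login-capable account: name, UID, password state.
audit() {   # args: passwd-data shadow-data
    for u in $(login_accounts "$1"); do
        uid=$(printf '%s\n' "$1" | awk -F: -v u="$u" '$1 == u { print $3 }')
        printf '%s uid=%s password=%s\n' "$u" "$uid" "$(password_state "$2" "$u")"
    done
}

audit "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

On a real host, run it as root with `audit "$(cat /etc/passwd)" "$(cat /etc/shadow)"`. A `locked` password only rules out password login; the account can still be reached through other means such as SSH keys.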

d) Use the compgen command

$ compgen -u
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
nobody
systemd-timesync
systemd-network
systemd-resolve
systemd-bus-proxy
_apt
dnsmasq
avahi-autoipd
messagebus
usbmux
geoclue
speech-dispatcher
sshd
rtkit
pulse
avahi
colord
saned
Debian-gdm
hplip
alain-francois
alain
francois

2) Commands to Find Users Connected to Your Server

a) w

The command displays the information in two parts. First you have a header of 6 items showing

  • the current time
  • how long, in minutes, the system has been running
  • the number of users logged on the system
  • the system load average during the last 1, 5 and 15 minutes;

and a table consisting of 8 columns:

  • USER: the login name of the connected user
  • TTY: the name of the tty that the user is currently using
  • FROM: the remote host (IP address) from which the user is logged in
  • LOGIN@: the time at which the user logged in to the system
  • IDLE: how long the user has been inactive
  • JCPU: the number of minutes accumulated by all processes attached to the tty, including only the currently running background processes
  • PCPU: the time consumed by the processes that the user is currently running
  • WHAT: the command line of the current process that the user is running, including the options used with the command

To show how the command works, we currently have 2 users remotely connected to our computer, so that we can see the results of the command.

$ w
09:19:21 up 1 day, 3:40, 4 users, load average: 0.76, 0.61, 0.72
USER     TTY      FROM          LOGIN@   IDLE     JCPU    PCPU   WHAT
alain-fr tty2     :0            Thu05    27:40m   4:10m   0.29s  /opt/google/chrome/chrome --type=renderer --field-trial-handle=4941997322712276813,1
alain-fr pts/0    mycomputer    Thu05    27:38m   0.05s   0.05s  /bin/bash
dimitri  pts/6    192.168.1.8   22:51    4:02m    0.18s   0.09s  vi document
peter    pts/4    192.168.1.5   09:19    5.00s    0.11s   0.11s  -bash

By default it reports on all the users who have logged in using a console or a GUI login window. It will not show users connected through a window in a GUI that emulates a console, commonly called a terminal window.

The w command accepts options that filter the result so that it displays only the information you need. You can use the w --help command to list the available options.

b) who

$ who
alain-francois tty2     2019-07-25 05:40 (:0)
alain-francois pts/0    2019-07-25 05:40 (mycomputer)
dimitri        pts/6    2019-07-25 22:51 (192.168.1.8)
peter          pts/4    2019-07-26 09:19 (192.168.1.5)

You can display the information with a header line using the -H option:

$ who -H
NAME           LINE     TIME             COMMENT
alain-francois tty2     2019-07-25 05:40 (:0)
alain-francois pts/0    2019-07-25 05:40 (mycomputer)
dimitri        pts/6    2019-07-25 22:51 (192.168.1.8)
peter          pts/4    2019-07-26 09:19 (192.168.1.5)

Or you can print only the names of the logged-on users together with the total number of users:

$ who -q
alain-francois alain-francois francois alain
# users=4

Use the who --help command to list the different options available to filter the results:

$ who --help
Usage: who [OPTION]... [ FILE | ARG1 ARG2 ]
Print information about users who are currently logged in.
  -a, --all         same as -b -d --login -p -r -t -T -u
  -b, --boot        time of last system boot
  -d, --dead        print dead processes
  -H, --heading     print line of column headings
      --ips         print ips instead of hostnames. with --lookup,
                    canonicalizes based on stored IP, if available,
                    rather than stored hostname
  -l, --login       print system login processes
      --lookup      attempt to canonicalize hostnames via DNS
  -m                only hostname and user associated with stdin
  -p, --process     print active processes spawned by init
  -q, --count       all login names and number of users logged on
  -r, --runlevel    print current runlevel
  -s, --short       print only name, line, and time (default)
  -t, --time        print last system clock change
  -T, -w, --mesg    add user's message status as +, - or ?
  -u, --users       list users logged in
      --message     same as -T
      --writable    same as -T
      --help        display this help and exit
      --version     output version information and exit

c) users

$ users
alain-francois alain-francois dimitri peter

You can see that this command is very limited, but it is useful if you only want to list the users. You can also get the number of users by combining it with the wc command:

$ users | wc -w
4
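
The `who` and `users` output above lists one entry per session, so `users | wc -w` counts sessions rather than people. The following added example (not part of the original article) post-processes `who` output to count distinct users and to list sessions coming from unexpected origins; the function names and the allow-list of origins are hypothetical, and the sample input is the `who` output shown earlier.

```shell
#!/bin/sh
# Added example. WHO_SAMPLE is the who output shown in the article; the
# allow-list passed to unexpected_sources is a hypothetical policy.
WHO_SAMPLE='alain-francois tty2 2019-07-25 05:40 (:0)
alain-francois pts/0 2019-07-25 05:40 (mycomputer)
dimitri pts/6 2019-07-25 22:51 (192.168.1.8)
peter pts/4 2019-07-26 09:19 (192.168.1.5)'

# Number of distinct logged-in users (users | wc -w counts sessions instead).
unique_user_count() {
    printf '%s\n' "$1" | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Sessions per user, to spot an account that is logged in more than once.
sessions_per_user() {
    printf '%s\n' "$1" | awk '{ n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# Sessions whose origin (the "(...)" comment) is neither a local X display
# nor on the space-separated allow-list given as the second argument.
unexpected_sources() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF !~ /^\(.*\)$/ { next }            # no origin recorded (local console)
        {
            origin = substr($NF, 2, length($NF) - 2)
            if (origin ~ /^:/) next           # local X display such as :0
            if (!(origin in ok)) print $1, $2, origin
        }'
}

echo "distinct users: $(unique_user_count "$WHO_SAMPLE")"
sessions_per_user "$WHO_SAMPLE"
unexpected_sources "$WHO_SAMPLE" "mycomputer 192.168.1.5"
```

On a live system, pass `"$(who)"` instead of the sample variable.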

d) Other commands

  • whoami

$ whoami
alain-francois

  • id, which also shows the group information of the user, and can show the information of another user whose name you know

$ id
uid=1000(alain-francois) gid=1000(alain-francois) groups=1000(alain-francois),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),119(scanner),999(docker)

As a system administrator, you sometimes need to make sure there is no access violation on your server. We have seen some commands that help you know who is connected, with the possibility of seeing what they are doing.
