How to: Linux Iptables block common attacks

Syn-flood protection In this attack system is floods with a series of SYN packets. Each packets causes system to issue a SYN-ACK responses. Then system waits for ACK that follows the SYN+ACK (3 way handshake). Since attack never sends back ACK again entire system resources get fulled aka backlog queue. Once the queue is full system will ignored incoming request from legitimate users for services (http/mail etc). Hence it is necessary to stop this attack with iptables.

Force SYN packets check

Make sure NEW incoming tcp connections are SYN packets; otherwise we need to drop them:
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Force Fragments packets check

Packets with incoming fragments drop them. This attack result into Linux server panic such data loss.
iptables -A INPUT -f -j DROP

XMAS packets

Incoming malformed XMAS packets drop them:
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

Drop all NULL packets

Incoming malformed NULL packets:
iptables -A INPIT -p tcp --tcp-flags ALL NONE -j DROP

Block Spoofing and bad addresses

Using iptables you can filter to drop suspicious source address. Network server should not accept packets claiming from the Internet that claim to originate from inside your network. Spoofing can be classified as:
a) IP spoofing – Disable the source address of authentication, for example rhosts based authentication. Filter RPC based services such as portmap and NFS,
b) DNS spoofing
Please see Iptables: How to avoid Spoofing and bad addresses attack tip for more information.
Also use NAT for your internal network. This makes difficult for attacker to spoof IP address from outside.

Filter incoming ICMP, PING traffic

It includes the ping of death attack and ICMP floods. You should block all ICMP and PING traffic for outside except for your own internal network (so that you can ping to see status of your own server) . See Linux : Iptables Allow or block ICMP ping request article.
Once system is secured, test your firewall with nmap or hping2 command:
# nmap -v -f FIREWALL-IP
# nmap -v -sX FIREWALL-IP
# nmap -v -sN FIREWALL-IP
# hping2 -X FIREWALL-IP

Linux Disable or Enable ExecShield Buffer Overflows Protection

Exec Shield is a project that got started at Red Hat, Inc in late 2002 with the aim of reducing the risk of worm or other automated remote attacks on Linux systems. The first result of the project was a security patch for the Linux kernel that adds an NX bit to x86 CPUs. While the Exec Shield project has had many other components, some people refer to this first patch as Exec Shield.

Task: Disable ExecShield protection

Type the following command as root user:
# sysctl -w kernel.exec-shield=0
You can disable it permanently system-wide after each and every reboot by adding following line to /etc/sysctl.conf file:
# vi /etc/sysctl.conf
Append following line
Save and close the file. Please note that I don’t recommend disabling ExecShild protection.
You can also disable protection by appending the following parameter to the kernel command line in the GRUB bootloader to kernel line:
# vi /etc/grub.conf
Modify / append exec-shield=0 parameter as follows:
kernel /vmlinuz-2.6.8 ro root=LABEL=/ exec-shield=0
Close and save the file.

Enable ExecShield Protection Against Buffer Overflows

Open your /etc/sysctl.conf file:
# vi /etc/sysctl.conf
Add the following lines:
kernel.exec-shield = 1
kernel.randomize_va_space = 1
Save and close the file. First line will enable ExecShield protection and second line will enable random placement of virtual memory regions protection. To load in sysctl settings, enter:
# sysctl -p

Redhat Enterprise Linux 5 / CentOS 5 monitor and track TCP connections on the network (eth0)

Q. How do I track and monitor connection for eth1 public network interface under Redhat Enterprise Linux (RHEL) 5 server?

A.You can use netstat command or tcptrack command. Both command can show established TCP connection and provides the ability to monitor the same.
netstat command

netstat command prints information about the Linux networking subsystem. It also works under UNIX and *BSD oses. It can display network connections, routing tables, interface statistics, masquerade connections, and multicast memberships etc.
netstat command to display established connections

Type the command as follows:
$ netstat -nat

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0* LISTEN
tcp 0 0* LISTEN
tcp 0 0* LISTEN
tcp 0 0* LISTEN
tcp 0 0* LISTEN
tcp 0 0* LISTEN
tcp 0 0* LISTEN
tcp 0 0* LISTEN
tcp 0 0* LISTEN
tcp 0 0* LISTEN
tcp 0 0* LISTEN
tcp 0 0* LISTEN
tcp 0 0 TIME_WAIT
tcp 0 0 TIME_WAIT
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN

To display client / server ESTABLISHED connections only:
$ netstat -nat | grep 'ESTABLISHED'
tcptrack command

tcptrack command displays the status of TCP connections that it sees on a given network interface. tcptrack monitors their state and displays information such as state, source/destination addresses and bandwidth usage in a sorted, updated list very much like the top command.
Install tcptrack

Redhat (RHEL) / Fedora / CentOS user, download tcptract here. For example download RHEL 64 bit version:
# cd /tmp/
# wget
# rpm -ivh tcptrack-1.1.5-1.2.el5.rf.x86_64.rpm

Debian / Ubuntu Linux user use apt-get as follows:
$ sudo apt-get install tcptrack
How do I use tcptract to monitor and track TCP connections ?

tcptrack requires only one parameter to run i.e. the name of an interface such as eth0, eth1 etc. Use the -i flag followed by an interface name that you want tcptrack to monitor.
# tcptrack -i eth0
# tcptrack -i eth1

Redhat Enterprise Linux 5 / CentOS 5 monitor and track TCP connections on the network (eth0)
(tcptrack in action)

You can just monitor TCP port 25 (SMTP)
# tcptrack -i eth0 port 25

The next example will only show web traffic monitoring on port 80:
# tcptrack -i eth1 port 80

tcptrack can also take a pcap filter expression as an argument. The format of this filter expression is the same as that of tcpdump and other libpcap-based sniffers. The following example will only show connections from host
# tcptrack -i eth0 src or dst

Linux Limit CPU Usage Per Process

I don't want background process to eat all my CPU. I know how to find out CPU utilization but how do I limit the cpu usage of a process under Linux operating system? How do I force a process to limit itself to 25% only?

You can use cpulimit program that attempts to limit the cpu usage of a process. Limits are expressed in percentage and not in cpu time. cpulimit does not act on the nice value or other scheduling priority stuff, but on the real cpu usage. Also, it is able to adapt itself to the overall system load, dynamically and quickly.
Install cpulimit

Type the following commands to install latest stable release:
# cd /tmp
# wget ''
# tar -zxvf cpulimit-1.1.tar.gz
# cd cpulimit-1.1
# make
# cp cpulimit /usr/local/sbin/
# rm -rf cpulimit*
A note about Debian / Ubuntu Linux users

Type the following command to install cpulimit:
$ sudo apt-get update
$ sudo apt-get install cpulimit
How do I use cpulimit?

To limit CPU usage of the process called firefox to 30%, enter:
# cpulimit -e firefox -l 30
To limit CPU usage of the process to 30% by using its PID, enter:
# cpulimit -p 1313 -l 30
To find out PID of the process use any of the following:
# ps aux | less
# ps aux | grep firefox
# pgrep -u vivek php-cgi
# pgrep lighttpd
You can also use absolute path name of the executable, enter:
# cpulimit -P /opt/firefox/firebox -l 30

* -p : Process PID.
* -e : Process name.
* -l : percentage of CPU allowed from 0 to 100.
* -P: absolute path name of the executable program file.

Root vs Normal User Account

From the project webpage:

cpulimit should run at least with the same user running the controlled process. But it is much better if you run cpulimit as root, in order to have a higher priority and a more precise control.

A Note About SMP (Multicore / MultiCpu) Systems

Again quoting from the project webpage:

If your machine has one processor you can limit the percentage from 0% to 100%, which means that if you set for example 50%, your process cannot use more than 500 ms of cpu time for each second. But if your machine has four processors, percentage may vary from 0% to 400%, so setting the limit to 200% means to use no more than half of the available power. In any case, the percentage is the same of what you see when you run top.

Differences between Ext2,Ext3 and Ext4 file systems in linux.

EXT2 : Ext2 was the standard file system for linux until the introduction of ext3.It was introduced with the 1.0 kernel in 1993.Ext2 is flexible,can handle file system up to 4 TB,and supports long filenames up to 1012 characters,it has sparse super blocks feature which increase file system performance.In case any user processes fill up a file system,ext2 normally reserves about 5% of disk blocks for exclusive use by root so that root can easily recover from that situation.Now our rescue diskettes use ext2 instead of minix.

EXT3 : Ext3 (Extended 3 file system) provides all the features of ext2,and also features journaling and backward compatibility with ext2.The backward compatibility enables you to still run kernals that are only ext2-aware with ext3 partitions.we can also use all of the ext2 file system tuning,repair and recovery tools with ext3 also you can upgrade an ext2 file system to an ext3 file system without losing any of your data.
Ext3’s journaling feature speeds up the amount of time it takes to bring the file system back to a sane state if it’s not been cleanly unmounted (that is,in the event of a power outage or a system crash). Under ext2,when a file system is uncleanly mounted ,the whole file system must be checked.This takes a long time on large file systems.On an ext3 system ,the system keeps a record of uncommitted file transactions and applies only those transactions when the system is brought back up.So a complete system check is not required and the system will come back up much faster.
A cleanly unmounted ext3 file system can be mounted and used as an ext2 file system,this capability can come in handy if you need to revert back to an older kernel that is not aware of ext3.The kernel sees the ext3 filesystem as an ext2 file system.

Ext4 : Ext4 is part of the Linux 2.6.28 kernel,Ext4 is the evolution of the most used Linux file system, Ext3. In many ways, Ext4 is a deeper improvement over Ext3 than Ext3 was over Ext2. Ext3 was mostly about adding journaling to Ext2, but Ext4 modifies important data structures of the file system such as the ones destined to store the file data. The result is a filesystem with an improved design, better performance, reliability and features.

Features of Ext4 file system : 1. Compatibility
2. Bigger filesystem/file sizes
3. Subdirectory scalability
4. Extents
5. Multiblock allocation
6. Delayed allocation
7. Fast fsck
8. Journal checksumming
9. Online defragmentation
10. Inode-related features
11. Persistent preallocation
12. Barriers on by default

Show Hardware Device Information on Linux

The step by step example below show the example of lshw command with -X option ( lshw-gui command) to show hardware device information on Linux Fedora desktop. The lshw -X command ( lshw-gui command ) must be execute in Graphical User Interface (GUI desktop) environment in order to see the hardware device information on graphical window screen. You may get error output if execute lshw -X (lshw-gui) if not log in on Graphical User Interface Desktop mode.

Show hardware device information:

1. Open Terminal on the Gnome desktop, go to menu bar... Application -> System Tools -> and click on Terminal.
2. Execute lshw -X & or lshw-gui &, to open the lshw graphical screen, as show on example below.

[root@fedora ~]# lshw -X &
[1] 3058
[root@fedora ~]#

3. The figure show the example of lshw -X window screen (lshw-gui window screen). Browse to see hardware device information by clicking on the hardware device listed on the lshw window screen.

Example when executing lshw -X and lshw-gui command display the error message when not in GUI mode:

lshw -X:
[root@fedora ~]# lshw -X

(gtk-lshw:3201): Gtk-WARNING **: cannot open display:
[root@fedora ~]#

[root@fedora ~]# lshw-gui

(lshw-gui:3202): Gtk-WARNING **: cannot open display:
[root@fedora ~]#

Keywords: show hardware information, show hardware device, hardware information, lshw-gui, graphical hardware information, lshw-gui command

To see PCI connected devices, from the command line do: lspci
For USB connected devices... lsusb

Hwinfo –short

What is the difference between ext2,ext3 & ext4?

What is the difference between ext2 and ext3?

Ext3 is a tiny bit slower than ext2 is, but it holds tremendous advantages. There is really only one difference between ext2 and ext3, and that is that ext3 uses a journal to prevent filesystem corruption in the case of an unclean shutdown (ie. before the filesystem is synced to disk). That makes ext3 a bit slower than ext2 since all metadata changes are written to the journal, and then flushed to disk, but on the other hand you don't risk having the entire filesystem destroyed at power failure or if an unwitted person turns the computer off uncleanly. You don't have to check the filesystem after an unclean shutdown either. Ext3 has three levels of journalling. Metadata (ie. internal filesystem structures) are always journalled, so that the filesystem itself is never corrupted. How ordinary data is written to the file system is controllable, though. The default option is the "ordered" mode, which causes file contents to be written to the filesystem before metadata is even committed to the journal. The highest reliable mode is called the "journal" mode, which causes file data to be committed to the journal before it is flushed to its final place, like the metadata. The least reliable mode, but rumoured to be the fastest, is called the "writeback" mode, which makes no promises at all regarding the consistency of file data. Only metadata is output reliably in writeback mode. So as for anything else, it's mainly a matter of priority. If you don't want ultimate speed, go with ext3.

The main benefits that ext4 has over ext3 are:

* faster timestamping
* faster file system checking
* journaling checksums
* extents (basically automatic space allocation to avoid fragmentation)

Binding USB hotplug to a usb port

You can instruct udev / hotplug to create the correct dev entry following the ID of the device.
See the udev(8) man page here:
You'll find an example that should be what you need to do:

# USB printer to be called lp_color
BUS=="usb", SYSFS{serial}=="W09090207101241330", NAME="lp_color"

Change "W09...." with the serial number of each device, and "NAME" with the name of the device you need.
I would not use "ttyUSBn" as it could be used by other devices, instead i would use some like "usbModemx" or similar.
Also, the script modemplug can be replaced by a line in udev.conf

# ttyUSB1 should always be called pda with two additional symlinks
KERNEL=="ttyUSB1", NAME="pda", SYMLINK="palmtop handheld"

NOTE:- Your kernel should be above to 2.6.30 around.
udevadm test /class/tty/ttyUSB1 |grep ID

[root@localhost ~]# cat /etc/udev/rules.d/99-mod.rules
BUS=="usb", ID=="4-1:1.0", NAME="usbModem01"
BUS=="usb", ID=="2-2:1.0", NAME="usbModem02"

Linux How to bind Qmail to specific IP address

qmail is a mail transfer agent that runs on Linux and Unixish oses. It is more secure replacement for the popular Sendmail program. Yes, it is possible to bind Qmail to specific IP. Here is what I did. Please note that I am running light weight QMAIL server from xinetd service.

1) Open your /etc/xinetd.d/smtp file and add bind=IP line:

# vi /etc/xinetd.d/smtp
Append/add following line to it:
bind =


bind = Qmail IP address to bind.

2) Save file

3) Reload xinetd with any one of the following command:
# /etc/init.d/xinetd reload
/etc/init.d/xinetd restart

how to mount a CD/DVD image under Linux

How to mount a cd/dvd image under GNU/Linux. I don’t use so frequently this command, so I tend to forget it.

# mkdir /media/iso
# mount -o loop=/dev/loop0 "/path/to/iso/my_iso.iso" \
/media/iso -t iso9660

Qmail Queue...........


When qmail queues a message for delivery, it will try mightily to deliver it --though not indefinitely. After messages have been in the queue for more than control/queuelifetime seconds, qmail will give up and bounce the message back to the sender as undeliverable.

The default queuelifetime is one week:

# bin/qmail-showctl | grep queuelifetime
queuelifetime: (Default.) Message lifetime in the queue is 604800 seconds.

I'm guessing this is longer than your users would like.

To bounce undeliverable messages more promptly, so senders will be alerted sooner about any delivery delays, set control/queuelifetime with a value equal to a day or so:

# echo "82800" > control/queuelifetime
# bin/qmail-showctl | grep queuelifetime
queuelifetime: Message lifetime in the queue is 82800 seconds.

Now the message will bounce if not delivered within 23 hours.

Linux Formatting Tip

You probably know how you can format a Linux partition:

mkfs.ext3 /dev/hda

This formats the partition with ext3 file system. However did you know how to extract maximum space out of this partition, especially if it a large partition?

How to maximize available space in a partition

Enter the magical -m option. If the file system becomes filled and there is no more space to write, it is basically unusable because the operating system is constantly writing to disk. By default, five percent of the partition is reserved for use by the root user. This allows root to conduct administrative activities on the partition and perhaps move some data off. Firstly, this is most critical when the partition contains / or home directories. For pure data partitions, this is just lost space. Five percent of a 250Gb partition is 12.5 Gb. Especially in the case of large partitions, it is safe to set the reserved space to the minimum, which is one percent.
mkfs.ext3 -m 1 /dev/hdb1
creates a file system with only 1% of its space reserved for the root user.

Note: You can use tune2fs -m later to adjust the reserved blocks after data is loaded on the partition.
Bonus tip: How to label a partition

Use -L with mkfs.ext3 to add a label to the partition. You can later refer to this label instead of the device name when mounting. This provides the same functionality as e2label which can be used to label a partition later.

Guide Or How To Monitor CPU Temperature in Linux

To monitor CPU temperature in Linux you will need to install lm_sensors package and then install gnome-applet-sensors (assuming you are using gnome) to get a nice graphical display. The devil is in the details. The shipped lm_sensors doesn't work on Fedora Core 6 with 2.6 kernels. It also doesn't support core 2 duo.
To use lm_sensors you will have to install it from the development repository.
Login as root and run the following:
rpm -iv
This will install lm_sensors on your machine. You have completed the first step.
Note: The provided version number of lm_sensors is likely to change soon. So you are better off just browsing to and selecting the latest lm_sensors package for installation.
You now need to detect available sensors on your system. Run sensors-detect from command line (after logging as root).
Accept all the default values.
At the end it will print out something like:
To make the sensors modules behave correctly, add these lines to
#—-cut here—-
# I2C module options
alias char-major-89 i2c-dev
#—-cut here—-
Add the line, as instructed, to the end of /etc/modprobe.conf file.
Ignore the other instructions. Now run:
service lm_sensors start
This will start the lm_sensors service. Now run:
sensors -s
There should be no output. Next run:
This will list available sensors and provide current sensor data.
The last two steps are for checking that the sensor detection is working correctly.
Now install gnome-applet-sensors:
yum install gnome-applet-sensors
To activate it right click on a Gnome panel and choose Add to Panel. Then select Hardware Sensors Monitor.
lm_sensors requires coretemp kernel module which is only available in 2.6.21.x kernels and above. So you will have to install the development versions of kernel to use lm_sensors in core 2 duo systems. Personally I am waiting for the 2.6.21 release version. It will soon be released.

Kernel Tunable Security Parameters

The following list shows tunable kernel parameters you can use to secure your Linux server against attacks.

For each tunable kernel parameters I will show the entry that needs to be added to the /etc/sysctl.conf configuration file to make the change permanent after reboots. To activate the configured kernel parameters immediately at runtime, use:
# sysctl -p

Enable TCP SYN Cookie Protection

A "SYN Attack" is a denial of service attack that consumes all the resources on a machine. Any server that is connected to a network is potentially subject to this attack.

To enable TCP SYN Cookie Protection, edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.tcp_syncookies = 1

Disable IP Source Routing

Source Routing is used to specify a path or route through the network from source to destination. This feature can be used by network people for diagnosing problems. However, if an intruder was able to send a source routed packet into the network, then he could intercept the replies and your server might not know that it's not communicating with a trusted server.

To enable Source Route Verification, edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.conf.all.accept_source_route = 0

Disable ICMP Redirect Acceptance

ICMP redirects are used by routers to tell the server that there is a better path to other networks than the one chosen by the server. However, an intruder could potentially use ICMP redirect packets to alter the hosts's routing table by causing traffic to use a path you didn't intend.

To disable ICMP Redirect Acceptance, edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.conf.all.accept_redirects = 0

Enable IP Spoofing Protection

IP spoofing is a technique where an intruder sends out packets which claim to be from another host by manipulating the source address. IP spoofing is very often used for denial of service attacks. For more information on IP Spoofing, I recommend the article IP Spoofing: Understanding the basics.

To enable IP Spoofing Protection, turn on Source Address Verification. Edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.conf.all.rp_filter = 1

Enable Ignoring to ICMP Requests

If you want or need Linux to ignore ping requests, edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.icmp_echo_ignore_all = 1
This cannot be done in many environments.

Enable Ignoring Broadcasts Request

If you want or need Linux to ignore broadcast requests, edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.icmp_echo_ignore_broadcasts = 1

Enable Bad Error Message Protection

To alert you about bad error messages in the network, edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.icmp_ignore_bogus_error_responses = 1

Enable Logging of Spoofed Packets, Source Routed Packets, Redirect Packets

To turn on logging for Spoofed Packets, Source Routed Packets, and Redirect Packets, edit the /etc/sysctl.conf file and add the following line:
  net.ipv4.conf.all.log_martians = 1

References for Kernel Tunable Parameters

Network Security with /proc/sys/net/ipv4
IP Spoofing: Understanding the basics

Linux Create A Bootable USB Pen

You need to format your USP pen device as Win FAT32. Once formatted type the following commands to make it bootable.

Our Device Names

  1. USB Pen Device Name : /dev/sdb1
  2. DVD Mount : /media/cdrom0
  3. USB Mount Point : /media/usb
  4. USB File System : Win FAT32
  5. ISO or DVD Image : Fedora / CentOS / RHEL
To find information about your devices and current partitions run:
# dmesg | less
# dmesg | egrep -i 'cd|dvd'
# fdisk -l

Use the first command to identify the USB device name.


Type the following command to mount Fedora 12 iso image:
# mount Fedora-12-x86_64-netinst.iso -o loop /media/cdrom0/
# DVD=/media/cdrom0
# ls -l $DVD

Sample outputs:
total 6
dr-xr-xr-x 3 root root 2048 2009-11-09 05:37 EFI
drwxr-sr-x 3 root  499 2048 2009-11-09 05:37 images
drwxr-sr-x 2 root  499 2048 2009-11-09 05:36 isolinux
You need to use files stored in isolinux directory to create a bootable usb pen.

Format Usb

Create the fdisk partition:
# fdisk /dev/sdb
You need to create only 1 partition. Next format the partition:
# USB=/media/usb
# mkdosfs /dev/sdb1

Finally mount the partition:
# mkdir -p /media/usb
# mount /dev/sdb1 /media/usb
# USB=/media/usb

Copy Required Files

Type the following commands:
# cp -av $DVD/isolinux/* $USB
# cd $USB
# rm isolinux.bin TRANS.TBL
# mv isolinux.cfg syslinux.cfg

Also copy the installer's initial RAM disk $DVD/images/pxeboot/initrd.img (for CentOS / RHEL Linux use $DVD/RedHat/images/pxeboot/initrd.img file) CD/DVD onto the usb drive:
# cp -v $DVD/images/pxeboot/initrd.img $USB

Unmount the USB drive

# umount /dev/sdb1

Make the USB Bootable

Type the following command to make the USB drive bootable
# syslinux /dev/sdb1
# mount /dev/sdb1 $USB

syslinux is a boot loader for the Linux operating system which operates off an MS-DOS/Windows FAT filesystem.

Install Grub

Type the following command to install GRUB on the USB device:
# grub-install --root-directory=$USB /dev/sdb
Create grub.conf:
# cd $USB
# mkdir -p boot/grub

Edit the grub.conf file
root (hd1,0)
title Fedora Linux
kernel /vmlinuz
initrd /initrd.img
Finally, unmount the USB pen drive, enter:
# umount /dev/sdb1
Your USB pen is ready and should be bootable from the USB device. This can be used to install Fedora or CentOS or RHEL. You can also copy other required tools (such as sniffers or data recovery tools) on this pen. This is left as exercise for the reader.

Unetbootin Installer of Linux/BSD Distributions (GUI Tools)

If command line options are too complicated to follow. Try UNetbootin, which allows you to create bootable Live USB drives for a variety of Linux distributions from Windows or Linux, without requiring you to burn a CD. To install to a partition or USB drive type the following command:
$ sudo apt-get install unetbootin

How to: Linux or UNIX List just directories or directory names

Q. How do I list just directory names under Linux?
A. Under Linux or UNIX use ls command to list files and directories. However ls does not have an option to list only directories. You can use combination of ls and grep to list directory names only.

Display or list all directories

Type the following command:
$ ls -l | egrep `^d'

Display or list only files

Type the following command:
$ ls -l | egrep -v `^d'
grep command used to searches input. It will filter out directories name by matching first character d. To reverse effect (just to display files) you need to pass -v option. It invert the sense of matching, to select non-matching lines.

Task: Create aliases to save time

You can create two aliases as follows to list only directories and files.
alias lf="ls -l | egrep -v '^d'"
alias ldir="ls -l | egrep '^d'"

Put above two aliases in your bash shell startup file:
$ cd
$ vi .bash_profile

Append two lines:
alias lf="ls -l | egrep -v '^d'"
alias ldir="ls -l | egrep '^d'"

Save and close the file.
Now just type lf - to list files and ldir - to list directories only:
$ cd /etc
$ lf

-rw-r--r--   1 root root      2149 2006-09-04 23:25 adduser.conf
-rw-r--r--   1 root root        44 2006-09-29 05:11 adjtime
-rw-r--r--   1 root root       197 2006-09-04 23:48 aliases
-rw-------   1 root root       144 2002-01-18 13:43 at.deny
-rw-r--r--   1 root root       162 2006-09-22 23:24 aumixrc
-rw-r--r--   1 root root        28 2006-09-22 23:24 aumixrc1
List directory names only:
$ cd /etc
$ ldir