From Just another day in the life of a linux sysadmin

Disk Cleanup

Viewing files with numerical permissions

 stat -c '%a' filename.ext

Check to see if all sites are loading

 cat /etc/userdatadomains | awk '{print $1}' | tr -d ':|*' > domainlist.txt
 while read -r LINE; do
     curl -o /dev/null --silent --head --write-out '%{http_code}' "$LINE"
     echo " $LINE"
 done < domainlist.txt

LS in tree style format

ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/   /' -e 's/-/|/'

Well Organized breakdown of filesize within a directory

du -sk ./* | sort -nr | awk 'BEGIN{ pref[1]="K"; pref[2]="M"; pref[3]="G";} { total = total + $1; x = $1; y = 1; while( x > 1024 ) { x = (x + 1023)/1024; y++; } printf("%g%s\t%s\n",int(x*10)/10,pref[y],$2); } END { y = 1; while( total > 1024 ) { total = (total + 1023)/1024; y++; } printf("Total: %g%s\n",int(total*10)/10,pref[y]); }'

Running an audit for changing files

auditctl -w /home/USER/public_html/SOMEDIR/index.php -p wx -k NAMEOFYOUR_audit

It can be searched with the following command:

ausearch -k NAMEOFYOUR_audit

Deleting files NEWER than a certain date

create a file with said date

touch --date "2014-05-01" /tmp/start

then delete all files newer than that file from said dir

find /home/flge/mail/.plynam\@flgoldexchange_com/cur/ -type f -newer /tmp/start -exec rm -vf '{}' \;

Obtain files of a certain size

Easy way to obtain a file of a specific size:

 dd if=/dev/zero of=output.dat bs=1M count=14

would create a 14 MB file. You can also use K / M / G as suffixes on the block size.

delete files older than X amount of days

find PATH -mtime +X -exec rm {} \;

replace path with location or * for all and X with number of days

Finding Large files:

find / -type f -size +500M

Find files not used on over 60 days:

find . -mtime +60

Find files modified in the last 2 days:

find . -mtime -2

Linux File Structuring

/bin = essential binaries (sort of like system32)

/sbin = more essential system binaries (also sort of like system32)

/boot = bootloader stuff.

/etc = config files and such, but many configs are also in usr directories.

/usr = contains config files and some appdata, something similar to windows user directories

/var = contains log files and app cache, almost similar to Application Data except without the config files that Application Data holds

/home = actual home directories, contains less system data than /usr does.

Runtime stuff, Runlevels, Rebooting, etc

In /etc/rc.d/init.d there are scripts for each service's boot process. The "rc.d" directory controls startup processes, numbered by boot order.

chkconfig gives run level/init info and controls. For example, to turn off cpanel during run level 3:

chkconfig --level 3 cpanel off

(use "on" instead of "off" to enable it again).

If you install from a package manager (like YUM), it'll auto-add to chkconfig. Installing from source usually tells you what to do in the install options to get it into chkconfig.

Don't just blindly reboot. If a customer wants something rebooted, try to ssh in and see if it works. If so, ask them why they want a reboot. Get monitoring to reboot dedis, I can reboot VPS/Shared.


Example long listing (ls -lah output in /) showing permission strings:

 dr-xr-xr-x. 25 root root 4.0K May  3 12:09 ./
 dr-xr-xr-x. 25 root root 4.0K May  3 12:09 ../
 -rwxr--r--   1 root root    0 May  3 22:14 aquota.user*
 -rw-r--r--   1 root root    0 May  3 10:44 .autofsck
 -rw-r--r--   1 root root    0 Dec 30 10:29 .autorelabel
 dr-xr-xr-x.  2 root root 4.0K May  4 03:39 bin/
 dr-xr-xr-x.  5 root root 1.0K May  8 10:42 boot/
 drwxr-xr-x.  2 root root 4.0K Sep 23  2011 cgroup/
 drwxr-xr-x  17 root root 3.5K May  6 03:06 dev/

 400 r--------  files (won't let you accidentally erase)
 444 r--r--r--  files (lets everyone read)
 600 rw-------  files (no one else can read or see files)
 644 rw-r--r--  files
 664 rw-rw-r--  files
 666 rw-rw-rw-  files
 700 rwx------  programs and directories
 750 rwxr-x---  programs and directories
 755 rwxr-xr-x  programs and directories
 777 rwxrwxrwx  programs and directories

The first character is d for a directory, l for a symlink, or - for a regular file.

Three permission groups: User, Group, Global

rwx is read/write/execute permissions. r = 4, w = 2, x = 1.

755 and 644 are common. 777 is bad. Nothing should be 777 ever. Global having rwx is potentially destructive.

chmod changes permissions.

chown and chgrp change the appropriate owner/group values. Note that chuser is not related to this, that is for file attributes.

To reset the permission set for a particular file type (also needed to make suphp functional):

for files:

find ./ -type f -exec chmod 644 {} \;

for directories

find ./ -type d -exec chmod 755 {} \;
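The octal scheme above (r=4, w=2, x=1 per user/group/global) and the "nothing should be 777" rule can be turned into a small check script. This is an added example, not part of the original page: the function names are mine, and the input modes and the temporary files it scans are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): work with the numeric
# permission scheme described above (r=4, w=2, x=1 per user/group/global)
# and flag modes that give "global" (others) write access.

# mode_to_octal 'rwxr-xr-x'  -> prints 755
# Only the three rwx digits are produced; setuid/setgid/sticky are treated
# as their execute bit (lowercase s/t), the special bits themselves are not encoded.
mode_to_octal() {
    sym=$1
    out=""
    for start in 1 4 7; do
        trip=$(printf '%s' "$sym" | cut -c "$start-$((start + 2))")
        d=0
        case $trip in r??) d=$((d + 4)) ;; esac
        case $trip in ?w?) d=$((d + 2)) ;; esac
        case $trip in ??x|??s|??t) d=$((d + 1)) ;; esac
        out="$out$d"
    done
    printf '%s\n' "$out"
}

# is_world_writable 755 -> exit status 1; is_world_writable 777 -> 0
is_world_writable() {
    mode=$1
    others=${mode#"${mode%?}"}      # last octal digit = "global" permissions
    [ $((others & 2)) -ne 0 ]
}

# find_world_writable DIR -> lists regular files under DIR that others can write
# (-perm -0002 is the portable spelling of "others have write")
find_world_writable() {
    find "$1" -type f -perm -0002
}

# classify_mode 'rwxrwxrwx' -> "777 WORLD-WRITABLE", 'rwxr-xr-x' -> "755 ok"
classify_mode() {
    oct=$(mode_to_octal "$1")
    if is_world_writable "$oct"; then
        printf '%s WORLD-WRITABLE\n' "$oct"
    else
        printf '%s ok\n' "$oct"
    fi
}

# Demo on constructed modes when run directly
for m in rw-r--r-- rwxr-xr-x rwxrwxrwx rw-rw-rw-; do
    printf '%s -> %s\n' "$m" "$(classify_mode "$m")"
done
```

find_world_writable is the audit counterpart of the two chmod loops above: run it over a docroot after resetting permissions and it should print nothing.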

Extended Attributes

The most interesting thing to take away from extended attributes is the +i attribute.

chattr +i <file>

Makes a file immutable (GODMODE): it can't be modified, deleted or renamed, even by root, until the attribute is removed.

Un-tarring a tarball

The following tutorial assumes the name of your file is yourfile.tar.gz. Replace it with your actual filename.

   From the terminal, change to the directory where yourfile.tar.gz has been downloaded.
   Type tar -zxvf yourfile.tar.gz to extract the file to the current directory.
   You can specify a different directory to extract to using the -C parameter and a path to the directory as follows:
   Example: tar -C /myfolder -zxvf yourfile.tar.gz

How to open or untar a plain "tar" file in Linux or Unix:

   From the terminal, change to the directory where yourfile.tar has been downloaded.
   Type tar -xvf yourfile.tar to extract the file to the current directory (no -z, since the file is not gzip-compressed).
   Or tar -C /myfolder -xvf yourfile.tar to extract to another directory.

Bash files

A user's home directory contains various ".bash" files.

.bash_login and .bash_logout are interesting, because they execute when a user logs in/out of SSH. .bashrc is run when bash ITSELF is started.

.bash_history is a user's history. You can also get history by typing the "history" command, but if you want a specific users history, then their .bash_history file is probably the place to go. You could probably spy on people by tail -f'ing this.

Package Management

YUM and apt are the main Package Managers. YUM for CentOS (fedora), apt for debian-based distros (ubuntu is debian based).

To install from rpm, use rpm -Uvh

to find and install a YUM package:

yum search <package term>

yum install <package name>

for Debian based systems use apt-get

this is probably the largest complaint of those who dislike debian. The command for install is 1 word longer

apt-get install package_name

Installing from Source



make install

Great site for this:


Display one page at a time

ll -h | more


The find command locates files in many different ways. Unlike the rest of the commands in this section, find does not look at the contents of a file--it only helps you find files that meet certain criteria, such as name, size, age, and type. The general form of the find command is find <starting point> <search criteria> <action>

The starting point is the name of the directory where find should start looking for files. The find command examines all files in this directory (and any subdirectories) to see if they meet the specified search criteria. If any do, find performs the specified action on each found file. Here are some of the most useful search criteria options:

 -name pattern     Find files with names that match the pattern.
 -size [+|-] n     Find files larger or smaller than a certain size.
 -atime [+|-] n    Find files accessed before or after a certain date.
 -mtime [+|-] n    Find files modified before or after a certain date.
 -type filetype    Find only regular files or only directories.

And here are the actions that can be applied to found files:

 -print           Print just the names of matching files.
 -ls              Print the names, dates, sizes, and so on of matching files.
 -exec command    Execute a command with the file name as input.
 -ok command      Same as -exec, but asks for confirmation first.

That all might look a bit confusing, so here are some examples to bring things down to earth. To find files (starting in the current directory) with names ending with .data and to print their names, try this:

find . -name '*.data' -print

To find files larger than 40K and print the file names and details (use a minus sign instead of a plus sign to find files smaller than a certain size), issue this command:

 find . -size +40k -ls
 -rw-rw-r-- hermie users  56720 Jan 16 12:42 bigfile
 -rw-rw-r-- hermie users 415206 Feb 27 21:37 largefile
 -rw-rw-r-- hermie users 315428 Jan 07 05:23 hugefile

To find files ending with .txt that are smaller than 100K, enter

 find . -name '*.txt' -size -100k -ls
 -rw-rw-r-- hermie users 26720 Feb 06 23:52 recipes.txt
 -rw-rw-r-- hermie users   506 Feb 18 18:45 poem.txt

To find files that have not been accessed for over 30 days and delete them (by sending their names to the rm command), enter

find . -atime +30 -exec rm {} \;

To find directories (starting in the junk directory) and conditionally delete them (by sending their names to the rmdir command), enter

find junk -type d -ok rmdir {} \;
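The criteria and actions just listed can be tried safely against a throwaway tree instead of a live filesystem. The script below is an added example, not from the original page: it builds a constructed sample tree in a mktemp directory (the file names, sizes and the 2014 timestamp are made up for the demo) and wraps the page's find forms in small functions.

```shell
#!/bin/sh
# Added example (not from the original page): build a small throwaway
# directory tree and run the find criteria discussed above against it.
# Everything below is constructed sample data in a mktemp directory.

# make_sample_tree -> prints the path of a fresh tree containing:
#   two *.data files, one 56K file, one tiny .txt, one empty dir,
#   and one file whose mtime is set back to 2014
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/junk" "$dir/junk/empty"
    printf 'sample\n' > "$dir/one.data"
    printf 'sample\n' > "$dir/junk/two.data"
    printf 'poem\n' > "$dir/poem.txt"
    dd if=/dev/zero of="$dir/bigfile" bs=1024 count=56 2>/dev/null
    touch -t 201401010000 "$dir/old.log"      # mtime well over 30 days ago
    printf '%s\n' "$dir"
}

# count_found DIR CRITERIA... -> number of matches, e.g.
#   count_found "$tree" -name '*.data'
count_found() {
    dir=$1
    shift
    find "$dir" "$@" -print | wc -l | tr -d ' '
}

# delete_older_than DIR DAYS -> remove regular files not modified in DAYS days
# (the page's -exec rm form, with {} + so rm receives batched arguments)
delete_older_than() {
    find "$1" -type f -mtime +"$2" -exec rm -f {} +
}

# remove_empty_dirs DIR -> rmdir empty directories under DIR; the page's
# "-ok rmdir" prompts for each one, this runs unattended using -empty
remove_empty_dirs() {
    find "$1" -depth -type d -empty -exec rmdir {} + 2>/dev/null
}

# Demo run on the constructed tree
tree=$(make_sample_tree)
printf 'data files:    %s\n' "$(count_found "$tree" -name '*.data')"
printf 'over 40K:      %s\n' "$(count_found "$tree" -type f -size +40k)"
printf 'older 30 days: %s\n' "$(count_found "$tree" -type f -mtime +30)"
delete_older_than "$tree" 30
printf 'after purge:   %s\n' "$(count_found "$tree" -type f -mtime +30)"
remove_empty_dirs "$tree"
rm -rf "$tree"
```

Note that -size counts in 1K blocks rounded up, so a 5-byte poem.txt is "1k" and still matches -size -100k, while bigfile at 56 blocks is the only hit for -size +40k.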



top -c

shift+m = sort by RAM

shift+p = sort by CPU

u = search for user

wordcount (wc)

Prints word count of a file. One neat trick with the -l flag is:

   ls | wc -l
   ls /var/cpanel/users | wc -l

running this on a cpanel box in "/var/cpanel/users" will quickly give you the total number of cpanel users on that box, as cpanel creates a new file for every user there.

BE AWARE that wc -l will always have an extra TWO entries (for /. and /.. I think), so if the command returns "8" there are actually 6 (SIX) users, NOT EIGHT.


"dig aaaa" is for IPv6 addresses (quad-A is IPv6 after all)

"dig -x <stuff>" does a reverse lookup.

To check whether a DNS record is working, you can dig the nameserver in question directly instead of waiting out the 24-48 hour propagation period.

copying from one directory to another and changing ownership of all the files

cd /home/scenario/public_html
cp -rv 2012/* .
chown -Rv scenario:scenario *

Don't forget the . after the *: it tells cp to copy into the current directory.

Disk Management

df -h = diskfree.

du -h --max-depth=1 is for the hierarchical directory structure that shows usage per directory, useful for seeing what uses a shitton of space.


Write it to a file with > usage, if desired.

fdisk is the partition manager.

fdisk -l will generally list all the partitions on a system, and show you the physical disks.

System Information

/etc/redhat-release contains info on the OS.

"dmesg" command displays info on hardware devices. Almost like a command line device manager.

"free -m" gives you RAM usage info.

/proc/cpuinfo is a file that contains CPU info. Wow!

There are also meminfo and loadavg (LOAD AVERAGE) files.

The proc folder itself has a bunch of directories in it that correspond with PIDs. These contain data for currently running applications such as environment variables, file descriptors, limits.

Network Controls

To restart a box's network, simply do:

   /etc/init.d/network restart

BUT cpanel boxes also need this restarted:

   /etc/init.d/ipaliases restart


ps faux <--- listing processes

pgrep <name> <--- searching for PIDs, but I see myself using "ps faux | grep <stuff>" more

Niceness is a process's CPU scheduling priority. Negative number = the process hogs the CPU, positive value = it leaves room for others. If a customer wants you to "re-nice" processes, tell them no, just upgrade.

Three types of processes: Interactive (manually executed), Automated (scheduled), Daemon (startup, always running).

Put an ampersand on the end of processes to launch them in the background. LIKE SO:

   find butts >> butts.txt &

ctrl+z = suspend. Use it instead of ctrl+c for putting stuff in the background. Also, "jobs" lists current jobs. So, if you run a process and end up wanting it in the background, you do:

   grep <something that takes forever>
   bg <jobid>

searching for a process (e.g. a weird tty user)

 ps faux | grep tty1 -B1

 root  6058  0.0  0.0  54172 1352 ?     Ss   Mar17  0:00 login -- root
 root 13426  0.0  0.0  66224 1636 tty1  Ss+  May21  0:00  \_ -bash
 root  5546  0.0  0.0  65728 1012 pts/1 R+   22:11  0:00  \_ ps faux
 root  5547  0.0  0.0  61196  744 pts/1 S+   22:11  0:00  \_ grep tty1 -B1

The session belongs to the "login -- root" process, so the PID is 6058:

 kill 6058

ends the odd session.


/usr/local/apache/conf/httpd.conf = main config file.

php.conf = php handler config

modsec.user.conf = modsec rulelist

whitelist.conf = modsec whitelist

first step when troubleshooting apache:

rebuildhttpdconf (after backing up old conf)

On non-cpanel servers, configs are usually in /etc/httpd/conf and /etc/httpd/conf.d. In this situation, vhosts are in a separate file.

Note-worthy Directives:

-> VirtualHost

Allows multiple domains to run on one IP.

<VirtualHost IP_address:port> ... </VirtualHost> encloses the host's settings. The most important parts are probably ServerName and DocumentRoot.
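A minimal VirtualHost block, added here as an illustration and not taken from the page or from any particular server's config; the IP, domain and paths are placeholders:

```apache
# Added example: placeholder address, domain and paths, not a real host
Listen 203.0.113.10:80

<VirtualHost 203.0.113.10:80>
    ServerName   example.com
    ServerAlias  www.example.com
    DocumentRoot /home/example/public_html
    ErrorLog     /var/log/httpd/example.com-error_log
    CustomLog    /var/log/httpd/example.com-access_log combined
</VirtualHost>
```

Apache picks the VirtualHost whose ServerName or ServerAlias matches the Host header of the request; a request for a name no block matches lands in the first VirtualHost defined for that IP:port, which is why a stray or missing ServerName shows up as "the wrong site loads".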

-> IfModule

-> Listen

Tells Apache to Listen on IP/port.

-> AddType

Maps a filename extension to a specified content type.

-> LoadModule

Loads modules into Apache. Omg!!

There's another command, but it isn't overly used (I think Matt said apfx?)


Types of attacks:

Network Saturation attacks: Brute force, saturating the network with connections.

TCP/IP based attacks: for example, SYN flood. Exploits 3 way TCP Handshake, hard to spot.

Service Vulnerability attacks: rarest of attacks, exploit vulnerabilities/bugs.

DoS Detection: Nagios, Cacti, MRTG. CLI TOOLS: netstat, tcpdump.

Be sure to tell networking or monitoring if there is a possible DoS attack. Don't speculate to customers.
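One way the SYN-flood pattern above shows up in netstat is a pile of half-open (SYN_RECV) connections from a few sources. The script below is an added example, not from the original page: the netstat output it parses is constructed (RFC 5737 documentation addresses, made-up ports), and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original page): a quick CLI check for the
# SYN-flood pattern mentioned above, using netstat -tn style output.
# The sample below is constructed (documentation addresses), not real traffic.

NETSTAT_SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.10:80        203.0.113.7:51234       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.7:51235       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.7:51236       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.9:40001       SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.9:40002       SYN_RECV
tcp        0      0 198.51.100.10:80        192.0.2.50:55000        SYN_RECV
tcp        0      0 198.51.100.10:22        192.0.2.15:60000        ESTABLISHED
tcp        0      0 198.51.100.10:80        192.0.2.16:60001        TIME_WAIT'

# syn_recv_by_ip NETSTAT_TEXT -> "count ip" lines, busiest source first.
# Assumes IPv4 "addr:port" in the Foreign Address column (field 5) and the
# state in field 6, as netstat -tn prints them.
syn_recv_by_ip() {
    printf '%s\n' "$1" |
        awk '$6 == "SYN_RECV" {
                 split($5, a, ":")       # strip the source port
                 n[a[1]]++
             }
             END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# syn_flood_suspects NETSTAT_TEXT THRESHOLD -> only IPs with at least
# THRESHOLD half-open connections
syn_flood_suspects() {
    syn_recv_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# total_syn_recv NETSTAT_TEXT -> total half-open connections
total_syn_recv() {
    printf '%s\n' "$1" | awk '$6 == "SYN_RECV"' | wc -l | tr -d ' '
}

# Live use would be:  syn_recv_by_ip "$(netstat -tn)"
printf 'Half-open connections: %s\n' "$(total_syn_recv "$NETSTAT_SAMPLE")"
syn_recv_by_ip "$NETSTAT_SAMPLE"
```

A handful of SYN_RECV entries is normal on a busy web server; what matters is the count against the site's usual baseline and whether it is concentrated on a few sources or spread out (spoofed floods look like the latter). Either way, this is the kind of evidence to hand to networking or monitoring rather than something to act on alone.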

Other Webservers

IIS = Windows.

Apache Tomcat = open source Java and JSP servlet,

nginx = built for speed and load. At LW, this does reverse proxying.

lighttpd = very fast for static content like images/flat files.

LiteSpeed = able to read apache config files directly.

Port Numbers

Link to Wikipedia's list of port numbers
