From Just another day in the life of a linux sysadmin
Revision as of 09:08, 13 October 2020 by Joelparks (talk | contribs) (→‎Commands)

Disk Cleanup

Fix perms

Run from within public_html; this sets all files to 644 and all directories to 755:

find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;

Top 40 processes sorted by CPU usage (sort needs -n, otherwise "9.5" sorts above "10.2"):

ps -eo pcpu,pid,user,args | sort -k 1 -nr | head -40

Understanding SAR

Understanding the output of the sar command (the CPU columns of the default report):

%user: the total time the processor spends on user-space processes.
%system: the percentage of time the processor spends on operating system (kernel) tasks, as opposed to the user-space time in the previous column.
%iowait: as the name suggests, the time the processor spends waiting for devices (input and output).
%nice: a user can change a process's priority by changing its nice value; this column shows the time the CPU spends on processes whose nice value has been changed.
%steal: the time a virtualized CPU spends waiting for resources from the physical CPU.
%idle: the idle time of the processor.


The -r option of sar is very useful: it shows memory, swap, cached memory etc. at every interval (or at the interval you request).

02:20:01 AM kbmemfree kbmemused  %memused kbbuffers  kbcached kbswpfree kbswpused  %swpused  kbswpcad
02:30:01 AM    609500   1487652     70.94    242420    777560   1075980       364      0.03       360
02:40:01 AM    609500   1487652     70.94    242424    777568   1075980       364      0.03       360
02:50:01 AM    609500   1487652     70.94    242424    777592   1075980       364      0.03       360
03:00:01 AM    608980   1488172     70.96    242424    777600   1075980       364      0.03       360
03:10:01 AM    608584   1488568     70.98    242424    777628   1075980       364      0.03       360
03:20:01 AM    608584   1488568     70.98    242424    777648   1075980       364      0.03       360

In the above output most of the columns are self-explanatory (most values are in kB).

kbmemfree: the amount of free memory
kbmemused: memory used
%memused: percentage of memory used
kbbuffers: buffer memory used by the kernel
kbcached: cached memory used by the kernel
All other entries are for swap (free, used, percentage, etc.).
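As an added example (not from the wiki), an awk pass over rows in the sar -r layout above: it recovers the machine's total RAM as kbmemfree + kbmemused and recomputes usage with the kernel's buffers and cache taken back out, since the %memused column in this output counts them as used (free + used here is exactly 2 GiB). The sample rows are copied from the listing above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the wiki): read sar -r rows in the format shown above
# and show what the columns imply.  kbmemfree + kbmemused is the machine's RAM,
# and kbmemused here includes the kernel's buffers and page cache, so the
# "really used" figure is kbmemused - kbbuffers - kbcached.

# Constructed sample in the sar -r layout above (header + two intervals).
SAR_R='02:20:01 AM kbmemfree kbmemused  %memused kbbuffers  kbcached kbswpfree kbswpused  %swpused  kbswpcad
02:30:01 AM    609500   1487652     70.94    242420    777560   1075980       364      0.03       360
03:10:01 AM    608584   1488568     70.98    242424    777628   1075980       364      0.03       360'

# sar_r_summary: per interval prints
#   time  total_kb  %memused_as_reported  used_minus_cache_kb  %really_used
sar_r_summary() {
    printf '%s\n' "$1" | awk '
        $3 == "kbmemfree" { next }      # header row
        NF >= 11 {
            total = $3 + $4             # kbmemfree + kbmemused
            real  = $4 - $6 - $7        # kbmemused - kbbuffers - kbcached
            printf "%s %d %.2f %d %.1f\n", $1, total, $5, real, 100 * real / total
        }'
}

# Single values from the first interval, for scripting/threshold checks
sar_r_total_kb() { sar_r_summary "$1" | awk 'NR == 1 { print $2 }'; }
sar_r_real_pct() { sar_r_summary "$1" | awk 'NR == 1 { print $5 }'; }

sar_r_summary "$SAR_R"
# first line -> 02:30:01 2097152 70.94 467672 22.3
```

The 70.94% the report shows is thus mostly page cache; only about 22% of RAM is held by processes.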


Total %MEM per user (sums the %MEM column of ps faux for each user; the match on the USER column is exact, so "root" does not also pick up users whose names merely start with "root"):

psfaux=$(ps faux)
for user in $(echo "$psfaux" | awk 'NR > 1 {print $1}' | sort -u); do
    echo "$psfaux" | awk -v u="$user" '$1 == u {total += $4} END {print total "%", u}'
done | sort -rn

Viewing a file's permissions in numeric (octal) form

 stat -c '%a' filename.ext

Check to see if all sites are loading

cat /etc/userdatadomains | awk '{print $1}' | tr -d ':|*' > domainlist.txt
while read -r LINE; do
    # print the HTTP status code, then the domain; --max-time stops one dead site from hanging the loop
    curl -o /dev/null --silent --head --max-time 10 --write-out '%{http_code}' "$LINE"
    echo " $LINE"
done < domainlist.txt

ls in tree-style format

ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/   /' -e 's/-/|/'

Well-organized breakdown of file sizes within a directory

du -sk ./* | sort -nr | awk 'BEGIN{ pref[1]="K"; pref[2]="M"; pref[3]="G";} { total = total + $1; x = $1; y = 1; while( x > 1024 ) { x = (x + 1023)/1024; y++; } printf("%g%s\t%s\n",int(x*10)/10,pref[y],$2); } END { y = 1; while( total > 1024 ) { total = (total + 1023)/1024; y++; } printf("Total: %g%s\n",int(total*10)/10,pref[y]); }'

Auditing changes to a file

auditctl -w /home/USER/public_html/SOMEDIR/index.php -p wx -k NAMEOFYOUR_audit

It can be searched with the following command:

ausearch -k NAMEOFYOUR_audit

Deleting files NEWER than a certain date

Create a reference file with that date:

touch --date "2014-05-01" /tmp/start

Then delete all files newer than that reference file from the directory in question:

find /home/flge/mail/.plynam\@flgoldexchange_com/cur/ -type f -newer /tmp/start -exec rm -vf '{}' \;

Creating a file of a specific size

An easy way to create a file of a specific size (K / M / G suffixes also work for bs):

dd if=/dev/zero of=output.dat bs=1M count=14

would create a 14 MB file.

Delete files older than X days

find PATH -mtime +X -exec rm {} \;

Replace PATH with the location (or * for everything in the current directory) and X with the number of days.

Finding Large files:

find / -type f -size +500M

Find files not used in over 60 days:

find . -mtime +60

Find files modified in the last 2 days:

find . -mtime -2

Linux File Structuring

/bin = essential binaries (sort of like system32)

/sbin = more essential system binaries (also sort of like system32)

/boot = bootloader stuff.

/etc = config files and such, but many configs are also in usr directories.

/usr = contains config files and some appdata, something similar to windows user directories

/var = contains log files and app cache, almost similar to Application Data except without the config files that Application Data holds

/home = actual home directories, contains less system data than /usr does.

Runtime stuff, Runlevels, Rebooting, etc

In /etc/rc.d/init.d there are scripts for each service's boot process. The "rc.d" directory controls startup processes, numbered by boot order.

chkconfig gives run level/init info and controls. For example, to turn cpanel off (or back on) in run level 3:

chkconfig --level 3 cpanel off

If you install from a package manager (like YUM), it'll auto-add to chkconfig. Installing from source usually tells you what to do in the install options to get it into chkconfig.

Don't just blindly reboot. If a customer wants something rebooted, try to ssh in and see if it works. If so, ask them why they want to reboot. Get monitoring to reboot dedis; I can reboot VPS/Shared.


Example ls -la listing of / (the permission string is explained below):

dr-xr-xr-x. 25 root root 4.0K May 3 12:09 ./
dr-xr-xr-x. 25 root root 4.0K May 3 12:09 ../
-rwxr--r-- 1 root root 0 May 3 22:14 aquota.user*
-rw-r--r-- 1 root root 0 May 3 10:44 .autofsck
-rw-r--r-- 1 root root 0 Dec 30 10:29 .autorelabel
dr-xr-xr-x. 2 root root 4.0K May 4 03:39 bin/
dr-xr-xr-x. 5 root root 1.0K May 8 10:42 boot/
drwxr-xr-x. 2 root root 4.0K Sep 23 2011 cgroup/
drwxr-xr-x 17 root root 3.5K May 6 03:06 dev/

400 r-------- files (won't let you accidentally erase)
444 r--r--r-- files (lets everyone read)
600 rw------- files (no one else can read or see files)
644 rw-r--r-- files
664 rw-rw-r-- files (this is the standard for ALL files on a web server)
666 rw-rw-rw- files
700 rwx------ programs and directories
750 rwxr-x--- programs and directories
755 rwxr-xr-x programs and directories (this is the standard for ALL directories on a web server)
777 rwxrwxrwx programs and directories

The first character is d for a directory, l for a symlink, or - for a regular file.

Three permission groups: User, Group, Global

rwx is read/write/execute permissions. r = 4, w = 2, x = 1.

755 and 644 are common. 777 is bad. Nothing should be 777 ever. Global having rwx is potentially destructive.

chmod changes permissions.

chown and chgrp change the owner and group, respectively. Note that chuser is not related to this; that is for file attributes.

To set permissions by file type (this is also what suPHP needs in order to work):

for files:

find ./ -type f -exec chmod 644 {} \;

for directories

find ./ -type d -exec chmod 755 {} \;
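An added example (not from the wiki) that applies the r=4, w=2, x=1 rule above: it converts the symbolic mode column of ls -l into the octal form used in the table and flags the modes the page warns about (777 and anything world-writable). The listing it reads is constructed for the example and the function names are its own.

```shell
#!/bin/sh
# Added example (not from the wiki): convert the symbolic mode from ls -l into
# the octal form used in the table above (r=4, w=2, x=1 per user/group/other)
# and flag the modes the page warns about.  Only the nine permission bits are
# encoded; setuid/setgid/sticky (s, t) simply count as execute here.

# mode_to_octal "-rw-r--r--"  ->  644
mode_to_octal() {
    perms=$(printf '%s' "$1" | cut -c2-10)   # drop the type char (d, l, -)
    result=""
    for start in 1 4 7; do                   # user, group, other triplets
        triplet=$(printf '%s' "$perms" | cut -c"$start-$((start + 2))")
        digit=0
        case "$triplet" in r??) digit=$((digit + 4)) ;; esac
        case "$triplet" in ?w?) digit=$((digit + 2)) ;; esac
        case "$triplet" in ??[xst]) digit=$((digit + 1)) ;; esac
        result="$result$digit"
    done
    printf '%s\n' "$result"
}

# mode_risk "-rw-rw-rw-" -> world-writable ; "drwxrwxrwx" -> 777 ; else ok
mode_risk() {
    octal=$(mode_to_octal "$1")
    other=$(printf '%s' "$octal" | cut -c3)  # the "global" digit
    if [ "$octal" = 777 ]; then echo 777
    elif [ $((other & 2)) -ne 0 ]; then echo world-writable
    else echo ok
    fi
}

# audit_listing: reads ls -l lines and prints "octal risk name" for each
audit_listing() {
    printf '%s\n' "$1" | while read -r mode _ _ _ _ _ _ _ name; do
        [ -n "$mode" ] && printf '%s %s %s\n' "$(mode_to_octal "$mode")" "$(mode_risk "$mode")" "$name"
    done
}

# Constructed listing in ls -la format (not taken from a real server).
SAMPLE_LS='dr-xr-xr-x. 25 root root 4.0K May 3 12:09 ./
-rw-r--r-- 1 root root 0 May 3 10:44 .autofsck
-rw-rw-rw- 1 user user 0 May 3 22:14 upload.php
drwxrwxrwx 2 user user 4.0K May 4 03:39 tmp/'

audit_listing "$SAMPLE_LS"
```

Pipe a real `ls -la` into the same loop to spot anything in a docroot that is not 644/755.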

Extended Attributes

The most interesting thing to take away from extended attributes is the +i attribute.

chattr +i <file>

Makes a file "GOD MODE" in a way of speaking.

Basically this means:

A file that is set with the 'i' attribute cannot be modified. It is considered immutable. This means no renaming, no symbolic link creation, no execution, not writable, and only root / owner can unset the attribute.

Un-tarring a tarball

How to open or untar a "tar" file in Linux or Unix:

From the terminal, change to the directory where yourfile.tar has been downloaded.

tar -xvf yourfile.tar               extracts into the current directory (add -z for a gzipped .tar.gz; GNU tar also detects compression automatically when extracting)
tar -C /myfolder -xvf yourfile.tar  extracts into another directory

Bash files

A user's home directory contains various ".bash" files.

.bash_login and .bash_logout are interesting because they run when a user logs in/out over SSH. .bashrc runs when bash ITSELF is started.

.bash_history is a user's command history. You can also get history by typing the "history" command, but if you want a specific user's history, their .bash_history file is probably the place to go. You could probably spy on people by tail -f'ing this.

Package Management

YUM and apt are the main Package Managers. YUM for CentOS (fedora), apt for debian-based distros (ubuntu is debian based).

To install from an .rpm file, use rpm -Uvh.

to find and install a YUM package:

yum search <package term>

yum install <package name>

For Debian-based systems use apt-get.

this is probably the largest complaint of those who dislike debian. The command for install is 1 word longer

apt-get install package_name

Installing from Source

make install

Great site for this:


Display one page at a time

ll -h | more


The find command locates files in many different ways. Unlike the rest of the commands in this section, find does not look at the contents of a file; it only helps you find files that meet certain criteria, such as name, size, age, and type. The general form of the find command is:

find <starting point> <search criteria> <action>

The starting point is the name of the directory where find should start looking for files. The find command examines all files in this directory (and any subdirectories) to see if they meet the specified search criteria. If any do, find performs the specified action on each found file. Here are some of the most useful search criteria options:

-name pattern: find files with names that match the pattern.
-size [+|-]n: find files larger or smaller than a certain size.
-atime [+|-]n: find files accessed before or after a certain date.
-mtime [+|-]n: find files modified before or after a certain date.
-type filetype: find only regular files or only directories.

And here are the actions that can be applied to found files:

-print: print just the names of matching files.
-ls: print the names, dates, sizes, and so on of matching files.
-exec command: execute a command with the file name as input.
-ok command: same as -exec, but asks for confirmation first.

That all might look a bit confusing, so here are some examples to bring things down to earth. To find files (starting in the current directory) with names ending with .data and to print their names, try this:

find . -name '*.data' -print

To find files larger than 40K and print the file names and details (use a minus sign instead of a plus sign to find files smaller than a certain size), issue this command:

find . -size +40k -ls

-rw-rw-r-- hermie users 56720 Jan 16 12:42 bigfile
-rw-rw-r-- hermie users 415206 Feb 27 21:37 largefile
-rw-rw-r-- hermie users 315428 Jan 07 05:23 hugefile

To find files ending with .txt that are smaller than 100K, enter (quote the pattern so the shell does not expand it first)

find . -name '*.txt' -size -100k -ls

-rw-rw-r-- hermie users 26720 Feb 06 23:52 recipes.txt
-rw-rw-r-- hermie users 506 Feb 18 18:45 poem.txt

To find files that have not been accessed for over 30 days and delete them (by sending their names to the rm command), enter

find . -atime +30 -exec rm {} \;

To find directories (starting in the junk directory) and conditionally delete them (by sending their names to the rmdir command), enter

find junk -type d -ok rmdir {} \;


top -c

Shift+M = sort by RAM
Shift+P = sort by CPU
u = show only one user's processes

wordcount (wc)

Prints word count of a file. One neat trick with the -l flag is:

   ls | wc -l
   ls /var/cpanel/users | wc -l

running this on a cpanel box in "/var/cpanel/users" will quickly give you the total number of cpanel users on that box, as cpanel creates a new file for every user there.

BE AWARE that wc -l will always have an extra TWO entries (for /. and /.. I think), so if the command returns "8" there are actually 6 (SIX) users, NOT EIGHT.


"dig aaaa" is for IPv6 addresses (quad-A is IPv6 after all)

"dig -x <stuff>" does a reverse lookup.

To check whether a DNS change is working, you can dig the nameserver in question directly rather than waiting out the 24-48 hour propagation period.

copying from one directory to another and changing ownership of all the files

cd /home/scenario/public_html
cp -rv 2012/* .
chown -Rv scenario:scenario *

Don't forget the . after the *; it tells cp to copy into the current directory.

Disk Management

df -h = diskfree.

du -h --max-depth=1 is for the hierarchical directory structure that shows usage per directory, useful for seeing what uses a shitton of space.


Redirect the output to a file (> usage) if desired.

fdisk is the partition manager.

fdisk -l will generally list all the partitions on a system, and show you the physical disks.

System Information

/etc/redhat-release contains info on the OS.

"dmesg" command displays info on hardware devices. Almost like a command line device manager.

"free -m" gives you RAM usage info.

/proc/cpuinfo is a file that contains CPU info. Wow!

There are also meminfo and loadavg (LOAD AVERAGE) files.

The proc folder itself has a bunch of directories in it that correspond with PIDs. These contain data for currently running applications such as environment variables, file descriptors, limits.

Network Controls

To restart a box's network, simply do:

   /etc/init.d/network restart

BUT cpanel boxes also need this restarted:

   /etc/init.d/ipaliases restart


ps faux <--- listing processes

pgrep <name> <--- searching for PIDs, but I see myself using "ps faux | grep <stuff>" more

Niceness is a process's CPU scheduling priority. Negative number = the process hogs the CPU; positive value = it leaves room for others. If a customer wants you to "re-nice" processes, tell them no, just upgrade.

Three types of processes: Interactive (manually executed), Automated (scheduled), Daemon (startup, always running).

Put an ampersand on the end of processes to launch them in the background. LIKE SO:

   find butts >> butts.txt &

ctrl+z = suspend. Use it over ctrl+c when you want to put something in the background. Also, "jobs" lists current jobs. So, if you run a process and end up wanting it in the background, you do:

   grep <something that takes forever>
   (press ctrl+z to suspend it)
   bg <jobid>

Searching for a process (e.g. a weird tty user):

ps faux | grep tty1 -B1

root 6058 0.0 0.0 54172 1352 ? Ss Mar17 0:00 login -- root
root 13426 0.0 0.0 66224 1636 tty1 Ss+ May21 0:00 \_ -bash
root 5546 0.0 0.0 65728 1012 pts/1 R+ 22:11 0:00 \_ ps faux
root 5547 0.0 0.0 61196 744 pts/1 S+ 22:11 0:00 \_ grep tty1 -B1

The session's parent is the "login -- root" line, so the PID to use is 6058.

kill 6058 to end the odd session.


Apache

/usr/local/apache/conf/httpd.conf = main config file (cPanel).

php.conf = php handler config

modsec.user.conf = modsec rulelist

whitelist.conf = modsec whitelist

First step when troubleshooting Apache:

rebuildhttpdconf (after backing up old conf)

On non-cpanel servers, configs are usually in /etc/httpd/conf and /etc/httpd/conf.d. In this situation, vhosts are in a separate file.

Note-worthy Directives:

-> VirtualHost

Allows multiple domains to run on one IP.

<VirtualHost IP address:port> Here, info goes. The most important parts are probably ServerName and the docroot.

-> IfModule

-> Listen

Tells Apache to Listen on IP/port.

-> AddType

Maps a filename extension to a specified content type.

-> LoadModule

Loads modules into Apache. Omg!!

There's another command, but it isn't overly used (I think Matt said apfx?)


Types of attacks:

Network Saturation attacks: Brute force, saturating the network with connections.

TCP/IP based attacks: for example, SYN flood. Exploits 3 way TCP Handshake, hard to spot.

Service Vulnerability attacks: rarest of attacks, exploit vulnerabilities/bugs.

DoS detection: Nagios, Cacti, MRTG. CLI tools: netstat, tcpdump.

Be sure to tell networking or monitoring if there is a possible DoS attack. Don't speculate to customers.

Other Webservers

IIS = Windows.

Apache Tomcat = open source Java servlet and JSP server.

nginx = built for speed and load. At LW, this does reverse proxying.

lighttpd = very fast for static content like images/flat files.

LiteSpeed = able to read apache config files directly.

Port Numbers

Link to Wikipedia's list of port numbers
