Linux Commands

Practical snippets for daily Linux work

This page collects practical Linux command snippets.

AWK

Text processing and log analysis

  • Find duplicate passwords (detect reuse)
    awk -F: '{print $2}' passwords.txt | sort | uniq -d
  • Total requests by HTTP status code (Nginx)
    awk '{print $9}' /var/log/nginx/access.log | sort | uniq -c | sort -rn
  • Top requesters by IP (Nginx)
    awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head
  • Top requesters by user agent (Nginx)
    awk -F'"' '{print $6}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head
  • Top requests by URL path (Nginx)
    awk '{print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head
  • Top IPs requesting non-existent content (404)
    awk '$9 == 404 {print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head
  • Top URLs returning 404 Not Found
    awk '$9 == 404 {print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -rn | head
  • Top user agents requesting non-existent content (404)
    awk '$9 == 404 {print $0}' /var/log/nginx/access.log | awk -F'"' '{print $6}' | sort | uniq -c | sort -rn | head
  • Top IP addresses seen in Nginx error.log (client field; the 3-argument match() needs gawk)
    awk 'match($0, /(client: )([^,]+)(, server)/, arr) {print arr[2]}' /var/log/nginx/error.log | sort | uniq -c | sort -rn | head
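  • Requests from the last 10 minutes (rough filter: plain string comparison on the timestamp, so it misorders entries across a day or month boundary)
    # LC_ALL=C keeps %b in English so it matches the month names Nginx writes
    cutoff="$(LC_ALL=C date -d '10 minutes ago' '+[%d/%b/%Y:%H:%M')"
    awk -v cutoff="$cutoff" '$4 > cutoff {print $0}' /var/log/nginx/access.log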
  • Frontend request statistics (datamash; expects rt=... followed by ua=... in a custom log_format; needs gawk)
    awk 'match($0, /( rt=)([^ ]+)( ua=)/, arr) {print arr[2]}' /var/log/nginx/access.log \
    | datamash count 1 max 1 min 1 mean 1 median 1 pstdev 1
  • Backend request statistics (datamash; expects ut="..." followed by ul= in a custom log_format; needs gawk)
    awk 'match($0, /( ut=")([0-9]+\.[0-9]{3})(.*)(" ul=)/, arr) {print arr[2]}' /var/log/nginx/access.log \
    | datamash count 1 max 1 min 1 mean 1 median 1 pstdev 1
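  • Slow requests by URL (ignore POST, rt > 5 seconds)
    # "+ 0" forces a numeric comparison; without it awk compares strings and "10.2" sorts below "5"
    awk -F'rt=' '$0 !~ /POST/ && substr($2,1,5) + 0 > 5 {print $0}' /var/log/nginx/access.log \
    | awk '{print $7}' \
    | sort | uniq -c | sort -rn | head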
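
A stricter take on the "last 10 minutes" filter above, added here as an example and not part of the original page: it rewrites each Nginx timestamp as a sortable YYYYMMDDHHMMSS key, so the comparison also holds across midnight and month ends. The function names, sample log lines and cutoff values are constructed; log and cutoff are assumed to be in the same timezone.

```shell
#!/bin/sh
# Added example (not from the original page). Sample log lines are constructed.

sample_log() {
cat <<'EOF'
198.51.100.7 - - [31/Jan/2024:23:40:00 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"
198.51.100.7 - - [31/Jan/2024:23:56:10 +0000] "GET /a HTTP/1.1" 200 612 "-" "curl/8.0"
203.0.113.9 - - [01/Feb/2024:00:02:30 +0000] "GET /b HTTP/1.1" 404 153 "-" "curl/8.0"
EOF
}

# The rough filter from the page: plain string comparison on field 4.
naive() {
    awk -v cutoff="$1" '$4 > cutoff'
}

# since YYYYMMDDHHMMSS: print lines whose timestamp is at or after the cutoff.
since() {
    awk -v cutoff="$1" '
    BEGIN {
        n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= n; i++) mon[m[i]] = sprintf("%02d", i)
    }
    {
        # $4 looks like "[31/Jan/2024:23:56:10"; drop the bracket, split on / and :
        if (split(substr($4, 2), p, "[/:]") != 6 || !(p[2] in mon)) next
        key = p[3] mon[p[2]] p[1] p[4] p[5] p[6]      # e.g. 20240131235610
        if ((key "") >= (cutoff "")) print             # force string comparison
    }'
}

# Cutoff 23:55 on 31 Jan: the naive filter drops the request made after midnight.
echo "naive: $(sample_log | naive '[31/Jan/2024:23:55' | wc -l) line(s)"
echo "since: $(sample_log | since 20240131235500 | wc -l) line(s)"
# Live use with GNU date (log and shell in the same timezone):
#   since "$(date -d '10 minutes ago' +%Y%m%d%H%M%S)" < /var/log/nginx/access.log
```

Lines whose timestamp field does not parse are skipped rather than passed through, so count them separately if malformed entries matter to the investigation.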

Base64

Encoding and decoding

  • Encode file
    base64 file > base64.txt
  • Decode file
    base64 -d base64.txt > original.bin
  • Decode one-liner
    echo 'bGludXggYmFzZTY0IGRlY29kZQo=' | base64 -d

Encoding / Hashing

Basic hashing examples

  • Hash empty input
    printf "" | sha1sum
    printf "" | sha256sum
  • Create SHA256 checksum file
    sha256sum filename.ext > filename.ext.sha256
  • Verify SHA256 checksum file
    sha256sum -c filename.ext.sha256
  • Verify a file against a known SHA256 checksum (inline)
    echo "KNOWN_SHA256SUM  filename.ext" | sha256sum -c

    Note: use two spaces between the hash and filename (same format as sha256sum output).

  • Verify checksums from a distro file (example: SHA256SUMS)
    sha256sum -c SHA256SUMS

Find

File discovery and basic remediation

  • Find files by name (current directory)
    find . -name "file.txt"
  • Find files by name case-insensitive
    find /home -iname "file.txt"
  • Find directories named "file"
    find / -type d -name "file"
  • Find all PHP files
    find . -type f -name "*.php"
  • Find files with 777 permissions
    find . -type f -perm 0777 -print
  • Find SUID and SGID files
    find / -perm /u=s -type f 2>/dev/null
    find / -perm /g=s -type f 2>/dev/null
  • Find files modified in the last 60 minutes
    find / -mmin -60 2>/dev/null
  • Dangerous example: fix 777 files to 644 (never run on / blindly)
    find /path -type f -perm 0777 -print -exec chmod 0644 {} \;

Grub

Common adjustments

  • Change interface naming to eth0 (disable predictable names)
    dmesg | grep -i eth
    sudo vi /etc/default/grub
    # set this line in /etc/default/grub:
    GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0"
    # regenerate the config, then reboot for the change to apply
    sudo grub-mkconfig -o /boot/grub/grub.cfg
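  • Secure Grub boot loader (basic)
    # prompts for a password and prints the PBKDF2 hash
    sudo grub-mkpasswd-pbkdf2
    sudo vi /etc/grub.d/40_custom
    # add these two lines to /etc/grub.d/40_custom, pasting the hash printed above:
    set superusers="root"
    password_pbkdf2 root PBKDF2_HASH_HERE
    sudo grub-mkconfig -o /boot/grub/grub.cfg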

Tcpdump

Packet capture

  • Create a capture (write to pcap)
    sudo tcpdump -s 0 -i eth0 -w traffic.pcap
    sha256sum traffic.pcap

Wget

Downloading content safely

  • Download a URL to a file
    wget -O filename "https://example.com/file"
  • Continue an incomplete download
    wget -c "https://example.com/file"
  • Download all URLs from a text file
    wget -P path/to/dir -i URLs.txt

OpenSSL

Daily certificate and TLS work

Practical OpenSSL reference: generate keys and CSRs, create certificates, validate and debug TLS, and convert formats.

General

  • Generate private key + CSR
    openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key
  • Generate self-signed certificate
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
  • Remove passphrase from a private key
    openssl rsa -in privateKey.pem -out newPrivateKey.pem

Checking

  • Check CSR / private key / certificate
    openssl req  -text -noout -verify -in CSR.csr
    openssl rsa  -in privateKey.key -check
    openssl x509 -in certificate.crt -text -noout

Debugging

  • Show full cert chain
    openssl s_client -connect www.paypal.com:443 -showcerts
  • Compare key/cert match (RSA modulus)
    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa  -noout -modulus -in privateKey.key  | openssl md5
    openssl req  -noout -modulus -in CSR.csr         | openssl md5
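
The modulus comparison above only applies to RSA. The sketch below is an added example, not part of the original page: it compares the public keys instead, so the same check works for EC keys, and it refuses to report a match when a file cannot be read. The function names and the throwaway key and certificate generated in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): match a certificate or CSR to a
# private key by public key, which works for RSA and EC keys alike.

# pub_pem cert|key|csr FILE -> PEM public key on stdout
pub_pem() {
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac
}

# pub_fp cert|key|csr FILE -> SHA-256 of the PEM public key
pub_fp() {
    pem=$(pub_pem "$1" "$2" 2>/dev/null) || return 1
    # Refuse to hash empty output, so two unreadable files never "match".
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | sha256sum | cut -d' ' -f1
}

# keys_match CERT KEY -> exit status 0 only if both parse and share a public key
keys_match() {
    c=$(pub_fp cert "$1") && k=$(pub_fp key "$2") && [ "$c" = "$k" ]
}

# Constructed demo: two throwaway EC keys, one self-signed cert for the first.
demo() {
    d=$(mktemp -d) || return 1
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/a.key" 2>/dev/null
    openssl ecparam -name prime256v1 -genkey -noout -out "$d/b.key" 2>/dev/null
    openssl req -new -x509 -key "$d/a.key" -subj "/CN=example.test" \
        -days 1 -out "$d/a.crt" 2>/dev/null
    keys_match "$d/a.crt" "$d/a.key" && echo "a.crt / a.key: match"
    keys_match "$d/a.crt" "$d/b.key" || echo "a.crt / b.key: MISMATCH"
    rm -rf "$d"
}

demo
```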

Converting

  • DER to PEM
    openssl x509 -inform der -in certificate.cer -out certificate.pem
  • PKCS#12 to PEM
    openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

Tip: protect private keys with correct filesystem permissions and keep them out of shared locations.