Basic SSH commands

FILE MANAGEMENT

Copy file
cp -a archivo.zip archivocopia.zip
Create a 404.html file
touch /home/usuario/public_html/404.html
Compress directory
zip -r archivo.zip /home/usuario/public_html/directorio
Extract file
unzip archivo.zip
View contents of a zip file
unzip -v archivo.zip
Compress files excluding certain extensions (the patterns are quoted so the shell passes them to zip unexpanded)
zip -r /home/user/public_html/backup_php_ah.zip /home/user/public_html/uploads/ -x '*/.*' '*.git*' '.*' '*.JPG' '*.jpg' '*.PNG' '*.PDF' '*.pdf' '*.msg' '*.jpeg' '*.zip' '*.rar' '*.xlsx' '*.png' '*.mp4' '*.html' '*.docx' '*.pptx'

DIRECTORY MANAGEMENT

List files and folders
ls
List files and folders with detailed information
ls -al
List files, folders, and subdirectories
ls -aR
List files and information including all subdirectories with pagination
ls -aR | more
List files and subdirectory information and save it to a file
ls -alR > resultado.txt
List all files ending in .html
ls *.html
Count the number of folders in a directory (excludes files)
echo */ | wc -w
Show folder size (first-level folders only)
du -h | grep -v '/.*/'
Search /home for a file with a given name (here lo_que_sea) and a size greater than 5MB.
find /home/ -name lo_que_sea -size +5M
Show directory space usage
du -sh
Show space used by each file sorted by size
du -hs * | sort -h

FILE AND DIRECTORY SYNCHRONIZATION

Be careful with the trailing slash on folder paths. If it is NOT placed on the source folder, that folder itself will be recreated inside the destination instead of only its contents being copied.

Synchronize information within the same server
rsync -avhzo /home/usuario/carpeta_origen/ /home/usuario/carpeta_destino/
Synchronize information from an external server. This command is executed from the destination server. This instruction uses port 22, so the source server must have SSH enabled.
rsync -avhzo root@servidor.origen.com:/home/usuario/carpeta_origen/ /home/usuario/carpeta_destino/
Synchronize information from an external server. This command is executed from the destination server. This instruction uses port 1157. Replace it with the port that the source server has configured for SSH connections.
rsync -avhzo -e "ssh -p1157" root@servidor.origen.com:/home/usuario/carpeta_origen/ /home/usuario/carpeta_destino/

SERVER MONITORING

Check if Apache has reached the worker limit and needs to increase its value
grep -i maxclient /usr/local/apache/logs/error_log
Count the number of connections on port 80
netstat -an | grep :80 | wc -l
Count the number of accesses to port 80 by a single IP
netstat -an | grep :80 | egrep '^tcp' | grep -v LISTEN | awk '{print $5}' | egrep '([0-9]{1,3}\.){3}[0-9]{1,3}' | sed 's/^\(.*:\)\?\(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\).*$/\2/' | sort | uniq -c | sort -nr | sed 's/::ffff://' | head -20
If the attack is from multiple IPs, we can trace the entire /24 subnet
netstat -ntu | awk '{print $5}' | cut -d: -f1 -s | cut -f1,2,3 -d'.' | sed 's/$/.0/' | sort | uniq -c | sort -nk1 -r
Or, the broader subnet: /16
netstat -ntu | awk '{print $5}' | cut -d: -f1 -s | cut -f1,2 -d'.' | sed 's/$/.0.0/' | sort | uniq -c | sort -nk1 -r
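The /24 and /16 one-liners above keep only the first colon-separated field, so IPv4-mapped peers such as ::ffff:203.0.113.9 lose their address, and grep :80 also matches :8080. The following is an added example, not part of the original article, that does the same grouping with both cases handled; the function names and the sample netstat output are constructed for illustration.

```shell
# Constructed sample of `netstat -ntu` output (documentation-range addresses).
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.77:40222      TIME_WAIT
tcp        0      0 192.0.2.10:80           203.0.113.5:51240       ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.9:33412 ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:443   ::ffff:198.51.100.4:60100 SYN_RECV
tcp        0      0 192.0.2.10:8080         198.51.100.200:41000    ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.9:5353       ESTABLISHED
EOF
}

# subnet_counts BITS [LOCAL_PORT]
# Reads `netstat -ntu` output on stdin and prints "count prefix", busiest first.
# BITS is 32 (single IP), 24 or 16. LOCAL_PORT, if given, must match exactly.
subnet_counts() {
  awk -v bits="$1" -v port="${2:-}" '
    $1 ~ /^(tcp|udp)/ {
      lp = $4; sub(/^.*:/, "", lp)          # local port = text after last colon
      if (port != "" && lp != port) next    # exact match, so 8080 is not 80
      rem = $5
      sub(/:[0-9]+$/, "", rem)              # drop the remote port
      sub(/^::ffff:/, "", rem)              # unwrap IPv4-mapped IPv6 peers
      if (split(rem, o, ".") != 4) next     # skip native IPv6 peers
      if (bits == 32)      key = rem
      else if (bits == 24) key = o[1] "." o[2] "." o[3] ".0/24"
      else                 key = o[1] "." o[2] ".0.0/16"
      n[key]++
    }
    END { for (k in n) print n[k], k }
  ' | sort -k1,1nr -k2,2
}

# On a live server: netstat -ntu | subnet_counts 24 80
sample_netstat | subnet_counts 24 80
```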
Check the TOP processes using processing capacity (execute line by line after "#").
# resize;clear;echo;date;echo "Top 10 Processes by CPU %";echo ""; ps -eo user,%cpu,%mem,rsz,args,pid,lstart|sort -rnk2|\
# awk 'BEGIN {printf "%12s\t%s\t%s\t%s\t%s\n","USER","%CPU","%MEM","RSZ","COMMAND","PID","Started"} \
# {printf "%12s\t%g'\''%\t%g'\''%\t%d MB\t%s\n",$1,$2,$3,$4/1024,$5}' | head -n10;echo; \
# echo "== Last 90 mins ==";echo;sar | head -n6;sar -u | tail -n20;echo;sar -q | head -n6;sar -q | \
# tail -n20;echo;echo "== Current 5 Second Intervals ==";echo;sar -u 5 12;echo;sar -q 5 5
This command creates a file called proc-list that shows exactly what a specific process is doing (replace PID-Number).
ps awux | grep lsof
ls -l /proc/PID-Number/* > /root/proc-list
Check visitors in Apache status who are attacking WordPress login. Can be replaced with any other attacked script.
/usr/local/apache/bin/apachectl fullstatus | grep 'wp-login\|xmlrp'
Log analysis
Analyze the Apache access log and show the number of times each IP has connected to Apache.
cat /usr/local/apache/logs/access_log | awk '{print $1}' | sort | uniq -c | sort -n
Search all activity of an IP in the Apache log and error log.
grep -i [IP] /usr/local/apache/logs/access_log
grep -i [IP] /usr/local/apache/logs/error_log
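The per-IP count and the wp-login/xmlrpc check above can be combined into one pass over the access log that lists only the IPs worth reviewing for a block. This is an added example, not part of the original article; the function names, the threshold argument and the sample log lines (Apache combined format) are constructed for illustration.

```shell
# Constructed sample access log in Apache combined format.
sample_access_log() {
cat <<'EOF'
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:13:55:40 +0000] "GET /index.php HTTP/1.1" 200 10211 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2024:13:56:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"
198.51.100.4 - - [10/Oct/2024:13:56:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "curl/8.0"
198.51.100.77 - - [10/Oct/2024:13:57:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4523 "-" "Mozilla/5.0"
192.0.2.50 - - [10/Oct/2024:13:58:00 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# attacked_script_hits MIN_HITS
# Reads an access log on stdin and prints "count ip" for every client with at
# least MIN_HITS POST requests to wp-login.php or xmlrpc.php, busiest first.
# GET requests (a normal page load of the login form) are not counted.
attacked_script_hits() {
  awk -v min="$1" '
    {
      method = $6; sub(/^"/, "", method)     # field 6 is "POST with a leading quote
      path = $7;   sub(/\?.*$/, "", path)    # ignore the query string
      if (method == "POST" && path ~ /\/(wp-login|xmlrpc)\.php$/) hits[$1]++
    }
    END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
  ' | sort -k1,1nr -k2,2
}

# On a live server: attacked_script_hits 20 < /usr/local/apache/logs/access_log
sample_access_log | attacked_script_hits 2
```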

SPAM FIGHTING

Analysis of directories from which email is being sent
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
Number of emails in the Queue Manager
/usr/sbin/exim -bpc
Once a suspicious directory is detected, you can identify the suspicious script and search for the accesses it has had to block the resulting IPs
grep "mailer.php" /home/userna5/access-logs/example.com | awk '{print $1}' | sort -n | uniq -c | sort -n
Analyze possible attack on EXIM
/usr/sbin/exigrep "unrecognized command" /var/log/exim_mainlog
Analyze if there are blocks in Hotmail
/usr/sbin/exigrep "Unfortunately, some messages from" /var/log/exim_mainlog
Analyze if there are blocks in Yahoo
/usr/sbin/exigrep "temporarily deferred due to user complaints" /var/log/exim_mainlog
Delete messages from the Exim queue
Single sender:
exiqgrep -if user@domain | xargs exim -Mrm
Single recipient:
exiqgrep -ir user@domain | xargs exim -Mrm
Clear all:
exim -bp | grep '<' | awk '{print $3}' | xargs exim -Mrm

HARDWARE INFORMATION

Show CPU information
cat /proc/cpuinfo
Count the physical processors of a server
cat /proc/cpuinfo | grep proc | tail -n 1
Show disk partitions and mounts
lsblk