{"id":1530,"date":"2013-01-02T08:26:32","date_gmt":"2013-01-02T16:26:32","guid":{"rendered":"http:\/\/www.wellgolly.com\/?p=1530"},"modified":"2013-02-04T09:23:51","modified_gmt":"2013-02-04T17:23:51","slug":"command-line-tips-and-tricks","status":"publish","type":"post","link":"https:\/\/www.wellgolly.com\/?p=1530","title":{"rendered":"Command line tips and tricks"},"content":{"rendered":"<p>While cleaning up my server recently I found that stringing together several commands with pipes made it easier to check logs, find defaults, and remember Linux commands.<\/p>\n<p><b>history<\/b><br \/>\nI don&#8217;t do a whole lot of things from the command line, so when I want to do something that I\u2019ve done recently, I just use the up arrow key to find the command from the last time I used it. If I\u2019ve done a lot of work on the command line, the history command will save some scrolling. Here\u2019s the tail end of a recent history command.<br \/>\n<pre><code class=\"preserve-code-formatting\">\n&nbsp;&nbsp;499&nbsp;&nbsp;exit\n&nbsp;&nbsp;500&nbsp;&nbsp;history\n&nbsp;&nbsp;501&nbsp;&nbsp;sudo grep sshd:session \/var\/log\/messages \n&nbsp;&nbsp;502&nbsp;&nbsp;sudo tail -n 1000 \/var\/log\/php\/error.log\n&nbsp;&nbsp;503&nbsp;&nbsp;sudo grep Authentication \/var\/log\/messages | wc -l\n&nbsp;&nbsp;504&nbsp;&nbsp;history\n<\/code><\/pre><\/p>\n<p>If I want to check the error log I can just up arrow a couple of times and then hit return. Or I could type !502 and hit return.<\/p>\n<p><b>grep and pipes<\/b><br \/>\nI can never remember all the options for tarring up a file, so I almost always find the last time I used it and use the same command again. But it was a while ago and searching through 500 lines of history isn\u2019t particularly efficient. That\u2019s where grep and pipes come in.<\/p>\n<p><code class=\"preserve-code-formatting\">history | grep tar<\/code><\/p>\n<p>history normally displays on the default output, in this case the terminal. 
But you can redirect the output to another command or a file. I used the pipe | to redirect the 500 lines of history into the grep command and looked for the characters tar. Rather than displaying 500 lines, I got a few with restart and a couple with tar. The target characters are highlighted in red on the terminal.<br \/>\n<pre><code class=\"\u2019smaller\u2019 preserve-code-formatting\">\n&nbsp;&nbsp;279&nbsp;&nbsp;sudo \/etc\/init.d\/apache2 restart\n&nbsp;&nbsp;280&nbsp;&nbsp;sudo \/etc\/init.d\/mysql restart \n&nbsp;&nbsp;428&nbsp;&nbsp;sudo tar -czvf .\/mysql-backup.sql.tgz mysql-backup.sql \n<\/code><\/pre><\/p>\n<p>While checking the messages log, I noticed that someone was trying to break into the server by sending login requests every second or so. I was curious about how many attempts there were, so I looked for the words &#8216;Authentication failure&#8217; in the logs. Note that there is a space in the text I\u2019m looking for so I need to put the search text in quotes. I then piped the result to the wc -l command to count the number of lines. There were almost 10,000 all from the same IP address. We changed our iptables config to only allow 3 attempts from the same IP address and then disable logins for a while.<\/p>\n<p><pre><code class=\"\u2019smaller\u2019 preserve-code-formatting\">\n493&nbsp;&nbsp;sudo grep &#039;Authentication failure&#039; \/var\/log\/messages\n503&nbsp;&nbsp;sudo grep &#039;Authentication failure&#039; \/var\/log\/messages | wc -l<\/code><\/pre><\/p>\n<p>The output of 493 was thousands of lines like this\u2014all with different users.<br \/>\n<pre><code class=\"\u2019smallest\u2019 preserve-code-formatting\">\nJan&nbsp;&nbsp;1 11:04:56 server sshd[12551]: error: PAM: Authentication failure for illegal user testtest from 218.25.99.148\nJan&nbsp;&nbsp;1 11:05:05 server sshd[12564]: error: PAM: Authentication failure for root from 218.25.99.148\n<\/code><\/pre><\/p>\n<p>You can have multiple pipes as well. 
Here I want to check just the Authentication messages for Jan 3 so I cat the messages file to a grep that looks for Jan  3 (note the quotes) and then pipe that to a grep that looks for Authentication.<\/p>\n<p><pre><code class=\"\u2019smaller\u2019 preserve-code-formatting\">\nsudo cat \/var\/log\/messages | grep &#039;Jan&nbsp;&nbsp;3&#039;| grep Authentication<\/code><\/pre><\/p>\n<p>Now that the logs are cleaned up, I check for successful logins with this command:<br \/>\n<pre><code class=\"\u2019smaller\u2019 preserve-code-formatting\">\nsudo grep Accepted \/var\/log\/auth.log | tail -20<\/code><\/pre><\/p>\n<p>If there have been more than 20 logins since I last checked, I can make the number larger.<\/p>\n<p><b>php error log<\/b><br \/>\nWe have our server set up to put error messages into an error log rather than displaying them on the screen. Visitors to the site don&#8217;t care about the error messages and crackers can take advantage of the messages to exploit vulnerabilities so there is no reason to display them. However, if you are writing a new page or changing an existing one, you as a programmer can benefit from knowing where your code failed. When I\u2019m coding I always have a terminal window open with this command running.<\/p>\n<p><code class=\"preserve-code-formatting\">tail -f \/var\/log\/php\/error.log<\/code><\/p>\n<p><b>One more grep command<\/b><br \/>\nWhen we updated to the latest version of PHP we started getting messages in the logs for deprecated commands. We fixed most of them, but the locations of others weren\u2019t obvious from the error messages. Specifically, we needed to replace all of the places we used PEAR to access the MySQL database. So starting at the root of our website code I look for every file where we use the PEAR initialization code for MySQL. The -R in the grep command means to recursively search through all folders. You start with the current location and traverse the entire directory tree. 
Notice the * at the end of the command. I don\u2019t want to look at a specific file, like I did in other examples, but want to look at all files.<\/p>\n<p><code class=\"preserve-code-formatting\">grep -R initialize_db.inc *<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>While cleaning up my server recently I found that stringing together several commands with pipes made it easier to check logs, find defaults, and remember Linux commands. history I don&#8217;t do a whole lot of things from the command line, so when I want to do something that I\u2019ve done recently, I just use the &hellip; <a href=\"https:\/\/www.wellgolly.com\/?p=1530\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Command line tips and tricks<\/span><\/a><\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16],"tags":[],"class_list":["post-1530","post","type-post","status-publish","format-standard","hentry","category-computers"],"_links":{"self":[{"href":"https:\/\/www.wellgolly.com\/index.php?rest_route=\/wp\/v2\/posts\/1530","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wellgolly.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wellgolly.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wellgolly.com\/index.php?rest_route=\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wellgolly.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1530"}],"version-history":[{"count":0,"href":"https:\/\/www.wellgolly.com\/index.php?rest_route=\/wp\/v2\/posts\/1530\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.wellgolly.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1530"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wellgolly.com\/index.php?rest_route=%2Fwp%2Fv2%2Fc
ategories&post=1530"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wellgolly.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1530"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}