Linux shell / bash /commands cheatsheet

Use VI like tail -f but with syntax highlighting:

  • vi /var/log/syslog
  • :set autoread | au CursorHold * checktime | call feedkeys("lh")
  • press "G" to go to the end of the file

Explain shell commands

Bash redirection

to file

  • command > stdout.txt
  • command 2> stderr.txt
  • command &> stdout_and_err.txt
  • command > stdout.txt 2> stderr.txt


  • command |& cat
    • pipe stdout + stderr

Advanced with pipe

  • command | tee stdout.txt    outputs stdout to shell and stdout.txt

Be careful, tee swallows the exit code!

  • false | tee /dev/null;echo $?
    • "0" !!! = the return code of tee. Workaround, use pipefail:
  • set -o pipefail && false | tee /dev/null;echo $?
    • "1" -> good!


TODO: check the following for exit code preservation:

Output stdout+stderr and log to files:

  • command > >(tee --append stdout.txt) 2> >(tee --append stderr.txt >&2) | cat

Ideal for cronjobs: Logs stdout and stderr to the same file, outputs stderr but hides stdout

  • command > >(tee --append command.log > /dev/null) 2> >(tee --append command.log >&2) | cat

The final "| cat" returns to the prompt


Remove all partitions

dd if=/dev/zero of=/dev/sdb bs=512 count=1

Or safer, because it warns when overwriting active partitions:

wipefs --all /dev/sdb

sgdisk --zap-all /dev/sdb

List all network devices in local network

nmap -sP

All running processes

ps -aux

Kill a process: kill -9 2745

Log Top 10 Processes

watch -t -n 10 "top -b -n 1 | head -n 17 | tee -a /var/log/top.log"

  • watch -n 10 (every 10 seconds) -t (without header)
  • top -b (batch)  -n 1 (only one iteration/refresh)
  • head -n 17 (show the first 17 lines)
  • tee -a log.log (-a append)

List open ports

netstat -pntl

Number of files in directory

ls -1 | wc -l

Delete files modified older than one month

Values are in minutes

find /var/lib/php/sessions/ -type f -cmin +43200 -delete


Inode information:

df -i

Find directory which uses most inodes

find /var -xdev -printf '%h\n' | sort | uniq -c | sort -k 1 -n


"list open files" - show all open handels. Can be used as a last resort action to find out who blocks a file/device

lsof | grep /mnt


Shows which process access the harddrive (with "-c"  in the current directory)

fatrace -c

Monitor which files a process accesses

strace -p 1234

Log harddrive access

E.g. to find out what wakes up a hdd

  • echo 1 | sudo tee /proc/sys/vm/block_dump
  • tail -f /var/log/syslog | grep sdb


total foreach subdir

du --max-depth=1 -h


du ./* -shx

Force du to include hidden directories (.dir/)

du .[!.]* * -shx

sort by size, human readable

du -hs ./* | sort -h

Find big files

find / -size +10M -ls


Get the current unix timestamp

date +%s


Get a list of disks

  • parted
    • print devices

Get uuids of disks for fstab

  • blkid

Get uuid for a device

  • blkid -o value -s UUID /dev/sda1

Great overview over disks and partitions


Remove MBR

E.g. from bootable USB-Stick

  • sudo dd if=/dev/zero of=/dev/sdc bs=446 count=1


  • fsck.ext3 -v -f -c -y /dev/sdb1
  • smartctl -a /dev/sdb

GUI: palimpsest


Look for incoming ssh traffic

tcpdump 'tcp port 80'


Look for i/o intensive processes

ip link

Show hardware network interfaces

Correct edit time of files

30 minutes in the future. For the past use "30 minutes ago"

touch -d "30 minutes" filename.txt


Permanently disable a service

systemctl disable smartmontools

Show logs of shutdown / reboots

Display list of last reboot entries: last reboot | less

Display list of last shutdown entries: last -x | less

or more precisely: last -x | grep shutdown | less

Use comments in single line commands

  • date; `# show the current date`; ls -l; `# show contents of current directory`; hostname --fqdn; `# show fqdn of hostname`

Or split to multiple lines for better readability

  • date;             `# show the current date`; \
    ls -l;            `# show contents of current directory`; \
    hostname --fqdn;  `# show fqdn of hostname`

Add user with disabled password

  • adduser --disabled-password myusername

Get current network interface name

ls /sys/class/net | grep enp

Search and Replace with sed

  • sed 's/search/replace/g'
  • sed 's/^search/replace/g'
    • "search" needs to be at the begining of the line