# LinkedIn Post Seeds

Generated: 2026-06-25T13:20:11Z

## Your Site Is Not Down. DNS Might Be Lying.

The browser said the site was gone. The server was answering fine.

Command:
`curl --resolve example.com:443:203.0.113.10 https://example.com/`

A domain appears unreachable, but you need to separate a real server outage from stale or wrong DNS.

Question: When a site disappears, do you check DNS first or the web server first?

Full terminal demo and notes: https://linuxoneliners.com/lessons/curl-resolve-site-check/

---

## Find the Files Eating Your Disk

The disk was full, but guessing at folders was the slow part.

Command:
`find /var -type f -printf '%s %p\n' | sort -nr | head -20`

A machine is low on disk space and you need to quickly find the largest files under a path.

Question: What is the first disk-space command you usually run?

Full command and safer cleanup notes: https://linuxoneliners.com/lessons/find-large-files/

---

## Run Rsync Without Deleting Your Backup

One rsync flag can save you. Another can erase the wrong side.

Command:
`rsync -avhn --delete ./source/ ./backup/`

You need to preview an rsync operation before moving or deleting files.

Question: Have you ever seen `rsync --delete` pointed the wrong way?

Full demo and safer checklist: https://linuxoneliners.com/lessons/rsync-dry-run/

---

## Watch Logs Without Opening the Whole File

The app was failing now. Opening a giant log file was the wrong move.

Command:
`tail -n 80 -f /var/log/nginx/error.log`

You need to watch recent log lines while a service or script is actively failing.

Question: Do you inspect logs before or after reproducing a bug?

Full log-watching demo: https://linuxoneliners.com/lessons/tail-live-logs/

---

## Find Errors Before Reading Every Log Line

The error was in the log. The problem was finding it without reading noise.

Command:
`grep -iE 'error|failed|denied|timeout' /var/log/nginx/error.log | tail -40`

A log file has too much output and you need a quick first pass for failure words.

Question: What failure words do you grep for first?

Full grep pattern and caveats: https://linuxoneliners.com/lessons/grep-errors-in-logs/

---

## Check What Is Actually Listening

The app was running. The port was not listening.

Command:
`ss -tulpn | grep -E ':(80|443)[[:space:]]'`

A service appears started, but you need to confirm whether anything is listening on the expected port.

Question: When a service is up but unreachable, do you check the port or the logs first?

Full listener check demo: https://linuxoneliners.com/lessons/check-listening-ports/

---

## Inspect Permissions Before Changing Them

The permission fix was easy. Knowing what not to chmod was the hard part.

Command:
`namei -l /var/www/example/index.html`

A file or directory has a permission issue, but recursive fixes could break more than they repair.

Question: What permission command do you trust before reaching for `chmod -R`?

Full permission inspection demo: https://linuxoneliners.com/lessons/inspect-permissions/

---

## Find the Exact Log Line Before You Scroll

The error was there. The useful part was knowing exactly where it was.

Command:
`grep -inE 'error|failed|denied|timeout' /var/log/nginx/error.log`

A log file contains likely failures, but you need line numbers so you can inspect context around the match.

Question: Do you jump straight into logs, or search for line numbers first?

Full line-number grep demo: https://linuxoneliners.com/lessons/grep-line-numbers/

---

## Find Which Folder Is Filling the Disk

The disk was full. The fastest clue was the folder, not the file.

Command:
`du -sh /var/* 2>/dev/null | sort -h`

A server is low on disk and you need a quick folder-level view before drilling into files.

Question: Do you start disk cleanup with `du` or `find`?

Full disk triage demo: https://linuxoneliners.com/lessons/disk-usage-by-folder/

---

## Show Only Recent Errors

The log had old failures too. I only cared about the newest ones.

Command:
`grep -iE 'error|failed|denied|timeout' /var/log/nginx/error.log | tail -10`

A noisy log contains old and new errors, and you need the most recent likely failures.

Question: When logs are noisy, do you filter first or tail first?

Full recent-error demo: https://linuxoneliners.com/lessons/recent-log-errors/

---

## Preview What Rsync Would Delete

`rsync --delete` is useful. It is also how people erase the wrong side.

Command:
`rsync -avhn --delete ./source/ ./backup/ | grep '^deleting'`

You need to know which files rsync would delete before running a real sync.

Question: Would you run `rsync --delete` without checking the delete list first?

Full dry-run delete demo: https://linuxoneliners.com/lessons/rsync-show-deletes/

---

## Check Owner and Mode in One Line

The file existed. The owner and mode explained why it still failed.

Command:
`stat -c '%A %U:%G %n' /var/www/example/index.html`

A path exists but access fails, and you need owner, group, and mode quickly.

Question: Do you use `stat` or `ls -l` first for permission issues?

Full ownership check demo: https://linuxoneliners.com/lessons/file-owner-and-mode/

---

## Find the Processes Using Memory

The server felt slow. Memory pressure was the first thing to rule out.

Command:
`ps -eo pid,comm,%mem,%cpu --sort=-%mem | head`

You need a quick process-level view of memory usage.

Question: What do you check first when a VPS feels slow?

Full memory triage demo: https://linuxoneliners.com/lessons/list-processes-by-memory/

---

## Show Big Files in Human Units

Byte counts are precise. Human units are faster under pressure.

Command:
`find /var -type f -printf '%s %p\n' | sort -nr | head -10 | awk '{size=$1; sub(/^[0-9]+ /, ""); printf "%.1f MB %s\n", size/1024/1024, $0}'`

You need to find large files and read their sizes without mentally converting bytes.

Question: Do you prefer raw bytes or human units during disk cleanup?

Full large-file demo: https://linuxoneliners.com/lessons/show-top-files-human/

---

## Find What Is Using a Local Dev Port

Your dev server says port 3000 is busy. Ask macOS who is holding it.

Command:
`lsof -nP -iTCP:3000 -sTCP:LISTEN`

A local server will not start because another process is already listening on the same TCP port.

Question: What is your fastest habit for debugging EADDRINUSE on macOS?

Save this for the next time your local server refuses to start: https://linuxoneliners.com/lessons/mac-find-what-is-using-port/

---

## Stop the Process Blocking a Dev Port

Free a stuck dev port without hunting through Activity Monitor.

Command:
`lsof -ti tcp:3000 -sTCP:LISTEN | xargs kill`

A stale local server keeps listening on a port after its terminal window was closed.

Question: Do you prefer killing stale dev servers by PID, port, or process name?

Use this carefully when a local server leaves a port behind: https://linuxoneliners.com/lessons/mac-stop-process-on-port/

---

## Show Your PATH One Entry Per Line

Wrong Node, Python, or FFmpeg? Start by reading your PATH clearly.

Command:
`echo "$PATH" | tr ':' '\n' | nl -ba`

A tool runs from an unexpected location because PATH order is unclear.

Question: How often do your toolchain bugs turn out to be PATH order problems?

Save this as the first check for weird CLI resolution issues: https://linuxoneliners.com/lessons/mac-show-path-lines/

---

## See Exactly Which Command macOS Will Run

Before blaming npm, Python, or Git, check the binary your shell actually found.

Command:
`command -v node && node -v`

Multiple versions of the same command are installed and the shell may be choosing the wrong one.

Question: What command has bitten you most often because the wrong version was first in PATH?

Run this before reinstalling a toolchain: https://linuxoneliners.com/lessons/mac-which-command-will-run/

---

## Find Large Files Inside a Project

Before committing, check whether a huge video, build artifact, or export slipped into your repo.

Command:
`find . -type f -size +100M -print`

A project folder contains unexpectedly large files that slow sync, backups, or Git operations.

Question: What large file type most often sneaks into your projects: video, zip, database, or build output?

Run this before pushing a repo that suddenly feels slow: https://linuxoneliners.com/lessons/mac-find-large-project-files/

---

## Find Which Folder Is Eating Disk Space

When your Mac is full, start with the biggest folders in the current directory.

Command:
`du -sh ./* 2>/dev/null | sort -h`

Disk space is low and the user needs to identify which project folder or cache is largest.

Question: What is usually the biggest disk-space offender on your Mac?

Use this from a specific folder when storage gets tight: https://linuxoneliners.com/lessons/mac-sort-folder-size/

---

## Flush macOS DNS Cache

Changed DNS but your Mac still visits the old place? Flush the resolver cache.

Command:
`sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder`

macOS may keep using cached DNS answers after a domain, hosts entry, or local network record changes.

Question: When DNS debugging gets weird, do you check local cache before waiting on propagation?

Keep this around for local domain and VPN troubleshooting: https://linuxoneliners.com/lessons/mac-flush-dns-cache/

---

## Watch a Log or Build File Update

Need to see whether a file is still changing? Let tail follow it live.

Command:
`tail -f ./app.log`

A developer or creator needs to monitor a changing log, export report, or build output file.

Question: What local file do you tail most often while building?

Use this for quick live feedback without opening another app: https://linuxoneliners.com/lessons/mac-watch-file-changes/

---

## Search a Log for Errors With Context

A wall of logs is useless until you pull the error and the lines around it.

Command:
`grep -n -C 2 'ERROR' ./app.log`

A local log contains too many lines to manually scan for the relevant failure.

Question: Do you usually search logs directly, or save command output to a file first?

Try context lines the next time a log is too noisy: https://linuxoneliners.com/lessons/mac-search-logs-for-errors/

---

## Check a URL Without Downloading the Page

Before opening a broken page in five browsers, ask the server for headers.

Command:
`curl -I https://example.com`

A developer needs to confirm whether a local or remote URL returns the expected status, redirect, or content type.

Question: What header do you check first when a web page behaves strangely?

Use this before opening another browser tab: https://linuxoneliners.com/lessons/mac-test-url-headers/

---

## List Newest Source Files Before Backup

Before trusting a backup, know which files changed most recently.

Command:
`find source -type f -printf '%TY-%Tm-%Td %TH:%TM %p\n' | sort`

You need a timestamp-sorted view of source files before comparing backups.

Question: Do you check recent source changes before validating a backup?

Timestamp the source tree before comparing it: https://linuxoneliners.com/lessons/backup-list-newest-source-files/

---

## Create a SHA256 Checksum Manifest

A file list says what exists; checksums say whether bytes match.

Command:
`sha256sum source/app/config.yml source/content/index.md source/content/about.md source/assets/logo.svg`

You need checksums for key files before copying or archiving them.

Question: Do you generate checksums before moving critical small files?

Use checksums when exact bytes matter: https://linuxoneliners.com/lessons/backup-create-checksum-manifest/

---

## Verify a SHA256 Checksum Manifest

A checksum file is only useful if you actually verify it.

Command:
`sha256sum -c checksums.sha256`

You need to confirm files still match a saved SHA256 manifest.

Question: Do you verify checksum manifests after restores, or just create them?

Run the manifest check after copying data: https://linuxoneliners.com/lessons/backup-verify-checksum-manifest/

---

## Compare Source and Backup File Lists

A backup can be missing files and still look plausible at a glance.

Command:
`comm -3 <(find source -type f | sed 's#^source/##' | sort) <(find backup -type f | sed 's#^backup/##' | sort)`

You need to compare relative file paths in source and backup directories.

Question: Do you compare backup file presence separately from file contents?

Start with relative path lists, then verify bytes: https://linuxoneliners.com/lessons/backup-compare-source-and-backup-file-lists/

---

## Preview Backup Drift with rsync

Rsync can tell you what would change before it changes anything.

Command:
`rsync -ain --delete source/ backup/`

You need to see source-to-backup drift without modifying the backup.

Question: Do you read rsync itemized output before removing --dry-run?

Keep -n until the drift makes sense: https://linuxoneliners.com/lessons/backup-rsync-dry-run-itemize/

---

## Find Empty Files in a Backup

Zero-byte files can be normal, or they can be failed writes.

Command:
`find backup -type f -size 0 -print`

You need to spot empty files inside a backup tree.

Question: Do you flag zero-byte files in backup reports?

Treat empty files as a triage signal, not automatic failure: https://linuxoneliners.com/lessons/backup-find-empty-files/

---

## List Largest Files in a Backup

Large backup files are where storage surprises usually start.

Command:
`find backup -type f -printf '%s %p\n' | sort -nr | head`

You need to rank backup files by size.

Question: When backup storage grows, do you rank files by size first?

Use size ranking before cleanup decisions: https://linuxoneliners.com/lessons/backup-list-largest-files/

---

## List Contents of a Backup Tarball

You can inspect an archive without extracting it.

Command:
`tar -tf archives/site-backup.tar | sort | head`

You need to see what a backup tarball contains before restoring it.

Question: Do you inspect tarball contents before extracting backups?

List first, restore second: https://linuxoneliners.com/lessons/backup-list-tar-contents/

---

## Count Source Files by Extension

A quick extension count can show whether expected content made it into the source tree.

Command:
`find source -type f -printf '%f\n' | sed -n 's/.*\.//p' | sort | uniq -c | sort -nr`

You need a small inventory of source file types.

Question: Do you inventory file types when validating backups?

Use extension counts as a quick sanity check: https://linuxoneliners.com/lessons/backup-count-source-file-types/

---

## Find Files Newer Than a Backup Snapshot

Files newer than the last snapshot are the ones most likely missing from it.

Command:
`find source -type f -newer backup/.snapshot -print | sort`

You need to list source files changed after the backup snapshot marker.

Question: Do you keep a snapshot marker for quick backup freshness checks?

Use newer-than checks as one backup signal: https://linuxoneliners.com/lessons/backup-find-files-newer-than-snapshot/

---

## Check Whether PostgreSQL Is Accepting Connections

The database was running, but it was not ready.

Command:
`pg_isready -h 127.0.0.1 -p 5432`

An app cannot reach PostgreSQL and you need a quick first-response check before digging into logs or credentials.

Question: When an app cannot reach Postgres, do you check readiness before logs?

Postgres first-response demo: https://linuxoneliners.com/lessons/postgres-check-server-readiness/

---

## Show Active PostgreSQL Connections

The database was not down. It was full.

Command:
`psql -X -A -F '|' -c "select pid,usename,datname,state,client_addr from pg_stat_activity order by state, pid;"`

PostgreSQL is slow or rejecting clients and you need to see current sessions quickly.

Question: Do you check active database sessions before restarting PostgreSQL?

Connection triage demo: https://linuxoneliners.com/lessons/postgres-show-active-connections/

---

## Find Long-Running PostgreSQL Queries

One query can make the whole app look broken.

Command:
`psql -X -c "select pid, now() - query_start as age, state, left(query, 80) as query from pg_stat_activity where query_start is not null order by age desc limit 10;"`

PostgreSQL is slow and you need to identify queries that have been running the longest.

Question: What is your first command when PostgreSQL suddenly feels slow?

Long-query inspection demo: https://linuxoneliners.com/lessons/postgres-find-long-running-queries/

---

## Check PostgreSQL Lock Waits

The outage was a queue, not a crash.

Command:
`psql -X -c "select pid, wait_event_type, wait_event, state, left(query, 80) as query from pg_stat_activity where wait_event_type is not null order by pid;"`

Writes are stuck and you need to see whether sessions are waiting on locks.

Question: Do you check wait events before restarting a stuck database?

Postgres lock-wait demo: https://linuxoneliners.com/lessons/postgres-check-lock-waits/

---

## Show PostgreSQL Database Sizes

Disk pressure starts with knowing what grew.

Command:
`psql -X -c "select datname, pg_size_pretty(pg_database_size(datname)) as size from pg_database order by pg_database_size(datname) desc;"`

Disk usage is rising and you need a quick database-level size breakdown.

Question: When database storage grows, do you check database sizes before tables?

Postgres size demo: https://linuxoneliners.com/lessons/postgres-show-database-sizes/

---

## Check Whether MySQL Responds

The port was open. MySQL still had to answer.

Command:
`mysqladmin ping -h 127.0.0.1 -P 3306`

An app cannot connect to MySQL and you need to distinguish a dead server from a credential or query issue.

Question: Do you separate MySQL reachability from credential checks during incidents?

MySQL ping demo: https://linuxoneliners.com/lessons/mysql-check-server-ping/

---

## Show Active MySQL Sessions

The app was waiting behind busy sessions.

Command:
`mysql -e "show full processlist;"`

MySQL is slow or rejecting clients and you need a quick view of active sessions.

Question: What do you check before restarting a slow MySQL server?

MySQL processlist demo: https://linuxoneliners.com/lessons/mysql-show-processlist/

---

## Find Long-Running MySQL Queries

One old query explained the whole slowdown.

Command:
`mysql -e "select id,user,host,db,command,time,state,left(info,80) as info from information_schema.processlist where command <> 'Sleep' order by time desc limit 10;"`

MySQL is slow and you need to identify queries that have been running the longest.

Question: Do you sort MySQL sessions by runtime during slow incidents?

Long MySQL query demo: https://linuxoneliners.com/lessons/mysql-find-long-running-queries/

---

## Show MySQL Database Sizes

The storage alert needed a database name.

Command:
`mysql -e "select table_schema, round(sum(data_length + index_length)/1024/1024, 1) as mb from information_schema.tables group by table_schema order by mb desc;"`

Disk usage is rising and you need to know which MySQL schemas are largest.

Question: When MySQL disk usage grows, do you check schema sizes first?

MySQL size demo: https://linuxoneliners.com/lessons/mysql-check-database-sizes/

---

## Check Whether Databases Listen Publicly

The fastest database security check is the listening address.

Command:
`ss -ltnp | awk '$4 ~ /:(5432|3306)$/ {print}'`

You need to know whether PostgreSQL or MySQL is exposed beyond localhost.

Question: Do you check database bind addresses during VPS security reviews?

Database exposure demo: https://linuxoneliners.com/lessons/database-check-public-listeners/

---

## Tail the Failing CI Lines

Skip the full CI log and jump straight to lines that usually explain the failure.

Command:
`grep -RInE 'error|failed|exception|traceback|fatal' logs/ | tail -50`

A build log is thousands of lines long and the useful error is buried near the end.

Question: What is the first command you run when a CI log is too noisy?

Share your fastest deployment triage one-liner: https://linuxoneliners.com/lessons/tail-failing-ci-log-lines/

---

## List Newest Build Artifacts

Confirm what your pipeline actually produced before you deploy it.

Command:
`find artifacts/ -type f -printf '%TY-%Tm-%Td %TH:%TM %10s %p\n' | sort | tail -20`

A deployment references an artifact, but you are not sure which files were built most recently.

Question: Do you verify artifacts before deploy, or trust the pipeline name?

Save this for your next release check: https://linuxoneliners.com/lessons/list-newest-build-artifacts/

---

## Check the Current Release Symlink

One glance tells you which release directory production is pointing at.

Command:
`readlink -f releases/current && ls -ld releases/current`

A deploy uses a current symlink and you need to verify the active release.

Question: Does your deploy system make the active release obvious?

Use this before blaming the app code: https://linuxoneliners.com/lessons/check-current-release-symlink/

---

## Find the Largest CI Logs

Huge logs often point to loops, noisy tests, or runaway debug output.

Command:
`find logs/ -type f -printf '%s %p\n' | sort -nr | head -10`

A CI job is slow or hard to inspect because some logs are unexpectedly large.

Question: Have oversized logs ever hidden the real failure from your team?

Try sorting logs by size during your next CI cleanup: https://linuxoneliners.com/lessons/find-largest-ci-logs/

---

## Show Release Directory Ages

See your newest release directories without opening a dashboard.

Command:
`find releases/ -mindepth 1 -maxdepth 1 -type d -printf '%T@ %TY-%Tm-%Td %TH:%TM %p\n' | sort -nr | head -10 | cut -d' ' -f2-`

You need to confirm recent releases exist and identify their order.

Question: How do you confirm the release directory you expect is actually present?

Add this to your deployment triage notes: https://linuxoneliners.com/lessons/show-release-directory-ages/

---

## Extract Environment Names Only

Audit environment labels without printing secret values.

Command:
`grep -RhoE 'ENVIRONMENT|NODE_ENV|APP_ENV|RAILS_ENV' config deploy | sort -u`

You need to see which environment names appear in config files, but must avoid exposing secrets.

Question: Do your deployment checks avoid printing secret values by default?

Use name-only checks when sharing terminal output: https://linuxoneliners.com/lessons/extract-env-names-from-configs/

---

## Smoke Check an HTTP Status

A deploy is not done until the endpoint answers.

Command:
`curl -fsS -o /dev/null -w '%{http_code} %{time_total}s\n' https://example.com/health`

You need a quick status-code check after a deployment.

Question: What is your minimum smoke check after deployment?

Post the one command your team trusts: https://linuxoneliners.com/lessons/smoke-check-http-status/

---

## Compare Artifact Checksums

Verify two artifact copies match before blaming deployment code.

Command:
`sha256sum artifacts/app.tar.gz releases/current/app.tar.gz`

You need to confirm whether a built artifact and deployed artifact are identical.

Question: Do you verify artifact identity during deployment incidents?

Keep checksum checks in your rollback playbook: https://linuxoneliners.com/lessons/compare-artifact-checksums/

---

## Count Failures by Test File

Turn noisy test logs into a ranked failure list.

Command:
`grep -RhoE '[A-Za-z0-9_./-]+\.(test|spec)\.(js|ts|py|rb)' logs/ | sort | uniq -c | sort -nr | head`

A CI log has repeated failures and you need to see which files appear most often.

Question: When many tests fail, do you rank the failures or inspect them in log order?

Try counting repeated test paths first: https://linuxoneliners.com/lessons/count-failures-by-test-file/

---

## Inspect Release Disk Usage

Disk pressure during deploys often starts in old release directories.

Command:
`du -sh releases/* 2>/dev/null | sort -h | tail -10`

A host is low on disk and release directories may be taking too much space.

Question: What usually fills disk first on your deployment hosts?

Measure before cleanup, especially during incidents: https://linuxoneliners.com/lessons/inspect-release-disk-usage/

---

## Check Image Tags in Manifests

Find the image tags your deployment files reference without printing env values.

Command:
`grep -RhoE 'image:[[:space:]]*[^[:space:]]+' deploy/ | sort -u`

You need to confirm which container image tags are present in deployment manifests.

Question: Have you ever deployed the right code with the wrong image tag?

Add a manifest tag check to your release routine: https://linuxoneliners.com/lessons/check-container-image-tag-in-manifest/

---

## Show Containers in a Clean Triage Table

Turn noisy docker ps output into the few fields operators scan first.

Command:
`docker ps -a --format 'table {{.Names}}\t{{.Status}}\t{{.Image}}\t{{.Ports}}'`

You need a fast view of container state, image, uptime, and published ports without wrapped columns hiding the important parts.

Question: What fields do you always want in your first Docker triage view?

Save this for the next time docker ps output is too noisy to scan: https://linuxoneliners.com/lessons/docker-ps-human-table/

---

## Find Restarting Containers Fast

Restart loops hide in plain sight unless you filter for them.

Command:
`docker ps -a --filter status=restarting --format 'table {{.Names}}\t{{.Status}}\t{{.Image}}'`

A service is unstable and you need to quickly identify containers stuck restarting.

Question: Do you check restart loops before digging into app logs?

Keep this one-liner handy for outage triage: https://linuxoneliners.com/lessons/docker-restarting-containers/

---

## Check Container Health Status

Docker may say a container is running while its health check says otherwise.

Command:
`docker inspect --format '{{.Name}} health={{if .State.Health}}{{.State.Health.Status}}{{else}}none{{end}} status={{.State.Status}}' web`

You need to see health-check state without opening a full inspect dump.

Question: How often do you see running containers that are still unhealthy?

Add this to your Docker incident checklist: https://linuxoneliners.com/lessons/docker-container-health-status/

---

## Read Recent Container Logs

Skip the million-line log scroll and read only the recent failure window.

Command:
`docker logs --since 10m --tail 100 api`

A container is failing and full logs are too large or too noisy.

Question: What time window do you usually start with when reading container logs?

Use this pattern before opening full logs: https://linuxoneliners.com/lessons/docker-tail-recent-logs/

---

## Snapshot Container CPU and Memory

Get Docker resource usage once, without leaving a live dashboard running.

Command:
`docker stats --no-stream --format 'table {{.Name}}\t{{.CPUPerc}}\t{{.MemUsage}}\t{{.NetIO}}\t{{.BlockIO}}'`

You need a quick CPU and memory snapshot for running containers.

Question: Do you prefer one-shot resource snapshots or live terminal dashboards during incidents?

Save this for quick host pressure checks: https://linuxoneliners.com/lessons/docker-stats-once/

---

## Show Published Container Ports

When a service is unreachable, confirm Docker is publishing the port you think it is.

Command:
`docker port web`

You need to map container ports to host ports without scanning firewall rules.

Question: What is your first check when a containerized web service is unreachable?

Keep this command in your web service triage notes: https://linuxoneliners.com/lessons/docker-port-map/

---

## Summarize Docker Disk Usage

See how Docker storage is split across images, containers, volumes, and cache.

Command:
`docker system df -v`

The host disk is full and you need a safe storage summary before cleanup.

Question: What Docker storage category has surprised you most during disk incidents?

Run this before reaching for cleanup commands: https://linuxoneliners.com/lessons/docker-system-df-verbose/

---

## Inspect Container Environment Names

Check what environment variables exist without printing their secret values.

Command:
`docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' api | sed 's/=.*$/=<redacted>/'`

You need to know whether expected env vars are present, but dumping values may expose credentials.

Question: Have you seen secrets accidentally pasted from docker inspect output?

Use redacted config checks when sharing triage output: https://linuxoneliners.com/lessons/docker-container-env-redacted/

---

## See Container Network Attachments

A container can be healthy and still attached to the wrong network.

Command:
`docker inspect --format '{{.Name}} {{range $name, $net := .NetworkSettings.Networks}}{{$name}} {{$net.IPAddress}} {{end}}' api`

Services cannot reach each other and you need to confirm container network membership.

Question: How often are container networking bugs really attachment or naming issues?

Add this to your container connectivity checklist: https://linuxoneliners.com/lessons/docker-network-container-map/

---

## Review Recent Docker Events

Docker keeps a recent event trail for starts, stops, pulls, and health changes.

Command:
`docker events --since 30m --until 0s`

Something changed on the host and you need a quick timeline of recent Docker activity.

Question: Do you check Docker events during incident timelines?

Try this before digging through every service log: https://linuxoneliners.com/lessons/docker-events-recent/

---

## Read UFW Policy Verbosely

The firewall was active, but the defaults mattered more than the rule list.

Command:
`ufw status verbose`

You need the UFW default policy, logging state, and allowed inbound rules in one readable snapshot.

Question: Do you check firewall defaults before reading individual rules?

Start exposure triage with the policy snapshot: https://linuxoneliners.com/lessons/firewall-ufw-status-verbose/

---

## List Numbered UFW Rules

Numbered rules make firewall review less ambiguous.

Command:
`ufw status numbered`

You need a compact, ordered UFW rule list that can be discussed or reviewed without editing anything.

Question: Do you capture numbered firewall rules before changing UFW?

Use numbered output for review, not guesswork: https://linuxoneliners.com/lessons/firewall-ufw-numbered-rules/

---

## Show the nftables Input Chain

The packet path was hiding below UFW.

Command:
`nft list ruleset | sed -n '/chain input/,/}/p'`

You need to inspect the nftables input chain policy and the key accept or drop rules.

Question: When UFW output is not enough, do you inspect nftables directly?

Read the input chain before changing policy: https://linuxoneliners.com/lessons/firewall-nft-input-policy/

---

## Show iptables INPUT Rules

Legacy firewall state can still explain live exposure.

Command:
`iptables -S INPUT`

You need a concise view of the iptables INPUT chain policy and rules.

Question: Do you still check iptables on mixed firewall hosts?

Capture the INPUT chain before editing rules: https://linuxoneliners.com/lessons/firewall-iptables-input-rules/

---

## List Listening TCP Sockets

Firewall rules matter after you know what is listening.

Command:
`ss -ltnp`

You need to see which TCP sockets are listening and which process owns each one.

Question: Do you list listening sockets before changing firewall rules?

Pair socket state with firewall policy: https://linuxoneliners.com/lessons/exposure-list-listening-sockets/

---

## Show Publicly Bound Listeners

Localhost services are different from public listeners.

Command:
`ss -ltnp | awk 'NR==1 || $4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/'`

You need to filter listening sockets down to services bound on all interfaces or IPv6 wildcard addresses.

Question: Do you separate localhost listeners from public bind addresses during exposure checks?

Build the public listener worklist first: https://linuxoneliners.com/lessons/exposure-public-listeners-only/

---

## Find Allowed Ports with No Listener

An open firewall rule can outlive the service it was created for.

Command:
`comm -23 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '/LISTEN/ {n=split($4,a,":"); print a[n]}' | sort -u)`

You need to find UFW-allowed ports that do not currently have a listening TCP socket.

Question: Do you look for firewall allow rules that no current listener uses?

Compare firewall policy with socket state: https://linuxoneliners.com/lessons/firewall-allowed-ports-without-listeners/

---

## Find Public Listeners Not Allowed by UFW

The process was public, but the firewall did not mention it.

Command:
`comm -13 <(ufw status numbered | awk '/ALLOW/ {print}' | grep -Eo '[0-9]+/(tcp|udp)' | cut -d/ -f1 | sort -u) <(ss -ltnp | awk '$4 ~ /^(0[.]0[.]0[.]0|[[]::[]]|[*]):/ {n=split($4,a,":"); print a[n]}' | sort -u)`

You need to find publicly bound listening ports that are not listed as UFW allow rules.

Question: Do you compare public listeners against firewall allow rules during hardening?

Find services outside the declared policy: https://linuxoneliners.com/lessons/exposure-public-listeners-not-in-ufw/

---

## Check Whether SSH Is Publicly Bound

SSH can be locked down by source and still bind publicly.

Command:
`ss -ltnp | awk '$4 ~ /:22$/ && $4 !~ /^127[.]/ {print}'`

You need to see whether SSH is listening on a non-localhost address.

Question: Do you check SSH bind address separately from firewall allow sources?

Review SSH exposure with both views: https://linuxoneliners.com/lessons/ssh-public-exposure-check/

---

## Show Local-Only Database Listeners

The database was listening, but only on localhost.

Command:
`ss -ltnp | awk '$4 ~ /^127[.]0[.]0[.]1:(5432|3306|6379)$/ {print}'`

You need to confirm common database ports are bound only to 127.0.0.1.

Question: Do you verify database bind addresses before touching firewall rules?

Check local-only listeners first: https://linuxoneliners.com/lessons/db-local-only-listeners/

---

## Test Nginx Before Reload

The config looked fine. Nginx disagreed before reload broke anything.

Command:
`nginx -t`

You changed an Nginx config and need to validate syntax before reloading the service.

Question: Do you run `nginx -t` before every reload?

Full Nginx syntax check demo: https://linuxoneliners.com/lessons/nginx-test-config/

---

## Show Enabled Nginx Sites

The config existed, but it was not enabled.

Command:
`ls -l /etc/nginx/sites-enabled/`

You need to see which Nginx site configs are actually enabled.

Question: Have you ever edited the available site instead of the enabled one?

Full enabled-sites demo: https://linuxoneliners.com/lessons/nginx-show-enabled-sites/

---

## Find Which Nginx Config Owns a Domain

The wrong server block was answering the domain.

Command:
`grep -R "server_name" /etc/nginx/sites-enabled/`

You need to find which Nginx config contains a domain's `server_name`.

Question: What do you check first when Nginx serves the wrong site?

Full server_name search demo: https://linuxoneliners.com/lessons/nginx-find-server-name/

---

## Check HTTP to HTTPS Redirect

HTTPS worked. The plain HTTP redirect still mattered.

Command:
`curl -I http://example.com`

You need to confirm that plain HTTP redirects to HTTPS.

Question: Do you test HTTP redirects after setting up SSL?

Full redirect check demo: https://linuxoneliners.com/lessons/check-http-redirect/

---

## Inspect Response Headers

The page loaded, but the headers told the operational story.

Command:
`curl -sI https://example.com`

You need to inspect server and security headers quickly.

Question: Which header do you check first on a new site?

Full response header demo: https://linuxoneliners.com/lessons/inspect-response-headers/

---

## Check a Domain A Record

The site was fine. The domain was pointed somewhere else.

Command:
`dig +short example.com A`

You need to see the IPv4 address a domain currently resolves to.

Question: When a site disappears, do you check DNS before Nginx?

Full A-record demo: https://linuxoneliners.com/lessons/dig-a-record/

---

## List Certbot Certificates

The certificate existed. The question was which domains it covered.

Command:
`certbot certificates`

You need to see Certbot-managed certificates and included domains.

Question: Do you check Certbot inventory before changing SSL config?

Full Certbot inventory demo: https://linuxoneliners.com/lessons/certbot-list-certs/

---

## Check the Current Release Symlink

The deploy finished. The symlink told me what was actually live.

Command:
`readlink -f /srv/www/example.com/current`

You need to verify which release directory a site is serving.

Question: Do your deploys expose a current symlink or release marker?

Full release symlink demo: https://linuxoneliners.com/lessons/check-nginx-symlink-target/

---

## Find Top 404 URLs

The missing file was not random. The access log had a pattern.

Command:
`awk '$9==404 {print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head`

You need to see which URLs are producing 404 responses.

Question: Do you check 404s after deploys?

Full Nginx 404 demo: https://linuxoneliners.com/lessons/nginx-find-404s/

---

## See Top Referrers

LinkedIn traffic was not a guess. The referrer field showed it.

Command:
`awk -F'"' '{print $4}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head`

You need a rough look at which referrers are sending requests.

Question: Do you trust platform analytics, server logs, or both?

Full referrer-count demo: https://linuxoneliners.com/lessons/watch-access-by-referrer/

---

## Find the Processes Burning CPU

A server feels slow, but you need proof before restarting anything.

Command:
`ps -eo pid,ppid,stat,pcpu,pmem,comm,args --sort=-pcpu | head -n 10`

You need to identify which processes are using the most CPU without changing system state.

Question: What is your first proof point before restarting a slow service?

Start with a read-only CPU snapshot before changing state: https://linuxoneliners.com/lessons/find-top-cpu-processes-with-ps/

---

## Find the Processes Eating Memory

Memory pressure can look like a slow app, a stuck deploy, or random crashes.

Command:
`ps -eo pid,ppid,stat,pcpu,pmem,rss,comm,args --sort=-pmem | head -n 10`

You need to see which processes are using the most RAM.

Question: When memory is tight, do you inspect total memory first or top processes first?

Use both, free for pressure and ps for suspects: https://linuxoneliners.com/lessons/find-top-memory-processes-with-ps/

---

## Check Memory Pressure with free

Linux memory numbers look scary until you know which column matters.

Command:
`free -h`

You need to tell whether the system is actually low on available memory.

Question: Which free column do you check first during memory triage?

Treat available memory as the first quick read: https://linuxoneliners.com/lessons/check-memory-pressure-with-free/

---

## Read Load Average Before You React

A high load number is a clue, not a diagnosis.

Command:
`uptime`

You need a fast snapshot of system load and how long the machine has been running.

Question: Do you read load average as a trend or a single number?

Compare the 1, 5, and 15 minute values before reacting: https://linuxoneliners.com/lessons/read-load-average-with-uptime/

---

## Check Filesystem Space with df

A full disk can break logins, uploads, databases, and deploys.

Command:
`df -h`

You need to see which mounted filesystem is low on space.

Question: What usually fills first on your VPS: logs, uploads, cache, or database files?

Use df first, then narrow with du: https://linuxoneliners.com/lessons/check-disk-space-with-df/

---

## Check Inodes When Disk Space Looks Fine

Sometimes the disk has free bytes but still cannot create files.

Command:
`df -ih`

You need to check whether a filesystem has run out of inodes.

Question: Have you hit inode exhaustion on a server that still had free GB?

Add df -ih to your disk triage checklist: https://linuxoneliners.com/lessons/check-inode-pressure-with-df-i/

---

## Find Large Directories with du

Once you know a filesystem is full, the next question is where.

Command:
`du -xh --max-depth=1 /var 2>/dev/null | sort -h`

You need to identify which top-level directory is using the most space.

Question: Do you start disk hunts at /, or narrow the path first?

Keep recursive size scans scoped during incidents: https://linuxoneliners.com/lessons/find-large-directories-with-du/

---

## Find Listening Ports with ss

Before blaming the firewall, check whether anything is actually listening.

Command:
`ss -ltnp`

You need to list local TCP services that are accepting connections.

Question: When a service is unreachable, do you check bind address before firewall rules?

Use ss to prove what is listening locally: https://linuxoneliners.com/lessons/find-listening-ports-with-ss/

---

## Find Open Deleted Files with lsof

A file can be deleted but still occupy disk while a process holds it open.

Command:
`lsof +L1`

You need to spot deleted files still held by running processes after cleanup.

Question: Have you ever deleted logs and wondered why disk space did not come back?

Check for open deleted files before restarting services blindly: https://linuxoneliners.com/lessons/find-open-deleted-files-with-lsof/

---

## Inspect Established Network Connections

Unexpected connections are easier to reason about when you can see them directly.

Command:
`ss -tan state established`

You need to list established TCP connections without changing network state.

Question: Do you inspect established sockets during incident timelines?

Use ss as a quick snapshot, then move to logs for history: https://linuxoneliners.com/lessons/inspect-established-connections-with-ss/

---

## List Tables in a SQLite Database

Before querying a database file, see what tables are actually inside it.

Command:
`sqlite3 app.db ".tables"`

You need a quick inventory of tables in a SQLite database.

Question: What is your first command when someone hands you a SQLite file?

Inventory tables before writing queries: https://linuxoneliners.com/lessons/sqlite-list-tables/

---

## Show One SQLite Table Schema

A failed query is often just a wrong assumption about column names.

Command:
`sqlite3 app.db ".schema users"`

You need to inspect the schema for one SQLite table.

Question: Do you inspect table schema before writing incident queries?

Let SQLite show the table shape first: https://linuxoneliners.com/lessons/sqlite-show-users-schema/

---

## Check SQLite Database Integrity

When a SQLite-backed app behaves strangely, first rule out file corruption.

Command:
`sqlite3 app.db "PRAGMA integrity_check;"`

You need a read-only integrity check for a SQLite database.

Question: Do you run integrity checks after SQLite-backed apps crash?

Rule out database damage early: https://linuxoneliners.com/lessons/sqlite-check-integrity/

---

## List SQLite User Tables Only

System metadata tables can distract from the app tables you care about.

Command:
`sqlite3 app.db "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name;"`

You need to list normal tables from sqlite_master.

Question: Do you prefer .tables or sqlite_master when scripting SQLite checks?

Use sqlite_master when output shape matters: https://linuxoneliners.com/lessons/sqlite-list-user-tables/

---

## Count Rows in Key SQLite Tables

A quick row count can reveal empty imports, runaway events, or missing data.

Command:
`sqlite3 app.db "SELECT 'users', count(*) FROM users UNION ALL SELECT 'orders', count(*) FROM orders UNION ALL SELECT 'events', count(*) FROM events;"`

You need row counts for several important SQLite tables in one command.

Question: Do you check row counts after restoring a SQLite backup?

Use small count queries for a first sanity pass: https://linuxoneliners.com/lessons/sqlite-count-key-tables/

---

## Show Indexes on a SQLite Table

Slow lookups often start with missing or misunderstood indexes.

Command:
`sqlite3 app.db "PRAGMA index_list('orders');"`

You need to inspect indexes attached to one SQLite table.

Question: Do you inspect existing indexes before adding a new one?

Check table indexes before performance changes: https://linuxoneliners.com/lessons/sqlite-show-order-indexes/

---

## Show Recent SQLite Events

For small apps, the quickest timeline may be inside the SQLite file.

Command:
`sqlite3 app.db "SELECT created_at, event_type FROM events ORDER BY created_at DESC LIMIT 5;"`

You need the most recent event rows from a SQLite events table.

Question: Do your small apps keep enough event data for local timeline checks?

Use recent rows as one incident clue: https://linuxoneliners.com/lessons/sqlite-show-recent-events/

---

## Count SQLite Events by Type

A noisy event type stands out faster when you group it.

Command:
`sqlite3 app.db "SELECT event_type, count(*) FROM events GROUP BY event_type ORDER BY count(*) DESC;"`

You need to summarize event counts by event_type in SQLite.

Question: When event volume changes, do you group by type before reading rows?

Summarize first, then inspect examples: https://linuxoneliners.com/lessons/sqlite-count-events-by-type/

---

## Find Duplicate Emails in SQLite

Duplicate account data is easier to spot with one grouped query.

Command:
`sqlite3 app.db "SELECT email, count(*) FROM users GROUP BY email HAVING count(*) > 1;"`

You need to find duplicate email values in a SQLite users table.

Question: Do you check duplicates after CSV imports into SQLite?

Find duplicate keys before changing rows: https://linuxoneliners.com/lessons/sqlite-find-duplicate-emails/

---

## Back Up a SQLite Database File

Copying a live SQLite file blindly can produce a bad backup.

Command:
`sqlite3 app.db ".backup backup/app.db"`

You need to create a SQLite backup through sqlite3 instead of a raw file copy.

Question: Do you use SQLite .backup before manual database fixes?

Create and verify a backup before risky data work: https://linuxoneliners.com/lessons/sqlite-backup-database-file/

---

## Find Duplicate Page Titles

Duplicate titles make a static site harder to scan in search results and browser tabs.

Command:
`grep -Rho --include='*.html' '<title>[^<]*</title>' public | sed 's#<title>##;s#</title>##' | sort | uniq -c | sort -nr`

You need to find repeated HTML title text across a built static site.

Question: Do you catch duplicate titles from templates before deploy?

Audit generated HTML, not just source templates: https://linuxoneliners.com/lessons/find-duplicate-page-titles/

---

## Find Pages Missing Canonical Links

Canonical tags are easy to drop when templates branch.

Command:
`find public -name '*.html' -print | while read -r f; do grep -qi 'rel="canonical"' "$f" || echo "$f"; done`

You need to list generated HTML pages that do not include a canonical link.

Question: Have you had one template path silently drop canonical tags?

Check the built files after template changes: https://linuxoneliners.com/lessons/find-pages-missing-canonical/

---

## Find Pages Marked noindex

A leftover noindex can hide a page after launch.

Command:
`grep -Rni --include='*.html' 'noindex' public`

You need to identify generated HTML pages that contain noindex directives.

Question: Do you audit noindex before publishing a static site?

Look for directives in the output directory: https://linuxoneliners.com/lessons/find-noindex-pages/

---

## Find Pages Missing Meta Descriptions

Missing descriptions are usually a content template problem, not a mystery.

Command:
`find public -name '*.html' -print | while read -r f; do grep -qi 'name="description"' "$f" || echo "$f"; done`

You need to list HTML pages without a meta description.

Question: Do your generated posts all get descriptions, or only the main pages?

Scan output HTML to catch template gaps: https://linuxoneliners.com/lessons/find-pages-missing-meta-description/

---

## List URLs from a Sitemap

Before comparing sitemap coverage, print the URLs plainly.

Command:
`grep -o '<loc>[^<]*</loc>' public/sitemap.xml | sed 's#<loc>##;s#</loc>##'`

You need to inspect the loc entries inside a sitemap without opening an XML viewer.

Question: Do you inspect sitemap output after changing routes?

Start with a plain URL list from sitemap.xml: https://linuxoneliners.com/lessons/list-sitemap-urls/

---

## Check robots.txt for a Sitemap Line

A sitemap can exist and still be hard to discover.

Command:
`grep -n '^Sitemap:' public/robots.txt`

You need to confirm robots.txt advertises the sitemap URL.

Question: Do you check robots.txt after moving a static site between domains?

Verify the Sitemap directive in the generated file: https://linuxoneliners.com/lessons/check-robots-sitemap-line/

---

## Find HTML Pages Missing from the Sitemap

A page can exist in the build but never make it into the sitemap.

Command:
`find public -name '*.html' -print | sed 's#^public#https://example.com#' | while read -r url; do grep -qF "$url" public/sitemap.xml || echo "$url"; done`

You need to compare generated HTML files against sitemap URLs.

Question: Do you compare generated pages against sitemap output?

Catch pages that exist but are not advertised: https://linuxoneliners.com/lessons/find-html-pages-missing-from-sitemap/

---

## Find Broken Internal Links in Built HTML

A broken internal link is easiest to catch before it becomes a 404.

Command:
`grep -Rho --include='*.html' 'href="/[^"]*"' public | sed 's#href="##;s#"##' | while read -r path; do test -e "public${path}" || echo "$path"; done | sort -u`

You need to list internal href paths that do not exist in the static build.

Question: Do you check broken internal links from the built output or source files?

Audit the exact HTML you are about to serve: https://linuxoneliners.com/lessons/find-broken-internal-links/

---

## Find Pages Missing og:title

Social previews often fail because one template missed Open Graph tags.

Command:
`find public -name '*.html' -print | while read -r f; do grep -qi 'property="og:title"' "$f" || echo "$f"; done`

You need to list generated HTML pages without og:title metadata.

Question: Do you audit Open Graph tags before sharing a new page?

Check generated HTML, then preview the URL: https://linuxoneliners.com/lessons/find-pages-missing-og-title/

---

## Find Feed Links Missing from the Sitemap

Your feed can advertise URLs that the sitemap never lists.

Command:
`grep -o '<link>https://example.com/[^<]*</link>' public/feed.xml | sed 's#<link>##;s#</link>##' | while read -r url; do grep -qF "$url" public/sitemap.xml || echo "$url"; done`

You need to compare feed item links against sitemap entries.

Question: Have you compared feed output against sitemap output after permalink changes?

Cross-check generated discovery files together: https://linuxoneliners.com/lessons/find-feed-links-missing-from-sitemap/

---

## Show Failed systemd Units

One command tells you which services systemd already knows are broken.

Command:
`systemctl --failed --no-pager`

A VPS feels unhealthy, but checking services one by one wastes time and misses failed timers, mounts, and sockets.

Question: What is the first command you run when a Linux server feels unhealthy?

Save this for your next VPS incident checklist: https://linuxoneliners.com/lessons/systemd-failed-units/

---

## Inspect One Service Without Pager Traps

Make systemctl status safe for scripts, screenshots, and quick incident notes.

Command:
`systemctl status nginx --no-pager --lines=30`

systemctl status can open a pager, wrap awkwardly, or hide the prompt during a tense server check.

Question: Do you prefer systemctl status or journalctl first when debugging one service?

Keep this pattern handy for incident notes and clean screenshots: https://linuxoneliners.com/lessons/service-status-no-pager/

---

## Read Current-Boot Logs for One Service

Ignore stale logs and inspect only what happened since this boot.

Command:
`journalctl -u nginx -b --no-pager -n 80`

Old service logs can make a current incident look worse or point you at errors from last week.

Question: How often have old logs sent you down the wrong debugging path?

Add -b to your current-boot service checks: https://linuxoneliners.com/lessons/journalctl-unit-since-boot/

---

## Check systemd Journal Disk Usage

Before deleting random logs, ask journald how much disk it owns.

Command:
`journalctl --disk-usage`

Disk alerts often lead people to delete the wrong files without checking whether the systemd journal is the real consumer.

Question: What is your safest first move during a Linux disk-space alert?

Measure before cleanup. This one-liner is a good start: https://linuxoneliners.com/lessons/journal-disk-usage/

---

## Find Slow Services During Boot

Find which units made your VPS boot slowly.

Command:
`systemd-analyze blame | head -20`

A server comes back after reboot, but boot time feels long and there is no obvious culprit.

Question: Which services usually dominate boot time on your servers?

Use this as a lead list, not a final verdict: https://linuxoneliners.com/lessons/slow-boot-services/

---

## Check Whether a Service Starts at Boot

Running now does not mean it will survive the next reboot.

Command:
`systemctl is-enabled nginx`

A service is manually started during an incident, but nobody verifies whether systemd will start it after reboot.

Question: Have you ever fixed a service only to lose it on reboot?

Pair is-active with is-enabled when validating recovery: https://linuxoneliners.com/lessons/service-enabled-at-boot/

---

## Check If a Service Is Active

Get a clean yes-or-no service state without the full status page.

Command:
`systemctl is-active nginx`

Full status output is noisy when a script, checklist, or quick human check only needs the current active state.

Question: What do you pair with systemctl is-active for a real production smoke check?

Use this for service state, then verify the user-facing path: https://linuxoneliners.com/lessons/service-active-check/

---

## Show Recent Server Reboots

Confirm whether the server actually rebooted and when.

Command:
`last -x reboot | head -5`

After an outage, deploy, or provider event, you need evidence of reboot timing without guessing from logs.

Question: Do you check reboot history during every unexplained outage?

Add reboot history to your first five incident commands: https://linuxoneliners.com/lessons/recent-reboots/

---

## Check Memory Pressure Quickly

See whether memory is actually tight before restarting services.

Command:
`free -h`

A VPS feels slow, and people often restart daemons before checking whether memory pressure is the cause.

Question: Which memory column do you trust first on Linux: free, used, or available?

Teach newer operators to read available before reacting: https://linuxoneliners.com/lessons/memory-pressure-summary/

---

## List Upcoming systemd Timers

Cron is not the only scheduler on modern Linux servers.

Command:
`systemctl list-timers --all --no-pager`

Backups, renewals, and cleanup jobs may run as systemd timers, but they are easy to miss if you only inspect cron.

Question: Which scheduled jobs on your servers moved from cron to systemd timers?

Add systemd timers to your server audit checklist: https://linuxoneliners.com/lessons/systemd-timers-due/

---

## Count Failed SSH Login Users

Failed SSH attempts are noisy; grouping users makes the pattern readable.

Command:
`sed -n 's/.*Failed password for \(invalid user \)\?\([^ ]*\) from .*/\2/p' logs/auth.log | sort | uniq -c | sort -nr`

You need to count which usernames are being targeted in SSH failures.

Question: Do you group failed SSH attempts by username during first response?

Summarize the auth log before reading every line: https://linuxoneliners.com/lessons/security-count-failed-ssh-users/

---

## Count Failed SSH Login IPs

The loudest SSH source is usually visible with one count.

Command:
`sed -n 's/.*Failed password .* from \([0-9.]*\) port.*/\1/p' logs/auth.log | sort | uniq -c | sort -nr`

You need to rank source IPs from failed SSH login attempts.

Question: Do you rank SSH failure sources before touching firewall rules?

Use counts as evidence, then apply policy: https://linuxoneliners.com/lessons/security-count-failed-ssh-ips/

---

## Show Accepted SSH Logins

During first response, successful logins matter more than background noise.

Command:
`grep 'Accepted publickey' logs/auth.log`

You need to find successful SSH public-key logins in an auth log.

Question: Do you separate successful SSH logins from failed noise first?

Build access timelines from accepted login lines: https://linuxoneliners.com/lessons/security-show-accepted-ssh-logins/

---

## Show Recent sudo Commands

Privilege use is one of the fastest first-response signals.

Command:
`grep 'sudo:' logs/auth.log | tail -n 10`

You need to see recent sudo commands from auth logs.

Question: Do you check sudo logs when a VPS changes unexpectedly?

Privilege-use logs are fast timeline anchors: https://linuxoneliners.com/lessons/security-show-recent-sudo-commands/

---

## List Listening Ports on a VPS

Unexpected network listeners are first-response evidence.

Command:
`ss -ltnp`

You need a snapshot of TCP ports listening on the server.

Question: Do you check bind addresses before assuming a port is exposed?

Pair ss output with firewall checks: https://linuxoneliners.com/lessons/security-list-listening-ports/

---

## List Users with Login Shells

Not every local account should be able to log in.

Command:
`awk -F: '$7 ~ /sh$/ {print $1, $7}' etc/passwd`

You need to list accounts with shell-like login programs.

Question: Do you inventory login-capable users during VPS handoff?

Review shell accounts before changing access: https://linuxoneliners.com/lessons/security-list-login-shell-users/

---

## Check Key SSH Authentication Settings

SSH policy should be visible before you change it.

Command:
`grep -nE '^(PasswordAuthentication|PermitRootLogin|PubkeyAuthentication|AllowUsers)' etc/ssh/sshd_config`

You need to read important SSH daemon authentication settings.

Question: Do you inspect SSH auth policy before changing sshd_config?

Read the live policy lines before editing: https://linuxoneliners.com/lessons/security-check-sshd-auth-settings/

---

## Find World-Writable Web Directories

World-writable web paths deserve immediate review.

Command:
`find srv/www -type d -perm -0002 -print`

You need to find directories under a web root that anyone can write to.

Question: Do you audit world-writable web directories after deploys?

Find risky writable paths before changing modes: https://linuxoneliners.com/lessons/security-find-world-writable-web-dirs/

---

## Find Loose Private Key Permissions

SSH private keys should not be readable like ordinary files.

Command:
`find home -type f -name 'id_*' -perm /177 -printf '%m %p\n'`

You need to find private-key-looking files with modes broader than 600.

Question: Do you audit SSH key file modes during VPS access reviews?

Find risky key permissions before changing access: https://linuxoneliners.com/lessons/security-find-loose-private-key-modes/

---

## List authorized_keys Files

Authorized keys are the server's practical access list.

Command:
`find home -path '*/.ssh/authorized_keys' -printf '%m %p\n'`

You need to find authorized_keys files and their modes.

Question: Do you inventory authorized_keys files during server handoff?

Review SSH access files before removing users: https://linuxoneliners.com/lessons/security-list-authorized-keys-files/

---

## List Nginx Listen Directives

The site was configured, but the port was not.

Command:
`grep -RInE '^[[:space:]]*listen[[:space:]]' fixtures/nginx/conf.d fixtures/nginx/sites-enabled`

You need to see which Nginx server blocks claim ports before chasing DNS or app errors.

Question: When Nginx serves the wrong site, do you check listen lines or server names first?

Map Nginx ports before editing configs: https://linuxoneliners.com/lessons/web-config-list-nginx-listen-directives/

---

## Find the Nginx Default Server

The wrong site answered because it was the fallback.

Command:
`grep -RIn 'default_server' fixtures/nginx/conf.d fixtures/nginx/sites-enabled`

You need to find which Nginx server block is marked as the default.

Question: Have you debugged the wrong Nginx site because the fallback answered?

Check default_server before changing host rules: https://linuxoneliners.com/lessons/web-config-find-nginx-default-server/

---

## Show Nginx Include Lines

The config was valid; it just was not included.

Command:
`grep -RInE '^[[:space:]]*include[[:space:]]' fixtures/nginx/nginx.conf fixtures/nginx/conf.d fixtures/nginx/sites-enabled`

You need to see which files the main Nginx config is expected to include.

Question: What is your quickest way to prove a config file is in the include path?

Trace Nginx include lines first: https://linuxoneliners.com/lessons/web-config-show-nginx-include-chain/

---

## Map Nginx Roots and Aliases

The URL was right. The filesystem path was not.

Command:
`grep -RInE '^[[:space:]]*(root|alias)[[:space:]]' fixtures/nginx/conf.d fixtures/nginx/sites-enabled`

You need to find which document roots and aliases Nginx config points at.

Question: Do you check root and alias before debugging static-file 404s?

Map Nginx file paths before changing permissions: https://linuxoneliners.com/lessons/web-config-map-nginx-roots-aliases/

---

## Map Nginx Proxy Targets

Nginx was healthy. It was proxying to the wrong place.

Command:
`grep -RInE '^[[:space:]]*proxy_pass[[:space:]]' fixtures/nginx/conf.d fixtures/nginx/sites-enabled`

You need to see where Nginx forwards proxied requests.

Question: For a 502, do you inspect proxy_pass before checking the app process?

Map proxy targets quickly: https://linuxoneliners.com/lessons/web-config-map-nginx-proxy-targets/

---

## Show Enabled Apache Sites

The Apache config existed. The enabled symlink did not.

Command:
`find fixtures/apache/sites-enabled -maxdepth 1 -type l -printf '%f -> %l\n' | sort`

You need to see which Apache virtual host files are enabled.

Question: Have you ever edited an Apache site that was not enabled?

Check enabled Apache symlinks first: https://linuxoneliners.com/lessons/web-config-show-enabled-apache-sites/

---

## Map Apache Virtual Hosts

Apache chose a virtual host. You need to know which one.

Command:
`grep -RInE '<VirtualHost|ServerName|ServerAlias' fixtures/apache/sites-enabled`

You need to find Apache VirtualHost blocks and their names.

Question: When Apache serves the wrong site, what do you inspect first?

Map enabled virtual hosts quickly: https://linuxoneliners.com/lessons/web-config-map-apache-virtualhosts/

---

## Find Apache Document Roots

Apache was serving files from a different directory than expected.

Command:
`grep -RInE '^[[:space:]]*DocumentRoot[[:space:]]' fixtures/apache/sites-enabled`

You need to list DocumentRoot values from enabled Apache configs.

Question: Do you verify DocumentRoot before fixing web file permissions?

Find Apache document roots fast: https://linuxoneliners.com/lessons/web-config-find-apache-document-roots/

---

## Map Apache Proxy Rules

Apache was up. The reverse proxy target was wrong.

Command:
`grep -RInE '^[[:space:]]*(ProxyPass|ProxyPassReverse)[[:space:]]' fixtures/apache/sites-enabled`

You need to find Apache ProxyPass and ProxyPassReverse rules.

Question: For Apache proxy errors, do you check ProxyPass before the app logs?

Map Apache proxy rules quickly: https://linuxoneliners.com/lessons/web-config-map-apache-proxy-rules/

---

## Find Web Server Redirect Rules

The redirect loop was hiding in plain text.

Command:
`grep -RInE 'return[[:space:]]+30[18]|rewrite[[:space:]]|Redirect[[:space:]]|RewriteRule|RewriteCond' fixtures/nginx fixtures/apache`

You need to find redirect-related rules across Nginx and Apache configs.

Question: What is your first command for a redirect loop?

Search redirect rules across web configs: https://linuxoneliners.com/lessons/web-config-find-redirect-rules/

---

## Summarize HTTP Status Codes

Before chasing individual lines, get the shape of the whole log.

Command:
`awk '{count[$9]++} END {for (code in count) print count[code], code}' ./fixtures/nginx/access.log | sort -nr`

You need a quick count of HTTP response codes in a web access log.

Question: What is your first command when opening a web access log?

Use this before blaming the app, proxy, DNS, or CDN: https://linuxoneliners.com/lessons/status-code-summary/

---

## Find the IPs Creating the Most 4xx Noise

One address can turn a normal access log into a wall of failed requests.

Command:
`awk '$9 ~ /^4/ {count[$1]++} END {for (ip in count) print count[ip], ip}' ./fixtures/nginx/access.log | sort -nr | head`

You need to identify which client IPs are generating the most client-side errors in a web access log.

Question: When web logs get noisy, do you group failures by IP or by URL first?

Use the count as a lead, then inspect the paths: https://linuxoneliners.com/lessons/web-4xx-by-ip/

---

## Group Server Errors by URL Path

A 500 spike is easier to triage when the broken path is obvious.

Command:
`awk '$9 ~ /^5/ {count[$7]++} END {for (path in count) print count[path], path}' ./fixtures/nginx/access.log | sort -nr | head`

You need to see which URL paths are associated with server-side errors in an access log.

Question: For a 500 spike, do you check the access-log path or the app logs first?

Use this to decide where to drill next: https://linuxoneliners.com/lessons/web-5xx-by-path/

---

## Spot Unusual HTTP Methods in Access Logs

Most site traffic is boring. The weird methods are worth a look.

Command:
`awk '$6 !~ /^"(GET|POST|HEAD|OPTIONS)$/ {print $1, $6, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr`

You need to identify requests using HTTP methods outside the small set your site normally expects.

Question: Do you baseline expected HTTP methods for your public sites?

Use method counts as a quick traffic-shape check: https://linuxoneliners.com/lessons/suspicious-web-methods/

---

## Count the Most Common User Agents

A strange traffic spike often has a strange user agent.

Command:
`awk -F'"' '{print $6}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr | head`

You need a quick view of which user agents dominate a web access log.

Question: Do you treat user agents as evidence, clues, or noise?

Use this as a starting point, not an identity claim: https://linuxoneliners.com/lessons/top-web-user-agents/

---

## Find Common Admin Probe Paths

A site does not need WordPress to receive WordPress-looking probes.

Command:
`awk '$7 ~ /(admin|login|wp-|phpmyadmin)/ {print $1, $7, $9}' ./fixtures/nginx/access.log | sort | uniq -c | sort -nr | head`

You need to find repeated requests for common administrative or login-looking paths in a web log.

Question: How much background admin-probe traffic do your public sites receive?

Use this to separate background noise from real app paths: https://linuxoneliners.com/lessons/admin-probe-paths/

---

## Find Paths Repeatedly Returning 404

One missing URL is normal. A repeated missing URL is a signal.

Command:
`awk '$9==404 {count[$7]++} END {for (path in count) if (count[path] >= 3) print count[path], path}' ./fixtures/nginx/access.log | sort -nr | head`

You need to identify missing paths that are being requested repeatedly.

Question: Do you review repeated 404s as broken-link cleanup, security triage, or both?

Prioritize repeated misses before one-off noise: https://linuxoneliners.com/lessons/repeated-404-paths/

---

## Spot Request Bursts by Minute

Traffic spikes are easier to read when you bucket them by time.

Command:
`awk '{minute=substr($4,2,17); count[minute]++} END {for (m in count) print count[m], m}' ./fixtures/nginx/access.log | sort -nr | head`

You need to find the busiest minute-level windows in an access log.

Question: When traffic spikes, do you inspect raw lines first or bucket by time?

Use buckets to find the hot window first: https://linuxoneliners.com/lessons/request-bursts-by-minute/

---

## Find Unusually Large Web Responses

A few huge responses can explain bandwidth, latency, and suspicious download patterns.

Command:
`awk '$10 ~ /^[0-9]+$/ && $10 > 1000000 {print $10, $1, $7, $9}' ./fixtures/nginx/access.log | sort -nr | head`

You need to list large responses from a web access log for operational and defensive review.

Question: Do you check response size when investigating traffic spikes?

Use byte counts to separate bandwidth from request-count problems: https://linuxoneliners.com/lessons/large-web-responses/

---

## Find Clients Repeating the Same Path

The suspicious pattern is sometimes one client hammering one URL.

Command:
`awk '{key=$1 " " $7; count[key]++} END {for (k in count) if (count[k] >= 5) print count[k], k}' ./fixtures/nginx/access.log | sort -nr | head`

You need to find IP and path pairs that appear repeatedly in a web access log.

Question: Do you group web traffic by IP alone, or by IP plus path?

Use this to separate broad activity from repeated loops: https://linuxoneliners.com/lessons/ip-path-repeaters/
