Common commands for Web management

Source: Internet
Author: User
Tags egrep

Real-time view of executing SQL statements

/usr/sbin/tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | egrep -i 'select|update|delete|insert|set|commit|rollback|create|drop|alter|call'

View HTTP connections

netstat -n | awk '/^tcp/ {++state[$NF]} END {for (key in state) print key, "\t", state[key]}'

Let's take a look at the awk program:

/^tcp/
Selects only the records that begin with tcp, filtering out UDP, socket and other unrelated records.

state[]
Equivalent to defining an array named state.

NF
The number of fields in the record; for a netstat TCP record, NF equals 6.

$NF
The value of the last field; with NF equal to 6, $NF is $6, the value of the 6th field, for example TIME_WAIT.

state[$NF]
The value of the array element, that is, the number of connections in that state; for such a record, state[TIME_WAIT].

++state[$NF]
Increments the count by one; for such a record, it adds one to the number of connections in state[TIME_WAIT].

END
Introduces the commands to be executed in the final phase, after all input has been read.

for (key in state)
Iterates through the array.

print key, "\t", state[key]
Prints each key and its value, separated by a \t tab to tidy up the output.

View HTTP connections in SYN state

netstat -n | awk '/^tcp/ {++state[$NF]} END {for (key in state) print key, "\t", state[key]}'

View HTTP connections in TIME_WAIT state

netstat -tna | cut -b 49- | grep TIME_WAIT | sort | more
netstat -an | grep TIME_WAIT | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more

View HTTP connections in ESTABLISHED state

netstat -an | grep ESTABLISHED | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more
netstat -an | grep ":80" | grep ESTABLISHED | sort | more

  


Bulk Kill Process

ps -efww | grep sqlr-listener | grep -v grep | cut -c 9-15 | xargs kill -9

  

View the number of active php-cgi connections

netstat -anp | grep php-cgi | wc -l

  

Identifying a CC attack: netstat commands for quickly finding the problematic IP

Common commands for site troubleshooting and analysis
System connection status:
1. View TCP connection status
netstat -nat | awk '{print $6}' | sort | uniq -c | sort -rn
netstat -n | awk '/^tcp/ {++S[$NF]}; END {for (a in S) print a, S[a]}' or
netstat -n | awk '/^tcp/ {++state[$NF]}; END {for (key in state) print key, "\t", state[key]}'
netstat -n | awk '/^tcp/ {++arr[$NF]}; END {for (k in arr) print k, "\t", arr[k]}'
netstat -n | awk '/^tcp/ {print $NF}' | sort | uniq -c | sort -rn
netstat -ant | awk '{print $NF}' | grep -v '[a-z]' | sort | uniq -c

2. Find the top 20 IPs by number of requests (commonly used to find the source of an attack):
netstat -anlp | grep 80 | grep tcp | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | head -n20
netstat -ant | awk '/:80/ {split($5, ip, ":"); ++A[ip[1]]} END {for (i in A) print A[i], i}' | sort -rn | head -n20

3. Sniff port 80 traffic with tcpdump to see which source sends the most packets
tcpdump -i eth0 -tnn dst port 80 -c 1000 | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq -c | sort -nr | head -20

4. Find the IPs with the most TIME_WAIT connections
netstat -n | grep TIME_WAIT | awk '{print $5}' | sort | uniq -c | sort -rn | head -n20

5. Find the IPs with the most SYN connections
netstat -an | grep SYN | awk '{print $5}' | awk -F: '{print $1}' | sort | uniq -c | sort -nr | more

6. List the process that owns a port
netstat -ntlp | grep 80 | awk '{print $7}' | cut -d/ -f1

7. Calculate the average memory used per httpd process
ps aux | grep -v grep | awk '/httpd/ {sum+=$6; n++}; END {if (n) print sum/n}'
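
Items 2, 4 and 5 above all come down to counting remote addresses for one local port and one TCP state. The following is an added example, not part of the original page: it matches the local port exactly (a plain grep 80 also matches 8080 or an address containing 80) and strips the port at the last colon, so IPv4-mapped IPv6 peers are counted under their IPv4 address. The function names and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical
# and the netstat lines in sample_netstat are constructed test data.

# conn_by_ip PORT STATE
# Reads `netstat -ant` text on stdin and prints "COUNT IP", highest first,
# for connections to local PORT that are in TCP state STATE.
conn_by_ip() {
    awk -v port="$1" -v state="$2" '
        # Drop the trailing ":port" (handles 1.2.3.4:80 and ::ffff:1.2.3.4:80).
        function host(addr) { sub(/:[0-9*]+$/, "", addr); return addr }
        # Keep only what follows the last colon, i.e. the port.
        function portof(addr) { sub(/^.*:/, "", addr); return addr }
        /^tcp/ && $6 == state && portof($4) == port {
            ip = host($5)
            sub(/^::ffff:/, "", ip)   # count IPv4-mapped peers as IPv4
            ++hits[ip]
        }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           198.51.100.7:51514      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51515      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51516      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40000       SYN_RECV
tcp        0      0 192.0.2.10:8080         203.0.113.9:40001       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:40002       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.80:40003      TIME_WAIT
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:40004 SYN_RECV
EOF
}

# On a live host: netstat -ant | conn_by_ip 80 SYN_RECV
sample_netstat | conn_by_ip 80 SYN_RECV
```
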
Website Log Analysis 1 (Apache):
1. Get the top 10 IP addresses by number of requests
cat access.log | awk '{print $1}' | sort | uniq -c | sort -nr | head -10
cat access.log | awk '{counts[$(7)]+=1}; END {for (url in counts) print counts[url], url}'

2. Most visited files or pages, top 20
cat access.log | awk '{print $7}' | sort | uniq -c | sort -nr | head -20

3. List the largest EXE files transferred (commonly used when analyzing a download site)
cat access.log | awk '($7~/\.exe/) {print $10 " " $1 " " $4 " " $7}' | sort -nr | head -20

4. List EXE files with output greater than 200000 bytes (approx. 200 KB) and the number of times each file occurs
cat access.log | awk '($10 > 200000 && $7~/\.exe/) {print $7}' | sort -n | uniq -c | sort -nr | head -100

5. If the last column of the log records the page transfer time, list the pages that took the longest to deliver to the client
cat access.log | awk '($7~/\.php/) {print $NF " " $1 " " $4 " " $7}' | sort -nr | head -100

6. List the most time-consuming pages (more than 60 seconds) and the number of times each page occurs
cat access.log | awk '($NF > 60 && $7~/\.php/) {print $7}' | sort -n | uniq -c | sort -nr | head -100

7. List files whose transfer took longer than 30 seconds
cat access.log | awk '($NF > 30) {print $7}' | sort -n | uniq -c | sort -nr | head -20

8. Total website traffic (GB)
cat access.log | awk '{sum+=$10} END {print sum/1024/1024/1024}'

9. List requests that returned 404
awk '($9 ~ /404/)' access.log | awk '{print $9, $7}' | sort

10. Count HTTP status codes
cat access.log | awk '{counts[$(9)]+=1}; END {for (code in counts) print code, counts[code]}'
cat access.log | awk '{print $9}' | sort | uniq -c | sort -rn

11. Spider analysis
See which spiders are crawling content.
/usr/sbin/tcpdump -i eth0 -l -s 0 -w - dst port 80 | strings | grep -i user-agent | grep -i -E 'bot|crawler|slurp|spider'
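
Counting requests per IP over the whole log, as item 1 does, hides a short flood from a client whose total is unremarkable. The following added example (not part of the original page) groups requests per client and clock minute and also reports how many distinct URLs were requested, which separates a client hammering one URL from a crawler walking many pages. It assumes the Apache field layout the commands above use ($1 client IP, $4 timestamp, $7 request path); the function names and log lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. burst_ips and sample_log are
# hypothetical names; the log lines are constructed test data.

# burst_ips LIMIT
# Reads an Apache access log on stdin and prints
# "REQUESTS DISTINCT_URLS MINUTE IP" for every client that sent more than
# LIMIT requests inside one clock minute, busiest first.
burst_ips() {
    awk -v limit="$1" '
        {
            # $4 is "[10/Oct/2023:13:55:01"; characters 2-18 are day to minute
            key = substr($4, 2, 17) " " $1
            ++hits[key]
            if (!((key, $7) in seen)) { seen[key, $7] = 1; ++urls[key] }
        }
        END { for (k in hits) if (hits[k] > limit) print hits[k], urls[k], k }
    ' | sort -k1,1nr -k3,4
}

sample_log() {
    cat <<'EOF'
198.51.100.7 - - [10/Oct/2023:13:55:01 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:02 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:03 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:04 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [10/Oct/2023:13:55:05 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:10 +0000] "GET /a.php HTTP/1.1" 200 100
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /b.php HTTP/1.1" 200 100
203.0.113.5 - - [10/Oct/2023:13:56:10 +0000] "GET /c.php HTTP/1.1" 200 100
203.0.113.5 - - [10/Oct/2023:13:56:40 +0000] "GET /d.php HTTP/1.1" 404 100
192.0.2.44 - - [10/Oct/2023:13:56:01 +0000] "GET /p1.php HTTP/1.1" 200 100
192.0.2.44 - - [10/Oct/2023:13:56:02 +0000] "GET /p2.php HTTP/1.1" 200 100
192.0.2.44 - - [10/Oct/2023:13:56:03 +0000] "GET /p3.php HTTP/1.1" 200 100
192.0.2.44 - - [10/Oct/2023:13:56:04 +0000] "GET /p4.php HTTP/1.1" 200 100
EOF
}

# On a live host: burst_ips 100 < access.log
sample_log | burst_ips 3
```
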

Website Log Analysis 2 (Squid)

2. Traffic statistics by domain
zcat squid_access.log.tar.gz | awk '{print $10, $7}' | awk 'BEGIN {FS="[ /]"} {trfc[$4]+=$1} END {for (domain in trfc) {printf "%s\t%d\n", domain, trfc[domain]}}'
A more efficient Perl version can be downloaded from: http://docs.linuxtone.org/soft/tools/tr.pl

Database
1. View the SQL executed by the database
/usr/sbin/tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | egrep -i 'select|update|delete|insert|set|commit|rollback|create|drop|alter|call'

System debugging and analysis
1. Debug commands
strace -p PID
2. Attach to the process with the specified PID
gdb -p PID
