A few linux commands you need to know to manage your VPS.

click here to get the best cheap VPS


After logging on your VPS with a ssh terminal tool, the first Linux command to use is top which gives you a basic impression about the current status of your box.

top – 23:05:22 up 1 day, 14:50, 1 user, load average: 0.00,
Tasks: 20 total, 1 running, 19 sleeping, 0 stopped, 0
Cpu(s): 0.0%us, 0.0%sy, 0.0%ni,100.0%id, 0.0%wa, 0.0%hi,
Mem: 524288k total, 24752k used, 499536k free,
Swap: 65536k total, 0k used, 65536k free, 1284

1 root 20 0 2900 1388 1204 S 0.0 0.3 0:00.00

top command outputs the current status of the system continuously until you type Ctrl-C.
From the information top generates, we know that the current time is 23:05:22, you VPS os has been running for one day, 14 hours and 50 minutes(from this information, you can know if your VPS has restarted since you bought the VPS or booted it box manually, if it has been rebooted, figure out the reason.). There is currently 1 user logged into the system(it is you, yourself). If you find multiple login users, you should be aware that your vps may be compromised or hacked, and you may need to kick off other login users immediately. load average is not a percentage, but the process that is using or waiting to use cpu. For one-cpu machine, a load average of 1 means the cpu is fully utilized. So if you want to know whether your computation ability of your vps  is powerful enough to handle with your tasks, load average is a good indication. If load average is above the number of cpus(or cpu cores), it is time to consider to upgrade to a vps plan with more cpus(cores).  The following line is the information about the processes(tasks) in the system. You can see there are 20 tasks(processes) in which 1 is in running status, 19 are in sleeping status, 0 is in stopped status. After you install other software, you will find more tasks in the system. And if there are too many processes in the system, chances are your system has been hacked. The next line is the usage of CPU. There are some abbreviations you should know: us – user, sy – system, ni – nice, id – idle wa – IO-wait, hi – hardware interrupts. This line shows the percentage of CPU time that is allocated for user mode, system mode, niced user processes, IO wait, hardware interrupt handlers, and idle status. If your system is overloaded, there is little CPU time for idle status. So notice the value of %id. Now in our system, there is 100%id which means almost no utilization of CPU. If the time for idle is less than 50%, and it is not due to abnormal process behavior, it would be an indication that you should upgrade your VPS. The next line is about the usage of memory including the total amount of memory(when you buy a VPS, you should find this number on the product introduction.), the amount of memory used by process, and the remaining free memory. Checking the usage of memory from time to time can let you know the system health status and give you indication whether the performance of VPS satisfies your needs. The next line is the information about swap. When you purchase a VPS, you should notice the amount of swap the vendor provides to you. Swap is used as virtual memory, the bigger, the better. The following lines display the status of running processes in the system. Checking them to see if the processes are running normally. The information fields about process include process id(PID), the owner of process(USER), the priority of process(PR), the nice value(NI), the virtual memory used by process(VIRT, unit KB), the physical memory used by process(RES, unit KB), the share memory used by process(SHR, unit KB), the process status S(R – running, S – sleeping,etc.), the percentage of CPU time used by the process since the last screen update(%CPU), the percentage of physical memory used by process(%MEM), and the CPU time used since process started(TIME+, unit hundredths).

Notice that top is an interactive command, which means you can input a command by keyboard during its run. To see which processes use the most amount of memory, type M(capitalized m). To see which process occupy CPU most, type P.


04:18:58 up 1 day, 20:04, 1 user, load average: 0.00, 0.00, 0.00
root pts/0 03:47 0.00s 0.00s 0.00s w

The first line shows the current time, the system up time, total logged on users, CPU load average during past 1, 5, and 15 minutes. The following lines shows the information for each currently logged on user, including user name, TTY, ip address of logged on user, time past since the user logged on, idle time of the user, time used by all processes attached to the tty (JCPU), time used by the current process(PCPU), current command line of the user(WHAT).


To kill a user(which means killing all processes belong to this user) that is not supposed to logged on, use pkill -u username. To kick out another user login on your vps, first use w command to find its login tty, then use pkill -9 -t tty to kill all processes attached to that tty thus log off that user.


To see the kernel version of Linux, use uname -a or cat /proc/version. To see the issue name, use cat /etc/issue. uname -a also prints the 32bit/64bit information(i686 means 32bit, x86_64 means 64bit). uname -m, arch also do the same work. cat /proc/cpuinfo prints details of cpu such as how many cores the cpu has.


To install a package, use yum -y install packagename.
To remove a package, use yum remove packagename.
To check the dependency of a package, use yum deplist packagename. This will list all packages that the package depends on.
Note that if you remove a package using yum remove packagename, yum will list all packages that depend on this package. If you confirm to remove, those packages are removed too.

To know the installation date of a package: rpm -q –last packagenme, or rpm -qi packagename

To know the dependencies of an installed rpm package: rpm -qR packagename.

To know the dependencies of a rpm file that is not installed: rpm -qpR rpmfilename,

But I find the best way to find the dependent packages of a package is repoquery, i.e., repoquery –requires –resolve packagename. This will give a clearer output than the above rpm commands. To use repoquery, you should intall yum-utils package first.


iptables is not a necessary command to master if security is not a problem for you, or you do not have an advanced task like setting up a VPN. iptables are usually used to set up firewall in Linux. As the name implies, iptables manages a set of tables, each table has a set of chains, each chain has a set of rules, and each rule defines a policy to handle ip packet such as dropping the incoming ip packets.
To list the chains and rules in a table:
iptables -L -t tablename
To append a rule to a chain in a table:
iptables -t tablename -A chainname xxxxxxxxxxx(rule)
To drop a rule from a chain in table:
iptables -t tablename -D chainname rulenumber
To get the rule number, use iptables -L –line-number.
Another method to delete a specific rule is by typing the same line as you typed to add that rule, just replace -A with -D.

To replace (i.e., edit) an existing rule, use iptables -R chainname rulenum newrule. This is different than deleting the old rule and adding a new rule because the order if rules is changed if you do so.

To dump iptables settings: iptables-save > dumpfile

To restore iptables settings from dump file: iptables-restore < dumpfile

By dumping iptables, editing the dumped file and restoring from dumped file, you can quickly modify the whole iptables.

To block an ip from accessing your vps:

iptables -A INPUT -s xx.xx.xx.xx  -j DROP

To block a range of ip addresses:

iptables -A INPUT -s xx.xx.xx.xx/24  -j DROP

This will append a rule to the INPUT chain of the filter table.

To block all ips that failed to login your server:

utmpdump /var/log/btmp|cut -d ] -f 7|cut -d ‘[‘ -f 2|sort|uniq |sort -n | awk ‘{$1=$1;print}’ > badip

(readarray -t ARRAY < badip; IFS=’,’; echo “${ARRAY[*]}”)

copy the echoed string in the following command:

iptables -I INPUT -s “echoed string” -j DROP

To block outbound connections made by a process of particular user such as apache:

iptables -A OUTPUT -p tcp -m owner –uid-owner apache -j REJECT

ip6tables -A OUTPUT -p tcp -m owner –uid-owner www-data -j REJECT

To log packets:

iptables -A OUTPUT -p tcp -m owner –uid-owner apache -j LOG

You can find the iptables log in /var/log/messages


Note that the command takes effect immediately but the result won’t persist for a restart of iptables service. If you want to save your configuration of the iptables, use service iptables save.

On CentOS 7, you need to install iptables-services first before you can use the command service iptables save, otherwise you may get the error:”Failed to execute operation: Access denied”

yum install iptables-services

systemctl enable iptables


To secure your VPS box that is used for setting up websites, you typically need to set up the following iptables rules:
iptables -F (delete all rules in all chains of all tables)
iptables -A INPUT -p tcp –dport 80 -j ACCEPT (for normal http websites)
iptables -A INPUT -p tcp –dport 443 -j ACCEPT (for https websites)
iptables -A INPUT -p tcp –dport 22 -j ACCEPT (allow ssh access to your box)
iptables -A INPUT -p tcp –dport 1723 -j ACCEPT (if you use pptp vpn. 1723 port is used by pptp control path)
iptables -A INPUT -p gre -j ACCEPT (gre protocol is used by pptp)
iptables -A INPUT -p icmp -j ACCEPT (allow ping to your box)
iptables -P INPUT DROP (set the policy to “DROP” for the INPUT chain, which means all the packets not matching the rules in the INPUT chain will be dropped)

If you would like to specify a range of ports, use
iptables -A INPUT -p tcp –dport firstport:lastport -j ACCEPT
If you use file_get_content() or curl to fetch remote web pages, you need to add the following rule in your iptables:
iptables -A INPUT -m state –state RELATED,ESTABLISHED -j ACCEPT
This rule accepts all packets belong to a connection that has been already established. Since our firewall does not block any outgoing packet, the calling of file_get_content() can send the SYN packet to the remote website. When the firewall sees the arriving SYN+ACK packet, it considers the connection is in ESTABLISHED status and let the packet pass through, which actually establishes the TCP connection.
An alternative way to get the get_file_content() and curl work is by adding the following two rules:
iptables -A INPUT -p tcp –dport 32768:61000 -j ACCEPT
iptables -A INPUT -p udp –dport 32768:61000 -j ACCEPT

These rules allow the packets with destination ports 32768-61000(which is used by file_get_content() as the local port to send/receive data, you can get the port range by cat /proc/sys/net/ipv4/ip_local_port_range) to come in. You may wonder why need to unblock the udp ports(as the second rule) as it seems only TCP/http is used for the data transfer. Well, that is because DNS uses UDP to query and resolve the host name in the parameter of file_get_content().

The first method is preferred because it prohibits unexpected connection to apps on your VPS which listen on port 32768-61000, thus, is safer.

Pay attention to the order of the commands, or you may be kicked off the system immedietately after you issue the command:iptables -P INPUT DROP, as it closes your ssh connection. If you use iptables -F to clear the rules in the INPUT chain, the policy still persists, so you will get kicked off too. And the worst thing is that if you have used “service iptables save” to save the configuration and iptables service is automatically started at the boot time, you may never have the chance to login your VPS again(unless you rebuild your VPS). So be very careful in configuring the iptables.

To harden your VPS that is used only for hosting websites, you’d better stop those unnecessary services accompanied with VPS management software such as the named service, the snmp service, and the mail service.

service named stop
service postfix stop
service dovecot stop

You can use chkconfig –list|grep 3:on to check the current services on the system. To disable a service at system startup, use chkconfig servicename off, such as:

chkconfig named off

chkconfig httpd off

chkconfig sendmail off



Use netstat -antp to see all sockets opened. You can check if there is suspicious connection to your VPS.
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0* LISTEN 514/sendmail
The options: -a means all sockets(including those in connected and listening status), -n shows ip address instead of host name, -t shows only tcp sockets, -p shows program that opens this socket.

How to check login log in CentOS?

cat /var/log/secure for the recent logs. /var/log/secure-date are logs files up to that date.

utmpdump /var/log/wtmp can show more login types including login from pts(i.e. ssh login), login from ppp(i.e. vpn connection), login from tty, or login from console. The output fields are: session number, PID, terminal number/~~(for run level change),login/runlevel,terminal, remote machine name,remote ip, date

utmpdump /var/log/btmp for failed logins


If you have not used kloxo-mr yet, do not use it. I went on the wrong way due to the big name of this server management software. I keep encountering all kinds of problems using this software, which is very frustrating. For example, recently, after reboot, my websites are down. The websites are directed to the Hiawatha installation success page. I know I used Apache instead of Hiawatha to set up the websites. So I issued “service httpd status” to see if apache is running. Not surprisingly, httpd service is down. And “service httpd start” failed saying ” Address already in use: make_sock: could not bind to address [::]:80…”. I know another process has occupied that 80 port. Using netstat command, I found Hiawatha(a not well-known web server) occupied that port. Then I used “chkconfig hiawatha off” and “service hiawatha stop” to stop and disable hiawatha service, and started httpd in the control panel(services). This time apache was up and I could open html files on my website. But I still could not open php files. I remembered there are some options in the webserver config tools that seem related to php. So I went there and switched between various php types like mod_php_ruid2, php-fpm_event, etc. But none worked. So I went to the “Switch a Program” tool to switch Apache back and forward because I had read a post written by the author of kloxo-mr, which, he said, can solve some strange problems. Unfortunately, still not work. In the end I searched google and got the following commands:sh /script/cleanup, sh /script/fix-all, sh /script/restart-all, which finally resolved this problem(although I am still not clear about what these commands are actually doing). You can see the whole recovery process is hard so I do not recommend you use kloxo-mr to manage your vps although its GUI is like CPanel and seems very easy to use. Actually, the kloxo-mr panel is full of seldom used tools which are organized randomly and the functionalities are sometimes redundant.

How to change default ssh port on CentOS?

edit /etc/ssh/sshd_config, change the line “Port 22″ to “Port xxx”.
restart sshd service sshd restart

On Centos 7, things get little more complicated. You won’t find sshd is listening on the new configured port by “netstat -antp”. To enable sshd on the new port, you should install the selinux management tool:

yum install policycoreutils-python

After that,

semanage port -a -t ssh_port_t -p tcp xxxx

After restarting sshd, you will find the sshd is now listening on the new port.


Please do it carefully because you will not be able to  connect to your vps again if your iptables blocks the new port.

cron job

The mechanism of cron job is simple. You specify the commands that need to be executed at fixed intervals in configuration files. A daemon crond runs in background to execute the commands at specified time. Unfortunately, things get complicated as lots of files get involved. If you search articles about cron job on the Internet, you will soon be confused by so many file/directory names like crontab, cron.d cron.daily, cron.weekly, /var/spool/cron, /etc/crontab, /etc/cron.d, /etc/cron.daily, etc. But you will definitely remember the format to specify a cron job as it is repeated in all articles, i.e.,
* * * * * username command
The * is used to specify the intervals to execute the command. The minimum interval is minute,not second, specified at the first *.
Crond checks the cron jobs in /etc/crontab, /etc/cron.d/*, /var/spool/cron/* every minute and loads the new added entries so it can execute the commands at specified time. But why use so many files/directories to save cron jobs? Well, they are used by different users/applications. /etc/crontab is used by root user because ordinary users do not have the privilege to edit /etc/crontab. Ordinary users use crontab command to edit file /var/spool/cron/username to add their cron jobs. System users usually put their cron jobs in /etc/cron.d/.  An example is sentoa/zpanel cron /etc/cron.d/zdaemon,  which executes the command “/usr/bin/php -q /etc/sentora/panel/bin/daemon.php” every 5 minutes. Sometimes this daemon script causes high cpu occupation, and you can control its execution frequency by editing /etc/cron.d/zdaemon.   As to /etc/cron.daily/. /etc/cron.weekly/, etc, they are directories to save scripts(not cron format files)which are executed by the run-parts script (this script runs all scripts in a folder specified as its parameter) that is specified in some cron job. You can use crontab -l to check the cron jobs of current user. You can use crontab -u user -l to list the cron jobs of the specified user, but the cron jobs listed are only those in  /var/spool/cron/username, the cron jobs in other directories are not listed. For detailed information about cron job, refer to this tutorial. Other articles are basically rubbish.

screen command

The screen command is used to run commands without connecting to vps using a terminal such as putty. You may think you can let the commands run in background by appending a “&” to the command line, and close the terminal connection, then connect to vps sometime later and  bring back the command to foreground using the “fg” command. Unfortunately, this is not possible. As soon as you disconnect  the vps, all the commands you submitted, whether they are in foreground or background, will be terminated.   The correct way is to use the screen command.


your command


logout vps

login to vps again

screen -r

Occasionally, you may lost your connection to the vps during a screen section. When you login vps and try to attach the screen again using “screen -r”, you will get the error:”There is no screen to be resumed.”. But it also shows “There is a screen on: xxx (Attached). Using “screen -r xxx” does not help. In this case, you should issue the command “screen -D -RR”. See this post for details.

How to know the free memory available in the system?

free -m

total       used       free     shared    buffers     cached
Mem:           498        491          7          0         10         40
-/+ buffers/cache:        439         59

The third column is the free physical memory currently available in Linux. The red figure(59M) is the correct value. The 59-7=52M memory are cached memory and can be used at anytime.

How to know the processes that consume most memory?

ps aux –sort -rss

rss is the physical memory used by a process.

using “man ps” to understand the meaning of the output fields of ps

How to know the processes that occupy most of CPU?

ps aux |sort -nrk 3|head -n 5

will list the top five CPU consuming processes.

ps options: a – all processes that have control terminal regardless of whether they belong to current user; x – all processes regardless whether they have or have not control terminal; u – user oriented output format. sort options: k 3 – sort by the third column(field), -n interpret the key as numeric, r – reverse the result(in descending order)

The following command also works for the same aim:


How to know the apache MPM work mode: prefork or worker?

httpd -V, httpd -l

How to limit the memory consumption of Apache?

In a memory limited system, httpd processes may consume all the memory and other processes may be killed to empty memory. To lower the memory consumption of httpds, first determine the Apache work mode using the above commands, then modify the value of MaxSpareServers and MaxClients in the corresponding section of httpd.conf.

 How to know the ip addresses that are accessing your vps most?

netstat -antp |awk ‘{print $5}’|cut -f 4 -d ‘:’|sort|uniq -c|sort -nr

the -c option of uniq puts the number of occurrences before every line.

How to find the ip that accessed your website most for a specified day?

cat domainhostseotool.com-access.log | grep “05/May/2017″ | awk ‘{print $1}’ | sort | uniq -c | sort -nr

domainhostseotool.com-access.log is the Apache access log, which can be found in /var/sentora/logs/domains/zadmin if you intalled Sentora.

How to find what urls a specified ip accessed on a specified day?

cat domainhostseotool.com-access.log | grep “05/May/2017″ | grep “xx.xx.xx.xx” | awk ‘{print $7}’ | sort | uniq -c | sort -nr

How to determine the file system in CentOS?

df -T

How to know the directory that occupies the most disk space?

du -k –max-depth=1|sort -n

How to zip a directory?

zip -r mydir.zip mydir

This will compress all files(including hidden dotfiles), sub-folders, and the folder mydir itself into a single compression file mydir.zip. When uncompressed using the command unzip mydir.zip, it will create the folder mydir under the current directory and uncompress all stuff into that folder.

How to sftp files in Linux?

sftp -oPort=1234 username@xx.xx.xx.xx

get filename /var/www/

 How to disable IPV6 on Linux?

Why need you disable ipv6 interface? It is because some servers (maybe including your own server) do not config ipv6 properly. While ipv6 is enabled, the connection via ipv6 connections may have problem. And the  ipv6 connection may have higher priority than ipv4 connection. So if there is some problem about ipv6, you can disable it by adding the following lines in /etc/sysctl.conf(reference):

net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

and issuing sysctl -p to make it effective.  This will disable ipv6 for all interfaces. You can disable specific interface using

net.ipv6.conf.[interface].disable_ipv6 = 1 ### put interface name here [interface]
net.ipv6.conf.default.disable_ipv6 = 1

 Vi memo

Apart from basic commands, the following are almost the only commands that are worth memorizing:

delete a block of text: go to the beginning, press ma(mark a), go to the end, press d`a(delete to mark a).

delete newline: press J(joint two lines together)

show line number. :set nu(mber). Hide line number:set nu!

replace all occurrences of text:%s/foo/bar/g

How to remove items from a list that are in another list?

comm -13 <(sort file1) <(sort file2) > file3

This command removes the entries from file2 that are in file1 and saves the result to file3.

How to grep specific type of files in all subdirs?

You may want to use “grep -r pattern *.c” to grep pattern in *.c files under all sub-directories. Unfortunately, you may get the error “grep: *.c: No such file or directory”. This is because when *.c is expanded, no matched file is found in current directory. To grep a pattern in files with some extension in all sub-folders, you need to use:

grep -r pattern –include=\*.c *


grep -r pattern –include=\*.c

Without specifying a search directory, the current dir will be used to search. Here is an example”

grep -r ‘[_$]print(‘ –include=\*.php .

which is to search “print(” in all php files under all sub-folders.

How to execute php code on command line?

php -r ‘print_r(split(“,”,”hi,bye”));’

This is useful to check whether your php version supports certain function.

 How to delete files larger than specific size?

find -type f -size +500k -delete

Note k is not capitalized. This is to delete files in current directory that are bigger than 500k(bytes). +1M is for files larger than 1 M(bytes).


Posted in tips of hosting

Leave a Reply