Mastering the Linux Command Line: 18 Real-World Case Studies for DevOps and Sysadmins

2025-12-05 · Benja

A 100% professional, practical guide for Debian/Ubuntu (2025) with ready-to-use commands. Try them in a test environment first and see how they behave there before using them in production.

At 3:14 AM the disk is at 99%, alerts won’t stop, and the client is breathing down your neck.
At that moment it doesn’t matter how many GUIs you know: what saves the day is the terminal.

This guide brings together 18 real production scenarios covering 95% of daily tasks on Debian/Ubuntu servers. All commands are tested, optimized, and ready to copy-paste.

Golden rule: never run any of this directly in production. Always test first in a lab, container, or virtual machine.

Quick lab (choose one)

# Ultra-fast option
docker run -it --rm debian:bookworm bash

# Persistent option
# qemu-img is shipped in qemu-utils (qemu-guest-agent is the in-guest agent, not the image tool)
sudo apt install -y qemu-utils cloud-image-utils
qemu-img create -f qcow2 lab.img 20G

Real Cases Organized by Scenario

Section 1: Emergencies and Immediate Diagnostics

Case 1 – The disk is full NOW: find the culprits in < 10 seconds

# The 15 files/directories that use the most space
du -ahx / 2>/dev/null | sort -hr | head -15

# Only files > 500 MB, ordered by size
find / -type f -size +500M -printf '%s %p\n' 2>/dev/null | sort -nr | head -20

# Interactive version (highly recommended)
sudo apt install -y ncdu && ncdu /

Case 2 – SSH brute-force attack in progress: quick detection and blocking

# Top 10 attacking IPs (last 10,000 lines)
# The source IP is the 4th field from the end ("... from IP port N ssh2");
# on "invalid user" lines field 11 is the attacker-chosen username, not the IP
tail -10000 /var/log/auth.log | grep "Failed password" | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | head -10

# Immediate blocking with iptables (persistent with iptables-persistent)
for ip in $(tail -10000 /var/log/auth.log | grep "Failed password" | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | awk '$1>20{print $2}'); do
    iptables -A INPUT -s "$ip" -j DROP
done

# Modern alternative with ufw (203.0.113.45 is a documentation address; use the offending IP)
ufw insert 1 deny from 203.0.113.45
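
The count-and-threshold step above, as an added example (not part of the original post): on "invalid user" lines the username is attacker-chosen and sits where a fixed position such as $11 reads, so the hardened function counts from the end of the line, checks IPv4 syntax and skips an allowlist. Function names, log lines and addresses are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Log lines are constructed; addresses are documentation ranges.
sample_auth_log() {
  cat <<'EOF'
Dec  5 03:14:01 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51122 ssh2
Dec  5 03:14:03 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51122 ssh2
Dec  5 03:14:05 web01 sshd[4121]: Failed password for root from 203.0.113.7 port 51122 ssh2
Dec  5 03:14:06 web01 sshd[4130]: Failed password for invalid user 10.0.0.1 from 198.51.100.9 port 40022 ssh2
Dec  5 03:14:07 web01 sshd[4130]: Failed password for invalid user 10.0.0.1 from 198.51.100.9 port 40022 ssh2
Dec  5 03:14:08 web01 sshd[4130]: Failed password for invalid user 10.0.0.1 from 198.51.100.9 port 40022 ssh2
Dec  5 03:14:20 web01 sshd[4140]: Failed password for deploy from 192.0.2.10 port 50001 ssh2
Dec  5 03:14:22 web01 sshd[4140]: Failed password for deploy from 192.0.2.10 port 50001 ssh2
Dec  5 03:14:24 web01 sshd[4140]: Failed password for deploy from 192.0.2.10 port 50001 ssh2
Dec  5 03:14:30 web01 sshd[4150]: Failed password for admin from 198.51.100.20 port 33000 ssh2
Dec  5 03:15:10 web01 myapp[900]: Failed password check for api client
EOF
}

# Fixed-position parsing: on "invalid user" lines field 11 is the username.
naive_candidates() {   # usage: naive_candidates MIN < auth.log
  grep "Failed password" | awk '{print $11}' | sort | uniq -c |
    awk -v min="$1" '$1 > min {print $2}'
}

# Hardened: sshd lines only, IP counted from the end of the line, IPv4 syntax
# checked, allowlisted addresses never emitted. IPv6 sources are skipped here.
block_candidates() {   # usage: block_candidates MIN [ALLOWED_IP...] < auth.log
  local min="$1"; shift
  awk -v min="$min" -v allow=" $* " '
    NF > 3 && /sshd(-session)?\[[0-9]+\]: Failed password/ {
      ip = $(NF-3); ok = (split(ip, o, ".") == 4)
      for (i = 1; ok && i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
      if (ok) hits[ip]++
    }
    END {
      for (ip in hits)
        if (hits[ip] > min && index(allow, " " ip " ") == 0) print ip
    }' | sort
}

echo "naive:";    sample_auth_log | naive_candidates 2
echo "hardened:"; sample_auth_log | block_candidates 2 192.0.2.10
```

On the sample, the naive version proposes blocking 10.0.0.1 (a username) and the admin's own 192.0.2.10, and never sees 198.51.100.9.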

Case 3 – Application down: follow logs in real time with color highlighting

tail -f /var/log/apache2/error.log /var/log/nginx/error.log /var/log/myapp/*.log | grep --color=always -i -E "error|warn|fatal|exception|php|trace"

Section 2: Advanced Search and Filtering

Case 4 – Find hardcoded credentials across all code

find /var/www /opt/apps -type f \( -name "*.php" -o -name "*.py" -o -name "*.env" -o -name "*.yml" \) \
  -exec grep -l -i -E "pass|pwd|secret|token|key|database.*password" {} \; 2>/dev/null

Case 5 – Abandoned temporary files (> 30 days)

# List only (dry run)
find /tmp /var/tmp -type f -mtime +30 -ls

# Real deletion (careful!)
find /tmp /var/tmp -type f -mtime +30 -delete

Case 6 – Users with active shells and no expired password

# Match on the login-shell field only, so a user name like "bashful" is not picked up
awk -F: '$7 ~ /\/(bash|zsh|fish)$/ {print $1}' /etc/passwd | xargs -I{} sudo chage -l {}

Section 3: Automation and Smart Maintenance

Case 7 – Professional automatic cleanup with per-directory policies

#!/usr/bin/env bash
# /usr/local/sbin/smart-cleanup.sh
set -euo pipefail

# Format: "path-or-glob:max-age-in-days"
POLICIES=(
  "/tmp:3"
  "/var/cache/apt/archives:60"
  "/var/log:14"
  "/home/*/.cache:90"
  "/var/backups:180"
)

for policy in "${POLICIES[@]}"; do
  pattern="${policy%:*}"
  days="${policy#*:}"
  # $pattern is left unquoted on purpose so globs such as /home/*/.cache expand
  for dir in $pattern; do
    [ -d "$dir" ] || continue
    echo "Cleaning $dir (files +$days days old)"
    find "$dir" -type f -mtime +"$days" -print -delete 2>/dev/null || true
  done
done

# Empty directories
find /tmp /var/tmp -mindepth 1 -type d -empty -delete

Run nightly:

0 3 * * * /usr/local/sbin/smart-cleanup.sh >> /var/log/cleanup.log 2>&1

Case 8 – Daily executive report in Markdown + email delivery

#!/usr/bin/env bash
# mktemp avoids a predictable file name in world-writable /tmp
REPORT="$(mktemp "/tmp/health-report-$(date +%Y%m%d)-XXXXXX.md")"

cat > "$REPORT" <<EOF
# System Health Report $(hostname) - $(date +'%d/%m/%Y')

## Disk Usage
$(df -h / /var /home)

## Top 10 CPU/Mem Processes
$(ps aux --sort=-%cpu | head -11)

## Errors in the last 7 days
$(journalctl --since "7 days ago" | grep -i -E "error|fail|fatal|oom" | tail -20)

## Files > 1 GB
$(find / -type f -size +1G -ls 2>/dev/null | head -10)
EOF

mail -s "Report $(hostname)" admin@empresa.com < "$REPORT"

Section 4: Security and Hardening

Case 9 – SUID/SGID audit (dangerous)

# Binaries that run as their owner (SUID; usually root)
find / -type f -perm -4000 -ls 2>/dev/null | sort

# Binaries that run as their owning group
find / -type f -perm -2000 -ls 2>/dev/null | sort
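
A listing only becomes an audit when it is compared with a reviewed known-good state. Added example (not from the original post), assuming GNU find, stat and sha256sum; the function names and the lab directory are hypothetical:

```shell
#!/usr/bin/env bash
# Added example: SUID/SGID audit against a reviewed baseline.

# One line per SUID/SGID file: "<mode> <owner:group> <sha256> <path>", sorted.
snapshot_privileged() {   # usage: snapshot_privileged ROOT...
  find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
    for f; do
      printf "%s %s %s\n" "$(stat -c "%a %U:%G" "$f")" \
        "$(sha256sum < "$f" | cut -d" " -f1)" "$f"
    done' sh {} + 2>/dev/null | LC_ALL=C sort
}

# Compare a saved snapshot with the current state. A replaced binary shows up
# as REMOVED (old hash) plus ADDED (new hash) for the same path.
privileged_drift() {      # usage: privileged_drift BASELINE_FILE ROOT...
  local baseline="$1" old now; shift
  old="$(mktemp)" && now="$(mktemp)" || return 1
  LC_ALL=C sort "$baseline" > "$old"
  snapshot_privileged "$@" > "$now"
  LC_ALL=C comm -13 "$old" "$now" | sed 's/^/ADDED   /'
  LC_ALL=C comm -23 "$old" "$now" | sed 's/^/REMOVED /'
  rm -f "$old" "$now"
}

# Demo on a constructed directory (no real system binaries are touched).
run_demo() {
  local lab; lab="$(mktemp -d)" || return 1
  printf 'v1\n' > "$lab/tool-a"; chmod 4755 "$lab/tool-a"
  printf 'plain\n' > "$lab/notes.txt"
  snapshot_privileged "$lab" > "$lab/baseline.txt"        # reviewed known-good state
  printf 'v2\n' > "$lab/tool-a"; chmod 4755 "$lab/tool-a" # same path, new content
  printf 'x\n'  > "$lab/tool-b"; chmod 4755 "$lab/tool-b" # new SUID file
  privileged_drift "$lab/baseline.txt" "$lab" | sed "s|$lab/||"
  rm -rf "$lab"
}
run_demo
```

On a real host, store the baseline outside the audited tree (for example on read-only media) so it cannot be rewritten together with the binaries.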

Case 10 – ACLs for granular access without touching groups

# Read-only for analyst in reports directory
sudo setfacl -R -m u:analista:r-X /srv/reportes
sudo setfacl -R -m d:u:analista:r-X /srv/reportes  # inheritance

# Verify
getfacl /srv/reportes

Case 11 – Force immediate password change (new employee)

sudo chage -d 0 nuevo_usuario

Section 5: Log Analysis and Business Intelligence

Case 12 – Top 20 IPs + most visited pages (NGINX/Apache)

awk '{print $1}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -20
awk '{print $7}' /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -20

Case 13 – Slow SQL queries (> 2 seconds) in PostgreSQL

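# The value follows the "duration:" token; its field number depends on log_line_prefix
grep "duration:" /var/log/postgresql/postgresql*.log | \
  awk '{for (i = 1; i < NF; i++) if ($i == "duration:" && $(i+1) + 0 > 2000) {print; break}}' | tail -50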

Quick Reference Table (Save it in your ~/.bashrc)

# Add this to your ~/.bashrc or ~/.zshrc
# find -ls prints the size in column 7, so sort on that column
alias bigfiles='find / -type f -size +100M -ls 2>/dev/null | sort -k7,7nr'
alias attackers='tail -10000 /var/log/auth.log | grep "Failed password" | awk "{print \$(NF-3)}" | sort | uniq -c | sort -nr'
alias cleanup='find /tmp -type f -mtime +7 -delete && find /var/tmp -mindepth 1 -empty -delete'
# Parentheses are required so -ls applies to both the SUID and the SGID test
alias sudoers='find / -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null'
alias diskhog='du -shx /* 2>/dev/null | sort -hr | head -15'

Bonus: One-liner to save the day (the famous "nuclear option")

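# Find the processes holding the largest open files on / (bytes, PID, command, path)
lsof -nP / 2>/dev/null | awk 'NR>1 && $5=="REG" {print $7, $2, $1, $9}' | sort -nr | head -5
# After confirming the culprit, kill only that PID: SIGTERM first, SIGKILL if it is still alive
read -r -p "PID to stop: " PID && kill "$PID" && sleep 5 && kill -0 "$PID" 2>/dev/null && kill -9 "$PID"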

Conclusion

These 18 real cases cover everything from nighttime emergencies to compliance audits and business automation. Mastering them turns any Linux server into a predictable, secure, and easy-to-maintain machine.

Save this guide, adapt it, turn it into your own scripts, and above all: practice, practice, practice.

The terminal doesn’t bite. It’s your best ally.

See you in prod.
