25 Bash Scripts Every Linux Sysadmin Needs

The most reliable outage prevention on a Linux server is a simple threshold check running on cron. This one-liner reads every mounted filesystem and prints any that have crossed the 80% mark. At 80% you still have hours or days to respond. Pipe the output to mail and you have an email alert. Pair it with find-large-files-linux and you have a complete disk triage workflow.

The full script adds a configurable threshold (default 80%), hostname identification for servers where you run the same script on multiple machines, and a clean crontab entry that fires daily at 7am.

When disk-space-warning fires, the next question is always: what grew? This command answers it in seconds. du -ah walks every file and directory under the target path, calculates sizes in human-readable format, and sort -rh puts the largest items at the top. The head -20 limits output to the top 20 candidates worth investigating.

On a typical server, the culprits are application logs, database dump files, old Docker layers, and downloaded archive files that were never cleaned up. The full script adds exclusion patterns for /proc and /sys, which contain virtual filesystems that can produce misleading sizes.

Log growth is almost always the first thing to prune when a disk starts filling. Application logs, nginx access logs, systemd journal dumps — on a server that has been running for a year without rotation configured correctly, /var/log can hold tens of gigabytes of files you have already read and will never need again.

This command finds every .log file under /var/log that was last modified more than 30 days ago and deletes it. The -mtime +30 flag means "more than 30 days ago" — the + prefix is easy to misread and important to get right. The full script includes a --dry-run flag that prints what would be deleted without touching anything.

This script uses md5sum to generate a checksum for every file under a target path, then groups files with identical checksums. The uniq -w32 -D flag matches on the first 32 characters of each line — the MD5 hash — and prints all duplicate lines. On a shared server or a machine used for development work, the space reclaimed from forgotten duplicates is often several gigabytes.

The full script adds directory-level comparison, a human-readable output format that groups each duplicate set, and a total bytes-wasted summary so you know whether the cleanup is worth the time before you commit to it.

Every Docker-based deployment leaves behind a layer of accumulated debris. Stopped containers that were never removed. Intermediate build layers from images that have since been replaced. Volumes from services that no longer exist. On an active CI server or deployment host, this can reach 20–40GB within a month of operation without any action on your part.

This command first shows you the current state with docker system df so you know what you are about to reclaim, then removes all images that have not been used in the last 30 days. The --filter "until=720h" flag is the key safety valve — it preserves images actively in use while clearing the historical accumulation. The full script adds volume pruning with a separate confirmation step and a before/after disk usage report.

This command creates a compressed .tar.gz archive of the target directory with today's date embedded in the filename. The $(date +%Y%m%d)substitution runs at execution time, so every cron invocation produces a distinct archive — 20260606_backup.tar.gz, 20260607_backup.tar.gz, and so on. Without a retention policy, these archives accumulate until the backup volume fills.

The full script adds automatic rotation — archives older than a configurable number of days are deleted at the end of each run — and a verification step using tar -tzf to confirm the archive is not corrupt before the old one is removed.

mysqldump --all-databases produces a SQL dump of every database in the MySQL instance. Redirect it to a timestamped file and you have a recoverable point-in-time backup. This is the minimum viable database backup — one command, one output file, scheduled on cron at 2am before the morning deployment window.

The full script handles credential management via .my.cnf so passwords never appear in the process list, compresses output with gzip to reduce storage, rotates old dumps automatically, and verifies the dump file is non-empty before completing — so a silent failure writes a zero-byte file that is immediately detectable rather than a missing file you only notice at restore time.

rsync over SSH is the most practical incremental backup mechanism available without installing additional software. The -avz flags enable archive mode (preserves permissions, timestamps, symlinks), verbose output for the log, and compression for the transfer. The --delete flag mirrors deletions to the remote, keeping the backup in sync rather than accumulating stale files. Only changed files transfer on each run, making subsequent backups fast even for large directories.

The full script adds a --dry-run flag for testing, exclude patterns for cache directories and temporary files, and a cron-ready invocation that logs transfer statistics to a dedicated file for weekly review.

This is the minimal service watchdog. systemctl is-active --quiet returns exit code 0 if the service is running and non-zero if it is not. The ||operator runs the restart only when the check fails. Put this on a 5-minute cron and your maximum undetected downtime drops from "until someone notices" to 5 minutes.

The full script handles multiple services in a loop, sends an email alert on each restart event so you know the service crashed even if it recovered, and logs every restart with a timestamp for post-incident review. The log is how you notice that nginx is restarting three times a day because of a memory leak — which a naked watchdog loop would mask by restarting it before anyone sees a symptom.

pkill -f sends SIGTERM to every process whose full command line matches the pattern, giving the process a chance to clean up. The || chain falls through to kill -9 only if the graceful kill produced no running process to terminate. This two-stage approach avoids data corruption from hard kills when a graceful kill would work, while still handling processes that ignoreSIGTERM.

The full script adds a safety confirmation prompt before killing, a pgrep -apreview showing what would be killed before execution, and a post-kill verification check to confirm the process is no longer running.

lsof -ti returns only the PID of the process holding the specified port — no headers, no formatting, just the number. xargs -r kill passes that PID to kill, with -r preventing an error if the output is empty (the port was already free). One command, one port freed, no need to look up the PID manually first.

The full script adds SIGTERM followed by a brief wait and then SIGKILLif the process hasn't exited, supports UDP ports in addition to TCP, and works on systems where lsof is not available by falling back to ss and/proc.

This awk expression reads /proc/meminfo directly — no external tools, works on every Linux kernel — and calculates used memory as a percentage of total. The same approach works for CPU utilization by reading /proc/statacross two samples with a sleep interval. Both metrics are available without top, htop, or any interactive tool that would block a cron job.

The full script checks both CPU and memory against configurable thresholds, logs each reading with a timestamp to a file you can tail -f during an incident, and sends an email alert when either metric crosses the threshold. A week of this log gives you a baseline — anything that deviates from baseline is worth investigating before it becomes a crash.

This compound command chains the five most useful system overview commands with&&: kernel version and hostname from uname -a, uptime and load averages, memory consumption from free -h, disk usage across all filesystems from df -h, and the top 5 memory consumers from ps aux. All of this fits in a single terminal screen.

The full script formats each section with a labeled header so the output is readable at a glance, adds IP address information from ip addr, and can be added to/etc/profile.d/ so it runs automatically on every SSH login — giving you an instant snapshot of server health without any manual commands.

curl -s -o /dev/null -w "%{http_code}" makes an HTTP request and prints only the response status code — discarding the response body, suppressing progress output, and returning in under a second on a live connection. A 200 means the site is responding. Anything else — 5xx, connection refused, or no response — means it is not.

The full script wraps this in a loop with configurable retry logic (3 attempts with a 10-second interval before declaring the site down), sends an email alert with the HTTP status code on failure, and supports HTTPS with certificate validation. Run it on cron every 5 minutes and your average time-to-detection for an outage drops from "whenever a user reports it" to 5 minutes maximum.

ss -tlnp lists every TCP socket in the LISTEN state with the process name and PID that owns each socket. The flags: -t for TCP only, -l for listening sockets only, -n for numeric output (faster, no DNS resolution),-p for process information. This is the first command to run on any server you inherit or haven't reviewed recently.

Unexpected entries in this output are how you find: a debug server left running from a deployment, a database port accidentally exposed to 0.0.0.0 instead of 127.0.0.1, a crypto miner that opened a listener, or a misconfigured application binding to a port that conflicts with production. The full script adds UDP sockets, cross-references output against a known-good baseline, and flags any new listeners that appeared since the last audit.

This two-command sequence generates an ed25519 key pair — the current recommended algorithm, smaller and faster than RSA-4096 with equivalent security — and copies the public key to the authorized_keys file on the remote server using ssh-copy-id, which handles the correct permissions and file format automatically. After this runs, you can disable password authentication in /etc/ssh/sshd_config and eliminate the brute-force attack surface entirely.

The full script verifies the key was installed correctly by attempting an authentication test, checks that ~/.ssh has the correct permissions (700), that authorized_keys has 600, and outputs a checklist of recommendedsshd_config hardening settings to apply after key authentication is confirmed working.

find /var/www -type f -perm /o=w locates every file under the web root where the "other" permission class has write access. -exec chmod o-w {} \;strips that write bit from each match. This handles the most dangerous permission state in a web root: a file that any local process or exploited web application can overwrite. Run this weekly, and any deployment that accidentally sets wrong permissions gets corrected before it becomes an exposure window.

The full script also audits SSH directory permissions (700 for ~/.ssh, 600 for authorized_keys and private keys), finds configuration files readable by non-root users, and produces a permission audit report with each finding labeled by severity.

This command connects to the live server, reads the certificate it presents — not the one stored on disk, but the one actually served to browsers — and prints its expiry date. The key word is "live": this catches the scenario where the certificate on disk was renewed but nginx was never reloaded to serve the new one, a failure mode that certbot hooks don't always prevent.

The full script calculates days remaining until expiry, fires an alert at 30 days and again at 7 days, supports multiple domains in a single run, and produces output formatted for cron log review: [OK] example.com expires in 84 daysor [WARN] example.com expires in 12 days. Set it on a weekly cron and you will never again discover certificate expiry from a browser error.

Every monitoring script on this list becomes significantly more useful when it can notify you rather than waiting for you to check a log file. This one-liner sends a plain text email using the system mail infrastructure — on most servers, eithersendmail or postfix with a local relay. The $(hostname)substitution in the subject line identifies which server sent the alert when you are managing multiple machines.

The full script handles both sendmail and msmtp (for servers without a local MTA), provides a template for the alert body that includes timestamp, hostname, and the specific metric that triggered the alert, and can be sourced as a function by other scripts — so every monitoring script in your toolkit can call send_alert as a single line.

set -euo pipefail is the single most important line in any production bash script. -e exits immediately if any command returns a non-zero exit code.-u treats unset variables as errors rather than expanding them to empty strings. -o pipefail makes a pipeline fail if any stage fails, not just the last one. Without these three flags, a script that encounters a disk-full error partway through a backup continues running and reports success.

The trap line registers an error handler that fires on any unexpected exit, printing the line number where the failure occurred and exiting with a non-zero code that cron can detect. The full script adds a cleanup trap for temporary files, a logging function that timestamps every operation, and a pattern for graceful error messages that distinguish between expected failures and unexpected ones.

The [[ ]] construct is bash's extended test command — more reliable than [ ] for string testing, supports regex matching with =~, and handles empty string edge cases correctly. The :- parameter expansion provides a default value for potentially unset variables, preventing the -u flag from triggering an unbound variable error. This pattern — test a variable defensively, provide a default — appears in nearly every production bash script.

The full reference covers string testing, numeric comparison with -eq/-lt/-gtvs. arithmetic context, file existence and type checks, exit code testing, and the five most common mistakes beginners make with bash conditionals and the specific output those mistakes produce.

$(date +%Y-%m-%d) expands to the current date in ISO 8601 format at the moment of execution — 2026-06-06, for example. Combined with mkdir -p(which creates intermediate directories and doesn't error if the target already exists), this produces a uniquely named directory for every day the script runs. The pattern appears in every backup and archiving script in this collection.

The full script covers alternative date formats for different use cases (%Y%m%d for sortable filenames, %Y-%m-%dT%H%M%S for second-precision timestamps when multiple runs per day are possible), and includes a function that creates both the dated directory and a latest symlink pointing to the most recent run.

grep -rn searches recursively through every file under the target path and prints matching lines with filename and line number. The --include="*.conf"filter limits results to files with the specified extension — removing that flag searches all file types, which is useful when you don't know which file type contains the value you're hunting for. Add -i for case-insensitive matching and -l to list only filenames rather than matching lines.

The full reference demonstrates the four most common grep variations for sysadmin work: finding all references to an IP address across config files, searching for a specific error pattern in log files within a date range, inverting a match to find lines that don't contain a required string, and displaying N lines of context around each match with -B and -A.

jq is the standard tool for processing JSON in bash scripts. It handles nested objects, arrays, and type conversions that would require dozens of lines of fragile sed/awk to replicate. The naive version shown here extracts a top-level field — the full script covers filtering arrays, transforming output format, handling null values safely, and piping API responses directly from curl into jq for single-command data extraction.

The naive retry loop — until command; do sleep 5; done — has no maximum attempt count, which means a permanently failing command runs forever. The full script adds configurable attempt limits, exponential backoff (doubling the sleep interval on each retry to avoid thundering herd against a recovering service), a maximum wait cap, and a final exit with a non-zero code when all attempts are exhausted. This pattern belongs in every deployment script that makes network calls.