在本实验中,我们将探索 Linux 中的 head 命令。这是一个用于预览文本文件开头的强大工具。想象你是一名数字侦探,任务是快速扫描大量文件以寻找关键信息。head 命令将是你得力的放大镜,让你无需打开整个文件就能窥见其开头内容。
我们将模拟一个场景:你正在调查来自一台繁忙 Web 服务器的一组日志文件。你的目标是高效地检查这些日志,以识别潜在问题并获取洞察。通过这个实战练习,你将学会如何有效地使用 head 命令,从而让你的文件探索任务变得更加快速和高效。
让我们从检查一个简单的日志文件开始,以了解 head 的工作原理。
首先,切换到项目目录:
cd /home/labex/project现在,让我们对名为 access.log 的文件使用 head 命令:
head access.log你应该会看到类似如下的输出:
192.168.1.100 - - [01/Jan/2024:00:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234
192.168.1.101 - - [01/Jan/2024:00:00:02 +0000] "GET /style.css HTTP/1.1" 200 567
192.168.1.102 - - [01/Jan/2024:00:00:03 +0000] "GET /logo.png HTTP/1.1" 200 2345
192.168.1.103 - - [01/Jan/2024:00:00:04 +0000] "POST /login HTTP/1.1" 302 -
192.168.1.104 - - [01/Jan/2024:00:00:05 +0000] "GET /dashboard HTTP/1.1" 200 3456
192.168.1.105 - - [01/Jan/2024:00:00:06 +0000] "GET /api/user HTTP/1.1" 200 789
192.168.1.106 - - [01/Jan/2024:00:00:07 +0000] "GET /images/banner.jpg HTTP/1.1" 200 4567
192.168.1.107 - - [01/Jan/2024:00:00:08 +0000] "POST /comment HTTP/1.1" 201 -
192.168.1.108 - - [01/Jan/2024:00:00:09 +0000] "GET /search?q=linux HTTP/1.1" 200 2345
192.168.1.109 - - [01/Jan/2024:00:00:10 +0000] "GET /about HTTP/1.1" 200 1234默认情况下,head 会显示文件的前 10 行。此日志中的每一行代表对 Web 服务器的一次请求,显示了 IP 地址、时间戳、HTTP 方法、请求的资源、状态码以及响应大小。
有时,10 行可能太多或太少。让我们学习如何自定义 head 显示的行数。
要仅查看日志的前 5 行,请使用 -n 选项:
head -n 5 access.log该命令应输出:
192.168.1.100 - - [01/Jan/2024:00:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234
192.168.1.101 - - [01/Jan/2024:00:00:02 +0000] "GET /style.css HTTP/1.1" 200 567
192.168.1.102 - - [01/Jan/2024:00:00:03 +0000] "GET /logo.png HTTP/1.1" 200 2345
192.168.1.103 - - [01/Jan/2024:00:00:04 +0000] "POST /login HTTP/1.1" 302 -
192.168.1.104 - - [01/Jan/2024:00:00:05 +0000] "GET /dashboard HTTP/1.1" 200 3456当你寻找文件开头附近的特定信息,但又不需要看到完整的 10 行时,这个功能特别有用。
作为一名文件侦探,你经常需要快速查看多个文件。head 命令允许你同时查看多个文件的开头。
让我们同时检查 access.log 和 error.log 的开头:
head access.log error.log你应该会看到类似如下的输出:
==> access.log <==
192.168.1.120 - - [01/Jan/2024:00:00:53 +0000] "POST /about HTTP/1.1" 200 7616
192.168.1.147 - - [01/Jan/2024:00:00:45 +0000] "GET /dashboard HTTP/1.1" 200 7348
192.168.1.138 - - [01/Jan/2024:00:00:03 +0000] "DELETE /comment HTTP/1.1" 400 8341
192.168.1.138 - - [01/Jan/2024:00:00:31 +0000] "DELETE /about HTTP/1.1" 200 3254
192.168.1.122 - - [01/Jan/2024:00:00:15 +0000] "PUT /index.html HTTP/1.1" 500 6061
192.168.1.125 - - [01/Jan/2024:00:00:09 +0000] "DELETE /logo.png HTTP/1.1" 301 4916
192.168.1.148 - - [01/Jan/2024:00:00:33 +0000] "POST /admin/dashboard HTTP/1.1" 201 5546
192.168.1.146 - - [01/Jan/2024:00:00:56 +0000] "GET /images/banner.jpg HTTP/1.1" 301 2332
192.168.1.195 - - [01/Jan/2024:00:00:12 +0000] "DELETE /dashboard HTTP/1.1" 404 6740
192.168.1.136 - - [01/Jan/2024:00:00:18 +0000] "GET /login HTTP/1.1" 200 2374
==> error.log <==
[01/Jan/2024:00:01:23 +0000] [error] [client 192.168.1.150] File does not exist: /var/www/html/missing.html
[01/Jan/2024:00:02:34 +0000] [error] [client 192.168.1.151] PHP Parse error: syntax error, unexpected ';' in /var/www/html/index.php on line 30
[01/Jan/2024:00:03:45 +0000] [warn] [client 192.168.1.152] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "sql injection attempt" at REQUEST_URI. [file "/etc/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "50"] [id "942100"] [rev ""] [msg "SQL Injection Attack Detected via libinjection"] [data "Matched Data: SQL injection found within REQUEST_URI: /vulnerable.php?id=1'"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [hostname "example.com"] [uri "/vulnerable.php"] [unique_id "YvKp2H8AAQEAAAxxBGIAAAAC"]
[01/Jan/2024:00:04:56 +0000] [error] [client 192.168.1.153] AH01071: Got error 'PHP message: PHP Fatal error: Uncaught Error: Call to undefined function mysql_connect() in /var/www/html/db.php:15...'
[01/Jan/2024:00:05:67 +0000] [warn] [client 192.168.1.154] ModSecurity: Warning. Matched "Operator \`Ge' with parameter \`5' against variable \`TX:ANOMALY_SCORE' (Value: \`5' ) [file "/etc/modsecurity/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "57"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [hostname "example.com"] [uri "/admin"] [unique_id "YvKp2H8AAQEAAAxxBGIAAAAD"]
[01/Jan/2024:00:06:78 +0000] [error] [client 192.168.1.155] PCE: Can't open perl script "/var/www/html/cgi-bin/printenv": No such file or directory
[01/Jan/2024:00:07:89 +0000] [warn] [client 192.168.1.156] ModSecurity: Access denied with code 403 (phase 2). Matched phrase "directory traversal attempt" at ARGS:file. [file "/etc/modsecurity/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "75"] [id "930110"] [rev ""] [msg "Path Traversal Attack (/../)"] [data "Matched Data: ../ found within ARGS:file: ../../../etc/passwd"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [hostname "example.com"] [uri "/download.php"] [unique_id "YvKp2H8AAQEAAAxxBGIAAAAE"]
[01/Jan/2024:00:08:90 +0000] [error] [client 192.168.1.157] PHP Fatal error: Allowed memory size of 134217728 bytes exhausted (tried to allocate 20480 bytes) in /var/www/html/memory_hog.php on line 10
[01/Jan/2024:00:09:01 +0000] [warn] [client 192.168.1.158] ModSecurity: Warning. Pattern match "(?i:(?:[\s'\"`_''\(\)]*?(?:[\d\w]+[\s'\"`_''\(\)]*?){2,}[\s'\"`_''\(\)]*?(?:having|rongjitest|select|union|where|get_lst))" at ARGS:username. [file "/etc/modsecurity/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "1126"] [id "942480"] [rev ""] [msg "SQL Injection Attack"] [data "Matched Data: union select found within ARGS:username: admin' UNION SELECT password FROM users--"] [severity "CRITICAL"] [ver "OWASP_CRS/3.3.0"] [maturity "0"] [accuracy "0"] [hostname "example.com"] [uri "/login.php"] [unique_id "YvKp2H8AAQEAAAxxBGIAAAAF"]
[01/Jan/2024:00:10:12 +0000] [error] [client 192.168.1.159] AH01797: client denied by server configuration: /var/www/html/restricted/请注意 head 是如何通过标题清晰地分隔每个文件的输出。当你需要快速比较多个文件的开头时,这非常有用。
作为一名熟练的文件侦探,你经常需要组合命令来更有效地过滤和分析数据。head 命令可以很好地与管道配合使用,允许你将其与其他命令链接起来。
假设你想查看 access.log 的前 3 行,但只需要显示时间戳和请求资源的部分。你可以将 cut 命令与 head 结合使用来实现这一点:
cut -d '"' -f2 access.log | head -n 3该命令应输出:
POST /about HTTP/1.1
GET /dashboard HTTP/1.1
DELETE /comment HTTP/1.1以下是该命令的作用:
cut -d '"' -f2 access.log:这会将每一行在引号处进行分割,并选择第二个字段,即包含 HTTP 请求的部分。|:这会将 cut 命令的输出通过管道传递给 head 命令。head -n 3:这会仅显示管道输入的前 3 行。这种组合允许你快速关注日志条目的特定部分,使你的调查更加高效。
现在,让我们将 head 与另一个强大的命令 grep 结合使用,在日志中搜索特定的模式。
假设你收到了关于 /admin 页面异常活动的报告。你想检查访问日志中前几次出现的 /admin 记录:
grep "/admin" access.log | head -n 3该命令应输出类似以下内容:
192.168.1.148 - - [01/Jan/2024:00:00:33 +0000] "POST /admin/dashboard HTTP/1.1" 201 5546
192.168.1.115 - - [01/Jan/2024:00:00:22 +0000] "PUT /admin HTTP/1.1" 302 1113
192.168.1.163 - - [01/Jan/2024:00:00:56 +0000] "POST /admin/dashboard HTTP/1.1" 301 815该命令执行以下操作:
grep "/admin" access.log:在 access.log 文件中搜索包含「/admin」的行。|:将 grep 的输出通过管道传递给 head 命令。head -n 3:仅显示管道输入的前 3 行。这种组合允许你快速锁定日志文件中的相关条目,使你的调查更具针对性和效率。
作为一名文件侦探,你经常会遇到非常大的日志文件。head 命令在快速检查这些文件的开头时特别有用,因为它不需要将整个内容加载到内存中。
让我们通过使用一直在操作的 access.log 文件来模拟处理大文件的场景。我们假装它比实际大得多。
首先,让我们检查文件大小:
ls -lh access.log现在,让我们使用 head 查看前 15 行:
head -n 15 access.log你应该会看到与之前类似的输出,但这次是 15 行而不是 10 行。
在处理超大文件时,head 命令尤其有价值,原因如下:
head 只读取文件的开头,因此即使对于巨大的文件,它也能迅速完成。head 不需要将整个文件加载到内存中。在本实验中,我们探索了 head 命令,这是一个用于快速检查文件开头的强大工具。我们学习了如何:
head 查看文件的前 10 行。-n 选项自定义显示的行数。head 同时检查多个文件。head 与 cut 和 grep 等其他命令结合使用。head 高效地处理大文件。本实验未涵盖的其他 head 参数:
-c:显示文件的前几个字节而不是行数。-q:在检查多个文件时不显示标题。-v:在检查多个文件时始终显示标题。
