
Finding files on Linux with the find command

A practical cheat sheet for searching files on Linux servers

The find command is one of the most useful Linux tools for VPS administration: it helps you locate files by name, size, time, owner, permissions, and even content—then perform safe actions (move, chmod, archive, delete) on the results.

If you manage a website, mail server, or any application on a Linux VPS, mastering find will save you hours during incidents: “Where did the disk space go?”, “Which files changed last night?”, “Which folders have unsafe permissions?”


find vs locate vs grep: choose the right tool

Many “search” tasks are solved faster with the right command:

Tool   | Best for                                          | Key detail
find   | Precise file search + actions (delete/move/chmod) | Walks directories in real time
locate | Instant filename search                           | Uses an index (may be outdated)
grep   | Search inside files by content                    | Often paired with find (-exec grep)

General syntax and how find evaluates expressions

find <where-to-look> <tests-and-actions>

Where to look is a directory path. Use . for the current directory. Tests decide what matches (name, type, time, owner, permissions). Actions decide what to do with matches (print, exec, delete).

Important behavior: find evaluates the expression from left to right, and the implicit AND between adjacent tests binds more tightly than -o (OR). When you combine conditions with AND/OR, use parentheses (escaped in the shell) to avoid surprises.

# Example: (A OR B) AND type file
find . \( -name "*.log" -o -name "*.txt" \) -type f

Most useful find recipes (copy/paste ready)

1) Search by name (case-sensitive and insensitive)

# Exact name
find /var/www -name "wp-config.php"

# Pattern (all .tmp files)
find / -name "*.tmp"

# Case-insensitive
find /home -iname "*.JPG"

Tip: always quote patterns like "*.tmp" so your shell doesn’t expand them too early.

2) Search by type (files, directories, symlinks)

# Files only
find . -type f

# Directories only
find . -type d

# Symlinks
find /etc -type l

3) Search by size (find what eats disk on a VPS)

# Files larger than 1 GB
find / -type f -size +1G

# Files smaller than 10 KB
find /var/www -type f -size -10k

On production servers, avoid scanning the entire filesystem unless needed. Start with likely hotspots: /var/log, /var/lib, /home, /tmp, and your project directory.

4) Search by time (mtime, mmin, newer)

Time flags are extremely useful for incident response and cleanup:

# Files modified more than 60 days ago
find /var/log -type f -mtime +60

# Files modified in the last 30 minutes
find /var/www -type f -mmin -30

# Files modified between 10 and 20 minutes ago
find /var/www -type f -mmin +10 -mmin -20

Tip: -mtime is in days. -mmin is in minutes. For suspicious activity on a VPS, -mmin is often more practical.
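
The heading above names -newer, which compares against a reference file's mtime instead of a relative age. The following is an added example, not part of the original article: it brackets an absolute time window with two reference files. The file names, timestamps, and the helper names make_webroot and changed_between are constructed for illustration.

```shell
#!/bin/sh
# Constructed web root (sample data); mtimes are set explicitly with touch -t (YYYYMMDDhhmm).
make_webroot() {
    web=$(mktemp -d) || return 1
    touch -t 202401010900 "$web/index.php"      # before the window
    touch -t 202401021530 "$web/wp-login.php"   # inside the window
    touch -t 202401022200 "$web/cache.php"      # inside the window
    touch -t 202401040800 "$web/style.css"      # after the window
    printf '%s\n' "$web"
}

# List regular files with START < mtime <= END.
# The reference files carry the boundary timestamps and live outside the
# searched tree, so they never show up in the results.
# usage: changed_between DIR START END   (stamps as YYYYMMDDhhmm)
changed_between() {
    ref=$(mktemp -d) || return 1
    touch -t "$2" "$ref/start"
    touch -t "$3" "$ref/end"
    find "$1" -type f -newer "$ref/start" ! -newer "$ref/end" -print | sort
    rm -rf "$ref"
}

# Demo: which files changed on 2 January 2024 (local time)?
webroot=$(make_webroot)
changed_between "$webroot" 202401020000 202401030000
rm -rf "$webroot"
```

Unlike -mmin, the window does not drift as time passes, so the same command gives the same answer when re-run later in an investigation.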

5) Search by owner and group (useful for web roots)

# Files owned by a user
find /var/www -type f -user www-data

# Files owned by a group
find /var/www -type f -group www-data

6) Search by permissions (security and hardening)

These checks are common during Linux security reviews:

# World-writable files (potential risk)
find /var/www -type f -perm -0002

# Directories with 777 (almost always a mistake)
find /var/www -type d -perm 0777

# Files readable/writable by everyone
find / -type f -perm 0666

If you run business services (WordPress, mail server, dashboards) on a VPS, permission hygiene is part of basic security hardening.
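
The recipes above mix two matching modes: -perm 0777 and -perm 0666 match the mode exactly, while -perm -0002 matches any mode that has the world-write bit set. The following is an added example, not part of the original article: it runs both modes over a constructed tree to show which world-writable entries the exact form skips. The paths, modes, and helper names are made up for illustration.

```shell
#!/bin/sh
# Build a constructed web-root tree with known modes (sample data, not a real server).
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir "$root/uploads" "$root/cache" "$root/shared"
    : > "$root/index.php"
    : > "$root/uploads/form.php"
    : > "$root/cache/run.sh"
    chmod 0644 "$root/index.php"          # normal file
    chmod 0666 "$root/uploads/form.php"   # world-writable file
    chmod 0777 "$root/cache/run.sh"       # world-writable and executable file
    chmod 0755 "$root/cache"              # normal directory
    chmod 0777 "$root/uploads"            # world-writable directory
    chmod 1777 "$root/shared"             # world-writable directory with sticky bit
    printf '%s\n' "$root"
}

# Exact match (-perm MODE): every permission bit must equal MODE.
# usage: count_exact DIR TYPE MODE
count_exact() { find "$1" -type "$2" -perm "$3" | wc -l | tr -d ' '; }

# "All of these bits set" (-perm -MODE): the remaining bits are ignored.
# usage: count_at_least DIR TYPE MODE
count_at_least() { find "$1" -type "$2" -perm "-$3" | wc -l | tr -d ' '; }

tree=$(make_sample_tree)
echo "dirs,  exact 0777:  $(count_exact "$tree" d 0777)"     # uploads only
echo "dirs,  bits  -0002: $(count_at_least "$tree" d 0002)"  # uploads and shared
echo "files, exact 0666:  $(count_exact "$tree" f 0666)"     # form.php only
echo "files, bits  -0002: $(count_at_least "$tree" f 0002)"  # form.php and run.sh
rm -rf "$tree"
```

For an audit, the -0002 form is the one that answers "who can write here"; the exact forms are useful only when you are looking for one specific mode.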

7) Search by content (find + grep)

To search inside files, combine find with grep. This is common when hunting secrets, config flags, or suspicious injections.

# Search for a string inside all .conf files
find /etc -type f -name "*.conf" -exec grep -Hn "listen" {} \;

# Case-insensitive search inside PHP files (project folder)
find /var/www/project -type f -name "*.php" -exec grep -Hin "base64_decode" {} \;

Performance tips for large VPS filesystems

  • Limit depth to avoid expensive recursion: -maxdepth and -mindepth.
  • Stay on one filesystem to avoid mounted volumes: -xdev.
  • Exclude directories using -prune (great for node_modules, cache, backups).
  • Use -print0 + xargs -0 for safe handling of spaces/newlines in filenames.

# Exclude node_modules and vendor directories
# (match the directory itself so find never descends into it)
find /var/www/project \
  \( -path "*/node_modules" -o -path "*/vendor" \) -prune -o \
  -type f -name "*.log" -print
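
The -print0 + xargs -0 tip matters most for the content searches in recipe 7. The following is an added example, not part of the original article: it runs the same scan with newline-delimited and NUL-delimited names over a constructed project where the only match sits in a file with a space in its name. The file names, contents, and helper names are made up for illustration.

```shell
#!/bin/sh
# Constructed project tree (sample data): the match in app/ is in a file
# whose name contains a space; vendor/ holds third-party code to be skipped.
make_project() {
    proj=$(mktemp -d) || return 1
    mkdir -p "$proj/app" "$proj/vendor/lib"
    printf '<?php echo "ok";\n' > "$proj/app/index.php"
    printf '<?php eval(base64_decode($x));\n' > "$proj/app/old upload.php"
    printf '<?php base64_decode($token);\n' > "$proj/vendor/lib/jwt.php"
    printf '%s\n' "$proj"
}

# Newline-delimited names: xargs splits on whitespace, so "old upload.php"
# reaches grep as two paths that do not exist and the match is lost.
scan_naive() {
    find "$1" -path "*/vendor" -prune -o -type f -name "*.php" -print |
        xargs grep -l "base64_decode" 2>/dev/null | wc -l | tr -d ' '
}

# NUL-delimited names: each path reaches grep intact, whatever it contains.
scan_safe() {
    find "$1" -path "*/vendor" -prune -o -type f -name "*.php" -print0 |
        xargs -0 grep -l "base64_decode" | wc -l | tr -d ' '
}

proj_dir=$(make_project)
echo "naive scan: $(scan_naive "$proj_dir") file(s) flagged"
echo "safe scan:  $(scan_safe "$proj_dir") file(s) flagged"
rm -rf "$proj_dir"
```

The naive scan reports nothing and gives no sign that it skipped a file, which is why the NUL-delimited form (or -exec grep ... {} +) is the one to use in security sweeps.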

Actions on found objects: -exec, -ok, -delete (use carefully)

The most powerful part of find is automation. But with great power comes “oops, I deleted production”. Use a safe workflow:

  1. Run the search with -print first and review output.
  2. Then run an action with confirmation (-ok) or log results.
  3. Only then use -delete for safe, well-tested patterns.

# SAFE: show what would be removed first
find /tmp -type f -mtime +14 -print

# Semi-safe: ask before executing
find /tmp -type f -mtime +14 -ok rm -f {} \;

# Fast but risky: delete immediately (use only when confident)
find /tmp -type f -mtime +14 -delete

Pro tip: prefer -exec ... {} + (plus) when possible—it’s more efficient than running a command once per file.

Automation example: scheduled cleanup with cron

A classic VPS task: keep temporary folders from growing forever. Schedule a nightly cleanup:

crontab -e

# Remove files older than 14 days from /tmp daily at 00:00
0 0 * * * /usr/bin/find /tmp -type f -mtime +14 -delete

Use the full path to find (check with which find) and always start with a -print dry run on a test folder.

Common mistakes and how to avoid them

  • Forgetting quotes around *.log: your shell expands it incorrectly. Fix: use "*.log".
  • Running find from / by default: slow and noisy. Fix: target the right directory first.
  • Using -delete too early: accidental data loss. Fix: review output with -print first.
  • Misunderstanding time flags: -mtime is days, not hours. Fix: use -mmin for short windows.
  • Breaking logic precedence with OR/AND. Fix: group with \( ... \).

Why this matters for VPS administration

On a Linux VPS, find is a daily driver: investigate disk usage, clean old files, locate configs, and perform security checks. Combined with monitoring tools (like Zabbix), it becomes an incident response toolkit you can trust.
