If you work in cybersecurity, system administration, or ethical hacking, Linux is your best friend. It’s not just an operating system — it’s a powerful command-line-driven environment that gives you complete control over your systems.

In this guide, I’ll walk you through Linux commands from beginner to advanced, explaining why they’re used, when to use them, and giving real-life professional examples.
1. Beginner-Level Linux Commands 🐧
These are the building blocks. If you’re new to Linux, start here.
1.1 pwd – Print Working Directory
- Why: Shows your current location in the filesystem.
- When: Anytime you’re lost in directories.
- Example: While navigating logs during a security incident, I use pwd to confirm I’m in /var/log/apache2 before running analysis scripts.
pwd
1.2 ls – List Files
- Why: Displays files and directories.
- When: To quickly check what’s in a folder.
- Example: During a penetration test, I use ls -la to check a user’s home directory for a hidden .ssh directory, then look inside it for private keys and authorized_keys entries an attacker may have planted.
ls -la
1.3 cd – Change Directory
- Why: Moves you between folders.
- When: Navigating to configuration or log directories.
- Example: Switching to /etc/nginx to edit the web server configuration (firewall rules live elsewhere; see iptables/ufw in section 3).
cd /etc/nginx
1.4 cat – View File Contents
- Why: Displays file content without opening an editor.
- When: Quickly checking configuration or log files.
- Example: Viewing /etc/passwd to check for suspicious accounts: unexpected users with UID 0, or service accounts that have been given a real login shell.
cat /etc/passwd
1.5 cp & mv – Copy and Move Files
- Why: Manage files efficiently.
- When: Backing up configs before changes.
- Example: Copying nginx.conf before editing so a broken change can be rolled back instead of causing downtime.
cp nginx.conf nginx.conf.bak
mv old_logs/ archive/
2. Intermediate-Level Linux Commands ⚙️
Once you’re comfortable, these commands help you manage processes, permissions, and networking.
2.1 grep – Search Inside Files
- Why: Finds patterns in files.
- When: Searching logs for specific IPs or errors.
- Example: During a brute-force investigation, I search the auth log for a suspect IP. Pass the address with -F (fixed string) or escape the dots: in a regular expression "." matches any character, so a bare 192.168.1.50 would also match 192.168.1.500 or 192x168x1x50.
grep -F "192.168.1.50" /var/log/auth.log
2.2 chmod & chown – Permissions & Ownership
- Why: Control file access.
- When: Securing sensitive files.
- Example: Restricting access to /etc/shadow so only root can read it. Check the distribution’s expected state before tightening: Debian and Ubuntu ship it as 0640 root:shadow so that setgid helpers in the shadow group (unix_chkpwd, which PAM uses for screen lockers and similar) can still verify passwords, while Red Hat-family systems ship it as 0000 root:root. The commands below restore a root-only mode on a system where that is the expected state; compare the current mode and owner with stat first.
chmod 600 /etc/shadow
chown root:root /etc/shadow
2.3 ps & kill – Process Management
- Why: View and terminate processes.
- When: Stopping malicious or runaway processes.
- Example: Killing a suspicious crypto-mining process. A plain grep miner also matches the grep command itself; the [m]iner trick (or pgrep -af miner) avoids that. Before terminating, record what the process is, because /proc/<PID>/exe, cwd and cmdline vanish with it. Send SIGTERM first so the process can exit cleanly, and reserve kill -9 (SIGKILL) for a process that ignores it.
ps aux | grep "[m]iner"
kill 2345
kill -9 2345
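The snapshot-then-terminate sequence described above, written out as an added example (this is not code from the original post). It assumes a Linux host, because it reads the /proc layout, and that you run as root or as the process owner; the sleep at the end is a harmless stand-in for a miner, and the evidence directory name is arbitrary.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Before terminating a suspect
# process, capture the volatile artifacts in /proc that disappear with it.
# Assumes a Linux host (the /proc layout) and that you run as root or as the
# process owner; a live miner's PID would replace the demo PID below.

# preserve_process PID OUTDIR: snapshot /proc/PID into OUTDIR. Returns 1 if PID
# is not running.
preserve_process() {
  local pid="$1" out="$2"
  [ -d "/proc/$pid" ] || return 1
  mkdir -p "$out"
  # cmdline and environ are NUL-separated; translate to spaces/newlines.
  tr '\0' ' '  < "/proc/$pid/cmdline" > "$out/cmdline"
  tr '\0' '\n' < "/proc/$pid/environ" > "$out/environ" 2>/dev/null || true
  # Where the binary came from (a "(deleted)" suffix means it was unlinked from
  # disk after launch, a common miner/dropper trick) and where it is running.
  readlink "/proc/$pid/exe" > "$out/exe_path" 2>/dev/null || true
  readlink "/proc/$pid/cwd" > "$out/cwd" 2>/dev/null || true
  # UID/PPID/state, memory map (loaded libraries, injected regions), open fds.
  cp "/proc/$pid/status" "$out/status"
  cp "/proc/$pid/maps" "$out/maps" 2>/dev/null || true
  ls -l "/proc/$pid/fd" > "$out/fd" 2>/dev/null || true
  # A copy of the executable itself, even if it has been deleted from disk.
  cp "/proc/$pid/exe" "$out/exe.bin" 2>/dev/null || true
  return 0
}

# stop_process PID: SIGTERM first so the process can exit cleanly, SIGKILL only
# if it is still alive a second later. Returns 1 if PID could not be signalled.
stop_process() {
  local pid="$1"
  kill -TERM "$pid" 2>/dev/null || return 1
  sleep 1
  if kill -0 "$pid" 2>/dev/null; then
    kill -KILL "$pid" 2>/dev/null || true
  fi
  return 0
}

# Stand-alone demo on a harmless background process (constructed stand-in for
# a miner). On a real incident: preserve_process "$(pgrep -o miner)" /root/ir
sleep 300 &
demo_pid=$!
preserve_process "$demo_pid" "/tmp/evidence-$demo_pid"
stop_process "$demo_pid"
wait "$demo_pid" 2>/dev/null || true
```

The copy of /proc/PID/exe matters most: miners and droppers routinely delete their own binary after starting, so once the process is gone the only copy is in its memory image.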
2.4 netstat / ss – Network Connections
- Why: See active network connections.
- When: Detecting suspicious outbound traffic.
- Example: Spotting a reverse shell connection to an unknown IP. Note that -l lists listening sockets only; a reverse shell is an outbound established connection, which ss shows by default when -l is omitted. Run as root so -p can show the owning process, and use -tulnp separately to audit what is listening.
ss -tnp
ss -tulnp
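Picking the suspicious rows out of that ss output by hand is error-prone on a busy server, so here is an added example (not from the original post) that filters established TCP connections whose peer is outside loopback and RFC 1918 space and reports the owning process. The input lines are a constructed sample in the layout ss -tnp prints when run as root; it handles IPv4 peers only and assumes GNU awk/sed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): flag established TCP connections
# to non-private peers, with the owning process, from `ss -tnp` output.
# Assumptions: IPv4 peers, root (so the Process column is present), GNU tools.

# Constructed sample in ss -tnp layout (documentation IP ranges, not real data).
SAMPLE_SS='State   Recv-Q  Send-Q   Local Address:Port     Peer Address:Port   Process
ESTAB   0       0        10.0.0.12:22           10.0.0.5:40210      users:(("sshd",pid=2220,fd=4))
ESTAB   0       0        10.0.0.12:44712        203.0.113.45:4444   users:(("bash",pid=3102,fd=3))
ESTAB   0       0        127.0.0.1:5432         127.0.0.1:53310     users:(("postgres",pid=901,fd=9))
ESTAB   0       0        10.0.0.12:51020        198.51.100.20:443   users:(("curl",pid=3200,fd=5))'

# is_private_ip IP: true (0) for loopback, RFC 1918 and link-local addresses.
is_private_ip() {
  case "$1" in
    127.*|10.*|192.168.*|169.254.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# external_established: read `ss -tnp` output on stdin and print
# "<peer_ip>:<port> <process> pid=<pid>" for each ESTAB socket whose peer is
# not a private address. A bash talking to port 4444 is the classic tell.
external_established() {
  awk '$1 == "ESTAB" { print $5, $6 }' | while read -r peer proc; do
    ip="${peer%:*}"   # strip the port (IPv4 only)
    if ! is_private_ip "$ip"; then
      pname=$(printf '%s' "$proc" \
        | sed -E 's/.*\(\("([^"]+)",pid=([0-9]+).*/\1 pid=\2/')
      printf '%s %s\n' "$peer" "$pname"
    fi
  done
}

# Live use:  ss -tnp | external_established
# Stand-alone run on the constructed sample:
printf '%s\n' "$SAMPLE_SS" | external_established
```

Anything this prints still needs judgement: an outbound 443 to a CDN from curl is routine, a shell bound to a high port on an unknown host is not. The point is to shrink the list to the rows worth a closer look.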
2.5 tar & gzip – Archiving and Compression
- Why: Package and compress files.
- When: Backing up logs for forensic analysis.
- Example: Archiving /var/log before sending it to a SOC team. Skip -v on a large tree (it only floods the terminal), keep ownership and timestamps by extracting with -p at the other end, and record the archive’s SHA-256 hash so the recipient can confirm it arrived unaltered.
tar -czf logs.tar.gz /var/log
3. Advanced-Level Linux Commands 🛡️
These are power tools for cybersecurity professionals.
3.1 iptables / ufw – Firewall Management
- Why: Control inbound/outbound traffic.
- When: Blocking malicious IPs.
- Example: Blocking a brute-force attacker’s IP. -A appends to the end of the INPUT chain, so an earlier ACCEPT rule (for established connections, or for port 22) still lets the traffic through; insert at the top with -I INPUT 1 to be sure. The rule is lost on reboot unless saved (iptables-save or netfilter-persistent), and on current Debian and Red Hat releases the iptables command is a compatibility front end for nftables.
iptables -I INPUT 1 -s 203.0.113.45 -j DROP
3.2 tcpdump – Packet Capture
- Why: Capture and analyze network traffic.
- When: Investigating suspicious activity.
- Example: Capturing packets to analyze a suspected malware C2 connection. Use -n so tcpdump does not issue a DNS lookup for every address (slow, and those queries are themselves visible on the wire), and -w to save a pcap for Wireshark instead of only printing one-line summaries.
tcpdump -i eth0 -n -w c2.pcap host 203.0.113.45
3.3 nmap – Network Scanning
- Why: Discover hosts and services.
- When: Security audits and penetration testing.
- Example: Scanning a subnet for open SSH ports. Only scan networks you are authorized to test. The default SYN scan needs root (nmap falls back to a slower connect scan otherwise), and --open limits the output to hosts that actually answer on the port.
nmap -p 22 --open 192.168.1.0/24
3.4 find – Locate Files
- Why: Search for files by name, size, or date.
- When: Hunting for malware or unauthorized scripts.
- Example: Finding all .php files modified in the last 24 hours. -mtime -1 means "modified less than one day ago" (find rounds in 24-hour units); -mmin -1440 is the same window in minutes. Attackers often reset a file’s mtime with touch to blend in, so also check -ctime/-cmin: the inode change time cannot be rewound the same way.
find /var/www -name "*.php" -mtime -1
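The mtime-versus-ctime point above turned into a small hunt, as an added example (not from the original post). It assumes GNU find and stat (Linux), and builds its own throwaway directory with one fresh upload and one backdoor whose mtime has been pushed back two years, standing in for /var/www.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): find recently changed web files,
# then flag files whose mtime was set back (mtime far older than ctime).
# `touch -d` rewrites mtime but not ctime, so a large gap is a timestomping
# lead; chmod/chown also bump ctime, so treat hits as leads, not proof.
# Assumes GNU find/stat (Linux).

# recent_web_files DIR MINUTES: PHP files modified OR changed in the window.
# Checking -cmin as well as -mmin catches files whose mtime was rewound.
recent_web_files() {
  find "$1" -type f -name '*.php' \( -mmin "-$2" -o -cmin "-$2" \) -print | sort
}

# timestomp_candidates DIR GAP_SECONDS: files where ctime - mtime > gap.
timestomp_candidates() {
  local dir="$1" gap="$2"
  find "$dir" -type f -printf '%p\n' | while IFS= read -r f; do
    set -- $(stat -c '%Y %Z' "$f")      # %Y = mtime, %Z = ctime (epoch secs)
    if [ $(( $2 - $1 )) -gt "$gap" ]; then
      printf '%s\n' "$f"
    fi
  done | sort
}

# make_demo_tree: constructed stand-in for /var/www (not real evidence) with a
# fresh index.php and a backdoor whose mtime was pushed back two years.
# Prints the directory path.
make_demo_tree() {
  local d
  d=$(mktemp -d)
  printf '<?php echo "hello";' > "$d/index.php"
  printf '<?php eval($_POST["c"]);' > "$d/wp-cache.php"
  touch -d '2 years ago' "$d/wp-cache.php"
  printf '%s' "$d"
}

# Stand-alone run: both files are "recent" by ctime, only the backdoor is
# a timestomp candidate.
demo=$(make_demo_tree)
recent_web_files "$demo" 60
timestomp_candidates "$demo" 86400
```

On a real web root, run timestomp_candidates over the whole tree rather than only *.php: a dropped .htaccess or a renamed image is just as likely to have a faked timestamp.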
3.5 rsync – Remote Sync
- Why: Efficiently sync files between systems.
- When: Backing up or migrating data.
- Example: Syncing security logs to a remote backup server. rsync runs over SSH by default; the trailing slash on /var/log/ copies the directory’s contents rather than the directory itself, and -a preserves ownership and timestamps that matter for later timeline analysis. Test with --dry-run before the real transfer.
rsync -avz /var/log/ user@backup:/logs/
3.6 journalctl – Systemd Logs
- Why: View system logs.
- When: Investigating service failures or attacks.
- Example: Checking failed SSH login attempts. The unit is ssh on Debian/Ubuntu and sshd on Red Hat-family systems; narrow the window with --since and filter the messages with -g (grep).
journalctl -u ssh --since "24 hours ago" -g "Failed password"
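Both the grep example in 2.1 and the journalctl example here end up at the same question: which source addresses are hammering sshd? This added example (not from the original post) answers it from syslog-style sshd lines, which is what grep pulls from /var/log/auth.log and what journalctl -u ssh -o short prints. The log lines are a constructed sample using documentation IP ranges; the threshold is arbitrary, and GNU grep/sed/awk are assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): turn sshd log lines into a
# per-source count of failed password attempts and flag brute-force sources.
# Input is syslog-style sshd lines, i.e. what grep pulls from /var/log/auth.log
# or what `journalctl -u ssh -o short` prints. Assumes GNU grep/sed/awk.

# Constructed sample lines (documentation IP ranges, not a real host).
SAMPLE_AUTH_LOG='Mar 03 10:01:02 web1 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 03 10:01:04 web1 sshd[2212]: Failed password for root from 198.51.100.7 port 51236 ssh2
Mar 03 10:01:05 web1 sshd[2214]: Failed password for root from 198.51.100.7 port 51238 ssh2
Mar 03 10:02:10 web1 sshd[2220]: Accepted publickey for deploy from 10.0.0.5 port 40210 ssh2: ED25519 SHA256:AAAA
Mar 03 10:03:44 web1 sshd[2231]: Failed password for invalid user test from 203.0.113.9 port 60001 ssh2
Mar 03 10:05:00 web1 sshd[2240]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar 03 10:06:00 web1 CRON[2250]: pam_unix(cron:session): session opened for user root by (uid=0)'

# failed_by_ip: read sshd lines on stdin, print "<count> <ip>", highest first.
# Only lines from sshd with "Failed password" count; accepted logins and
# unrelated daemons on the same log are ignored.
failed_by_ip() {
  grep -E 'sshd\[[0-9]+\]: Failed password' \
    | sed -E 's/.* from ([0-9a-fA-F.:]+) port .*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# brute_force_sources THRESHOLD: IPs with at least THRESHOLD failures, one per
# line, ready to feed into iptables/ufw or a ticket.
brute_force_sources() {
  failed_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Live use:
#   grep 'sshd\[' /var/log/auth.log | brute_force_sources 10
#   journalctl -u ssh --since today -o short --no-pager | brute_force_sources 10
# Stand-alone run on the constructed sample (prints 198.51.100.7):
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
```

Pick the threshold from the host’s normal traffic, not from this sample: a few failures a day from one address is a typo, dozens in a minute is a tool.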
4. Real-World Cybersecurity Scenarios 🔐
Here’s how these commands come together in professional environments:
- Incident Response: During a ransomware incident, I used netstat/ss to identify active connections, iptables to block the malicious IPs and isolate the host, and rsync to copy unaffected data to a clean backup server before rebuilding the system.
- Penetration Testing: Using nmap to map the network, grep to search config files for credentials and other sensitive data, and find to locate outdated scripts vulnerable to exploitation.
- Forensics: Capturing traffic with tcpdump, archiving logs with tar, and analyzing them with grep to trace the attacker’s steps.
5. Final Thoughts
Mastering Linux commands isn’t about memorizing them all — it’s about knowing which tool to use in the right situation. Whether you’re a beginner learning ls or an advanced user running tcpdump, these commands are the backbone of cybersecurity operations.
If you’re serious about a career in ethical hacking, SOC analysis, or system administration, practice these commands daily. The more comfortable you are in the terminal, the faster and more effective you’ll be in real-world scenarios.
💡 Pro Tip: Create your own Linux command cheat sheet and keep adding to it as you learn. Over time, you’ll develop muscle memory for the commands you use most.


