Linux for Security: Your First 20 Commands
The essential Linux commands every security beginner needs - navigation, files, processes, and networking. No fluff, just what you'll actually use.
Ground Up: Operating Systems, Part 1 of 3
- 1. Linux for Security: Your First 20 Commands
- 2. Users, Permissions, and Why Root Is Dangerous
- 3. Windows Under the Hood: What Security Pros Need to Know
Most security tools run on Linux. Most servers run Linux. Most malware targets Linux servers. If you can’t navigate a Linux terminal, you’ll be stuck watching tutorials instead of doing the work.
This isn’t a Linux administration course. These are the 20 commands you’ll use constantly in security work - from CTFs to penetration testing to incident response.
Why Linux Matters in Security
Quick reality check on why this is worth learning:
- Kali Linux (the most popular pentest distro) is Linux
- Most web servers run Linux (Apache, Nginx on Ubuntu, CentOS, Debian)
- Security tools (nmap, Wireshark, Burp Suite, Metasploit) are built for Linux first
- Cloud instances (AWS, Azure, GCP) are overwhelmingly Linux
- Containers (Docker) run Linux
- Most CTF challenges give you a Linux shell
You don’t need to become a sysadmin. But you need to be comfortable enough that the terminal isn’t an obstacle.
Getting a Terminal
If you have a lab: Use your Kali or Ubuntu VM from the networking module.
If you don’t:
- Mac: Open Terminal (it’s Unix-based, most commands work identically)
- Windows: Install WSL2 (`wsl --install` in PowerShell) for a real Linux terminal
- Browser: Use TryHackMe or an online terminal
The Commands
1. pwd - Where Am I?
```bash
pwd
/home/user
```
Print Working Directory. Shows your current location in the file system. When you’re lost, start here.
2. ls - What’s Here?
```bash
ls          # List files in current directory
ls -la      # List ALL files (including hidden) with details
ls -la /etc # List files in a specific directory
```
```
drwxr-xr-x 2 user user 4096 Jan 30 10:00 Documents
-rw-r--r-- 1 user user  220 Jan 30 09:00 .bashrc
```
The -la flags are important:
- -l shows permissions, owner, size, and date
- -a shows hidden files (files starting with .)
In security, hidden files matter. Config files, SSH keys, and history files are all hidden by default.
3. cd - Move Around
```bash
cd /etc # Go to /etc
cd ~    # Go to your home directory
cd ..   # Go up one directory
cd -    # Go back to where you just were
```
The file system is a tree. / is the root (top). Everything branches from there.
```
/
├── home/ ← User home directories
│   └── user/
├── etc/  ← Configuration files
├── var/  ← Variable data (logs, web files)
├── tmp/  ← Temporary files
├── opt/  ← Optional software
└── usr/  ← User programs and utilities
```
Security note: Know these directories. /etc/passwd has user accounts. /var/log has system logs. /tmp is world-writable (attackers love it). You’ll visit them constantly.
4. cat - Read Files
```bash
cat /etc/hostname # Display file contents
cat /etc/passwd   # Show user accounts
```
For long files, cat dumps everything at once. Use these instead:
```bash
less /var/log/syslog         # Scroll through a file (q to quit)
head -20 /var/log/auth.log   # First 20 lines
tail -20 /var/log/auth.log   # Last 20 lines
tail -f /var/log/syslog      # Follow new lines in real time
```
tail -f is invaluable during incident response - watch logs as events happen.
5. grep - Search Inside Files
```bash
grep "error" /var/log/syslog       # Find lines containing "error"
grep -i "failed" /var/log/auth.log # Case-insensitive search
grep -r "password" /etc/           # Search recursively through directories
grep -n "root" /etc/passwd         # Show line numbers
```
Grep is your search engine for files. In security work, you’ll grep through logs, configs, and source code constantly.
Combine with pipes:
```bash
cat /var/log/auth.log | grep "Failed password"
```
This sends the output of cat into grep as input. Pipes (|) chain commands together - the output of one becomes the input of the next.
6. find - Search for Files
```bash
find / -name "passwords.txt"        # Find file by name
find /tmp -type f -name "*.sh"      # Find shell scripts in /tmp
find / -perm -4000 2>/dev/null      # Find SUID files (privilege escalation!)
find /home -mtime -1                # Files modified in last 24 hours
```
The SUID one is important for security. SUID files run with the owner’s permissions instead of yours. If a root-owned SUID binary has a vulnerability, you can escalate to root. This is a core privilege escalation technique.
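The defensive use of the SUID search is to know what SUID files a system is supposed to have and notice when a new one appears. The script below, an added example that is not part of the original article, wraps `find / -perm -4000` in a small baseline-and-compare workflow. The function names (`suid_list`, `suid_baseline`, `suid_new`, `suid_demo`) are my own, and the demo runs against a constructed temporary directory rather than the real filesystem, so it needs no root and touches no system binaries; pass `/` and a baseline path to `suid_new` to use it on a real host.

```bash
#!/bin/sh
# Added example (not from the original article): build a baseline of SUID
# files under a directory, then report any SUID file that appears later.
# All function names are assumptions made for this example.

# List SUID files under $1, one path per line, sorted so the lists can be diffed.
suid_list() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Write the baseline for directory $1 to file $2.
suid_baseline() {
    suid_list "$1" > "$2"
}

# Print SUID files under $1 that are NOT in the baseline file $2.
# comm -13 keeps only lines unique to the second input (stdin here).
suid_new() {
    suid_list "$1" | comm -13 "$2" -
}

# Demo on a constructed directory: one known SUID file, one plain executable,
# then a file that gains the SUID bit after the baseline was taken.
suid_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/bin"
    printf '#!/bin/sh\necho hi\n' > "$demo/bin/known"
    printf '#!/bin/sh\necho hi\n' > "$demo/bin/plain"
    chmod 4755 "$demo/bin/known"   # SUID bit on a file we own (no root needed)
    chmod 0755 "$demo/bin/plain"   # ordinary executable, must not be reported
    suid_baseline "$demo" "$demo/baseline.txt"
    before=$(suid_new "$demo" "$demo/baseline.txt" | wc -l | tr -d ' ')
    cp "$demo/bin/known" "$demo/bin/new"
    chmod 4755 "$demo/bin/new"     # simulate a binary that became SUID later
    after=$(suid_new "$demo" "$demo/baseline.txt" | sed "s|^$demo/||")
    rm -rf "$demo"
    printf '%s %s\n' "$before" "$after"   # prints: 0 bin/new
}

suid_demo
```

The first number is how many unexpected SUID files existed right after the baseline (zero), and the path is the one that appeared afterwards. On a real system, keep the baseline file somewhere the machine being checked cannot modify, and re-run `suid_new / baseline.txt` as part of a routine check.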
7. mkdir and touch - Create Things
```bash
mkdir my-project          # Create a directory
mkdir -p path/to/nested   # Create nested directories
touch notes.txt           # Create an empty file
```
8. cp, mv, rm - Move and Delete Things
```bash
cp file.txt backup.txt        # Copy a file
cp -r folder/ backup-folder/  # Copy a directory (recursive)
mv file.txt new-name.txt      # Rename/move a file
rm file.txt                   # Delete a file (no recycle bin!)
rm -rf directory/             # Delete a directory and everything in it
```
Warning: rm is permanent. There’s no recycle bin. rm -rf / would delete your entire system. Be careful with wildcards and sudo rm.
9. chmod - Change Permissions
```bash
chmod 755 script.sh # rwx for owner, rx for group and others
chmod +x script.sh  # Add execute permission
chmod 600 id_rsa    # rw for owner only (required for SSH keys)
```
We’ll cover permissions in depth in the next post. For now, know that chmod controls who can read, write, and execute files.
10. ps - See Running Processes
```bash
ps aux              # All running processes
ps aux | grep nginx # Find a specific process
ps auxf             # Show process tree (parent-child relationships)
```
In incident response, this is how you find suspicious processes. A crypto miner, a reverse shell, a backdoor - they all show up as processes.
11. kill - Stop Processes
```bash
kill 1234    # Send SIGTERM to process 1234 (polite stop)
kill -9 1234 # Send SIGKILL (force stop, no cleanup)
```
Get the process ID (PID) from ps aux.
12. netstat / ss - Network Connections
```bash
ss -tlnp # TCP listening ports with process names
ss -tnp  # Active TCP connections
ss -ulnp # UDP listening ports
```
This shows what’s listening on the machine and what connections are active. During compromise assessment: is there a suspicious listening port? An outbound connection to a weird IP? This command answers those questions.
Older systems use netstat:
```bash
netstat -tlnp # Same as ss -tlnp
netstat -an   # All connections
```
13. ifconfig / ip - Network Configuration
```bash
ip addr show  # Show all network interfaces and IPs
ip route show # Show routing table
```
Know your machine’s IP, what interfaces exist, and how traffic routes. Essential for both attacking and defending.
14. wget / curl - Download Things
```bash
wget https://example.com/file.zip       # Download a file
curl https://example.com                # Fetch URL content
curl -o output.html https://example.com # Save to file
curl -I https://example.com             # Headers only
```
In pentesting, you’ll use these to download tools to a compromised machine. In defense, you’ll see these in attack logs. In analysis, you’ll use curl to inspect HTTP responses.
15. which / whereis - Find Commands
```bash
which python3 # Where is python3?
which nc      # Where is netcat?
whereis nmap  # Find binary, source, and man pages
```
On a compromised system, quickly check what tools are available. Is Python installed? Is netcat there? This informs your next move.
16. history - Command History
```bash
history            # Show command history
history | grep ssh # Find past SSH commands
```
In forensics, checking a user’s command history reveals what they did. Attackers often clear history (history -c or removing ~/.bash_history), which is itself suspicious.
17. echo and Redirection
```bash
echo "hello"                # Print text
echo "data" > file.txt      # Write to file (overwrites)
echo "more data" >> file.txt # Append to file
```
`>` overwrites; `>>` appends. Getting this wrong can destroy data.
18. man - Read the Manual
```bash
man nmap # Full manual for nmap
man grep # Full manual for grep
```
When you forget flags or syntax, man has the answer. Press q to quit.
19. sudo - Run as Root
```bash
sudo apt update      # Run package update as root
sudo cat /etc/shadow # Read a root-only file
sudo -l              # List what you can run as sudo
```
sudo runs a command with root (administrator) privileges. We’ll cover why this matters and why it’s dangerous in the next post.
sudo -l is critical in pentesting - it shows what the current user is allowed to run with elevated privileges. Misconfigurations here are a common privilege escalation path.
20. apt / dnf - Install Software
```bash
sudo apt update      # Update package lists (Debian/Ubuntu)
sudo apt install nmap # Install nmap
sudo dnf install nmap # Install nmap (Fedora/RHEL)
```
Different Linux distributions use different package managers. Ubuntu/Debian use apt. Fedora/RHEL use dnf. The concept is the same: download and install software from repositories.
Combining Commands: Pipes and Chaining
The real power of Linux comes from combining commands.
Pipes (|)
Send the output of one command into another:
```bash
# Find failed SSH logins
cat /var/log/auth.log | grep "Failed password" | tail -20
# Count connections per remote address (skip the header line; the address includes the port)
ss -tn | tail -n +2 | awk '{print $5}' | sort | uniq -c | sort -rn
# Find the largest files in a directory
ls -la | sort -k5 -rn | head -10
```
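The failed-login pipeline above is the seed of a real detection: count failures per source address and flag the addresses that cross a threshold. The script below is an added example, not code from the original article. The `auth.log` lines it reads are constructed sample data (RFC 5737 documentation addresses), and the function names `failed_by_ip` and `flag_ips` are my own; both read the log from standard input, so `failed_by_ip < /var/log/auth.log` works on a real file.

```bash
#!/bin/sh
# Added example (not from the original article): count "Failed password"
# events per source IP and flag addresses above a threshold.

# Constructed sample log lines in the style of sshd entries in /var/log/auth.log.
SAMPLE_LOG='Jan 30 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 50001 ssh2
Jan 30 10:00:02 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 50002 ssh2
Jan 30 10:00:03 host sshd[1236]: Accepted password for alice from 198.51.100.7 port 50003 ssh2
Jan 30 10:00:04 host sshd[1237]: Failed password for invalid user test from 198.51.100.9 port 50004 ssh2
Jan 30 10:00:05 host sshd[1238]: Failed password for root from 203.0.113.5 port 50005 ssh2'

# Read log lines on stdin; print "<count> <ip>" per source address, highest first.
# The awk loop picks the field after "from", which works for both
# "Failed password for root from ..." and "... for invalid user X from ...".
failed_by_ip() {
    grep "Failed password" \
      | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
      | sort | uniq -c | sort -rn \
      | awk '{ print $1, $2 }'
}

# Read log lines on stdin; print only the IPs with at least $1 failures.
flag_ips() {
    failed_by_ip | awk -v min="$1" '$1 >= min { print $2 }'
}

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | failed_by_ip     # 3 203.0.113.5 / 1 198.51.100.9
printf '%s\n' "$SAMPLE_LOG" | flag_ips 3       # 203.0.113.5
```

The "Accepted password" line is ignored because `grep` only passes failures through, and the per-IP count is what a brute-force attempt looks like in the log: one address, many failures, many different ports.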
Chaining
```bash
# Run if previous command succeeds
mkdir test && cd test
# Run regardless of previous result
command1 ; command2
# Run only if previous fails
command1 || echo "command1 failed"
```
Quick Reference Card
| What | Command |
|---|---|
| Where am I? | pwd |
| What’s here? | ls -la |
| Move to directory | cd /path |
| Read a file | cat file or less file |
| Search file content | grep "pattern" file |
| Find files | find / -name "file" |
| Running processes | ps aux |
| Network connections | ss -tlnp |
| My IP address | ip addr show |
| Download file | wget URL or curl -O URL |
| Command history | history |
| Read the manual | man command |
| Run as admin | sudo command |
| Install software | sudo apt install package |
Try It Yourself
Open a Linux terminal and run through this exercise:
```bash
# 1. Check where you are
pwd
# 2. Look around
ls -la
# 3. Check your network
ip addr show
ss -tlnp
# 4. Check running processes
ps aux | head -20
# 5. Look at system logs (if available)
sudo tail -20 /var/log/auth.log
# 6. Check your command history
history | tail -10
# 7. Find all SUID files on the system
find / -perm -4000 2>/dev/null
```
Every command here will come up again in later modules. Get comfortable with them now.
What’s Next
Commands are one thing. Understanding permissions - who can do what on a system - is where security really starts. In the next post, we’ll cover users, groups, file permissions, and why running everything as root is a terrible idea.
You don’t need to memorize 500 commands. You need to be fluent in 20. These are the 20.