Linux Command Cheat Sheet

Page 01 — Foundation commands with what they do and when to use them.

Linux admin work usually comes down to: finding files, reading files, checking services, checking logs, checking ports, checking permissions, and testing connectivity. These commands cover all of that.

Navigation and files

pwd

pwd

Shows your current directory. Use it when you are not sure where you are.

ls -la

ls -la

Lists files in the current directory, including hidden ones. Shows ownership and permissions. Use it to inspect what is in a folder.

cd /path

cd /path

Changes directory. Use it to move around the filesystem.

tree

tree

Shows directories in a tree format. Useful when you want to understand folder structure quickly.

find /etc -name "*.conf"

find /etc -name "*.conf"

Searches under /etc for files ending in .conf. Use it when you know the kind of file you want but not its exact location.

stat file

stat file

Shows detailed file info: size, permissions, owner, timestamps. Use it when checking whether a file changed recently or who owns it.

file file

file file

Tries to identify what kind of file it is. Useful if a file has no extension or you are unsure whether it is text, binary, cert, archive, etc.

locate filename

locate filename

Finds files by name from a pre-built index. Faster than find but the index may be stale. Run updatedb to refresh it.

Reading files

cat file

cat file

Prints the whole file to the screen. Good for short files.

less file

less file

Opens a scrollable viewer. Better for long files. Press q to quit, / to search.

head -n 20 file

head -n 20 file

Shows the first 20 lines. Use it to inspect the start of a config or log file.

tail -n 50 file

tail -n 50 file

Shows the last 50 lines. Very useful for logs.

tail -f /var/log/messages

tail -f /var/log/messages

Follows a file live as new lines are added. Use it while reproducing a problem.

grep -n "error" file

grep -n "error" file

Searches for the word error and shows line numbers. Use it to find relevant lines in configs or logs.

grep -Ri "listen" /etc/nginx

grep -Ri "listen" /etc/nginx

Recursively searches under /etc/nginx for the word listen, case-insensitive. Use it when hunting where a setting is defined.

Copy, move, delete

cp file /tmp/

cp file /tmp/

Copies a file. Use it for backups before editing something.

cp -r dir /tmp/

cp -r dir /tmp/

Copies a directory recursively. Use it when copying a whole config folder.

mv old new

mv old new

Moves or renames a file. Use it to rename files or relocate them.

rm file

rm file

Deletes a file. Be careful — there is no recycle bin.

rm -r dir

rm -r dir

Deletes a directory recursively. Very dangerous if used on the wrong path.

mkdir -p /path/to/dir

mkdir -p /path/to/dir

Creates a directory and any missing parent directories. Use it when building nested directory structures.

Permissions and identity

ls -l

ls -l

Shows long listing including permissions, owner, and group. Use this constantly for permission problems.

chmod 644 file

chmod 644 file

Sets file permissions. 644 means owner can read/write, group and others can only read. Common for config files.

chmod 755 script.sh

chmod 755 script.sh

Makes a script executable by owner, and readable/executable by others. Common for scripts and directories.

chmod symbolic mode

# Symbolic mode — safer than numeric for targeted changes
chmod u+x script.sh       # add execute for owner only
chmod g-w file            # remove write for group
chmod o=r file            # set others to read-only exactly
chmod a+r file            # add read for all (a = all)

# Capital X = execute only if it is a directory (or already executable)
# Useful for recursively setting dirs without affecting file execute bits
chmod -R u+rwX,g+rX,o-rwx /var/www/html

The symbolic form (u+rwX) is easier to read and less prone to "I meant 755 but I typed 754" mistakes when you only need to change one permission bit.

sudo -i vs sudo command

sudo -i              # full login shell as root — gets root's PATH and env
sudo -s              # non-login root shell — inherits your environment
sudo systemctl restart nginx   # run a single command as root

Use sudo -i when you need multiple root commands and want root's full environment. Use sudo command for one-off operations. Note that sudo strips many env vars (including PATH) for security — if a command "works as root but not with sudo", the issue is usually PATH or environment variables.

chown user:group file

chown user:group file

Changes owner and group of a file. Use it when a service cannot read a file due to wrong ownership.

whoami

whoami

Shows your current user. Useful when checking whether you are root or another account.

id

id

Shows your user ID (UID), group ID (GID), and all groups. Use it to check group membership.

groups

groups

Shows which groups your user belongs to. Useful for permission debugging.

sudo -i

sudo -i

Starts a root shell. Use it when you need admin access for several commands in a row.

Processes

ps aux

ps aux

Lists all running processes with user, PID, CPU, and memory. Use it to see whether something is running.

pgrep nginx

pgrep nginx

Finds process IDs matching nginx. Good for quickly checking whether a service exists as a process.

top / htop

top
htop

top shows live CPU and memory usage. htop is a nicer interactive version if installed. Use either for performance or runaway process issues.

kill / kill -9

kill PID
kill -9 PID

kill PID asks a process to stop gracefully. kill -9 PID force-kills it — use only if normal stop fails.

Services and systemd

A service is a managed background program (daemon) like nginx or sshd. On most modern Linux systems, services are managed by systemd via systemctl.

systemctl status

systemctl status nginx

Shows whether the service is running, failed, or stopped — and often recent log lines. This is usually your first check.

systemctl start / stop / restart / reload

systemctl start nginx
systemctl stop nginx
systemctl restart nginx
systemctl reload nginx

restart does a full stop then start — use after config changes. reload re-reads config without full restart if supported.

systemctl enable / disable

systemctl enable nginx
systemctl disable nginx

Controls whether the service starts automatically at boot. Enable = starts at boot. Disable = does not.

journalctl -u nginx -n 50

journalctl -u nginx -n 50

Shows the last 50 journal log lines for nginx. Very useful for troubleshooting. Add --since today or -f to follow live.

journalctl -xe

journalctl -xe

Shows recent logs with extra detail, often around errors. Useful for general system troubleshooting when you do not know which service failed.

systemctl list-units --failed

systemctl list-units --failed

Lists all units currently in a failed state. Run this after a reboot or when something stops working — it immediately shows everything systemd considers broken.

systemd-analyze blame

systemd-analyze blame          # show boot time per service, slowest first
systemd-analyze critical-chain # show the dependency chain of the slowest path

Useful for diagnosing slow boots and understanding which service is holding up the chain. On production servers, NetworkManager-wait-online.service and cloud-init.service are common culprits.

Networking

ip a

ip a

Shows network interfaces and their IP addresses. Use it to check whether a host has the address you expect.

ip r

ip r

Shows the routing table. Use it if traffic is not reaching the right network.

ss -tulpn

ss -tulpn

Shows listening TCP/UDP ports and which processes are using them. Use it to check whether a service is actually listening on the expected port.

ping

ping 8.8.8.8
ping google.com

ping 8.8.8.8 tests basic IP connectivity. If this works but ping google.com fails, the problem is likely DNS.

curl -I / curl -vk

curl -I http://host
curl -vk https://host

-I fetches only HTTP headers — quickly checks if a web server responds. -vk is verbose with TLS details and ignores cert trust errors. Very useful for web/TLS debugging.

nc -zv host 443

nc -zv host 443

Tests whether TCP port 443 is open on a host. Use it to check reachability without making a full HTTP request.

traceroute

traceroute host

Shows the network hops to a host. Use it when you suspect routing or a specific hop is the problem.

DNS

DNS translates names like example.com into IP addresses. When names do not resolve, or resolve to the wrong IP, services fail in confusing ways.

dig

dig example.com
dig @8.8.8.8 example.com
dig -x 1.2.3.4

dig is the most detailed DNS query tool. Without an @, it uses your configured resolver. @8.8.8.8 queries a specific server — useful when comparing resolvers. -x does a reverse lookup on an IP.

host / nslookup

host example.com
nslookup example.com

Simpler DNS query tools. host is cleaner. nslookup is older but common on all platforms.

Storage

df -h

df -h

Shows free disk space in human-readable form. Use it when services fail because a disk is full.

du -sh /var/log

du -sh /var/log

Shows how much disk space a directory uses. Use it to find which folder is consuming space.

lsblk

lsblk

Lists block devices and disks in a tree view. Useful when checking attached storage.

Archives and transfer

tar — create and extract

tar -czf archive.tar.gz dir/
tar -xzf archive.tar.gz

-czf creates a compressed archive. -xzf extracts one. Use for backups or transfers.

scp

scp file user@host:/tmp/

Copies a file over SSH to another machine.

rsync

rsync -av dir/ user@host:/tmp/dir/

Efficiently syncs files or directories over SSH. Better than scp for repeated copies — only transfers changed files.

Packages

RHEL-like (dnf / rpm)

dnf install pkg
dnf remove pkg
dnf search pkg
rpm -qa | grep pkg
rpm -qf /path/to/file

Debian-like (apt / dpkg)

apt install pkg
apt remove pkg
dpkg -l | grep pkg
dpkg -S /path/to/file

rpm -qf and dpkg -S tell you which package a specific file belongs to — useful for troubleshooting.

Text tools

grep pattern file
sed -n '1,20p' file
awk '{print $1}' file
cut -d: -f1 /etc/passwd
sort file
uniq file
sort file | uniq

Useful one-liners

grep -Ri "keyword" /etc
find / -type f -mtime -1
journalctl -u service --since today
ss -tulpn | grep :443

Shell I/O and redirection

Pipes and redirects are fundamental — nearly every real troubleshooting command chains multiple tools together.

# Pipe: send stdout of one command to stdin of the next
ps aux | grep nginx

# Redirect stdout to a file (overwrite)
command > output.txt

# Append stdout to a file
command >> output.txt

# Redirect stderr to a file
command 2> error.txt

# Redirect both stdout and stderr to a file
command > output.txt 2>&1
command &> output.txt   # bash shorthand

# Discard output entirely
command > /dev/null 2>&1

# tee: write to a file AND see output on screen
ansible-playbook site.yml | tee deploy.log

# xargs: pass stdin lines as arguments to a command
find /etc -name "*.conf" | xargs grep "Listen"
cat servers.txt | xargs -I{} ssh {} "uptime"

2>&1 means "redirect stderr (file descriptor 2) to wherever stdout (fd 1) currently goes." Order matters: cmd > file 2>&1 is correct. cmd 2>&1 > file does something different (stderr goes to old stdout, stdout to file).

Environment and PATH

# View current environment
env
printenv PATH

# Set an environment variable for this shell session
export MY_VAR="hello"

# View a specific variable
echo $PATH

# Common problem: sudo strips PATH
# Works: /usr/local/bin/mytool
sudo /usr/local/bin/mytool
# Fails with "command not found":
sudo mytool

# Fix: use full path, or pass the var explicitly
sudo env PATH=$PATH mytool

# The login shell (-i) restores the full root PATH
sudo -i which mytool

When automation or cron jobs fail with "command not found" but the same command works in your shell, the cause is almost always PATH. Always use absolute paths in scripts and cron jobs, or explicitly set PATH at the top of the script.

ACLs — fine-grained permissions

Standard Unix permissions only allow one owner and one group. ACLs (Access Control Lists) let you grant permissions to additional users or groups without changing ownership — essential for shared directories and multi-service access.

# View ACLs on a file or directory
getfacl /var/www/html

# Grant read+write to a specific user (without making them owner)
setfacl -m u:nginx:rw /var/log/app/app.log

# Grant read+execute to a specific group on a directory
setfacl -m g:developers:rx /var/www/html

# Set default ACL (inherited by new files in directory)
setfacl -d -m g:developers:rx /var/www/html

# Remove ACL for a user
setfacl -x u:nginx /var/log/app/app.log

# Remove all ACLs
setfacl -b /var/log/app/app.log

If ls -l shows a + at the end of the permission string (e.g. -rw-r--r--+), ACLs are set. Always check with getfacl when permissions look correct but access is still denied. On RHEL, the acl package provides these tools; the filesystem mount must have ACL support (most modern filesystems do by default).

Time and timezone

# Check current time, timezone, and NTP sync status
timedatectl

# Set timezone
timedatectl set-timezone Europe/London
timedatectl set-timezone Australia/Sydney

# List available timezones
timedatectl list-timezones | grep Australia

# Check if NTP is active
timedatectl show --property=NTPSynchronized

Quick process debugging

These are the commands you reach for when a service misbehaves and logs aren't enough. See the lsof & strace page for the full guide.

# What is listening on port 80?
lsof -i :80
ss -tlnp | grep :80

# What files does a process have open?
lsof -p 1234

# Who has /var/log/nginx/access.log open?
lsof /var/log/nginx/access.log

# What is a process trying to read? (trace file syscalls)
strace -e trace=openat -p 1234 2>&1 | grep -E "ENOENT|EACCES"