DESCRIPTION
First day on a new server. You connect via SSH — and you are staring at a black screen with a blinking cursor. No buttons, no menus, no file explorer. Just the command line. This is where real Linux work begins. The command line is not an inconvenient relic of the past — it is the fastest and most precise tool for managing a server. In 15 minutes you will be navigating the system like you own it.
WHAT YOU WILL LEARN
How to navigate the filesystem
How to work with files and directories
How to read file contents
How to search for files and text inside them
How to get help right in the terminal
Which commands are critical for security analysis
NAVIGATION
The first thing you need to know is where you are. In Linux you are always inside some directory — this is called the working directory.
pwd — shows where you are right now. Print Working Directory. Run this command whenever you lose your bearings.
cd — change directory. The core navigation command.
pwd # where am I?
cd /etc # go to /etc
cd .. # go one level up
cd ~ # go to home directory
cd - # go back to previous directory
cd /var/log/nginx # go to an absolute path
ls — list files and directories. The most used command in Linux.
ls # simple list
ls -l # detailed list with permissions, size, date
ls -la # including hidden files (starting with a dot)
ls -lh # sizes in human-readable format (KB, MB, GB)
ls -lt # sort by modification time
ls -ltr # sort by time, oldest first
ls /etc/ssh # list a specific directory
Hidden files in Linux start with a dot — .bashrc, .ssh, .config. They do not show up with a plain ls. The -a flag shows them all. Attackers often hide their tools in exactly these hidden files and directories.
WORKING WITH FILES AND DIRECTORIES
mkdir logs # create a directory
mkdir -p /opt/app/logs # create the entire directory chain
touch file.txt # create an empty file
cp file.txt backup.txt # copy a file
cp -r /etc/nginx /tmp/nginx-backup # copy a directory recursively
mv file.txt newname.txt # rename a file
mv file.txt /tmp/ # move a file
rm file.txt # delete a file
rm -rf /tmp/old-dir # delete a directory with all its contents
A separate word about rm -rf. This is one of the most dangerous commands in Linux. On modern systems rm -rf / is protected — the system throws an “Operation not permitted” error. But rm -rf /tmp/mydir/ or rm -rf /var/www/ will delete everything instantly with no confirmation and no way to recover. One extra space or slash and you can destroy critical data. Always verify the path before running — do an ls on the path you are about to delete.
READING FILES
cat /etc/hostname # print the entire file
cat /etc/ssh/sshd_config # read the SSH config
less /var/log/auth.log # paginated view (q to quit)
head /var/log/syslog # first 10 lines of a file
head -20 /var/log/syslog # first 20 lines
tail /var/log/auth.log # last 10 lines
tail -50 /var/log/auth.log # last 50 lines
tail -f /var/log/auth.log # follow the file in real time
tail -f is a command you will use constantly for monitoring. It shows new log lines in real time as they appear. Run tail -f /var/log/auth.log and watch login attempts as they happen right now.
SEARCHING FOR FILES AND TEXT
# searching for files
find / -name "sshd_config" # find a file by name
find /etc -name "*.conf" # find all .conf files in /etc
find /tmp -type f -newer /tmp/marker # files newer than marker
find / -perm -4000 -type f # find all SUID files (critical for security!)
find /home -name "*.key" -o -name "*.pem" # find keys and certificates
# searching for text inside files
grep "Failed password" /var/log/auth.log # find failed logins
grep -r "password" /etc/ # recursive search in a directory
grep -i "error" /var/log/nginx/error.log # case-insensitive search
grep -n "root" /etc/passwd # with line numbers
grep -v "^#" /etc/ssh/sshd_config # exclude comment lines
find / -perm -4000 is a command worth memorising. SUID files run with the permissions of their owner, not the user who launched them. Attackers hunt for SUID files to escalate to root privileges. You need to know which SUID files exist on your system and why they are there.
FILE PERMISSIONS AND OWNERSHIP
ls -la /etc/ssh/sshd_config # view file permissions
chmod 600 ~/.ssh/id_rsa # set permissions on a private key
chmod 755 /usr/local/bin/script.sh # make a script executable
chown user:group file.txt # change file owner
chown -R www-data:www-data /var/www # recursively for a directory
Reading ls -la output: -rwxr-xr-- — the first character is the file type (- file, d directory, l symlink), then three sets of permissions for owner, group, and everyone else. r — read, w — write, x — execute.
GETTING HELP
You do not need to memorise every flag of every command. You need to know how to find the information you need right in the terminal.
man ls # full command documentation
man ssh # SSH documentation
ls --help # quick reference
info ls # alternative documentation format
whatis ls # one line — what the command does
which nginx # where the executable lives
type cd # command type (built-in, external, alias)
man is your best friend. Any problem with a command — read man first. Inside man: space — next page, b — previous page, /word — search, q — quit.
USEFUL COMBINATIONS
# pipe — pass output of one command into another
ls -la /etc | grep "ssh" # find ssh files in /etc
cat /var/log/auth.log | grep "Failed" | wc -l # count failed logins
ps aux | grep nginx # find nginx processes
# output redirection
ls -la /etc > /tmp/etc-list.txt # save output to a file
grep "error" /var/log/nginx/error.log >> /tmp/errors.txt # append to a file
cat /etc/nonexistent 2>/dev/null # suppress error messages
COMMAND HISTORY
history # list all previously run commands
history | grep ssh # search through history
!! # repeat the last command
!grep # repeat the last command starting with grep
Ctrl+R # interactive history search
Command history is stored in ~/.bash_history. When investigating incidents this is a valuable source of information about what a user did. Attackers often clear history with history -c or delete ~/.bash_history entirely. An empty history for a user is a reason to be suspicious.
COMMON MISTAKES
Confusing / and ~. / is the root of the filesystem. ~ is the home directory of the current user. cd / and cd ~ take you to completely different places.
Running rm without checking the path. Always do an ls on the path you are about to delete — make sure it contains exactly what you want to remove. rm -rf is irreversible.
Ignoring man. Half of all “how do I do X in Linux” questions are answered in 30 seconds by reading man. Get into the habit of reading documentation right in the terminal.
Working in / or /etc without a reason. Always be aware of where you are (pwd) before running commands with rm, mv, or cp.
IMPORTANT TO KNOW
Tab — autocomplete. Start typing a path or command and press Tab. Linux will complete it automatically. Double Tab shows all available options. Use it constantly — saves time and prevents typos.
Ctrl+C — stop a running command. Ctrl+D — exit the current session or interpreter. Ctrl+L — clear the screen.
Up/down arrows — move through command history. Never type the same thing twice.
A dot at the start of a filename makes it hidden. .bashrc, .ssh, .config — normal hidden files. .malware, .backdoor — red flags to look for during a security audit.
CHECK YOURSELF
1. Which command shows the current working directory?
2. How do you show hidden files with ls?
3. What is the difference between tail and tail -f?
4. What does find / -perm -4000 do and why is it important for security?
5. Where is a user’s command history stored and why does this matter when investigating incidents?
CONCLUSIONS
The Linux command line is not scary and not complicated. A dozen commands cover 80% of an administrator’s daily tasks. pwd and ls to navigate, cat and tail to read files, grep and find to search, man to figure out the rest. These commands are your basic toolkit for every situation. The sooner they become reflexes — the faster you will react when something goes wrong.