Linux Sysadmin Command Cheatsheet

This rather large document is my collection of Linux system administration notes, here for my own convenience but also for fellow Linux users. Many of these commands were collected as part of my study notes for the Red Hat Certified Engineer (RHCE) certification. These days I find this little collection particularly useful during cybersecurity ‘capture the flag’ competitions.

The bulk of these commands were written for Red Hat Enterprise Linux 6 (RHEL), and will apply equally to CentOS and also Amazon Linux. Many of these commands require root privileges to work as intended.

Linux Networking

  • mtr - ‘My Traceroute’, like normal traceroute but better.
  • kernel [...] biosdevname=0 - In grub.conf or at bootloader screen menu, stops Linux renaming eth0 to p0m0 etc.
  • ip addr show eth0 - Show details for interface eth0.
  • ip neigh - Equivalent to arp -a command.
  • netstat -tulnp - Most useful netstat options.
  • tcpdump -i eth0 - Run console tcpdump for eth0.
  • iptables -vnL - Show running iptables status.
  • cat /etc/sysconfig/iptables - Shows the iptables rules which are loaded at boot.
  • iptables -P INPUT DROP - Use default deny firewall mode for incoming connections.
  • iptables -F - Will flush (delete) all live firewall rules (until reboot).
  • iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT - Append new rule to firewall to allow incoming SSH connections.
  • To set a secondary IP address to an interface, either:
    • ip addr add 192.168.10.34/24 dev eth0
    • Or, add to …/network-scripts/ifcfg-eth0:
      IPADDR2=192.168.10.34
      PREFIX2=24
  • NetworkManager service does not support adapter bonding, must be done manually:
    • Create …/network-scripts/ifcfg-bond0:
      DEVICE=bond0
      IPADDR=10.1.1.5
      PREFIX=24
      ONBOOT=yes
      BOOTPROTO=none
      USERCTL=no
      BONDING_OPTS="mode=1 miimon=50"
    • Then, for each slave device change ifcfg-ethN file to include:
      SLAVE=yes
      MASTER=bond0
    • Setup the kernel: echo "alias bond0 bonding" > /etc/modprobe.d/bonding.conf
    • Check the operation: ifconfig bond0 and cat /proc/net/bonding/bond0
  • ip route add 1.2.3.0/24 via 3.4.5.6 - Temporarily setup a TCP/IP routing table entry.
  • /etc/sysconfig/network-scripts/route-<iface> - Configuration file for permanent TCP/IP route entries.
  • dig @nameserver - Query DNS records at nameserver.
  • dig @nameserver domain.com -t AXFR - Assuming not disallowed, this will do a full domain/hostname dump (transfer).
  • echo 'oui() { grep -i "$1" /var/lib/ieee-data/oui.txt; }' >> ~/.bashrc; source ~/.bashrc; oui 7c9122 - Create a Bash function called oui which can be used for quick MAC address lookups.
  • NAT types (iptables):
    • 1:1 NAT = Source NAT
    • Port Forwarding = Destination NAT
    • 1:N NAT = Masquerading NAT

Yum & RPM

  • rpm -qd openssh-server - Query documentation for a given package.
  • rpm -qc openssh-server - List the configuration files provided by a package.
  • rpm -q -a - List all installed packages.
  • rpm -q -f <filename> - Show what package has provided filename.
  • rpm -q -l <package> - Show all files installed by package.
  • rpm -q -c <package> - Show all configuration files installed by package.
  • rpm -ivh package.rpm - Install specified RPM file.
  • rpm -qpl package.rpm - List files that will be installed by specified RPM file.
  • yum provides '*bin/sshd' - Show what package provides specified binary.
  • yum provides /etc/services - Show what package provides specified file.
  • yum grouplist - List the available package groups.
  • yum groupinfo - Give more information on a package group.
  • yum groupinstall - Install a given package group.
  • yum grouperase - Uninstall a given package group.
  • yum groupupdate - Update packages within a specified package group.
  • yum history - Show history of executed yum operations.
  • yum verify-all packagename - Show differences between repo’s file set and local file set for packagename.
  • RPMs can be made with the rpmbuild and createrepo commands. A GPG key is needed to sign the RPM as part of the process.

SSH

  • ssh -L localport:remotehost:remoteport sshserver.org - Establish port forwarding to remotehost:remoteport via sshserver.org (client connects to localhost:localport).
  • clusterssh - Handy one-to-many SSH client.
  • ssh-copy-id user@host - Automates process of setting up key auth, scripts use of ssh-keygen (RHEL).
  • vncviewer -via bob@server9 localhost:1 - Connects to VNC using SSH, as setup within /etc/sysconfig/vncservers.

NTPD

  • yum install ntp - Installs NTP
  • cat /etc/ntp.conf - Show NTP software configuration file.
  • chkconfig ntpd on - Enable NTP to start at every boot.
  • iptables -A INPUT -p udp --dport 123 -j ACCEPT - Allow NTP traffic in through firewall.
  • ntpq -p - Verify NTP operation.

LVM

  • lvextend -L +512M vg0/lv123 - Increase size of a logical volume by 512MB.
  • resize2fs /dev/mapper/vg0-lv123 - Grow ext3/ext4 filesystem to match new LV size.
  • vgextend vg0 /dev/sda4 - Add partition to existing volume group.
  • vgdisplay -v - Show volume groups in detail.
  • pvmove /dev/vda1 && vgreduce vg0 /dev/vda1 - Remove vda1 from a volume group.

NFS Client

  • showmount -e hostname - Show the NFS mountpoints available on target host.
  • mkdir /mnt/stuff && mount host.domain:/stuff /mnt/stuff - Mount remote NFS share stuff on local mountpoint /mnt/stuff.
  • chkconfig rpcbind on && chkconfig nfslock on - Permanently enable services needed for NFS servers.
  • The root_squash filesystem mount option changes root permissions to nobody when accessed remotely (c.f., no_root_squash option).
  • The hard/soft filesystem mount options tell NFS what to do when a connection to an NFS server does not come up (can hang booting of client systems).

NFS Server

  • yum install @nfs-file-server - Install server components of NFS.
  • exportfs -v - List all live NFS exports.
  • exportfs -r - Reload the /etc/exports file.
  • nano /etc/exports - Configure the NFS shares provided by this machine.
  • tcp/2049 must be allowed through any firewall(s) for NFS to work over the network.
  • For NFS permissions to work correctly, all UID/GID numbers must align across all systems.

NFS AutoFS

  • autofs is a program for automatically mounting NFS mounts on-demand. Auto-mounts are mounted only as they are accessed, and are unmounted after a period of inactivity.
  • service autofs start - Start the autofs service.
  • cd /net/hostname/nfssharename/file - Changing directory with this path structure will cause autofs to set it up as a mountpoint in the background.
  • cat /etc/auto.master - Primary configuration file for autofs; references child config files.
    • echo "(name) -ro server.name:/var/ftp/pub" > /etc/auto.ftpexample
    • echo "* -rw host:/path/&" > /etc/auto.ldapexample (* means wildcard user’s ID as a generic mount statement).
  • NFSv4 can do what autofs does, so autofs is obsolete.

SMB/CIFS Client

  • smbclient -L host - List the CIFS shares available on the target server.
  • mkdir /mnt/stuff && mount //host/share /mnt/stuff - Mount remote CIFS share to local mountpoint.
  • mount -t cifs -o user=dave //host/share /mnt/stuff - Alternative mounting command to include a username.
  • smbclient -U username //host/share /mnt/stuff - Alternative method of mounting remote CIFS share.
  • To mount CIFS shares persistently at boot:
    • echo "user=bob" > /root/creds
    • echo "pass=password123" >> /root/creds
    • echo "//host/share /mnt/stuff cifs credentials=/root/creds 0 0" >> /etc/fstab

SMB/CIFS Server

  • yum install samba-common samba samba-client - Install the Samba server software.
  • Configure the /etc/samba/smb.conf file accordingly (create share names etc.)
  • chkconfig smb on && chkconfig nmb on - Enable Samba services to start at boot.
  • service smb start && service nmb start - Start the Samba services.
  • semanage boolean -l | grep samba - List SELinux settings for Samba
  • setsebool -P samba_enable_home_dirs=1 - Tell SELinux to allow remote users to access their home directories using Samba.
  • Enable tcp/445 and optionally tcp/137-139 ports on any relevant firewalls to allow connections to the server.

vsftpd

  • yum install vsftpd - Install the vsftpd FTP server software.
  • chkconfig vsftpd on - Enable vsftpd to start at boot time.
  • If iptables is being used, allow access:
    • iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
    • iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 20 -j ACCEPT
    • iptables -A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport 21 -j ACCEPT
    • iptables -A INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --dport 20 -j ACCEPT
    • echo IPTABLES_MODULES="nf_conntrack_ftp" >> /etc/sysconfig/iptables-config - Enable the connection tracking module for iptables which is required for proper operation.
  • mkdir /var/ftp/shared && chgrp ftp /var/ftp/shared && chmod 730 /var/ftp/shared - Setup a shared directory for FTP users.
  • semanage fcontext -a -t public_content_rw_t /var/ftp/shared - Change SELinux context for shared directory to allow read/write access remotely.
  • restorecon -Rv /var/ftp/shared - Ensure that the new shared folder has correct SELinux context.
  • setsebool -P allow_ftpd_anon_write=1 - Tell SELinux vsftpd is allowed to make anonymous user writes to disk.
  • service vsftpd start - Startup the FTP server.

Apache

  • yum install @web-server - Installs Apache and related packages via the group package.
  • chkconfig httpd on - Make Apache start at bootup.
  • semanage fcontext -l | grep /var/www/html - Review SELinux file contexts for web server content files.
  • restorecon -vR /var/www/html - Restore the SELinux file contexts for (new) web server content files.
  • curl http://localhost/ - Command line testing for web server operation.
  • To configure virtual hosting, edit the httpd.conf file and then add virtual hosts to the /etc/hosts file (probably all with the same IP address as the physical server).
  • service httpd configtest - Validates the httpd.conf file.
  • To configure SSL/TLS for Apache:
    • yum install mod_ssl - Install the SSL module for Apache
    • nano /etc/httpd/conf.d/ssl.conf - Tell mod_ssl where to find the server’s SSL certificate files.
    • genkey server.example.com - Creates a self signed cert if proper certificates are not in use.
    • restorecon -vR /etc/pki/tls/ - May be required if new certificate files have been created here.
  • openssl x509 -in file.crt -text - Shows information about a given SSL certificate .crt file.
  • To configure basic authentication:

    • Use htpasswd to create a .htpasswd file containing user:passwordhash entries.
    • Add this to a virtualhost block in the chosen Apache configuration file:

      httpd.conf
      <Directory /var/www/virtual/www5/html/>
      AuthName "secrets"
      AuthType Basic
      AuthUserFile /etc/httpd/.htpasswd
      Require valid-user
      </Directory>
    • Refer to AuthUserFile in Apache documentation for more info.

  • To configure LDAP authentication:

    • Same as above, except replace the AuthUserFile line with:

      httpd.conf
      AuthBasicProvider ldap
      AuthLDAPURL "ldap://abc/dc=exam,dc=com" tls
    • echo "LDAPTrustedGlobalCert CA_BASE64 /etc/pki/tls/example.crt" >> httpd.conf

Postfix

  • yum install postfix - Install postfix mail server.
  • chkconfig postfix on - Enable postfix startup at boot.
  • nano /etc/postfix/main.cf - Main configuration file for postfix.
  • postfix flush - Tell postfix to retry queued mail.
  • postconf -n - Show non-default config settings in effect.
  • cd /usr/share/doc/postfix-2.6.6/README_FILES/ - Lots of readme files.

LDAP Client

  • The LDAP service is called sssd.
  • To connect to a LDAP service, client needs to know:
    • LDAP server’s FQDN
    • LDAP “Base DN”
    • LDAP server’s CA certificate
  • To set up LDAP client:
    • yum install @directory-client
    • system-config-authentication (brings up LDAP client config. GUI)
    • In the GUI set:
      • User account database = “ldap”
      • Search base DN = “dc=example,dc=com”
      • LDAP server = “ldap://fqdn/”
      • Download the server’s CA cert via HTTP (using the download button)
      • Click Apply, the sssd service should now start.
    • Optionally configure autofs dynamic mounting of home directories via NFS as described earlier in this document.
  • getent passwd ldapusername - Tests connection to LDAP server.

Kerberos

  • yum install openldap-clients krb5-workstation - Install packages for Kerberos usage.
  • authconfig - Configure LDAP/Kerberos.
  • system-config-authentication - GUI for configuring LDAP/Kerberos.
  • cat /etc/sssd/sssd.conf - Configuration location for LDAP/Kerberos client.
  • getent passwd - Test LDAP/Kerberos operation.

iSCSI

  • iscsiadm --mode discoverydb --type sendtargets --portal 192.168.1.10 --discover - Show iSCSI targets available at a given iSCSI server address.
  • iscsiadm --mode node --targetname iqn.2001-05.com.doe:test --portal 192.168.1.1:3260 --login - Connect to target found using the above discovery command.
  • Important to use the blkid value in /etc/fstab when setting up mounting of iSCSI LUNs.
  • Use the _netdev filesystem mount option when mounting iSCSI devices.
  • man iscsiadm - Some good examples on how to set up iSCSI devices.

LUKS Encrypted Partitions

  1. fdisk (create new empty partition for encrypted volume)
  2. cryptsetup luksFormat /dev/vda1
  3. cryptsetup luksOpen /dev/vda1 mycrypt
  4. mkfs.ext4 /dev/mapper/mycrypt
  5. touch /root/key; chmod 600 /root/key
  6. echo "mycrypt /dev/vda1 /root/key" >> /etc/crypttab
  7. echo "/dev/mapper/mycrypt /mnt/pnt ext4 0 0" >> /etc/fstab
  8. cryptsetup luksAddKey /dev/vda1 /root/key (luksAddKey places key inside filesystem superblock, not a file)
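
A check for the two secret files these notes put on disk, the CIFS credentials file referenced from /etc/fstab and the LUKS key file referenced from /etc/crypttab, written as an added example that is not part of the original notes: it flags any such file that is empty or readable by group or other. The function names and the scratch-directory prefix are assumptions of the example, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original notes). Function names are hypothetical.
# Audits secret files named in fstab (cifs credentials=) and crypttab (key file).

# Octal permission bits of a file; stat -c assumes GNU coreutils (RHEL/CentOS).
file_mode() { stat -c '%a' "$1"; }

# True only if the file is non-empty and grants nothing to group or other.
secret_ok() {
    [ -s "$1" ] || return 1
    case "$(file_mode "$1")" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# Paths given as credentials=<path> in the options of cifs entries.
fstab_cred_files() {
    awk '$1 !~ /^#/ && $3 == "cifs" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++)
                 if (opt[i] ~ /^credentials=/) print substr(opt[i], 13)
         }' "$1"
}

# Key file paths from the third crypttab field ("none" and "-" mean passphrase).
crypttab_key_files() {
    awk '$1 !~ /^#/ && NF >= 3 && $3 != "none" && $3 != "-" { print $3 }' "$1"
}

# usage: audit_secrets <fstab> <crypttab> [root-prefix]
# Prints "BAD <path>" per failing file; returns 0 only if every file passes.
audit_secrets() {
    bad=0
    for f in $(fstab_cred_files "$1") $(crypttab_key_files "$2"); do
        if ! secret_ok "$3$f"; then
            echo "BAD $3$f"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample: the fstab and crypttab lines from these notes, with the
# secret files recreated under a scratch directory instead of the real /root.
demo_audit() {
    d=$(mktemp -d) && mkdir -p "$d/root"
    echo "//host/share /mnt/stuff cifs credentials=/root/creds 0 0" > "$d/fstab"
    echo "mycrypt /dev/vda1 /root/key" > "$d/crypttab"
    printf 'user=bob\npass=password123\n' > "$d/root/creds"
    chmod 644 "$d/root/creds"                       # typical default-umask result
    : > "$d/root/key" && chmod 600 "$d/root/key"    # empty key, as after step 5
    audit_secrets "$d/fstab" "$d/crypttab" "$d" || echo "-> both files flagged"
    # Corrected state: owner-only mode, key file filled with random bytes.
    chmod 600 "$d/root/creds"
    head -c 64 /dev/urandom > "$d/root/key"
    audit_secrets "$d/fstab" "$d/crypttab" "$d" && echo "-> clean"
    rm -rf "$d"
}

demo_audit
```

On a live system, call `audit_secrets /etc/fstab /etc/crypttab` as root with no prefix argument.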

SELinux

  • getenforce - Determine SELinux operation mode.
  • setenforce 1 - Turn on/off SELinux until reboot.
  • nano /etc/sysconfig/selinux - Insert SELINUX=disabled to permanently turn off SELinux.
  • getsebool -a file - Show boolean flags for an object.
  • setsebool -P file - Set boolean flags for an object.
  • setsebool ftp_home_dir on - Set ftp_home_dir boolean for current directory.
  • ls -Z - Show SELinux context for current directory.
  • ps -Z - Show SELinux context info for running processes.
  • semanage fcontext -a -t <context> <files> - Set SELinux context info for file(s) in the database. Run restorecon afterwards.
  • semanage boolean -l | grep ftp - Show SELinux boolean info for any ftp flags.
  • semanage port -l | grep 80 - Show SELinux context info for TCP/IP ports.
  • restorecon -Rv /var/www/html - Set SELinux context info for file given semanage defined settings.
  • chcon - Don’t use this, use semanage.
  • man httpd_selinux - SELinux specific man pages for services such as Apache.
  • yum install setroubleshoot-server - Install the SELinux troubleshooter
  • tail /var/log/messages; sealert -l <errorcode> - Get information about possible SELinux misbehaviour.
  • man -k '_selinux' - Get various SELinux manpage info.
  • When in single user mode, it may be necessary to run setenforce 0 before passwd can be used for account resets.

Syslogd

  • cat /etc/rsyslog.conf - Configuration file for the syslog daemon.
    • facility.severity /logs/destination - Basic syntax of the syslog routing commands.
  • cat /etc/logrotate.conf - Configuration for the log rotation program.
  • logwatch --range today - Runs the logwatch monitoring program and sends report to email address from logwatch config file.
  • cat /etc/logwatch/conf/logwatch.conf - Configuration file for the log watch program.
  • cat /usr/share/logwatch/default.conf/logwatch.conf - Default configuration example for logwatch program.
  • man rsyslog.conf - Man page info for the syslogd configuration file.
  • man logrotate - Man page info for the log rotation program.
  • logger -p <n> "message" - Manually inject message to the logging daemon (for testing).

Linux File Management

  • tar cfvJ - Compress a file as whatever.tar.xz, xz is the *nix equivalent to 7zip’s LZMA2.
  • With Linux ACLs, group permissions in ls show the ACL mask, not actual group permissions (defaults to showing ‘worst case’).
  • During installation, RHEL will add acl mount option to all ext4 partitions automatically, but manually created partitions after installation will need to have acl manually added to /etc/fstab if desired.
  • getfacl filename - Show Linux filesystem ACLs.
  • setfacl -m [ugo]:username:rw filename - Set Linux filesystem ACLs.
  • setfacl -m d:[ugo]:username:rw filename - Set Linux filesystem default ACLs for file or directory tree.
  • setfacl -m mask::r filename - Set Linux filesystem ACL mask value.
  • fuser - Find who is locking a partition.
  • rsync -av <src> <dst> - Synchronises two file paths.
  • Some *nix file permission notes:
    • ugo : The precedence is left to right.
    • Directories need g:grp:x ACL to be traversable by users in that group.
    • SUID: 4xxx files only run as the owner (chmod u+s)
    • SGID: 2xxx files only run as the group, or, in a SGID directory, new files are set to parent group ID (chmod g+s)
    • Sticky: 1xxx directories only; users can only delete files they own, not other files with +w perms (chmod o+t)
  • dumpe2fs /dev/sda1 | grep Default - Check Linux ACL status for a given partition.
  • tune2fs -o acl,user_xattr /dev/sda1 - Fix/correct the operation of Linux ACLs for a given partition.
  • /bin/sed -i '/AllowUsers/c\AllowUsers dave god mike' /etc/ssh/sshd_config - This replaces each full line whose beginning matches the first side of regex with the entire text in the second side of the regex.
  • for x in *.conf; do cat "$x"; done - Operate on all .conf files.
  • file readme.txt - Get file type info.
  • find / -cmin +2500 -cmin -2800 - Find all files modified between 2500 and 2800 minutes ago.
  • find / -ctime +20 -ctime -21 - Find all files modified between 20 and 21 days ago.
  • lsof | grep "deleted" - Show running processes which have binaries no longer present on the filesystem.
  • When viewing files with less, press v to open the file in an editor (uses $EDITOR environment variable).
  • vinetto Thumbs.db -o images - Extract Windows thumbnail images from Thumbs.db file to ./images/

Linux OS Management

  • vmstat 1 3 - Run memory stats at 1 sec interval, 3 times.
  • swapon -p <prio> /dev/sdaN - Enable swap including priority option.
  • grub-crypt - Generate a hashed password which can be inserted in to grub.conf for password option.
  • ksvalidator - Checks RHEL kickstart files for syntax errors.
  • partx - Tell kernel to refresh the live partition table.
  • renice -n 10 -u username - Renice all processes owned by username. -20 is highest priority, 19 is lowest.
  • kill -l - List available signals that kill can send to processes.
  • renice +5 $(pidof crond) - Increase niceness of crond process by 5.
  • modprobe <module> - Install kernel module (e.g. vfat).
  • modprobe -r <module> - Remove kernel module.
  • nano /etc/modprobe.d/local.conf - Configuration file for modules which should be loaded at boot.
  • cat /proc/cmdline - Shows the boot time arguments used for the running kernel.
  • lsmod - Show available kernel modules.
  • ls -la /lib/modules - Show available kernel modules.
  • find /lib/modules/<kernel>/ -name \*.ko - Show available kernel modules.
  • modinfo <module> - Show information on a kernel module.
  • Gathering information about kernel(s):
    • cat /etc/redhat-release
    • cat /proc/cmdline
    • uname -r
    • yum list installed kernel\*
    • uname -m
    • arch
  • visudo - Edit the sudoers file.
  • grep -lR --color -A3 -B3 "IPADDR" /usr/share/doc/* - Search documentation files for occurrences of IPADDR.
  • yum install kernel-doc - Install kernel documentation files.
  • sysctl -n - Show live kernel settings.
  • sar -A - Show today’s system accounting data.
  • sar -r -f /var/log/sa/sa22 - Show memory usage from yesterday’s accounting data.
  • dstat - System utilisation monitoring program.
  • /usr/sbin/adduser -u 555 -g users -G dave,wheel,adm --comment="dave smith" -s /bin/bash -m -p '$6$EJ...l9n52IK.' dave - Creates new user, dave, with UID of 555, the password is specified in the command too, generated beforehand with crypt.

Linux Task Scheduling

  • export EDITOR="/usr/bin/nano" - Change editor program for commands e.g. crontab -e.
  • crontab -e - Edit current user’s cron table.
  • crontab -l - List current user’s cron table.
  • crontab -r - Remove current user’s cron table.
  • man 5 crontab - Show manual pages for crontab.
  • cron entry format: Min Hour DoM Month DoW <cmdline>
  • The at command (via atd service) can schedule tasks independently of cron; usually for one offs:
    • at now+10min
      • echo "this is a script essentially"
      • shutdown
      • <CTRL+D>
  • atq - Query the job queue of the atd service
  • atrm - Delete a scheduled job from the atd queue.
  • /tmp and /var/tmp are emptied by /etc/cron.daily/tmpwatch.

Interesting Linux Files, Locations & Trivia

  • /etc/rc.sysinit/ - Single user mode startup scripts
  • /etc/rc.1/ - Maintenance runlevel startup scripts (not the same thing as single user mode)
  • /dev/fd - A symlink to the /proc structure.
  • /etc/sysconfig/selinux - SELinux settings.
  • /etc/sysconfig/network - Hostname is defined here.
  • /etc/sysconfig/network-scripts/ifcfg-eth0 - Interface specific networking settings.
  • /etc/nsswitch.conf - Controls the order of host resolution sources.
  • /proc/partitions - Show live running disk info.
  • /etc/exports - NFS mount points.
  • /etc/fstab - Disk mount points.
  • /proc/cmdline - Shows the boot time arguments used for the running kernel.
  • /proc/<pid>/ - Shows information about a running process, including command line args and environment variables at runtime.
  • /etc/sysctl.conf - Kernel operating parameters.
  • /etc/sysconfig/iptables - Shows the iptables rules which are loaded at boot.
  • /etc/iscsi/iscsid.conf - iSCSI bootup configuration.
  • /home/<user>/.sqlite_history - May contain sensitive info previously entered in to a SQLite database.
  • Transient services are dynamically managed by xinetd and are therefore not assigned start/stop scripts in the rc.d folders.
  • ‘etc’ stands for editable text configuration.
  • ‘usr’ stands for UNIX system resources.
  • Press ALT + SYSRQ + <key> - Do magic sysrq calls to the kernel (see Wikipedia for full list of options). Reboot after crash: R,E,I,S,U,B.
  • Press ALT+. at the shell to cycle previous command line arguments.
  • Press CTRL+L to clear the console screen.

Well, there you have it. If you have any suggestions for additional entries get in touch.
