
Main Linux Commands Cheat Sheet


Linux Commands

Getting around
Command      Description
cd logs      Move to the logs directory, which is located in the current directory.
cd /logs     Move to the logs directory, which is located in the top-level directory.
cd ..        Move up one directory.
cd ~         Move to your home directory (the “tilde” character is left of the 1 key).
cd -         Move to the directory you were previously in.

Tip – Tab Completion
Use tab completion to type filenames faster. As you’re typing a filename (or directory), hit the tab key. If there’s only one file that matches what you’ve typed, the rest of the filename will be filled in. If nothing happens when you hit tab, simply hit tab again to see a list of matches.

Viewing and searching in files

Command                      Description
cat data.txt                 Display data.txt
cat *.txt                    Display all files that end with .txt
head data.txt                Display the first 10 lines of data.txt.
head -n 20 data.txt          Display the first 20 lines of data.txt.
tail data.txt                Display the last 10 lines of data.txt.
tail -n 30 data.txt          Display the last 30 lines of data.txt.
tail -F data.txt             Display the last 10 lines of data.txt and continue running, displaying any new lines in the file. Note: Press Ctrl+C to exit.
grep malware data.txt        Display all lines in data.txt that contain ‘malware’.
grep -v malware data.txt     Display all lines that do not contain ‘malware’.
grep 'mal ware' data.txt     To search for phrases with spaces, use single quotes.
grep -F 1.2.3.4 data.txt     To search for phrases with periods, use -F
grep -c exe data.txt         Display how many lines in data.txt contain ‘exe’ (but don’t display them).
grep -F -c 1.2.3.4 *.txt     Display the number of lines with IP 1.2.3.4 in each file that ends in .txt.
less large.file              Display large.file in less (see Navigating in less).
less -S large.file           Display large.file in less (see Navigating in less), and allow for side-to-side scrolling.

Navigating in less

Key or Command       Description
q                    Quit
Up/down arrow        Move up/down one line.
Left/right arrow     Move left/right half of a page. Note: requires less -S
Page up/down         Move up/down one page.
g                    Go to the first line
G                    Go to the last line
F                    Go to the last line, and display any new lines (similar to tail -F). Note: Press Ctrl+C to exit.
/malware             Search - go to the next line containing the word ‘malware.’
/!malware            Search - go to the next line NOT containing the word ‘malware.’
?malware             Search - go to the previous line containing the word ‘malware.’
n                    Repeat a previous search.
N                    Repeat a previous search, but in the opposite direction.

Putting it all together


Command                                                  Description
| (AKA “pipe”)                                           Pass the output of one command to another command. Note: For the “pipe” character, use the key above enter (same key as backslash).
grep malware data.txt | tail -n 30                       Display the last 30 lines in data.txt that contain the word ‘malware.’
grep malware data.txt | grep blaster                     Display lines in data.txt that contain ‘malware’ and also contain ‘blaster.’
cat data.txt | sort                                      Display data.txt, sorted alphabetically.
cat data.txt | sort | uniq                               Display data.txt, sorted alphabetically, with duplicates removed.
cat data.txt | sort | uniq -c                            Sort, remove duplicates, and display the number of times each line occurred.
cat data.txt | sort | uniq -c | sort -n                  Sort, remove duplicates, and display the most frequent lines.
cat data.txt | sort | uniq -c | sort -n | tail -n 20     Sort, remove duplicates, and display the 20 most frequent lines.
cat conn.log | bro-cut id.resp_h proto service           Only display the id.resp_h, proto and service columns of the conn Bro log.
cat http.log | bro-cut -d ts method host uri             Only display the timestamp, method, host and uri columns, and convert the timestamp to human-readable format.

Tip – Compressed Files
Files that end in .gz are compressed, and might require some different commands:

Command          Modification for .gz
cat or grep      Use zcat or zgrep.
head or tail     Use zcat | head or zcat | tail

Tip – Documentation
Linux commands are all well documented. To view the documentation:
• Run the command with --help (e.g. tail --help) to see the options.
• Use the manual pages for more detail (e.g. man tail). Note: these open in less.

Tip – Working With Big Files
Commands take longer to run on larger files. Some things to keep in mind are:
• Use grep -F instead of plain grep.
• For viewing the file, use less instead of cat.
• Try to use grep as early as possible, so if you pipe to other tools, there’s less data to crunch.

In order to promote its wide distribution, this work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (http://creativecommons.org/licenses/by-nc-sa/4.0/). We at Broala are committed to helping you understand Bro to the fullest so you can be a monitoring hero.

© Broala LLC.

Basic Linux Commands
SYSTEM
uname -a => Display Linux system information
uname -r => Display kernel release information
uptime => Show how long the system has been running + load
hostname => Show system host name
hostname -i => Display the IP address of the host
last reboot => Show system reboot history
date => Show the current date and time
cal => Show this month's calendar
w => Display who is online
whoami => Who you are logged in as
finger user => Display information about user

HARDWARE
dmesg => Detected hardware and boot messages
cat /proc/cpuinfo => CPU model
cat /proc/meminfo => Hardware memory
cat /proc/interrupts => Lists the number of interrupts per CPU per I/O device
lshw => Displays information on hardware configuration of the system
lsblk => Displays block device related information in Linux
free -m => Used and free memory (-m for MB)
lspci -tv => Show PCI devices
lsusb -tv => Show USB devices
dmidecode => Show hardware info from the BIOS
hdparm -i /dev/sda => Show info about disk sda
hdparm -tT /dev/sda => Do a read speed test on disk sda
badblocks -s /dev/sda => Test for unreadable blocks on disk sda

USERS
id => Show the active user id with login and group
last => Show last logins on the system
who => Show who is logged on the system
groupadd admin => Add group "admin"
useradd -c "Sam" -g admin -m sam => Create user "sam"
userdel sam => Delete user sam
adduser sam => Add user "sam"
usermod => Modify user information
chgrp => Changes a user's group

FILE COMMANDS
ls -al => Display all information about files/directories
pwd => Show the path of current directory
mkdir directory-name => Create a directory
rm file-name => Delete file
rm -r directory-name => Delete directory recursively
rm -f file-name => Forcefully remove file
rm -rf directory-name => Forcefully remove directory recursively
cp file1 file2 => Copy file1 to file2
cp -r dir1 dir2 => Copy dir1 to dir2, create dir2 if it doesn’t exist
mv file1 file2 => Rename source to dest / move source to directory
ln -s /path/to/file-name link-name => Create symbolic link to file-name
touch file => Create or update file
cat > file => Place standard input into file
more file => Output contents of file
head file => Output first 10 lines of file
tail file => Output last 10 lines of file
tail -f file => Output contents of file as it grows, starting with the last 10 lines
gpg -c file => Encrypt file
gpg file.gpg => Decrypt file
wc => Print the number of bytes, words, and lines in files
xargs => Execute command lines from standard input

PROCESS RELATED
ps => Display your currently active processes
ps aux | grep 'telnet' => Find all process IDs related to the telnet process
pmap => Memory map of process
top => Display all running processes
kill pid => Kill process with the mentioned pid
killall proc => Kill all processes named proc
pkill process-name => Send signal to a process with its name
bg => Resumes suspended jobs without bringing them to foreground
fg => Brings the most recent job to foreground
fg n => Brings job n to the foreground

FILE PERMISSION RELATED
chmod octal file-name => Change the permissions of file to octal
Example
chmod 777 /data/test.c => Set rwx permission for owner, group, world
chmod 755 /data/test.c => Set rwx permission for owner, rx for group and world
chown owner-user file => Change owner of the file
chown owner-user:owner-group file-name => Change owner and group owner of the file
chown owner-user:owner-group directory => Change owner and group owner of the directory

NETWORK
ip addr show => Display all network interfaces and IP addresses
ip address add 192.168.0.1 dev eth0 => Set IP address
ethtool eth0 => Linux tool to show ethernet status
mii-tool eth0 => Linux tool to show ethernet status
ping host => Send echo request to test connection
whois domain => Get whois information for domain
dig domain => Get DNS information for domain
dig -x host => Reverse lookup host
host google.com => Lookup DNS IP address for the name
hostname -i => Lookup local IP address
wget file => Download file
netstat -tupl => Listing all active listening ports

COMPRESSION / ARCHIVES
tar cf home.tar home => Create tar named home.tar containing home/
tar xf file.tar => Extract the files from file.tar
tar czf file.tar.gz files => Create a tar with gzip compression
gzip file => Compress file and rename it to file.gz

INSTALL PACKAGE
rpm -i pkgname.rpm => Install rpm based package
rpm -e pkgname => Remove package

INSTALL FROM SOURCE
./configure
make
make install

SEARCH
grep pattern files => Search for pattern in files
grep -r pattern dir => Search recursively for pattern in dir
locate file => Find all instances of file
find /home/tom -name 'index*' => Find file names that start with "index"
find /home -size +10000k => Find files larger than 10000k in /home

LOGIN (SSH AND TELNET)
ssh user@host => Connect to host as user
ssh -p port user@host => Connect to host using specific port
telnet host => Connect to the system using telnet port

FILE TRANSFER
sftp 192.168.75.2 => Connect to remote host
scp
scp file.txt server2:/tmp => Secure copy file.txt to remote host /tmp folder
rsync
rsync -a /home/apps /backup/ => Synchronize source to destination

DISK USAGE
df -h => Show free space on mounted filesystems
df -i => Show free inodes on mounted filesystems
fdisk -l => Show disk partition sizes and types
du -ah => Display disk usage in human readable form
du -sh => Display total disk usage of the current directory
findmnt => Displays target mount point for all filesystems
mount device-path mount-point => Mount a device

DIRECTORY TRAVERSE
cd .. => To go up one level of the directory tree
cd => Go to $HOME directory
cd /test => Change to /test directory
