Essential Linux Commands for Security

Practice these commands regularly so that they become second nature when troubleshooting or responding to incidents. A solid grasp of the Linux command line is indispensable for cybersecurity professionals. Many administrative and investigative tasks rely on the ability to parse logs, inspect network connections, and manage system resources efficiently. Here we will explore several commands that are particularly useful for security work, while providing examples of how to combine them to streamline day-to-day operations.

The grep command is a staple for searching through files. Security analysts often use grep -i for case-insensitive searches when looking for specific error messages or suspicious strings in log files. You can pipe the output of other commands directly into grep to narrow down results. For instance, dmesg | grep -i usb helps identify when removable media was connected, while grep -r "SSH" /var/log/ scans multiple log files for any mention of SSH-related activity.

netstat and ss are essential for examining network connections. By running netstat -tulpn, you can list active listening ports along with the corresponding processes. This is invaluable for spotting unexpected services that may indicate malware or misconfigurations. The ss utility is a faster, more modern replacement that supports additional filtering. Try ss -t state listening to view all listening TCP ports, or ss -u -a to check UDP ports.

Managing firewall rules is another critical skill. On many distributions, iptables remains the default user-space tool for controlling packet filtering. To see current rules, use iptables -L -v and pay close attention to the policy chains. When you need to allow or block traffic quickly, commands such as iptables -A INPUT -p tcp --dport 22 -j ACCEPT are straightforward, but it is usually better to create persistent rules using scripts or the iptables-save command so that they survive reboots. For newer systems that leverage nftables, the nft command provides a unified interface for filtering, NAT, and other packet manipulation tasks.

File integrity monitoring is another area where command-line tools shine. The sha256sum command calculates cryptographic hashes, allowing you to verify whether files have been tampered with. Use sha256sum <filename> before and after a critical operation, or maintain a baseline of known-good hashes to compare against. For more comprehensive monitoring, tools like AIDE (Advanced Intrusion Detection Environment) utilize these hashing functions to maintain databases of file checksums.

When it comes to process management, ps aux is the go-to command. Pair it with grep to pinpoint suspicious processes: ps aux | grep python will show all Python scripts currently running. Another powerful tool is lsof, which reveals which files or sockets a process has open. lsof -i :80 tells you which applications are listening on port 80, while lsof -p <pid> lists the file descriptors for a specific process, helping you determine whether it interacts with sensitive data.

Finally, journalctl deserves special mention on systems that use systemd. It consolidates logs from a variety of services, making it easy to search for patterns or specific events. Use journalctl -u ssh.service to review all logs related to the SSH server, or journalctl --since "1 hour ago" to monitor recent activity. Combining journalctl with grep is a powerful way to narrow down findings during an investigation.

Mastering these tools requires practice. Create a cheat sheet of your most-used command options and experiment in a controlled environment. As you encounter new scenarios, refine your command combinations and take notes. A well-honed command line toolkit allows you to respond swiftly to incidents, analyze data more effectively, and demonstrate a level of technical proficiency that is indispensable in the field of cybersecurity.