20+ Linux Commands and explanation on how to use them – step by step

A Security Operations Center (SOC) analyst plays a pivotal role in monitoring and responding to security incidents in an organization. Understanding Linux commands is crucial for several reasons, primarily because a vast number of servers, tools, and systems run on Linux-based operating systems. Let’s delve into the significance of the commands mentioned earlier and their relevance for a SOC analyst:

1. Understanding the Environment: Many corporate servers, cloud instances, and even cybersecurity tools run on Linux or Unix-like environments. Understanding basic and advanced Linux commands helps an analyst navigate and manage these environments.
2. Investigation and Forensics: When security incidents happen, an analyst needs to investigate what took place, which often involves deep dives into system logs, network traffic captures, and system behaviors. Commands like tcpdump, grep, awk, find, and strings allow analysts to inspect network traffic, search through vast logs quickly, and extract relevant data from files.
3. System Monitoring: Keeping an eye on active processes (ps), network connections (netstat or ss), and disk activities (lsof) are pivotal. These can give insights into any anomalies or unexpected activities on a system, which could indicate a security breach or malware activity.
4. Network Monitoring: Tools like tcpdump, nmap, and iptables help in understanding, inspecting, and controlling network activities. They can be used to spot unusual traffic, understand the network landscape, or even implement rapid containment actions.
5. Incident Response: During an ongoing security incident, quick and decisive actions are often needed. Commands like iptables for blocking specific network traffic, kill for stopping suspicious processes, or chown and chmod for altering file permissions can be vital for containing threats.
6. Auditing and Hardening: Periodic security checks and system hardening are a part of proactive security measures. Tools like lynis help in system auditing, while commands such as chmod, chown, and iptables assist in system hardening.
7. Threat Hunting: Proactively searching for signs of malicious activities often requires a combination of commands. For example, correlating data from various logs, checking system integrity with hashing tools like hashdeep, or searching for indicators of compromise in files.
8. Operational Tasks: Routine tasks like checking system performance, managing scheduled tasks (crontab), or configuring network interfaces (ifconfig) are essential to ensure the smooth operation of security tools and systems.
9. Data Analysis: With the amount of data that SOCs deal with, quick on-the-fly analysis using grep, awk, or tail can be invaluable. They can filter out the noise and zoom in on the actual issues.
10. Automation: Basic understanding of Linux and shell scripting can help in automating mundane tasks or even customizing alerts and responses. Many of the commands can be combined in scripts to automate repetitive tasks or produce formatted reports.

In summary, understanding and mastering Linux commands empowers a SOC analyst to perform their job more effectively. Whether it’s responding to incidents, investigating breaches, proactively hunting threats, or maintaining and optimizing the security infrastructure, these commands provide the fundamental building blocks. The versatility of the Linux command line, combined with the open nature of the operating system, allows for endless combinations and solutions tailored to unique security challenges.

1. netstat: Display network connections, routing tables, and network statistics.
   • Example 1: List all active connections: netstat -at
   • Example 2: Show listening ports with numeric values: netstat -lnt
2. tcpdump: Capture and inspect network packets.
   • Example 1: Capture the first 100 packets on the eth0 interface: tcpdump -i eth0 -c 100
   • Example 2: Capture TCP packets on port 80: tcpdump tcp port 80
3. nmap: Discover devices running on a network and find open ports along with various attributes of the network.
   • Example 1: Scan a specific host: nmap 192.168.1.5
   • Example 2: Scan a range of IPs for open ports: nmap 192.168.1.1-20
4. grep: Search specific patterns within files.
   • Example 1: Search for “error” in a logfile: grep 'error' /var/log/syslog
   • Example 2: Use with regular expression: grep '^2023' /var/log/auth.log
5. awk: Extract, filter, and report on data in files.
   • Example 1: Extract the fifth column from a space-separated file: awk '{print $5}' file.txt
   • Example 2: Sum values in a column: awk '{sum+=$1} END {print sum}' file.txt
6. ps: Show current processes.
   • Example 1: View all processes: ps aux
   • Example 2: Show processes for a specific user: ps -u username
7. find: Search for files based on criteria like name, size, or modification date.
   • Example 1: Find files modified in the last day: find / -mtime -1
   • Example 2: Find files with a specific name: find / -name filename.txt
8. chmod & chown: Change file permissions and ownership.
   • Example 1: Make a script executable: chmod +x script.sh
   • Example 2: Change ownership of a file: chown user:group filename.txt
9. diff: Compare the contents of files or directories.
   • Example 1: Compare two configuration files: diff old.conf new.conf
   • Example 2: Compare directories recursively: diff -r dir1/ dir2/
10. iptables: Manage Linux firewall rules.

• Example 1: Block incoming traffic from an IP: iptables -A INPUT -s ip_address -j DROP
• Example 2: Allow traffic on a specific port: iptables -A INPUT -p tcp --dport 22 -j ACCEPT

11. ss: Display socket statistics.

• Example 1: Show listening TCP sockets: ss -lt
• Example 2: Show UDP sockets: ss -lu

12. whois: Query databases for domain or IP information.

• Example 1: Look up a domain: whois example.com
• Example 2: Look up an IP address: whois 192.168.1.5

13. dig: Query DNS records.

• Example 1: Fetch A record for a domain: dig example.com A
• Example 2: Fetch MX records: dig example.com MX

14. last: Display the list of last logged-in users.

• Example 1: Show recent logins: last
• Example 2: Show reboots: last reboot

15. tail: Display the last part of a file.

• Example 1: View the last 50 lines of a log file: tail -n 50 /var/log/syslog
• Example 2: Monitor a log file in real-time: tail -f /var/log/syslog

16. lynis: Security auditing and hardening tool.

• Example 1: Perform a system audit: lynis audit system
• Example 2: Check for available updates: lynis update info

17. lsof: List open files and their associated processes.

• Example 1: See who’s accessing a file: lsof /path/to/file
• Example 2: Find processes using a specific port: lsof -i :22

18. dd: Disk dumping and data copying.

• Example 1: Create an image of a disk: dd if=/dev/sda of=/path/to/image.img
• Example 2: Backup MBR: dd if=/dev/sda of=/backup/mbr_backup bs=512 count=1

19. strings: Extract strings from binary files.

• Example 1: Extract readable content from a binary: strings executable.bin
• Example 2: Extract strings and write to a file: strings malware_sample > output.txt

20. hashdeep: Compute, match, and audit hashsets.

• Example 1: Compute MD5, SHA-1, and SHA-256 hashes of files in a directory: hashdeep -rlc md5,sha1,sha256 *
• Example 2: Check hashes against a known list: hashdeep -k known_hashes.txt -x *

21. ifconfig: Interface configuration tool for network interfaces.

• Example 1: Display information on all network interfaces: ifconfig -a
• Example 2: Set IP address for an interface: ifconfig eth0 192.168.1.5

22. crontab: Schedule tasks.

• Example 1: List scheduled jobs for the current user: crontab -l
• Example 2: Edit the list of jobs: crontab -e

23. alias: Create shortcuts for commands.

• Example 1: Make an alias for checking open ports: alias ports='netstat -tuln'
• Example 2: Make an alias for updating the system: alias update='sudo apt update && sudo apt upgrade'

24. journalctl: Query the systemd journal.

• Example 1: Show all logs since last boot: journalctl -b
• Example 2: Show logs for a specific service: journalctl -u nginx

25. cat: Concatenate and display the content of files.

• Example 1: Display the content of a file: cat /etc/passwd
• Example 2: Combine two files into one: cat file1.txt file2.txt > combined.txt

26. kill: Send a signal to a process.

• Example 1: Kill a process with PID 1234: `kill -9 1234

—–Get started with cybersecurity TODAY!!!

Linux training for SOC analysts, Security Operations Center Linux courses, Cybersecurity Linux command training, SOC analyst Linux tutorials, Linux command line for cybersecurity, Linux tools for security monitoring, Cybersecurity incident response Linux training,  Network security Linux command courses,  Linux forensic investigation tutorials,  Advanced Linux for SOC professionals,  Security system auditing Linux workshops, Threat hunting with Linux commands, Linux-based security tool training,  Linux for cybersecurity threat containment,  Security Operations Linux certification, Cybersecurity Linux operational training, Proactive Linux threat detection courses, Cyber threat analysis using Linux commands, Linux command mastery for cybersecurity, SOC Linux command line bootcamp

Related posts:

Top 100 Kali Linux Commands and How to use them: Cyber Security Training in Nigeria CISCO CyberOps lab – Getting Familiar with the Linux Shell; cybersecurity training How to Install Kali Linux on VMware VM : Cyber Security Training Programs Abuja Nigeria CISCO CyberOps lab – Navigating the Linux Filesystem and Permission Settings; cybersecurity training Clearing Logs On Linux