Essential Advanced Linux Commands Every Sysadmin Should Master
This guide compiles 100 high‑impact Linux commands covering file systems, networking, monitoring, security, containers, log analysis, and automation, each chosen for its advanced utility, cross‑distribution compatibility, and real‑world relevance.
Linux offers thousands of commands, but 99% of daily operational challenges can be solved with a curated set of 100 advanced commands. The selection criteria focus on advanced functionality beyond basic tools, irreplaceability for specific scenarios, cross‑distribution compatibility (CentOS/Ubuntu), and high frequency of use derived from a decade of sysadmin experience.
1. File System & Storage Management (20 commands)
Efficient File Operations
# Recursive copy with progress bar (more reliable than cp)
rsync -ah --progress /data/backup/ [email protected]:/remote/backup/
# Find logs older than 7 days larger than 1 GB and compress
find /var/log -mtime +7 -size +1G -name "*.log" -exec gzip {} \;
# Add execute permission recursively, keeping the other permission bits (--preserve-root refuses to recurse on /)
chmod -R a+x --preserve-root /usr/local/bin/
# Locate SUID files (security audit)
find / -perm -4000 -type f -exec ls -la {} \; 2>/dev/null
Advanced Storage Management
# Show detailed disk I/O (identify slow disks)
iostat -x 5 3
# LVM expansion (practical resize workflow)
lvresize -L +50G /dev/mapper/centos-root && xfs_growfs /
# Non‑destructive bad block detection
badblocks -v /dev/sda1 > bad_sectors.txt
# Mount ISO without burning
mount -o loop /tmp/ubuntu.iso /mnt/iso/
# Check inode usage (solve "disk full but cannot create files")
df -i
Archiving & Compression Techniques
# Exclude specific directories when creating a backup
tar -czvf backup.tar.gz --exclude=node_modules /home/project/
# Split large archive for cloud upload
split -b 100M large_file.tar.gz "large_file_part_"
# Reassemble split archives
cat large_file_part_* | tar -xzvf -
# Compute file hash for integrity verification
sha256sum ubuntu.iso > ubuntu.sha256 && sha256sum -c ubuntu.sha256
2. Network Diagnosis & Configuration (20 commands)
Connection State Analysis
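# Summarize TCP connection states (detect TIME‑WAIT buildup); NR > 1 skips the header line
ss -tan | awk 'NR > 1 {print $1}' | sort | uniq -c
# Find process using port 80 (more efficient than netstat); the trailing space class keeps :8080 and similar ports out
ss -tulnp | grep -E ':80[[:space:]]'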
# Real‑time traffic monitoring per port
iftop -P -i eth0
# Show full routing table with gateway priorities
ip route show table all
# Flush ARP cache (resolve MAC conflicts)
ip neigh flush dev eth0
Fault‑Finding Tools
# Combined ping & traceroute
mtr -w github.com
# Capture HTTP GET requests for API debugging (matches "GET " in the first 4 bytes of the TCP payload)
tcpdump -i eth0 -s 0 -A 'tcp port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420'
# Test port connectivity (including UDP)
nc -zv -u 192.168.1.1 53
# Deep DNS trace
dig +trace www.baidu.com
# Scan LAN for live hosts
nmap -sn 192.168.1.0/24
Advanced Network Configuration
# Temporarily change MTU (fix jumbo‑frame issues)
ip link set eth0 mtu 9000
# Configure virtual IP for high‑availability
ip addr add 192.168.1.100/24 dev eth0 label eth0:0
# Show interface statistics (detect packet loss)
ip -s link show eth0
# Disable TCP timestamps for high‑concurrency tuning
sysctl -w net.ipv4.tcp_timestamps=0
# Set temporary DNS server
echo "nameserver 8.8.8.8" > /etc/resolv.conf
3. System Monitoring & Performance Tuning (15 commands)
Resource Monitoring Tools
# List top memory‑hungry processes
ps aux --sort=-%mem | head -10
# Real‑time system resource view (including disk I/O)
htop -s PERCENT_MEM
# Show CPU model, frequency and core count
lscpu | grep -E "Model name|MHz|Core\(s\) per socket"
# Monitor memory paging activity
vmstat 1 5
# Display load averages for 1/5/15 minutes
uptime
Performance Analysis Commands
# Count open file handles for a process (fix "too many open files")
lsof -p 1234 | wc -l
# Summarize system calls of a running process (-c prints per-call counts, errors and time when tracing stops)
strace -p 1234 -c
# Monitor disk IOPS
iostat -d 1 5
# Show network throughput for multiple interfaces at once
nload -m
# Search kernel logs for errors
dmesg | grep -i error
System Information Queries
# Show OS release information (works on all distros)
cat /etc/*release
# List kernel parameters with current values
sysctl -a | grep net.ipv4.tcp_max_tw_buckets
# Dump memory hardware details
dmidecode -t memory
# Show how long the last boot took (kernel, initrd and userspace startup time)
systemd-analyze
# List installed packages with versions (Debian/Ubuntu)
dpkg --list | grep nginx
# List installed packages with versions (CentOS/RHEL)
rpm -qa | grep nginx
4. Security Auditing & Permission Management (15 commands)
Account Security Checks
# Find all accounts with UID 0 (hidden root)
awk -F: '($3 == 0) {print}' /etc/passwd
# Locate accounts with empty passwords
awk -F: '($2 == "") {print}' /etc/shadow
# List users with sudo privileges
grep -v "^#" /etc/sudoers | grep "ALL=(ALL)"
# Lock an account (prevent login, keep files)
passwd -l testuser
# Show recent login records
last -n 20
Login & Access Control
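# Detect SSH brute‑force attempts (failed passwords per source IP; the IP is the field after the last "from", since its position shifts on "invalid user" lines)
grep "Failed password" /var/log/auth.log | awk '{for (i = 1; i < NF; i++) if ($i == "from") ip = $(i+1); print ip}' | sort | uniq -c | sort -nr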
# Show current logged‑in users with IPs and commands
w
# Restrict SSH login to specific IP range
echo "AllowUsers [email protected].*" >> /etc/ssh/sshd_config
# Follow SSH daemon logs in real time
journalctl -u sshd -f
# Disable direct root SSH login (also rewrites a commented‑out line or a value other than "yes")
sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
File & Permission Audits
# Find world‑writable directories without sticky bit (security risk)
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
# Check critical file permissions
ls -la /etc/passwd /etc/shadow /etc/sudoers
# Monitor file changes (e.g., nginx config)
watch -n 1 "md5sum /etc/nginx/nginx.conf"
# Verify file permissions, ownership and checksums against the RPM database (CentOS/RHEL); rpm --setperms nginx resets the permissions
rpm -V nginx
# Find recently modified sensitive files under /etc
find /etc -mtime -1 -type f
5. Container & Virtualization Management (10 commands)
Docker Core Commands
# Show container resource usage sorted by CPU (numeric sort)
docker stats --no-stream --format "{{.Name}} {{.CPUPerc}} {{.MemUsage}}" | sort -k2 -rn
# Prune stopped containers, unused networks, all unused images and build cache (add --volumes to also remove unused volumes)
docker system prune -a -f
# Inspect container details (network, mounts, etc.)
docker inspect nginx-container
# Exec into a container with environment variables
docker exec -it --env "TERM=xterm" nginx-container /bin/bash
# Backup a container's data volume
docker run --rm -v nginx-data:/source -v "$(pwd)":/backup alpine tar -czvf /backup/nginx-backup.tar.gz -C /source .
Kubernetes Basic Operations
# Show pod resource usage (requires metrics‑server)
kubectl top pod -n default
# Describe a pod to troubleshoot start failures
kubectl describe pod nginx-pod
# Exec into a pod container
kubectl exec -it nginx-pod -c nginx-container -- /bin/sh
# Copy a file into a pod
kubectl cp local-file.txt nginx-pod:/tmp/
# Show node resource status
kubectl describe node node-1
6. Text Processing & Log Analysis (10 commands)
Advanced "Three Musketeers" Usage
# Extract 404 requests from Nginx access log
awk '$9 == 404 {print $1, $7}' /var/log/nginx/access.log
# Batch replace a domain across configuration files (NUL‑separated names; sed is not run when nothing matches)
grep -rlZ "old_domain\.com" /etc/ | xargs -0 -r sed -i 's/old_domain\.com/new_domain.com/g'
# Highlight ERROR lines in real‑time log stream
tail -f /var/log/syslog | grep --color=auto -i "error"
# Count requests per HTTP status code
awk '{count[$9]++} END {for(code in count) print code, count[code]}' /var/log/nginx/access.log
# Extract specific fields from JSON logs
jq '.timestamp, .message' /var/log/app/json.log
Log Management Tips
# Find most frequent IPs in logs (possible attacks)
grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" /var/log/nginx/access.log | sort | uniq -c | sort -nr | head -10
# Filter logs by ISO‑format time range (both timestamps must occur literally in the file for the range to open and close)
sed -n '/2025-12-01T00:00:00/,/2025-12-01T06:00:00/p' /var/log/syslog
# Compress logs older than 30 days
find /var/log -name "*.log" -mtime +30 -exec gzip {} \;
# Merge split log files in chronological order (the output name must not match the access.log.* input glob)
ls -tr access.log.* | xargs cat > access.full.log
7. Backup, Recovery & Automation (10 commands)
Backup Strategies
# Incremental backup using hard‑link technique
rsync -av --link-dest=/backup/last /data /backup/current
# MySQL dump with automatic compression (a password on the command line ends up in shell history; an owner‑only ~/.my.cnf avoids that)
mysqldump -u root -p'password' --all-databases | gzip > /backup/mysql_$(date +%Y%m%d).sql.gz
# Verify backup integrity
md5sum /backup/backup.tar.gz > /backup/backup.tar.gz.md5 && md5sum -c /backup/backup.tar.gz.md5
# Schedule daily backup and retain last 7 days
echo "0 1 * * * root /usr/local/bin/backup.sh && find /backup -name '*.tar.gz' -mtime +7 -delete" >> /etc/crontab
Automation & Scripting Tools
# List all users' crontabs
for user in $(cut -f1 -d: /etc/passwd); do echo "User: $user"; crontab -u "$user" -l 2>/dev/null; done
# Memory usage monitor with email alert
while true; do if [ $(free | awk '/Mem/{print $3/$2*100}' | cut -d. -f1) -gt 80 ]; then echo "Memory alert" | mail -s "Alert" [email protected]; fi; sleep 60; done
# Execute a command on multiple hosts
for host in $(cat hosts.txt); do ssh $host "uptime"; done
# Search cron logs for debugging
grep CRON /var/log/syslog
# Generate random password for scripts
openssl rand -hex 16
The 100 commands are tools; the real power lies in combining them—e.g., ss + awk + sort to pinpoint connection bottlenecks or find + xargs + gzip to clean up logs. Mastering the man pages and --help output is essential, as effective operations depend on using the right command to solve the problem, not merely memorizing syntax.
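A worked instance of combining commands, built on the SSH brute-force count from section 4 (an added example, not part of the original article; the log lines are constructed and `sample_auth_log` and `failed_ssh_sources` are hypothetical helper names). A fixed field position holds the username instead of the address on "invalid user" lines, and the username is chosen by the client, so this version reads the address from the end of the message and applies a threshold.

```sh
#!/bin/sh
# Constructed sample data in the OpenSSH syslog format (documentation address ranges).
sample_auth_log() {
cat <<'EOF'
Dec  1 03:12:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec  1 03:12:03 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40124 ssh2
Dec  1 03:12:05 web1 sshd[2103]: Failed password for invalid user from from 203.0.113.7 port 40130 ssh2
Dec  1 03:12:09 web1 sshd[2107]: Failed password for deploy from 198.51.100.23 port 51514 ssh2
Dec  1 03:13:40 web1 sshd[2111]: Accepted password for deploy from 198.51.100.23 port 51520 ssh2
Dec  1 03:14:02 web1 sshd[2115]: Failed password for invalid user test from 2001:db8::5 port 39001 ssh2
Dec  1 03:14:04 web1 sshd[2115]: Failed password for root from 203.0.113.7 port 40140 ssh2
EOF
}

# failed_ssh_sources [min_count]
# Reads auth log lines on stdin and prints "count address" for every source
# with at least min_count failed password attempts (default 1), busiest first.
failed_ssh_sources() {
    min="${1:-1}"
    awk -v min="$min" '
        /sshd\[[0-9]+\]: Failed password for / {
            # Scan from the end of the line: the address sits between the
            # last "from" and "port", whatever the client sent as username.
            for (i = NF; i > 2; i--)
                if ($i == "port" && $(i-2) == "from") { hits[$(i-1)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Sources with three or more failures in the sample.
sample_auth_log | failed_ssh_sources 3
```

On a live host, feed it the real log instead of the sample, for example `failed_ssh_sources 10 < /var/log/auth.log`.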
ITPUB
