← All articles
LinuxSysadminReference

The 20 Linux Commands That Actually Matter for Sysadmins

23 February 2026 · 8 min

Most "Linux commands" lists are 200 entries of trivia. In real work you lean on a much smaller set — and knowing when to reach for each matters more than memorising flags. Here are the 20 that earn their place.

Orient yourself

  • ls -l / stat — ownership and permissions are behind a huge share of "permission denied". stat gives you the exact mode and timestamps.
  • cd / pwd — know where you are before you run anything destructive.
  • find — locate files by name/size/age. The backbone of "where did that come from?".

Read what's happening

  • ps aux — what's running, who owns it, how much it's using.
  • top (or htop) — live CPU/memory, and crucially the wa (I/O wait) figure.
  • journalctl -u <svc> — the single most useful command for "why did this service fail?".
  • grep — pull the relevant lines out of huge logs. Pair with -i, -n, -r.
  • tail -f / less — follow a log live, or page through one without loading it all.

Manage services

  • systemctl status/start/stop/restart — the front door to services. status first, always.
  • systemctl daemon-reload — the command everyone forgets after editing a unit file.

Storage and space

  • df -h / df -i — bytes and inodes. You can run out of either.
  • du -xsh /* — find what's eating space. If it disagrees with df, suspect a deleted-but-open file.
  • lsof — what files/sockets a process holds. lsof | grep deleted and lsof -i :PORT are gold.

Network

  • ss -tulpn — what's listening and which PID owns the port. (Forget netstat.)
  • dig — resolve names, compare resolvers, +trace to the authoritative answer.
  • curl -v — test HTTP/HTTPS end to end, see headers, status, and TLS.
  • ip a / ip route — addresses and the routing table; ip route get <ip> shows the chosen path.

Permissions and access

  • chmod / chown — fix access the least-privilege way (never chmod 777).
  • sudo — run privileged commands deliberately; read what you're about to run.

The meta-skill

The commands are easy. The skill is the sequence: confirm the symptom, scope it, read the evidence (journalctl, top, df), narrow to a layer, then change one thing with a reason. A junior knows the flags; an engineer knows the order.

If you only truly internalise five, make them: journalctl -u, ss -tulpn, df -h + du, top (watch wa), and lsof. They cover an astonishing fraction of real incidents.

Drill these in context across the Linux track and the reference library.

Liked this? ShellQuest turns these mental models into puzzles and labs you can actually practise.

Join the waitlist