Sysadmin Cheatsheet
OSI Model
| # | Layer | Protocol / Tech | Key Role |
| 7 | Application | HTTP, FTP, DNS, SMTP, SNMP | User-facing data exchange |
| 6 | Presentation | SSL/TLS, JPEG, ASCII | Encoding, encryption, compression |
| 5 | Session | NetBIOS, RPC, PPTP | Open/maintain/close sessions |
| 4 | Transport | TCP, UDP | Segmentation, ports, reliability |
| 3 | Network | IP, ICMP, OSPF, BGP | Logical addressing, routing |
| 2 | Data Link | Ethernet, MAC, ARP, VLANs | Physical addressing, framing |
| 1 | Physical | Cables, hubs, bits, NICs | Raw bit transmission |
IPv4 Address Ranges
| Range | Type | Notes |
10.0.0.0/8 | Private | Class A, large networks |
172.16.0.0/12 | Private | Class B (172.16-31.x) |
192.168.0.0/16 | Private | Class C, home/SOHO |
127.0.0.0/8 | Loopback | 127.0.0.1 = localhost |
169.254.0.0/16 | APIPA | Auto-assigned when DHCP fails |
224.0.0.0/4 | Multicast | One-to-many delivery |
0.0.0.0 | Unspecified | Two distinct uses: binding (0.0.0.0:80 = listen on all interfaces) vs routing (0.0.0.0/0 = default route / gateway of last resort) |
DNS Record Types
| Record | Purpose | Example |
| A | IPv4 address | example.com → 93.184.216.34 |
| AAAA | IPv6 address | example.com → 2606:… |
| CNAME | Canonical alias | www → example.com |
| MX | Mail server | Priority + mail host |
| NS | Nameservers | Delegates zone authority |
| TXT | Text data | SPF, DKIM, site verification |
| SOA | Zone authority | Primary NS, serial, TTLs |
| PTR | Reverse DNS | IP → hostname lookup |
| SRV | Service location | _sip._tcp.example.com |
TCP vs UDP
| Property | TCP | UDP |
| Connection | Connection-oriented (3-way handshake) | Connectionless, no handshake |
| Reliability | Guaranteed delivery, retransmits lost packets | Best-effort, packets may be lost |
| Ordering | Sequenced delivery guaranteed | Out-of-order delivery possible |
| Speed | Slower (overhead from acks, windowing) | Faster, minimal overhead |
| Use cases | HTTP/S, SSH, FTP, SMTP, RDP, databases | DNS, DHCP, VoIP, video streams, NTP |
Network Troubleshooting Workflow
Work through these steps in order: each one either clears or isolates one part of the path, so by the time you reach the logs you already know which layer is at fault.
| Step | Command | What You're Checking |
| 1. Is the host up? | ping -c 4 <target> | Basic ICMP reachability. A reply rules out total network failure; no reply does not prove the host is down, because ICMP is often filtered - carry on to the TCP check in step 4 |
| 2. What path does traffic take? | traceroute <target> / tracert | Hop-by-hop path - find where packets drop or latency spikes |
| 3. Does DNS resolve? | dig <hostname> / nslookup | Name resolution - wrong IP or NXDOMAIN means a DNS problem. If steps 1-2 were run against a hostname they depend on this, so a failure there may really be this |
| 4. Is the port open? | nc -zv <host> <port> / Test-NetConnection | TCP connectivity to specific port - rules out firewall or service down |
| 5. Is the service listening? | ss -tlnp / netstat -ano | What's bound to which port locally - service may not be started |
| 6. What does the traffic look like? | tcpdump -i eth0 host <target> | Actual packet capture - see resets, retransmits, TLS failures |
| 7. What do the logs say? | journalctl -u nginx -n 50 / tail -f /var/log/syslog | Application and system errors - often the exact answer |
| 8. Is a firewall blocking it? | iptables -L -n / ufw status / Get-NetFirewallRule | Local firewall rules - check both source and destination |
| 9. Is MTU causing fragmentation? | ping -M do -s 1472 <target> (Linux) / ping -f -l 1472 <target> (Windows) | Sends a full 1500-byte frame (1472 payload + 8 ICMP + 20 IP) with Don't Fragment set; "message too long" or silence means a smaller MTU somewhere on the path - common on VPN or tunnel links |
| 10. Is the cert valid? | openssl s_client -connect <host>:443 -servername <host> | TLS handshake, cert expiry, chain validity - for HTTPS issues. -servername sends SNI; without it a shared host may hand back the wrong certificate |
HTTP Status Codes
| Code | Meaning | Common Cause |
200 | OK | Request succeeded |
201 | Created | POST succeeded, new resource created |
204 | No Content | Success, no body returned (DELETE, PUT) |
301 | Moved Permanently | URL changed forever - clients should update bookmarks |
302 | Found (Temporary Redirect) | Temporary redirect - client keeps using original URL |
304 | Not Modified | Cached version is still valid - no body sent |
400 | Bad Request | Malformed request syntax, invalid parameters |
401 | Unauthorized | Authentication required or failed |
403 | Forbidden | Authenticated but no permission - check ACLs, file permissions |
404 | Not Found | Resource doesn't exist at this URL |
405 | Method Not Allowed | Wrong HTTP verb (GET vs POST) for this endpoint |
408 | Request Timeout | Client too slow - network issue or overloaded server |
429 | Too Many Requests | Rate limit hit - back off and retry |
500 | Internal Server Error | Unhandled exception - check app logs |
502 | Bad Gateway | Upstream server returned invalid response - check backend/proxy |
503 | Service Unavailable | Server overloaded or down for maintenance |
504 | Gateway Timeout | Upstream server too slow - check backend latency and timeouts |
Subnetting / CIDR Reference
| CIDR | Subnet Mask | Hosts | Block Size | Example / Use |
/8 | 255.0.0.0 | 16,777,214 | 16M | 10.0.0.0/8 - large org |
/16 | 255.255.0.0 | 65,534 | 64K | 172.16.0.0/16 - campus |
/20 | 255.255.240.0 | 4,094 | 4K | AWS default VPC subnets |
/24 | 255.255.255.0 | 254 | 256 | 192.168.1.0/24 - typical LAN |
/25 | 255.255.255.128 | 126 | 128 | 192.168.1.0/25 - split /24 in half |
/26 | 255.255.255.192 | 62 | 64 | 192.168.1.0/26 - quarter of a /24 |
/27 | 255.255.255.224 | 30 | 32 | 192.168.1.0/27 - small dept segment |
/28 | 255.255.255.240 | 14 | 16 | 192.168.1.0/28 - server cluster |
/29 | 255.255.255.248 | 6 | 8 | Point-to-point link |
/30 | 255.255.255.252 | 2 | 4 | Router-to-router link |
/31 | 255.255.255.254 | 2 | 2 | RFC 3021 p2p (no broadcast) |
/32 | 255.255.255.255 | 1 | 1 | Single host route / loopback |
Tip: Usable hosts = 2^h - 2, where h = 32 - prefix length (subtract the network and broadcast addresses). /31 (RFC 3021, 2 usable) and /32 (1 usable) are the exceptions.
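A subnet calculator for the table above, added here as a worked example (it is not part of the original cheatsheet). It uses only Python's standard ipaddress module: classify maps an address onto the categories of the IPv4 ranges table, subnet_info applies the 2^h - 2 rule with the /31 and /32 exceptions, and split carves a block into equal subnets. The sample addresses are constructed; the usable-host arithmetic is IPv4's.

```python
import ipaddress


def classify(ip: str) -> str:
    """Map an IPv4 address to the categories in the ranges table.
    The checks are ordered because ipaddress counts loopback and
    link-local space as 'private' as well."""
    a = ipaddress.ip_address(ip)
    if a.is_unspecified:
        return "unspecified"
    if a.is_loopback:
        return "loopback"
    if a.is_link_local:
        return "apipa"
    if a.is_multicast:
        return "multicast"
    if a.is_private:
        return "private"
    return "public"


def subnet_info(cidr: str) -> dict:
    """Mask, block size and usable range for a CIDR block.
    strict=False accepts a host address such as 192.168.1.37/26 and
    returns the network that contains it."""
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    block = 2 ** host_bits
    if host_bits == 0:
        # /32 host route: the single address is the usable one, no broadcast
        usable, first, last, bcast = 1, net.network_address, net.network_address, None
    elif host_bits == 1:
        # /31 point-to-point (RFC 3021): both addresses usable, no broadcast
        usable, first, last, bcast = 2, net.network_address, net.broadcast_address, None
    else:
        # general case: drop the network and broadcast addresses
        usable = block - 2
        first = net.network_address + 1
        last = net.broadcast_address - 1
        bcast = net.broadcast_address
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "mask": str(net.netmask),
        "block_size": block,
        "usable_hosts": usable,
        "first_usable": str(first),
        "last_usable": str(last),
        "broadcast": None if bcast is None else str(bcast),
    }


def split(cidr: str, new_prefix: int) -> list:
    """Carve a block into equal subnets, e.g. a /24 into four /26s."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def contains(cidr: str, ip: str) -> bool:
    """True if ip lies inside cidr - handy for sanity-checking firewall rules."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    for c in ("192.168.1.37/26", "10.0.0.0/31", "10.1.2.3/32"):
        print(subnet_info(c))
    print(split("192.168.1.0/24", 26))
    print(classify("169.254.10.5"), classify("93.184.216.34"))
```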
Well-Known Ports
| Port(s) | Protocol | Service | Notes |
| 20 / 21 | TCP | FTP | 20=data, 21=control. Use SFTP/FTPS instead |
| 22 | TCP | SSH / SFTP / SCP | Secure remote shell and file transfer |
| 23 | TCP | Telnet | Plaintext - disable, use SSH |
| 25 | TCP | SMTP | Mail relay between servers |
| 53 | TCP/UDP | DNS | UDP for queries; TCP for zone transfers and any response too large for a single UDP datagram |
| 67 / 68 | UDP | DHCP | 67=server, 68=client |
| 80 | TCP | HTTP | Unencrypted web - redirect to 443 |
| 88 | TCP/UDP | Kerberos | Authentication in AD environments |
| 110 | TCP | POP3 | Email retrieval - use POP3S (995) |
| 123 | UDP | NTP | Time sync - critical for Kerberos/logs |
| 143 | TCP | IMAP | Email access - use IMAPS (993) |
| 161 / 162 | UDP | SNMP | 161=poll, 162=trap. Use v3 with auth |
| 389 | TCP/UDP | LDAP | Directory services - use LDAPS (636) |
| 443 | TCP | HTTPS | HTTP over TLS. Also used by some VPNs |
| 445 | TCP | SMB | Windows file shares - block at perimeter |
| 465 / 587 | TCP | SMTPS / SMTP-TLS | Encrypted mail submission |
| 514 | UDP | Syslog | Log forwarding - use TLS syslog (6514) |
| 636 | TCP | LDAPS | LDAP over TLS |
| 993 | TCP | IMAPS | IMAP over TLS |
| 995 | TCP | POP3S | POP3 over TLS |
| 1433 | TCP | MS SQL Server | Default SQL Server port |
| 1521 | TCP | Oracle DB | Oracle database listener |
| 3306 | TCP | MySQL / MariaDB | Common web app database port |
| 3389 | TCP | RDP | Remote Desktop - never expose to internet |
| 5432 | TCP | PostgreSQL | Default Postgres port |
| 5900 | TCP | VNC | Remote desktop - use only over VPN/tunnel |
| 6379 | TCP | Redis | Historically no auth by default - always bind to localhost and set requirepass before any exposure |
| 8080 / 8443 | TCP | HTTP/S Alt | Dev servers, proxies, alt web services |
| 27017 | TCP | MongoDB | Historically no auth by default - modern versions enforce localhost binding; always enable auth and restrict access before exposing |
VPN Technologies
| Type | Protocol | Port(s) | Notes |
| IPSec / IKEv2 | ESP / IKE | UDP 500 / 4500 | Fast, native on most OS, preferred for site-to-site |
| OpenVPN | TLS | UDP/TCP 1194 | Flexible, open-source, common for remote access |
| WireGuard | UDP | 51820 | Modern, minimal code, fastest throughput. Peers authenticate with static Curve25519 public keys - no certificates or CA to run, unlike OpenVPN or certificate-based IPsec |
| SSL VPN | HTTPS | TCP 443 | Works through firewalls, browser or client-based |
| L2TP/IPSec | L2TP + ESP | UDP 1701 / 500 / 4500 | Common legacy, double-encapsulation overhead; 4500 for NAT-T |
| PPTP | GRE + TCP | TCP 1723 | Obsolete - broken crypto, avoid |
Threat / Attack Reference
| Category | Attack | Description |
| Phishing | Phishing / Spear / Whaling | Fraudulent emails targeting all users / specific individuals / executives |
| Phishing | Vishing / Smishing | Voice call or SMS-based social engineering |
| Web App | SQL Injection | Malicious SQL inserted into input fields to query or corrupt the DB |
| Web App | XSS (Cross-Site Scripting) | Injected scripts execute in victim's browser via a trusted site |
| Web App | CSRF | Forged request tricks authenticated user into unwanted action |
| Web App | IDOR | Accessing objects by changing an ID in the URL/request |
| Malware | Ransomware | Encrypts files, demands payment for key |
| Malware | Rootkit | Hides malware presence at OS/kernel level |
| Malware | Keylogger | Records keystrokes to capture credentials |
| Network | MITM | Attacker intercepts communication between two parties |
| Network | ARP Spoofing | Links attacker MAC to legitimate IP to intercept LAN traffic |
| Network | DDoS / SYN Flood | Overwhelm target with traffic / half-open TCP connections |
| Social Eng. | Pretexting / Tailgating | Fabricated scenario to obtain info / following into secure area |
| Insider | Privilege Escalation | Exploiting vuln or misconfiguration to gain higher access |
Hardening Checklist
| Do / Don't | Action |
| DO | Disable unused ports and services |
| DO | Enable MFA / 2FA on all accounts |
| DO | Apply least privilege (PoLP) everywhere |
| DO | Patch OS promptly - critical/zero-day: hours to days; standard patches: within 30 days |
| DO | Enable host-based firewall (UFW/iptables) |
| DO | Use key-based SSH auth, disable password auth |
| DO | Disable root SSH login (PermitRootLogin no) |
| DO | Encrypt data at rest and in transit |
| DO | Log and monitor all auth events |
| DON'T | Use default credentials on any device |
| DON'T | Run services as root unnecessarily |
| DON'T | Expose RDP / management ports to internet |
| DON'T | Disable SELinux/AppArmor without a plan |
| DON'T | Store plaintext credentials in scripts/repos |
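An added example (not from the original page) that applies the two SSH items of the checklist, plus three related sshd_config settings, to a config file. The weak and hardened sample files are constructed, the keyword list and the WARN/FAIL severities are this example's own choices, and the parser deliberately stops at the first Match block, so it audits global settings only.

```python
import re
from typing import Dict, List, Tuple

# Keyword -> values a hardened server should have. Keywords compare
# case-insensitively, as sshd does. An unset keyword falls back to sshd's
# compiled-in default (PermitRootLogin has defaulted to prohibit-password
# since OpenSSH 7.0), which is reported as WARN rather than FAIL.
EXPECTED = {
    "permitrootlogin": {"no", "prohibit-password"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}

# sshd accepts 'Keyword value' and 'Keyword=value'
_LINE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)$")


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global settings. sshd keeps the FIRST value it sees for a
    keyword, so a later duplicate does not override it, and everything after
    the first 'Match' line is conditional on the connection; the parser
    stops there (assumption: only global defaults are audited)."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break
        m = _LINE.match(line)
        if not m or not m.group(2):
            continue
        effective.setdefault(m.group(1).lower(), m.group(2).strip())
    return effective


def audit(text: str) -> List[Tuple[str, str, str]]:
    """(severity, keyword, detail) for each expected setting that is wrong or absent."""
    effective = parse_sshd_config(text)
    findings = []
    for key, ok in EXPECTED.items():
        value = effective.get(key)
        if value is None:
            findings.append(("WARN", key, "not set; relying on sshd's default"))
        elif value.lower() not in ok:
            findings.append(("FAIL", key, f"is '{value}', want one of {sorted(ok)}"))
    return findings


# Constructed sample: a stock-looking file with the two settings the checklist says to turn off
WEAK = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
#PubkeyAuthentication yes
"""

# Constructed sample: the same file after the checklist has been applied
HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 3
AllowUsers alice deploy
# per-account override; outside the scope of the global audit
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```

Run it against the real file or, better, against the output of sshd -T, which prints the effective configuration with every default resolved; its lower-case "keyword value" lines parse the same way.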
Cryptography Algorithms
| Algorithm | Type | Key Size / Notes |
| AES-256 | Symmetric | 256-bit key. NIST standard; fastest for bulk data on CPUs with AES hardware (AES-NI). Use an AEAD mode such as AES-GCM |
| ChaCha20 | Symmetric | Stream cipher, used as ChaCha20-Poly1305; faster than AES on CPUs without AES hardware (many mobile and embedded parts) |
| RSA | Asymmetric | 2048+ min (4096 recommended for long-term) |
| ECDSA / ECDH | Asymmetric | ECC - same security as RSA with shorter keys |
| Ed25519 | Asymmetric | Preferred for SSH keys, fast and secure |
| SHA-256 / SHA-3 | Hash | Use for integrity checks, digital signatures |
| bcrypt / Argon2 | Password hash | Slow, salted hashes for stored passwords - never a plain SHA-2. Argon2 won the Password Hashing Competition (2015); use the Argon2id variant |
| TLS 1.3 / 1.2 | Protocol | TLS 1.3 preferred (faster, mandatory forward secrecy); TLS 1.2 still acceptable with modern ciphers. 1.0/1.1 deprecated - disable immediately |
Authentication Methods
| Method | Use Case |
| Password + MFA/TOTP | Baseline for all user accounts |
| SSH Key Pairs (Ed25519) | Server access, CI/CD pipelines |
| PKI / X.509 Certificates | TLS, client auth, code signing |
| OAuth 2.0 / OIDC | Web app delegation, "Sign in with Google" |
| SAML 2.0 | Enterprise SSO, IdP federation |
| Kerberos | Active Directory authentication (tickets) |
| RADIUS | Network access (WiFi 802.1X, VPN auth) |
| LDAP / Active Directory | Centralized user/group directory |
Linux - Processes & Services
| Command | Description |
top / htop | Real-time process monitor. htop is interactive |
ps aux | All processes with user and CPU/mem usage |
ps aux | grep nginx | Find process by name |
kill -9 <PID> | Force-kill process by PID (SIGKILL) - no cleanup or flushing; try plain kill <PID> (SIGTERM) first |
pkill -f nginx | Kill all processes matching name pattern |
systemctl status sshd | Check service status (systemd) |
systemctl restart nginx | Restart a systemd service |
systemctl enable nginx | Enable service to start on boot |
journalctl -u nginx -f | Follow systemd logs for a service |
free -h | Memory usage in human-readable format |
vmstat 1 | CPU/IO/memory stats every 1 second |
uptime | System uptime and load averages (1/5/15 min) |
systemd Deep Dive
| Command | Description |
systemctl list-units --type=service --state=failed | Show all failed services - first thing to check after a reboot |
systemctl list-units --type=service --state=running | All currently running services |
systemctl disable --now nginx | Stop a service and prevent it starting on boot in one command |
systemctl mask nginx | Completely prevent a service from starting - stronger than disable, blocks manual start too |
systemctl cat nginx | Show the full unit file for a service - see ExecStart, dependencies, restart policy |
systemctl daemon-reload | Reload unit files after editing - required before restarting a modified service |
journalctl -u nginx -n 100 --no-pager | Last 100 log lines for a service without paging |
journalctl -u nginx --since "1 hour ago" | Service logs from the last hour - accepts natural language time |
journalctl -p err -b | Only error-level (and above) messages from current boot |
journalctl -b -1 | Logs from the previous boot - useful after a crash or unexpected reboot |
journalctl --disk-usage | How much disk space journal logs are consuming |
journalctl --vacuum-time=7d | Delete journal entries older than 7 days to free disk space |
Linux - Networking & Firewall
| Command | Description |
ip addr show | Show all network interfaces and IP addresses |
ip route show | Display routing table |
ss -tulnp | TCP/UDP listening ports with process names |
netstat -tulnp | Listening ports (legacy, use ss on modern systems) |
ping -c 4 8.8.8.8 | Test connectivity (4 packets) |
traceroute 8.8.8.8 | Trace route hops to destination |
nmap -sV -p 1-1000 <IP> | Scan ports 1-1000 with service version detection (with no -p, nmap scans its 1000 most common ports instead, which is not the same set) |
dig example.com A | DNS lookup for A record |
curl -I https://example.com | Fetch HTTP response headers only |
Linux - Files, Permissions & Users
| Command | Description |
chmod 755 file | rwxr-xr-x - owner full, group/other read+exec |
chmod u+x script.sh | Add execute permission for owner |
chown user:group file | Change file owner and group |
find / -perm -4000 -type f 2>/dev/null | Find all SUID binaries (privilege escalation risk) - review anything outside the distro's expected set |
useradd -m -s /bin/bash username | Create user with home dir and bash shell |
usermod -aG sudo username | Add user to sudo group |
passwd username | Set or change user password |
grep -r "error" /var/log/ | Recursively search logs for "error" |
tail -f /var/log/syslog | Follow log file in real-time |
df -h | Disk usage by filesystem in human-readable |
du -sh /var/log/* | Size of each item in /var/log |
tar -czf out.tar.gz /dir | Create gzipped tarball of directory |
rsync -avz src/ dest/ | Sync files with verbose output and compression |
Common Linux Config Files
| File | What it Controls |
/etc/hosts | Static hostname-to-IP mappings - checked before DNS, useful for local overrides |
/etc/resolv.conf | DNS server addresses and search domains - often managed by NetworkManager or systemd-resolved |
/etc/fstab | Filesystems mounted at boot - device, mount point, type, options, dump, fsck order |
/etc/hostname | System hostname - set it with hostnamectl set-hostname, which rewrites this file and applies the change live |
/etc/sudoers | Sudo access rules - always edit with visudo to prevent syntax errors locking you out |
/etc/passwd | User accounts: username, UID, GID, home dir, shell - no passwords stored here |
/etc/shadow | Hashed passwords and password policy per user - root-readable only |
/etc/group | Group definitions and membership lists |
/etc/ssh/sshd_config | SSH server config - PermitRootLogin, PasswordAuthentication, Port, AllowUsers |
/etc/crontab | System-wide cron schedule - has an extra user field before the command. User crons live in /var/spool/cron/crontabs/ (Debian/Ubuntu) or /var/spool/cron/ (RHEL) |
/etc/cron.d/ | Drop-in cron files for packages and services - same format as /etc/crontab |
/etc/environment | System-wide environment variables set at login - plain KEY=value format, no export needed |
/etc/profile.d/ | Shell scripts sourced at login for all users - drop custom env vars and aliases here |
/etc/logrotate.conf | Log rotation policy - frequency, retention count, compression settings |
/etc/nsswitch.conf | Name service switch - controls lookup order for hosts, users, groups (files vs DNS vs LDAP) |
SSH Key Management
| Command / File | Description |
ssh-keygen -t ed25519 -C "user@host" | Generate Ed25519 key pair - preferred over RSA for new keys |
ssh-keygen -t rsa -b 4096 -C "user@host" | Generate 4096-bit RSA key pair - use when Ed25519 not supported |
ssh-copy-id user@host | Copy public key to remote host's authorized_keys in one step |
cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys | Append a public key to authorized_keys - run on the remote host after copying the .pub file there (manual alternative to ssh-copy-id) |
eval $(ssh-agent -s) && ssh-add ~/.ssh/id_ed25519 | Start ssh-agent and load a key - avoids repeated passphrase prompts |
ssh-add -l | List keys currently loaded in ssh-agent |
ssh -J bastion user@target | ProxyJump - SSH through a bastion/jump host to reach internal servers |
ssh -L 8080:internal:80 user@bastion | Local port forward - tunnel local 8080 through bastion to internal:80 |
~/.ssh/config | Per-user SSH config - define Host aliases, IdentityFile, ProxyJump, Port per host |
~/.ssh/authorized_keys | Public keys allowed to authenticate to this account - sshd (StrictModes) ignores it if the file or ~/.ssh is group/world-writable: chmod 600 the file, chmod 700 the directory |
~/.ssh/known_hosts | Fingerprints of hosts you've connected to - mismatch = MITM warning |
/etc/ssh/sshd_config | Server-side SSH config - PermitRootLogin, PasswordAuthentication, AllowUsers |
Package Management
| Task | apt (Debian/Ubuntu) | dnf/yum (RHEL/CentOS) | zypper (SUSE) |
| Install package | apt install nginx | dnf install nginx | zypper install nginx |
| Remove package | apt remove nginx | dnf remove nginx | zypper remove nginx |
| Remove + config | apt purge nginx | dnf remove nginx (no purge on rpm systems; modified configs are left behind as .rpmsave) | zypper remove --clean-deps nginx (rpm-based, same caveat) |
| Update all | apt update && apt upgrade | dnf upgrade | zypper update |
| Search package | apt search nginx | dnf search nginx | zypper search nginx |
| Package info | apt show nginx | dnf info nginx | zypper info nginx |
| List installed | apt list --installed | dnf list installed | zypper packages --installed |
| Which pkg owns file | dpkg -S /usr/sbin/nginx | rpm -qf /usr/sbin/nginx | rpm -qf /usr/sbin/nginx |
| List pkg files | dpkg -L nginx | rpm -ql nginx | rpm -ql nginx |
| Add repo | add-apt-repository ppa:x | dnf config-manager --add-repo URL | zypper addrepo URL alias |
| Clean cache | apt clean | dnf clean all | zypper clean |
Linux Filesystem Hierarchy
| Path | What Lives Here |
/ | Root of the entire filesystem tree - everything hangs off here |
/bin | Essential user binaries (ls, cp, mv, bash) needed before /usr is mounted |
/sbin | Essential system binaries for root (fdisk, ifconfig, init, fsck) |
/usr | Read-only user data: most installed apps, libraries, and docs go here |
/usr/bin | Non-essential user commands (gcc, python3, git, curl, vim) |
/usr/local | Locally compiled or admin-installed software - not managed by the package manager |
/etc | System-wide configuration files (/etc/ssh/sshd_config, /etc/hosts, /etc/cron.d) |
/var | Variable data that grows: logs (/var/log), mail, spool, databases, package cache |
/var/log | System and service logs (syslog, auth.log, dmesg, journald writes here) |
/tmp | Temporary files - cleared on reboot, world-writable, no exec in hardened configs |
/home | User home directories (/home/alice). Root's home is /root, not here |
/root | Home directory for the root account |
/dev | Device files: disks (/dev/sda), terminals (/dev/tty), null (/dev/null) |
/proc | Virtual FS exposing kernel and process info (/proc/cpuinfo, /proc/meminfo) |
/sys | Virtual FS for kernel devices and drivers - used by udev and hardware management |
/boot | Kernel images, initramfs, and GRUB config - keep separate partition for safety |
/lib | Shared libraries needed by /bin and /sbin at boot |
/opt | Optional third-party software installed as self-contained packages (e.g. /opt/splunk) |
/mnt | Temporary mount point for manually mounted filesystems |
/media | Auto-mount point for removable media (USB drives, DVDs) |
/srv | Service data served to the network (web root, FTP files) |
/run | Runtime data since last boot: PID files, sockets, lock files (tmpfs) |
Windows Filesystem Hierarchy
Drive-letter based (C:, D:). NTFS is standard - supports permissions, ACLs, compression, and encryption.
| Path | What Lives Here |
C:\ | Root of the drive - each volume has its own root under a drive letter |
C:\Windows | OS root containing system binaries, configuration files, and critical subdirectories |
C:\Windows\System32 | 64-bit system executables, DLLs, and management tools (cmd.exe, notepad.exe, etc.) |
C:\Windows\SysWOW64 | 32-bit system binaries for backward compatibility on 64-bit Windows |
C:\Windows\System32\drivers | Kernel-mode drivers (.sys files) loaded at boot |
C:\Windows\Temp | System-wide temporary files - safe to clear periodically |
C:\Program Files | Default install directory for 64-bit applications |
C:\Program Files (x86) | Default install directory for 32-bit applications on 64-bit Windows |
C:\ProgramData | System-wide app data and config shared across all users (hidden by default) |
C:\Users\Public | Shared folder accessible to all local users |
C:\Users\%USERNAME% | Per-user profile root - contains all personal folders and app data |
...\AppData\Roaming | Per-user config that follows domain profiles (Outlook, VS Code settings, etc.) |
...\AppData\Local | Local-only app data: cache, application state, Temp subfolder |
...\AppData\Local\Temp | User-specific temp files - a common target for malware drops |
...\Desktop / Downloads | Standard personal folders inside each user profile |
PowerShell Basics
| Command | Description |
Get-Help Get-Process -Full | Full documentation for any cmdlet - add -Examples for just examples, -Online to open browser docs |
Get-Help *network* | Wildcard search across all help topics - how you discover cmdlets you don't know yet |
Update-Help | Download latest help files - run once after a fresh install, requires internet |
Get-Command -Verb Get -Noun *DNS* | Find cmdlets by verb, noun, or wildcard - the right way to discover what's available |
Get-Command -Module ActiveDirectory | List every cmdlet in a specific module |
Get-Module -ListAvailable | All modules installed on the system, whether loaded or not |
Import-Module ActiveDirectory | Load a module into the current session |
Get-Process | Get-Member | Inspect every property and method on an object - essential for building pipelines |
Get-Service | Select-Object -Property * | Reveal all properties on an object, not just the default display columns |
Get-History | Command history for the current session with execution IDs |
Invoke-History 42 | Re-run a command by its history ID |
Get-PSReadLineOption | View persistent history path - PSReadLine saves history across sessions by default |
Set-ExecutionPolicy RemoteSigned -Scope CurrentUser | Allow local scripts to run; downloaded scripts must be signed. Sensible default for daily use, but execution policy is a safety catch against accidents, not a security boundary - it is trivially bypassed (e.g. powershell -ExecutionPolicy Bypass) |
Get-ExecutionPolicy -List | Show policy at every scope (MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine) |
Windows System & Remote Management
| Command | Description |
Get-Process | List all running processes (PS) |
Stop-Process -Name notepad | Kill process by name (PS) |
Get-Service | Where Status -eq Running | List only running services (PS) |
systeminfo | OS version, RAM, hotfixes, uptime |
net user /domain | List domain users |
net localgroup administrators | List local admins |
Get-HotFix | Sort-Object InstalledOn -Descending | Installed Windows Updates and KBs, newest first |
Get-ExecutionPolicy | Check current PowerShell script execution policy |
Get-CimInstance Win32_OperatingSystem | select LastBootUpTime | When the system last rebooted |
Get-WinEvent -LogName Security -MaxEvents 50 | Recent Security event log entries (PS) |
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 20 | Failed logon events only - faster and more precise than Where-Object filtering |
Test-NetConnection -ComputerName dc01 -Port 443 | Test TCP connectivity to a host/port - modern replacement for telnet port tests |
Invoke-Command -ComputerName srv01,srv02 -ScriptBlock { Get-Service spooler } | Run commands on one or many remote machines simultaneously over WinRM |
Enter-PSSession -ComputerName srv01 | Interactive remote PowerShell session - like SSH for Windows |
Get-Printer -ComputerName printserver | List all printers on a print server |
Add-Printer -Name "HP-Floor2" -DriverName "HP Universal" -PortName "IP_10.0.1.50" | Add a network printer from CLI - no GUI needed |
Install-Module PSWindowsUpdate -Force; Get-WindowsUpdate | Check pending Windows Updates from PowerShell - requires PSWindowsUpdate module |
Install-WindowsUpdate -AcceptAll -AutoReboot | Install all available updates and reboot if required (PSWindowsUpdate module) |
Windows Networking
| Command | Description |
ipconfig /all | Full adapter info including MAC address, DNS servers, DHCP lease, and gateway |
netstat -ano | All active TCP/UDP connections with associated PIDs (legacy but universal) |
Get-NetTCPConnection | Modern netstat equivalent - active TCP connections with state and owning process ID |
Get-DnsClientCache | View locally cached DNS records - useful for diagnosing stale or poisoned entries |
Get-NetRoute | Display the full routing table - equivalent to route print |
Get-NetAdapter | List physical and virtual network adapters with link speed and status |
(Invoke-RestMethod ipinfo.io/json).ip | Retrieve public egress IP address from PowerShell - no browser needed |
Restart-Computer -ComputerName "PC01" -Force | Remotely restart a machine by name - requires WinRM or admin share access |
Windows Storage & Services
| Command | Description |
Get-Disk | List all physical disks with size, partition style (MBR/GPT), and health status |
Get-Volume | Show all volumes with drive letter, filesystem, total size, and free space |
Get-PhysicalDisk | select FriendlyName, HealthStatus, OperationalStatus | Health status per physical disk as reported by the storage stack - spot failing drives early |
Get-ChildItem C:\Path -Recurse | Measure-Object -Sum Length | Calculate total disk usage of a directory tree in bytes |
Get-Service | Where Status -eq Running | List only services currently in a Running state |
Get-Service | where Status -eq 'StartPending' | Find services stuck in Starting - indicates a hung or deadlocked service |
Restart-Service -Name sshd | Restart a named service by its service name (not display name) |
Get-CimInstance Win32_Service | select Name, PathName, StartMode | Service binary path and start mode - useful for spotting malicious service installs |
RAID Types
| RAID | Method | Min Disks | Fault Tolerance |
| RAID 0 | Striping | 2 | None — any disk failure = total loss |
| RAID 1 | Mirroring | 2 | 1 disk failure tolerated |
| RAID 5 | Stripe + parity | 3 | 1 disk failure tolerated |
| RAID 6 | Stripe + dual parity | 4 | 2 disk failures tolerated |
| RAID 10 | Stripe of mirrors | 4 | 1 per mirror pair |
Backup Strategy Types
| Type | What It Backs Up | Speed | Restore |
| Full | All data every time | Slowest | Single set — fastest restore |
| Incremental | Changes since last backup (any) | Fastest | Need all incrementals + last full |
| Differential | Changes since last full only | Medium | Last full + latest differential |
| Snapshot | Point-in-time copy (CoW) | Instant | Instant rollback, storage overhead |
Active Directory
| Command | Description |
Get-ADUser -Identity jsmith -Properties * | Full user details: last logon, locked status, group membership |
Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonDate | Where {$_.LastLogonDate -lt (Get-Date).AddDays(-90)} | Active accounts with no logon in 90+ days — stale account audit |
Set-ADUser -Identity jsmith -Enabled $false | Disable a user account |
Unlock-ADAccount -Identity jsmith | Unlock a locked-out account |
Set-ADAccountPassword -Identity jsmith -Reset -NewPassword (Read-Host -AsSecureString "New password") | Reset a user password from PowerShell - prompt for it rather than typing it on the command line, where it lands in history and logs |
Get-ADGroupMember -Identity "Domain Admins" -Recursive | List group members including nested members |
Add-ADGroupMember -Identity "VPN Users" -Members jsmith | Add a user to a group |
Get-ADComputer -Filter * -Properties LastLogonDate | Sort LastLogonDate | All computers sorted by last logon — spot stale machine accounts |
Test-ComputerSecureChannel -Repair | Fix broken domain trust without removing from domain |
Reset-ComputerMachinePassword | Fixes "trust relationship failed" — no domain rejoin needed |
gpupdate /force | Force immediate Group Policy refresh |
gpresult /r | Show applied GPOs for current user and computer (RSoP) |
dcdiag /test:replications | Test AD replication health across domain controllers |
repadmin /replsummary | Replication summary — spot failing DC partners quickly |
Linux Log Paths
| Path / Command | Contents |
/var/log/auth.log | SSH logins, sudo, auth failures (Debian/Ubuntu) |
/var/log/secure | Same as auth.log on RHEL/CentOS |
/var/log/syslog | General system messages and daemon output |
/var/log/messages | Kernel + system messages (RHEL/CentOS) |
/var/log/kern.log | Kernel messages delivered via syslog (Debian/Ubuntu); dmesg shows the live ring buffer |
/var/log/nginx/access.log | HTTP requests to Nginx web server |
/var/log/nginx/error.log | Nginx errors and connection issues |
/var/log/apache2/error.log | Apache web server errors |
/var/log/cron | Cron job execution history (RHEL/CentOS; Debian/Ubuntu log cron to syslog) |
journalctl -u nginx | Systemd journal for a specific service |
journalctl -b -p err | All errors since last boot (systemd) |
Windows Event IDs
| Event ID | Log | Meaning |
| 4624 | Security | Successful logon - check the Logon Type (2 interactive, 3 network, 10 RDP) |
| 4625 | Security | Failed logon attempt |
| 4648 | Security | Logon with explicit credentials (runas) |
| 4672 | Security | Special privileges assigned to new logon |
| 4688 | Security | New process created - needs 'Audit Process Creation' enabled; turn on command-line logging in the same policy area to make it useful |
| 4720 | Security | User account created |
| 4740 | Security | Account locked out |
| 4776 | Security | DC validated credentials (NTLM) |
| 7045 | System | New service installed on the system |
| 1102 | Security | Audit log cleared - investigate immediately |
Log Query Tools
| Tool / Command | Use |
Event Viewer (eventvwr.msc) | Windows GUI for all event logs |
Get-WinEvent -LogName Security | PowerShell security log access |
grep "Failed" /var/log/auth.log | Filter failed SSH attempts |
last -n 20 | Last 20 logins from /var/log/wtmp |
lastb | Failed login attempts (/var/log/btmp) |
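The grep row above finds the failed-login lines; here, as an added example that is not from the original page, is the next step: count failures per source IP, flag a successful login that follows a burst of failures, and emit the matching ufw deny rules. The log lines are constructed in sshd's message format using documentation addresses, the threshold of five is an arbitrary choice, and the regexes anchor on the "sshd[pid]:" part so they also match journalctl output, whose timestamp prefix differs.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# sshd's own message text; the syslog prefix before 'sshd[pid]:' is ignored
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def analyse(lines: Iterable[str], threshold: int = 5) -> Dict:
    """Group failed logins by source IP and note any success that follows
    earlier failures from the same IP (the sign that guessing worked)."""
    failures: Dict[str, List[str]] = defaultdict(list)
    success_after_failures = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m and failures.get(m["ip"]):
            success_after_failures.append(
                (m["ip"], m["user"], m["method"], len(failures[m["ip"]])))
    brute_force = {
        ip: {"attempts": len(users), "users": sorted(set(users))}
        for ip, users in failures.items() if len(users) >= threshold
    }
    return {"brute_force": brute_force,
            "success_after_failures": success_after_failures}


def block_commands(report: Dict) -> List[str]:
    """ufw rules for every IP over the threshold (see the UFW table below)."""
    return [f"ufw deny from {ip}" for ip in sorted(report["brute_force"])]


# Constructed auth.log excerpt: one legitimate key login, a password-guessing
# run from 203.0.113.45 that eventually succeeds as root, and a sudo line
# that neither pattern should match.
LOG = """\
Mar 10 14:22:01 web01 sshd[2143]: Accepted publickey for alice from 198.51.100.7 port 40102 ssh2: ED25519 SHA256:constructedfingerprint
Mar 10 14:23:11 web01 sshd[2150]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 10 14:23:13 web01 sshd[2150]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar 10 14:23:15 web01 sshd[2152]: Failed password for invalid user test from 203.0.113.45 port 51240 ssh2
Mar 10 14:23:17 web01 sshd[2152]: Failed password for invalid user ubuntu from 203.0.113.45 port 51240 ssh2
Mar 10 14:23:19 web01 sshd[2154]: Failed password for root from 203.0.113.45 port 51250 ssh2
Mar 10 14:23:21 web01 sshd[2154]: Failed password for invalid user pi from 203.0.113.45 port 51250 ssh2
Mar 10 14:23:30 web01 sshd[2156]: Accepted password for root from 203.0.113.45 port 51260 ssh2
Mar 10 14:25:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    report = analyse(LOG.splitlines())
    print(report)
    print("\n".join(block_commands(report)))
```

A successful password login for root after six failures from the same address is the line that matters; the count alone only tells you the scan happened.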
Cron Job Syntax
| Field | Range | Example | Meaning |
| Minute | 0-59 | 30 | At minute 30 |
| Hour | 0-23 | 14 | At 14:00 (2pm) |
| Day/Month | 1-31 | 1 | On the 1st of month |
| Month | 1-12 | */3 | Every 3 months |
| Day/Week | 0-7 | 1-5 | Mon-Fri (0=7=Sunday) |
| * | any | * | Every value in field |
| */n | step | */15 | Every n units |
| , | list | 1,15,30 | At specific values |
| Cron Expression | Schedule |
0 2 * * * | Every day at 02:00 |
*/5 * * * * | Every 5 minutes |
0 0 1 * * | First day of every month, midnight |
30 8 * * 1-5 | Weekdays at 08:30 |
0 */4 * * * | Every 4 hours on the hour |
@reboot /path/script | Run once at system startup |
0 3 * * 0 | Weekly Sunday at 03:00 |
0 12 1 1 * | Yearly - January 1st at noon |
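An added example (not code from the original page) that turns the two tables above into something you can check: a parser for the five-field syntax and the @aliases, with the Sunday 0/7 quirk and the cron(5) rule that a restricted day-of-month and day-of-week combine with OR rather than AND. Reading "N/step" as N through the field maximum is this example's own assumption, noted in the code; the dates in the demo are constructed.

```python
import datetime as dt

# (name, lowest, highest) for the five crontab fields, in order
FIELDS = [("minute", 0, 59), ("hour", 0, 23), ("day", 1, 31),
          ("month", 1, 12), ("weekday", 0, 7)]

# Shortcuts cron accepts in place of the five fields
ALIASES = {
    "@hourly": "0 * * * *", "@daily": "0 0 * * *", "@midnight": "0 0 * * *",
    "@weekly": "0 0 * * 0", "@monthly": "0 0 1 * *",
    "@yearly": "0 0 1 1 *", "@annually": "0 0 1 1 *",
}


def _expand(field: str, lo: int, hi: int) -> set:
    """Expand one field ('*', 'a-b', 'a,b,c', '*/n', 'a-b/n') into the
    set of integer values it allows."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in {field!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            # 'N/step' is outside the cron(5) grammar; it is read here as
            # N..max, as most implementations do (assumption)
            end = hi if step > 1 else start
        if not (lo <= start <= end <= hi):
            raise ValueError(f"{field!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def compile_cron(expr: str) -> dict:
    """Parse a five-field expression (or @alias) into per-field value sets."""
    expr = ALIASES.get(expr.strip(), expr)
    parts = expr.split()
    if len(parts) != 5:
        raise ValueError("expected: minute hour day month weekday")
    c = {name: _expand(p, lo, hi) for p, (name, lo, hi) in zip(parts, FIELDS)}
    if 7 in c["weekday"]:                  # 0 and 7 both mean Sunday
        c["weekday"].discard(7)
        c["weekday"].add(0)
    # cron(5): when BOTH day-of-month and day-of-week are restricted
    # (neither is '*'), the job runs when EITHER one matches
    c["day_or_weekday"] = parts[2] != "*" and parts[4] != "*"
    return c


def _to_dt(when) -> dt.datetime:
    return dt.datetime.fromisoformat(when) if isinstance(when, str) else when


def matches(expr, when) -> bool:
    """Would the expression fire at this minute? `when` may be a datetime
    or an ISO string such as '2024-03-11T08:30'."""
    c = expr if isinstance(expr, dict) else compile_cron(expr)
    t = _to_dt(when)
    cron_dow = (t.weekday() + 1) % 7       # Python Monday=0 -> cron Sunday=0
    dom_ok, dow_ok = t.day in c["day"], cron_dow in c["weekday"]
    day_ok = (dom_ok or dow_ok) if c["day_or_weekday"] else (dom_ok and dow_ok)
    return (t.minute in c["minute"] and t.hour in c["hour"]
            and t.month in c["month"] and day_ok)


def next_run(expr: str, after) -> dt.datetime:
    """First minute strictly after `after` at which the expression fires."""
    c = compile_cron(expr)
    t = _to_dt(after).replace(second=0, microsecond=0) + dt.timedelta(minutes=1)
    limit = t + dt.timedelta(days=4 * 366)  # wide enough for a Feb 29 schedule
    while t < limit:
        if matches(c, t):
            return t
        t += dt.timedelta(minutes=1)
    raise ValueError(f"{expr!r} never fires within four years of {after}")


if __name__ == "__main__":
    for e in ("0 2 * * *", "*/5 * * * *", "30 8 * * 1-5", "0 3 * * 0", "@monthly"):
        print(f"{e:14} next after 2024-03-10 14:22 -> {next_run(e, '2024-03-10T14:22')}")
```

The OR rule is the one that bites in practice: "0 0 13 * 5" does not mean "Friday the 13th", it fires on every 13th and on every Friday.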
Monitoring Platforms
| Tool | Type | Best For |
| Zabbix | Open source, agent-based | Full infrastructure monitoring - servers, network, VMs, SNMP. Self-hosted, no license cost |
| PRTG | Commercial, agentless | Windows-centric environments, easy setup, strong network/SNMP monitoring. Licensed by sensor count |
| Nagios / Icinga | Open source, plugin-based | Highly customisable, large plugin ecosystem. Icinga2 is the modern fork with better config and clustering |
| Grafana + Prometheus | Open source, metrics stack | Modern cloud-native monitoring - Prometheus scrapes metrics, Grafana visualises. Standard in Kubernetes environments |
| Datadog | SaaS | Full-stack observability - infrastructure, APM, logs, synthetics. Expensive but minimal setup overhead |
| Elastic Stack (ELK) | Open source / SaaS | Log aggregation and search at scale - Elasticsearch + Logstash + Kibana. Strong for SIEM use cases |
| Graylog | Open source / commercial | Centralised log management - easier to operate than ELK for log-focused use cases |
| Uptime Kuma | Open source, self-hosted | Lightweight uptime/status monitoring with a clean UI - good for small teams or personal use |
OpenSSL Certificate Commands
| Command | Purpose |
| openssl x509 -in cert.pem -text -noout | Inspect cert: expiry, SAN, issuer, subject |
| openssl req -new -key key.pem -out csr.pem | Generate CSR from existing private key |
| openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 | Self-signed cert with new 4096-bit RSA key |
| openssl verify -CAfile ca.pem cert.pem | Verify cert chain against a CA bundle |
| openssl s_client -connect host:443 -servername host | Test TLS handshake, view cert chain live (-servername sends SNI so virtual-hosted servers return the right cert) |
| openssl pkcs12 -export -inkey key.pem -in cert.pem -out bundle.pfx | Export cert + key to PFX/PKCS12 format |
| openssl dhparam -out dh.pem 2048 | Generate Diffie-Hellman params for TLS |
| certbot renew --dry-run | Test Let's Encrypt auto-renewal (Certbot) |
| certbot certonly --nginx -d example.com | Issue/renew cert for nginx domain |
UFW / iptables Rules
| Command | Action |
| ufw enable | Activate UFW firewall |
| ufw status verbose | Show all rules with details |
| ufw allow 22/tcp | Allow SSH (TCP port 22) |
| ufw allow from 10.0.0.0/8 | Allow all traffic from subnet |
| ufw deny 23 | Block Telnet port |
| ufw delete allow 80/tcp | Remove a specific allow rule |
| iptables -L -n -v | List all iptables rules with packet counts |
| iptables -A INPUT -p tcp --dport 443 -j ACCEPT | Accept HTTPS inbound traffic |
| iptables -A INPUT -j DROP | Drop all other inbound (default deny) - append it last, after an ACCEPT for ESTABLISHED,RELATED, or replies to the host's own outbound connections are dropped too |
| iptables-save > /etc/iptables.rules | Dump current rules to a file; they survive a reboot only if restored at boot (iptables-restore < /etc/iptables.rules, or the iptables-persistent package) |
Git
Core Workflow
| Command | Description |
| git init | Initialize new local repository |
| git remote add origin <url> | Link local repo to remote |
| git status | Show working tree and staging area status |
| git add . | Stage all changes in current directory |
| git commit -m "message" | Commit staged changes with message |
| git log --oneline | Compact one-line commit history |
| git push origin main | Push local commits to remote |
Sync
| Command | Description |
| git fetch | Download remote changes without merging |
| git pull | Fetch and merge remote changes |
| git pull --rebase | Fetch and rebase onto remote (cleaner history) |
Branching
| Command | Description |
| git branch | List local branches |
| git branch -av | List all branches with last commit |
| git switch -c new-branch | Create and switch to new branch |
| git switch main | Switch back to main branch |
| git merge feature-branch | Merge feature branch into current branch |
| git branch -d branch-name | Delete merged branch |
Undo
| Command | Description |
| git restore <file> | Discard working directory changes to file |
| git restore --staged <file> | Unstage a file (keep working copy) |
| git revert <commit> | Create new commit that undoes a past commit |
| git switch --detach <commit> | Inspect repo at a past commit (read-only) |
| git switch main | Return from detached HEAD to main |
Docker
Core Workflow
| Command | Description |
| docker run -d -p 8080:80 --name web nginx | Run detached container, map host:container port |
| docker ps | List running containers |
| docker ps -a | List all containers (running + stopped) |
| docker stop web | Gracefully stop container (SIGTERM) |
| docker rm web | Remove stopped container |
| docker exec -it web /bin/bash | Open interactive shell in running container |
| docker logs -f web | Stream live log output from container |
Volumes & Ports
| Command | Description |
| docker run -p 8080:80 nginx | Map host port 8080 → container port 80 |
| docker run -v /host:/container nginx | Bind-mount host directory into container |
| docker volume ls | List all named volumes |
| docker volume create data | Create a named volume |
| docker volume prune | Remove all unused volumes |
Docker Compose
| Command | Description |
| docker compose up -d | Start all services in docker-compose.yml (detached) |
| docker compose down | Stop and remove containers, networks |
| docker compose ps | List status of compose services |
| docker compose logs -f | Stream logs from all compose services |
Images
| Command | Description |
| docker images | List locally stored images |
| docker pull nginx | Pull image from Docker Hub |
| docker build -t myapp:1 . | Build image from Dockerfile in current dir |
| docker tag myapp:1 myrepo/myapp:latest | Tag image for registry push |
| docker push myrepo/myapp:latest | Push image to registry |
| docker rmi myapp:1 | Delete local image |
| docker image prune | Remove dangling (untagged) images |
Troubleshooting
| Command | Description |
| docker logs -f container | Stream live logs |
| docker exec -it container sh | Shell into running container (sh fallback) |
| docker inspect container | Full JSON metadata: network, mounts, env |
| docker stats | Live CPU/memory/net/disk usage per container |
| docker system df | Show disk usage by images, containers, volumes |
| docker system prune | Remove all stopped containers, unused images/networks |
Kubernetes
Core
| Command | Description |
| kubectl get pods | List pods in current namespace |
| kubectl get nodes | List all nodes and their status |
| kubectl get all | List all common resources in namespace |
| kubectl describe pod <pod> | Detailed info: events, limits, conditions |
| kubectl logs <pod> | Print logs from a pod |
| kubectl logs -f <pod> | Stream live logs from a pod |
| kubectl exec -it <pod> -- /bin/sh | Open interactive shell inside pod |
Deployments
| Command | Description |
| kubectl apply -f app.yaml | Create or update resources from YAML |
| kubectl delete -f app.yaml | Delete resources defined in YAML |
| kubectl get deployments | List deployments in current namespace |
| kubectl rollout status deployment/app | Watch rollout progress |
| kubectl rollout restart deployment/app | Trigger rolling restart (picks up new config/image) |
Scaling
| Command | Description |
| kubectl scale deployment app --replicas=3 | Scale deployment to N replicas |
Debugging
| Command | Description |
| kubectl get events | Recent cluster events (failures, pulls, restarts) |
| kubectl describe pod <pod> | Events + resource limits + container states |
| kubectl top pods | Live CPU/memory usage per pod |
Context
| Command | Description |
| kubectl config get-contexts | List all kubeconfig contexts (clusters) |
| kubectl config use-context <context> | Switch active cluster/context |
DevOps Tool Landscape
| Category | Tools |
| Containers | Docker, Podman, containerd |
| Orchestration | Kubernetes, Docker Swarm, Nomad |
| CI/CD | GitHub Actions, GitLab CI, Jenkins, CircleCI |
| IaC | Terraform, Pulumi, CloudFormation, Bicep |
| Config Mgmt | Ansible, Chef, Puppet, SaltStack |
| Monitoring | Prometheus, Grafana, Datadog, New Relic |
| Logging | ELK Stack, Loki, Splunk, CloudWatch |
| Secrets | HashiCorp Vault, AWS Secrets Manager, SOPS |
DNS Resolution - 8-Step Process
| Step | Who Acts | What Happens |
| 1 | Browser / OS | Check local DNS cache (TTL-based). If hit, done. |
| 2 | OS | Check /etc/hosts (Linux) or C:\Windows\System32\drivers\etc\hosts |
| 3 | OS to Resolver | Query sent to configured recursive resolver (ISP or 8.8.8.8) |
| 4 | Resolver to Root | Resolver queries a root server (.) - 13 root server clusters |
| 5 | Resolver to TLD | Root refers resolver to .com / .org / .io TLD server |
| 6 | Resolver to Auth NS | TLD refers resolver to the authoritative nameserver for the domain |
| 7 | Auth NS responds | Returns A/AAAA record (the actual IP address) |
| 8 | Resolver caches | Stores result per TTL, returns to client. Client caches too. |
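To make the eight steps concrete, here is an added Python simulation (not part of the original cheatsheet) of a stub resolver walking that chain: it checks a TTL-aware local cache, then the hosts file, then follows constructed root → TLD → authoritative referrals and caches the answer for its TTL. The root, TLD and nameserver names are made up for the example; the `www.example.com` address is the one used elsewhere on this page. The clock is injectable so that TTL expiry can be exercised without waiting.

```python
import time

# Constructed stand-ins for the real root, TLD and authoritative servers.
# The nameserver hostnames are assumptions made for this example.
ROOT_REFERRALS = {"com": "a.gtld-servers.example"}          # root -> TLD server
TLD_REFERRALS = {"com": {"example.com": "ns1.example.com"}}  # TLD -> zone's NS
AUTH_ZONES = {
    "ns1.example.com": {
        "example.com":     {"A": ("93.184.216.34", 3600)},   # (address, TTL seconds)
        "www.example.com": {"A": ("93.184.216.34", 300)},
    }
}
HOSTS_FILE = {"localhost": "127.0.0.1"}


class Resolver:
    """Walks the eight steps in the table above and records which step answered."""

    def __init__(self, hosts=None, clock=time.monotonic):
        self.hosts = HOSTS_FILE if hosts is None else hosts
        self.clock = clock              # injectable so TTL expiry can be tested
        self.cache = {}                 # name -> (address, expires_at)
        self.trace = []                 # steps taken by the last resolve()

    def resolve(self, name):
        self.trace = []
        now = self.clock()
        # Step 1: local cache, honouring the TTL stored with the answer
        cached = self.cache.get(name)
        if cached and cached[1] > now:
            self.trace.append("cache hit")
            return cached[0]
        # Step 2: hosts file short-circuits DNS entirely
        if name in self.hosts:
            self.trace.append("hosts file")
            return self.hosts[name]
        # Steps 3-4: the recursive resolver starts at the root for the TLD
        tld = name.rsplit(".", 1)[-1]
        tld_server = ROOT_REFERRALS.get(tld)
        if tld_server is None:
            raise LookupError(f"root has no referral for TLD {tld!r}")
        self.trace.append(f"root -> {tld_server}")
        # Steps 5-6: the TLD server refers to the zone's authoritative nameserver
        zones = TLD_REFERRALS[tld]
        zone = next((z for z in zones if name == z or name.endswith("." + z)), None)
        if zone is None:
            raise LookupError(f"NXDOMAIN: no zone for {name!r} under .{tld}")
        auth_ns = zones[zone]
        self.trace.append(f"{tld_server} -> {auth_ns}")
        # Step 7: the authoritative server answers with the A record
        record = AUTH_ZONES[auth_ns].get(name, {}).get("A")
        if record is None:
            raise LookupError(f"NXDOMAIN: {auth_ns} has no A record for {name!r}")
        address, ttl = record
        self.trace.append(f"{auth_ns} -> {address} (TTL {ttl})")
        # Step 8: cache for TTL seconds, then return to the client
        self.cache[name] = (address, now + ttl)
        return address


if __name__ == "__main__":
    r = Resolver()
    for name in ("www.example.com", "www.example.com", "localhost"):
        print(name, "->", r.resolve(name), "via", " | ".join(r.trace))
```

The second lookup of the same name is served from the cache without touching any server, which is exactly why a changed record is not seen everywhere until the old TTL runs out.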
Cable Types
| Cable | Max Speed | Max Length | Notes |
| Cat5 | 100 Mbps | 100m | Obsolete, avoid for new installs |
| Cat5e | 1 Gbps | 100m | Minimum current standard |
| Cat6 | 10 Gbps | 55m | Common for new installs |
| Cat6A | 10 Gbps | 100m | 10G at full 100m distance |
| Cat7 | 10 Gbps | 100m | Shielded, proprietary connectors |
| Fiber MM | 10+ Gbps | 2km | Multimode, shorter runs, cheaper |
| Fiber SM | 100+ Gbps | 100km | Single-mode, long distance, datacenter |
| T568B | Std | - | Orange-wh, Orange, Green-wh, Blue… (standard) |
| T568A | Std | - | Crossover: swap pairs 2 and 3 from T568B |
WiFi 802.11 Standards
| Standard | Band | Max Speed | Notes |
| 802.11b | 2.4 GHz | 11 Mbps | Legacy, long range, slow |
| 802.11g | 2.4 GHz | 54 Mbps | Backward compat with b |
| 802.11n | 2.4/5 GHz | 600 Mbps | MIMO, dual band - WiFi 4 |
| 802.11ac | 5 GHz | 3.5 Gbps | Wave 2, MU-MIMO - WiFi 5 |
| 802.11ax | 2.4/5/6 GHz | 9.6 Gbps | OFDMA, BSS coloring - WiFi 6/6E |
| 802.11be | 2.4/5/6 GHz | 46 Gbps | Multi-link operation - WiFi 7 |
Cloud Service Models
| Model | You Manage | Examples |
| IaaS | OS, runtime, apps, data | AWS EC2, Azure VMs, GCP Compute |
| PaaS | App and data only | Heroku, Azure App Service, App Engine |
| SaaS | Nothing (just use it) | Office 365, Salesforce, Gmail |
| FaaS | Code only | AWS Lambda, Azure Functions, Cloud Run |
AWS Core Services
| Service | Category | What it Does |
| EC2 | Compute | Virtual machines - pay-as-you-go, reserved, or spot pricing |
| Lambda | Compute | Serverless functions - event-driven, pay-per-execution |
| ECS / EKS | Containers | ECS = managed containers; EKS = managed Kubernetes |
| S3 | Storage | Object storage - 11-nines durability, unlimited scale |
| EBS | Storage | Block storage volumes attached to EC2 instances |
| EFS | Storage | Managed NFS for Linux - shared across multiple EC2s |
| RDS | Database | Managed SQL DB - MySQL, Postgres, SQL Server, Oracle, Aurora |
| DynamoDB | Database | Fully managed NoSQL - key-value and document model |
| VPC | Networking | Isolated virtual network with subnets, route tables, NACLs, SGs |
| Route 53 | Networking | DNS + health checks + routing policies (failover, latency, geo) |
| CloudFront | Networking | CDN with 400+ PoPs, caches S3/EC2 content globally |
| IAM | Security | Users, groups, roles, and policies for access control |
| CloudWatch | Monitoring | Metrics, logs, alarms, dashboards for all AWS services |
| CloudFormation | IaC | Infrastructure as Code using JSON/YAML templates |
Azure Core Services
| Service | Category | What it Does |
| Virtual Machines | Compute | IaaS VMs - VM Scale Sets for autoscaling, Availability Zones for HA |
| App Service | Compute | PaaS web hosting - no OS management, built-in autoscale, deployment slots |
| Azure Functions | Compute | Serverless event-driven code - pay-per-execution |
| ACI / AKS | Containers | ACI = serverless containers; AKS = managed Kubernetes cluster |
| Blob Storage | Storage | Object store - Hot/Cool/Archive tiers, lifecycle management |
| Azure Disk | Storage | Managed disks: Standard HDD, Standard SSD, Premium SSD |
| Azure Files | Storage | Managed SMB/NFS file shares - cloud and hybrid use |
| Azure SQL / Cosmos DB | Database | Managed SQL; Cosmos = multi-model NoSQL (DynamoDB equivalent) |
| VNet | Networking | Isolated virtual network with subnets, NSGs, route tables, peering |
| Azure DNS | Networking | Host DNS zones, manage records, private DNS zones for VNets |
| Azure CDN / Front Door | Networking | CDN delivery + global load balancing with WAF |
| Azure AD (Entra ID) | Identity | Cloud identity: users, groups, MFA, SSO, Conditional Access |
| Azure Monitor | Monitoring | Metrics, Log Analytics workspace, alerts, Application Insights |
| ARM Templates / Bicep | IaC | JSON/Bicep Infrastructure as Code for Azure resources |
AWS vs Azure Service Mapping
| AWS | Azure | Category |
| EC2 | Virtual Machines | Compute |
| Lambda | Azure Functions | Serverless |
| ECS / EKS | ACI / AKS | Containers |
| S3 | Blob Storage | Object Store |
| EBS | Azure Disk | Block Storage |
| EFS | Azure Files | File Share |
| RDS | Azure SQL Database | Managed SQL |
| DynamoDB | Cosmos DB | NoSQL DB |
| VPC | VNet | Networking |
| Security Groups | NSG (Network Security Group) | Firewall |
| Route 53 | Azure DNS | DNS |
| CloudFront | Azure CDN / Front Door | CDN |
| IAM | Azure AD + RBAC | Identity |
| CloudWatch | Azure Monitor | Monitoring |
| CloudFormation | ARM Templates / Bicep | IaC |
| Direct Connect | ExpressRoute | Private WAN |
| AWS VPN Gateway | Azure VPN Gateway | VPN |
| AWS Config | Azure Policy | Compliance |
Azure RBAC Built-in Roles
| Role | Read | Grant | Create/Del | Scope |
| Owner | ✓ | ✓ | ✓ | Full control of all resources |
| Contributor | ✓ | | ✓ | All actions except access grants |
| Reader | ✓ | | | View only, no changes |
| User Access Admin | ✓ | ✓ | | Manage user access only |
| Global Admin (AAD) | - | - | - | All Azure AD resources |
| User Admin (AAD) | - | - | - | Users, groups, passwords |
AWS vs Azure Pricing
| Model | AWS | Azure |
| Pay-as-you-go | On-Demand | Pay-as-you-go |
| Reserved (1-3yr) | Reserved Instances | Reserved Instances |
| Spot / Preemptible | Spot Instances | Spot VMs (up to 90% off) |
| Savings Plans | Compute Savings Plans | Azure Savings Plan |
| Ingress | Free | Free |
| Egress | Charged (per GB) | Charged (per GB out) |
Shared Responsibility Model
| Layer | On-Premises | IaaS | PaaS | SaaS |
| Physical DC / Hardware | YOU | Provider | Provider | Provider |
| Hypervisor / Host OS | YOU | Provider | Provider | Provider |
| Guest OS / Runtime | YOU | YOU | Provider | Provider |
| Middleware / Application | YOU | YOU | YOU (app) | Provider |
| Data / Content | YOU | YOU | YOU | YOU |
| Network Configuration | YOU | Shared | Shared | Provider |
| Identities / Accounts | YOU | YOU | YOU | YOU |
VNet / VPC Key Concepts
| Concept | AWS (VPC) | Azure (VNet) |
| Address Space | CIDR block (e.g. 10.0.0.0/16) | CIDR block, can add multiple prefixes |
| Subnets | Public (IGW route) / Private | Any subnet - NSG controls inbound/outbound |
| Firewall (stateful) | Security Groups (instance level) | Network Security Groups (NSG) |
| Firewall (stateless) | NACLs (subnet level) | NSG has stateful rules, no separate NACL |
| Peering | VPC Peering (same/cross-region) | VNet Peering / Global VNet Peering |
| Private WAN | Direct Connect | ExpressRoute |
| VPN | AWS VPN Gateway | Azure VPN Gateway |
| NAT | NAT Gateway (managed, per-AZ) | NAT Gateway (managed) |
| DNS | Route 53 / VPC DNS (169.254.169.253) | Azure DNS / Private DNS Zones |
| Flow Logs | VPC Flow Logs to S3/CloudWatch | NSG Flow Logs to Storage/Log Analytics |
HA vs Fault Tolerance vs Disaster Recovery
| Concept | Goal | Downtime | AWS Example | Azure Example |
| High Availability | Keep running despite single failures | Minutes (auto-heal) | Multi-AZ RDS, ALB across AZs | Availability Zones, Azure Load Balancer |
| Fault Tolerance | Zero downtime, no errors, continuous | Near zero | S3 (11-nines), DynamoDB, Global Tables | Cosmos DB, Storage LRS/ZRS/GRS |
| Disaster Recovery | Restore after regional catastrophe | Hours (RTO goal) | Pilot light, warm standby, multi-region | Azure Site Recovery, geo-replication |
RPO (Recovery Point Objective) = max acceptable data loss in time.
RTO (Recovery Time Objective) = max acceptable downtime after disaster.
Entra ID Core Concepts
| Concept | What it Is | Key Notes |
| Tenant | Your organisation's dedicated Entra ID instance | Identified by a tenant ID (GUID) and domain (contoso.onmicrosoft.com) |
| User | Person or shared account in the directory | Can be cloud-only or synced from on-prem AD via Entra Connect |
| Service Principal | Identity for an application or automated process | Like a service account, but for apps - has its own permissions |
| App Registration | How you register an app to use Entra ID auth | Creates a service principal in your tenant - defines API permissions |
| Managed Identity | Auto-managed service principal for Azure resources | No credentials to manage - Azure handles rotation. Use this over service accounts for Azure workloads |
| Entra ID Roles vs Azure RBAC | Two separate role systems | Entra roles control directory objects (users, groups, apps). Azure RBAC controls Azure resources (VMs, storage). Global Admin != Owner |
| Conditional Access | Policy engine for access decisions | Evaluates sign-in signals (user, location, device state, app, sign-in risk) against policy conditions, then grants, blocks, or requires MFA |
| PIM (Privileged Identity Management) | Just-in-time privileged access | Roles are assigned but not active - user must "activate" with justification and optional approval |
Microsoft Graph PowerShell
Replaces the deprecated AzureAD and MSOnline modules. Install: Install-Module Microsoft.Graph -Scope CurrentUser
| Command | Description |
| Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All" | Authenticate to Microsoft Graph - specify only the scopes you need |
| Get-MgUser -UserId jsmith@contoso.com -Property * | Full user object including last sign-in, assigned licenses, account status |
| Get-MgUser -Filter "accountEnabled eq false" | All disabled accounts in the tenant |
| Update-MgUser -UserId jsmith@contoso.com -AccountEnabled $false | Disable a user account |
| Get-MgGroup -Filter "displayName eq 'VPN Users'" | Find a group by display name |
| Get-MgGroupMember -GroupId <GroupId> | List all members of a group |
| New-MgGroupMember -GroupId <GroupId> -DirectoryObjectId <UserId> | Add a user to a group |
| Get-MgUserAuthenticationMethod -UserId jsmith@contoso.com | List registered MFA methods for a user |
| Get-MgAuditLogSignIn -Filter "userPrincipalName eq 'jsmith@contoso.com'" -Top 20 | Recent sign-in activity for a user including location, device, and result |
| Get-MgSubscribedSku | All M365 license SKUs in the tenant with consumed vs available counts |
Entra Connect (AD Sync)
Run on the Entra Connect server. Requires the ADSync module (installed automatically with Entra Connect).
| Command | Description |
| Start-ADSyncSyncCycle -PolicyType Delta | Sync only changes since the last cycle - fast, use this for most manual syncs |
| Start-ADSyncSyncCycle -PolicyType Initial | Full sync of all objects - slower, use after major AD changes or connector reconfiguration |
| Get-ADSyncScheduler | Show sync schedule, next run time, and whether sync is enabled |
| Set-ADSyncScheduler -SyncCycleEnabled $false | Pause automatic sync cycles - useful during maintenance or bulk AD changes |
| Get-ADSyncConnectorRunStatus | Check if a sync cycle is currently running before triggering a manual one |
| Export-ADSyncToolsHybridAadJoinReport | Report on Hybrid Azure AD Join status for domain-joined devices |
Exchange Online Essentials
Install: Install-Module ExchangeOnlineManagement then Connect-ExchangeOnline
| Command | Description |
| Get-Mailbox -Identity jsmith | Mailbox details - type, quota, forwarding, aliases |
| Get-Mailbox -RecipientTypeDetails SharedMailbox | List all shared mailboxes in the org |
| Add-MailboxPermission -Identity shared@ -User jsmith -AccessRights FullAccess | Grant full access to a shared mailbox |
| Get-MessageTrace -SenderAddress user@contoso.com -StartDate (Get-Date).AddDays(-2) | Trace sent mail - check delivery status, routing, spam filtering decisions |
| Set-Mailbox -Identity jsmith -ForwardingSmtpAddress "" -DeliverToMailboxAndForward $false | Remove email forwarding - check all mailboxes for unauthorised forwarding |
| Get-Mailbox -ResultSize Unlimited \| Where {$_.ForwardingSmtpAddress -or $_.ForwardingAddress} | Audit all mailboxes with forwarding configured - covers both external SMTP forwarding and forwarding to an internal recipient - security check |
Intune / Endpoint Manager
| Concept | Description |
| Enrollment | How devices join Intune - Autopilot (new devices), MDM enrollment (existing), or BYOD via Company Portal |
| Compliance Policy | Rules a device must meet (encrypted, PIN, OS version) - non-compliant devices can be blocked by Conditional Access |
| Configuration Profile | Push settings to devices - WiFi, VPN, certificates, restrictions, BitLocker enforcement |
| App Protection Policy | MAM - protect org data in apps without full device enrolment (BYOD scenario) |
| Autopilot | Zero-touch Windows provisioning - device ships to user, they sign in, Intune does the rest |
| Device Actions | Remote wipe, sync, restart, BitLocker key rotation - available per device in Intune portal |
| Scope Tags | RBAC for Intune - limit what admins can see and manage to their region or team |
Communities & Learning
| Resource | URL / Location | What it Covers |
| r/sysadmin · r/linux · r/linuxadmin · r/netsec | reddit.com | Community Q&A, incident threads, war stories, tooling discussions |
| Brutalist Report | brutalist.report | Daily tech & security headlines, aggregated and unformatted |
| Microsoft Learn | learn.microsoft.com | Free official docs, learning paths, and certifications for Azure, Windows, and M365 |
| O'Reilly Topics | oreilly.com/topics | Broad technical learning - books, videos, courses |
| Ask Ubuntu | askubuntu.com | Ubuntu-focused Q&A, highly indexed by search engines |
| DigitalOcean Tutorials | digitalocean.com | Clear, practical guides for Linux, OSS, and infra topics |
| ServerFault | serverfault.com | Stack Exchange for professional sysadmins and network engineers |
Core Tools
| Tool | URL / Source | What it Does |
| MX Toolbox | mxtoolbox.com | DNS, mail, SPF / DMARC / DKIM checks in one place |
| Sysinternals Suite | learn.microsoft.com | Windows diagnostics & troubleshooting (Process Monitor, Autoruns, TCPView…) |
| PuTTY | chiark.greenend.org.uk | SSH, Telnet, serial - still essential for Cisco and console work |
| WinSCP | winscp.net | Fast file transfer over FTP / SFTP / SSH with GUI |
| Angry IP Scanner | angryip.org | Quick network sweeps - host discovery and port scan |
| WinDbg | learn.microsoft.com | Windows kernel and crash dump debugging |
| Wireshark | wireshark.org | Packet capture and deep protocol analysis |
| Rufus | rufus.ie | Write bootable USB images (ISO to USB) on Windows |
| Nmap | nmap.org | Network scanning, host discovery, OS fingerprinting, port enumeration |
| OpenSSL | openssl.org | TLS, certificate generation, cert inspection, and crypto utilities |
| Git | git-scm.com | Version control for scripts, configs, and infrastructure-as-code |
| M365 Maps | m365maps.com | Visual map of M365 service dependencies and license feature inclusions |
| cmd.ms | cmd.ms | Shortcut directory for Microsoft admin portals - cmd.ms/intune, cmd.ms/aad, etc. |
| Crontab Guru | crontab.guru | Cron expression editor and validator - instant visual feedback |
| cheat.sh | cheat.sh | Instant CLI cheatsheets from the terminal: curl cheat.sh/tar |
| End-of-Life Info | endoflife.date | Support and EoL timelines for OS, runtimes, databases, and tools |
Diagnostics & Security
| Tool | URL | What it Does |
| WhatIsMyIPAddress | whatismyipaddress.com | IP lookup with strong GeoIP resolution - useful for egress verification |
| Cloudflare Speed Test | speed.cloudflare.com | Clean download / upload / latency test - no ads, no Flash |
| VirusTotal | virustotal.com | Malware and URL scanning across 60+ antivirus engines simultaneously |
| ANY.RUN | app.any.run | Interactive sandbox for malware and phishing analysis - watch execution live |