Every command a developer actually reaches for on a Debian box — package management, systemd, networking, permissions, monitoring, and the advanced tools that separate "it works" from "I know exactly why it works."
$ sudo apt update && sudo apt upgrade -y Reading package lists... Done Building dependency tree... Done $ systemctl status ssh ● ssh.service - OpenBSD Secure Shell server Active: active (running) $ journalctl -p err -S "1 hour ago" # nothing on fire. good.
Debian is the base layer under a huge share of the servers, containers, and CI runners developers touch every day — Ubuntu, Raspberry Pi OS, and countless Docker base images all trace back to it. This guide skips the "what is Linux" preamble and goes straight to the commands you'll actually type, grouped the way you'll actually need them, with the advanced flags most tutorials leave out.
1. Package Management: apt & dpkg
apt is the friendly, day-to-day frontend; dpkg is the low-level tool underneath it. Knowing both means you're never stuck when one of them can't do what you need.
Everyday apt
$ sudo apt update # refresh package index
$ sudo apt upgrade # upgrade installed packages
$ sudo apt full-upgrade # upgrade + resolve/remove conflicting pkgs
$ sudo apt install nginx # install a package
$ sudo apt remove nginx # remove, keep config files
$ sudo apt purge nginx # remove + config files
$ sudo apt autoremove # drop orphaned dependencies
$ apt search "web server" # search package descriptions
$ apt show nginx # version, deps, description
$ apt list --installed # everything currently installed
$ apt list --upgradable # what's pending an upgrade
Advanced apt
$ sudo apt-mark hold nginx # freeze a package's version
$ sudo apt-mark unhold nginx # release the hold
$ apt-cache policy nginx # show install candidates + priorities
$ apt-cache depends nginx # dependency tree
$ apt-cache rdepends nginx # what depends ON nginx
$ sudo apt-get build-dep nginx # pull build dependencies for a source pkg
$ apt-get source nginx # download source package to cwd
$ sudo apt install nginx=1.24.0-2 # pin an exact version at install time
Package: nginx, Pin: version 1.24.*, Pin-Priority: 1001.
dpkg — the layer underneath apt
$ dpkg -l | grep nginx # list installed packages matching a name
$ dpkg -L nginx # every file a package installed
$ dpkg -S /usr/sbin/nginx # which package owns this file
$ sudo dpkg -i package.deb # install a local .deb file
$ sudo dpkg --configure -a # finish interrupted installs
$ sudo dpkg-reconfigure tzdata # re-run a package's config prompts
$ dpkg-deb -c package.deb # inspect a .deb's file listing without installing
~/cheatsheet/services
2. Services & systemd
Since Debian 8, systemd has managed services, logging, and boot order. These are the commands worth memorizing.
$ systemctl status nginx # is it running, since when, recent logs
$ sudo systemctl start|stop|restart nginx
$ sudo systemctl reload nginx # re-read config without dropping connections
$ sudo systemctl enable --now nginx # start on boot AND start it right now
$ sudo systemctl disable nginx # don't start on boot
$ systemctl list-units --type=service --state=running
$ systemctl list-unit-files --state=enabled
$ systemctl is-active nginx # scriptable: prints active/inactive
$ systemctl is-enabled nginx
$ systemctl cat nginx # print the actual unit file
$ systemctl edit nginx # create a drop-in override safely
$ systemd-analyze blame # what's slowing down boot
$ systemd-analyze critical-chain # boot dependency chain
systemctl edit over hand-editing files in /lib/systemd/system/. Package updates overwrite that directory; drop-in overrides in /etc/systemd/system/<unit>.d/ survive upgrades.
~/cheatsheet/users-and-permissions
3. Users, Groups & Permissions
$ sudo adduser deploy # interactive, friendlier than useradd
$ sudo usermod -aG docker deploy # add to a group WITHOUT removing existing ones
$ groups deploy # list a user's groups
$ sudo deluser deploy # remove a user
$ sudo passwd -l deploy # lock an account (no password login)
$ id deploy # uid, gid, group membership
Permissions beyond chmod 755
$ chmod u+x deploy.sh # symbolic > numeric when readability matters
$ chmod g+s /srv/shared # setgid: new files inherit the dir's group
$ chown deploy:www-data app/ -R # change owner + group, recursively
$ getfacl /srv/shared # view ACLs (finer than owner/group/other)
$ setfacl -m u:alice:rwx /srv/shared # grant one user rwx without touching group perms
$ sudo visudo # the ONLY safe way to edit /etc/sudoers
visudo validates syntax before saving — a broken sudoers file can lock every user out of sudo on that box.
~/cheatsheet/networking
4. Networking
ifconfig and netstat are deprecated on modern Debian. ip and ss replaced them — worth relearning if you're still on muscle memory from a decade ago.
$ ip a # show all interfaces + addresses
$ ip r # routing table
$ ip link set eth0 up|down # bring an interface up/down
$ ss -tulpn # listening ports + owning process (replaces netstat -tulpn)
$ ss -s # socket usage summary
$ nmcli device status # NetworkManager overview
$ nmcli con up "MyWifi" # bring up a saved connection
$ dig example.com +short # quick DNS lookup
$ host example.com
$ traceroute example.com # hop-by-hop path
$ curl -Iv https://example.com # headers + TLS handshake, verbose
Firewalls
$ sudo ufw allow 22/tcp # ufw: simple, most Debian servers ship it
$ sudo ufw allow from 10.0.0.0/24 to any port 5432
$ sudo ufw status verbose
$ sudo nft list ruleset # nftables: what actually replaced iptables
$ sudo iptables -L -n -v # still around, still worth reading
~/cheatsheet/processes-and-performance
5. Processes & Performance
$ ps aux --sort=-%mem | head # top memory consumers
$ top # live view (press 1 for per-core)
$ htop # nicer top, install with apt
$ kill -15 1234 # SIGTERM: ask nicely
$ kill -9 1234 # SIGKILL: last resort, no cleanup
$ pkill -f "node server.js" # kill by matching command line
$ nice -n 10 ./batch-job.sh # start with lower CPU priority
$ renice -n -5 -p 1234 # raise priority of a running process
$ vmstat 2 5 # CPU/mem/swap snapshots, 5 times, 2s apart
$ iostat -xz 2 # per-disk I/O, needs sysstat package
$ sar -u 1 5 # historical CPU stats, also from sysstat
~/cheatsheet/disks-and-filesystems
6. Disks & Filesystems
$ df -h # disk space per mounted filesystem
$ du -sh * | sort -h # size of each item in cwd, human sorted
$ lsblk -f # block devices + filesystem types + mountpoints
$ sudo fdisk -l # partition tables on all disks
$ sudo parted /dev/sdb print # same idea, GPT-friendly
$ sudo mount /dev/sdb1 /mnt/data
$ sudo mkfs.ext4 /dev/sdb1 # format a partition (destructive!)
$ findmnt # tree view of everything currently mounted
$ rsync -avh --progress src/ dest/ # copy with checksums, resumable
$ tar -czvf backup.tar.gz /etc # compress
$ tar -xzvf backup.tar.gz -C /restore # extract
~/cheatsheet/logs-and-troubleshooting
7. Logs & Troubleshooting
$ journalctl -u nginx -f # follow one service's logs live
$ journalctl -p err -S "1 hour ago" # errors-and-above from the last hour
$ journalctl -k # kernel ring buffer messages, via systemd
$ journalctl --disk-usage # how much space logs are using
$ sudo journalctl --vacuum-time=7d # trim logs older than 7 days
$ dmesg -T | tail -50 # kernel messages, human timestamps
$ tail -f /var/log/syslog # classic, still useful outside journald
$ logrotate -d /etc/logrotate.conf # dry-run what logrotate would do
~/cheatsheet/scripting-and-automation
8. Scripting & Automation
$ crontab -e # edit your user's cron jobs
$ crontab -l # list them
$ 0 3 * * * /opt/scripts/backup.sh # run daily at 03:00
$ sudo systemctl list-timers # systemd timers, the modern cron alternative
$ export API_KEY="..." # session-only env var
$ echo 'export PATH="$HOME/.local/bin:$PATH"' >> ~/.bashrc
$ alias gs='git status' # add to ~/.bashrc to persist
$ xargs -I{} echo "processing {}" < list.txt
$ watch -n 2 'systemctl status nginx' # re-run a command every 2s
~/cheatsheet/advanced-and-expert
9. Advanced & Expert Commands
The tools below solve the "why is this actually happening" problems — dependency conflicts, syscall-level debugging, and building isolated environments.
$ strace -f -e trace=network ./app # trace syscalls a process makes, filtered
$ ltrace ./app # same idea, for library calls
$ lsof -i :8080 # which process is holding this port
$ lsof -p 1234 # every file/socket a PID has open
$ sudo tcpdump -i eth0 port 443 -w cap.pcap
$ sudo debootstrap bookworm /mnt/rootfs http://deb.debian.org/debian
# build a minimal Debian root filesystem from scratch
$ sudo chroot /mnt/rootfs /bin/bash # enter that filesystem as if it booted
$ sudo update-alternatives --config editor
# switch the system default for a command group
$ systemd-cgtop # live cgroup resource usage, per service/slice
$ sudo apt-get check # verify dependency consistency across the system
$ ldd /usr/bin/nginx # shared libraries a binary is linked against
$ sudo needrestart # find services that need a restart after a library update
debootstrap is how Docker's own debian base images and most Debian derivatives get built — it's worth trying once even outside a container, just to see what a truly minimal Debian install looks like.
~/cheatsheet/security-hardening
10. Security Hardening Basics
$ sudo apt install unattended-upgrades
$ sudo dpkg-reconfigure --priority=low unattended-upgrades
# auto-apply security patches
$ sudo apt install fail2ban
$ sudo fail2ban-client status sshd # see banned IPs for a jail
$ sudo ssh-keygen -t ed25519 -C "deploy@server"
$ sudo passwd -l root # disable direct root login entirely
$ apt-key list # deprecated — prefer signed-by in sources.list.d
apt-key for new setups. Modern Debian expects repo keys in /etc/apt/keyrings/ referenced via a signed-by= option in the corresponding .sources file — the global keyring it used is deprecated.
~/cheatsheet/quick-reference
11. Quick Reference Table
| Task | Command |
|---|---|
| Update & upgrade system | sudo apt update && sudo apt full-upgrade |
| Find which package owns a file | dpkg -S /path/to/file |
| Restart a service | sudo systemctl restart svc |
| Follow a service's logs | journalctl -u svc -f |
| Show listening ports | ss -tulpn |
| Find what's using a port | lsof -i :PORT |
| Check disk usage | df -h / du -sh * |
| Trace a process's syscalls | strace -f -p PID |
| Safely edit sudoers | sudo visudo |
| Build a minimal rootfs | sudo debootstrap bookworm /mnt/rootfs |
~/cheatsheet/final-notes
12. Final Notes
None of this replaces reading the man page for a command you'll use often — man systemctl is worth ten blog posts. But bookmarking this page should cover the 90% of Debian work that's the same across a personal server, a CI runner, and a production box: install something, keep it running, know when it isn't, and dig in when it stops behaving.
If there's one habit worth building from this list, it's reaching for ss, ip, and journalctl by default instead of their deprecated ancestors — they're what every modern Debian release actually expects you to use.
