Panduan Lengkap Instalasi Kali Linux: Dari Persiapan Hingga Konfigurasi Awal

I still remember the panic. It was 2016, roughly 3:15 AM on a Tuesday, and my phone was vibrating off the nightstand. Our primary database server—a beast running CentOS 7 with 128GB of RAM—had just decided to stop serving requests. The monitoring dashboard was a sea of red, but here’s the kicker: the server was up. I could SSH in. The CPU usage was sitting at a polite 5%. Memory was fine. But the application was dead in the water.

I spent twenty minutes staring at top and tail -f /var/log/messages, seeing absolutely nothing wrong. It was humiliating. I eventually rebooted the thing—the cardinal sin of systems administration—just to get us back online. It wasn't until three days later, after digging through sar logs, that I realized we were hitting a disk I/O saturation limit caused by a rogue backup script that triggered exactly at 3:10 AM.

That incident changed how I approach Linux systems. Most tutorials teach you the basics: check if the service is running, check the logs, maybe run htop. But in a real production environment, the problems are rarely that polite. They hide in the kernel queues, in the file descriptors, and in the network buffers. So, I want to walk you through the actual toolkit I use when things go sideways, beyond just checking if the lights are on.

The "USE" Method: Stop Guessing

Before we type a single command, we need a methodology. When I was starting out, I used the "shotgun approach"—randomly running commands hoping to see an error. That’s a waste of time. A few years back, I adopted Brendan Gregg’s USE Method, and honestly, it saved my sanity. It stands for Utilization, Saturation, and Errors.

For every resource (CPU, Memory, Disk, Network), you check these three metrics. Utilization is how busy the resource is. Saturation is the queue of work waiting to be processed. Errors are self-explanatory.

The biggest mistake I see? People look at Utilization (CPU is 90%) and panic. But if Saturation is zero, the system is actually doing fine—it's just working hard. Conversely, you can have 10% CPU usage but a massive Saturation queue (processes blocked on I/O), and the server will feel completely frozen. That 2016 crash I mentioned? That was low Utilization, high Saturation.

Load Averages: You're Probably Reading Them Wrong

Let's talk about the numbers that greet you when you log in. You type uptime and see something like load average: 4.50, 6.00, 12.00. Most folks think, "Oh, the CPU is overloaded."

Well, actually, on Linux, load average includes processes waiting for CPU and processes waiting for Disk I/O (uninterruptible sleep state, usually marked as 'D' in top). This is a distinct behavior from other Unix systems like Solaris.

I once spent an hour debugging a "CPU issue" on a web server because the load was 50 on a 4-core machine. It turned out the CPU was 98% idle. The issue was an NFS mount that had hung; 50 processes were stuck waiting for the network filesystem to respond. They count toward the load average.

The Fix: Don't trust load average blindly. run vmstat 1. Look at the b column (blocked processes) and the wa column (CPU time waiting for I/O). If wa is high and id (idle) is also high, you have a disk problem, not a CPU problem.

Strace: The Ultimate Truth Teller

If logs are silent, strace is the only way to know what a process is actually doing. It intercepts system calls between the process and the Linux kernel. It’s like an X-ray machine for software.

I recall debugging a PHP worker that would randomly hang for 30 seconds. No errors in the Nginx error log, nothing in the PHP-FPM slow log. I attached strace to the process ID:

strace -p 12345 -f -T -tt

Here’s what those flags do (and why you need them):

• -p: The PID to attach to.
• -f: Follow forks. Critical for web servers that spawn child processes.
• -T: Show the time spent in each system call.
• -tt: Print timestamps.

The output showed the process hanging on a connect() system call to an external API that had changed its IP address. The DNS resolver was timing out. Without strace, I would have been guessing at code issues for days.

A warning though: strace adds significant overhead. I once attached it to a high-traffic MySQL process in production (rookie mistake), and the latency jumped from 2ms to 150ms instantly. The application timed out, and I had to explain to the CTO why I caused a mini-outage while trying to fix a bug. Use it sparingly on high-load systems.

The Case of the Missing Disk Space

This one drives me crazy every time it happens, even though I know the cause. You get an alert: Disk Usage 99%. You rush in, run du -sh /* to find the culprit, but the numbers don't add up. The files on the disk only account for 40% usage. Where is the other 60%?

Here is the thing: In Linux, if you delete a file (like a massive 50GB log file) while a process is still writing to it, the directory entry is removed, but the inode remains allocated until the process releases it. The space is not freed.

I see this constantly with Java applications or older Apache setups where log rotation wasn't configured with a copytruncate or a post-rotate restart.

The Tool: lsof (List Open Files). specifically:

lsof +L1

This command lists open files with a link count of less than 1 (meaning they are deleted). You’ll see the process holding it (say, PID 4050). You don't even need to restart the service to fix it often; you can truncate the file descriptor directly via the /proc filesystem if you're feeling brave, but usually, reloading the service (systemctl reload nginx) is safer.

Networking: Retire netstat, use ss

If you are still typing netstat -tulpen, it’s time to upgrade. netstat has been deprecated for years. It’s slow because it reads from /proc files, which can be heavy when you have thousands of connections.

The replacement is ss (socket statistics). It talks directly to the kernel via netlink. It’s instant.

My go-to command for checking listening ports and associated processes is:

ss -tulpn

But here is a more advanced scenario. Last month, we had a weird issue where connections to our Redis server were dropping. I used tcpdump, but reading raw packets is like reading the Matrix. The trick is filtering.

tcpdump -i eth0 port 6379 -w redis_dump.pcap

I saved it to a file and opened it in Wireshark on my laptop. It turned out to be a TCP Window Full issue, indicating the client couldn't process data fast enough. You can't see that in logs; you only see it on the wire.

FAQ: Questions I Get Asked Constantly

Why is my Linux server using 99% of RAM?

Honestly, if I had a dollar for every time a client asked this, I'd retire. Linux is designed to use unused RAM for disk caching. This is a good thing. If your server has 64GB of RAM and your apps only use 4GB, Linux will use the remaining 60GB to cache files to make I/O faster. This is reported as "buff/cache" in free -h. It is technically "used" but instantly reclaimable if applications need it. If you see high usage under "available," you are fine. Panic only if "available" is near zero and swap usage is climbing.

What exactly is a Zombie process?

A zombie (marked as Z in top) is a process that has completed execution but still has an entry in the process table. This happens because the parent process hasn't read the child's exit status yet (via the wait() system call). You cannot kill a zombie with kill -9 because it's already dead. The only way to remove it is to kill the parent process (which forces the zombie to be adopted by init/systemd, which cleans it up) or fix the code in the parent process.

How do I check why my server rebooted unexpectedly?

First, check last reboot to confirm the time. Then, check /var/log/messages or journalctl --list-boots. If the logs just stop abruptly with no error messages, it was likely a hardware power loss or a kernel panic that couldn't write to disk. However, if you see "Out of memory: Kill process," that's the OOM Killer. Use dmesg -T | grep -i kill to confirm if the kernel assassinated your database to save the rest of the system.

Why does top show >100% CPU usage?

This confuses people coming from Windows. In Linux, 100% represents one single CPU core. If you have a 32-core server, the maximum CPU usage is 3200%. If you see a Java process using 400% CPU, it just means it is heavily multithreaded and utilizing 4 full cores. Hit 1 while in top to see the breakdown per core.

A Final Thought

Troubleshooting advanced Linux systems is less about memorizing every flag for tar and more about understanding the architecture. It's about visualizing the flow of data from the disk, to the memory, through the CPU, and out the network card.

Don't be afraid to break things in a dev environment. Install a stress-test tool like stress-ng and see what a 100 load average actually feels like. Fill up a disk partition and see how services react. The more you see these failure states in a controlled environment, the less your hands will shake when you see them in production at 3 AM. Just remember to check the logs first—sometimes the error message is actually telling you exactly what's wrong, and we're just too busy looking for a complex solution to notice.

Related Posts