
When it comes to running a Linux server, security should be one of your top priorities. Whether it's hosting a website, running applications, or storing sensitive data, a misconfigured or vulnerable server can open the door to devastating cyberattacks. Performing regular security audits is a proactive step toward minimizing risk and maintaining system integrity.
In this guide, we’ll walk you through how to perform a full security audit on your Linux server—from pre-audit preparation to using advanced tools for vulnerability scanning.
Before jumping into the steps, here are a few reasons why security audits are essential:
Before diving into the technical bits, complete the following checklist:
Outdated packages are low-hanging fruit for attackers. Use these commands:
sudo apt update && sudo apt upgrade # Debian/Ubuntu
sudo yum update # CentOS/RHEL
sudo dnf update # Fedora
Also, look for kernel updates:
uname -r # Check current version
sudo apt install --only-upgrade linux-image-generic # Upgrade the kernel meta-package (Ubuntu)
Run the following to check for inactive or suspicious accounts:
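cut -d: -f1 /etc/passwd # List all account names
sudo lastlog # Last login time for each account
sudo passwd -S username # Password status (locked, expiry) for one account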
Lock or remove unnecessary accounts:
sudo usermod -L username # Lock
sudo userdel -r username # Delete
Also, verify sudo privileges:
sudo cat /etc/sudoers
Use netstat or ss to check open ports:
sudo netstat -tuln
sudo ss -tuln
Or, install nmap and scan from another machine:
sudo nmap -sS <server_ip> # SYN scan requires root privileges
Disable unused services:
sudo systemctl disable --now service_name # --now also stops the running service
Install chkrootkit and rkhunter:
sudo apt install chkrootkit rkhunter
sudo chkrootkit
sudo rkhunter --update && sudo rkhunter --check
Scan for malware:
sudo apt install clamav
sudo freshclam
sudo clamscan -r /
Verify file and directory permissions:
find / -perm -4000 -type f 2>/dev/null # SUID files
ls -l /etc/shadow # Should be -rw-------
Check for world-writable files:
find / -type f -perm -o+w 2>/dev/null
Use AIDE (Advanced Intrusion Detection Environment) to monitor file changes:
sudo apt install aide
sudo aideinit
Ensure logging is enabled:
sudo systemctl status rsyslog
sudo systemctl status auditd
Check logs:
sudo less /var/log/auth.log
sudo less /var/log/syslog
sudo aureport -au
Look for repeated failed login attempts, privilege escalations, or strange behavior.
Here are essential tools for comprehensive auditing:
Lynis: An all-in-one auditing tool for Unix-based systems.
sudo apt install lynis
sudo lynis audit system
Provides a full security audit and hardening suggestions.
OpenVAS (Greenbone): A powerful open-source vulnerability scanner.
# Install from PPA or package manager (complex setup)
# Use via Greenbone Docker or Kali Linux
Scans for CVEs, misconfigurations, and more.
Tiger: Security audit and intrusion detection tool.
sudo apt install tiger
sudo tiger
Edit /etc/ssh/sshd_config to harden SSH:
PermitRootLogin no
PasswordAuthentication no
AllowUsers youruser
# Change default port
Port 2222
Restart SSH:
sudo systemctl restart sshd
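To confirm the settings took effect, check sshd's effective configuration rather than the file alone, since an earlier or included directive can override your edit. The script below is an added example, not part of the original guide; it reads `sshd -T` output, and the function name `check_sshd` and the sample configurations are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original guide): check sshd's effective
# configuration against the four settings recommended above.
# Live use (needs root to read host keys): sudo sshd -T | check_sshd 2222

check_sshd() {
    # $1 = port sshd is expected to listen on (2222 in the guide)
    awk -v want_port="${1:-2222}" '
        { key = tolower($1); val = tolower($2) }
        key == "permitrootlogin"        { root = val }
        key == "passwordauthentication" { pw = val }
        key == "port"                   { ports[val] = 1 }   # may repeat
        key == "allowusers"             { allow = 1 }
        END {
            if (root != "no") { print "FAIL permitrootlogin=" root; bad++ }
            if (pw != "no")   { print "FAIL passwordauthentication=" pw; bad++ }
            if (!(want_port in ports)) { print "FAIL not listening on " want_port; bad++ }
            if (("22" in ports) && want_port != "22") { print "FAIL still listening on 22"; bad++ }
            if (!allow) { print "FAIL allowusers not set"; bad++ }
            if (!bad) print "OK"
            exit (bad > 0)
        }'
}

# Constructed samples shaped like `sshd -T` output (lowercase "keyword value").
weak_cfg='port 22
permitrootlogin prohibit-password
passwordauthentication yes'

hard_cfg='port 2222
permitrootlogin no
passwordauthentication no
allowusers youruser'

printf '%s\n' "$weak_cfg" | check_sshd 2222 || true   # prints five FAIL lines
printf '%s\n' "$hard_cfg" | check_sshd 2222           # prints OK
```

The function exits non-zero when any check fails, so it can gate a deployment script or a scheduled job.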
Use a firewall (like ufw or iptables) to restrict access:
sudo ufw allow 2222/tcp
sudo ufw enable
Ensure SELinux or AppArmor is in enforcing mode:
# For SELinux
getenforce
# For AppArmor
sudo aa-status
Use cron to schedule periodic scans:
sudo crontab -e
# Weekly Lynis scan
0 3 * * 0 /usr/bin/lynis audit system --cronjob > /var/log/lynis-weekly.log 2>&1
Consider integrating with security monitoring dashboards or SIEM tools.
Performing a full security audit on your Linux server is not a one-time task. It’s a continual process of:
With the right tools and vigilance, you can significantly reduce your attack surface and ensure your Linux environment remains secure.