Verifying Linux Server Security: What Every Admin Needs to Know
Linux is a widespread OS known for its robust data and network security. That being said, cybersecurity vulnerabilities are inevitable in any OS. Therefore, Linux system administrators must be vigilant about monitoring and verifying the safety of their servers on an ongoing basis in order to protect sensitive data and prevent attacks on network security. After all, the majority of exploits in cybersecurity on Linux systems resulted from poor administration.
The only way to be sure your server is as well protected as needed is to test it and verify it is working as you expect. This article will introduce LinuxSecurity’s top methods and tools for checking that your Linux server security is safe. We will cover port scanning, intrusion detection, penetration testing, reverse engineering, and auditing, and we will guide you in the direction of other valuable resources to help you get started on your journey to stronger security.
What Are the Top Methods for Verifying Linux Server Security?
Port scanning, or the process of evaluating ports on a server to identify cybersecurity vulnerabilities, is one method that administrators should employ when looking to evaluate the overall security of a Linux server. Port scanning Linux servers reveals what ports are open to receiving information and what security devices exist between the sender and the target. This information can be used to identify potential network security issues that could be exploited by attackers. Linux users have an array of excellent port scanners to choose from. In this section, we’ll introduce our three favorite open-source port scanners and direct you to some helpful tutorials demonstrating how to perform a port scan on your Linux servers.
Let’s take a look at three great port scanners available to Linux users:
Nmap, which stands for “Network Mapper,” is by far the most popular and versatile port scanner available, for good reason. The free and open-source port scanner offers an array of options for performing quick, effective scans on both local and remote networks. Nmap can be used for active port scanning to discover open ports on specific networks/hosts, as well as for host discovery to identify potential hosts that are responding to network requests. Linux Nmap’s capabilities extend beyond port scanning, as it can also be used for penetration testing, fingerprinting operating systems, vulnerability scanning, OS detection, and application version detection. Nmap has both CLI and GUI interfaces (the GUI is called Zenmap) and can also be run from the classic command line terminal. You can learn how to install Nmap on Linux here. Learn how to perform a ping scan, a host scan, and an OS and services scan with Nmap.
Unicornscan is the second most popular open-source port scanner after Nmap. It features renowned asynchronous TCP and UDP scanning capabilities as well as non-common network discovery patterns that provide alternative ways to find out important details about remote operating systems and services. Unicornscan can be used for both active and passive remote OS, application, and component identification. The fast, comprehensive port scanner offers custom module support, customized data-set views, and PCAP file logging and filtering. You can download Unicornscan here.
Angry IP Scanner
Thanks to its multi-thread approach that separates each scan, Angry IP Scanner is known for its impressive scanning speed. The free multi-platform scanner searches for open ports on any remote network and then exports scanned results into either TXT, XML, or CSV files. Angry IP Scanner has other notable features, including its web server and NetBIOS information detection capabilities and its easy, seamless plugin integration with Java. Angry IP Scanner Linux can be downloaded here.
Intrusion detection, or monitoring a network or system for malicious activity or policy violations, is a critical part of maintaining a secure Linux server. The information gathered through intrusion detection provides administrators with valuable insight into the attacks in network security that could potentially threaten their servers. This is valuable information to be aware of when setting up preventative defenses. In this section, we’ll examine a few great open-source Linux Intrusion Detection System (IDS) tools and honeypots that can help server administrators proactively identify and respond to network security threats to their systems, thus preventing data theft and system compromise. We’ll then explore the importance of monitoring logs.
Snort is the leader in free and open-source Network Intrusion Detection Systems (NIDS). The popular network security toolkit has various modes that can be used to analyze real-time traffic. The intrusion detection mode is based on a set of rules that the user can either create or download from the Snort community. Linux Snort can also be used for port scanning, OS fingerprinting, and detecting attacks in network security using signature-based and anomaly-based techniques. Snort is easy to install and supported by a large, vibrant community, which makes this cloud security scanner and detection service all the more reassuring. Snort can be downloaded here. Learn how to install and use Snort for intrusion detection in this LinuxHint tutorial.
In the realm of Host-based Intrusion Detection Systems (HIDS), OSSEC dominates. This full-featured open-source IDS tool is highly effective and extensible. OSSEC’s client/server-based management and logging architecture secures sensitive information against exploits in cybersecurity like tampering and theft by delivering alerts and logs to a centralized server. This server can analyze and notify regarding network security threats even if the host system is compromised or offline. A convenient benefit of this client/server design is one’s ability to centrally manage agents from a single server. OSSEC is very lightweight and is backed by a strong, supportive community. OSSEC can be downloaded here. Learn how to install and use OSSEC for intrusion detection in this LinuxHint tutorial.
Suricata is a modern NIDS that employs signature-based, anomaly-based, and policy-driven intrusion detection methods. It features multi-threading capabilities, GPU acceleration, and multiple-model statistical anomaly detection. Suricata can examine HTTP requests, TLS/SSL certificates, and DNS transactions. Suricata is compatible with Snort's data structure, enabling users to implement Snort policies in Suricata. Suricata can be downloaded here.
Cowrie is a medium interaction SSH and telnet honeypot that logs brute force attacks in network security and shell interaction. The open-source honeypot emulates a Unix system in Python and functions as a proxy to log malicious activity. Cowrie features JSON logging for easy processing in log management solutions.
Monitoring logs is an essential part of verifying the data and network security of a server. It must be done on a regular basis to ensure that your systems remain secure. Critical Linux log monitoring categories include application, event, service, and system logs. Many Linux distributions offer network security toolkits for automating this ongoing task.
The Logwatch Linux application, for instance, sends a daily email report of all of the logs on a server, providing administrators with valuable information, including potential malicious activity, SSH attempts, IPs causing errors, and the number of sent emails in the server. In a large corporate environment, it is a common practice to send Logwatch emails (along with other mail directed to the root user) to a single company email list. Administrators in the company then subscribe to this email list to stay informed of any notifications regarding suspicious activity detected in any of the company’s server logs. Logwatch can be downloaded here.
Fail2ban is another excellent application for monitoring logs and detecting intrusion attempts. This intrusion prevention software and cloud security framework keeps servers safe against brute-force attacks in network security by reacting to intrusion attempts. These reactions could be either installing firewall rules to reject potentially malicious IP addresses for a certain amount of time or blocking access to a specific port. Linux Fail2ban can be downloaded here.
Penetration testing (commonly referred to as pen testing or ethical hacking) is the practice of testing a computer system, network, or application to identify cybersecurity vulnerabilities that could be exploited by malicious actors. As you can imagine, information gathered in pen tests is invaluable in verifying the data and network security of a Linux server and preventing attacks. There are an array of excellent pentesting network security toolkits available to Linux users, and there is a certain group of Linux distro for penetration testing. In this section, we’ll introduce our top two distros for Linux penetration testing: Kali Linux and ParrotOS.
Kali Linux is one of the most popular Linux distros among pentesters, ethical hackers, and security researchers. The flexible, full-featured distro contains hundreds of pentesting tools, protects sensitive pentesting data with LUKS full-disk encryption, and offers high customization levels. Kali Linux also offers training and support through the Kali Linux Dojo training suite.
Key Features & Benefits:
- Kali Linux uses LUKS full-disk encryption to secure sensitive pentesting data against loss, tampering, and theft.
- “Forensics” mode makes this distro perfect for investigative work.
- Users can automate and customize their Kali Linux installations over the network.
- This flexible distro offers full customization with live-build.
- On the training suite, Kali Linux Dojo users can learn how to customize their own Kali ISO and learn the basics of pentesting. All of these resources are available on Kali’s website, free of charge. Kali Linux also offers a paid-for pentesting course that can be taken online with a 24-hour certification exam. Once you pass this exam, you’re a qualified pentester!
Parrot OS is a fully-portable laboratory for pentesting, reverse engineering, and digital forensics. The fast, lightweight distro is frequently updated and offers a wide array of hardening and privacy sandboxing options. ParrotOS tools and features are designed to be compatible with the majority of devices via containerization technologies such as Docker or Podman.
Key Features & Benefits:
- ParrotOS provides pentesters and digital forensics experts with a state-of-the-art “laboratory” featuring a full suite of tools accompanied by standard privacy and security features.
- Applications that run on Parrot OS are fully sandboxed and protected.
- Parrot OS is fast, lightweight, and compatible with most devices.
Reverse Engineering & Malware Scanning
Reverse engineering, or the process of deconstructing an artificial environment to gain insight into its design, architecture, and code, can be extremely helpful in securing or verifying the data and network security of a Linux server. This process plays a central role in malware detection and analysis, as it can help administrators identify network security threats like malware on their systems, which they can then study, eliminate, and learn from so they can apply the knowledge to prevent future attacks in network security. In this section, we will profile the six malware scanning and reverse engineering tools Linux favors, as well as some toolkits and utilities.
REMnux is a free, community-powered toolkit for reverse engineering and malware analysis. The toolkit conveniently enables analysts to investigate malware without having to find, install, and configure the tools needed to do so. REMnux offers a distro that can be downloaded as a VM in the OVO format and then imported into your hypervisor, installed from scratch on a dedicated host, added to an existing system running a compatible version of Ubuntu, or run as a Docker container.
Chkrootkit is a free and open-source rootkit detector that locally scans for signs of a rootkit and hidden security holes on Unix/Linux systems. The scanner consists of a shell script that checks system binaries for rootkit modification along with a selection of programs designed to scan systems for different network security issues. Chkrootkit can be downloaded here.
Rkhunter is a powerful and user-friendly open-source tool designed to scan Linux systems for rootkits, backdoors, and local exploits in cybersecurity. The comprehensive cloud security scanner inspects and analyzes a system to detect hidden security holes. Rkhunter Linux can be downloaded here.
Lynis is a powerful and popular malware and vulnerability scanning and auditing tool for Unix/Linux operating systems. The free and open-source scanner detects network security issues and configuration errors, performs firewall auditing, checks file/directory permissions, and verifies file integrity and installed software. Lynis can be downloaded here. Learn how to scan your Linux system with Lynis in this Opensource.com tutorial.
Linux Malware Detect (LMD) is a full-featured, open-source malware scanner designed specifically for hosted environments; however, this tool can be used to detect network security threats on any Linux system. Linux LMD includes a full reporting system, where administrators can view both current and past scan results accompanied by email alerts after every scan and an array of other useful features. The scanner can be integrated with the ClamAV scanner engine for stronger performance and improved security posture.
Microsoft recently announced Project Freta, a free cloud-based malware scanning tool for Linux. The tool uses snapshot-based memory forensics, comparing thousands of images of Linux VMs to identify previously undetected malware.
Conducting frequent cloud security audits is an essential part of establishing the data and network security of your Linux servers. System auditing Linux enables administrators to discover security bugs, breaches, or policy violations on their systems. In this section, we’ll take a look at the Linux Auditing System (AuditD) and the insight that this valuable feature can provide administrators into the security, stability, and functionality of their systems.
What is the Linux Auditing System?
The Linux Auditing System (AuditD) is a native feature of the Linux kernel that collects information on system activity to facilitate the investigation of potential network security issues. AduditD works on the kernel level, where it can oversee all system processes and activities and uses the AuditD daemon to log what it finds. In most Linux distributions, AuditD is installed by default and runs automatically with the system. It logs information according to auditing and added rules. AuditD monitors three categories of events: system calls, file access, and select, pre-configured auditable events within the kernel. It enables administrators to audit activity using these categories of events, including authentications, failed cryptographic operations, abnormal terminations, SELinux modification, and program execution. When any one of the audit rules in place is triggered, AuditD outputs a comprehensive record that can be used to investigate the incident.
When implementing the Linux Auditing System, you will likely need to create some of your own rules. There are two types of rules that administrators can write: file system and system call rules. System activities like specific scripts executed, userland events, and internal kernel behaviors cannot be triggered using AuditD. When writing rules, it is critical to remember that audit rules work on a “first match wins” basis. In other words, once audited activity matches a rule, no further rules will be evaluated. Thus, the order in which rules are written is of utmost importance.
To view the audit records generated by a triggered rule, administrators can use the native ausearch and aureport utilities. Ausearch lets you search your audit log files for specific criteria, and aureport creates summary reports from the audit log files.
It is crucial for administrators to ensure that AuditD is properly configured and hardened to provide genuine, reliable information. Begin by checking that AuditD’s configuration is immutable using the control option “-e 2.” Then, confirm that logs are stored in a centralized, secure location - ideally, a server dedicated to accepting remote syslog events.
AuditD is a very useful and free feature for facilitating investigations, especially historical investigations, in response to an incident. That being said, AuditD does have some serious weaknesses that should be taken into consideration, namely bugginess, excessive overhead, lack of granularity, missing container support, and onerous output.
Final Thoughts on Verifying Linux Server Security
Regardless of the OS you’re running, securing your servers is an ongoing process that requires vigilant monitoring, testing, verification, and maintenance. In recent years, Linux has become an increasingly popular target among cybercriminals due to its growing popularity. However, the good news is that the majority of attacks in network security on Linux systems can be attributed to poor administration and can thus be prevented with greater attention to security and system hardening.
Frequently verifying the data and network security of your Linux servers using methods such as port scanning, intrusion detection, penetration testing, reverse engineering, and auditing is the only way to confirm that your servers are indeed as secure as you need them to be.