Verifying Linux Server Security: What Every Admin Needs to Know

Linux is a widespread OS known for its robust security. That being said, vulnerabilities are inevitable in any OS, and Linux system administrators must be vigilant about monitoring and verifying the security of their servers on an ongoing basis in order to protect sensitive data and prevent attacks. After all, the majority of attacks on Linux systems can be attributed to poor administration.
The only way to be sure your server is as well protected as you think it is - or as it needs to be - is to actually test it and verify it is working as you expect. This article will introduce LinuxSecurity’s top methods and tools for verifying the security of your Linux servers - specifically, port scanning, intrusion detection, penetration testing, reverse engineering and auditing - and will point you in the direction of some other valuable resources to help you get started on this journey.
Let's examine some great methods for verifying Linux server security.
Port Scanning
Port scanning, or the process of evaluating ports on a server to identify vulnerabilities, is one method that administrators should employ when looking to evaluate the overall security of a Linux server. Running a port scan on a server reveals which ports are open and receiving information, as well as the security devices that exist between the sender and the target, and can be used to identify potential weak points that could be exploited by attackers. There is an array of excellent port scanners - applications designed to probe a server or host for open ports - available to Linux users. In this section, we’ll introduce our three favorite open-source port scanners, and direct you to some helpful tutorials demonstrating how to perform a port scan on your Linux servers.
Let’s take a look at three great port scanners available to Linux users:
Nmap
Nmap, which stands for “Network Mapper”, is by far the most popular and versatile port scanner available - and for good reason. The free and open-source port scanner offers an array of options for performing quick, effective scans on both local and remote networks. Nmap can be used for active port scanning to discover open ports on specific networks/hosts, as well as for host discovery to identify potential hosts that are responding to network requests. Nmap’s capabilities extend beyond port scanning - it can also be used for penetration testing, vulnerability scanning, OS fingerprinting and application version detection. Nmap can be run from the classic command line terminal, and a GUI called Zenmap is also available.
You can learn how to install Nmap on your system here.
Learn how to perform a ping scan, a host scan and an OS and services scan with Nmap.
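To turn a scan into a verification step, compare what the scanner found against what each server is supposed to expose. The following is an added example, not part of the original article: it parses Nmap's grepable output format (-oG) and reports open ports that are not in a baseline. The sample scan, host names and baseline are constructed for illustration.

```python
import re

# Constructed sample of Nmap grepable output (nmap -oG); hosts use the
# 192.0.2.0/24 documentation range and do not refer to real systems.
SAMPLE_SCAN = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.10 (web01)\tStatus: Up\n"
    "Host: 192.0.2.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "3306/open/tcp//mysql///, 8080/filtered/tcp//http-proxy///\n"
    "Host: 192.0.2.20 (db01)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///\n"
)

# Assumed baseline: the ports each server is expected to expose.
EXPECTED_OPEN = {
    "192.0.2.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "192.0.2.20": {(22, "tcp"), (5432, "tcp")},
}

def parse_open_ports(grepable):
    """Return {host: {(port, proto), ...}} for ports Nmap reported as open."""
    result = {}
    for line in grepable.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: (.*)", line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port list
        host = m.group(1)
        ports_field = m.group(2).split("\t")[0]  # drop trailing fields
        found = result.setdefault(host, set())
        for entry in ports_field.split(","):
            # Each entry is port/state/protocol/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                found.add((int(fields[0]), fields[2]))
    return result

def audit_exposure(found, expected):
    """Per host: open ports missing from the baseline, and baseline ports not open."""
    report = {}
    for host in sorted(set(found) | set(expected)):
        have, want = found.get(host, set()), expected.get(host, set())
        report[host] = {
            "unexpected": sorted(have - want),  # exposed but not approved
            "missing": sorted(want - have),     # approved but not reachable
        }
    return report

if __name__ == "__main__":
    for host, diff in audit_exposure(parse_open_ports(SAMPLE_SCAN), EXPECTED_OPEN).items():
        print(host, diff)
```

Run on a schedule against saved scan output, a non-empty "unexpected" list is the signal to investigate which service opened the port.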
Unicornscan
Unicornscan is the second most popular open-source port scanner (after Nmap). It features renowned asynchronous TCP and UDP scanning capabilities, as well as uncommon network discovery patterns that provide alternative ways to find out important details about remote operating systems and services. Unicornscan can be used for both active and passive remote OS, application and component identification. The fast, comprehensive port scanner offers custom module support, customized data-set views and PCAP file logging and filtering.
You can download Unicornscan here.
Angry IP Scanner
Thanks to its multi-threaded approach, which separates each scan, Angry IP Scanner is known for its impressive scanning speed. The free multi-platform scanner searches for open ports on any remote network, and then exports scan results into either TXT, XML or CSV files. Other notable features of Angry IP Scanner include its web server & NetBIOS information detection capabilities and its easy, seamless plugin integration with Java.
Angry IP Scanner for Linux can be downloaded here.
Intrusion Detection
Intrusion detection, or monitoring a network or system for malicious activity or policy violations, is a critical part of maintaining a secure Linux server. The information gathered through intrusion detection provides administrators with valuable insight into the types of attacks that could potentially threaten their servers, which is critically important information for setting up preventative defenses. In this section, we’ll begin by examining some great open-source intrusion detection system (IDS) tools and honeypots that can help Linux server administrators proactively identify and respond to threats to their systems - preventing data theft and system compromise. We’ll then explore the importance of monitoring logs and take a look at how Logwatch can be used for this purpose.
Top Open-Source IDS Tools & Honeypots
Snort
Snort is the leader in free and open-source network intrusion detection systems (NIDS). The popular tool has three modes that can be used to analyze real-time traffic: intrusion detection mode, packet sniffer mode and packet logger mode. The intrusion detection mode is based on a set of rules that the user can either create or download from the Snort community. Snort can be used for port scanning, OS fingerprinting and detecting attacks using signature-based and anomaly-based techniques. Snort is easy to install and supported by a large, vibrant community.
Snort can be downloaded here.
OSSEC
In the realm of host-based intrusion detection systems (HIDS), OSSEC dominates. This full-featured open-source IDS tool is highly effective and extensible. OSSEC’s client/server based management and logging architecture secures sensitive information against tampering and theft by delivering alerts and logs to a centralized server where analysis and notification can occur even in the event that the host system is compromised or taken offline. A convenient benefit of this client/server design is the ability to centrally manage agents from a single server. OSSEC is very lightweight and is backed by a strong, supportive community.
OSSEC can be downloaded here.
Suricata
Suricata is a modern NIDS that employs signature-based, anomaly-based and policy driven intrusion detection methods. It features multi-threading capabilities, GPU acceleration and multiple model statistical anomaly detection. Suricata can examine HTTP requests, TLS/SSL certificates and DNS transactions. Suricata is compatible with Snort's data structure, enabling users to implement Snort policies in Suricata.
Suricata can be downloaded here.
Cowrie
Cowrie is a medium-interaction SSH and Telnet honeypot that logs brute-force attacks and shell interaction. The open-source honeypot emulates a Unix system in Python and functions as a proxy to log malicious activity. Cowrie features JSON logging for easy processing in log management solutions.
Monitoring Logs
Monitoring logs is an essential part of verifying the security of a server, and must be done on a regular basis to ensure that your systems remain secure. Critical log categories that should be monitored for all Linux servers include application logs, event logs, service logs and system logs. Many Linux distributions offer tools for automating this ongoing task.
The Logwatch application, for instance, sends a daily email report of all of the logs on a server - providing administrators with valuable information including potential malicious activity, SSH attempts and IPs causing errors, as well as the number of emails that have been sent. In a large corporate environment it is common practice to send Logwatch emails (along with other mail directed to the root user) to a single company email list. Administrators in the company then subscribe to this email list to stay informed of any notifications regarding suspicious activity detected in any of the company’s servers’ logs.
Logwatch can be downloaded here.
Fail2ban is another excellent application for monitoring logs and detecting intrusion attempts. This intrusion prevention software framework secures servers against brute-force attacks by reacting to intrusion attempts by either installing firewall rules to reject potentially-malicious IP addresses for a certain amount of time or by blocking access to a specific port.
Fail2ban can be downloaded here.
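The log-driven detection described above comes down to counting failures per source address inside a time window. The following is an added example, not part of the original article and not Fail2ban's own code: it applies that logic to sshd log lines. The log lines are constructed, and the thresholds and the year used to complete syslog timestamps are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines; addresses are from documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 srv01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:04 srv01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:09 srv01 sshd[1207]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:16:40 srv01 sshd[1215]: Accepted publickey for deploy from 198.51.100.4 port 40022 ssh2
Mar  3 10:17:02 srv01 sshd[1220]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar  3 10:20:00 srv01 sshd[1231]: Failed password for alice from 198.51.100.9 port 40100 ssh2
Mar  3 11:45:00 srv01 sshd[1302]: Failed password for alice from 198.51.100.9 port 40177 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10), year=2024):
    """Return {ip: time the threshold was crossed} for sources with at least
    max_retry failed logins inside a sliding window of find_time.

    max_retry, find_time and year are assumed values for this example;
    classic syslog timestamps carry no year, so one has to be supplied.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    offenders = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other messages
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        window = recent[ip]
        window.append(when)
        # Drop failures that have aged out of the window.
        while when - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry and ip not in offenders:
            offenders[ip] = when
    return offenders

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_AUTH_LOG).items():
        print(f"{ip} crossed the threshold at {when.isoformat()}")
```

The second source in the sample fails twice, but 85 minutes apart, so it never accumulates enough failures inside one window.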
Penetration Testing
Penetration testing (commonly referred to as pen testing or ethical hacking) is the practice of testing a computer system, network, or application to identify security vulnerabilities that could be exploited by malicious actors. As you can imagine, information gathered in pen tests is invaluable in verifying the security of a Linux server, securing data and preventing attacks. There is an array of excellent pen testing tools available to Linux users, and certain Linux distros specialize in this area. In this section, we’ll introduce our top two distros for pen testing: Kali Linux and ParrotOS.
Kali Linux
Kali Linux is one of the most popular Linux distros among pentesters, ethical hackers and security researchers. The flexible, full-featured distro contains hundreds of pentesting tools, protects sensitive pentesting data with LUKS full-disk encryption and offers a high level of customization. Kali Linux also offers training and support through the Kali Linux Dojo training suite.
Key Features & Benefits:
- Kali Linux uses LUKS full-disk encryption to secure sensitive pentesting data against loss, tampering and theft.
- “Forensics” mode makes this distro perfect for forensics work.
- Users can automate and customize their Kali Linux installations over the network.
- This flexible distro offers full customization with live-build.
- There’s a Kali Linux training suite available called Kali Linux Dojo, where users can learn how to customize their own Kali ISO and learn the basics of pentesting. All of these resources are available on Kali’s website, free of charge. Kali Linux also offers a paid-for pentesting course that can be taken online, with a 24-hour certification exam. Once you pass this exam, you’re a qualified pentester!
ParrotOS
Parrot OS is a fully-portable laboratory for pentesting, reverse engineering and digital forensics. The fast, lightweight distro is frequently updated and offers a wide array of hardening and sandboxing options. ParrotOS tools and features are designed to be compatible with the majority of devices via containerization technologies such as Docker or Podman.
Key Features & Benefits:
- ParrotOS provides pentesters and digital forensics experts with a state-of-the-art “laboratory” featuring a full suite of tools accompanied by standard privacy and security features.
- Applications that run on Parrot OS are fully sandboxed and protected.
- Parrot OS is fast, lightweight and compatible with most devices.
Reverse Engineering & Malware Scanning
Reverse engineering, or the process of deconstructing an artificial environment such as a Linux system to gain insight into its design, architecture and code, can be extremely helpful in securing or verifying the security of a Linux server. This process plays a central role in malware detection and analysis, as it can help administrators identify security risks such as malware on their systems, which they can then study and eliminate, applying the knowledge they have gained to prevent future attacks. In this section, we will profile our six favorite tools, toolkits and utilities for reverse engineering and malware scanning available to Linux users.
Top Toolkits, Tools & Utilities for Reverse Engineering & Malware Scanning on Linux
REMnux
REMnux is a free, community-powered toolkit for reverse-engineering and malware analysis. The toolkit conveniently enables analysts to investigate malware without having to find, install and configure the tools needed to do so. REMnux offers a distro which can be downloaded as a VM in the OVA format and then imported into your hypervisor, installed from scratch on a dedicated host, added to an existing system running a compatible version of Ubuntu, or run as a Docker container.
Chkrootkit
Chkrootkit is a free and open-source rootkit detector that locally scans for signs of a rootkit and hidden security holes on Unix/Linux systems. The scanner consists of a shell script that checks system binaries for rootkit modification, along with a selection of programs designed to scan systems for different security issues.
Chkrootkit can be downloaded here.
Rkhunter
Rkhunter is a powerful and user-friendly open-source tool designed to scan for rootkits, backdoors and local exploits on Linux systems. The comprehensive scanner inspects and analyzes a system to detect hidden security holes.
Rkhunter can be downloaded here.
Lynis
Lynis is a powerful and popular malware and vulnerability scanning and auditing tool for Unix/Linux operating systems. The free and open-source scanner detects security issues and configuration errors, performs firewall auditing, checks file/directory permissions, file integrity and installed software - and much more.
Lynis can be downloaded here.
LMD
Linux Malware Detect (LMD) is a full-featured, open-source malware scanner designed specifically for hosted environments; however, this tool can be used to detect threats on any Linux system. LMD includes a full reporting system where administrators can view both current and past scan results accompanied by email alerts after every scan - along with an array of other useful features. The scanner can be integrated with the ClamAV scanner engine for improved performance.
Project Freta
Microsoft recently announced Project Freta, a free cloud-based malware scanning tool for Linux. The tool uses snapshot-based memory forensics, comparing thousands of images of Linux VMs to identify previously undetected malware.
Auditing
Conducting frequent audits is an essential part of establishing the security of your Linux servers. System auditing enables administrators to discover security bugs, breaches or policy violations on their systems. In this section, we’ll take a look at the Linux Auditing System (AuditD) and the insight that this valuable feature can provide administrators into the security, stability and functionality of their systems.
What is the Linux Auditing System?
The Linux Auditing System (AuditD) is a feature native to the Linux kernel that collects information on system activity to facilitate the investigation of potential security incidents. AuditD works on the kernel level - where it can oversee all system processes and activities - and uses the AuditD daemon to log what it finds. In most Linux distributions, AuditD is installed by default and runs automatically with the system. It logs information according to its auditing rules as well as any rules that have been added. AuditD monitors three categories of events: system calls, file access and select, pre-configured auditable events within the kernel. It enables administrators to audit activity using these categories of events including authentications, failed cryptographic operations, abnormal terminations, SELinux modification and program execution. When any of the audit rules in place is triggered, AuditD outputs a comprehensive record that can be used to investigate the incident.
When implementing the Linux Auditing System, you will likely need to create some of your own rules. There are two types of rules that administrators can write: file system and system call rules. Other system activities including specific scripts executed, userland events and internal kernel behaviors that can be triggered independently of syscalls are out of the scope of AuditD. When writing rules, it is critical to remember that audit rules work on a “first match wins” basis. In other words, once audited activity matches a rule, no further rules will be evaluated. Thus, the order in which rules are written is of utmost importance.
To view the audit records generated by a triggered rule, administrators can use the native ausearch and aureport utilities. Ausearch lets you search your audit log files for specific criteria, while aureport creates summary reports from the audit log files.
It is crucial for administrators to ensure that AuditD is properly configured and hardened to provide genuine, reliable information. Begin by checking that AuditD’s configuration is immutable using the control option “-e 2”. Then, confirm that logs are stored in a centralized, secure location - ideally a server dedicated to accepting remote syslog events.
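Both points above, rule order under “first match wins” and locking the configuration with “-e 2”, can be checked mechanically. The following is an added example, not part of the original article and not an AuditD tool: it lints an audit rules file for a missing or misplaced “-e 2” and for syscall rules that an earlier, broader rule on the same list will always match first. The sample rules, including the backup-agent path, are constructed, and the shadowing test is a simplified heuristic that compares -S and -F values as literal strings.

```python
import shlex

# Constructed sample rules file with two ordering mistakes.
SAMPLE_RULES = """\
-D
-b 8192
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S execve -k exec
-a never,exit -F arch=b64 -S execve -F exe=/usr/local/bin/backup-agent
-e 2
-w /etc/shadow -p wa -k identity
"""

def parse_rule(line):
    """Extract action, filter list, syscalls and -F fields from an '-a' rule."""
    tok = shlex.split(line)
    rule = {"action": None, "list": None, "syscalls": set(), "fields": set()}
    for flag, val in zip(tok, tok[1:]):
        if flag == "-a":
            parts = set(val.split(","))
            rule["action"] = "never" if "never" in parts else "always"
            rule["list"] = next(iter(parts - {"always", "never"}), None)
        elif flag == "-S":
            rule["syscalls"].update(val.split(","))
        elif flag == "-F":
            rule["fields"].add(val)
    return rule

def lint(text):
    """Return sorted (line_number, message) findings for a rules file."""
    findings = []
    rules = [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1)
             if l.strip() and not l.strip().startswith("#")]
    lock = [n for n, l in rules if shlex.split(l)[:2] == ["-e", "2"]]
    if not lock:
        findings.append((0, "no '-e 2': rules can still be changed at runtime"))
    elif lock[0] != rules[-1][0]:
        findings.append((lock[0], "'-e 2' is not last: later rules are rejected once locked"))
    earlier = []
    for n, line in rules:
        if not line.startswith("-a "):
            continue
        r = parse_rule(line)
        for m, e in earlier:
            # e matches everything r matches if it has no extra conditions
            # and covers at least the same syscalls.
            covers_syscalls = not e["syscalls"] or (
                bool(r["syscalls"]) and r["syscalls"] <= e["syscalls"])
            if (e["list"] == r["list"] and e["action"] != r["action"]
                    and e["fields"] <= r["fields"] and covers_syscalls):
                findings.append((n, f"never evaluated: line {m} matches first"))
                break
        earlier.append((n, r))
    return sorted(findings)
```

On the sample this reports line 5 (the exclusion must come before the broader rule on line 4) and line 6 (the lock must move to the end of the file).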
AuditD is a very useful - and free - feature for facilitating investigations, especially historical investigations in response to an incident. That being said, AuditD does have some serious weaknesses that should be taken into consideration - namely, bugginess, excessive overhead, lack of granularity, missing container support and onerous output.
Final Thoughts on Verifying Linux Server Security
Regardless of the OS you’re running, securing your servers is an ongoing process that requires vigilant monitoring, testing, verification and maintenance. In recent years, Linux has become an increasingly popular target among cyber criminals due to its growing popularity. However, the good news is that the majority of attacks on Linux systems can be attributed to poor administration - and can thus be prevented with greater attention to security and system hardening.
Frequently verifying the security of your Linux servers using methods such as port scanning, intrusion detection, penetration testing, reverse engineering and auditing is the only way to confirm that your servers are indeed as secure as you think they are or would like them to be.
Have additional questions about any of the topics covered in this article? Connect with LinuxSecurity on social media and don’t hesitate to ask. Open-source security is our passion and we’d love to help!