How to Perform a Comprehensive Security Audit on Your Linux Server: Tools and Techniques



When it comes to server security, checking Unix permissions is just the tip of the iceberg. A proper security audit should examine multiple attack vectors including open ports, outdated services, misconfigurations, and potential vulnerabilities.

Here are some powerful tools every sysadmin should know:

# Basic port scanning with nmap
nmap -sV -T4 -p- your_server_ip

# Vulnerability scanning with OpenVAS
openvas-setup
openvas-start
# Then access web interface at https://127.0.0.1:9392

# Automated security auditing with Lynis
lynis audit system

Beyond automated tools, manual checks are crucial:

# Check for world-writable files
find / -xdev -type f -perm -0002 -exec ls -ld {} \;

# Verify SSH security settings (anchor to line start so commented-out defaults are not mistaken for active directives)
grep -Ei "^[[:space:]]*PermitRootLogin" /etc/ssh/sshd_config
grep -Ei "^[[:space:]]*PasswordAuthentication" /etc/ssh/sshd_config

# Review active services
systemctl list-units --type=service --state=running

Even if users can't upload files, other web vulnerabilities might exist:

# Sample .htaccess hardening for Apache
# (X-XSS-Protection is a legacy header that current browsers ignore; it is kept here for older clients)
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options nosniff
</IfModule>

# Nginx security headers example
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options "nosniff";

Create a cron job for regular security checks:

# Weekly security scan (root's crontab, since Lynis needs root for a full audit); runs Sundays at 03:00
0 3 * * 0 /usr/bin/lynis audit system --cronjob > /var/log/lynis-report-$(date +\%Y\%m\%d).log

Implement real-time monitoring with tools like:

  • OSSEC for host-based intrusion detection
  • Fail2ban for brute force protection
  • Logwatch for daily security summaries

# Sample fail2ban configuration for SSH
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600
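As an added example (not from the original post), the script below does by hand the log analysis behind that fail2ban rule: it counts failed SSH logins per source address in an auth.log-style file and reports every source at or above the maxretry threshold. The log lines are constructed for the example and use documentation-only addresses.

```shell
#!/bin/sh
# Added example: report SSH sources whose failed logins reach fail2ban's maxretry.
# Matches the two sshd messages fail2ban's sshd filter also keys on.

# Usage: failed_ssh_logins <auth.log> [maxretry]
# Prints "count ip" for each source with >= maxretry failures, worst first.
failed_ssh_logins() {
    logfile=$1
    maxretry=${2:-3}
    grep -E 'sshd\[[0-9]+\]: (Failed password|Invalid user)' "$logfile" |
        sed -E 's/.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/' |
        sort | uniq -c |
        awk -v limit="$maxretry" '$1 >= limit { print $1, $2 }' |
        sort -rn
}

# Constructed sample log: two probing hosts and one legitimate user who mistyped once.
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 02:14:01 web01 sshd[2201]: Failed password for root from 192.0.2.10 port 51022 ssh2
Mar  3 02:14:03 web01 sshd[2201]: Failed password for root from 192.0.2.10 port 51022 ssh2
Mar  3 02:14:05 web01 sshd[2203]: Invalid user admin from 192.0.2.10 port 51030
Mar  3 02:14:09 web01 sshd[2205]: Failed password for invalid user admin from 192.0.2.10 port 51030 ssh2
Mar  3 02:15:11 web01 sshd[2210]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Mar  3 02:15:20 web01 sshd[2212]: Accepted publickey for alice from 198.51.100.7 port 40014 ssh2
Mar  3 02:16:40 web01 sshd[2220]: Invalid user test from 203.0.113.5 port 60001
Mar  3 02:16:42 web01 sshd[2222]: Invalid user oracle from 203.0.113.5 port 60002
Mar  3 02:16:44 web01 sshd[2224]: Invalid user postgres from 203.0.113.5 port 60003
EOF
}

sample_log=$(mktemp)
write_sample_log "$sample_log"
# With maxretry=3: 192.0.2.10 (4 failures) and 203.0.113.5 (3) are reported,
# 198.51.100.7 (1 failure, then a successful key login) is not.
failed_ssh_logins "$sample_log" 3
rm -f "$sample_log"
```

Point the function at the real `/var/log/auth.log` from the fail2ban config above to compare its output with `fail2ban-client status sshd`.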

Security isn't a one-time task. Subscribe to:

  • Your Linux distribution's security announcements
  • CVE databases (cve.mitre.org)
  • Security mailing lists like Bugtraq

When assessing server security, we need a multi-layered approach that covers various attack surfaces. Here's a breakdown of essential testing components:


# Basic server security checklist
1. Port scanning
2. Service version detection
3. Vulnerability assessment 
4. Configuration auditing
5. Authentication testing
6. Log analysis

Nmap is the de facto standard for network discovery and security auditing:

# Basic Nmap scan (run as root: -sS and -A need raw socket access)
nmap -sS -p 1-65535 -T4 -A -v your-server-ip

# Common useful flags:
# -sS: TCP SYN scan (stealth)
# -p : Port range
# -T4: Aggressive timing
# -A : Enable OS detection, version detection, script scanning and traceroute
# -v : Verbose output

For comprehensive automated scanning, consider these tools:


# Using OpenVAS (now Greenbone Vulnerability Management)
# gvm-cli sends a GMP XML request over the local socket; pass the request in --xml
# (e.g. <get_version/> to confirm connectivity before building scan tasks)
gvm-cli socket --xml ""

# Using Nessus (commercial solution)
nessuscmd --scan your-server-ip --policy "Basic Network Scan"

Linux servers benefit from these configuration checkers:


# Lynis system auditing
lynis audit system

# Sample output checking for SSH hardening:
[+] Hardening components
- Checking PermitRootLogin... [ OK ]
- Checking PasswordAuthentication... [ WARNING ]
- Checking X11Forwarding... [ OK ]

Even without file uploads, test your WAF rules:


# Simple WAF test with curl
curl -X POST http://yourserver.com/login \
-H "User-Agent: malicious-scanner" \
--data "username=admin' OR 1=1--"

# Expected blocked response:
{"error": "Invalid request detected"}

Implement automated security monitoring:


# Sample logwatch configuration (defaults live in /usr/share/logwatch/default.conf/logwatch.conf;
# put your overrides in /etc/logwatch/conf/logwatch.conf so package upgrades don't revert them)
MailTo = admin@yourdomain.com
Detail = High
Service = "-zz-network" # Exclude network services
Service = "-zz-sys" 
Service = "httpd" # Focus on web server
Service = "sshd"  # And SSH service