Scan linux server security

5 Tools to Scan a Linux Server for Malware and Rootkits

Linux servers are under constant attack and port scanning. A properly configured firewall and regular security updates add a layer of protection, but you should also check regularly whether anyone has already got in. That also helps keep the server free of any program that aims at disrupting its normal operation.

The tools presented in this article were created for these security scans and can identify viruses, malware, rootkits and malicious behaviour. You can use them to run regular system scans, for example every night, and mail the reports to your address.

1. Lynis – Security Auditing and Rootkit Scanner

Lynis is a free, open source, powerful and popular security auditing and scanning tool for Unix/Linux-like operating systems. It is a malware scanning and vulnerability detection tool that scans the system for security information and issues, file integrity and configuration errors; audits the firewall; checks installed software and file/directory permissions; and much more.

Importantly, it does not perform any system hardening itself; it only offers suggestions that let you harden your server.

We will install the latest version of Lynis (2.6.6 at the time of writing) from source using the following commands. The tarball extracts into a directory named lynis, which is why the move below works. Check the download against the checksum or GPG signature CISOfy publishes before installing: a tool you run as root from an unverified download is itself a supply-chain risk.

# cd /opt/
# wget https://downloads.cisofy.com/lynis/lynis-2.6.6.tar.gz
# tar xvzf lynis-2.6.6.tar.gz
# mv lynis /usr/local/
# ln -s /usr/local/lynis/lynis /usr/local/bin/lynis

Now you can run a system audit with the command shown below.

Lynis Linux Security Auditing Tool

To run Lynis automatically every night, add the following cron entry, which runs at 3 am and mails the report to your address.

2. Chkrootkit – A Linux Rootkit Scanner

Chkrootkit is another free, open source rootkit detector that locally checks a Unix-like system for signs of a rootkit. It helps detect hidden security holes. The chkrootkit package consists of a shell script that checks system binaries for rootkit modification and a number of small C programs that check for other indicators, such as network interfaces in promiscuous mode, deleted lastlog/wtmp entries and hidden processes.

The chkrootkit tool can be installed with the following command on Debian-based systems.

$ sudo apt install chkrootkit

On CentOS-based systems, install it from source with the following commands. The download is a plain FTP transfer, so compare it against the checksum the project publishes alongside the tarball before building.

# yum update
# yum install wget gcc-c++ glibc-static
# wget -c ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
# tar -xzf chkrootkit.tar.gz
# mkdir /usr/local/chkrootkit
# mv chkrootkit-0.52/* /usr/local/chkrootkit
# cd /usr/local/chkrootkit
# make sense

To check your server with Chkrootkit, run one of the following commands.

$ sudo chkrootkit
OR
# /usr/local/chkrootkit/chkrootkit

Once started, it checks the system for known malware and rootkits, and when it finishes you can read the summary. Keep in mind that chkrootkit calls the system's own ps, ls, netstat and similar binaries; a userland rootkit that has trojaned those can blind it. When you suspect a compromise, point it at known-clean copies of those tools with its -p option (for example from read-only media) rather than trusting the installed ones.


To run Chkrootkit automatically every night, add the following cron entry, which runs at 3 am and mails the report to your address.

3. Rkhunter – A Linux Rootkit Scanner

RKH (RootKit Hunter) is a free, open source, powerful, simple to use and well known tool for scanning for backdoors, rootkits and local exploits on POSIX-compliant systems such as Linux. As the name implies, it is a rootkit hunter, a security monitoring and analysis tool that thoroughly inspects a system to detect hidden security holes.

The rkhunter tool can be installed with the following commands on Ubuntu and CentOS-based systems respectively.

$ sudo apt install rkhunter

# yum install epel-release
# yum install rkhunter

To check your server with rkhunter, run the following command. Note that rkhunter compares file properties of system binaries against a stored baseline, so after a legitimate package update run its property update (rkhunter --propupd) once, or every later scan will warn about files the package manager changed.

To run rkhunter automatically every night, add the following cron entry, which runs at 3 am and mails the report to your address.
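The three sections above each end with a cron entry that runs the scanner at 3 am and mails the report. The following is an added example, not code from the original article or from any of the projects: one wrapper script that runs whichever of these scanners is installed, keeps each tool's full output, and mails a summary containing only the lines the tools use to flag a finding, so a nightly mail is short enough to be read. The invocations (lynis audit system --cronjob, rkhunter --check --sk --rwo, chkrootkit, clamscan -r -i), the LOG_DIR, MAIL_TO and SCAN_DIRS placeholders, and a local mail(1) command for delivery are all assumptions, not stated on the page.

```shell
#!/bin/sh
# Added example (not from the original article): nightly scan wrapper.
# Suggested cron entry (03:00 nightly, as the text describes):
#   0 3 * * * /usr/local/sbin/nightly-scan.sh run
# All paths, options and the mail command below are assumptions.
set -u

LOG_DIR="${LOG_DIR:-/var/log/nightly-scan}"      # placeholder, no spaces
MAIL_TO="${MAIL_TO:-root}"                       # placeholder
SCAN_DIRS="${SCAN_DIRS:-/home /tmp /var/www}"    # placeholder paths for clamscan

# Lines each tool prints for a real finding. Case matters: chkrootkit prints
# "not infected" for clean binaries and "INFECTED" for modified ones; clamscan
# ends a hit with "FOUND"; rkhunter --rwo prints "Warning:" lines; the Lynis
# report file (/var/log/lynis-report.dat) stores warnings as "warning[]=...".
findings() {
    grep -E 'Warning:|INFECTED|PACKET SNIFFER|FOUND$|^warning\[\]=' "$@"
}

# Print the number of finding lines in one log file.
count_findings() {
    n=$(findings "$1" | wc -l | tr -d ' ')
    echo "${n:-0}"
}

# Print a per-log summary plus a TOTAL line; return 0 only when nothing was
# flagged, so a caller can act on the exit status.
summarize() {
    total=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        n=$(count_findings "$f")
        total=$((total + n))
        printf '%s: %s finding(s)\n' "$(basename "$f")" "$n"
        findings "$f" | sed 's/^/    /'
    done
    printf 'TOTAL: %s\n' "$total"
    [ "$total" -eq 0 ]
}

# Run each scanner that is present; a missing tool must not abort the rest.
run_scanners() {
    day=$(date +%F)
    mkdir -p "$LOG_DIR"
    if command -v rkhunter >/dev/null 2>&1; then
        rkhunter --check --sk --rwo >"$LOG_DIR/rkhunter-$day.log" 2>&1
    fi
    if command -v chkrootkit >/dev/null 2>&1; then
        chkrootkit >"$LOG_DIR/chkrootkit-$day.log" 2>&1
    fi
    if command -v clamscan >/dev/null 2>&1; then
        # SCAN_DIRS is intentionally word-split into several arguments
        clamscan -r -i $SCAN_DIRS >"$LOG_DIR/clamscan-$day.log" 2>&1
    fi
    if command -v lynis >/dev/null 2>&1; then
        lynis audit system --cronjob >"$LOG_DIR/lynis-$day.log" 2>&1
        # Lynis keeps its machine-readable findings in its report file.
        cp /var/log/lynis-report.dat "$LOG_DIR/lynis-report-$day.dat" 2>/dev/null || true
    fi
    echo "$LOG_DIR"/*-"$day".*
}

nightly_scan() {
    logs=$(run_scanners)
    report=$(summarize $logs)
    status=$?
    subject="[$(hostname)] nightly scan: $(echo "$report" | sed -n 's/^TOTAL: //p') finding(s)"
    if command -v mail >/dev/null 2>&1; then
        echo "$report" | mail -s "$subject" "$MAIL_TO"
    else
        echo "$subject"; echo "$report"
    fi
    return "$status"
}

# Only run the scanners when invoked as "nightly-scan.sh run", so the file can
# also be sourced to reuse the summary functions on saved logs.
if [ "${1:-}" = "run" ]; then nightly_scan; fi
```

The full logs stay on disk for investigation; the mail carries only the flagged lines and a total, and the script's exit status is non-zero whenever anything was flagged. Because the summary is a plain grep over the tools' own output conventions, a tool that changes its wording silently drops out of the count, so spot-check the full logs now and then rather than trusting a string of zero-finding mails.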

4. ClamAV – Antivirus Software Toolkit

ClamAV is an open source, versatile, popular and cross-platform antivirus engine that detects viruses, malware, trojans and other malicious programs. It is one of the best free antivirus programs for Linux and the open source standard for mail gateway scanning, supporting almost all mail file formats.

It supports virus database updates on all platforms and on-access scanning on Linux only. In addition, it can scan inside archives and compressed files in formats such as Zip, Tar, 7Zip and Rar, among other features.

ClamAV can be installed with the following command on Debian-based systems.

$ sudo apt-get install clamav

On CentOS-based systems the ClamAV packages live in the EPEL repository, so enable it first (as in the rkhunter section) and then install.

# yum -y update
# yum -y install clamav

Once installed, update the signatures and scan a directory with the following commands.

# freshclam
# clamscan -r -i DIRECTORY

Where DIRECTORY is the location to scan. The -r option means scan recursively and -i means show only infected files. By default clamscan only reports; add --move=DIR to quarantine hits or --remove to delete them. Signatures age quickly, so run freshclam on a schedule (or as its daemon) rather than only once at install time.

5. LMD – Linux Malware Detect

LMD (Linux Malware Detect) is an open source, powerful and fully featured malware scanner for Linux, designed for shared hosting environments but usable to detect threats on any Linux system. It can use the ClamAV scanner engine for better performance.

It provides a full reporting system for viewing current and previous scan results, supports e-mail alerts after every scan run, and has many other useful features.

That's all for now! In this article we shared a list of 5 tools to scan a Linux server for malware and rootkits. Let us know your thoughts in the comments section.


5 Tools to Scan a Linux Server for Malware and Rootkits

As a Linux server owner, it is important to ensure your system is secure from malware and rootkits that can damage your data or steal sensitive information. Fortunately, several tools are available to scan your Linux server and detect threats lurking in your system. In this article, we discuss tools you can use to scan your Linux server for malware and rootkits.


ClamAV

ClamAV is open-source antivirus software that can be used to scan Linux servers for malware. It is a lightweight and easy-to-use tool that detects viruses, trojans and other malicious software. ClamAV supports many file formats, including compressed files and email attachments, and integrates with mail servers so that incoming and outgoing email can be scanned for malware.

To use ClamAV, you need to install it on your Linux server. The installation process varies depending on the Linux distribution you are using. Once installed, you can use the clamscan command to scan specific directories or files. For example, to scan the /var directory, you can run the following command:

The -r option tells ClamAV to scan the directory recursively. You can also use the clamdscan command, which hands files to the running clamd daemon instead of loading the whole signature database on every invocation, which makes repeated on-demand scans much faster. For example, to scan a file called example.tar.gz, you can run the following command:

If ClamAV detects malware, it reports the infected files; it will only quarantine or remove them if you ask it to with the --move or --remove options (or the equivalent clamd configuration).

Rkhunter

Rkhunter (Rootkit Hunter) is a command-line tool that can scan Linux servers for rootkits, backdoors, and other malicious software. It uses various techniques to detect suspicious files and processes, such as comparing checksums of system binaries and scanning for hidden files and directories.

To use Rkhunter, you need to install it on your Linux server. The installation process varies depending on the Linux distribution you are using. Once installed, you can run the rkhunter command to scan your system. For example, to perform a full system scan, you can run the following command:

Rkhunter will then scan your system and generate a report of any suspicious files and processes it detects. Review the report and act on the findings.

Chkrootkit

Chkrootkit is a command-line tool that scans Linux servers for rootkits and other malicious software. It uses several techniques to detect suspicious files and processes, such as looking for known rootkit signatures and checking the integrity of system binaries.

To use Chkrootkit, you need to install it on your Linux server. The installation process varies depending on the Linux distribution you are using. Once installed, you can run the chkrootkit command to scan your system. For example, to perform a full system scan, you can run the following command:

Chkrootkit will then scan your system and generate a report of any suspicious files and processes it detects. Review the report and act on the findings.

Lynis

Lynis is a command-line tool that performs security audits on Linux servers. It scans your system for weaknesses and provides recommendations on how to improve its security. Lynis also includes malware and rootkit checks that look for suspicious files and processes.


To use Lynis, you need to install it on your Linux server. The installation process varies depending on the Linux distribution you are using. Once installed, you can run the lynis command to perform a security audit. For example, to perform a full system audit, you can run the following command:

Lynis Audit System

Lynis will then scan your system and generate a report of the weaknesses it finds and its recommendations. It also flags any suspicious files and processes it finds, which could be malware or rootkits.

OSSEC

OSSEC is an open-source host-based intrusion detection system (HIDS) that can be used to detect and respond to security incidents on Linux servers. It monitors your system with several techniques, including file integrity checking, log analysis and rootkit detection.

To use OSSEC, you need to install it on your Linux server and set up an agent to monitor the system. The installation process varies depending on the Linux distribution you are using. Once installed, you can configure OSSEC to monitor your system and send alerts when it detects suspicious activity, such as the presence of a rootkit.

Tripwire

Tripwire is a file integrity checking tool that detects changes to your system files. It helps you spot unauthorized modifications, which can be an indication of a malware or rootkit infection. To use Tripwire, you need to install it on your Linux server and configure it to monitor your system files.

AIDE

AIDE (Advanced Intrusion Detection Environment) is another file integrity checking tool that detects changes to your system files. Like Tripwire, it helps you spot unauthorized modifications, which can be an indication of a malware or rootkit infection. To use AIDE, you need to install it on your Linux server and configure it to monitor your system files. With either tool, the baseline database is only worth anything if it was taken on a system you trust and is stored where the host cannot rewrite it (read-only media or a remote store); an attacker who can edit the baseline can make any change look legitimate.
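To make the Tripwire and AIDE descriptions above concrete, here is an added example, not code from the original article and not from either project: the minimum of what a file integrity checker does, written with coreutils so the mechanism is visible. A baseline of SHA-256 digests is taken once on a known-good host; a later run reports MODIFIED, ADDED and REMOVED paths and exits non-zero if anything changed. The directory and baseline path are placeholders. The real tools also record ownership, mode, inode, link count and timestamps, support exclusion rules, and sign the database; this example records content only.

```shell
#!/bin/sh
# Added example (not AIDE or Tripwire code): baseline-and-verify file integrity
# check using SHA-256 digests. Paths are placeholders supplied by the caller.
set -u

# Digest of one file: sha256sum on GNU systems, shasum on BSD/macOS.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Emit "digest  path" lines for every regular file below $1 (symlinks are not
# followed), sorted by path so two snapshots of the same tree compare equal.
# Paths containing a newline are not supported by this simple line format.
fim_snapshot() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done )
}

# Take the baseline. Run once on a host you trust, then move the file somewhere
# the host cannot rewrite it.
fim_baseline() {
    fim_snapshot "$1" > "$2"
}

# Compare the live tree ($1) with the baseline ($2). Prints one line per change
# (REMOVED / ADDED / MODIFIED) and returns 1 if anything changed, else 0.
fim_verify() {
    live=$(mktemp); diffs=$(mktemp)
    fim_snapshot "$1" > "$live"
    awk -v base="$2" '
        { d = $1; p = substr($0, length(d) + 3) }   # split "digest  path"
        FILENAME == base { old[p] = d; next }       # records from the baseline
        { new[p] = d }                              # records from the live tree
        END {
            for (p in old) if (!(p in new)) print "REMOVED  " p
            for (p in new) {
                if (!(p in old))           print "ADDED    " p
                else if (old[p] != new[p]) print "MODIFIED " p
            }
        }' "$2" "$live" | LC_ALL=C sort > "$diffs"
    cat "$diffs"
    n=$(wc -l < "$diffs" | tr -d ' ')
    rm -f "$live" "$diffs"
    [ "$n" -eq 0 ]
}
```

Usage: fim_baseline /etc /mnt/readonly/etc.baseline once, then fim_verify /etc /mnt/readonly/etc.baseline from cron. An ADDED entry such as /etc/ld.so.preload, or a MODIFIED sshd_config you did not change, is exactly the kind of signal the article is talking about; a flood of MODIFIED lines right after a package upgrade means the baseline needs to be retaken, which is the same workflow AIDE and Tripwire impose.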

RKDetector

RKDetector is a rootkit detection tool that can be used to look for rootkits on your Linux server. It uses several techniques, such as scanning for hidden processes and files. To use RKDetector, you need to install it on your Linux server and run the rkdetect command.
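The rkhunter, chkrootkit and RKDetector descriptions above all mention scanning for hidden processes. The following is an added example, not code from any of those projects, showing that check in its simplest form. A rootkit that filters /proc directory listings, or a trojaned ps, usually still leaves /proc/<pid> reachable by name, so a PID that answers a direct probe but is absent from the ps listing is suspicious. The comparison is kept as a pure function over two saved lists so it can be exercised offline; the live wrapper assumes a procps-style ps -e -o pid= and a probe range of 1..65535, both of which are placeholders.

```shell
#!/bin/sh
# Added example (not chkrootkit/rkhunter/RKDetector code): hidden-process check
# by comparing direct /proc/<pid> probes against what ps reports.
set -u

# PIDs that exist according to a direct /proc/<pid> lookup (no readdir used,
# so a rootkit that only filters directory listings cannot hide them here).
probe_pids() {
    n=1; max=${1:-65535}     # placeholder upper bound
    while [ "$n" -le "$max" ]; do
        [ -d "/proc/$n" ] && echo "$n"
        n=$((n + 1))
    done
}

# PIDs the (possibly trojaned) ps utility admits to.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# Pure comparison: print PIDs present in the probe list ($1) but missing from
# the ps list ($2), one per line. Returns 1 if there are any, else 0.
hidden_pids() {
    a=$(mktemp); b=$(mktemp)
    LC_ALL=C sort -u "$1" > "$a"
    LC_ALL=C sort -u "$2" > "$b"
    out=$(comm -23 "$a" "$b")
    rm -f "$a" "$b"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Live check. Processes exit between the two listings all the time, so each
# candidate is re-probed and re-queried before it is reported; without that, a
# short-lived cron job or shell would be reported as a "hidden" process.
check_hidden() {
    [ -d /proc ] || { echo "no /proc on this system, skipping" >&2; return 0; }
    probe=$(mktemp); seen=$(mktemp)
    probe_pids > "$probe"
    ps_pids > "$seen"
    rc=0
    for p in $(hidden_pids "$probe" "$seen"); do
        [ -d "/proc/$p" ] || continue                   # exited: gone, not hidden
        ps -p "$p" -o pid= >/dev/null 2>&1 && continue  # visible now: a race, not a hit
        echo "HIDDEN PID $p: /proc/$p exists but ps does not list it"
        rc=1
    done
    rm -f "$probe" "$seen"
    return "$rc"
}

# Run the live check only when invoked as "hidden-procs.sh run".
if [ "${1:-}" = "run" ]; then check_hidden; fi
```

A hit means either a process hidden from ps or a bug in the check, never proof of a rootkit on its own; confirm from a known-clean ps binary (or from outside the host) before acting. Conversely, a kernel rootkit that hooks the path lookup as well as the directory listing hides from this probe too, which is why the real tools combine several such checks rather than relying on one.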

LMD

LMD (Linux Malware Detect) is a malware scanner that can be used to detect malware on your Linux server. It uses several techniques, such as signature scanning and heuristic analysis. To use LMD, you need to install it on your Linux server and run the maldet command.

Conclusion

Scanning your Linux server for malware and rootkits is an important part of maintaining a secure system. By using the tools discussed in this article, you can detect and respond to threats that may be lurking in your system. Remember to keep your system up to date with the latest security patches and to follow best practices for securing your Linux server.
