12 Tools to Scan Linux Servers for Security Flaws and Malware
Invicti Web Application Security Scanner – the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.
Even though Linux-based systems are often considered impenetrable, there are still risks that need to be taken seriously.
Rootkits, viruses, ransomware, and many other harmful programs can often attack and cause problems to Linux servers.
No matter the operating system, taking security measures is a must for servers. Large brands and organizations have taken security measures in their hands and developed tools that not only detect flaws and malware but also correct them and take preventive actions.
Fortunately, there are tools available for a low price or for free that can help with this process. They can detect flaws in different sections of a Linux based server.
Lynis
Lynis is a renowned security tool and a preferred option for experts in Linux. It also works on systems based on Unix and macOS. It is an open-source software app that has been used since 2007 under a GPL license.
Lynis is capable of detecting security holes and configuration flaws. But it goes beyond that: instead of just exposing the vulnerabilities, it suggests corrective actions. That’s why, to get detailed auditing reports, it is necessary to run it on the host system.
Installation is not necessary for using Lynis. You can extract it from a downloaded package or a tarball and run it. You can also get it from a Git clone to have Access to the full documentation and source code.
Lynis was created by the original author of Rkhunter, Michael Boelen. It has two types of services based on individuals and enterprises. In either case, it has an outstanding performance.
Chkrootkit
As you may have already guessed, the chkrootkit is a tool to check for the existence of rootkits. Rootkits are a type of malicious software that can give server access to an unauthorized user. If you are running a Linux-based server, rootkits can be a problem.
chkrootkit is one of the most used Unix-based programs that can detect rootkits. It uses ‘strings’ and ‘grep’ (Linux tool commands) to detect issues.
It can either be used from an alternative directory or from a rescue disc, in case you want it to verify an already compromised system. The different components of Chkrootkit take care of looking for deleted entries in the “wtmp” and “lastlog” files, finding sniffer records or rootkit configuration files, and checking for hidden entries in “/proc” or calls to the “readdir” program.
To use chkrootkit, you should get the latest version from a server, extract the source files, compile them, and you’re ready to go.
Rkhunter
Developer Micheal Boelen was the person behind making Rkhunter (Rootkit Hunter) in 2003. It is a suitable tool for POSIX systems and can help with the detection of rootkits and other vulnerabilities. Rkhunter thoroughly goes through files (either hidden or visible), default directories, kernel modules, and misconfigured permissions.
After a routine checkup, it compares them to the safe and proper records of databases and looks for suspicious programs. Since the program is written in Bash, it can not only run on Linux machines but also on practically any version of Unix.
ClamAV
Written in C++, ClamAV is an open-source antivirus that can help with the detection of viruses, trojans, and many other types of malware. It is an entirely free tool; that’s why lots of people use it to scan their personal info, including emails, for any kind of malicious files. It also serves significantly as a server-side scanner.
The tool was initially developed especially for Unix. Still, it has third-party versions that can be used on Linux, BSD, AIX, macOS, OSF, OpenVMS, and Solaris. Clam AV does an automatic and regular update of its database in order to be able to detect even the most recent threats. It allows for command-line scanning, and it has a multi-threaded scalable demon to improve its scanning speed.
It can go through different kinds of files to detect vulnerabilities. It supports all kinds of compressed files, including RAR, Zip, Gzip, Tar, Cabinet, OLE2, CHM, SIS format, BinHex, and almost any type of email system.
LMD
Linux Malware Detect –or LMD, for short– is another renowned antivirus for Linux systems, specifically designed around the threats usually found on hosted environments. Like many other tools that can detect malware and rootkits, LMD uses a signature database to find any malicious running code and quickly terminate it.
LMD doesn’t limit itself to its own signature database. It can leverage ClamAV and Team Cymru’s databases to find even more viruses. To populate its database, LMD captures threat data from network edge intrusion detection systems. By doing this, it is capable of generating new signatures for malware that is being actively used in attacks.
LMD can be used through the “maldet” command line. The tool is specially made for Linux platforms and can easily search through Linux servers.
Radare2
Radare2 (R2) is a framework for analyzing binaries and doing reverse engineering with excellent detection abilities. It can detect malformed binaries, giving the user the tools to manage them, and neutralizing potential threats. It utilizes sdb, which is a NoSQL database. Software security researchers and software developers prefer this tool for its excellent data presentation ability.
One of the outstanding features of Radare2 is that the user is not forced to use the command line to accomplish tasks such as static/dynamic analysis and software exploitation. It is recommended for any type of research on binary data.
OpenVAS
Open Vulnerability Assessment System, or OpenVAS, is a hosted system for scanning vulnerabilities and managing them. It is designed for businesses of all sizes, helping them detect security issues hidden within their infrastructures. Initially, the product was known as GNessUs, until its current owner, Greenbone Networks, changed its name to OpenVAS.
Since version 4.0, OpenVAS allows continuous updating –usually in periods of less than 24 hours– of its Network Vulnerability Testing (NVT) base. As of June 2016, it had more than 47,000 NVTs.
Security experts use OpenVAS because of its ability to scan fast. It also features excellent configurability. OpenVAS programs can be used from a self-contained virtual machine for doing safe malware research.
Its source code is available under a GNU GPL license. Many other vulnerability detection tools depend on OpenVAS –that is why it is taken as an essential program in Linux based platforms.
REMnux
REMnux uses reverse-engineering methods for analyzing malware. It can detect many browser-based issues, hidden in JavaScript obfuscated code snippets and Flash applets. It is also capable of scanning PDF files and performing memory forensics. The tool helps with the detection of malicious programs inside folders and files that can’t be scanned easily with other virus-detection programs.
It is effective due to its decoding and reverse-engineering capabilities. It can determine the properties of suspicious programs, and for being lightweight, it is very much undetectable by smart malicious programs. It can be used on both Linux and Windows, and its functionality can be improved with the help of other scanning tools.
Tiger
In 1992, Texas A&M University started working on Tiger to increase their campus computers’ security. Now, it is a popular program for Unix-like platforms. A unique thing about the tool is that it is not only a security audit tool but also an intrusion detection system.
The tool is free to use under a GPL license. It is dependent on POSIX tools, and together they can create a perfect framework that can increase the security of your server significantly. Tiger is entirely written on shell language –that’s one of the reasons for its effectiveness. It is suitable for checking system status and configuration, and its multipurpose use makes it very popular amongst people who use POSIX tools.
Maltrail
Maltrail is a traffic detection system capable of keeping your server’s traffic clean and helping it avoid any kind of malicious threats. It performs that task by comparing the traffic sources with blacklisted sites published online.
Besides checking for blacklisted sites, It also uses advanced heuristic mechanisms for detecting different kinds of threats. Even though it is an optional feature, it comes in handy when you think your server has already been attacked.
It has a sensor capable of detecting the traffic a server gets and sending the information to the Maltrail server. The detection system verifies if the traffic is good enough to exchange data between a server and the source.
YARA
Made for Linux, Windows, and macOS, YARA (Yet Another Ridiculous Acronym) is one of the most essential tools used for the research and detection of malicious programs. It uses textual or binary patterns to simplify and accelerate the detection process, resulting in a fast and easy task.
YARA does have some extra features, but you need the OpenSSL library to use them. Even if you don’t have that library, you can use YARA for basic malware research through a rule-based engine. It can also be used in the Cuckoo Sandbox, a Python-based sandbox ideal for doing safe research of malicious software.
Vuls
Vuls is an advanced open-source vulnerability scanner designed specifically for Linux & FreeBSD systems. It is an agentless scanner – which means it doesn’t require any software installation on the target machines. It can be deployed on cloud platforms, on-premise systems, and also on Docker containers.
Vuls uses multiple vulnerability databases such as NVD, OVAL, FreeBSD-SA, and Changelog to perform high-quality scans. The best thing is it can even detect vulnerabilities for which patches have not yet been published by distributors.
It supports both remote & local scan modes. In remote scan mode – you set up a central Vuls server that connects to the target servers via SSH. However, if you prefer not to establish SSH connections from the central server, then you can use Vuls in local scan mode.
Vuls can also detect vulnerabilities in non-operating system packages. This includes packages you compiled yourself, language libraries, frameworks, etc., as long as they have been registered in the Common Platform Enumeration (CPE).
It has a tutorial that can help you get started with using the tool and also supports email & Slack notifications, so you can receive alerts about scan results or other information.
How to choose the best tool?
All the tools we have mentioned above work very well, and when a tool is popular in Linux environments, you can be pretty sure that thousands of experienced users are using it. One thing that system administrators should remember is that each application is usually dependent on other programs. For example, that is the case with ClamAV and OpenVAS.
You need to understand what your system needs and in which areas it can be having vulnerabilities. Firstly, use a lightweight tool to research what section needs attention. Then use the proper tool to solve the problem.