# Security Audit Checklist

This checklist helps you verify and improve the security of your Linux server.
## Quick Audit (5 minutes)

### System

- System up to date: `sudo apt update && sudo apt upgrade`
- No pending restart (the file should not exist): `ls /var/run/reboot-required`
- Reasonable uptime: `uptime`

### SSH Access

- SSH port changed (not 22)
- Password authentication disabled
- Root login forbidden or restricted
- Fail2ban active: `sudo fail2ban-client status`

### Firewall

- UFW active: `sudo ufw status`
- Only necessary ports are open
- Default policy = deny incoming

### Users

- No unnecessary accounts: `cat /etc/passwd | grep -v nologin`
- No empty passwords: `sudo awk -F: '($2 == "") {print}' /etc/shadow`
## Complete Audit

### 1. System Updates

```bash
# Check available updates
sudo apt update
apt list --upgradable
# Check automatic security updates
cat /etc/apt/apt.conf.d/50unattended-upgrades
```

Recommended actions:

```bash
# Install updates
sudo apt upgrade -y
# Enable automatic security updates
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
```
### 2. SSH Configuration

```bash
# Show current SSH configuration
sudo sshd -T | grep -E "passwordauthentication|permitrootlogin|port|pubkeyauthentication"
```

Recommended configuration (`/etc/ssh/sshd_config`). Comments are kept on their own lines because older sshd versions reject trailing comments after a directive:

```
# Non-standard port
Port 2222
# Or 'no'
PermitRootLogin prohibit-password
# Keys only
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
X11Forwarding no
AllowTcpForwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
```
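
Editing the file is only half the check; the host must actually run those values. The script below is an added example (not part of the original checklist) that compares a `sudo sshd -T` dump against the recommended settings and lists every deviation. `EXPECTED_SSHD`, `check_sshd_config` and the temporary file names are names chosen for this example; the sample dump it runs on is constructed.

```bash
#!/bin/bash
# Added example (not part of the original checklist): compare the settings sshd
# actually runs with against the recommended values and list every deviation.
# Input is the output of `sudo sshd -T`, one lowercase "key value" per line.

# Recommended values in the form `sshd -T` prints them.
EXPECTED_SSHD="port 2222
permitrootlogin prohibit-password
passwordauthentication no
pubkeyauthentication yes
maxauthtries 3
x11forwarding no
allowtcpforwarding no
clientaliveinterval 300
clientalivecountmax 2"

# check_sshd_config FILE
# Prints "key: expected X, got Y" for each mismatch or missing key and returns
# the number of deviations, so 0 means the host matches the recommendation.
check_sshd_config() {
    local file="$1" key expected actual deviations=0
    while read -r key expected; do
        [ -n "$key" ] || continue
        # sshd -T prints each keyword once; take its value (empty if absent).
        actual=$(awk -v k="$key" '$1 == k { print $2; exit }' "$file")
        if [ "$actual" != "$expected" ]; then
            printf '%s: expected %s, got %s\n' "$key" "$expected" "${actual:-<missing>}"
            deviations=$((deviations + 1))
        fi
    done <<EOF
$EXPECTED_SSHD
EOF
    return "$deviations"
}

# Stand-alone demonstration on a constructed `sshd -T` dump of a host that still
# listens on 22 and lets root log in with a password. On a real host run:
#   sudo sshd -T > /tmp/sshd-effective.txt && check_sshd_config /tmp/sshd-effective.txt
sample=$(mktemp)
printf '%s\n' "$EXPECTED_SSHD" | sed 's/^port 2222$/port 22/;s/^permitrootlogin .*/permitrootlogin yes/' > "$sample"
check_sshd_config "$sample" || echo "$? setting(s) deviate from the recommendation"
rm -f "$sample"
```

The return value is the deviation count, so the function can gate a cron alert directly; a key that `sshd -T` does not print at all counts as a deviation rather than silently passing.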
### 3. UFW Firewall

```bash
# Detailed status
sudo ufw status verbose
# See numbered rules
sudo ufw status numbered
```

Recommended minimal configuration:

```bash
# Default policy
sudo ufw default deny incoming
sudo ufw default allow outgoing
# Allow SSH (your port)
sudo ufw allow 2222/tcp
# Allow HTTP/HTTPS if web server
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Enable
sudo ufw enable
```
### 4. Users and Permissions

```bash
# List users with shell
grep -v '/nologin\|/false' /etc/passwd
# Users with UID 0 (root)
awk -F: '($3 == "0") {print}' /etc/passwd
# Check sudoers
sudo cat /etc/sudoers
sudo ls -la /etc/sudoers.d/
# SUID files (can be dangerous)
sudo find / -perm -4000 -type f 2>/dev/null
# World-writable files
sudo find / -perm -0002 -type f ! -path "/proc/*" ! -path "/sys/*" 2>/dev/null
```
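
A raw SUID listing is long and hard to judge by eye; what matters is what changed since the last audit. The following is an added example (not the checklist's own code) that saves the current SUID list as a baseline and reports additions and removals on later runs. The baseline path `/var/lib/security-audit/suid.baseline` and the function names are assumptions for this example; the lists in the demonstration are constructed.

```bash
#!/bin/bash
# Added example (not part of the original checklist): record the SUID binaries
# on the host as a baseline and report what changed since. The baseline path
# is an assumption for this example; any root-owned, non-world-writable
# location works.
export LC_ALL=C   # stable sort order so comm(1) sees identically sorted lists

SUID_BASELINE="${SUID_BASELINE:-/var/lib/security-audit/suid.baseline}"

# list_suid [ROOT]: sorted SUID regular files under ROOT (default /), same filesystem only.
list_suid() {
    find "${1:-/}" -xdev -perm -4000 -type f 2>/dev/null | sort
}

# save_suid_baseline [ROOT] [BASELINE]: write the current list as the reference.
save_suid_baseline() {
    local baseline="${2:-$SUID_BASELINE}"
    mkdir -p "$(dirname "$baseline")"
    list_suid "${1:-/}" > "$baseline"
}

# compare_suid CURRENT_FILE BASELINE_FILE
# Prints "+ path" for SUID files absent from the baseline and "- path" for
# baseline entries that vanished. Returns the number of additions: a SUID
# binary nobody installed on purpose is the finding to investigate.
compare_suid() {
    local current="$1" baseline="$2"
    comm -13 "$baseline" "$current" | sed 's/^/+ /'
    comm -23 "$baseline" "$current" | sed 's/^/- /'
    return "$(comm -13 "$baseline" "$current" | grep -c .)"
}

# audit_suid [ROOT] [BASELINE]: compare the live system against the saved
# baseline; returns the addition count, or 255 when no baseline exists yet.
audit_suid() {
    local root="${1:-/}" baseline="${2:-$SUID_BASELINE}" current rc=0
    [ -r "$baseline" ] || { echo "no baseline at $baseline; run save_suid_baseline first" >&2; return 255; }
    current=$(mktemp)
    list_suid "$root" > "$current"
    compare_suid "$current" "$baseline" || rc=$?
    rm -f "$current"
    return "$rc"
}

# Stand-alone demonstration on constructed lists (nothing is read from the system).
base=$(mktemp); cur=$(mktemp)
printf '/usr/bin/passwd\n/usr/bin/su\n/usr/bin/sudo\n' > "$base"
printf '/opt/app/bin/helper\n/usr/bin/passwd\n/usr/bin/sudo\n' > "$cur"
compare_suid "$cur" "$base" || echo "$? new SUID file(s) since baseline"
rm -f "$base" "$cur"
```

Run `sudo save_suid_baseline` once after the host is built and `sudo audit_suid` from the periodic audit; `-xdev` keeps the scan off mounted media and network filesystems, so record a baseline per filesystem if those matter to you.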
### 5. Active Services

```bash
# List running services
systemctl list-units --type=service --state=running
# Listening ports
sudo ss -tlnp
# or (legacy net-tools)
sudo netstat -tlnp
```

Disable unnecessary services:

```bash
# Example: disable cups (printing)
sudo systemctl disable cups
sudo systemctl stop cups
```
### 6. Logs and Monitoring

```bash
# Recent logins
last -20
# Failed login attempts
sudo grep "Failed password" /var/log/auth.log | tail -20
# Current SSH connections
who
# Sudo command history
sudo grep sudo /var/log/auth.log
```
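
`tail -20` shows the latest failures but not which addresses are responsible. As an added example (not part of the original checklist), the script below aggregates `Failed password` events per source address and returns a non-zero status when any address reaches a threshold, which is what a daily cron check needs. The function names are chosen for this example and the log lines it runs on are constructed, using TEST-NET addresses.

```bash
#!/bin/bash
# Added example (not part of the original checklist): count "Failed password"
# events per source address in an auth.log and flag addresses that reached an
# alert threshold. The sample log below is constructed (TEST-NET addresses).

# failed_logins_by_ip LOGFILE
# Prints "count ip", most frequent first, for every address with failures.
failed_logins_by_ip() {
    awk '
        /Failed password/ {
            # sshd writes "... from <ip> port <n> ssh2"; take the word after "from".
            for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' "$1" | sort -rn
}

# flag_brute_force LOGFILE [THRESHOLD]
# Prints only addresses at or above THRESHOLD (default 5) and returns 1 when
# there is at least one, so it can gate an alert in a cron job; 0 otherwise.
flag_brute_force() {
    local logfile="$1" threshold="${2:-5}" flagged
    flagged=$(failed_logins_by_ip "$logfile" | awk -v t="$threshold" '$1 >= t')
    [ -n "$flagged" ] || return 0
    printf '%s\n' "$flagged"
    return 1
}

# write_sample_auth_log FILE: constructed lines in /var/log/auth.log format.
write_sample_auth_log() {
    cat > "$1" <<'EOF'
Mar  3 10:01:12 web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 web1 sshd[2310]: Failed password for root from 203.0.113.7 port 51235 ssh2
Mar  3 10:01:18 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51236 ssh2
Mar  3 10:01:21 web1 sshd[2312]: Failed password for invalid user test from 203.0.113.7 port 51237 ssh2
Mar  3 10:01:24 web1 sshd[2313]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:01:27 web1 sshd[2314]: Failed password for root from 203.0.113.7 port 51239 ssh2
Mar  3 10:02:00 web1 sshd[2320]: Failed password for deploy from 198.51.100.4 port 40021 ssh2
Mar  3 10:02:05 web1 sshd[2320]: Failed password for deploy from 198.51.100.4 port 40021 ssh2
Mar  3 10:02:09 web1 sshd[2320]: Accepted publickey for deploy from 198.51.100.4 port 40021 ssh2: ED25519 SHA256:constructed
EOF
}

# Stand-alone demonstration; on a real host: sudo flag_brute_force /var/log/auth.log 5
sample=$(mktemp)
write_sample_auth_log "$sample"
flag_brute_force "$sample" 5 || echo "alert: the address(es) above reached the threshold"
rm -f "$sample"
```

In the constructed sample, the two failures from 198.51.100.4 followed by an accepted key login look like an operator mistyping, while the run against `root` and `admin` from 203.0.113.7 is the pattern Fail2ban (section 7) is meant to stop; comparing this output with the banned list tells you whether the jail is doing its job.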
### 7. Fail2ban

```bash
# Check status
sudo fail2ban-client status
# See active jails
sudo fail2ban-client status | grep "Jail list"
# Currently banned IPs
for jail in $(sudo fail2ban-client status | grep "Jail list" | sed 's/.*://;s/,//g'); do
    echo "=== $jail ==="
    sudo fail2ban-client status "$jail" | grep "Banned IP"
done
```
### 8. SSL Certificates

```bash
# Check certificate expiration
sudo find /etc/letsencrypt/live -name "cert.pem" -exec openssl x509 -enddate -noout -in {} \;
# Test renewal
sudo certbot renew --dry-run
```
### 9. File Integrity

```bash
# Install AIDE (Advanced Intrusion Detection Environment)
sudo apt install aide
# Initialize database (written to /var/lib/aide/aide.db.new)
sudo aideinit
# Promote the new database to the reference that checks compare against
sudo cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Check integrity
sudo aide --check
```
### 10. Network Configuration

```bash
# Check security sysctl parameters
sysctl net.ipv4.conf.all.accept_redirects
sysctl net.ipv4.conf.all.send_redirects
sysctl net.ipv4.tcp_syncookies
```

Recommended configuration (`/etc/sysctl.d/99-security.conf`):

```
# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# SYN flood protection
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 2048
# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Log suspicious packets
net.ipv4.conf.all.log_martians = 1
```

Apply:

```bash
sudo sysctl -p /etc/sysctl.d/99-security.conf
```
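
A file in `/etc/sysctl.d/` proves intent, not state: a value can be overridden by a later file or reset by network tooling after boot. The script below is an added example (not part of the original checklist) that reads every `key = value` in such a file and compares it with the live value under `/proc/sys`, reporting drift. `check_sysctl_drift` is a name chosen for this example, and its second argument exists only so the demonstration can run against a constructed `/proc/sys` tree instead of the real kernel.

```bash
#!/bin/bash
# Added example (not part of the original checklist): check that the values in
# a sysctl.d file are actually live in the kernel by reading /proc/sys, so a
# setting that was never applied, or was reset by a later tool, shows up as drift.
# SYS_ROOT is a parameter only so the check can run against a constructed tree.

# check_sysctl_drift CONF_FILE [SYS_ROOT]
# Prints "key: want X, live Y" per mismatch and returns the number of mismatches.
# Handles single-value keys written with dots (net.ipv4.tcp_syncookies), which
# covers everything in the recommended file above.
check_sysctl_drift() {
    local conf="$1" sysroot="${2:-/proc/sys}" key want live path drift=0
    while IFS='=' read -r key want; do
        # Trim surrounding whitespace; skip blank lines and comments.
        key=$(printf '%s' "$key" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        want=$(printf '%s' "$want" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$key" in ''|'#'*) continue ;; esac
        # net.ipv4.tcp_syncookies lives at <sysroot>/net/ipv4/tcp_syncookies
        path="$sysroot/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then live=$(cat "$path"); else live="<missing>"; fi
        if [ "$live" != "$want" ]; then
            printf '%s: want %s, live %s\n' "$key" "$want" "$live"
            drift=$((drift + 1))
        fi
    done < "$conf"
    return "$drift"
}

# Stand-alone demonstration against a constructed /proc/sys tree where ICMP
# redirects are still accepted and log_martians was never set.
fake_sys=$(mktemp -d)
mkdir -p "$fake_sys/net/ipv4/conf/all"
echo 1 > "$fake_sys/net/ipv4/conf/all/accept_redirects"
echo 1 > "$fake_sys/net/ipv4/tcp_syncookies"
conf=$(mktemp)
printf '# Disable ICMP redirects\nnet.ipv4.conf.all.accept_redirects = 0\n\n# SYN flood protection\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.conf.all.log_martians = 1\n' > "$conf"
check_sysctl_drift "$conf" "$fake_sys" || echo "$? setting(s) drifted from the file"
rm -rf "$fake_sys" "$conf"
# On the real host: check_sysctl_drift /etc/sysctl.d/99-security.conf
```

A non-zero return after `sysctl -p` usually means another file in `/etc/sysctl.d/` (they are applied in name order) or a network daemon set the key later; `sysctl --system` shows the effective order.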
## Automated Audit Script

```bash
#!/bin/bash
# /usr/local/bin/security-audit.sh
# sshd -T, ufw status, fail2ban-client and ss -p only report fully as root.
if [ "$(id -u)" -ne 0 ]; then
    echo "Run as root: sudo $0" >&2
    exit 1
fi

echo "=== SECURITY AUDIT $(date) ==="
echo ""
echo "--- System ---"
echo "OS: $(grep PRETTY_NAME /etc/os-release | cut -d'"' -f2)"
echo "Kernel: $(uname -r)"
echo "Uptime: $(uptime -p)"
echo ""
echo "--- Updates ---"
echo "$(apt list --upgradable 2>/dev/null | grep -c upgradable) packages need updating"
echo ""
echo "--- SSH ---"
sshd -T 2>/dev/null | grep -E "port |passwordauthentication|permitrootlogin"
echo ""
echo "--- Firewall ---"
ufw status | head -5
echo ""
echo "--- Fail2ban ---"
fail2ban-client status 2>/dev/null || echo "Not installed"
echo ""
echo "--- Open Ports ---"
ss -tlnp | grep LISTEN
echo ""
echo "--- Recent Logins ---"
last -5
echo ""
echo "--- SSL Certificates ---"
# Pass the path to sh as an argument instead of splicing {} into the command string
find /etc/letsencrypt/live -name "cert.pem" -exec sh -c 'echo "$1:" && openssl x509 -enddate -noout -in "$1"' _ {} \; 2>/dev/null
echo ""
echo "=== END OF AUDIT ==="
```

Make it executable:

```bash
sudo chmod +x /usr/local/bin/security-audit.sh
```
## Recommended Frequency

| Check | Frequency |
|---|---|
| System updates | Weekly |
| Authentication logs | Daily |
| Fail2ban status | Daily |
| Complete audit | Monthly |
| SSL certificates | Monthly |
| User review | Quarterly |

## Additional Tools

### Lynis - Security Audit

```bash
sudo apt install lynis
sudo lynis audit system
```

### RKHunter - Rootkit Detection

```bash
sudo apt install rkhunter
sudo rkhunter --update
sudo rkhunter --check
```

### ClamAV - Antivirus

```bash
sudo apt install clamav clamav-daemon
# If the clamav-freshclam service is running it already updates the signatures,
# and a manual freshclam fails on its lock file; stop the service first in that case
sudo freshclam
sudo clamscan -r /home
```

## Tip

Automate these checks with cron jobs and send yourself reports via email or Discord/Slack notifications.