# systemctl status -all
# systemctl status -all
rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.
Install RKHunter which is the Rootkit Detection tool
# yum – -enablerepo=epel -y install rkhunter
# rkhunter – -update
# rkhunter – -propupd
# rkhunter – -check – -sk
Pre login banner is use for sending a warning message before authentication may be relevant for getting legal protection or just give out information to users. The contents of the specified file are sent to the remote user before authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed (if you are using latest version of Linux/UNIX then you do not have to worry about version issue).
Procedure to change OpenSSH pre login banner
1) By default sshd server turns off this feature.
2) Login as the root user; create your login banner file:
# vi /etc/ssh/sshd-banner
Welcome to nixCraft Remote Login!
3) Open sshd configuration file /etc/sshd/sshd_config using a text editor:
# vi /etc/sshd/sshd_config
4) Add/edit the following line:
5) Save file and restart the sshd server:
# /etc/init.d/sshd restart
WARNING : BE CAREFUL USING ARPWATCH,
IT MAY CAUSE IP CONFLIC!
Arpwatch is an open source computer software program that helps you to monitor Ethernet traffic activity (like Changing IP and MAC Addresses) on your network and maintains a database of ethernet/ip address pairings. It produces a log of noticed pairing of IP and MAC addresses information along with a timestamps, so you can carefully watch when the pairing activity appeared on the network. It also has the option to send reports via email to an network administrator when a pairing added or changed.
This tool is specially useful for Network administrators to keep a watch on ARP activity to detect ARP spoofing or unexpected IP/MAC addresses modifications.
By default, Arpwatch tool is not installed on any Linux distributions. We must install it manually using ‘yum‘ command on RHEL, CentOS, Fedora and ‘apt-get‘ on Ubuntu, Linux Mint and Debian.
# yum install arpwatch
Let’s focus on the some most important arpwatch files, the location of the files are slightly differ based on your operating system.
Type the following command to start the arpwatch service.
# chkconfig --level 35 arpwatch on # /etc/init.d/arpwatch start
Arpwatch Commands and Usage
To watch a specific interface, type the following command with ‘-i‘ and device name.
# arpwatch -i eth0
So, whenever a new MAC is plugged or a particular IP is changing his MAC address on the network, you will notice syslog entries at ‘/var/log/syslog‘ or ‘/var/log/message‘ file.
# tail -f /var/log/messages
You can also check current ARP table, by using following command.
# arp -a
If you want to send alerts to your custom email id, then open the main configuration file ‘/etc/sysconfig/arpwatch‘ and add the email as shown below.
# -u <username> : defines with what user id arpwatch should run # -e <email> : the <email> where to send the reports # -s <from> : the <from>-address OPTIONS="-u arpwatch -e firstname.lastname@example.org -s 'root (Arpwatch)'"
Lynis is an open source and much powerful auditing tool for Unix/Linux like operating systems. It scans system for security information, general system information, installed and available software information, configuration mistakes, security issues, user accounts without password, wrong file permissions, firewall auditing, etc.
Lynis is one of the most trusted automated auditing tool for software patch management, malware scanning and vulnerability detecting in Unix/Linux based systems. This tool is useful for auditors, network and system administrators, security specialists and penetration testers.
Installation of Lynis
Lynis doesn’t required any installation, it can be used directly from any directory. So, its good idea to create a custom directory for Lynis under
# mkdir /usr/local/lynis
Download stable version of Lynis source files from the trusted website using wget command and unpack it using tar command as shown below.
# cd /usr/local/lynis # wget https://cisofy.com/files/lynis-2.2.0.tar.gz
Unpack the tarball
# tar -xvf lynis-2.2.0.tar.gz
Running and using Lynis Basics
You must be root user to run Lynis, because it creates and writes output to
/var/log/lynis.log file. To run Lynis execute the following command.
# cd lynis # ./lynis
./lynis without any option, it will provide you a complete list of available parameters and goes back to the shell prompt.
To start Lynis process, you must define a
--check-all parameter to begin scanning of your entire Linux system. Use the following command to start scan with parameters as shown below.
# ./lynis --check-all
Once, you execute above command it will start scanning your system and ask you to Press [Enter] to continue, or [CTRL]+C to stop) every process it scans and completes.
To prevent such acknowledgment (i.e. “press enter to continue”) from user while scanning, you need use
-Q parameters as shown below.
# ./lynis -c -Q
It will do complete scan without waiting for any user acknowledgment. See the following screencast.
Creating Lynis CronJobs
If you would like to create a daily scan report of your system, then you need to set a cron job for it. Run the following command at the shell.
# crontab -e
Add the following cron job with option
--cronjob all the special characters will be ignored from the output and the scan will run completely automated.
30 22 * * * root /path/to/lynis -c -Q --auditor "automated" --cronjob
The above example cron job will run daily at 10:30pm in the night and creates a daily report under
Lynis Scanning Results
While scanning you will see output as [OK] or [WARNING]. Where [OK] considered as good result and [WARNING] as bad. But it doesn’t mean that [OK] result is correctly configured and [WARNING] doesn’t have to be bad. You should take corrective steps to fix those issues after reading logs at
In most cases, the scan provides suggestion to fix problems at the end of the scan. See the attached figure that provides a list of suggestion to fix problems.
If you want to update or upgrade current lynis version, simple type the following command it will download and install latest version of lynis.
# ./lynis update info [Show update details] # ./lynis update release [Update Lynis release]
Some of the Lynis parameters for your reference.
--checkall or -c : Start the scan.
--check-update : Checks for Lynis update.
--cronjob : Runs Lynis as cronjob (includes -c -Q).
--help or -h : Shows valid parameters
--quick or -Q : Don’t wait for user input, except on errors
--version or -V : Shows Lynis version.
That’s it, we hope this article will be much helpful you all to figure out security issues in running systems. For more information visit the official Lynis page at
You actually need to have the ipset module installed on your CentOS
# yum -y install ipset
Then set LF_IPSET=”1″ in the Firewall Configuration and restart CSF
PLEASE NOTE THAT I AM NOT USING MULTIPLE ACCOUNT ON THIS SERVER. IF YOU USE MULTIPLE ACCOUNTS YOU NEED TO MAKE THOSE STEP IN THE /HOME/(USER ACCOUNT NAME)
Here is what I do after, download the private key id_rsa to your computer. Open filezilla and add a new connection by using “LOGON TYPE: Key File”
Add the key file that you downloaded “id_rsa” then Filezilla will prompt you to created the final key file by converting it to .ppk “I named my keyfile filezilla.ppk”
When the new key is saved you will be able to login to the ftp server.
P.S Use the same filezilla.ppk key for PUTTY 😉
Also you will notice that if you use CSF you will have a stronger security!