Tutorial: VPS Security Audits Using Lynis
We’ve written in the past about general security-focused steps you can take to protect your VPS, such as enabling SSH authentication or general server maintenance, but there comes a time when everyone should start taking more steps to harden their VPSs against potential attacks.
In the end, it doesn’t really matter if you’re running a personal blog or a SaaS application with highly sensitive customer data—you have a vested interest in keeping your data safe and ensuring your server isn’t shut down or used for malicious actions.
One way to figure out where your security is lacking is via a specialized tool that can audit common configurations and give recommendations on what to do moving forward. Lynis is one of those options.
Lynis is available on all our OS options—Ubuntu, Debian, and CentOS—and the installation/usage instructions are the same for every platform, so this tutorial is OS agnostic.
- A VPS running any of our available OS options.
- A non-root user account (commands requiring escalated privileges will use
Step 1: Installing Lynis
Downloading and “installing” Lynis is as simple as cloning the Github repository to your VPS. If you’re running a brand new VPS, you might not have Git installed yet. If you do, skip to the next step.
sudo apt-get install git # Ubuntu/Debian sudo yum install git # CentOS
Let’s clone the Lynis repository next:
git clone https://github.com/CISOfy/lynis
It’s recommended to run the script as the root user, so we’ll use
chown to change the ownership of the script. If you run the command with
su without changing ownership first, you’ll receive a security warning, which you can ignore by hitting
Enter or cancel with
Ctrl+C. And, if you try running the command using your normal users, you’ll get a warning that results will be incomplete due to some processing requiring higher privileges.
sudo chown -R 0:0 lynis cd lynis
Finally, we can simply execute the built-in script.
su - ./lynis audit system
Interpreting the results
When Lynis completes, it will output warnings, suggestions, and some at-a-glance details of your security scan, such as a “hardening index” that you can use to score your efforts.
For example, here’s the output for a newly-rebuilt CentOS 7 server, set up using the Ansible playbook from a previous tutorial.
Lynis security scan details: Hardening index : 70 [############## ] Tests performed : 208 Plugins enabled : 2 Components: - Firewall [V] - Malware scanner [X] Lynis Modules: - Compliance Status [?] - Security Audit [V] - Vulnerability Scan [V] Files: - Test and debug information : /var/log/lynis.log - Report data : /var/log/lynis-report.dat
A hardening index of 70 is respectable, but with a wide margin for improvement. Fortunately, Lynis also outputs any warnings and suggestions that you can use to inform yourself about improvements that could make your server more hardened to potential attack.
The following is a sample of the output, with some entries removed because they simply can’t be fixed on a VPS, such as placing
/var on a separate partition.
-[ Lynis 2.5.1 Results ]- Warnings (1): ---------------------------- ! iptables module(s) loaded, but no rules active [FIRE-4512] https://cisofy.com/controls/FIRE-4512/ Suggestions (30): ---------------------------- * Configure minimum password age in /etc/login.defs [AUTH-9286] https://cisofy.com/controls/AUTH-9286/ * Configure maximum password age in /etc/login.defs [AUTH-9286] https://cisofy.com/controls/AUTH-9286/ * Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027) [AUTH-9328] https://cisofy.com/controls/AUTH-9328/ [...] * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840] https://cisofy.com/controls/STRG-1840/ * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846] https://cisofy.com/controls/STRG-1846/ * Check DNS configuration for the dns domain name [NAME-4028] https://cisofy.com/controls/NAME-4028/ * Install package 'yum-utils' for better consistency checking of the package database [PKGS-7384] https://cisofy.com/controls/PKGS-7384/ * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032] https://cisofy.com/controls/NETW-3032/ * Consider hardening SSH configuration [SSH-7408] - Details : AllowTcpForwarding (YES --> NO) https://cisofy.com/controls/SSH-7408/ * Consider hardening SSH configuration [SSH-7408] - Details : ClientAliveCountMax (3 --> 2) https://cisofy.com/controls/SSH-7408/ * Consider hardening SSH configuration [SSH-7408] - Details : Compression (DELAYED --> NO) https://cisofy.com/controls/SSH-7408/ * Consider hardening SSH configuration [SSH-7408] - Details : LogLevel (INFO --> VERBOSE) https://cisofy.com/controls/SSH-7408/ * Consider hardening SSH configuration [SSH-7408] - Details : MaxAuthTries (6 --> 2) https://cisofy.com/controls/SSH-7408/ * Consider hardening SSH configuration [SSH-7408] - Details : MaxSessions (10 --> 2) https://cisofy.com/controls/SSH-7408/ * Consider hardening SSH configuration [SSH-7408] - Details : Port (22 --> ) https://cisofy.com/controls/SSH-7408/ * Consider hardening SSH configuration [SSH-7408] - Details : TCPKeepAlive (YES --> NO) https://cisofy.com/controls/SSH-7408/ * Consider hardening SSH configuration [SSH-7408] - Details : UseDNS (YES --> NO) https://cisofy.com/controls/SSH-7408/ * Consider hardening SSH configuration [SSH-7408] - Details : AllowAgentForwarding (YES --> NO) https://cisofy.com/controls/SSH-7408/ * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126] https://cisofy.com/controls/BANN-7126/ * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130] https://cisofy.com/controls/BANN-7130/ * Enable process accounting [ACCT-9622] https://cisofy.com/controls/ACCT-9622/ * Enable sysstat to collect accounting (no results) [ACCT-9626] https://cisofy.com/controls/ACCT-9626/ * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350] https://cisofy.com/controls/FINT-4350/ * Determine if automation tools are present for system management [TOOL-5002] https://cisofy.com/controls/TOOL-5002/ * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000] https://cisofy.com/controls/KRNL-6000/ * Harden compilers like restricting access to root user only [HRDN-7222] https://cisofy.com/controls/HRDN-7222/ * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230] - Solution : Install a tool like rkhunter, chkrootkit, OSSEC https://cisofy.com/controls/HRDN-7230/
You can also examine the full log of your scan at
Taking action on gaps in your security
As you can see, Lynis gave me one warning and 30 suggestions, all of which, when fixed, will help make my server more secure. Every warning and suggestion comes with a link to documentation that will help you understand the issue and example fixes, so be sure to take advantage of those resources.
Because all of us use
ssh to connect to our VPSs, let’s walk through some basic fixes that will help reduce the number of warnings we get. Note: Your default
sshd configuration might look slightly different depending on your OS, and any tweaks you might have already made.
sudo nano /etc/ssh/sshd_config
We can uncomment the lines about agent forwarding and TCP forwarding and explicitly disallow them.
#AllowAgentForwarding yes #AllowTcpForwarding yes --- AllowAgentForwarding no AllowTcpForwarding no
#ClientAliveCountMax 3 --- ClientAliveCountMax 2
And the compression settings:
#Compression delayed --- Compression no
Let’s change the
MaxSessions at the same time:
MaxAuthTries 6 MaxSessions 10 --- MaxAuthTries 2 MaxSessions 2
#TCPKeepAlive yes --- TCPKeepAlive no
And, finally, DNS:
#UseDNS yes --- UseDNS no
Now you can save the file and restart the
sshd service to ensure that these changes are applied, then, you can try running Lynis again to see the results.
sudo systemctl restart sshd su - sudo ./lynis audit system
After editing just a few lines in the
ssh configuration, my hardening index score has jumped to 77, and I’m down to 1 warning/23 suggestions. Not bad for just a few minutes of work!
Now, most of these warnings and suggestions are beyond the scope of this tutorial, but the basic idea is to tackle them one or two at at time, re-run Lynis, and keep working to make your server as secure as possible.
In a future tutorial, I’ll begin to address some of these warnings/suggestions with my server setup Ansible playbook, so stay tuned to that update, which will feature a new script that you can use to provision more battle-ready servers, all in a single command.