Tutorial: VPS Security Audits Using Lynis

We've written in the past about general security-focused steps you can take to protect your VPS, such as enabling SSH authentication or general server maintenance, but there comes a time when everyone should start taking more steps to harden their VPSs against potential attacks. In the end, it doesn't really matter if you're running a personal blog or a SaaS application with highly sensitive customer data—you have a vested interest in keeping your data safe and ensuring your server isn't shut down or used for malicious actions. One way to figure out where your security is lacking is via a specialized tool that can audit common configurations and give recommendations on what to do moving forward. Lynis is one of those options. Lynis is available on all our OS options—Ubuntu, Debian, and CentOS—and the installation/usage instructions are the same for every platform, so this tutorial is OS agnostic.


  • A VPS running any of our available OS options.
  • A non-root user account (commands requiring escalated privileges will use sudo).

Step 1: Installing Lynis

Downloading and "installing" Lynis is as simple as cloning the Github repository to your VPS. If you're running a brand new VPS, you might not have Git installed yet. If you do, skip to the next step.
$ sudo apt-get install git   # Ubuntu/Debian
$ sudo yum install git       # CentOS
Let's clone the Lynis repository next:
$ git clone https://github.com/CISOfy/lynis
It's recommended to run the script as the root user, so we'll use chown to change the ownership of the script. If you run the command with sudo or su without changing ownership first, you'll receive a security warning, which you can ignore by hitting Enter or cancel with Ctrl+C. And, if you try running the command using your normal users, you'll get a warning that results will be incomplete due to some processing requiring higher privileges.
$ sudo chown -R 0:0 lynis
$ cd lynis
Finally, we can simply execute the built-in script.
$ su -
# ./lynis audit system

Interpreting the results

When Lynis completes, it will output warnings, suggestions, and some at-a-glance details of your security scan, such as a "hardening index" that you can use to score your efforts. For example, here's the output for a newly-rebuilt CentOS 7 server, set up using the Ansible playbook from a previous tutorial.
Lynis security scan details:

Hardening index : 70 [##############      ]
Tests performed : 208
Plugins enabled : 2

- Firewall               [V]
- Malware scanner        [X]

Lynis Modules:
- Compliance Status      [?]
- Security Audit         [V]
- Vulnerability Scan     [V]

- Test and debug information      : /var/log/lynis.log
- Report data                     : /var/log/lynis-report.dat
A hardening index of 70 is respectable, but with a wide margin for improvement. Fortunately, Lynis also outputs any warnings and suggestions that you can use to inform yourself about improvements that could make your server more hardened to potential attack. The following is a sample of the output, with some entries removed because they simply can't be fixed on a VPS, such as placing /var on a separate partition.
-[ Lynis 2.5.1 Results ]-

 Warnings (1):
 ! iptables module(s) loaded, but no 
Continue reading this article
by subscribing to our newsletter.
Subscribe now