Tutorial: VPS Security Audits Using Lynis

We’ve written in the past about general security-focused steps you can take to protect your VPS, such as enabling SSH authentication or general server maintenance, but there comes a time when everyone should start taking more steps to harden their VPSs against potential attacks.

In the end, it doesn’t really matter if you’re running a personal blog or a SaaS application with highly sensitive customer data—you have a vested interest in keeping your data safe and ensuring your server isn’t shut down or used for malicious actions.

One way to figure out where your security is lacking is via a specialized tool that can audit common configurations and give recommendations on what to do moving forward. Lynis is one of those options.

Lynis is available on all our OS options—Ubuntu, Debian, and CentOS—and the installation/usage instructions are the same for every platform, so this tutorial is OS agnostic.

Prerequisites

  • A VPS running any of our available OS options.
  • A non-root user account (commands requiring escalated privileges will use sudo).

Step 1: Installing Lynis

Downloading and “installing” Lynis is as simple as cloning the GitHub repository to your VPS. If you’re running a brand new VPS, you might not have Git installed yet. If you do, skip to the next step.

$ sudo apt-get install git   # Ubuntu/Debian
$ sudo yum install git       # CentOS

Let’s clone the Lynis repository next:

$ git clone https://github.com/CISOfy/lynis

It’s recommended to run the script as the root user, so we’ll use chown to change the ownership of the cloned files to root. If you run the command with sudo or su without changing ownership first, you’ll receive a security warning, which you can ignore by hitting Enter or cancel with Ctrl+C. And if you try running the command as your normal user, you’ll get a warning that results will be incomplete, because some checks require higher privileges.

$ sudo chown -R 0:0 lynis
$ cd lynis

Finally, we can simply execute the built-in script.

$ sudo ./lynis audit system   # run from the cloned lynis directory; sudo provides the root privileges the audit needs

Interpreting the results

When Lynis completes, it will output warnings, suggestions, and some at-a-glance details of your security scan, such as a “hardening index” that you can use to score your efforts.

For example, here’s the output for a newly-rebuilt CentOS 7 server, set up using the Ansible playbook from a previous tutorial.

Lynis security scan details:

Hardening index : 70 [##############      ]
Tests performed : 208
Plugins enabled : 2

Components:
- Firewall               [V]
- Malware scanner        [X]

Lynis Modules:
- Compliance Status      [?]
- Security Audit         [V]
- Vulnerability Scan     [V]

Files:
- Test and debug information      : /var/log/lynis.log
- Report data                     : /var/log/lynis-report.dat

A hardening index of 70 is respectable, but with a wide margin for improvement. Fortunately, Lynis also outputs any warnings and suggestions that you can use to inform yourself about improvements that could make your server more hardened to potential attack.

The following is a sample of the output, with some entries removed because they simply can’t be fixed on a VPS, such as placing /var on a separate partition.

-[ Lynis 2.5.1 Results ]-

 Warnings (1):
 ----------------------------
 ! iptables module(s) loaded, but no rules active [FIRE-4512]
     https://cisofy.com/controls/FIRE-4512/

 Suggestions (30):
 ----------------------------
 * Configure minimum password age in /etc/login.defs [AUTH-9286]
     https://cisofy.com/controls/AUTH-9286/

 * Configure maximum password age in /etc/login.defs [AUTH-9286]
     https://cisofy.com/controls/AUTH-9286/

 * Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027) [AUTH-9328]
     https://cisofy.com/controls/AUTH-9328/

[...]

 * Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft [STRG-1840]
     https://cisofy.com/controls/STRG-1840/

 * Disable drivers like firewire storage when not used, to prevent unauthorized storage or data theft [STRG-1846]
     https://cisofy.com/controls/STRG-1846/

 * Check DNS configuration for the dns domain name [NAME-4028]
     https://cisofy.com/controls/NAME-4028/

 * Install package 'yum-utils' for better consistency checking of the package database [PKGS-7384]
     https://cisofy.com/controls/PKGS-7384/

 * Consider running ARP monitoring software (arpwatch,arpon) [NETW-3032]
     https://cisofy.com/controls/NETW-3032/

 * Consider hardening SSH configuration [SSH-7408]
   - Details  : AllowTcpForwarding (YES --> NO)
     https://cisofy.com/controls/SSH-7408/

 * Consider hardening SSH configuration [SSH-7408]
   - Details  : ClientAliveCountMax (3 --> 2)
     https://cisofy.com/controls/SSH-7408/

 * Consider hardening SSH configuration [SSH-7408]
   - Details  : Compression (DELAYED --> NO)
     https://cisofy.com/controls/SSH-7408/

 * Consider hardening SSH configuration [SSH-7408]
   - Details  : LogLevel (INFO --> VERBOSE)
     https://cisofy.com/controls/SSH-7408/

 * Consider hardening SSH configuration [SSH-7408]
   - Details  : MaxAuthTries (6 --> 2)
     https://cisofy.com/controls/SSH-7408/

 * Consider hardening SSH configuration [SSH-7408]
   - Details  : MaxSessions (10 --> 2)
     https://cisofy.com/controls/SSH-7408/

 * Consider hardening SSH configuration [SSH-7408]
   - Details  : Port (22 --> )
     https://cisofy.com/controls/SSH-7408/

 * Consider hardening SSH configuration [SSH-7408]
   - Details  : TCPKeepAlive (YES --> NO)
     https://cisofy.com/controls/SSH-7408/

 * Consider hardening SSH configuration [SSH-7408]
   - Details  : UseDNS (YES --> NO)
     https://cisofy.com/controls/SSH-7408/

 * Consider hardening SSH configuration [SSH-7408]
   - Details  : AllowAgentForwarding (YES --> NO)
     https://cisofy.com/controls/SSH-7408/

 * Add a legal banner to /etc/issue, to warn unauthorized users [BANN-7126]
     https://cisofy.com/controls/BANN-7126/

 * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
     https://cisofy.com/controls/BANN-7130/

 * Enable process accounting [ACCT-9622]
     https://cisofy.com/controls/ACCT-9622/

 * Enable sysstat to collect accounting (no results) [ACCT-9626]
     https://cisofy.com/controls/ACCT-9626/

 * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
     https://cisofy.com/controls/FINT-4350/

 * Determine if automation tools are present for system management [TOOL-5002]
     https://cisofy.com/controls/TOOL-5002/

 * One or more sysctl values differ from the scan profile and could be tweaked [KRNL-6000]
     https://cisofy.com/controls/KRNL-6000/

 * Harden compilers like restricting access to root user only [HRDN-7222]
     https://cisofy.com/controls/HRDN-7222/

 * Harden the system by installing at least one malware scanner, to perform periodic file system scans [HRDN-7230]
   - Solution : Install a tool like rkhunter, chkrootkit, OSSEC
     https://cisofy.com/controls/HRDN-7230/

You can also examine the full log of your scan at /var/log/lynis.log.
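Because the point of the tutorial is to re-run Lynis and watch the hardening index climb, it helps to compare two runs mechanically rather than by eye. The following shell functions are an added example, not part of the original tutorial or of Lynis itself. They read the machine-readable report file that the scan summary names (/var/log/lynis-report.dat) and assume, as a labelled assumption, that it consists of key=value lines such as `hardening_index=70`, `warning[]=ID|text|details|-|` and `suggestion[]=ID|text|details|-|`. The two report files used below are constructed samples built from the numbers quoted on this page (index 70 before, 77 after); the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise and diff two Lynis report files.
# Assumed format (not guaranteed by the page): key=value lines, with findings as
#   warning[]=CONTROL-ID|text|details|-|   and   suggestion[]=CONTROL-ID|text|details|-|

# Hardening index recorded in a report file.
report_index() {
    awk -F= '$1 == "hardening_index" { print $2 }' "$1"
}

# Number of warning[] or suggestion[] lines: report_count FILE warning|suggestion
report_count() {
    grep -c "^$2\[\]=" "$1" || true    # grep exits 1 when the count is 0; still print it
}

# Distinct findings as "CONTROL-ID|details", sorted, so repeated controls
# (e.g. several SSH-7408 entries) are told apart by their detail field.
report_findings() {
    grep -E '^(warning|suggestion)\[\]=' "$1" | cut -d= -f2- | cut -d'|' -f1,3 | sort -u
}

# Findings present in BEFORE but absent from AFTER: resolved_findings BEFORE AFTER
resolved_findings() {
    t1=$(mktemp); t2=$(mktemp)
    report_findings "$1" > "$t1"
    report_findings "$2" > "$t2"
    comm -23 "$t1" "$t2"
    rm -f "$t1" "$t2"
}

# Human-readable comparison; exit status is non-zero if the index went down,
# which makes it usable as a guard in a provisioning pipeline.
compare_reports() {
    b=$(report_index "$1"); a=$(report_index "$2")
    echo "hardening index: $b -> $a ($((a - b)))"
    echo "warnings:        $(report_count "$1" warning) -> $(report_count "$2" warning)"
    echo "suggestions:     $(report_count "$1" suggestion) -> $(report_count "$2" suggestion)"
    echo "resolved findings:"
    resolved_findings "$1" "$2" | sed 's/^/  /'
    [ "$a" -ge "$b" ]
}

# Constructed sample reports (before and after the SSH changes) for offline use.
write_sample_reports() {
    cat > "$1" <<'EOF'
# Lynis Report (constructed sample for this example)
hardening_index=70
lynis_tests_done=208
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (YES --> NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (6 --> 2)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|UseDNS (YES --> NO)|-|
suggestion[]=HRDN-7230|Harden the system by installing at least one malware scanner, to perform periodic file system scans|-|-|
EOF
    cat > "$2" <<'EOF'
# Lynis Report (constructed sample for this example)
hardening_index=77
lynis_tests_done=208
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
suggestion[]=AUTH-9286|Configure minimum password age in /etc/login.defs|-|-|
suggestion[]=HRDN-7230|Harden the system by installing at least one malware scanner, to perform periodic file system scans|-|-|
EOF
}

# Demo on the constructed samples. On a real server you would copy
# /var/log/lynis-report.dat aside before and after a change and compare the copies.
before=$(mktemp); after=$(mktemp)
write_sample_reports "$before" "$after"
compare_reports "$before" "$after"
rm -f "$before" "$after"
```

Keeping a dated copy of the report file after each run gives you an audit trail of what each change actually fixed, which is more reliable than remembering the index from last time.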

Taking action on gaps in your security

As you can see, Lynis gave me one warning and 30 suggestions, all of which, when fixed, will help make my server more secure. Every warning and suggestion comes with a link to documentation that will help you understand the issue and example fixes, so be sure to take advantage of those resources.

Because all of us use SSH to connect to our VPSs, let’s walk through some basic fixes that will clear the SSH-related suggestions Lynis reported. Note: your default sshd configuration might look slightly different depending on your OS and any tweaks you might have already made.

$ sudo nano /etc/ssh/sshd_config

We can uncomment the lines about agent forwarding and TCP forwarding and explicitly disallow them.

#AllowAgentForwarding yes
#AllowTcpForwarding yes
---
AllowAgentForwarding no
AllowTcpForwarding no

Same with ClientAliveCountMax:

#ClientAliveCountMax 3
---
ClientAliveCountMax 2

And the compression settings:

#Compression delayed
---
Compression no

Let’s change the MaxAuthTries and MaxSessions at the same time:

#MaxAuthTries 6
#MaxSessions 10
---
MaxAuthTries 2
MaxSessions 2

Disabling TCPKeepAlive:

#TCPKeepAlive yes
---
TCPKeepAlive no

And, finally, DNS:

#UseDNS yes
---
UseDNS no

Now save the file and restart the sshd service so that the changes take effect, then run Lynis again to see the results.

$ sudo systemctl restart sshd
$ sudo ./lynis audit system   # again from the cloned lynis directory
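Editing sshd_config by hand works once, but the same edits will be needed on every new VPS, and a typo in that file can lock you out when sshd restarts. The script below is an added example, not code from the tutorial or from Lynis: it applies the eight changes made above idempotently (commented-out directives are replaced rather than duplicated, and running it twice is a no-op), and it demonstrates the safe order of operations: edit a file, validate it, then restart. The function names and the sample config are this example's own; the sample is a constructed fragment of a stock sshd_config with the relevant directives still commented out.

```shell
#!/bin/sh
# Added example: idempotent sshd_config hardening. Works on any file path so it
# can be exercised on a scratch copy before touching /etc/ssh/sshd_config.

# set_sshd_option FILE KEY VALUE
# Rewrites an active or commented "KEY ..." line to "KEY VALUE", or appends the
# directive when FILE does not mention KEY. Values must not contain '/' or '&'
# (they are used unescaped in the sed replacement). Does not understand Match
# blocks: a directive inside one would be rewritten as well.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        tmp=$(mktemp)
        sed -E "s/^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$/${key} ${value}/" "$file" > "$tmp"
        cat "$tmp" > "$file"        # write in place to keep the file's owner and mode
        rm -f "$tmp"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# get_sshd_option FILE KEY -> the effective (uncommented) value, first match wins
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# The changes made by hand in the tutorial, applied in one go.
harden_sshd_config() {
    file=$1
    set_sshd_option "$file" AllowAgentForwarding no
    set_sshd_option "$file" AllowTcpForwarding no
    set_sshd_option "$file" ClientAliveCountMax 2
    set_sshd_option "$file" Compression no
    set_sshd_option "$file" MaxAuthTries 2
    set_sshd_option "$file" MaxSessions 2
    set_sshd_option "$file" TCPKeepAlive no
    set_sshd_option "$file" UseDNS no
}

# Constructed sample resembling a stock sshd_config fragment.
make_sample_config() {
    cat > "$1" <<'EOF'
# sshd_config fragment (constructed for this example)
Port 22
#MaxAuthTries 6
#MaxSessions 10
#TCPKeepAlive yes
#Compression delayed
#ClientAliveCountMax 3
#UseDNS yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Demonstration on a scratch file. The real sequence, run as root, would be:
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config
#   sshd -t && systemctl restart sshd     # only restart if the config parses
demo() {
    scratch=$(mktemp)
    make_sample_config "$scratch"
    harden_sshd_config "$scratch"
    harden_sshd_config "$scratch"         # second run changes nothing
    cat "$scratch"
    rm -f "$scratch"
}
demo
```

The `sshd -t` step matters more than it looks: sshd refuses to start on a config it cannot parse, and if you restart the service before checking, the session you are typing in may be the last one you get. Keep an existing SSH session open while you restart, and verify a fresh login works before closing it.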

After editing just a few lines in the ssh configuration, my hardening index score has jumped to 77, and I’m down to 1 warning/23 suggestions. Not bad for just a few minutes of work!

Now, most of these warnings and suggestions are beyond the scope of this tutorial, but the basic idea is to tackle them one or two at a time, re-run Lynis, and keep working to make your server as secure as possible.

In a future tutorial, I’ll begin to address some of these warnings/suggestions with my server setup Ansible playbook, so stay tuned to that update, which will feature a new script that you can use to provision more battle-ready servers, all in a single command.
