12 Essential Tools to Scan Linux Servers for Security Flaws and Malware

Even though Linux-based systems are often considered highly secure, there are still risks that system administrators need to take seriously. Malicious threats like rootkits, viruses, ransomware, and more can attack Linux servers and cause major problems. No matter the operating system, implementing proper security measures is a must for servers, especially those used by large organizations and enterprises.

Fortunately, there are many great tools available for free or at low cost that can help scan Linux servers for vulnerabilities, malware, and other security issues. These tools focus on different aspects of Linux security, with capabilities to detect flaws in configurations, files, software, network traffic, and more. They can find hidden threats and prevent attacks by providing alerts, analysis reports, and even automatic remediation in some cases.

In this comprehensive guide, we will explore the top 12 tools to scan Linux servers for security flaws, malware, and other vulnerabilities.

Lynis – Security Auditing and Rootkit Detection

Lynis is a widely used open source security auditing tool for Linux, macOS, and Unix systems. It has been actively developed since 2007 under the GPL license.

[Image: Lynis interface showing scanning results]

Lynis performs comprehensive system scans to find security issues and configuration flaws. Rather than just identifying vulnerabilities, it also provides suggestions for improvements and remediation. To get full auditing reports, Lynis needs to run directly on the target system.

It can be extracted and executed from a downloaded package or tarball without requiring installation. Lynis is also available via Git clone for access to complete documentation and source code.

The tool was created by Michael Boelen, who also developed the renowned rootkit hunter Rkhunter. Lynis offers individual and enterprise packages with extensive capabilities for security auditing.

Key Features

  • Detects vulnerabilities and suggests fixes
  • Open source software with GPL license
  • Works on Linux, macOS, BSD, and Unix systems
  • Can run directly without installation
  • Enterprise support available
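
Lynis writes its findings to a machine-readable report (lynis-report.dat) alongside the on-screen output, which is what makes it usable as an automated audit gate. The parser below is an added example, not part of Lynis; the sample report is constructed in that file's key=value layout, with repeated `warning[]=`/`suggestion[]=` entries carrying `TEST-ID|text|details|solution` records, and the minimum hardening index is an assumed policy value.

```python
"""Parse a Lynis report file (lynis-report.dat layout) and apply a simple
policy gate: minimum hardening index, zero warnings."""
from collections import defaultdict

# Constructed sample in the lynis-report.dat layout: plain key=value lines,
# repeated "key[]=" entries form arrays, and each array entry is a
# '|'-separated record: TEST-ID|text|details|solution.
SAMPLE_REPORT = """\
# Lynis Report
report_version_major=1
hostname=web01
os=Linux
hardening_index=64
warning[]=FIRE-4512|iptables module(s) loaded, but no rules active|-|-|
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to NO)|-|
suggestion[]=AUTH-9262|Install a PAM module for password strength testing|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|X11Forwarding (set YES to NO)|-|
tests_executed=AUTH-9262|FIRE-4512|SSH-7408|
"""

def parse_report(text):
    """Return (scalars, arrays): scalars maps key -> value; arrays maps e.g.
    'warning' -> list of dicts with test/text/details/solution fields."""
    scalars, arrays = {}, defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.endswith("[]"):
            f = value.split("|") + ["", "", "", ""]   # pad short records
            arrays[key[:-2]].append(
                {"test": f[0], "text": f[1], "details": f[2], "solution": f[3]})
        else:
            scalars[key] = value
    return scalars, dict(arrays)

def evaluate(text, min_index=70):
    """Return (ok, findings): ok is False when the hardening index is below
    min_index or any warning[] entry is present; findings explains why."""
    scalars, arrays = parse_report(text)
    findings = []
    index = int(scalars.get("hardening_index", "0"))
    if index < min_index:
        findings.append(f"hardening_index {index} below {min_index}")
    for w in arrays.get("warning", []):
        detail = f" ({w['details']})" if w["details"] not in ("", "-") else ""
        findings.append(f"warning {w['test']}: {w['text']}{detail}")
    return not findings, findings
```

Pointing `evaluate` at a real report after a scheduled `lynis audit system --cronjob` run turns the suggestions into a pass/fail signal for configuration management or CI.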

Chkrootkit – Rootkit Detection

As the name suggests, Chkrootkit is a popular tool for detecting rootkits on Unix-based systems like Linux. Rootkits are a type of malware that can give attackers unauthorized remote access and control over a system.

[Image: Chkrootkit command line interface]

It uses system programs like strings and grep to identify issues. Chkrootkit can run from an alternative directory or a rescue disk, so it can rely on trusted binaries when scanning a possibly compromised system. Different components check for suspicious entries in system files, sniffer activity, rootkit configuration files, hidden directories, and other signs of infection.

To use chkrootkit, you need to download the latest version, extract the source, compile it, and run the scanner. It is one of the most widely used rootkit detection tools for Linux and Unix platforms.

Key Features

  • Detects rootkits and backdoors
  • Runs on Linux and Unix systems
  • Command line interface
  • Uses grep and strings for scans
  • Can run off rescue CD or disk

Rkhunter – Linux Rootkit Scanner

Rkhunter (Rootkit Hunter) was created in 2003 by developer Michael Boelen. It works on Linux and other POSIX-based operating systems to detect rootkits, backdoors, and possible security issues.

[Image: Rkhunter scan results in terminal]

It scans through the filesystem (hidden and visible files), default directories, kernel modules, and permissions for anything suspicious. Rkhunter compares scanned data to its own reliable databases and whitelists to detect unauthorized changes and malware.

Since Rkhunter is written in Bash, it runs on practically any Unix/Linux version. It is a top choice for administrators and security professionals looking to monitor Linux servers for signs of compromise.

Key Features

  • Detects rootkits and malware
  • Open source tool for Linux/Unix
  • Uses filesystem scans to find issues
  • Command line interface
  • Whitelist-based detection

ClamAV – Open Source Antivirus

ClamAV is a widely used open source antivirus engine for detecting trojans, viruses, malware, and other threats on Linux and Unix systems. It offers comprehensive scan capabilities to protect servers and users for free.

[Image: ClamAV web management dashboard]

Originally developed for Unix, ClamAV has third-party versions available across many platforms including Linux, BSD, AIX, macOS, Solaris, and more. It features automatic updates to its malware signature database for detecting the latest threats.

ClamAV includes command line scanning, a multi-threaded daemon for fast scans, and broad file format support, including documents, compressed archives, disk images, mail files, executables, and more.

Key Features

  • Open source antivirus engine
  • Detects trojans, viruses, malware
  • Automatic signature updates
  • Works on Unix, Linux, macOS, etc
  • Command line and daemon modes
  • Comprehensive file scanning
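
The daemon mode mentioned above is driven over a small socket protocol; the client below is an added example, not ClamAV's own code, showing how a buffer is framed for clamd's INSTREAM command and how the verdict is parsed. The TCP address 127.0.0.1:3310 is an assumption matching a TCPSocket setting in clamd.conf; framing and parsing are pure functions, so they can be checked without a running daemon.

```python
"""Minimal clamd INSTREAM client: frames bytes for the ClamAV daemon and
parses its verdict. Framing and parsing are pure functions, so they can be
checked without a running daemon."""
import socket
import struct

CHUNK = 8192   # bytes per INSTREAM chunk

def frame_instream(data, chunk_size=CHUNK):
    """Encode data for INSTREAM: the 'z'-prefixed, NUL-terminated command,
    then chunks of 4-byte big-endian length + payload, then a zero length."""
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        piece = data[off:off + chunk_size]
        out += struct.pack("!I", len(piece)) + piece
    out += struct.pack("!I", 0)
    return bytes(out)

def parse_reply(reply):
    """Map a clamd reply ('stream: OK', 'stream: <sig> FOUND', '... ERROR')
    to (status, detail) with status in {'OK', 'FOUND', 'ERROR'}."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return "OK", None
    if verdict.endswith(" FOUND"):
        return "FOUND", verdict[:-len(" FOUND")]
    return "ERROR", verdict or text

def scan_bytes(data, address=("127.0.0.1", 3310), timeout=30):
    """Stream data to clamd over TCP and return its verdict. The address is an
    assumption (clamd.conf TCPSocket 3310); a Unix socket needs only AF_UNIX."""
    with socket.create_connection(address, timeout=timeout) as s:
        s.sendall(frame_instream(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)

if __name__ == "__main__":
    # EICAR test string: a harmless file that every engine detects by convention.
    EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
    print(scan_bytes(EICAR))
```

Because the whole stream is buffered server-side, clamd enforces a StreamMaxLength limit and answers with an ERROR verdict when it is exceeded, which is why the parser treats anything that is neither OK nor FOUND as an error.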

LMD – Linux Malware Detect

Linux Malware Detect (LMD) is another malware scanner designed specifically to protect Linux systems in shared hosted environments. It uses malware signature databases to identify threats and terminate any malicious processes found.

[Image: LMD admin interface showing malware detection]

In addition to its own signatures, LMD can also leverage the ClamAV and Team Cymru malware databases for enhanced detection capabilities. It captures threat intelligence from networks and security systems to generate signatures for new malware strains seen in the wild.

The maldet command runs malware scans from the CLI. LMD was developed with Linux shared-hosting servers in mind.

Key Features

  • Specialized for Linux web hosting providers
  • Detects malware via signature database
  • Integrates with ClamAV and Cymru DBs
  • Generates signatures for new malware
  • Command line scanning interface

Radare2 – Binary Analysis Framework

Radare2 (r2) is a powerful reverse engineering framework for analyzing binaries to detect vulnerabilities, backdoors, and malware. It leverages advanced static and dynamic analysis techniques.

[Image: Radare2 displaying disassembly]

One of its key capabilities is identifying malformed binaries so they can be further assessed for threats. It also provides interfaces for managing infected programs and neutralizing issues. Radare2 uses a NoSQL database (SDB) for data representation.

The framework is highly extensible and intended for security researchers, malware analysts, developers, and more. It avoids forcing users into only a command line and provides multiple interface options.

Key Features

  • Static and dynamic analysis
  • Detects malware via binary inspection
  • Interfaces for data analysis
  • NoSQL database (SDB) for data representation
  • Highly extensible and customizable
  • Useful for security research and malware analysis

OpenVAS – Vulnerability Scanner

OpenVAS (Open Vulnerability Assessment System) is a widely used vulnerability scanner and manager. It helps organizations identify security flaws across their networks and assets.

[Image: OpenVAS dashboard showing high risk vulnerabilities]

Originally named GNessUs, OpenVAS is currently maintained by Greenbone Networks. It features continuous feed updates, with new Network Vulnerability Tests (NVTs) added in less than 24 hours. The NVT database contained over 47,000 tests as of June 2016.

OpenVAS is renowned for its high-speed scanning capabilities and configurability. Security experts utilize it for safe malware analysis through virtual machines. The source code is available under the GPL license.

Key Features

  • Finds vulnerabilities across networks
  • Fast scanning capabilities
  • Regular feed updates with new tests
  • Configurable for advanced use cases
  • Open source tool with GPL license
  • Useful for malware research

REMnux – Linux Distro for Malware Analysis

REMnux is a lightweight Linux distribution focused on reverse engineering and analyzing malware. It includes tools for detecting malware in web traffic, JavaScript, PDFs, obfuscated code, memory, and more.

[Image: REMnux Linux distro running in a virtual machine]

The distro features static and dynamic analysis capabilities to assess suspicious files that evade traditional malware scanners. It uses browser emulation, decoding tools, disassemblers, debuggers, and other utilities to uncover threats.

REMnux supports environments like virtual machines, docker containers, and cloud platforms. It can be used for safer analysis of advanced malware samples on Linux and Windows systems.

Key Features

  • Linux distro for reverse engineering malware
  • Detects malware in web code, PDFs, etc.
  • Static and dynamic analysis tools
  • Disassemblers, decoders, debuggers
  • Useful for analyzing evasive malware
  • Supports VMs, docker, cloud environments

Tiger – Security Audit and IDS Tool

Tiger is a vintage security toolkit first developed at Texas A&M University in 1992. It serves as both a security audit tool and intrusion detection system for Unix-like platforms.

Tiger utilizes POSIX-compliant tools to implement a robust framework for assessing system security configurations. The entire package is written in shell script, which keeps it portable across Linux and Unix.

It performs comprehensive security checks for system settings, configuration issues, vulnerabilities, and other flaws. Tiger is still actively maintained and widely used today alongside other POSIX-based tools.

Key Features

  • Security audit tool and IDS
  • Checks configurations for flaws
  • Written fully in shell scripting
  • Used with POSIX tools for Linux/Unix
  • Comprehensive system security checks
  • Actively maintained and supported

Maltrail – Traffic Analysis and Threat Detection

Maltrail operates as a network traffic analyzer to detect threats and block cyberattacks. It monitors traffic and compares sources against blacklists of known malicious sites and activities.

[Image: Maltrail dashboard displaying alerts for suspicious traffic]

In addition to blacklists, Maltrail uses heuristic mechanisms to identify threats. It can serve as an optional intrusion detection layer, and it is especially useful for investigating breaches and cleaning up compromised systems.

A sensor component passively monitors network traffic, sending data to the analyzer. If any suspicious sources are detected, Maltrail can block the traffic to prevent infections.

Key Features

  • Sniffs network traffic for threats
  • Compares traffic against blacklists
  • Advanced heuristics identify new malware
  • Can block malicious traffic
  • Passive monitoring sensor
  • Useful for post-breach analysis
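
The two detection stages described above, a lookup against a list of known-bad trails and a heuristic for names that match no list, are shown below as an added example in Python; it is not Maltrail's code. The trail list, the record format and the entropy thresholds are this example's assumptions, and all addresses and names are constructed from documentation ranges.

```python
"""Passive-sensor style triage: trail (blacklist) lookup plus a heuristic (not Maltrail's code)."""
import math
from collections import Counter

# Constructed trail list: a domain entry also covers its subdomains.
TRAILS = {
    "c2.bad.example.net": "known C2 domain (constructed)",
    "203.0.113.7": "sinkholed IP (constructed, TEST-NET-3)",
}

# Constructed sensor records: "timestamp src_ip dst_ip host" ('-' = no name).
SAMPLE_LOG = """\
2024-05-01T10:00:01 10.0.0.5 192.0.2.34 www.example.com
2024-05-01T10:00:02 10.0.0.5 203.0.113.7 -
2024-05-01T10:00:03 10.0.0.9 198.51.100.20 beacon.c2.bad.example.net
2024-05-01T10:00:04 10.0.0.9 198.51.100.21 xq7zk2p9vb4tn8wd1lf6.example.org
2024-05-01T10:00:05 10.0.0.7 192.0.2.10 mail.example.com
"""

def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def blacklist_hit(host, ip):
    """Exact IP match, or host equal to / under a listed domain."""
    if ip in TRAILS:
        return TRAILS[ip]
    labels = host.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in TRAILS:
            return TRAILS[suffix]
    return None

def heuristic_hit(host, min_len=16, min_entropy=3.8):
    """Flag a long, high-entropy leftmost label, the rough shape of a
    DGA-generated name. Thresholds are illustrative assumptions."""
    label = host.split(".")[0]
    if len(label) >= min_len and label.isalnum():
        e = shannon_entropy(label)
        if e >= min_entropy:
            return f"DGA-like label (len={len(label)}, entropy={e:.2f})"
    return None

def triage(log_text):
    """Return one (src_ip, indicator, reason) tuple per suspicious record."""
    alerts = []
    for line in log_text.splitlines():
        _ts, src, dst, host = line.split()
        reason = blacklist_hit(host, dst) or heuristic_hit(host)
        if reason:
            alerts.append((src, dst if host == "-" else host, reason))
    return alerts
```

The heuristic stage is where false positives come from (CDN and cloud hostnames can look random), so in practice its alerts are reviewed rather than fed straight into blocking.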

YARA – Pattern Matching for Malware Detection

YARA (Yet Another Ridiculous Acronym) is a tool used to identify malware samples and perform pattern matching across suspicious files. It utilizes text and binary patterns to accelerate detection.

[Image: YARA scan results displaying malware detections]

YARA works on Linux, Windows, and macOS systems. Some advanced features require OpenSSL, but the basic signature-based scanning works out of the box. It can integrate into sandboxes like Cuckoo for safe malware analysis.

The tool was developed to enrich and streamline detection capabilities for security researchers and malware analysts. YARA is useful for quickly recognizing viruses, trojans, and other threats based on code signatures.

Key Features

  • Pattern matching using signatures
  • Detects malware based on code patterns
  • Works on Linux, Windows, and macOS
  • Integrates with Cuckoo sandbox
  • Useful for malware research/analysis
  • Fast detection capabilities

Vuls – Agentless Vulnerability Scanner

Vuls is an advanced open-source vulnerability scanner designed for Linux and FreeBSD systems. It is agentless and does not require any software on target machines. You can deploy it on-premises, in the cloud, or with docker containers.

[Image: Vuls dashboard showing vulnerability scan results]

Vuls leverages vulnerability databases like NVD, OVAL, FreeBSD-SA, and others to perform scans. It can even detect vulnerabilities without published patches.

You can use Vuls in remote or local scan modes. For remote scanning, it connects to target machines over SSH from the central Vuls server. The local scan mode avoids SSH connections for air-gapped networks.

It also scans non-OS packages, including your own compiled software, language libraries, frameworks, etc. The project's tutorial helps you get started with Vuls, which also supports email and Slack notifications.

Key Features

  • Agentless vulnerability scanner
  • Compatible with Linux and FreeBSD
  • Uses multiple vulnerability databases
  • Detects unpatched vulnerabilities
  • Remote and local scan modes
  • Scans custom compiled packages
  • Email and Slack notifications

How to Choose the Right Tool

All of these security tools are very effective at what they do. With so many options available, system administrators need to evaluate their specific needs and environments to select the right scanner.

Lightweight tools can initially uncover the general area of concern. You can then leverage more advanced programs that focus directly on the discovered problem for remediation. Some applications also work well together in stacks.

For example, Lynis, Tiger, and Vuls help find configuration issues, vulnerabilities, and patch status across Linux systems. Tools like Rkhunter, Maltrail, and YARA focus on malware detection through different techniques. ClamAV, LMD, and OpenVAS specialize in finding viruses, trojans, vulnerabilities, and other specific threats.

The most important factors are understanding your use cases, requirements, and infrastructure to choose the best security scanners for Linux servers. Start with recommendations from trusted resources and the Linux community when evaluating tools. Combining multiple solutions can significantly improve coverage across different aspects of Linux security.
