Linux Tactic

10 Essential Linux Commands for Enhanced Device Security

10 Basic Linux Commands for Device Security

If you are a Linux system administrator or a user, then you must know the basics of Linux commands. Understanding Linux commands can help you in securing your device, monitoring processes, and diagnosing issues.

In this article, we will discuss ten basic Linux commands that can be used for device security. From monitoring network traffic to setting up basic security rules, these commands will provide you with the necessary tools to secure your Linux device.

1. Monitoring device with netstat

Netstat is a command-line utility tool used to monitor and display network connections and routing tables.

It can be used to show open ports on your device, which can help in troubleshooting networking issues. To see all open ports on your device, use the following command:

$ netstat -tulpen

This command displays all listening ports, including their protocols, PID, and process name.

It also shows the remote address of established connections. 2.

Setting basic rules with UFW

UFW (Uncomplicated Firewall) is a front-end tool for configuring iptables rules. It is used to set up basic firewall rules on your device, which can help in protecting it from unauthorized access.

To install UFW, use the following command:

$ sudo apt-get install ufw

To enable UFW to protect your device, turn it on and allow essential traffic (SSH, HTTP, HTTPS) using the following commands:

$ sudo ufw enable

$ sudo ufw allow ssh

$ sudo ufw allow http

$ sudo ufw allow https

3. Auditing with nmap

Nmap is a network scanner that can be used for auditing your device for open ports and services.

It can also be used to identify potential vulnerabilities in your device. To scan your device using nmap, use the following command:

$ sudo nmap -sS

This command scans your device for TCP connections and flags open ports.

Nmap also displays information on detected operating systems and services. 4.

Checking for chrootkit infections with chkrootkit

Chkrootkit is a rootkit scanner that can be used to detect any rootkit infections in your device. It can scan for all rootkit-related files and hidden processes that could pose as security threats.

To install and run chkrootkit, use the following command:

$ sudo apt-get install chkrootkit

$ sudo chkrootkit

5. Checking processes with top

Top is a utility tool used to monitor and display all running processes in your device, as well as their resource utilization.

To view all running processes in real-time, use the following command:

$ top

This command displays all running processes in descending order of resource utilization, from highest to lowest. 6.

Monitoring network traffic with iftop

Iftop is a command-line utility tool used to monitor and display all network traffic on your device. It is used to identify any suspicious network activity.

To install and run iftop, use the following command:

$ sudo apt install iftop

$ sudo iftop

This command displays all network traffic on your device, including the source and destination IP addresses, as well as the ports used. 7.

Checking for open files and processes with lsof

Lsof is a command-line utility tool used to display all open files and processes in your device. It can be used to identify any suspicious files or processes running on your device.

To display all open files and processes, use the following command:

$ sudo lsof

This command displays all open files and processes in your device, including their command names, PIDs, and file descriptors. 8.

Identifying logged in users with who and w

Who and w are command-line utility tools used to display the currently logged-in users in your device. They can help in identifying any unauthorized access to your device.

To display all currently logged-in users, use the following commands:

$ who

$ w

These commands display the currently logged-in users, including their username, terminal, IP address, and login time. 9.

Checking login activity with last

Last is a command-line utility tool used to display the login activity of users on your device. It shows the login times, duration, and terminal used by each user.

To display the login activity of users on your device, use the following command:

$ sudo last

This command displays the login activity of users on your device, including their usernames, login times, and terminals used. 10.

Using SELinux for restriction and security

SELinux is a security enhancement to the Linux kernel that enforces mandatory access control policies. It can be used to restrict access to resources and files on your device, as well as protect it from unauthorized access.

To enable and configure SELinux on your device, use the following commands:

$ sudo apt-get install selinux

$ sudo selinux

Conclusion

By knowing and using these basic Linux commands, you can greatly enhance the security of your Linux device. They can help you to monitor network traffic, identify potential threats, and secure your device from unauthorized access.

Incorporating these commands into your device’s security protocols can help ensure a safe and secure computing experience.

3) UFW and Firewallsto UFW and firewalls

Firewalls, such as UFW, are essential for securing your Linux device from unauthorized access. UFW is a front-end tool for configuring iptables rules, which is a firewall program built into the Linux kernel.

It can be used to manage incoming and outgoing traffic, allowing authorized traffic and blocking unauthorized traffic.

Enabling firewall at startup

To enable your firewall at startup, you need to ensure that UFW is installed and running on your device. To install UFW, use the following command:

$ sudo apt-get install ufw

Once it is installed, you can enable UFW at startup by using the following command:

$ sudo systemctl enable ufw

This command ensures that UFW starts automatically on system boot-up.

Applying a restrictive policy with UFW

UFW can be used to apply a restrictive policy on your device, which can help in protecting it from unauthorized access. To apply a restrictive policy, you need to deny all incoming traffic and allow only authorized traffic through.

To apply a restrictive policy, use the following commands:

$ sudo ufw default deny incoming

$ sudo ufw default allow outgoing

These commands deny all incoming traffic and allow only outgoing traffic from your device.

Manually opening ports with UFW

UFW can be used to open specific ports on your device so that authorized traffic can pass through. To manually open a port, you need to specify the protocol and port number.

To open a port, use the following command:

$ sudo ufw allow /

For example, to open port 22 (SSH), use the following command:

$ sudo ufw allow ssh

4) Nmap for Network Security Auditingto Nmap

Nmap is a powerful open-source network scanner that can be used for network exploration, security auditing, and vulnerability scanning. It is designed to detect open ports, running services, and operating systems on any host connected to a network.

Scanning for open ports with Nmap

One of the main uses of Nmap is detecting open ports on a target device or network. The command for scanning all open ports on a device with Nmap is:

$ sudo nmap -p-

This command scans all ports on the target device, regardless of whether they are open or not.

The output displays each open port, the protocol used, and the service running on that port.

Additional capabilities of Nmap

Aside from detecting open ports, Nmap has other features that make it a versatile tool for network security auditing. For example, Nmap can be used to detect the operating system of the target device, as well as identify the services that are running on each open port.

Another feature of Nmap is it’s ability to scan for vulnerabilities on the target device. Using Nmap’s scripting engine, it can be configured to run specific scripts that can detect common vulnerabilities in services running on open ports.

This can help in identifying any potential security threats and patching them before they are exploited.

Using Nmap for vulnerability scans

One of the most popular uses of Nmap is conducting vulnerability scans on a target device or network. This involves scanning for open ports, identifying services running on each port, and determining whether any of those services have any known vulnerabilities.

Nmap can be used for vulnerability scanning by using specific scripts, such as the Vulnerability Scanner Script (vulscan). This script utilizes the National Vulnerability Database (NVD) to search for known vulnerabilities in services running on open ports.

To use the vulscan script, use the following commands:

$ git clone https://github.com/scipag/vulscan

$ sudo nmap -sS –script=vulscan/vulscan.nse

This command clones the vulscan repository, then runs the script against the target device. The output displays any vulnerabilities detected and provides links to more information on the specific vulnerability.

Conclusion:

UFW and Nmap are two powerful tools for securing your Linux device and conducting network security audits. By understanding how to apply a restrictive policy with UFW, manually open ports, and using Nmap for open port scanning and vulnerability detection, you can enhance the security of your device and prevent any potential security threats.

5) Chkrootkit Command for Checking Rootkitsto rootkits

Rootkits are among the most malicious and sophisticated forms of malware that can give an attacker full control over a compromised system while keeping their presence hidden from users and system administrators. Once installed, rootkits can perform a wide range of actions, including bypassing security mechanisms, stealing sensitive data, and launching attacks on other computers.

Using chkrootkit to detect known rootkits

Chkrootkit is an open-source tool that can be used to detect known rootkits on a Linux-based system. It checks for signs of rootkits by scanning core system files, libraries, and executables.

To install and run chkrootkit, use the following commands:

$ sudo apt-get install chkrootkit

$ sudo chkrootkit

This command runs a scan on your system and reports any suspicious activity that may be indicative of rootkit presence. Chkrootkit checks for altered system binaries, hidden files, and network connections used by rootkits.

When the scan is complete, chkrootkit outputs any possible signs of a rootkit infection, with recommendations on what to do next. It is important to note that not all suspicious activity is necessarily indicative of a rootkit, and some legitimate system activities can also trigger warning messages.

6) Monitoring Resources and Network Traffic

Checking running processes with top

Top is a system monitor that shows real-time information about the processes running on your system. It can be used to monitor and diagnose performance issues.

To open the top utility, use the following command:

$ top

This command displays a list of processes sorted by their resource usage, with the most resource-intensive processes listed at the top. Top provides additional information on each process, including the process ID (PID), CPU and memory usage, and user ownership.

By monitoring the top output regularly, you can identify potential problems with system resource usage, such as a CPU-intensive process or memory leak.

Monitoring network traffic with iftop

Iftop is a command-line network monitoring tool that shows real-time bandwidth usage for each connection on your device. It lists all active network connections by interface, along with the amount of data transfer and the current transfer rate.

To install and run iftop, use the following commands:

$ sudo apt install iftop

$ sudo iftop

This command displays incoming and outgoing network connections, ordered by the amount of data transferred. Iftop provides additional information, including the source and destination IP addresses, port numbers, and the protocol used.

By monitoring network traffic with iftop, you can identify any unusual network activity, such as a high rate of incoming or outgoing traffic from unknown sources. If you notice any suspicious activity, you can investigate it further and take necessary actions to prevent any security threats.

Conclusion:

By using these tools to monitor and diagnose system resource usage and network traffic, you can stay on top of potential security threats and system performance issues. Rootkit detection using chkrootkit is an essential component of device security as rootkits can be incredibly damaging if left undetected.

Using top and iftop can aid in diagnosing and resolving issues with process resource usage and identifying any unusual network activity that may pose a security risk. Incorporating these tools into your device security protocol is vital to keep your system safe and secure.

7) Checking Files, Users, and Login Activity

Listing open files and associated processes with lsof

Lsof (List Open Files) is a command-line utility that lists all open files and the processes using them on a Linux system. It provides valuable information about which files are open, the processes that have them open, and the associated file descriptors.

To use lsof, simply run the following command:

$ lsof

The output of the lsof command includes the process ID (PID), user, file type, file size, and file name. It can be sorted and filtered to obtain specific information.

For example, to list all open network connections, use the following command:

$ lsof -i

This command displays all open network connections, including the protocol used, local and remote IP addresses, and port numbers. Lsof is a powerful tool for monitoring file and process activity on your system.

It can be particularly helpful in identifying processes that are holding onto files and may be causing issues or security concerns.

Identifying logged in users with who and w

The “who” and “w” commands provide information about currently logged in users on a Linux system. They display details such as the username, terminal, IP address, and login time.

To use the “who” command, simply run the following command:

$ who

The output of the “who” command displays all logged-in users in a concise format, including their usernames, terminal numbers, login times, and IP addresses. The “w” command provides similar information but in a more detailed and user-friendly format.

It provides additional details such as the load average, the time the user has been idle, and the JCPU (the time used by all processes attached to the user’s terminal).

Checking login activity with last

The “last” command displays a list of previous login activity on a Linux system. It provides information about when users logged in and logged out, as well as the duration of their sessions.

To use the “last” command, simply run the following command:

$ last

The output of the “last” command shows a chronological list of previous logins, including the username, terminal, and time of login and logout. This information can be useful in auditing user activity, detecting unauthorized access, or tracking login patterns.

Monitoring user activity with history

The “history” command allows you to view the command history of a specific user on a Linux system. It shows a list of previous commands executed by the user, along with the time and date of execution.

To view the command history of a user, use the following command:

$ history

By default, the “history” command shows only the most recent commands executed in the current shell session. To view the complete command history, including commands executed in previous sessions, you can append the “-a” option:

$ history -a

The command history is particularly useful for tracking user activity, troubleshooting issues, or reproducing a series of commands.

However, keep in mind that the command history is stored in plain text in the user’s home directory and can be viewed by anyone with access to the system.

Conclusion

By utilizing tools such as lsof, who, w, last, and history, you can gain valuable insights into file usage, the presence of logged-in users, login activity, and user command history on your Linux system. Monitoring these aspects can help you identify potential security threats, troubleshoot issues, and track user activity.

Incorporating these tools into your device security and monitoring strategies can enhance the overall security and stability of your system. In conclusion, monitoring and securing your Linux device through various commands is crucial for maintaining its security and stability.

By using tools like netstat, UFW, nmap, chkrootkit, top, iftop, lsof, who, w, last, and history, you can identify open ports, set up firewall rules, audit network security, detect rootkits, monitor resource usage and network traffic, and track login and user activity. These tools provide insights into potential security threats, help troubleshoot issues, and enable proactive measures for mitigating risks.

By incorporating these practices into your device security protocol, you can enhance the protection of your system and ensure a safer computing environment. Remember, staying vigilant and proactive in securing your Linux device is essential for a secure and successful user experience.

Popular Posts