Run a Server Security Audit in 5 Minutes
You just got a new server — or finished deploying a fresh VPS — and the first question that pops up is: is this thing wide open to hackers? Lynis answers that question with exactly 3 commands:
# Install Lynis (Ubuntu/Debian)
sudo apt install lynis -y
# Run a full system audit
sudo lynis audit system
# View the full report (for one test's details, use: sudo lynis show details TEST-ID)
sudo lynis show report
The scan takes about 2–3 minutes. At the end of the output you’ll see a Hardening index line — your security score out of 100. A freshly installed Ubuntu server typically scores 55–65. The realistic goal is to push it above 80.
Why Lynis Is Different from Other Scanners
Nessus and OpenVAS scan your server from the outside — like taking an X-ray from a distance. Lynis works differently: it runs directly inside the server, reading configuration files, kernel parameters, user permissions, and over 200 checkpoints that a remote scanner simply can’t see.
After auditing 10+ real-world servers, I’ve noticed most of them share the same set of vulnerabilities: SSH still allows root login, the firewall isn’t enabled, log rotation isn’t configured, and SUID/SGID files are left unchecked. Each one takes only 5–10 minutes to fix — but without a scanning tool, they’re incredibly easy to miss.
What Does Lynis Check?
- Authentication: SSH config, PAM, sudo rules, password policy
- File systems: mount options, world-writable files, SUID/SGID binaries
- Kernel: sysctl parameters, kernel hardening
- Networking: open ports, firewall status, TCP/IP stack settings
- Software: package updates, malware scanners, log daemons
- Users & groups: UID 0 accounts, empty passwords, home directory permissions
Reading Lynis Results — Understanding Every Line of Output
The terminal output after a scan can look intimidating — a colorful wall of text several hundred lines long. The structure is actually quite simple; you just need to remember 4 symbols:
- [OK]: Passed, nothing to do
- [WARNING]: There’s an issue, fix it soon
- [SUGGESTION]: Improvement suggestion, prioritize as needed
- [FOUND]: Something noteworthy was detected, needs further review
Scroll to the bottom of the output for the most important section — Suggestions and Warnings:
# View warning details
grep -A 3 "Warning" /var/log/lynis.log
# View the full report
cat /var/log/lynis-report.dat
The file /var/log/lynis-report.dat contains all results in machine-readable format, making it convenient for automated parsing or feeding into a monitoring script.
Common Warnings and How to Fix Them
1. SSH root login is permitted
# Fix: disable SSH root login (Ubuntu ships the line commented out, so match it with or without a leading '#')
sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
# Validate the config and confirm the effective value (drop-ins under /etc/ssh/sshd_config.d can override it), then reload
sudo sshd -t && sudo sshd -T | grep -i permitrootlogin
sudo systemctl reload sshd
2. Firewall is not active
# Enable UFW (allow SSH first: once enabled, the default deny-incoming policy would refuse new remote sessions)
sudo ufw allow ssh
sudo ufw enable
sudo ufw status
3. Kernel hardening — sysctl not optimized
# Append to /etc/sysctl.conf (tee is used because a plain >> redirection does not run under sudo)
sudo tee -a /etc/sysctl.conf > /dev/null << 'EOF'
# Disable IP forwarding (if this is not a router or a Docker/container host)
net.ipv4.ip_forward = 0
# Protect against SYN flood attacks
net.ipv4.tcp_syncookies = 1
# Hide kernel pointers in /proc
kernel.kptr_restrict = 2
# Restrict dmesg access
kernel.dmesg_restrict = 1
EOF
# Apply the new values now (they are also loaded at boot)
sudo sysctl -p
4. No malware scanner installed
# Install rkhunter
sudo apt install rkhunter -y
sudo rkhunter --update
# Record a baseline of file properties while the system is known-clean, so later checks can detect changes
sudo rkhunter --propupd
sudo rkhunter --check
Advanced: Customizing Lynis for Production
Running Lynis Non-Interactively (for Cron Jobs)
# Run silently, no Enter prompts
sudo lynis audit system --quiet --no-colors 2>&1 | tee /tmp/lynis-$(date +%Y%m%d).log
# Save report with timestamp
sudo cp /var/log/lynis-report.dat /var/backups/lynis-report-$(date +%Y%m%d).dat
Setting Up a Weekly Audit Cron Job
# Add to the root crontab (sudo crontab -e opens an editor; paste the schedule line below into it)
sudo crontab -e
# Run every Monday at 3:00 AM (--cronjob runs non-interactively, implying --quiet and no colors)
0 3 * * 1 /usr/bin/lynis audit system --cronjob > /var/log/lynis-weekly.log 2>&1
Custom Profile — Skipping Irrelevant Checks
Running Docker and intentionally have IP forwarding enabled? You don’t need Lynis warning you about it every scan. Create a custom profile to exclude it:
# Create a custom profile
sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
# Add an exception to custom.prf
echo 'skip-test=NETW-3012' >> /etc/lynis/custom.prf
# Run with the custom profile
sudo lynis audit system --profile /etc/lynis/custom.prf
Test IDs (like NETW-3012) can be found in the output or in the /var/log/lynis-report.dat file.
Tracking Your Hardening Score Over Time
# Get the hardening index from the report
grep 'hardening_index' /var/log/lynis-report.dat
# Output looks like: hardening_index=67
# After fixing warnings, re-run and compare
Practical Tips for Using Lynis
Don’t fix all suggestions at once. Lynis typically generates 30–50 suggestions, but not all of them are necessary. Handle Warnings first, then Suggestions. Within Suggestions, prioritize anything related to authentication and networking — those are your largest attack surfaces.
Test on staging before touching production. Some changes — like sysctl or PAM config — can affect running services. Lesson learned the hard way: I once applied kernel hardening changes directly on production and broke network connectivity in several containers because IP forwarding got disabled. Staging first, production second — no exceptions.
Lynis audits configuration, not package vulnerabilities — that’s an important limitation to know. For comprehensive coverage, combine it with:
- unattended-upgrades to automatically apply security patches
- fail2ban to block brute-force attempts
- ClamAV or rkhunter to scan for malware
Save a baseline as soon as you’re done setting up. Once you’ve fixed the critical warnings and reached a hardening index of 80+, save that report as your baseline. The next time you make major changes, re-run the audit and diff — it’s the fastest way to catch configuration drift.
# Save the baseline
sudo lynis audit system
sudo cp /var/log/lynis-report.dat /root/lynis-baseline-$(date +%Y%m%d).dat
# Compare later (replace the date with your baseline's; timestamp keys such as report_datetime_start always differ)
diff /root/lynis-baseline-20240101.dat /var/log/lynis-report.dat | grep '^[<>]'
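The machine-readable report mentioned earlier and the baseline comparison above can be handled by one small script. The following is an added example, not part of the original post or of Lynis itself: it parses the key=value format of lynis-report.dat (repeated keys end in "[]" and findings are pipe-separated), then reports the hardening-index change and any new or resolved warnings and suggestions, ignoring volatile fields such as timestamps. The two report texts are constructed samples; the test IDs in them are illustrative.

```python
from collections import defaultdict

# Constructed sample reports in lynis-report.dat format (not real scan output).
BASELINE = """\
# Lynis Report
lynis_version=3.0.8
report_datetime_start=2024-01-01 03:00:00
hardening_index=81
warning[]=NETW-3012|Sample warning kept for comparison|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
"""
CURRENT = """\
# Lynis Report
lynis_version=3.0.8
report_datetime_start=2024-02-01 03:00:00
hardening_index=74
warning[]=NETW-3012|Sample warning kept for comparison|-|-|
warning[]=SSH-7412|Root can log in over SSH|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
"""

def parse_report(text):
    """Parse lynis-report.dat into a dict; keys ending in '[]' collect every occurrence in a list."""
    report = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip comments and blank lines
        key, _, value = line.partition("=")
        if key.endswith("[]"):
            report[key[:-2]].append(value)
        else:
            report[key] = value
    return dict(report)

def findings(report, kind):
    """Return {test_id: description} for the 'warning' or 'suggestion' entries of a parsed report."""
    out = {}
    for entry in report.get(kind, []):
        fields = entry.split("|")  # test-id|description|details|...
        out[fields[0]] = fields[1] if len(fields) > 1 else ""
    return out

def drift(baseline_text, current_text):
    """Compare two reports: hardening-index delta plus findings that appeared or disappeared."""
    base, cur = parse_report(baseline_text), parse_report(current_text)
    result = {"index_delta": int(cur.get("hardening_index", 0)) - int(base.get("hardening_index", 0))}
    for kind in ("warning", "suggestion"):
        b, c = findings(base, kind), findings(cur, kind)
        result[f"new_{kind}s"] = {t: c[t] for t in sorted(c.keys() - b.keys())}
        result[f"resolved_{kind}s"] = sorted(b.keys() - c.keys())
    return result

if __name__ == "__main__":
    print(drift(BASELINE, CURRENT))
```

To use it on a real server, read the baseline file and /var/log/lynis-report.dat into the two text arguments; a non-zero index_delta or a non-empty new_warnings is the drift signal worth alerting on.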
Every time you onboard a new server, running Lynis should be your very first step — before you even deploy any code. Thirty minutes of scanning and basic fixes today can save you an entire night of incident tracing down the road.