Auditing Your Linux Server with Lynis
You’ve hardened your server — SSH keys, firewall, fail2ban, automatic updates. But how do you know what you missed? Lynis is an open-source security auditing tool that scans your system and tells you exactly where to improve.
What Lynis Does
Lynis performs hundreds of individual tests across your system: kernel settings, authentication, file permissions, network configuration, running services, and more. It produces a hardening index (0–100) and a list of concrete suggestions with references to specific controls.
It doesn’t change anything — it only reads and reports.
Installation
On Ubuntu 22.04:
sudo apt install lynis
Running an Audit
Run a full system audit with root privileges:
sudo lynis audit system
The scan takes a few minutes. At the end you get:
- A hardening index (e.g. 65/100)
- A list of warnings (critical issues)
- A list of suggestions (improvements)
- References to detailed control descriptions
Results are also saved to /var/log/lynis.log and /var/log/lynis-report.dat.
Without root, some tests are skipped. Always run with sudo for the full picture.
What to Expect
On a freshly installed Ubuntu 22.04 server, expect a score around 55–60. After basic hardening (SSH, firewall, fail2ban), you’ll be in the low 60s. With targeted fixes, 65–75 is realistic for a single-purpose server.
Getting above 80 typically requires measures like full disk encryption, external log shipping, and separate partitions — overkill for most setups.
Acting on the Results
Not every suggestion is worth implementing. Here’s how to prioritize:
High Value — Do These
Kernel and network hardening via sysctl:
# /etc/sysctl.d/50-server-haertung.conf
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.tcp_rfc1337 = 1
kernel.dmesg_restrict = 1
kernel.randomize_va_space = 2
Apply with sudo sysctl --system.
SSH hardening — create a drop-in config at /etc/ssh/sshd_config.d/50-hardening.conf:
AllowTcpForwarding no
AllowAgentForwarding no
Compression no
MaxAuthTries 3
MaxSessions 2
LogLevel VERBOSE
TCPKeepAlive no
ClientAliveInterval 300
ClientAliveCountMax 2
Always test the config before reloading:
sudo sshd -t && sudo systemctl reload sshd
Keep your current session open and verify with a new connection before closing it.
Disable unused network protocols:
# /etc/modprobe.d/protocol-blacklist.conf
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
Disable USB storage on servers that don’t need it:
# /etc/modprobe.d/usb-storage-blacklist.conf
install usb-storage /bin/true
Restrict compiler access to root only:
sudo chmod 700 /usr/bin/gcc /usr/bin/g++ /usr/bin/cc /usr/bin/make
Clean up old packages:
sudo apt autoremove --purge
dpkg -l | grep '^rc' | awk '{print $2}' | xargs -r sudo dpkg --purge
Medium Value — Consider These
- Login banner in /etc/issue and /etc/issue.net — legal notice for unauthorized access
- Umask 027 in /etc/login.defs — stricter default file permissions
- needrestart — shows which services need restarting after updates
- debsums — verifies package integrity against known good checksums
Skip These
- Separate partitions for /home, /tmp, /var — not practical on cloud VPS
- GRUB password — no physical access on cloud servers
- External logging — overkill for a single server
- Password aging — irrelevant when SSH is key-only
- Changing the SSH port — security through obscurity, fail2ban handles brute force
Re-running After Changes
After applying fixes, run Lynis again to verify your improvements:
sudo lynis audit system
Compare the hardening index and check that your changes resolved the expected suggestions.
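Comparing two reports by hand gets tedious, so here is a small script (an added example, not part of the article or of Lynis itself) that parses two copies of /var/log/lynis-report.dat and reports the index delta plus which suggestions were resolved or are new. It assumes the report layout of one key=value per line, keys ending in [] repeating, and each suggestion[]/warning[] value starting with the control ID followed by pipe-separated fields; the sample reports below are constructed to illustrate that layout.

```python
from collections import defaultdict

def parse_report(text):
    """Parse lynis-report.dat text into {key: [values]}; keys ending in [] repeat."""
    data = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # comments and blank lines
        key, value = line.split("=", 1)
        data[key[:-2] if key.endswith("[]") else key].append(value)
    return data

def control_ids(report, key):
    """Control IDs (first |-separated field) of the suggestion/warning entries."""
    return {v.split("|")[0] for v in report.get(key, [])}

def compare_reports(before_text, after_text):
    """Index delta plus which suggestions were resolved or newly appeared."""
    before, after = parse_report(before_text), parse_report(after_text)
    s_before, s_after = control_ids(before, "suggestion"), control_ids(after, "suggestion")
    return {
        "index_delta": int(after["hardening_index"][0]) - int(before["hardening_index"][0]),
        "resolved": sorted(s_before - s_after),
        "new": sorted(s_after - s_before),
        "warnings_after": sorted(control_ids(after, "warning")),
    }

# Constructed sample reports in lynis-report.dat style (not real Lynis output):
# one before hardening, one after the sysctl and SSH changes above.
BEFORE = """\
# Lynis Report (constructed sample)
hardening_index=62
warning[]=KRNL-5830|Reboot of system is most likely needed|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|AllowTcpForwarding (set YES to NO)|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
suggestion[]=KRNL-6000|One or more sysctl values differ from the scan profile|net.ipv4.conf.all.accept_redirects (exp: 0)|-|
suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-|
"""
AFTER = """\
hardening_index=71
suggestion[]=HRDN-7222|Harden compilers like restricting access to root user only|-|-|
suggestion[]=PKGS-7346|Purge old/removed packages|-|-|
"""

if __name__ == "__main__":
    for label, value in compare_reports(BEFORE, AFTER).items():
        print(f"{label}: {value}")
```

To use it on a real server, copy lynis-report.dat aside before re-running the audit and feed both files' contents to compare_reports.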
Quick Checklist
- Install Lynis: sudo apt install lynis
- Run full audit: sudo lynis audit system
- Apply sysctl hardening for network and kernel
- Harden SSH with a drop-in config
- Blacklist unused kernel modules (protocols, USB)
- Clean up old packages and kernel versions
- Restrict compiler access
- Re-run Lynis to verify improvements
Lynis won’t make your server secure by itself, but it shows you what you’re missing. Run it after every major change to your setup, and use the suggestions as a prioritized to-do list rather than a checklist to complete blindly.