Uptycs Blog | Cloud Security Insights for Linux and Containers

The Best Linux Security Monitoring Tools for Server Protection

Written by Amber Picotte | 2/4/20 1:00 PM


Infrastructure security at the server layer is a critical aspect of your organization’s overall security posture. When you know the best Linux resources to use, you can prevent attackers from taking over servers or compromising your databases.


In this article, we’ll cover some server security best practices, and explore the best Linux resources as they relate to each one.


What Are the Best Linux Resources for Infrastructure Security?

Security teams must consider the following practices when using Linux:

  1. Auditing and monitoring Linux
  2. Hardening the system and reducing the attack surface
  3. Securing network traffic and remote access
  4. Intrusion Detection Systems (IDS)
  5. Network/vulnerability scanning and testing tools
  6. Container security


Auditing & Monitoring Linux

The first area we’ll look at is all about auditing and monitoring Linux systems. This includes the best Linux tools to understand what's going on at the endpoints, so you can see what's running, who is logged in, etc.

  1. Osquery - Osquery is an operating system instrumentation framework that exposes an operating system as a high-performance relational database. It tracks events in real time to let you know everything that happens on the server, which is useful as part of an incident response process. It lets you read data from the OS as if it were a set of regular tables, containing things like processes running, users logged in, network connections being established and much, much more.
  2. OSSEC & Wazuh - For years, security teams have used OSSEC to monitor Linux systems for potential intrusions; Wazuh is a modern alternative to OSSEC. Although osquery’s distributed and real-time querying capabilities make it ideal for threat hunting, both these tools are good for analyzing log files and performing file integrity monitoring (FIM).
  3. Auditd - Auditd, the user-facing component of the Linux Auditing System, is a useful feature of Linux that you can use to track security-related events, from processes to authentication. It provides a much more granular way of logging activity than what is usually available on Linux systems without it.


Hardening the system & Reducing the Attack Surface

Server security best practices advise that you minimize the number of things running, because fewer processes mean fewer vulnerabilities. This practice is known as reducing your attack surface.


Linux resources that can help reduce your attack surface include:

  1. CoreOS - This Linux distribution is a lightweight operating system which is excellent for performance purposes. As it's only meant to run containers, it doesn't need a lot of additional components.
  2. Ubuntu Minimal - You can minimize the attack surface with Ubuntu Minimal, a smaller base installation of Ubuntu. It allows you to start from the smallest install, remove everything you don’t need, then create your own image from that. Most distributions now have such an installation type, and some are dedicated to being lightweight, like Arch Linux.
  3. SELinux - This tool lets you configure mandatory access controls on Linux, limiting users to a precise level of access. In the event of a service or user being compromised, SELinux ensures the attacker can't escalate the privilege and get access to data outside the scope of that service’s initial setting. Furthermore, SELinux logs are a useful source of information on potentially compromised systems. For example, a series of SELinux failures could indicate a config issue or suggest that someone is trying to run commands they don't have permission to run.
  4. CIS Benchmarks for Linux - This resource is available for most distributions, providing guidance on which built-in services you should disable and core files you can safely remove, as well as how to configure most security parameters.
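Auditd records and SELinux AVC denials land in the same audit log, so one parser serves both the auditd point in the monitoring list and the SELinux-logs point just above. The following is an added example, not code from this article or from the auditd or SELinux projects: it parses raw audit.log records, nested PAM fields included, and reports repeated failed logins and repeated denials for the same source/target context pair. The log lines are constructed, and the alert thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample in auditd's raw audit.log format (not taken from any real host):
# three failed root logins from one address, one successful login, two SELinux AVC
# denials for httpd trying to execute a shell, and the SYSCALL record paired with the last AVC.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1580821200.101:4501): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.9 addr=203.0.113.9 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1580821201.205:4502): pid=1203 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.9 addr=203.0.113.9 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1580821202.310:4503): pid=1205 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.9 addr=203.0.113.9 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1580821260.000:4510): pid=1300 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.7 addr=10.0.0.7 terminal=ssh res=success'
type=AVC msg=audit(1580821300.512:4520): avc:  denied  { execute } for  pid=1400 comm="httpd" name="bash" dev="sda1" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1580821301.020:4521): avc:  denied  { execute } for  pid=1401 comm="httpd" name="sh" dev="sda1" ino=1235 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1580821301.020:4521): arch=c000003e syscall=59 success=no exit=-13 a0=7ffd0 a1=7ffd1 a2=7ffd2 a3=0 items=0 ppid=1 pid=1401 auid=4294967295 uid=48 gid=48 euid=48 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key="exec-monitor"
"""

# Record header: type=<TYPE> msg=audit(<epoch>:<serial>): <body>
HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# key=value pairs; a value is bare, "double-quoted" or 'single-quoted' (the nested PAM msg='...')
KV = re.compile(r"(\w[\w.\-]*)=(\"[^\"]*\"|'[^']*'|\S+)")
# SELinux decision and permission set:  avc:  denied  { execute } for ...
AVC = re.compile(r"avc:\s+(?P<decision>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}")


def parse_audit_line(line):
    """Parse one audit.log record into a flat dict; returns None for lines that do not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for key, raw in KV.findall(m["body"]):
        value = raw.strip("\"'")
        if key == "msg":
            # PAM records nest a second key=value list inside msg='...'; flatten it
            for inner_key, inner_raw in KV.findall(value):
                rec[inner_key] = inner_raw.strip("\"'")
        else:
            rec[key] = value
    avc = AVC.search(m["body"])
    if avc:
        rec["decision"] = avc["decision"]
        rec["perms"] = avc["perms"].split()
    return rec


def summarize_audit_log(log_text):
    """Count failed logins per (account, source address) and AVC denials per context pair."""
    failed_auth = Counter()
    avc_denials = Counter()
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        if rec["type"] == "USER_AUTH" and rec.get("res") == "failed":
            failed_auth[(rec.get("acct", "?"), rec.get("addr", "?"))] += 1
        elif rec["type"] == "AVC" and rec.get("decision") == "denied":
            key = (rec.get("scontext"), rec.get("tcontext"), rec.get("tclass"), " ".join(rec["perms"]))
            avc_denials[key] += 1
    return failed_auth, avc_denials


def audit_findings(log_text, auth_threshold=3, avc_threshold=2):
    """Thresholds are assumptions for the example; tune them to your own baseline."""
    failed_auth, avc_denials = summarize_audit_log(log_text)
    findings = []
    for (acct, addr), n in failed_auth.items():
        if n >= auth_threshold:
            findings.append(f"{n} failed logins for {acct!r} from {addr}")
    for (src, tgt, cls, perms), n in avc_denials.items():
        if n >= avc_threshold:
            findings.append(f"{n} SELinux denials: {src} -> {tgt} ({cls}: {perms})")
    return findings


if __name__ == "__main__":
    for finding in audit_findings(SAMPLE_AUDIT_LOG):
        print(finding)
```

Repeated denials from one source context against one target type, as in the httpd example, are exactly the pattern the article describes: either a policy that needs fixing or a service being pushed to do something it was never meant to do. Checking the paired SYSCALL record (same serial number) tells you which binary and syscall triggered it.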


Securing Network Traffic & Remote Access

Ideally, all traffic between your server and other systems should be encrypted. If people authenticate on your server, you need those actions to remain secure too, by using encrypted protocols, configured safely.

  1. Hardening SSH - This article discusses how to secure SSH from a network service point of view, and also how to configure authentication properly with two-factor using free tools.
  2. SSLLabs - Securing SSL/TLS - Without deep knowledge, securing SSL or TLS without breaking compatibility with some important clients is virtually impossible, as there are so many different cipher suites. This guide from SSLLabs allows you to configure everything in TLS, from protocols to cipher suites.
  3. SSLScan - This is a command-line tool you can use to scan SSL/TLS services to test their configuration.
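A concrete way to apply the SSH-hardening advice above is to check the settings in sshd_config against a small policy before a host goes into service. The following is an added example, not code from this article or from the OpenSSH project: it parses sshd_config the way sshd resolves it (first occurrence of a keyword wins, Match blocks are conditional) and compares the effective values against defensive expectations. The two config fragments are constructed, the policy thresholds (such as MaxAuthTries of at most 4) are assumptions, the listed OpenSSH defaults are from the sshd_config(5) man page for OpenSSH 7.x and later, and the two-factor example assumes a separately configured PAM keyboard-interactive module.

```python
import re

# OpenSSH's effective defaults when a keyword is absent (sshd_config(5), OpenSSH 7.x+);
# verify against the version you actually run.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "authenticationmethods": "any",
}

# Constructed sshd_config fragments: a risky one and its hardened counterpart.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
MaxAuthTries 10
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
X11Forwarding no
MaxAuthTries 3
# Require a key AND a keyboard-interactive second factor (assumed: a PAM one-time-password
# module configured separately).
AuthenticationMethods publickey,keyboard-interactive
KbdInteractiveAuthentication yes
"""

# keyword, then either "=" or whitespace, then the argument(s)
DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return effective global settings as {keyword_lowercase: value}.
    Mirrors sshd's rule that the first occurrence of a keyword wins. Directives after a
    Match block apply only conditionally, so parsing stops there (a simplification)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        key, value = (m.group(1), m.group(2).strip()) if m else (line, "")
        key = key.lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Compare effective settings against a defensive policy; returns a list of findings."""
    cfg = parse_sshd_config(text)

    def get(keyword):
        return cfg.get(keyword, DEFAULTS[keyword]).lower()

    findings = []
    if get("permitrootlogin") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin: direct root login with a password is allowed")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication: password logins allowed; prefer key-based auth")
    if get("permitemptypasswords") != "no":
        findings.append("PermitEmptyPasswords: empty passwords accepted")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication: public-key authentication disabled")
    if get("x11forwarding") != "no":
        findings.append("X11Forwarding: enabled; disable unless required")
    try:
        if int(get("maxauthtries")) > 4:   # policy threshold: assumption for this example
            findings.append("MaxAuthTries: more than 4 attempts per connection")
    except ValueError:
        findings.append("MaxAuthTries: non-numeric value")
    if "," not in get("authenticationmethods"):
        findings.append("AuthenticationMethods: no multi-factor requirement")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit_sshd_config(text) or ['no findings']}")
```

The check reads the effective value, default included, rather than only keywords present in the file, because a missing `PasswordAuthentication` line silently means "yes". Run `sshd -T` on the host if you want the daemon's own view of the resolved configuration, including Match blocks, to compare against.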


Network IDS (Intrusion Detection System)

Network IDS refers to software and devices that monitor network traffic for threats and malicious activity. These are the best Linux resources to get a view of your network connections and security at this level.

  1. Zeek - The IDS formerly known as Bro is a flexible network analysis tool you can use to monitor network traffic and perform many tasks, including but not limited to intrusion detection. Zeek offers a centralized environment to log alerts and inspect traffic from multiple Linux servers. As such, it requires the central hub to be a powerful Linux server with a lot of memory. Zeek has a complicated set-up process, but it is worth the effort.
  2. Snort - First created in 1998, Snort is a popular network IDS. While it lacks the flexibility of Zeek, Snort is regularly updated.
  3. Security Onion - This Linux distribution is ideal for beginners, as it is essentially a user-friendly package that makes it easier to deploy Zeek or Snort. You can build distributed environments and graphical interfaces to respond to alerts and perform centralized logging.
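Once Zeek is collecting from your servers, the value is in what you ask of its logs. The following is an added example, not code from this article or from the Zeek project: it parses a conn.log in Zeek's tab-separated format (using the `#fields` header, `-` for unset and `(empty)` for empty values) and flags server-initiated connections leaving the estate on ports outside an allowlist, or carrying an unusually large upload. The log rows are constructed and use a subset of conn.log's columns; the internal network range, allowed egress ports and upload threshold are assumptions.

```python
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumption: the server estate lives here
ALLOWED_OUTBOUND_PORTS = {80, 443}                     # assumption: servers only need web egress
UPLOAD_THRESHOLD = 10_000_000                          # assumption: >10 MB sent outbound is worth a look

# Constructed conn.log excerpt in Zeek's log format (a subset of the real conn.log columns).
ZEEK_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring",
    "1580821200.1\tCAbc1\t10.0.0.5\t51234\t203.0.113.20\t443\ttcp\tssl\t12.5\t2048\t65536\tSF",
    "1580821205.2\tCAbc2\t10.0.0.5\t51235\t203.0.113.20\t80\ttcp\thttp\t0.8\t512\t4096\tSF",
    "1580821210.3\tCAbc3\t10.0.0.6\t40000\t198.51.100.77\t4444\ttcp\t-\t3600.0\t120000\t9000\tS1",
    "1580821215.4\tCAbc4\t10.0.0.7\t33000\t10.0.0.6\t3306\ttcp\tmysql\t4.0\t800\t3000\tSF",
    "1580821220.5\tCAbc5\t10.0.0.5\t51236\t203.0.113.21\t443\ttcp\tssl\t5.0\t50000000\t2000\tSF",
    "#close\t2020-02-04-13-05-00",
])


def parse_zeek_log(text):
    """Return a list of row dicts keyed by the names in the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other header/footer lines
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # rows that do not map onto the header are skipped, not guessed
        row = {}
        for name, value in zip(fields, values):
            row[name] = None if value == "-" else ("" if value == "(empty)" else value)
        rows.append(row)
    return rows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_findings(text):
    """Flag outbound server connections that leave the estate on unexpected ports or with big uploads."""
    findings = []
    for row in parse_zeek_log(text):
        orig, resp = row["id.orig_h"], row["id.resp_h"]
        if not is_internal(orig) or is_internal(resp):
            continue  # only connections initiated by our servers towards external hosts
        port = int(row["id.resp_p"])
        if port not in ALLOWED_OUTBOUND_PORTS:
            findings.append((row["uid"], orig, resp, port, "egress port not allowlisted"))
        sent = int(row["orig_bytes"] or 0)
        if sent > UPLOAD_THRESHOLD:
            findings.append((row["uid"], orig, resp, port, f"{sent} bytes sent outbound"))
    return findings


if __name__ == "__main__":
    for uid, orig, resp, port, reason in egress_findings(ZEEK_CONN_LOG):
        print(f"{uid}: {orig} -> {resp}:{port}  {reason}")
```

Reading the column names from `#fields` rather than hard-coding positions matters in practice: Zeek deployments add or remove conn.log columns through scripts, and a fixed-position parser would silently misattribute values.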


Network/Vulnerability Scanning & Testing Tools

The more you know about vulnerabilities in your network, the better prepared you will be to defend against incoming attacks. With regular scanning and testing using the following tools, you can identify flaws before attackers do.

  1. Nmap - You can use this powerful network scanning tool to check the services running and identify vulnerabilities. It includes a scripting language, and you can map your own systems to the network security layer to ensure you have more coverage of the network.
  2. Masscan - An extremely fast network scanning tool, Masscan is one of the best Linux resources for scanning vast networks with a large number of IP addresses and ports. It has fewer features than Nmap, but it is much faster.
  3. Metasploit - Imagine you detect a vulnerability, and you're not sure if the service really is exploitable in its current configuration. You can use Metasploit to test your system. This framework comprises an easy to use console and an array of built-in open-source exploits that you can use to try and break into your own system if you suspect it is vulnerable. This tool also simplifies post-exploitation testing, by providing many different tools to establish persistence, escalate privileges and package payloads in multiple file formats.
  4. Batea - This tool can take Nmap’s output, build machine learning models, and detect systems in your environment that might be more valuable or vulnerable, which it refers to as gold nuggets.
  5. OpenVAS - This is a full, open-source vulnerability management solution that allows you to scan systems with or without authentication, track vulnerabilities, manage results, and produce reports.
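Regular scanning only pays off if the results are compared against what each host is supposed to expose. The following is an added example, not code from this article or from the Nmap project: it parses Nmap's grepable output (`-oG`, where each port entry is `port/state/protocol/owner/service/rpc/version/`) and reports open ports that are not on a per-host allowlist. The scan output and the allowlist are constructed.

```python
import re

# Constructed -oG output for two hosts (not a real scan). Fields on a Host: line are tab-separated.
NMAP_GREPABLE = "\n".join([
    "# Nmap 7.80 scan initiated Tue Feb  4 13:00:00 2020 as: nmap -sV -oG - 10.0.0.0/29",
    "Host: 10.0.0.5 (web01.example.internal)\tStatus: Up",
    "Host: 10.0.0.5 (web01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, "
    "80/open/tcp//http//nginx 1.14.0/, 443/open/tcp//https//nginx 1.14.0/\tIgnored State: closed (997)",
    "Host: 10.0.0.6 (db01.example.internal)\tStatus: Up",
    "Host: 10.0.0.6 (db01.example.internal)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, "
    "3306/open/tcp//mysql//MySQL 5.7.29/, 6379/open/tcp//redis//Redis key-value store 5.0.7/\tIgnored State: closed (997)",
    "# Nmap done at Tue Feb  4 13:00:30 2020 -- 8 IP addresses (2 hosts up) scanned in 30.12 seconds",
])

# Constructed allowlist: the open ports each host is expected to have.
EXPECTED_OPEN_PORTS = {
    "10.0.0.5": {22, 80, 443},
    "10.0.0.6": {22, 3306},
}

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\t(?P<rest>.*)$")


def parse_nmap_grepable(text):
    """Return {ip: {"hostname", "status", "ports": [ {port, state, proto, service, version} ]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything else
        host = hosts.setdefault(m["ip"], {"hostname": m["name"], "status": None, "ports": []})
        for field in m["rest"].split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                host["status"] = value
            elif key == "Ports":
                for entry in value.split(", "):
                    parts = entry.split("/")
                    if len(parts) < 7:
                        continue  # malformed entry; skip rather than guess
                    port, state, proto, _owner, service, _rpc = parts[:6]
                    # the version field is last and terminated by a trailing "/"
                    version = "/".join(parts[6:]).rstrip("/")
                    host["ports"].append({
                        "port": int(port), "state": state, "proto": proto,
                        "service": service, "version": version,
                    })
    return hosts


def unexpected_services(scan_text, expected):
    """Open ports not in the allowlist; a host missing from `expected` has every open port flagged."""
    findings = []
    for ip, host in parse_nmap_grepable(scan_text).items():
        allowed = expected.get(ip, set())
        for p in host["ports"]:
            if p["state"] == "open" and p["port"] not in allowed:
                findings.append((ip, p["port"], p["proto"], p["service"], p["version"]))
    return findings


if __name__ == "__main__":
    for ip, port, proto, service, version in unexpected_services(NMAP_GREPABLE, EXPECTED_OPEN_PORTS):
        print(f"{ip}:{port}/{proto} {service} ({version}) is open but not expected")
```

Diffing successive scans against the same allowlist turns a one-off audit into drift detection: a service that appears on a database host without a matching change ticket is worth a look before anyone else finds it. For larger estates, Masscan output can be fed through the same allowlist logic once its JSON or list format is parsed.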


Container Security

The final area we will look at is container security, which is vital because containers make it easy to build and use applications in an orchestrated manner. By improving security in your container pipeline, you improve the defense of your infrastructure, and ensure your containers remain reliable and scalable. Here are a few Linux resources that can help strengthen your container security posture:

  1. Docker Bench - This tool tests your Docker environment against security best practices, including CIS Benchmarks for Docker.
  2. Clair - You can use Clair to perform static analysis on your containers, which allows you to discover known vulnerabilities within them.
  3. Docker tables for osquery - These tables allow you to gather a lot of security information on containers, from inventory to processes and connections—without installing osquery in the container itself.


What if D-I-Y Linux Infrastructure Security Isn’t for You?

While the resources above represent the best free tools and resources, for many reasons, doing it all in-house may not be the right option for protecting and monitoring your Linux infrastructure. Uptycs is a security analytics platform that empowers teams to deploy osquery at scale while also providing the analytical backend to actually make meaningful use of all that endpoint telemetry. Our platform allows you to easily identify unusual behavior and suspicious connections at Linux endpoints (as well as macOS, Windows and containers).


Uptycs also makes it easier to understand how your system is configured, which is useful for hardening and reducing the attack surface. You can check what is installed and what can be cleaned up to improve your defenses. Want to learn more about server security best practices with Linux? Read our case study on Linux Server Security at Scale to see how Uptycs helped a client with over 100,000 servers to go into production.