Linux server security starts with knowing the right commands. These 10 essential security commands should be in every system administrator's daily toolkit. Bookmark this page: you will use these commands regularly.
1. Check Failed Login Attempts
# Show failed SSH login attempts
sudo lastb | head -30
# Count failed attempts by IP
sudo lastb | awk '{print $3}' | sort | uniq -c | sort -rn | head -20
# Check authentication log (the unit is sshd.service on RHEL-family systems and ssh.service on Debian/Ubuntu)
sudo journalctl _SYSTEMD_UNIT=sshd.service --since "1 hour ago" | grep "Failed"
Run this daily to identify brute force attacks. If you see thousands of attempts from a single IP, block it immediately with your firewall.
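The per-IP count above is easy to turn into a small triage script. The following is an added example, not part of the original post: it applies the same count-by-source logic to a constructed set of sshd log lines and reports every address at or above a chosen threshold. The function names and sample lines are assumptions made for this example; on a live host you would pipe journalctl output into the functions instead.

```shell
#!/bin/sh
# Constructed sample sshd log lines (not captured from a real host).
SAMPLE_LOG='Jan 10 10:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 40212 ssh2
Jan 10 10:00:02 host sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 40213 ssh2
Jan 10 10:00:03 host sshd[1236]: Failed password for root from 203.0.113.5 port 40214 ssh2
Jan 10 10:00:04 host sshd[1237]: Accepted publickey for deploy from 198.51.100.7 port 51000 ssh2
Jan 10 10:00:05 host sshd[1238]: Failed password for invalid user test from 198.51.100.7 port 51001 ssh2'

# count_failed_by_ip: read sshd log lines on stdin and print "COUNT IP",
# one source per line, highest count first. Only "Failed password" lines
# are counted; the IP is the token between " from " and " port ".
count_failed_by_ip() {
    grep 'Failed password' \
        | sed -n 's/.* from \([0-9a-fA-F.:]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# ips_over_threshold N: print only the IPs with at least N failed attempts.
# Feed this to your firewall review rather than blocking blindly.
ips_over_threshold() {
    count_failed_by_ip | awk -v t="$1" '$1 >= t {print $2}'
}

# Demo on the constructed sample. On a real server use, for example:
#   sudo journalctl _SYSTEMD_UNIT=sshd.service --since "1 day ago" | ips_over_threshold 100
printf '%s\n' "$SAMPLE_LOG" | ips_over_threshold 3
```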
2. Find Files with SUID/SGID Bits
# Find all SUID files
sudo find / -type f -perm -4000 -ls 2>/dev/null
# Find all SGID files
sudo find / -type f -perm -2000 -ls 2>/dev/null
# Find world-writable files
sudo find / -type f -perm -0002 -ls 2>/dev/null
SUID files run with the file owner's permissions. Attackers often exploit SUID binaries for privilege escalation. Review this list regularly and remove unnecessary SUID bits.
3. List Open Ports and Connections
# Show all listening ports with process info
sudo ss -tulnp
# Show established connections
sudo ss -tunaep
# Alternative with netstat
sudo netstat -tulnp
Every open port is a potential attack vector. If you see unexpected listening services, investigate immediately.
4. Check Running Processes
# Show all processes with full details
ps auxf
# Find processes running as root
ps aux | awk '$1 == "root" {print}'
# Find high CPU/memory processes
ps aux --sort=-%cpu | head -10
ps aux --sort=-%mem | head -10
5. Audit User Accounts
# List all users with login shells
awk -F: '$7 !~ /nologin|false/ {print $1, $3, $7}' /etc/passwd
# Find users with UID 0 (root equivalent)
awk -F: '$3 == 0 {print $1}' /etc/passwd
# Check for empty passwords
sudo awk -F: '$2 == "" {print $1}' /etc/shadow
# List users with sudo access (the admin group is "sudo" on Debian/Ubuntu and "wheel" on RHEL-family systems)
getent group sudo
getent group wheel
6. Check File Integrity
# Verify package integrity (Debian/Ubuntu)
sudo debsums -c 2>/dev/null
# Check RPM package integrity (RHEL/AlmaLinux)
sudo rpm -Va
# Find recently modified system files
sudo find /etc -type f -mtime -7 -ls
7. Review Firewall Rules
# iptables rules
sudo iptables -L -n -v
# nftables rules
sudo nft list ruleset
# UFW status
sudo ufw status verbose
8. Check Disk and Log Usage
# Check disk usage
df -h
# Find large files (potential log bombs)
sudo find / -type f -size +100M -ls 2>/dev/null
# Check log sizes
sudo du -sh /var/log/*
9. Review Cron Jobs
# List all user cron jobs (prints a header only for users that actually have jobs)
for user in $(cut -d: -f1 /etc/passwd); do
jobs=$(crontab -u "$user" -l 2>/dev/null | grep -v "^#" | grep -v "^$")
if [ -n "$jobs" ]; then
echo "--- User: $user ---"
echo "$jobs"
fi
done
# Check the system crontab and cron directories
ls -la /etc/crontab /etc/cron.d/ /etc/cron.hourly/ /etc/cron.daily/ /etc/cron.weekly/ /etc/cron.monthly/
10. Run Security Scan with Lynis
# Install Lynis
sudo apt install lynis # Debian/Ubuntu
sudo dnf install lynis # RHEL/AlmaLinux
# Run full system audit
sudo lynis audit system
# Show only warnings and suggestions (Lynis writes each finding as a warning[]= or suggestion[]= line in its report file)
sudo lynis audit system --quick --no-colors >/dev/null 2>&1
sudo grep -E '^(warning|suggestion)\[\]=' /var/log/lynis-report.dat
Make these commands part of your daily or weekly security routine, and your servers will be significantly more secure.
Learn More
- Linux Security Hardening: Comprehensive server security guide
- Linux System Hardening: Defense-in-depth strategies
- Linux Security Auditing: Professional audit procedures