Server security isn't a one-time setup — it's an ongoing process. Misconfigurations creep in through updates, new software installations, and hurried troubleshooting sessions. A security scanner that checks the fundamentals — SSH configuration, SUID binaries, kernel parameters, and file permissions — catches these regressions before attackers do.
This guide covers Linux security scanning with dargslan-security-scan, a free Python tool that performs essential security checks and gives you an actionable security score.
What dargslan-security-scan Checks
- SSH Configuration — Root login, password authentication, empty passwords, default port
- SUID/SGID Binaries — Find SUID files and flag unknown/unexpected ones
- Kernel Parameters — IP forwarding, ICMP redirects, SYN cookies, ASLR
- File Permissions — /etc/passwd, /etc/shadow, sshd_config, crontab
- World-Writable Files — Files in /etc and /var writable by everyone
- Security Score — 0-100 score based on all checks
Installing dargslan-security-scan
pip install dargslan-security-scan
# Or install the complete toolkit with all 15 tools
pip install dargslan-toolkit
CLI Usage
# Full security report with score
dargslan-secscan report
# Check SSH configuration only
dargslan-secscan ssh
# Find SUID/SGID binaries
dargslan-secscan suid
# Check kernel security parameters
dargslan-secscan kernel
# Check file permissions
dargslan-secscan perms
# Get security score (0-100)
dargslan-secscan score
# JSON output for automation
dargslan-secscan json
Python API
from dargslan_security_scan import SecurityScanner

ss = SecurityScanner()

# Full security report
ss.print_report()

# Get security score
score = ss.score()
print(f"Security Score: {score}/100")

# Check SSH configuration
ssh_issues = ss.check_ssh_config()
for issue in ssh_issues:
    print(f" [{issue['severity']}] {issue['message']}")

# Find SUID binaries
suid_files = ss.find_suid_files()
unknown = [s for s in suid_files if not s['known']]
if unknown:
    print(f"WARNING: {len(unknown)} unknown SUID binaries!")

# Check kernel parameters
for param in ss.check_kernel_params():
    status = "OK" if param['secure'] else "INSECURE"
    print(f" [{status}] {param['param']} = {param['value']}")

# Check important file permissions
perm_issues = ss.check_important_perms()
for p in perm_issues:
    print(f" [!!] {p['message']}")
SSH Hardening Guide
SSH is the most attacked service on any internet-facing Linux server. Proper configuration is essential:
# /etc/ssh/sshd_config — Security hardened
# Disable root login
PermitRootLogin no
# Disable password authentication (use keys only)
PasswordAuthentication no
# Never allow empty passwords
PermitEmptyPasswords no
# Disable X11 forwarding
X11Forwarding no
# Limit authentication attempts
MaxAuthTries 3
# Limit concurrent sessions
MaxSessions 3
# Allow only specific users
AllowUsers admin deploy
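# Use only Protocol 2 (deprecated keyword: OpenSSH 7.4+ speaks protocol 2 only)
Protocol 2
# Idle timeout (5 minutes)
# On OpenSSH 8.2+, ClientAliveCountMax 0 disables disconnection; use 1 or more there
ClientAliveInterval 300
ClientAliveCountMax 0
# Check the file for errors, then apply changes
sshd -t && systemctl restart sshd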
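The settings above can be checked mechanically. The following is an added example, not dargslan-security-scan's own code: it parses the global section of an sshd_config the way sshd resolves it (the first value for a keyword wins, keywords are case-insensitive, Match blocks are separate) and flags deviations from this guide's values. `SAMPLE`, `effective_settings` and `audit` are names made up here; defaults for unset keywords are assumed to be upstream OpenSSH's, and Include files are not followed.

```python
import re

# Upstream OpenSSH defaults for unset keywords (assumption: distro builds
# and Include'd drop-in files, which this sketch does not follow, may differ).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes",
            "permitemptypasswords": "no", "x11forwarding": "no", "maxauthtries": "6"}

# Constructed sample: the hardening line was appended below an older setting.
SAMPLE = """\
PermitRootLogin yes
X11Forwarding no
# hardening added later
PermitRootLogin no
PasswordAuthentication=no
MaxAuthTries 6
Match User deploy
    PasswordAuthentication yes
"""

def effective_settings(text):
    """Global keyword -> value map: first value wins, Match blocks excluded."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()            # keywords are case-insensitive
        if keyword == "match":                # the global section ends here
            break
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        seen.setdefault(keyword, value)       # later duplicates are ignored
    return seen

def audit(text):
    """Return findings shaped like the issue dicts used earlier in this guide."""
    cfg = {**DEFAULTS, **effective_settings(text)}
    findings = []
    def flag(severity, keyword, why):
        findings.append({"severity": severity, "keyword": keyword,
                         "message": f"{keyword}={cfg[keyword]}: {why}"})
    if cfg["permitrootlogin"] != "no":
        flag("critical" if cfg["permitrootlogin"] == "yes" else "warning",
             "permitrootlogin", "root can log in over SSH")
    if cfg["passwordauthentication"] != "no":
        flag("warning", "passwordauthentication", "passwords accepted, not keys only")
    if cfg["permitemptypasswords"] != "no":
        flag("critical", "permitemptypasswords", "empty passwords accepted")
    if cfg["x11forwarding"] != "no":
        flag("warning", "x11forwarding", "X11 forwarding enabled")
    if not cfg["maxauthtries"].isdigit() or int(cfg["maxauthtries"]) > 3:
        flag("warning", "maxauthtries", "more than 3 attempts per connection")
    return findings
```

On a live host, `sshd -T` prints the effective configuration with defaults and Include files already resolved, so running the same checks over that output avoids the assumptions above.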
SUID Binary Audit
SUID (Set User ID) binaries run with the privileges of the file owner (usually root) rather than those of the user who starts them. A compromised root-owned SUID binary gives an attacker instant root access.
# Find all SUID files
find / -perm -4000 -type f 2>/dev/null
# Find all SGID files
find / -perm -2000 -type f 2>/dev/null
# Known safe SUID binaries:
# /usr/bin/sudo, /usr/bin/su, /usr/bin/passwd,
# /usr/bin/mount, /usr/bin/umount, /usr/bin/ping
# Remove unnecessary SUID
chmod u-s /usr/bin/unnecessary-binary
# Log SUID usage with audit (-C uid!=euid limits the rule to executions where the effective UID became root)
auditctl -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k suid_exec
Kernel Security Parameters
# /etc/sysctl.d/99-security.conf
# Disable IP forwarding (unless this is a router)
net.ipv4.ip_forward = 0
# Disable ICMP redirects (prevent MITM)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
# Enable SYN cookies (prevent SYN flood attacks)
net.ipv4.tcp_syncookies = 1
# Enable full ASLR (Address Space Layout Randomization)
kernel.randomize_va_space = 2
# Log martian packets (suspicious source addresses)
net.ipv4.conf.all.log_martians = 1
# Ignore ICMP broadcasts
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Apply immediately
sysctl -p /etc/sysctl.d/99-security.conf
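A value written to the sysctl file only helps if the running kernel still holds it; other software can change parameters such as ip_forward at runtime. This added example (not the scanner's own code) parses the baseline above and compares each entry with the live value under /proc/sys. `BASELINE`, `parse_sysctl_conf` and `check_drift` are names made up here, and the `proc_sys` argument exists so the check can be pointed at a test directory.

```python
from pathlib import Path

# Baseline copied from the sysctl file in this guide.
BASELINE = """\
# /etc/sysctl.d/99-security.conf
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 2
net.ipv4.conf.all.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
"""

def parse_sysctl_conf(text):
    """Return {parameter: wanted value} from sysctl.conf-style text."""
    wanted = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # both start a comment line
            continue
        key, sep, value = line.partition("=")
        if sep:
            # a leading "-" only tells sysctl to ignore errors for this key
            wanted[key.strip().lstrip("-")] = value.strip()
    return wanted

def check_drift(conf_text, proc_sys="/proc/sys"):
    """Compare each wanted value with the live one; value is None if unreadable."""
    results = []
    for key, want in parse_sysctl_conf(conf_text).items():
        path = Path(proc_sys, *key.split("."))    # a.b.c -> a/b/c
        try:
            live = " ".join(path.read_text().split())
        except OSError:
            live = None
        results.append({"param": key, "value": live, "secure": live == want})
    return results

if __name__ == "__main__":
    for r in check_drift(BASELINE):
        print("OK      " if r["secure"] else "INSECURE", r["param"], "=", r["value"])
```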
File Permission Security
# Critical file permissions
chmod 644 /etc/passwd # Readable by all, writable by root
chmod 640 /etc/shadow # Readable by root and shadow group
chmod 644 /etc/group # Readable by all
chmod 640 /etc/gshadow # Readable by root and shadow group
chmod 600 /etc/ssh/sshd_config # Root only
# Find world-writable files (security risk)
find /etc -perm -o+w -type f 2>/dev/null
find /var -perm -o+w -type f 2>/dev/null
# Find files without owner
find / -nouser -o -nogroup 2>/dev/null | head -20
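The find and chmod commands in this section and in the SUID audit can be expressed as one repeatable check. This added example (not the scanner's own code) treats the modes above as maximums, so a stricter mode still passes, and walks a tree for SUID, SGID and world-writable regular files; the function names are made up here, and `KNOWN_SUID` is the guide's "known safe" list.

```python
import os
import stat

# Maximum modes taken from the chmod lines in this guide.
MAX_MODES = {"/etc/passwd": 0o644, "/etc/shadow": 0o640, "/etc/group": 0o644,
             "/etc/gshadow": 0o640, "/etc/ssh/sshd_config": 0o600}
# The guide's "known safe" SUID list; everything else is reported as unknown.
KNOWN_SUID = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/passwd",
              "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/ping"}

def excess_bits(path, max_mode):
    """Bits set on path beyond max_mode; 0 means compliant (stricter is fine)."""
    return stat.S_IMODE(os.lstat(path).st_mode) & ~max_mode

def classify(st_mode):
    """Risk labels for one regular file's st_mode; other file types get none."""
    if not stat.S_ISREG(st_mode):
        return []
    labels = []
    if st_mode & stat.S_ISUID:
        labels.append("suid")
    if st_mode & stat.S_ISGID:
        labels.append("sgid")
    if st_mode & stat.S_IWOTH:
        labels.append("world-writable")
    return labels

def scan_tree(top, known_suid=KNOWN_SUID):
    """Walk top (symlinks not followed) and return one finding per risky file."""
    findings = []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                labels = classify(os.lstat(path).st_mode)
            except OSError:          # vanished or unreadable: skip
                continue
            if labels:
                findings.append({"path": path, "labels": labels,
                                 "known": path in known_suid})
    return findings

def check_critical_files(max_modes=MAX_MODES):
    """Return {path: octal excess bits} for files looser than the guide's modes."""
    return {p: oct(excess_bits(p, m)) for p, m in max_modes.items()
            if os.path.exists(p) and excess_bits(p, m)}
```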
Automated Security Scanning
#!/usr/bin/env python3
# /opt/scripts/security-audit.py
from dargslan_security_scan import SecurityScanner

ss = SecurityScanner()
score = ss.score()

# Alert on low security score
if score < 50:
    print(f"CRITICAL: Security score is {score}/100!")
elif score < 75:
    print(f"WARNING: Security score is {score}/100")
else:
    print(f"OK: Security score is {score}/100")

# Check for critical SSH issues
ssh = ss.check_ssh_config()
for issue in ssh:
    if issue['severity'] in ('critical', 'warning'):
        print(f" SSH: {issue['message']}")

# Check for unknown SUID binaries
suid = ss.find_suid_files()
unknown = [s for s in suid if not s['known']]
if unknown:
    print(f" SUID: {len(unknown)} unknown SUID binaries found!")
    for s in unknown[:5]:
        print(f" {s['path']}")
Security scanning should be part of your regular maintenance routine. dargslan-security-scan gives you a quick, comprehensive overview of your server's security posture — SSH configuration, SUID binaries, kernel parameters, file permissions, and a numeric score you can track over time.
Install now: pip install dargslan-security-scan — or get all 15 tools: pip install dargslan-toolkit