Security Audit
Daily security checks and audit routine.
Quick Security Check
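# Failed logins, last 10. The path is the Debian/Ubuntu one; RHEL-family hosts
# log to /var/log/secure. "-n 10" is the portable spelling of tail's count.
grep "Failed password" /var/log/auth.log | tail -n 10
# Root logins. NOTE: pam_unix writes the same "session opened for user root"
# line for sudo and cron sessions, so check the service tag on each hit
# (sshd: vs sudo:/cron:) before treating it as an interactive root login.
grep "session opened for user root" /var/log/auth.log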
# Listening ports
ss -tuln | grep -v 127.0.0.1
Authentication Audit
Failed Logins
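# Count failed logins by source IP. Take the word after "from" instead of a fixed
# offset from the end of the line, so message variants with extra trailing words
# (or IPv6 addresses) still yield the address.
grep "Failed password" /var/log/auth.log | \
  awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1)}' | sort | uniq -c | sort -rn | head -n 10
# Failed logins today. Keep the date format in ONE quoted argument: "date +%b %d"
# splits into two arguments, date prints an error and nothing else, and the
# resulting grep "" matched every line. Classic syslog pads the day with a space
# ("Jan  5"), hence %e rather than %d. Hosts that log RFC 3339 timestamps need
# date +%F instead.
grep "Failed password" /var/log/auth.log | grep "$(date '+%b %e')"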
# Invalid users
grep "Invalid user" /var/log/auth.log | tail -10
Successful Logins
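# Recent successful logins from wtmp (lastb reads btmp for the failed ones)
last -a | head -n 20
# SSH accepted (covers both "Accepted password" and "Accepted publickey")
grep "Accepted" /var/log/auth.log | tail -n 10
# Currently logged in
who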
w
sudo Usage
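# sudo commands actually run. The COMMAND= lines are the invocations; a bare
# "sudo:" match also returns the pam session open/close lines, which say nothing
# about what was executed.
grep "sudo:.*COMMAND=" /var/log/auth.log | tail -n 20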
# Failed sudo attempts
grep "authentication failure" /var/log/auth.log | grep sudo
System Audit
User Accounts
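# Users with an interactive shell. Test the shell field only: a grep -v over the
# whole line would also hide any account whose name or GECOS contains "false",
# and "\|" is a GNU-only grep extension.
awk -F: '$7 !~ /(nologin|false)$/ {print}' /etc/passwd
# Users with UID 0 besides root. The original printed root too, so every run had
# one hit and a real extra superuser did not stand out; anything listed here
# needs an explanation.
awk -F: '($3 == 0 && $1 != "root") {print}' /etc/passwd
# Empty passwords (reading /etc/shadow needs root)
sudo awk -F: '($2 == "") {print $1}' /etc/shadow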
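# Recent password changes. chage -l usually needs root to read another account's
# aging data; run unprivileged, the original tended to print nothing at all
# because the "Permission denied" errors went to /dev/null. Read the names line
# by line rather than word-splitting a $(...) expansion, quote the variable, and
# prefix each result with the account name so the output is attributable.
cut -d: -f1 /etc/passwd | while IFS= read -r user; do
  sudo chage -l "$user" 2>/dev/null | awk -v u="$user" '/Last password change/ {print u ": " $0}'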
done
File Permissions
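# World-writable files. Prune /proc and /sys so kernel pseudo-files do not use up
# the first 20 lines before any real hit on disk appears.
find / \( -path /proc -o -path /sys \) -prune -o -type f -perm -002 -ls 2>/dev/null | head -n 20
# SUID files. Compare against a baseline taken from a fresh install of the same
# release: a new entry is a classic privilege-escalation or persistence indicator.
find / \( -path /proc -o -path /sys \) -prune -o -type f -perm -4000 -ls 2>/dev/null
# SGID files (same baseline comparison applies)
find / \( -path /proc -o -path /sys \) -prune -o -type f -perm -2000 -ls 2>/dev/null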
# Unowned files
find / -nouser -o -nogroup 2>/dev/null | head -20
Network Audit
Open Ports
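# All listening TCP/UDP sockets, numeric (no DNS lookups)
ss -tuln
# External facing only. Drop the IPv6 loopback as well as 127.0.0.1, and match
# both as fixed strings so the dots are not regex wildcards. The entries bound to
# 0.0.0.0, * or [::] are the ones reachable from the network.
ss -tuln | grep -v -F -e "127.0.0.1" -e "[::1]"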
# Port to process mapping
sudo ss -tulnp
Firewall Status
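# UFW status (rules, default policies and logging level)
sudo ufw status verbose
# iptables rules with packet/byte counters (-v): a rule that should be busy but
# shows zero hits, or an unexpectedly busy one, deserves a look. Check the IPv6
# table too; it is often left unfiltered. Hosts that use nftables natively show
# their rules with: sudo nft list ruleset
sudo iptables -L -n -v
sudo ip6tables -L -n -v
# NOTE(review): the "Recent blocked" check that follows greps for the word
# "blocked", but ufw tags dropped packets "[UFW BLOCK]" in /var/log/ufw.log, so
# that search never matches anything; grep for "UFW BLOCK" instead.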
# Recent blocked
grep -i "blocked" /var/log/ufw.log | tail -10
Security Tools
fail2ban Status
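# Overall status. The "Jail list" line gives the jail names to query below; the
# SSH jail is "sshd" on most installs but older configs call it "ssh".
sudo fail2ban-client status
# SSH jail. Say so explicitly when the hard-coded name does not exist, instead of
# letting an unknown-jail error pass for "nothing banned".
sudo fail2ban-client status sshd || printf 'no "sshd" jail; use a name from the Jail list above\n' >&2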
# Banned IPs
sudo fail2ban-client get sshd banned
ClamAV Scan
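# Quick scan of critical dirs (-r recurse, -i list infected files only).
# The exit status is the real result: 0 clean, 1 infected files found, 2 error
# (unreadable files, missing or stale signature database). The stderr redirect
# hides those errors, so print the status rather than trusting empty output.
clamscan -ri /home /var/www 2>/dev/null; printf 'clamscan exit status: %s\n' "$?"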
# Check definitions age
sigtool --info /var/lib/clamav/main.cvd
Update Status
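# Available updates. The list is only as fresh as the package index, so run
# "sudo apt update" first. stderr is dropped because apt warns that its CLI
# output format is not stable, not because errors are expected.
apt list --upgradable 2>/dev/null | head -n 20
# Security updates (packages coming from a -security pocket)
apt list --upgradable 2>/dev/null | grep -i security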
# Last update
stat /var/cache/apt/pkgcache.bin
Daily Audit Script
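#!/bin/bash
# Daily security audit summary. Every check is read-only. Run as root, or as a
# member of the group that owns the auth log, so the login sections are populated.
# Env: AUTH_LOG overrides the auth log path (default /var/log/auth.log; use
# /var/log/secure on RHEL-family systems).
set -u

auth_log=${AUTH_LOG:-/var/log/auth.log}
# Classic syslog pads the day with a space ("Jan  5"), hence %e rather than %d.
# The whole format must be one quoted argument: "date +%b %d" split into two
# arguments, printed nothing, and the empty grep pattern then counted every line.
# NOTE: hosts that log RFC 3339 timestamps need today=$(date +%F) instead.
today=$(date '+%b %e')

# Print a section banner (printf rather than echo -e: portable escape handling).
section() { printf '\n--- %s ---\n' "$1"; }

printf '=== Security Audit %s ===\n' "$(date)"

if [[ ! -r "$auth_log" ]]; then
  printf 'warning: cannot read %s; login sections will be empty\n' "$auth_log" >&2
fi

# The filter is midnight-to-now, so the label says "today", not "last 24h".
section "Failed Logins (today)"
grep "Failed password" "$auth_log" 2>/dev/null | grep -c "$today"

section "Top Failed IPs"
# Take the word after "from" instead of a fixed offset from the end of the line
# so message variants (and IPv6 addresses) still yield the source address.
grep "Failed password" "$auth_log" 2>/dev/null \
  | awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1)}' \
  | sort | uniq -c | sort -rn | head -n 5

section "Banned IPs"
sudo fail2ban-client status sshd 2>/dev/null | grep "Banned IP"

section "Open Ports"
# Drop both loopbacks; fixed-string match so the dots are literal.
ss -tuln | grep -v -F -e "127.0.0.1" -e "[::1]" | tail -n 10

section "Security Updates"
apt list --upgradable 2>/dev/null | grep -ci security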
echo -e "\n--- Done ---"
Audit Checklist
| Check | Frequency | Command |
|---|---|---|
| Failed logins | Daily | grep "Failed password" |
| Open ports | Daily | ss -tuln |
| fail2ban | Daily | fail2ban-client status |
| Updates | Daily | apt list --upgradable |
| Permissions | Weekly | find / -perm |
| Users | Weekly | cat /etc/passwd |
- security
- audit
- daily check
- vulnerability
- compliance