Many small businesses run critical workloads on Linux—web servers, databases, CI/CD systems—but have no visibility into whether those systems are compromised.
The good news: expensive enterprise tools aren't required for meaningful security visibility. Free, well-maintained tools can catch most of what you'd worry about. The key is actually using them.
Here's a recommended toolkit for small teams managing Linux systems.
The Core Toolkit
rkhunter: Rootkit Detection
Rootkits are malware designed to hide themselves while giving attackers persistent access. They're nasty because they're hard to detect—that's literally their purpose.
rkhunter checks for known rootkit signatures and suspicious system modifications. It's not perfect, but it catches the common stuff.
```bash
# Install (Debian/Ubuntu)
sudo apt update && sudo apt install rkhunter
# Install (RHEL/Rocky/Alma)
sudo yum install epel-release && sudo yum install rkhunter
# Update signatures
sudo rkhunter --update
# Record the file-property baseline. Do this once on a known-clean system and
# again after legitimate package updates, not before every scan: --propupd
# overwrites the baseline that --check compares against.
sudo rkhunter --propupd
# Run the check
sudo rkhunter --check
```
Run it weekly. Review the output—false positives happen, but repeated warnings deserve investigation.
chkrootkit: A Second Opinion
Two rootkit scanners are better than one. They use different detection methods and catch different things.
```bash
# Install
sudo apt install chkrootkit   # Debian/Ubuntu
sudo yum install chkrootkit   # RHEL variants
# Run
sudo chkrootkit
```
If both tools flag something, pay attention.
Lynis: Full Security Audit
Lynis goes beyond malware detection to assess your overall security configuration. It checks for missing patches, weak permissions, unnecessary services, and configuration hardening opportunities.
```bash
# Install
sudo apt install lynis   # or: sudo yum install lynis
# Run full audit
sudo lynis audit system
```
The output includes a hardening index score and specific recommendations. Work through the suggestions—you don't need to address everything, but the high-priority items deserve attention.
Review the detailed log at /var/log/lynis.log.
ClamAV: Malware Scanning
ClamAV is particularly useful for systems that handle files from external sources—file servers, email servers, web upload directories. It catches known malware signatures in files.
```bash
# Install (Debian/Ubuntu)
sudo apt install clamav clamav-daemon
# Stop the freshclam service so a manual signature update does not fight it
# for the database lock, then start it again
sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam
# Scan
sudo clamscan -r -i /path/to/scan
```
The `-i` flag shows only infected files. The `-r` flag is recursive.
For systems handling user uploads, schedule regular scans of upload directories.
Linux Malware Detect (LMD/Maldet)
LMD is designed specifically for shared hosting and web server environments where PHP malware and web shells are common threats.
```bash
# Install: LMD is not packaged in the Debian/Ubuntu or RHEL repositories;
# it is installed from the upstream tarball published at rfxn.com
wget https://www.rfxn.com/downloads/maldetect-current.tar.gz
tar xzf maldetect-current.tar.gz
cd maldetect-* && sudo ./install.sh
# Scan
sudo maldet -a /var/www
```
Reports go to /usr/local/maldetect/sessions/. Review them.
AIDE: File Integrity Monitoring
AIDE takes a snapshot of your system's critical files and alerts you when something changes. If an attacker modifies system binaries or adds backdoors, AIDE catches it.
```bash
# Install
sudo apt install aide   # or: sudo yum install aide
# Initialize database (RHEL default paths shown; on Debian/Ubuntu the
# aideinit wrapper does the init and rename, and the database_out path
# in /etc/aide/aide.conf may not be gzipped)
sudo aide --init
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# Check for changes
sudo aide --check
```
The initial database should be created after a clean install and stored securely (ideally off-system). Regular checks compare current state against the baseline.
False positives happen after legitimate updates—rebuild the database after patching.
Logwatch: Log Summaries
Logs contain evidence of attacks and anomalies, but nobody has time to read raw logs daily. Logwatch generates readable summaries.
```bash
# Install
sudo apt install logwatch   # or: sudo yum install logwatch
# Generate summary
sudo logwatch --detail medium --service all --range today
```
Set it up as a daily cron job that emails you. Actually read the emails.
A Realistic Schedule
Running everything constantly isn't necessary. A reasonable schedule:
| Tool | Frequency | Why |
|---|---|---|
| rkhunter | Weekly | Catches rootkits before they establish persistence |
| chkrootkit | Weekly | Second opinion on rootkit detection |
| Lynis | Monthly | Configuration drift happens slowly |
| ClamAV/LMD | Weekly (or daily for upload dirs) | Catches malware in files |
| AIDE | Daily | Catches unauthorized changes quickly |
| Logwatch | Daily | Keeps you aware of what's happening |
Automate with cron. Review outputs. The tools are only useful if someone looks at the results.
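One way to wire the schedule above into a single cron job, as an added example that is not part of the original post. It assumes `aide`, `rkhunter` and `clamscan` are installed on the PATH, scans `/var/www` as the upload directory, and uses the hypothetical script path `/usr/local/sbin/daily-scan.sh`; the three parsers work on plain text so they can be checked on constructed output.

```shell
#!/bin/sh
# Daily wrapper for the detective tools above (added example, not from the
# original post). Assumes aide, rkhunter and clamscan are installed; /var/www
# and the report path are assumptions, adjust to your layout.

# AIDE reports findings through its exit code: bit 1 = new files,
# bit 2 = removed files, bit 4 = changed files; 0 = no changes, 14+ = error.
aide_summary() {
    code=$1
    if [ "$code" -eq 0 ]; then echo "aide: no changes"; return 0; fi
    if [ "$code" -ge 14 ]; then echo "aide: error (exit $code)"; return 2; fi
    out="aide:"
    [ $((code & 1)) -ne 0 ] && out="$out new-files"
    [ $((code & 2)) -ne 0 ] && out="$out removed-files"
    [ $((code & 4)) -ne 0 ] && out="$out changed-files"
    echo "$out"
    return 1
}

# rkhunter --check --rwo prints one "Warning: ..." line per finding.
rkhunter_warnings() {
    grep -c '^Warning:' "$1" || true
}

# clamscan ends with a summary block containing "Infected files: N".
clamscan_infected() {
    sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p' "$1"
}

# Runs the checks and appends a one-line-per-tool summary to the report.
# Root crontab entry (hypothetical path): 0 4 * * * /usr/local/sbin/daily-scan.sh
run_checks() {
    report=${1:-/var/log/scan-summary.log}
    work=$(mktemp -d) || exit 1
    {
        echo "== $(date) =="
        aide --check >"$work/aide.out" 2>&1
        aide_summary $?
        rkhunter --check --rwo >"$work/rkh.out" 2>&1 || true
        echo "rkhunter: $(rkhunter_warnings "$work/rkh.out") warning(s)"
        clamscan -r -i /var/www >"$work/clam.out" 2>&1 || true
        echo "clamav: $(clamscan_infected "$work/clam.out") infected file(s)"
    } >>"$report"
    rm -rf "$work"
}
```

Anything other than "aide: no changes", "0 warning(s)" and "0 infected file(s)" in the report is the cue to open the full tool output kept in the respective log files.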
When to Escalate
These tools help you detect problems. They don't automatically fix them. Escalate to professional help when you see:
- Multiple tools flagging the same issue
- Unknown user accounts or processes
- Unexpected open network ports
- AIDE reporting changes you didn't make
- Authentication anomalies in logs
- Anything you don't understand
Better to investigate a false positive than to ignore a real compromise.
The Bigger Picture
These tools are detective controls—they help you find problems. They're most effective when combined with preventive controls:
- Keep systems patched
- Minimize installed software
- Restrict network access
- Use key-based SSH authentication
- Disable root login
- Run services with least privilege
A hardened system is easier to monitor because there's less noise.
Need help securing your Linux infrastructure or building a monitoring program? Our cloud security services include Linux hardening and monitoring setup. Let's talk.
