Transcript of 10 Linux Tools to Lock Down Your System (Most Users Ignore These)
Video Transcript:
If you run Linux, your machine might be more exposed than you realize, so let me show you how to fix that. Linux users love to say their system is secure by default. But here is the truth: Linux is powerful, but it's not perfect. One bad config, one forgotten port, one lazy setup, and suddenly your secure system isn't so secure anymore. So today we're going through 10 underrated Linux tools, and we are following the same path real security people use, which means audit, hardening, detection, debugging, encryption, cleanup, and network visibility. And even if you are not a Linux master, you are not doing it alone: I will show a Linux GPT that walks you through every command, fixes errors in real time, and explains what is happening under the hood. Throughout this video, I will actually use it a few times as an example so you can see exactly how it helps. Alright, let's harden your Linux system the right way. Let's jump in.

We start with Lynis, the system auditor. This is under the auditing part. We start with visibility, and Lynis is a security scanning tool that helps you scan your server for vulnerabilities. Think of it like taking your Linux machine to a security doctor, but the doctor has X-ray vision and absolutely no chill. To run it, what you do is sudo lynis audit system. Here you go, you put in the password, and it starts scanning your system. While Lynis runs, here is what it's actually doing behind the scenes: it's scanning your kernel parameters, it's auditing your SSH settings, it's checking your file permissions, it's inspecting your crypto libraries, it's validating your firewall rules, and basically judging every decision you have ever made as an admin. When the audit finishes, look at the suggestions section. This is where Lynis becomes your personal security consultant. It can tell you things like harden SSH, enable firewalls, update crypto policies, and each item comes with a Lynis code.
You can Google for the exact fix. You can see, for me, I got two warnings and 58 suggestions, and then it tells me exactly what I need to install or what I need to run to harden my configuration.

Next up, let's talk about one of the best defenders, in my view, that you can have watching your Linux, called fail2ban. This is the hardening part. Every day, bots and bad actors are scanning the internet for open SSH ports. Many just try logging in over and over, guessing passwords. Fail2ban is like a security camera, guard dog and bouncer all in one. It watches your logs for patterns. Too many failed login attempts, and it automatically blocks the IP using your firewall. No scripts, no cron jobs, just pure automatic defense. So what are the commands? The first one is sudo apt install fail2ban, if you don't have it already. Here it's updated, and then sudo systemctl enable fail2ban --now. What does it do? It actually starts fail2ban and makes sure it always starts on boot. The last one is to check if fail2ban is protecting SSH and how many attackers were banned. For that, we do sudo fail2ban-client status sshd, as you can see here. We get this output, which means no one is currently trying to get in. I have one total in the ban list, but if you don't know what it means, what I suggest is you copy that, and here I'm going to ChatGPT on the Linux side. Let me help you with this. Let me switch. This is my ChatGPT, and on the left side, under the GPTs in Explore, you can search for the Linux specialist. I already have it, so I will click it, and then I will just ask it what this means and paste the selection that I copied from my Linux terminal. We can see now that this output is from fail2ban-client status, and then it explains it line by line. Summary: fail2ban is working as expected. It's actively monitoring the attempts.
One IP was banned in the past, but currently no bans are in effect. No suspicious or failed login attempts are currently happening. And it gives you more suggestions that you can take forward. By the way, you can even configure fail2ban to ban IPs permanently, send email alerts, or hook it into services to ban attackers before they reach your systems. And if you're not sure, use this Linux GPT.

So we have reached hardening, and for that I don't want to use Kali Linux for a second, but I do want to speak about two tools related to it. One is sbctl and the second is AppArmor. I want to show it through the Linux GPT, because I do want you to use it when possible. You can already see I asked: can you explain briefly AppArmor and sbctl, why and how to use them, and a real-life use case example. It's saying, for example, AppArmor: AppArmor is a Linux security module that controls what applications can access, such as files, network or system resources, using security profiles. Why use it? If a program is compromised, AppArmor limits the damage it can do. It reduces the attack surface by enforcing least privilege. It's like a firewall, but for applications, not just traffic. Then how to use it: it shows the commands and gives some information about it, along with the real-life use case. Then it speaks about sbctl, which is a utility to help you manage Secure Boot on Linux. It lets you create, sign and verify Secure Boot keys and sign kernel or boot files. Why? Because it ensures that only trusted code runs during system boot, and it helps prevent rootkits, boot-time malware or unauthorized kernel tampering. I will not run it because of the time limit, but I do want you to be aware of it, try it, and ask the Linux expert GPT about it.

Next is Rootkit Hunter, called rkhunter. This is a warning system that tells you when something ugly is hiding under the floorboards.
To run it fast, again, I need sudo rkhunter --check. This will start checking the system, as you can see. What it actually does: it scans your system for known rootkits, checks for modified binaries, compares your commands against trusted signatures, and looks for hidden files, suspicious strings, and backdoored services. In other words, if malware tries to replace a system binary like ssh, login or passwd, rkhunter will light it up like a Christmas tree. If something even smells off, rkhunter screams louder than my kids, I must say, when the Wi-Fi drops. Now a few things on rootkits. Rootkits are especially dangerous because they run before your security tools do. They hide processes, they hide network connections, and pretend everything is normal. That's why tools like rkhunter are critical: they check the integrity of your system at the deepest level. And now it's finished. I got the summary up: how many files were checked, what the suspected files are, possible rootkits, etc. There are many things you can do with rkhunter, and if you need some help, use the ChatGPT I showed you before, which will help and guide you in hardening and better detection on your system.

Next is, and let's clear the screen as well, ClamAV. This is malware detection. Yes, Linux gets malware too. Surprise, huh? Not as much as Windows, but enough that you don't want to ignore it. ClamAV is basically the classic virus scanner for Linux. It checks your files, downloaded scripts, even mail attachments, and alerts you if something malicious is hiding on your machine. How it works: from files, to Clam antivirus, to malware flagged. How do we do it? Very easy: clamscan -r on, let's say, my home directory. Then it performs the scan. It uses signature-based detection, meaning it compares files on your system to a huge database of known malware fingerprints.
So if someone tries to upload a malicious PHP shell, for example, or you accidentally download a trojan, Clam antivirus is supposed to catch it before it spreads. Of course, it will not catch every advanced threat, but it will catch the stuff you really don't want living free on your servers. And yes, it's free, open source and used on mail servers worldwide. Even big companies rely on it to scan incoming attachments. Since we don't have all the time here, I will break it and we will continue with a different tool.

Next I want to speak about debugging, especially about a command called strace. I want to see exactly what's going on with my processes, what's happening behind the scenes. The easiest way, I think, to demonstrate it is the following. First, I want to ping google.com. The & at the end is to allow it to run in the background. And I want to see the PID as well. The PID is here: 1775537. Now I'm moving to a second terminal. Then what I want to do is run strace with my PID number. And that's it. It's pulling the entire process that is running behind. What you can see is that you are tracing now the exact ping command running in terminal one. It shows all the system calls it performs in real time, like file access, network activity, memory operations, and waits. It lets you see exactly what the process is doing or why it's stuck behind the scenes.

Now I want to speak about encryption, or encrypting your sensitive files. For that, I will use a tool called eCryptfs, which is a built-in Linux tool that lets you create a folder where everything is automatically encrypted. Files are encrypted on the disk, but look and act normal while you are using them. It's perfect for protecting sensitive data without encrypting the whole system. We'll do it in a few steps. Step one, I want to create a custom encrypted folder, and we will call it vault: sudo mkdir ~/vault.
Okay, great. Second, this will be our encrypted folder, so anything you put in here will be protected. Now we want to mount it with encryption, right? So again, sudo mount -t ecryptfs, right? I want to do it with the vault; I tried it before, and again, vault. Did I do it okay? Yes. I want to follow with passphrase. And then what is the passphrase? Everyone, you can do whatever you want. Then I want to select the AES cipher. I want to use 16 bytes for the key. Then enable plaintext passthrough: no need. And filename encryption: yes. Then I can just keep pressing Enter, and we are mounting the vault as an encrypted folder. Everything written here is now stored encrypted on the disk. Now we want to add a secret file. I will write it as sudo and as root, because the directory is in root currently. And I did that. Now I want to unmount the vault. Command not found. Of course, because I don't need the n. Okay. And then ls vault. What we can see is that it's gibberish. Let's do it again. Now I want to see what's in the vault. Here I see gibberish, but either I will get permission denied or something else. But here I see the gibberish. To unlock it, what I need to do is sudo mount -t, yes, again, ecryptfs vault vault. Then I do everything again: I want 16, and no, and yes. And if I want to cat vault/plan.txt: top secret project plan. I can see it. So what gets encrypted? Inside the vault, both the file content and the file name are encrypted. Even if someone steals your disk, they won't see readable data or names, just encrypted blobs, or gibberish, as we say. With just one command, eCryptfs gives you strong encryption. No special tools, no external drives. Everything stays in your home directory, safe and secure. It's simple, native and effective.

Now we reach the cleanup stage. And here is something people do not realize.
When you delete a file, it doesn't really delete it. It more hides it, like sweeping dirt under a rug. Anyone with the right tool can pull that data back. What I want to show is a few steps on how to do it right and really wipe files or directories, and I will give a simple example. First step: let's create a sensitive file. echo my top secret password is ..., and we'll put it in a secret.txt file. I did this. Now I want to remove the secret.txt file. That's a normal delete, like most users will do. But guess what? As I said before, the data isn't really gone, just unlinked from the file system. With the right forensic tools or disk editors, we could still recover the data, because it's still sitting on the disk. I will not show it because of time. If you do want to see how to do it, write me in the comments and I will create a short video on that. So how do I really wipe this one? Again, let's create it. Then what I would do is sudo, -u, -n. I will explain, don't worry. secret.s, i, d, no: secret.txt. Let's clear. Let's create the file again to wipe it permanently. I can do secret.txt -r. It will ask me if this is what I want to do, and I will tell it yes. And that's it. By the way, if I want to wipe the entire directory, I write the directory here as well. With that said, that's how you really delete and remove files or content from your drive.

Now that we can debug processes, let's see who is talking to the outside world. In Linux, it's important to know what services are running on your machine, what ports they are using, and which processes are listening for incoming connections. This is especially critical for security troubleshooting, or just general awareness of your system activity. We'll start with the first command, ss. ss stands for socket statistics. It's a built-in Linux tool that shows you network connections, open ports, and listening services.
Think about it like a modern, faster version of the old netstat command. It goes like this: sudo ss -tulpn, and I will put my password in there. Before I explain what we see: in tulpn, t shows the TCP connections, u shows the UDP connections, l shows listening sockets, p shows the processes, and n shows numeric ports and addresses. In the end, this command shows every service that is listening for connections on your system and which process owns its socket. Here we can see the sshd process. That's the SSH daemon, listening on port 22, the default SSH port, of course. It's listening on both IPv4 and IPv6, and the process ID is 1785013.

Next is the lsof command. lsof stands for list open files. In Linux, everything is a file, remember? And that includes network sockets. So lsof can show you which processes have open network connections or ports. To run it, I need sudo lsof -i, then the port itself. It shows us any processes that are using port 22, as we know already, SSH. Then we see the same sshd processes here, listening again on both IPv4 and IPv6. The FD column shows the file descriptors, and the LISTEN tells us it's accepting connections from any interface on port 22. With ss and lsof, you get full visibility into what your system is doing on the network. Again, ss shows what's listening and who owns it, and lsof shows who is using which port. Together, they let you spot misconfigurations, find suspicious activity, or just verify that your system is behaving the way you expect. And the best part, again: these tools are built in, no extra software needed.

So there you go, 10 underrated Linux tools to lock down your system properly. This is how you turn a Linux machine from "probably fine" into, I don't want to say bulletproof, but much more secure. Which tool surprised you the most? Drop it in the comments. I read all of them, or I try to read all of them.
And if you get stuck with any command, I remind you, asklinuxgpt inside the ChatGPT Explore tab is your perfect Linux assistant. Thanks for watching. If you are still not a subscriber and you like what I showed here, please subscribe. It will take only a second. Like the video, leave your comments, share, and I will see you in the next one.
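The ss check from the network-visibility part, as an added example that is not from the video: a POSIX shell script that parses an ss -tulpn listing (the SAMPLE_SS text is constructed for this example), drops loopback-only sockets, and reports any exposed listener whose port is not on a baseline of expected ports. Run it against a live host by passing "$(sudo ss -tulpn)" in place of the sample.

```shell
#!/bin/sh
# Added example (not from the video): triage an `ss -tulpn` listing and
# report which listening sockets are reachable from other hosts.
# SAMPLE_SS is constructed for this example; on a real host use
#   unexpected_listeners "$(sudo ss -tulpn)" "22"

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:* users:(("systemd-resolve",pid=612,fd=13))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:* users:(("sshd",pid=1785013,fd=3))
tcp   LISTEN 0      511    127.0.0.1:6379      0.0.0.0:* users:(("redis-server",pid=902,fd=6))
tcp   LISTEN 0      128    [::]:22             [::]:*    users:(("sshd",pid=1785013,fd=4))
tcp   LISTEN 0      4096   0.0.0.0:9100        0.0.0.0:* users:(("node_exporter",pid=1440,fd=3))'

# exposed_sockets LISTING
# Prints "proto addr port process pid" for every socket whose local address
# is not loopback (127.x or [::1]); 0.0.0.0 and [::] mean every interface.
exposed_sockets() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 6 {
        addr = $5; sub(/:[^:]*$/, "", addr)      # strip the ":port" suffix
        port = $5; sub(/^.*:/, "", port)         # keep only the port
        if (addr ~ /^127\./ || addr == "[::1]") next
        proc = "?"; pid = "?"                    # "?" when run without -p rights
        if (match($7, /"[^"]+"/))    proc = substr($7, RSTART + 1, RLENGTH - 2)
        if (match($7, /pid=[0-9]+/)) pid  = substr($7, RSTART + 4, RLENGTH - 4)
        print $1, addr, port, proc, pid
    }'
}

# unexpected_listeners LISTING "PORT PORT ..."
# Prints every exposed socket whose port is not in the space-separated
# baseline, i.e. services you did not expect to be reachable.
unexpected_listeners() {
    allow=" $2 "
    exposed_sockets "$1" | while read -r proto addr port proc pid; do
        case "$allow" in
            *" $port "*) ;;
            *) printf '%s %s:%s %s (pid %s)\n' "$proto" "$addr" "$port" "$proc" "$pid" ;;
        esac
    done
}

# Only sshd on 22 is expected; the sample then flags node_exporter on 9100.
unexpected_listeners "$SAMPLE_SS" "22"
```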
10 Linux Tools to Lock Down Your System (Most Users Ignore These)
Channel: Yaniv Hoffman