# Security audit with Lynis

Audit your HolyCloud VPS security with Lynis: hardening, compliance, and actionable recommendations.

Lynis analyzes a Linux system and produces a hardening report, useful on any HolyCloud Linux VPS before production or after an incident. It does not replace a pentest, but provides a prioritized checklist.

## Prerequisites

- HolyCloud VPS Ubuntu/Debian, root or sudo access
- HolyCloud snapshot recommended before mass changes suggested by the report
- 5 to 15 minutes runtime depending on system size

## Step 1: Installation

Via repository or package:

```bash
sudo apt update
sudo apt install -y lynis
lynis show version
```

Upstream script install (recent version):

```bash
cd /tmp
# -f makes curl fail on an HTTP error instead of saving the error page
curl -fsSL https://downloads.cisofy.com/lynis/lynis-3.0.9.tar.gz -o lynis.tar.gz
# Compare the archive with the checksum published on the Lynis download page before running it as root
tar xzf lynis.tar.gz
cd lynis
sudo ./lynis audit system
```

## Step 2: Full audit

```bash
sudo lynis audit system
```

Useful options:

```bash
sudo lynis audit system --quick
sudo lynis audit system --profile /etc/lynis/default.prf
```

The report appears at the end with a hardening index (score) and [ ] suggestions.

## Step 3: Read the report

Detailed report:

```bash
sudo grep -E 'suggestion|warning' /var/log/lynis-report.dat | tail -30
sudo less /var/log/lynis.log
```

Details for a single test, and the location of the report file:

```bash
sudo lynis show details SSH-7408   # "show details" needs a test ID from the report
sudo lynis show report
```

Important files:

| File | Content |
|------|---------|
| /var/log/lynis.log | Execution log |
| /var/log/lynis-report.dat | Structured results |

## Step 4: Common actions after Lynis (HolyCloud VPS)

### SSH

Lynis often recommends:

```bash
sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
# The OpenSSH unit is named "ssh" on Ubuntu/Debian
sudo systemctl reload ssh
```

Keep an open SSH session and test a new connection before closing the old one. If the image ships drop-in files under /etc/ssh/sshd_config.d/, a value set there takes precedence over the main file; `sshd -T` prints the effective configuration.

### Updates

```bash
sudo apt update && sudo apt upgrade -y
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
```

### Firewall

```bash
sudo ufw default deny incoming
sudo ufw allow OpenSSH
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw enable
```

### Fail2ban

```bash
sudo apt install -y fail2ban
sudo systemctl enable --now fail2ban
```

### Permissions

```bash
sudo chmod 600 /etc/ssh/sshd_config
sudo find /home -maxdepth 2 -name '.ssh' -type d -exec chmod 700 {} \;
sudo find /home -path '*/.ssh/authorized_keys' -exec chmod 600 {} \;
```

## Step 5: Scheduled audit

Weekly cron job. The output is redirected to /var/log/lynis-weekly.log; cron only emails output that is not redirected, and only if mail is configured:

```bash
echo '0 4 * * 0 root /usr/sbin/lynis audit system --cronjob > /var/log/lynis-weekly.log 2>&1' | sudo tee /etc/cron.d/lynis-audit
```

Compare score over time:

```bash
# The index is stored as hardening_index=NN in the report file
sudo grep hardening_index /var/log/lynis-report.dat
```

## Step 6: Interpretation on a VPS

Some Lynis recommendations target physical servers (GRUB, reserved sectors); ignore or adapt them on a HolyCloud VPS. Prioritize: SSH, updates, firewall, accounts, unused services.

Services to disable if unused:

```bash
sudo systemctl list-unit-files --state=enabled | grep -E 'bluetooth|cups'
sudo systemctl disable --now cups 2>/dev/null || true
```

## Verification

```bash
sudo lynis audit system --quick
sudo lynis show details SSH-7408
```

## HolyCloud support

- Low score despite hardening: rerun after fixes; some points require a reboot
- SSH lockout: use the HolyCloud VNC/KVM console if available in the customer area
- HolyCloud support: provide a lynis.log excerpt (no sensitive data), OS version, exposed services (ports 80/443/22)
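
Added example (not part of the original guide or of Lynis itself): Steps 3 and 5 as a small POSIX shell helper that lists the findings in the report file and logs the hardening index so that successive runs can be compared. The function names, the history file and the sample report (constructed, following the `hardening_index=`, `warning[]=` and `suggestion[]=` layout of `lynis-report.dat`) are assumptions.

```shell
#!/bin/sh
# Added example: list findings from a Lynis report and log the hardening index.

# Print the hardening index stored in the report (empty if absent).
lynis_index() {
    sed -n 's/^hardening_index=\([0-9][0-9]*\)$/\1/p' "$1" | tail -n 1
}

# Print "KIND TEST-ID  message", warnings first. Only the first two '|'
# fields are used, because later fields can themselves contain '|'.
lynis_findings() {
    awk -F'|' '
        /^warning\[\]=/    { sub(/^warning\[\]=/, "", $1);    w[++nw] = "WARNING    " $1 "  " $2 }
        /^suggestion\[\]=/ { sub(/^suggestion\[\]=/, "", $1); s[++ns] = "SUGGESTION " $1 "  " $2 }
        END { for (i = 1; i <= nw; i++) print w[i]
              for (i = 1; i <= ns; i++) print s[i] }
    ' "$1"
}

# Append "date index" to a history file (hypothetical path chosen by the
# caller) and print the change since the previous entry.
lynis_record() {
    report=$1; hist=$2
    idx=$(lynis_index "$report")
    [ -n "$idx" ] || { echo "no hardening_index in $report" >&2; return 1; }
    prev=$(tail -n 1 "$hist" 2>/dev/null | awk '{print $2}')
    printf '%s %s\n' "$(date +%F)" "$idx" >> "$hist"
    if [ -n "$prev" ]; then echo "index $idx (change: $((idx - prev)))"
    else echo "index $idx (first run)"; fi
}

# Constructed sample in the report's layout (not output from a real scan).
write_sample() {
    cat > "$1" <<'EOF'
hardening_index=62
warning[]=PKGS-7392|Found one or more vulnerable packages.|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set YES to (FORCED-COMMANDS-ONLY|NO|WITHOUT-PASSWORD))|-|
suggestion[]=FIRE-4590|Configure a firewall/packet filter to filter incoming and outgoing traffic|-|-|
EOF
}

# Demo on the sample; on a real host pass /var/log/lynis-report.dat (as root).
demo_dir=$(mktemp -d)
write_sample "$demo_dir/report.dat"
lynis_findings "$demo_dir/report.dat"
lynis_record "$demo_dir/report.dat" "$demo_dir/history"
```

Lynis overwrites the report file on each run, so the history file is what makes week-to-week comparison possible; call `lynis_record` right after the scheduled audit finishes.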