In today’s connected world, securing your Linux servers is non-negotiable. Whether you’re running a public-facing API, a web application, or internal systems, even a brief intrusion can result in serious damage. If you’re managing infrastructure on Debian 12 (Bookworm), it’s crucial to know how to assess whether your server has been compromised. This article walks through a practical and layered approach to check for possible breaches.

Why One Tool Isn’t Enough

Tools like chkrootkit or rkhunter are great starting points, but relying on them alone can leave you blind to advanced threats. A sophisticated attacker may erase logs, mask processes, or even install kernel-level rootkits that evade standard checks. That is why layering multiple methods gives you the best chance of detecting a compromise.

1. Scan for Rootkits with chkrootkit

chkrootkit is a lightweight tool that looks for known rootkits and common signs of tampering.

sudo apt update
sudo apt install chkrootkit
sudo chkrootkit

Look for output lines containing warnings or suspicious activity. If it reports “INFECTED”, it deserves immediate investigation.

2. Add a Second Layer: rkhunter

rkhunter complements chkrootkit by scanning for altered binaries, hidden files, and unauthorized kernel modules.

sudo apt install rkhunter
sudo rkhunter --update
sudo rkhunter --check --sk --rwo

The --sk flag skips the "press enter" prompt between test stages, and --rwo displays only actual warnings, which makes the output easier to scan.

3. Check Login History and Active Sessions

Use the following commands to look for unusual login activity:

last -a | head -20       # Recent logins with originating IPs
who                      # Currently logged-in users
lastlog                  # Last login for all users
sudo journalctl -u ssh   # SSH logs

Be alert for:

  • Logins at odd hours
  • Unknown users or accounts
  • IP addresses from unexpected locations

4. Validate System File Integrity with debsums

debsums checks whether any files installed from Debian packages have been modified:

sudo apt install debsums
sudo debsums -s

If you see any output, those files differ from the package defaults — possibly because of a breach.

Note: This does not detect tampering with manually installed binaries or scripts, since nothing under /usr/local or /opt comes with package checksums.
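To cover the gap debsums leaves, you can keep your own checksum baseline for locally installed files. The script below is an added example, not part of the original article: it records SHA-256 sums for everything under a set of directories and later reports what was modified, added or removed. It assumes GNU coreutils and findutils (as on Debian) and paths without whitespace; the directory names in the comments are suggestions only.

```bash
#!/bin/bash
# Added example (not from the original article): a SHA-256 baseline for files
# that debsums cannot vouch for, such as scripts under /usr/local/bin or /opt.
# Assumes GNU find/sort/xargs and paths without whitespace.

# Hash every regular file under the given directories, sorted by path.
hash_tree() {
  find "$@" -type f -print0 | sort -z | xargs -0r sha256sum
}

# Record a baseline. Keep the result read-only and off the host (or on
# write-protected media): an attacker with root can otherwise rewrite it.
#   make_baseline /root/local-files.sha256 /usr/local/bin /opt
make_baseline() {
  local out=$1; shift
  hash_tree "$@" > "$out"
}

# Compare the current tree against a baseline. Prints one line per difference
# (MODIFIED / NEW / MISSING) and returns 1 if anything differs, 0 otherwise.
#   verify_baseline /root/local-files.sha256 /usr/local/bin /opt
verify_baseline() {
  local base=$1; shift
  local report
  report=$(hash_tree "$@" | awk '
    NR == FNR { base[$2] = $1; next }            # first input: baseline, path -> hash
    {
      if (!($2 in base))        print "NEW      " $2
      else if (base[$2] != $1)  print "MODIFIED " $2
      delete base[$2]
    }
    END { for (p in base) print "MISSING  " p }  # left over = no longer on disk
  ' "$base" -)
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Self-contained demonstration on a constructed directory tree: one file is
# edited, one is added, one is removed, and the report should list all three.
demo() {
  local dir base out rc=0
  dir=$(mktemp -d); base=$(mktemp)
  mkdir -p "$dir/bin"
  printf '#!/bin/sh\necho backup\n' > "$dir/bin/backup.sh"
  printf '#!/bin/sh\necho deploy\n' > "$dir/bin/deploy.sh"
  make_baseline "$base" "$dir"

  printf '#!/bin/sh\necho tampered\n' > "$dir/bin/backup.sh"   # modified
  printf 'x\n' > "$dir/bin/.helper"                            # new
  rm "$dir/bin/deploy.sh"                                      # missing

  out=$(verify_baseline "$base" "$dir") || rc=$?
  printf '%s\n' "$out" | sed "s#$dir#<dir>#" | sort
  rm -rf "$dir" "$base"
  return $rc
}

demo
```

Run make_baseline once after you have verified the host is clean, store the baseline somewhere the host cannot modify, and run verify_baseline from the daily job; a non-zero exit code is your signal to investigate.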

5. Review Authentication and System Logs

Your logs are your first line of defense. Check for repeated failed login attempts, unexpected sudo actions, or signs of tampering:

sudo grep 'Failed password' /var/log/auth.log
sudo grep 'Accepted password' /var/log/auth.log

Note: a default Bookworm install ships without rsyslog, so /var/log/auth.log may not exist. In that case read the same records from the journal, e.g. sudo journalctl -u ssh for sshd and sudo journalctl _COMM=sudo for sudo.

Also look for commands executed with elevated privileges:

sudo grep 'COMMAND=' /var/log/auth.log

Use log rotation so the logs stay manageable, and forward them to an external logging service so that an attacker who gains root on the host cannot quietly erase the evidence.
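Running grep by hand works for a quick look, but the questions from sections 3 and 5 (who failed repeatedly, who logged in at odd hours, what ran under sudo) are easy to script. The block below is an added example, not from the original article. It works on traditional auth.log-style lines and runs against a small constructed sample so you can try it offline; point the functions at /var/log/auth.log (or at journalctl output with -o short) on a real host.

```bash
#!/bin/bash
# Added example (not from the original article): offline triage of sshd/sudo
# lines in traditional auth.log format. The sample log below is constructed.

# Write a small constructed auth.log sample to a temp file and print its path.
make_sample_log() {
  local f
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
Jul  3 02:14:07 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul  3 02:14:09 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul  3 02:14:12 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jul  3 02:15:01 web1 sshd[2107]: Accepted password for root from 203.0.113.7 port 51044 ssh2
Jul  3 09:30:45 web1 sshd[2210]: Accepted publickey for deploy from 192.0.2.10 port 40112 ssh2
Jul  3 11:02:13 web1 sshd[2290]: Failed password for deploy from 198.51.100.4 port 33000 ssh2
Jul  3 11:02:30 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
EOF
  echo "$f"
}

# Failed password attempts per source IP, most frequent first ("count ip").
failed_by_ip() {
  grep 'Failed password' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Successful logins whose hour falls inside a quiet window (default 00:00-05:59).
odd_hour_logins() {
  local start=${2:-0} end=${3:-5}
  awk -v s="$start" -v e="$end" '
    /Accepted (password|publickey)/ {
      split($3, t, ":"); h = t[1] + 0   # $3 is HH:MM:SS in traditional syslog format
      if (h >= s && h <= e) print
    }' "$1"
}

# Source IPs that failed repeatedly and then succeeded: the pattern to look at first.
brute_then_success() {
  awk '
    /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++ }
    /Accepted (password|publickey)/ {
      for (i = 1; i <= NF; i++)
        if ($i == "from" && fails[$(i + 1)] > 0)
          print $(i + 1), "after", fails[$(i + 1)], "failures"
    }' "$1"
}

# Commands run through sudo, one per line.
sudo_commands() {
  grep 'COMMAND=' "$1" | sed 's/.*COMMAND=//'
}

# Stand-alone run against the constructed sample.
main() {
  local f
  f=$(make_sample_log)
  echo "== failed attempts per IP ==";        failed_by_ip "$f"
  echo "== logins in the 00-05 window ==";    odd_hour_logins "$f"
  echo "== failures followed by success =="; brute_then_success "$f"
  echo "== sudo commands ==";                 sudo_commands "$f"
  rm -f "$f"
}

main "$@"
```

The brute_then_success view is the one to read first: a burst of failures from one address followed by an accepted login from the same address is the classic signature of a guessed password, and it is far easier to spot this way than by scrolling through the raw file.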

6. Inspect Running Processes and Open Ports

Unknown or suspicious processes and listening ports can be a red flag:

ps aux --sort=-%mem | head -15       # Top memory-consuming processes
sudo netstat -tulnp                  # List listening ports (needs the net-tools package)
sudo ss -tunap                       # Modern replacement for netstat, installed by default

Watch for unexpected services or binaries running from temp directories or home folders.
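The ps and ss listings above still leave you to eyeball every path. As an added example (not from the original article), the script below resolves each process's executable through /proc/<pid>/exe, which a process cannot rename the way it can its argv[0], and flags the locations the text warns about: temp directories, home folders, and binaries that were deleted from disk while still running. The directory list is an assumption to adapt to your own layout.

```bash
#!/bin/bash
# Added example (not from the original article): flag processes whose executable
# lives somewhere a packaged service rarely does, using /proc rather than ps
# output so the check does not depend on what the process reports about itself.
# The directory list is an assumption; extend it for your own layout.

# Return 0 (true) when a resolved /proc/<pid>/exe path deserves a look.
suspicious_exe_path() {
  case "$1" in
    /tmp/*|/var/tmp/*|/dev/shm/*|/home/*|/run/user/*) return 0 ;;  # writable by unprivileged users
    *' (deleted)')                                    return 0 ;;  # binary removed while still running
    *)                                                return 1 ;;
  esac
}

# Walk /proc and print "pid<TAB>exe<TAB>cmdline" for each match. Run as root so
# every exe link is readable; kernel threads have no exe and are skipped.
scan_processes() {
  local p pid exe cmd
  for p in /proc/[0-9]*; do
    pid=${p#/proc/}
    exe=$(readlink "$p/exe" 2>/dev/null) || continue
    if suspicious_exe_path "$exe"; then
      cmd=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)
      printf '%s\t%s\t%s\n' "$pid" "$exe" "$cmd"
    fi
  done
}

# Same idea for listeners: an open port owned by a process from such a path
# needs an explanation. Parses ss -tulnp output (-H drops the header); the
# process column is only populated when run as root.
scan_listeners() {
  local line pid exe
  ss -tulnpH 2>/dev/null | while IFS= read -r line; do
    pid=$(printf '%s\n' "$line" | sed -n 's/.*pid=\([0-9]*\).*/\1/p' | head -n1)
    [ -n "$pid" ] || continue
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
    if suspicious_exe_path "$exe"; then
      printf '%s\t%s\n' "$exe" "$line"
    fi
  done
}

# Stand-alone run: report matches from both views (empty output is the good case).
scan_processes
scan_listeners
```

Expect some noise on a developer box where people run their own builds from home directories; on a production server that only runs packaged services, any line this prints is worth explaining before you move on.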

7. Optional: File Access Auditing with auditd

If you’re serious about tracking user and system activity:

sudo apt install auditd
sudo systemctl enable auditd --now

Generate reports:

sudo aureport -au       # Authentication events
sudo aureport -x        # Executed commands

This lets you trace what was run and when — even by root.

Automate with a Daily Scan Script

You can automate rootkit scans and integrity checks with a daily cron job. A basic example:

#!/bin/bash
# Daily rootkit and integrity sweep; everything is appended to one log file.
LOG=/var/log/daily-security.log

# Print a timestamped section header. (echo "\n..." does not expand \n in bash,
# so printf is used instead.)
section() { printf '\n=== %s (%s) ===\n' "$1" "$(date '+%F %T')"; }

{
  section chkrootkit
  chkrootkit
  section rkhunter
  rkhunter --update
  rkhunter --check --sk --rwo
  section debsums
  debsums -s
} >> "$LOG" 2>&1

Make the script executable (chmod +x /path/to/scan.sh) and schedule it:

echo "0 3 * * * root /path/to/scan.sh" | sudo tee /etc/cron.d/daily-security

Final Thoughts

No tool can give a 100% guarantee that your server is breach-free. But by combining vulnerability scanners, rootkit detectors, integrity verification, and manual log analysis, you significantly increase your chances of catching an intrusion before it escalates.

Security is a process, not a product. Make this checklist part of your routine and consider layering in more robust solutions like fail2ban, intrusion detection systems (e.g. OSSEC, Wazuh), and offsite log aggregation.

Stay secure, stay vigilant.
