In today’s connected world, securing your Linux servers is non-negotiable. Whether you’re running a public-facing API, a web application, or internal systems, even a brief intrusion can result in serious damage. If you’re managing infrastructure on Debian 12 (Bookworm), it’s crucial to know how to assess whether your server has been compromised. This article walks through a practical and layered approach to check for possible breaches.
Why One Tool Isn’t Enough
Tools like chkrootkit or rkhunter are good starting points, but relying on them alone can leave you blind to advanced threats. A sophisticated attacker may erase logs, hide processes, or install a kernel-level rootkit that lies to every user-space check, including the scanners themselves. Because each method can be defeated on its own, layering several independent checks gives you the best chance of detecting a compromise. For a server you already suspect, the most trustworthy checks are the ones run from outside the running system (a rescue image or a copy of the disk), since a rootkit on the host cannot influence those.
1. Scan for Rootkits with chkrootkit
chkrootkit is a lightweight tool that looks for known rootkits and common signs of tampering.

```bash
sudo apt update
sudo apt install chkrootkit
sudo chkrootkit
```

Look for output lines containing warnings or suspicious activity. A line reporting "INFECTED" deserves immediate investigation, but treat it as a lead rather than a verdict: chkrootkit's signature checks are known to produce false positives (for example on legitimately hidden processes or on files that happen to match a pattern), so confirm the finding with a second method before rebuilding the host. Keep in mind that chkrootkit relies on the system's own binaries and kernel, which a rootkit may already control.
2. Add a Second Layer: rkhunter
rkhunter complements chkrootkit by checking for altered binaries, hidden files, suspicious kernel modules, and changed file properties.

```bash
sudo apt install rkhunter
sudo rkhunter --propupd   # record a baseline of file properties (only on a known-clean system)
sudo rkhunter --update    # refresh the data files, if your rkhunter.conf permits web updates
sudo rkhunter --check --sk --rwo
```

The --propupd step stores the baseline that later runs compare against, so take it right after installation on a system you trust and again after every package upgrade; otherwise rkhunter warns about every binary that apt legitimately replaced. The Debian package may ship with web updates disabled, in which case --update reports that nothing was done; the data files then come from the package itself. The --sk flag skips the "press enter" prompts and --rwo reports warnings only, which makes the output easier to scan. The full log is written to /var/log/rkhunter.log.
3. Check Login History and Active Sessions
Use the following commands to look for unusual login activity:

```bash
last -a | head -20        # recent logins with originating hosts (read from /var/log/wtmp)
who                       # currently logged-in users
lastlog                   # last login for every account
sudo journalctl -u ssh    # sshd entries from the systemd journal
```

Be alert for:
- Logins at odd hours
- Unknown users or accounts, and system accounts (nobody, www-data) that suddenly show a login
- IP addresses from unexpected locations
- Gaps or partially zeroed entries in the last output, which can indicate that wtmp was edited to hide a session

Also compare the account list in /etc/passwd against what you expect: attackers commonly add a user or give an existing one a UID of 0.
4. Validate System File Integrity with debsums
debsums compares the files installed from Debian packages against the MD5 checksums that dpkg recorded at install time:

```bash
sudo apt install debsums
sudo debsums -s
```

With -s (silent) debsums prints nothing for files that match, so any output names a file that differs from what the package shipped. Expect a few legitimate hits for configuration files under /etc that you edited yourself; an unexplained change to a binary in /usr/bin or /usr/sbin, a shared library, or a PAM module is a much stronger signal.
Note: debsums only covers files that came from a package, so it says nothing about manually installed binaries or scripts. It also trusts the checksum lists in /var/lib/dpkg/info, which an attacker with root can rewrite to match the tampered files; for a suspected compromise, verify against a freshly downloaded copy of the package rather than the local lists.
5. Review Authentication and System Logs
Logs are where an intrusion usually leaves its first trace. Check for repeated failed login attempts, unexpected sudo actions, and signs of tampering such as gaps in the timeline:

```bash
sudo grep 'Failed password' /var/log/auth.log
sudo grep 'Accepted password' /var/log/auth.log
```

Search for 'Accepted publickey' as well, since key-based logins do not appear under 'Accepted password'. Also look for commands executed with elevated privileges:

```bash
sudo grep 'COMMAND=' /var/log/auth.log
```

On a fresh Debian 12 install rsyslog is no longer installed by default, so /var/log/auth.log may not exist; in that case the same entries are in the journal (journalctl _COMM=sshd and journalctl _COMM=sudo). Because an attacker with root can edit or truncate local logs, forward them to a remote log host or a write-once store as they are produced; log rotation on its own protects disk space, not integrity.
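Sections 3 and 5 both come down to reading the lines sshd writes, whether from auth.log or from journalctl -u ssh, and grep alone does not answer the question that matters: did a source that was guessing passwords eventually get in? The script below is an added example for this article, not code from the page or from any Debian package. It parses the same 'Failed password' and 'Accepted ...' messages the greps above match, tallies them per source address, and flags a success that follows a run of failures. The log lines in SAMPLE are constructed, and FAILURE_THRESHOLD is an assumed value you should tune.

```python
#!/usr/bin/env python3
"""Flag SSH brute-force activity in sshd log lines.

Added example for this article; not part of any distribution tool.
Reads lines in the syslog/auth.log format that sshd produces on Debian 12
(the same text appears in `journalctl -u ssh`). Assumptions: the
FAILURE_THRESHOLD value and the sample lines below are made up for the demo.
"""
import re
import sys
from collections import defaultdict

# Matches the two sshd messages the article greps for, plus invalid-user attempts.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)

FAILURE_THRESHOLD = 5  # assumption: tune to your environment


def parse_line(line):
    """Return (kind, user, ip, extra) for an sshd auth line, or None if it is not one."""
    m = FAILED_RE.search(line)
    if m:
        return ("failed", m.group("user"), m.group("ip"), bool(m.group("invalid")))
    m = ACCEPTED_RE.search(line)
    if m:
        return ("accepted", m.group("user"), m.group("ip"), m.group("method"))
    return None


def analyze(lines, threshold=FAILURE_THRESHOLD):
    """Summarise per-source-IP activity and flag likely brute force.

    Returns ip -> {"failed": n, "invalid_users": set, "accepted": [(user, method)],
    "brute_force": bool, "success_after_failures": bool}.  Lines are processed in
    order, so a success only counts as 'after failures' when at least `threshold`
    failures from that IP came earlier in the log.
    """
    stats = defaultdict(lambda: {"failed": 0, "invalid_users": set(),
                                 "accepted": [], "success_after_failures": False})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, user, ip, extra = parsed
        entry = stats[ip]
        if kind == "failed":
            entry["failed"] += 1
            if extra:
                entry["invalid_users"].add(user)
        else:
            entry["accepted"].append((user, extra))
            if entry["failed"] >= threshold:
                entry["success_after_failures"] = True
    for entry in stats.values():
        entry["brute_force"] = entry["failed"] >= threshold
    return dict(stats)


def report(stats):
    """Render the findings as lines an operator can read, most serious first."""
    out = []
    ordered = sorted(stats.items(),
                     key=lambda kv: (-kv[1]["success_after_failures"], -kv[1]["failed"]))
    for ip, e in ordered:
        flags = []
        if e["success_after_failures"]:
            flags.append("SUCCESS AFTER %d FAILURES - treat as compromised" % e["failed"])
        elif e["brute_force"]:
            flags.append("brute force (%d failures)" % e["failed"])
        if e["invalid_users"]:
            flags.append("username guessing: " + ", ".join(sorted(e["invalid_users"])))
        for user, method in e["accepted"]:
            flags.append("login %s via %s" % (user, method))
        out.append("%-15s %s" % (ip, "; ".join(flags) or "no findings"))
    return out


# Constructed sample in Debian 12 auth.log / journal format (not real traffic).
SAMPLE = """\
Mar  3 02:11:09 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2
Mar  3 02:11:12 web1 sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51530 ssh2
Mar  3 02:11:15 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51540 ssh2
Mar  3 02:11:18 web1 sshd[1207]: Failed password for root from 203.0.113.7 port 51548 ssh2
Mar  3 02:11:21 web1 sshd[1209]: Failed password for root from 203.0.113.7 port 51551 ssh2
Mar  3 02:11:25 web1 sshd[1211]: Accepted password for root from 203.0.113.7 port 51560 ssh2
Mar  3 08:30:02 web1 sshd[1420]: Accepted publickey for deploy from 198.51.100.20 port 40012 ssh2: ED25519 SHA256:abc
Mar  3 09:15:40 web1 sshd[1502]: Failed password for deploy from 198.51.100.20 port 40100 ssh2
Mar  3 09:15:44 web1 sshd[1504]: Accepted password for deploy from 198.51.100.20 port 40104 ssh2
Mar  3 09:20:00 web1 CRON[1600]: pam_unix(cron:session): session opened for user root
""".splitlines()

if __name__ == "__main__":
    # Use stdin when piped (e.g. `journalctl -u ssh --no-pager | python3 ssh_bruteforce.py`),
    # otherwise fall back to the constructed sample.
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for row in report(analyze(lines)):
        print(row)
```

Run it against the live log with something like `sudo journalctl -u ssh --no-pager | python3 ssh_bruteforce.py` (the file name is an assumption). The check that matters is the "success after failures" line: a source that fails repeatedly and then logs in has very likely guessed a password, and that account's session deserves the process and log review in the following sections.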
6. Inspect Running Processes and Open Ports
Unknown or suspicious processes and listening ports can be a red flag:

```bash
ps aux --sort=-%mem | head -15    # top memory-consuming processes
sudo ss -tulnp                    # listening TCP/UDP sockets with the owning process
sudo ss -tunap                    # all sockets, including established connections
```

Debian 12 does not install net-tools by default, so netstat is usually absent; ss from iproute2 is the replacement and shows the same information. Watch for services you did not deploy, binaries running from /tmp, /dev/shm or a home directory, processes whose executable has been deleted from disk (the link target of /proc/<pid>/exe ends in "(deleted)"), and outbound connections to addresses you do not recognise. A process named to look like a kernel thread, such as kworker, that nevertheless has an executable on disk is a classic disguise. Remember that ps and ss get their view from the kernel through /proc; a rootkit that hooks directory reads of /proc hides from both.
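The two conditions above that ps does not show directly, an executable that lives in a scratch directory or has been deleted, and a process hidden from the /proc listing, can be checked with a short script. The one below is an added example for this article, not part of Debian, chkrootkit or rkhunter. Its hidden-process test uses the same idea as tools such as unhide: kill(pid, 0) asks the kernel whether a PID exists without sending a signal, so a PID that answers the probe but is missing from a directory read of /proc has been hidden from readdir. Thread IDs also answer the probe, so they are filtered out through the Tgid field in /proc/<id>/status. SCRATCH_DIRS is an assumed starting list; run it as root for full coverage.

```python
#!/usr/bin/env python3
"""Two process checks that `ps` and `ss` alone do not give you.

Added example for this article (not a Debian, chkrootkit or rkhunter component).
1. Flag processes whose executable lives in a user-writable scratch location or
   has been deleted from disk while still running (typical of dropped malware).
2. Compare the PIDs that a directory read of /proc lists with the PIDs the
   kernel admits exist when probed with kill(pid, 0).  A PID that answers the
   probe but is absent from the listing has been hidden from readdir.  Thread
   ids answer the probe too, so they are filtered via Tgid in /proc/<id>/status.
Assumptions: SCRATCH_DIRS is a starting list, not a complete one; run as root.
"""
import os
import re

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/run/user/")  # assumption


def suspicious_exe(exe_path):
    """Return a reason string if an executable path looks wrong, else None."""
    if exe_path.endswith(" (deleted)"):
        return "binary deleted from disk while running"
    for prefix in SCRATCH_DIRS:
        if exe_path.startswith(prefix):
            return "runs from user-writable location %s" % prefix
    return None


def hidden_pids(listed, probed):
    """PIDs the kernel confirms but the /proc listing omits (both iterables of ints)."""
    return sorted(set(probed) - set(listed))


def listed_pids():
    """PIDs as a directory read of /proc reports them (what ps uses)."""
    return [int(name) for name in os.listdir("/proc") if name.isdigit()]


def pid_is_main_thread(pid):
    """True unless /proc/<pid>/status says this id is a thread of another process."""
    try:
        with open("/proc/%d/status" % pid) as f:
            m = re.search(r"^Tgid:\s+(\d+)", f.read(), re.M)
        return m is None or int(m.group(1)) == pid
    except OSError:
        return True  # cannot tell; keep it as a candidate rather than silently drop it


def probed_pids(pid_max=None):
    """Every PID that kill(pid, 0) confirms exists, ignoring thread ids."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    found = []
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists but belongs to another user; still counts as present
        if pid_is_main_thread(pid):
            found.append(pid)
    return found


def exe_of(pid):
    """Target of /proc/<pid>/exe, or None for kernel threads and unreadable entries."""
    try:
        return os.readlink("/proc/%d/exe" % pid)
    except OSError:
        return None


def scan():
    """Run both checks live; returns (suspicious list, hidden list)."""
    listed = listed_pids()
    suspicious = []
    for pid in listed:
        exe = exe_of(pid)
        if exe:
            reason = suspicious_exe(exe)
            if reason:
                suspicious.append((pid, exe, reason))
    candidates = hidden_pids(listed, probed_pids())
    # A process that merely started during the probe appears in a fresh listing;
    # a hidden one still does not.
    hidden = hidden_pids(listed_pids(), candidates)
    return suspicious, hidden


if __name__ == "__main__":
    suspicious, hidden = scan()
    for pid, exe, reason in suspicious:
        print("PID %d %s: %s" % (pid, exe, reason))
    for pid in hidden:
        print("PID %d answers kill(0) but is not listed in /proc: possibly hidden" % pid)
    if not suspicious and not hidden:
        print("no findings")
```

The probe walks every PID up to kernel.pid_max, which on a 64-bit Debian 12 host is a few million values, so expect it to take a few seconds. A rootkit that hooks the kill syscall as well as directory reads will defeat this comparison too; at that point the only reliable view is from outside the running system, as noted at the start of the article.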
7. Optional: File Access Auditing with auditd
If you’re serious about tracking user and system activity, the kernel audit subsystem records events that an attacker cannot quietly remove from within user space:

```bash
sudo apt install auditd
sudo systemctl enable auditd --now
```

Generate reports:

```bash
sudo aureport -au   # authentication events
sudo aureport -x    # executables that generated audit events
```

Out of the box auditd records PAM authentication events, which is what aureport -au summarises. For aureport -x to show the programs that were run, including by root, you need an execve rule in /etc/audit/rules.d/ (for example -a always,exit -F arch=b64 -S execve -k exec, plus the b32 equivalent), loaded with augenrules --load. With that rule in place you can trace what was run and when, even by root, at the cost of a noticeable event volume on a busy host. Forward the audit log off the machine for the same reason as the other logs: root can stop auditd and clear /var/log/audit/audit.log.
Automate with a Daily Scan Script
You can automate rootkit scans and integrity checks with a daily cron job. A basic example:

```bash
#!/bin/bash
# Daily rootkit and package-integrity scan; output is appended to $LOG.
set -u
# cron runs with a minimal PATH, so spell out where the tools live
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
LOG=/var/log/daily-security.log
{
    printf '\n=== %s chkrootkit ===\n' "$(date -Is)"
    chkrootkit
    printf '\n=== rkhunter ===\n'
    rkhunter --update
    rkhunter --check --sk --rwo
    printf '\n=== debsums ===\n'
    debsums -s
} >> "$LOG" 2>&1
```

Schedule it:

```bash
echo "0 3 * * * root /path/to/scan.sh" | sudo tee /etc/cron.d/daily-security
```

Files in /etc/cron.d must be owned by root and not writable by group or others, or cron ignores them, and the script itself should live in a root-owned directory such as /usr/local/sbin. The original version of the script used echo with "\n", which bash's builtin echo prints literally; printf writes the separator you intended. Since the log sits on the same host that is being checked, mail the output or ship it to your log server so a successful intruder cannot simply delete the evidence.
Final Thoughts
No tool can give a 100% guarantee that your server is breach-free. But by combining rootkit detectors, package integrity verification, process and network inspection, and log analysis, you significantly increase your chances of catching an intrusion before it escalates. If one of these checks does turn up a real compromise, do not try to clean the host in place: preserve the evidence (a disk image and, if possible, memory), rebuild from known-good media, and rotate every credential and key that was reachable from the machine.
Security is a process, not a product. Make this checklist part of your routine and consider layering in more robust solutions like fail2ban, host intrusion detection systems (e.g. OSSEC, Wazuh), and offsite log aggregation.
Stay secure, stay vigilant.