#linuxsecurity

Install Unattended Upgrades and enable the "unattended-upgrades" service.

Install ClamAV and enable "clamav-freshclam" service.

Install and run Lynis to audit your OS.

Use the "last -20" command to see the last 20 users that have been on the system.

Install UFW and enable the service.

Check your repo sources (eg; /etc/apt/).

Check the /etc/passwd and /etc/shadow lists for any unusual accounts.

User the finger command to check on activity summaries.

Check /var/logs for unusual activity.

Use "ps -aux | grep TERM" or "ps -ef | grep TERM" to check for suspicious ongoing processes.

Check for failed sudo attempts with "grep "NOT in sudoers" /var/log/auth.log.

Check journalctl for system messages.

Check to make sure rsyslog is running with "sudo systemctl status rsyslog" (or "sudo service rsyslog status") and if it's not enable with "sudo systemctl enable rsyslog".

Perform an nmap scan on your machine/network.

Use netstat to check for unusual network activity.

Use various security apps to test you machine and network.

Change your config files for various services (ssh, apache2, etc) to non-standard configurations.

Disabled guest accounts.

Double up on ssh security by requiring both keys and passwords.

Check your package manager for any install suspicious apps (keyloggers, cleaners, etc).

Use Rootkit Scanners (chkrootkit, rkhunter).

Double SSH Security (Key + Password).

Use AES 256 Encryption on home folders/personal files.

Enabled Software Limiters (Fail2Ban, AppArmor).

Verify System Integrity via fsck.

Utilize ngrep/other networking apps to monitor traffic.

Utilize common honeypot software (endlessh).

Create new system-launch subroutines via crontab or shell scripts.

Ensure System Backups are Enabled (rsnapshot).

UNC2891 physically installed a Raspberry Pi inside bank networks, then hid backdoor processes using obscure Linux tricks—letting them bypass firewalls and forensic tools with alarming ease.

Source: Group-IB