
Top 20 Linux Security Commands: System Hardening Guide

Suresh S

Imagine being a security guard in a massive building with thousands of doors, windows, and entry points. You need the right tools to check every lock, monitor every camera, and respond to every alert. In the Linux world, security commands are those essential tools that help you protect your system from threats, identify vulnerabilities, and respond to incidents.

Linux security commands are your eyes and ears on the system. They help you detect intruders, find misconfigurations, monitor suspicious activity, and harden your defenses. In 2026, with cyberattacks becoming more sophisticated, knowing these commands is crucial for every system administrator and security professional.

This comprehensive guide covers the top 20 Linux security commands you must know, complete with practical examples and real-world scenarios.

1. last - View Login History

The last command shows a list of all recent logins and system reboots, helping you identify unauthorized access.

# View all login attempts
last

# Show the hostname in the last column (keeps long hostnames readable)
last -a

# Show failed login attempts
lastb

# Limit output to specific number
last -10

# Display login history for specific user
last john

# Show full timestamps
last -F

# Show IP addresses instead of hostnames (output is already newest first)
last -i

# View logins from specific terminal
last pts/0

# Monitor logins in real-time
watch -n 5 last

Security Use Case:

# Check for suspicious login times
last | grep "still logged in"

# Find unusual login patterns
last -a | awk '{print $1, $3, $4, $5, $6, $7}' | sort | uniq -c

# Identify failed login attempts
lastb -20

# Check for root logins
last | grep root

2. w - Who is Currently Logged In

Shows who is currently logged in and what they’re doing.

# Show current logged-in users
w

# Show without header
w -h

# Short format (omits login time, JCPU and PCPU columns)
w -s

# Show IP addresses
w -i

# Show specific user
w john

Security Use Case:

# Check for suspicious processes
w | grep -v "bash\|sshd"

# Monitor active sessions
watch -n 2 w

# Check for users logged in from unusual locations
w -i | grep -v "192.168\|10.0"

3. who - Show Who is Logged In

Similar to w but provides more focused information.

# Show logged-in users
who

# Show boot time
who -b

# Show dead processes
who -d

# Show run level
who -r

# Show login names only
who -q

# Show idle time and PID for each session
who -u

# Show IP addresses instead of hostnames
who --ips

4. ps - Process Status

The ps command is essential for identifying suspicious processes running on your system.

# Show all processes
ps aux

# Show process tree
ps auxf

# Show specific user's processes
ps -u john

# Show processes with full command line
ps auxww

# Show process in tree format
ps aux --forest

# Show processes by CPU usage
ps aux --sort=-%cpu

# Show processes by memory usage
ps aux --sort=-%mem

# Show processes with specific name
ps aux | grep sshd

# Show parent-child relationships
ps -ejH

# Show threads
ps -eLf

Security Use Case:

# Find processes running as root
ps -U root -u root

# Find processes with network connections
ps aux | grep -E "ssh|http|mysql|nginx"

# Check for hidden processes: PIDs present in /proc but missing from ps output
# (short-lived processes cause harmless noise; repeat the check before acting on it)
diff <(ps -e -o pid= | sort -n) <(ls /proc | grep -E '^[0-9]+$' | sort -n)

# Identify CPU-intensive processes (potential malware)
ps aux --sort=-%cpu | head -10

# Find processes without controlling terminal
ps aux | grep " ? "

5. netstat - Network Statistics

Shows network connections, routing tables, and interface statistics.

# Show all listening ports
netstat -tulpn

# Show all connections
netstat -an

# Show routing table
netstat -rn

# Show interface statistics
netstat -i

# Show program using port
netstat -tulpn | grep :80

# Show all TCP connections
netstat -atn

# Show all UDP connections
netstat -aun

# Show listening ports with process info
netstat -tulpn | grep LISTEN

# Show connections with IP addresses only (no DNS)
netstat -ant

Security Use Case:

# Check for unauthorized listening ports
netstat -tulpn | grep -v "127.0.0.1\|::1"

# List connections involving private (RFC 1918) ranges; add -v to see only external peers
netstat -an | grep -E "(10\.|192\.168\.|172\.16\.)"

# Identify process using suspicious port
netstat -tulpn | grep :1337

# Monitor new connections (quote the pipeline so watch runs the grep, not the shell)
watch -n 1 'netstat -ant | grep ESTABLISHED'

6. ss - Socket Statistics (Modern netstat)

The modern replacement for netstat, faster and more detailed.

# Show all listening ports
ss -tuln

# Show all connections
ss -tan

# Show process information
ss -tupn

# Show Unix sockets
ss -xln

# Show IPv4 listening ports
ss -4l

# Show IPv6 listening ports
ss -6l

# Show TCP connections with timers
ss -to

# Show raw sockets
ss -wan

# Filter by state
ss -t state established
ss -t state listening

Security Use Case:

# Check for unauthorized services
ss -tuln | grep LISTEN

# Identify processes using suspicious ports
ss -tupn | grep ":4444"

# Monitor connection states
ss -t state established,time-wait,close-wait

# Show connections from external IPs
ss -tan | grep -v "127.0.0.1\|::1"
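The listener checks above are easier to keep honest when the expected ports live in an allowlist rather than in the operator's head. The following script is an added example, not part of the original post: it parses the "ss -tuln" output format, drops sockets bound only to loopback, and reports any remaining listener that is not on an allowlist. The ss output and the allowlist are constructed samples; on a real host pass it "$(ss -tuln)" and your own allowlist. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): audit "ss -tuln" output against an
# allowlist of expected listening ports. SAMPLE_SS is constructed to look like real
# ss output; on a live host replace it with: "$(ss -tuln)"

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68           0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:3306       0.0.0.0:*
tcp   LISTEN 0      4096   *:4444               *:*
tcp   LISTEN 0      128    [::]:22              [::]:*
tcp   LISTEN 0      511    [::1]:6379           [::]:*'

# Constructed allowlist: externally reachable listeners we expect, as "proto/port" tokens.
ALLOWED="tcp/22 udp/68"

# Print one "proto/port" per line for sockets bound to a non-loopback address.
# Loopback-only services (127.x.x.x, ::1) are skipped: they are not reachable from the network.
external_listeners() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        n = split($5, a, ":"); port = a[n]                     # port is the last colon-separated field
        addr = substr($5, 1, length($5) - length(port) - 1)   # everything before the final colon
        if (addr ~ /^127\./ || addr == "[::1]") next           # loopback only: skip
        print $1 "/" port
    }' | sort -u
}

# Print external listeners that are not on the allowlist; returns 1 if any were found.
unexpected_listeners() {
    found=0
    for entry in $(external_listeners "$1"); do
        case " $2 " in
            *" $entry "*) ;;                               # expected
            *) printf '%s\n' "$entry"; found=1 ;;           # not in the allowlist
        esac
    done
    return $found
}

unexpected_listeners "$SAMPLE_SS" "$ALLOWED" || echo "unexpected listeners found, review the entries above"
```

On the sample input the only finding is tcp/4444, the wildcard-bound port that the page's own use case greps for by hand. Keeping the allowlist in version control turns this into a repeatable check that can run from the cron schedule in the Best Practices section.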

7. lsof - List Open Files

Lists all open files and the processes using them.

# List all open files
lsof

# List files opened by specific user
lsof -u john

# List files opened by specific process
lsof -p 1234

# List processes using a specific file
lsof /etc/passwd

# List network connections
lsof -i

# List port 22 connections
lsof -i :22

# List all processes on TCP
lsof -i tcp

# List with IP addresses
lsof -i -n

# List files in a directory
lsof +D /var/log

Security Use Case:

# Check for deleted files still in use
lsof | grep deleted

# Find processes listening on all interfaces (a wildcard bind shows as *:port)
lsof -nP -iTCP -sTCP:LISTEN | grep '\*:'

# Identify processes using the network (all sockets, numeric addresses and ports)
lsof -nP -i

# Check for suspicious file access
lsof -u root | grep -v "/usr\|/lib\|/etc"

# Find processes accessing /tmp
lsof -u root | grep /tmp

8. find - File Search with Security

Powerful file search tool essential for security audits.

# Find SUID files
find / -perm /4000 -type f 2>/dev/null

# Find SGID files
find / -perm /2000 -type f 2>/dev/null

# Find world-writable files
find / -perm -0002 -type f 2>/dev/null

# Find files with no owner
find / -nouser -o -nogroup 2>/dev/null

# Find files modified in last 24 hours
find / -mtime -1 2>/dev/null

# Find files larger than 100MB
find / -size +100M 2>/dev/null

# Find .conf files modified recently
find /etc -name "*.conf" -mtime -7

# Find files with specific permissions
find / -perm 777 -type f 2>/dev/null

# Execute command on found files
find /tmp -name "*.log" -exec rm {} \;

# Find files by type
find / -type f -name "*.key"

Security Use Case:

# Find all SUID files for audit
find / -perm /4000 -type f -ls 2>/dev/null | tee suid-audit.txt

# Find world-writable files outside /tmp and /dev
find / -perm -0002 -type f 2>/dev/null | grep -v "/tmp\|/dev"

# Find files modified in the last 5 minutes
find / -mmin -5 2>/dev/null

# Find suspicious file names
find / -name "*rootkit*" 2>/dev/null
find / -name "*backdoor*" 2>/dev/null
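Here is an added example (not from the original post) that turns the find checks in this section into reusable functions and runs them on a constructed directory tree, so the expected hits are known in advance. It also shows a precedence pitfall worth remembering: combining "-perm /4000 -o -perm /2000" with "-type f" needs parentheses, otherwise "-type f" only applies to the SGID branch. The sample tree, the baseline file and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original post): a small permission audit built on
# find, exercised on a constructed directory tree so it runs anywhere.

# Build a throwaway tree containing the permission problems the audit should catch.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/usr/bin" "$dir/tmp" "$dir/opt/app"
    printf 'x\n' > "$dir/usr/bin/passwd"; chmod 4755 "$dir/usr/bin/passwd"   # expected SUID binary
    printf 'x\n' > "$dir/opt/app/helper"; chmod 4755 "$dir/opt/app/helper"   # unexpected SUID binary
    printf 'x\n' > "$dir/opt/app/tool";   chmod 2755 "$dir/opt/app/tool"     # SGID file
    printf 'x\n' > "$dir/opt/app/config"; chmod 0666 "$dir/opt/app/config"   # world-writable outside /tmp
    printf 'x\n' > "$dir/tmp/scratch";    chmod 0666 "$dir/tmp/scratch"      # world-writable, but in /tmp
    printf 'x\n' > "$dir/usr/bin/ls";     chmod 0755 "$dir/usr/bin/ls"       # clean
    printf '%s\n' "$dir"
}

# SUID or SGID regular files under $1. The parentheses matter: without them
# "-perm /4000 -o -perm /2000 -type f" parses as "-perm /4000 -o (-perm /2000 -type f)".
setuid_setgid_files() {
    find "$1" \( -perm /4000 -o -perm /2000 \) -type f 2>/dev/null | sort
}

# World-writable regular files under $1, ignoring the tree's /tmp (scratch space is expected there).
world_writable_files() {
    find "$1" -path "$1/tmp" -prune -o -perm -0002 -type f -print 2>/dev/null | sort
}

# SUID/SGID files that are not listed in the baseline file $2 (one absolute path per line).
new_privileged_files() {
    setuid_setgid_files "$1" | grep -vxF -f "$2" || true
}

root=$(make_sample_tree)
baseline=$(mktemp)
printf '%s\n' "$root/usr/bin/passwd" > "$baseline"    # constructed baseline: the one SUID file we expect
echo "SUID/SGID files:";      setuid_setgid_files "$root"
echo "world-writable files:"; world_writable_files "$root"
echo "not in baseline:";      new_privileged_files "$root" "$baseline"
```

Run against "/" with a baseline captured on a freshly installed host (the page's "tee suid-audit.txt" output is exactly that), new_privileged_files prints only what changed since, which is the list worth reading after every package upgrade.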

9. chkrootkit - Rootkit Detection

Checks for rootkits and other malicious software.

# Install chkrootkit
sudo apt install chkrootkit

# Run basic scan
sudo chkrootkit

# List the available tests
sudo chkrootkit -l

# Run only specific tests (by name)
sudo chkrootkit sniffer ps lkm

# Quiet mode: report only infected or suspicious items
sudo chkrootkit -q

# Skip NFS-mounted directories
sudo chkrootkit -n

# Save output to file
sudo chkrootkit > chkrootkit-$(date +%Y%m%d).log

Security Use Case:

# Quick scan
sudo chkrootkit | grep INFECTED

# Full scan with logging
sudo chkrootkit -q | tee /var/log/chkrootkit.log

# Monitor changes over time
sudo chkrootkit | diff - chkrootkit-previous.log

10. rkhunter - Rootkit Hunter

Another powerful rootkit detection tool.

# Install rkhunter
sudo apt install rkhunter

# Run basic scan
sudo rkhunter --check

# Run the check without pausing for a keypress between sections
sudo rkhunter --check --sk

# Update the rkhunter data files
sudo rkhunter --update

# Report warnings only
sudo rkhunter --check --rwo

# Refresh the file-properties baseline after a legitimate package upgrade
sudo rkhunter --propupd

# Check with verbose output
sudo rkhunter --check --vl

Security Use Case:

# Daily scan
sudo rkhunter --check --cronjob

# Run only selected test groups
sudo rkhunter --check --enable filesystem,rootkits

# Write results to a dated log file
sudo rkhunter --check --sk --logfile /var/log/rkhunter-$(date +%Y%m%d).log

11. fail2ban-client - Fail2ban Management (see the Fail2ban guide: /blog/cybersecurity/fail2ban-guide-2026)

Monitor and manage Fail2ban for intrusion prevention.

# Check status
sudo fail2ban-client status

# Check specific jail
sudo fail2ban-client status sshd

# Ban an IP
sudo fail2ban-client set sshd banip 192.168.1.100

# Unban an IP
sudo fail2ban-client set sshd unbanip 192.168.1.100

# Reload configuration
sudo fail2ban-client reload

# Show banned IPs
sudo fail2ban-client status sshd | grep "Banned IP list"

# Stop Fail2ban
sudo fail2ban-client stop

# Start Fail2ban
sudo fail2ban-client start

12. auditd - Linux Auditing System

Kernel-level auditing for security monitoring.

# Install auditd
sudo apt install auditd audispd-plugins

# Check auditd status
sudo auditctl -s

# Add audit rule for file access
sudo auditctl -w /etc/passwd -p rwxa -k passwd_changes

# Add rule for command execution
sudo auditctl -a always,exit -F path=/bin/bash -F perm=x -k shell_exec

# Add rule for network-related syscalls (specify the ABI; add a matching -F arch=b32 rule on mixed systems)
sudo auditctl -a always,exit -F arch=b64 -S socket -S connect -S accept -k network

# List all rules
sudo auditctl -l

# Remove rules
sudo auditctl -D

# Search audit logs
sudo ausearch -k passwd_changes -ts recent

# View audit logs
sudo aureport --summary

# Monitor account changes (user creation, deletion and modification events)
sudo ausearch -m ADD_USER,DEL_USER,USER_MGMT -ts today

Security Use Case:

# Monitor sudo usage
sudo auditctl -w /usr/bin/sudo -p x -k sudo_usage

# Watch sensitive directories
sudo auditctl -w /root/.ssh -p rwxa -k root_ssh
sudo auditctl -w /etc/shadow -p rwxa -k shadow_changes

# Monitor login events: watch the login accounting files and review PAM login records
sudo auditctl -w /var/log/wtmp -p wa -k logins
sudo auditctl -w /var/log/btmp -p wa -k logins
sudo ausearch -m USER_LOGIN -ts today

# Generate a file-access summary
sudo aureport -f -i --summary

13. tripwire - File Integrity Monitoring

Detect unauthorized file changes.

# Install tripwire
sudo apt install tripwire

# Initialize database
sudo tripwire --init

# Check integrity
sudo tripwire --check

# Update policy (takes the plain-text policy file as argument)
sudo tripwire --update-policy /etc/tripwire/twpol.txt

# Check with report
sudo tripwire --check --interactive

# Write the report to a specific file
sudo tripwire --check --twrfile /var/lib/tripwire/report/manual.twr

# View the most recent report
sudo twprint -m r --twrfile "$(ls -t /var/lib/tripwire/report/*.twr | head -1)"

# Email report
sudo tripwire --check --email-report

14. systemctl - Service Management

Manage and monitor system services.

# List all services
systemctl list-units --type=service

# Check service status
systemctl status sshd

# Start/Stop service
sudo systemctl start sshd
sudo systemctl stop sshd

# Enable/Disable service
sudo systemctl enable sshd
sudo systemctl disable sshd

# List failed services
systemctl --failed

# Show service dependencies
systemctl list-dependencies sshd

# Check security of service
systemd-analyze security sshd

Security Use Case:

# List services that are loaded but not running
systemctl list-units --type=service --state=inactive

# Check for services listening on network
systemctl list-sockets

# Audit service security
systemd-analyze security --no-pager

# Review services enabled at boot (anything unexpected here deserves a look)
systemctl list-unit-files --type=service --state=enabled

15. grep - Pattern Search (Security Logs)

Essential for analyzing log files and finding security events.

# Search for failed SSH attempts
grep "Failed password" /var/log/auth.log

# Search for successful logins
grep "Accepted password" /var/log/auth.log

# Search for root actions
grep "sudo" /var/log/auth.log | grep "COMMAND"

# Count failed attempts by source IP (anchoring on "from <ip>" also handles "invalid user" lines, where the field positions shift)
grep "Failed password" /var/log/auth.log | grep -oE "from ([0-9]{1,3}\.){3}[0-9]{1,3}" | awk '{print $2}' | sort | uniq -c

# Search with context
grep -C 5 "error" /var/log/syslog

# Search recursively
grep -r "ssh" /var/log/

# Combine with other commands
tail -f /var/log/auth.log | grep --line-buffered "Failed"

Security Use Case:

# Find brute-force attempts (most active source IPs first)
grep "Failed password" /var/log/auth.log | grep -oE "from ([0-9]{1,3}\.){3}[0-9]{1,3}" | awk '{print $2}' | sort | uniq -c | sort -nr

# Check for suspicious user creation
grep "useradd" /var/log/auth.log

# Monitor sudo abuse
grep "sudo:" /var/log/auth.log | grep "COMMAND"

# Check for failed su attempts
grep "su:" /var/log/auth.log | grep "FAILED"

16. openssl - SSL/TLS Management

Manage certificates and encryption.

# Generate SSL certificate
openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout key.pem

# Check certificate details
openssl x509 -in cert.pem -text -noout

# Verify certificate
openssl verify -CAfile ca.crt cert.crt

# Test SSL connection
openssl s_client -connect google.com:443

# Generate private key
openssl genrsa -aes256 -out key.pem 2048

# Create CSR
openssl req -new -key key.pem -out request.csr

# Check certificate expiration
openssl x509 -in cert.pem -enddate -noout

# Encrypt/Decrypt files (-pbkdf2 uses a proper password-based key derivation instead of the legacy one)
openssl enc -aes-256-cbc -pbkdf2 -in file.txt -out file.enc
openssl enc -d -aes-256-cbc -pbkdf2 -in file.enc -out file.txt

Security Use Case:

# Check SSL certificate of any domain
openssl s_client -connect example.com:443 -showcerts

# Check certificate expiry
openssl x509 -in cert.pem -noout -dates

# Generate strong password
openssl rand -base64 32

# Verify file integrity
openssl dgst -sha256 file.txt
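The -enddate and -dates commands print when a certificate expires but leave the date arithmetic to you. This added example (not the post's own code) uses "openssl x509 -checkend", which answers "does this certificate expire within N seconds?" through its exit status, to classify every PEM certificate in a directory as OK, EXPIRING or EXPIRED. The certificates are generated on the fly as throwaway self-signed test input; the function names and the 30-day warning window are my own choices.

```shell
#!/bin/sh
# Added example (not part of the original post): certificate expiry triage with
# "openssl x509 -checkend", which avoids parsing the notAfter date by hand.

# Create a throwaway self-signed certificate at path $1, valid for $2 days (constructed test input).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=example.test" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Print OK, EXPIRING or EXPIRED for certificate $1, warning $2 days ahead of expiry.
# -checkend N exits non-zero when the certificate expires within the next N seconds.
cert_status() {
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
}

# One tab-separated line (status, notAfter, path) per PEM certificate in directory $1.
audit_cert_dir() {
    for cert in "$1"/*.pem; do
        [ -f "$cert" ] || continue
        printf '%s\t%s\t%s\n' "$(cert_status "$cert" "$2")" \
            "$(openssl x509 -in "$cert" -noout -enddate | sed 's/^notAfter=//')" "$cert"
    done
}

dir=$(mktemp -d)
make_test_cert "$dir/short.pem" 10     # expires in 10 days: inside the 30-day window
make_test_cert "$dir/long.pem" 365     # expires in a year: fine
audit_cert_dir "$dir" 30
```

Pointed at /etc/ssl/private or wherever your services keep their certificates, a line containing EXPIRING is the renewal reminder, and the status word makes the output trivial to grep from the cron schedule in the Best Practices section.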

17. md5sum / sha256sum - File Integrity

Verify file integrity with checksums.

# Generate MD5 checksum
md5sum file.txt

# Generate SHA256 checksum
sha256sum file.txt

# Verify checksum
md5sum -c checksums.txt

# Generate checksums for directory
find /path -type f -exec sha256sum {} \; > checksums.txt

# Compare files
md5sum file1.txt file2.txt

# Verify downloaded file
sha256sum -c download.checksum

Security Use Case:

# Create baseline of system files
find /bin /sbin /usr/bin /usr/sbin -type f -exec sha256sum {} \; > system-baseline.txt

# Verify system integrity
sha256sum -c system-baseline.txt 2>&1 | grep FAILED

# Check downloaded ISO
sha256sum ubuntu.iso
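"sha256sum -c" reports which baseline entries no longer match, but it cannot report a file that was added after the baseline was taken, and a dropped binary is exactly what an intruder adds. This added example (not from the original post) wraps the baseline workflow into functions and exercises them on a constructed directory, reporting changed, missing and new files separately. The paths, sample contents and function names are my own.

```shell
#!/bin/sh
# Added example (not the post's own code): a sha256sum baseline workflow on a
# constructed directory, showing changed, missing and newly added files.

# Build a throwaway directory standing in for /bin, /sbin, ... (constructed test input).
make_sample_dir() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin"
    printf 'original ls\n' > "$dir/bin/ls"
    printf 'original ps\n' > "$dir/bin/ps"
    printf 'original ss\n' > "$dir/bin/ss"
    printf '%s\n' "$dir"
}

# Record a baseline of tree $1 into file $2: one "hash  ./path" line per regular file.
# $2 must live outside the tree, or the baseline would hash itself.
create_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} \; | sort -k2 ) > "$2"
}

# Baseline entries that no longer verify: modified files and files that were deleted
# (sha256sum prints "FAILED" for the first and "FAILED open or read" for the second).
changed_files() {
    ( cd "$1" && sha256sum -c "$2" 2>/dev/null ) | sed -n 's/: FAILED.*$//p' | sort
}

# Regular files present in tree $1 but absent from baseline $2: "sha256sum -c" never reports these.
new_files() {
    ( cd "$1" && find . -type f ) | awk -v base="$2" '
        BEGIN { while ((getline line < base) > 0) { sub(/^[^ ]+  /, "", line); seen[line] = 1 } }
        !($0 in seen)' | sort
}

root=$(make_sample_dir)
base=$(mktemp)
create_baseline "$root" "$base"
printf 'trojaned ps\n' > "$root/bin/ps"   # simulate a replaced binary
printf 'dropped\n'     > "$root/bin/nc"   # simulate a planted file
rm "$root/bin/ss"                          # simulate a deleted file
echo "changed or missing:"; changed_files "$root" "$base"
echo "new:";                new_files "$root" "$base"
```

The same three functions work unchanged on the page's real targets (/bin /sbin /usr/bin /usr/sbin) once the baseline is stored somewhere the host cannot rewrite it, such as read-only media or another machine: a baseline an attacker can edit verifies nothing.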

18. nmap - Network Scanner

Network discovery and security auditing.

# Install nmap
sudo apt install nmap

# Ping scan (host discovery only; -sP is the deprecated spelling of -sn)
nmap -sn 192.168.1.0/24

# Port scan
nmap -p 1-1000 192.168.1.100

# Service version detection
nmap -sV 192.168.1.100

# OS detection
nmap -O 192.168.1.100

# Scan specific ports
nmap -p 22,80,443 192.168.1.100

# Aggressive scan
nmap -A 192.168.1.100

# Scan multiple hosts
nmap 192.168.1.1-254

# Save output
nmap -oN scan.txt 192.168.1.100

Security Use Case:

# Quick vulnerability scan
nmap -sV --script=vuln 192.168.1.100

# Check for open ports
nmap -sT -p- 192.168.1.100

# Identify services
nmap -sV -sC 192.168.1.100

# Check SSH version
nmap -p 22 -sV --script=ssh2-enum-algos 192.168.1.100

19. iptables / ufw - Firewall Management

Manage firewall rules to control network access.

# UFW commands
sudo ufw enable
sudo ufw status verbose
sudo ufw allow 22/tcp
sudo ufw deny 23/tcp
sudo ufw allow from 192.168.1.100
sudo ufw limit ssh
sudo ufw delete allow 22

# IPTables commands (allow replies to existing connections and loopback before the final DROP,
# otherwise the default-deny rule cuts off return traffic for every session)
sudo iptables -L -n
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -j DROP
sudo iptables -I INPUT 1 -s 192.168.1.100 -j ACCEPT
sudo iptables -D INPUT -s 192.168.1.100 -j DROP

# Save rules
sudo iptables-save > /etc/iptables/rules.v4
sudo iptables-restore < /etc/iptables/rules.v4

Security Use Case:

# Block a suspicious IP
sudo ufw deny from 203.0.113.5
sudo iptables -A INPUT -s 203.0.113.5 -j DROP

# Rate limit SSH
sudo ufw limit 22/tcp

# Allow only specific IP for SSH
sudo ufw allow from 192.168.1.100 to any port 22

# List all rules
sudo ufw status numbered
sudo iptables -L -n -v --line-numbers

20. journalctl - System Log Management

View and analyze system logs.

# View all logs
journalctl

# View logs since boot
journalctl -b

# View kernel messages
journalctl -k

# View logs for specific service
journalctl -u sshd

# View logs from last hour
journalctl --since "1 hour ago"

# Follow logs in real-time
journalctl -f

# Show logs with priority
journalctl -p err

# Display output with no pagination
journalctl --no-pager

# Show logs in JSON format
journalctl -o json

# Show logs for specific user
journalctl _UID=1000

Security Use Case:

# Check failed SSH attempts
journalctl -u sshd | grep "Failed"

# Find authentication failures (-p takes a priority, not a facility; 4 = auth, 10 = authpriv)
journalctl SYSLOG_FACILITY=4 SYSLOG_FACILITY=10 | grep -i fail

# Monitor sudo usage (sudo is not a unit, so match on the process name)
journalctl _COMM=sudo | grep COMMAND

# Check for kernel errors
journalctl -k -p err

# Monitor security events in real-time
journalctl -f _SYSTEMD_UNIT=sshd.service _SYSTEMD_UNIT=auditd.service

# Find the most frequent IPs in logs (extract the address itself rather than a fixed column)
journalctl | grep -oE "([0-9]{1,3}\.){3}[0-9]{1,3}" | sort | uniq -c | sort -nr | head -20
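Both the grep section above and the journalctl pipelines pull the source address out of sshd messages, and any version that relies on a fixed column breaks as soon as sshd logs an "invalid user" line (the word count shifts by two). The following added example (not part of the original post) anchors on the "from <ip>" token instead, counts failures per source, lists the sources over a threshold, and flags addresses that failed and later succeeded. The log lines are constructed samples in auth.log format (journalctl -u sshd shows the same message text after its own prefix); the function names and the threshold are my own.

```shell
#!/bin/sh
# Added example (not from the original post): brute-force triage over sshd log lines.
# SAMPLE_AUTH_LOG is constructed to mimic /var/log/auth.log, including the "invalid user"
# form that shifts the field positions a fixed "cut -f9" or "awk $11" relies on.
# On a real host use: failed_by_ip "$(cat /var/log/auth.log)"  or  "$(journalctl -u sshd)"

SAMPLE_AUTH_LOG='Mar  3 10:01:12 host sshd[2231]: Failed password for root from 203.0.113.5 port 51422 ssh2
Mar  3 10:01:15 host sshd[2233]: Failed password for invalid user admin from 203.0.113.5 port 51430 ssh2
Mar  3 10:01:19 host sshd[2235]: Failed password for invalid user oracle from 203.0.113.5 port 51441 ssh2
Mar  3 10:02:40 host sshd[2240]: Accepted publickey for deploy from 192.0.2.10 port 40122 ssh2
Mar  3 10:05:02 host sshd[2250]: Failed password for alice from 198.51.100.7 port 60011 ssh2
Mar  3 10:06:30 host sshd[2255]: Accepted password for alice from 198.51.100.7 port 60020 ssh2'

# Failed password attempts per source IP, most active first ("<count> <ip>" per line).
# Anchoring on "from <ip>" works for both the plain and the "invalid user" message forms.
failed_by_ip() {
    printf '%s\n' "$1" \
      | grep 'Failed password' \
      | grep -oE 'from ([0-9]{1,3}\.){3}[0-9]{1,3}' \
      | awk '{print $2}' | sort | uniq -c | sort -rn
}

# Source IPs with at least $2 failures: candidates for a fail2ban ban or a firewall deny rule.
brute_force_sources() {
    failed_by_ip "$1" | awk -v min="$2" '$1 >= min {print $2}'
}

# Addresses that failed and later succeeded. A success following a burst of failures
# deserves a closer look even when the account turns out to be legitimate.
failed_then_accepted() {
    printf '%s\n' "$1" | awk '
        /Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i+1)] = 1 }
        /Accepted /       { for (i = 1; i <= NF; i++) if ($i == "from" && $(i+1) in failed) print $(i+1) }
    ' | sort -u
}

echo "failures per IP:";        failed_by_ip "$SAMPLE_AUTH_LOG"
echo "sources with >= 3:";      brute_force_sources "$SAMPLE_AUTH_LOG" 3
echo "failed then accepted:";   failed_then_accepted "$SAMPLE_AUTH_LOG"
```

On the sample data 203.0.113.5 crosses the threshold of three failures and 198.51.100.7 is reported as failed-then-accepted. The third function is the one the plain counting pipelines on this page cannot express, and it is the finding most worth a follow-up: check whether alice really logged in from that address.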

Bonus: Security Assessment Script

Combine these commands into a comprehensive security assessment script:

#!/bin/bash
# security-audit.sh
# Comprehensive security assessment script

echo "=== Security Audit Report - $(date) ==="
echo

echo "=== 1. System Information ==="
uname -a
cat /etc/os-release

echo -e "\n=== 2. Current Users ==="
w
echo

echo "=== 3. Last Logins ==="
last -20
echo

echo "=== 4. Failed Logins ==="
lastb -20
echo

echo "=== 5. Open Ports ==="
ss -tuln
echo

echo "=== 6. Listening Services ==="
lsof -i -P -n | grep LISTEN
echo

echo "=== 7. Running Processes ==="
ps aux --sort=-%cpu | head -20
echo

echo "=== 8. SUID/SGID Files ==="
# Parentheses are required: without them -type f only applies to the SGID branch
find / \( -perm /4000 -o -perm /2000 \) -type f 2>/dev/null | head -20
echo

echo "=== 9. World-Writable Files ==="
find / -perm -0002 -type f 2>/dev/null | head -20
echo

echo "=== 10. Files with No Owner ==="
find / -nouser -o -nogroup 2>/dev/null | head -20
echo

echo "=== 11. Recent File Changes ==="
find / -mtime -1 2>/dev/null | head -20
echo

echo "=== 12. SSH Configuration ==="
grep -v "^#" /etc/ssh/sshd_config | grep -v "^$"
echo

echo "=== 13. Firewall Status ==="
sudo ufw status 2>/dev/null || sudo iptables -L -n
echo

echo "=== 14. Failed SSH Attempts (today) ==="
# Assumes the traditional "Mon dd" syslog timestamp at the start of each auth.log line
grep "Failed password" /var/log/auth.log | grep "^$(date +'%b %e')" | grep -oE "from ([0-9]{1,3}\.){3}[0-9]{1,3}" | awk '{print $2}' | sort | uniq -c | sort -nr
echo

echo "=== 15. Sudo Usage ==="
grep "sudo:" /var/log/auth.log | tail -20
echo

echo "=== 16. Disk Usage ==="
df -h
echo

echo "=== 17. Memory Usage ==="
free -h
echo

echo "=== 18. System Load ==="
uptime
echo

echo "=== 19. Active Network Connections ==="
ss -tanp | grep ESTABLISHED
echo

echo "=== 20. Audit Summary ==="
echo "Security audit completed. Review any suspicious entries above."

Command Reference Table

Command           | Primary Use          | Security Application
------------------|----------------------|--------------------------------
last              | Login history        | Identify unauthorized access
w/who             | Current users        | Monitor active sessions
ps                | Process listing      | Detect suspicious processes
netstat/ss        | Network connections  | Find open ports and connections
lsof              | Open files           | Identify file usage
find              | File search          | Find security vulnerabilities
chkrootkit        | Rootkit detection    | Scan for malware
rkhunter          | Rootkit detection    | System integrity checking
fail2ban-client   | Intrusion prevention | Manage blocks
auditd            | System auditing      | Monitor system events
tripwire          | Integrity checking   | Detect file changes
systemctl         | Service management   | Manage services
grep              | Pattern search       | Analyze logs
openssl           | SSL/TLS              | Certificate management
md5sum/sha256sum  | File integrity       | Verify file integrity
nmap              | Network scanning     | Network security auditing
iptables/ufw      | Firewall             | Network access control
journalctl        | Log viewing          | System log analysis

Best Practices

1. Regular Command Usage Schedule

# Daily checks (create the output directory first: sudo mkdir -p /var/log/security)
crontab -e
# Add:
0 8 * * * /usr/bin/last -10 > /var/log/security/daily-logins.txt
0 9 * * * /usr/bin/w > /var/log/security/daily-users.txt
0 10 * * * /usr/bin/ss -tuln > /var/log/security/daily-ports.txt

# Weekly scans
0 2 * * 0 /usr/bin/rkhunter --check --cronjob
0 3 * * 0 /usr/bin/chkrootkit -q
0 4 * * 0 /path/to/security-audit.sh

2. Command Output Analysis Tips

# Always redirect and diff outputs
today=$(date +%Y%m%d)
command > /tmp/scan-$today.txt
diff /tmp/scan-yesterday.txt /tmp/scan-$today.txt

# Use grep with context
grep -B 5 -A 5 "error" /var/log/syslog

# Combine commands with pipes
ps aux | grep -v root | grep -v user | wc -l

Conclusion

Mastering these 20 Linux security commands is essential for protecting your systems in 2026. Each command serves a specific purpose in your security toolkit:

  • Detection: Commands like ps, netstat, and lsof help identify suspicious activity
  • Prevention: iptables, ufw, and fail2ban-client block threats
  • Auditing: auditd, tripwire, and last track system changes
  • Investigation: grep, journalctl, and find help analyze security incidents

Key Takeaways:

  • Regularly use these commands for system monitoring
  • Automate security checks where possible
  • Keep command outputs for trend analysis
  • Combine multiple commands for comprehensive insights
  • Stay updated on new security tools and techniques

Remember: Security is a process, not a destination. Regular use of these commands, combined with proper configuration and monitoring, will help you maintain a secure Linux environment.


Continue your security learning: Explore our Complete Linux Security Guide for more advanced topics.

Frequently Asked Questions (FAQs)

Q: How often should I run these security commands? A: Critical commands like last, w, and ss should be run daily. Rootkit checks weekly, and comprehensive audits monthly.

Q: Can these commands detect all types of malware? A: No single tool detects everything. Use multiple tools (rkhunter, chkrootkit, tripwire) and combine with log analysis.

Q: What should I do if I find suspicious activity? A: Immediately isolate the system, preserve logs and outputs, investigate the source, and implement remediation measures.

Q: How do I keep these commands updated? A: Regularly update your system: sudo apt update && sudo apt upgrade. Security tools update through standard package repositories.

Q: Are there GUI alternatives to these commands? A: Tools like Webmin, Cockpit, and various monitoring dashboards provide GUI interfaces but the CLI commands offer more control and detail.

Q: Should I run all commands as root? A: Most security commands require root privileges to see complete information. Use sudo for commands that need elevated access.

Written by Suresh S

Founder of FreeTechLearner, a technology blog dedicated to Linux, Open Source, Cybersecurity, Cloud Computing, Self-Hosting, and AI. I create practical tutorials and learning resources that help students, beginners, and tech enthusiasts build real-world skills and stay updated with modern technology.
