Useful Programs
Introduction
This page provides a list of programs useful for configuring and maintaining the security of Linux systems. Most of the listed programs are open-source; a smaller number are commercial but offer a free edition whose limited feature set is still sufficient for core security tasks.
The tools listed below are selected for their practicality, reliability, and efficiency. They can be installed and configured with minimal effort — suitable even for users who are not deeply involved in Linux or cybersecurity.
Automated Audit Systems
Lynis — an open-source security auditing tool for Unix-based systems that helps identify configuration weaknesses, compliance issues, and system hardening opportunities.
- CLI-based, no GUI dependencies
- License: GPL (Free Software)
- Availability: Included in Debian repositories — install via apt install lynis.
More info: Wikipedia
Nessus — a widely used vulnerability scanner developed by Tenable, Inc.; proprietary software, with a free (limited) version available, and paid commercial editions.
- License: Proprietary (Community Edition partially free)
- Availability: Requires manual installation from the vendor site.
More info: Wikipedia
Traffic Capture & Analysis Tools
Tcpdump — command-line packet analyzer distributed as free software under the BSD license; captures network traffic on Unix-like systems.
- CLI-based, no GUI dependencies
- License: BSD (Free Software)
- Availability: Included in Debian repositories — install via apt install tcpdump.
More info: Wikipedia
Wireshark — a free, open-source graphical packet analyzer (GPL-licensed) for troubleshooting, protocol development, and network inspection.
- License: GPL (Free Software)
- Availability: Included in Debian repositories — install via apt install wireshark.
More info: Wikipedia
Zeek — an open-source network security monitoring framework (formerly known as Bro) under the BSD license; useful for live traffic inspection, log generation, and advanced analysis.
- CLI-based, no GUI dependencies
- License: BSD (Free Software)
- Availability: Included in Debian repositories — install via apt install zeek.
More info: Wikipedia
Firewalls
iptables — a legacy packet-filtering and NAT interface for the Netfilter framework in Linux.
- CLI-based, no GUI dependencies
- License: GPL (Free Software)
- Availability: Included in Debian repositories — install via apt install iptables.
Note: In modern Debian releases, nftables is preferred, but iptables remains available for compatibility.
More info: Wikipedia (https://en.wikipedia.org/wiki/Iptables)
nftables — the newer unified firewalling framework replacing iptables, ip6tables, and related tools.
- CLI-based, no GUI dependencies
- License: GPL (Free Software)
- Availability: Included in Debian repositories and often pre-installed (e.g., Debian 12). Enable via systemctl enable --now nftables.
More info: Wikipedia
Antivirus & Rootkit Scanners
chkrootkit — a CLI-based tool to locally check for signs of a rootkit on Unix-like systems.
- CLI-based, no GUI dependencies
- License: GPL (Free Software)
- Availability: Included in Debian repositories — install via apt install chkrootkit.
More info: Wikipedia
rkhunter — Rootkit Hunter, a CLI tool for scanning Unix-like systems for rootkits, backdoors, and local exploits.
- CLI-based, no GUI dependencies
- License: GPL (Free Software)
- Availability: Included in Debian repositories — install via apt install rkhunter.
More info: Wikipedia
ClamAV — an open-source antivirus engine for detecting trojans, viruses, malware, and other malicious threats.
- CLI-based, no GUI dependencies (optional GUI frontends available)
- License: GPL (Free Software)
- Availability: Included in Debian repositories — install via apt install clamav clamav-daemon.
More info: Wikipedia
Host-based IDS/IPS and Integrity Monitoring Systems
auditd — a lightweight Linux auditing and security event logging tool.
- CLI-based, part of the Linux Audit subsystem
- License: GPL (Free Software)
- Provides real-time monitoring and detailed logging of system events
- Availability: Included in Debian repositories — install via apt install auditd.
More info: ArchWiki – Audit Framework
Falco — a kernel-level behavioral threat detection system.
- Real-time monitoring of syscalls and process behavior (HIDS)
- License: Apache 2.0 (Open Source)
- Detects anomalies: privilege escalation, code injection, suspicious network activity
- Availability: Installed via the official Falco repository — instructions are available on the Falco website.
More info: GitHub – Falco Security Project
OSSEC — an open-source host-based intrusion detection and prevention system (HIDS/HIPS).
- CLI-based, but includes an optional lightweight Web UI for monitoring and alert visualization
- License: GPL (Free Software)
- Provides real-time alerting, log analysis, rootkit detection, and active response capabilities
- Availability: Packages available via official repositories and upstream installers
More info: Wikipedia – OSSEC
Wazuh — an advanced open-source security platform and a modern fork of OSSEC, providing IDS/IPS, SIEM, and vulnerability detection features.
- CLI-based core, but includes a full-featured web dashboard (Wazuh Dashboard) for event management and visualization
- License: GPL (Free Software)
- Supports host-based and network-level monitoring, real-time alerting, and centralized log analysis
- Availability: Packages available via official repositories and upstream installers
More info: Wikipedia – Wazuh
AIDE — a file integrity checking system.
- CLI-based, no GUI dependencies
- License: GPL (Free Software)
- Records and verifies file hashes to detect unauthorized modifications
- Availability: Included in Debian repositories — install via apt install aide.
Note: If the system is still being actively configured, AIDE may produce many false positives; in that case, disable it temporarily or enable it only after the system setup is finalized.
More info: Wikipedia – AIDE
