Linux Security Tools (Top 100)
Based on reviews and automated analysis, these are currently the best Linux security tools. This list is populated with tools that are publicly available and updated weekly.
Lynis (system security scan)
Security auditing tool for systems running Linux or other Unix-based operating systems, performing an in-depth health check.
BetterCAP (MitM tool and framework)
BetterCAP is a complete, modular, portable and easily extensible MitM tool and framework. It is maintained well and appreciated by many.
IVRE (reconnaissance for network traffic)
IVRE is a framework to perform reconnaissance for network traffic. It leverages other tools to pull in the data and show it in the web interface.
vFeed (vulnerability database and query engine)
vFeed is a set of tools around correlated vulnerability and threat intelligence. It provides a database, API, and supporting tools to store vulnerability data.
osquery (operating system query tool)
The osquery tool allows querying your Linux, Windows, and macOS infrastructure. It can help with intrusion detection, infrastructure reliability, or compliance.
ZAP (web application analysis)
The OWASP Zed Attack Proxy (ZAP) helps to find security vulnerabilities in web applications during development and testing.
Anchore (container analysis, inspection, and control)
Seccubus (automation of vulnerability scanning)
Seccubus automates vulnerability scanning with support for Nessus, OpenVAS, NMap, SSLyze, Medusa, SkipFish, OWASP ZAP, and SSLlabs.
YARA (malware identification and classification)
YARA is a security tool that helps malware researchers identify and classify malware samples, for example by defining malware families based on patterns.
KeePassXC (cross-platform password manager)
KeePassXC is a cross-platform application to store sensitive data like passwords, keys, and other secrets. It has a graphical user interface and is written in C++.
O-Saft (OWASP SSL audit for testers)
O-Saft is a security tool to show information about SSL certificates. It tests the SSL connection with the given list of ciphers and configuration.
SpiderFoot (OSINT automation tool)
SpiderFoot is an open source intelligence (OSINT) automation tool. It automates the process of gathering intelligence, like IP addresses, domains, and networks.
radare2 (reverse engineering tool and binary analysis)
radare2 is a tool to perform reverse engineering on files of all types. It can be used to analyze malware, firmware, or any other type of binary files.
Linux Malware Detect (malware scanner)
Linux Malware Detect (LMD) is a malware scanner for systems running Linux. The open source software project is released under the GPLv2 license.
Cuckoo Sandbox (malware analysis tool)
Cuckoo Sandbox is a malware analysis system. By feeding it suspicious files, Cuckoo can provide detailed findings on what a file did and how it behaved.
Fail2ban (log parser and blocking utility)
Fail2ban is an intrusion prevention software framework that protects servers from brute-force attacks.
OpenStego (steganography tool)
OpenStego is a free steganography solution to hide data in other files like images, or add a watermark to them.
mitmproxy (TLS/SSL traffic interception)
The mitmproxy tool allows you to intercept, inspect, modify, and replay traffic flows. It may be used for pentesting, troubleshooting, or learning about SSL/TLS.
sqlmap (SQL injection tool)
sqlmap performs automatic SQL injection and can take over a database. It is a valued tool for pentesters and those who want to test their web applications.
Arachni (web application scanner)
Web application security scanner aimed at helping users evaluate the security of web applications.
mongoaudit (audit tool for MongoDB databases)
Mongoaudit performs a security audit on MongoDB instances. It can be used to test if the right security measures are taken and detect room for improvement.
Loki (file scanner to detect indicators of compromise)
Loki is a security tool to find so-called indicators of compromise (IOC). It does this by scanning files and applying pattern matching to them.
Brakeman (static code analyzer for Ruby on Rails)
Brakeman is a static code analysis tool for Ruby on Rails to perform a security review. It comes as an open source project with optional commercial support.
Nmap (network scanner)
Nmap is a security scanner that can perform a port scan, network exploration, and determine vulnerabilities.
SNARE (web application honeypot)
SNARE is a reactive honeypot for security research, detecting attacks, and responding to possible flaws within your environment. It is the successor of Glastopf.
ntopng (network traffic monitoring)
ntopng is the successor of the original ntop utility. It shows network usage by capturing traffic and provides insights on the usage.
WordPress Exploit Framework (WordPress pentesting framework)
The WordPress Exploit Framework (WPXF) is a framework written in Ruby. As the name implies, it aids in pentesting WordPress installations.
Xplico (network traffic analyzer)
Xplico is a forensics analysis tool to investigate the traffic patterns in a pcap file. It is released as a GPL project, with some scripts under a CC license.
WPScan (WordPress vulnerability scanner)
WPScan is a security tool to perform black box WordPress vulnerability scans, including enumeration of used plugins.
Suricata (network IDS, IPS and monitoring)
Network threat detection engine that acts as intrusion detection (IDS), inline intrusion prevention (IPS), and network security monitoring (NSM).
Wireshark (network traffic analyzer)
Wireshark is the well-known network protocol analyzer. It allows you to see what is happening on the network and zoom into the details of the network protocols.
ClamAV (malware scanner)
ClamAV is an open source antivirus engine. It can detect malicious software (malware) like trojans, viruses, backdoors and other related threats.
DataSploit (OSINT framework)
DataSploit is a framework to perform intelligence gathering to discover credentials, domain information, and other information related to the target.
THC Hydra (password discovery)
THC Hydra is a brute-force cracking tool for remote authentication services. It supports many protocols, including telnet, FTP, LDAP, SSH, SNMP, and others.
OWTF (offensive web testing framework)
The OWTF project (Offensive Web Testing Framework) unites tools for penetration testing. Most parts are written in Python.
Volatility (memory forensics framework)
Volatile memory forensics framework used for memory analysis purposes. The framework is written in Python and runs on almost all platforms.
SIMP (system integrity and configuration enforcement)
SIMP is short for System Integrity Management Platform. It is a project maintained by the NSA and released as an open source project.
Lemur (TLS certificate management)
Lemur manages TLS certificate creation and the underlying process that is required. It acts as a broker between a certificate authority (CA) and the environment.
Vuls (agentless vulnerability scanner)
Vuls is a vulnerability scanner for Linux and FreeBSD. It is written in Go, agentless, and does a remote login to find any software vulnerabilities.
OpenSCAP (suite with tools and security data)
Tools to assist administrators and auditors with assessment, measurement, and enforcement of security baselines.
THC IPv6 Attack Toolkit (attack toolkit for IPv6 protocol)
The THC IPv6 attack toolkit is a set of utilities. It can be used for penetration testing and security assessments of correct network implementations.
Detective (detect information disclosure and data exposure)
Detective helps to find information that you are not supposed to see. It focuses on information disclosure and sensitive data exposure vulnerabilities.
ATSCAN (search (dork) scanner for mass exploitation)
ATSCAN is a security tool to perform a mass exploitation scan on search engines. It discovers targets that may be susceptible to exploitation.
ssh_scan (SSH configuration and policy scanner)
The ssh_scan utility is an SSH configuration and policy scanner maintained by the Mozilla Foundation. It helps to secure Linux systems running OpenSSH.
Passmgr (password manager)
Passmgr is a simple portable password manager written in Go. It helps with storing secrets, like passwords and API keys.
Prowler (AWS CIS Benchmark Tool)
Prowler is a security tool to perform security audits on AWS configurations. It helps to find configuration flaws and improve system hardening.
HoneyPy (low interaction honeypot)
HoneyPy is a low interaction honeypot written in Python, yet has additional capabilities. Plugins can be created to emulate services that run on UDP or TCP.
Belati (OSINT tool)
Belati is a security tool to collect public data and information and calls itself a Swiss army knife for OSINT purposes.
APT2 (automation of pentest tasks)
APT2 is a tool written by Adam Compton and Austin Lane to help pentesters automate mundane scanning tasks. It leverages scan results from Nexpose, Nessus, or Nm
hsecscan (website headers extraction)
hsecscan performs a security scan of a website and analyses any discovered HTTP headers. For each header, it will provide details and recommendations.
TANNER (backend for the SNARE honeypot)
TANNER is the 'brain' of the SNARE tool. It evaluates its events and alters the responses to incoming requests depending on the type of attacks.
bane (AppArmor profile generator)
The bane tool is an AppArmor profile generator for Docker containers. It helps with creating the appropriate profile for confinement on system level.
WPForce (WordPress scanner and exploiter)
WPForce is a suite of tools to attack WordPress installations. One part focuses on brute forcing logins, the other on uploading a shell upon finding credentials.
Security Monkey (security monitoring tool)
Security Monkey monitors AWS and GCP accounts for policy changes and alerts on insecure configurations.
SSLyze (SSL/TLS server scanning library)
SSLyze provides a library for scanning services that use SSL/TLS for encrypted communications. It can be used to test their implementation.
pshtt (HTTPS configuration scanner)
pshtt is a security tool to scan domains for the usage of HTTPS and the application of best practices in their web configuration.
addrwatch (monitoring of ARP and IP addresses)
Addrwatch is a tool similar to arpwatch to monitor IPv4/IPv6 and Ethernet address pairings.
Scout2 (Security auditing tool for AWS)
Scout2 is a security tool to assess the security of an AWS environment. It can be used for system hardening and IT audits.
Confidant (storage of secrets)
boofuzz (fuzzing framework)
Boofuzz is a fork of the Sulley fuzzing framework, created after its maintenance dropped. Besides numerous bug fixes, boofuzz aims for extensibility.
OpenVAS (vulnerability scanner)
OpenVAS is a framework of several services and tools offering a vulnerability scanning and vulnerability management solution.
Findsploit (exploit search tool)
Findsploit is a simple script to search both local and online exploit databases. Typically this is used by penetration testers during a security assignment.
django-defender (defender against brute force login attempts)
Django-defender is a reusable app for Django that blocks brute-force login attempts.
Gitrob (discovery of sensitive data in repositories)
Gitrob is a security tool to find sensitive information on GitHub. During the audit, it may detect passwords, API keys, or other secrets.
USB Canary (device monitoring)
USB Canary monitors the devices on a system for the addition or removal of USB devices. On such an event, an alert is sent.
changeme (credential scanner)
The tool changeme is a credential scanner for default usernames and passwords, or common combinations of these.
arping (ARP host discovery)
arping is a tool for the discovery of hosts on a computer network using the Address Resolution Protocol (ARP).
Rootkit Hunter (malware scanner)
Security tool to search for traces of rootkits, backdoors, and other malicious components on systems running Linux and other flavors of Unix.
OSSEC (host-based intrusion detection system)
OSSEC is an open source host-based intrusion detection system (HIDS). It performs log analysis, integrity checking, rootkit detection, and more.
Cppcheck (static code analyzer)
Cppcheck is a static code analysis tool for C and C++ code. It helps to discover bugs that would not be picked up by compilers, while aiming to avoid false positives.
chkrootkit (malware scanner)
chkrootkit is a malware scanner to locally check for signs of a rootkit. It is written in shell script and runs on the host system itself.
nftables (packet filtering framework)
nftables is a subsystem of the Linux kernel to filter and classify network traffic. It is intended to replace netfilter.
Snort (network intrusion detection system)
Snort is a network intrusion detection system (NIDS) that runs on Linux and other platforms.
DBShield (database security shield)
DBShield is a gateway between an application and the actual database engine. Its goal is to protect against SQL injections and other database attacks.
Vulnreport (security review tool)
Vulnreport is a tool to automate and manage all the data involved in security reviews. In particular, it focuses on discovered vulnerabilities.
SearchSploit (exploit search tool)
Exploit-DB's CLI search tool to find any exploits from the database. The tool is written in shell script and maintained by Offensive Security.
Clair (container vulnerability scanner and analyzer)
Clair is an open source container analyzer. It performs static analysis of container images and correlates their contents with public vulnerability databases.
WPSeku (WordPress vulnerability scanner)
WPSeku is a WordPress vulnerability scanner that can be used to scan remote WordPress installations.
Nix-Auditor (CIS benchmark scanner)
Nix-Auditor is a tool to help with scanning Linux systems and testing them against CIS benchmarks.
Douane (application firewall)
Douane is an application firewall that interacts with the user to allow or deny new network connections.
XSS Hunter (Cross-site scripting scanner)
XSS Hunter helps with finding XSS attacks and triggers a warning when one is successful. It exists as an online service or as a self-hosted installation.
sslsniff (SSL traffic sniffing)
The sslsniff tool helps with performing man-in-the-middle (MitM) attacks on SSL/TLS traffic. It can be used for security assignments.
Zenmap (graphical user interface for Nmap)
The graphical user interface for the well-known network and vulnerability scanner nmap.
SSLMap (TLS/SSL cipher suite scanner)
SSLMap is a TLS/SSL cipher suite scanner. It provides a way to detect weak ciphers enabled on SSL endpoints and can be used during security assessments.
Scapy (network packet generator and analyzer)
Scapy is an interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols and send and capture them.
SSLsplit (SSL/TLS MitM tool)
SSLsplit is a security tool to perform transparent SSL/TLS interception by using a so-called man-in-the-middle (MitM) attack.
Metasploit Framework (penetration toolkit)
Metasploit is a framework that consists of tools to perform security assignments. It focuses on the offensive side of security and leverages exploit modules.
Malscan (ClamAV-based malware scanner for web servers)
Malscan is a tool that describes itself as a robust ClamAV-based malware scanner for web servers. It can use signatures from multiple sources to perform scanning.
Docker Bench for Security (Docker security scanner)
Docker Bench for Security is a small security scanner to perform several tests that are part of the Docker CIS benchmark.
pick (minimal terminal password manager)
The pick tool provides a minimal password manager on the terminal for systems running macOS and Linux.
arch-audit (detection of vulnerable packages on Arch Linux)
Utility like pkg-audit for Arch Linux to find vulnerable packages on the system.
0d1n (fuzzing tool for web applications)
0d1n is a security tool to perform fuzzing of web applications and discover potential security issues. It is commonly used during security assignments.
django-axes (track failed login attempts for Django)
Django-axes is a reusable app for Django to limit the brute force login attempts for your web application.
XSSER (Cross-site scripting scanner)
XSSER leverages the execution of arbitrary code on the web server when an administrative user inadvertently triggers a hidden XSS payload.
PHP Malware Finder (PHP malware scanner)
PHP Malware Finder is a tool to find malicious PHP scripts. This threat is common for most web hosting providers and the websites of their customers.
TLS-Attacker (analyzer for TLS libraries)
TLS-Attacker is a framework to analyze TLS libraries. It is written in Java and developed by the Ruhr University Bochum and Hackmanit GmbH.
Vault (storage of secrets)
Vault is a tool created by HashiCorp to store secrets like keys and passwords. These secrets are typically used by other software components and scripts.
Viproy (VoIP security testing)
Viproy is a VoIP penetration testing and exploitation kit. It helps with testing VoIP protocols like SIP and Cisco Skinny and related IP phone services.
hping (network packet generator and analyzer)
hping is a tool to assemble and analyze TCP/IP packets. The interface looks like the common ping command, yet allows more than just ICMP echo requests.
BleachBit (system cleaner and privacy tool)
BleachBit is an open source tool focused on maintaining your privacy by cleaning up sensitive data on the system.