Tooling

Server Hardening

Patching, fail2ban, CrowdSec, OpenSCAP — keeping Linux boxes locked down.

The "boring but matters" list of hardening practices and tools.

Auto-patching

  • unattended-upgrades (Debian / Ubuntu) — auto-apply security updates. Configure to install + reboot if needed.
  • dnf-automatic (Fedora / Rocky / Alma) — same niche.
  • livepatch / kpatch — kernel patching without reboot (paid Ubuntu Pro / RHEL).
  • kured — coordinated reboots across a cluster after package updates.
  • Ansible patching playbooks — for fleets; with maintenance windows.

Intrusion / abuse defense

  • CrowdSec — modern fail2ban replacement; community-shared blocklists; many parsers (SSH, web, DB). The default for new setups.
  • fail2ban — log-tail-based banning; classic; still widely used.
  • sshguard — alternative to fail2ban, only for SSH.
  • PortSentry — older.

Audit / compliance

  • Lynis — single-host audit; checks hundreds of items; gives you a score. The default for "is this box reasonably configured?"
  • OpenSCAP — official CIS / DISA STIG benchmarks; for compliance-driven envs.
  • Wazuh — open-source SIEM + HIDS; bigger scope.
  • OSSEC — older HIDS; Wazuh's predecessor.
  • AIDE — file integrity monitoring.

Mandatory access control

  • AppArmor — Ubuntu / SUSE default; profile-based.
  • SELinux — RHEL / Fedora default; label-based; powerful but steep.
  • Don't disable these in prod just because they're inconvenient.

SSH hardening

  • Disable password auth, root login, allow only key auth.
  • Move SSH off port 22. Doesn't stop targeted attackers but cuts noise massively.
  • Use SSH certs instead of authorized_keys; see SSH & Bastion.
  • AllowUsers / AllowGroups to limit who can SSH at all.
  • SSH only over Tailscale — best practice in 2026.

CVE / vulnerability scanning

  • See Security Scanning — Trivy, Grype, Snyk, etc.
  • vuls — agentless Linux vulnerability scanner; OSS.
  • Wazuh also does CVE detection.

Firewall

Patterns to adopt

  • Run Lynis once. Fix the highest-impact items. Run quarterly.
  • Auto-apply security updates daily. Restart at 4 AM if needed; you'll lose less sleep than from a known CVE.
  • CrowdSec on every public-facing box — it's free, low-effort, and shares knowledge across the community.
  • No password SSH. Key-only.
  • Tighter sysctls — IP forwarding off (unless you need it), reverse-path filtering on, ICMP echo-ignore-broadcasts, etc.
  • Logwatch / journalctl alerts sent to a log aggregator — read them.
  • Audit logging on (auditd / SELinux audit) for compliance shops.

CIS Benchmarks

  • CIS Benchmarks — comprehensive hardening checklists per OS.
  • OpenSCAP runs them.
  • bench-security scripts for various OSes.
  • CIS-CAT Lite — Center for Internet Security's free assessment tool.

Pick this if…

  • Default new server hardening: unattended-upgrades + Lynis + CrowdSec + ufw + Tailscale-only SSH.
  • Compliance-heavy: OpenSCAP + CIS Benchmarks + Wazuh.
  • Quick check on an existing box: Lynis.
  • Block scanning bots / failed-login waves: CrowdSec.
  • File integrity: AIDE.

On this page