Server Hardening
Patching, fail2ban, CrowdSec, OpenSCAP — keeping Linux boxes locked down.
The "boring but matters" list of hardening practices and tools.
Auto-patching
- ★ unattended-upgrades (Debian / Ubuntu) — auto-apply security updates. Configure to install + reboot if needed.
- dnf-automatic (Fedora / Rocky / Alma) — same niche.
- livepatch / kpatch — kernel patching without reboot (paid Ubuntu Pro / RHEL).
- kured — coordinated reboots across a cluster after package updates.
- Ansible patching playbooks — for fleets; with maintenance windows.
Intrusion / abuse defense
- ★ CrowdSec — modern fail2ban replacement; community-shared blocklists; many parsers (SSH, web, DB). The default for new setups.
- ★ fail2ban — log-tail-based banning; classic; still widely used.
- sshguard — alternative to fail2ban, only for SSH.
- PortSentry — older.
Audit / compliance
- ★ Lynis — single-host audit; checks hundreds of items; gives you a score. The default for "is this box reasonably configured?"
- OpenSCAP — official CIS / DISA STIG benchmarks; for compliance-driven envs.
- Wazuh — open-source SIEM + HIDS; bigger scope.
- OSSEC — older HIDS; Wazuh's predecessor.
- AIDE — file integrity monitoring.
Mandatory access control
- AppArmor — Ubuntu / SUSE default; profile-based.
- SELinux — RHEL / Fedora default; label-based; powerful but steep.
- Don't disable these in prod just because they're inconvenient.
SSH hardening
- ★ Disable password auth, root login, allow only key auth.
- Move SSH off port 22. Doesn't stop targeted attackers but cuts noise massively.
- Use SSH certs instead of authorized_keys; see SSH & Bastion.
- AllowUsers / AllowGroups to limit who can SSH at all.
- SSH only over Tailscale — best practice in 2026.
CVE / vulnerability scanning
- See Security Scanning — Trivy, Grype, Snyk, etc.
- vuls — agentless Linux vulnerability scanner; OSS.
- Wazuh also does CVE detection.
Firewall
- See Firewalls — ufw / nftables on hosts.
Patterns to adopt
- ★ Run Lynis once. Fix the highest-impact items. Run quarterly.
- Auto-apply security updates daily. Restart at 4 AM if needed; you'll lose less sleep than from a known CVE.
- CrowdSec on every public-facing box — it's free, low-effort, and shares knowledge across the community.
- No password SSH. Key-only.
- Tighter sysctls — IP forwarding off (unless you need it), reverse-path filtering on, ICMP echo-ignore-broadcasts, etc.
- Logwatch / journalctl alerts sent to a log aggregator — read them.
- Audit logging on (auditd / SELinux audit) for compliance shops.
CIS Benchmarks
- CIS Benchmarks — comprehensive hardening checklists per OS.
- OpenSCAP runs them.
bench-securityscripts for various OSes.- CIS-CAT Lite — Center for Internet Security's free assessment tool.
Pick this if…
- Default new server hardening: unattended-upgrades + Lynis + CrowdSec + ufw + Tailscale-only SSH.
- Compliance-heavy: OpenSCAP + CIS Benchmarks + Wazuh.
- Quick check on an existing box: Lynis.
- Block scanning bots / failed-login waves: CrowdSec.
- File integrity: AIDE.