Security Tools: Fail2ban and RKHunter

Overview

This guide covers the installation and configuration of two essential Linux security tools:

  1. Fail2ban: Protects your server from brute-force attacks by banning IPs after repeated failed login attempts.
  2. RKHunter: Scans your system for rootkits and suspicious files.

Both tools work together to enhance your server's security.


1. Fail2ban

Installation

On Debian/Ubuntu:

sudo apt update
sudo apt install fail2ban

On RHEL/CentOS:

sudo dnf install epel-release
sudo dnf install fail2ban

Configuration

  1. Copy the default configuration file:

    sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
  2. Edit the jail.local file:

    sudo vi /etc/fail2ban/jail.local

    Example configuration for SSH (logpath shown is the Debian/Ubuntu location; on RHEL/CentOS sshd logs to /var/log/secure):

    [sshd]
    enabled = true
    port = ssh
    logpath = /var/log/auth.log
    maxretry = 5
    bantime = 3600
  3. Restart Fail2ban:

    sudo systemctl restart fail2ban
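To show what the maxretry, bantime and (default) findtime settings above actually do, here is an added example that is not part of the original guide or of Fail2ban itself: a small Python model of the sshd jail's counting logic, run over a constructed auth.log excerpt. The regex is a simplified form of Fail2ban's sshd filter, the sample log lines and the documentation-range IPs are constructed, and findtime is assumed to be Fail2ban's default of 600 seconds since the example configuration does not set it.

```python
import re
from datetime import datetime, timedelta

# [sshd] values from jail.local above; findtime is fail2ban's default 10 min (unset in the example).
MAXRETRY = 5
FINDTIME = timedelta(seconds=600)
BANTIME = timedelta(seconds=3600)

# Simplified form of the "Failed password" pattern in fail2ban's sshd filter.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed auth.log excerpt: 203.0.113.7 fails 5x in 10 s; 192.0.2.50 fails 4x, then once 11 min later.
SAMPLE_AUTH_LOG = """\
Mar 10 03:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar 10 03:00:03 host sshd[1202]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar 10 03:00:05 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51002 ssh2
Mar 10 03:00:07 host sshd[1204]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2
Mar 10 03:00:09 host sshd[1205]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar 10 03:00:11 host sshd[1206]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 03:05:00 host sshd[1207]: Failed password for root from 192.0.2.50 port 40001 ssh2
Mar 10 03:05:02 host sshd[1208]: Failed password for root from 192.0.2.50 port 40002 ssh2
Mar 10 03:05:04 host sshd[1209]: Failed password for root from 192.0.2.50 port 40003 ssh2
Mar 10 03:05:06 host sshd[1210]: Failed password for root from 192.0.2.50 port 40004 ssh2
Mar 10 03:16:00 host sshd[1211]: Failed password for root from 192.0.2.50 port 40005 ssh2
""".splitlines()

def parse_failures(lines, year=2024):
    """Yield (timestamp, ip) for each failed-password line; syslog lines carry no year."""
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"]

def find_bans(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Return {ip: ban_expiry} for every IP reaching maxretry failures within findtime."""
    recent, bans = {}, {}
    for ts, ip in parse_failures(lines):
        if ip in bans and ts < bans[ip]:
            continue  # still banned: the firewall rule would have dropped this attempt
        window = [t for t in recent.get(ip, []) if ts - t <= findtime]  # sliding findtime window
        window.append(ts)
        recent[ip] = window
        if len(window) >= maxretry:
            bans[ip] = ts + bantime
            recent[ip] = []  # counter resets once the ban is applied
    return bans
```

Calling find_bans(SAMPLE_AUTH_LOG) bans only 203.0.113.7 (until 04:00:11); 192.0.2.50 is never banned because its fifth failure falls outside the 600-second findtime window, which is the setting to lower if slow, spread-out guessing should also be caught.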

Monitoring

  • Check the status of Fail2ban:

    sudo fail2ban-client status
  • View details for a specific jail:

    sudo fail2ban-client status sshd

2. RKHunter

Installation

On Debian/Ubuntu:

sudo apt update
sudo apt install rkhunter

On RHEL/CentOS:

sudo dnf install epel-release
sudo dnf install rkhunter

Usage

  1. Update the RKHunter database:

    sudo rkhunter --update
  2. Run a system check:

    sudo rkhunter --check
  3. View the scan report: The results are displayed directly in the terminal, and RKHunter also writes a full log to /var/log/rkhunter.log. Look for warnings that require attention.

Automating Scans

Set up a daily cron job to run RKHunter:

sudo crontab -e

Add the following line:

0 3 * * * /usr/bin/rkhunter --check --skip-keypress

3. Combining Fail2ban and RKHunter

Both tools can work together:

  • Fail2ban protects your server by banning suspicious IPs in real-time.
  • RKHunter provides periodic scans to ensure no malware or rootkits are present.

You can use Ansible to automate the setup and configuration of both tools.


Conclusion

Fail2ban and RKHunter are powerful tools to secure your Linux server. Using them together provides both real-time protection and periodic security audits. For a fully automated setup, use the provided Ansible role.