Linux hardening tools

The tools behind every domain on the map — what each one does, how to install it, and where it fits. Grouped by hardening domain.

35 tools indexed

01 Access & Authentication

OpenSSH

The standard SSH server and client; sshd_config is where most remote-access hardening lives.

openssh-server (preinstalled)

Google Authenticator PAM

PAM module that adds TOTP one-time codes as a second factor for SSH and console logins.

apt install libpam-google-authenticator

sudo

Runs commands as another user under fine-grained policy; scope it in /etc/sudoers.d for least privilege.

sudo (preinstalled)

02 Accounts & Privileges

libpwquality (pam_pwquality)

Enforces password complexity and length rules at change time via PAM and pwquality.conf.

apt install libpam-pwquality

pam_faillock

Locks accounts after repeated failed logins to blunt brute-force and credential-stuffing attacks.

pam (preinstalled)

shadow-utils (chage)

User and password database tools; chage sets aging policy and login.defs the system-wide defaults.

passwd / login.defs (preinstalled)

03 Network & Firewall

nftables

The modern in-kernel packet filter that replaces iptables; build a default-deny ruleset in /etc/nftables.conf.

apt install nftables

firewalld

Zone-based firewall manager (RHEL/Fedora default) with a friendly firewall-cmd front end over nftables.

dnf install firewalld

ufw

Uncomplicated Firewall — a simple front end to iptables/nftables, popular on Ubuntu servers.

apt install ufw

04 Kernel Hardening

sysctl (procps)

Reads and sets kernel parameters at runtime; drop hardening keys into /etc/sysctl.d and apply with sysctl --system.

procps (preinstalled)

kernel-hardening-checker

Audits your kernel config and sysctls against KSPP and CIS hardening recommendations.

pip install kernel-hardening-checker

Kernel Lockdown (LSM)

Restricts root's ability to modify the running kernel; pairs with Secure Boot for an integrity boundary.

built into the kernel

05 Filesystem & Permissions

debsums

Verifies installed Debian package files against their recorded checksums to catch tampering.

apt install debsums

acl (setfacl/getfacl)

POSIX access control lists for permissions beyond owner/group/other on sensitive paths.

apt install acl

06 Services & systemd

systemd-analyze security

Scores how well a systemd unit is sandboxed and lists the directives that would tighten it.

systemd (preinstalled)

07 Mandatory Access Control

SELinux

Label-based mandatory access control that confines processes to an explicit policy; keep it enforcing.

default on RHEL/Fedora

AppArmor

Path-based mandatory access control (Ubuntu/SUSE default) using per-application confinement profiles.

apt install apparmor-utils

policycoreutils (audit2allow)

SELinux policy tooling: read AVC denials and generate targeted policy with audit2allow and semanage.

dnf install policycoreutils-python-utils

08 Logging & Auditing

auditd (Linux Audit)

The kernel audit framework's userspace daemon; records security-relevant events via rules in /etc/audit/rules.d.

apt install auditd

rsyslog

High-throughput syslog daemon for centralizing and forwarding logs to a tamper-resistant collector.

apt install rsyslog

Logwatch

Parses system logs into a daily human-readable summary so anomalies surface without log diving.

apt install logwatch

09 Updates & Packages

unattended-upgrades

Automatically installs Debian/Ubuntu security updates so hosts patch without manual intervention.

apt install unattended-upgrades

dnf-automatic

The RHEL/Fedora equivalent: timer-driven automatic security updates configured in automatic.conf.

dnf install dnf-automatic

needrestart

Detects services still running outdated libraries after an update and restarts them.

apt install needrestart

10 Boot & Physical Security

cryptsetup (LUKS)

Manages LUKS full-disk encryption so a stolen or decommissioned drive reveals nothing.

apt install cryptsetup

GRUB 2

The bootloader; set a password to stop edits to boot parameters and recovery/single-user entries.

grub2 (preinstalled)

mokutil

Inspects and manages Secure Boot state and Machine Owner Keys for verified boot chains.

apt install mokutil

11 Intrusion Detection

AIDE

Advanced Intrusion Detection Environment — builds a file-integrity baseline and reports unexpected changes.

apt install aide

fail2ban

Watches logs and bans IPs that repeatedly fail authentication, throttling brute-force at the firewall.

apt install fail2ban

rkhunter

Scans for rootkits, backdoors, and suspicious local changes against a known-good properties database.

apt install rkhunter

chkrootkit

A lightweight, signature-based rootkit checker useful as a second opinion alongside rkhunter.

apt install chkrootkit

12 Compliance & Benchmarks

Lynis

Agentless audit tool that scores a system's hardening and prints prioritized, actionable suggestions.

apt install lynis

OpenSCAP (oscap)

Evaluates a host against SCAP profiles (CIS, STIG) and generates HTML reports plus remediation scripts.

apt install openscap-scanner

SCAP Security Guide

Ready-made SCAP content and Ansible roles implementing CIS, STIG, and ANSSI baselines per distribution.

apt install ssg-debian / ssg-base

CIS-CAT

The Center for Internet Security's official assessor that scores systems directly against CIS Benchmarks.

CIS membership (proprietary)