Practical Guide to Linux Security: From Rootkit Detection to System Hardening

In this article, you will learn how to use rkhunter to detect rootkits, set up Fail2ban to prevent brute-force attacks, and why it is crucial to lock your screen when you leave.

You will also learn how to make sudo more secure by adjusting timeout settings to ensure it always requires a password. Let’s get started.

Using rkhunter to Monitor Rootkits

A rootkit is a cunning type of malware specifically designed to hide itself within your system.

In Linux systems, rootkits are particularly dangerous because they often replace core system commands such as ls, ps, or netstat with trojaned versions that hide malicious files, processes, and connections from the user.

They may also install hidden backdoors, allowing attackers to maintain access to the system even if passwords are changed.

Using rkhunter

First, you need to install the tool on your system using the following command:

sudo apt install rkhunter

Then scan your computer:

sudo rkhunter --check

You will see it scanning different categories such as system commands, hidden files, and network ports.

For example, if a rootkit has replaced the ls command to hide malicious files, rkhunter will alert you. It detects this by comparing the installed binaries against a stored baseline of file properties, so warnings also appear after legitimate package updates; refresh the baseline with rkhunter --propupd only once you have confirmed that the changed files came from a trusted update.

Fail2ban: Preventing Brute-Force Attacks

Imagine someone standing at your front door, trying thousands of keys until one finally works.

On the internet, bots do the same thing; they repeatedly try random usernames and passwords on services like SSH.

Fail2ban monitors your system’s logs, and every time someone fails to log in, Fail2ban records it. If failures continue, it assumes this person is not you and temporarily bans their IP address.

To install and enable the tool, use the following commands:

sudo apt install fail2ban
sudo systemctl enable --now fail2ban

By default, it monitors services like SSH. Its defaults live in /etc/fail2ban/jail.conf; put your own settings in /etc/fail2ban/jail.local, which overrides the defaults and is not overwritten when the package is upgraded.

For example, you can set it to ban an IP for 10 minutes after 5 failed login attempts (bantime is given in seconds):

[sshd]
enabled = true
maxretry = 5
bantime = 600

Fail2ban Example

Suppose a bot is trying to brute-force your SSH login. After too many failed attempts, Fail2ban intervenes and blocks it.

You might see something like this in the log file:

2025-09-15 14:22:41 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.45
2025-09-15 14:32:41 fail2ban.actions [1234]: NOTICE [sshd] Unban 203.0.113.45

This means the attacker from IP address 203.0.113.45 has been locked out for 10 minutes. If they continue to try, they will be banned again.
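As an added example that is not part of the original article, the following Python script parses the [sshd] jail fragment shown earlier and fail2ban.actions log lines like the ones above, pairs each Ban with its Unban, and checks that the observed ban length matches the configured bantime. The configuration text, log lines, and IP addresses are constructed samples.

```python
import re
from configparser import ConfigParser
from datetime import datetime

# Constructed samples: the article's [sshd] fragment and log lines in the
# format fail2ban.actions writes (documentation-range IPs, not real hosts).
JAIL_CONF = "[sshd]\nenabled = true\nmaxretry = 5\nbantime = 600\n"
LOG_LINES = [
    "2025-09-15 14:22:41 fail2ban.actions [1234]: NOTICE [sshd] Ban 203.0.113.45",
    "2025-09-15 14:32:41 fail2ban.actions [1234]: NOTICE [sshd] Unban 203.0.113.45",
    "2025-09-15 15:01:07 fail2ban.actions [1234]: NOTICE [sshd] Ban 198.51.100.7",
]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) fail2ban\.actions\s+\[\d+\]: "
    r"NOTICE\s+\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$"
)

def parse_jail(conf_text, jail="sshd"):
    """Return (maxretry, bantime) for one jail from fail2ban INI text."""
    cp = ConfigParser()
    cp.read_string(conf_text)
    return cp.getint(jail, "maxretry"), cp.getint(jail, "bantime")

def summarize_bans(lines):
    """Pair each Ban with its Unban -> {(jail, ip): [seconds, ...]}; an unlifted ban is None."""
    open_bans, result = {}, {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines other than Ban/Unban actions
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["jail"], m["ip"])
        if m["action"] == "Ban":
            open_bans[key] = ts
            result.setdefault(key, [])
        elif key in open_bans:
            result[key].append(int((ts - open_bans.pop(key)).total_seconds()))
    for key in open_bans:
        result[key].append(None)
    return result

def bans_match_config(lines, conf_text, jail="sshd"):
    """True when every completed ban lasted exactly the configured bantime."""
    _, bantime = parse_jail(conf_text, jail)
    durations = [d for ds in summarize_bans(lines).values() for d in ds if d is not None]
    return all(d == bantime for d in durations)

if __name__ == "__main__":
    print(summarize_bans(LOG_LINES), bans_match_config(LOG_LINES, JAIL_CONF))
```

Run against a real /var/log/fail2ban.log, the same functions show which addresses are currently banned and whether the running jail honours the bantime you think you configured.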

Locking the Screen When Leaving

On a desktop or laptop, locking the screen is as simple as pressing a combination of keys. Most Linux desktops use Ctrl + Alt + L. This immediately brings up the login screen, requiring your password or fingerprint to re-enter.

Example: Suppose you are working in a coffee shop and get up to buy another drink. If your screen is not locked, someone could sit down, plug in a USB device, and copy your personal files before you return.

Therefore, locking the screen is one of the simplest yet most effective security habits. It costs nothing and takes just a second to prevent others from using your computer while you are away.

Using Timeout to Limit sudo

On Linux, by default, once you enter your password for sudo, Linux remembers it for about 15 minutes. During this time, you can run more sudo commands without re-entering your password.

This is convenient, but imagine you leave to get coffee, and a colleague sits at your unlocked computer and runs malicious commands.

To prevent this, you can set the timeout to zero, meaning Linux will always require a password before running sudo commands. Therefore, open /etc/sudoers in the nano text editor, but do so through visudo (for example, sudo EDITOR=nano visudo), which checks the file's syntax before saving, since a syntax error in /etc/sudoers can lock you out of sudo entirely. Add the following line:

Defaults timestamp_timeout=0

Now, every time you use sudo, Linux will require you to enter your password. This is less convenient, but it is safer if you leave the machine.

Conclusion

Improving Linux security doesn’t have to be complicated. With just a few practical steps, such as checking for rootkits, preventing brute-force attacks, and locking your screen, you can guard against the most common ways attackers try to infiltrate.

Key Points:

  • Prevention is better than cure: Regularly scanning for rootkits and monitoring failed logins is more effective than dealing with an intrusion after it happens.
  • Simple habits, huge impact: Simple actions like locking your screen can prevent most physical access attacks.
  • Balancing security and convenience: While entering the sudo password every time is less convenient, it is necessary in shared or insecure environments.
  • Multi-layered protection: Combine these techniques to build a comprehensive security defense system.

By implementing these measures, your Linux system will be better equipped to withstand common attacks while maintaining good usability.
