Security hardening tools compared: CrowdSec, Fail2ban, Wazuh, UFW, Vault, Authentik, WireGuard, Lynis, rkhunter, ClamAV
Ten open-source tools for server hardening, intrusion detection, SSO and secrets management at Swiss SMEs. Clear per-layer recommendations. As of May 2026.
Researched & fact-checked by: DuneDive LLC · As of: 2026-05
What is security hardening?
Security hardening is the systematic reduction of the attack surface of a server or application. It is not a single measure but a combination of multiple protection layers: firewall at the perimeter, intrusion detection on the system, secrets management for credentials, SSO for identities, VPN for remote access, audit tools for compliance, and antivirus at entry points (mail, upload).
A Swiss SME with a Hetzner server, fiduciary clients, and professional-secrecy duties cannot get by with a default Linux installation. The minimum configuration in May 2026 covers six layers: (1) firewall (UFW/nftables), (2) intrusion detection (CrowdSec or Fail2ban), (3) SSH hardening, (4) secrets management (Vault or at least .env encryption), (5) identity (Authentik or Authelia for SSO/2FA), (6) remote access via VPN (WireGuard).
Without this, within 6-12 months you will see SSH brute-force from bots (1000+ attempts per hour), phishing attempts on employees (weekly), and a potential ransomware risk. By May 2026, most attacks are automated: bots scan IPv4 ranges, login endpoints, and exposed databases. The hardening layer is therefore not a luxury but a minimum duty under the standard of care of Art. 717 CO (board duties).
Why it matters
Three points make security tools essential for Swiss fiduciaries and law firms: regulatory duty, insurance requirements, cyber risk reality.
Regulatory duty: revFADP requires state-of-the-art protective measures (Art. 8 revFADP). Professional secrecy under Art. 321 SCC requires that no third party gains unauthorised access to client data -- open SSH without 2FA, an unprotected API endpoint, or a staff account without strong passwords does not meet this standard. By May 2026, with the EU AI Act and ISO 42001, additional audit requirements arrive: every AI application must have an audit trail, every login must be traceable.
Insurance requirements: Swiss cyber insurance (Helvetia, Mobiliar, AXA, Zurich) has required mandatory measures since 2025: 2FA on all admin accounts, backup strategy with 3-2-1 rule, patch management with documented cycle, intrusion detection. Without these, you either get no policy or the policy does not pay out on claim. The premium delta between a hardened and unhardened SME is 30-60 percent.
Cyber risk reality: By May 2026, the main attack vectors on Swiss SMEs are: (a) phishing with fake e-banking logins, (b) ransomware via cracked VPN or SSH access, (c) supply-chain attacks via compromised NPM packages or Docker images, (d) MFA bypass via push bombing or SIM swap. The tools compared here help on all four: WireGuard replaces insecure VPN solutions, CrowdSec/Wazuh detect anomalous logins, Vault prevents secrets leaks in code repositories, Authentik delivers FIDO2 hardware keys that defeat push bombing.
The ten tools in detail
CrowdSec (MIT, self-host): open-source WAF with a collaborative blocklist. Reads logs (Nginx, SSH, Postfix), detects attack patterns, and shares suspicious IPs with all other CrowdSec installations. The community blocklist holds over 2 million active IPs by 2026. Hetzner-friendly, blocks brute force within seconds. By May 2026, the market leader for SME setups -- replaces Fail2ban in most new installations.
Fail2ban (GPL-2, self-host): classic log-based IP banning. Reads auth.log and blocks an IP via iptables after N failed attempts. Very simple, very stable since 2004. No crowdsourced layer. In May 2026 still worthwhile in production for minimalist setups; beyond about 3 services CrowdSec pays off.
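The log-to-ban decision that both Fail2ban and CrowdSec make, written out as an added example (not code from either project): Fail2ban's maxretry/findtime rule for the sshd jail, run over a few constructed auth.log lines, with the resulting ban shown as the UFW rule it would produce.

```shell
#!/bin/sh
# Constructed sample of OpenSSH auth.log lines (not a real log).
SAMPLE_AUTH_LOG='May  3 10:00:01 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51022 ssh2
May  3 10:00:02 web1 sshd[2312]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
May  3 10:00:03 web1 sshd[2313]: Failed password for root from 203.0.113.7 port 51024 ssh2
May  3 10:00:04 web1 sshd[2314]: Failed password for root from 203.0.113.7 port 51025 ssh2
May  3 10:00:05 web1 sshd[2315]: Failed password for root from 203.0.113.7 port 51026 ssh2
May  3 10:00:07 web1 sshd[2320]: Failed password for alice from 198.51.100.4 port 40010 ssh2
May  3 10:00:09 web1 sshd[2321]: Accepted publickey for alice from 198.51.100.4 port 40011 ssh2
May  3 10:00:20 web1 sshd[2330]: Failed password for root from 192.0.2.9 port 33001 ssh2'

# brute_force_ips <maxretry> <findtime>: reads sshd log lines on stdin and
# prints, once each, the source IPs that reached <maxretry> failed logins
# inside a sliding window of <findtime> seconds (Fail2ban's maxretry/findtime
# semantics for the sshd jail). Successful logins are ignored.
brute_force_ips() {
    awk -v maxretry="$1" -v findtime="$2" '
    /sshd\[[0-9]+\]: Failed password/ {
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
        if (ip == "") next
        # $3 is HH:MM:SS; the sample lies within one day, so seconds-of-day suffice
        split($3, t, ":")
        ts = t[1] * 3600 + t[2] * 60 + t[3]
        n[ip]++
        when[ip, n[ip]] = ts
        # drop failures that have fallen out of the window
        while (start[ip] < n[ip] && ts - when[ip, start[ip] + 1] > findtime) {
            start[ip]++
        }
        if (n[ip] - start[ip] >= maxretry && !(ip in banned)) {
            banned[ip] = 1
            print ip
        }
    }'
}

# ban_ips: turns the IP list on stdin into firewall rules; prints the command
# unless APPLY=1, because the real ufw call needs root on the target host.
ban_ips() {
    while read -r ip; do
        if [ "${APPLY:-0}" = 1 ]; then ufw insert 1 deny from "$ip" to any
        else echo "would run: ufw insert 1 deny from $ip to any"; fi
    done
}

# Five failures from 203.0.113.7 within 4 seconds trip a 5-in-600s rule;
# the single failures from the other two hosts do not.
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_ips 5 600 | ban_ips
```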
Wazuh (GPL-2, self-host): SIEM plus EDR plus compliance toolkit. File integrity monitoring, vulnerability detection, automated PCI-DSS/GDPR reports. Very comprehensive -- setup effort 2-5 days. Often overkill for a 10-person fiduciary, right for a 100-person law firm with compliance duties.
UFW / iptables / nftables (GPL-2, self-host): the Linux firewall base. UFW (Uncomplicated Firewall) is the default frontend in Ubuntu/Debian; nftables is the modern kernel backend. A UFW policy of default deny incoming plus allow 22/443 is a 5-minute configuration that blocks 90 percent of random scans.
HashiCorp Vault (BSL 1.1 since 2023, self-host + cloud): industry standard for secrets management. Stores API keys, DB passwords and certificates encrypted at rest, with auto-unseal via a cloud KMS. Dynamic secrets for DB access (TTL: 1 hour). The BSL license blocks commercial competition, not an SME's own use. Alternative in May 2026: OpenBao (Linux Foundation fork of Vault under MPL).
Authelia / Authentik (Apache 2.0, self-host): SSO and 2FA for internal services. Authelia is small and simple (Go, < 30 MB), Authentik is larger (Python) with more features (WebAuthn, SAML, OAuth2 provider, LDAP, webhooks). Both support FIDO2 hardware keys, which dramatically raise phishing resistance. By May 2026, the right identity layer for Swiss SMEs.
WireGuard (GPL-2 in Linux kernel since 5.6, self-host): modern VPN. 4000 lines of code, integrated in the Linux kernel, performance 3-10x over OpenVPN. Setup per client 5 minutes. Replaces OpenVPN and IPsec setups almost entirely in 2026. Swiss fiduciaries with home-office staff set WireGuard as standard -- VPN-plus-2FA via Authentik is the right combo.
Lynis (GPL-3, self-host): audit script for Linux server hardening. Runs as a single-file bash script, checks 300+ security checkpoints (kernel parameters, file permissions, cron jobs, SSH config, firewall rules). Generates report with recommendations. By May 2026, the fastest tool for a monthly audit routine.
rkhunter (GPL-2, self-host): rootkit hunter. Searches for hidden backdoors, manipulated system binaries, unusual network sockets. Classic and stable. Less relevant in 2026 since modern rootkits are kernel modules that rkhunter struggles to detect; still useful as a second layer next to Wazuh or OSSEC.
ClamAV (GPL-2, self-host): open-source antivirus, mainly for mail servers. Scans incoming attachments, complements Brevo/Postmark filters. On endpoints (workstations) ClamAV is insufficient in 2026 -- Defender (Windows) or XDR solutions (CrowdStrike, SentinelOne) are used there. ClamAV belongs on the mail gateway.
Hardening workflow in 6 steps
1. Run a Lynis audit on all servers and note the hardening score (baseline).
2. Configure UFW or nftables: default deny incoming, allow 22/443/80, then verify strictly.
3. Install CrowdSec with bouncers for Nginx and SSH; check logs after 24 hours.
4. Set up a WireGuard VPN server, distribute employee profiles with QR codes.
5. Introduce Authentik or Authelia as SSO layer, procure FIDO2 keys for admin accounts (YubiKey 5C, around CHF 80 per piece).
6. Set up Vault, migrate all .env secrets, enable dynamic secrets for DB access; monthly Lynis re-audit as routine.
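A verification script for the "verify strictly" part of step 2 and for the SSH config findings a first Lynis run typically raises, added here as an example (not Lynis, UFW or OpenSSH code): it parses `ufw status verbose` and `sshd -T` output as text, so the constructed samples below run anywhere and the same functions take live output on the host.

```shell
#!/bin/sh
# Constructed samples of `ufw status verbose` and `sshd -T` output on a host
# right after step 2 (port 80 still open, sshd still at its defaults).
SAMPLE_UFW_STATUS='Status: active
Default: deny (incoming), allow (outgoing), disabled (routed)

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere'
SAMPLE_SSHD_T='permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
maxauthtries 6'
# check_ufw <port>...: reads `ufw status verbose` on stdin; prints a finding per
# line and returns 1 if ufw is inactive, incoming is not default-deny, or an
# ALLOW IN rule exists for a port not given as an argument (IPv4 rows only).
check_ufw() {
    status=$(cat); rc=0
    echo "$status" | grep -q '^Status: active' || { echo "ufw is not active"; rc=1; }
    echo "$status" | grep -q '^Default: deny (incoming)' || { echo "incoming is not default deny"; rc=1; }
    echo "$status" | awk '$2 == "ALLOW" && $3 == "IN" { print $1 }' | while read -r rule; do
        case " $* " in
            *" ${rule%/*} "*) ;;
            *) echo "unexpected allow rule: $rule"; exit 1 ;;
        esac
    done || rc=1
    return $rc
}

# check_sshd: reads `sshd -T` (effective config, lowercase keys) on stdin and
# flags four settings that Lynis's SSH checks cover and default installs get wrong.
check_sshd() {
    cfg=$(cat); rc=0
    want() {  # want <key> <expected value>
        got=$(echo "$cfg" | awk -v k="$1" '$1 == k { print $2 }')
        [ "$got" = "$2" ] || { echo "sshd: $1 is '${got:-unset}', expected $2"; rc=1; }
    }
    want permitrootlogin no
    want passwordauthentication no
    want pubkeyauthentication yes
    want maxauthtries 3
    return $rc
}

# On the live host: ufw status verbose | check_ufw 22 443; sshd -T | check_sshd
echo "$SAMPLE_UFW_STATUS" | check_ufw 22 443 || echo "firewall: fix before go-live"
echo "$SAMPLE_SSHD_T" | check_sshd || echo "ssh: fix before go-live"
```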
Recommendation by layer
Minimum stack for Swiss fiduciary office (5-20 staff): UFW (firewall) + CrowdSec (intrusion detection) + WireGuard (VPN) + Authentik (SSO/2FA) + Vault (secrets) + Lynis (audit routine) + ClamAV (mail gateway). Setup effort 3-5 days, running maintenance 2-4 hours per month. Meets revFADP minimum standard and cyber insurance prerequisites.
Extended stack for 50+ staff law firm: minimum stack plus Wazuh (SIEM with compliance reports) plus dedicated patch management plus pentest routine. Setup effort 1-2 weeks, running maintenance 8-15 hours per month. Meets ISO 27001 prerequisites and notably reduces cyber insurance premiums.
Quick hardening of an existing server: run Lynis, fix top 10 findings (mostly SSH config, sudo rules, cron permissions). Then install CrowdSec and configure UFW. Done in one day, blocks 95 percent of automated attacks.
Minimalist setups (solo, 1-3 staff): UFW + Fail2ban + WireGuard + Bitwarden (password manager) as a pragmatic setup. Vault and Authentik can be retrofitted on growth. Most important point: no admin account without 2FA, no password reused.
When these tools do not suffice
Open-source security tools are a minimum baseline, not full protection. They do not help against: social engineering (the answer is staff training, not software), zero-day exploits in closed software (Defender/XDR and fast patching), targeted attacks with insider knowledge (regular pentests and threat modeling).
ClamAV on workstations is insufficient -- Windows Defender or a paid XDR (CrowdStrike, SentinelOne, Sophos Intercept-X) is required for employee PCs. Wazuh does not replace professional SOC monitoring (human in the loop) either -- it delivers data, not interpretation.
The tools presented here are all open-source and free in license, but not in operations. Whoever wants to run them without Linux DevOps experience needs either an external managed service partner or must build the capacity internally. Half-hearted setups (Vault installed but never integrated; CrowdSec without update routine) can be worse than nothing -- because they create security theatre that calms management without truly protecting.
Trade-offs
STRENGTHS
- CrowdSec: collaborative blocklist with 2M+ IPs, MIT-licensed
- WireGuard: 3-10x faster than OpenVPN, kernel-integrated
- Authentik: FIDO2 hardware keys against phishing and push bombing
- Lynis: 5-minute audit routine with 300+ checkpoints
- Vault: dynamic secrets with 1-hour TTL for DB access
WEAKNESSES
- Wazuh: 2-5 days setup, overkill below 20 staff
- Vault BSL: blocks commercial competition, OpenBao as OSS alternative
- ClamAV: insufficient on workstations, Defender/XDR required
- Open-source setups: software free, operations not -- 2-15h/month maintenance
- rkhunter: weak against kernel rootkits in 2026, only as second layer
FAQ
What does a minimum hardening setup cost in May 2026?
Software: zero francs in license. Hardware tokens (YubiKey 5C, 3-5 pieces) around CHF 250-400. Setup effort via external partner 3-5 days, around CHF 4500-7500. Running maintenance 2-4 hours per month (CHF 300-600 per month) incl. patch cycle. Total first 12 months: CHF 8000-13000 -- notably below the risk of a ransomware incident (median Swiss SME 2025: CHF 180000).
CrowdSec or Fail2ban?
For new installations in 2026 always CrowdSec. It shares threat intelligence from 2 million IPs and blocks attacks Fail2ban never sees. Fail2ban remains valid for minimalist single-service setups or as fallback when CrowdSec is rejected for license reasons (rarely the case -- CrowdSec is MIT-licensed).
Do I need Wazuh for a small fiduciary office?
Under 20 staff, no. CrowdSec plus Lynis delivers 80 percent of Wazuh functionality at 10 percent of the effort. Wazuh becomes sensible at 50+ staff, under an ISO 27001 duty, or in a regulated industry (FINMA, medical). Below that: a pragmatic stack with CrowdSec, regular Lynis audits, monthly security review.
Vault BSL license: a problem for SMEs?
For internal own use, no. BSL 1.1 forbids commercial competition (e.g. a hosting provider may not offer Vault as a sold service) but not deployment within your own operations. Whoever wants to remain on pure open-source picks OpenBao -- the Linux Foundation fork of Vault 1.14 under MPL-2.0. Functionally about 80 percent of Vault in 2026, sufficient for SMEs.