Lynis audit system package recommendation

I audit the system with lynis and it recommended following packages:

libpam-tmpdir, apt-listbugs, debian-goodies, debsecan, debsums, libapache2-mod-evasive, fail2ban, libapache2-mod-security2

I wouldnt recommend libapache2-mod-security2 because it broke my apache.
fail2ban would also be nice but it seem to have problems :

Fetched 421 kB in 1s (333 kB/s)            
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
serious bugs of fail2ban (→ 0.10.2-2.1) <Outstanding>
 b1 - #933749 - fail2ban: ever-growing fail2ban sqlite database
Summary:
 fail2ban(1 bug)
Are you sure you want to install/upgrade the above packages? [Y/n/?/...] y       
Selecting previously unselected package fail2ban.
(Reading database ... 507261 files and directories currently installed.)
Preparing to unpack .../fail2ban_0.10.2-2.1_all.deb ...
Unpacking fail2ban (0.10.2-2.1) ...
Selecting previously unselected package python3-systemd.
Preparing to unpack .../python3-systemd_234-3_amd64.deb ...
Unpacking python3-systemd (234-3) ...
Setting up fail2ban (0.10.2-2.1) ...
Created symlink /etc/systemd/system/multi-user.target.wants/fail2ban.service → /lib/systemd/sy
stem/fail2ban.service.
[fail2ban-tmpfiles.conf:1] Line references path below legacy directory /var/run/, updating /va
r/run/fail2ban → /run/fail2ban; please update the tmpfiles.d/ drop-in file accordingly.
update-rc.d: We have no instructions for the fail2ban init script.
update-rc.d: It looks like a network service! YOU SHALL NOT PASS!
insserv: Script ntp has overlapping Default-Start and Default-Stop runlevels (2 3 4 5) and (2 
3 4 5). This should be fixed.
insserv: Script ssh has overlapping Default-Start and Default-Stop runlevels (2 3 4 5) and (2 
3 4 5). This should be fixed.
insserv: warning: current start runlevel(s) (empty) of script `fail2ban' overrides LSB default
s (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `fail2ban' overrides LSB 
defaults (0 1 6).
insserv: Script ntp has overlapping Default-Start and Default-Stop runlevels (2 3 4 5) and (2 
3 4 5). This should be fixed.
insserv: Script ssh has overlapping Default-Start and Default-Stop runlevels (2 3 4 5) and (2 
3 4 5). This should be fixed.
Setting up python3-systemd (234-3) ...
Processing triggers for man-db (2.8.7-3) ...
Processing triggers for systemd (242-7) ...
Scanning application launchers
Updating active launchers
Done

So the question is could/should we add these packages?

fail2ban is for protecting publicly accessible web servers it’s not something most will have any need for.

Please understand what do you need, what did Lynis say instead of do everything it said blindly. Mod security is a waf for apache2 but it runs like a plugin (different from standalone WAF that can deployed outside network).
Fail2ban description:

Fail2ban monitors log files (e.g. /var/log/auth.log,
 /var/log/apache/access.log) and temporarily or persistently bans
 failure-prone addresses by updating existing firewall rules.  Fail2ban
 allows easy specification of different actions to be taken such as to ban
 an IP using iptables or hostsdeny rules, or simply to send a notification
 email.
1 Like

I have a similar situation.
Let’s just say, for the fun of it, that I wanted to take this scenario and change the runlevels. How would I go about doing so?
I have looked at other resources and cannot find an answer that works.
update-rc.d doesn’t help.
Would it be possible to change the runlevels for ntp ssh and fail2ban to stop the error messages?

wouldn` t it be better to disable the test (whitelisting)?

It might be, but, I would still like to know how to do it from the commandline just for the heck of it. I am looking to change the runlevel on several processes so I am interested in how to do that one thing and do it well…

by do it from the commandline, I mean just simply change the runlevels from the commandline…

I think I figured it out… Most of the sources I checked said change it in the process file in /etc/inittab but there is no such file in my filesystem…so, I did the same in init.d…hopefully that fixes it…