Hardening of Linux

Introduction

Despite the fact that Linux is Open Source and Linux it comes as a surprise that in the default installation are some hidden trackers and spy software.

Hardening

There is a script that will remove all malware. Originally written for Linux, but it can easily adopted for other distributions.

Ubuntu Secure

This script does:

System update and software upgrade
Amazon & advert web apps removing
AptUrl Removing ( tool, which gives possibilities to start installation by clicking on url, can be executed with js, which is not secure)
Guest session disable for LightDM
Remote login disable for LightDm
DNS encryption (dnscrypt-proxy)
I don't recommend this, hence my DNS server is not working with encryption.
apt -y remove dnscrypt-proxy
FireWall (UFW)
Antivirus (ClamAV)
Brute Force protection (Fail2Ban)
Basic Telemetry Removing (ZeitGeist) and unsecure libs and pre-installed software with high and potentional risks

Here is a version for rpm based systems:

#!/bin/bash

# This script removes telemetry and enhances system security on an RPM-based Linux distribution.

# System Up to Date:
sudo dnf -y update
sudo dnf -y upgrade
# ========

# Remove any pre-installed telemetry or unwanted software (no direct equivalents for `unity-lens-shopping` and `unity-webapps-common` on RPM-based systems):
# Remove pre-installed software that may be tracking or unwanted:
sudo dnf -y remove gnome-online-accounts
sudo dnf -y remove gnome-shell-extension-prefs
sudo dnf -y remove gnome-software
# ========

# Disable Guest session & remote login for LightDM (if LightDM is in use):
if [ -f /etc/lightdm/lightdm.conf.d/50-no-guest.conf ]; then
    sudo sh -c 'printf "[Seat:*]\nallow-guest=false\ngreeter-show-remote-login=false\n" > /etc/lightdm/lightdm.conf.d/50-no-guest.conf'
    sudo dnf -y remove lightdm-remote-session-freerdp
    sudo dnf -y remove lightdm-remote-session-uccsconfigure
fi
# ========

# Remove any equivalent telemetry-related packages:
# Note: zeitgeist is generally specific to Ubuntu/Debian, so we focus on similar tools on RPM systems.

# Remove `tracker`, a GNOME-based file indexing and search tool that collects metadata:
sudo dnf -y remove tracker
sudo dnf -y remove tracker-miners
sudo dnf -y remove tracker3
sudo dnf -y remove tracker3-miners

# Remove `gnome-usage`, a system resource monitor that could collect usage data:
sudo dnf -y remove gnome-usage

# Remove `PackageKit`, which can send data back to package servers:
sudo dnf -y remove PackageKit
# ========

# DNS encryption:
sudo dnf -y install dnscrypt-proxy
# ========

# FireWall (using firewalld):
sudo dnf -y install firewalld
sudo systemctl start firewalld
sudo systemctl enable firewalld
sudo firewall-cmd --permanent --set-default-zone=block
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
# ========

# ClamAV Antivirus Installation:
sudo dnf -y install clamav
sudo dnf -y install clamav-daemon
sudo systemctl enable clamav-daemon
sudo systemctl start clamav-daemon
# ========

# Fail2Ban installation (protects from brute force login):
sudo dnf -y install fail2ban
sudo systemctl enable fail2ban
sudo systemctl start fail2ban
# ========

# Remove other potentially problematic or unused packages:
# Removing `cups` if you don't need printer support:
# sudo dnf -y remove cups

# Remove `remmina` if you don't use it for remote connections:
# sudo dnf -y remove remmina

# Remove unnecessary GNOME components:
sudo dnf -y remove evolution
sudo dnf -y remove evolution-data-server
sudo dnf -y remove gvfs-fuse
sudo dnf -y remove vino  # VNC server (remote desktop sharing)
sudo dnf -y remove gnome-shell-extension-background-logo  # Fedora logo on desktop background
sudo dnf -y remove gnome-user-share  # Potentially shares user data over the network
sudo dnf -y remove libreport-plugin-bugzilla  # Automatic bug reporting to Bugzilla
sudo dnf -y remove abrt-addon-xorg  # Automatic bug reporting for Xorg
sudo dnf -y remove abrt-cli  # Command-line tool for automatic bug reporting
sudo dnf -y remove abrt-addon-ccpp  # Automatic bug reporting for C/C++ programs
sudo dnf -y remove abrt-addon-kerneloops  # Automatic bug reporting for kernel oopses
sudo dnf -y remove abrt-addon-pstoreoops  # Automatic bug reporting for pstore oopses
# ========

# Autoremove unnecessary dependencies:
sudo dnf -y autoremove

# ========

# Troubleshooting:
# If the internet does not work, try restarting dnscrypt-proxy:
#   sudo systemctl restart dnscrypt-proxy
# Also, the tool may use another port, detect the port in this output:
#   sudo ss -ntulp
# Then add the port to firewalld:
#   sudo firewall-cmd --permanent --add-port=[portnumber]/tcp
#   sudo firewall-cmd --reload
# ========

Set system time automatically

Set correct Timezone

Flush DNS Cache Unbuntu

Start / Stop /Restart BIND DNS Server

Hardening of Linux

Tutorial on ufw

Fix Error fwupd-refresh

Enable ssh login with a public key

Mount SAMBA shares

Check for open ports

Network browsing not working

Display IP address on Panel in Xfce

Biometrics: Fingerprint

Disable SELinux on Fedora

Create boot USB

Install PVE-VDIClient on Arch Linux

Install network scanner on Archlinux

Install xrdp

Install Cockpit and Firewalld on Debian 12

Install xrdp on Fedora 42

Install send mail service on Fedora

How to Disable SIP

Boot into recovery mode

MacOS - Flush DNS Cache

MacOS - Privacy hint / OCSP patch

Map a shared drive on MacOS

PVE - VM does not stop

PVE - No quorum error

PVE - Can't lock file

Installation of Thunderbird

Add Microsoft Outlook Account/Teams to Thunderbird

Webflow User Guide

Hardening of Linux

Introduction

Hardening

No Comments