Ultimate Guide to Hardening Linux: Boost Security & Privacy

Introduction

This guide explains how to maximize Linux security and privacy without focusing on performance or usability. All commands require root privileges and variables are shown with a leading $.

Choosing the Right Distribution

Avoid frozen package repositories.

Prefer distributions that do not use Systemd.

Use musl as the default C library for a smaller attack surface.

Prefer LibreSSL over OpenSSL.

Gentoo provides the most configurable hardening options; Void Linux with musl is a good compromise.

Kernel

The kernel is the most attack‑prone component. Harden it wherever possible.

Stable vs LTS Kernel

Stable kernels contain all security fixes but have a larger attack surface due to new features. LTS kernels have fewer features and a smaller attack surface, though they may lack some recent fixes. Use the newest LTS branch (e.g., 4.19) when possible.

Sysctl Hardening

Use sysctl to configure kernel security settings. Example commands:

sysctl -w $tunable=$value

Kernel Self‑Protection

kernel.kptr_restrict=2

Hides kernel pointers from unprivileged processes. kernel.dmesg_restrict=1 Restricts access to the kernel log. kernel.printk=3 3 3 3 Limits kernel messages during boot.

kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2

Reduces the eBPF attack surface. dev.tty.ldisc_autoload=0 Prevents unprivileged loading of TTY line‑discipline modules. vm.unprivileged_userfaultfd=0 Limits the userfaultfd syscall to privileged processes. kernel.kexec_load_disabled=1 Disables the kexec system call. kernel.sysrq=4 Restricts SysRq key usage. kernel.unprivileged_userns_clone=0 Limits unprivileged user namespaces. kernel.perf_event_paranoid=3 Restricts performance events to privileged users.

Network Hardening

net.ipv4.tcp_syncookies=1

Mitigates SYN‑flood attacks. net.ipv4.tcp_rfc1337=1 Prevents TIME‑WAIT attacks.

net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

Enables source address verification.

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

Disables ICMP redirects. net.ipv4.icmp_echo_ignore_all=1 Ignores all ICMP echo requests.

net.ipv4.conf.all.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0

Disables source routing.

net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0

Disables IPv6 router advertisements.

net.ipv4.tcp_sack=0
net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0

Disables TCP SACK.

Boot Parameters

Pass secure boot parameters to the kernel. Examples:

slab_nomerge
slub_debug=FZ
init_on_alloc=1 init_on_free=1
page_alloc.shuffle=1
pti=on
vsyscall=none
debugfs=off
oops=panic
module.sig_enforce=1
lockdown=confidentiality
mce=0
quiet loglevel=0

These improve kernel self‑protection, disable debugging interfaces, and enforce module signing.

Reducing Kernel Attack Surface

Blacklist unnecessary kernel modules and filesystems, e.g.:

install dccp /bin/false
install sctp /bin/false
install rds /bin/false
install tipc /bin/false
install n-hdlc /bin/false
install ax25 /bin/false
install netrom /bin/false
install x25 /bin/false
install rose /bin/false
install decnet /bin/false
install econet /bin/false
install af_802154 /bin/false
install ipx /bin/false
install appletalk /bin/false
install psnap /bin/false
install p8023 /bin/false
install p8022 /bin/false
install can /bin/false
install atm /bin/false

Also blacklist rarely used filesystems (cramfs, freevxfs, jffs2, hfs, hfsplus, squashfs, udf) and drivers (vivid, bluetooth, btusb, uvcvideo).

RFKill

rfkill block all

Disables all wireless devices; use rfkill unblock wifi to re‑enable Wi‑Fi.

Other Kernel Pointer Leak Mitigations

Restrict access to /boot, /usr/src, and module directories, remove System.map, and limit journal access by removing users from the adm group:

gpasswd -d $user adm

Restricting sysfs Access

Use scripts such as Whonix’s hide‑hardware‑info to limit sysfs visibility, and create a systemd service to whitelist required services:

[Service]
SupplementaryGroups=sysfs

Linux Hardening Packages

Consider using hardened kernel packages (e.g., Arch’s linux‑hardened) or Grsecurity patches (commercial).

Kernel Runtime Guard (LKRG)

LKRG can detect runtime kernel compromises but is not a perfect solution.

Custom Kernel Compilation

Compile your own kernel with minimal modules and enable security‑focused options.

Memory Allocator Hardening

Use hardened_malloc via LD_PRELOAD or system‑wide /etc/ld.so.preload. Adjust kernel parameters such as vm.max_map_count=524240 to accommodate the allocator.

Compiler Hardening Flags

When building native C/C++ programs, use Clang with flags like -flto -fvisibility=hidden -fsanitize=cfi for control‑flow integrity, -fsanitize=shadow-call-stack (ARM64) or -fsanitize=safe-stack, and zero‑initialize variables with -ftrivial-auto-var-init=zero.

Memory‑Safe Languages

Prefer Rust, Swift, or Java for new code to avoid common memory‑corruption bugs.

Root Account Hardening

Securetty

Leave /etc/securetty empty to prevent root logins on consoles.

Limit su

auth required pam_wheel.so use_uid

Restrict su to the wheel group.

Lock Root Account

passwd -l root

SSH Root Login

PermitRootLogin no

Increase Password Hash Rounds

password required pam_unix.so sha512 shadow nullok rounds=65536

Restrict Xorg Root Access

needs_root_rights = no

Secure Root Editing

sudoedit $path_to_file

Firewall

Use a strict iptables or nftables policy that drops all inbound traffic by default and only allows necessary services.

Identity & Privacy

Use generic hostnames/usernames, set timezone to UTC, use generic locales, replace the machine ID with a generic value, and spoof MAC addresses (preserve OUI, randomize the device portion).

Time‑Based Attacks

Disable TCP timestamps ( net.ipv4.tcp_timestamps=0) and consider using the tirdad module for random ISNs.

Key‑Stroke Fingerprinting

Mitigate with tools like KeyTrac and Kloak which add random delays to keystrokes.

Sandboxing Applications

Prefer Bubblewrap with AppArmor/SELinux, or use gVisor for stronger isolation. Avoid Firejail. Container solutions like Docker/LXC are not sufficient for strong sandboxing.

Memory‑Safety Tools

Install additional entropy sources (haveged, jitterentropy) and disable CPU‑based RNG if untrusted ( random.trust_cpu=off).

Core Dumps

Disable core dumps via sysctl ( kernel.core_pattern=|/bin/false), systemd ( Storage=none), and ulimit ( * hard core 0). Also set fs.suid_dumpable=0 for set‑uid processes.

Swap

Reduce swap usage with vm.swappiness=1.

PAM Hardening

Enforce strong passwords with pam_pwquality and add login delay with pam_faildelay (e.g., delay=4000000).

Microcode Updates

Install CPU microcode packages from your distribution to patch Spectre/Meltdown.

IPv6 Privacy Extensions

net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2

Enable in NetworkManager or systemd‑networkd as appropriate.

Filesystem Mount Options

Use nodev, nosuid, and noexec where possible (e.g., /home, /tmp, /boot).

Entropy Sources

Install haveged or jitterentropy and load the jitterentropy kernel module.

Physical Security

Enable full‑disk encryption (dm‑crypt), set BIOS/UEFI passwords, disable unused boot options, keep firmware up‑to‑date, and protect bootloaders with passwords (GRUB, Syslinux, systemd‑boot). Use verified boot (UEFI Secure Boot plus Intel Boot Guard or AMD Secure Boot) and consider dm‑verity for OS verification.

USB & DMA Protection

Whitelist USB devices with USBGuard, optionally disable all USB ( kernel.deny_new_usb=1), and enable IOMMU ( intel_iommu=on amd_iommu=on) plus early PCI bus‑master disable ( efi=disable_early_pci_dma). Blacklist Thunderbolt and FireWire modules.

Cold‑Boot Attack Mitigation

Power off machines completely, consider soldered RAM, and rely on kernel zero‑on‑free and firmware reset mitigation where supported.

Best Practices

Remove unnecessary software to shrink attack surface.

Keep the system updated automatically.

Never disclose identifying information.

Follow general security and privacy recommendations.

Further Reading

Consult additional resources such as the Arch Linux Security wiki, Whonix documentation, NSA hardening guides, KSPP kernel settings, and the kconfig‑hardened‑check tool.