A freshly installed Linux desktop is more private than Windows out of the box, but it still has gaps: Ubuntu uploads crash reports and usage data, every distribution resolves DNS in cleartext, most ship without a host firewall (Fedora enables firewalld, but its Workstation zone leaves every port above 1024 open), and the disk is unencrypted unless you asked for it during installation. These hardening steps turn a default Ubuntu, Fedora, or Debian installation into a privacy-respecting, attack-resistant daily driver.
1. Choose a Privacy-Respecting Distro Base
Fedora Workstation: SELinux enforcing by default, minimal telemetry (a DNF "countme" installation counter and nothing more), fast security patches. Debian Stable: minimal telemetry (popularity-contest is opt-in), conservative updates, AppArmor enabled by default since Debian 10. Ubuntu: larger default attack surface and some telemetry (crash uploads via apport and whoopsie, a one-time hardware report via ubuntu-report); remove it:
# Ubuntu: remove the telemetry and crash-reporting packages
sudo apt remove apport whoopsie ubuntu-report popularity-contest -y
# Optional: remove Snap. On Ubuntu 22.04 and later Firefox ships as a snap, so install it from
# Mozilla's apt repository or Flatpak first, or this command removes your browser with it.
sudo apt remove snapd -y
2. Enable Full Disk Encryption
Enable LUKS disk encryption during installation: it is the only reliable protection for data at rest if the machine is lost or stolen, and every major installer offers it as a checkbox during partitioning. The protection is only as strong as the passphrase, so choose a long one. Afterwards, lsblk -f should show a crypto_LUKS partition with the root filesystem inside it.
An existing unencrypted system can be converted in place with cryptsetup reencrypt --encrypt from a live USB, but the filesystem has to be shrunk first and any mistake destroys the data. Unless you have a verified backup and a strong reason not to reinstall, treat encryption as something you do on a fresh install.
3. Kernel Hardening via Sysctl
Add privacy and security-focused kernel parameters. The net.ipv4.conf.all.* keys cover the interfaces that exist when the file is loaded; the matching default.* keys are needed so that interfaces created later (Wi-Fi, VPN tunnels, container bridges) get the same settings:
sudo nano /etc/sysctl.d/99-hardening.conf
Add:
# Disable IP forwarding (this machine is not a router)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Enable SYN flood protection
net.ipv4.tcp_syncookies = 1
# Ignore ICMP redirects (a host on the same LAN could use them to reroute your traffic) and never send any
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Log packets with impossible source addresses ("martians")
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Disable IPv6 ONLY if your network is IPv4-only. On a dual-stack network this breaks
# connectivity and buys no privacy. Uncomment to use:
#net.ipv6.conf.all.disable_ipv6 = 1
#net.ipv6.conf.default.disable_ipv6 = 1
# Restrict dmesg to root (the kernel log leaks addresses and hardware details)
kernel.dmesg_restrict = 1
# Restrict ptrace: a process may only attach to its own descendants, so one compromised
# program cannot read another's memory with gdb or strace (Ubuntu's default; needs the Yama LSM)
kernel.yama.ptrace_scope = 1
# Setuid programs never write core dumps (a dump would contain their privileged memory)
fs.suid_dumpable = 0
# Full ASLR (already the kernel default; set explicitly so nothing lowers it)
kernel.randomize_va_space = 2
Apply this one file now, or run sudo sysctl --system to reload every drop-in in order, which is also how you notice a drop-in that sorts later and silently overrides you:
sudo sysctl -p /etc/sysctl.d/99-hardening.conf
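Loading the file is not the same as the settings being in effect: a typo, a later drop-in, or a missing LSM (kernel.yama.* does not exist if Yama is not loaded) all fail quietly. The script below is an added example, not part of the original page: it parses a sysctl drop-in and compares every key against what the running kernel reports via sysctl -n. Its exit status is the number of mismatching keys, so it can run from a cron job or a login script. The file name and the read_sysctl wrapper are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original page): check that every key in a sysctl
# drop-in is actually in effect on the running kernel.
# Usage: sh sysctl-audit.sh /etc/sysctl.d/99-hardening.conf
# Exit status = number of keys whose live value differs from the file (0 = all good).

# read_sysctl KEY: print the live value; fails if the key does not exist
# (e.g. kernel.yama.ptrace_scope when the Yama LSM is not loaded).
read_sysctl() {
  sysctl -n "$1" 2>/dev/null
}

# parse_sysctl_conf FILE: print "key value" lines, dropping comments and blanks.
# Whitespace around "=" is removed, but spaces inside multi-value settings
# (e.g. net.ipv4.ip_local_port_range) are kept.
parse_sysctl_conf() {
  sed -e 's/[#;].*//' \
      -e 's/^[[:space:]]*//' \
      -e 's/[[:space:]]*$//' \
      -e '/^$/d' \
      -e 's/[[:space:]]*=[[:space:]]*/ /' "$1"
}

# audit_sysctl FILE: print OK/MISMATCH per key; return the mismatch count.
audit_sysctl() {
  file=$1
  bad=0
  while read -r key want; do
    [ -n "$key" ] || continue
    got=$(read_sysctl "$key") || got="<unset>"
    # the kernel separates multi-value settings with tabs; normalise both sides
    got=$(printf '%s' "$got" | tr -s '\t ' ' ')
    want=$(printf '%s' "$want" | tr -s '\t ' ' ')
    if [ "$got" = "$want" ]; then
      printf 'OK       %s = %s\n' "$key" "$got"
    else
      printf 'MISMATCH %s: want %s, live %s\n' "$key" "$want" "$got"
      bad=$((bad + 1))
    fi
  done <<EOF
$(parse_sysctl_conf "$file")
EOF
  return "$bad"
}

# When run directly with a file argument, audit it.
if [ "$#" -gt 0 ]; then
  audit_sysctl "$1"
fi
```

A MISMATCH whose live value is "<unset>" means the key does not exist on this kernel at all, which is different from a wrong value; for the net.ipv6.* keys that happens when IPv6 is disabled on the kernel command line, for kernel.yama.* when Yama is absent.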
4. DNS Privacy: Enable DoH or DoT
Prevent your ISP, and anyone else on the local network, from seeing DNS queries. Two things matter more than which resolver you pick: the mode must be strict (DNSOverTLS=yes, not opportunistic, which silently falls back to plaintext), and the DHCP-supplied resolvers must be dropped, because systemd-resolved sends queries to per-link servers in parallel with the global ones.
systemd-resolved with DNS-over-TLS (present on Ubuntu and Fedora; Debian 12 needs the systemd-resolved package installed first)
sudo nano /etc/systemd/resolved.conf
[Resolve]
DNS=9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net
FallbackDNS=1.1.1.1#cloudflare-dns.com
DNSSEC=allow-downgrade
DNSOverTLS=yes
The hostname after # is what the TLS certificate is validated against, so keep it. DNSSEC=yes is stricter but fails hard on captive portals and networks that break DNSSEC; allow-downgrade validates wherever the upstream supports it.
sudo systemctl restart systemd-resolved
# Point resolv.conf at the resolved stub (already the default on Ubuntu and Fedora)
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
Then stop NetworkManager from handing the DHCP resolvers to resolved: set ipv4.ignore-auto-dns and ipv6.ignore-auto-dns to yes on each connection with nmcli connection modify, bring the connection up again, and confirm with resolvectl status that the only servers listed are the ones above and that the Protocols line shows +DNSOverTLS.
Local Pi-hole or AdGuard Home
For network-wide DNS filtering with DoH/DoT upstreams, run AdGuard Home. Its installer is a shell script fetched from GitHub; download it, read it, and only then run it rather than piping it straight from the network into sh:
curl -sSL -o AdGuardHome-install.sh https://raw.githubusercontent.com/AdguardTeam/AdGuardHome/master/scripts/install.sh
less AdGuardHome-install.sh
sh AdGuardHome-install.sh -v
AdGuard Home needs port 53, which systemd-resolved's stub listener already holds on 127.0.0.53: set DNSStubListener=no in resolved.conf, restart resolved, and point /etc/resolv.conf at AdGuard Home's address. Its setup wizard listens on port 3000 by default, so restrict that and the admin interface to the LAN in the firewall.
5. Firewall with UFW
UFW is a front end over iptables/nftables for Debian and Ubuntu. Fedora already runs firewalld; use that (or nftables directly) rather than stacking a second framework on top of it.
sudo apt install ufw
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw enable
# If you need remote access, allow SSH only from your LAN subnet (here 192.168.1.0/24), never from anywhere
sudo ufw allow from 192.168.1.0/24 to any port 22 proto tcp
# Check the effective rules
sudo ufw status verbose
For more granular control (connection rate limits, rate-limited logging, explicit ICMPv6 handling), use nftables directly. UFW and a hand-written nftables ruleset must not both be active, so run sudo ufw disable (or disable firewalld on Fedora) before loading your own ruleset.
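As an added example of what "nftables directly" looks like for a desktop (this ruleset is not from the original page), the file below implements the same policy as the UFW commands above, plus the pieces UFW does not expose as simply: ICMPv6 neighbour discovery so IPv6 keeps working, a rate limit on new SSH connections, and rate-limited logging of drops. The LAN prefix 192.168.1.0/24 and port 22 are placeholders to adjust.

```nft
#!/usr/sbin/nft -f
# Added example ruleset for a single desktop; not from the original page.
# Assumptions (placeholders): LAN is 192.168.1.0/24, SSH listens on tcp/22.
# Check syntax first:  sudo nft -c -f desktop.nft
# Load it:             sudo nft -f desktop.nft
# Persist it:          copy to /etc/nftables.conf and systemctl enable --now nftables
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept                       # loopback
        ct state established,related accept       # replies to connections we opened
        ct state invalid drop

        # ICMP is needed for path-MTU discovery; ICMPv6 additionally carries
        # neighbour discovery, without which IPv6 stops working entirely.
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # SSH only from the LAN, and at most 6 new connections per minute;
        # anything over the limit falls through to the log/drop below.
        ip saddr 192.168.1.0/24 tcp dport 22 ct state new limit rate 6/minute accept

        # Everything else: log a sample (rate-limited so a scanner cannot flood
        # the journal), count it, and drop.
        limit rate 5/minute log prefix "nft input drop: "
        counter drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;   # not a router
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

After loading, sudo nft list ruleset shows the live table with packet counters, and the "nft input drop:" lines appear in journalctl -k; a steady stream of them from one LAN address is worth a look.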
6. MAC Enforcement: AppArmor or SELinux
AppArmor (Debian/Ubuntu, enabled by default on both; the profile packages add coverage for more programs):
sudo apt install apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra
sudo systemctl enable --now apparmor
# Do not run aa-enforce on /etc/apparmor.d/*: that directory also holds abstractions, tunables and
# disabled profiles, and some shipped profiles are deliberately in complain mode because they
# break the program when enforced. List the complain-mode profiles and enforce them one at a time
# after testing the program:
sudo aa-status
sudo aa-enforce /etc/apparmor.d/<profile-from-the-complain-list>
Check status:
sudo aa-status   # how many profiles are loaded, and which are in enforce vs complain mode
SELinux (Fedora/RHEL, already enforcing by default):
# Verify enforcing mode
getenforce   # should print "Enforcing"; if it prints "Permissive", set SELINUX=enforcing in /etc/selinux/config and reboot
sestatus     # detailed status, including the loaded policy
7. Disable Unnecessary Services
# List enabled units (services, sockets, paths and timers can all start a daemon)
systemctl list-unit-files --state=enabled
# Disable what you do not use. --now also stops the unit, and the socket/path units must go
# too, or they re-activate the service on the first incoming request.
sudo systemctl disable --now bluetooth.service                    # if no Bluetooth devices
sudo systemctl disable --now cups.service cups.socket cups.path   # if no printer
sudo systemctl disable --now avahi-daemon.service avahi-daemon.socket   # mDNS/Bonjour; needed for .local names and printer discovery
sudo systemctl disable --now rpcbind.service rpcbind.socket       # NFS; disable if not using NFS
8. Secure SSH (If Applicable)
Only relevant if an SSH server is installed; a desktop that never needs remote access should have openssh-server removed instead. If you keep it:
sudo nano /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers yourusername
X11Forwarding no
MaxAuthTries 3
The old Protocol 2 directive is no longer needed: OpenSSH has spoken only protocol 2 since version 7.0 and newer releases ignore the keyword with a deprecation warning. On Debian and Ubuntu, sshd_config includes /etc/ssh/sshd_config.d/*.conf before its own settings, and the first value seen wins; cloud images ship a 50-cloud-init.conf there that turns password authentication back on, so check the effective values with sudo sshd -T | grep -i passwordauthentication and validate the syntax with sudo sshd -t before restarting. Keep your current session open until a fresh login works.
sudo systemctl restart ssh   # the unit is "ssh" on Debian/Ubuntu and "sshd" on Fedora
9. Privacy-Respecting Browser Setup
Install Firefox and harden it, or use LibreWolf, a Firefox build that ships with these changes already applied. On Ubuntu with snapd removed, install Firefox from Mozilla's own apt repository or as a Flatpak.
# Essential extensions
# uBlock Origin: content and tracker blocking
# Privacy Badger: tracker blocking (EFF); adds little on top of uBlock Origin's lists, and fewer extensions make a less distinctive browser
# LocalCDN: serve common JS libraries locally instead of fetching them from CDNs
# Firefox about:config tweaks (put them in user.js in the profile directory to survive updates)
# privacy.resistFingerprinting = true (reports a UTC timezone and a generic window size; expect some sites to misbehave)
# network.cookie.cookieBehavior = 5 (Total Cookie Protection: third-party cookies isolated per site; 1 blocks them outright and breaks more logins)
# geo.enabled = false (disable geolocation)
# media.peerconnection.enabled = false (disable WebRTC, which can reveal your local IP addresses; re-enable for video calls)
10. Automatic Security Updates
# Debian/Ubuntu (Ubuntu installs unattended-upgrades by default; on Debian add it)
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades
# Select "Yes"; this writes APT::Periodic::Unattended-Upgrade "1" to /etc/apt/apt.conf.d/20auto-upgrades.
# To see what it would install without doing it: sudo unattended-upgrade --dry-run -d
# Fedora
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic-install.timer   # the -install timer applies updates, not just downloads; tune /etc/dnf/automatic.conf
11. Audit Your Setup
# Listening sockets: anything bound to 0.0.0.0, [::] or a real interface address is reachable from the network
sudo ss -tulnp
# Processes with open network connections
sudo lsof -i -n -P
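Reading ss output by eye works once; a script that separates loopback-only listeners from network-reachable ones, and then subtracts the ports you meant to expose, is what you want to re-run after every package install. The block below is an added example, not from the original page. It reads ss -tulnH output (the -H flag drops the header line) from stdin, so it works on live or saved output; the sample output embedded in it is constructed for the demonstration, and the "22" allow-list is an assumption for a machine that intentionally runs SSH.

```shell
#!/bin/sh
# Added example (not from the original page): find listening sockets that are
# reachable from the network, then drop the ports you intend to expose.
#   live:    ss -tulnH | unexpected_listeners "22"
#   sample:  sh listeners.sh --sample
# Column 5 of `ss -tuln` output is the local address:port.

# Constructed sample of `ss -tulnH` output used for the demonstration:
# resolved's stub, avahi on all interfaces, CUPS on loopback, sshd on all
# interfaces, a web server on all IPv6 addresses, PostgreSQL on ::1.
SAMPLE_SS='udp   UNCONN 0 0   127.0.0.53%lo:53  0.0.0.0:*
udp   UNCONN 0 0         0.0.0.0:5353  0.0.0.0:*
tcp   LISTEN 0 128     127.0.0.1:631   0.0.0.0:*
tcp   LISTEN 0 128       0.0.0.0:22    0.0.0.0:*
tcp   LISTEN 0 511          [::]:80       [::]:*
tcp   LISTEN 0 128         [::1]:5432     [::]:*'

# exposed_listeners: from ss output on stdin, print "proto local-address:port"
# for every socket not bound to a loopback address (127.0.0.0/8 or ::1).
exposed_listeners() {
  awk '{
    lsock = $5
    addr = lsock; sub(/:[^:]*$/, "", addr)   # drop the port
    sub(/%.*/, "", addr)                     # drop an interface scope such as %lo
    if (addr ~ /^127\./ || addr == "[::1]") next
    print $1, lsock
  }'
}

# unexpected_listeners "22 80": like exposed_listeners, but hide the ports you
# intend to expose (space-separated), so only the surprises are printed.
unexpected_listeners() {
  exposed_listeners | awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    { port = $2; sub(/.*:/, "", port); if (!(port in ok)) print }'
}

case "${1:-}" in
  --sample)
    printf 'Unexpected network-reachable listeners in the sample (SSH allowed):\n'
    printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22"
    ;;
  --live)
    ss -tulnH | unexpected_listeners "${2:-}"
    ;;
esac
```

On the sample, exposed_listeners reports three sockets (mDNS on 5353, SSH on 22, the web server on 80) and unexpected_listeners "22" leaves two, which is exactly the list to take back to step 7: avahi to disable, and a web server you probably did not know was running.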
# Lynis security audit tool
sudo apt install lynis   # Fedora: sudo dnf install lynis
sudo lynis audit system
Lynis prints a hardening index plus specific warnings and suggestions for your configuration. Treat the index as a progress meter rather than a guarantee: it only covers what its tests know about, and a high score on a machine with an exposed, unpatched service is still an exposed, unpatched service.
Linux privacy hardening is iterative: start with disk encryption and the firewall, then add layers and re-run the audit after each one. Every step closes a real attack surface without requiring a complete security overhaul.