How to Secure Linux

[JohnG]

1. Enable the firewall:

   1. List open ports: sudo lsof -i -P -n | grep LISTEN

   2. Allow only needed:

      sudo ufw allow 22/tcp     # Allow SSH connections
      sudo ufw allow 80/tcp     # Allow HTTP connections
      sudo ufw allow 443/tcp    # Allow HTTPS connections

      You can also restrict access to specific IP addresses or subnets:

      sudo ufw allow from 192.168.1.10 to any port 22  # Only allow SSH from this IP
      sudo ufw allow from 192.168.1.0/24 to any port 443 # Allow HTTPS from this subnet

   3. Verify Firewall Status: Check the firewall rules you've set:
      sudo ufw status verbose

2. sudo ufw enable
   

   UFW's default policy is to deny incoming connections and allow outgoing connections. This is generally what you want. Only open ports you explicitly need.
   
   Optional: Configure it to open only the necessary ports (if needed at all).

3. Remove any unnecessary preinstalled software.

4. Update the software to the latest versions:

   sudo apt update && sudo apt upgrade -y
   

5. Disable the printing service if it's not needed:

   sudo systemctl mask cups
   sudo systemctl mask cups-browsed
   

   Then, reboot the system.

   If you need it later, you can re-enable it:

   sudo systemctl unmask cups
   sudo systemctl unmask cups-browsed
   

   Then, reboot the system or run:

   sudo systemctl start cups
   

   or

   sudo systemctl start cups-browsed
   

   depending on your needs.

6. In all installed browsers:

   1. Enable the "HTTPS-Only" option, which disables unencrypted connections.

   2. Enable encrypted DNS (DoH).

   3. Disable third-party cookies.