A growing, documented collection of step-by-step guides and reference material I've built over years of architecting and deploying Linux environments, covering the tooling available for improving security and privacy.
The hands-on guides focus on Linux-based systems. The governance and standards topics (ISMS, ISO/IEC 27001, Shadow IT) are platform-agnostic and apply to any environment. Every guide is written to be followed end to end, carries a last verified date, and explains the reason behind each step, not just what to type.
|
Foundational server setup (identity, time, admin user, automatic updates, logging and audit, mandatory access control), sequenced with the other guides and mapped to CIS, NIST, and ISO 27001
|
|
Default-deny host firewall with firewalld, ufw, or nftables
|
Network-stack kernel parameters for anti-spoofing, redirects, and SYN-flood defense
|
|
Key-only SSH,
|
|
Encrypted DNS with DNS-over-TLS and DNSSEC validation via Quad9
|
MAC randomization and IPv6 privacy to limit device tracking
|
|
Self-hosted WireGuard VPN, full-tunnel or split-tunnel
|
|
TLS-terminating proxy with Let's Encrypt in front of a private backend on AWS
|
|
Scan and remediate against the CIS Benchmarks with OpenSCAP
|
|
Why unapproved tools undermine an ISMS, and how to manage them, mapped to ISO/IEC 27001:2022
|
A reference folder layout for an ISO/IEC 27001:2022 ISMS
|
The guides are written against published security frameworks and standards. See frameworks/ for the full list and official download links.
These topics are intended for this repository but are not written yet. They are listed so the direction is clear, not as available content.
Broader security & governance
- Infrastructure as Code (IaC) and automation
- DevOps and cloud security practices
- Cybersecurity fundamentals and threat management
- Governance, Risk, and Compliance (GRC)
- Information Security Management Systems (ISMS): full implementation guidance, building on the structure and Shadow IT topics already published
- ISO/IEC 27001: per-control deep dives and implementation guidance
Good security takes deliberate effort, and the technical and governance sides are usually treated separately. This repository aims to connect them:
- technical hardening and automation,
- security standards and benchmarks, and
- governance and risk management practices.
It is an early-stage, work-in-progress collection. The roadmap above shows where it is heading.
- File names use lowercase
kebab-case, named by topic (for example,host-firewall-hardening.md). Each guide covers all the distributions it supports in a single file, with per-distribution commands where they differ. guides/holds hands-on, step-by-step procedures.topics/holds conceptual and governance writing.- Every guide carries a Last verified date and the versions it was tested on, because security guidance goes stale.
Corrections and improvements are welcome. If a guide is outdated, inaccurate, or unclear, open an issue or a pull request. Please keep the existing structure and update the Last verified date when you re-test a guide.
These guides are provided as-is, without warranty, for educational purposes. They
involve administrative (sudo) changes to system configuration. Read each step,
understand what it does, and test on a non-critical system before applying it
anywhere important. You are responsible for changes you make to your own systems.
The content in this repository is licensed under Creative Commons Attribution 4.0 International (CC BY 4.0). You may share and adapt it, including commercially, with attribution to anoBytes Technology Solutions.
© 2026 anoBytes Technology Solutions