Skip to content

AnomalousBytes/linux-security-guides

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

67 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Linux Security Guides

A growing, documented collection of step-by-step guides and reference material I've built over years of architecting and deploying Linux environments, covering the tooling available for improving security and privacy.

The hands-on guides focus on Linux-based systems. The governance and standards topics (ISMS, ISO/IEC 27001, Shadow IT) are platform-agnostic and apply to any environment. Every guide is written to be followed end to end, carries a last verified date, and explains the reason behind each step, not just what to type.

Guides (hands-on, step-by-step)

1. Host hardening

1.1 Server baseline configuration

Foundational server setup (identity, time, admin user, automatic updates, logging and audit, mandatory access control), sequenced with the other guides and mapped to CIS, NIST, and ISO 27001

Debian Ubuntu RHEL · CIS NIST ISO 27001

1.2 Host firewall

Default-deny host firewall with firewalld, ufw, or nftables

Fedora RHEL Ubuntu CachyOS · CIS NIST

1.3 Kernel sysctl hardening

Network-stack kernel parameters for anti-spoofing, redirects, and SYN-flood defense

Fedora RHEL Ubuntu CachyOS · CIS NIST

2. Remote access

2.1 SSH + fail2ban

Key-only SSH, sshd hardening, and fail2ban brute-force protection

Fedora RHEL Ubuntu CachyOS · CIS NIST

3. Network privacy

3.1 Secure DNS

Encrypted DNS with DNS-over-TLS and DNSSEC validation via Quad9

Fedora RHEL Ubuntu CachyOS

3.2 Wi-Fi privacy

MAC randomization and IPv6 privacy to limit device tracking

Fedora RHEL Ubuntu CachyOS

4. VPN

4.1 WireGuard VPN

Self-hosted WireGuard VPN, full-tunnel or split-tunnel

Fedora RHEL Ubuntu CachyOS · NIST

5. Web & TLS

5.1 nginx reverse proxy on AWS

TLS-terminating proxy with Let's Encrypt in front of a private backend on AWS

Ubuntu Amazon Linux 2023 · Mozilla TLS AWS Well-Architected OWASP ASVS

6. Compliance

6.1 CIS with OpenSCAP

Scan and remediate against the CIS Benchmarks with OpenSCAP

Fedora RHEL Ubuntu · CIS

Topics (concepts & governance)

7. Governance & ISMS

7.1 Shadow IT

Why unapproved tools undermine an ISMS, and how to manage them, mapped to ISO/IEC 27001:2022

ISO/IEC 27001

7.2 ISMS documentation structure

A reference folder layout for an ISO/IEC 27001:2022 ISMS

ISO/IEC 27001

Frameworks and standards

The guides are written against published security frameworks and standards. See frameworks/ for the full list and official download links.

Roadmap (planned)

These topics are intended for this repository but are not written yet. They are listed so the direction is clear, not as available content.

Broader security & governance

  • Infrastructure as Code (IaC) and automation
  • DevOps and cloud security practices
  • Cybersecurity fundamentals and threat management
  • Governance, Risk, and Compliance (GRC)
  • Information Security Management Systems (ISMS): full implementation guidance, building on the structure and Shadow IT topics already published
  • ISO/IEC 27001: per-control deep dives and implementation guidance

Why this repository?

Good security takes deliberate effort, and the technical and governance sides are usually treated separately. This repository aims to connect them:

  • technical hardening and automation,
  • security standards and benchmarks, and
  • governance and risk management practices.

It is an early-stage, work-in-progress collection. The roadmap above shows where it is heading.

Conventions

  • File names use lowercase kebab-case, named by topic (for example, host-firewall-hardening.md). Each guide covers all the distributions it supports in a single file, with per-distribution commands where they differ.
  • guides/ holds hands-on, step-by-step procedures. topics/ holds conceptual and governance writing.
  • Every guide carries a Last verified date and the versions it was tested on, because security guidance goes stale.

Contributing

Corrections and improvements are welcome. If a guide is outdated, inaccurate, or unclear, open an issue or a pull request. Please keep the existing structure and update the Last verified date when you re-test a guide.

Disclaimer

These guides are provided as-is, without warranty, for educational purposes. They involve administrative (sudo) changes to system configuration. Read each step, understand what it does, and test on a non-critical system before applying it anywhere important. You are responsible for changes you make to your own systems.

License

The content in this repository is licensed under Creative Commons Attribution 4.0 International (CC BY 4.0). You may share and adapt it, including commercially, with attribution to anoBytes Technology Solutions.

© 2026 anoBytes Technology Solutions

About

A collection of practical Linux hardening guides: secure DNS (Quad9, DoT, DNSSEC), networking privacy, and CIS Benchmarks using OpenSCAP for standards-based security auditing.

Resources

License

Stars

2 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors