{"id":18555873,"url":"https://github.com/ianonymous3000/popos-hardening-guide","last_synced_at":"2026-01-27T18:42:07.923Z","repository":{"id":215364767,"uuid":"738745181","full_name":"iAnonymous3000/popos-hardening-guide","owner":"iAnonymous3000","description":"A step-by-step guide to securing Pop!_OS Linux desktops. Covering system updates, user security, network hardening, disk encryption, and more, this guide is tailored for users looking to enhance their Pop!_OS security posture.","archived":false,"fork":false,"pushed_at":"2024-11-28T07:20:37.000Z","size":24,"stargazers_count":48,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-01T18:18:08.490Z","etag":null,"topics":["hardening-guides","popos","system76"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc-by-sa-4.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/iAnonymous3000.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"iAnonymous3000","liberapay":"Pr0f1nc0gn1t0"}},"created_at":"2024-01-04T00:20:28.000Z","updated_at":"2025-05-31T03:28:57.000Z","dependencies_parsed_at":"2024-11-28T08:36:33.683Z","dependency_job_id":null,"html_url":"https://github.com/iAnonymous3000/popos-hardening-guide","commit_stats":null,"previous_names":["ianonymous3000/popos-hardening-guide"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/iAnonymous3000/popos-hardening-guide","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iAnonymous3000%2Fpopos-hardening-guid
e","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iAnonymous3000%2Fpopos-hardening-guide/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iAnonymous3000%2Fpopos-hardening-guide/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iAnonymous3000%2Fpopos-hardening-guide/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/iAnonymous3000","download_url":"https://codeload.github.com/iAnonymous3000/popos-hardening-guide/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/iAnonymous3000%2Fpopos-hardening-guide/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28818727,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-27T18:01:38.485Z","status":"ssl_error","status_checked_at":"2026-01-27T18:01:27.499Z","response_time":168,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hardening-guides","popos","system76"],"created_at":"2024-11-06T21:28:06.031Z","updated_at":"2026-01-27T18:42:07.885Z","avatar_url":"https://github.com/iAnonymous3000.png","language":null,"funding_links":["https://github.com/sponsors/iAnonymous3000","https://liberapay.com/Pr0f1nc0gn1t0"],"categories":[],"sub_categories":[],"readme":"# Pop!_OS Desktop Hardening 
Guide\n\nThis guide covers security hardening steps for beginner and intermediate Pop!_OS Linux desktop users. [Pop!_OS](https://pop.system76.com) is an Ubuntu-based distribution from System76, focusing on reliability, speed, and security. \n\n## Introduction\n\nPop!_OS balances usability with security. However, production deployments require reducing the attack surface through:  \n\n- Service hardening\n- Disk encryption  \n- Access controls\n- Frequent software updates\n- Application sandboxing\n\nThis guide helps harden Pop!_OS desktops by covering those key areas.  \n\n**Target Audience**: Linux beginners to intermediate administrators securing desktop systems.\n\n**Contents**:\n\n- [System Updates](#system-updates)\n- [User Accounts](#user-accounts)\n- [Service Hardening](#service-hardening) \n- [Network Hardening](#network-hardening)\n- [Disk Encryption](#disk-encryption)\n- [Additional Hardening](#additional-hardening) \n- [General Tips](#general-tips)\n- [Contributing](#contributing)\n\n## System Updates  \n\nKeep all software updated:\n\n```\nsudo apt update  \nsudo apt dist-upgrade\n```\n\n- Regularly review update logs to understand changes and potential issues.\n- Check the [Pop!_OS site](https://pop.system76.com/) weekly for updates   \n- Back up user data before major OS upgrades  \n- Reboot after kernel updates\n- If an upgrade fails, see the [Pop!_OS forum](https://chat.pop-os.org/landing#/) or ask the community  \n\nEnable automatic security updates:  \n\n```\nsudo dpkg-reconfigure -p low unattended-upgrades  \n```\n\nRelated Tutorials:\n\n- [Backing Up Your System](https://support.system76.com/articles/backup-files)\n- [Updating System Firmware](https://support.system76.com/articles/system-firmware)\n\n\n\nKeep accurate time using NTS (Network Time Security):   \n\n```\n# Review for at least 4 NTS peers, no clear IPs  \ncurl -o /tmp/chrony.conf https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf  \n\n# Apply after inspection passes  
\n# chrony must be installed first; on Pop!_OS (Ubuntu-based) its config is /etc/chrony/chrony.conf\nsudo apt install chrony\nsudo cp /etc/chrony/chrony.conf /etc/chrony/chrony.conf.orig \n# Install the copy that was reviewed instead of downloading it a second time\nsudo cp /tmp/chrony.conf /etc/chrony/chrony.conf   \n\n# Verify that 4+ sources are listed; chronyc sources marks the selected one with *\nsudo systemctl restart chrony  \nchronyc sources\nchronyc sourcestats   \n```\n\n\n\n## User Accounts   \n\nEnforce strong password policies:  \n\n```\nsudo apt install libpam-pwquality  \nsudo pam-auth-update --enable remember=5 rounds=65536\n```\n\n- 16+ characters, reuse after 5 passwords  \n- Increase computation cost for cracking   \n- Use 2FA like [ente auth](https://github.com/ente-io/auth)\n\nAudit and reduce excessive permissions:   \n\n```\nsudo grep -vE \"^(#|$)\" /etc/group | cut -d: -f1 | sort -u | less   \n```\n\n*Review user group assignments closely*   \n\nAuto-logout after 10 minutes of inactivity:   \n\n```  \nsudo nano /etc/lightdm/lightdm.conf\n# Set the following in the file:\n[Seat:*] \nautologin-user=\nautologin-session=  \nautologin-user-timeout=600\n```  \n\nAudit and remove unneeded accounts.\n\nFor remote access, set up passwordless SSH authentication using public keys instead of password authentication.\n\n## Service Hardening   \n\n**Unnecessary Services**: Debug, unused hardware, obsolete protocols  \n**Examples of Unnecessary Services**: Bluetooth, printing, sound, Thunderbolt, debug logging, SNMP, NFS\n\n\nDisable services:\n\n```\nsudo systemctl list-unit-files --state=enabled \nsudo systemctl disable \u003cservice\u003e\nsudo systemctl disable bluetooth.service cups.service pulseaudio.service\n```\n\nPrevent restarting:  \n\n```\nsudo systemctl mask \u003cservice\u003e   \n``` \n\n*Test changes safely before system-wide rollout*\n\n## Network Hardening   \n\nUse a firewall to filter access:\n\n```\nsudo ufw enable \nsudo ufw default deny incoming  \nsudo ufw default allow outgoing\n```\n\nCommon Unnecessary Open Ports: NETBIOS - 139, SNMP - 161, mDNS - 5353\n\nLimit exposed ports:  \n\n```\nsudo nmap localhost  \nsudo ufw deny \u003cunneeded_port\u003e\nsudo ufw deny 139\nsudo ufw deny 
161 \nsudo ufw deny 5353\n```  \n\nWhen on untrusted networks, use a commercial VPN with:\n\n- Strict no-logs policy\n- Strong data encryption   \n- Leak protection, custom DNS, etc.\n\nRelated Resources:\n\n- [Choosing a VPN Service](https://www.privacyguides.org/en/vpn/#criteria) \n- [Port Scanning with Nmap](https://nmap.org/book/port-scanning-tutorial.html)\n\n## Disk Encryption   \n\nUse LUKS to encrypt sensitive data:\n\n``` \nsudo apt install cryptsetup\n# luksFormat overwrites whatever is already on the target device\nsudo cryptsetup luksFormat /dev/\u003cdisk\u003e  \nsudo cryptsetup luksOpen /dev/\u003cdisk\u003e name\n```\n  \n- Can noticeably lower disk performance \n- Back up data before enabling encryption\n- Record passphrases/keys offline  \n\nFor user data, create an encrypted home partition separate from the OS:\n```\nsudo cryptsetup luksFormat /dev/\u003chome_partition\u003e\n```\n\nConsider performance impacts and recovery strategies for encrypted data.\n\n*Data is irrecoverable if encryption keys are lost*  \n\n\nRelated Resource:\n  \n- [Pop!_OS Disk Encryption](https://support.system76.com/articles/advanced-luks)\n\n\n## Additional Hardening  \n\n- **Important Note on Secure Boot**\n\u003e \n\u003e As of the current release, Pop!_OS does not support Secure Boot. Enabling Secure Boot may interfere with the boot process, leading to potential issues with accessing the BIOS setup.\n\u003e \n\u003e **Recommendation**:\n\u003e - Users should **disable Secure Boot** when using Pop!_OS to ensure a smooth operating experience.\n\u003e - For the most up-to-date information and detailed instructions, please refer to [System76's official documentation on installing Pop!_OS](https://support.system76.com/articles/install-pop).\n\n- Use application sandboxing tools like Firejail.\n- Install security tools such as antivirus and an IDS.\n- Antivirus: ClamAV (an open-source antivirus engine for detecting various malicious threats. 
It's a standard choice for Linux users due to its effectiveness and flexibility)\n\n#### Installation:\n\n```bash\nsudo apt install clamav clamav-daemon\n```\n\n#### Running a Scan:\n\nExecute a recursive scan with:\n\n```bash\nsudo clamscan -r /path/to/scan\n```\n\n#### Automating Virus Definitions Updates:\n\nEnable automatic updates for virus definitions:\n\n```bash\n# --now also starts the updater immediately instead of waiting for the next boot\nsudo systemctl enable --now clamav-freshclam.service\n```\n\n#### Considerations:\n\n- Schedule scans during low-usage times to minimize impact on system performance.\n- Regularly review scan logs for potential threats or false positives.\n\n------------------------------------------------------------------------------------------\n\n- Check logs/alerts for intrusion signs.\n- Keep system and firmware updated.\n- Perform security audits/training\n- Consider hardware security features like TPMs.\n- Refine BIOS/UEFI settings for security.\n- Manage user privileges through sudoers configuration for refined access control.\n\nAuditing Tools: Lynis, CIS-CAT Benchmark\n```\nsudo apt install lynis\n# Run as root so Lynis does not skip the tests that need privileges\nsudo lynis audit system\n```\n\n## General Tips \n\n- Avoid running as root; use `sudo` for privileges  \n- Practice safe web browsing habits\n- Use VPNs/firewalls on public networks \n- Back up data regularly and store offline  \n- Encrypt disks and enable full disk encryption  \n\n## Contributing  \n\nTo suggest improvements:\n- Open a clearly documented issue/PR\n- Follow Python style guides and test contributions  \n- Use commit messages like: \"$Area: Implement $feature\"\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fianonymous3000%2Fpopos-hardening-guide","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fianonymous3000%2Fpopos-hardening-guide","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fianonymous3000%2Fpopos-hardening-guide/lists"}