Transmitting DNS traffic unencrypted over the internet represents a significant security vulnerability. Additionally, modern operating systems and internet browsers have become increasingly bloated with unnecessary and potentially insecure components.
Historically, building Linux systems from source (such as Hardened Linux From Scratch) provided robust security. However, such approaches prove impractical for real-world enterprise or carrier-grade deployments due to the substantial effort required for stable, continuous updates and maintenance.
Experience has demonstrated that while established Linux distributions like Ubuntu offer numerous advantages, they also present significant security concerns and default configurations unsuitable for production environments without proper hardening.
This repository addresses these shortcomings by providing a comprehensive hardening solution for Ubuntu 25.10 workstation systems, enabling production-ready deployment within minutes.
Additional Resources:
- For detailed information about Hardened Ubuntu and NextDNS security configuration, see: Hardened Ubuntu NextDNS Security Guide
- 1. Abstract
- 2. Hardened Ubuntu 25.10 (Desktop)
- 3. Secure DNS Configuration with NextDNS
- 4. Installation Instructions
- 5. Automated USB Installation
- XServer-less, 100% Wayland architecture (GNOME 49)
- Enhanced service dependency management and customization (systemd)
- Significantly improved YAML-based auto-installation
- Hardware-based hard drive encryption using TPM 2.0+ (experimental)
Ubuntu 25.10 ships with several security-relevant features enabled by default that provide insufficient administrative control:
- Fully automated unattended upgrades
- Automated UEFI firmware updates
- Ubuntu FAN networking (VXLAN, UDP tunneling)
- Telemetry services (ubuntu-report, ubuntu-insights)
- SNAP package management system
- NetworkManager-controlled networking (non-netplan)
- HTTP-based mirror URLs (non-HTTPS)
Warning
Automated update processes combined with DNS poisoning attacks present severe security risks.
This repository provides comprehensive hardening configurations for default Ubuntu 25.10 Desktop installations, specifically designed for software development and workstation environments.
The solution aims to achieve an optimal balance between usability and security.
- Complete DNS traffic encryption using DNS-over-HTTPS (DoH), including shell traffic
- Strict IOMMU hardening
- Netplan-based network management
- USB attack protection via USBGuard
- Disabled multicast capabilities (including DNS resolution)
- Disabled kernel debugging
- Disabled core dumps
- Blacklisted unnecessary kernel modules (e.g., Intel ME)
- Firefox ESR from native repository (non-SNAP)
- Complete SNAP and snapd removal
- Global hardened Firefox configuration
- Disabled automated unattended upgrades
- Hardened global sysctl parameters
- Disabled Thunderbolt
- Disabled Internet Protocol version 6 (IPv6)
- systemd
- CUPS (printing system)
Tip
For systemd-free Linux distributions, consider Devuan (https://www.devuan.org/).
- Ubuntu 25.10 Desktop ISO image
- USB bootable installer (UNetbootin or Rufus)
- GPT-only mode enabled in Rufus for UEFI/Secure Boot configurations
- Optional: EFI partition encryption (Ubuntu 25.10 supports TPM 2.0)
- Local DHCP configuration with NTP option (DHCP option 42)
NextDNS represents a modern DNS security solution designed with privacy and security as primary considerations. It provides comprehensive DNS security with advanced filtering capabilities, including:
- Tracking site blocking
- Advertisement filtering
- Community-maintained security templates
The configuration prioritizes DNS-over-HTTPS (DoH) for all DNS queries.
- Active NextDNS account
- Secure SDNS stamp (available from NextDNS account dashboard)
- SDNS stamp configured in dnscrypt-proxy.toml template
To establish secure DNS infrastructure and prevent DNS-based attacks:
- Route all DNS traffic to NextDNS DoH servers
- Block unencrypted DNS queries to internal and external routers
- Verify DoH requests are directed to correct IP addresses
This section provides step-by-step instructions for installing and configuring the hardened Ubuntu 25.10 system.
The installation process consists of three main scripts that must be executed in sequence:
- installer-step1.sh - Initial system hardening (no network required)
- System reboot - Required to apply kernel and boot configurations
- installer-step2.sh - Network-dependent security components (requires network)
- DNS verification - Validate DNS-over-HTTPS functionality
- installer-step3.sh - Final package installation and user configuration
IMPORTANT: Before running any installer scripts, you must configure your system-specific parameters in config.sh.
Edit the configuration file with your environment settings:
# edit config.sh with your system configuration
vim config.shConfigure the following parameters:
# network interface configuration
export NET_IF_NAME=enp2s0 # NIC name
export NET_IF_MACADDRESS=12:34:56:78:9a:9b # interface MAC
export NET_IF_MTU=9000 # MTU size
# NextDNS configuration
export NEXTDNS_ID="abcdef" # NextDNS configuration ID
export NEXTDNS_STAMP="" # SDNS stamp
# kernel configuration
export KERNEL_DOMAIN_NAME="domain.name" # kernel domain name
# system users
export USER_IDS="user1 user2" # space-separated user IDs to processTo find your network interface name:
ip link showTo find your network interface MAC address:
ip link show <interface_name>The first installer script performs the initial hardening configuration. This script must be executed without network access to prevent potential security issues during configuration.
What it does:
- Patches Ubuntu mirror URLs to use HTTPS
- Configures static NextDNS addresses in
/etc/hosts - Sets up netplan network configuration
- Removes unwanted packages (avahi, bluez, telemetry services, etc.)
- Disables insecure system and D-Bus services
- Blacklists unnecessary kernel modules
- Configures system limits and sysctl parameters
- Sets kernel command line parameters in GRUB
Execute the script:
# clone or download the repository
git clone https://github.com/WEBcodeX1/hardened-ubuntu.git
cd hardened-ubuntu
# make sure config.sh is properly configured (see step 0)
# run the first installer script as root
sudo ./installer-step1.shAfter completion, reboot the system:
sudo rebootAfter rebooting, the second installer script must be executed. This script requires network access and will install base security requirements.
What it does:
- Updates and upgrades system packages
- Installs USBGuard for USB attack protection
- Installs dnscrypt-proxy for DNS-over-HTTPS
- Installs libnss-resolve for command-line DNS resolution
- Configures systemd-resolved to use local dnscrypt-proxy
- Configures dnscrypt-proxy with your NextDNS settings
- Disables and masks the dnscrypt-proxy-resolvconf service
Execute the script:
cd hardened-ubuntu
sudo ./installer-step2.shAfter installer-step2.sh completes, you must verify that DNS encryption is working correctly.
Check dnscrypt-proxy service status:
systemctl status dnscrypt-proxyThe service should be active (running) and show no errors.
Verify DNS resolution is working:
# test dns resolution
nslookup github.com
# check that dns queries are going through dnscrypt-proxy
sudo journalctl -u dnscrypt-proxy -n 50If the service is not running or shows errors, troubleshoot before proceeding to Step 4.
The final installer script installs additional packages and applies user-based security settings.
What it does:
- Updates and upgrades all system packages
- Installs essential packages (aptitude, intel-microcode, vim, kate, xterm, foot)
- Installs development tools (docker.io, build-essential, debhelper, pbuilder, devscripts)
- Installs applications (GIMP, OpenSC, VLC)
- Installs Firefox ESR from Mozilla repository (non-SNAP version)
- Applies global hardened Firefox configuration
- Removes SNAP desktop applications and icons
- Enables custom systemd security service
- Disables ubuntu-fan network service
Execute the script:
cd hardened-ubuntu
sudo ./installer-step3.shAfter completing all steps, your Ubuntu 25.10 system is hardened and ready for use. The system includes:
- Encrypted DNS traffic via DNS-over-HTTPS
- Enhanced security configurations
- Hardened kernel parameters
- Removed telemetry and unnecessary services
- USB attack protection
- Firefox ESR with security-focused configuration
For automated deployments, you can integrate the hardening scripts into a USB installation medium using Ubuntu's autoinstall feature.
The repository includes a template autoinstall configuration at /autoinstall/autoinstall.yaml. This file can be customized and integrated into an Ubuntu 25.10 installation ISO.
autoinstall:
version: 1
timezone: "Europe/Berlin"
locale: "en_US.UTF-8"
keyboard:
layout: de
variant: ""
toggle: null
identity:
realname: 'User Name'
username: userid
password: '$y$j9T$u2.Sxog5EGXbH1sqVnrVD.$Qi76Enig/FpDS92jEhxsa6fLSZh4KwOMSEqfr8TH8L.'
hostname: ubuntu
storage:
layout:
name: direct
kernel-crash-dumps:
enabled: false
shutdown: poweroff- Edit the autoinstall.yaml file with your specific settings:
vim autoinstall/autoinstall.yaml-
Customize the following parameters:
timezone: Your timezone (e.g., "America/New_York", "Europe/London")locale: Your system locale (e.g., "en_US.UTF-8", "de_DE.UTF-8")keyboard.layout: Your keyboard layout (e.g., "us", "de", "fr")identity.realname: User's full nameidentity.username: System usernameidentity.password: Encrypted password (generate with:mkpasswd -m yescrypt)identity.hostname: System hostnamestorage.layout: Disk partitioning layout
-
Generate encrypted password:
# install mkpasswd if not available
sudo apt-get install whois
# generate encrypted password
mkpasswd -m yescrypt-
Download Ubuntu 25.10 Desktop ISO from the official Ubuntu website.
-
Create the autoinstall ISO by adding your customized autoinstall.yaml:
# extract Ubuntu ISO
mkdir -p /tmp/ubuntu-iso /tmp/ubuntu-custom
sudo mount -o loop ubuntu-25.10-desktop-amd64.iso /tmp/ubuntu-iso
cp -rT /tmp/ubuntu-iso /tmp/ubuntu-custom
# add autoinstall configuration
mkdir -p /tmp/ubuntu-custom/autoinstall
cp autoinstall/autoinstall.yaml /tmp/ubuntu-custom/autoinstall/
# copy hardening scripts to ISO
mkdir -p /tmp/ubuntu-custom/hardening
cp *.sh *.conf *.toml *.yaml *.js /tmp/ubuntu-custom/hardening/
# create custom ISO
sudo apt-get install xorriso isolinux
cd /tmp/ubuntu-custom
sudo xorriso -as mkisofs -r -V "Ubuntu 25.10 Hardened" \
-o /tmp/ubuntu-25.10-hardened.iso \
-b isolinux/isolinux.bin -c isolinux/boot.cat \
-no-emul-boot -boot-load-size 4 -boot-info-table \
-eltorito-alt-boot -e boot/grub/efi.img \
-no-emul-boot -isohybrid-gpt-basdat .- Write the ISO to USB using tools like Rufus (Windows) or dd (Linux):
Using Rufus (Windows):
- Download Rufus from https://rufus.ie/
- Select your USB drive
- Select the custom ISO file
- Important: Set Partition scheme to "GPT" for UEFI/Secure Boot
- Click "Start"
Using dd (Linux):
# find your usb device
lsblk
# write the iso to usb (replace sdx with your usb device)
sudo dd if=/tmp/ubuntu-25.10-hardened.iso of=/dev/sdX bs=4M status=progress oflag=syncAfter the automated installation completes:
- If using late-commands automation, the hardening scripts are already in
/opt/hardening/:
cd /opt/hardening- If not using late-commands, copy the hardening scripts from the USB or download from the repository:
# if scripts are on the iso
sudo mount /dev/cdrom /mnt
cp -r /mnt/hardening ~/hardened-ubuntu
cd ~/hardened-ubuntu
# or clone from repository
git clone https://github.com/WEBcodeX1/hardened-ubuntu.git
cd hardened-ubuntu- Follow the manual installation steps starting from Step 0 (configure config.sh) through Step 4 to apply all hardening configurations.
For a fully automated installation, you can add late-commands to the autoinstall.yaml to run the hardening scripts automatically:
autoinstall:
version: 1
# ... other configuration ...
late-commands:
# copy hardening scripts from iso to target system
- curtin in-target -- mkdir -p /opt/hardening
- curtin in-target -- cp -r /cdrom/hardening/* /opt/hardening/
# run first installer step
- curtin in-target -- bash -c "cd /opt/hardening && ./installer-step1.sh"
# note: installer-step2.sh and installer-step3.sh require manual execution after rebootNote
Important: Due to the reboot requirement between installation steps and the need for DNS verification, it is recommended to run installer-step2.sh and installer-step3.sh manually after the initial automated installation and reboot. The hardening scripts will be available in /opt/hardening/ on the installed system.
