A safer hardening script for Linux Mint 22.x and Ubuntu 24.04 LTS desktops.
Linux Mint 22.x is based on Ubuntu 24.04, so this script targets the Ubuntu 24.04 package base.
- Updates the system
- Installs common security tools
- Enables UFW firewall
- Enables Fail2Ban
- Enables AppArmor
- Enables auditd
- Enables unattended upgrades
- Applies safe sysctl hardening
- Sets password quality rules
- Runs Lynis audit
- Runs RKHunter checks
- Creates backups before changing config files
- Logs everything to
/var/log/mint_hardening.log
By default, the script avoids changes that commonly break normal desktop use.
It does not disable Bluetooth, printing, Avahi, or SSH unless you ask it to.
Clone the repo:
git clone https://github.com/AmirIqbal1/hardening-debian.git
cd hardening-debianMake the script executable:
chmod +x mint_hardening.shRun the safe desktop baseline:
sudo ./mint_hardening.shRun with safe Lynis-style fixes applied automatically:
sudo ./mint_hardening.sh --apply-lynis-baselineFor a server/headless machine:
sudo ./mint_hardening.sh --server-mode --harden-ssh --apply-lynis-baselinePreview without changing anything:
sudo ./mint_hardening.sh --dry-run| Option | What it does |
|---|---|
--apply-lynis-baseline |
Applies safe extra changes commonly suggested by Lynis |
--server-mode |
Disables desktop/network convenience services such as CUPS, Avahi and Bluetooth |
--harden-ssh |
Applies stricter SSH settings if OpenSSH server is installed |
--dry-run |
Shows commands without making changes |
Lynis is an auditing tool, not a one-click automatic fixer. This script applies a safe baseline that commonly improves Lynis results, but it deliberately does not blindly apply every Lynis suggestion.
Some Lynis recommendations can break desktop usability, printing, local networking, Bluetooth, or SSH access.
Log file:
/var/log/mint_hardening.logBackups:
/root/mint-hardening-backups/sudo lynis audit system
sudo ufw status verbose
systemctl status fail2ban --no-pager
systemctl status apparmor --no-pager