zr00t-1001/arch-linux-hardened-server
Arch Linux Hardened Server

A practical hardening guide for deploying an Arch Linux server with a reduced attack surface.

This repository documents a minimal security baseline using:

  • linux-hardened
  • nftables
  • OpenSSH hardening
  • Fail2Ban
  • kernel/network sysctl tuning
  • secure AUR usage with paru

Warning

Test firewall and SSH changes before closing your active session. A mistake in nftables or sshd_config can lock you out of a remote server.


Architecture

The baseline design is simple:

Internet
   │
   ▼
nftables firewall
   │
   ▼
Fail2Ban monitoring
   │
   ▼
OpenSSH key-only access
   │
   ▼
non-root administrative user
   │
   ▼
linux-hardened system

Documentation

Section              Description
Installation         Base Arch Linux installation and hardened-kernel preparation
nftables firewall    Default-deny inbound firewall configuration
SSH hardening        Key-only SSH, root login disabled, restricted users
Fail2Ban             Brute-force protection for SSH
sysctl hardening     Network/kernel security tuning
AUR security         Safer use of paru and AUR packages
Threat model         Assets, risks, mitigations, and assumptions

Repository Layout

.
├── README.md
├── docs/
│   ├── installation.md
│   ├── firewall-nftables.md
│   ├── ssh-hardening.md
│   ├── fail2ban.md
│   ├── sysctl-hardening.md
│   ├── aur-security.md
│   └── threat-model.md
├── configs/
│   ├── nftables.conf
│   ├── sshd_config.example
│   ├── jail.local
│   └── 99-hardening.conf
├── diagrams/
│   ├── architecture.svg
│   ├── firewall-flow.svg
│   └── ssh-security-flow.svg
└── screenshots/
    └── README.md

Security Goals

  • Drop unsolicited inbound traffic by default
  • Allow only required services
  • Protect SSH against brute-force attempts
  • Disable root SSH login
  • Prefer SSH keys over passwords
  • Keep firewall behavior predictable
  • Log blocked traffic for visibility
  • Use AUR packages with review and caution

Quick Start

Install core packages:

sudo pacman -Syu
sudo pacman -S base-devel linux-hardened-headers nftables openssh fail2ban sudo vim git logrotate

Enable services:

sudo systemctl enable nftables
sudo systemctl enable sshd
sudo systemctl enable fail2ban

Apply provided configs carefully:

sudo cp configs/nftables.conf /etc/nftables.conf
sudo cp configs/jail.local /etc/fail2ban/jail.local
sudo cp configs/99-hardening.conf /etc/sysctl.d/99-hardening.conf

sudo nft -f /etc/nftables.conf
sudo sysctl --system
sudo systemctl restart nftables
sudo systemctl restart fail2ban

Important

Do not blindly copy sshd_config.example over your real SSH config. Edit /etc/ssh/sshd_config manually and test from a second terminal before closing your existing session.
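The pre-flight check that the note above calls for, as an added example that is not part of this repository: it reads an sshd_config the way sshd does (the first value seen for a keyword wins, Match blocks are conditional) and passes only when the README's SSH baseline directives are in place. The two sample configs are constructed here, and `sshd -t` (the daemon's own syntax check) is still the final step before any restart.

```shell
#!/bin/sh
# Added pre-flight check, not part of the repository: confirms that an sshd_config
# enforces the README's SSH baseline before sshd is restarted. Assumed sshd semantics:
# keywords are case-insensitive, the FIRST value seen wins, so only the global section
# (everything before the first "Match" block) is inspected.

# sshd_effective FILE KEYWORD -> prints the effective global value in lowercase, or nothing.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }                  # skip comments and blank lines
        tolower($1) == "match"      { exit }                  # Match blocks are conditional: stop
        tolower($1) == key          { print tolower($2); exit }   # first occurrence wins
    ' "$1"
}

# expect_directive FILE KEYWORD EXPECTED REASON -> prints a finding, sets rc=1 on failure.
expect_directive() {
    got=$(sshd_effective "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "ok    $2 $3"
    else
        echo "FAIL  $2 is '${got:-<unset>}', expected '$3' ($4)"; rc=1
    fi
}

# check_sshd_hardening FILE -> returns 0 only when every baseline directive is in place.
check_sshd_hardening() {
    rc=0
    expect_directive "$1" PermitRootLogin no "log in as a normal user and escalate with sudo"
    expect_directive "$1" PasswordAuthentication no "key-only access removes the brute-force target"
    expect_directive "$1" KbdInteractiveAuthentication no "closes the keyboard-interactive password path"
    expect_directive "$1" PubkeyAuthentication yes "keys must stay enabled or nobody can log in"
    # An explicit AllowUsers list restricts which accounts may use SSH at all.
    if [ -n "$(sshd_effective "$1" AllowUsers)" ]; then
        echo "ok    AllowUsers is set"
    else
        echo "FAIL  AllowUsers is unset (any account may attempt SSH)"; rc=1
    fi
    return $rc
}

# Constructed sample configs (not real server files) to exercise the check.
tmp=$(mktemp -d)
printf '%s\n' '# stock-style config' 'PermitRootLogin yes' \
    'PasswordAuthentication yes' 'PubkeyAuthentication yes' > "$tmp/weak"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'KbdInteractiveAuthentication no' 'PubkeyAuthentication yes' 'AllowUsers admin' \
    'Match User backup' '    PasswordAuthentication yes' > "$tmp/hardened"
check_sshd_hardening "$tmp/weak"     || echo "weak config rejected, do not restart sshd"
check_sshd_hardening "$tmp/hardened" && echo "hardened config passes; now run: sshd -t"
```

Point it at a copy of your edited /etc/ssh/sshd_config, then run `sshd -t` for syntax and keep the second terminal open while restarting.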


Monitoring

View firewall rules:

sudo nft list ruleset

Follow blocked-packet logs:

sudo journalctl -f | grep nftables-drop

Check Fail2Ban:

sudo fail2ban-client status
sudo fail2ban-client status sshd

Check kernel:

uname -r

Disclaimer

This repository is an educational hardening baseline, not a guarantee of security. Review every command before running it, adapt the rules to your environment, and keep recovery access available when working on remote servers.

About

Security-focused Arch Linux hardening guide using nftables, SSH hardening and Fail2Ban.