Start:
Create the script with `sudo nano fix.sh`, paste the contents below, save it, then run `sudo sh fix.sh`:
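#!/bin/bash
# fix.sh — one-shot hardening for an Arch-based KDE desktop: full update,
# disable LAN-discovery/bluetooth/ssh services, apply sysctl, modprobe and
# journald hardening, remove optional network-facing packages, enable
# ufw/AppArmor/fail2ban/auditd, mount /proc with hidepid=2 and take an
# rkhunter baseline.
#
# Usage: sudo sh fix.sh   (every step calls sudo itself, so running it as the
#        normal user also works).  The body is POSIX sh compatible.
# Best-effort by design: there is deliberately no `set -e`, so a step that does
# not apply on this machine (package not installed, unit missing) prints an
# error and the script continues.  Re-running is safe: every step is idempotent.
# sysctl drop-ins are applied at the end; fstab, kernel command line and module
# blacklist changes take full effect only after a reboot.
set -u

# The account whose desktop is being hardened.  Under `sudo sh fix.sh` $USER
# is "root", so prefer the invoking user that sudo records in SUDO_USER.
target_user=${SUDO_USER:-${USER:-$(id -un)}}
target_home=$(getent passwd "$target_user" | cut -d: -f6)

# write_conf PATH CONTENT — write CONTENT to PATH as root, replacing the file.
# CONTENT may contain \n escapes; '%b' expands them, so CONTENT is never used
# as the printf format string itself.
write_conf() {
  printf '%b' "$2" | sudo tee "$1" >/dev/null
}

# disable_mask UNIT... — stop, disable and mask each unit so that neither a
# dependency nor socket/D-Bus activation can bring it back.
disable_mask() {
  sudo systemctl disable --now "$@"
  sudo systemctl mask "$@"
}

sudo pacman -Syyu --noconfirm

# --- Services that advertise or expose the host on the LAN -----------------
disable_mask avahi-daemon.service avahi-daemon.socket   # mDNS / DNS-SD
disable_mask bluetooth.service
disable_mask obex.service                               # bluetooth file transfer
disable_mask sshd
sudo systemctl mask kexec.target                        # no kexec into another kernel

# --- systemd-resolved: no multicast name resolution ------------------------
sudo mkdir -p /etc/systemd/resolved.conf.d
write_conf /etc/systemd/resolved.conf.d/disable-llmnr.conf '[Resolve]\nLLMNR=no\n'
write_conf /etc/systemd/resolved.conf.d/disable-mdns.conf '[Resolve]\nMulticastDNS=no\n'

# --- Kernel and network sysctl drop-ins -----------------------------------
write_conf /etc/sysctl.d/99-stealth.conf 'net.ipv4.icmp_echo_ignore_all = 1\n'   # no ping replies
write_conf /etc/sysctl.d/99-disable-ipv6.conf 'net.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv6.conf.default.disable_ipv6 = 1\n'
write_conf /etc/sysctl.d/99-kptr.conf 'kernel.kptr_restrict = 2\n'       # hide kernel pointers from everyone
write_conf /etc/sysctl.d/99-dmesg.conf 'kernel.dmesg_restrict = 1\n'     # dmesg needs CAP_SYSLOG
# NOTE(review): kernel.unprivileged_userns_clone only exists on kernels that
# carry that patch (e.g. linux-hardened); on others sysctl reports an unknown
# key and skips it — confirm which kernel is installed.
write_conf /etc/sysctl.d/99-userns.conf 'kernel.unprivileged_userns_clone = 0\n'
write_conf /etc/sysctl.d/99-aslr.conf 'kernel.randomize_va_space = 2\n'
write_conf /etc/sysctl.d/99-fs.conf 'fs.protected_symlinks = 1\nfs.protected_hardlinks = 1\n'
write_conf /etc/sysctl.d/99-syn.conf 'net.ipv4.tcp_syncookies = 1\n'
write_conf /etc/sysctl.d/99-rpfilter.conf 'net.ipv4.conf.all.rp_filter = 1\n'
write_conf /etc/sysctl.d/99-martians.conf 'net.ipv4.conf.all.log_martians = 1\nnet.ipv4.conf.default.log_martians = 1\n'
write_conf /etc/sysctl.d/99-redirects.conf 'net.ipv4.conf.all.accept_redirects = 0\nnet.ipv4.conf.default.accept_redirects = 0\n'
write_conf /etc/sysctl.d/99-sendredirects.conf 'net.ipv4.conf.all.send_redirects = 0\nnet.ipv4.conf.default.send_redirects = 0\n'
write_conf /etc/sysctl.d/99-ptrace.conf 'kernel.yama.ptrace_scope = 2\n'  # only CAP_SYS_PTRACE may attach
write_conf /etc/sysctl.d/99-suid.conf 'fs.suid_dumpable = 0\n'
write_conf /etc/sysctl.d/99-fifos.conf 'fs.protected_fifos = 1\nfs.protected_regular = 1\n'
write_conf /etc/sysctl.d/99-kexec.conf 'kernel.kexec_load_disabled = 1\n'

# --- Kernel modules: DMA-capable buses, bluetooth, webcam ------------------
write_conf /etc/modprobe.d/blacklist-extra.conf 'blacklist firewire-core\nblacklist thunderbolt\nblacklist btusb\nblacklist bluetooth\nblacklist uvcvideo\n'

# --- sshd: masked above, this drop-in only matters if it is ever re-enabled -
# The directory is not guaranteed to exist, so create it first.  "Protocol 2"
# is a legacy SSHv1-era keyword; newer OpenSSH treats it as deprecated.
sudo mkdir -p /etc/ssh/sshd_config.d
write_conf /etc/ssh/sshd_config.d/hardening.conf 'PasswordAuthentication no\nPermitRootLogin no\nProtocol 2\nAllowAgentForwarding no\nAllowTcpForwarding no\nX11Forwarding no\n'

# --- journald: persistent, sealed, kept one month, not forwarded -----------
sudo mkdir -p /etc/systemd/journald.conf.d
write_conf /etc/systemd/journald.conf.d/hardening.conf '[Journal]\nStorage=persistent\nCompress=yes\nSeal=yes\nForwardToSyslog=no\nForwardToWall=no\nMaxRetentionSec=1month\n' && sudo systemctl restart systemd-journald
sudo systemctl mask systemd-coredump.socket
sudo systemctl mask systemd-journal-upload.service

# --- KDE MTP daemon (D-Bus activated) --------------------------------------
# Renaming the activation file stops it being auto-started; a package upgrade
# restores the file, so re-run this script afterwards.
# NOTE(review): the original wrote "ktmpd5" for the D-Bus file but "kmtpd5" for
# the unit; the unit spelling is used here — confirm the real file name in
# /usr/share/dbus-1/services before relying on this step.
dbus_svc=/usr/share/dbus-1/services/org.kde.kmtpd5.service
[ -e "$dbus_svc" ] && sudo mv "$dbus_svc" "$dbus_svc.disabled"
disable_mask kmtpd5.service   # errors harmlessly if no such systemd unit exists

# --- Clear the user's Firefox cache ----------------------------------------
# ~ would be /root under sudo, so use the resolved home; never fall back to
# an empty prefix, which would point at /.cache/mozilla.
if [ -n "$target_home" ]; then
  sudo rm -rf -- "$target_home/.cache/mozilla"
else
  printf 'warning: could not resolve home directory for %s; skipping cache removal\n' "$target_user" >&2
fi

# --- Optional packages with network-facing features ------------------------
# `pacman -R` just reports an error if a package is not installed; that is fine.
sudo pacman -R --noconfirm kdeconnect
sudo pacman -R --noconfirm vlc-plugin-sftp vlc-plugins-extra vlc-plugins-all
sudo pacman -R --noconfirm openvpn networkmanager-vpn-plugin-openvpn networkmanager-openvpn
# Install the tooling before configuring it: ufw itself comes in with gufw,
# so the firewall rules below would fail on a box that never had ufw.
sudo pacman -S --noconfirm gufw nvme-cli rkhunter fail2ban apparmor firejail audit

# --- Firewall ---------------------------------------------------------------
sudo ufw default deny incoming
sudo ufw default allow outgoing
# NB: with logging off, dropped packets leave no trace; `ufw logging low`
# keeps a minimal audit trail if detection matters more than quiet logs.
sudo ufw logging off
sudo ufw --force enable

# --- AppArmor, kernel lockdown and debugfs=off on the kernel command line ---
sudo systemctl enable --now apparmor
# Append each parameter to GRUB_CMDLINE_LINUX_DEFAULT only if it is not already there.
sudo sed -i '/^GRUB_CMDLINE_LINUX_DEFAULT=/ { /debugfs=off/! s/[\"'\'']$/ debugfs=off&/; /apparmor=1/! s/[\"'\'']$/ apparmor=1 security=apparmor&/; /lockdown=integrity/! s/[\"'\'']$/ lockdown=integrity&/ }' /etc/default/grub
sudo grub-mkconfig -o /boot/grub/grub.cfg

sudo systemctl enable --now fail2ban   # no jail is configured here; sshd is masked anyway
sudo systemctl enable --now auditd
sudo systemctl enable systemd-tmpfiles-clean.timer

# --- hidepid=2: users only see their own processes in /proc -----------------
sudo getent group proc >/dev/null || sudo groupadd proc
sudo usermod -aG proc "$target_user"
grep -q hidepid=2 /etc/fstab || printf '%s\n' "proc /proc proc defaults,hidepid=2,gid=proc 0 0" | sudo tee -a /etc/fstab >/dev/null
# systemd-logind must still see other users' /proc entries or user sessions
# break after the remount; grant it the proc group explicitly.
sudo mkdir -p /etc/systemd/system/systemd-logind.service.d
write_conf /etc/systemd/system/systemd-logind.service.d/hidepid.conf '[Service]\nSupplementaryGroups=proc\n'

# Apply all sysctl drop-ins now rather than waiting for a reboot; unknown keys
# are reported on stderr and skipped.
sudo sysctl --system >/dev/null

# --- Quick review: what is still running / listening ------------------------
sudo systemctl --type=service --state=running | grep -E "ssh|samba|nmb|smb|nfs|cups"
sudo ss -tulnp
# rkhunter: refresh its data files, run a full check, then record the
# post-hardening file properties as the baseline for future runs.
sudo rkhunter --update --check --versioncheck --enable all --disable none --rwo
sudo rkhunter --propupd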