Linux Settings

Firewall

apt install ufw gufw(No need if it is a server)

ufw app list

ufw default deny incoming

ufw default allow outgoing

ufw allow ssh (No need if not a server)

ufw enable

ufw status

AppArmor

apt install apparmor apparmor-utils apparmor-profiles apparmor-profiles-extra

systemctl enable apparmor

systemctl start apparmor

aa-status

Kernel Support

cat /sys/module/apparmor/parameters/enabled

If it’s not enabled, check your GRUB configuration:

nano /etc/default/grub

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash apparmor=1 security=apparmor"

update-grub

reboot

Profiles Worth Enforcing

aa-enforce /etc/apparmor.d/usr.sbin.sshd

aa-enforce /etc/apparmor.d/usr.bin.man

aa-enforce /etc/apparmor.d/usr.bin.ping

aa-enforce /etc/apparmor.d/usr.sbin.cupsd

aa-enforce /etc/apparmor.d/usr.sbin.tcpdump

aa-enforce /etc/apparmor.d/usr.sbin.dnsmasq

aa-enforce /etc/apparmor.d/usr.sbin.ntpd

aa-enforce /etc/apparmor.d/usr.sbin.mysqld

apparmor_status

Fail2Ban

apt install fail2ban

systemctl enable --now fail2ban

Lynis

apt install lynis

lynis audit system

Install ClamAV Anti Virus

apt install clamav clamav-daemon

clamconf

dpkg-reconfigure clamav-freshclam

systemctl enable --now clamav-freshclam

freshclam

clamscan -r --bell -i /home/user/Downloads

RKHunter

apt install rkhunter

rkhunter --propupd

rkhunter --check --rwo

SSH

nano /etc/ssh/sshd_config

Change entries below

Protocol 2                     # Only allow SSHv2

PermitRootLogin no             # Disable direct root login

PasswordAuthentication no      # Only allow key-based login

AllowUsers username            # Only allow specific user(s)

ClientAliveInterval 180        # Disconnect inactive sessions

ClientAliveCountMax 2          # Optional: drop after ~6 minutes of inactivity

Port 2222                      # Optional: change SSH port from 22

restart

systemctl restart sshd

Turn Off IPv6

nano /etc/sysctl.conf

add line below

net.ipv6.conf.all.disable_ipv6 = 1

net.ipv6.conf.default.disable_ipv6 = 1

sysctl -p

Running Services & Network Ports

list active services

systemctl list-unit-files --type=service

disable services that you do not need

systemctl mask servicename

systemctl disable --now servicename

Check System Logs

journalctl -xe (Where whole system logs or current activity logs are available)

nano /var/log/auth.log (Authentication logs)

nano /var/log/kern.log (Kernel logs)

nano /var/log/boot.log (System boot log)

nano /var/log/utmp or /var/log/wtmp (Login records file)

Fonts

apt install fonts-ubuntu fonts-liberation fonts-dejavu-core fonts-noto-core fonts-noto-cjk fonts-noto-color-emoji ttf-mscorefonts-installer

# If it hangs, run: dpkg-reconfigure ttf-mscorefonts-installer

Gstreamer Codecs

apt install gstreamer1.0-plugins-base gstreamer1.0-plugins-good gstreamer1.0-plugins-bad gstreamer1.0-plugins-ugly gstreamer1.0-libav gstreamer1.0-vaapi

Codecs Extra

apt install ffmpeg libavcodec-extra faac flac wavpack x264 x265 libheif1 gdk-pixbuf2.0-bin

One Liner for All

apt update && apt install -y fonts-liberation fonts-dejavu-core fonts-noto-core fonts-noto-cjk fonts-noto-color-emoji ttf-mscorefonts-installer gstreamer1.0-plugins-base gstreamer1.0-plugins-good gstreamer1.0-plugins-bad gstreamer1.0-plugins-ugly gstreamer1.0-libav gstreamer1.0-vaapi ffmpeg libavcodec-extra faac flac wavpack x264 x265 libheif1 gdk-pixbuf2.0-bin && dpkg-reconfigure ttf-mscorefonts-installer

Install Conky

apt update

apt install -y conky-all curl lm-sensors smartmontools

Auto-Detect Hardware

# Detect network interfaces

ip link | grep -E '^[0-9]+: ' | awk -F': ' '{print $2}' | grep -v lo

# Detect battery

ls /sys/class/power_supply/ | grep -i bat

# Detect GPU

lspci | grep -i vga

Create Config Folder

mkdir -p ~/.conky

nano ~/.conky/conkyrc

Conky Settings (Paste this to conkyrc)

-- ================================================

-- Conky-Serdar 2025 – Full Color

-- ================================================

conky.config = {

    background = true,

    update_interval = 2,

    cpu_avg_samples = 2,

    net_avg_samples = 2,

    double_buffer = true,

    no_buffers = true,

    text_buffer_size = 4096,

    gap_x = 15,

    gap_y = 45,

    minimum_size = 260,

    maximum_width = 360,

    alignment = 'top_right',

    own_window = true,

    own_window_type = 'desktop',     -- Works on Wayland + X11

    own_window_transparent = true,

    own_window_hints = 'undecorated,below,sticky,skip_taskbar,skip_pager',

    use_xft = true,

    xftalpha = 0.9,

    font = 'DejaVu Sans:size=9',

    uppercase = false,

    default_color = 'DeepSkyBlue',

    color1 = 'Orange',

    color2 = 'Green',

    color3 = 'Red',

    color4 = 'Yellow',

    color5 = 'DDDDDD',

    color6 = 'AAAAAA',

    color7 = '888888',

    color8 = '666666',

    draw_shades = false,

    draw_outline = false,

    draw_borders = false,

    draw_graph_borders = true,

}

-- Auto-detect network & battery

local net_if = conky_parse('${if_up wlan0}wlan0${else}${if_up wlp3s0}wlp3s0${else}${if_up enp0s3}enp0s3${else}eth0${endif}${endif}${endif}')

local bat_name = conky_parse('${if_existing /sys/class/power_supply/BAT1}BAT1${else}BAT0${endif}')

conky.text = [[

${color1}${font DejaVu Sans Bold:size=16}${alignc}${time %H:%M}${font}

${color5}${font DejaVu Sans:size=10}${alignc}${time %a, %b %d, %Y}${font}

${color8}${stippled_hr 2}

${color4}SYSTEM${color8}

 ${color5}Uptime: ${uptime} ${alignr}${color5}Kernel: ${kernel}

 ${color6}${execi 600 lsb_release -ds | tr '[:upper:]' '[:lower:]'}

${color4}CPU${color8}

 ${color6}${execi 600 cat /proc/cpuinfo | grep 'model name' | head -1 | cut -d: -f2 | sed 's/^[ \t]*//'}${color8}

 ${color1}Temp: ${hwmon 1 temp 1}°C ${alignr}${color1}Load: ${cpu cpu0}%

${cpubar 6}

${color7}Core1: ${cpubar cpu1 6,85} ${color5}${cpu cpu1}% ${alignr}${cpu cpu2}%${cpubar cpu2 6,85} ${color7}:Core2

${color7}Core3: ${cpubar cpu3 6,85} ${color5}${cpu cpu3}% ${alignr}${cpu cpu4}%${cpubar cpu4 6,85} ${color7}:Core4

${color4}GPU${color8}

${color1}${execi 30 nvidia-smi -q -d temperature | grep 'GPU Current Temp' | awk '{print $5}' 2>/dev/null || echo "N/A"}°C

${color4}RAM${color8}

 ${color6}$mem / $memmax ${alignr}${color1}$memperc%

${membar 6}

${color4}SWAP${color8}

 ${color6}$swap / $swapmax ${alignr}${color1}$swapperc%

${swapbar 6}

${color4}DISK${color8}

${color5}Root: ${color1}${fs_used /}/${fs_size /} ${alignr}${color1}${fs_used_perc /}%

${fs_bar 6 /}

${color4}NET ${color8}${if_up ${net_if}}${addr ${net_if}}${endif}

${if_up ${net_if}}

${color7}Down: ${color2}${downspeed ${net_if}} ${alignr}Up: ${color3}${upspeed ${net_if}}

${color2}${downspeedgraph ${net_if} 30,170} ${alignr}${color3}${upspeedgraph ${net_if} 30,170}

${color7}Total: ${color2}${totaldown ${net_if}} ${alignr}${color3}${totalup ${net_if}}${endif}

${color4}PROCESSES${color8} ${goto 180}${color1}${execbar xdotool search --onlyvisible --class "xterm" windowkill || xterm -e htop &}

${color6}${top name 1}${alignr}${top cpu 1}% ${top mem 1}%

${color7}${top name 2}${alignr}${top cpu 2}% ${top mem 2}%

${color8}${top name 3}${alignr}${top cpu 3}%

${color4}BATTERY ${color1}${battery_percent ${bat_name}}%${endif}

${if_existing /sys/class/power_supply/${bat_name}}${battery_bar 6 ${bat_name}}${endif}

]]

Test It

conky -c ~/.conky/conkyrc

Autostart

GNOME (Wayland/X11)

mkdir -p ~/.config/autostart

nano ~/.config/autostart/conky.desktop

XFCE / MATE / LXDE

nano ~/.config/autostart/conky.desktop

Copy/Paste

[Desktop Entry]

Type=Application

Name=Conky

Exec=conky -c /home/$USER/.conky/conkyrc

X-GNOME-Autostart-enabled=true

NoDisplay=false

or Autostart (All DEs)

mkdir -p ~/.config/autostart

cat > ~/.config/autostart/conky.desktop << 'EOF'

[Desktop Entry]

Type=Application

Name=Conky System Monitor

Exec=conky -c ~/.conky/conkyrc

X-GNOME-Autostart-enabled=true

NoDisplay=false

EOF

apt install imagemagick

Put all the images into a folder sequentially numbered in the order then go to the Folder and type command  below

convert -compress jpeg * outputFile.pdf

for the current release use "stable" for semi-rolling release use "testing" for rolling release use "sid" Optional Packages = Multimedia repo, contrib, non-free

Update the Source List

nano /etc/apt/sources.list

Debian Main Repos

## Debian – Main Repos

deb http://deb.debian.org/debian/ stable main contrib non-free non-free-firmware

deb-src http://deb.debian.org/debian/ stable main contrib non-free non-free-firmware

## Security Updates

deb http://security.debian.org/debian-security stable-security main contrib non-free non-free-firmware

deb-src http://security.debian.org/debian-security stable-security main contrib non-free non-free-firmware

## General Updates

deb http://deb.debian.org/debian/ stable-updates main contrib non-free non-free-firmware

deb-src http://deb.debian.org/debian/ stable-updates main contrib non-free non-free-firmware

## Backports

deb http://deb.debian.org/debian/ stable-backports main contrib non-free non-free-firmware

deb-src http://deb.debian.org/debian/ stable-backports main contrib non-free non-free-firmware

Backports Installation

apt update

apt install -t stable-backports firefox

apt update && apt install -y gparted gpart ntfs-3g dosfstools mtools exfatprogs btrfs-progs jfsutils xfsprogs parted cfdisk fdisk testdisk photorec udisks2 fuse3 cryptsetup lvm2 mdadm smartmontools hdparm usbutils pciutils

nano /etc/default/grub

Boot menu timeout (seconds)

GRUB_TIMEOUT=3

Save last choice as default

GRUB_DEFAULT=saved

GRUB_SAVEDEFAULT=true

Optional: Hide menu (uncomment if you want it hidden)

# GRUB_TIMEOUT_STYLE=hidden

# GRUB_HIDDEN_TIMEOUT_QUIET=true

Update Grub

grub-mkconfig -o /boot/grub/grub.cfg

hostnamectl

hostnamectl set-hostname NAME

nano /etc/hosts

127.0.0.1    localhost NAME

apt install firmware-iwlwifi

iwlwifi firmware: failed to load iwl-debug-yoyo.bin (-2) error

nano /etc/modprobe.d/iwlwifi.conf

add the line below

options iwlwifi enable_ini=0

run

update-initramfs -u

nano /etc/lightdm/lightdm.conf

Show username

greeter-hide-users=false

greeter-show-manual-login=true

allow-guest=false

numlock on

apt install numlockx

add

greeter-setup-script=/usr/bin/numlockx on

Auto login

groupadd -r autologin

gpasswd -a username autologin

nano /etc/lightdm/lightdm.conf

add lines below

autologin-user=username

autologin-user-timeout=0

apt install minidlna

ufw allow 8200/tcp

ufw allow 1900/udp

ufw allow from 239.255.255.250 to any port 1900 proto udp

ufw status verbose

nano /etc/minidlna.conf

media_dir=V,/data/Media/Movies

media_dir=A,/data/Media/Music

# Auto-rescan on file changes (recommended)

inotify=yes

Restart the daemon for changes to take effect:

systemctl restart minidlna

systemctl enable minidlna

To rebuild the database use:

systemctl reload minidlna

apt install network-manager network-manager-gnome

Configure

nano /etc/NetworkManager/NetworkManager.conf

Copy/Paste

[main]

plugins=ifupdown,keyfile

dns=systemd-resolved

[ifupdown]

managed=false

Enable / Start

systemctl enable --now systemd-resolved

systemctl enable NetworkManager

systemctl restart NetworkManager

Fix DNS

rm -f /etc/resolv.conf

ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

apt install libreoffice-writer libreoffice-calc libreoffice-impress

apt install cups cups-pdf system-config-printer simple-scan

systemctl enable --now cups

cupsctl --remote-admin --remote-any --share-printers

Cups Address

http://localhost:631

apt install samba

samba -V

systemctl status nmbd

ufw allow Samba

ufw app info Samba

ufw status

cp /etc/samba/smb.conf ~/Documents smb_backup.conf

---------------------------------------------------

sync the system users to the Samba user database

apt install libpam-winbind

---------------------------------------------------

nano /etc/samba/smb.conf

workgroup = WORKGROUP

Private Share, add end of the file;

[User]

path = /Location/User

available = yes

browsable = yes

public = no

writable = yes

​read only = no

valid users = user1,user2

read list = user1,user2

write list = user1

---------------------------------------------------

Groups

groupadd family

usermod -aG family user1 (sudo deluser USER GROUP)

grep family /etc/group

Private Share, add end of the file;

[File]

comment = File

​path = /Location/Location

available = yes

​browsable = yes

public = no

​writable = no

​read only = yes

​valid users = @family

dpkg --get-selections > Packages.txt

Copy the Packages.txt to the computer that you want to install your saved packages.(Copy it to the Home Folder) 

dpkg --set-selections < Packages.txt

apt -u dselect-upgrade

apt-get install sudo

groupadd sudo

gpasswd -a username sudo

visudo /etc/sudoers

## Uncomment to allow members of group sudo to execute any command

 %sudo ALL=(ALL) ALL

dd if=/dev/zero of=/swapfile bs=1024k count=1024

(count=1024 for 1GB swap memory) 

(count=2048 for 2GB swap memory) 

(count=3072 for 3GB swap memory) 

(count=4096 for 4GB swap memory) 

chmod 600 /swapfile && mkswap /swapfile && swapon /swapfile 

nano /etc/fstab

(Add the line below at the end of the page, Save & Exit) 

/swapfile none swap sw 0 0

memory info

free -m

For Removing 

swapoff /swapfile

nano /etc/fstab

(Delete the Entry) 

/swapfile none swap sw 0 0

apt install apt-xapian-index && update-apt-xapian-index -vf

Software

Current Distribution & Version

cat /etc/issue

Linux Kernel Version

uname -r

All Kernel Details

uname -a

Packagename’s Version & Dependencies

apt-cache showpkg packagename

Processor

All Processors' Information

cat /proc/cpuinfo

Memory

Ram & Swap Information

cat /proc/meminfo

Free Memory

free -m

Graphics

Graphic Card, OpenGL info

glxinfo

Graphics Card Model

lspci | grep VGA

Graphics Card Vendor

glxinfo | grep vendor

Direct 3D Rendering?

glxinfo | grep direct

Supported Display Resolutions

xrandr

Audio

Audio Controller

lspci | grep Audio

Audio Device Information

aplay --list-devices

Networking

Ethernet Controllers

lspci | grep Ethernet

Networking Interfaces, IP Addresses

ifconfig

Hard Disks

All APrtitions' Information

fdisk -l

Partitions Mount Points

df -H

USB Devices

USB Devices' Information

lsusb

PCI Devices

lspci

Software for Hardware info

apt install hwinfo

hwinfo

Another Software

apt install lshw

lshw -html > System-Info.html

timedatectl list-timezones

timedatectl set-timezone America/Chicago

timedatectl

Wiping The Entire Disk

Writing 0

dd if=/dev/zero of=/dev/sdX bs=1M

Writing Random

dd if=/dev/urandom of=/dev/sdX bs=1M

alternative

shred -v -n1 -z /dev/sdX  dd if=/dev/urandom of=/dev/sdX bs=1M

Wiping Partitions

Writing 0

dd if=/dev/zero of=/dev/sdaX bs=1M

Writing Random

dd if=/dev/urandom of=/dev/sdaX bs=1M

Wiping the Master Boot Record (MBR)

dd if=/dev/zero of=/dev/sda bs=446 count=1

apt install vcdimager

vcdxrip -i /dev/sr0

Show Windows Key

strings /sys/firmware/acpi/tables/MSDM

Change password Win7

apt install chntpw

Go to Windows\System32\Config Right-click blank space and select Open in Terminal. 

chntpw -l SAM  > chntpw -u user_name SAM

 1>q>y

Install

apt install linux-headers-amd64

apt install zfsutils-linux

whereis zfs

fdisk -l

Create the Volume

USE SerialNumber-based IDs (Using mirroring)

ls -lh /dev/disk/by-id/

zpool create poolname mirror Serialnumber1 Serialnumber2

zpool status -v

Scrub

zpool scrub poolname

zpool status -v poolname

TRIM

zpool status -t poolname

autotrim property

zpool set autotrim=on poolname

Replace a Drive

zpool replace poolname GUID

ZFS import

zpool import -f poolname

zpool status

zpool online

Creating snapshots

zfs snapshot create poolname/filesystem@snapname

Listing snapshots

zfs list -t snapshot

Renaming snapshots

zfs rename poolname/filesystem@snapname poolname/filesystem@snapname

Deleting snapshots

zfs destroy poolname/filesystem@snapname

Rolling back a snapshot

zfs rollback -r poolname/filesystem@snapname

Creating a clone

zfs clone poolname/filesystem@snapname poolname/clone

Deleting clones 

(All clones of a snapshot must be deleted before the snapshot can be deleted.)

zfs destroy poolname/clone

Encryption

zfs create -o encryption=on -o keyformat=passphrase poolname/secret

zfs send poolname/data | zfs recv -o encryption=on -o keylocation=file:///path/to/my/raw/key backup/data

zfs mount -l poolname/secret