Tommaso Croce

⦿ about me | ✎ blog | [♫ music (wip)] | ▦ photos | ... more

• 15 Dec, 2025 *

Regarding the intentions I expressed in my previous post, I had to backtrack and confront my laziness.

Reinstalling another distro is something that occasionally appeals to me (distro-hopping, anyone?), but when it’s forced by malfunctions and security issues, it’s never fun. That’s why I decided to harden the various vulnerabilities mentioned in the post that sparked my reflection and keep Omarchy as if it were just another Arch derivative. After all, Omarchy is essentially Arch with heavy customizations and intentional security holes.

Here’s the list of tasks I completed after performing a full system update with Pacman:

• Enabled GPG signature verification for packages
• Activated UFW firewall (deny incoming, allow outgoing)
• Disabled SSH login as root
• Disabled SSH password authentication
• Installed and started Fail2Ban
• Installed and started auditd
• Verified and corrected permissions on /tmp and /etc/crontab
• Disabled systemd-resolved and the local DNS stub
• Manually set DNS with direct control of /etc/resolv.conf
• Disabled NetworkManager wait-online
• Reduced active systemd services at boot to the bare minimum
• Limited the use of sudo and elevated privileges
• Fixed permissions for Omarchy’s scripts and executable files
• Acknowledged that some Omarchy file modifications may be overwritten by updates
• Prepared, as a precaution, a "post-update" script to reapply changes in case of overwrites

For now, I’ll stick with Omarchy because its compatibility with my old MacBook Air 13" is genuinely excellent (even the webcam works, which isn’t a given) and because I don’t feel like going through the hassle of installing another full distro (even though I already have a USB ready with the latest version of Cybr Linux).

#cybersecurity #distro-hopping #it #linux #notebook #omarchy