Cli

You can shrink your Linux server’s attack surface in about 30 minutes. The recipe is simple. Harden SSH with Ed25519 keys, set up nftables with default-deny, turn on auto security updates, run auditd for kernel logs, and lock down accounts with faillock. A typical Lynis score jumps from 55-62 on a stock install to 75-84 after these changes.

Each section below takes 3-7 minutes. Work through it top to bottom on a fresh server. You will have a solid security baseline before your first app deploys, whether that is a database or a privacy-respecting analytics instance .

You can build a personalized Linux live USB image with your own packages, desktop, config files, and branding. Two tools cover this. Debian’s live-build runs on the command line and builds repeatable ISOs from config files, so it fits CI pipelines well. Cubic , the Custom Ubuntu ISO Creator, does the reverse: a GUI that opens an existing ISO, drops you into a chroot, then rebuilds it. Both make bootable ISOs you can flash with Ventoy , dd, or Balena Etcher .

Rust error handling in 2026 rests on four patterns. You use Result<T, E> with custom enums for libraries. You reach for thiserror to derive those enums with less boilerplate. You pick anyhow to pass errors up through application code. And you add miette or color-eyre for friendly diagnostic reports. The right choice depends on whether you write a library or an application. Most real Rust projects use both: thiserror in their library crates and anyhow in their binary crates.

Bubblewrap (bwrap) is a small, unprivileged tool that sandboxes untrusted Linux apps and CLI tools with no root and no SUID binary. You build the sandbox mount by mount, so you control exactly what a program can see. It’s the same engine Flatpak runs inside. There is no daemon and no container image.

This guide is built around Bubblewrap: sandboxing desktop apps, locking down CLI tools and build scripts, network isolation, and runtime overhead. It also weighs bwrap against Firejail , the friendlier SUID-root sandbox with 1,000-plus ready-made profiles. That way you can see which one fits your threat model.

Got a Lunar Lake laptop and went looking for Intel’s Arc Control app on Linux? It doesn’t exist. Intel only ships Arc Control for Windows. Linux users get a community tool instead: LACT , the Linux GPU Configuration and Monitoring Tool. It covers temperature, power limits, clock speeds, and voltage through a proper GUI. For live performance data, intel_gpu_top and nvtop handle the rest from the terminal.

Below: driver setup, LACT installation, CLI monitoring tools, power tuning, and the most common things that go wrong on a fresh install.

You can catch domain-specific anti-patterns that ESLint , Ruff , or golangci-lint miss by writing custom linter rules that parse your code into an Abstract Syntax Tree (AST), walk the tree to match specific node patterns, and report violations with auto-fix suggestions. The process is the same regardless of language: parse source into a tree, define the pattern you want to catch, walk the tree to find matches, and emit diagnostics. In JavaScript/TypeScript, this means writing an ESLint plugin with a visitor-pattern rule. In Python, you write a flake8 plugin using the ast module or a Ruff plugin in Rust. In Go, you use the go/ast and go/analysis packages.