Omarchy Hardening

A few weeks ago, I came across A Word on Omarchy which highlighted some security gaps in Omarchy’s default configuration. Things like LLMNR being enabled, UFW configured but not actually running, and relaxed login attempt limits.

The post resonated with me. Omarchy is a fantastic opinionated setup for Arch Linux with Hyprland, but like any distribution that prioritises convenience, some security defaults get loosened in the process. That’s not necessarily wrong, it’s a trade-off, but it’s worth knowing about.

So I built Omarchy Hardening.

What it does

It’s an interactive terminal script that walks you through five hardening options:

1. Disable LLMNR - Prevents name poisoning attacks on local networks
2. Enable UFW Firewall - For earlier Omarchy versions where UFW wasn’t enabled by default
3. Tailscale-only SSH - Restricts SSH to your Tailscale network, making it invisible to the public internet
4. Limit Login Attempts - Reduces failed attempts from 10 back to 3 before lockout
5. Configure Git Signing - Enables SSH commit signing for verified commits

Each option shows exactly what will change before you confirm. Nothing is selected by default.

A word of caution

The script opens with a warning, and I’ll repeat it here: you should not rely on automation to secure your system.

The best approach is to understand your distribution and make these changes yourself. Read the source code. Run the commands manually. This builds knowledge you’ll need when things go wrong.

The tool exists to demonstrate what these changes look like and to make them easier to apply consistently. But it’s not a substitute for understanding.

What’s next

If you’re curious about going further, the README includes a section on additional hardening steps. OpenSnitch is worth particular attention. It’s an application-level firewall that prompts you whenever a program tries to make a network connection. Educational and practical.

The code is on GitHub: dannymcc/omarchy-hardening