How I Hardened My Manjaro Laptop Against MAC and Fingerprint Leaks

Linux Hardening Against MAC and Fingerprint Leaks

Harden Linux against MAC and fingerprinting leaks by randomizing wifi MAC per connection, disabling IPv6, running DNS-over-TLS, hardening Firefox with resistFingerprinting, encrypting disk with LUKS, and rotating /etc/machine-id. This is the exact setup I run on my travel laptop.


Why does a nomad founder need this?

A laptop that bounces between coffee shops, hotels, coworking spaces, and airport lounges is constantly introducing itself to networks. The default posture leaks your real MAC address, your hostname, every domain you visit, your exact system clock, and enough browser-level quirks to re-identify you across sessions. For a founder running real businesses over public WiFi, that's not a theoretical risk. Every venue your laptop visits becomes another data point someone can correlate.

How do you randomize a MAC address on Linux?

Configure NetworkManager to clone a new locally-administered MAC for every connection. Create /etc/NetworkManager/conf.d/wifi.conf with wifi.scan-rand-mac-address=yes under [device], then wifi.cloned-mac-address=random, ethernet.cloned-mac-address=random, and connection.stable-id=${CONNECTION}/${BOOT} under [connection]. Then disable DHCP hostname broadcast with ipv4.dhcp-send-hostname=no and ipv4.dhcp-client-id=perconnection. Restart NetworkManager. Your hardware MAC never touches the air again.

Forget every saved network

Every SSID you've ever connected to lives in your NetworkManager profiles. Anyone with physical access — or any local exploit — can read that list and reconstruct your travel history across months. Delete the lot and let new connections inherit the hardened defaults. For a nomad laptop this is closer to essential than optional.
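The NetworkManager part of the two sections above as one script. This is an added example, not the post's own script: it writes the drop-in described above, checks that an interface is really on the air with a randomized MAC (locally-administered bit set and different from the driver's permanent address), and deletes every saved Wi-Fi profile. It assumes nmcli and ethtool are installed. One deviation from the text: for the DHCP client ID it uses NetworkManager's documented value "stable" (derived from connection.stable-id, so it rotates along with the MAC). Nothing touches the system unless HARDEN_APPLY=1 is set; the pure functions can be exercised on any machine.

```shell
#!/bin/sh
# Added example, not the post's own script: NetworkManager privacy drop-in,
# randomized-MAC check, and saved-profile wipe. Assumes nmcli and ethtool.
# System changes only happen when HARDEN_APPLY=1.

NM_CONF_DIR="${NM_CONF_DIR:-/etc/NetworkManager/conf.d}"

# Quoted heredoc delimiter: ${CONNECTION}/${BOOT} must reach the file
# literally; NetworkManager expands them (new stable-id per connection/boot).
write_nm_privacy_conf() {
    dir="${1:-$NM_CONF_DIR}"
    mkdir -p "$dir"
    cat > "$dir/wifi.conf" <<'EOF'
[device]
# Random MAC while scanning, before any profile is chosen.
wifi.scan-rand-mac-address=yes

[connection]
# Fresh locally-administered MAC for every connection and every boot.
wifi.cloned-mac-address=random
ethernet.cloned-mac-address=random
connection.stable-id=${CONNECTION}/${BOOT}
# Never hand the DHCP server a hostname.
ipv4.dhcp-send-hostname=no
ipv6.dhcp-send-hostname=no
# Client ID derived from stable-id, so it rotates with the MAC
# ("stable" is the documented value; used here for the post's setting).
ipv4.dhcp-client-id=stable
EOF
    printf '%s\n' "$dir/wifi.conf"
}

# Locally-administered bit is 0x02 of the first octet. Every randomized MAC
# carries it; burned-in (OUI-assigned) addresses do not.
mac_is_locally_administered() {
    first=$(printf '%s' "$1" | cut -d: -f1)
    case "$first" in
        ?[2367abefABEF]) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check: the MAC on the air must be locally administered AND differ
# from the permanent address the driver reports.
check_iface_mac() {
    iface="$1"
    cur=$(cat "/sys/class/net/$iface/address")
    perm=$(ethtool -P "$iface" 2>/dev/null | awk '{print $3}')
    if mac_is_locally_administered "$cur" && [ "$cur" != "$perm" ]; then
        echo "$iface: randomized ($cur)"
    else
        echo "$iface: HARDWARE MAC EXPOSED ($cur)"
        return 1
    fi
}

# Delete every saved Wi-Fi profile (SSID history and PSKs). Profiles created
# afterwards inherit the drop-in defaults above.
forget_saved_wifi() {
    nmcli -g UUID,TYPE connection show |
        awk -F: '$2 == "802-11-wireless" { print $1 }' |
        while read -r uuid; do nmcli connection delete uuid "$uuid"; done
}

if [ "${HARDEN_APPLY:-0}" = "1" ]; then
    write_nm_privacy_conf
    forget_saved_wifi
    systemctl restart NetworkManager
    for p in /sys/class/net/wl*; do
        [ -e "$p" ] && check_iface_mac "$(basename "$p")"
    done
fi
```

Run it with sudo HARDEN_APPLY=1 after reviewing; without that variable it only defines the functions, so you can source it and call check_iface_mac wlan0 on its own after every reconnect.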

Why disable IPv6 for privacy?

IPv6 addresses are easier to fingerprint than IPv4 because SLAAC can embed your MAC into the address. Privacy extensions mitigate this but add moving parts. If you don't actively need IPv6, disable it at the kernel level in /etc/sysctl.d/40-ipv6-disable.conf with net.ipv6.conf.all.disable_ipv6=1, then enforce it in NetworkManager with ipv6.method=disabled. One less protocol surface, one less fingerprint vector, zero loss of function.

How do you stop DNS leaks?

Route every DNS query through systemd-resolved with DNS-over-TLS, and tell NetworkManager to ignore DHCP-pushed DNS servers. In /etc/systemd/resolved.conf set DNS=1.1.1.2#security.cloudflare-dns.com, DNSOverTLS=yes, DNSSEC=allow-downgrade. Symlink /etc/resolv.conf to /run/systemd/resolve/stub-resolv.conf. Then add ipv4.ignore-auto-dns=true to the NetworkManager connection defaults so the router's resolver never gets used. Verify with resolvectl query example.com — the response should say "acquired via local or encrypted transport: yes".
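The DNS-over-TLS setup above, plus a leak audit, as an added example (not the post's own script). It writes the resolved.conf from the text, points /etc/resolv.conf at the stub resolver, and applies ipv4.ignore-auto-dns to each existing NetworkManager profile with nmcli (per-profile rather than via connection defaults, so it is known to take effect); it also sets the IPv6 section's ipv6.method=disabled in the same loop. The audit parses resolvectl status output and flags any per-link resolver that is not the configured one, which is exactly what a DHCP-pushed router resolver looks like. The resolvectl output used for the check is constructed; the MulticastDNS/LLMNR lines are this example's addition.

```shell
#!/bin/sh
# Added example, not the post's own script: systemd-resolved DoT config,
# per-profile ignore-auto-dns, and a resolver-leak audit. Assumes
# systemd-resolved and nmcli. System changes only when HARDEN_APPLY=1.

RESOLVED_CONF="${RESOLVED_CONF:-/etc/systemd/resolved.conf}"

write_resolved_conf() {
    file="${1:-$RESOLVED_CONF}"
    mkdir -p "$(dirname "$file")"
    cat > "$file" <<'EOF'
[Resolve]
# Resolver address plus the SNI name resolved validates the certificate with.
DNS=1.1.1.2#security.cloudflare-dns.com
FallbackDNS=
# Strict: never fall back to plaintext port 53.
DNSOverTLS=yes
DNSSEC=allow-downgrade
# Added here: multicast name lookups broadcast the hostname to the LAN.
MulticastDNS=no
LLMNR=no
EOF
    printf '%s\n' "$file"
}

# Reads `resolvectl status` on stdin. Fails (exit = number of findings) when
# DNSOverTLS is off globally or any "DNS Servers:" entry, global or per link,
# does not start with the expected resolver. A router address here means a
# DHCP-pushed resolver is in use.
audit_resolved_status() {
    awk -v want="$1" '
        /^Global/ { sec = "global" }
        /^Link /  { sec = $0 }
        /Protocols:/ && sec == "global" {
            if ($0 !~ /\+DNSOverTLS/) { print "DNSOverTLS is off globally"; bad++ }
        }
        /DNS Servers:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9a-fA-F.:]+(#.*)?$/ && index($i, want) != 1) {
                    print "unexpected resolver " $i " in " sec; bad++
                }
        }
        END { exit bad + 0 }'
}

# Reads `resolvectl query` output on stdin; true only for encrypted transport.
query_was_encrypted() {
    grep -q 'acquired via local or encrypted transport: yes'
}

# Constructed sample: a link still using the router's resolver.
SAMPLE_STATUS_LEAKING='Global
         Protocols: -LLMNR -mDNS +DNSOverTLS DNSSEC=allow-downgrade/supported
Current DNS Server: 1.1.1.2#security.cloudflare-dns.com
       DNS Servers: 1.1.1.2#security.cloudflare-dns.com

Link 3 (wlan0)
         Protocols: +DefaultRoute -LLMNR -mDNS +DNSOverTLS DNSSEC=allow-downgrade/supported
       DNS Servers: 192.168.1.1'

apply_dns_hardening() {
    write_resolved_conf
    ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
    systemctl enable --now systemd-resolved
    systemctl restart systemd-resolved
    nmcli -g UUID connection show | while read -r uuid; do
        nmcli connection modify uuid "$uuid" \
            ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes ipv6.method disabled
    done
    systemctl restart NetworkManager
    resolvectl status | audit_resolved_status 1.1.1.2
    resolvectl query example.com | query_was_encrypted && echo "query: encrypted"
}

if [ "${HARDEN_APPLY:-0}" = "1" ]; then
    apply_dns_hardening
fi
```

After a reconnect, resolvectl status | audit_resolved_status 1.1.1.2 should print nothing and exit 0; any line naming a 192.168.x.x or 10.x.x.x resolver means the profile still accepts DHCP DNS.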

What Firefox settings block fingerprinting?

Flip privacy.resistFingerprinting=true in about:config. That single setting unifies your canvas hash, timezone, screen dimensions, user-agent, and font list with every other RFP user — you join a much larger crowd instead of standing out. Add privacy.trackingprotection.fingerprinting.enabled=true, privacy.partition.network_state=true, network.cookie.cookieBehavior=5, webgl.disabled=true, media.peerconnection.enabled=false (kills WebRTC local-IP leaks), network.trr.mode=3 pointed at a DoH endpoint, and network.http.http3.enable=false (HTTP/3 has its own distinct fingerprint). Do not pile on extensions — each one adds uniqueness. Install uBlock Origin and nothing else.
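The same prefs as a user.js, which Firefox re-applies at every start so nothing drifts back through about:config, together with an audit that reports any pref missing or set to another value. This is an added example, not the post's or Mozilla's code. It assumes the standard ~/.mozilla/firefox/profiles.ini layout with relative profile paths; the DoH endpoint for network.trr.uri is this example's choice (Cloudflare's security DoH URL, matching the 1.1.1.2 resolver used earlier), since the text only says "a DoH endpoint". The profiles.ini used in the check is constructed.

```shell
#!/bin/sh
# Added example, not the post's or Mozilla's code: install the post's
# anti-fingerprinting prefs as user.js and audit a profile for them.
# Assumes ~/.mozilla/firefox/profiles.ini with IsRelative=1 profiles.

# name=value per line; values are JS literals as they appear in user.js.
# network.trr.uri is this example's choice of DoH endpoint.
FF_PREFS='privacy.resistFingerprinting=true
privacy.trackingprotection.fingerprinting.enabled=true
privacy.partition.network_state=true
network.cookie.cookieBehavior=5
webgl.disabled=true
media.peerconnection.enabled=false
network.trr.mode=3
network.trr.uri="https://security.cloudflare-dns.com/dns-query"
network.http.http3.enable=false'

# Default profile from profiles.ini: an [Install*] section's Default= wins;
# otherwise the [Profile*] section carrying Default=1.
firefox_default_profile() {
    awk -F= '
        /^\[/ { sec = $0; next }
        sec ~ /^\[Install/ && $1 == "Default" { print $2; found = 1; exit }
        sec ~ /^\[Profile/ && $1 == "Path"    { path = $2 }
        sec ~ /^\[Profile/ && $1 == "Default" && $2 == "1" { fallback = path }
        END { if (!found && fallback != "") print fallback }
    ' "$1"
}

# Write user.js into a profile directory (created if missing).
write_user_js() {
    dir="$1"
    mkdir -p "$dir"
    printf '%s\n' "$FF_PREFS" | awk -F= '{
        name = $1; sub(/^[^=]*=/, "")
        printf "user_pref(\"%s\", %s);\n", name, $0
    }' > "$dir/user.js"
    printf '%s\n' "$dir/user.js"
}

# Report every pref that is absent or has a different value in FILE
# (user.js or prefs.js). Exit status = number of findings.
audit_firefox_prefs() {
    file="$1"; bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        name=${line%%=*}; value=${line#*=}
        if ! grep -qF "user_pref(\"$name\", $value);" "$file"; then
            echo "missing or wrong: $name (want $value)"
            bad=$((bad + 1))
        fi
    done <<EOF
$FF_PREFS
EOF
    return $bad
}

if [ "${HARDEN_APPLY:-0}" = "1" ]; then
    ini="$HOME/.mozilla/firefox/profiles.ini"
    profile="$(dirname "$ini")/$(firefox_default_profile "$ini")"
    write_user_js "$profile"
    audit_firefox_prefs "$profile/user.js" && echo "all prefs present in $profile"
fi
```

Close Firefox before running the apply step: prefs.js is rewritten on exit, and user.js is read on the next start. Re-run audit_firefox_prefs against prefs.js after that start to confirm the values actually landed.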

Why change your hostname?

Your hostname still leaks through mDNS, NetBIOS, SMB broadcasts, and DHCP if you haven't disabled it. A unique hostname like "ray-laptop" or "founder-thinkpad" is a persistent identifier across every network you join. Use a Windows-style default: hostnamectl set-hostname DESKTOP-XXXXXXXX with eight random uppercase alphanumerics. That's the largest hostname population on earth. Blend in, don't stand out.

What about NTP leaks?

The default systemd-timesyncd ships plaintext NTP packets to distro-branded pool servers every 60–1024 seconds. That's a liveness beacon, a distro identifier, and an MITM vector — an attacker can roll your clock to invalidate TLS certs or break 2FA. Replace it with chrony over NTS (Network Time Security: a TLS handshake negotiates keys that then authenticate every NTP packet). Install chrony, point it at time.cloudflare.com, nts.netnod.se, and ptbtime1.ptb.de with the nts flag, and your clock syncs over authenticated, tamper-evident channels to infrastructure that doesn't advertise your distro.
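The chrony switch as an added example (not the post's own script): it writes a chrony.conf with the three NTS servers from the text, swaps timesyncd for chronyd, and then verifies the result by parsing chronyc -N authdata, where a source is only healthy when its Mode is NTS and it holds cookies (Cook > 0, meaning the NTS-KE handshake succeeded). The server list is the post's; ntsdumpdir, makestep and the other directives are this example's choices, and the chronyc output used in the check is constructed. Config path assumes /etc/chrony.conf as on Arch-family systems.

```shell
#!/bin/sh
# Added example, not the post's own script: chrony over NTS in place of
# systemd-timesyncd, with an NTS health check. Assumes /etc/chrony.conf,
# the chronyd.service unit name and the chronyc tool.

CHRONY_CONF="${CHRONY_CONF:-/etc/chrony.conf}"

write_chrony_conf() {
    file="${1:-$CHRONY_CONF}"
    mkdir -p "$(dirname "$file")"
    cat > "$file" <<'EOF'
# NTS-protected sources only: the TLS handshake (NTS-KE) hands out keys and
# cookies, and every NTP packet is then authenticated with them.
server time.cloudflare.com iburst nts
server nts.netnod.se iburst nts
server ptbtime1.ptb.de iburst nts
# Keep NTS cookies across restarts so no fresh NTS-KE is needed at boot.
ntsdumpdir /var/lib/chrony
driftfile /var/lib/chrony/drift
# Allow a large step during the first 3 updates so a badly-off RTC recovers.
# (If the RTC is years off, NTS-KE fails on certificate validity; chrony's
# nocerttimecheck directive exists for that case but weakens authentication.)
makestep 1.0 3
rtcsync
EOF
    printf '%s\n' "$file"
}

# Reads `chronyc -N authdata` on stdin (header, separator, then one row per
# source: Name Mode KeyID Type KLen Last Atmp NAK Cook CLen). Exit status is
# the number of sources that are not authenticated by NTS.
audit_nts_sources() {
    awk 'NR > 2 && NF >= 10 {
            if ($2 != "NTS")      { print $1 ": not NTS (mode " $2 ")"; bad++ }
            else if ($9 + 0 == 0) { print $1 ": NTS but no cookies, NTS-KE not done"; bad++ }
            else                  { print $1 ": ok (" $9 " cookies)" }
         }
         END { exit bad + 0 }'
}

# Constructed sample: one healthy source, one plain NTP pool, one NTS source
# whose key exchange has not completed.
SAMPLE_AUTHDATA_BAD='Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
=========================================================================
time.cloudflare.com          NTS     1   15  256  19m    0    0    8  100
pool.ntp.org                   -     0    0    0    -    0    0    0    0
ptbtime1.ptb.de              NTS     0   15  256    -    3    0    0    0'

apply_chrony_nts() {
    write_chrony_conf
    systemctl disable --now systemd-timesyncd
    systemctl enable --now chronyd
    sleep 5
    chronyc -N authdata | audit_nts_sources
}

if [ "${HARDEN_APPLY:-0}" = "1" ]; then
    apply_chrony_nts
fi
```

On a healthy setup every line of chronyc -N authdata | audit_nts_sources ends in "ok"; a source stuck at zero cookies usually means port 4460 (NTS-KE) is blocked by the venue's firewall, and chrony will simply not use it rather than fall back to plaintext.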

How do you reduce kernel-level attack surface?

Drop a file in /etc/sysctl.d/50-kernel-harden.conf with kernel.kptr_restrict=2, kernel.dmesg_restrict=1, kernel.unprivileged_bpf_disabled=1, kernel.yama.ptrace_scope=2, kernel.kexec_load_disabled=1, kernel.perf_event_paranoid=3, and vm.unprivileged_userfaultfd=0. That blocks the common local-privilege-escalation primitives — kernel pointer leaks, ptrace snooping, unprivileged eBPF abuse, kexec rootkits, userfaultfd exploits — without breaking daily use. Do not set kernel.unprivileged_userns_clone=0: it breaks Firefox's sandbox, Flatpak, and several other apps that legitimately need user namespaces.
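The IPv6 and kernel sysctl drop-ins from the two sections above, plus an audit, as an added example (not the post's own script). The key set is the post's, with one addition labelled in the file: net.ipv6.conf.default.disable_ipv6, because the "all" key only covers interfaces that already exist when it is applied. The audit compares either the drop-in files (later files win, as sysctl itself resolves them) or the running kernel via /proc/sys against the expected values, and separately flags kernel.unprivileged_userns_clone=0 if any drop-in sets it, since the text warns that breaks Firefox and Flatpak.

```shell
#!/bin/sh
# Added example, not the post's own script: write the sysctl drop-ins and
# audit files or the running kernel against them. Key set is the post's
# except where a comment says otherwise. System changes only when HARDEN_APPLY=1.

SYSCTL_DIR="${SYSCTL_DIR:-/etc/sysctl.d}"

# "default" added here: "all" only affects interfaces present at apply time.
IPV6_SYSCTLS='net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1'

KERNEL_SYSCTLS='kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.unprivileged_bpf_disabled=1
kernel.yama.ptrace_scope=2
kernel.kexec_load_disabled=1
kernel.perf_event_paranoid=3
vm.unprivileged_userfaultfd=0'

# Settings that must not appear: they break user-namespace sandboxes.
FORBIDDEN_SYSCTLS='kernel.unprivileged_userns_clone=0'

write_sysctl_dropins() {
    dir="${1:-$SYSCTL_DIR}"
    mkdir -p "$dir"
    printf '%s\n' "$IPV6_SYSCTLS"   > "$dir/40-ipv6-disable.conf"
    printf '%s\n' "$KERNEL_SYSCTLS" > "$dir/50-kernel-harden.conf"
    printf '%s\n' "$dir"
}

# Current value of a key in the running kernel (dots become path components).
running_sysctl() {
    cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null
}

# audit_sysctls files DIR   -> check the drop-ins in DIR (last definition wins)
# audit_sysctls running     -> check /proc/sys
# Exit status = number of missing, mismatched or forbidden settings.
audit_sysctls() {
    mode="$1"; dir="$2"; bad=0
    while IFS= read -r kv; do
        [ -n "$kv" ] || continue
        key=${kv%%=*}; want=${kv#*=}
        if [ "$mode" = running ]; then
            have=$(running_sysctl "$key")
        else
            have=$(cat "$dir"/*.conf 2>/dev/null |
                sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" | tail -n 1)
        fi
        if [ "$have" != "$want" ]; then
            echo "$key: want $want, have ${have:-<unset>}"
            bad=$((bad + 1))
        fi
    done <<EOF
$IPV6_SYSCTLS
$KERNEL_SYSCTLS
EOF
    if [ "$mode" = files ]; then
        while IFS= read -r kv; do
            if grep -qsx "[[:space:]]*${kv%%=*}[[:space:]]*=[[:space:]]*${kv#*=}" "$dir"/*.conf; then
                echo "FORBIDDEN: $kv is set (breaks Firefox sandbox and Flatpak)"
                bad=$((bad + 1))
            fi
        done <<EOF
$FORBIDDEN_SYSCTLS
EOF
    fi
    return $bad
}

if [ "${HARDEN_APPLY:-0}" = "1" ]; then
    write_sysctl_dropins
    sysctl --system >/dev/null
    audit_sysctls running && echo "running kernel matches the hardening set"
fi
```

A mismatch in running mode right after sysctl --system usually means a later file in /etc/sysctl.d or /usr/lib/sysctl.d overrides the key; audit_sysctls files /etc/sysctl.d shows which value wins on disk.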

What should you encrypt?

Every partition that touches disk. Check with lsblk — if / and /home aren't on crypto_LUKS, your disk is plaintext to anyone who steals the laptop. Swap must be encrypted separately, either via /etc/crypttab with a random key each boot or as a LUKS volume. Disable core dumps so they can't write memory contents — including keys and session cookies — to disk: mask systemd-coredump and set kernel.core_pattern=|/bin/false in sysctl.

Why rotate /etc/machine-id?

Systemd generates /etc/machine-id at install time and any unprivileged process can read it. It's a stable 32-character ID that identifies your specific install forever — more persistent than any cookie. Regenerate it with dd if=/dev/urandom bs=16 count=1 | od -An -tx1 | tr -d ' \n' > /etc/machine-id, keep /var/lib/dbus/machine-id as a symlink to it, then reboot. Anything that previously keyed off your machine-id now sees a brand new install.
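Both identifier rotations from the hostname and machine-id sections in one script, as an added example that is not the post's own code. It generates a DESKTOP-XXXXXXXX hostname (eight characters, as the text specifies), writes a fresh 32-hex-digit machine-id in the newline-terminated form systemd expects, validates it, and in apply mode also rewrites /etc/hosts, which hostnamectl does not touch and which otherwise leaves sudo complaining about an unresolvable hostname. Only the apply function needs root.

```shell
#!/bin/sh
# Added example, not the post's own script: rotate hostname and machine-id.
# Generators are pure; rotate_host_identity needs root and HARDEN_APPLY=1.

# DESKTOP- followed by N random uppercase alphanumerics (post uses 8).
random_windows_hostname() {
    n="${1:-8}"
    printf 'DESKTOP-%s\n' "$(LC_ALL=C tr -dc 'A-Z0-9' < /dev/urandom | head -c "$n")"
}

# 32 lowercase hex characters plus newline: the format /etc/machine-id uses.
new_machine_id() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
    echo
}

is_valid_machine_id() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

rotate_host_identity() {
    old_host=$(uname -n)
    new_host=$(random_windows_hostname)
    hostnamectl set-hostname "$new_host"
    # hostnamectl leaves /etc/hosts alone; a stale 127.0.1.1 entry there
    # makes sudo warn about an unresolvable hostname, so rewrite it too.
    sed -i "s/\b$old_host\b/$new_host/g" /etc/hosts
    id=$(new_machine_id)
    is_valid_machine_id "$id" || { echo "bad machine-id generated" >&2; return 1; }
    printf '%s\n' "$id" > /etc/machine-id
    ln -sf /etc/machine-id /var/lib/dbus/machine-id
    # The journal stores logs under /var/log/journal/<machine-id>/, so the old
    # id survives on disk in that directory name until it is removed.
    echo "hostname: $old_host -> $new_host; machine-id rotated; reboot now"
}

if [ "${HARDEN_APPLY:-0}" = "1" ]; then
    rotate_host_identity
fi
```

After the reboot, hostnamectl and cat /etc/machine-id should show the new values, and journalctl --list-boots will start from the new id; keep that in mind if you rely on older journal entries.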


Verdict

Do the MAC randomization, DHCP-hostname suppression, DoT, LUKS, and Firefox resistFingerprinting pass as a baseline — that's an afternoon of work and you've closed the loudest leaks. Add machine-id rotation, kernel sysctls, chrony NTS, and coredump masking if you travel or work from untrusted networks. A VPN is still the single biggest remaining win after all of this, because none of the local hardening hides your real IP from the rest of the internet. If your threat model is public WiFi at coffee shops and airports, this is the setup.

Frequently Asked Questions

Does MAC randomization break WiFi captive portals?

Sometimes. Captive portals often bind your session to your MAC, so a new random MAC on reconnect forces you to log in again. If that becomes painful at a specific venue, switch that one connection from "random" to "stable" in NetworkManager — stable gives you a consistent MAC per SSID without revealing your hardware MAC.

Is Firefox resistFingerprinting enough on its own?

Mostly. It unifies canvas, fonts, screen size, timezone, and user-agent so you match every other RFP user. It does not block tracker domains or third-party requests at the network level — for that, install uBlock Origin and enable the Privacy and Annoyances filter lists. Skip extra extensions beyond uBO, because each one adds uniqueness.

Do I need to disable IPv6 if I have privacy extensions enabled?

Only if you actively use IPv6 services. Privacy extensions (RFC 4941) rotate your IPv6 interface identifier on a schedule, which handles the MAC-embedding problem. If you don't use IPv6, fully disabling it removes a whole protocol stack from your attack surface with zero loss of functionality.

Why not just use a VPN or Tor and skip all this?

VPN and Tor protect your IP and encrypt transport, but neither hides your real MAC from the local WiFi, your hostname from mDNS broadcasts, your DNS queries from a hostile router, or your browser fingerprint from websites. Network-level privacy and host-level privacy are stacked layers — you want both.

Will kernel hardening sysctls break any normal app?

The set listed here won't. kernel.yama.ptrace_scope=2 means sudo is required to attach a debugger — fine on a personal laptop, mildly annoying on a developer machine. Avoid kernel.unprivileged_userns_clone=0, which breaks Firefox's sandbox, Flatpak, and any app that legitimately uses unprivileged user namespaces.

This is a personal travel-laptop setup on Manjaro Linux. Adapt to your distro and threat model — commands and config paths may differ slightly on Arch, Fedora, or Debian-family systems.