Most ad blockers work per-app or per-browser. That means ads still slip through in other apps, games, and system-level telemetry. A better approach is to block ads and trackers at the DNS level — before the connection is even established.

This post explains how to set up AdGuard Home as a DNS server on a VPS, accessible only through a WireGuard VPN tunnel. The result: every device connected to your VPN gets network-wide ad blocking with zero client-side configuration beyond changing the DNS server.

Email was never designed to be private. By default, messages travel across the internet in plain text — readable by anyone in between. OpenPGP changes that by adding end-to-end encryption to email, so only you and your recipient can read the content.

This guide walks you through setting up OpenPGP email encryption on macOS using GPG Suite (GPGTools) and Apple Mail.

How OpenPGP Works

OpenPGP uses asymmetric cryptography — a pair of mathematically linked keys:

Most people reuse passwords. They know they shouldn’t, but managing dozens of unique, strong passwords without help is impractical. A password manager solves this — it generates, stores, and fills passwords for you, all protected by a single master password.

KeePassXC is a free, open-source, offline password manager. Unlike cloud-based alternatives like 1Password or Bitwarden, your passwords never leave your machine. There is no account, no subscription, and no server that could be breached. Just an encrypted file on your disk.

macOS has a reputation for being secure out of the box. And compared to some alternatives, it is. But the default settings leave plenty of room for improvement — especially when it comes to privacy.

This guide walks you through hardening your Mac, from disk encryption to app permissions. Most steps take just a few minutes and don’t require any technical expertise.

FileVault: Encrypt Your Disk

If someone steals your Mac, they can remove the disk and read your files — unless the disk is encrypted. FileVault encrypts your entire startup volume with XTS-AES-128 encryption.

A compact checklist for hardening a fresh Ubuntu 22.04 server. These steps cover the essentials — from SSH lockdown to automatic updates.

SSH

• Disable password authentication — use key-based auth only:

  PasswordAuthentication no
  

• Disable root login:

  PermitRootLogin no
  

• Restrict to IPv4 if you don’t need IPv6:

  AddressFamily inet
  

• Disable X11 forwarding:

  X11Forwarding no
  

• Reload after changes: sudo systemctl reload sshd

Firewall (UFW)

• Enable UFW and allow only what you need:

You’ve hardened your server — SSH keys, firewall, fail2ban, automatic updates. But how do you know what you missed? Lynis is an open-source security auditing tool that scans your system and tells you exactly where to improve.

What Lynis Does

Lynis performs hundreds of individual tests across your system: kernel settings, authentication, file permissions, network configuration, running services, and more. It produces a hardening index (0–100) and a list of concrete suggestions with references to specific controls.