Differences between revisions 1 and 2
Revision 1 as of 2017-08-21 17:58:40
Size: 49152
Editor: Average-User-Prototype
Comment: It took me way too long to set it up; this guide should help reduce the time others need for it
Revision 2 as of 2017-08-21 20:07:04
Size: 49334
Editor: Average-User-Prototype
Comment:
Deletions are listed under "Removed", additions under "Added".
Line 248 (revision 1) / Line 248 (revision 2):
Added:
Note: at [[IntegratedIntrusionDetectionSystem]] work is ongoing to improve IDS!
Line 273 (revision 1) / Line 275 (revision 2):
Removed:
 * Inser the USB stick. Open it with dolphin and close dolphin again.
Added:
 * Insert the USB stick. Open it with dolphin and close dolphin again.
Line 318 (revision 1) / Line 320 (revision 2):
Removed:
 * GUFW is Debian's firewall GUI. Sadly it does not work properly when blocking outbound traffic. Hence it is recommended that you use iptables instead. But you could install it anyway and have it disabled.
Added:
 * G[[Uncomplicated Firewall (ufw)|UFW]] is Debian's GUI firewall. Sadly it does not work properly when blocking outbound traffic. Also it is not packaged with DVD-1. Hence it is recommended that you use [[iptables]] instead. But you could install it anyway and have it disabled.
Line 370 (revision 1) / Line 372 (revision 2):
Removed:
 * Run {{{sudo kate /etc/iptables/rules.v4}}} and copy the contents of /etc/iptables.conf into it
  * An exemplary iptables contents can be found here:
 * Run {{{sudo iptables-restore < /etc/iptables/rules.v4}}}
Added:
 * Run {{{sudo kate /etc/iptables/rules.v4}}} and copy the contents of {{{/etc/iptables.conf}}} into it
 * Run {{{sudo iptables-restore < /etc/iptables/rules.v4}}} or {{{sudo ip6tables-restore < /etc/iptables/rules.v6}}}
Line 377 (revision 1) / Line 378 (revision 2):
Removed:
 ** Use {{{sudo fuser -v portnumber/tcp}}} to find out which application is causing an open port
Added:
  * Use {{{sudo fuser -v portnumber/tcp}}} to find out which application is causing an open port
Line 478 (revision 1) / Line 479 (revision 2):
Removed:
 * Some special buttons of your input devices might not work. Typically you can use xbindkeys or the shortcuts to get them working.
Added:
 * Some special buttons of your input devices might not work. Typically you can use {{{xbindkeys-config}}} or the shortcuts to get them working.
Line 502 (revision 1) / Line 503 (revision 2):
Removed:
 * Use VirtualBox if you have to use a virtual machine (such as Windows if absolutely necessary)
Added:
 * Use [[VirtualBox]] if you have to use a virtual machine (such as Windows if absolutely necessary)

Introduction

This page aims to be(come) a step-by-step guide for setting up a personal computer with Debian from scratch to a fully configured system with high security, usability, convenience and privacy-protection.

It aims to be written in layman's terms without requiring any prior knowledge and is mainly aimed at Debian newcomers - especially those who switched to Debian to avoid the backdoors and malware of other operating systems (OS) and to gain control over their machines.

The steps don't need to be followed exactly - it is meant as an orientation to speed up and ease the setup to allow inexperienced GNU/Linux users and even casual computer users to get a fully free and open source (FOSS) operating system going by themselves. They can delve deeper once it is working. Ubuntu is not a solution.
It should not be split up as it aims to aggregate and summarize information for an all-in-one-place guide.

Much of this guide might be suboptimal or even false: please help by improving and correcting it. If you think it's not useful you can ignore it.

Goal

The difficulty of properly setting up Debian is keeping away many users. The ultimate goal of guides such as this is to bring about a worldwide mass-migration to 100% FOSS operating system and to increase cybersecurity of citizens and infrastructure.
Security and privacy are human rights. Nobody denies that there are valid reasons for surveillance and most understand that secure communication can also be problematic at times by unwittingly helping those who decrease the security of society. Those who harm or plan to harm society need to be confronted by society, in innovative ways and adequately. A fundamentally insecure society which also gives up its right to privacy in an intrusive way never possible before and allows for highly centralized, often or potentially AI-driven, control is already somewhat "lost". And cybercrime is not prevented by suppressing information and keeping everyone insecure but by building technically secure infrastructure and systems.
Widespread vulnerabilities, central control and mass-surveillance are a greater danger to society than ill-intentioned people using such information. Suppressing such information and obstructing citizens from gaining control over their machines and having them secured is not a solution.

Lengthy, incomplete, obscure, dispersed and sophisticated guides or even books that are only found and implementable by elitist/senior GNU/Linux users with much knowledge, interest and time are not a solution either.
This guide is not a solution either, but it could become part of one if it gets developed further, gets interconnected with potential Debian newcomers and is potentially built into setup wizards or the like.

Prior installation FAQ

What is GNU/Linux?
A "Unix-like" operating system that is free and open source. Many variants of these operating systems exist and they are running on most servers (computers that serve content or services such as websites) and on Android phones. Linux is the kernel of the GNU/Linux operating system and most people are referring to the GNU/Linux operating system when they're speaking of "Linux". GNU stands for "GNU's Not Unix!" as GNU's design is "Unix-like", but differs from Unix by being free software and containing no Unix code. The GNU project was founded by Richard Stallman. The Linux kernel was developed by Linus Torvalds.

What is free and open source software?
Software that allows anyone to freely use, copy, study, and change it in any way, and has its source code openly shared so that people are encouraged to voluntarily improve the design of the software. This is in contrast to proprietary software, where the software is under restrictive copyright and the source code is usually hidden from the users. Although rare, some non-free software may have its source code public too.

What is Debian?
It is a distribution of GNU/Linux. A popular variant of the operating system.

Why Debian?
100% FOSS, stability, security, your control, features, configurability, privacy, large community, largest upstream GNU/Linux distribution, many packages. It aims to be the best operating system. [...]

Why not Ubuntu?
Ubuntu is based on Debian but isn't as good and isn't 100% FOSS.[...]

Why not another GNU/Linux distribution?

  • Ubuntu: See above
  • Linux Mint: it includes nonfree software[...]
  • Arch Linux: smaller distribution, smaller community, fewer packages, harder to properly set up[...]
  • Fedora: smaller distribution, smaller community, fewer packages
  • Gentoo: for advanced users only

I want to try Debian first
Try the LiveCD.

Can I still play my games on Debian?
No. But do you really need to? Some of them maybe. PlayOnLinux / Wine / Steam are insecure. There are free Linux games for Debian such as SuperTuxKart. However you can play console games (GameCube, PS2) using an emulator such as Dolphin.

I only want to install Debian in addition to Windows (dual boot)
Don't do it. [...]

Does my laptop support Debian?
You need to check it first. If you already have a laptop you should check whether you can boot and properly use the LiveCD. If you want to buy a laptop you need to research whether other people have reported getting GNU/Linux working on it. Many Dell laptops support Debian, for example. In addition you need to apply pressure to laptop manufacturers to support it. You might find useful information here.

Does Debian support touchscreens and tablets?
Yes. Please see TabletAndTouchScreen.

Why would I need such a secure and privacy-protecting OS?
In short: cybercrime, state-sponsored cyberintrusions, companies selling your personal data, uncertainty of the future, centralized control, activism, journalism, industrial espionage, having control over your own machines, infrastructure security, etc.

Download & burn

  • Download a CD/DVD image of the "stable" release from: https://www.debian.org/CD/http-ftp/

    • It's recommended to use the DVD image as there is more software packaged with it
    • If you have a 64bit machine you most likely need amd64 and if you have a 32bit one you need i386

      • On Windows you can find out whether you have 64bit or 32bit by going to Start menu -> All Programs -> Accessories -> System Tools -> System Information -> System Type or by pressing and holding the Windows key and the Pause key or by rightclicking on Computer -> Properties -> System type.

      • Most modern computers run 64bit
    • You only need one DVD and to download only the [...]DVD-1.iso

  • Once the .iso file has finished downloading you should checksum the file to verify that it has not been altered and is in a proper state. (A checksum is a short ID that is always the same if the data is exactly the same.) To do this, open a terminal and type sha512sum {full path to the .iso file} if you are running GNU/Linux; if you're running Windows, download HashMyFiles and open the .iso with it. Then compare the hash with the one in the SHA512SUMS document from where you downloaded your CD/DVD (e.g. https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/). It has to be the same ID. (Additionally you could also do a web search for the ID. If the ID differs, check whether your download finished properly and, if it did, report it somewhere.)

  • Burn the .iso file to an empty CD/DVD. On Windows you could use InfraRecorder. On GNU/Linux you could use K3B.

  • K3B does checksum the CD/DVD to verify that it has been written properly
  • Label the CD/DVD so you don't confuse it later
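The manual comparison above can be scripted. The following function is an added example (not from this page): it looks up the image's entry in the downloaded SHA512SUMS file and compares it with the hash computed locally, assuming GNU coreutils' sha512sum; the file name in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the wiki page): verify a downloaded Debian image against
# the SHA512SUMS file published next to it, as the step above describes by hand.
# Usage: verify_iso_checksum SHA512SUMS example-DVD-1.iso
# Returns 0 when the hash recorded in SHA512SUMS matches the file, 1 otherwise.
verify_iso_checksum() {
  sums_file="$1"
  iso="$2"
  name=$(basename "$iso")

  # SHA512SUMS lines look like "<hash>  <filename>" (a leading "*" before the
  # file name marks binary mode); pick the hash recorded for this file name only.
  expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) print $1 }' "$sums_file")
  if [ -z "$expected" ]; then
    echo "no entry for $name in $sums_file" >&2
    return 1
  fi

  actual=$(sha512sum "$iso" | awk '{ print $1 }')
  if [ "$expected" = "$actual" ]; then
    echo "OK: $name matches SHA512SUMS"
    return 0
  fi
  echo "MISMATCH: $name" >&2
  echo "  expected $expected" >&2
  echo "  got      $actual" >&2
  return 1
}

# Equivalent one-liner when both files sit in the current directory
# (GNU coreutils 8.25 or newer):
#   sha512sum -c --ignore-missing SHA512SUMS

# Run directly when given two arguments; does nothing when sourced without arguments.
if [ "$#" -eq 2 ]; then
  verify_iso_checksum "$1" "$2"
fi
```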

Download software for offline use later

You should not connect to the Internet before you have finished the setup and reached the step "Go online". Hence you should download all the relevant (security) software packages beforehand and write them to a CD, DVD or USB stick. For laptops you might also need to download drivers beforehand. The DVD-1 contains many packages and to install them you simply need to insert it and install the software via Apper. However it is also missing many important packages. Which software you want to have running before you connect to the Internet depends on you. For instance the GUFW firewall is not among DVD-1's packages, but you don't need it if you'll use iptables instead. You could also install lynis before going online.

  • Download VeraCrypt, hash the downloaded file just like for the .iso above and verify the checksum (i.e. by searching for it)

  • Download Open Source Tripwire, hash the downloaded file just like for the .iso above and verify the checksum (i.e. by searching for it)

  • Copy those two files to a USB stick (or a CD / DVD)

Backup, live CD & formatting

  • Before you install a new operating system to your computer you need to make absolutely sure that you have all your data backed up properly. (Unless you are installing to a new computer, of course.) Don't do this hastily - there might be files in locations you forgot about or the backup might not have worked properly. Once your backup is complete, physically disconnect whatever medium you used for it (e.g. an external hard drive).
  • It is best to format your hard drive before starting the Debian installer. Some could not get Debian installer's partitioning tool to properly set up an encrypted hard drive without doing this. You could skip this step but should do this if you run into problems later.
  • If you have only one PC and no other Live CD/DVDs with relevant tools you should at least download and burn the live CD as you might need it later.
    • For this download SystemRescueCD and burn it to a CD/DVD or use another bootable CD/DVD with partitioning tools. Insert the CD/DVD and boot from it by starting your computer and pressing F10, F12, ESC or a similar key that is typically displayed during startup. Boot from the CD/DVD by selecting it and pressing enter or select CD/DVD to boot first (this varies per mainboard).

    • To start SystemRescueCd once you booted from it you only need to press enter a few times and then enter startx. Once the live CD is started open up GParted by clicking in the bottom left -> System tools -> GParted. Then format your hard drive by right clicking on all of its entries -> delete and confirming it with the green checkmark in the upper right. Make sure you selected the right hard drive in the upper right. There should be no other hard drives connected. Once everything is deleted there should be just one entry and the hard drive contents should be gray.

BIOS settings

  • Before installation you should decide whether you want to have your hard drives partitioned as GPT (new) or MBR (old). A GPT disk supports volumes larger than 2 TB, is more robust and allows for more partitions. However, GPT requires a mainboard that supports UEFI. UEFI is a successor of BIOS. Most modern mainboards support it. You can find out if your mainboard supports it by checking the specs of your mainboard or by checking whether it also says UEFI for boot mode somewhere in the BIOS settings. You could consider buying a new mainboard. If you would like to have GPT and UEFI, set the boot mode to UEFI only or change the boot order so that the UEFI CD/DVD is #1. If you did this right the Debian installer's splash screen will say it's the UEFI installer.

  • Debian might not support some of your BIOS (or UEFI) options so you might have to change some of them later or reset them back to the defaults.

Installation

  • Boot from the Debian installer as described here. Select graphical installation.

  • Select the keyboard layout of your language or else you might get problems with some keys such as the z and y keys.
  • Do not connect the Internet during installation! You should disconnect any LAN cable or WLAN adapter and remain offline until you have configured all the necessary things. Skip the network configuration step.

  • Select a hostname that other computers in your network can use to identify your machine. Don't name it "localhost".
  • You can leave the domain name empty.
  • Do not set a root password. Leave it empty. This will lock the root account (you can still unlock it later), which is best practice for most personal computers. Instead of using the root user you should use the sudo command. You can also lock the account later by running sudo passwd -d root and sudo passwd -l root.

  • Create your user and password. Choose a long (> 14 chars) and good (some capitaliZed keys, numb3rs and $pecial characters) password and physically write it down somewhere.

Partitioning

Partitioning is the hardest part of the installation and you might have to rerun it a few times.

  • Select "Guided - use entire disk and set up encrypted LVM" (or "Manual").

  • Select Separate home partition

  • The root partition on which Debian gets installed to should be around 30GB. The home partition should take up all the rest of the hard drive space.
  • If you have UEFI note that you need a boot partition and an EFI partition with the bootable flag set to On.
  • If you're not installing on a laptop you should remove the swap partition as it isn't properly encrypted.
    • For this go to Configure logical volume group -> remove volume -> select the swap partition then click on the swap entry and delete the partition.

    • Let it delete prior data of the hard drive (this may take an hour or so) and set another good password again. It's best to have that password written down nowhere.

Software selection

The desktop environment is the graphical surface of your operating system. It is important that you select the one that fits you best. You might want to try and compare several of them (e.g. via live CDs) and research them (e.g. watch videos showing them).

  • Select only one desktop environment (GNOME or Xfce or KDE or Cinnamon or MATE or LXDE)
    • KDE is arguably the best choice for a personal, modern computer. It has many features, looks great, is highly configurable and extendable, and is easy to use. Video presentation. This guide is tailored to KDE.

  • Most likely you shouldn't check "web server" and "SSH server"

Finish

  • Write the GRUB bootloader to the disk when it asks you about it
  • You can check the integrity of the CD in the installer by pressing back and selecting "Check integrity of CD"
  • Finish the installation, remove the CD/DVD and restart your PC. You should enter the graphical GRUB bootloader and it should automatically boot Debian.

Principles and prior knowledge

  • Do not connect to the Internet before you finished the setup and reached step "Go online".
  • Only by using root rights can important files be changed and specific commands be run. For this your password is needed. To run commands as root type sudo {command} into the terminal. Most often it will tell you when root rights are required for commands.
  • You should try to never run GUIs (graphical user interfaces / software with a window and controls) as root. Do not install gksu.
  • The terminal is where you enter commands. Debian's default terminal is konsole. You will need to use it often as many things are not yet possible via GUIs. It actually isn't hard to use.
    • By entering history you can find a list of commands you have executed under the current account. Entries can also be deleted from this log.

  • Your package-manager is how you find, install and update applications. Try to never install packages from outside the package manager if possible. The best package managers are Apper, Synaptic and Discover (Software Center).
  • Apply updates quickly and check for updates regularly.
  • Try to never install nonfree software unless absolutely necessary. There can easily be backdoors and all sorts of malicious code in closed source software.
  • One of your best defenses is to report anything unusual that you noticed on your machine. Don't keep it to yourself.
  • If you don't know something and you can't find it via your search engine, ask about it on places such as https://unix.stackexchange.com/ as this will help everyone with the same question find an answer. Make sure to explain your question well and to make it easily findable by those with the same question.

  • You can find more information about commands and programs by just entering the name of the program into the konsole, or the name and "--help" or "man" and the name or by reading the online documentation.
  • You can find logs under /var/log/. The most important one is /var/log/syslog which you can only open as root (via sudo). /var/log/apt/history.log is a log of installed packages.

  • Some additional important commands:
    • mkdir {path} creates a directory
    • cd {directory} moves the context to a directory (cd .. moves you one directory up)
    • sudo ifconfig displays information about your IP
    • sudo dpkg -i filepath installs a .deb package
    • sudo apt-get install packagename installs a package from the terminal
    • sudo dpkg --add-architecture i386 adds the 32bit architecture
    • sudo -i starts a sudo session
    • sudo cp -r path path copies files as root
    • sudo mv path path moves files as root
    • bash filepath executes a bash file
    • ls -l lists the files of a directory

Passwords

It's best to write them down physically on a paper (never or only partially/obscured&encrypted electronically). And that in a way that only you can read properly. For instance you could write down signs for words and alter the order in a specific way. Store them in a secure place and store them twice.
Furthermore try to enable two factor authentication (2FA) for as many of your relevant accounts as possible. Also plan for the possibility of losing your phone (typically there are backup codes).

Initial setup

  • Click on the 3 bars in the upper left -> configure desktop -> Layout -> Folder view if you want to see files on your desktop.

  • In the application starter in the bottom left you find all your applications and the buttons to switch off your computer
  • Open "dolphin" by entering it in the application starter's search bar or by clicking on its icon in the favorites. Dolphin is KDE's default file manager. You can browse all of your computer's files by clicking "Root" under "Places" in the upper left and storage devices under "Devices". You can add places by dragging them into this panel and you can hide devices you don't need to see by right-clicking them -> hide. Your files should be stored under /home/yourusername/. You can search, change the view-type and settings via the options in the upper bar. To view your current location click next to the text below the upper bar.

  • You can pin applications that you use often to the taskbar. For this enter the name of the application into the search bar -> rightclick it -> select add to panel or add as launcher. It is recommended to add "dolphin", "konsole", "system monitor" and "apper" to the bar.

  • If you did create a root account you need to add yourself to the sudoers file. This is so that you can execute the sudo command. If you did not create the root account you can execute the sudo command already and don't need to do that. To add yourself to the sudoers file enter sudo kate /etc/sudoers -> enter your password -> add yourusername ALL=(ALL) ALL below %sudoers and save the file (ctrl+s). Instead of kate you could also use another text editor such as nano, or visudo, which checks the file's syntax before saving it.

  • If you have problems with your timezone and the time-display you can change it by entering tzselect into the konsole and by right clicking the clock in the bottom right.

  • If there are problems with your monitor(s) or display enter "Displays" into search and check its settings and infos.
  • Enter mouse into the search and set it to "double click to open files"
  • You can add useful widgets (such as CPU Load Monitor and Network Monitor) to your desktop by clicking the 3 bars in the upper left -> Add Widgets.

  • Disable unneeded startup applications by entering startup applications into the search (e.g. bluetooth and mousepad)
  • Create a folder for software (such as scripts) that you download from the Internet under /home/username/. You could name it "Software", "Programs" or alike.

  • Open LibreOffice via the search -> Tools -> Options -> Security -> Set Macro Security to "High" and check all the options under Security Options likely except "Recommend password protection on saving"

  • Configure screenshots
    • Enter "Spectacle" into the search -> click on the right next to "Save & Exit" -> Preferences -> create a new folder in your Pictures folder and change the preferences as needed

    • Enter "Custom Shortcuts" into search -> Screenshots -> here you can change the buttons for screenshots (ctrl+print for a fullscreen screenshot by default)

  • Add custom shortcuts
    • Enter "Custom Shortcuts" into search -> Edit -> New Group -> name it "Custom" then Edit -> Add -> New -> Global shortcut -> Command/URL. Set a trigger (the keys to be pressed) and an action (for example enter "konsole" into Command/URL to have the konsole opened).

    • Enter "Global Shortcuts" into search -> click on Power management or KDE Daemon -> here you can configure shortcuts to suspend or power off your machine

  • Right click the bottom right clipboard icon -> Configure Clipboard -> Check "Ignore Selection"

  • Enter "Screen Locking" into search -> configure the time for the screen to lock automatically and the shortcut to lock it

  • The password for the "KDE wallet" is the same as your user password by default. But you could change/recreate it.
  • Enter Desktop Theme into search -> you can change your theme here

Security and tools

Set a GRUB password

Set a GRUB password as explained here:

  • Run sudo kate /etc/grub.d/00_header /etc/grub.d/10_linux /etc/grub.d/30_os-prober

  • At the bottom of 00_header add this text:

cat << EOF
set superusers="somename"
password somename pw
EOF
Replace somename and pw with a name and a password. If you already encrypted your hard drive you might want to use a shorter one. Do not replace anything except these 3 words. The somename doesn't have to be your username - it can be any word you want.

  • In 10_linux, after ${CLASS} on the 2 lines that say menuentry, add --users '' so that, for example, the line reads:

    printf "menuentry '${title}' ${CLASS} --users '' {\n" "${os}" "${version}"

  • Run sudo sed 's/--class os /--class os --users /' -i /etc/grub.d/30_os-prober

  • Run grub-mkpasswd-pbkdf2 and enter the password you set earlier

  • At the bottom of 00_header replace "password" with "password_pbkdf2" and pw with the output of the previous command (it starts with grub.pbkdf2.sha512.). For example the full line should look like: password_pbkdf2 John grub.pbkdf2.sha512.10000.FC58373BCA15A797C418C1EA7FFB007BF5A5

If you fail to do this correctly you may not be able to boot your system.

  • Run sudo update-grub to apply your changes and restart your computer

Encryption

You need such an encryption program to encrypt data on other storage devices and for the way our IDS is set up in the step below.

  • Install VeraCrypt, ZuluCrypt or another good encryption program.

  • Checksum VeraCrypt before installation and check the hash.

  • You can encrypt whole devices and partitions or just create encrypted volumes.

Anti malware

  • Install ClamTk, which also installs ClamAV - Debian's open source antivirus software

    • Once you are online you need to update it
    • In the settings have everything checked (if you check PUAs you will likely get many false positives though)

  • Install rkhunter
    • To integrate rkhunter with package updates run sudo kate /etc/default/rkhunter and set APT_AUTOGEN="true"

    • Initially run sudo rkhunter --propupd

    • To run a scan run sudo rkhunter -c

  • Install chkrootkit
    • Run a scan sudo chkrootkit

Kernel hardening

  • Run sudo kate /etc/sysctl.conf and make sure the settings are set like so (if not either change the relevant lines or append to the bottom of the file) (please improve):

net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
kernel.sysrq=0
kernel.kptr_restrict=2
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_timestamps=0
net.ipv6.conf.default.accept_redirects=0
kernel.core_uses_pid=1
fs.suid_dumpable=0

  • Then run sudo sysctl -p to apply your changes.

  • You can use Lynis for checking your kernel settings.
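As an added example (not part of the original page), this shell function audits a sysctl.conf-style file against the values listed above, accepting the spellings sysctl itself accepts (blanks around "=", "#" or ";" comments, "/" instead of "." in keys, last assignment wins), so that a missing or mismatched key is reported before sysctl -p is run. It inspects the file only, not the running kernel.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit an /etc/sysctl.conf-style file
# against the hardening values listed above. To compare with the running kernel
# instead, query each key with "sysctl -n <key>".

# Desired values, copied from the list above and normalised to key=value.
HARDENING_SETTINGS='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
kernel.sysrq=0
kernel.kptr_restrict=2
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_timestamps=0
net.ipv6.conf.default.accept_redirects=0
kernel.core_uses_pid=1
fs.suid_dumpable=0'

# check_sysctl_conf FILE: print one line per desired key that is missing from FILE
# or set to another value. Returns 0 when every key matches, 1 otherwise.
check_sysctl_conf() {
  printf '%s\n' "$HARDENING_SETTINGS" | awk -v conf="$1" '
    BEGIN {
      # Load the file once. sysctl accepts "key = value" with optional blanks,
      # "#" or ";" comments, "/" instead of "." in keys, and the last
      # assignment of a key wins, so the same rules are applied here.
      while ((getline line < conf) > 0) {
        sub(/[#;].*/, "", line)
        if (line !~ /=/) continue
        eq = index(line, "=")
        key = substr(line, 1, eq - 1)
        val = substr(line, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        gsub("/", ".", key)
        have[key] = val
      }
      close(conf)
    }
    # Each desired key=value line arrives on stdin.
    {
      eq = index($0, "=")
      key = substr($0, 1, eq - 1)
      want = substr($0, eq + 1)
      if (!(key in have)) {
        printf "MISSING  %s (want %s)\n", key, want
        bad++
      } else if (have[key] != want) {
        printf "MISMATCH %s=%s (want %s)\n", key, have[key], want
        bad++
      }
    }
    END { exit (bad > 0) }'
}

# Usage: check_sysctl_conf /etc/sysctl.conf
```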

Intrusion detection system

Note: at IntegratedIntrusionDetectionSystem work is ongoing to improve IDS!

An intrusion detection system (IDS) helps you detect intrusions, allows you to help secure computers by reconstructing intrusions and along the way helps you better understand GNU/Linux / Debian. While some advanced forms of IDS are more or less the only way to reliably protect machines, they haven't been developed so far as to allow fully secure personal computers in practice. But maybe they will get developed further to allow that.
Before doing this you need to have VeraCrypt (or a similar encryption program) installed.

  • Insert a USB stick, open it with dolphin, close dolphin again, open VeraCrypt, then select Volumes -> Create new volume -> Create an encrypted file container. When it asks for the volume location navigate into your USB stick and enter a filename. Create a new volume with a size of around 500MB (50MB would probably be enough too). Once it has finished, mount the volume by first clicking the slot number you want to mount it in, selecting the file and entering 2 passwords.

  • Set up tripwire
    • Copy the file that you downloaded earlier from your USB stick (or CD / DVD)
    • cd into the directory you copied the file to, then run tar -xzf tripwire-open-source-2.4.3.5.tar.gz (the version might differ) and then cd tripwire-open-source-2.4.3.5

    • Run kate ./installer/install.cfg and replace the value of TWBIN, TWPOLICY, TWDB, TWSITEKEYDIR, TWLOCALKEYDIR, TWREPORT (between the two ") to /media/veracrypt10/ (or subdirectories of it respectively such as "/media/veracrypt10/report/"; also make sure to replace 10 with your slot-number). You could also set TWEDITOR to your preferred texteditor such as kate. Save the file.

    • Run ./configure --prefix=/etc/tripwire

    • Make sure it runs through. You might have to install packages such as postfix or a compiler from the DVD-1.
    • Run make install

    • Set the password for your local and site keys. If you run into problems there run ./twinstall.sh Help here.

    • If you need to recreate the cfgfile run ./sbin/twadmin --create-cfgfile -S site.key /media/veracrypt10/twcfg.txt (edit the twcfg.txt like the install.cfg file beforehand)

    • Edit twpol.txt to insert the default twpol.txt contents for Debian

    • Run ./sbin/twadmin -m P -S site.key /media/veracrypt10/twpol.txt

    • Run ./sbin/tripwire --init to see if it's working. At the bottom you'll see plenty of errors.

    • Edit twpol.txt and comment out the lines that have generated these errors under "Root config files" and "System boot changes". Watch this video. Add your own rules to watch important files (such as the sudoers file) or directories if you want to. Suggestions for tripwire rules can be found here.

    • Run ./sbin/twadmin -m P -S site.key /media/veracrypt10/twpol.txt again

    • Run ./sbin/tripwire --init again. Sadly you can't yet change the policy file again after initialization so you should make sure it is fine before you go online.

    • Close the konsole or cd out of the mounted directory and dismount the volume in veracrypt
    • Create a backup of the encrypted volume (1 file) to your hard drive (but always use the USB stick)

Once you have used your computer for a while you can do your first scan. It should be the same procedure every time and you should run scans as often as possible to get smaller reports and to know which changes you caused yourself in the meantime.

  • Disconnect from the Internet
  • Insert the USB stick. Open it with dolphin and close dolphin again.
  • Open VeraCrypt, click on the slot you selected earlier, select the volume-file on the USB stick and mount it using 2 passwords.

  • Run cd /media/veracrypt10/

  • Run sudo ./sbin/tripwire --check and let it run through

  • Run sudo ./sbin/twprint -m r --twrfile pathtothegeneratedtwrfile > nameofthegeneratedtwrfile-descriptionofwhatyoudidinthemeantime (for example sudo ./sbin/twprint -m r --twrfile ./report/name-20170808.twr > name-20170808-installed-firefox-and-removed-kdeconnect)

  • Inspect the changes by opening the generated file with a texteditor such as kate. Sadly Debian isn't yet integrated well with tripwire so there likely will be a lot of changes. Look for suspicious changes that you didn't cause yourself - especially modified critical files. By this you also learn more about the operating system by gaining more insight into what files change when.
  • Update your database by running export DISPLAY=:0; sudo ./sbin/tripwire --update -Z low -V nano --twrfile ./report/filename.twr, pressing ctrl+x and entering your local key

  • Run cd ../.. and dismount the encrypted volume in VeraCrypt

  • Backup the file again. You could store it on a read-only medium (CD/DVD) once in a while in case your database file becomes corrupted.
  • Reconnect to the Internet

By setting this up properly and by knowing what to look for and helping improve tripwire to integrate better with Debian and to automate the steps above you could theoretically reach a very high level of security.

There are many ways IDS could get improved. This includes having two machines with the same packages installed and comparing whether they differ in any way or by making use of virtual machines. While few IT security specialists seem to be interested in implementing such improvements it is important that you get an IDS working as early as possible. And before going online. While the current implementation might be hard to use it's still useful and also deters potential adversaries merely by being set up properly.
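To make clearer what tripwire's --init, --check and --update steps do, here is an added illustration (not tripwire's code and not from this page): a small baseline/check pair over one directory that records hash, mode and owner per file, assuming GNU stat and sha256sum. Directory and file names in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page and not tripwire itself): a minimal file
# integrity baseline that mirrors tripwire's --init / --check cycle on one directory.
# Each baseline line is "<sha256>\t<mode:owner>\t<path>" so that content changes
# and permission/ownership changes are both caught.

# integrity_init DIR DB: write the baseline for every regular file under DIR to DB.
# DB must be an absolute path because the listing runs from inside DIR.
integrity_init() {
  ii_dir="$1"
  ii_db="$2"
  ( cd "$ii_dir" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s\t%s\t%s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$(stat -c '%a:%U' "$f")" "$f"
    done ) > "$ii_db"
}

# integrity_check DIR DB: print ADDED / REMOVED / MODIFIED lines for DIR compared
# with the baseline in DB. Returns 0 when nothing changed, 1 otherwise. After
# reviewing the report, re-run integrity_init to accept the changes, which is what
# tripwire's --update step does for the entries you approve.
integrity_check() {
  ic_dir="$1"
  ic_db="$2"
  ic_now=$(mktemp)
  integrity_init "$ic_dir" "$ic_now"
  report=$(awk -F'\t' '
    FILENAME == ARGV[1] { old[$3] = $1 "\t" $2; next }   # first file: the baseline
    {
      if ($3 in old) {
        seen[$3] = 1
        if (old[$3] != $1 "\t" $2) print "MODIFIED " $3
      } else {
        print "ADDED " $3
      }
    }
    END { for (p in old) if (!(p in seen)) print "REMOVED " p }
  ' "$ic_db" "$ic_now")
  rm -f "$ic_now"
  if [ -z "$report" ]; then
    return 0
  fi
  printf '%s\n' "$report"
  return 1
}

# Usage (constructed paths): integrity_init /etc /media/usb/baseline.tsv
#                            integrity_check /etc /media/usb/baseline.tsv
```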

File permissions

  • Change the file permissions of critical files to prevent unwanted changes to or reading of them
    • CUPS printer configuration file: sudo chmod 0700 /etc/cups/cupsd.conf

    • Kernel configuration: sudo chmod 600 /etc/sysctl.conf

    • Compilers: sudo chmod 0444 /usr/bin/as; sudo chmod 0444 /usr/bin/g++; sudo chmod 0444 /usr/bin/gcc

    • Sudoers file: sudo chmod 0440 /etc/sudoers

Security auditing tools

(OPTIONAL) Security auditing tools analyze your system to find vulnerabilities that you should fix and to propose ways to further secure your system.

  • One such is Lynis, installation instructions here

    • It might misdetect some things and you don't need to follow all its suggestions but it can help you further secure your system
    • Once installed run it via sudo lynis audit system

Other tools

  • Install debsums to verify your installed Debian package files against the MD5 checksum lists in /var/lib/dpkg/info/*.md5sums.
    • Run debsums | grep -v OK

  • Install GPA for de- and encrypting texts and for managing your keys
  • Install BleachBit to securely wipe data, free disk space, clean cookies, etc.

  • arpwatch, scanlogd, checksecurity, apt-listchanges
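A small verifier in the spirit of debsums above, added here as an example (not the wiki's or the debsums project's code): it reads a list in the /var/lib/dpkg/info/<package>.md5sums format and reports files that are missing or no longer match, using a constructed package tree in a temporary directory so it runs without root. Real debsums skips conffiles under /etc unless run with -a; this check includes everything listed.

```python
# Added example, not from the wiki page or from the debsums tool itself: verify
# files against a list in dpkg's /var/lib/dpkg/info/<package>.md5sums format
# ("<md5hex>  <path relative to />" per line), reporting what debsums | grep -v OK
# would show.  A constructed package tree is built so it runs without root.
import hashlib
import os
import tempfile


def verify_md5sums(md5sums_path, root="/"):
    """Return {relative_path: "OK" | "FAILED" | "MISSING"} for every listed file."""
    results = {}
    with open(md5sums_path, encoding="utf-8") as fh:
        for line in fh:
            if not line.strip():
                continue
            expected, rel = line.rstrip("\n").split("  ", 1)  # md5sum(1) layout
            full = os.path.join(root, rel)
            if not os.path.isfile(full):
                results[rel] = "MISSING"
                continue
            digest = hashlib.md5()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    digest.update(chunk)
            results[rel] = "OK" if digest.hexdigest() == expected.lower() else "FAILED"
    return results


def build_demo_tree():
    """Constructed sample: a fake root with an intact, a modified and a missing file."""
    root = tempfile.mkdtemp(prefix="debsums-demo-")
    files = {"usr/bin/example": b"#!/bin/sh\necho hello\n",
             "etc/example.conf": b"setting=1\n"}
    lines = []
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        lines.append(f"{hashlib.md5(data).hexdigest()}  {rel}")
    # listed by the package but deleted from disk
    lines.append(f"{hashlib.md5(b'copyright').hexdigest()}  usr/share/doc/example/copyright")
    # modified after its checksum was recorded, as a tampered binary would be
    with open(os.path.join(root, "usr/bin/example"), "ab") as f:
        f.write(b"# appended later\n")
    md5sums = os.path.join(root, "example.md5sums")
    with open(md5sums, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return root, md5sums


if __name__ == "__main__":
    root, md5sums = build_demo_tree()
    print({k: v for k, v in verify_md5sums(md5sums, root).items() if v != "OK"})
```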

Etckeeper

  • To set up etckeeper you need to run these commands: cd /etc/; sudo etckeeper init; sudo etckeeper commit "Initial etc commit"

  • To view the git history of a file that etckeeper keeps for you install qgit and then enter qgit locationofthefile &. This allows you to notice malicious changes and to manage your configurations.

Bitcoin

(OPTIONAL)

  • Electrum is a FOSS bitcoin client. If you want to use it anonymously install it, then go offline, then create a standard wallet, then go to the network configuration and set the proxy to SOCKS5 localhost 9050. If you want better security (given, more or less, that you trust TrustedCoin more than yourself) select "Multifactor authentication" instead. But you might have problems getting the latter to work with your firewall. It is best to store the wallet on an encrypted external medium such as a CD/DVD.

Firewall

  • GUFW is the GUI front-end for Debian's ufw firewall. Sadly it does not work properly when blocking outbound traffic. Also it is not packaged with DVD-1. Hence it is recommended that you use iptables instead. But you could install it anyway and have it disabled.

  • Run sudo kate /etc/iptables.conf and configure your firewall rules. The following rules allow downloading packages and browsing the Internet but not much more (please improve them):

*filter
#DROP everything by default
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#And explicitly allow the following:
#LOCAL
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
#HTTP
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 8080 -m state --state ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
#HTTPS
-A INPUT -p tcp -m tcp --dport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
#DNS
-A INPUT -p udp -m udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#PING
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
#LOG 3 dropped packets per minute to /var/log/syslog
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "~~~~IP INPUT DROP: "
-A INPUT -j DROP
#LOCAL
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
#HTTP
-A OUTPUT -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
#HTTPS
-A OUTPUT -p tcp -m tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#DNS
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#PING
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#LOG 3 dropped packets per minute to /var/log/syslog
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "~~~~IP OUTPUT DROP: "
-A OUTPUT -j DROP
COMMIT

  • When done run sudo iptables-restore < /etc/iptables.conf. Note that these rules are reset at each restart, so either do the next step before the next restart or have your Internet connection disabled on startup.

  • Install iptables-persistent

  • Run sudo kate /etc/iptables/rules.v4 and copy the contents of /etc/iptables.conf into it

  • Run sudo iptables-restore < /etc/iptables/rules.v4 or sudo ip6tables-restore < /etc/iptables/rules.v6

  • If your applications have problems connecting to the Internet you need to find out which protocol and ports you need to open via iptables rules to get them working. Alternatively you could allow all outbound traffic. But this isn't recommended for security purposes.
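To check a ruleset like the one above for the weaknesses that "please improve them" invites, here is an added example (not from the wiki page) that lints the iptables-save format: it flags INPUT rules accepting NEW connections to a local port, INPUT rules that trust a remote source port, and OUTPUT rules that match on source port only. SAMPLE_RULES is a constructed excerpt of the page's own ruleset.

```python
# Added example (not from the wiki page): lint an iptables-restore ruleset for
# ACCEPT rules that expose a local port, trust a remote source port, or match
# outbound traffic on source port only.
import shlex

# Constructed sample: an excerpt of the page's /etc/iptables.conf.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "~~~~IP INPUT DROP: "
-A OUTPUT -p tcp -m tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
"""


def parse_rules(text):
    """Yield (chain, options) for every -A line; options maps flag -> value."""
    for line in text.splitlines():
        if not line.startswith("-A "):
            continue  # table name, chain policy, COMMIT
        tokens = shlex.split(line)
        opts, i = {}, 2
        while i < len(tokens):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("-"):
                opts.setdefault(tokens[i], nxt)  # first value wins (repeated -m)
                i += 2
            else:
                opts[tokens[i]] = True
                i += 1
        yield tokens[1], opts


def lint(text):
    """Return one finding per ACCEPT rule that is weaker than the comments intend."""
    findings = []
    for chain, o in parse_rules(text):
        if o.get("-j") != "ACCEPT":
            continue
        states = set(o["--state"].split(",")) if "--state" in o else {"NEW"}  # no --state matches NEW too
        sport_only = "--sport" in o and "--dport" not in o
        if chain == "INPUT" and "NEW" in states and "--dport" in o:
            findings.append(f"INPUT: new inbound connections to local port {o['--dport']} are accepted")
        elif chain == "INPUT" and "NEW" in states and sport_only:
            findings.append(f"INPUT: trusts remote source port {o['--sport']}, which any peer can choose")
        elif chain == "OUTPUT" and "NEW" in states and sport_only:
            findings.append(f"OUTPUT: any new connection from local source port {o['--sport']} is accepted")
    return findings
```

Call lint() on the contents of /etc/iptables.conf; a layout that accepts only RELATED,ESTABLISHED on INPUT and uses --dport matches with NEW on OUTPUT produces no findings.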

Close ports and inspect traffic

  • With these commands you can find out which applications on your machine are sending or receiving Internet traffic: lsof -i and netstat -pln or sudo netstat -anp --tcp --udp | grep LISTEN

    • Use sudo fuser -v portnumber/tcp to find out which application is causing an open port

  • With zenmap you can scan your own computer for open ports. Install it and then do a full scan on 127.0.0.1. Do not scan machines that do not belong to you.
  • If you don't have network printers you can disable CUPS like so: sudo systemctl disable cups.socket cups.path cups.service; sudo systemctl kill --signal=SIGKILL cups.service; sudo systemctl stop cups.socket cups.path

  • You can use BUM to disable apps that start automatically.

Wireshark

(OPTIONAL)
You can find out exactly which data applications send, and to which websites, by making use of Wireshark, and use this to identify undesired data transmissions. After installing wireshark run sudo dpkg-reconfigure wireshark-common, choose "Yes" and then run sudo adduser $USER wireshark. After running wireshark run sudo dpkg-reconfigure wireshark-common again and choose "No".

Go online

  • To go online you likely need to connect your PC to your router with a LAN cable
  • Edit the SourcesList so that you can find and download packages: run sudo kate /etc/apt/sources.list and comment out the CD / DVD sources which allowed you to install packages by inserting DVD-1. Add these sources instead:

deb http://security.debian.org/debian-security stretch/updates main contrib
deb-src http://security.debian.org/debian-security stretch/updates main contrib
deb http://ftp.CY.debian.org/debian/ stretch main contrib
deb-src http://ftp.CY.debian.org/debian/ stretch main contrib
deb http://ftp.CY.debian.org/debian/ stretch-updates main contrib
deb-src http://ftp.CY.debian.org/debian/ stretch-updates main contrib
deb http://deb.torproject.org/torproject.org stretch main
You can leave out the torproject repository if you want to. Replace CY with the country code of the repository you would like to use. You can find a list of Debian's repositories here. You can also leave out contrib, which includes software that is not 100% FOSS, or add non-free after contrib, which also includes non-free software (such as many proprietary drivers).

Run updates

  • Install apt-transport-https

  • Run sudo apt-get remove firefox-esr and sudo apt-get install firefox-esr

  • Run sudo apt-get update and sudo apt-get upgrade

  • You might need to run this multiple times and fix some issues until it says 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded and that no packages have been held back.

  • Open Apper -> Check for updates should say that no updates are available

  • Run sudo freshclam

  • Do a tripwire scan after the updates as explained here

DNS

Before a computer can connect to an external network resource (say, for example, a web server), it must have a means of converting any alpha-numeric names (e.g. wiki.debian.org) into numeric network addresses (e.g. 140.211.166.4). More information.

  • Run sudo kate /etc/NetworkManager/NetworkManager.conf and add dns=none below the [main] header

  • Use OpenDNS or OpenNIC
    • For OpenDNS: run kde5-nm-connection-editor and choose your connection -> right click -> edit -> click on the IPv4 settings tab -> choose "Automatic (DHCP) addresses only" -> then enter IPs of DNS servers in the "DNS servers" field, separated by spaces -> "Apply". Use one of the IP addresses here such as 208.67.222.222

Configure Firefox

  • Sandbox your browser so vulnerabilities can't easily cause harm to your system
    • Download firejail
    • Right-click on the KDE icon in the bottom left -> Edit Applications -> right click on Internet -> New item -> Name: Sandboxed Firefox-ESR Command: firejail firefox-esr -p

  • Install useful add-ons:

    • Security-related
      • Enabling HTTPS (for encrypting the data that is sent between your browser and a website) whenever possible: HTTPS Everywhere
      • Adblocker: uBlock Origin
      • Disabling JavaScript by default (you need to allow it if websites you trust don't work): NoScript

      • Instead of fetching resources from external content delivery networks again and again store them locally: Decentraleyes
      • Prevent people from identifying you across websites due to more or less unique HTTP headers: Blender
      • Delete cookies of a website after leaving it automatically: Self-Destructing Cookies
    • Other: TabMixPlus for many useful tab functionalities, SessionManager for managing your browser sessions, Greasemonkey for adding userscripts, RedditEnhancementSuite if you use reddit, FlashGot for downloading streamed videos

    • Don't just download and install add-ons but also configure them properly

Public keys

  • A list of keyservers can be found here.

  • Open port 11371 in iptables [...] to be able to fetch keys (TODO)

  • Create a public key under your real name, and potentially for pseudonyms, to be able to prove your identity. For this you need to have a good password and store your private key securely. Upload the public keys to a keyserver and/or give them to people you want to communicate privately with or to whom you want to prove your identity.

Email client

  • Evolution and Thunderbird are two good email clients. Evolution comes preinstalled. Open port [...]

Get Tor

  • Follow this guide to add keys (see section #Public keys first), add the tor repository and download tor

  • Download the TorBrowser

  • Checksum the downloaded file
  • Move the tor-browser to your software folder
  • Firejail it
    • Download the firejail profile for start-tor-browser

    • Move that textfile into /etc/firejail

    • Right-click on the KDE icon in the bottom left -> Edit Applications -> right click on Internet -> New item -> Name: Sandboxed Tor Browser Command: cd /home/username/foldername/tor-browser_en-US/ && firejail --profile=/etc/firejail/start-tor-browser.profile /home/username/foldername/tor-browser_en-US/start-tor-browser.desktop (replace username and foldername)

  • Edit /etc/tor/torrc and append FascistFirewall 1 to the bottom of it to get it working with iptables blocking outbound traffic

  • Start it and check for updates (and apply them)
  • Disallow scripts globally by clicking on the NoScript button in the upper right

Get a VPN

  • Compare VPNs and select a good one
  • Make sure the VPN has a Debian client
  • Use tor & bitcoin to buy it

Check the settings of your webaccounts and switch providers

  • Check the settings of your accounts such as Google
  • Make use of trash mail sites
  • Switch providers (such as your email provider; you can forward your emails from your old account) if your provider doesn't take security and privacy seriously
  • Don't store data in clouds - at least no unencrypted data
  • Be aware that companies don't have to be evil to breach your privacy - the data they collect could also get stolen by cybercriminals

Drivers

  • If you have a graphics card it might not achieve full performance under Debian. Consider selling it. If you really want to keep it and get the highest possible performance you might need to install non-free, proprietary drivers for it. Info here: GraphicsCard

  • WLAN driver: info here: WiFi

Connect your devices

Printer

  • The website of the manufacturer should have information on how to install the driver for your printer on Debian
  • Install simple scan for scanning

Android phone

  • KDE Connect [...]
  • Other tools

Music instruments

Input devices

  • Some special buttons of your input devices might not work. Typically you can use xbindkeys-config or the shortcuts to get them working.

Backups

  • You should create regular backups of your data onto an external storage device. The most important data should be backed up twice. The main storage device holding the backup needs to be physically disconnected from your computer except when you are running a backup. Obviously it needs to be encrypted too.

Tools

Basic software that you might be looking for.

  • PDF reader: Okular is your preinstalled PDF reader
  • Office / Word / Excel: LibreOffice is your preinstalled office suite

  • Image editor: GIMP is your preinstalled image editor that is as good as Photoshop
  • Image viewer: Gwenview is your preinstalled image-viewer
  • DVD-Burner: K3B is your preinstalled dvd-burning application.
  • Ebook reader: Calibre is a good ebook reader
  • File archiver: Ark is your preinstalled file archiver (you don't need WinRAR or 7-Zip)
  • IRC Chat: Hexchat is a good IRC client
  • Media player: VLC Player is a good media player, Amarok is a feature-rich music player
  • Compare text files: Diffuse merge
  • Video editor: Kdenlive
  • Encrypted chatting and sharing: Tox or RetroShare

Further

  • Read DontBreakDebian

  • Use VirtualBox if you have to use a virtual machine (such as Windows if absolutely necessary)

  • You could subscribe to vulnerability lists to protect or be aware of the latest vulnerabilities
  • You can get new widgets by clicking on the three-line icon in the upper left -> Add widgets -> Get new widgets -> Download New Plasma Widgets. For example you could get Event Calendar to replace your default calendar; it has many features for better organization and productivity.

  • Register and contribute to this wiki
  • Register on GitHub and similar sites and create issues if you witness bugs

  • Also secure your other devices such as your mobile phone. Also secure your router.
  • Get an IDE such as Eclipse or NetBeans, read online tutorials for programming languages such as Java, C++, Python or Bash, register on Stack Overflow and help program Debian's software

  • Share this page


CategoryDesktopComputer