Differences between revisions 1 and 6 (spanning 5 versions)
Revision 1 as of 2017-08-21 17:58:40
Size: 49152
Editor: ?Average-User-Prototype
Comment: It took me way too long to set it up; this guide should help reduce the time others need for it
Revision 6 as of 2017-09-03 11:47:42
Size: 62060
Editor: ?Average-User-Prototype
Comment: updates
Line 28: Line 28:
A "Unix-like" operating system that is free and open source. Many variants of these operating systems exist and they are running on most servers (computers that serve content or services such as websites) and on android phones. Linux is the kernel of the GNU/Linux operating system and most people are referring to the GNU/Linux operating system when they're speaking of "Linux". GNU stands for "GNU's Not Unix!" as GNU's design is "Unix-like", but differs from Unix by being free software and containing no Unix code. The GNU project was founded by Richard Stallman. The Linux kernel was developed by Linus Torvalds. A "Unix-like" operating system that is free and open source. Many variants of these operating systems exist and they are running on most servers (computers that serve content or services such as websites) and on android phones. Linux is the kernel of the GNU/Linux operating system and most people are referring to the GNU/Linux operating system when they're speaking of "Linux" (e.g. because people want a single short term and "GNU+Linux", while being more accurate, is two terms). GNU stands for "GNU's Not Unix!" as GNU's design is "Unix-like", but differs from Unix by being free software and containing no Unix code. The GNU project was founded by Richard Stallman. The Linux kernel was developed by Linus Torvalds.
Line 37: Line 37:
100% FOSS, stability, security, your control, features, configurability, privacy, large community, largest upstream GNU/Linux distribution, many packages. It's aims to be the best operating system. [...] See [[WhyDebian]]. It's 100% FOSS, stability, security, your control, features, configurability, privacy, large community, largest upstream GNU/Linux distribution, many packages. It's aims to be the best operating system. [...]
Line 40: Line 40:
Ubuntu is based on Debian but isn't as good and isn't 100% FOSS.[...] Ubuntu is based on Debian but isn't as good and isn't 100% FOSS. Note you can still find help from most that anything that refers to Ubuntu as Debian is very similar to it (for instance most answers on askubuntu may help you out as well and instructions for Ubuntu often only need to be slightly altered for Debian).
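Review bot: the added sentence beginning "Note you can still find help from most that anything that refers to Ubuntu…" does not parse. It appears to mean that material written for Ubuntu is usually applicable because Debian is very similar; suggest rewording along the lines of "Help written for Ubuntu usually applies to Debian too, since the two are very similar".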
Line 53: Line 53:
No. But do you really need to? Some of them maybe. PlayOnLinux / [[Wine]] / [[Steam]] are insecure. There are free [[Games|Linux games for Debian]] such as [[Games/Supertuxkart|SuperTuxKart]]. However you can play console games (gamecube, PS2) using an [[Emulator]] such as dolphin. Do you really need to? Some of them maybe. But consider if it's worth the effort and introduced security risks. You can use [[https://www.playonlinux.com/en/|PlayOnLinux]] / [[Wine]] / [[Steam]] to play games. However they are somewhat insecure [[https://askubuntu.com/questions/562388/do-wine-viruses-only-work-while-wine-is-running|1]] [[https://security.stackexchange.com/questions/5119/can-windows-malware-harm-a-linux-computer-when-its-executed-with-wine|2]].<<BR>>But there are free [[Games|Linux games for Debian]] such as [[Games/Supertuxkart|SuperTuxKart]]. And you can play console games (Gamecube, PS2, etc) using an [[Emulator]] such as [[https://wiki.dolphin-emu.org/index.php?title=Installing_Dolphin#Debian|Dolphin]].
Line 56: Line 56:
Don't do it. [...] Don't do it. Test Debian using a LiveCD instead.
Line 65: Line 65:
In short: cybercrime, state-sponsored cyberintrusions, companies selling your personal data, uncertainty of the future, centralized control, activism, journalism, industrial espionage, having control over your own machines, infrastructure security, etc. In short: cybercrime, state-sponsored cyberintrusions, companies selling your personal data, uncertainty of the future, centralized control, activism, journalism, journalism-like activities, industrial espionage, having control over your own machines, infrastructure security, etc.
Line 88: Line 88:
 * [[https://sourceforge.net/projects/tripwire/|Download Open Source Tripwire]], hash the downloaded file just like for the .iso above and verify the checksum (i.e. by searching for it)  * [[https://github.com/Tripwire/tripwire-open-source/releases|Download Open Source Tripwire]], hash the downloaded file just like for the .iso above and verify the checksum (i.e. by searching for it)
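Review bot: "verify the checksum (i.e. by searching for it)" is kept unchanged while the download link moves to the GitHub releases page. Finding the same hash through a web search only shows that someone else has seen the same file, not that it is the project's release, and "i.e." presents this as the only method. Suggest comparing against a checksum or signature published by the project where one is available, and wording the search as a fallback ("e.g.").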
Line 107: Line 107:
  * [...] /* ... */
Line 137: Line 137:
== Software selection ==
/* D
esktop environment */
== Software selection (desktop environment) ==
Line 141: Line 140:
  * KDE is arguably the best choice for a personal, modern computer. It has many features, looks great, highly configurable and extendable and is easy to use. [[https://www.youtube.com/watch?v=TXWUyUUx3ZE|Video presentation]]. This guide is tailored to KDE.   * KDE is arguably the best choice for a personal, modern computer. It has many features, looks great, is highly configurable and extendable and is easy to use. [[https://www.youtube.com/watch?v=TXWUyUUx3ZE|Video presentation]]. This guide is tailored to KDE.
Line 149: Line 148:
= Principles and preknolwedge = = Principles and preknowledge =
Line 153: Line 152:
 * One of your best defenses is to report anything unusual that you noticed on your machine. Document everything strange including with the relevant logs (of syslog and alike). Then report it or ask about it. Don't keep it to yourself.
 * If you don't know something and you can't find it via your search engine ask about it on places such as https://unix.stackexchange.com/ as this will help everyone finding an answer with the same question as you. Make sure to explain your question well and to make it well findable by those with the same question.
Line 155: Line 156:
  * By entering {{{history}}} you can find a list of commands you have executed under the current account. Entries can also be deleted from this log.   * By entering {{{history}}} you can find a list of commands you have executed under the current account. Entries can also be deleted from this log by running {{{history -d line-number}}}.
Line 159: Line 160:
 * One of your best defenses is to report anything unusual that you noticed on your machine. Don't keep it to yourself.
 * If you don't know something and you can't find it via your search engine ask about it on places such as https://unix.stackexchange.com/ as this will help everyone finding an answer with the same question as you. Make sure to explain your question well and to make it well findable by those with the same question.
Line 162: Line 161:
 * You can find logs under {{{/var/log/}}}. The most important one is {{{/var/log/syslog}}} which you can only open as root (via sudo). {{{/var/log/apt/history.log}}} is a log of installed packages.
 * Some additional important commands: mkdir {path} creates a directory, cd {directory} moves the context to a directory ({{{cd ..}}} moves you one directory up), {{{sudo ifconfig}}} displays information about your IP, {{{sudo dpkg -i filepath}}} to install .deb packages, {{{sudo apt-get install packagename}}} to install a package from terminal, {{{sudo dpkg --add-architecture i386}}} to add 32bit architecture, {{{sudo -i}}} to start a sudo session, {{{sudo cp -r path path}}} to copy files as root, {{{sudo mv path path}}} to move files as root, {{{bash filepath}}} to execute a bash file, {{{ls -l}}} list files of a directory
 * Don't install software without knowing what they do or if you don't need it. Don't install things like Flash.
 * Don't execute commands just because somebody told you so or you read about it. Make sure you roughly know what it does. Some commands might destroy your system (e.g. {{{rm}}} to delete important files).
* You can find logs under {{{/var/log/}}}. The most important one is {{{/var/log/syslog}}} which you can only open (with a texteditor) as root (via sudo). {{{/var/log/apt/history.log}}} is a log of installed packages.
 * You can typically quit displays of text in the console by pressing {{{q}}} or {{{ctrl+x}}} (^ refers to the ctrl key).
 *
Some additional important commands: {{{mkdir {path}}}} creates a directory, {{{cd {directory}}}} moves the context to a directory ({{{cd ..}}} moves you one directory up), {{{sudo ifconfig}}} displays information about your IP, {{{sudo dpkg -i filepath}}} to install .deb packages, {{{sudo apt-get install packagename}}} to install a package from terminal, {{{sudo dpkg --add-architecture i386}}} to add 32bit architecture, {{{sudo -i}}} to start a sudo session, {{{sudo cp -r path path}}} to copy files as root, {{{sudo mv path path}}} to move files as root, {{{passwd}}} to change password, {{{apt-get install packagename}}} to install a package from the konsole, {{{bash filepath}}} to execute a bash file, {{{ls -l}}} list files of a directory, {{{sudo shutdown -h now}}} to shutdown, {{{groups username}}} to display the usergroups your user is part of. Some more [[https://www-uxsup.csx.cam.ac.uk/pub/doc/suse/suse9.0/userguide-9.0/ch24s04.html|here]]
 * You can save the output of any command by appending {{{> filepath}}} to a command. For example {{{ls -l > contents.txt}}} creates a file with information on the contents of the directory you're currently in. You can get information about commands by appending {{{--help}}} to them for instance {{{ls --help}}} shows you information about the {{{ls}}} command.
 * You don't need to know all of this by heart or so. Simply frequent this page or other pages. But you need to know where to ask for help and how to find the information needed. (Which after reading the above you should know.)
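Review bot: in the "Some additional important commands" list, {{{apt-get install packagename}}} is added a second time ("to install a package from the konsole"), now without sudo, next to the existing {{{sudo apt-get install packagename}}} entry; drop the duplicate. In the same hunk the bullet marker now sits alone on the line before that list, the note "(^ refers to the ctrl key)" explains a symbol the bullet never uses, and the two bullets "Don't install software without knowing…" and "Don't execute commands just because somebody told you so…" appear only on the old side, so confirm they were moved rather than dropped.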
Line 166: Line 170:
It's best to write them down physically on a paper (never or only partially/obscured&encrypted electronically). And that in a way that only you can read properly. For instance you could write down signs for words and alter the order in a specific way. Store them in a secure place and store them twice.<<BR>>
Furthermore try to enable two factor authentication (2FA) for as many of your relevant accounts as possible. Also calculate in the possibility of losing your phone (typically there are backup codes).
It's best to write them down physically on a paper (never or only partially/obscured&encrypted electronically). And that in a way that only you can read properly. For instance you could write down signs for words and alter the order in a specific way. Store them in a secure place and try to store them twice.<<BR>>
You could also store them electronically with the password missing some words that you only store on piece of paper
.<<BR>>
Furthermore try to enable two factor authentication (2FA) for as many of your relevant accounts as possible. Also calculate in the possibility of losing your phone (typically there are backup codes which you should write down).
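Review bot: the added sentence "You could also store them electronically with the password missing some words…" follows "never or only partially/obscured&encrypted electronically" but does not repeat that the electronic copy should be encrypted; say so explicitly. The sentence is also missing an article ("on a piece of paper"), and its closing ".<<BR>>" has ended up on a line of its own.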
Line 179: Line 184:
 * Immediately uninstall {{{kaccess}}}. This is to prevent people from spying on your screen and on what you type. Don't do it if you're literally blind. Otherwise open apper -> type kacccess -> remove -> apply -> enter your password and let it uninstall.
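Review bot: the added bullet claims that removing {{{kaccess}}} prevents "people from spying on your screen and on what you type" without a source or any explanation of how that would happen; add a reference or soften the claim. The search term in the apper steps is also misspelled as "kacccess".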
Line 181: Line 187:
 * Create a folder for software (such as scripts) that you download from the Internet under {{{/home/username/}}}. You could name it "Software", "Programs" or alike.
Line 190: Line 195:
 * Make sure you have the right soundcard selected under "Phonon Audio and Video" -> Device Preference and -> Audio Hardware Setup and "Audio Volume" -> "Output Device" -> Default and -> Configuration. (Also disable all Input besides if you want to record something with a micro.) Disable the sound when changing the volume in "Audio Volume" -> Volume feedback -> disable.
Line 248: Line 254:
Note: at [[IntegratedIntrusionDetectionSystem]] work is ongoing to improve IDS!

You can find useful Tripwire Policy rules at: [[TripwirePolicyRules]].
Line 273: Line 283:
 * Inser the USB stick. Open it with dolphin and close dolphin again.  * Insert the USB stick. Open it with dolphin and close dolphin again.
Line 292: Line 302:
  * Compilers: {{{sudo chmod 0444 /usr/bin/as}}} {{{sudo chmod 0444 /usr/bin/g++}}} {{{sudo chmod 0444 /usr/bin/gcc}}}   * Compilers: {{{sudo chmod 0444 /usr/bin/as}}} {{{sudo chmod 0444 /usr/bin/g++}}} {{{sudo chmod 0444 /usr/bin/gcc}}} {{{sudo chmod 0444 /usr/bin/g++-6}}} {{{sudo chmod 0444 /usr/bin/gcc-6}}}
   * See section "Compiling programs" on how to properly compile programs
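Review bot: the {{{chmod 0444}}} commands, now extended to g++-6 and gcc-6, change the modes of package-owned files under /usr/bin, which a package upgrade or reinstall sets back; Debian's dpkg-statoverride exists for making such overrides persistent and is worth mentioning here. The new sub-bullet points to a section "Compiling programs", but the section added in this revision is titled "Compilation" under "Installing, compiling and running programs"; use the actual title.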
Line 315: Line 326:
 * Electrum is a FOSS bitcoin client. If you want to use it anonymously install it, then go offline, then create a standard wallet, the go to network configurations, then set the proxy to {{{SOCKS5 localhost 9050}}}. If you want to have better security (given more or less that you trust TrustedCoin more than yourself) instead select "Multifactor authentication". But you might have problems getting it to work with your firewall if you go for the latter. It is best to store the wallet on an encrypted external medium such as a CD/DVD.  * Electrum is a FOSS bitcoin client. If you want to use it anonymously or have your firewall set up properly install it, then go offline, then create a standard wallet, the go to network configurations, then set the proxy to {{{SOCKS5 localhost 9050}}}. If you want to have better security (given more or less that you trust TrustedCoin more than yourself) instead select "Multifactor authentication". But you might have problems getting it to work with your firewall if you go for the latter. It is best to store the wallet on an encrypted external medium such as a CD/DVD.
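Review bot: the added clause "or have your firewall set up properly" makes the condition unclear, since it now reads as if a properly configured firewall were a reason to go offline and set the SOCKS5 proxy. Say what the firewall has to do with routing through localhost 9050. The existing typo "the go to network configurations" (for "then go to") is carried over and can be fixed in the same edit.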
Line 318: Line 329:
 * GUFW is Debian's firewall GUI. Sadly it does not work properly when blocking outbound traffic. Hence it is recommended that you use iptables instead. But you could install it anyway and have it disabled. You can find useful firewall rules at: [[FirewallRules]].

Sadly there doesn't seem to be a proper application-level firewall for Debian yet.

* G[[Uncomplicated Firewall (ufw)|UFW]] is Debian's GUI firewall. Sadly it does not work properly when blocking outbound traffic. Also it is not packaged with DVD-1. Hence it is recommended that you use [[iptables]] instead. But you could install it anyway and have it disabled.
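Review bot: the new link markup "G[[Uncomplicated Firewall (ufw)|UFW]]" splits the name GUFW so that only "UFW" is linked and the leading "G" is left outside; link the whole word or name both tools. The rewrite also drops the pointer to [[FirewallRules]] and loses the bullet's leading space, which changes its list level; keep the link if that page is still maintained.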
Line 328: Line 343:
{{{-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT}}}<<BR>>
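Review bot: this removes the rule {{{-A INPUT -p tcp -m tcp -m state --state ESTABLISHED -j ACCEPT}}} and the hunk shows nothing taking its place. If the INPUT chain drops by default, replies to connections the machine itself opened will no longer be accepted, so either keep a rule accepting established traffic or state in the text which remaining rule covers it.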
Line 369: Line 383:
 * Install {{{iptables-persistent}}}
 * Run {{{sudo kate /etc/iptables/rules.v4}}} and copy the contents of /etc/iptables.conf into it
  * An exemplary iptables contents can be found here:
 *
Run {{{sudo iptables-restore < /etc/iptables/rules.v4}}}
 * Install {{{iptables-persistent}}} via apper or {{{apt-get install}}}
 * Run {{{sudo kate /etc/iptables/rules.v4}}} and copy the contents of {{{/etc/iptables.conf}}} into it
 * Run {{{sudo iptables-restore < /etc/iptables/rules.v4}}} or {{{sudo ip6tables-restore < /etc/iptables/rules.v6}}}
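Review bot: in the last added bullet, "or" between {{{iptables-restore}}} and {{{ip6tables-restore}}} suggests the two are alternatives, but they load separate IPv4 and IPv6 rulesets; write "and". The steps only fill {{{/etc/iptables/rules.v4}}} (from {{{/etc/iptables.conf}}}), so say where the contents of rules.v6 come from.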
Line 377: Line 390:
 ** Use {{{sudo fuser -v portnumber/tcp}}} to find out which application is causing an open port   * Use {{{sudo fuser -v portnumber/tcp}}} to find out which application is causing an open port
Line 384: Line 397:
You can find out exactly which data is being sent by applications and to websites by making use of wireshark. You can use this to identify undesired data transmissions. After installing wireshark run {{{sudo dpkg-reconfigure wireshark-common}}} choose "Yes" and then run {{{sudo adduser $USER wireshark}}}. After running wireshark run {{{sudo dpkg-reconfigure wireshark-common}}} again and choose "No". You can find out exactly which data is being sent by applications and to websites by making use of wireshark. You can use this to identify undesired data transmissions. After installing wireshark run {{{sudo dpkg-reconfigure wireshark-common}}} choose "Yes" and then run {{{sudo adduser $USER wireshark}}}. After running wireshark run {{{sudo dpkg-reconfigure wireshark-common}}} again and choose "No" / {{{sudo deluser username wireshark}}}.
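Review bot: the added "/ {{{sudo deluser username wireshark}}}" leaves open whether it is an alternative to choosing "No" or an additional step; spell it out as "and". The add step uses {{{$USER}}} while the removal uses the placeholder "username"; use one form. It is also worth stating that a group change only takes effect at the next login.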
Line 387: Line 400:
 * To go online you likely need to connect your PC to your router with a LAN cable  * To go online you likely need to connect your PC to your router with a LAN cable. WLAN dongle are highly unlikely to work (apply pressure to manufacturers).
Line 411: Line 424:
  * For OpenDNS: run {{{kde5-nm-connection-editor}}} and choose your connection -> right click -> edit -> click on the IPv4 settings tab -> choose "Automatic (DHCP) addresses only" -> then enter IPs of DNS servers in the "DNS servers" field, separated by spaces -> "Apply". Use one of the IP addresses [[https://en.wikipedia.org/wiki/OpenDNS#Name_server_IP_addresses|here]] such as 208.67.222.222   * For OpenDNS: run {{{kde5-nm-connection-editor}}} (or right click the network icon in the bottom right -> Configure Network Connection) and choose your connection -> right click -> edit -> click on the IPv4 settings tab -> choose "Automatic (Only addresses)" -> then enter IPs of DNS servers in the "DNS servers" field, separated by spaces -> "Apply". Use one of the IP addresses [[https://en.wikipedia.org/wiki/OpenDNS#Name_server_IP_addresses|here]] such as 208.67.222.222. (or 2620:0:ccd::2 for IPv6).
  * Uncheck "automatically connect to this network when it is available" and "All users may connect to this network" and yourself as "Users allowed to activate this connection" under "Advanced".
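Review bot: the IPv6 resolver "2620:0:ccd::2" is added to instructions that tell the reader to open the IPv4 settings tab; say that it goes into the DNS field of the IPv6 tab. There is a stray period in "208.67.222.222. (or …)", and the new sub-bullet is missing a verb before "yourself" (for example "… and add yourself as 'Users allowed to activate this connection'").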
Line 419: Line 433:
   * Enabling HTTPS (for encrypting the data that is sent between your browser and a website) whenever possible: HTTPS Everywhere
   * Adblocker: uBlock Origin
   * Disabling Javascript by default (you need to allow it if websites you trust don't work): NoScript
   * Enabling HTTPS (for encrypting the data that is sent between your browser and a website) whenever possible: [[https://addons.mozilla.org/de/firefox/addon/https-everywhere/|HTTPS Everywhere]]
   * Adblocker: uBlock Origin (for the latest version of Firefox ESR you may need to download it [[https://addons.mozilla.org/firefox/downloads/file/685614/ublock_origin-1.13.8-an+fx+sm+tb.xpi|here]])
   * Disabling Javascript by default (you need to allow it if websites you trust don't work): [[https://addons.mozilla.org/de/firefox/addon/noscript/|NoScript]]
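Review bot: the uBlock Origin link points directly at a versioned .xpi file (ublock_origin-1.13.8-…), so readers will keep installing that exact build after newer ones exist; link to the add-on's listing page and describe the ESR caveat in words. The HTTPS Everywhere and NoScript links use the "/de/" locale path, which sends readers of this English page to the German listing; drop the locale segment.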
Line 434: Line 448:
 * Evolution and Thunderbird are two good email clients. Evolution comes preinstalled. Open port [...]  * Evolution and Thunderbird are two good email clients. Evolution comes preinstalled but Thunderbird is more popular and has more AddOns and features. Open port [...]
 * For Thunderbird install the {{{clamdrib LIN}}} AddOn for scanning emails for malware.
  * You may want to edit the {{{clamd.conf}}} to add
    {{{TCPSocket 3310}}}<<BR>>{{{TCPAddr localhost}}}<<BR>>and restart Thunderbird
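Review bot: after editing {{{clamd.conf}}} the text says to restart Thunderbird, but the TCPSocket and TCPAddr settings are read by the clamd daemon, so it is clamd that has to be restarted before port 3310 is opened. Give the full path of the file as well.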
Line 448: Line 465:
 * Set the security level to highest by clicking the Tor button next to the NoScript button -> Tor settings
 * Know when Tor should be used and when it shouldn't. Tor is to provide anonymity and not to provide security. Don't use it for casual browsing and entering personal information. The exit-node may actually be spying on your traffic (and be able to easily eavesdrop if you aren't browsing HTTPS-protected or .onion sites). It's only there to provide anonymity.
Line 451: Line 470:
 * Make sure the VPN has a Debian client  * Make sure you can use the VPN with [[OpenVPN]]. Do not use a company's VPN client.
Line 453: Line 472:
 * Connect to it with {{{sudo openvpn --config configuration-file.ovpn}}}
 * VPNs are good for things like warez. They aren't as good as people think they are. [[https://gist.github.com/joepie91/5a9909939e6ce7d09e29|1]] [[http://www.makeuseof.com/tag/5-ways-vpn-not-secure-think/|2]] Don't use free VPNs.
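Review bot: "VPNs are good for things like warez" recommends the tool for downloading pirated software and does not belong in a setup guide, and "They aren't as good as people think they are" does not say in which respect. State the concrete limitation that the two linked articles are cited for. The first added bullet should also say where "configuration-file.ovpn" comes from.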
Line 463: Line 484:
 * WLAN driver Info here: [[WiFi]]  * WLAN driver Info here: [[WiFi]]. WLAN dongles are highly unlikely to work properly in Debian.
 * For drivers you ''sometimes'' need to install kernel headers. For this install the relevant package by running: {{{sudo apt-get install linux-headers-$(uname -r|sed 's,[^-]*-[^-]*-,,')}}
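Review bot: the added command is closed with "}}" instead of "}}}", so the code markup is not terminated. A short explanation of the sed expression would also help newcomers: it strips the version prefix from {{{uname -r}}} so that the headers package matching the running kernel flavour is installed.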
Line 468: Line 490:
 * Install simple scan for scanning  * Install {{{simple-scan}}} for scanning
 * http://localhost:631/ should be the CUPS page where you can setup your printer
Line 472: Line 495:
  * For this you need the following iptables-rules: {{{-A INPUT -p tcp -m tcp --dport 1714:1764 -j ACCEPT}}}<<BR>
{{{-A INPUT -p udp -m udp --dport 1714:1764 -j ACCEPT}}}<<BR>>
{{{-A OUTPUT -p udp -m udp --dport 1714:1764 -j ACCEPT}}}<<BR>>
{{{-A OUTPUT -p tcp -m tcp --dport 1714:1764 -j ACCEPT}}}<<BR>>
{{{-A OUTPUT -p udp -m udp --sport 1714:1764 -j ACCEPT}}}<<BR>>
{{{-A OUTPUT -p tcp -m tcp --sport 1714:1764 -j ACCEPT}}}<<BR>>
 * [[MTP]]: you need the {{{libmtp-common}}} package. Sometimes this requires more work. Some info [[https://www.howtoforge.com/tutorial/how-to-connect-your-android-device-on-linux/|here]]
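Review bot: the two added INPUT rules accept TCP and UDP on ports 1714:1764 from any source address; if the service is only meant to be reached by devices on the local network, restrict them with a source match ({{{-s}}} and the LAN subnet) or an interface match. The first rule ends in "<<BR>" with one ">" missing, which breaks the line-break macro.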
Line 475: Line 505:
/* TODO [[MIDI]] [[MidiHardware]] */ See: [[MIDI]] and [[https://en.wikipedia.org/wiki/List_of_Linux_audio_software|Wikipedia's List of Linux audio software]]

For DJing / mixing there is [[https://www.mixxx.org/|mixxx]].

If nothing works for Debian you could consider using a virtual machine to get it working.
Line 478: Line 512:
 * Some special buttons of your input devices might not work. Typically you can use xbindkeys or the shortcuts to get them working.  * Some special buttons of your input devices might not work. Typically you can use {{{xbindkeys-config}}} or the shortcuts to get them working.

== Installing, compiling and running programs ==
=== Compilation ===
Sometimes you may need to compile programs if (latest) packages aren't available in Debian repositories.
To compile you need to make sure you have the right compilers installed. The compilers needed are typically displayed when you try to compile software. Some often needed packages for compilation are: g++, g++-6, gcc, gcc-6, as and build-essentials. You need to make sure they have the right permissions set before compilation by running {{{sudo chmod 0700 /usr/bin/as}}}. After compilation they should be set back to 0444. You need to compile as sudo.

=== .deb files ===
First navigate to the place where the .deb file is located by {{{cd folder-path}}} then install the package by running {{{sudo dpkg -i package.deb}}}.

=== The installation folder ===
 * Create a folder for software (including scripts) that you download from the Internet under {{{/home/username/}}}. You could name it "Software", "Programs", "Apps" or alike.
 * Run {{{sudo chown root:username /home/username/foldername}}} to make root the owner of the folder and oneself the group
 * Then run {{{sudo chmod -R 0750 /home/username/foldername}}} to change the permissions
 * Check permissions with {{{ls -l folderpath}}}
 * Move software into that directory by running {{{sudo mv folderpath1 /home/username/foldername/folderpath2}}}
 * '''Never run software as root.''' If programs don't work change permissions of individual software like so: {{{sudo chmod 0770 /home/username/foldername/programpath}}}

=== Clean-ups ===
Cleanup deinstalled programs by running {{{dpkg --get-selections | grep deinstall}}} and then {{{sudo dpkg --purge package-name}}}. Also run {{{sudo apt-get autoremove}}} or cleanup using BleachBit.

== Sandboxing ==
Sandboxing means that programs get somewhat isolated from the rest of the machine so that they can't cause great harm. For example their permissions and the directories they have access to can be limited.

 * Use {{{firejail}}} to sandbox software.
  * Firejail profiles for software can be found [[https://github.com/netblue30/firejail/tree/master/etc|here]].
   * Sandboxing your browser is essential. Sandboxing other software might not but it's always a good thing to do.
   * After you have the right profile in your {{{/etc/firejail/}}} folder you should be able to run a program sandboxed by running {{{firejail program-name}}}. You can also add a launcher for the sandboxed version by right-clicking on the KDE icon in the bottom left -> Edit Applications -> editing the command by prefixing it with {{{firejail}}}
 * Virtual machines can also be a form of sandboxing.

== Virtual machines ==
(OPTIONAL)<<BR>>
For protecting your system you may want to use virtual machines. They could also help you out if you need to get Windows programs running. Virtual machines are simulated computers with their own "virtual" hardware that run isolated under your "host" OS.<<BR>>
Do not connect them to the Internet. Do not use "shared folders". Do not use drag & drop. Isolate the VM as much as possible.<<BR>>
 * [[VirtualBox]] is a popular "hypervisor" that you can use to create and run virtual machines.
  * After installation you need to run {{{sudo usermod -a -G vboxusers username}}} to run it.
  * You then need an .iso or DVD of an operating system you wish to install as a virtual machine and some GBs of free storage space.
   * Download a Windows/Mac .iso if you want to inspect, [[ReverseEngineer]] or test Windows/Mac software or need it to have some hardware or software running that only works under Windows/Mac (doing the former can help build GNU/Linux support).
   * Download a Kali Linux .iso if you want to learn hacking
  * To move files from your host OS into the virtual machine do not use shared folders or drag&drop but instead create a new data project in K3B and create an .iso file with all the files. Then add that .iso file under Settings->Storage of the virtual machine.
  * Create snapshots for being able to rollback changes to the virtual machine.
  * After running it remove yourself from the vboxusers group by running {{{sudo deluser username vboxusers}}}
 * KVM is an alternative "hypervisor"
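Review bot: in the new "Compilation" section, "You need to compile as sudo" together with {{{sudo chmod 0700 /usr/bin/as}}} means the build scripts of downloaded source run as root, which conflicts with "Never run software as root" further down in the same hunk. Suggest restricting the compilers to a dedicated group instead of root only, so that building can be done from an unprivileged account. Smaller points: the package is named build-essential, not "build-essentials"; {{{chmod -R 0750}}} also sets the execute bit on every regular file in the folder; and the {{{chmod 0770}}} workaround gives the user write access to software that the section otherwise keeps root-owned and not writable by them.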
Line 481: Line 557:
 * You should create regular backups of your data onto an external storage device. The most important data should be backed up twice. The main storage device holding the backup needs to be physically disconnected from your computer except when you are running a backup. Obviously it needs to be encrypted too.
  * [[https://www.youtube.com/watch?v=oS5uH0mzMTg|Tutorial for rsync]]
You should create regular backups of your data onto an external storage device. The most important data should be backed up twice. The main storage device holding the backup needs to be physically disconnected from your computer except when you are running a backup. Obviously it needs to be encrypted too.
 * [[https://packages.debian.org/stretch/backintime-common|BackInTime]] is a convenient GUI for rsync that helps you manage backups.
  * After installing press the Settings button on top and choose the source path/s and the destination path. You can create multiple "profiles" for varying backup jobs. Exclude large directories that you don't want to have backed up and the trashbin under "Exclude". You can set it up to automatically remove old backups and run backups regularly. BackInTime does incremental backups which means that only the files that have been changed will be backed up in subsequent backups. If you have multiple backups you can also delete old backups within BackInTime which only removes the old versions of files and directories that have been changed. BackInTime also stores permissions of files separately to
  * Check whether a backup has worked correctly by inspecting folder-sizes and some of your important files. If some files are missing first check if they are "excluded". You can also run {{{diff -qr path1 backup-path}}} to compare directories.
  * Have your most important files backed up to an encrypted readonly medium you store offline such as VeraCrypt volumes on CDs.
 * [[https://www.youtube.com/watch?v=oS5uH0mzMTg|Tutorial for rsync]] if you want to use the command-line and do without BackInTime's features
 * Run {{{sudo sfdisk -l}}} and then {{{sudo sfdisk -d /dev/sda > part_sda.txt}}} for every partition (replace sda) with the partition name of your partition. Also run {{{sudo pvdisplay > pvdisplay.txt}}}. Backup these files, they might help you restore your hard drive in case of failure (you only need to run these once).
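Review bot: the BackInTime sub-bullet ends mid-sentence at "BackInTime also stores permissions of files separately to"; complete it or remove the fragment. In the last bullet, {{{sfdisk -d /dev/sda}}} dumps the partition table of a whole disk, so "for every partition … with the partition name of your partition" should read "for every disk", and the closing parenthesis after "(replace sda" is misplaced.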
Line 501: Line 582:
 * Read [[DontBreakDebian]]
 * Use VirtualBox if you have to use a virtual machine (such as Windows if absolutely necessary)
 * Read [[DontBreakDebian]] / watch [[https://www.youtube.com/watch?v=ThuIHDsxDYc|this]]
 * See the full and lengthy [[https://www.debian.org/releases/stable/amd64/index.html.en|Debian GNU/Linux Installation Guide]] and [[QuickInstall]] and [[DebianIntroduction]] and [[DebianDesktopHowTo]]
 * Use [[VirtualBox]] if you have to use Windows / Mac
 * Useful links: [[https://ss64.com/bash/chmod.html|Chmod permissions calculator]]
Line 507: Line 590:
 * Also secure your other devices such as your mobile phone. Also secure your router.
 * Get an IDE such as Eclipse or NetBeans, read online tutorials for programming languages such as Java, C++, Python or Bash, register on stackoverflow and help program Debian's software
 * Share this page
 * Also secure your other devices such as your mobile phone (e.g. NetGuard firewall for Android). You may also want to secure your router.
 * Get an IDE such as Eclipse or NetBeans, read online tutorials for programming languages such as Java, C++, Python or Bash, register on stackoverflow and get started with helping program Debian's software.
 * '''Share this page'''

Introduction

This page aims to be(come) a step-by-step guide for setting up a personal computer with Debian from scratch to a fully configured system with high security, usability, convenience and privacy-protection.

It aims to be written in layman's terms without any required preknowledge and is mainly aimed at Debian newcomers - especially those who switched to Debian to evade backdoors in other operating systems (OS) and malware, and to gain control over their machines.

The steps don't need to be followed exactly - it is meant as an orientation to speed up and ease the setup to allow inexperienced GNU/Linux users and even casual computer users to get a fully free and open source (FOSS) operating system going by themselves. They can delve deeper once it is working. Ubuntu is not a solution.
It should not be split up as it aims to aggregate and summarize information for an all-in-one-place guide.

Much of this guide might be suboptimal or even false: please help by improving and correcting it. If you think it's not useful you can ignore it.

Goal

The difficulty of properly setting up Debian is keeping many users away. The ultimate goal of guides such as this is to bring about a worldwide mass-migration to 100% FOSS operating systems and to increase the cybersecurity of citizens and infrastructure.
Security and privacy are human rights. Nobody denies that there are valid reasons for surveillance and most understand that secure communication can also be problematic sometimes by unwittingly helping those who decrease security of society. Those that harm or plan to harm society need to be confronted by society, in innovative ways and adequately. A fundamentally insecure society which also gives up its right to privacy in an intrusive way never possible before and allows for highly centralized, often or potentially AI-driven, control has already somewhat "lost". And cybercrime is not prevented by suppressing information and keeping everyone insecure but by building technically secure infrastructure and systems.
Widespread vulnerabilities, central control and mass-surveillance are a greater danger to society than ill-intentioned people using such information. Suppressing such information and obstructing citizens from gaining control over their machines and securing them is not a solution.

Lengthy, incomplete, obscure, dispersed and sophisticated guides or even books only found and implementable by elitist/senior GNU/Linux users with much knowledge, interest and time are not a solution either.
This guide is not a solution but it could become part of one if it gets developed further, gets interconnected with potential Debian newcomers and is potentially built into setup wizards or the like.

Prior installation FAQ

What is GNU/Linux?
A "Unix-like" operating system that is free and open source. Many variants of these operating systems exist and they are running on most servers (computers that serve content or services such as websites) and on android phones. Linux is the kernel of the GNU/Linux operating system and most people are referring to the GNU/Linux operating system when they're speaking of "Linux" (e.g. because people want a single short term and "GNU+Linux", while being more accurate, is two terms). GNU stands for "GNU's Not Unix!" as GNU's design is "Unix-like", but differs from Unix by being free software and containing no Unix code. The GNU project was founded by Richard Stallman. The Linux kernel was developed by Linus Torvalds.

What is free and open source software?
Software that allows anyone to freely use, copy, study, and change it in any way, and has its source code openly shared so that people are encouraged to voluntarily improve the design of the software. This is in contrast to proprietary software, where the software is under restrictive copyright and the source code is usually hidden from the users. Although rare, some unfree software might have its source code public too.

What is Debian?
It is a distribution of GNU/Linux. A popular variant of the operating system.

Why Debian?
See WhyDebian. It's 100% FOSS, stability, security, your control, features, configurability, privacy, large community, largest upstream GNU/Linux distribution, many packages. It aims to be the best operating system. [...]

Why not Ubuntu?
Ubuntu is based on Debian but isn't as good and isn't 100% FOSS. Note that you can still get help from most material that refers to Ubuntu, as Debian is very similar to it (for instance most answers on askubuntu may help you out as well, and instructions for Ubuntu often only need to be slightly altered for Debian).

Why not another GNU/Linux distribution?

  • Ubuntu: See above
  • Linux Mint: it includes nonfree software[...]
  • Arch Linux: smaller distribution, smaller community, fewer packages, harder to properly set up[...]
  • Fedora: smaller distribution, smaller community, fewer packages
  • Gentoo: for advanced users only

I want to try Debian first
Try the LiveCD.

Can I still play my games on Debian?
Do you really need to? Some of them maybe. But consider if it's worth the effort and introduced security risks. You can use PlayOnLinux / Wine / Steam to play games. However they are somewhat insecure 1 2.
But there are free Linux games for Debian such as SuperTuxKart. And you can play console games (Gamecube, PS2, etc) using an Emulator such as Dolphin.

I only want to install Debian in addition to Windows (dual boot)
Don't do it. Test Debian using a LiveCD instead.

Does my laptop support Debian?
You need to check it first. If you already have a laptop you should try if you can boot and properly use the LiveCD. If you want to buy a laptop you need to research whether other people have reported having gotten GNU/Linux working on it. Many Dell laptops support Debian for example. In addition you need to apply pressure to laptop manufacturers to support it. You might find useful information here.

Does Debian support touchscreens and tablets?
Yes. Please see TabletAndTouchScreen.

Why would I need such a secure and privacy-protecting OS?
In short: cybercrime, state-sponsored cyberintrusions, companies selling your personal data, uncertainty of the future, centralized control, activism, journalism, journalism-like activities, industrial espionage, having control over your own machines, infrastructure security, etc.

Download & burn

  • Download a CD/DVD image of the "stable" release from: https://www.debian.org/CD/http-ftp/

    • It's recommended to use the DVD image as there is more software packaged with it
    • If you have a 64bit machine you most likely need amd64 and if you have a 32bit one you need i386

      • On Windows you can find out whether you have 64bit or 32bit by going to Start menu -> All Programs -> Accessories -> System Tools -> System Information -> System Type or by pressing and holding the Windows key and the Pause key or by rightclicking on Computer -> Properties -> System type.

      • Most modern computers run 64bit
    • You only need one DVD and to download only the [...]DVD-1.iso

  • Once the .iso file has finished downloading you should checksum the file to verify that it has not been altered and is in a proper state. (A checksum is a short ID that is always the same if the data is exactly the same.) To do this, open a terminal and type sha512sum {full path to the .iso file} if you are running GNU/Linux; if you're running Windows, download HashMyFiles and open the .iso with it. Then compare the hashsum to the one in the SHA512SUMS document from where you downloaded your CD/DVD (e.g. https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/). It has to be the same ID. (Additionally you could also do a websearch for the ID. If the ID differs, check whether your download finished properly and, if it did, report it somewhere.)

  • Burn the .iso file to an empty CD/DVD. On Windows you could use InfraRecorder. On GNU/Linux you could use K3B.

  • K3B does checksum the CD/DVD to verify that it has been written properly
  • Label the CD/DVD so you don't confuse it later
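
The comparison described above can be scripted so that the two 128-character values are never compared by eye. This is an added example, not part of the original guide; the function name verify_iso and its return codes are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the guide): check a downloaded image against the
# SHA512SUMS file published next to it.
# Returns 0 = match, 1 = mismatch, 2 = unreadable input or image not listed.
verify_iso() {
    iso=$1
    sums=$2

    if [ ! -r "$iso" ] || [ ! -r "$sums" ]; then
        echo "cannot read '$iso' or '$sums'" >&2
        return 2
    fi

    name=$(basename "$iso")

    # Each SHA512SUMS line is "<128 hex digits>  <file name>" (binary mode
    # writes "*<file name>"). Match the exact file name, not a substring,
    # so that DVD-1 is never confused with DVD-10.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }
    ' "$sums")

    if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{128}$'; then
        echo "no valid SHA-512 entry for $name in $sums" >&2
        return 2
    fi

    actual=$(sha512sum "$iso" | awk '{ print $1 }')

    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches its SHA512SUMS entry"
        return 0
    fi

    echo "MISMATCH for $name" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Stand-alone use: sh verify_iso.sh /path/to/image.iso /path/to/SHA512SUMS
if [ "$#" -eq 2 ]; then
    verify_iso "$1" "$2"
fi
```

A match only proves that the image agrees with the SHA512SUMS file you hold. Debian also publishes a SHA512SUMS.sign signature next to it, which can be checked with gpg --verify SHA512SUMS.sign SHA512SUMS.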

Download software for offline use later

You should not connect to the Internet before you have finished the setup and reached step "Go online". Hence you should download all the relevant (security) software packages beforehand and write them to a CD, DVD or USB stick. For laptops you might also need to download drivers beforehand. The DVD-1 contains many packages and to install them you simply need to insert it and install the software via Apper. However it is also missing many important packages. Which software you want to have running before you connect to the Internet depends on you. For instance the GUFW firewall is not among DVD-1's packages but you don't need it if you'll use iptables instead. You could also install lynis before going online.

  • Download VeraCrypt, hash the downloaded file just like for the .iso above and verify the checksum (i.e. by searching for it)

  • Download Open Source Tripwire, hash the downloaded file just like for the .iso above and verify the checksum (i.e. by searching for it)

  • Copy those two files to a USB stick (or a CD / DVD)

Backup, live CD & formatting

  • Before you install a new operating system to your computer you need to make absolutely sure that you have all your data backed up properly. (Unless you are installing to a new computer, of course.) Don't do this hastily - there might be files in locations you forgot about or the backup might not have worked properly. Once your backup is complete physically disconnect whatever medium you used for this (e.g. an external hard drive).
  • It is best to format your hard drive before starting the Debian installer. Some could not get Debian installer's partitioning tool to properly set up an encrypted hard drive without doing this. You could skip this step but should do this if you run into problems later.
  • If you have only one PC and no other Live CD/DVDs with relevant tools you should at least download and burn the live CD as you might need it later.
    • For this download SystemRescueCD and burn it to a CD/DVD or use another bootable CD/DVD with partitioning tools. Insert the CD/DVD and boot from it by starting your computer and pressing F10, F12, ESC or a similar key that is typically displayed during startup. Boot from the CD/DVD by selecting it and pressing enter or select CD/DVD to boot first (this varies per mainboard).

    • To start SystemRescueCd once you booted from it you only need to press enter a few times and then enter startx. Once the live CD is started open up GParted by clicking in the bottom left -> System tools -> GParted. Then format your hard drive by right clicking on all of its entries -> delete and confirming it with the green checkmark in the upper right. Make sure you selected the right hard drive in the upper right. There should be no other hard drives connected. Once everything is deleted there should be just one entry and the hard drive contents should be gray.

BIOS settings

  • Before installation you should decide whether you want to have your hard drives partitioned as GPT (new) or MBR (old). A GPT disk supports volumes larger than 2 TB, is more robust and allows for more partitions. However, GPT requires a mainboard that supports UEFI. UEFI is a successor of BIOS. Most modern mainboards support it. You can find out if your mainboard supports it by checking the specs of your mainboard or by checking whether it also says UEFI for boot mode somewhere in the BIOS settings. You could consider buying a new mainboard. If you would like to have GPT and UEFI, set the boot mode to UEFI only or change the boot order so that UEFI CD/DVD is #1. If you did this right the Debian installer's splash screen will say it's the UEFI installer.

  • Debian might not support some of your BIOS (or UEFI) options so you might have to change some of them later or reset them back to the defaults.

Installation

  • Boot from the Debian installer as described here. Select graphical installation.

  • Select the keyboard layout of your language or else you might get problems with some keys such as the z and y keys.
  • Do not connect the Internet during installation! You should disconnect any LAN cable or WLAN adapter and remain offline until you have configured all the necessary things. Skip the network configuration step.

  • Select a hostname that other computers in your network can use to identify your machine. Don't name it "localhost".
  • You can leave the domain name empty.
  • Do not set a root password. Leave it empty. This will lock the root account (you can still unlock it later) which is best practice for most personal computers. Instead of using the root user you should use the sudo command. You can also lock the account later by running sudo passwd -d root and sudo passwd -l root.

  • Create your user and password. Choose a long (> 14 chars) and good (some capitaliZed keys, numb3rs and $pecial characters) password and physically write it down somewhere.

Partitioning

Partitioning is the hardest part of the installation and you might have to rerun it a few times.

  • Select "Guided - use entire disk and set up encrypted LVM" (or "Manual").

  • Select Separate home partition

  • The root partition on which Debian gets installed to should be around 30GB. The home partition should take up all the rest of the hard drive space.
  • If you have UEFI note that you need a boot partition and an EFI partition with the bootable flag set to On.
  • If you're not installing on a laptop you should remove the swap partition as it isn't properly encrypted.
    • For this go to Configure logical volume group -> remove volume -> select the swap partition then click on the swap entry and delete the partition.

    • Let it delete prior data of the hard drive (this may take an hour or so) and set another good password again. It's best to have that password written down nowhere.

Software selection (desktop environment)

The desktop environment is the graphical surface of your operating system. It is important that you select the one that fits best to you. You might want to try and compare multiple of them (e.g. via live CDs) and research them (e.g. watch videos showing them).

  • Select only one desktop environment (GNOME or Xfce or KDE or Cinnamon or MATE or LXDE)
    • KDE is arguably the best choice for a personal, modern computer. It has many features, looks great, is highly configurable and extendable and is easy to use. Video presentation. This guide is tailored to KDE.

  • Most likely you shouldn't check "web server" and "SSH server"

Finish

  • Write the GRUB bootloader to the disk when it asks you about it
  • You can check the integrity of the CD in the installer by pressing back and selecting "Check integrity of CD"
  • Finish the installation, remove the CD/DVD and restart your PC. You should enter the graphical GRUB bootloader and it should automatically boot Debian.

Principles and preknowledge

  • Do not connect to the Internet before you finished the setup and reached step "Go online".
  • Only by using root rights can important files be changed and specific commands be run. For this your password is needed. To run commands as root type sudo {command} into the terminal. Most often it will tell you when root rights are required for commands.
  • One of your best defenses is to report anything unusual that you noticed on your machine. Document everything strange, including the relevant logs (of syslog and the like). Then report it or ask about it. Don't keep it to yourself.
  • If you don't know something and you can't find it via your search engine ask about it on places such as https://unix.stackexchange.com/ as this will help everyone finding an answer with the same question as you. Make sure to explain your question well and to make it well findable by those with the same question.

  • You should try to never run GUIs (graphical user interfaces / software with a window and controls) as root. Do not install gksu.
  • The terminal is where you enter commands. Debian's default terminal is konsole. You will need to use it often as many things are not yet possible via GUIs. It actually isn't hard to use.
    • By entering history you can find a list of commands you have executed under the current account. Entries can also be deleted from this log by running history -d line-number.

  • Your package-manager is how you find, install and update applications. Try to never install packages from outside the package manager if possible. The best package managers are Apper, Synaptic and Discover (Software Center).
  • Apply updates quickly and check for updates regularly.
  • Try to never install nonfree software unless absolutely necessary. There can easily be backdoors and all sorts of malicious code in closed source software.
  • You can find more information about commands and programs by just entering the name of the program into the konsole, or the name and "--help" or "man" and the name or by reading the online documentation.
  • Don't install software without knowing what it does or if you don't need it. Don't install things like Flash.
  • Don't execute commands just because somebody told you so or you read about it. Make sure you roughly know what it does. Some commands might destroy your system (e.g. rm to delete important files).

  • You can find logs under /var/log/. The most important one is /var/log/syslog which you can only open (with a texteditor) as root (via sudo). /var/log/apt/history.log is a log of installed packages.

  • You can typically quit displays of text in the console by pressing q or ctrl+x (^ refers to the ctrl key).

  • Some additional important commands:
    • mkdir {path} creates a directory
    • cd {directory} moves the context to a directory (cd .. moves you one directory up)
    • sudo ifconfig displays information about your IP
    • sudo dpkg -i filepath installs .deb packages
    • sudo apt-get install packagename installs a package from the terminal (konsole)
    • sudo dpkg --add-architecture i386 adds the 32bit architecture
    • sudo -i starts a sudo session
    • sudo cp -r path path copies files as root
    • sudo mv path path moves files as root
    • passwd changes your password
    • bash filepath executes a bash file
    • ls -l lists the files of a directory
    • sudo shutdown -h now shuts down the computer
    • groups username displays the usergroups your user is part of
    • Some more here

  • You can save the output of any command by appending > filepath to a command. For example ls -l > contents.txt creates a file with information on the contents of the directory you're currently in. You can get information about commands by appending --help to them for instance ls --help shows you information about the ls command.

  • You don't need to know all of this by heart or so. Simply frequent this page or other pages. But you need to know where to ask for help and how to find the information needed. (Which after reading the above you should know.)

Passwords

It's best to write them down physically on paper (never, or only partially/obscured&encrypted, electronically), and in a way that only you can read properly. For instance you could write down signs for words and alter the order in a specific way. Store them in a secure place and try to store them twice.
You could also store them electronically with the password missing some words that you only store on a piece of paper.
Furthermore try to enable two factor authentication (2FA) for as many of your relevant accounts as possible. Also account for the possibility of losing your phone (typically there are backup codes which you should write down).

Initial setup

  • Click on the 3 bars in the upper left -> configure desktop -> Layout -> Folder view if you want to see files on your desktop.

  • In the application starter in the bottom left you find all your applications and the buttons to switch off your computer
  • Open "dolphin" by entering it in the application starter's search bar or by clicking on its icon in the favorites. Dolphin is KDE's default filemanager. You can browse all of your computer's files by clicking "Root" under "Places" in the upper left and storage devices under "Devices". You can add places by dragging them into this panel and you can hide devices you don't need to see by right-clicking them -> hide. Your files should be stored under /home/yourusername/. You can search, change the view-type and settings via the options in the upper bar. To view your current location click next to the text below the upper bar.

  • You can pin applications that you use often to the taskbar. For this enter the name of the application into the search bar -> rightclick it -> select add to panel or add as launcher. It is recommended to add "dolphin", "konsole", "system monitor" and "apper" to the bar.

  • If you did create a root account you need to add yourself to the sudoers file. This is so that you can execute the sudo command. If you did not create the root account you can execute the sudo command already and don't need to do that. To add yourself to the sudoers file enter sudo kate /etc/sudoers -> enter your password -> add yourusername ALL=(ALL) ALL below %sudoers and save the file (ctrl+s). Instead of kate you could also use another texteditor such as nano.

  • If you have problems with your timezone and the time-display you can change it by entering tzselect into the konsole and by right clicking the clock in the bottom right.

  • If there are problems with your monitor/s / display enter "Displays" into search and check its settings and infos.
  • Enter mouse into the search and set it to "double click to open files"
  • Immediately uninstall kaccess. This is to prevent people from spying on your screen and on what you type. Don't do it if you're literally blind. Otherwise open apper -> type kaccess -> remove -> apply -> enter your password and let it uninstall.

  • You can add useful widgets (such as CPU Load Monitor and Network Monitor) to your desktop by clicking the 3 bars in the upper left -> Add Widgets.

  • Disable unneeded startup applications by entering startup applications into the search (e.g. bluetooth and mousepad)
  • Open LibreOffice via the search -> Tools -> Options -> Security -> Set Macro Security to "High" and check all the options under Security Options likely except "Recommend password protection on saving"

  • Configure screenshots
    • Enter "Spectacle" into the search -> click on the right next to "Save & Exit" -> Preferences -> create a new folder in your Pictures folder and change the preferences as needed

    • Enter "Custom Shortcuts" into search -> Screenshots -> here you can change the buttons for screenshots (ctrl+print for a fullscreen screenshot by default)

  • Add custom shortcuts
    • Enter "Custom Shortcuts" into search -> Edit -> New Group -> name it "Custom" then Edit -> Add -> New -> Global shortcut -> Command/URL. Set a trigger (the keys to be pressed) and an action (for example enter "konsole" into Command/URL to have the konsole opened).

    • Enter "Global Shortcuts" into search -> click on Power management or KDE Daemon -> here you can configure shortcuts to suspend or power off your machine

  • Right click the bottom right clipboard icon -> Configure Clipboard -> Check "Ignore Selection"

  • Make sure you have the right soundcard selected under "Phonon Audio and Video" -> Device Preference and -> Audio Hardware Setup and "Audio Volume" -> "Output Device" -> Default and -> Configuration. (Also disable all Input besides if you want to record something with a micro.) Disable the sound when changing the volume in "Audio Volume" -> Volume feedback -> disable.

  • Enter "Screen Locking" into search -> configure the time for the screen to lock automatically and the shortcut to lock it

  • The password for the "KDE wallet" is the same as your user password by default. But you could change/recreate it.
  • Enter Desktop Theme into search -> you can change your theme here

Security and tools

Set a GRUB password

Set a GRUB password as explained here:

  • Run kate /etc/grub.d/00_header /etc/grub.d/10_linux /etc/grub.d/30_os-prober

  • At the bottom of 00_header add this text:

cat << EOF
set superusers="somename"
password somename pw
EOF
Replace somename and pw with a name and a password. If you already encrypted your hard drive you might want to use a shorter one. Do not replace anything except these 3 words. The somename doesn't have to be your username - it can be any word you want.

  • In 10_linux after {CLASS} for the 2 lines that say menuentry add:

    --users ''

    So for example: printf "menuentry '${title}' ${CLASS} --users '' {\n" "${os}" "${version}"

  • Run sudo sed 's/--class os /--class os --users /' -i /etc/grub.d/30_os-prober

  • Run grub-mkpasswd-pbkdf2 and enter the password you set earlier

  • At the bottom of 00_header replace "password" with "password_pbkdf2" and pw with the output of the previous command starting with grub.pbkdf2.sha512. - for example the full line should look like: password_pbkdf2 John grub.pbkdf2.sha512.10000.FC58373BCA15A797C418C1EA7FFB007BF5A5

If you fail to do this correctly you may not be able to boot your system.

  • Run sudo update-grub to apply your changes and restart your computer

Encryption

You need such an encryption program to encrypt data on other storage devices and for the way our IDS is set up in the step below.

  • Install VeraCrypt, ZuluCrypt or another good encryption program.

  • Checksum VeraCrypt before installation and check the hash.

  • You can encrypt whole devices and partitions or just create encrypted volumes.

Anti malware

  • Install ClamTk which also installs ClamAV - Debian's open source antivirus software

    • Once you are online you need to update it
    • in the settings have everything checked (if you check PUAs you likely get many false positives though)

  • Install rkhunter
    • To integrate rkhunter with package updates run sudo kate /etc/default/rkhunter and set APT_AUTOGEN="true"

    • Initially run rkhunter --propupd

    • To run a scan run rkhunter -c

  • Install chkrootkit
    • Run a scan sudo chkrootkit

Kernel hardening

  • Run sudo kate /etc/sysctl.conf and make sure the settings are set like so (if not either change the relevant lines or append to the bottom of the file) (please improve):

net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
kernel.sysrq=0
kernel.kptr_restrict=2
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_timestamps=0
net.ipv6.conf.default.accept_redirects=0
kernel.core_uses_pid=1
fs.suid_dumpable=0

  • Then run sudo sysctl -p to apply your changes.

  • You can use Lynis for checking your kernel settings.
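
A small check for the list above, added here as an example and not part of the original guide: it reads a sysctl.conf-style file and reports every expected setting that is missing or set differently, tolerating the spaces around = that the list itself uses inconsistently. The function names conf_value and audit_sysctl are made up for this example.

```shell
#!/bin/sh
# Added example (not from the guide). Expected values, copied from the list
# in this section.
EXPECTED='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
kernel.sysrq=0
kernel.kptr_restrict=2
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_timestamps=0
net.ipv6.conf.default.accept_redirects=0
kernel.core_uses_pid=1
fs.suid_dumpable=0'

# conf_value FILE KEY: print the value FILE assigns to KEY. Comment lines are
# skipped, whitespace around "=" is ignored, and the last assignment wins,
# which is the effect of loading the file top to bottom.
conf_value() {
    awk -v k="$2" '
        /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# audit_sysctl FILE: print one line per problem; return 0 only if FILE sets
# every expected key to the expected value.
audit_sysctl() {
    conf=$1
    bad=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        have=$(conf_value "$conf" "$key")
        if [ -z "$have" ]; then
            printf 'MISSING   %s (want %s)\n' "$key" "$want"
            bad=$((bad + 1))
        elif [ "$have" != "$want" ]; then
            printf 'DIFFERENT %s = %s (want %s)\n' "$key" "$have" "$want"
            bad=$((bad + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    [ "$bad" -eq 0 ]
}

# Stand-alone use: sh audit_sysctl.sh /etc/sysctl.conf
if [ "$#" -eq 1 ]; then
    audit_sysctl "$1"
fi
```

This checks the file only. To see what the running kernel actually uses for one key, run sysctl -n followed by the key name.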

Intrusion detection system

Note: at IntegratedIntrusionDetectionSystem work is ongoing to improve IDS!

You can find useful Tripwire Policy rules at: TripwirePolicyRules.

An intrusion detection system (IDS) helps you detect intrusions, allows you to help secure computers by reconstructing intrusions and along the way helps you better understand GNU/Linux / Debian. While some advanced forms of IDS are more or less the only way to reliably protect machines, they haven't been developed so far as to allow fully secure personal computers in practice. But maybe they will get developed further to allow such.
Before doing this you need to have VeraCrypt (or a similar encryption program) installed.

  • Insert a USB stick, open it with dolphin, close dolphin again, open VeraCrypt, then select Volumes -> Create new volume -> Create an encrypted file container. When it asks for the volume location navigate into your USB stick and enter a filename. Create a new volume with a size of around 500MB (50MB would probably be enough too). Once it has finished mount the volume by first clicking the slot number you want to mount it in, selecting the file and entering 2 passwords.

  • Set up tripwire
    • Copy the file that you downloaded earlier from your USB stick (or CD / DVD)
    • cd into the directory you copied the file to, then run tar -xzf tripwire-open-source-2.4.3.5.tar.gz (the version might differ), then cd tripwire-open-source-2.4.3.5

    • Run kate ./installer/install.cfg and replace the value of TWBIN, TWPOLICY, TWDB, TWSITEKEYDIR, TWLOCALKEYDIR, TWREPORT (between the two ") to /media/veracrypt10/ (or subdirectories of it respectively such as "/media/veracrypt10/report/"; also make sure to replace 10 with your slot-number). You could also set TWEDITOR to your preferred texteditor such as kate. Save the file.

    • Run ./configure --prefix=/etc/tripwire

    • Make sure it runs through. You might have to install packages such as postfix or a compiler from the DVD-1.
    • Run make install

    • Set the password for your local and site keys. If you run into problems there, run ./twinstall.sh. Help here.

    • If you need to recreate the cfgfile run ./sbin/twadmin --create-cfgfile -S site.key /media/veracrypt10/twcfg.txt (edit the twcfg.txt like the install.cfg file beforehand)

    • Edit twpol.txt to insert the default twpol.txt contents for Debian

    • Run ./sbin/twadmin -m P -S site.key /media/veracrypt10/twpol.txt

    • Run ./sbin/tripwire --init to see if it's working. At the bottom you'll see plenty of errors.

    • Edit twpol.txt and comment out the lines that have generated these errors under "Root config files" and "System boot changes". Watch this video. Add your own rules to watch important files (such as the sudoers file) or directories if you want to. Suggestions for tripwire rules can be found here.

    • Run ./sbin/twadmin -m P -S site.key /media/veracrypt10/twpol.txt again

    • Run ./sbin/tripwire --init again. Sadly you can't yet change the policy file again after initialization so you should make sure it is fine before you go online.

    • Close the konsole or cd out of the mounted directory and dismount the volume in veracrypt
    • Create a backup of the encrypted volume (1 file) to your hard drive (but always use the USB stick)

Then, once you have used your computer, you can do your first scan. The procedure should be the same every time, and you should run scans as often as possible to get smaller reports and to know which changes you have caused yourself in the meantime.

  • Disconnect from the Internet
  • Insert the USB stick. Open it with dolphin and close dolphin again.
  • Open VeraCrypt, click on the slot you selected earlier, select the volume-file on the USB stick and mount it using 2 passwords.

  • Run cd /media/veracrypt10/

  • Run sudo ./sbin/tripwire --check and let it run through

  • Run sudo ./sbin/twprint -m r --twrfile pathtothegeneratedtwrfile > nameofthegeneratedtwrfile-descriptionofwhatyoudidinthemeantime (for example sudo ./sbin/twprint -m r --twrfile ./report/name-20170808.twr > name-20170808-installed-firefox-and-removed-kdeconnect)

  • Inspect the changes by opening the generated file with a texteditor such as kate. Sadly Debian isn't yet integrated well with tripwire so there likely will be a lot of changes. Look for suspicious changes that you didn't cause yourself - especially modified critical files. By this you also learn more about the operating system by gaining more insight into what files change when.
  • Update your database by running export DISPLAY=:0; sudo ./sbin/tripwire --update -Z low -V nano --twrfile ./report/filename.twr, pressing ctrl+x and entering your local key

  • Run cd ../.. and dismount the encrypted volume in VeraCrypt

  • Backup the file again. You could store it on a read-only medium (CD/DVD) once in a while in case your database file becomes corrupted.
  • Reconnect to the Internet

By setting this up properly and by knowing what to look for and helping improve tripwire to integrate better with Debian and to automate the steps above you could theoretically reach a very high level of security.

There are many ways IDS could get improved. This includes having two machines with the same packages installed and comparing whether they differ in any way or by making use of virtual machines. While few IT security specialists seem to be interested in implementing such improvements it is important that you get an IDS working as early as possible. And before going online. While the current implementation might be hard to use it's still useful and also deters potential adversaries merely by being set up properly.
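
The init / check / update cycle described above, reduced to plain sha256sum so that the mechanism is visible. This is an added illustration, not Tripwire and not a replacement for it; the function names baseline_init and baseline_check are made up here.

```shell
#!/bin/sh
# Added example (not from the guide): a minimal file-integrity baseline.

# baseline_init DIR DB: record a SHA-256 for every regular file under DIR.
# Keep DB outside DIR and off the machine's own disk (the guide keeps the
# Tripwire database on an encrypted volume on a USB stick for the same
# reason): whoever can rewrite the database can hide their changes.
# Running it again after reviewing a report is the "update" step.
baseline_init() {
    ( cd "$1" && find . -type f -exec sha256sum {} + ) > "$2"
}

# baseline_check DIR DB: compare DIR with the recorded baseline.
# Prints ADDED / MODIFIED / REMOVED lines, sorted.
# Returns 0 = no changes, 1 = changes found, 2 = DIR could not be hashed.
baseline_check() {
    dir=$1
    db=$2
    cur=$(mktemp) || return 2

    if ! ( cd "$dir" && find . -type f -exec sha256sum {} + ) > "$cur"; then
        rm -f "$cur"
        return 2
    fi

    # sha256sum lines are "<64 hex digits>  <path>": the hash is columns
    # 1-64 and the path starts at column 67, so paths with spaces survive.
    report=$(awk -v dbfile="$db" '
        BEGIN {
            while ((getline line < dbfile) > 0)
                old[substr(line, 67)] = substr(line, 1, 64)
        }
        {
            path = substr($0, 67)
            seen[path] = 1
            if (!(path in old))                      print "ADDED    " path
            else if (old[path] != substr($0, 1, 64)) print "MODIFIED " path
        }
        END {
            for (p in old) if (!(p in seen)) print "REMOVED  " p
        }
    ' "$cur" | sort)

    rm -f "$cur"
    [ -n "$report" ] || return 0
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use:
#   sh baseline.sh init  /etc /media/veracrypt10/etc.sha256
#   sh baseline.sh check /etc /media/veracrypt10/etc.sha256
case "${1:-}" in
    init)  baseline_init "$2" "$3" ;;
    check) baseline_check "$2" "$3" ;;
esac
```

Unlike Tripwire, this sketch does not sign its database or track permissions and ownership; it only shows why the check is run offline against a baseline the running system cannot silently modify.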

File permissions

  • Change the file permissions of critical files to prevent unwanted changes to or reading of them
    • CUPS printer configuration file: sudo chmod 0700 /etc/cups/cupsd.conf

    • Kernel configuration: sudo chmod 600 /etc/sysctl.conf

    • Compilers:
      • sudo chmod 0444 /usr/bin/as
      • sudo chmod 0444 /usr/bin/g++
      • sudo chmod 0444 /usr/bin/gcc
      • sudo chmod 0444 /usr/bin/g++-6
      • sudo chmod 0444 /usr/bin/gcc-6

      • See section "Compiling programs" on how to properly compile programs
    • Sudoers file: sudo chmod 0440 /etc/sudoers

Security auditing tools

(OPTIONAL) Security auditing tools analyze your system to find vulnerabilities that you should fix and to propose ways to further secure your system.

  • One such is Lynis, installation instructions here

    • It might misdetect some things and you don't need to follow all its suggestions but it can help you further secure your system
    • Once installed run it via sudo lynis audit system

Other tools

  • Install Debsums to verify your installed Debian package files against the MD5 checksum lists from /var/lib/dpkg/info/*.md5sums.
    • Run debsums|grep -v OK

  • Install GPA for de- and encrypting texts and for managing your keys
  • Install BleachBit to securely wipe data and to free disk space and clean cookies etc

  • arpwatch, scanlogd, checksecurity, apt-listchanges

Etckeeper

  • To set up etckeeper you need to run these commands:

cd /etc/
sudo etckeeper init
sudo etckeeper commit "Initial etc commit"

  • To view the git history of a file that etckeeper keeps for you install qgit and then enter qgit locationofthefile &. This allows you to notice malicious changes and to manage your configurations.

Bitcoin

(OPTIONAL)

  • Electrum is a FOSS bitcoin client. If you want to use it anonymously or have your firewall set up properly install it, then go offline, then create a standard wallet, then go to network configurations, then set the proxy to SOCKS5 localhost 9050. If you want to have better security (given more or less that you trust TrustedCoin more than yourself) instead select "Multifactor authentication". But you might have problems getting it to work with your firewall if you go for the latter. It is best to store the wallet on an encrypted external medium such as a CD/DVD.

Firewall

You can find useful firewall rules at: FirewallRules.

Sadly there doesn't seem to be a proper application-level firewall for Debian yet.

  • GUFW is Debian's GUI firewall. Sadly it does not work properly when blocking outbound traffic. Also it is not packaged with DVD-1. Hence it is recommended that you use iptables instead. But you could install it anyway and have it disabled.

  • Run sudo kate /etc/iptables.conf and configure your firewall rules. The following rules allow for downloading of packages and browsing of the Internet but not much more (please improve them):

*filter
#DROP everything by default
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#And explicitly allow the following:
#LOCAL
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
#INPUT only needs replies to connections this machine opened, so state NEW is not accepted here
#HTTP
-A INPUT -p tcp -m tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 8080 -m state --state ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
#HTTPS
-A INPUT -p tcp -m tcp --dport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
#DNS
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state ESTABLISHED -j ACCEPT
#PING
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
#LOG 3 dropped packets per minute to /var/log/syslog
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "~~~~IP INPUT DROP: "
-A INPUT -j DROP
#LOCAL
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
#HTTP
-A OUTPUT -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
#HTTPS
-A OUTPUT -p tcp -m tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#DNS
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#PING
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#LOG 3 dropped packets per minute to /var/log/syslog
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "~~~~IP OUTPUT DROP: "
-A OUTPUT -j DROP
COMMIT

  • When done run iptables-restore < /etc/iptables.conf. Note that these rules are reset at each restart so either do the next step before the next restart or have your Internet disabled on startup.

  • Install iptables-persistent via apper or apt-get install

  • Run sudo kate /etc/iptables/rules.v4 and copy the contents of /etc/iptables.conf into it

  • Run sudo iptables-restore < /etc/iptables/rules.v4 or sudo ip6tables-restore < /etc/iptables/rules.v6

  • If your applications have problems connecting to the Internet you need to find out which protocol and ports you need to open via iptables rules to get them working. Alternatively you could allow all outbound traffic. But this isn't recommended for security purposes.
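
A ruleset meant only for browsing and package downloads needs no INPUT rule that accepts state NEW (loopback aside). The check below is an added example, not part of the wiki page; it lists such rules in an iptables-restore file, and its function names and sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page: list INPUT rules in an
# iptables-restore file that admit connections this machine did not start.

# Print "LINE CLASS RULE" for every active "-A INPUT ... -j ACCEPT" rule:
#   NEW     - its --state/--ctstate list contains NEW
#   NOSTATE - it has no state match, so it matches NEW packets as well
#             (expected for the loopback rule; review any other hit)
audit_input() {
    awk '
        /^[ \t]*#/ { next }                 # commented-out rules are inactive
        $1 == "-A" && $2 == "INPUT" {
            accept = 0; has_state = 0; states = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
                if ($i == "--state" || $i == "--ctstate") {
                    has_state = 1
                    states = $(i + 1)
                }
            }
            if (!accept) next
            if (!has_state) print NR, "NOSTATE", $0
            else if (("," states ",") ~ /,NEW,/) print NR, "NEW", $0
        }
    ' "$1"
}

# Print the default policy of the INPUT chain (from the ":INPUT DROP [0:0]" line).
input_policy() {
    awk '$1 == ":INPUT" { print $2; exit }' "$1"
}

# Constructed sample ruleset in the same layout as /etc/iptables.conf.
write_sample() {
    cat > "$1" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 8080 -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "IP INPUT DROP: "
-A INPUT -j DROP
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Demo on the constructed sample: reports the loopback rule (NOSTATE) and the
# rule that accepts NEW packets purely because their source port is 80.
rules=$(mktemp)
write_sample "$rules"
echo "INPUT policy: $(input_policy "$rules")"
audit_input "$rules"
rm -f "$rules"
```

To check your own rules, call audit_input /etc/iptables/rules.v4 after sourcing the functions.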

Close ports and inspect traffic

  • With these commands you can find out which applications on your machine are sending or receiving Internet traffic: lsof -i and netstat -pln or sudo netstat -anp --tcp --udp | grep LISTEN

    • Use sudo fuser -v portnumber/tcp to find out which application is causing an open port

  • With zenmap you can scan your own computer for open ports. Install it and then do a full scan on 127.0.0.1. Do not scan machines that do not belong to you.
  • If you don't have network printers you can disable CUPS like so:
    sudo systemctl disable cups.socket cups.path cups.service
    sudo systemctl kill --signal=SIGKILL cups.service
    sudo systemctl stop cups.socket cups.path

  • You can use BUM to disable apps that start automatically.

Wireshark

(OPTIONAL)
You can find out exactly which data is being sent by applications and to websites by making use of wireshark. You can use this to identify undesired data transmissions. After installing wireshark run sudo dpkg-reconfigure wireshark-common, choose "Yes" and then run sudo adduser $USER wireshark. After running wireshark, run sudo dpkg-reconfigure wireshark-common again and choose "No", then run sudo deluser username wireshark.

Go online

  • To go online you likely need to connect your PC to your router with a LAN cable. WLAN dongles are highly unlikely to work (apply pressure to manufacturers).
  • Edit the SourcesList so that you can find and download packages: run sudo kate /etc/apt/sources.list and comment out the CD / DVD sources which allowed you to install packages by inserting DVD-1. Add these sources instead:

deb http://security.debian.org/debian-security stretch/updates main contrib
deb-src http://security.debian.org/debian-security stretch/updates main contrib
deb http://ftp.CY.debian.org/debian/ stretch main contrib
deb-src http://ftp.CY.debian.org/debian/ stretch main contrib
deb http://ftp.CY.debian.org/debian/ stretch-updates main contrib
deb-src http://ftp.CY.debian.org/debian/ stretch-updates main contrib
deb http://deb.torproject.org/torproject.org stretch main

You can leave out the torproject repository if you want to. Replace CY with the country code of the repository you would like to use. You can find a list of Debian's repositories here. You can also leave out contrib which includes software that is not 100% FOSS or add non-free after contrib which also includes non-free software (such as many proprietary drivers).

Run updates

  • Run apt-transport-https

  • Run sudo apt-get remove firefox-esr and sudo apt-get install firefox-esr

  • Run sudo apt-get update and sudo apt-get upgrade

  • You might need to run this multiple times and fix some issues until it says 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded and that no packages have been held back.

  • Open Apper -> Check for updates; it should say that no updates are available

  • Run sudo freshclam

  • Do a tripwire scan after the updates as explained here

DNS

Before a computer can connect to an external network resource (say, for example, a web server), it must have a means of converting any alpha-numeric names (e.g. wiki.debian.org) into numeric network addresses (e.g. 140.211.166.4). More information.

  • Run sudo kate /etc/NetworkManager/NetworkManager.conf and add dns=no below the [main] section

  • Use OpenDNS or OpenNIC
    • For OpenDNS: run kde5-nm-connection-editor (or right click the network icon in the bottom right -> Configure Network Connection) and choose your connection -> right click -> edit -> click on the IPv4 settings tab -> choose "Automatic (Only addresses)" -> then enter IPs of DNS servers in the "DNS servers" field, separated by spaces -> "Apply". Use one of the IP addresses here such as 208.67.222.222 (or 2620:0:ccd::2 for IPv6).

    • Uncheck "automatically connect to this network when it is available" and "All users may connect to this network" and add yourself under "Users allowed to activate this connection" under "Advanced".

Configure Firefox

  • Sandbox your browser so vulnerabilities can't easily cause harm to your system
    • Download firejail
    • Right-click on the KDE icon in the bottom left -> Edit Applications -> right click on Internet -> New item -> Name: Sandboxed Firefox-ESR Command: firejail firefox-esr -p

  • Install useful AddOns:

    • Security-related
      • Enabling HTTPS (for encrypting the data that is sent between your browser and a website) whenever possible: HTTPS Everywhere

      • Adblocker: uBlock Origin (for the latest version of Firefox ESR you may need to download it here)

      • Disabling Javascript by default (you need to allow it if websites you trust don't work): NoScript

      • Instead of fetching resources from external content delivery networks again and again store them locally: Decentraleyes
      • Prevent people from identifying you across websites due to more or less unique HTTP headers: Blender
      • Delete cookies of a website after leaving it automatically: Self-Destructing Cookies
    • Other: TabMixPlus for many useful tab functionalities, SessionManager for managing your browser sessions, Greasemonkey for adding userscripts, RedditEnhancementSuite if you use reddit, FlashGot for downloading streamed videos

    • Don't just download and install AddOns but also configure them properly

Public keys

  • A list of keyservers can be found here.

  • Open port 11371 in iptables[...] for being able to fetch keys/* TODO */

  • Create a public key under your real name and potentially for pseudonyms for being able to prove your identity. For this you need to have a good password and store your private key securely. Upload the public keys to a keyserver and/or give them to people with whom you want to communicate privately or to whom you want to prove your identity.

Email client

  • Evolution and Thunderbird are two good email clients. Evolution comes preinstalled but Thunderbird is more popular and has more AddOns and features. Open port [...]

  • For Thunderbird install the clamdrib LIN AddOn for scanning emails for malware.

    • You may want to edit the clamd.conf to add the following lines and then restart Thunderbird:

TCPSocket 3310
TCPAddr localhost

Get Tor

  • Follow this guide to add keys (see section #Public keys first), add the tor repository and download tor

  • Download the TorBrowser

  • Checksum the downloaded file
  • Move the tor-browser to your software folder
  • Firejail it
    • Download the firejail profile for start-tor-browser

    • Move that textfile into /etc/firejail

    • Right-click on the KDE icon in the bottom left -> Edit Applications -> right click on Internet -> New item -> Name: Sandboxed Tor Browser Command: cd /home/username/foldername/tor-browser_en-US/ && firejail --profile=/etc/firejail/start-tor-browser.profile /home/username/foldername/tor-browser_en-US/start-tor-browser.desktop (replace username and foldername)

  • Edit /etc/tor/torrc and append FascistFirewall 1 to the bottom of it to get it working with iptables blocking outbound traffic

  • Start it and check for updates (and apply them)
  • Disallow scripts globally by clicking on the NoScript button in the upper right

  • Set the security level to highest by clicking the Tor button next to the NoScript button -> Tor settings

  • Know when Tor should be used and when it shouldn't. Tor is meant to provide anonymity, not security. Don't use it for casual browsing and entering personal information. The exit-node may actually be spying on your traffic (and be able to easily eavesdrop if you aren't browsing HTTPS-protected or .onion sites). It's only there to provide anonymity.

Get a VPN

  • Compare VPNs and select a good one
  • Make sure you can use the VPN with OpenVPN. Do not use a company's VPN client.

  • Use tor & bitcoin to buy it

  • Connect to it with sudo openvpn --config configuration-file.ovpn

  • VPNs are good for things like warez. They aren't as good as people think they are. Don't use free VPNs.

Check the settings of your webaccounts and switch providers

  • Check the settings of your accounts such as Google
  • Make use of trash mail sites
  • Switch providers (such as your email provider; you can forward your emails from your old account) if your provider doesn't take security and privacy seriously
  • Don't store data in clouds - at least no unencrypted data
  • Be aware that companies don't have to be evil to breach your privacy - the data they collect could also get stolen by cybercriminals

Drivers

  • If you have a graphics card it might not achieve full performance under Debian. Consider selling it. If you really want to keep it and get highest possible performance you might need to install unfree, proprietary drivers for it. Info here: GraphicsCard

  • WLAN driver. Info here: WiFi. WLAN dongles are highly unlikely to work properly in Debian.

  • For drivers you sometimes need to install kernel headers. For this install the relevant package by running: sed 's,[^-]*-[^-]*-,,')

Connect your devices

Printer

  • The website of the manufacturer should have information on how to install the driver for your printer on Debian
  • Install simple-scan for scanning

  • http://localhost:631/ should be the CUPS page where you can setup your printer

Android phone

  • KDE Connect [...]
    • For this you need the following iptables-rules:

-A INPUT -p tcp -m tcp --dport 1714:1764 -j ACCEPT
-A INPUT -p udp -m udp --dport 1714:1764 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1714:1764 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1714:1764 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1714:1764 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1714:1764 -j ACCEPT

  • MTP: you need the libmtp-common package. Sometimes this requires more work. Some info here

  • Other tools

Music instruments

See: MIDI and Wikipedia's List of Linux audio software

For DJing / mixing there is mixxx.

If nothing works for Debian you could consider using a virtual machine to get it working.

Input devices

  • Some special buttons of your input devices might not work. Typically you can use xbindkeys-config or the shortcuts to get them working.

Installing, compiling and running programs

Compilation

Sometimes you may need to compile programs if (latest) packages aren't available in Debian repositories. To compile you need to make sure you have the right compilers installed. The compilers needed are typically displayed when you try to compile software. Some often needed packages for compilation are: g++, g++-6, gcc, gcc-6, as and build-essential. You need to make sure they have the right permissions set before compilation by running sudo chmod 0700 /usr/bin/as. After compilation they should be set back to 0444. You need to compile as sudo.

.deb files

First navigate to the place where the .deb file is located with cd folder-path, then install the package by running sudo dpkg -i package.deb.

The installation folder

  • Create a folder for software (including scripts) that you download from the Internet under /home/username/. You could name it "Software", "Programs", "Apps" or similar.

  • Run sudo chown root:username /home/username/foldername to make root the owner of the folder and yourself the group

  • Then run sudo chmod -R 0750 /home/username/foldername to change the permissions

  • Check permissions with ls -l folderpath

  • Move software into that directory by running sudo mv folderpath1 /home/username/foldername/folderpath2

  • Never run software as root. If programs don't work change permissions of individual software like so: sudo chmod 0770 /home/username/foldername/programpath

Clean-ups

Clean up deinstalled programs by running dpkg --get-selections | grep deinstall and then sudo dpkg --purge package-name. Also run sudo apt-get autoremove or clean up using BleachBit.

Sandboxing

Sandboxing means that programs get somewhat isolated from the rest of the machine so that they can't cause great harm. For example their permissions and the directories they have access to can be limited.

  • Use firejail to sandbox software.

    • Firejail profiles for software can be found here.

      • Sandboxing your browser is essential. Sandboxing other software might not be, but it's always a good thing to do.
      • After you have the right profile in your /etc/firejail/ folder you should be able to run a program sandboxed by running firejail program-name. You can also add a launcher for the sandboxed version by right-clicking on the KDE icon in the bottom left -> Edit Applications -> editing the command by prefixing it with firejail

  • Virtual machines can also be a form of sandboxing.

Virtual machines

(OPTIONAL)
For protecting your system you may want to use virtual machines. They could also help you out if you need to get Windows programs running. Virtual machines are simulated computers with their own "virtual" hardware that run isolated under your "host" OS.
Do not connect them to the Internet. Do not use "shared folders". Do not use drag & drop. Isolate the VM as much as possible.

  • VirtualBox is a popular "hypervisor" that you can use to create and run virtual machines.

    • After installation you need to run sudo usermod -a -G vboxusers username to run it.

    • You then need an .iso or DVD of an operating system you wish to install as a virtual machine and some GBs of free storage space.
      • Download a Windows/Mac .iso if you want to inspect, reverse engineer or test Windows/Mac software or need it to have some hardware or software running that only works under Windows/Mac (doing the former can help build GNU/Linux support).

      • Download a Kali Linux .iso if you want to learn hacking
    • To move files from your host OS into the virtual machine do not use shared folders or drag&drop but instead create a new data project in K3B and create an .iso file with all the files. Then add that .iso file under Settings->Storage of the virtual machine.

    • Create snapshots for being able to rollback changes to the virtual machine.
    • After running it remove yourself from the vboxusers group by running sudo deluser username vboxusers

  • KVM is an alternative "hypervisor"

Backups

You should create regular backups of your data onto an external storage device. The most important data should be backed up twice. The main storage device holding the backup needs to be physically disconnected from your computer except when you are running a backup. Obviously it needs to be encrypted too.

  • BackInTime is a convenient GUI for rsync that helps you manage backups.

    • After installing press the Settings button on top and choose the source path/s and the destination path. You can create multiple "profiles" for varying backup jobs. Exclude large directories that you don't want to have backed up and the trashbin under "Exclude". You can set it up to automatically remove old backups and run backups regularly. BackInTime does incremental backups which means that only the files that have been changed will be backed up in subsequent backups. If you have multiple backups you can also delete old backups within BackInTime which only removes the old versions of files and directories that have been changed. BackInTime also stores permissions of files separately to

    • Check whether a backup has worked correctly by inspecting folder-sizes and some of your important files. If some files are missing first check if they are "excluded". You can also run diff -qr path1 backup-path to compare directories.

    • Have your most important files backed up to an encrypted readonly medium you store offline such as VeraCrypt volumes on CDs.

  • Tutorial for rsync if you want to use the command-line and do without BackInTime's features

  • Run sudo sfdisk -l and then sudo sfdisk -d /dev/sda > part_sda.txt for every partition (replace sda with the partition name of your partition). Also run sudo pvdisplay > pvdisplay.txt. Back up these files; they might help you restore your hard drive in case of failure (you only need to run these once).

Tools

Basic software that you might be looking for.

  • PDF reader: Okular is your preinstalled PDF reader
  • Office / Word / Excel: LibreOffice is your preinstalled office suite

  • Image editor: GIMP is your preinstalled image editor that is as good as Photoshop
  • Image viewer: Gwenview is your preinstalled image-viewer
  • DVD-Burner: K3B is your preinstalled dvd-burning application.
  • Ebook reader: Calibre is a good ebook reader
  • File archiver: Ark is your preinstalled file archiver (you don't need Winrar or 7zip)
  • IRC Chat: Hexchat is a good IRC client
  • Media player: VLC Player is a good media player, Amarok is a feature-rich music player
  • Compare text files: Diffuse merge
  • Video editor: Kdenlive
  • Encrypted chatting and sharing: Tox or RetroShare

Further

  • Read DontBreakDebian / watch this

  • See the full and lengthy Debian GNU/Linux Installation Guide and QuickInstall and DebianIntroduction and DebianDesktopHowTo

  • Use VirtualBox if you have to use Windows / Mac

  • Useful links: Chmod permissions calculator

  • You could subscribe to vulnerability lists to be aware of the latest vulnerabilities and protect against them
  • You can get new Widgets by clicking on the 3 strikes in the upper left -> add widgets -> Get new widgets -> Download New Plasma Widgets. For example you could get Event Calendar to replace your default calendar. It has many features for better organization and productivity.

  • Register and contribute to this wiki
  • Register on GitHub and similar sites and create issues if you witness bugs

  • Also secure your other devices such as your mobile phone (e.g. NetGuard firewall for Android). You may also want to secure your router.

  • Get an IDE such as Eclipse or NetBeans, read online tutorials for programming languages such as Java, C++, Python or Bash, register on stackoverflow and get started with helping program Debian's software.

  • Share this page

