Differences between revisions 5 and 17 (spanning 12 versions)
Revision 5 as of 2017-08-21 20:39:54
Size: 50160
Editor: ?Average-User-Prototype
Comment:
Revision 17 as of 2021-05-18 10:28:46
Size: 73842
Comment: Readd notice regarding the article being made for KDE users
Line 5: Line 5:
This page aims to be(come) a step-by-step guide for setting up a personal computer with Debian from scratch to a fully configured system with high security, usability, convenience and privacy-protection.  

It aims to be written in layman's terms without ''any'' required preknowledge and is mainly aimed at Debian newcomers - especially those who switched to Debian to evade backdoors in other operating systems (OS), malware and gaining control over their machines.

The steps don't need to be followed exactly - it is meant as an '''''orientation to speed up and ease the setup''''' to allow inexperienced GNU/Linux users and even casual computer users to get a fully free and open source (FOSS) operating system going by themselves. They can delve deeper once it is working. Ubuntu is not a solution.<<BR>>
This page aims to be(come) a step-by-step guide for setting up a personal computer with Debian from scratch to a fully configured system with high security, usability, convenience and privacy-protection.

It aims to be written in layman's terms without ''any'' required preknowledge and is mainly aimed at Debian newcomers---especially those who switched to Debian to evade backdoors in other operating systems (OS), malware and gaining control over their machines. It's written in a chronological step-by-step manner which when updated and tested appropriately and followed from top to bottom precisely will '''''simply get things working'''''.

The steps don't need to be followed exactly---it is meant as an '''''orientation to speed up and ease the setup''''' to allow inexperienced GNU/Linux users and even casual computer users to get a fully [[https://www.gnu.org/philosophy/free-sw.html|free, libre]] and open source (FLOSS) operating system going by themselves. They can delve deeper once it is working. Ubuntu is not a solution.<<BR>>
Line 16: Line 16:
The difficulty of properly setting up Debian is keeping away many users. The ultimate goal of guides such as this is to bring about a worldwide mass-migration to 100% FOSS operating system and to increase cybersecurity of citizens and infrastructure.<<BR>>
Security and privacy are human rights. Nobody denies that there are valid reasons for surveillance and most understand that secure communication can ''also'' be problematic sometimes by unwittingly helping those who decrease security of society. Those that harm or plan to harm society need to be confronted by society, innovative ways, and adequately. A fundamentally insecure society which also gives up its right to privacy in an intrusive way never possible before and allows for highly centralized, often or potentially AI-driven, control already somewhat "lost". And cybercrime is not prevented by suppressing information and keeping everyone insecure but by building technically secure infrastructure and systems.<<BR>>
Widespread vulnerabilities
, central control and mass-surveillance are a greater danger to society than ill-intentioned people using such information. Suppressing such information and obstructing citizens from gaining control over their machines and have them secured is not a solution.
The difficulty of properly setting up Debian is keeping away many users. The ultimate goal of guides such as this is to bring about a worldwide mass-migration to 100% libre operating system and to increase cybersecurity of citizens and infrastructure.<<BR>>
Security and privacy are human rights. There are valid reasons for surveillance and most understand that secure communication can ''also'' sometimes be problematic by unwittingly helping those who decrease security of society. Those that harm or plan to harm society need to be confronted by society in innovative ways, and adequately. A fundamentally insecure society which also gives up its right to privacy in an intrusive way never possible before and allows for highly centralized---often or potentially AI-driven---control is already somewhat "lost". And cybercrime is not prevented by suppressing information and keeping everyone insecure but by building technically secure infrastructure and systems.

Widespread vulnerabilities, central control and mass-surveillance are a greater danger to society than ill-intentioned people using such information. Suppressing such information and obstructing citizens from gaining control over their machines and have them secured is not a solution
.<<BR>>Society can't afford this current level of top-down control-structures and unrestrained, unprecedented loss of privacy. Surveillance, even mass-surveillance, and control may not necessarily be problematic but its purposes, transparency, steering and systemic context can make it so. Our current world is definitely not shaped in a way that would warrant an accepted conclusion that justifies current mass-surveillance and mass-vulnerability of billions of humans.
Line 23: Line 24:
At present a resilient society using ''technologically secure software by-design'' structures with a ''participative and collaborative culture'' is the ultimate goal. This requires getting society at large (average computer users) onboard.
Line 25: Line 28:
= Prior installation FAQ = = Pre-installation FAQ =
Line 28: Line 31:
A "Unix-like" operating system that is free and open source. Many variants of these operating systems exist and they are running on most servers (computers that serve content or services such as websites) and on android phones. Linux is the kernel of the GNU/Linux operating system and most people are referring to the GNU/Linux operating system when they're speaking of "Linux". GNU stands for "GNU's Not Unix!" as GNU's design is "Unix-like", but differs from Unix by being free software and containing no Unix code. The GNU project was founded by Richard Stallman. The Linux kernel was developed by Linus Torvalds.

'''What is free and open source software?'''<<BR>>
Software that allows anyone to freely use, copy, study, and change it in any way, and has its source code openly shared so that people are encouraged to voluntarily improve the design of the software. This is in contrast to proprietary software, where the software is under restrictive copyright and the source code is usually hidden from the users. Albeit rare some unfree software might have its source code public too.
GNU/Linux is a "Unix-like" operating system that is [[https://www.gnu.org/philosophy/free-sw.html|free, libre]] and open source. Many variants of this operating system exist and they are running on most servers (computers that serve content or services such as websites), supercomputers and many embedded computers. Linux is the kernel of the GNU/Linux operating system and most people mean the GNU/Linux operating system when they (incorrectly) speak of "Linux". The [[https://www.gnu.org/philosophy/android-and-users-freedom.html|Android]] OS for touchscreen mobile devices (such as smartphones and tablets) runs on the kernel Linux but is not GNU/Linux, because it lacks GNU. GNU is an operating system that is free (libre) software---that is, it respects users' freedom. GNU stands for "GNU's Not Unix!" as GNU's design is "Unix-like", but differs from Unix by being entirely free (libre) software and containing no Unix code. The GNU project was founded by Richard Stallman. Since GNU's kernel (Hurd) is work in progress, GNU (minus its kernel) is most often combined with the kernel Linux (developed by Linus Torvalds), forming the complete GNU/Linux OS.

'''What is [[https://www.gnu.org/philosophy/free-sw.html|free (libre) software]]?'''<<BR>>
Software that allows anyone to freely use, copy, study, and change it in any way, and therefore has its source code openly shared so that people are encouraged to voluntarily improve the design of the software. This is in contrast to proprietary software, where the software is under restrictive copyright and the source code is usually hidden from the users. Albeit rare some non-free software might have its source code public too.

Free software is often referred to as "open source". "Free software" and "open source" stand for almost the same range of programs, but the open source movement is [[https://www.gnu.org/philosophy/open-source-misses-the-point.html|fundamentally different]] from the free software movement as they have different goals.
Line 37: Line 42:
See [[WhyDebian]]. It's 100% FOSS, stability, security, your control, features, configurability, privacy, large community, largest upstream GNU/Linux distribution, many packages. It's aims to be the best operating system. [...] See [[WhyDebian]]. It's officially 100% FLOSS and features stability, security, user control, technical features, configurability, privacy, large community, largest upstream GNU/Linux distribution, many packages. It aims to be the best operating system. [...]
Line 40: Line 45:
Ubuntu is based on Debian but isn't as good and isn't 100% FOSS.[...] Ubuntu is based on Debian but isn't as good and isn't 100% FLOSS. Note you can still find help from most that anything that refers to Ubuntu as Debian is very similar to it (for instance most answers on Ask Ubuntu may help you out as well and instructions for Ubuntu often only need to be slightly altered for Debian). Note however that repositories for Ubuntu or Linux Mint are '''not''' compatible with Debian. Do not make a [[https://wiki.debian.org/DontBreakDebian#Don.27t_make_a_FrankenDebian|FrankenDebian]].
Line 44: Line 49:
 * Linux Mint: it includes nonfree software[...]  * Linux Mint: it includes non-free software[...]
Line 49: Line 54:
'''I want to try Debian first'''<<BR>> '''I want to try Debian before installing'''<<BR>>
Line 53: Line 58:
No. But do you really need to? Some of them maybe. PlayOnLinux / [[Wine]] / [[Steam]] are insecure. There are free [[Games|Linux games for Debian]] such as [[Games/Supertuxkart|SuperTuxKart]]. However you can play console games (gamecube, PS2) using an [[Emulator]] such as dolphin. There are free [[Games|GNU/Linux games for Debian]] such as [[Games/Supertuxkart|SuperTuxKart]]. And you can play console games (Gamecube, PS2, etc) using an [[Emulator]] such as [[https://wiki.dolphin-emu.org/index.php?title=Installing_Dolphin#Debian|Dolphin]].

You can also use [[https://www.playonlinux.com/en/|PlayOnLinux]] / [[Wine]] / [[Steam]] to play games. However they are somewhat insecure [[https://askubuntu.com/questions/562388/do-wine-viruses-only-work-while-wine-is-running|1]] [[https://security.stackexchange.com/questions/5119/can-windows-malware-harm-a-linux-computer-when-its-executed-with-wine|2]]. Consider if it's worth the effort and introduced security risks. Also consider if it's worth installing proprietary games despite the significant [[https://www.gnu.org/proprietary/|ethical shortcomings]].
Line 56: Line 63:
Don't do it. [...] Don't do it. Test Debian using a live CD instead.
Line 59: Line 66:
You need to check it first. If you already have a laptop you should try if you can boot and properly use the LiveCD. If you want to buy a laptop you need to research whether other people have reported having gotten GNU/Linux working on it. Many Dell laptops support Debian for example. In addition you need to apply pressure to laptop manufacturers to support it. You might find useful information [[CategoryLaptopComputer|here]]. You need to check it first. If you already have a laptop you should try if you can boot and properly use the live CD. If you want to buy a laptop you need to research whether other people have reported having gotten GNU/Linux working on it. Many Dell laptops support Debian for example (you could search for Ubuntu certified laptops and buy one of those). In addition you need to apply pressure to laptop manufacturers to support it and also create demand. You might find useful information [[CategoryLaptopComputer|here]].  Please give a strong preference to [[https://www.fsf.org/resources/hw|ethical devices]] that do not need non-free drivers or firmware to run under GNU/Linux.
Line 62: Line 69:
Yes. Please see [[TabletAndTouchScreen]]. Yes. Please see [[TabletAndTouchScreen]]. More developers are needed to improve support.
Line 65: Line 72:
In short: cybercrime, state-sponsored cyberintrusions, companies selling your personal data, uncertainty of the future, centralized control, activism, journalism, industrial espionage, having control over your own machines, infrastructure security, etc. In short: cybercrime, state-sponsored cyber intrusions, companies selling your personal data, ''uncertainty of the future'', centralized control, activism, journalism, journalism-like activities, corporate espionage, having control over your own machines, infrastructure security, cyber-pandemics/malware, being in any way involved in the free software or open source movements, putting corporate profits at risk and overhauling/challenging established structures etc.

'''But isn't GNU/Linux just for nerds and computer geeks?'''<<BR>>
It's not supposed to be like that. This guide is an attempt to make GNU/Linux (and in particular a secure setup) more accessible to average users. It needs more effort to build support for even casual computer users who want to never touch the command line and want their hardware to be working plug&play after they bought it. Furthermore even Windows can require big efforts to get working properly, especially if you want to gain some level of privacy and security and do essential things like backups and so on.

'''But all of my software is for Windows/Mac only. Isn't there almost no software for GNU/Linux?'''<<BR>>
Most important Windows/Mac software has GNU/Linux equivalents which also are free of charge and---if they are in Debian's repositories---very easy and convenient to install. Some such software can be found at the bottom of this page. Free software has many advantages beyond being free of charge (see Q#2). If you think there's no equivalent for some specific software you use first research what kind of software that is and then search the web for {{{{type of the software} Debian}}} and if you can't find anything you should simply ask on places like [[https://softwarerecs.stackexchange.com|softwarerecs.stackexchange.com]]<<BR>>
Software on Debian also has package-management which is something that e.g. Windows lacks. It regularly scans for new updates and allows you to run updates for all of your software (which is essential for proper security) with a single click.
Line 76: Line 90:
 * Once the .iso file has finished downloading you should checksum the file to verify that it has not been altered and is in a proper state. (A checksum is a short ID that is always the same if the data is exactly the same.) To do this open a terminal and type {{{sha512sum {full path to the .iso file}}}} if you are running a GNU/Linux or if you're running Windows download [[http://www.nirsoft.net/utils/hash_my_files.html|HashMyFiles]] and open the .iso with it. Then compare the hashsum to the one in the SHA512SUMS document from where you downloaded your CD/DVD (e.g. https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/). It has to be same ID. (Additionally you could also do a websearch for the ID. If the ID differs check if your download finished properly and if it did report it somewhere.)  * Once the .iso file has finished downloading you should checksum the file to verify that it has not been altered and is in a proper state. (A checksum is a short ID that is always the same if the data is exactly the same.) To do this open a terminal and type {{{sha512sum {full path to the .iso file}}}} if you are running a GNU/Linux or if you're running Windows download [[http://www.nirsoft.net/utils/hash_my_files.html|HashMyFiles]] and open the .iso with it. Then compare the hashsum to the one in the SHA512SUMS document from where you downloaded your CD/DVD (e.g. https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/). It has to be same ID. If the ID differs check if your download finished properly and if it did report it somewhere.
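Review bot: the comparison at the end of this item only checks the hash against a SHA512SUMS file fetched from the same server as the image, so it catches a corrupt or incomplete download but not an image and checksum list that were both replaced. Suggest adding that the SHA512SUMS file in that directory is published together with a detached GPG signature (SHA512SUMS.sign) and that the reader should verify that signature against the Debian CD signing key before trusting the list. Dropping the "websearch for the ID" suggestion is a good change, since a search result is no more authoritative than the download page.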
Line 88: Line 102:
 * [[https://sourceforge.net/projects/tripwire/|Download Open Source Tripwire]], hash the downloaded file just like for the .iso above and verify the checksum (i.e. by searching for it)  * [[https://github.com/Tripwire/tripwire-open-source/releases|Download Open Source Tripwire]], hash the downloaded file just like for the .iso above and verify the checksum (i.e. by searching for it)
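Review bot: "verify the checksum (i.e. by searching for it)" stays weak guidance after the URL change; a web search hit is not an authoritative source for a hash. Suggest telling the reader to compare against a checksum or signature published by the project itself (on the release page now linked), and to mention that this download becomes part of the trust base the whole IDS rests on, so it deserves the same care as the .iso above.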
Line 93: Line 107:
 * Before you install a new operating system to your computer you need to make absolutely sure that you have all your data backed up properly. (Besides if you install to a new computer of course.) Don't do this hastily - there might be files in locations you forgot about or the backup might not have worked properly. Once your backup is complete physically disconnect whatever medium you used for this (e.g. an external hard drive).  * Before you install a new operating system to your computer you need to make absolutely sure that you have all your data backed up properly. (Besides if you install to a new computer of course.) Don't do this hastily---there might be files in locations you forgot about or the backup might not have worked properly. Once your backup is complete physically disconnect whatever medium you used for this (e.g. an external hard drive).
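Review bot: this item names "the backup might not have worked properly" as a risk but gives no check for it; suggest adding a verification step before the disk is wiped, for example opening a sample of files from the backup medium or comparing checksums of a few important directories against the originals, and only then disconnecting the medium.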
Line 139: Line 153:
 * Select only one desktop environment (GNOME or Xfce or KDE or Cinnamon or MATE or LXDE)
  * KDE is arguably the best choice for a personal, modern computer. It has many features, looks great, is highly configurable and extendable and is easy to use. [[https://www.youtube.com/watch?v=TXWUyUUx3ZE|Video presentation]]. This guide is tailored to KDE.
 * Select only one desktop environment (GNOME, Xfce, KDE, Cinnamon, MATE, LXDE, or LXQt)
  * The most popular desktop environments are [[GNOME]] and [[KDE]]. GNOME has a design more reminiscent of macOS with a focus on simplicity and polish, while KDE is more similar to Microsoft Windows with a focus on power and flexibility. [[Xfce]] and [[LXQt]] are popular lightweight desktops for older hardware, or those that just want a snappy experience. Other desktops have their own aesthetic and functional niches, and are worth looking into.
  * Much of this article is tailored to KDE, and may not apply if you choose another desktop.
Line 150: Line 165:
 * Do not connect to the Internet before you finished the setup and reached step "Go online".  * Do not connect to the Internet before you finished the setup and reached [[#Go_online|step "Go online"]].
Line 152: Line 167:
 * One of your best defenses is to report anything unusual that you noticed on your machine. Document everything strange including with the relevant logs (of syslog and alike). Then report it or ask about it. Don't keep it to yourself.
 * If you don't know something and you can't find it via your search engine ask about it on places such as https://unix.stackexchange.com/questions/tagged/debian as this will help everyone finding an answer with the same question as you. Make sure to explain your question well and to make it well findable by those with the same question.
Line 154: Line 171:
  * By entering {{{history}}} you can find a list of commands you have executed under the current account. Entries can also be deleted from this log.   * By entering {{{history}}} you can find a list of commands you have executed under the current account. Entries can also be deleted from this log by running {{{history -d line-number}}}.
Line 157: Line 174:
 * Try to never install nonfree software except absolutely necessary. There can easily be backdoors and all sorts of malicious code in closed source software.
 * One of your best defenses is to report anything unusual that you noticed on your machine. Don't keep it to yourself.
 * If you don't know something and you can't find it via your search engine ask about it on places such as https://unix.stackexchange.com/ as this will help everyone finding an answer with the same question as you. Make sure to explain your question well and to make it well findable by those with the same question.
 * Try to never install nonfree software except absolutely necessary. There can easily be backdoors and all sorts of malicious code in proprietary software.
Line 162: Line 177:
 * Don't execute commands just because somebody told you so or you read about it. Make sure you roughly know what it does. Some commands might destroy your system (e.g. {{{rm}}} to delete important files). 
 * You can find logs under {{{/var/log/}}}. The most important one is {{{/var/log/syslog}}} which you can only open as root (via sudo). {{{/var/log/apt/history.log}}} is a log of installed packages.
 * Some additional important commands: mkdir {path} creates a directory, cd {directory} moves the context to a directory ({{{cd ..}}} moves you one directory up), {{{sudo ifconfig}}} displays information about your IP, {{{sudo dpkg -i filepath}}} to install .deb packages, {{{sudo apt-get install packagename}}} to install a package from terminal, {{{sudo dpkg --add-architecture i386}}} to add 32bit architecture, {{{sudo -i}}} to start a sudo session, {{{sudo cp -r path path}}} to copy files as root, {{{sudo mv path path}}} to move files as root, {{{apt-get install packagename}}} to install a package from the konsole, {{{bash filepath}}} to execute a bash file, {{{ls -l}}} list files of a directory, some more [[https://www-uxsup.csx.cam.ac.uk/pub/doc/suse/suse9.0/userguide-9.0/ch24s04.html|here]]
 * Don't execute commands just because somebody told you so or you read about it. Make sure you roughly know what it does. Some commands might destroy your system (e.g. {{{rm}}} to delete important files).
 * You can find logs under {{{/var/log/}}}. The most important one is {{{/var/log/syslog}}} which you can only open (with a texteditor) as root (via sudo). {{{/var/log/apt/history.log}}} is a log of installed packages.
 * You can typically quit displays of text in the console by pressing {{{q}}} or {{{ctrl+x}}} (^ refers to the ctrl key).
 *
Some additional important commands: {{{mkdir {path}}}} creates a directory, {{{cd {directory}}}} moves the context to a directory ({{{cd ..}}} moves you one directory up), {{{sudo ifconfig}}} displays information about your IP, {{{sudo dpkg -i filepath}}} to install .deb packages, {{{sudo apt-get install packagename}}} to install a package from terminal, {{{sudo dpkg --add-architecture i386}}} to add 32bit architecture, {{{sudo -i}}} to start a sudo session, {{{sudo cp -r path path}}} to copy files as root, {{{sudo mv path path}}} to move files as root, {{{passwd}}} to change password, {{{apt-get install packagename}}} to install a package from the konsole, {{{bash filepath}}} to execute a bash file, {{{ls -l}}} list files of a directory, {{{sudo shutdown -h now}}} to shutdown, {{{groups username}}} to display the usergroups your user is part of. Some more [[https://www-uxsup.csx.cam.ac.uk/pub/doc/suse/suse9.0/userguide-9.0/ch24s04.html|here]]
 * You can save the output of any command by appending {{{> filepath}}} to a command. For example {{{ls -l > contents.txt}}} creates a file with information on the contents of the directory you're currently in. You can get information about commands by appending {{{--help}}} to them for instance {{{ls --help}}} shows you information about the {{{ls}}} command.
 * You don't need to know all of this by heart. Simply use this page or other pages. But you need to know where to ask for help and how to find the information needed. (Which after reading the above you should know or start looking for.)
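Review bot: the list entry consisting of a lone "*" followed by the unindented "Some additional important commands" paragraph is a broken bullet; the text belongs on the same line as the asterisk. Inside that paragraph {{{sudo ifconfig}}} is inconsistent with this revision's own replacement of {{{netstat}}} by {{{ss}}} further down: ifconfig belongs to the deprecated net-tools package and {{{ip addr}}} (iproute2) is the current equivalent. The {{{apt-get install packagename}}} entry appears twice ("from terminal" and "from the konsole"), the second time without sudo; keep one. Also "which you can only open ... as root" for {{{/var/log/syslog}}} is not accurate on Debian, where the file is readable by members of the adm group without root.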
Line 167: Line 185:
It's best to write them down physically on a paper (never or only partially/obscured&encrypted electronically). And that in a way that only you can read properly. For instance you could write down signs for words and alter the order in a specific way. Store them in a secure place and store them twice.<<BR>>
Furthermore try to enable two factor authentication (2FA) for as many of your relevant accounts as possible. Also calculate in the possibility of losing your phone (typically there are backup codes).
It's best to write them down physically on a paper (never or only partially/obscured&encrypted electronically). And that in a way that only you can read properly. For instance you could write down signs for words and alter the order in a specific way. Store them in a secure place and try to store them twice.<<BR>>
You could also store them electronically with the password missing some words that you only store on piece of paper
.<<BR>>
Furthermore try to enable two factor authentication (2FA) for as many of your relevant accounts as possible. Also calculate in the possibility of losing your phone (typically there are backup codes which you should write down).
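Review bot: the sentence split across "...that you only store on piece of paper" and a lone "." on the following line should be joined and read "on a piece of paper". The guidance also omits the option most practical for many users, a local password manager (KeePassXC is packaged in Debian), which would replace the home-grown obfuscation scheme suggested here; suggest mentioning it alongside the paper method.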
Line 180: Line 199:
 * Immediately uninstall {{{kaccess}}}. This is to prevent people from spying on your screen and on what you type. Don't do it if you're literally blind. Otherwise open apper -> type kacccess -> remove -> apply -> enter your password and let it uninstall.
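Review bot: the justification "to prevent people from spying on your screen and on what you type" is asserted without any reference. kaccess is KDE's accessibility daemon (sticky keys and similar aids, as the "Don't do it if you're literally blind" caveat itself implies), and the item gives no evidence that it exposes keystrokes or screen contents to anyone; either cite the concern or drop the item. Also "kacccess" is a typo for "kaccess".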
Line 182: Line 202:
 * Create a folder for software (such as scripts) that you download from the Internet under {{{/home/username/}}}. You could name it "Software", "Programs" or alike.
Line 191: Line 210:
 * Make sure you have the right soundcard selected under "Phonon Audio and Video" -> Device Preference and -> Audio Hardware Setup and "Audio Volume" -> "Output Device" -> Default and -> Configuration. (Also disable all Input besides if you want to record something with a micro.) Disable the sound when changing the volume in "Audio Volume" -> Volume feedback -> disable.
Line 204: Line 224:
Replace somename and pw with a name and a password. If you already encrypted your hard drive you might want to use a shorter one. Do not replace anything except these 3 words. The somename doesn't have to be your username - it can be any word you want. Replace somename and pw with a name and a password. If you already encrypted your hard drive you might want to use a shorter one. Do not replace anything except these 3 words. The somename doesn't have to be your username---it can be any word you want.
Line 210: Line 230:
 * At the bottom of 00_header replace "password" with "password_pbkdf2" and pw with the output of the previous command starting with {{{grub.pbkdf2.sha512.}}} - for example the full line should look like: {{{password_pbkdf2 John grub.pbkdf2.sha512.10000.FC58373BCA15A797C418C1EA7FFB007BF5A5}}}<<BR>>  * At the bottom of 00_header replace "password" with "password_pbkdf2" and pw with the output of the previous command starting with {{{grub.pbkdf2.sha512.}}}---for example the full line should look like: {{{password_pbkdf2 John grub.pbkdf2.sha512.10000.FC58373BCA15A797C418C1EA7FFB007BF5A5}}}<<BR>>
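Review bot: the example {{{password_pbkdf2 John grub.pbkdf2.sha512.10000.FC58373BCA15A797C418C1EA7FFB007BF5A5}}} is truncated; real grub-mkpasswd-pbkdf2 output is one long token containing the iteration count, a salt and the derived hash, and the reader should be told to paste the entire token unbroken, since a partial value will silently lock them out of the menu editor. Suggest marking the example as abbreviated.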
Line 221: Line 241:
 * Install ClamTk which also installs ClamAV - Debian's open source antivirus software  * Install ClamTk which also installs ClamAV---Debian's free antivirus software
Line 251: Line 271:
An intrusion detection system (IDS) helps you detect intrusions, allows you to help secure computers by reconstructing intrusions and along the way helps you better understand GNU/Linux / Debian. While some advanced form of IDS' are more or less the ''only'' way to ''reliably'' protect machines they haven't been developed so far as to allow fully secure personal computers in practice. But maybe they will get developed further to allow such.<<BR>> You can find useful Tripwire Policy rules at: [[TripwirePolicyRules]].

An intrusion detection system (IDS) helps you detect intrusions, allows you to help secure computers by reconstructing intrusions and along the way helps you better understand GNU/Linux / Debian. While some advanced form of IDS' are more or less the ''only'' way to ultimately ''reliably'' protect machines they haven't been developed so far as to allow fully secure personal computers in practice. But maybe they will get developed further to allow such.<<BR>>
Line 269: Line 291:
  * Run {{{./sbin/tripwire --init}}} again. Sadly you can't yet change the policy file again after initialization so you should make sure it is fine before you go online.   * Run {{{./sbin/tripwire --init}}} again. Sadly you can't yet change the policy file again after initialization so you should make sure it is fine before you [[#Go_online|go online]].
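Review bot: "you can't yet change the policy file again after initialization" is not accurate for Open Source Tripwire: its manual page documents a policy update mode ({{{tripwire --update-policy}}}, short form {{{-p}}}) that re-signs the policy and brings the database in line with it. Suggest either pointing the reader to that mode or explaining why the guide prefers re-initialising from scratch.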
Line 274: Line 296:
 
Line 281: Line 303:
 * Inspect the changes by opening the generated file with a texteditor such as kate. Sadly Debian isn't yet integrated well with tripwire so there likely will be a lot of changes. Look for suspicious changes that you didn't cause yourself - especially modified critical files. By this you also learn more about the operating system by gaining more insight into what files change when.  * Inspect the changes by opening the generated file with a texteditor such as kate. Sadly Debian isn't yet integrated well with tripwire so there likely will be a lot of changes. Look for suspicious changes that you didn't cause yourself---especially modified critical files. By this you also learn more about the operating system by gaining more insight into what files change when.
Line 289: Line 311:
There are many ways IDS could get improved. This includes having two machines with the same packages installed and comparing whether they differ in any way or by making use of virtual machines. While few IT security specialists seem to be interested in implementing such improvements it is important that you get an IDS working as early as possible. And before going online. While the current implementation might be hard to use it's still useful and also deters potential adversaries merely by being set up properly.  There are many ways IDS could get improved. This includes having two machines with the same packages installed and comparing whether they differ in any way or by making use of virtual machines. While few IT security specialists seem to be interested in implementing such improvements it is important that you get an IDS working as early as possible. And before going online. While the current implementation might be hard to use it's still useful and also deters potential adversaries merely by being set up properly.
Line 295: Line 317:
  * Compilers: {{{sudo chmod 0444 /usr/bin/as}}} {{{sudo chmod 0444 /usr/bin/g++}}} {{{sudo chmod 0444 /usr/bin/gcc}}}   * Compilers: {{{sudo chmod 0444 /usr/bin/as}}} {{{sudo chmod 0444 /usr/bin/g++}}} {{{sudo chmod 0444 /usr/bin/gcc}}} {{{sudo chmod 0444 /usr/bin/g++-6}}} {{{sudo chmod 0444 /usr/bin/gcc-6}}}
   * See [[#Compilation|section Compilation]] on how to properly compile programs
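Review bot: hard-coding {{{/usr/bin/g++-6}}} and {{{/usr/bin/gcc-6}}} ties this item to one Debian release's compiler version, and because {{{/usr/bin/gcc}}} is a symlink to the versioned binary the chmod on it already follows the link. More importantly the item should state the limits of the measure: the mode is restored whenever the gcc packages are upgraded, and the base system still ships interpreters (the shell and perl at minimum), so this removes a native toolchain rather than preventing code from running. Suggest presenting it as a minor hardening step with those caveats.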
Line 299: Line 322:
(OPTIONAL) (OPTIONAL)<<BR>>
Line 307: Line 330:
  * Run {{{debsums|grep -v OK}}}    * Run {{{debsums|grep -v OK}}}
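Review bot: {{{debsums|grep -v OK}}} filters on the substring OK, which also hides any path containing those letters, and run without sudo debsums cannot read files that are not world-readable. Suggest {{{sudo debsums -c}}} ({{{--changed}}}), which prints only files whose checksum differs. Worth adding that debsums compares against the md5sums lists shipped inside the installed packages, so it detects files altered after installation but not a package that was already tampered when installed.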
Line 318: Line 341:
 * Electrum is a FOSS bitcoin client. If you want to use it anonymously install it, then go offline, then create a standard wallet, the go to network configurations, then set the proxy to {{{SOCKS5 localhost 9050}}}. If you want to have better security (given more or less that you trust TrustedCoin more than yourself) instead select "Multifactor authentication". But you might have problems getting it to work with your firewall if you go for the latter. It is best to store the wallet on an encrypted external medium such as a CD/DVD.  * Electrum is a FOSS bitcoin client. If you want to use it anonymously or have your firewall set up properly install it, then go offline, then create a standard wallet, the go to network configurations, then set the proxy to {{{SOCKS5 localhost 9050}}}. If you want to have better security (given more or less that you trust TrustedCoin more than yourself) instead select "Multifactor authentication". But you might have problems getting it to work with your firewall if you go for the latter. It is best to store the wallet on an encrypted external medium such as a CD/DVD.
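Review bot: "set the proxy to {{{SOCKS5 localhost 9050}}}" only anonymises Electrum's traffic if a tor daemon is installed and listening on that port; the item should say to install and start tor first (the torproject repository is only added later in this revision), otherwise the client simply fails to connect. Also "the go to network configurations" should read "then go to".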
Line 321: Line 344:
You can find useful firewall rules at: [[FirewallRules]].

Sadly there doesn't seem to be a proper application-level firewall for Debian yet.
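Review bot: "there doesn't seem to be a proper application-level firewall for Debian yet" is too absolute next to the Sandboxing section this page recommends: firejail can deny a program network access outright (`--net=none`) or confine it to its own network namespace, which covers the common per-application case. The [[FirewallRules]] link should say those are host rules (ports and addresses), not per-program rules, so readers know which layer each tool covers.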
Line 371: Line 398:
 * Install {{{iptables-persistent}}}  * Install {{{iptables-persistent}}} via apper or {{{apt-get install}}}
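Review bot: the iptables-persistent item should say where the rules persist: the package loads /etc/iptables/rules.v4 and rules.v6 at boot and only writes them when asked (at install time, or with `sudo netfilter-persistent save`), so rules added by hand with `iptables` are lost on reboot unless saved. Without that sentence a reader who tests rules interactively ends up with a different rule set after the next boot than the one they verified.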
Line 377: Line 404:
 * With these commands you can find out which applications on your machine are sending or receiving Internet traffic: {{{lsof -i}}} and {{{netstat -pln}}} or {{{sudo netstat -anp --tcp --udp | grep LISTEN}}}  * With these commands you can find out which applications on your machine are sending or receiving Internet traffic: {{{lsof -i}}} and {{{ss -pln}}} or {{{sudo ss -anp --tcp --udp | grep LISTEN}}}
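Review bot: `sudo ss -anp --tcp --udp | grep LISTEN` in the replacement text drops every UDP socket, because ss reports them as UNCONN rather than LISTEN; `sudo ss -tulpn` lists listening TCP and UDP sockets with their owning process in one command. The unprivileged `lsof -i` and `ss -pln` variants only show the process for sockets owned by the invoking user, so the daemons this check is meant to find appear without a process name unless run with sudo.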
Line 385: Line 412:
You can find out exactly which data is being sent by applications and to websites by making use of wireshark. You can use this to identify undesired data transmissions. After installing wireshark run {{{sudo dpkg-reconfigure wireshark-common}}} choose "Yes" and then run {{{sudo adduser $USER wireshark}}}. After running wireshark run {{{sudo dpkg-reconfigure wireshark-common}}} again and choose "No". You can find out exactly which data is being sent by applications and to websites by making use of wireshark. You can use this to identify undesired data transmissions. After installing wireshark run {{{sudo dpkg-reconfigure wireshark-common}}} choose "Yes" and then run {{{sudo adduser $USER wireshark}}}. After running wireshark run {{{sudo dpkg-reconfigure wireshark-common}}} again and choose "No" / {{{sudo deluser username wireshark}}}.
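Review bot: the `sudo adduser $USER wireshark` step does not take effect in the running session; group membership is read at login, so the user must log out and back in (or start wireshark from `newgrp wireshark`) before capturing works, otherwise the "No" reconfigure at the end is reached before a single packet was captured. The new `sudo deluser username wireshark` should use `$USER` like the adduser line, and the paragraph should say what the toggle does: "Yes" grants the wireshark group capture rights via dumpcap, "No" removes them, so only the capture is privileged and the analysis runs as the normal user.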
Line 388: Line 415:
 * To go online you likely need to connect your PC to your router with a LAN cable  * To go online you likely need to connect your PC to your router with a LAN cable. WLAN dongle are highly unlikely to work (apply pressure to manufacturers).
Line 397: Line 424:
You can leave out the torproject repository if you want to. Replace {{{CY}}} with the country code of the repository you would like to use. You can find a list of Debian's repositories [[https://www.debian.org/mirror/list|here]]. You can also leave out {{{contrib}}} which includes software that is not 100% FOSS or add {{{ non-free}}} after contrib which also includes non-free software (such as many proprietary drivers). {{{deb http://download.virtualbox.org/virtualbox/debian stretch contrib}}}<<BR>>

You can leave out the torproject and virtualbox repositories if you want to. Replace {{{CY}}} with the country code of the repository you would like to use. You can find a list of Debian's repositories [[https://www.debian.org/mirror/list|here]]. You can also leave out {{{contrib}}} which includes software that is not 100% FOSS or add {{{ non-free}}} after contrib which also includes non-free software (such as many proprietary drivers).
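Review bot: the `deb http://download.virtualbox.org/virtualbox/debian stretch contrib` line added here hardcodes the stretch suite and uses plain http; since a repository's signing key can install any package as root, the text should say whose key is being trusted and how it is imported, and prefer https. It also sits badly with the guide's 100% FLOSS goal, because the Extension Pack the Virtual machines section later recommends is proprietary; that trade-off belongs next to the line. The two near-identical paragraphs are the old and new column; only the second mentions virtualbox.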
Line 406: Line 435:
 * Do a tripwire scan after the updates as explained [[#Intrusion detection system|here]]  * You could run a tripwire scan after the updates as explained [[#Intrusion detection system|here]] so that your next scan-results are not too long or to inspect changes the updates made
 * More info at [[PackageManagement]]
Line 412: Line 442:
  * For OpenDNS: run {{{kde5-nm-connection-editor}}} and choose your connection -> right click -> edit -> click on the IPv4 settings tab -> choose "Automatic (DHCP) addresses only" -> then enter IPs of DNS servers in the "DNS servers" field, separated by spaces -> "Apply". Use one of the IP addresses [[https://en.wikipedia.org/wiki/OpenDNS#Name_server_IP_addresses|here]] such as 208.67.222.222   * For OpenDNS: run {{{kde5-nm-connection-editor}}} (or right click the network icon in the bottom right -> Configure Network Connection) and choose your connection -> right click -> edit -> click on the IPv4 settings tab -> choose "Automatic (Only addresses)" -> then enter IPs of DNS servers in the "DNS servers" field, separated by spaces -> "Apply". Use one of the IP addresses [[https://en.wikipedia.org/wiki/OpenDNS#Name_server_IP_addresses|here]] such as 208.67.222.222. (or 2620:0:ccd::2 for IPv6).
  * Uncheck "automatically connect to this network when it is available" and "All users may connect to this network" and yourself as "Users allowed to activate this connection" under "Advanced".
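Review bot: the OpenDNS item should state that pointing DNS at 208.67.222.222 / 2620:0:ccd::2 sends every name lookup to Cisco in plaintext; it moves trust from the ISP to another company rather than removing it, which sits oddly in a privacy-oriented guide. If the goal is privacy from on-path observers, mention DNS over TLS (the `stubby` package, or systemd-resolved's DNSOverTLS= setting) as the next step; if the goal is content filtering, say so. The second bullet is missing a verb: "and select yourself as 'Users allowed to activate this connection'".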
Line 418: Line 449:
  * Note that some things might work differently with a sandboxed browser. You can only access files in your Downloads directory.
Line 420: Line 452:
   * Enabling HTTPS (for encrypting the data that is sent between your browser and a website) whenever possible: HTTPS Everywhere
   * Adblocker: uBlock Origin
   * Disabling Javascript by default (you need to allow it if websites you trust don't work): NoScript
   * Enabling HTTPS (for encrypting the data that is sent between your browser and a website) whenever possible: [[https://addons.mozilla.org/de/firefox/addon/https-everywhere/|HTTPS Everywhere]]
   * Adblocker: uBlock Origin (for the latest version of Firefox ESR you may need to download it [[https://addons.mozilla.org/firefox/downloads/file/685614/ublock_origin-1.13.8-an+fx+sm+tb.xpi|here]])
   * Disabling Javascript by default (you need to allow it if websites you trust don't work): [[https://addons.mozilla.org/de/firefox/addon/noscript/|NoScript]]
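Review bot: the direct download link added for uBlock Origin pins version 1.13.8 (`ublock_origin-1.13.8-an+fx+sm+tb.xpi`), so anyone following it installs an outdated add-on that no longer receives fixes; link to the add-on's AMO page instead and let Firefox keep it updated. The HTTPS Everywhere item could add that Firefox 83 and later ship a built-in HTTPS-Only Mode. The `/de/` locale in the two addons.mozilla.org URLs is an artefact of the editor's browser and should be dropped.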
Line 435: Line 467:
 * Evolution and Thunderbird are two good email clients. Evolution comes preinstalled. Open port [...]  * Evolution and Thunderbird are two good email clients. Evolution comes preinstalled but Thunderbird is more popular and has more AddOns and features. Open port [...]
 * For Thunderbird install the {{{clamdrib LIN}}} AddOn for scanning emails for malware.
  * You may want to edit the {{{clamd.conf}}} to add
    {{{TCPSocket 3310}}}<<BR>>{{{TCPAddr localhost}}}<<BR>>and restart Thunderbird
 * In Thunderbird change the security settings so that it does not load images and so on by default
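Review bot: the clamd.conf edit (`TCPSocket 3310`, `TCPAddr localhost`) requires restarting clamd, not Thunderbird: `sudo systemctl restart clamav-daemon`. Binding to localhost is right, since it keeps the scanner off the network, but the firewall section of this guide must then permit loopback traffic or the add-on reports the daemon as unreachable; the item should cross-reference that.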
Line 438: Line 474:
(OPTIONAL)<<BR>>
Line 450: Line 487:
 * Know when Tor should be used and when it shouldn't. Tor is to provide anonymity and not to provide security. Don't use it for casual browsing and entering personal information. The exit-node may actually be spying on your traffic (and be able to easily eavesdrop if you aren't browsing HTTPS-protected or .onion sites). It's only there to provide anonymity.
Line 452: Line 490:
(OPTIONAL)<<BR>>
Line 453: Line 492:
 * Make sure the VPN has a Debian client  * Make sure you can use the VPN with [[OpenVPN]]. Do not use a company's VPN client.
Line 455: Line 494:
 * Connect to it with {{{sudo openvpn --config configuration-file.ovpn}}}
  * You can add exceptions for individual sites by adding routes to the ovpn file by appending {{{route website.org 255.255.255.255 192.168.1.2}}} to the bottom of the file where the ip is the ip of your router
 * VPNs are good for things like warez. They aren't as good as people think they are. [[https://gist.github.com/joepie91/5a9909939e6ce7d09e29|1]] [[http://www.makeuseof.com/tag/5-ways-vpn-not-secure-think/|2]] Don't use free VPNs.

== Join a meshnet ==
(OPTIONAL)<<BR>>
A mesh network is a resilient network in which each node cooperates in the distribution of data in the network by relaying data. Meshnets are decentralized and can withstand censorship and disasters.

 * [[https://www.youtube.com/watch?v=1tEkyLOh-tY|Introductory video]]
 * [[https://docs.meshwith.me/faq/general.html|Introductory FAQ]]
 * [[https://projectmeshnet.github.io/|Support community]]

 * Hyperboria meshnet based on CJDNS
  * [[https://docs.meshwith.me/install/debian-jessie.html|Guide for installing CJDNS on Debian]]
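Review bot: the `route website.org 255.255.255.255 192.168.1.2` exception added for the ovpn file needs a warning that it sends that site's traffic outside the tunnel (the hostname is resolved when openvpn starts, over whatever resolver is active at that moment), so it undoes the VPN for that destination and can leak the lookup. The same item should note that `sudo openvpn --config configuration-file.ovpn` runs the provider's configuration as root and that an .ovpn may contain `up`/`down` script directives, so the file should be read before it is used; that is also the concrete reason behind "Do not use a company's VPN client".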
Line 460: Line 513:
 * Don't store data in clouds - at least no unencrypted data
 * Be aware that companies don't have to be evil to breach your privacy - the data they collect could also get stolen by cybercriminals
 * Don't store data in "clouds" (which are infrastructures of computer servers)---at least no unencrypted data
 * Be aware that companies don't have to be "evil" to breach your privacy---the data they collect could also get stolen by cybercriminals or eavesdropped on
Line 464: Line 517:
Getting your hardware and devices to work with GNU/Linux is the only thing that might be truly difficult. This is mainly due to the way the world screwed up with building proper standardizations and interoperability in general for hardware and due to manufacturers.
Some hardware and devices may work straightaway without any configurations, some might just require some package to be installed, others might require you to install multiple packages, locate some information online (such as on the manufacturer's page or entering the device name + linux into a search engine) and run some commands or even not work at all.
Line 465: Line 521:
 * WLAN driver Info here: [[WiFi]]  * WLAN driver Info here: [[WiFi]]. WLAN dongles are highly unlikely to work properly in Debian. You likely need a network card or a LAN cable.
 * For drivers you sometimes need to install kernel headers. For this install the relevant package by running: {{{sudo apt-get install linux-headers-$(uname -r|sed 's,[^-]*-[^-]*-,,')}}}
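Review bot: the kernel-headers item contradicts the earlier "Compilers: chmod 0444" item without saying so; DKMS compiles drivers with gcc during `apt-get install linux-headers-...`, so the compiler modes must be restored first or the module build fails quietly. A cross-reference to the Compilation section, like the one in the Compilers item, would save readers a confusing failure.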
Line 470: Line 527:
 * Install simple scan for scanning  * Install {{{skanlite}}} for scanning
 * http://localhost:631/ should be the CUPS page where you can setup your printer
Line 474: Line 532:
  * For this you need the following iptables-rules: {{{}}}
 * [[mtp]]
  * For this you need the following iptables-rules:<<BR>>
{{{-A INPUT -p tcp -m tcp --dport 1714:1764 -j ACCEPT}}}<<BR>>
{{{-A INPUT -p udp -m udp --dport 1714:1764 -j ACCEPT}}}<<BR>>
{{{-A INPUT -p tcp -m tcp --sport 1714:1764 -j ACCEPT}}}<<BR>>
{{{-A INPUT -p udp -m udp --sport 1714:1764 -j ACCEPT}}}<<BR>>
{{{-A OUTPUT -p udp -m udp --dport 1714:1764 -j ACCEPT}}}<<BR>>
{{{-A OUTPUT -p tcp -m tcp --dport 1714:1764 -j ACCEPT}}}<<BR>>
{{{-A OUTPUT -p udp -m udp --sport 1714:1764 -j ACCEPT}}}<<BR>>
{{{-A OUTPUT -p tcp -m tcp --sport 1714:1764 -j ACCEPT}}}<<BR>>
 * [[MTP]]: you need the {{{mtp-tools}}} package. Sometimes this requires more work. Some info [[https://wiki.debian.org/mtp|here]]
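Review bot: the four `--sport 1714:1764` rules in the KDE Connect list open a hole rather than enable KDE Connect: `-A INPUT -p tcp -m tcp --sport 1714:1764 -j ACCEPT` admits any inbound connection from any host that picks a source port in that range, and the OUTPUT `--sport` line lets any local process reach anywhere by doing the same. Keep only the `--dport` rules, restrict them to the LAN (for example `-s 192.168.1.0/24`, adjusted to the actual subnet) and let replies back with the usual `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`. Replacing the empty `{{{}}}` placeholder from the old column is the right move; the rule set itself needs the fix above.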
Line 477: Line 543:
 * If you don't have your SD card encrypted you could move/copy files to the SD card of your phone and plug it into your computer
Line 479: Line 546:
/* TODO [[MIDI]] [[MidiHardware]] */ See: [[MIDI]] and [[https://en.wikipedia.org/wiki/List_of_Linux_audio_software|Wikipedia's List of Linux audio software]]

For DJing / mixing there is [[https://www.mixxx.org/|mixxx]] which you can install via your package-manager or by compiling from source to get the latest version as described [[https://www.mixxx.org/wiki/doku.php/compiling_on_linux|here]] and [[#Compilation|section Compilation]]. If your controller does not work with it there might not yet be mapping for it or you might have to edit the {{{/etc/udev/rules.d/mixxx.usb.rules}}} file.

For music production there is [[https://lmms.io/|LMMS]]. However if you want to use VST plugins with it you also need to install Wine (selected by default).

You can use a virtual machine with another operating system to get other software or instruments working.
Line 482: Line 555:
 * Some special buttons of your input devices might not work. Typically you can use {{{xbindkeys-config}}} or the shortcuts to get them working.

== Backups ==
 * You should create regular backups of your data onto an external storage device. The most important data should be backed up twice. The main storage device holding the backup needs to be physically disconnected from your computer except when you are running a backup. Obviously it needs to be encrypted too.
  * [[https://www.youtube.com/watch?v=oS5uH0mzMTg|Tutorial for rsync]]
 * Some special buttons of your input devices might not work. Typically you can use {{{xbindkeys-config}}} or the shortcuts to get them working. After installing {{{xbindkeys}}} you can edit the {{{.xbindkeysrc}}} file in your home directory.

= Installing, compiling and running programs =
== Compilation ==
Sometimes you may need to compile programs if (latest) packages aren't available in Debian repositories.
To compile you need to make sure you have the right compilers installed. The compilers needed are typically displayed when you try to compile software. Some often needed packages for compilation are: g++, g++-6, gcc, gcc-6, as and build-essentials. You need to make sure they have the right permissions set before compilation by running {{{sudo chmod 0700 /usr/bin/g++}}} {{{sudo chmod 0700 /usr/bin/as}}} [...]. After compilation they should be set back to 0444. You need to compile as sudo. Instructions on how to compile can be found at the websites of the software.

== .deb files ==
First navigate to the place where the .deb file is located by {{{cd folder-path}}} then install the package by running {{{sudo dpkg -i package.deb}}}.

== The installation folder ==
 * Create a folder for software (including scripts) that you download from the Internet under {{{/home/username/}}}. You could name it "Software", "Programs", "Apps" or alike.
 * Run {{{sudo chown root:username /home/username/foldername}}} to make root the owner of the folder and oneself the group
 * Then run {{{sudo chmod -R 0750 /home/username/foldername}}} to change the permissions
 * Check permissions with {{{ls -l folderpath}}}
 * Move software into that directory by running {{{sudo mv folderpath1 /home/username/foldername/folderpath2}}}
 * '''Never run software as root.''' If programs don't work change permissions of individual software like so: {{{sudo chmod 0770 /home/username/foldername/programpath}}}

== Hashing ==
When downloading software from anywhere else than official repositories you should check the integrity of the software and verify that it's the actual software you intend to install and not a trojan for example. You should also do this for .iso files as described at the top of this page.

 * There are two ways that you can easily get a checksum of a file:
  * Right click on the file -> tab "Checksums" -> click on "Calculate" next to sha256 -> compare that "hash" to the hash on the official website or any other trusted source.
  * Run `sha256 path-to-file` (or sha512). You could also first use {{{cd}}} to move the context to the folder with the file
 * You should never use the MD5 hash. Also note that some software distributors may have neglected to publish hashes. In such cases you could do a web search for the hash.
 * https://www.cyberciti.biz/faq/pgp-tarball-file-signature-keys-verification/ /*TODO*/
 * https://www.openoffice.org/download/checksums.html

== Clean-ups ==
Cleanup deinstalled programs by running {{{dpkg --get-selections | grep deinstall}}} and then {{{sudo dpkg --purge package-name}}}. Also run {{{sudo apt-get autoremove}}} or cleanup using BleachBit.

= Sandboxing =
Sandboxing means that programs get somewhat isolated from the rest of the machine so that they can't cause great harm. For example their permissions and the directories they have access to can be limited.

 * Use {{{firejail}}} to sandbox software.
  * Firejail profiles for software can be found [[https://github.com/netblue30/firejail/tree/master/etc|here]].
   * Sandboxing your browser is essential. Sandboxing other software might not but it's always a good thing to do.
   * After you have the right profile in your {{{/etc/firejail/}}} folder you should be able to run a program sandboxed by running {{{firejail program-name}}}. You can also add a launcher for the sandboxed version by right-clicking on the KDE icon in the bottom left -> Edit Applications -> editing the command by prefixing it with {{{firejail}}}
 * Virtual machines can also be a form of sandboxing.

= Virtual machines =
(OPTIONAL)<<BR>>
For protecting your system you may want to use virtual machines. They could also help you out if you need to get Windows programs running. Virtual machines are simulated computers with their own "virtual" hardware that run isolated under your "host" OS.<<BR>>
Do not connect them to the Internet. Do not use "shared folders". Do not use drag & drop. Isolate the VM as much as possible.<<BR>>
 * [[VirtualBox]] is a popular "hypervisor" that you can use to create and run virtual machines.
  * After installation you may need to run {{{sudo usermod -a -G vboxusers username}}} to run it.
  * You then need an .iso or DVD of an operating system you wish to install as a virtual machine and some GBs of free storage space.
   * Use a Windows/Mac disc/.iso if you want to inspect, [[ReverseEngineer]] or test Windows/Mac software or need it to have some hardware or software running that only works under Windows/Mac (doing the former can help build GNU/Linux support).
   * Use a Kali Linux disc/.iso if you want to learn hacking
   * Use a Debian disc/.iso if you want to test things
  * For some features you need to install the VirtualBox Extension Pack
  * You can change resolutions and then do View->Fullscreen to make it display fullscreen
  * To move files from your host OS into the virtual machine do not use shared folders or drag&drop but instead create a new data project in K3B and create an .iso file with all the files. Then add that .iso file under Settings->Storage of the virtual machine.
  * Create snapshots for being able to rollback changes to the virtual machine.
  * After running it remove yourself from the vboxusers group by running {{{sudo deluser username vboxusers}}}
  * Make sure to disable Internet access for the virtual machine under the "Network" options besides if you want it enabled
  * You can also use VMs for things like inspecting suspicious files
 * [[KVM]] is an alternative "hypervisor"

= Backups =
You should create regular backups of your data onto an external storage device. The main storage device holding the backup needs to be physically disconnected from your computer except when you are running a backup. Obviously it needs to be encrypted too.

The most important data should be backed up twice. Backup important files to read-only media such as DVDs. You could create an encrypted container with VeraCrypt or dmcrypt/LUKS for these backups.

 * [[https://packages.debian.org/stretch/backintime-common|BackInTime]] is a convenient GUI for rsync that helps you manage backups.
  * After installing press the Settings button on top and choose the source path/s and the destination path. You can create multiple "profiles" for varying backup jobs. Exclude large directories that you don't want to have backed up and the trashbin under "Exclude". You can set it up to automatically remove old backups and run backups regularly. BackInTime does incremental backups which means that only the files that have been changed will be backed up in subsequent backups. If you have multiple backups you can also delete old backups within BackInTime which only removes the old versions of files and directories that have been changed. BackInTime also stores permissions of files separately to
  * Check whether a backup has worked correctly by inspecting folder-sizes and some of your important files. If some files are missing first check if they are "excluded". You can also run {{{diff -qr path1 backup-path}}} to compare directories.
  * Have your most important files backed up to an encrypted readonly medium you store offline such as VeraCrypt volumes on CDs.
 * [[https://www.youtube.com/watch?v=oS5uH0mzMTg|Tutorial for rsync]] if you want to use the command-line and do without BackInTime's features
 * Run {{{sudo sfdisk -l}}} and then {{{sudo sfdisk -d /dev/sda > part_sda.txt}}} for every partition (replace sda) with the partition name of your partition. Also run {{{sudo pvdisplay > pvdisplay.txt}}}. Backup these files, they might help you restore your hard drive in case of failure (you only need to run these once).

= File permissions =
To limit the amount of damage an intruder or exploit / malware can do to your system you can change the permissions of specific files and directories.

To make a directory accessible by root (or any specific user) only run:
 * {{{sudo chown root:root /path/}}} to change the owner of the directory or file
 * {{{sudo chmod 700 /path/}}} to change the permissions so that only the owner can read, write and execute the files.


 * Remember that you should not run programs as root.
 * You can calculate other chmod numbers on [[https://ss64.com/bash/chmod.html|this page]]

= Identify vulnerabilities =
You can use the {{{debsecan}}} package to find currently exploitable packages of your system.

 * Run {{{debsecan}}} to list all the exploits ("CVE"s) affecting your system
 * Run {{{debsecan | grep "remotely exploitable, high urgency"}}} to list all the exploits affecting your system rated having a "high urgency"
 * Run {{{debsecan | awk '/remotely exploitable/ { vuln[$2]++ } END { for (package in vuln) print package }' | sort}}} for a list of all exploitable packages in your system

You could also find a way to use the {{{debsecan-create-cron}}} package to get notified for new vulnerabilities of your system.

Scripts and tools could be used to display information on how to protect against the displayed vulnerabilities or to semi-automatically take protective measures.<<BR>>They could also be used to also identify additional vulnerabilities of one's system. Both of these are relevant to the yet unstarted [[IntegratedIntrusionDetectionSystem]] project as cybersecurity professionals are mostly busy with ephemeral, suboptimal, tailored solutions for protecting corporate profits and alike.

If you followed this guide this far you reached the most basic level of cybersecurity.

The results of debsecan may be desperate and make you think that a secure personal computer for average computer users is impossible. However everything has had to start at some point in spacetime. Securing computers across the globe starts right here and now if you want it to.
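Review bot: "You need to compile as sudo" in the Compilation section is wrong and dangerous: configure scripts and Makefiles execute arbitrary code from the downloaded source, so the build must run as the unprivileged user, with root used only for `make install` if installing under /usr/local at all. The same section tells readers to `chmod 0700` the compilers, which makes them root-only and pushes the build into sudo, so the two instructions reinforce each other the wrong way. Also in this hunk: `sha256 path-to-file` in Hashing should be `sha256sum` (coreutils ships no `sha256`); "list all the exploits ("CVE"s)" in Identify vulnerabilities conflates a CVE with an exploit, since debsecan lists known vulnerabilities, most without any public exploit, and it needs the suite set in /etc/default/debsecan or via `--suite` to report fixed versions; `debsecan-create-cron` is a helper script shipped by the debsecan package, not a package of its own; and `sudo sfdisk -d /dev/sda` in Backups is run once per disk, not per partition.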
Line 490: Line 654:
 * PDF reader: Okular is your preinstalled PDF reader
 * Office / Word / Excel: LibreOffice is your preinstalled office suite
 * Image editor: GIMP is your preinstalled image editor that is as good as Photoshop
 * Image viewer: Gwenview is your preinstalled image-viewer
 * DVD-Burner: K3B is your preinstalled dvd-burning application.
 * Ebook reader: Calibre is a good ebook reader
 * File archiver: Ark is your preinstalled file archive (you don't need Winrar or 7zip)

 * IRC Chat: Hexchat is a good IRC client
 * Media player: VLC Player is a good media player, Amarok is a feature-rich music player
 * Compare text files: Diffuse merge
 * Video editor: Kdenlive
 * Encrypted chatting and sharing: Tox or RetroShare
 * PDF reader: {{{Okular}}} is your preinstalled PDF reader
 * Office / Word / Excel: {{{LibreOffice}}} is your preinstalled office suite
 * Image editor: {{{GIMP}}} is your preinstalled image editor that is as good as Photoshop
 * Image viewer: {{{Gwenview}}} is your preinstalled image-viewer
 * DVD-Burner: {{{K3B}}} is your preinstalled dvd-burning application.
 * Ebook reader: {{{Calibre}}} is a good ebook reader
 * File archiver: {{{Ark}}} is your preinstalled file archive (you don't need Winrar or 7zip)

 * IRC Chat: {{{Hexchat}}} is a good IRC client
 * Media player: {{{VLC Player}}} is a good media player, {{{Amarok}}} is a feature-rich music player
 * Compare text files: {{{Diffuse}}} merge
 * Show previews for videos in dolphin: {{{ffmpegthumbs}}}

 * Video editor: {{{Kdenlive}}}
 * Encrypted communication and sharing: {{{Tox}}} or {{{RetroShare}}}
Line 505: Line 670:
 * Read [[DontBreakDebian]]  * Read [[DontBreakDebian]] / watch [[https://www.youtube.com/watch?v=ThuIHDsxDYc|this]]
Line 507: Line 672:
 * Use [[VirtualBox]] if you have to use a virtual machine (such as Windows if absolutely necessary)  * Use [[VirtualBox]] if you have to use Windows / Mac
 * Useful links: [[https://ss64.com/bash/chmod.html|Chmod permissions calculator]]
Line 510: Line 676:
 * Get your school to use and teach GNU/Linux instead of proprietary software
 * Write findable tutorials (on this Wiki or stack exchange sites) whenever you got something working if the information on it is not as accessible or revisable as it could be such as too short or broad forum posts that are hard to find and even harder to make sense of for newcomers. Write useful readmes that do not make any assumptions of prerequisites but detail every step to get things working.
Line 511: Line 679:
 * Register on GitHub and alike and create issues if you witness bugs
 *
Also secure your other devices such as your mobile phone. Also secure your router.
 * Get an IDE such as Eclipse or NetBeans, read online tutorials for programming languages such as Java, C++, Python or Bash, register on stackoverflow and help program Debian's software
 * Share this page
 * Register on the various issue-tracking platforms such as GitHub to inform developers about bugs
 * Also secure
your other devices such as your mobile phone (e.g. NetGuard firewall for Android). You may also want to secure your router.
 * Get an IDE such as Eclipse or NetBeans, read online tutorials for programming languages such as Java, C++, Python or Bash, register on stackoverflow and get started with helping program Debian's software.
 * '''Share this page'''

Introduction

This page aims to be(come) a step-by-step guide for setting up a personal computer with Debian from scratch to a fully configured system with high security, usability, convenience and privacy-protection.

It aims to be written in layman's terms without any required prior knowledge and is mainly aimed at Debian newcomers---especially those who switched to Debian to evade backdoors and malware in other operating systems (OS) and to gain control over their machines. It is written in a chronological step-by-step manner which, when updated and tested appropriately and followed from top to bottom precisely, will simply get things working.

The steps don't need to be followed exactly---it is meant as an orientation to speed up and ease the setup to allow inexperienced GNU/Linux users and even casual computer users to get a fully free, libre and open source (FLOSS) operating system going by themselves. They can delve deeper once it is working. Ubuntu is not a solution.
It should not be split up as it aims to aggregate and summarize information for an all-in-one-place guide.

Much of this guide might be suboptimal or even false: please help by improving and correcting it. If you think it's not useful you can ignore it.

Goal

The difficulty of properly setting up Debian is keeping away many users. The ultimate goal of guides such as this is to bring about a worldwide mass-migration to a 100% libre operating system and to increase the cybersecurity of citizens and infrastructure.
Security and privacy are human rights. There are valid reasons for surveillance, and most understand that secure communication can also sometimes be problematic by unwittingly helping those who decrease the security of society. Those who harm or plan to harm society need to be confronted by society in innovative and adequate ways. A fundamentally insecure society which also gives up its right to privacy in an intrusive way never possible before, and which allows for highly centralized---often or potentially AI-driven---control, is already somewhat "lost". And cybercrime is not prevented by suppressing information and keeping everyone insecure, but by building technically secure infrastructure and systems.

Widespread vulnerabilities, central control and mass-surveillance are a greater danger to society than ill-intentioned people using such information. Suppressing such information and obstructing citizens from gaining control over their machines and having them secured is not a solution.
Society can't afford the current level of top-down control structures and the unrestrained, unprecedented loss of privacy. Surveillance, even mass-surveillance, and control are not necessarily problematic in themselves, but their purposes, transparency, steering and systemic context can make them so. Our current world is definitely not shaped in a way that would warrant an accepted conclusion justifying the current mass-surveillance and mass-vulnerability of billions of humans.

Lengthy, incomplete, obscure, dispersed and sophisticated guides or even books, only found and implementable by elitist/senior GNU/Linux users with much knowledge, interest and time, are not a solution either.
This guide is not a solution, but it could become part of one if it gets developed further, gets interconnected with potential Debian newcomers and is potentially built into setup wizards or alike.

At present a resilient society using technologically secure software by-design structures with a participative and collaborative culture is the ultimate goal. This requires getting society at large (average computer users) onboard.

Pre-installation FAQ

What is GNU/Linux?
GNU/Linux is a "Unix-like" operating system that is free, libre and open source. Many variants of this operating system exist and they run on most servers (computers that serve content or services such as websites), supercomputers and many embedded computers. Linux is the kernel of the GNU/Linux operating system and most people mean the GNU/Linux operating system when they (incorrectly) speak of "Linux". The Android OS for touchscreen mobile devices (such as smartphones and tablets) runs on the kernel Linux but is not GNU/Linux, because it lacks GNU. GNU is an operating system that is free (libre) software---that is, it respects users' freedom. GNU stands for "GNU's Not Unix!" as GNU's design is "Unix-like", but it differs from Unix by being entirely free (libre) software and containing no Unix code. The GNU project was founded by Richard Stallman. Since GNU's kernel (Hurd) is a work in progress, GNU (minus its kernel) is most often combined with the kernel Linux (developed by Linus Torvalds), forming the complete GNU/Linux OS.

What is free (libre) software?
Software that allows anyone to freely use, copy, study, and change it in any way, and therefore has its source code openly shared so that people are encouraged to voluntarily improve the design of the software. This is in contrast to proprietary software, where the software is under restrictive copyright and the source code is usually hidden from the users. Although rare, some non-free software might have its source code public too.

Free software is often referred to as "open source". "Free software" and "open source" stand for almost the same range of programs, but the open source movement is fundamentally different from the free software movement as they have different goals.

What is Debian?
It is a distribution of GNU/Linux, i.e. a popular variant of the operating system.

Why Debian?
See WhyDebian. It's officially 100% FLOSS and features stability, security, user control, technical features, configurability, privacy, large community, largest upstream GNU/Linux distribution, many packages. It aims to be the best operating system. [...]

Why not Ubuntu?
Ubuntu is based on Debian but isn't as good and isn't 100% FLOSS. Note that you can still make use of most help that refers to Ubuntu, as Debian is very similar to it (for instance most answers on Ask Ubuntu may help you out as well, and instructions for Ubuntu often only need to be slightly altered for Debian). Note however that repositories for Ubuntu or Linux Mint are not compatible with Debian. Do not make a FrankenDebian.

Why not another GNU/Linux distribution?

  • Ubuntu: See above
  • Linux Mint: it includes non-free software[...]
  • Arch Linux: smaller distribution, smaller community, fewer packages, harder to properly set up[...]
  • Fedora: smaller distribution, smaller community, fewer packages
  • Gentoo: for advanced users only

I want to try Debian before installing
Try the LiveCD.

Can I still play my games on Debian?
There are free GNU/Linux games for Debian such as SuperTuxKart. And you can play console games (Gamecube, PS2, etc.) using an emulator such as Dolphin.

You can also use PlayOnLinux / Wine / Steam to play games. However they are somewhat insecure 1 2. Consider if it's worth the effort and introduced security risks. Also consider if it's worth installing proprietary games despite the significant ethical shortcomings.

I only want to install Debian in addition to Windows (dual boot)
Don't do it. Test Debian using a live CD instead.

Does my laptop support Debian?
You need to check it first. If you already have a laptop you should try if you can boot and properly use the live CD. If you want to buy a laptop you need to research whether other people have reported having gotten GNU/Linux working on it. Many Dell laptops support Debian for example (you could search for Ubuntu certified laptops and buy one of those). In addition you need to apply pressure to laptop manufacturers to support it and also create demand. You might find useful information here. Please give a strong preference to ethical devices that do not need non-free drivers or firmware to run under GNU/Linux.

Does Debian support touchscreens and tablets?
Yes. Please see TabletAndTouchScreen. More developers are needed to improve support.

Why would I need such a secure and privacy-protecting OS?
In short: cybercrime, state-sponsored cyber intrusions, companies selling your personal data, uncertainty of the future, centralized control, activism, journalism, journalism-like activities, corporate espionage, having control over your own machines, infrastructure security, cyber-pandemics/malware, being in any way involved in the free software or open source movements, putting corporate profits at risk and overhauling/challenging established structures etc.

But isn't GNU/Linux just for nerds and computer geeks?
It's not supposed to be like that. This guide is an attempt to make GNU/Linux (and in particular a secure setup) more accessible to average users. It needs more effort to build support for even casual computer users who want to never touch the command line and want their hardware to be working plug&play after they bought it. Furthermore even Windows can require big efforts to get working properly, especially if you want to gain some level of privacy and security and do essential things like backups and so on.

But all of my software is for Windows/Mac only. Isn't there almost no software for GNU/Linux?
Most important Windows/Mac software has GNU/Linux equivalents which also are free of charge and---if they are in Debian's repositories---very easy and convenient to install. Some such software can be found at the bottom of this page. Free software has many advantages beyond being free of charge (see Q#2). If you think there's no equivalent for some specific software you use first research what kind of software that is and then search the web for {type of the software} Debian and if you can't find anything you should simply ask on places like softwarerecs.stackexchange.com
Software on Debian also has package-management which is something that e.g. Windows lacks. It regularly scans for new updates and allows you to run updates for all of your software (which is essential for proper security) with a single click.

Download & burn

  • Download a CD/DVD image of the "stable" release from: https://www.debian.org/CD/http-ftp/

    • It's recommended to use the DVD image as more software is packaged with it
    • If you have a 64bit machine you most likely need amd64 and if you have a 32bit one you need i386

      • On Windows you can find out whether you have 64bit or 32bit by going to Start menu -> All Programs -> Accessories -> System Tools -> System Information -> System Type or by pressing and holding the Windows key and the Pause key or by rightclicking on Computer -> Properties -> System type.

      • Most modern computers run 64bit
    • You only need one DVD and to download only the [...]DVD-1.iso

  • Once the .iso file has finished downloading you should checksum the file to verify that it has not been altered and is in a proper state. (A checksum is a short ID that is always the same if the data is exactly the same.) To do this open a terminal and type sha512sum {full path to the .iso file} if you are running GNU/Linux, or if you're running Windows download HashMyFiles and open the .iso with it. Then compare the hashsum to the one in the SHA512SUMS document from where you downloaded your CD/DVD (e.g. https://cdimage.debian.org/debian-cd/current/amd64/iso-dvd/). It has to be the same ID. If the ID differs check whether your download finished properly and if it did, report it somewhere.

  • Burn the .iso file to an empty CD/DVD. On Windows you could use InfraRecorder. On GNU/Linux you could use K3B.

  • K3B does checksum the CD/DVD to verify that it has been written properly
  • Label the CD/DVD so you don't confuse it later
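The checksum comparison above is easy to get wrong by eye, so it is worth letting the shell do it. The following is an added example, not part of this wiki page: it assumes GNU coreutils (sha512sum) and awk, and a sums file in Debian's "hash  filename" format. The same function serves the VeraCrypt and Tripwire downloads in the next step; the demo at the end runs on a constructed sample file, not a real Debian image.

```sh
#!/bin/sh
# Added example (not from the Debian wiki): verify a download against a
# SHA512SUMS list instead of comparing the hash by eye. Assumes GNU
# coreutils (sha512sum) and awk, and a sums file in Debian's
# "<hash>  <filename>" format.

# verify_sha512 FILE SUMSFILE
#   Looks up FILE's basename in SUMSFILE, recomputes the SHA-512 and
#   compares. Returns 0 on match, 1 on mismatch, 2 if FILE is not listed
#   or either input is unreadable.
verify_sha512() {
    file=$1; sums=$2
    name=$(basename "$file")
    if [ ! -r "$file" ] || [ ! -r "$sums" ]; then
        echo "ERROR: cannot read $file or $sums" >&2
        return 2
    fi
    # Hash column of the line whose name column is exactly our file
    # ("*name" is the binary-mode spelling some tools write).
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "NOT LISTED: $name does not appear in $sums" >&2
        return 2
    fi
    actual=$(sha512sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches $sums"
        return 0
    fi
    echo "MISMATCH: $name (check the download, then report it)" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Demonstration on a constructed sample (no real Debian image involved):
# a file with a matching SHA512SUMS entry, then the same file after one
# extra byte, which is what a corrupted download looks like.
demo_verify() {
    tmp=$(mktemp -d)
    ( cd "$tmp" \
        && printf 'constructed sample payload\n' > sample-DVD-1.iso \
        && sha512sum sample-DVD-1.iso > SHA512SUMS )
    verify_sha512 "$tmp/sample-DVD-1.iso" "$tmp/SHA512SUMS" || :
    printf 'x' >> "$tmp/sample-DVD-1.iso"
    verify_sha512 "$tmp/sample-DVD-1.iso" "$tmp/SHA512SUMS" || :
    rm -rf "$tmp"
}
demo_verify
```

To check a real download, save SHA512SUMS next to the .iso and run verify_sha512 {path to the .iso} {path to SHA512SUMS}. GNU coreutils can do the same lookup on its own with sha512sum -c --ignore-missing SHA512SUMS run inside the download directory; the function above only adds a clearer verdict and a distinct exit code for "not listed".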

Download software for offline use later

You should not connect to the Internet before you have finished the setup and reached the step "Go online". Hence you should download all the relevant (security) software packages beforehand and write them to a CD, DVD or USB stick. For laptops you might also need to download drivers beforehand. The DVD-1 contains many packages and to install them you simply need to insert it and install the software via Apper. However it is also missing many important packages. Which software you want to have running before you connect to the Internet depends on you. For instance the GUFW firewall is not among DVD-1's packages, but you don't need it if you'll use iptables instead. You could also install lynis before going online.

  • Download VeraCrypt, hash the downloaded file just like for the .iso above and verify the checksum (i.e. by searching for it)

  • Download Open Source Tripwire, hash the downloaded file just like for the .iso above and verify the checksum (i.e. by searching for it)

  • Copy those two files to a USB stick (or a CD / DVD)

Backup, live CD & formatting

  • Before you install a new operating system to your computer you need to make absolutely sure that you have all your data backed up properly. (Unless you install to a new computer, of course.) Don't do this hastily---there might be files in locations you forgot about or the backup might not have worked properly. Once your backup is complete physically disconnect whatever medium you used for this (e.g. an external hard drive).
  • It is best to format your hard drive before starting the Debian installer. Some could not get Debian installer's partitioning tool to properly set up an encrypted hard drive without doing this. You could skip this step but should do this if you run into problems later.
  • If you have only one PC and no other Live CD/DVDs with relevant tools you should at least download and burn the live CD as you might need it later.
    • For this download SystemRescueCD and burn it to a CD/DVD or use another bootable CD/DVD with partitioning tools. Insert the CD/DVD and boot from it by starting your computer and pressing F10, F12, ESC or a similar key that is typically displayed during startup. Boot from the CD/DVD by selecting it and pressing enter or select CD/DVD to boot first (this varies per mainboard).

    • To start SystemRescueCd once you booted from it you only need to press enter a few times and then enter startx. Once the live CD is started open up GParted by clicking in the bottom left -> System tools -> GParted. Then format your hard drive by right clicking on all of its entries -> delete and confirming it with the green checkmark in the upper right. Make sure you selected the right hard drive in the upper right. There should be no other hard drives connected. Once everything is deleted there should be just one entry and the hard drive contents should be gray.

BIOS settings

  • Before installation you should decide whether you want to have your hard drives partitioned as GPT (new) or MBR (old). A GPT disk supports volumes larger than 2 TB, is more robust and allows for more partitions. However, GPT requires a mainboard that supports UEFI, the successor of BIOS. Most modern mainboards support it. You can find out whether yours does by checking its specs or by checking whether the BIOS settings mention UEFI as a boot mode somewhere. You could consider buying a new mainboard. If you would like to have GPT and UEFI, set the boot mode to UEFI only or change the boot order so that the UEFI CD/DVD entry is #1. If you did this right the Debian installer's splash screen will say it's the UEFI installer.

  • Debian might not support some of your BIOS (or UEFI) options so you might have to change some of them later or reset them back to the defaults.

Installation

  • Boot from the Debian installer as described here. Select graphical installation.

  • Select the keyboard layout of your language or else you might get problems with some keys such as the z and y keys.
  • Do not connect the Internet during installation! You should disconnect any LAN cable or WLAN adapter and remain offline until you have configured all the necessary things. Skip the network configuration step.

  • Select a hostname that other computers in your network can use to identify your machine. Don't name it "localhost".
  • You can leave the domain name empty.
  • Do not set a root password. Leave it empty. This will lock the root account (you can still unlock it later), which is best practice for most personal computers. Instead of using the root user you should use the sudo command. You can also lock the account later by running sudo passwd -d root and sudo passwd -l root.

  • Create your user and password. Choose a long (> 14 chars) and good (some capitaliZed keys, numb3rs and $pecial characters) password and physically write it down somewhere.

Partitioning

Partitioning is the hardest part of the installation and you might have to rerun it a few times.

  • Select "Guided - use entire disk and set up encrypted LVM" (or "Manual").

  • Select Separate home partition

  • The root partition on which Debian gets installed to should be around 30GB. The home partition should take up all the rest of the hard drive space.
  • If you have UEFI note that you need a boot partition and an EFI partition with the bootable flag set to On.
  • If you're not installing on a laptop you should remove the swap partition as it isn't properly encrypted.
    • For this go to Configure logical volume group -> remove volume -> select the swap partition then click on the swap entry and delete the partition.

    • Let it delete prior data of the hard drive (this may take an hour or so) and set another good password again. It's best to have that password written down nowhere.

Software selection (desktop environment)

The desktop environment is the graphical surface of your operating system. It is important that you select the one that fits best to you. You might want to try and compare multiple of them (e.g. via live CDs) and research them (e.g. watch videos showing them).

  • Select only one desktop environment (GNOME, Xfce, KDE, Cinnamon, MATE, LXDE, or LXQt)
    • The most popular desktop environments are GNOME and KDE. GNOME has a design more reminiscent of macOS with a focus on simplicity and polish, while KDE is more similar to Microsoft Windows with a focus on power and flexibility. Xfce and LXQt are popular lightweight desktops for older hardware, or those that just want a snappy experience. Other desktops have their own aesthetic and functional niches, and are worth looking into.

    • Much of this article is tailored to KDE, and may not apply if you choose another desktop.
  • Most likely you shouldn't check "web server" and "SSH server"

Finish

  • Write the GRUB bootloader to the disk when it asks you about it
  • You can check the integrity of the CD in the installer by pressing back and selecting "Check integrity of CD"
  • Finish the installation, remove the CD/DVD and restart your PC. You should enter the graphical GRUB bootloader and it should automatically boot Debian.

Principles and preknowledge

  • Do not connect to the Internet before you finished the setup and reached step "Go online".

  • Only by using root rights can important files be changed and specific commands be run. For this your password is needed. To run commands as root type sudo {command} into the terminal. Most often it will tell you when root rights are required for commands.
  • One of your best defenses is to report anything unusual that you noticed on your machine. Document everything strange including with the relevant logs (of syslog and alike). Then report it or ask about it. Don't keep it to yourself.
  • If you don't know something and you can't find it via your search engine ask about it on places such as https://unix.stackexchange.com/questions/tagged/debian as this will help everyone finding an answer with the same question as you. Make sure to explain your question well and to make it well findable by those with the same question.

  • You should try to never run GUIs (graphical user interfaces / software with a window and controls) as root. Do not install gksu.
  • The terminal is where you enter commands. Debian's default terminal is konsole. You will need to use it often as many things are not yet possible via GUIs. It actually isn't hard to use.
    • By entering history you can find a list of commands you have executed under the current account. Entries can also be deleted from this log by running history -d line-number.

  • Your package-manager is how you find, install and update applications. Try to never install packages from outside the package manager if possible. The best package managers are Apper, Synaptic and Discover (Software Center).
  • Apply updates quickly and check for updates regularly.
  • Try to never install nonfree software unless absolutely necessary. There can easily be backdoors and all sorts of malicious code in proprietary software.
  • You can find more information about commands and programs by just entering the name of the program into the konsole, or the name and "--help" or "man" and the name or by reading the online documentation.
  • Don't install software without knowing what they do or if you don't need it. Don't install things like Flash.
  • Don't execute commands just because somebody told you so or you read about it. Make sure you roughly know what it does. Some commands might destroy your system (e.g. rm to delete important files).

  • You can find logs under /var/log/. The most important one is /var/log/syslog which you can only open (with a texteditor) as root (via sudo). /var/log/apt/history.log is a log of installed packages.

  • You can typically quit displays of text in the console by pressing q or ctrl+x (^ refers to the ctrl key).

  • Some additional important commands:
    • mkdir {path} creates a directory
    • cd {directory} moves the context to a directory (cd .. moves you one directory up)
    • sudo ifconfig displays information about your IP
    • sudo dpkg -i filepath installs a .deb package
    • sudo apt-get install packagename installs a package from the terminal
    • sudo dpkg --add-architecture i386 adds the 32bit architecture
    • sudo -i starts a sudo session
    • sudo cp -r path path copies files as root
    • sudo mv path path moves files as root
    • passwd changes your password
    • bash filepath executes a bash file
    • ls -l lists the files of a directory
    • sudo shutdown -h now shuts the machine down
    • groups username displays the usergroups your user is part of
    • Some more here

  • You can save the output of any command by appending > filepath to a command. For example ls -l > contents.txt creates a file with information on the contents of the directory you're currently in. You can get information about commands by appending --help to them for instance ls --help shows you information about the ls command.

  • You don't need to know all of this by heart. Simply use this page or other pages. But you need to know where to ask for help and how to find the information needed. (Which after reading the above you should know or start looking for.)

Passwords

It's best to write them down physically on a paper (never or only partially/obscured&encrypted electronically). And that in a way that only you can read properly. For instance you could write down signs for words and alter the order in a specific way. Store them in a secure place and try to store them twice.
You could also store them electronically with the password missing some words that you only store on piece of paper.
Furthermore try to enable two factor authentication (2FA) for as many of your relevant accounts as possible. Also plan for the possibility of losing your phone (typically there are backup codes which you should write down).

Initial setup

  • Click on the 3 bars in the upper left -> configure desktop -> Layout -> Folder view if you want to see files on your desktop.

  • In the application starter in the bottom left you find all your applications and the buttons to switch off your computer
  • Open "dolphin" by entering it in the application starter's search bar or by clicking on its icon in the favorites. Dolphin is KDE's default filemanager. You can browse all of your computer's files by clicking "Root" under "Places" in the upper left and storage devices under "Devices". You can add places by dragging them into this panel and you can hide devices you don't need to see by rightclicking them -> hide. Your files should be stored under /home/yourusername/. You can search, change the view-type and settings via the options in the upper bar. To view your current location click next to the text below the upper bar.

  • You can pin applications that you use often to the taskbar. For this enter the name of the application into the search bar -> rightclick it -> select add to panel or add as launcher. It is recommended to add "dolphin", "konsole", "system monitor" and "apper" to the bar.

  • If you did create a root account you need to add yourself to the sudoers file so that you can execute the sudo command. If you did not create the root account you can execute the sudo command already and don't need to do that. To add yourself to the sudoers file enter sudo kate /etc/sudoers -> enter your password -> add yourusername ALL=(ALL) ALL below the %sudo line and save the file (ctrl+s). Instead of kate you could also use another texteditor such as nano.

  • If you have problems with your timezone and the time-display you can change it by entering tzselect into the konsole and by right clicking the clock in the bottom right.

  • If there are problems with your monitor/s / display enter "Displays" into search and check its settings and infos.
  • Enter mouse into the search and set it to "double click to open files"
  • Immediately uninstall kaccess. This is to prevent people from spying on your screen and on what you type. Don't do it if you're literally blind. Otherwise open apper -> type kaccess -> remove -> apply -> enter your password and let it uninstall.

  • You can add useful widgets (such as CPU Load Monitor and Network Monitor) to your desktop by clicking the 3 bars in the upper left -> Add Widgets.

  • Disable unneeded startup applications by entering startup applications into the search (e.g. bluetooth and mousepad)
  • Open LibreOffice via the search -> Tools -> Options -> Security -> Set Macro Security to "High" and check all the options under Security Options likely except "Recommend password protection on saving"

  • Configure screenshots
    • Enter "Spectacle" into the search -> click on the right next to "Save & Exit" -> Preferences -> create a new folder in your Pictures folder and change the preferences as needed

    • Enter "Custom Shortcuts" into search -> Screenshots -> here you can change the buttons for screenshots (ctrl+print for a fullscreen screenshot by default)

  • Add custom shortcuts
    • Enter "Custom Shortcuts" into search -> Edit -> New Group -> name it "Custom" then Edit -> Add -> New -> Global shortcut -> Command/URL. Set a trigger (the keys to be pressed) and an action (for example enter "konsole" into Command/URL to have the konsole opened).

    • Enter "Global Shortcuts" into search -> click on Power management or KDE Daemon -> here you can configure shortcuts to suspend or power off your machine

  • Right click the bottom right clipboard icon -> Configure Clipboard -> Check "Ignore Selection"

  • Make sure you have the right soundcard selected under "Phonon Audio and Video" -> Device Preference and -> Audio Hardware Setup and under "Audio Volume" -> "Output Device" -> Default and -> Configuration. (Also disable all Input unless you want to record something with a microphone.) Disable the sound played when changing the volume in "Audio Volume" -> Volume feedback -> disable.

  • Enter "Screen Locking" into search -> configure the time for the screen to lock automatically and the shortcut to lock it

  • The password for the "KDE wallet" is the same as your user password by default. But you could change/recreate it.
  • Enter Desktop Theme into search -> you can change your theme here

Security and tools

Set a GRUB password

Set a GRUB password as explained here:

  • Run sudo kate /etc/grub.d/00_header /etc/grub.d/10_linux /etc/grub.d/30_os-prober

  • At the bottom of 00_header add this text:

cat << EOF
set superusers="somename"
password somename pw
EOF
Replace somename and pw with a name and a password. If you already encrypted your hard drive you might want to use a shorter one. Do not replace anything except these 3 words. The somename doesn't have to be your username---it can be any word you want.

  • In 10_linux after {CLASS} for the 2 lines that say menuentry add:

    --users '' so that the line reads, for example, printf "menuentry '${title}' ${CLASS} --users '' {\n" "${os}" "${version}"

  • Run sudo sed 's/--class os /--class os --users /' -i /etc/grub.d/30_os-prober

  • Run grub-mkpasswd-pbkdf2 and enter the password you set earlier

  • At the bottom of 00_header replace "password" with "password_pbkdf2" and pw with the output of the previous command starting with grub.pbkdf2.sha512.---for example the full line should look like: password_pbkdf2 John grub.pbkdf2.sha512.10000.FC58373BCA15A797C418C1EA7FFB007BF5A5

If you fail to do this correctly you may not be able to boot your system.

  • Run sudo update-grub to apply your changes and restart your computer
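Because a mistake in these edits can leave the system unbootable, it pays to check the three files before running update-grub. The script below is an added example, not from this wiki page: a read-only pre-flight check that assumes the edits were made exactly as described above (set superusers and password_pbkdf2 lines in 00_header, --users '' on the menuentry lines of 10_linux, --users after --class os in 30_os-prober). The make_sample_grubd helper builds constructed, minimal stand-ins for the three files so the check can be tried in a temporary directory; they are not Debian's real scripts and the PLACEHOLDER hash is not a real one. To check the live files run check_grub_password_config /etc/grub.d.

```sh
#!/bin/sh
# Added example (not from the Debian wiki): pre-flight check for the GRUB
# password edits, to run before "sudo update-grub". Reads only; changes
# nothing.

# check_grub_password_config DIR
#   DIR is the grub.d directory (/etc/grub.d on a live system). Prints one
#   line per problem and returns the number of problems (0 = edits complete).
check_grub_password_config() {
    dir=$1; problems=0
    header="$dir/00_header"; linux="$dir/10_linux"; prober="$dir/30_os-prober"

    # 1. 00_header: a superuser and a hashed (never plaintext) password.
    if ! grep -q '^set superusers="[^"]\{1,\}"' "$header" 2>/dev/null; then
        echo "00_header: no 'set superusers=\"name\"' line"; problems=$((problems + 1))
    fi
    if grep -q '^password [^ ]\{1,\} ' "$header" 2>/dev/null; then
        echo "00_header: plaintext 'password' line still present; replace it with password_pbkdf2"; problems=$((problems + 1))
    fi
    if ! grep -q '^password_pbkdf2 [^ ]\{1,\} grub\.pbkdf2\.sha512\.' "$header" 2>/dev/null; then
        echo "00_header: no password_pbkdf2 line with a grub.pbkdf2.sha512. hash"; problems=$((problems + 1))
    fi
    # The superuser name and the password_pbkdf2 user name must agree.
    su=$(sed -n 's/^set superusers="\([^"]*\)".*/\1/p' "$header" 2>/dev/null | head -n 1)
    pw_user=$(sed -n 's/^password_pbkdf2 \([^ ]*\) .*/\1/p' "$header" 2>/dev/null | head -n 1)
    if [ -n "$su" ] && [ -n "$pw_user" ] && [ "$su" != "$pw_user" ]; then
        echo "00_header: superuser '$su' does not match password_pbkdf2 user '$pw_user'"; problems=$((problems + 1))
    fi

    # 2. 10_linux: every menuentry line needs --users '' so the normal boot
    #    entries stay bootable without the password.
    if [ -r "$linux" ]; then
        missing=$(grep "menuentry '" "$linux" | grep -vc -- '--users')
        if [ "$missing" -gt 0 ]; then
            echo "10_linux: $missing menuentry line(s) without --users ''"; problems=$((problems + 1))
        fi
    else
        echo "10_linux: not readable"; problems=$((problems + 1))
    fi

    # 3. 30_os-prober: the sed above adds --users after every "--class os".
    if [ -r "$prober" ]; then
        missing=$(grep -- '--class os' "$prober" | grep -vc -- '--users')
        if [ "$missing" -gt 0 ]; then
            echo "30_os-prober: $missing '--class os' line(s) without --users"; problems=$((problems + 1))
        fi
    fi
    return $problems
}

# make_sample_grubd DIR done|undone
#   Constructed stand-ins for the three files (not Debian's real scripts),
#   either with the edits applied ("done") or with the plaintext password
#   still in place and no --users ("undone").
make_sample_grubd() {
    dir=$1; state=$2
    mkdir -p "$dir"
    if [ "$state" = done ]; then
        cat > "$dir/00_header" <<'SAMPLE'
cat << EOF
set superusers="John"
password_pbkdf2 John grub.pbkdf2.sha512.10000.PLACEHOLDERSALT.PLACEHOLDERHASH
EOF
SAMPLE
        cat > "$dir/10_linux" <<'SAMPLE'
printf "menuentry '${title}' ${CLASS} --users '' {\n" "${os}" "${version}"
printf "menuentry '${title}' ${CLASS} --users '' {\n" "${os}" "${version}"
SAMPLE
        cat > "$dir/30_os-prober" <<'SAMPLE'
menuentry "${LONGNAME}" --class windows --class os --users {
SAMPLE
    else
        cat > "$dir/00_header" <<'SAMPLE'
cat << EOF
set superusers="John"
password John pw
EOF
SAMPLE
        cat > "$dir/10_linux" <<'SAMPLE'
printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
printf "menuentry '${title}' ${CLASS} {\n" "${os}" "${version}"
SAMPLE
        cat > "$dir/30_os-prober" <<'SAMPLE'
menuentry "${LONGNAME}" --class windows --class os {
SAMPLE
    fi
}

demo=$(mktemp -d)
make_sample_grubd "$demo/done" done
make_sample_grubd "$demo/undone" undone
echo "complete edits:";   check_grub_password_config "$demo/done"   && echo "  no problems found"
echo "incomplete edits:"; check_grub_password_config "$demo/undone" || echo "  $? problem(s) found"
rm -rf "$demo"
```

A clean run does not prove the hash itself is right (only a reboot does), so keep the live CD from the backup step at hand the first time you restart.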

Encryption

You need an encryption program to encrypt data on other storage devices and for the way our IDS is set up in the step below.

  • Install VeraCrypt, ZuluCrypt or another good encryption program.

  • Checksum VeraCrypt before installation and check the hash.

  • You can encrypt whole devices and partitions or just create encrypted volumes.

Anti malware

  • Install ClamTk which also installs ClamAV---Debian's free antivirus software

    • Once you are online you need to update it
    • In the settings have everything checked (if you check PUAs you likely get many false positives though)

  • Install rkhunter
    • To integrate rkhunter with package updates run sudo kate /etc/default/rkhunter and set APT_AUTOGEN="true"

    • Initially run sudo rkhunter --propupd

    • To run a scan run sudo rkhunter -c

  • Install chkrootkit
    • Run a scan sudo chkrootkit

Kernel hardening

  • Run sudo kate /etc/sysctl.conf and make sure the settings are set like so (if not either change the relevant lines or append to the bottom of the file) (please improve):

net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
kernel.sysrq=0
kernel.kptr_restrict=2
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_timestamps=0
net.ipv6.conf.default.accept_redirects=0
kernel.core_uses_pid=1
fs.suid_dumpable=0

  • Then run sudo sysctl -p to apply your changes.

  • You can use Lynis for checking your kernel settings.

Intrusion detection system

Note: at IntegratedIntrusionDetectionSystem work is ongoing to improve IDS!

You can find useful Tripwire Policy rules at: TripwirePolicyRules.

An intrusion detection system (IDS) helps you detect intrusions, allows you to help secure computers by reconstructing intrusions and along the way helps you better understand GNU/Linux / Debian. While some advanced form of IDS' are more or less the only way to ultimately reliably protect machines they haven't been developed so far as to allow fully secure personal computers in practice. But maybe they will get developed further to allow such.
Before doing this you need to have VeraCrypt (or a similar encryption program) installed.

  • Insert a USB stick, open it with dolphin, close dolphin again, open VeraCrypt, then select Volumes -> Create new volume -> Create an encrypted file container. When it asks for the volume location navigate into your USB stick and enter a filename. Create a new volume with a size of around 500MB (50MB would probably be enough too). Once it has finished mount the volume by first clicking the slot number you want to mount it in, selecting the file and entering the 2 passwords.

  • Set up tripwire
    • Copy the file that you downloaded earlier from your USB stick (or CD / DVD)
    • cd into the directory you copied the file to, then run tar -xzf tripwire-open-source-2.4.3.5.tar.gz (the version might differ; the archive is a .tar.gz, which unzip cannot open) and then cd tripwire-open-source-2.4.3.5

    • Run kate ./installer/install.cfg and replace the value of TWBIN, TWPOLICY, TWDB, TWSITEKEYDIR, TWLOCALKEYDIR, TWREPORT (between the two ") to /media/veracrypt10/ (or subdirectories of it respectively such as "/media/veracrypt10/report/"; also make sure to replace 10 with your slot-number). You could also set TWEDITOR to your preferred texteditor such as kate. Save the file.

    • Run ./configure --prefix=/etc/tripwire

    • Make sure it runs through. You might have to install packages such as postfix or a compiler from the DVD-1.
    • Run sudo make install

    • Set the password for your local and site keys. If you run into problems there run ./twinstall.sh Help here.

    • If you need to recreate the cfgfile run ./sbin/twadmin --create-cfgfile -S site.key /media/veracrypt10/twcfg.txt (edit the twcfg.txt like the install.cfg file beforehand)

    • Edit twpol.txt to insert the default twpol.txt contents for Debian

    • Run ./sbin/twadmin -m P -S site.key /media/veracrypt10/twpol.txt

    • Run ./sbin/tripwire --init to see if it's working. At the bottom you'll see plenty of errors.

    • Edit twpol.txt and comment out the lines that have generated these errors under "Root config files" and "System boot changes". Watch this video. Add your own rules to watch important files (such as the sudoers file) or directories if you want to. Suggestions for tripwire rules can be found here.

    • Run ./sbin/twadmin -m P -S site.key /media/veracrypt10/twpol.txt again

    • Run ./sbin/tripwire --init again. Sadly you can't yet change the policy file again after initialization so you should make sure it is fine before you go online.

    • Close the konsole or cd out of the mounted directory and dismount the volume in veracrypt
    • Create a backup of the encrypted volume (1 file) to your hard drive (but always use the USB stick)

Then once you used your computer you can do your first scan. It should be the same procedure every time and you should run them as often as possible to get smaller reports and to know which changes you have caused yourself in the meantime.

  • Disconnect from the Internet
  • Insert the USB stick. Open it with dolphin and close dolphin again.
  • Open VeraCrypt, click on the slot you selected earlier, select the volume-file on the USB stick and mount it using the 2 passwords.

  • Run cd /media/veracrypt10/

  • Run sudo ./sbin/tripwire --check and let it run through

  • Run sudo ./sbin/twprint -m r --twrfile pathtothegeneratedtwrfile > nameofthegeneratedtwrfile-descriptionofwhatyoudidinthemeantime (for example sudo ./sbin/twprint -m r --twrfile ./report/name-20170808.twr > name-20170808-installed-firefox-and-removed-kdeconnect)

  • Inspect the changes by opening the generated file with a texteditor such as kate. Sadly Debian isn't yet integrated well with tripwire so there likely will be a lot of changes. Look for suspicious changes that you didn't cause yourself---especially modified critical files. By this you also learn more about the operating system by gaining more insight into what files change when.
  • Update your database by running export DISPLAY=:0; sudo ./sbin/tripwire --update -Z low -V nano --twrfile ./report/filename.twr, pressing ctrl+x and entering your local key

  • Run cd ../.. and dismount the encrypted volume in VeraCrypt

  • Backup the file again. You could store it on a read-only medium (CD/DVD) once in a while in case your database file becomes corrupted.
  • Reconnect to the Internet

By setting this up properly and by knowing what to look for and helping improve tripwire to integrate better with Debian and to automate the steps above you could theoretically reach a very high level of security.

There are many ways IDS could get improved. This includes having two machines with the same packages installed and comparing whether they differ in any way or by making use of virtual machines. While few IT security specialists seem to be interested in implementing such improvements it is important that you get an IDS working as early as possible. And before going online. While the current implementation might be hard to use it's still useful and also deters potential adversaries merely by being set up properly.
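To make the --init / --check cycle concrete before wiring up Tripwire, here is an added example (not from this wiki page and not Tripwire code): a minimal file-integrity checker in POSIX sh built on sha256sum. integrity_init records a baseline of hashes for every file below a directory and integrity_check recomputes them and reports what was added, removed or modified, much as tripwire --check does for the paths in its policy. The demo at the end works on a constructed temporary directory whose file names are only illustrative. It assumes GNU coreutils and file names without whitespace.

```sh
#!/bin/sh
# Added example (not from the Debian wiki and not Tripwire code): a
# minimal baseline-and-compare file integrity check using sha256sum,
# illustrating what tripwire --init and tripwire --check do.
# Assumes GNU coreutils and file names without whitespace.

# integrity_init DIR BASELINE: hash every regular file below DIR (paths
# relative to DIR, sorted) into BASELINE. This is the "--init" step.
integrity_init() {
    idir=$1; iout=$2
    ( cd "$idir" && find . -type f | LC_ALL=C sort | while read -r f; do
          sha256sum "$f"
      done ) > "$iout"
}

# integrity_check DIR BASELINE: rehash DIR and print one line per
# difference (ADDED / REMOVED / MODIFIED path). Returns the number of
# differences, so 0 means nothing changed. This is the "--check" step;
# after reviewing the report you would re-run integrity_init to accept
# the changes, which is what tripwire --update does for its database.
integrity_check() {
    cdir=$1; cbase=$2
    current=$(mktemp)
    integrity_init "$cdir" "$current"
    report=$(awk '
        FILENAME == ARGV[1] { old[$2] = $1; next }   # first file: the baseline
        { new[$2] = $1 }                              # second file: current state
        END {
            for (f in old) if (!(f in new))                    print "REMOVED  " f
            for (f in new) if (!(f in old))                    print "ADDED    " f
            for (f in new) if ((f in old) && old[f] != new[f]) print "MODIFIED " f
        }' "$cbase" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return "$(printf '%s\n' "$report" | wc -l | tr -d ' ')"
}

# Demonstration on a constructed sample tree standing in for watched
# configuration files.
demo_integrity() {
    d=$(mktemp -d); b=$(mktemp)
    printf 'Defaults env_reset\n' > "$d/sudoers"
    printf 'fs.suid_dumpable=0\n' > "$d/sysctl.conf"
    integrity_init "$d" "$b"
    echo "check 1 (nothing changed):"
    integrity_check "$d" "$b" || :
    # Simulate what a later check must catch: an edit, a deletion, a new file.
    printf '# unexpected edit\n' >> "$d/sudoers"
    rm "$d/sysctl.conf"
    printf 'x\n' > "$d/new.conf"
    echo "check 2:"
    integrity_check "$d" "$b" || :
    rm -rf "$d" "$b"
}
demo_integrity
```

The baseline file plays the role of Tripwire's database: it is only as trustworthy as the place it is kept, which is why the steps above store the database on an encrypted volume on removable media rather than on the monitored disk.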

File permissions

  • Change the file permissions of critical files to prevent unwanted changes to or reading of them
    • CUPS printer configuration file: sudo chmod 0700 /etc/cups/cupsd.conf

    • Kernel configuration: sudo chmod 600 /etc/sysctl.conf

    • Compilers: sudo chmod 0444 /usr/bin/as /usr/bin/g++ /usr/bin/gcc /usr/bin/g++-6 /usr/bin/gcc-6

    • Sudoers file: sudo chmod 0440 /etc/sudoers
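The sysctl values from the Kernel hardening section and the file modes above can both drift silently (a package upgrade may reinstall a compiler with its default mode; a kernel may lack one of the keys). The audit below is an added example, not from this wiki page, that compares the live values with the ones listed in those two sections and prints one DRIFT line per mismatch. It reads /proc/sys directly and uses stat -L from GNU coreutils; the compiler list contains only the unversioned names, so add the gcc-6/g++-6 entries if they exist on your release. compare_settings is a pure function of two "key=value" lists, which is what the checks at the end exercise with constructed values.

```sh
#!/bin/sh
# Added example (not from the Debian wiki): audit the live kernel settings
# and file modes against the values the two sections above ask for.
# Read-only; it reports drift and changes nothing.
# Assumes a Linux /proc/sys and GNU coreutils (stat -L).

# Values from the "Kernel hardening" section.
EXPECTED_SYSCTL='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
kernel.sysrq=0
kernel.kptr_restrict=2
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_timestamps=0
net.ipv6.conf.default.accept_redirects=0
kernel.core_uses_pid=1
fs.suid_dumpable=0'

# Values from the "File permissions" section ("path mode" per line).
# The versioned compilers (gcc-6, g++-6) are release-specific; add them
# here if they exist on your system.
EXPECTED_MODES='/etc/cups/cupsd.conf 700
/etc/sysctl.conf 600
/usr/bin/as 444
/usr/bin/g++ 444
/usr/bin/gcc 444
/etc/sudoers 440'

# read_sysctl KEY: current value from /proc/sys, or "unset" when the key
# does not exist on this kernel (for example with IPv6 disabled).
read_sysctl() {
    p="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$p" ]; then tr -s '\t' ' ' < "$p"; else echo unset; fi
}

# file_mode PATH: octal mode of the target (symlinks such as /usr/bin/gcc
# are followed, as chmod does), or "missing".
file_mode() {
    if [ -e "$1" ]; then stat -L -c '%a' "$1"; else echo missing; fi
}

# compare_settings EXPECTED ACTUAL: both are "key=value" lists, one per
# line. Prints "DRIFT key expected=X actual=Y" for each key whose actual
# value differs or is absent, and returns the number of such keys.
compare_settings() {
    n=0
    while IFS='=' read -r key want; do
        [ -n "$key" ] || continue
        have=$(printf '%s\n' "$2" | awk -F= -v k="$key" '$1 == k { print $2; exit }')
        [ -n "$have" ] || have=unset
        if [ "$have" != "$want" ]; then
            echo "DRIFT $key expected=$want actual=$have"
            n=$((n + 1))
        fi
    done <<EOF
$1
EOF
    return $n
}

# audit_sysctl: compare EXPECTED_SYSCTL with the running kernel.
audit_sysctl() {
    actual=''
    for key in $(printf '%s\n' "$EXPECTED_SYSCTL" | cut -d= -f1); do
        actual="$actual
$key=$(read_sysctl "$key")"
    done
    compare_settings "$EXPECTED_SYSCTL" "$actual"
}

# audit_modes: compare EXPECTED_MODES with the modes on disk.
audit_modes() {
    expected=$(printf '%s\n' "$EXPECTED_MODES" | sed 's/ /=/')
    actual=''
    for path in $(printf '%s\n' "$EXPECTED_MODES" | cut -d' ' -f1); do
        actual="$actual
$path=$(file_mode "$path")"
    done
    compare_settings "$expected" "$actual"
}

echo "== sysctl =="; audit_sysctl || :
echo "== file modes =="; audit_modes || :
```

Run it after sudo sysctl -p and the chmod commands to confirm they took effect, and again after upgrades; a DRIFT line with actual=unset for an IPv6 key is expected on a machine with IPv6 disabled, while a drifted compiler mode after a gcc upgrade means the chmod has to be repeated.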

Security auditing tools

(OPTIONAL)
Security auditing tools analyze your system to find vulnerabilities that you should fix and to propose you ways to further secure your system.

  • One such is Lynis, installation instructions here

    • It might misdetect some things and you don't need to follow all its suggestions but it can help you further secure your system
    • Once installed run it via sudo lynis audit system

Other tools

  • Install Debsums to verify your installed Debian package files against the MD5 checksum lists from /var/lib/dpkg/info/*.md5sums.
    • Run debsums | grep -v OK

  • Install GPA for de- and encrypting texts and for managing your keys
  • Install BleachBit to securely wipe data and to free disk space and clean cookies etc

  • arpwatch, scanlogd, checksecurity, apt-listchanges

Etckeeper

  • To set up etckeeper you need to run these commands:
    • cd /etc/
    • sudo etckeeper init
    • sudo etckeeper commit "Initial etc commit"

  • To view the git history of a file that etckeeper keeps for you install qgit and then enter qgit locationofthefile &. This allows you to notice malicious changes and to manage your configurations.

Bitcoin

(OPTIONAL)

  • Electrum is a FOSS bitcoin client. If you want to use it anonymously or have your firewall set up properly install it, then go offline, then create a standard wallet, then go to network configurations, then set the proxy to SOCKS5 localhost 9050. If you want to have better security (given more or less that you trust TrustedCoin more than yourself) instead select "Multifactor authentication". But you might have problems getting it to work with your firewall if you go for the latter. It is best to store the wallet on an encrypted external medium such as a CD/DVD.

Firewall

You can find useful firewall rules at: FirewallRules.

Sadly there doesn't seem to be a proper application-level firewall (one that asks per program) for Debian yet; what follows filters by address, protocol and port.

  • GUFW is a graphical front-end for ufw, not a Debian-specific firewall, and it does not handle blocking of outbound traffic well. It is also not on DVD-1. Hence it is recommended that you use iptables directly. You could install it anyway and leave it disabled.

  • Run sudo kate /etc/iptables.conf (or sudoedit /etc/iptables.conf) and enter your rules. The following ruleset treats the machine as a client only: nothing from the outside may open a connection to it, and it may itself only open connections for DNS, HTTP and HTTPS (which covers package downloads and browsing) and send pings. Replies are matched by connection tracking, so no "--sport" rules are needed. The DHCP and NTP lines are commented out; enable them if your address comes from DHCP or you run a time daemon:

*filter
#DROP everything by default; every allowed flow is listed explicitly below
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#LOCAL: everything on the loopback interface (-s/-d 127.0.0.1 alone misses the rest of 127.0.0.0/8)
-A INPUT -i lo -j ACCEPT
#Replies to connections this machine opened (HTTP/HTTPS/DNS answers, ping replies) and related ICMP errors
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#Packets that belong to no known connection and look broken: drop them quietly
-A INPUT -m conntrack --ctstate INVALID -j DROP
#PING replies (already covered by ESTABLISHED, kept explicit for readability)
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
#No INPUT rule accepts NEW connections: nothing on this machine is reachable from the network
#LOG 3 dropped packets per minute to /var/log/syslog (or the journal)
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "~~~~IP INPUT DROP: "
-A INPUT -j DROP
#LOCAL
-A OUTPUT -o lo -j ACCEPT
#Continuation of connections that were already allowed
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#HTTP and HTTPS: new outgoing connections only
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
#DNS
-A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
#DHCP lease renewals and NTP time sync: uncomment if you need them
#-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
#-A OUTPUT -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
#PING
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#LOG 3 dropped packets per minute to /var/log/syslog
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "~~~~IP OUTPUT DROP: "
-A OUTPUT -j DROP
COMMIT

  • When done load them with sudo iptables-restore < /etc/iptables.conf (sudo iptables-restore --test < /etc/iptables.conf only checks the syntax without changing anything). Rules loaded this way are lost at reboot, so either do the next step before the next restart or keep your network disabled at startup.

  • Install iptables-persistent via apper or apt-get install. Its installer offers to save the rules that are active at that moment into /etc/iptables/rules.v4 and rules.v6.

  • Run sudo kate /etc/iptables/rules.v4 and copy the contents of /etc/iptables.conf into it

  • The IPv4 rules do nothing for IPv6. If rules.v6 is left empty or with ACCEPT policies, every IPv6 address your machine gets is wide open: write an equivalent ruleset into /etc/iptables/rules.v6 (ICMPv6 must be allowed or neighbour discovery breaks) or at least set its three policies to DROP. Load them with sudo iptables-restore < /etc/iptables/rules.v4 and sudo ip6tables-restore < /etc/iptables/rules.v6; from then on both files are applied automatically at boot. Check the result with sudo iptables -S and sudo ip6tables -S.

  • If an application cannot connect, find out which protocol and ports it needs (the LOG lines show exactly what was dropped: grep "OUTPUT DROP" /var/log/syslog or journalctl -k) and add a rule for it. Alternatively you could allow all outbound traffic, but this isn't recommended for security purposes.
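
The IPv4 file above leaves IPv6 untouched. The following script is an added example, not part of the original page nor of iptables-persistent: it prints a matching IPv6 ruleset, installs it as rules.v6, and performs the two checks worth doing before a reboot, namely that every saved file is default-deny and that it parses (iptables-restore --test, attempted only as root and only when the tool is present). The paths are iptables-persistent's Debian defaults and can be overridden through RULES_V4/RULES_V6; the check assumes a file that contains only the filter table, as on this page.

```sh
#!/bin/sh
# Added example for this guide, not code from the original page or from iptables-persistent.
# Assumptions: iptables-persistent reads /etc/iptables/rules.v4 and rules.v6 (Debian defaults);
# both files contain only the *filter table. Override the paths via the environment to test.
set -eu

RULES_V4="${RULES_V4:-/etc/iptables/rules.v4}"
RULES_V6="${RULES_V6:-/etc/iptables/rules.v6}"

# Print an IPv6 ruleset mirroring the IPv4 one: default DROP, loopback, replies to our own
# connections, outgoing HTTP/HTTPS/DNS, and the ICMPv6 messages a host needs for neighbour
# discovery and address autoconfiguration (without them IPv6 simply stops working).
gen_rules_v6() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p ipv6-icmp --icmpv6-type router-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-solicitation -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type neighbour-advertisement -j ACCEPT
-A INPUT -p ipv6-icmp --icmpv6-type echo-reply -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "~~~~IP6 INPUT DROP: "
-A INPUT -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p ipv6-icmp -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "~~~~IP6 OUTPUT DROP: "
-A OUTPUT -j DROP
COMMIT
EOF
}

# 0 if the three builtin chains of a saved rules file all have policy DROP, 1 otherwise.
# A file saved while the policies were still ACCEPT loads without any error and silently
# leaves the machine open, so run this before every reboot.
rules_default_deny() {
    policies=$(grep -E '^:(INPUT|FORWARD|OUTPUT) ' "$1" | awk '{print $2}' || true)
    [ "$(printf '%s\n' "$policies" | grep -c '^DROP$')" -eq 3 ]
}

# Parse-check a rules file with the matching restore tool without touching the live firewall.
# Returns 2 (skipped) when not root or when the tool is missing, so it is safe to call anywhere.
check_rules_syntax() {
    file="$1"; tool="$2"
    command -v "$tool" >/dev/null 2>&1 || return 2
    [ "$(id -u)" -eq 0 ] || return 2
    "$tool" --test < "$file"
}

# Write rules.v6 (keeping a backup of an existing file) and check both files.
install_rules() {
    tmp=$(mktemp)
    gen_rules_v6 > "$tmp"
    rules_default_deny "$tmp" || { echo "generated v6 rules are not default-deny" >&2; return 1; }
    rules_default_deny "$RULES_V4" || { echo "$RULES_V4 is not default-deny" >&2; return 1; }
    if [ -e "$RULES_V6" ]; then cp -p "$RULES_V6" "$RULES_V6.bak"; fi
    install -m 0600 -o root -g root "$tmp" "$RULES_V6"   # the rules need not be world-readable
    rm -f "$tmp"
    for pair in "$RULES_V4 iptables-restore" "$RULES_V6 ip6tables-restore"; do
        set -- $pair
        check_rules_syntax "$1" "$2" && echo "$1: syntax OK" || echo "$1: check skipped or failed (status $?)"
    done
}

case "${1:-}" in
    install) install_rules ;;
    show)    gen_rules_v6 ;;
    *)       echo "usage: $0 show|install" >&2 ;;
esac
```

Run it as sudo sh rules6.sh show to inspect the generated file and sudo sh rules6.sh install to write and check it. Even with both files in place, verify from a second machine that the ports you expect to be closed really are (see the next section).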

Close ports and inspect traffic

  • With these commands you can find out which programs on your machine are listening for or sending network traffic: sudo lsof -i and sudo ss -tulpn (TCP and UDP listeners with the owning process; run as root, otherwise you only see your own processes). Note that UDP sockets never show the state LISTEN, so grepping for it, as in sudo ss -anp --tcp --udp | grep LISTEN, hides every UDP service.

    • Use sudo fuser -v portnumber/tcp (or /udp) to find out which process holds an open port

  • With zenmap (the GUI of nmap) you can scan your own computer for open ports. Install it and then do a full scan on 127.0.0.1, and another on the address of your LAN interface (shown by ip addr): a service bound to 127.0.0.1 only shows up in the first scan, while one bound to 0.0.0.0 is reachable from the network. Scanning from a second machine on the LAN is the most honest test of your firewall. Do not scan machines that do not belong to you.
  • If you don't have network printers you can disable CUPS, which otherwise listens on port 631: sudo systemctl disable --now cups.socket cups.path cups.service

  • You can use BUM to disable services that start automatically; on a systemd-based Debian, systemctl list-unit-files --state=enabled and sudo systemctl disable --now unit do the same from the command line.
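
To turn the output of ss into the list that actually matters (what is reachable from the network), here is an added example that is not part of the original page. It keeps the listening and unconnected sockets that are not bound to loopback, i.e. the ones another host could talk to. The sample output embedded in it is constructed to look like ss -tulpn output; the process names and PIDs in it are made up.

```sh
#!/bin/sh
# Added example for this guide (not from the original page): list the sockets on this machine
# that are reachable from the network, from the output of `ss -tulpn`.
# Run with the argument "live" to read the real output; without arguments it parses the sample.
set -eu

# Constructed sample of `sudo ss -tulpn` output (process names and PIDs are invented)
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=612,fd=6))
udp   UNCONN 0      0          127.0.0.1:53        0.0.0.0:*     users:(("dnsmasq",pid=700,fd=4))
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*     users:(("cupsd",pid=900,fd=7))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=800,fd=3))
tcp   LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=800,fd=4))
tcp   LISTEN 0      5              [::1]:631          [::]:*     users:(("cupsd",pid=900,fd=8))
udp   UNCONN 0      0            0.0.0.0:1714      0.0.0.0:*     users:(("kdeconnectd",pid=1200,fd=9))'

# Read `ss -tulpn` lines on stdin, print "proto address port process" for every socket
# that is not bound to loopback. The header is skipped because its 2nd field is "State".
# Without root, ss omits the process of other users' sockets, shown here as "?".
exposed_sockets() {
    awk '$2 == "LISTEN" || $2 == "UNCONN" {
        n = split($5, a, ":"); port = a[n]
        addr = substr($5, 1, length($5) - length(port) - 1)   # keeps [::] and [::1] intact
        if (addr ~ /^127\./ || addr == "[::1]") next          # loopback only: not reachable
        proc = "?"
        if (match($0, /\(\("[^"]+"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
        print $1, addr, port, proc
    }' | sort -u
}

case "${1:-sample}" in
    live) ss -tulpn | exposed_sockets ;;
    *)    printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_sockets ;;
esac
```

On the sample this yields sshd on 22 (IPv4 and IPv6), dhclient on 68 and kdeconnectd on 1714, while cupsd and dnsmasq are dropped because they only listen on loopback. For every line in the live output, decide whether the firewall blocks it, whether the service can be bound to 127.0.0.1 instead, or whether it should simply be stopped; the IPv6 line for sshd is a reminder that the IPv4 rules alone do not cover it.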

Wireshark

(OPTIONAL)
You can find out exactly which data applications send and which websites they talk to by making use of wireshark, and use it to identify undesired data transmissions. Capturing needs raw access to the network interface, which is why the package asks whether non-root members of the "wireshark" group may capture: after installing wireshark run sudo dpkg-reconfigure wireshark-common, choose "Yes", then sudo adduser $USER wireshark and log out and in again (group changes take effect at login). When you are done, revoke it again with sudo dpkg-reconfigure wireshark-common (choose "No") or sudo deluser username wireshark. Never run wireshark itself as root: its protocol dissectors parse untrusted data and are a regular source of security bugs. An alternative that avoids the group dance is to capture with sudo tcpdump -i interface -w capture.pcap and open the file in wireshark as your normal user.

Go online

  • To go online you most likely need to connect your PC to your router with a LAN cable. Many USB WLAN dongles need non-free firmware (packages such as firmware-realtek or firmware-atheros from the non-free section) and do not work out of the box from DVD-1; see section Drivers.
  • Edit the SourcesList so that you can find and download packages: run sudo kate /etc/apt/sources.list and comment out the CD / DVD sources which allowed you to install packages by inserting DVD-1. Add these sources instead (they are for stretch, the release current when this was written; use the codename of your own release, shown by lsb_release -sc or in /etc/os-release):

deb http://security.debian.org/debian-security stretch/updates main contrib
deb-src http://security.debian.org/debian-security stretch/updates main contrib
deb http://ftp.CY.debian.org/debian/ stretch main contrib
deb-src http://ftp.CY.debian.org/debian/ stretch main contrib
deb http://ftp.CY.debian.org/debian/ stretch-updates main contrib
deb-src http://ftp.CY.debian.org/debian/ stretch-updates main contrib
deb http://deb.torproject.org/torproject.org stretch main
deb http://download.virtualbox.org/virtualbox/debian stretch contrib

You can leave out the torproject and virtualbox repositories if you want to. Replace CY with the country code of the mirror you would like to use, or use deb.debian.org (Debian's CDN mirror) instead of ftp.CY.debian.org. You can find a list of Debian's mirrors here. You can also leave out contrib, which contains free software that depends on non-free software, or add non-free after contrib to include non-free software (such as many proprietary drivers and firmware). Two things to know about the lines above: from bullseye on the security line reads bullseye-security instead of stretch/updates, and a third-party repository such as torproject or virtualbox gets the same trust as Debian itself, since its packages run maintainer scripts as root when installed, so add only the ones you need and verify their signing keys.

Run updates

  • Install apt-transport-https (sudo apt-get install apt-transport-https) if any of your sources use https; apt before buster needs it, since buster it is built into apt

  • If you want to replace the Firefox ESR from the DVD with the one from the network, run sudo apt-get remove firefox-esr and sudo apt-get install firefox-esr (the plain upgrade in the next step also brings it up to date)

  • Run sudo apt-get update and sudo apt-get upgrade

  • You might need to run this multiple times and fix some issues until it says 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded and that no packages have been held back.

  • Open Apper -> Check for updates should say that no updates are available

  • Run sudo freshclam

  • You could run a tripwire scan after the updates as explained here so that your next scan-results are not too long or to inspect changes the updates made

  • More info at PackageManagement

DNS

Before a computer can connect to an external network resource (say, for example, a web server), it must have a means of converting any alpha-numeric names (e.g. wiki.debian.org) into numeric network addresses (e.g. 140.211.166.4). More information.

  • To stop using the DNS servers your router hands out via DHCP you do not have to edit NetworkManager.conf: choose "Automatic (Only addresses)" in the connection as described next, and NetworkManager writes the servers you enter into /etc/resolv.conf. Only add dns=none below the [main] section of /etc/NetworkManager/NetworkManager.conf (dns=no is not a valid value) if you prefer to write /etc/resolv.conf yourself; with dns=none the servers set in the connection editor are no longer written to resolv.conf.

  • Use OpenDNS or OpenNIC
    • For OpenDNS: run kde5-nm-connection-editor (or right click the network icon in the bottom right -> Configure Network Connection) and choose your connection -> right click -> edit -> click on the IPv4 settings tab -> choose "Automatic (Only addresses)" -> then enter the IPs of the DNS servers in the "DNS servers" field, separated by spaces -> "Apply". Use one of the IP addresses here such as 208.67.222.222 (or 2620:0:ccd::2 for IPv6). Afterwards cat /etc/resolv.conf must list only the servers you chose; if your router's address is still there, the DHCP-provided servers are still in use.

    • Uncheck "automatically connect to this network when it is available" and "All users may connect to this network" and select yourself as "Users allowed to activate this connection" under "Advanced".

    • Plain DNS on port 53 is unencrypted: whoever runs the resolver, and anyone on the path to it, sees every name you look up and can tamper with the answers. Choosing a resolver only changes who that is.

Configure Firefox

  • Sandbox your browser so vulnerabilities can't easily cause harm to your system
    • Install firejail (Debian package firejail; it ships a profile for firefox-esr)
    • Right-click on the KDE icon in the bottom left -> Edit Applications -> right click on Internet -> New item -> Name: Sandboxed Firefox-ESR Command: firejail firefox-esr -p

    • Note that some things work differently in a sandboxed browser: by default you can only access files in your Downloads directory, which is the point. Check that the sandbox is actually in effect with firejail --list while the browser runs.
  • Install useful add-ons:

    • Security-related
      • Enabling HTTPS (for encrypting the data that is sent between your browser and a website) whenever possible: HTTPS Everywhere. This add-on has since been retired; current Firefox ESR has a built-in HTTPS-Only Mode (Settings -> Privacy & Security) that does the same.

      • Adblocker: uBlock Origin (install it from addons.mozilla.org)

      • Disabling Javascript by default (you need to allow it for trusted websites that don't work without it): NoScript

      • Instead of fetching resources from external content delivery networks again and again store them locally: Decentraleyes
      • Prevent people from identifying you across websites due to more or less unique HTTP headers: Blender
      • Delete cookies of a website after leaving it automatically: Self-Destructing Cookies
    • Other: TabMixPlus for many useful tab functionalities, SessionManager for managing your browser sessions, Greasemonkey for adding userscripts, RedditEnhancementSuite if you use reddit, FlashGot for downloading streamed videos

    • Several of the add-ons listed here were legacy (XUL) add-ons, which Firefox stopped supporting with version 57 / ESR 60; check on addons.mozilla.org that a current version exists before relying on one. Don't just download and install add-ons but also configure them properly, and keep their number small: every add-on reads the pages you visit and is a way into the browser if it is compromised or sold to a new owner.

Public keys

  • A list of keyservers can be found here. Prefer a keyserver that is reachable over HTTPS, such as hkps://keys.openpgp.org, which uses port 443 and therefore already works with the firewall rules above.

  • Open port 11371 in iptables[...] for being able to fetch keys over plain HKP /* TODO */

  • Create an OpenPGP keypair under your real name and possibly for pseudonyms so that you can prove your identity and receive encrypted mail. Protect the private key with a good passphrase and store it securely (a backup of it belongs on the encrypted offline medium used for backups below). Upload the public key to a keyserver and/or give it to the people you want to communicate with privately or to whom you want to prove your identity, and compare the key fingerprint over a second channel (in person, on the phone), since anyone can upload a key carrying your name.

Email client

  • Evolution and Thunderbird are two good email clients. Evolution comes preinstalled but Thunderbird is more popular and has more add-ons and features. Open port [...] With the firewall above you also need OUTPUT rules for the ports your provider uses (commonly 993 for IMAPS and 587 or 465 for submission), and you should only use the TLS ("SSL/TLS" or "STARTTLS") variants in the account settings.

  • For Thunderbird install the clamdrib LIN add-on for scanning emails for malware.

    • You may want to edit /etc/clamav/clamd.conf to add

      • TCPSocket 3310
        TCPAddr localhost
        and restart the daemon with sudo systemctl restart clamav-daemon (restarting Thunderbird alone is not enough). Binding to localhost matters: every process on the machine can then reach clamd, but nothing on the network can.

  • In Thunderbird change the security settings so that it does not load remote images and so on by default; remote content lets a sender learn when and from where you open a mail.

Get Tor

(OPTIONAL)

  • Follow this guide to add keys (see section #Public keys first), add the tor repository and download tor

  • Download the Tor Browser from the Tor Project's website

  • Verify the download: next to each archive the Tor Project publishes a detached OpenPGP signature (.asc). Import the Tor Browser Developers signing key, check its fingerprint against the one listed on the Tor Project's site, and run gpg --verify on the signature and the archive. A checksum alone only tells you the download is not corrupt, not that it came from the Tor Project.
  • Move the tor-browser directory to your software folder (it updates itself in place, so it must stay writable by your user; see section The installation folder)
  • Firejail it
    • Download the firejail profile for start-tor-browser (recent firejail versions already ship one; look in /etc/firejail first)

    • Move that textfile into /etc/firejail

    • Right-click on the KDE icon in the bottom left -> Edit Applications -> right click on Internet -> New item -> Name: Sandboxed Tor Browser Command: firejail --profile=/etc/firejail/start-tor-browser.profile /home/username/foldername/tor-browser_en-US/start-tor-browser.desktop (replace username and foldername). A "cd ... &&" prefix is not needed (the launcher finds its own directory) and would not work anyway, since menu entries are not run through a shell.

  • Edit /etc/tor/torrc and append FascistFirewall 1 to the bottom of it so that the system Tor daemon only connects to relays on ports 80 and 443, which the iptables rules above permit. The Tor Browser runs its own tor process with its own torrc (Browser/TorBrowser/Data/Tor/torrc inside its directory), which needs the same line.

  • Start it and check for updates (and apply them)
  • Disallow scripts globally by clicking on the NoScript button in the upper right

  • Set the security level to highest by clicking the Tor button next to the NoScript button -> Tor settings

  • Know when Tor should be used and when it shouldn't. Tor provides anonymity, not security. Don't use it for casual browsing and entering personal information. The exit node can see and modify your traffic (and read it if you aren't browsing HTTPS-protected or .onion sites). Never run the Tor Browser as root, and don't install extra add-ons into it or resize its window: both make you stand out from other Tor users.

Get a VPN

(OPTIONAL)

  • Compare VPN providers and select a good one
  • Make sure you can use it with the openvpn package from Debian. Do not use a provider's own client: you cannot audit it and it runs with root privileges on your machine.

  • Buy it over Tor with Bitcoin if the account should not be linked to you

  • Connect to it with sudo openvpn --config configuration-file.ovpn; adding --user nobody --group nogroup makes openvpn drop root once the tunnel is up. With the firewall above you also need an OUTPUT rule for the VPN server's port (found in the .ovpn file; OpenVPN's default is UDP 1194).

    • You can add exceptions for individual sites by adding routes to the ovpn file: append route website.org 255.255.255.255 192.168.1.2 to the bottom of the file, where the ip is the ip of your router. Traffic to that site then leaves through your normal connection instead of the tunnel.

  • Be clear about what a VPN does: it hides your traffic from your local network and ISP and your IP address from the sites you visit, and moves that visibility to the VPN provider, which sees everything and knows who pays. It is not an anonymity tool, and it is not as good as people think it is. Don't use free VPNs; with those you are the product.

Join a meshnet

(OPTIONAL)
A mesh network is a resilient network in which each node cooperates in the distribution of data in the network by relaying data. Meshnets are decentralized and can withstand censorship and disasters.

Check the settings of your webaccounts and switch providers

  • Check the settings of your accounts such as Google
  • Make use of trash mail sites
  • Switch providers (such as your email provider; you can forward your emails from your old account) if your provider doesn't take security and privacy seriously
  • Don't store data in "clouds" (that is, on somebody else's servers)---at least no unencrypted data

  • Be aware that companies don't have to be "evil" to breach your privacy---the data they collect could also get stolen by cybercriminals or eavesdropped on

Drivers

Getting your hardware and devices to work with GNU/Linux is the only thing that might be truly difficult. This is mainly due to missing standardization and interoperability in hardware and to manufacturers who publish neither drivers nor documentation. Some hardware works straight away, some needs a single package (often a firmware package from non-free), some needs several packages plus information from the manufacturer's page or a web search for the device name + linux and a few commands, and some does not work at all. Check the Debian wiki pages for your hardware before buying.

  • If you have a discrete graphics card it might not achieve full performance under Debian with the free drivers. For the highest possible performance you may need to install the non-free, proprietary driver, which then runs with full kernel privileges and cannot be audited; consider hardware with free driver support instead. Info here: GraphicsCard

  • WLAN driver info here: WiFi. Many WLAN chips, dongles included, need a non-free firmware package (e.g. firmware-iwlwifi, firmware-realtek, firmware-atheros) that is not on DVD-1; until that is installed you need a LAN cable or a network card that works with free drivers.

  • For building drivers (DKMS modules, the VirtualBox kernel modules) you need the kernel headers matching your running kernel: sudo apt-get install linux-headers-$(uname -r) for exactly that kernel, or sudo apt-get install linux-headers-$(uname -r|sed 's,[^-]*-[^-]*-,,') for the metapackage (e.g. linux-headers-amd64) that follows kernel upgrades.

Connect your devices

Printer

  • The website of the manufacturer should have information on how to install the driver for your printer on Debian
  • Install skanlite for scanning

  • http://localhost:631/ should be the CUPS page where you can setup your printer

Android phone

  • KDE Connect [...] pairs your phone with the desktop over the local network. It uses ports 1714-1764 on TCP and UDP, so with the firewall above you need the following rules, inserted above the final "-j DROP" lines of the INPUT and OUTPUT chains. Replace 192.168.1.0/24 with your own LAN; without the -s/-d restriction the ports would be open towards every network you ever connect to:

#KDE Connect: phone and PC talk on 1714-1764 (TCP and UDP); limited to the LAN
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 1714:1764 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --dport 1714:1764 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --sport 1714:1764 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p udp -m udp --sport 1714:1764 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -p udp -m udp --dport 1714:1764 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -p tcp -m tcp --dport 1714:1764 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -p udp -m udp --sport 1714:1764 -j ACCEPT
-A OUTPUT -d 192.168.1.0/24 -p tcp -m tcp --sport 1714:1764 -j ACCEPT

  • MTP: you need the mtp-tools package (and kio-extras for browsing the phone in Dolphin). Sometimes this requires more work. Some info here

  • Other tools
  • If you don't have your SD card encrypted you could move/copy files to the SD card of your phone and plug it into your computer

Music instruments

See: MIDI and Wikipedia's List of Linux audio software

For DJing / mixing there is mixxx which you can install via your package-manager or by compiling from source to get the latest version as described here and section Compilation. If your controller does not work with it there might not yet be mapping for it or you might have to edit the /etc/udev/rules.d/mixxx.usb.rules file.

For music production there is LMMS. However if you want to use VST plugins with it you also need to install Wine (selected by default).

You can use a virtual machine with another operating system to get other software or instruments working.

Input devices

  • Some special buttons of your input devices might not work. Typically you can use xbindkeys-config or the shortcuts to get them working. After installing xbindkeys you can edit the .xbindkeysrc file in your home directory.

Installing, compiling and running programs

Compilation

Sometimes you may need to compile programs if (latest) packages aren't available in Debian repositories. To compile you need the right compilers and build tools installed; what is missing is typically reported when you try to build. The package build-essential pulls in gcc, g++ (gcc-6/g++-6 on stretch), binutils (which provides as) and make. If you removed the execute bit from the compilers as described above, set them back to the default before building with sudo chmod 0755 /usr/bin/as /usr/bin/gcc /usr/bin/g++ and so on (or sudo dpkg-statoverride --remove for each file you overrode) and restore 0444 afterwards. Build as your normal user, never as root: a build script is arbitrary code from the Internet, and a normal build needs no privileges. Use sudo only for the final make install, and prefer installing into your home directory (e.g. ./configure --prefix=$HOME/foldername) or building a .deb with checkinstall so that the package manager knows about the files. Instructions on how to compile can be found at the websites of the software.

.deb files

First navigate to the place where the .deb file is located by cd folder-path, then install the package by running sudo dpkg -i package.deb. dpkg -i does not resolve dependencies; if it complains, sudo apt-get install -f pulls them in. On stretch and later, sudo apt install ./package.deb does both steps at once. Installing a .deb runs its maintainer scripts as root, so only install files whose origin you have verified (see section Hashing) and prefer the Debian repositories whenever the software is in them.

The installation folder

  • Create a folder for software (including scripts) that you download from the Internet under /home/username/. You could name it "Software", "Programs", "Apps" or alike. The idea: programs you run should not be writable by the user that runs them, so that a compromised program (or any malware running as you) cannot silently replace the binaries you will start tomorrow.

  • Run sudo chown -R root:username /home/username/foldername to make root the owner of the folder and your own group its group

  • Then run sudo chmod -R 0750 /home/username/foldername so that only root can write while members of your group can read and execute

  • Check permissions with ls -l folderpath

  • Move software into that directory by running sudo mv folderpath1 /home/username/foldername/folderpath2 and repeat the chown and chmod for it

  • Never run software as root. If a program does not work from there it usually wants to write into its own directory (self-updating software such as the Tor Browser does). Giving the directory mode 0770 would hand write access back to your user and defeat the purpose, so for such programs keep a separate directory owned by you and accept the trade-off. Programs that merely need a place for their settings use your home directory and need no change.

Hashing

When downloading software from anywhere other than the official repositories you should check the integrity of the file and verify that it is the actual software you intend to install and not, for example, a trojan. You should also do this for .iso files as described at the top of this page. A hash only proves integrity; it proves authenticity only when you got it from a source the attacker cannot also control (a detached OpenPGP signature, or the hash published on the project's HTTPS page while the file itself came from a mirror). A hash displayed right next to the download on the same server catches corruption, nothing more.

  • There are two ways that you can easily get a checksum of a file:
    • Right click on the file -> Properties -> tab "Checksums" -> click on "Calculate" next to SHA256 -> compare that "hash" to the hash on the official website or any other trusted source.

    • Run sha256sum path-to-file (or sha512sum). You could also first use cd to move into the folder with the file. If the project publishes a SHA256SUMS file, sha256sum -c SHA256SUMS checks every listed file in one go.

  • You should never rely on MD5 (or SHA-1): collisions can be produced on demand, so two different files can carry the same hash. Also note that some software distributors may have neglected to publish hashes. In such cases a web search for the hash is a weak signal at best: it tells you whether others have seen the same file, not whether it is benign.
  • https://www.cyberciti.biz/faq/pgp-tarball-file-signature-keys-verification/ /*TODO*/

  • https://www.openoffice.org/download/checksums.html
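
The checks described in this section, as an added example that is not code from the original page: a file against one published SHA-256 digest, a directory against a SHA256SUMS manifest, and a detached OpenPGP signature, which is the only one of the three that proves where a file came from. The file and key names in the usage line are placeholders, and the script is not tied to any particular project.

```sh
#!/bin/sh
# Added example for this guide, not code from the original page. Three verification steps for
# software obtained outside the Debian repositories. File names and keys are placeholders.
set -eu

# verify_sha256 FILE EXPECTED_HEX: 0 if FILE's SHA-256 equals EXPECTED_HEX (case-insensitive),
# 1 otherwise. The digest must come from somewhere the attacker who could swap the file cannot
# also edit (a signed SUMS file, the project's HTTPS page while the file came from a mirror, a
# printed slip); a digest shown beside the download on the same server only catches corruption.
verify_sha256() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# verify_sums_file SUMS_FILE: check every file listed in a sha256sum-style manifest
# ("<hex>  <name>" per line) relative to the current directory. Fails when any listed file is
# missing or differs, so an incomplete download set is reported rather than silently accepted.
verify_sums_file() {
    sha256sum -c "$1"
}

# verify_signature SIG_FILE SIGNED_FILE: verify a detached OpenPGP signature. Returns 2 when gpg
# is not installed. The signing key must already be in your keyring and you must have compared
# its fingerprint with one obtained out of band; a "Good signature" from an unknown key proves
# only that somebody signed the file, not who.
verify_signature() {
    command -v gpg >/dev/null 2>&1 || return 2
    gpg --verify "$1" "$2"
}

case "${1:-}" in
    digest) verify_sha256 "$2" "$3" && echo "OK: $2" || { echo "MISMATCH: $2" >&2; exit 1; } ;;
    sums)   verify_sums_file "$2" ;;
    sig)    verify_signature "$2" "$3" ;;
    *)      echo "usage: $0 digest FILE HEX | sums SHA256SUMS | sig FILE.asc FILE" >&2 ;;
esac
```

Typical use is sh verify.sh sig SHA256SUMS.asc SHA256SUMS followed by sh verify.sh sums SHA256SUMS: the signature vouches for the manifest, the manifest vouches for the files. Comparing digests by eye is error-prone; let the script do the comparison and read only its verdict.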

Clean-ups

Clean up packages that were removed but not purged (their configuration files are still around) by running dpkg --get-selections | grep deinstall and then sudo dpkg --purge package-name for each of them. Also run sudo apt-get autoremove to drop packages nothing depends on any more, or clean up using BleachBit.

Sandboxing

Sandboxing means that programs get somewhat isolated from the rest of the machine so that they can't cause great harm. For example their permissions and the directories they have access to can be limited.

  • Use firejail to sandbox software.

    • Firejail profiles for software can be found here; the package itself ships profiles for most common desktop programs in /etc/firejail.

      • Sandboxing your browser is essential. Sandboxing other software that handles untrusted input (mail client, PDF and media viewers, chat) is almost as valuable, and it is always a good thing to do.
      • After you have the right profile in your /etc/firejail/ folder you should be able to run a program sandboxed by running firejail program-name. You can also add a launcher for the sandboxed version by right-clicking on the KDE icon in the bottom left -> Edit Applications -> editing the command by prefixing it with firejail. Check with firejail --list that the program really runs inside a sandbox, and read what a profile allows before trusting it; when no profile exists for a program firejail falls back to its generic default profile.

  • Virtual machines can also be a form of sandboxing.

Virtual machines

(OPTIONAL)
For protecting your system you may want to use virtual machines. They could also help you out if you need to get Windows programs running. Virtual machines are simulated computers with their own "virtual" hardware that run isolated under your "host" OS.
Do not connect them to the Internet unless they need it. Do not use "shared folders". Do not use drag & drop or the shared clipboard. Isolate the VM as much as possible: every integration feature is a channel from guest to host, and hypervisor escapes, while rare, do exist, so a VM is containment, not a guarantee.

  • VirtualBox is a popular "hypervisor" that you can use to create and run virtual machines.

    • After installation you may need to run sudo usermod -a -G vboxusers username to run it (log out and in again for the group to take effect).

    • You then need an .iso or DVD of an operating system you wish to install as a virtual machine and some GBs of free storage space.
      • Use a Windows/Mac disc/.iso if you want to inspect, reverse engineer or test Windows/Mac software or need it to have some hardware or software running that only works under Windows/Mac (doing the former can help build GNU/Linux support).

      • Use a Kali Linux disc/.iso if you want to learn hacking
      • Use a Debian disc/.iso if you want to test things
    • For some features you need to install the VirtualBox Extension Pack (unlike VirtualBox itself it is not free software)

    • You can change resolutions and then do View->Fullscreen to make it display fullscreen

    • To move files from your host OS into the virtual machine do not use shared folders or drag&drop but instead create a new data project in K3B and create an .iso file with all the files. Then add that .iso file under Settings->Storage of the virtual machine. An .iso is read-only for the guest, which is the point.

    • Create snapshots for being able to roll back changes to the virtual machine, and roll back to a clean snapshot after every session with suspicious material.
    • After running it remove yourself from the vboxusers group by running sudo deluser username vboxusers

    • Make sure to disable Internet access for the virtual machine under the "Network" options unless you want it enabled
    • You can also use VMs for things like inspecting suspicious files; treat the VM as disposable afterwards
  • KVM is an alternative "hypervisor" (Debian packages qemu-kvm and virt-manager) that is part of the Linux kernel itself

Backups

You should create regular backups of your data onto an external storage device. The storage device holding the backup needs to be physically disconnected from your computer except while a backup is running: ransomware and a careless rm encrypt or delete whatever they can reach, and a permanently connected backup disk is reachable. Obviously it needs to be encrypted too.

The most important data should be backed up twice. Backup important files to read-only media such as DVDs. You could create an encrypted container with VeraCrypt or dm-crypt/LUKS for these backups.

  • BackInTime is a convenient GUI for rsync that helps you manage backups.

    • After installing press the Settings button on top and choose the source path/s and the destination path. You can create multiple "profiles" for varying backup jobs. Exclude large directories that you don't want to have backed up and the trashbin under "Exclude". You can set it up to automatically remove old backups and run backups regularly. BackInTime does incremental backups, which means that only the files that have been changed are copied in subsequent backups (unchanged files are hard-linked to the previous snapshot). If you have multiple backups you can also delete old backups within BackInTime, which only removes the old versions of files and directories that have been changed. BackInTime also stores permissions of files separately to

    • Check whether a backup has worked correctly by inspecting folder sizes and some of your important files. If some files are missing first check if they are "excluded". You can also run diff -qr path1 backup-path to compare directories. A backup you have never restored from is not a backup: try restoring a few files now and then.

    • Have your most important files backed up to an encrypted read-only medium you store offline such as VeraCrypt volumes on CDs.

  • Tutorial for rsync if you want to use the command-line and do without BackInTime's features

  • Run sudo sfdisk -l and then sudo sfdisk -d /dev/sda > part_sda.txt for every disk (replace sda with the device name of the disk, not of a partition). Also run sudo pvdisplay > pvdisplay.txt if you use LVM, and for each LUKS-encrypted partition save its header with sudo cryptsetup luksHeaderBackup /dev/sdaX --header-backup-file luks_sdaX.img: a damaged LUKS header makes the data unrecoverable even with the right passphrase. Keep these files with your backups; they help restore the disk layout after a failure (you only need to run them once, or again after repartitioning).

File permissions

To limit the damage an intruder, an exploit or malware can do to your system, restrict the permissions of specific files and directories: a process runs with the rights of its user, so whatever that user cannot read or write is out of its reach.

To make a directory accessible by root (or any specific user) only run:

  • sudo chown root:root /path/ to change the owner of the directory or file

  • sudo chmod 700 /path/ to change the permissions so that only the owner can read, write and execute the files.

  • Remember that you should not run programs as root.
  • You can calculate other chmod numbers with a chmod calculator (see Further), or think of the three digits as owner, group and others, each adding 4 for read, 2 for write and 1 for execute.
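
Once you have locked down a directory as above or set up the software folder from section The installation folder, the permissions drift again with every download and extraction. The following added example (not code from the original page) audits a directory for the three things that undo the protection: entries writable by group or others, entries not owned by the expected user, and setuid/setgid files. It assumes GNU find (for -perm /mode); the directory and owner are whatever you pass in.

```sh
#!/bin/sh
# Added example for this guide (not from the original page): audit a directory such as the
# root-owned software folder for permissions that hand control back to an attacker.
# Assumes GNU find. Usage: sh audit-perms.sh DIRECTORY [OWNER]   (OWNER defaults to root)
set -eu

# Files and directories writable by group or others (mode bits 022). A binary your own user
# can overwrite defeats the point of a root-owned software folder.
writable_by_others() {
    find "$1" \( -type f -o -type d \) -perm /022 2>/dev/null
}

# Entries not owned by USER, given as a name or a numeric uid (e.g. anything in the software
# folder that is not owned by root).
not_owned_by() {
    find "$1" ! -user "$2" 2>/dev/null
}

# Set-user-ID or set-group-ID files: these run with another identity and should never turn up
# in a download folder.
setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

audit_dir() {
    dir="$1"; owner="${2:-root}"
    echo "== writable by group/others under $dir"; writable_by_others "$dir"
    echo "== not owned by $owner under $dir";      not_owned_by "$dir" "$owner"
    echo "== setuid/setgid files under $dir";     setid_files "$dir"
}

case "${1:-}" in
    "") echo "usage: $0 DIRECTORY [OWNER]" >&2 ;;
    *)  audit_dir "$1" "${2:-root}" ;;
esac
```

Every path printed is one to explain: either fix it (sudo chown root:username, sudo chmod 0750) or, for software that must write into its own directory, move it to a directory you knowingly own.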

Identify vulnerabilities

You can use the debsecan package to list the known, not yet fixed vulnerabilities of the packages installed on your system. It downloads the current vulnerability data from the Debian security tracker, so it needs network access and must know your release (sudo dpkg-reconfigure debsecan sets the suite); with the wrong suite the output is meaningless.

  • Run debsecan to list all known vulnerabilities ("CVE"s) affecting your system. They are vulnerabilities, not necessarily exploits: a CVE entry says a flaw exists, not that working attack code does

  • Run debsecan | grep "remotely exploitable, high urgency" to list the vulnerabilities rated "high urgency" that can be triggered over the network

  • Run debsecan | awk '/remotely exploitable/ { vuln[$2]++ } END { for (package in vuln) print package }' | sort for a list of all packages with a remotely exploitable vulnerability

  • Run debsecan --only-fixed to see only those for which a fixed package is available, i.e. what apt-get upgrade would remove

You could also use the debsecan-create-cron script shipped with debsecan to get notified by mail about new vulnerabilities of your system.
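
To turn debsecan's output into the three lists worth acting on, here is an added example that is not part of debsecan or of the original page. The sample it contains is constructed: the identifiers are placeholders of the form CVE-0000-000N (not real CVE entries) laid out in the "CVE-id package (flags, urgency)" style that the awk one-liner above also assumes.

```sh
#!/bin/sh
# Added example for this guide, not part of debsecan or of the original page. Splits debsecan's
# one-line-per-vulnerability output into: fixed (an upgrade removes them), urgent and unfixed
# (need a mitigation now), and a per-package count (where removing a package pays most).
# Run with "live" to read the real debsecan output; without arguments it parses the sample.
set -eu

# Constructed sample in debsecan's layout; CVE-0000-000N are placeholders, not real CVEs.
SAMPLE_DEBSECAN='CVE-0000-0001 linux-image-4.9.0-3-amd64 (remotely exploitable, high urgency)
CVE-0000-0002 linux-image-4.9.0-3-amd64 (fixed, remotely exploitable, medium urgency)
CVE-0000-0003 bash (low urgency)
CVE-0000-0004 curl (fixed, remotely exploitable, high urgency)
CVE-0000-0005 libxml2 (remotely exploitable, low urgency)
CVE-0000-0006 libxml2 (obsolete, remotely exploitable, medium urgency)'

# Entries whose flags contain "fixed": a fixed package exists, "apt-get upgrade" makes these go away.
fixed_available() {
    grep -E '\(([^)]*, )?fixed[,)]' || true
}

# Remotely exploitable, high urgency entries with no fix yet: these need a mitigation now
# (stop or firewall the service, sandbox the program, or remove the package).
urgent_unfixed() {
    grep -F 'remotely exploitable, high urgency' | grep -vE '\(([^)]*, )?fixed[,)]' || true
}

# Number of entries per package, most first (ties in package-name order).
vuln_per_package() {
    awk 'NF >= 3 && $1 ~ /^CVE-/ { n[$2]++ } END { for (p in n) print n[p], p }' | sort -k1,1nr -k2,2
}

case "${1:-sample}" in
    live) debsecan | urgent_unfixed ;;
    *)    printf '%s\n' "$SAMPLE_DEBSECAN" | urgent_unfixed ;;
esac
```

On the sample, urgent_unfixed leaves exactly the first kernel entry: the other high-urgency one is already fixed, so an upgrade deals with it. Against live output, run debsecan | fixed_available first and upgrade, then look at what urgent_unfixed still lists and decide per package whether you need it at all.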

Scripts and tools could be used to display information on how to protect against the displayed vulnerabilities or to semi-automatically take protective measures.
They could also be used to identify additional vulnerabilities of one's system. Both of these are relevant to the yet unstarted IntegratedIntrusionDetectionSystem project, as cybersecurity professionals are mostly busy with ephemeral, suboptimal, tailored solutions for protecting corporate profits and alike.

If you followed this guide this far you reached the most basic level of cybersecurity.

The results of debsecan may be discouraging and make you think that a secure personal computer for average computer users is impossible. Read them with care, though: many entries are low urgency, need local access, or concern a service you do not run, and the fixed ones disappear with the next upgrade. Everything has had to start at some point. Securing computers across the globe starts right here and now if you want it to.

Tools

Basic software that you might be looking for.

  • PDF reader: Okular is your preinstalled PDF reader

  • Office / Word / Excel: LibreOffice is your preinstalled office suite

  • Image editor: GIMP is your preinstalled image editor, a capable alternative to Photoshop

  • Image viewer: Gwenview is your preinstalled image-viewer

  • DVD-Burner: K3B is your preinstalled dvd-burning application.

  • Ebook reader: Calibre is a good ebook reader

  • File archiver: Ark is your preinstalled archive manager (you don't need WinRAR or 7-Zip)

  • IRC Chat: Hexchat is a good IRC client

  • Media player: VLC Player is a good media player, Amarok is a feature-rich music player

  • Compare text files: Diffuse merge

  • Show previews for videos in dolphin: ffmpegthumbs

  • Video editor: Kdenlive

  • Encrypted communication and sharing: Tox or RetroShare

Further

  • Read DontBreakDebian / watch this

  • See the full and lengthy Debian GNU/Linux Installation Guide and QuickInstall and DebianIntroduction and DebianDesktopHowTo

  • Use VirtualBox if you have to use Windows / Mac

  • Useful links: Chmod permissions calculator

  • Subscribe to the debian-security-announce mailing list to learn about vulnerabilities in Debian packages as the fixes are published, and apply updates promptly
  • You can get new widgets by clicking on the Plasma toolbox (the three-lines icon in the upper left) -> Add widgets -> Get new widgets -> Download New Plasma Widgets. For example you could get Event Calendar to replace your default calendar. It has many features for better organization and productivity. Widgets from the store are third-party code running as your user, so be as selective with them as with browser add-ons.

  • Get your school to use and teach GNU/Linux instead of proprietary software
  • Write findable tutorials (on this Wiki or stack exchange sites) whenever you got something working if the information on it is not as accessible or revisable as it could be, such as too short or broad forum posts that are hard to find and even harder to make sense of for newcomers. Write useful readmes that do not make any assumptions of prerequisites but detail every step to get things working.
  • Register and contribute to this wiki
  • Register on the various issue-tracking platforms such as GitHub to inform developers about bugs

  • Also secure your other devices such as your mobile phone (e.g. NetGuard firewall for Android). You may also want to secure your router: change its default password, disable remote administration and UPnP, and keep its firmware updated.

  • Get an IDE such as Eclipse or NetBeans, read online tutorials for programming languages such as Java, C++, Python or Bash, register on stackoverflow and get started with helping program Debian's software.

  • Share this page


CategoryDesktopComputer