Introduction

This page aims to be(come) a step-by-step guide for setting up a personal computer with Debian from scratch to a fully configured system with high security, usability, convenience and privacy-protection.

It aims to be written in layman's terms without any required preknowledge and is mainly aimed at Debian newcomers - especially those who switched to Debian to evade backdoors in other operating systems (OS), malware and gaining control over their machines.

The steps don't need to be followed exactly - it is meant as an orientation to speed up and ease the setup to allow inexperienced GNU/Linux users and even casual computer users to get a fully free and open source (FOSS) operating system going by themselves. They can delve deeper once it is working. Ubuntu is not a solution.
It should not be split up as it aims to aggregate and summarize information for an all-in-one-place guide.

Much of this guide might be suboptimal or even false: please help by improving and correcting it. If you think it's not useful you can ignore it.

Goal

The difficulty of properly setting up Debian is keeping away many users. The ultimate goal of guides such as this is to bring about a worldwide mass-migration to 100% FOSS operating system and to increase cybersecurity of citizens and infrastructure.
Security and privacy are human rights. Nobody denies that there are valid reasons for surveillance and most understand that secure communication can also be problematic sometimes by unwittingly helping those who decrease security of society. Those that harm or plan to harm society need to be confronted by society, innovative ways, and adequately. A fundamentally insecure society which also gives up its right to privacy in an intrusive way never possible before and allows for highly centralized, often or potentially AI-driven, control already somewhat "lost". And cybercrime is not prevented by suppressing information and keeping everyone insecure but by building technically secure infrastructure and systems.
Widespread vulnerabilities, central control and mass-surveillance are a greater danger to society than ill-intentioned people using such information. Suppressing such information and obstructing citizens from gaining control over their machines and have them secured is not a solution.

Lengthy, incomplete, obscure, dispersed and sophisticated guides or even books only found and implementable by elitist/senior GNU/Linux users with much knowledge, interest and time are not a solution either.
This guide is not a solution but it could become part of it if it gets developed further, gets interconnected with potential Debian newcomers and potentially build into setup wizards or alike.

Prior installation FAQ

What is GNU/Linux?
A "Unix-like" operating system that is free and open source. Many variants of these operating systems exist and they are running on most servers (computers that serve content or services such as websites) and on android phones. Linux is the kernel of the GNU/Linux operating system and most people are referring to the GNU/Linux operating system when they're speaking of "Linux". GNU stands for "GNU's Not Unix!" as GNU's design is "Unix-like", but differs from Unix by being free software and containing no Unix code. The GNU project was founded by Richard Stallman. The Linux kernel was developed by Linus Torvalds.

What is free and open source software?
Software that allows anyone to freely use, copy, study, and change it in any way, and has its source code openly shared so that people are encouraged to voluntarily improve the design of the software. This is in contrast to proprietary software, where the software is under restrictive copyright and the source code is usually hidden from the users. Albeit rare some unfree software might have its source code public too.

What is Debian?
It is a distribution of GNU/Linux. A popular variant of the operating system.

Why Debian?
See WhyDebian. It's 100% FOSS, stability, security, your control, features, configurability, privacy, large community, largest upstream GNU/Linux distribution, many packages. It's aims to be the best operating system. [...]

Why not Ubuntu?
Ubuntu is based on Debian but isn't as good and isn't 100% FOSS.[...]

Why not another GNU/Linux distribution?

I want to try Debian first
Try the LiveCD.

Can I still play my games on Debian?
No. But do you really need to? Some of them maybe. ?PlayOnLinux / Wine / Steam are insecure. There are free Linux games for Debian such as SuperTuxKart. However you can play console games (gamecube, PS2) using an Emulator such as dolphin.

I only want to install Debian in addition to Windows (dual boot)
Don't do it. [...]

Does my laptop support Debian?
You need to check it first. If you already have a laptop you should try if you can boot and properly use the LiveCD. If you want to buy a laptop you need to research whether other people have reported having gotten GNU/Linux working on it. Many Dell laptops support Debian for example. In addition you need to apply pressure to laptop manufacturers to support it. You might find useful information here.

Does Debian support touchscreens and tablets?
Yes. Please see TabletAndTouchScreen.

Why would I need such a secure and privacy-protecting OS?
In short: cybercrime, state-sponsored cyberintrusions, companies selling your personal data, uncertainty of the future, centralized control, activism, journalism, industrial espionage, having control over your own machines, infrastructure security, etc.

Download & burn

Download software for offline use later

You should not connect to the Internet before you finished the setup and reached step "Go online". Hence you should download all the relevant (security) software packages beforehand and write them to a CD, DVD or USB stick. For laptops you might also need to download drivers beforehand. The DVD-1 contains many packages and to install them you simply need to insert it and install the software via Apper. However it is also missing many important packages. Which software you want to have running before you connect to the Internet depends on you. For instance the GUFW firewall is not DVD-1's packages but you don't need it if you'll use iptables instead. You could also install lynis before going online.

Backup, live CD & formatting

BIOS settings

Installation

Partitioning

Partitioning is the hardest part of the installation and you might have to rerun it a few times.

Software selection (desktop environment)

The desktop environment is the graphical surface of your operating system. It is important that you select the one that fits best to you. You might want to try and compare multiple of them (e.g. via live CDs) and research them (e.g. watch videos showing them).

Finish

Principles and preknowledge

Passwords

It's best to write them down physically on a paper (never or only partially/obscured&encrypted electronically). And that in a way that only you can read properly. For instance you could write down signs for words and alter the order in a specific way. Store them in a secure place and store them twice.
Furthermore try to enable two factor authentication (2FA) for as many of your relevant accounts as possible. Also calculate in the possibility of losing your phone (typically there are backup codes).

Initial setup

Security and tools

Set a GRUB password

Set a GRUB password as explained here:

cat << EOF
set superusers="somename"
password somename pw
EOF
Replace somename and pw with a name and a password. If you already encrypted your hard drive you might want to use a shorter one. Do not replace anything except these 3 words. The somename doesn't have to be your username - it can be any word you want.

If you fail to do this correctly you may not be able to boot your system.

Encryption

You need such an encryption program to encrypt data on other storage devices and for the way our IDS is set up in the step below.

Anti malware

Kernel hardening

net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
kernel.sysrq=0
kernel.kptr_restrict=2
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_timestamps=0
net.ipv6.conf.default.accept_redirects=0
kernel.core_uses_pid=1
fs.suid_dumpable=0

Intrusion detection system

Note: at IntegratedIntrusionDetectionSystem work is ongoing to improve IDS!

An intrusion detection system (IDS) helps you detect intrusions, allows you to help secure computers by reconstructing intrusions and along the way helps you better understand GNU/Linux / Debian. While some advanced form of IDS' are more or less the only way to reliably protect machines they haven't been developed so far as to allow fully secure personal computers in practice. But maybe they will get developed further to allow such.
Before doing this you need to have ?VeraCrypt (or a similar encryption program) installed.

Then once you used your computer you can do your first scan. It should be the same procedure every time and you should run them as often as possible to get smaller reports and to know which changes you have caused yourself in the meantime.

By setting this up properly and by knowing what to look for and helping improve tripwire to integrate better with Debian and to automate the steps above you could theoretically reach a very high level of security.

There are many ways IDS could get improved. This includes having two machines with the same packages installed and comparing whether they differ in any way or by making use of virtual machines. While few IT security specialists seem to be interested in implementing such improvements it is important that you get an IDS working as early as possible. And before going online. While the current implementation might be hard to use it's still useful and also deters potential adversaries merely by being set up properly.

File permissions

Security auditing tools

(OPTIONAL) Security auditing tools analyze your system to find vulnerabilities that you should fix and to propose you ways to further secure your system.

Other tools

Etckeeper

Bitcoin

(OPTIONAL)

Firewall

*filter
#DROP everything by default
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
#And explicitly allow the following:
#LOCAL
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
#HTTP
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 8080 -m state --state ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
#HTTPS
-A INPUT -p tcp -m tcp --dport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
#DNS
-A INPUT -p udp -m udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#PING
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
#LOG 3 dropped packets per minute to /var/log/syslog
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "~~~~IP INPUT DROP: "
-A INPUT -j DROP
#LOCAL
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
#HTTP
-A OUTPUT -p tcp -m tcp --sport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --sport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
#HTTPS
-A OUTPUT -p tcp -m tcp --sport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
#DNS
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#PING
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
#LOG 3 dropped packets per minute to /var/log/syslog
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "~~~~IP OUTPUT DROP: "
-A OUTPUT -j DROP
COMMIT

Close ports and inspect traffic

Wireshark

(OPTIONAL)
You can find out exactly which data is being sent by applications and to websites by making use of wireshark. You can use this to identify undesired data transmissions. After installing wireshark run sudo dpkg-reconfigure wireshark-common choose "Yes" and then run sudo adduser $USER wireshark. After running wireshark run sudo dpkg-reconfigure wireshark-common again and choose "No".

Go online

deb http://security.debian.org/debian-security stretch/updates main contrib
deb-src http://security.debian.org/debian-security stretch/updates main contrib
deb http://ftp.CY.debian.org/debian/ stretch main contrib
deb-src http://ftp.CY.debian.org/debian/ stretch main contrib
deb http://ftp.CY.debian.org/debian/ stretch-updates main contrib
deb-src http://ftp.CY.debian.org/debian/ stretch-updates main contrib
deb http://deb.torproject.org/torproject.org stretch main
You can leave out the torproject repository if you want to. Replace CY with the country code of the repository you would like to use. You can find a list of Debian's repositories here. You can also leave out contrib which includes software that is not 100% FOSS or add  non-free after contrib which also includes non-free software (such as many proprietary drivers).

Run updates

DNS

Before a computer can connect to an external network resource (say, for example, a web server), it must have a means of converting any alpha-numeric names (e.g. wiki.debian.org) into numeric network addresses (e.g. 140.211.166.4). More information.

Configure Firefox

Public keys

Email client

Get Tor

Get a VPN

Check the settings of your webaccounts and switch providers

Drivers

Connect your devices

Printer

Android phone

Music instruments

Input devices

Backups

Tools

Basic software that you might be looking for.

Further


CategoryDesktopComputer