Introduction

This page aims to be(come) a step-by-step guide for setting up a personal computer with Debian from scratch to a fully configured system with high security, usability, convenience and privacy-protection.

It aims to be written in layman's terms, without requiring prior knowledge, and is mainly aimed at Debian newcomers - especially those who switched to Debian to get away from backdoors and malware in other operating systems (OS) and to gain control over their machines.

The steps don't need to be followed exactly - it is meant as an orientation to speed up and ease the setup to allow inexperienced GNU/Linux users and even casual computer users to get a fully free and open source (FOSS) operating system going by themselves. They can delve deeper once it is working. Ubuntu is not a solution.
It should not be split up as it aims to aggregate and summarize information for an all-in-one-place guide.

Much of this guide might be suboptimal or even false: please help by improving and correcting it. If you think it's not useful you can ignore it.

Goal

The difficulty of properly setting up Debian is keeping away many users. The ultimate goal of guides such as this is to bring about a worldwide mass-migration to 100% FOSS operating system and to increase cybersecurity of citizens and infrastructure.
Security and privacy are human rights. Nobody denies that there are valid reasons for surveillance, and most understand that secure communication can also be problematic by unwittingly helping those who decrease the security of society. Those who harm or plan to harm society need to be confronted by society in innovative and adequate ways. A fundamentally insecure society that also gives up its right to privacy in an intrusive way never possible before, and that allows for highly centralized and potentially AI-driven control, has already somewhat "lost". And cybercrime is not prevented by suppressing information and keeping everyone insecure but by building technically secure infrastructure and systems.
Widespread vulnerabilities, central control and mass-surveillance are a greater danger to society than ill-intentioned people using such information. Suppressing such information and obstructing citizens from gaining control over their machines and from securing them is not a solution.

Lengthy, incomplete, obscure, dispersed and sophisticated guides or even books only found and implementable by elitist/senior GNU/Linux users with much knowledge, interest and time are not a solution either.
This guide is not a solution but it could become part of one if it gets developed further, gets interconnected with potential Debian newcomers and is potentially built into setup wizards or the like.

Prior installation FAQ

What is GNU/Linux?
A "Unix-like" operating system that is free and open source. Many variants exist; they run on most servers (computers that serve content or services such as websites) and, in the form of the Linux kernel, on Android phones. Linux is the kernel of the GNU/Linux operating system, and most people mean the GNU/Linux operating system when they say "Linux" (e.g. because people want a single short term and "GNU+Linux", while more accurate, is two). GNU stands for "GNU's Not Unix!": GNU's design is "Unix-like", but it differs from Unix by being free software and containing no Unix code. The GNU project was founded by Richard Stallman; the Linux kernel was created by Linus Torvalds.

What is free and open source software?
Software that anyone may freely use, copy, study and change in any way, and whose source code is openly shared so that people are encouraged to voluntarily improve it. This is in contrast to proprietary software, which is under restrictive copyright and whose source code is usually hidden from the users. Rarely, non-free software has its source code public too; that alone does not make it free.

What is Debian?
It is a distribution of GNU/Linux. A popular variant of the operating system.

Why Debian?
See WhyDebian. In short: 100% FOSS, stability, security, your control, features, configurability, privacy, a large community, the largest upstream GNU/Linux distribution and many packages. It aims to be the best operating system. [...]

Why not Ubuntu?
Ubuntu is based on Debian but isn't as good and isn't 100% FOSS. Note that because Ubuntu is derived from Debian, most help written for Ubuntu also applies to Debian (for instance most answers on askubuntu may help you out as well, and instructions for Ubuntu often only need to be slightly altered for Debian).

Why not another GNU/Linux distribution?

I want to try Debian first
Try the LiveCD.

Can I still play my games on Debian?
Do you really need to? Some of them maybe. But consider if it's worth the effort and introduced security risks. You can use PlayOnLinux / Wine / Steam to play games. However they are somewhat insecure 1 2.
But there are free Linux games for Debian such as SuperTuxKart. And you can play console games (Gamecube, PS2, etc) using an Emulator such as Dolphin.

I only want to install Debian in addition to Windows (dual boot)
Don't do it. Test Debian using a LiveCD instead.

Does my laptop support Debian?
You need to check first. If you already have a laptop, try whether you can boot and properly use the LiveCD on it. If you want to buy one, research whether other people have reported getting GNU/Linux working on it; many Dell laptops support Debian, for example. In addition, apply pressure to laptop manufacturers to support it. You might find useful information here.

Does Debian support touchscreens and tablets?
Yes. Please see TabletAndTouchScreen.

Why would I need such a secure and privacy-protecting OS?
In short: cybercrime, state-sponsored cyberintrusions, companies selling your personal data, uncertainty of the future, centralized control, activism, journalism, journalism-like activities, industrial espionage, having control over your own machines, infrastructure security, etc.

Download & burn

Download software for offline use later

You should not connect to the Internet before you have finished the setup and reached the step "Go online". Hence you should download all relevant (security) software packages beforehand and write them to a CD, DVD or USB stick; for laptops you might also need to download drivers beforehand. DVD-1 contains many packages: to install them, insert it and install the software via Apper (or register it with sudo apt-cdrom add and use apt). However, it is also missing many important packages, and which software you want running before you connect to the Internet depends on you. For instance the GUFW firewall is not among DVD-1's packages, but you don't need it if you use iptables directly instead. You could also install lynis before going online.

Backup, live CD & formatting

BIOS settings

Installation

Partitioning

Partitioning is the hardest part of the installation and you might have to rerun it a few times.

Software selection (desktop environment)

The desktop environment is the graphical surface of your operating system. It is important that you select the one that fits best to you. You might want to try and compare multiple of them (e.g. via live CDs) and research them (e.g. watch videos showing them).

Finish

Principles and preknowledge

Passwords

It's best to write them down physically on paper (and electronically never, or only partially, obscured or encrypted), in a way that only you can read properly. For instance you could write down signs for words and alter the order in a specific way. Store the paper in a secure place and keep a second copy.
You could also store them electronically with some words of each password missing that you only keep on a piece of paper.
Furthermore, enable two-factor authentication (2FA) for as many of your relevant accounts as possible. Also plan for losing your phone: typically there are backup codes, which you should write down as well.

Initial setup

Security and tools

Set a GRUB password

Set a GRUB password as explained here. The lines go into /etc/grub.d/40_custom, after which the boot menu has to be regenerated with update-grub:

cat << EOF | sudo tee -a /etc/grub.d/40_custom
set superusers="somename"
password somename pw
EOF
sudo update-grub
Replace somename (twice) and pw with a name and a password, and nothing else. The somename doesn't have to be your username - it can be any word you want. The password directive stores pw in clear text in /boot/grub/grub.cfg (readable by root); to store a hash instead, generate one with grub-mkpasswd-pbkdf2 and use password_pbkdf2 somename <hash> in place of the password line. The GRUB password only stops someone at the boot menu from editing boot entries (for example to boot with init=/bin/sh) or from booting other media through GRUB; it does not protect the data on the disk, which is what full-disk encryption is for, so if you already encrypted your hard drive a shorter one is acceptable.

If you fail to do this correctly you may not be able to boot your system: with superusers set, menu entries that are not marked --unrestricted also require the password at every boot. Keep a live CD at hand and reboot once immediately to verify.

Encryption

You need an encryption program such as VeraCrypt to encrypt data on other storage devices and for the way the IDS is set up in the step below.

Anti malware

Kernel hardening

Put these settings in a file such as /etc/sysctl.d/99-hardening.conf and apply them with sudo sysctl --system (they are also applied at every boot). The net.*.conf.default.* keys only set the initial value for network interfaces created after the settings are loaded, whereas net.*.conf.all.* covers the existing ones:

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
kernel.sysrq = 0
kernel.kptr_restrict = 2
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.log_martians = 1
net.ipv4.tcp_timestamps = 0
net.ipv6.conf.default.accept_redirects = 0
kernel.core_uses_pid = 1
fs.suid_dumpable = 0
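As an added example that is not from this page, here is a small POSIX shell script that audits a sysctl.d file against the list above without needing root and without touching the running kernel: it parses key = value lines regardless of spacing and comments and reports keys that are missing or set to another value. The file name /etc/sysctl.d/99-hardening.conf and the two extra net.ipv4.conf.all.* keys (the all-interface counterparts of accept_source_route and log_martians, which the list only sets for default) are assumptions added here.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page: audit a sysctl.d-style file
# against the kernel hardening keys above. Needs no root and does not touch
# the running kernel; it only parses the file.
#
# Usage: sh sysctl-audit.sh /etc/sysctl.d/99-hardening.conf   (path is an assumption)

# Expected settings: the page's list plus the net.ipv4.conf.all.* counterparts
# of accept_source_route and log_martians (an assumption added here, because
# the *.default.* keys only affect interfaces created after loading).
EXPECTED='
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.log_martians=1
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.log_martians=1
net.ipv6.conf.default.accept_redirects=0
net.ipv4.tcp_timestamps=0
kernel.sysrq=0
kernel.kptr_restrict=2
kernel.core_uses_pid=1
fs.suid_dumpable=0
'

# normalize_sysctl_file FILE: print "key=value" per effective setting.
# Strips comments, tolerates any spacing around "=", and lets a later
# duplicate override an earlier one, as sysctl itself does.
normalize_sysctl_file() {
    sed -e 's/[#;].*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
      | grep '=' \
      | awk -F= '{ v[$1] = $2 } END { for (k in v) print k "=" v[k] }' \
      | LC_ALL=C sort
}

# audit_sysctl_file FILE: print one line per problem,
#   "MISSING key (want v)" or "MISMATCH key=have (want v)",
# and return 0 only when every expected key is present with the expected value.
audit_sysctl_file() {
    actual=$(normalize_sysctl_file "$1")
    status=0
    for want in $EXPECTED; do
        key=${want%%=*}
        val=${want#*=}
        have=$(printf '%s\n' "$actual" | awk -F= -v k="$key" '$1 == k { print $2 }')
        if [ -z "$have" ]; then
            echo "MISSING $key (want $val)"; status=1
        elif [ "$have" != "$val" ]; then
            echo "MISMATCH $key=$have (want $val)"; status=1
        fi
    done
    return $status
}

if [ -n "${1:-}" ]; then
    audit_sysctl_file "$1" && echo "OK: all hardening keys present in $1"
fi
```

Run it after writing the file, and again after upgrades: a package dropping its own file into /etc/sysctl.d/ can silently override a key, and since later files win, the audit is only meaningful against the combined output of sysctl --system or against every file in the directory.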

Intrusion detection system

Note: at IntegratedIntrusionDetectionSystem work is ongoing to improve IDS!

You can find useful Tripwire Policy rules at: TripwirePolicyRules.

An intrusion detection system (IDS) helps you detect intrusions, lets you reconstruct what happened so you can secure the machine afterwards, and along the way helps you understand GNU/Linux / Debian better. Advanced forms of IDS are more or less the only way to reliably notice a compromise, but they have not been developed far enough to make personal computers fully secure in practice. Maybe they will be developed further to allow that.
Before doing this you need to have VeraCrypt (or a similar encryption program) installed, so that the IDS database can be kept on an encrypted volume that stays offline: an intruder who can also modify the database can hide their changes.

Once you have initialised the Tripwire database (tripwire --init) and used your computer, run your first check (tripwire --check) and read the report. Use the same procedure every time and run checks as often as possible: the reports stay small and you still know which changes you caused yourself, which you then accept into the database with Tripwire's update mode (tripwire --update with the report file).

By setting this up properly, by knowing what to look for and by helping improve Tripwire to integrate better with Debian and to automate the steps above, you could theoretically reach a very high level of security.

There are many ways an IDS could be improved. This includes having two machines with the same packages installed and comparing whether they differ in any way, or making use of virtual machines. While few IT security specialists seem interested in implementing such improvements, it is important that you get an IDS working as early as possible, and before going online. While the current implementation might be hard to use, it is still useful, and it also deters potential adversaries merely by being set up properly.
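Tripwire adds a policy language, a signed database and reporting, but the core of a host IDS is simple: hash every file you care about while the system is known good, keep the hashes where an intruder cannot alter them (the encrypted VeraCrypt volume mentioned above, kept disconnected), and compare later. As an added example that is not from this page and is not Tripwire, the following POSIX shell functions implement exactly that cycle with sha256sum; the sample directory tree and the tampering in ids_demo are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from this page and not Tripwire: the file-integrity cycle
# a host IDS is built on, done with sha256sum. Baseline a tree while it is
# known good, keep the baseline offline (e.g. on the encrypted VeraCrypt volume
# mentioned above), rehash later and report every difference.
#
# Usage: sh ids.sh baseline DIR FILE | sh ids.sh check DIR FILE | sh ids.sh demo

# ids_baseline DIR OUT: write "hash  ./path" for every regular file under DIR.
# Paths are relative to DIR and sorted, so two baselines of the same tree
# compare byte for byte. Paths containing whitespace are not handled by the
# awk in ids_check.
ids_baseline() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum ) > "$2"
}

# ids_check DIR BASELINE: rehash DIR, print one "ADDED|DELETED|MODIFIED path"
# line per difference, return 0 when nothing changed and 1 otherwise.
ids_check() {
    current=$(mktemp)
    ids_baseline "$1" "$current"
    changes=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: the baseline
        { cur[$2] = $1 }                               # second file: fresh hashes
        END {
            for (p in cur)  if (!(p in base)) print "ADDED", p
            for (p in base) if (!(p in cur))  print "DELETED", p
            for (p in base) if ((p in cur) && base[p] != cur[p]) print "MODIFIED", p
        }' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# ids_demo: constructed tree (not real system files). Baseline it, then change
# it the way an intruder might and run the check.
ids_demo() {
    tree=$(mktemp -d); base=$(mktemp)
    printf '127.0.0.1 localhost\n' > "$tree/hosts"
    printf 'keep me\n' > "$tree/old.conf"
    mkdir "$tree/ssh"; printf 'PermitRootLogin no\n' > "$tree/ssh/sshd_config"
    ids_baseline "$tree" "$base"                                   # known-good state
    printf '127.0.0.1 localhost\n203.0.113.5 bank.example\n' > "$tree/hosts"  # tampered
    rm "$tree/old.conf"                                            # deleted
    printf 'ssh-ed25519 AAAA... attacker\n' > "$tree/ssh/authorized_keys"     # planted
    ids_check "$tree" "$base" || true
    rm -rf "$tree" "$base"
}

case "${1:-demo}" in
    baseline) ids_baseline "$2" "$3" ;;
    check)    ids_check "$2" "$3" ;;
    demo)     ids_demo ;;
esac
```

On a real system run the baseline as root over the directories a Tripwire policy would cover (/etc, /bin, /sbin, /usr, /boot, /lib) right after installation and copy the baseline file to the encrypted volume. Package upgrades will show up as MODIFIED, which is expected; re-baseline after each change you made yourself, exactly as you would accept changes with Tripwire's update mode, and treat everything you cannot explain as an incident.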

File permissions

Security auditing tools

(OPTIONAL) Security auditing tools analyze your system to find vulnerabilities that you should fix and propose ways to further secure your system.

Other tools

Etckeeper

Bitcoin

(OPTIONAL)

Firewall

You can find useful firewall rules at: FirewallRules.

Sadly there doesn't seem to be a proper application-level firewall for Debian yet.

*filter
# Load with: sudo iptables-restore < /etc/iptables/rules.v4 (the iptables-persistent
# package loads that file at boot). These rules are IPv4 only: ip6tables has its own
# tables with an ACCEPT policy, so write a matching ip6tables ruleset (keeping ICMPv6
# for neighbour discovery) or disable IPv6, otherwise IPv6 traffic is unfiltered.
# DROP everything by default. This is a client ruleset: INPUT never accepts NEW
# connections, so no port is reachable from the network. Add INPUT rules only for
# services you deliberately run.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# And explicitly allow the following:
# LOCAL (loopback interface; matching on the interface also covers 127.0.0.0/8)
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections this machine opened, plus RELATED traffic such as the ICMP
# errors needed for path MTU discovery (-m state --state is an older alias for this).
# Packets the connection tracker cannot place are dropped.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# PING: replies to our own echo requests are already ESTABLISHED; incoming echo
# requests (type 8) stay dropped, so the machine does not answer pings.
# LOG 3 dropped packets per minute to /var/log/syslog, then drop (the chain policy
# would drop anyway; the explicit rule keeps the counters readable)
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "~~~~IP INPUT DROP: "
-A INPUT -j DROP
# OUTPUT: allow continuing connections once, then NEW connections per service
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# HTTP
-A OUTPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 8080 -m conntrack --ctstate NEW -j ACCEPT
# HTTPS
-A OUTPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# DNS (UDP and TCP; TCP is used for large answers)
-A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# PING (outgoing echo requests)
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# DHCP: ISC dhclient uses packet sockets, which bypass these rules, so this is
# normally not needed; uncomment if your DHCP client cannot obtain or renew a lease
#-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
# NTP: uncomment if you run a time synchronisation client
#-A OUTPUT -p udp -m udp --dport 123 -m conntrack --ctstate NEW -j ACCEPT
# LOG 3 dropped packets per minute to /var/log/syslog
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "~~~~IP OUTPUT DROP: "
-A OUTPUT -j DROP
COMMIT
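Before loading a ruleset it is worth checking which ports it actually opens. As an added example (not part of this page or of FirewallRules), the following shell function reads an iptables-restore file and lists every INPUT rule that accepts new incoming connections, that is, rules with a destination port and either no state match at all or one that includes NEW, skipping loopback-only rules; accepted incoming ICMP echo requests are reported too. The embedded sample ruleset is constructed for the demonstration and deliberately contains the kind of inbound HTTP rule you do not want on a desktop.

```shell
#!/bin/sh
# Added example, not from this page or from FirewallRules: list the ports an
# iptables-restore file opens to incoming connections, so a ruleset can be
# reviewed before it is loaded. No root needed; nothing is loaded.

# open_input_ports FILE: print "proto port" for each INPUT rule that ACCEPTs
# and matches a destination port without being limited to ESTABLISHED/RELATED
# traffic (no --state/--ctstate at all, or one that includes NEW). Loopback
# rules (-i lo) are skipped. Accepted incoming echo requests are reported as
# "icmp echo-request".
open_input_ports() {
    awk '
    /^-A INPUT / && /-j ACCEPT/ && !/-i lo/ {
        proto = ""; port = ""; states = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
            if ($i == "--state" || $i == "--ctstate") states = $(i + 1)
            if ($i == "--icmp-type" && ($(i + 1) == "8" || $(i + 1) == "echo-request"))
                port = "echo-request"
        }
        if (port == "") next
        if (states == "" || states ~ /NEW/) print proto, port
    }' "$1"
}

# Constructed sample ruleset for the demonstration. It mixes the desktop rules
# from this page with an inbound HTTP rule of the kind you do not want on a
# client, and a stateless rule for an external device.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p udp -m udp --dport 1714:1764 -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT'

# demo_open_ports: run the check over the sample and print what it opens.
demo_open_ports() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_RULES" > "$tmp"
    open_input_ports "$tmp"
    rm -f "$tmp"
}

# Usage on a real file: sh open-ports.sh /etc/iptables/rules.v4 (path assumed)
if [ -n "${1:-}" ]; then open_input_ports "$1"; else demo_open_ports; fi
```

Every line this prints is a port the network can reach; on a desktop the list should be empty unless you knowingly run a service (such as the phone-sync ports further down). Confirm the loaded state afterwards with sudo iptables -L INPUT -n -v and by scanning the machine from another host on the LAN.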

Close ports and inspect traffic

Wireshark

(OPTIONAL)
You can find out exactly which data applications send, and to which hosts, by using Wireshark, and use this to identify undesired data transmissions. After installing wireshark, run sudo dpkg-reconfigure wireshark-common and choose "Yes" (this lets members of the wireshark group capture packets without running Wireshark itself as root), then run sudo adduser $USER wireshark and log out and back in for the group to take effect. When you are done, revoke the capture privilege again: run sudo dpkg-reconfigure wireshark-common and choose "No", and run sudo deluser $USER wireshark.

Go online

deb http://security.debian.org/debian-security stretch/updates main contrib
deb-src http://security.debian.org/debian-security stretch/updates main contrib
deb http://ftp.CY.debian.org/debian/ stretch main contrib
deb-src http://ftp.CY.debian.org/debian/ stretch main contrib
deb http://ftp.CY.debian.org/debian/ stretch-updates main contrib
deb-src http://ftp.CY.debian.org/debian/ stretch-updates main contrib
deb http://deb.torproject.org/torproject.org stretch main
You can leave out the torproject repository if you want to. Replace CY with the country code of the mirror you would like to use (you can find a list of Debian's mirrors here), or use deb.debian.org, which directs you to a nearby mirror automatically. You can also leave out contrib, which contains free software that depends on non-free software, or add non-free after contrib to also include non-free software (such as many proprietary drivers). These lines are for stretch; for a newer release replace the codename, and note that since bullseye the security suite is written <codename>-security instead of <codename>/updates.

Run updates

DNS

Before a computer can connect to an external network resource (say, for example, a web server), it must have a means of converting any alpha-numeric names (e.g. wiki.debian.org) into numeric network addresses (e.g. 140.211.166.4). More information.

Configure Firefox

Public keys

Email client

Get Tor

Get a VPN

Check the settings of your webaccounts and switch providers

Drivers

Connect your devices

Printer

Android phone

These are the ports used by KDE Connect (UDP for discovery, TCP for the actual connection, which either side may open). Insert them into the firewall rules above, before the LOG/DROP lines of each chain, and restrict the incoming side to your own LAN (replace 192.168.1.0/24 with your network):

-A INPUT -p udp -m udp --dport 1714:1764 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1714:1764 -s 192.168.1.0/24 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1714:1764 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1714:1764 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1714:1764 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1714:1764 -j ACCEPT

Music instruments

See: MIDI and Wikipedia's List of Linux audio software

For DJing / mixing there is mixxx.

If nothing works for Debian you could consider using a virtual machine to get it working.

Input devices

Installing, compiling and running programs

Compilation

Sometimes you may need to compile programs yourself if (current) packages are not available in the Debian repositories. Make sure the needed compilers are installed; the packages needed are typically named in the error message when a build fails. Commonly needed packages are build-essential (which pulls in gcc, g++ and make; on stretch the compilers are gcc-6 and g++-6) and binutils (which provides the assembler as). If you restricted the compiler permissions as a hardening measure, as lynis suggests, make the assembler executable again before compiling with sudo chmod 0700 /usr/bin/as and set it back to 0444 afterwards. With mode 0700 only root can run it, so the build has to be run with sudo; be aware that this executes the project's build scripts with full privileges, so only build software you trust.

.deb files

First change into the directory containing the .deb file with cd folder-path, then install the package with sudo dpkg -i package.deb. dpkg does not resolve dependencies; if it complains about missing ones, run sudo apt-get install -f afterwards, or use sudo apt install ./package.deb, which resolves them in one step. A .deb downloaded from outside the Debian archive is not covered by apt's signature checking, and its maintainer scripts run as root during installation, so verify the vendor's checksum or signature before installing it.

The installation folder

Clean-ups

Clean up the leftovers of removed programs: list packages that were removed but not purged with dpkg --get-selections | grep deinstall and then run sudo dpkg --purge package-name for each of them. Also run sudo apt-get autoremove to remove packages that are no longer needed, or clean up using BleachBit.

Sandboxing

Sandboxing means that programs get somewhat isolated from the rest of the machine so that they can't cause great harm. For example their permissions and the directories they have access to can be limited.

Virtual machines

(OPTIONAL)
For protecting your system you may want to use virtual machines. They could also help you out if you need to get Windows programs running. Virtual machines are simulated computers with their own "virtual" hardware that run isolated under your "host" OS.
Do not connect them to the Internet. Do not use "shared folders". Do not use drag & drop. Isolate the VM as much as possible.

Backups

You should create regular backups of your data onto an external storage device; the most important data should be backed up twice, to two different devices. The storage device holding the backup must be physically disconnected from your computer except while a backup is running, so that malware or a mistake on the computer cannot destroy the backup as well. Obviously it needs to be encrypted too, and you should test restoring from it occasionally.

Tools

Basic software that you might be looking for.

Further


CategoryDesktopComputer