Introduction

This page aims to be(come) a step-by-step guide for setting up a personal computer with Debian from scratch to a fully configured system with high security, usability, convenience and privacy-protection.

It aims to be written in layman's terms without any required prior knowledge and is mainly aimed at Debian newcomers - especially those who switched to Debian to evade backdoors and malware in other operating systems (OS) and to gain control over their machines. It's written in a chronological step-by-step manner which, when updated and tested appropriately and followed from top to bottom precisely, will simply get things working.

The steps don't need to be followed exactly - it is meant as an orientation to speed up and ease the setup to allow inexperienced GNU/Linux users and even casual computer users to get a fully free and open source (FOSS) operating system going by themselves. They can delve deeper once it is working. Ubuntu is not a solution.
It should not be split up as it aims to aggregate and summarize information for an all-in-one-place guide.

Much of this guide might be suboptimal or even false: please help by improving and correcting it. If you think it's not useful you can ignore it.

Goal

The difficulty of properly setting up Debian is keeping many users away. The ultimate goal of guides such as this is to bring about a worldwide mass-migration to 100% FOSS operating systems and to increase the cybersecurity of citizens and infrastructure.
Security and privacy are human rights. Nobody denies that there are valid reasons for surveillance, and most understand that secure communication can also be problematic sometimes by unwittingly helping those who decrease the security of society. Those that harm or plan to harm society need to be confronted by society, in innovative ways and adequately. A fundamentally insecure society which also gives up its right to privacy in an intrusive way never possible before, and allows for highly centralized, often or potentially AI-driven, control, has already somewhat "lost". And cybercrime is not prevented by suppressing information and keeping everyone insecure but by building technically secure infrastructure and systems.

Widespread vulnerabilities, central control and mass-surveillance are a greater danger to society than ill-intentioned people using such information. Suppressing such information and obstructing citizens from gaining control over their machines and securing them is not a solution.
Society can't afford the current level of top-down control structures and an unrestrained, unprecedented loss of privacy during these times. Surveillance, even mass-surveillance, and controllability may not necessarily be problematic, but their purposes, transparency, steering and systemic context can make them so. Our current world is definitely not shaped in a way that would warrant an accepted conclusion justifying the current mass-surveillability and mass-vulnerability of billions of humans.

Lengthy, incomplete, obscure, dispersed and sophisticated guides or even books only found and implementable by elitist/senior GNU/Linux users with much knowledge, interest and time are not a solution either.
This guide is not a solution, but it could become part of one if it gets developed further, gets interconnected with potential Debian newcomers and is potentially built into setup wizards or the like.

At present a resilient society using technologically secure-by-design software structures with a participative and collaborative culture is the ultimate goal. This requires getting society at large (average computer users) on board.

Prior installation FAQ

What is GNU/Linux?
A "Unix-like" operating system that is free and open source. Many variants of these operating systems exist; they run on most servers (computers that serve content or services such as websites) and on Android phones. Linux is the kernel of the GNU/Linux operating system, and most people are referring to the GNU/Linux operating system when they speak of "Linux" (e.g. because people want a single short term, and "GNU+Linux", while more accurate, is two terms). GNU stands for "GNU's Not Unix!" as GNU's design is "Unix-like" but differs from Unix by being free software and containing no Unix code. The GNU project was founded by Richard Stallman. The Linux kernel was developed by Linus Torvalds.

What is free and open source software?
Software that allows anyone to freely use, copy, study, and change it in any way, and has its source code openly shared so that people are encouraged to voluntarily improve the design of the software. This is in contrast to proprietary software, where the software is under restrictive copyright and the source code is usually hidden from the users. Although rare, some non-free software might have its source code public too.

What is Debian?
It is a distribution of GNU/Linux. A popular variant of the operating system.

Why Debian?
See WhyDebian: 100% FOSS, stability, security, your control, features, configurability, privacy, a large community, the largest upstream GNU/Linux distribution and many packages. It aims to be the best operating system. [...]

Why not Ubuntu?
Ubuntu is based on Debian but isn't as good and isn't 100% FOSS. Note that most help written for Ubuntu still applies: because Ubuntu is based on Debian, anything that refers to Ubuntu is very similar for Debian (for instance, most answers on askubuntu may help you out as well, and instructions for Ubuntu often only need to be slightly altered for Debian).

Why not another GNU/Linux distribution?

I want to try Debian first
Try the LiveCD.

Can I still play my games on Debian?
Do you really need to? Some of them maybe. But consider whether it's worth the effort and the introduced security risks. You can use PlayOnLinux / Wine / Steam to play games. However, they are somewhat insecure [1][2].
But there are free Linux games for Debian such as SuperTuxKart. And you can play console games (Gamecube, PS2, etc) using an Emulator such as Dolphin.

I only want to install Debian in addition to Windows (dual boot)
Don't do it. Test Debian using a LiveCD instead.

Does my laptop support Debian?
You need to check it first. If you already have a laptop you should try whether you can boot and properly use the LiveCD. If you want to buy a laptop you need to research whether other people have reported getting GNU/Linux working on it. Many Dell laptops support Debian, for example (you could search for Ubuntu certified laptops and buy one of those). In addition you need to apply pressure to laptop manufacturers to support it and also create demand. You might find useful information here.

Does Debian support touchscreens and tablets?
Yes. Please see TabletAndTouchScreen. More developers are needed to improve support.

Why would I need such a secure and privacy-protecting OS?
In short: cybercrime, state-sponsored cyberintrusions, companies selling your personal data, uncertainty of the future, centralized control, activism, journalism, journalism-like activities, corporate espionage, having control over your own machines, infrastructure security, cyber-pandemics/malware, being in any way involved in the open source revolution, putting corporate profits at risk and overhauling/challenging established structures etc.

But isn't GNU/Linux just for nerds and computer geeks?
It's not supposed to be like that. This guide is an attempt to make GNU/Linux (and in particular a secure setup) more accessible to average users. It needs more effort to build support for even casual computer users who want to never touch the command line and want their hardware to be working plug&play after they bought it. Furthermore even Windows can require big efforts to get working properly, especially if you want to gain some level of privacy and security and do essential things like backups and so on.

But all of my software is for Windows/Mac only. Isn't there almost no software for GNU/Linux?
Most important Windows/Mac software has GNU/Linux equivalents which are also free of charge and - if they are in Debian's repositories - very easy and convenient to install. Some such software can be found at the bottom of this page. Free software has many advantages beyond being free of charge (see Q#2). If you think there's no equivalent for some specific software you use, first research what kind of software that is, then search the web for {type of the software} Debian, and if you can't find anything you should simply ask on places like softwarerecs.stackexchange.com.
Debian also has package management, which Windows for example lacks. It regularly scans for new updates and allows you to run updates for all of your software with a single click, which is necessary for proper security.

Download & burn

Download software for offline use later

You should not connect to the Internet until you have finished the setup and reached the step "Go online". Hence you should download all the relevant (security) software packages beforehand and write them to a CD, DVD or USB stick. For laptops you might also need to download drivers beforehand. DVD-1 contains many packages; to install them you simply need to insert it and install the software via Apper. However, it is also missing many important packages. Which software you want to have running before you connect to the Internet depends on you. For instance the GUFW firewall is not among DVD-1's packages, but you don't need it if you'll use iptables instead. You could also install lynis before going online.

Backup, live CD & formatting

BIOS settings

Installation

Partitioning

Partitioning is the hardest part of the installation and you might have to rerun it a few times.

Software selection (desktop environment)

The desktop environment is the graphical surface of your operating system. It is important that you select the one that fits best to you. You might want to try and compare multiple of them (e.g. via live CDs) and research them (e.g. watch videos showing them).

Finish

Principles and preknowledge

Passwords

It's best to write them down physically on paper (never, or only partially/obscured and encrypted, electronically), and in a way that only you can read properly. For instance you could write down signs for words and alter the order in a specific way. Store them in a secure place and try to keep two copies.
You could also store them electronically with the password missing some words that you only store on a piece of paper.
Furthermore, try to enable two-factor authentication (2FA) for as many of your relevant accounts as possible. Also plan for the possibility of losing your phone (typically there are backup codes, which you should write down).

Initial setup

Security and tools

Set a GRUB password

Set a GRUB password as explained here:

cat << EOF
set superusers="somename"
password somename pw
EOF
Replace somename and pw with a name and a password. If you already encrypted your hard drive you might want to use a shorter one. Do not replace anything except these 3 words. The somename doesn't have to be your username - it can be any word you want.

If you fail to do this correctly you may not be able to boot your system.
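A check to run after update-grub, added here as an example that is not part of the guide: it confirms that the superuser name and a password line for it actually reached the generated grub.cfg, and tells you whether the password is stored in clear text (the "password" keyword used above) or hashed ("password_pbkdf2", as produced by grub-mkpasswd-pbkdf2). The file path argument and the return codes are this script's own convention.

```shell
#!/bin/sh
# Added example (not from the guide): verify the GRUB password setup landed in
# the generated configuration. Usage: sh check_grub.sh [/boot/grub/grub.cfg]
# Returns 0 if a hashed password is set, 1 if the password is in clear text,
# 2 if no superuser or no password line was found (or the file is unreadable).
check_grub_password() {
    cfg=${1:-/boot/grub/grub.cfg}
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    # Extract the name from a line such as: set superusers="somename"
    name=$(sed -n 's/^[[:space:]]*set superusers="\([^"]*\)".*/\1/p' "$cfg" | head -n 1)
    if [ -z "$name" ]; then
        echo "no superuser set in $cfg: the GRUB menu is unprotected"
        return 2
    fi
    # password_pbkdf2 <name> <grub.pbkdf2.sha512...>: hashed, the preferred form
    if grep -q "^[[:space:]]*password_pbkdf2 $name " "$cfg"; then
        echo "superuser '$name' is protected with a hashed password"
        return 0
    fi
    # password <name> <pw>: works, but anyone who can read grub.cfg sees the password
    if grep -q "^[[:space:]]*password $name " "$cfg"; then
        echo "superuser '$name' uses a clear-text password in $cfg"
        return 1
    fi
    echo "superuser '$name' has no password line: GRUB may lock you out at boot"
    return 2
}

if [ $# -gt 0 ]; then
    check_grub_password "$1"
fi
```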

Encryption

You need such an encryption program to encrypt data on other storage devices and for the way our IDS is set up in the step below.

Anti malware

Kernel hardening

# Reverse-path filtering: drop packets whose source address is not reachable via the interface they arrived on
net.ipv4.conf.all.rp_filter=1
# Ignore ICMP redirects (they can be abused to reroute your traffic)
net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
# Ignore source-routed packets and log packets with impossible source addresses
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.log_martians=1
# Disable the magic SysRq key
kernel.sysrq=0
# Hide kernel pointers in /proc, even from root
kernel.kptr_restrict=2
# Do not send TCP timestamps (they leak uptime and help fingerprinting)
net.ipv4.tcp_timestamps=0
# Core dumps: include the PID in the file name and never dump setuid programs
kernel.core_uses_pid=1
fs.suid_dumpable=0
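Settings written to a sysctl file only take effect after sysctl --system (or a reboot), and a kernel may not expose every key (IPv6 keys disappear when IPv6 is disabled). The following audit script is an added example, not part of the guide: it compares the list above against the values the running kernel reports under /proc/sys. The SYSCTL_ROOT variable and the return codes are this script's own convention.

```shell
#!/bin/sh
# Added example (not from the guide): audit the kernel hardening settings
# against the values the running kernel actually uses. Values are read from
# /proc/sys; SYSCTL_ROOT can point elsewhere (used for testing).
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

# The guide's settings, one key=value per line (spaces around '=' are tolerated)
HARDENING_SETTINGS='
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
kernel.sysrq=0
kernel.kptr_restrict=2
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_timestamps=0
net.ipv6.conf.default.accept_redirects=0
kernel.core_uses_pid=1
fs.suid_dumpable=0
'

# Map a sysctl key to its file, e.g. kernel.sysrq -> /proc/sys/kernel/sysrq
sysctl_path() {
    printf '%s/%s\n' "$SYSCTL_ROOT" "$(printf '%s' "$1" | tr . /)"
}

# Compare one key with its expected value.
# Returns 0 on match, 1 on mismatch, 2 if the kernel does not expose the key.
check_setting() {
    key=$1 expected=$2
    path=$(sysctl_path "$key")
    if [ ! -r "$path" ]; then
        printf 'MISSING  %s\n' "$key"
        return 2
    fi
    actual=$(cat "$path")
    if [ "$actual" = "$expected" ]; then
        printf 'OK       %s=%s\n' "$key" "$actual"
        return 0
    fi
    printf 'MISMATCH %s expected=%s actual=%s\n' "$key" "$expected" "$actual"
    return 1
}

# Check every setting; the return value is the number of keys not as expected.
audit_hardening() {
    failures=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d ' \t')
        case "$line" in ''|'#'*) continue ;; esac
        check_setting "${line%%=*}" "${line#*=}" || failures=$((failures + 1))
    done <<EOF
$HARDENING_SETTINGS
EOF
    return "$failures"
}

# Run the audit, e.g. right after: sudo sysctl --system
audit_hardening || printf '%s setting(s) are not as expected\n' "$?"
```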

Intrusion detection system

Note: at IntegratedIntrusionDetectionSystem work is ongoing to improve IDS!

You can find useful Tripwire Policy rules at: TripwirePolicyRules.

An intrusion detection system (IDS) helps you detect intrusions, allows you to help secure computers by reconstructing intrusions, and along the way helps you better understand GNU/Linux / Debian. While some advanced forms of IDS are more or less the only way to ultimately and reliably protect machines, they haven't been developed far enough to allow fully secure personal computers in practice. But maybe they will get developed further to allow such.
Before doing this you need to have VeraCrypt (or a similar encryption program) installed.

Then, once you have used your computer, you can do your first scan. It should be the same procedure every time, and you should run scans as often as possible to get smaller reports and to know which changes you caused yourself in the meantime.

By setting this up properly, by knowing what to look for, and by helping improve tripwire to integrate better with Debian and to automate the steps above, you could theoretically reach a very high level of security.

There are many ways an IDS could get improved. This includes having two machines with the same packages installed and comparing whether they differ in any way, or making use of virtual machines. While few IT security specialists seem to be interested in implementing such improvements, it is important that you get an IDS working as early as possible, and before going online. While the current implementation might be hard to use, it's still useful and also deters potential adversaries merely by being set up properly.

File permissions

Security auditing tools

(OPTIONAL)
Security auditing tools analyze your system to find vulnerabilities that you should fix and to propose ways to further secure your system.

Other tools

Etckeeper

Bitcoin

(OPTIONAL)

Firewall

You can find useful firewall rules at: FirewallRules.

Sadly there doesn't seem to be a proper application-level firewall for Debian yet.

*filter
# DROP everything by default
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# And explicitly allow the following.
# INPUT: a personal computer runs no services, so only replies (ESTABLISHED)
# to connections this machine opened are accepted; NEW is never allowed in.
# LOCAL
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
# HTTP
-A INPUT -p tcp -m tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
#-A INPUT -p tcp -m tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT
# HTTPS
-A INPUT -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# DNS
-A INPUT -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
# DHCP (uncomment if your network assigns addresses via DHCP)
#-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
# PING (replies to our own echo requests)
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
# LOG 3 dropped packets per minute to /var/log/syslog
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "~~~~IP INPUT DROP: "
-A INPUT -j DROP
# OUTPUT: connections this machine opens to the listed ports
# LOCAL
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
# HTTP
-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#-A OUTPUT -p tcp -m tcp --dport 8080 -m state --state NEW,ESTABLISHED -j ACCEPT
# HTTPS
-A OUTPUT -p tcp -m tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# DNS
-A OUTPUT -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# DHCP (uncomment if your network assigns addresses via DHCP)
#-A OUTPUT -p udp -m udp --sport 68 --dport 67 -j ACCEPT
# PING
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# LOG 3 dropped packets per minute to /var/log/syslog
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "~~~~IP OUTPUT DROP: "
-A OUTPUT -j DROP
COMMIT
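The LOG rules above write one line per dropped packet (rate-limited) to /var/log/syslog with the prefix ~~~~IP INPUT DROP: or ~~~~IP OUTPUT DROP:. The script below is an added example, not part of the guide: it summarises those lines by chain, protocol, destination port and source address so repeated probes of one port stand out from background noise. The sample log lines embedded in it are constructed in the kernel LOG target's format; on a real system pipe grep '~~~~IP' /var/log/syslog into summarise_drops instead.

```shell
#!/bin/sh
# Added example (not from the guide): summarise the packets dropped and logged
# by the firewall rules. Reads syslog lines on stdin.

# Constructed sample lines in the format the kernel's LOG target produces
SAMPLE_SYSLOG='Mar  3 10:15:01 debian kernel: [ 1234.567890] ~~~~IP INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:02 debian kernel: [ 1235.000000] ~~~~IP INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.50 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:15:03 debian kernel: [ 1236.000000] ~~~~IP OUTPUT DROP: IN= OUT=eth0 SRC=192.0.2.50 DST=198.51.100.7 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=40000 DPT=123 LEN=56
Mar  3 10:15:04 debian kernel: [ 1237.000000] ~~~~IP INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.50 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=44444 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:05 debian cron[123]: (root) CMD (run-parts /etc/cron.hourly)'

# Print "count chain proto dport src" for every logged drop, busiest first.
# Non-firewall lines (like the cron line above) are ignored.
summarise_drops() {
    awk '
    /~~~~IP (INPUT|OUTPUT) DROP: / {
        chain = ($0 ~ /INPUT DROP:/) ? "INPUT" : "OUTPUT"
        proto = "?"; src = "?"; dpt = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        count[chain " " proto " " dpt " " src]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Total number of inbound packets dropped on the way to one local port
drops_to_port() {
    summarise_drops | awk -v port="$1" '$2 == "INPUT" && $4 == port { n += $1 } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_SYSLOG" | summarise_drops
```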

Close ports and inspect traffic

Wireshark

(OPTIONAL)
You can find out exactly which data is being sent by applications and to websites by making use of wireshark. You can use this to identify undesired data transmissions. After installing wireshark, run sudo dpkg-reconfigure wireshark-common, choose "Yes" and then run sudo adduser $USER wireshark. After you have finished using wireshark, run sudo dpkg-reconfigure wireshark-common again, choose "No" and run sudo deluser $USER wireshark.

Go online

deb http://security.debian.org/debian-security stretch/updates main contrib
deb-src http://security.debian.org/debian-security stretch/updates main contrib
deb http://ftp.CY.debian.org/debian/ stretch main contrib
deb-src http://ftp.CY.debian.org/debian/ stretch main contrib
deb http://ftp.CY.debian.org/debian/ stretch-updates main contrib
deb-src http://ftp.CY.debian.org/debian/ stretch-updates main contrib
deb http://deb.torproject.org/torproject.org stretch main
deb http://download.virtualbox.org/virtualbox/debian stretch contrib

You can leave out the torproject and virtualbox repositories if you want to. Replace CY with the country code of the repository you would like to use. You can find a list of Debian's repositories here. You can also leave out contrib, which includes software that is not 100% FOSS, or add non-free after contrib, which also includes non-free software (such as many proprietary drivers).

Run updates

DNS

Before a computer can connect to an external network resource (say, for example, a web server), it must have a means of converting any alpha-numeric names (e.g. wiki.debian.org) into numeric network addresses (e.g. 140.211.166.4). More information.

Configure Firefox

Public keys

Email client

Get Tor

(OPTIONAL)

Get a VPN

(OPTIONAL)

Join a meshnet

(OPTIONAL)
A mesh network is a resilient network in which each node cooperates in the distribution of data in the network by relaying data. Meshnets are decentralized and can withstand censorship and disasters.

Check the settings of your webaccounts and switch providers

Drivers

Getting your hardware and devices to work with GNU/Linux is the only thing that might be truly difficult. This is mainly due to the way the world screwed up building proper standardization and interoperability in general for hardware, and due to manufacturers. Some hardware and devices may work straight away without any configuration, some might just require some package to be installed, others might require you to install multiple packages, locate some information online (such as on the manufacturer's page, or by entering the device name + linux into a search engine) and run some commands, or they might not work at all.

Connect your devices

Printer

Android phone

# Port range 1714-1764 (used by KDE Connect to pair with the phone).
# These rules are not stateful; consider limiting them to your own LAN with -s / -d <your LAN subnet>.
-A INPUT -p tcp -m tcp --dport 1714:1764 -j ACCEPT
-A INPUT -p udp -m udp --dport 1714:1764 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1714:1764 -j ACCEPT
-A INPUT -p udp -m udp --sport 1714:1764 -j ACCEPT
-A OUTPUT -p udp -m udp --dport 1714:1764 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 1714:1764 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1714:1764 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 1714:1764 -j ACCEPT

Music instruments

See: MIDI and Wikipedia's List of Linux audio software

For DJing / mixing there is mixxx, which you can install via your package manager or by compiling from source to get the latest version as described here and in the section Compilation. If your controller does not work with it, there might not yet be a mapping for it, or you might have to edit the /etc/udev/rules.d/mixxx.usb.rules file.

For music production there is LMMS. However if you want to use VST plugins with it you also need to install Wine (selected by default).

You can use a virtual machine with another operating system to get other software or instruments working.

Input devices

Installing, compiling and running programs

Compilation

Sometimes you may need to compile programs if (the latest) packages aren't available in Debian's repositories. To compile you need to make sure you have the right compilers installed. The compilers needed are typically displayed when you try to compile software. Some often needed packages for compilation are: g++, g++-6, gcc, gcc-6, as and build-essential. You need to make sure they have the right permissions set before compilation by running sudo chmod 0700 /usr/bin/g++ and sudo chmod 0700 /usr/bin/as [...]. After compilation they should be set back to 0444. You need to compile as sudo. Instructions on how to compile can be found on the websites of the software.

.deb files

First navigate to the folder where the .deb file is located with cd folder-path, then install the package by running sudo dpkg -i package.deb.

The installation folder

Hashing

When downloading software from anywhere else than official repositories you should check the integrity of the software and verify that it's the actual software you intend to install and not a trojan for example. You should also do this for .iso files as described at the top of this page.
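One way to do that check, added here as an example that is not part of the guide: Debian publishes a SHA256SUMS file next to its .iso images (lines of the form "<hash>  <filename>"), and the script below compares the hash of a downloaded file against its entry in such a list. It assumes sha256sum from coreutils; the file names and the constructed list in the test are placeholders. A hash list downloaded from the same place as the file only proves the download was not corrupted; verify the signature on SHA256SUMS (SHA256SUMS.sign, with gpg) before trusting it.

```shell
#!/bin/sh
# Added example (not from the guide): verify a download against a
# SHA256SUMS-style list. Usage: sh verify_download.sh <file> <SHA256SUMS>
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed.

# Print the expected (lower-case) hash for a file name from the list.
# Accepts both "hash  name" (text mode) and "hash *name" (binary mode) entries.
expected_sha256() {
    list=$1 name=$2
    awk -v name="$name" '$2 == name || $2 == "*" name { print tolower($1); exit }' "$list"
}

# Compute the actual hash of a file (assumes coreutils sha256sum)
actual_sha256() {
    sha256sum "$1" | awk '{ print $1 }'
}

verify_download() {
    file=$1 list=$2
    want=$(expected_sha256 "$list" "$(basename "$file")")
    if [ -z "$want" ]; then
        echo "$(basename "$file") is not listed in $list" >&2
        return 2
    fi
    have=$(actual_sha256 "$file")
    if [ "$have" = "$want" ]; then
        echo "OK: $file matches $want"
        return 0
    fi
    echo "MISMATCH: $file has $have but the list says $want; do not install it" >&2
    return 1
}

if [ $# -eq 2 ]; then
    verify_download "$1" "$2"
fi
```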

Clean-ups

Clean up deinstalled programs by running dpkg --get-selections | grep deinstall and then sudo dpkg --purge package-name. Also run sudo apt-get autoremove, or clean up using BleachBit.

Sandboxing

Sandboxing means that programs get somewhat isolated from the rest of the machine so that they can't cause great harm. For example their permissions and the directories they have access to can be limited.

Virtual machines

(OPTIONAL)
For protecting your system you may want to use virtual machines. They could also help you out if you need to get Windows programs running. Virtual machines are simulated computers with their own "virtual" hardware that run isolated under your "host" OS.
Do not connect them to the Internet. Do not use "shared folders". Do not use drag & drop. Isolate the VM as much as possible.

Backups

You should create regular backups of your data onto an external storage device. The main storage device holding the backup needs to be physically disconnected from your computer except when you are running a backup. Obviously it needs to be encrypted too.

The most important data should be backed up twice. Back up important files to read-only media such as DVDs. You could create an encrypted container with VeraCrypt or dm-crypt/LUKS for these backups.

File permissions

To limit the amount of damage an intruder or exploit / malware can do to your system you can change the permissions of specific files and directories.

To make a directory accessible by root (or any specific user) only run:

Identify vulnerabilities

You can use the debsecan package to find currently exploitable packages on your system.

You could also find a way to use debsecan-create-cron (from the debsecan package) to get notified of new vulnerabilities in your system.

Scripts and tools could be used to display information on how to protect against the displayed vulnerabilities or to semi-automatically take protective measures.
They could also be used to identify additional vulnerabilities of one's system. Both of these are relevant to the not yet started IntegratedIntrusionDetectionSystem project, as cybersecurity professionals are mostly busy with ephemeral, suboptimal, tailored solutions for protecting corporate profits and the like.

If you followed this guide this far you have reached the most basic level of cybersecurity.

The results of debsecan may look desperate and make you think that a secure personal computer for average computer users is impossible. However, everything has had to start at some point in spacetime. Securing computers across the globe starts right here and now if you want it to.

Tools

Basic software that you might be looking for.

Further

