Help with install Debian with security in mind.

New to Debian (Or Linux in general)? Ask your questions here!
jazzeroo
Posts: 12
Joined: 2022-05-23 19:06

Help with install Debian with security in mind.

#1 Post by jazzeroo »

So I have been trying debian in virtualbox for a while now and while I still have
several things to learn I am restricted by only using it in the VM.
So the next step is to install it as my main OS for a while.
So I am reading the Securing Debian Manual and it is pretty advanced (not very beginner friendly) and not that easy to follow sometimes.

It says Do not plug to the Internet until ready and suggests to block everything but updates with a firewall
B.6. Security update protected by a firewall
https://www.debian.org/doc/manuals/secu ... te.en.html

But won't I have to connect to the internet to install the firewall?

These lines have also confused me:

FIXME: This needs DNS to be working properly since it is required for security.debian.org to work. You can add security.debian.org to /etc/hosts but now it is a CNAME to several hosts (there is more than one security mirror)
FIXME: this will only work with HTTP URLs since ftp might need the ip_conntrack_ftp module, or use passive mode.

How do the more advanced users here install Debian on your systems? Tips are appreciated.

Aki
Global Moderator
Posts: 2816
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 68 times
Been thanked: 382 times

Re: Help with install Debian with security in mind.

#2 Post by Aki »

Hello,
jazzeroo wrote: 2022-06-08 02:18 [..] I am reading the Securing Debian Manual and it is pretty advanced (not very beginner friendly) and not that easy to follow sometimes. It says Do not plug to the Internet until ready and suggests to block everything but updates with a firewall
B.6. Security update protected by a firewall
https://www.debian.org/doc/manuals/secu ... te.en.html
But wont I have to connect to the internet to install the firewall?
The basic commands to manually configure a firewall are usually already shipped with standard Debian install images (ISO images), therefore you do not have to get them from a repository on the internet. These basic commands have been updated (see https://wiki.debian.org/nftables) with respect to the ones listed in the aforementioned guide, but those are still supported with optional packages.

IMHO, standard installation of a Debian stable release is usually quite secure from network attacks, anyway. Therefore, firewall configuration is not strictly required for a standard personal computer in a controlled network (e.g. connected to a router with an embedded firewall), unless services or programs at risk are installed or unless the network is already compromised.

Usually, the basic "rule of thumb" is to activate only the strictly required network services.

Of course, not even a firewall can protect you from some kinds of attack that rely on user deception (e.g. phishing), but those are not properly network attacks.
Last edited by Aki on 2022-06-11 05:41, edited 1 time in total.
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀

dilberts_left_nut
Administrator
Posts: 5343
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Help with install Debian with security in mind.

#3 Post by dilberts_left_nut »

+1
Stop worrying and just install it.

If you understand how a firewall works, you will know how to set it up for your needs.
If you don't know, you don't need one - it will only cause you grief and will not help with your "security".
AdrianTM wrote:There's no hacker in my grandma...

jazzeroo
Posts: 12
Joined: 2022-05-23 19:06

Re: Help with install Debian with security in mind.

#4 Post by jazzeroo »

Thank you both for the replies. I believe I do need a firewall though but I'll stick to setting it up with Ufw since I am able to use it at my skill level.

dilberts_left_nut
Administrator
Posts: 5343
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Help with install Debian with security in mind.

#5 Post by dilberts_left_nut »

And what do you hope that will achieve?

Aki
Global Moderator
Posts: 2816
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 68 times
Been thanked: 382 times

Re: Help with install Debian with security in mind.

#6 Post by Aki »

jazzeroo wrote: 2022-06-11 02:15 Thank you both for the replies. I believe I do need a firewall though but I'll stick to setting it up with Ufw since I am able to use it at my skill level.
Experimenting is always interesting and useful to learn more. :wink:

Happy Debian & happy hacking

dilberts_left_nut
Administrator
Posts: 5343
Joined: 2009-10-05 07:54
Location: enzed
Has thanked: 12 times
Been thanked: 66 times

Re: Help with install Debian with security in mind.

#7 Post by dilberts_left_nut »

AdrianTM wrote:There's no hacker in my grandma...

jazzeroo
Posts: 12
Joined: 2022-05-23 19:06

Re: Help with install Debian with security in mind.

#8 Post by jazzeroo »

I am back to pester you with more questions.

I am making the USB ISO to install Debian as I type this, and I get that you probably think I am overly concerned about things, but the guide says to validate the installation image with a checksum, which I did and it was correct, but then it also said:

To ensure that the checksums files themselves are correct, use GnuPG to verify them against the accompanying signature files.

I was not able to do this since I am using Windows and could not find a comprehensive guide to do it on Windows, if it is possible at all.

How important is this step? And if it is important can it be done in Windows?
Last edited by jazzeroo on 2022-06-11 10:29, edited 1 time in total.

jazzeroo
Posts: 12
Joined: 2022-05-23 19:06

Re: Help with install Debian with security in mind.

#9 Post by jazzeroo »

dilberts_left_nut wrote: 2022-06-11 03:11 And what do you hope that will achieve?
Protection from someone hacking my computer and using it as a zombie machine, for example. I have been subjected to a number of probably random port scans lately and I would rather be safe than sorry.
I know that a firewall is not a protect-against-everything solution, but they must be doing some good.
I will read the article you provided but I haven't yet.

Head_on_a_Stick
Posts: 14114
Joined: 2014-06-01 17:46
Location: London, England
Has thanked: 81 times
Been thanked: 132 times

Re: Help with install Debian with security in mind.

#10 Post by Head_on_a_Stick »

I would take issue with this because it doesn't cover common desktop use cases where the only ports required are 80 (http) & 443 (https), which will always be open for established and related connections (ie, those opened by the user) even with restrictive rulesets.

The only way nftables' supplied "workstation" ruleset (basic default-deny) would cause any problems is if the desktop user wanted to run a server or something, and in that case they would know which port(s) to open. Otherwise a restrictive ruleset just prevents inadvertent exposure: for example, if a service was installed that listened on ports but the user was unaware of this, the firewall blocks the ports with no action required. Yes, the service would break, but that's a good thing. Without a firewall the service would be left running and exposed without the user's knowledge.

The resource overhead for nftables is so small that I really do think it's worth running in default-deny if you know you don't ever want to expose listening services.
jazzeroo wrote:I have been subjected to a number of probably random port scans lately
They can scan all the ports they want, it will be completely ineffective unless you have any services listening to the ports and keeping them open. A firewall is not needed to keep ports closed unless an installed service is trying to use them.

Firewalls are a nice fallback but the best approach is to make sure you know exactly which ports are open and exactly what is listening to them:

Code:

# netstat -tulpn | grep LISTEN
Then plan your defences accordingly.

EDIT:
jazzeroo wrote:To ensure that the checksums files themselves are correct, use GnuPG to verify them against the accompanying signature files.

I was not able to do this since I am using Windows and cold not find a comprehensive guide to do it on Windows if it is possible at all.
GnuPG is available for Windows:

https://gnupg.org/download/
deadbang
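An added example, not part of Head_on_a_Stick's post: the same "know what is listening" check as a portable filter over `ss -tulpn` output (ss is the iproute2 tool; netstat comes from the separate net-tools package). It keeps only sockets bound to something other than a loopback address, i.e. the ports a firewall would otherwise have to cover. The sample ss output embedded below is constructed for the example, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the thread: filter `ss -tulpn` output down to the
# listening sockets reachable from outside the host (not bound to loopback).

# exposed_listeners: reads `ss -tulpn` output on stdin and prints
# "proto local_address process" for every non-loopback listener.
# Address forms ss prints: 0.0.0.0:22, [::]:22, *:22, 192.0.2.10:80 (exposed)
# versus 127.0.0.1:631, [::1]:631 (loopback only).
exposed_listeners() {
    awk '
        NR == 1 { next }                                   # column header
        $1 != "tcp" && $1 != "udp" { next }                # skip raw/unix etc.
        $2 != "LISTEN" && $2 != "UNCONN" { next }          # tcp listeners, udp sockets
        {
            addr = $5
            if (addr ~ /^127\./ || addr ~ /^\[::1\]/) next  # loopback only: fine
            proc = ($7 != "") ? $7 : "-"                   # empty without -p or root
            print $1, addr, proc
        }'
}

# count_exposed OUTPUT: number of exposed listeners in a captured ss dump.
count_exposed() {
    printf '%s\n' "$1" | exposed_listeners | wc -l | tr -d ' '
}

# Constructed sample, not a capture from a real host.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*    users:(("cupsd",pid=410,fd=6))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=700,fd=3))
tcp   LISTEN 0      128            [::1]:631          [::]:*    users:(("cupsd",pid=410,fd=7))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=700,fd=4))
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*    users:(("chronyd",pid=500,fd=5))
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*    users:(("avahi-daemon",pid=520,fd=12))'

# Live use (as root, so the Process column is filled for every socket):
#   ss -tulpn | exposed_listeners
if [ "${1:-}" = "--live" ]; then
    ss -tulpn | exposed_listeners
else
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
fi
```

On the sample, only sshd on 0.0.0.0:22 and [::]:22 and avahi-daemon on 0.0.0.0:5353 are reported; CUPS and chrony are bound to loopback and never reachable from the network, firewall or not. Anything this prints that you did not intend is a service to stop or reconfigure, and the remaining lines are the only ports a default-deny ruleset ever needs to open.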

fabien
Forum Helper
Posts: 604
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 60 times
Been thanked: 141 times

Re: Help with install Debian with security in mind.

#11 Post by fabien »

Head_on_a_Stick wrote: 2022-06-11 10:34 A firewall is not needed to keep ports closed
But it is needed to keep ports stealth.
I accept (almost) everything over IPv4 because it is already on a private network behind NAT (filtering would lead to unexpected behaviours with certain protocols or complicated rules). I filter IPv6 in input.
But I don't worry too much during the install (I always start with minimal installs), it's more of a long term measure. However, the rules could be applied early.

Code:

#!/usr/sbin/nft -f

flush ruleset

# ----- IPv4 -----
table ip filter {
   chain INPUT {

      ### accept all ipv4 traffic which should be on the local network behind the gateway
      type filter hook input priority 0; policy drop;
      ct state invalid counter drop
      iif lo accept comment "accept loopback"
      iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
      ### Force SYN checks.
      tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop
      ### Drop XMAS packets.
      tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
      ### Drop NULL packets.
      tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
      tcp dport 22 ct state new limit rate over 5/minute log prefix "NFT_IPV4_input_ssh22_RateLimit_drop " drop
      tcp dport 22 ct state new log prefix "NFT_IPV4_input_ssh22_accept " accept
      ct state {new, established, related} accept
   }

   chain FORWARD {
      type filter hook forward priority 0; policy drop;
      counter comment "NFT ipv4 forward dropped packets count"
   }

   chain OUTPUT {
      type filter hook output priority 0; policy accept;
      ct state invalid counter drop
      #counter comment "count accepted packets"
   }
}


# ----- IPv6 -----
table ip6 filter {
   chain INPUT {
      type filter hook input priority 0; policy drop;
      ct state invalid counter drop comment "NFT ipv6 early drop of invalid packets"
      iif lo accept comment "NFT ipv6 accept loopback"
      iif != lo ip6 daddr ::1/128 counter drop comment "NFT ipv6 drop connections to loopback not coming from loopback"
      ### Force SYN checks.
      tcp flags & (fin|syn|rst|ack) != syn ct state new counter drop comment "Force SYN checks"
      ### Drop XMAS packets.
      tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop comment "Drop XMAS packets"
      ### Drop NULL packets.
      tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop comment "Drop NULL packets"
      ### ICMP - accept all but echo requests
      icmpv6 type {echo-request} counter drop comment "NFT ipv6 drop input icmp echo-request"
      ip6 nexthdr icmpv6 accept comment "NFT ipv6 accept all ICMP types"
      ### Rules with “limit” need to be put before rules accepting “established” connections
      tcp dport 22 ct state new limit rate 5/minute counter log prefix "NFT_IPV6_input_ssh22_accept " accept comment "NFT ipv6 accept SSH22"
      ct state {established, related} accept
      counter comment "count dropped packets"
   }

   chain FORWARD {
      type filter hook forward priority 0; policy drop;
      counter comment "NFT ipv6 forward dropped packets count"
   }

   chain OUTPUT {
      type filter hook output priority 0; policy accept;
      icmpv6 type {echo-reply} counter drop comment "NFT ipv6 drop output icmp echo-reply"
      ct state invalid counter drop
      #counter comment "count accepted packets"
   }
}
I actually use another port for SSH (a simple measure to avoid having logs overwhelmed by brute force ssh port scanning).
I also have a /etc/sysctl.d/98-networking.conf file as follows (caveat: some settings are subject to discussion, always document yourself beforehand):

Code:

# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
#######################################################

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.enp2s0.rp_filter=1   ### to be adapted to interface name (see /proc/sys/net/ipv4/conf/)

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4 (router)
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6 (router)
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.enp2s0.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.enp2s0.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.enp2s0.send_redirects = 0

# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.enp2s0.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.enp2s0.accept_source_route = 0

# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
jazzeroo wrote: 2022-06-11 10:20 To ensure that the checksums files themselves are correct, use GnuPG to verify them against the accompanying signature files.
[...]
How important is this step?
If you access checksum files over say https, there's already a security layer. And if the entire Debian architecture is compromised, global scandal should reach you.

edit: revised nftables rules order
Last edited by fabien on 2022-06-13 00:30, edited 1 time in total.
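An added example, not from Head_on_a_Stick's or fabien's posts: the two-step image check the thread is discussing, as shell functions. Step 1 verifies the detached GnuPG signature (Debian ships it as SHA256SUMS.sign next to SHA256SUMS) and pins the signing key's fingerprint; step 2 checks the image against the signed checksum file. It assumes the Debian CD signing key has already been imported into the local keyring and that EXPECTED_FPR is that key's fingerprint as published on debian.org; no fingerprint is hard-coded here, copy it from the site. The same gpg invocation works with the Windows build of GnuPG.

```shell
#!/bin/sh
# Added example, not code from the thread or from Debian: verify an installer
# image against its signed checksum file. Run in the directory holding the
# image, SHA256SUMS and SHA256SUMS.sign.

# verify_sums_signature SUMS SIG EXPECTED_FPR
# Exit 0 only when gpg reports a VALIDSIG whose signing-key (or primary-key)
# fingerprint equals EXPECTED_FPR. A bad signature, an unknown key, a wrong
# fingerprint, or no gpg binary at all, all fail. Assumption: the Debian CD
# signing key is in the keyring and EXPECTED_FPR was read from debian.org.
verify_sums_signature() {
    sums="$1"; sig="$2"; want="$3"
    gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null \
      | awk -v want="$want" '
            $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
            END { exit !ok }'
}

# verify_image_checksum IMAGE SUMS
# Exit 0 only when IMAGE has an entry in SUMS and its SHA-256 matches.
# Only that one line is fed to sha256sum, so the other images listed in SUMS
# cause no "missing file" noise; if IMAGE has no entry, sha256sum gets
# nothing to check and fails instead of silently passing.
verify_image_checksum() {
    image="$1"; sums="$2"
    grep -E "^[0-9a-f]{64} [ *]${image}\$" "$sums" | sha256sum --check --status -
}

# verify_image IMAGE SUMS SIG EXPECTED_FPR
# Signature first: a checksum file of unknown origin proves nothing about
# the image, it only proves the download was not corrupted.
verify_image() {
    verify_sums_signature "$2" "$3" "$4" && verify_image_checksum "$1" "$2"
}

# Usage: sh verify-image.sh debian-11.3.0-amd64-netinst.iso SHA256SUMS SHA256SUMS.sign FINGERPRINT
if [ "$#" -eq 4 ]; then
    if verify_image "$1" "$2" "$3" "$4"; then
        echo "OK: $1 matches a signed checksum"
    else
        echo "FAIL: do not use $1" >&2
        exit 1
    fi
fi
```

Note that `gpg --verify` alone exits 0 for any good signature from any key in your keyring, which is why the fingerprint is compared explicitly; "good signature, key not certified" is exactly the case where only the fingerprint tells you whether it is Debian's key.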

craigevil
Posts: 5391
Joined: 2006-09-17 03:17
Location: heaven
Has thanked: 28 times
Been thanked: 39 times

Re: Help with install Debian with security in mind.

#12 Post by craigevil »

If you are truly paranoid you might like Opensnitch.
https://github.com/evilsocket/opensnitch/releases

Some truly hardening packages:
https://salsa.debian.org/corsac/hardeni ... ter/debian
https://gitlab.com/taggart/lockdown
https://usbguard.github.io/

Security scanners:
https://www.enyo.de/fw/software/debsecan/
https://cisofy.com/lynis/

https://madaidans-insecurities.github.i ... ening.html

My /etc/sysctl.conf

Code:

#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables.
# See sysctl.conf (5) for information.
# https://madaidans-insecurities.github.io/guides/linux-hardening.html

#kernel.domainname = example.com

# Uncomment the following to stop low-level messages on console
kernel.printk = 3 3 3 3
kernel.unprivileged_bpf_disabled=1


###############################################################
# Functions previously found in netbase
#

# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
net.ipv4.tcp_syncookies=1

# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1


###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
  net.ipv4.conf.all.accept_redirects = 0
  net.ipv4.conf.default.accept_redirects = 0
  net.ipv6.conf.all.accept_redirects = 0
  net.ipv6.conf.default.accept_redirects = 0
# secure_redirects = 1 (the kernel default) would accept redirects only from
# the listed default gateways; with accept_redirects = 0 above this is moot,
# so it is switched off too rather than left as an exception.
  net.ipv4.conf.all.secure_redirects = 0
  net.ipv4.conf.default.secure_redirects = 0

# Do not send ICMP redirects (we are not a router)
  net.ipv4.conf.all.send_redirects = 0
  net.ipv4.conf.default.send_redirects = 0

# Do not accept IP source route packets (we are not a router)
  net.ipv4.conf.all.accept_source_route = 0
  net.ipv4.conf.default.accept_source_route = 0
  net.ipv6.conf.all.accept_source_route = 0
  net.ipv6.conf.default.accept_source_route = 0

# Malicious IPv6 router advertisements can result in a man-in-the-middle attack so they should be disabled.
 net.ipv6.conf.all.accept_ra= 0
 net.ipv6.conf.default.accept_ra=0 

# Log Martian Packets
 net.ipv4.conf.all.log_martians = 1

# Prevent Clock Fingerprinting
 net.ipv4.icmp_echo_ignore_all=1
###################################################################
# Magic system request Key
# 0=disable, 1=enable all, >1 bitmask of sysrq functions
# See https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
# for what other values do
#kernel.sysrq=438
###################################################################
# Manual settings - these settings are to optimize for SSD drive
# Ref: https://wiki.archlinux.org/index.php/Solid_State_Drives
vm.swappiness=20
vm.vfs_cache_pressure=50

# Restrict usage of ptrace
# kernel.yama.ptrace_scope=2

# Disable TCP SACK
# net.ipv4.tcp_sack=0
# net.ipv4.tcp_dsack=0
# net.ipv4.tcp_fack=0

# Increase entropy used for mmap ASLR
# vm.mmap_rnd_bits=32
# vm.mmap_rnd_compat_bits=16

# Prevent TOCTOU races
# fs.protected_symlinks=1
# fs.protected_hardlinks=1

# Prevent creating files in potentially attacker-controlled environments
# fs.protected_fifos=2
# fs.protected_regular=2

# File watch for vscode
fs.inotify.max_user_watches=524288
My ufw config is just the default; Deny Incoming Allow Outgoing.

I also have AppArmor set up. https://help.ubuntu.com/community/AppArmor
Raspberry PI 400 Distro: Raspberry Pi OS Base: Debian Sid Kernel: 5.15.69-v8+ aarch64 DE: MATE Ram 4GB
Debian - "If you can't apt install something, it isn't useful or doesn't exist"
My Giant Sources.list

Hallvor
Global Moderator
Posts: 2020
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 138 times
Been thanked: 204 times

Re: Help with install Debian with security in mind.

#13 Post by Hallvor »

Don't worry so much. I sense a Windows mindset. 99,99% (=random number pulled out of my arse) of all malware won't run on GNU/Linux. Bad things can still happen, though.

* Install a firewall to block access to inadvertently started (or unconfigured) services.
* Only install services you really need, and then configure them with maximum security in mind. (NOT SSH server on port 22 with "root" as password) :wink:
* Use unattended-upgrades to install security upgrades automatically.
* Don't install themes and random applications from outside the repositories.

Can you still get hacked? Yes. However, it is very unlikely.
[HowTo] Install and configure Debian bookworm
Debian 12 | KDE Plasma | ThinkPad T440s | 4 × Intel® Core™ i7-4600U CPU @ 2.10GHz | 12 GiB RAM | Mesa Intel® HD Graphics 4400 | 1 TB SSD

Bulkley
Posts: 6382
Joined: 2006-02-11 18:35
Has thanked: 2 times
Been thanked: 39 times

Re: Help with install Debian with security in mind.

#14 Post by Bulkley »

A couple of practical tips. First, install Debian Stable (Bullseye). Use only software you download from the Stable repositories. It is called Stable for a reason. It has been tested for performance and security.

Next, if your router has a built-in firewall set it to the strongest setting. It may not accomplish much but you will feel better.

Harden your browser. This is, in my opinion, the major weak spot. As they come, browsers leak your data left, right and centre. If you use the Firefox browser or one of the FF clones, install the uBlock Origin extension.

Most importantly, stay away from questionable Web sites.

fabien
Forum Helper
Posts: 604
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 60 times
Been thanked: 141 times

Re: Help with install Debian with security in mind.

#15 Post by fabien »

craigevil wrote: 2022-06-11 17:58 My /etc/sysctl.conf

Code:

[...]
# Malicious IPv6 router advertisements can result in a man-in-the-middle attack so they should be disabled.
 net.ipv6.conf.all.accept_ra= 0
 net.ipv6.conf.default.accept_ra=0 
[...]
Note that this setting prevents IPv6 address configuration via DHCP (I tested and can confirm, no IPv6 address). A static IPv6 address is of course always possible.

craigevil
Posts: 5391
Joined: 2006-09-17 03:17
Location: heaven
Has thanked: 28 times
Been thanked: 39 times

Re: Help with install Debian with security in mind.

#16 Post by craigevil »

Nice catch! I have commented it and added the blog post as a note.

vladuna
Posts: 4
Joined: 2022-06-26 16:51

Re: Help with install Debian.. in VirtualBox

#17 Post by vladuna »

Could you please advise me of your VB settings?
I used both debian-11.3.0-amd64-DVD-1.iso and debian-11.3.0-amd64-netinst.iso for installation and get the same error:
After -> Choose the sw to install: Debian desktop, SSH, standard system utilities
-> Installation step failed
Running Debian Pure Blend (GIS edition) with no problems.

Hallvor
Global Moderator
Posts: 2020
Joined: 2009-04-16 18:35
Location: Kristiansand, Norway
Has thanked: 138 times
Been thanked: 204 times

Re: Help with install Debian with security in mind.

#18 Post by Hallvor »

Please start your own thread.