Debian
Minimal instalation guide for old laptops
- Download ISO image
- Flash ISO image into USB stick
- dd if=debian-minimal.iso of=/dev/sdx; sync
- Setup BIOS to boot from USB
- Boot USB with ISO image
- Setup root password and add default user
- Setup Partitions using cfdisk
- For paranoid security we start defining several partitions.
- Lets imagine we have a 512GB Hard drive
- /boot/ - 200MB - IF BIOS EXT2/3/4 - IF UEFI FAT32
- / - 20GB EXT4
- /var - 20GB EXT4
- /var/log - 20GB EXT4
- /usr - 20GB EXT4
- /tmp - 10GB EXT4
- none - 2GB SWAP
- /home - 100%FREE
- We don’t select a default desktop
- Select SSH Server to boot with by default
- Install grub into your main hard drive
- Reboot and remove USB disk
- Connect to the machine with: ‘ssh user@host/ip’
- By default the default user is in the wheel group. We can su in: ‘su -l’
- Software Installation: apt update && apt upgrade -y
- Use ‘apt search’ to search packages, and ‘apt install’ to install them
- By default debian use the nano editor ( no vim ): ‘apt install vim’
I really like this example
wget https://raw.githubusercontent.com/sd65/MiniVim/master/vimrc
Install more useful software for our laptop
apt install \
cpufreq iptables tuned htop iotop strace lm-sensors fancontrol i2c-tools \
dosfstools git newsboat flawfinder pscan mutt msmtp isync irssi lynx elinks gnupg
- Manager boot services with: ‘update-rc.d’ / ‘service –status-all’
- Setup cpufreq with: ‘cpufreq-set -g powersave’ + echo “GOVERNATOR=’powersave’” » /etc/default/loadcpufreq
- Block kernel-image upgrades with: ‘apt-mark hold linux-image-{version}-{architecture}’
- Block kernel-headers upgrades with: ‘apt-mark hold linux-headers-{version}-{architecture}’
- Edit /etc/fstab and setup permissions to secure partitions
- /boot ro
- /home defaults,nosuid,nodev,async,auto
- /tmp defaults,nosuid,noexec,nodev
- /usr defaults,ro,nodev
- /var defaults,ro,nodev,nosuid
- /var/log defaults,nodev,nosuid,noexec
- Setup IPTables:
- https://tldp.org/HOWTO/Security-Quickstart-HOWTO/
- https://tldp.org/HOWTO/Security-HOWTO/
- https://tldp.org/HOWTO/IPCHAINS-HOWTO.html
- https://tldp.org/HOWTO/Firewall-HOWTO.html
- https://tldp.org/HOWTO/Secure-Programs-HOWTO/
- Don’t let root ssh into the machine
- ‘vim /etc/ssh/sshd config’: Permit root Login: NO
- From client-remove-machine do: ssh-copy-id .ssh/your_public_key.pub
- install postfix OR exim4 for Host-logging-reports
- Optional for security ( install SELinux modules or AppArmor )
- SELinux needs to be installed in Kernel ( default don’t have enable )
- AppArmor is the default security system, combined with PAN.
- If SELinux is wanted, you need to compile your own kernel.