Securing Debian HOWTO: Before and during the installation

-->

Securing Debian HOWTO: Before and during the installation Next Previous Contents

2. Before and during the installation

2.1 Choose a BIOS password

Before you install any operating system on your computer, set up a BIOS password and change the boot sequence to disable booting from a floppy. Otherwise a cracker only needs a bootdisk to access your entire system.

Disabling booting without a password is even better. This can be very effective if you run a server, because it is not rebooted very often. The downside to this last tactic is that rebooting requires human intervention which can cause problems if the machine is not easily accessible.

2.2 Choose an intelligent partition scheme

An intelligent partition scheme depends on the how the machine is used. A good rule of thumb is to be fairly liberal with your partitions and to pay attention to the following factors:

Any partition a user has write permissions to, should be a separate partition, e.g. /home and /tmp. This reduces the risk of a user DoS by filling up your "/" mount point and rendering the system unusable.
Any partition which can fluctuate, e.g. /var (especially /var/log). In Debian context you should create /var a little bit bigger than normal because downloaded packages (the apt cache) are stored in /var/apt/cache/archives.
Any partition where you want to install non-distribution software. According to the File Hierarchy Standard this is /opt or /usr/local. If these are separate partitions, they will not be erased if you reinstall.

2.3 Set a root password

Setting a good root password is the most basic requirement for having a secure system.

2.4 Activate shadow passwords and MD5 passwords

At the end of the installation, you will be asked if shadow passwords should be enabled. Answer yes to this question, so passwords will be kept in the file /etc/shadow. Only the root user and the group shadow have read access to this file, so no users will be able to grab a copy of this file in order to run a password cracker against it. You can switch between shadow passwords and normal passwords at any time by using 'shadowconfig'. Furthermore you are queried during installation whether you want to use MD5 hashed passwords. This is generally a very good idea since it allows longer passwords and better encryption.

2.5 Run the minimum number of services required

You should not install services on your machine, which are not needed. Every installed service introduces new, perhaps not obvious, but existent security holes to your machine. If you still want to have some services but you use these rarely, use the update-commands, e.g. 'update-inetd' for removing them from the startup process. This section needs a list of services,and what they do and the risk level involved, as newbies don't have a clue, what is considered a security risk.

2.6 Read the debian security mailinglists

It is never wrong to take a look at either the debian-security-announce mailinglist, where advisories and fixes to released packages are announced by the Debian security team or to debian-security@lists.debian.org, where you can participate about discussing debian security related things.

Next Previous Contents