Hardening our Debian Desktop for More Secure Daily Work and Enhanced Privacy

In this blog post, we will explore some of the steps we can take to harden our Debian desktop for more secure daily work and enhanced privacy. Hardening is the process of reducing the attack surface and increasing the resilience of a system by applying security measures and best practices. By hardening our Debian desktop, we can protect our data, identity, and communication from malicious actors and unwanted surveillance.

Some of the topics we will cover are:

  • Encrypting our disk and home directory
  • Setting up a firewall and AppArmor
  • Installing security updates and using trusted repositories
  • Using strong passwords and a password manager
  • Avoiding unnecessary services and software
  • Using Tor and VPN for anonymous browsing
  • Using encryption and authentication for email and chat

Encrypting our disk and home directory

One of the most important steps to harden our Debian desktop is to encrypt our disk and home directory. Encryption is the process of transforming data into an unreadable form that can only be decrypted with a secret key. By encrypting our disk and home directory, we can prevent unauthorized access to our files, even if our device is lost, stolen, or compromised.

To encrypt our disk, we can use the LUKS (Linux Unified Key Setup) tool, which is integrated with the Debian installer. During the installation process, we can choose to encrypt the entire disk or a specific partition. We will need to enter a passphrase to unlock the encrypted disk every time we boot our system.

To encrypt our home directory, we can use the ecryptfs tool, which is also available in the Debian installer. Alternatively, we can install it later with the command:

apt install ecryptfs-utils

To set up ecryptfs, we can run the command:

ecryptfs-migrate-home -u username

where username is our login name. This will create an encrypted copy of our home directory and mount it over the original one. We will need to enter our login password to access our encrypted home directory every time we log in.

Setting up a firewall and AppArmor

Another step to harden our Debian desktop is to set up a firewall and AppArmor. A firewall is software or a hardware device that filters incoming and outgoing network traffic based on rules and policies. By setting up a firewall, we can block unwanted connections and limit the exposure of our system to potential attacks.

To set up a firewall on Debian, we can use the ufw (Uncomplicated Firewall) tool, which provides a simple and user-friendly interface to manage iptables, the underlying firewall system in Linux. To install ufw, we can run the command:

apt install ufw

To enable ufw, we can run the command:

ufw enable

To check the status of ufw, we can run the command:

ufw status

To allow or deny a specific port or service, we can use commands like:

ufw allow ssh
ufw deny telnet

To allow or deny a specific IP address or subnet, we can use commands like:

ufw allow from 192.168.1.0/24
ufw deny from 10.0.0.0/8
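
After applying rules like the ones above, it helps to confirm what the firewall actually enforces. The following script is an added example, not part of the original post: it reads the output of "ufw status verbose" and reports an inactive firewall, a permissive default for incoming traffic, and any port allowed from Anywhere. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit "ufw status verbose" output for a desktop baseline.
# On a real system (as root): ufw status verbose | audit_ufw

audit_ufw() {
    awk '
    /^Status:/  { active = ($2 == "active") }
    /^Default:/ { incoming = $2 }     # "deny" in "Default: deny (incoming), ..."
    # Rule rows look like "<to>  ALLOW IN  <from>"; collect those open to Anywhere.
    /ALLOW( IN)?[ \t]+Anywhere/ { wide[++n] = $1 }
    END {
        if (!active) print "FAIL firewall is not active"
        if (incoming != "deny" && incoming != "reject")
            print "FAIL default incoming policy is " (incoming == "" ? "unknown" : incoming)
        for (i = 1; i <= n; i++) print "WARN " wide[i] " is allowed from Anywhere"
    }'
}

# Constructed sample output, modelled on the rules shown on this page.
sample_ufw_status() {
    cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
Anywhere                   ALLOW IN    192.168.1.0/24
Anywhere                   DENY IN     10.0.0.0/8
EOF
}

sample_ufw_status | audit_ufw
```

On the sample, only the SSH rule is reported, because it is reachable from every address while the subnet rule is not.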

AppArmor is a security module that enforces mandatory access control (MAC) policies on processes and files. By setting up AppArmor, we can restrict what applications can do and access on our system, preventing them from performing unauthorized actions or exploiting vulnerabilities.

To set up AppArmor on Debian, we can install it with the command:

apt install apparmor apparmor-profiles apparmor-utils

To enable AppArmor by putting its profiles into enforce mode, we can run the command:

aa-enforce /etc/apparmor.d/*

To check the status of AppArmor, we can run the command:

aa-status

To create or edit AppArmor profiles for specific applications, we can use tools like:

aa-genprof firefox
aa-logprof
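
Loading a profile does not confine everything at once: a profile left in complain mode only logs, and a process started before its profile was loaded stays unconfined until it is restarted. The following script is an added example, not part of the original post: it filters the output of aa-status down to those two cases. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list what "aa-status" reports as not actually confined.
# On a real system (as root): aa-status | audit_aa_status

audit_aa_status() {
    awk '
    NF == 0 { next }
    /^[0-9]+ profiles are in complain mode/ { sec = "complain"; next }
    /^[0-9]+ processes are unconfined but have a profile defined/ { sec = "unconfined"; next }
    /^[^ \t]/ { sec = ""; next }      # any other unindented line opens another section
    sec == "complain"   { print "WARN complain-mode profile (logs, does not block): " $1 }
    sec == "unconfined" { print "WARN running unconfined until restarted: " $1 }
    '
}

# Constructed sample output in the layout aa-status prints.
sample_aa_status() {
    cat <<'EOF'
apparmor module is loaded.
4 profiles are loaded.
3 profiles are in enforce mode.
   /usr/bin/evince
   /usr/bin/man
   /usr/sbin/cupsd
1 profiles are in complain mode.
   /usr/sbin/dnsmasq
2 processes have profiles defined.
1 processes are in enforce mode.
   /usr/sbin/cupsd (612)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/bin/evince (2044)
EOF
}

sample_aa_status | audit_aa_status
```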

Installing security updates and using trusted repositories

A third step to harden our Debian desktop is to install security updates and use trusted repositories. Security updates are patches that fix bugs or vulnerabilities in software that could compromise our system’s security or functionality. By installing security updates regularly, we can keep our system up-to-date and protected from known threats.

To install security updates on Debian, we can use apt (Advanced Package Tool), which manages software packages on our system. To update the list of available packages from the repositories, we can run the command:

apt update

To upgrade all installed packages to their latest versions, we can run the command:

apt upgrade

To upgrade only packages that have security updates available, we can run the command:

apt upgrade -t buster-security

where buster-security is the codename of the Debian security repository for the current stable release. We can also configure apt to automatically install security updates by installing the unattended-upgrades package and editing the /etc/apt/apt.conf.d/50unattended-upgrades file.

Repositories are sources of software packages that apt uses to install, update, or remove software on our system. By using trusted repositories, we can ensure that the software we install is authentic, verified, and compatible with our system.

To use trusted repositories on Debian, we can edit the /etc/apt/sources.list file and add or remove lines that specify the repository URLs, codenames, and components. For example, a typical sources.list file for Debian 10 (buster) looks like:

deb http://deb.debian.org/debian buster main
deb-src http://deb.debian.org/debian buster main

deb http://security.debian.org/debian-security buster/updates main
deb-src http://security.debian.org/debian-security buster/updates main

deb http://deb.debian.org/debian buster-updates main
deb-src http://deb.debian.org/debian buster-updates main

The first two lines refer to the main Debian repository, which contains free software that is officially supported by the Debian project. The third and fourth lines refer to the Debian security repository, which contains security updates for the stable release. The fifth and sixth lines refer to the Debian updates repository, which contains packages that are not included in the initial release but are added later.

We can also add other repositories, such as backports, which contain newer versions of software that are not available in the stable release, or third-party repositories, which contain software that is not maintained by the Debian project. However, we should be careful when adding other repositories, as they may not be compatible with our system or may contain malicious or unverified software. We should always verify the authenticity and integrity of the repositories we add by using GPG (GNU Privacy Guard) keys and signatures.
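
Signature checks can be weakened per repository by options written in the source line itself, so a periodic review of sources.list is worthwhile. The following script is an added example, not part of the original post: it flags entries that use the trusted=yes, allow-insecure=yes or allow-weak=yes options described in sources.list(5), and lists hosts other than the two Debian hosts used above along with whether they are tied to a key through signed-by. The function names, the example.org and example.com hosts and the keyring path are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one-line-style APT sources for weakened repository trust.
# On a real system: audit_sources < /etc/apt/sources.list

audit_sources() {
    awk '
    $1 != "deb" && $1 != "deb-src" { next }   # skips comments, blanks, other text
    {
        opts = ""; uri = $2
        if ($2 ~ /^\[/) {                      # option block: [key=value ...]
            for (i = 2; i <= NF; i++) { opts = opts " " $i; if ($i ~ /\]$/) break }
            uri = $(i + 1)
        }
        # Options that switch off or weaken signature checks, see sources.list(5).
        if (opts ~ /trusted=yes/)        print "HIGH", NR, "trusted=yes skips signature verification"
        if (opts ~ /allow-insecure=yes/) print "HIGH", NR, "allow-insecure=yes accepts an unsigned repository"
        if (opts ~ /allow-weak=yes/)     print "MEDIUM", NR, "allow-weak=yes accepts weak signatures or hashes"
        # Hosts other than the two Debian ones used on this page count as third-party.
        host = uri; sub(/^[a-z+]+:\/\//, "", host); sub(/\/.*$/, "", host)
        if (host != "deb.debian.org" && host != "security.debian.org") {
            if (opts ~ /signed-by=/) print "INFO", NR, "third-party host " host " is pinned with signed-by"
            else                     print "MEDIUM", NR, "third-party host " host " has no signed-by key"
        }
    }'
}

# Constructed sample: two Debian entries and two hypothetical third-party ones.
sample_sources() {
    cat <<'EOF'
deb http://deb.debian.org/debian buster main
deb http://security.debian.org/debian-security buster/updates main
deb [trusted=yes] http://repo.example.org/debian buster main
deb [arch=amd64 signed-by=/usr/share/keyrings/vendor-archive-keyring.gpg] https://pkg.example.com/apt stable main
EOF
}

sample_sources | audit_sources
```

Each finding is printed as severity, line number and reason, so the output can be compared between runs to spot newly added sources.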

Using strong passwords and a password manager

A fourth step to harden our Debian desktop is to use strong passwords and a password manager. Passwords are secret strings of characters that we use to authenticate ourselves to various services and applications. By using strong passwords, we can prevent unauthorized access to our accounts and data.

A strong password should:

  • Be at least 12 characters long
  • Contain a mix of uppercase and lowercase letters, numbers, and symbols
  • Be unique and not reused for different services or applications
  • Be random and not based on personal or predictable information

To create strong passwords, we can use tools like pwgen or diceware, which generate random passwords based on various criteria. Alternatively, we can use passphrases, which are sentences or phrases that are easy to remember but hard to guess.

A password manager is a software application that stores and manages our passwords in a secure and encrypted way. By using a password manager, we can avoid writing down or memorizing our passwords, as well as typing them manually every time we need them.

To use a password manager on Debian, we can install one of the many available options, such as KeePassXC, Bitwarden, or LastPass. To use KeePassXC, for example, we can run the command:

apt install keepassxc

To create a new database for storing our passwords, we can launch KeePassXC and click on “Create new database”. We will need to enter a master password that will unlock our database. We should make sure that our master password is very strong and secure, as it is the only thing that protects our database from unauthorized access.

To add a new entry for a service or application, we can click on “Add entry” and fill in the details, such as title, username, password, URL, notes, etc. We can also generate a random password by clicking on the dice icon next to the password field. We can also organize our entries into groups or categories by using folders.

To access our passwords when we need them, we can either copy them to the clipboard by clicking on the copy icon next to each field or use the auto-type feature by selecting an entry and pressing Ctrl+V. We can also sync our database across multiple devices by using cloud storage services like Dropbox or Google Drive.

Avoiding unnecessary services and software

A fifth step to harden our Debian desktop is to avoid unnecessary services and software. Services are programs that run in the background and perform various tasks on our system. Software is the set of programs that we install and use on our system. By avoiding unnecessary services and software,
