STATUS: Frozen (2019-11-17)
No more updates for this guide.
Please refer to the TOC page.
Now we have hardened small read-only Debian.
Added: the DNS issue with the DHCP setting.
Let us connect to the Internet and run apt update && apt upgrade.
Find and choose your NIC
root# ls /sys/class/net # check your NIC name(s)
enpX lo
root# basename /sys/class/net/enpX >> /etc/network/interfaces # and memo it
From here on, assume enpX is the main NIC.
Setup the network
tier1.jp uses static IPs for desktop PCs, workstations, and local servers.
DHCP is used for mobile devices, within a DHCP range limited by the router.
- Set DHCP range limitation such as 192.168.1.2 ~ 192.168.1.32.
- You can use 192.168.1.33 ~ 192.168.1.255 for static IPs.
Say we are on our local network, behind the router 192.168.1.1.
Static IP case: An example
root# nano /etc/network/interfaces # edit it with the memo above
allow-hotplug enpX
iface enpX inet static
    address 192.168.1.X/24
    gateway 192.168.1.1
DHCP case: An example
root# nano /etc/network/interfaces
allow-hotplug enpX
iface enpX inet dhcp
DNS setup: An example
With a read-only "/", especially in the DHCP case, DNS must be set up manually.
root# nano /etc/resolv.conf
nameserver 192.168.1.1
DHCP may fail to set /etc/resolv.conf or related files, because it cannot write to /etc.
Please do add this tiny DNS setting file.
18.104.22.168 is Google Public DNS.
If you are interested, read the terms of use and try it.
APT source setups
Include/confirm the security line for APT.
If it is a server, exclude contrib and non-free, since the security team does not cover them.
root# nano /etc/apt/sources.list # remove the CD-ROM line and add these
deb http://deb.debian.org/debian stretch main
deb http://deb.debian.org/debian stretch-updates main
deb http://security.debian.org/ stretch/updates main
codename or stable/testing
tier1.jp recommends using a codename such as stretch.
If you use stable instead, one day your system will suddenly be upgraded drastically, when stable moves to the next release.
Read the release notes of the next Debian version first.
If you already have an APT-Cacher NG server,
root# nano /etc/apt/apt.conf.d/02-proxy
Acquire::http::Proxy "http://RAW-ACNG-SERVER-IP:3142/";
Acquire::http::Proxy DIRECT;
DIRECT is a fallback.
We have finished those settings. Now we should turn the system read-only again.
root# mount -o remount,ro /
root# findmnt # confirm /, /boot, /boot/efi, /usr, /usr/share are "ro"
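The findmnt confirmation above can be scripted. This is an added helper, not part of the original guide: it reads /proc/mounts-style lines on stdin, takes the list of mount points that must be read-only as its argument, and reports any that are still rw or missing. The mount list and the sample lines below are constructed for illustration.

```shell
#!/bin/sh
# check_ro_mounts MOUNTPOINTS
#   stdin : /proc/mounts-style lines ("device mountpoint fstype options dump pass")
#   $1    : space-separated mount points expected to be read-only
#   prints one line per problem; exit status 1 if any problem, 0 otherwise
check_ro_mounts() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        ($2 in need) {
            seen[$2] = 1
            split($4, opts, ",")
            ro = 0
            for (k in opts) if (opts[k] == "ro") ro = 1
            if (!ro) { print $2 " is rw (" $4 ")"; bad = 1 }
        }
        END {
            for (m in need) if (!(m in seen)) { print m " not mounted"; bad = 1 }
            exit bad
        }'
}

# Constructed sample: /usr was left rw after the remount, /tmp is rw by design
SAMPLE='/dev/sda2 / ext4 ro,relatime 0 0
/dev/sda1 /boot ext4 ro,relatime 0 0
/dev/sda3 /usr ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid 0 0'

# On the live system:
#   check_ro_mounts "/ /boot /boot/efi /usr /usr/share" < /proc/mounts
```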
Now, attach network cable.
We configured the network as "hot-pluggable", so neither a reboot nor ifup should be required.
If your NIC is not brought up, then
root# ip address # shows enpX has no address, then
root# ifup enpX
This is the first connection to the localnet (and the Internet.)
Never connect any network devices before these security settings.
Update the system
root# apt update
root# apt upgrade # the 01-remount script should work
At this moment, the system is ready to use.
Let us enable AppArmor. Please proceed to Next.