tier1.jp

Debian manual network and security settings

STATUS: Frozen (2019-11-17)

No more updates for this guide.

Please refer to the TOC page.

This chapter is not enough. This is minimum security.

However, you should at least do this, right after you install the system.

Rev12

Title tweaked.

Added some security notes and a network workaround, and tweaked the NIC name memo command (from the 2nd edition).

APT setups

Include/confirm the security line for APT.

Warning

If it is a server, exclude contrib and non-free, since the security team does not cover them.

Now we can use the deb.debian.org CDN.

root# nano /etc/apt/sources.list
deb http://deb.debian.org/debian stretch main
deb http://deb.debian.org/debian stretch-updates main
deb http://security.debian.org/ stretch/updates main

codename or stable/testing

tier1.jp recommends using a codename such as stretch.

If you use stable instead, one day a routine upgrade will suddenly and drastically move your system to the next release.

Read the release note of the next Debian version first.
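As an added example (not part of the tier1.jp guide), the shell script below audits a sources.list against the three points above: the security line for the codename must be present, a server should not pull contrib or non-free, and a codename should be used instead of stable/testing. The sample files written by make_apt_samples are constructed for this example; the "stretch/updates" suite name is the Debian 9 convention shown above.

```sh
#!/bin/sh
# Added example, not part of the tier1.jp guide: audit a sources.list
# against the rules above (security line present, no contrib/non-free on
# a server, a codename rather than "stable"/"testing").
#
# Usage: check_sources FILE CODENAME [server|desktop]
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_sources() {
    file=$1; codename=$2; role=${3:-desktop}; rc=0
    # Drop comments and keep only binary "deb" lines (deb-src lines are
    # never installed from, so they are not a runtime risk).
    lines=$(sed -e 's/#.*//' "$file" | grep -E '^[[:space:]]*deb[[:space:]]' || true)

    # 1. The security team publishes fixes on security.debian.org; on
    #    Debian 9 the suite is named "stretch/updates".
    if ! printf '%s\n' "$lines" | grep -qE "security\.debian\.org/?[[:space:]]+$codename/updates[[:space:]]"; then
        echo "MISSING: security line for $codename on security.debian.org"; rc=1
    fi
    # 2. contrib and non-free are outside the security team's coverage.
    if [ "$role" = server ] && printf '%s\n' "$lines" | grep -qE '[[:space:]](contrib|non-free)([[:space:]]|$)'; then
        echo "WARN: contrib or non-free enabled on a server"; rc=1
    fi
    # 3. A symbolic suite silently becomes the next release one day.
    if printf '%s\n' "$lines" | grep -qE '[[:space:]](stable|testing)(-updates)?[[:space:]]'; then
        echo "WARN: symbolic suite (stable/testing) instead of a codename"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}

# Constructed sample files: the three recommended lines, and a
# counter-example that breaks every rule.
make_apt_samples() {
    dir=$1
    cat > "$dir/good.list" <<'EOF'
deb http://deb.debian.org/debian stretch main
deb http://deb.debian.org/debian stretch-updates main
deb http://security.debian.org/ stretch/updates main
EOF
    cat > "$dir/bad.list" <<'EOF'
# a comment line that must be ignored
deb http://deb.debian.org/debian stable main contrib non-free
deb http://deb.debian.org/debian stable-updates main
deb-src http://deb.debian.org/debian stable main
EOF
}

tmp=$(mktemp -d)
make_apt_samples "$tmp"
check_sources "$tmp/good.list" stretch server
check_sources "$tmp/bad.list" stretch server
rm -rf "$tmp"
```

Run it against the real file with `check_sources /etc/apt/sources.list stretch server` after editing; a non-zero exit means something above still needs attention.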

APT with /tmp noexec (optional)

In short, let apt use an ephemeral tmpfs.

As a result, installs and upgrades will be fast, provided you have plenty of DRAM.

Warning

This is necessary if you mount /tmp with noexec.

This also requires enough DRAM and/or swap area.

Note

You can also (ab)use this method simply for fast APT operations.

4GB of DRAM can handle a GNOME install (gnome-core).

root# mkdir -p /srv/apt/temp # this mountpoint is an example.
root# nano /etc/apt/apt.conf.d/01-tempdir
APT::ExtractTemplates::TempDir "/srv/apt/temp";
DPkg {
  Pre-Invoke  { "mount -t tmpfs tmpfs /srv/apt/temp"; };
  Post-Invoke { "umount /srv/apt/temp"; };
};

Find and choose your NIC

root# ls /sys/class/net # check your NIC name(s),
enpX  lo
root# basename /sys/class/net/enpX >> /etc/network/interfaces # and memo it

From now on, assume enpX is the main NIC.

Setup the network

tier1.jp uses static IPs for desktop PCs, workstations, and local servers.

DHCP is used for mobile devices (within the DHCP range set on the router).

Say we are on our local network, behind the router 192.168.1.1.

Static IP case: An example

(The dns-nameservers line only takes effect when the resolvconf package is installed; without it, set /etc/resolv.conf by hand as in the DNS setup below.)

root# nano /etc/network/interfaces # edit it with the memo above
allow-hotplug enpX
iface enpX inet static
    address 192.168.1.X/24
    gateway 192.168.1.1
    dns-nameservers 192.168.1.1

DHCP case: An example

root# nano /etc/network/interfaces
allow-hotplug enpX
iface enpX inet dhcp

DNS setup: An example

root# nano /etc/resolv.conf
nameserver 192.168.1.1

8.8.8.8

8.8.8.8 is Google Public DNS.

If you are interested, read the terms of use, and try it.

Before you connect,

You should check some security settings before you connect to the Internet.

However, the methods we use are not the ordinary ones. Many people use sudo and/or su (with a wheel group).

  • We restrict securetty.
  • We don't use sudo, or if we must, we provide a restricted sudoers.
  • We don't use su with the so-called wheel system group.

The reason is simple: restrict root privilege to local (physical console) access.

In the 2nd edition we assume these settings to be our default.

Restrict securetty (optional)

Caution!

You need physical root console access under this setting.

NEVER DO THIS FOR REMOTE MACHINES WITHOUT KNOWING WHAT YOU DO.

First, re-login from your "securetty". Let us assume it is tty5.

root# exit
(change to tty5 and login as root)
root# w # make sure which tty you are using now.
(time) up (uptime), 1 user,  load average: (loads)
USER     TTY      FROM      LOGIN@   ...
root     tty5     -         (time)   ...

Then, tweak the securetty.

root# mv /etc/securetty /etc/securetty.orig
root# nano /etc/securetty
#tty1 # on desktop, used by gdm3, etc.
#tty2 # on desktop, tends to be used by users' xsessions (tty2-4)
#tty3
#tty4
tty5
tty6
# Add more and/or other ttys such as ttyS0 here, if you want.
# Each entry must be a bare tty name on its own line: pam_securetty compares
# the whole line with the tty name, so "tty6 # comment" would never match.

Restrict su by PAM (optional)

You can restrict users' su so that it cannot make them the superuser.

root# nano /etc/pam.d/su
auth required pam_wheel.so # uncomment this

Caution!

Combined with the securetty setting above, you can only obtain root privilege from a physical securetty console.
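The following is an added example, not part of the tier1.jp guide: a small audit of the two files the optional steps above touch, /etc/securetty and /etc/pam.d/su, reporting from where root can be obtained. It also catches the trap that pam_securetty matches each line as a whole, so an entry with a trailing comment silently allows nothing. The sample files written by make_root_access_samples are constructed for this example (the pam.d/su excerpt is minimal, not the full Debian file).

```sh
#!/bin/sh
# Added example, not part of the tier1.jp guide: audit /etc/securetty and
# /etc/pam.d/su and report where root can be obtained from.
#
# Usage: audit_root_access SECURETTY_FILE PAM_SU_FILE
# Returns 0 when both restrictions are in place and every securetty entry
# is usable, 1 otherwise.
audit_root_access() {
    securetty=$1; pamsu=$2; rc=0
    echo "root console login allowed on:"
    # pam_securetty compares each line of the file as a whole against the
    # tty name, so "tty6 # comment" or "tty6 " never matches anything:
    # flag such entries instead of counting them as allowed.
    grep -vE '^[[:space:]]*(#|$)' "$securetty" | while IFS= read -r line; do
        case $line in
            *[[:space:]#]*) echo "  IGNORED (not a bare tty name): $line" ;;
            *)              echo "  $line" ;;
        esac
    done
    ignored=$(grep -vE '^[[:space:]]*(#|$)' "$securetty" | grep -cE '[[:space:]#]' || true)
    [ "$ignored" -eq 0 ] || rc=1

    # An active "auth required pam_wheel.so" line gates su to root on group
    # membership (group wheel, or the root group when no wheel group exists);
    # commented out, any user who knows the root password may su.
    if grep -qE '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$pamsu"; then
        echo "su to root: pam_wheel active (group-restricted)"
    else
        echo "su to root: NOT restricted (pam_wheel line absent or commented)"; rc=1
    fi
    return "$rc"
}

# Constructed sample files for the demo and the checks.
make_root_access_samples() {
    dir=$1
    # securetty as in the walkthrough, but with one entry carrying a
    # trailing comment (the trap the audit catches).
    cat > "$dir/securetty" <<'EOF'
#tty1
#tty2
tty5
tty6 # and more ttys if you want
EOF
    # Same file with bare names only.
    printf 'tty5\ntty6\n' > "$dir/securetty_clean"
    # pam.d/su with the pam_wheel line uncommented, and the default state.
    printf 'auth       sufficient pam_rootok.so\nauth       required   pam_wheel.so\n@include common-auth\n' > "$dir/su"
    printf 'auth       sufficient pam_rootok.so\n# auth       required   pam_wheel.so\n@include common-auth\n' > "$dir/su_default"
}

tmp=$(mktemp -d)
make_root_access_samples "$tmp"
audit_root_access "$tmp/securetty" "$tmp/su"
audit_root_access "$tmp/securetty_clean" "$tmp/su_default"
rm -rf "$tmp"
```

On the real box, `audit_root_access /etc/securetty /etc/pam.d/su` before rebooting tells you whether the files say what you think they say; do this from the console you intend to keep.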

Finalize

Reboot the box.

root# reboot -n

Check everything okay

root# journalctl

You can ignore the "kvm disabled" error if you disabled virtualization in the BIOS.

If you chose the securetty and PAM restrictions, let's check them now.

Assuming we only have tty5 in securetty and the PAM su restriction is enabled:

Debian GNU/Linux 9 hostname ttyN (N != 5)

hostname login: root

Login incorrect

securetty works: no password prompt, just a plain failure.

Change the console to tty5 by hitting Ctrl+Alt+F5.

Debian GNU/Linux 9 hostname tty5

hostname login: root
password: (enter it)
(motd shown)
root@hostname:~#

securetty confirmed.

Next, PAM su restriction.

Debian GNU/Linux 9 hostname ttyX

hostname login: user
password: (enter it)
user@hostname:~$ su -
Password: (enter root password)
su: Permission denied

PAM works fine. The password is correct but rejected by permission.

You can confirm it in the syslog.

root# journalctl
...
date hostname login[PID]: pam_securetty(login:auth) access denied: tty `...` is not secure !
...
date hostname su[PID]: pam_authenticate: Permission denied
date hostname su[PID]: FAILED su for root by user

In this scenario, you can only get a root login on tty5, and nobody can become root by su even if they know the root password.
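As an added example (not from the tier1.jp guide), here is a way to summarise the two kinds of events in the journal excerpt above from a saved log file (for instance `journalctl --no-pager > file`, or /var/log/auth.log). The sample lines are constructed in the format of those messages; the hostname, PIDs and user names are made up.

```sh
#!/bin/sh
# Added example, not part of the tier1.jp guide: count root-access events
# of the two kinds shown above from a text log file.

# Root logins refused by pam_securetty, counted per tty ("tty count").
securetty_denials() {
    sed -n 's/.*pam_securetty(login:auth) access denied: tty .\([A-Za-z0-9]*\).*/\1/p' "$1" \
        | sort | uniq -c | awk '{ print $2, $1 }'
}

# Failed su to root, counted per calling user ("user count").
failed_su_to_root() {
    sed -n 's/.*su\[[0-9]*]: FAILED su for root by \([^ ]*\).*/\1/p' "$1" \
        | sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample log in the journal format shown above. On a box set up
# as in this guide every such line deserves a look: root must come from
# tty5, and nobody should be trying su -.
make_sample_log() {
    cat > "$1" <<'EOF'
Nov 17 09:00:01 hostname login[812]: pam_securetty(login:auth) access denied: tty `tty2' is not secure !
Nov 17 09:00:09 hostname login[815]: pam_securetty(login:auth) access denied: tty `tty2' is not secure !
Nov 17 09:00:30 hostname login[820]: pam_securetty(login:auth) access denied: tty `tty3' is not secure !
Nov 17 09:01:10 hostname su[901]: pam_authenticate: Permission denied
Nov 17 09:01:10 hostname su[901]: FAILED su for root by user
Nov 17 09:02:00 hostname su[930]: FAILED su for root by bob
Nov 17 09:02:05 hostname su[930]: FAILED su for root by bob
Nov 17 09:03:00 hostname CRON[940]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

tmp=$(mktemp)
make_sample_log "$tmp"
echo "securetty denials per tty:";  securetty_denials "$tmp"
echo "failed su to root per user:"; failed_su_to_root "$tmp"
rm -f "$tmp"
```

Both functions print nothing on a quiet system, which makes them convenient to run from a periodic job: any output is something to explain.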

Warning

If you install sudo and add a user to the sudo group, they can do anything. Never do it.

Edit sudoers if you install sudo. Allow the fewest commands possible; NO ALL.

First connection

Now, attach network cable.

We configured the network as hotpluggable (allow-hotplug), so neither a reboot nor ifup should be required.

If your NIC is not brought up, then,

root# ip address # shows enpX has no address, then
root# ifup enpX

This would be the first connection to the localnet (and the Internet.)

Order matters

Never connect any network devices before these security settings.

Update the system

root# apt update
root# apt upgrade

A goal

At this moment, the system is ready to use.

Congratulations.

You may add some more security settings such as below, or take a rest.

Baseline security check (optional)

root# apt install chkrootkit clamav
root# chkrootkit | more # check nothing infected
root# dpkg-reconfigure clamav-freshclam # read and answer

Note

If you do not use clamd, answer "No" to "clamd be notified after update?"

This setting does not provide on-access scanning.

You have to scan manually.

To scan recursively and make it report only infected files,

user$ clamscan -i -r SOMEPATH

Firewall

Firewalls are difficult. The basic approach is to DROP everything, then explicitly ACCEPT what you need, using conntrack and hashlimit.

root# apt install iptables-persistent

Note

This package only provides scripts that persist firewall settings. You need to write the rules yourself.

Firewalls vary and can be complicated; they are not covered in this guide.
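The guide leaves the actual rules to you. As an added illustration that is not from tier1.jp, the script below writes an iptables-restore file in the format iptables-persistent loads from /etc/iptables/rules.v4, following exactly the pattern named above: default DROP, explicit ACCEPT per service, conntrack for return traffic, and hashlimit to rate-limit new connections per source address. The port list is a placeholder argument and the rate values are assumptions to adjust for your service; a small checker confirms the file keeps the DROP-all shape.

```sh
#!/bin/sh
# Added example, not part of the tier1.jp guide: generate and sanity-check
# an iptables-restore file for /etc/iptables/rules.v4.
#
# Usage: write_baseline_rules OUTFILE [TCP_PORT ...]
write_baseline_rules() {
    out=$1; shift
    {
        echo '*filter'
        # Default policies: nothing in, nothing forwarded, everything out.
        echo ':INPUT DROP [0:0]'
        echo ':FORWARD DROP [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        # Loopback, and replies to connections this host started.
        echo '-A INPUT -i lo -j ACCEPT'
        echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
        echo '-A INPUT -m conntrack --ctstate INVALID -j DROP'
        # Ping, rate-limited per source address (rates are assumptions).
        echo '-A INPUT -p icmp --icmp-type echo-request -m hashlimit --hashlimit-upto 5/second --hashlimit-burst 10 --hashlimit-mode srcip --hashlimit-name ping -j ACCEPT'
        # One explicit ACCEPT per service; new connections limited per source.
        for port in "$@"; do
            echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m hashlimit --hashlimit-upto 10/minute --hashlimit-burst 20 --hashlimit-mode srcip --hashlimit-name tcp$port -j ACCEPT"
        done
        echo 'COMMIT'
    } > "$out"
}

# Sanity check of a rules file: INPUT defaults to DROP, the conntrack
# ACCEPT for established traffic is present, and the table is committed.
# Returns 0 when all three hold.
check_baseline_rules() {
    grep -q '^:INPUT DROP' "$1" &&
    grep -q -- '--ctstate ESTABLISHED,RELATED -j ACCEPT' "$1" &&
    [ "$(tail -n 1 "$1")" = COMMIT ]
}

tmp=$(mktemp)
write_baseline_rules "$tmp" 22   # 22 is only a placeholder service port
check_baseline_rules "$tmp" && cat "$tmp"
rm -f "$tmp"
```

As root, `iptables-restore --test < rules.v4` parses the file without applying it; once it is in /etc/iptables/rules.v4, iptables-persistent loads it at boot. Keep a console session open the first time you apply it to a remote machine.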

APT consistency

There is much other system consistency checking software, such as tripwire; debsums is an easy way.

First, you need to initialize.

root# apt install debsums
root# debsums_init

Then, from time to time, run a system check:

root# debsums -s

SELinux or AppArmor

Warning

This guide is not enough. At least install SELinux or AppArmor.

tier1.jp recommends AppArmor.

Debian buster chose AppArmor and enables it by default, but we should still do more to make it practical.

Note

If you create and/or edit your AppArmor profiles, you should have at least 2GB for /var/log, since it produces tons of audit logs.

Also, you should set the maxsize setting in logrotate.

AppArmor Setup Example

The Debian Administrator's Handbook is a little bit long and tricky.

Here is a short and simple summary.

Install AppArmor packages

root# apt install apparmor{,-utils,-profiles,-profiles-extra}
root# nano /etc/default/grub # add apparmor parameters
GRUB_CMDLINE_LINUX="apparmor=1 security=apparmor"
root# update-grub && reboot -n

Check AppArmor status

After (root) login,

root# aa-enabled
Yes (it works now.)

Going further

Not many AppArmor profiles are provided, and it is very difficult to create universal ones.

You should consider creating your own.

Tip

If you create your own AppArmor profiles, you'd better do it one at a time.

Also, consider executing logrotate -f YOURCONFIG before you create another profile.

tier1.jp will write about it in the future, but not in this guide.

A milestone

You can stop using this guide on this stage.

  • You now have a small secure Debian GNU/Linux base system.
  • If you are interested, keep going "Next".

Thank you for reading this. Have a nice day.
