@ChristopherA
Last active December 12, 2017 07:06
Debian 9 Initial Install

Add additional sources

$ sudo nano /etc/apt/sources.list

Add the contrib and non-free components

$ sudo apt-get update

Before you install other tools, you should run the following commands to get all the latest patches:

$ export DEBIAN_FRONTEND=noninteractive
$ sudo apt-get update
$ sudo apt-get upgrade -y
$ sudo apt-get dist-upgrade -y

This process will take several minutes. Take a break. Have an espresso.

Finally, we highly suggest that you set upgrades to be automatic, so that you stay up to date on updates in the future:

$ echo "unattended-upgrades unattended-upgrades/enable_auto_updates boolean true" | sudo debconf-set-selections
$ sudo apt-get -y install unattended-upgrades

Install haveged for better randomness, especially on VM instances

(See https://unix.stackexchange.com/questions/395316/install-firefox-quantum-in-debian-9-stretch)

$ sudo apt-get install haveged -y

Turn off PermitRootLogin in sshd_config (set it to `PermitRootLogin no`), then restart the daemon

$ sudo nano /etc/ssh/sshd_config

$ sudo service sshd restart

If running as VMware machine, install VMware Tools

$ sudo apt-get install open-vm-tools open-vm-tools-desktop
$ vmware-user-suid-wrapper

IPTables

$ sudo tee /etc/iptables.firewall.rules > /dev/null <<'EOF'
*filter

#  Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT

#  Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allow all outbound traffic - you can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# If you want HTTP and HTTPS, uncomment these

#  Allow SSH connections
#
#  The -dport number should be the same port number you set in sshd_config
#
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT

#  Allow ping
-A INPUT -p icmp -j ACCEPT

# Allow Bitcoin connections
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 8333 -j ACCEPT
-A INPUT -p tcp --dport 18333 -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

#  Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

#  Drop all other inbound - default deny unless explicitly allowed policy
-A INPUT -j DROP
-A FORWARD -j DROP

COMMIT
EOF

Most work is still done on IPv4 networks, but the following will establish the same rules for IPv6. Two things must be translated: the loopback network 127.0.0.0/8 becomes ::1/128, and the ping rule must use the ipv6-icmp protocol, since plain icmp is the IPv4 protocol and is not what ip6tables needs:

$ sed 's/127\.0\.0\.0\/8/::1\/128/; s/-p icmp/-p ipv6-icmp/' /etc/iptables.firewall.rules | sudo tee /etc/ip6tables.firewall.rules > /dev/null

Afterward, you need to create a file that will run both of these on startup:

$ sudo tee /etc/network/if-pre-up.d/firewall > /dev/null <<'EOF'
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules
/sbin/ip6tables-restore < /etc/ip6tables.firewall.rules
EOF
$ sudo chmod a+x /etc/network/if-pre-up.d/firewall

Finally, you should immediately run that:

$ sudo /etc/network/if-pre-up.d/firewall
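The comment in the rules file warns that the SSH --dport must match the Port set in sshd_config, and a default-deny ruleset that gets this wrong locks you out of the machine. The following check is added here and is not part of the gist: it reads both files, refuses to pass when they disagree, and dry-runs the ruleset with iptables-restore --test before you load it. The function names and the idea of running it just before the firewall script are this example's own choices.

```shell
#!/bin/sh
# Added check (not part of the gist): before loading the firewall, confirm
# the SSH port the rules ACCEPT matches the Port sshd is configured with,
# so the ruleset cannot lock you out. Function names are this example's own.

# sshd_port FILE: prints the first uncommented "Port N" (sshd takes the
# first match); falls back to sshd's own default of 22 if none is set.
sshd_port() {
    port=$(awk 'tolower($1) == "port" { print $2; exit }' "$1")
    echo "${port:-22}"
}

# rules_accept_tcp_port FILE PORT: exit 0 if an INPUT rule accepts tcp/PORT.
rules_accept_tcp_port() {
    grep -Eq "^-A INPUT .*-p tcp .*--dport $2"'( |$).*-j ACCEPT' "$1"
}

# check_ssh_not_locked_out SSHD_CONFIG RULES: exit 0 when the ruleset
# accepts sshd's port, 1 (with a message on stderr) when it does not.
check_ssh_not_locked_out() {
    p=$(sshd_port "$1")
    if rules_accept_tcp_port "$2" "$p"; then
        echo "ok: $2 accepts tcp/$p, matching Port in $1"
        return 0
    fi
    echo "LOCKOUT RISK: sshd listens on tcp/$p but $2 has no ACCEPT for it" >&2
    return 1
}

# syntax_check_rules RULES: parse the file without committing it
# (iptables-restore --test); needs root, so it is skipped otherwise.
syntax_check_rules() {
    if [ "$(id -u)" = 0 ] && command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$1"
    else
        echo "skipping iptables-restore --test (run as root with iptables installed)"
    fi
}

# Typical use on the real files, as the last step before running
# /etc/network/if-pre-up.d/firewall:
#   check_ssh_not_locked_out /etc/ssh/sshd_config /etc/iptables.firewall.rules \
#       && syntax_check_rules /etc/iptables.firewall.rules
```

Keep an existing SSH session open while you load the rules for the first time; if the check passes but something else goes wrong, that session survives long enough to flush the ruleset.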

Git

$ sudo apt-get install git

Solarized Mate Terminal

$ sudo apt-get install dconf-cli   # needed by solarized
$ mkdir -p ~/projects/github && cd ~/projects/github
$ git clone git@github.com:oz123/solarized-mate-terminal.git
    # https://github.com/oz123/solarized-mate-terminal/blob/master/solarized-mate.sh
$ cd solarized-mate-terminal
$ bash solarized-mate.sh

Quit mate-terminal, re-open, change default to solarized dark

eval "`dircolors ~/.dircolors`"

my dotfiles

$ sudo apt-get install stow   # stow symlinks the dotfiles into the parent of .dotfiles
$ cd ~
$ git clone git@github.com:ChristopherA/dotfiles.git .dotfiles
$ mv ~/.bashrc ~/.bashrc.old
$ mv ~/.gitconfig ~/.gitconfig.old
$ mv ~/.profile ~/.profile.old
$ cd .dotfiles
$ stow 0-shell
$ stow 0-shell-debian

other advice

https://linuxpanda.wordpress.com/2016/12/31/things-to-do-after-installing-debian-stretch/
