I find Debian to be one of the best Linux distros available. End users should generally run either the stable or the testing version of Debian. Testing is recommended for advanced users who want new software on their desktops and who are capable of reporting and fixing bugs to help Debian.
The stable version is recommended for applications requiring production-level stability and security (servers, firewalls, etc.) and also for those who are new to Linux. The stable version has the support of the Debian security team.
The latest stable version of Debian, released on 2021-08-14, is Debian 11 with the codename Bullseye. After installing it, I need to spend some time customizing it to my requirements, so I am going to share my notes with you and hope you find them useful. In general, my first steps after installing Debian include installation and configuration of the following:
- Adding user to sudo group
- Packages update
- Vim editor, Bash path
- Chrome and Tor
- VirtualBox and Qemu/kvm
- GNS3, Wireshark, Ubridge, Scapy
- KolourPaint and VLC
- nftables - IPv4 and IPv6 firewall
- ClamAV Antivirus
1. Add user 'brezular' to sudo group
We need to add the user to the sudo group to allow the user to execute commands as root.
$ su
# /sbin/usermod -a -G sudo brezular
User brezular has been added to the group sudo (Figure 1). The command 'groups' lists all the groups to which user brezular belongs.
Figure 1 - List Groups where User Brezular is Assigned
As we can see, the user brezular is not yet shown as a member of the sudo group (Figure 1). We need either to log out and log in again from the GUI, or to use 'su' in the terminal to log in as yourself again.
$ su brezular
In the new session 'brezular' will be shown as member of the sudo group (Figure 2).
Figure 2 - List Groups where User Brezular is Assigned
2. Updating Debian OS and Applications
Update package list:
$ sudo apt update -y
In our case Debian has been installed from a DVD. We need to comment out or delete the line containing the CD-ROM repo in /etc/apt/sources.list so we can update the package list (Figure 3).
$ sudo vi /etc/apt/sources.list
Figure 3 - Original Debian 11 Repository List with CD-ROM Repo After Install
Remove the red-framed line. Add the contrib and non-free repos, and add Debian Backports so we can install a new kernel and packages with new features on supported Debian stable releases (Figure 4).
Figure 4 - Modified Debian 11 Repository List
Rerun the update and upgrade the packages:
$ sudo apt update -y
$ sudo apt upgrade -y
Note: All backports are deactivated by default so that the normal operation of a stable installation will not be compromised with potentially disruptive changes (such as incompatible configuration schema).
To install something from backports, run:
$ sudo apt install <package>/bullseye-backports
3. Vim Editor, Bash Path
3.1 Vim Editor
Vim is my favorite editor; if you do not use it, skip this section and move on to the next step.
$ sudo apt install vim
Configure vim to enable copy and pasting outside vim.
$ echo "set mouse=r" >> ~/.vimrc
Do the same for the root user:
$ echo "set mouse=r" | sudo tee -a /root/.vimrc
3.2 Bash Path
Make binaries located in /usr/sbin available to a non-root user without specifying an absolute path.
$ echo 'export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' >> ~/.bash_profile
4. Internet Browsers
4.1 Chrome
$ wget https://dl.google.com/linux/direct/google-chrome-stable_current_amd64.deb
$ sudo apt install ./google-chrome-stable_current_amd64.deb
The Google repository file /etc/apt/sources.list.d/google-chrome.list has been created.
4.2 Tor from Source
Install Tor Browser using the latest archive from the downloads page.
$ cd Downloads
$ wget https://dist.torproject.org/torbrowser/12.0a4/tor-browser-linux64-12.0a4_ALL.tar.xz
$ tar xvf tor-browser-linux64-12.0a4_ALL.tar.xz
$ cd tor-browser/
Start Tor Browser and register the desktop icon.
$ ./start-tor-browser.desktop --register-app
The Tor icon has been added to Applications -> Internet in the K Desktop Environment (KDE).
5. Virtualization and Emulation Tools
5.1 Oracle VirtualBox
VirtualBox is a powerful x86 and AMD64/Intel64 virtualization product for enterprise as well as home use.
Add Oracle repository:
$ echo "deb [arch=amd64] https://download.virtualbox.org/virtualbox/debian bullseye non-free contrib" | sudo tee /etc/apt/sources.list.d/virtualbox.list
Add GPG key:
$ wget -q https://www.virtualbox.org/download/oracle_vbox_2016.asc -O- | sudo apt-key add -
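On Debian 11 apt-key is deprecated. As an added example that is not part of this post, here is the same repository registered through a dedicated keyring and a signed-by= clause, so the Oracle key is trusted only for packages from this one repository. The keyring and list paths are this example's choice; the entry uses the contrib component that Oracle publishes for its Debian repository.

```shell
#!/bin/sh
# Added example (not from the original post): register the Oracle VirtualBox
# repository with its own keyring and a signed-by= clause instead of apt-key,
# so Oracle's key can only authenticate packages coming from this repository.
set -eu

# Keyring and list paths are this example's choice; the URLs are Oracle's.
KEYRING=/usr/share/keyrings/oracle-virtualbox-2016.gpg
LIST=/etc/apt/sources.list.d/virtualbox.list
KEY_URL=https://www.virtualbox.org/download/oracle_vbox_2016.asc
REPO_URL=https://download.virtualbox.org/virtualbox/debian

# Build the sources.list entry: $1 = keyring path, $2 = Debian codename.
vbox_source_line() {
    printf 'deb [arch=amd64 signed-by=%s] %s %s contrib\n' "$1" "$REPO_URL" "$2"
}

# Return 0 when an entry pins trust to a keyring under /usr/share/keyrings,
# 1 when it would rely on the global apt-key trust store (no signed-by=).
line_is_pinned() {
    case "$1" in
        *'signed-by=/usr/share/keyrings/'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch the ASCII-armored key, store it dearmored in the keyring, write the list.
install_vbox_repo() {
    wget -qO- "$KEY_URL" | sudo gpg --dearmor --yes -o "$KEYRING"
    sudo chmod 0644 "$KEYRING"
    vbox_source_line "$KEYRING" bullseye | sudo tee "$LIST" >/dev/null
    line_is_pinned "$(cat "$LIST")"
}

# Run for real with: install_vbox_repo && sudo apt update
```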
Update the system and install VirtualBox:
$ sudo apt update -y
$ sudo apt install virtualbox-7.0
The Oracle VirtualBox Extension Pack extends VirtualBox with USB 3.0 and VirtualBox Remote Desktop Protocol (VRDP) support. First, download the extension pack matching the installed version (vboxmanage --version prints e.g. 7.0.2r154219; the part before 'r' is the version, the part after it the build number):
$ wget https://download.virtualbox.org/virtualbox/$(vboxmanage --version | cut -d r -f1)/Oracle_VM_VirtualBox_Extension_Pack-$(vboxmanage --version | cut -d r -f1)-$(vboxmanage --version | cut -d r -f2).vbox-extpack
Now, we can install the pack with vboxmanage:
$ sudo vboxmanage extpack install Oracle_VM_VirtualBox_Extension_Pack-$(vboxmanage --version | cut -d r -f1)-$(vboxmanage --version | cut -d r -f2).vbox-extpack
During the VirtualBox installation, the group vboxusers is created. Any system user who is going to use a USB device from a VirtualBox guest must be a member of this group. The following command adds the current user to vboxusers if they are not already a member of the group.
$ sudo usermod -a -G vboxusers $(whoami)
Note that adding an active user to that group will require that user to log out and back in again.
5.2 Qemu
KVM (for Kernel-based Virtual Machine) is a full virtualization solution for Linux on x86 hardware containing virtualization extensions (Intel VT or AMD-V). It consists of a loadable kernel module, kvm.ko, that provides the core virtualization infrastructure and a processor specific module, kvm-intel.ko or kvm-amd.ko. [2]
The qemu-kvm package also enables the KVM kernel virtual machine (VT-x for Intel or AMD-V for AMD CPUs must be enabled in the BIOS).
$ sudo apt install qemu-kvm
Run the following grep command to verify that Intel VMX or AMD SVM is supported by your CPU (Figure 5):
$ grep -E --color 'vmx|svm' /proc/cpuinfo
Figure 5 - Checking Hardware Virtualization Support for Intel CPU on Linux
6. GNS3 and Auxiliary Tools
6.1 GNS3 GUI and Server
Graphical Network Simulator-3 (shortened to GNS3) is a network software emulator first released in 2008. It allows the combination of virtual and real devices, used to simulate complex networks [3].
$ sudo apt install python3-pip
$ sudo pip3 install gns3-server
$ sudo pip3 install gns3-gui
$ sudo apt-get install python3-pyqt5.qtsvg python3-pyqt5.qtwebsockets
6.2 Wireshark
$ sudo apt install wireshark
Add the current user to the Wireshark group to be able to run Wireshark as a non-root user and capture on the interfaces.
$ sudo usermod -a -G wireshark $USER
6.3 Ubridge from Source
uBridge is a simple application to create user-land bridges between various technologies. Currently bridging between UDP tunnels, Ethernet and TAP interfaces is supported. Packet capture is also supported.
$ sudo apt install git build-essential pcaputils libpcap-dev
$ git clone https://github.com/GNS3/ubridge.git
$ cd ubridge
$ make
$ sudo make install
6.4 Scapy
Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more [4].
$ sudo apt-get install python3-pip
$ sudo python3 -m pip install --pre scapy[complete]
7. Media Tools
KolourPaint is a free, easy-to-use paint program by KDE; while VLC is a favourite tool for playing and streaming videos.
$ sudo apt install kolourpaint vlc
8. nftables
nftables is a netfilter project that aims to replace the existing {ip,ip6,arp,eb}tables framework. It provides a new packet filtering framework, a new user-space utility (nft), and a compatibility layer for {ip,ip6}tables [5].
nftables makes no distinction between temporary rules entered on the command line and permanent ones loaded from or saved to a file. All rules have to be created or loaded using the nft command line utility. We are going to create a typical ruleset to protect one laptop in IPv4 and IPv6.
Netfilter tables are organized hierarchically. Tables contain chains and chains contain rules, for example [6]:
- Table 1
  - Chain 1
    - Rule 1
    - Rule 2
  - Chain 2
    - Rule 3
- Table 2
  - Chain 3
    - Rule 4
8.1 IPv4 Firewall
8.1.1 Create table mytable_ipv4
$ sudo nft add table mytable_ipv4
8.1.2 Add a chain to a table
Create a chain for incoming packets that drops all packets that are not explicitly allowed by any rule in this chain. Nft re-uses special characters, such as curly braces and the semicolon. If you are running these commands from a shell such as bash, all the special characters need to be escaped. The simplest way to prevent the shell from attempting to parse the nft syntax is to quote everything within single quotes.
$ sudo nft 'add chain mytable_ipv4 input {type filter hook input priority 0; policy drop;}'
Note: Alternatively, you can run the command:
$ sudo nft add chain mytable_ipv4 input {type filter hook input priority 0 \; policy drop \;}
8.1.3 Add rules to the input chain
Add rules to our input chain in mytable_ipv4 to accept incoming established and related network traffic.
$ sudo nft add rule mytable_ipv4 input ct state established accept
$ sudo nft add rule mytable_ipv4 input ct state related accept
Add a rule to our input chain in mytable_ipv4 to accept all network traffic from localhost.
$ sudo nft add rule mytable_ipv4 input iif lo accept
Add a rule to our input chain for mytable_ipv4 to accept traffic for SSH.
$ sudo nft add rule mytable_ipv4 input tcp dport 22 counter accept
Log dropped traffic.
$ sudo nft add rule mytable_ipv4 input counter log drop
8.2 IPv6 Firewall
Configure the IPv6 firewall, which contains the rules for IPv6 traffic.
$ sudo nft add table ip6 mytable_ipv6
$ sudo nft 'add chain ip6 mytable_ipv6 input {type filter hook input priority 0; policy drop;}'
$ sudo nft add rule ip6 mytable_ipv6 input ct state established accept
$ sudo nft add rule ip6 mytable_ipv6 input ct state related accept
$ sudo nft add rule ip6 mytable_ipv6 input iif lo accept
$ sudo nft add rule ip6 mytable_ipv6 input tcp dport 22 counter accept
$ sudo nft add rule ip6 mytable_ipv6 input icmpv6 type {nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert} accept
$ sudo nft add rule ip6 mytable_ipv6 input counter log drop
8.3 Make Our Firewall Configuration Persistent Across Service Restarts
Nftables comes with a simple and secure firewall configuration stored in the /etc/nftables.conf file. The nftables.service will load rules from that file when started or enabled [7].
First, we create the file /etc/nftables.conf, in which we insert the following three lines.
$ sudo su
# echo '#!/usr/sbin/nft -f' > /etc/nftables.conf
# echo 'flush ruleset' >> /etc/nftables.conf
# echo >> /etc/nftables.conf
# exit
Now we can list the rules we entered via the CLI and append them to the /etc/nftables.conf file. A plain >> redirection would run with the user's privileges and fail on the root-owned file, so the append goes through tee:
$ sudo nft -s list ruleset | sudo tee -a /etc/nftables.conf
Enable and start the nftables service. The configuration file /etc/nftables.conf will be loaded.
$ sudo systemctl enable nftables
$ sudo systemctl start nftables
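As an added example that is not part of this post, the IPv4 and IPv6 rules from sections 8.1 and 8.2 written directly as an nft script in the form /etc/nftables.conf takes, produced by a small shell script that also audits the text for the properties this host firewall must keep (default drop on both input hooks, IPv6 neighbour discovery allowed). Merging established and related into one rule and the audit_conf function are this example's choices.

```shell
#!/bin/sh
# Added example (not from the original post): the IPv4 and IPv6 rules of
# sections 8.1 and 8.2 as one declarative nft script for /etc/nftables.conf,
# plus an offline check of the properties this host firewall must keep.
set -eu

# Emit the ruleset in nft -f syntax (established/related merged into one rule).
nftables_conf() {
cat <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table ip mytable_ipv4 {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport 22 counter accept
        counter log drop
    }
}
table ip6 mytable_ipv6 {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport 22 counter accept
        icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
        counter log drop
    }
}
EOF
}

# Audit a ruleset text read on stdin: it must start by flushing, both input
# hooks must default to drop, and the ip6 table must admit neighbour discovery
# (without it IPv6 address resolution silently breaks). Returns 0 if all pass.
audit_conf() {
    conf=$(cat)
    hooks=$(printf '%s\n' "$conf" | grep -c 'hook input' || true)
    drops=$(printf '%s\n' "$conf" | grep -c 'hook input.*policy drop' || true)
    [ "$hooks" -eq 2 ] && [ "$drops" -eq 2 ] || return 1
    printf '%s\n' "$conf" | grep -q '^flush ruleset$' || return 1
    printf '%s\n' "$conf" | grep -q 'nd-neighbor-solicit' || return 1
    printf '%s\n' "$conf" | grep -q 'nd-neighbor-advert' || return 1
}

nftables_conf | audit_conf && echo "ruleset audit: ok"
```

To have nft itself parse the result without loading anything, write the output to a file and run sudo nft -c -f on it.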
8.4 Useful Commands for Managing nftables
Display all rules along with handles (Figure 6):
$ sudo nft -a list ruleset
Figure 6 - IPv4 and IPv6 Rulesets
For example, to delete a specific rule, such as the rule that accepts IPv4 traffic from the loopback interface, enter the command with the handle shown in the listing:
$ sudo nft delete rule mytable_ipv4 input handle 4
To back up the firewall configuration to the file save_firewall.txt:
$ sudo nft -s list ruleset | tee save_firewall.txt
To load rules from the save_firewall.txt file and add them to the rules that are already in use, enter the following:
$ sudo nft -f save_firewall.txt
Note: If you want to use only the rules saved in the save_firewall.txt file, you must first flush the rules that are already in use with the command below:
$ sudo nft flush ruleset
After that, load the ruleset from the file with the sudo nft -f save_firewall.txt command.
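Rather than copying a handle number by hand, here is an added example (not from the post) that looks the handle up in the listing and deletes by it. The sample listing is constructed to resemble the mytable_ipv4 table built in section 8.1, and the rule_handle and delete_rule names are this example's.

```shell
#!/bin/sh
# Added example (not from the original post): look a rule's handle up in the
# live listing instead of hard-coding it. Handles are assigned at insertion and
# renumbered whenever the ruleset is flushed and reloaded, so a number copied
# from an old listing may delete the wrong rule.
set -eu

# Constructed sample of 'nft -a list ruleset' output, shaped like the IPv4
# table built in section 8.1 (the real listing quotes interface names).
sample_ruleset() {
cat <<'EOF'
table ip mytable_ipv4 { # handle 1
    chain input { # handle 1
        type filter hook input priority filter; policy drop;
        ct state established accept # handle 2
        ct state related accept # handle 3
        iif "lo" accept # handle 4
        tcp dport 22 counter packets 0 bytes 0 accept # handle 5
        counter packets 0 bytes 0 log drop # handle 6
    }
}
EOF
}

# Print the handle of the first rule in family/table/chain ($1 $2 $3) whose
# text contains $4; prints nothing if no such rule exists. Reads a listing
# on stdin.
rule_handle() {
    awk -v tbl="$1 $2" -v ch="$3" -v pat="$4" '
        $1 == "table" && ($2 " " $3) == tbl { in_tbl = 1; next }
        in_tbl && $1 == "chain" && $2 == ch { in_ch = 1; next }
        in_ch && $1 == "}" { exit }
        in_ch && index($0, pat) && match($0, /# handle [0-9]+$/) {
            print substr($0, RSTART + 9); exit
        }'
}

# Delete by looked-up handle, refusing to run when the rule is not found.
delete_rule() {
    h=$(sudo nft -a list ruleset | rule_handle "$1" "$2" "$3" "$4")
    [ -n "$h" ] || { echo "rule not found: $4" >&2; return 1; }
    sudo nft delete rule "$1" "$2" "$3" handle "$h"
}

# Demonstration on the constructed sample (no root, nothing is changed):
sample_ruleset | rule_handle ip mytable_ipv4 input 'iif "lo" accept'    # prints 4
# Live use: delete_rule ip mytable_ipv4 input 'iif "lo" accept'
```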
9. ClamAV Antivirus
ClamAV is an easy-to-use tool for detecting virus infections on Linux systems. It is open source and free, and runs on many Linux systems.
$ sudo apt install clamav clamav-daemon
ClamAV's tools are clamscan, which does the scanning, and freshclam, which updates the list of known virus signatures.
To run freshclam as a service, start it with:
$ sudo systemctl start clamav-freshclam
Freshclam will run as a daemon (Figure 7) and check the signature database 24 times per day by default. The config file for freshclam is /etc/clamav/freshclam.conf.
Figure 7 - Freshclam Process
To update the signature database manually, enter the command:
$ sudo freshclam
To scan the directory /home/brezular/ and all its subdirectories, enter the command with the following options:
$ sudo clamscan --infected --remove --recursive /home/brezular/
- --infected: prints only infected files
- --remove: removes infected files
- --recursive: all the subdirectories in the directory will be scanned
Note: clamscan can only read files that the user running the tool can read, so using sudo is generally required.
End.