Before you install any operating system on your computer, set up a BIOS password and change the boot sequence to disable booting from a floppy. Otherwise a cracker only needs a boot disk to access your entire system.
Requiring the password for every boot is even better. This can be very effective if you run a server, because it is not rebooted very often. The downside to this last tactic is that rebooting requires human intervention, which can cause problems if the machine is not easily accessible.
An intelligent partition scheme depends on how the machine is used. A good rule of thumb is to be fairly liberal with your partitions and to pay attention to the following factors:
tune2fs.
Setting a good root password is the most basic requirement for having a secure system.
At the end of the installation, you will be asked if shadow passwords should be enabled. Answer yes to this question, so passwords will be kept in the file /etc/shadow. Only the root user and the group shadow have read access to this file, so no users will be able to grab a copy of it in order to run a password cracker against it. You can switch between shadow passwords and normal passwords at any time by using shadowconfig. Furthermore, you are asked during installation whether you want to use MD5 hashed passwords. This is generally a very good idea, since it allows longer passwords and stronger password hashing.
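As an added example (not part of the manual's text or code), the following POSIX shell script audits a passwd/shadow pair along the lines of the paragraph above: it lists accounts whose password data still sits in the world-readable passwd file instead of /etc/shadow, classifies each shadow entry by hash scheme (traditional DES crypt versus MD5-crypt and the later SHA-based schemes), and checks that the shadow file is not readable by "other". The sample passwd and shadow files are constructed with fake accounts and fake hashes, and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Securing Debian Manual. Audits whether a
# passwd/shadow pair really keeps hashes out of the world-readable passwd
# file and which hash scheme each shadow entry uses.

# classify_hash HASHFIELD -> one word naming the scheme of a shadow entry.
classify_hash() {
    case "$1" in
        '')            echo "empty-no-password" ;;
        '*'|'!'*)      echo "locked" ;;               # no password login possible
        '$1$'*)        echo "md5" ;;                  # MD5-crypt (the install-time option)
        '$5$'*|'$6$'*) echo "sha-crypt" ;;            # SHA-256 / SHA-512 crypt
        '$'*)          echo "other-modular-crypt" ;;  # e.g. bcrypt, yescrypt
        *)             echo "des-crypt" ;;            # 13-char traditional crypt(3), 8-char limit
    esac
}

# unshadowed_accounts PASSWD_FILE -> names whose second field is not "x",
# i.e. a hash (or nothing at all) is stored where every user can read it.
unshadowed_accounts() {
    awk -F: '$2 != "x" { print $1 }' "$1"
}

# hash_report SHADOW_FILE -> "user scheme" per line.
hash_report() {
    while IFS=: read -r user hash rest; do
        printf '%s %s\n' "$user" "$(classify_hash "$hash")"
    done < "$1"
}

# shadow_perms_ok FILE -> success if "other" has no permission bits
# (Debian ships /etc/shadow as root:shadow mode 0640).
shadow_perms_ok() {
    [ "$(ls -l "$1" | cut -c8-10)" = "---" ]
}

# Constructed sample data (fake accounts, fake hashes) in a temp dir.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:abJnggxhB/yWI:1001:1001:Old account:/home/legacy:/bin/sh
EOF
    cat > "$dir/shadow" <<'EOF'
root:$1$FAKESALT$FAKEMD5HASHxxxxxxxxxxxxxx:15000:0:99999:7:::
alice:$6$FAKESALT$FAKESHA512HASHxxxxxxxxxxxxxxxxxxxxxxxx:15000:0:99999:7:::
bob::15000:0:99999:7:::
carol:abJnggxhB/yWI:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
EOF
    chmod 640 "$dir/shadow"
    echo "$dir"
}

main() {
    dir=$(make_sample_files)
    echo "Accounts with password data outside the shadow file:"
    unshadowed_accounts "$dir/passwd"
    echo "Hash scheme per shadow entry:"
    hash_report "$dir/shadow"
    if shadow_perms_ok "$dir/shadow"; then
        echo "shadow file permissions: ok"
    else
        echo "shadow file permissions: readable by other!"
    fi
    rm -rf "$dir"
}
main
```

On a real system you would point unshadowed_accounts at /etc/passwd and hash_report at /etc/shadow (as root); any "des-crypt" or "empty-no-password" line is an account that should get a new password after MD5 hashing has been enabled.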
Do not install services on your machine that are not needed. Every installed service introduces new, perhaps not obvious, but real security holes to your machine. If you still want some services but use them rarely, use the update commands, e.g. 'update-inetd', to remove them from the startup process. This section needs a list of services, what they do and the risk level involved, as newbies don't have a clue what is considered a security risk.
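As an added example (again not the manual's own text or code), here is a small POSIX shell helper that reads an inetd.conf, reports which services are still active (entries that are not commented out), and prints the update-inetd --disable command for each one, which is the Debian way to comment a service out of inetd.conf without editing the file by hand. The sample inetd.conf is constructed, and the function names are this example's own; the script only reports what is enabled, so review the list before disabling anything you actually rely on.

```shell
#!/bin/sh
# Added example, not from the Securing Debian Manual: report the services an
# inetd.conf still has enabled and print the update-inetd command that
# disables each one (update-inetd --disable comments the line out for you).

# enabled_inetd_services INETD_CONF -> one service name per line for every
# uncommented, complete entry (service socket proto flags user server ...).
enabled_inetd_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# disable_commands INETD_CONF -> the commands an admin would run, one per line.
disable_commands() {
    enabled_inetd_services "$1" | while read -r svc; do
        printf 'update-inetd --disable %s\n' "$svc"
    done
}

# Constructed sample inetd.conf: a few services left enabled by an old
# install, others already commented out.
make_sample_inetd() {
    dir=$(mktemp -d)
    cat > "$dir/inetd.conf" <<'EOF'
#<service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#:INTERNAL: Internal services
#echo   stream tcp nowait root internal
#:STANDARD: These are standard services.
telnet  stream tcp nowait telnetd.telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
ftp     stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
#:BSD: Shell, login, exec and talk are BSD protocols.
#shell  stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.rshd
finger  stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd
EOF
    echo "$dir"
}

main() {
    conf=${1:-}   # pass a real /etc/inetd.conf path, or fall back to the sample
    sample_dir=""
    if [ -z "$conf" ]; then
        sample_dir=$(make_sample_inetd)
        conf="$sample_dir/inetd.conf"
    fi
    echo "Enabled inetd services in $conf:"
    enabled_inetd_services "$conf"
    echo "Commands that would disable them (review first):"
    disable_commands "$conf"
    if [ -n "$sample_dir" ]; then
        rm -rf "$sample_dir"
    fi
}
main "$@"
```

For daemons started from /etc/init.d rather than through inetd, the corresponding Debian tool is update-rc.d, which manages the startup links instead of inetd.conf lines.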
It is never wrong to take a look at either the debian-security-announce mailing list, where advisories and fixes to released packages are announced by the Debian security team, or debian-security@lists.debian.org, where you can take part in discussions about Debian security related topics.
In order to receive important security update alerts, send an email to debian-security-announce-request@lists.debian.org with the word "subscribe" in the subject line. You can also subscribe to this moderated email list via the web page at http://www.debian.org/MailingLists/subscribe
This mailing list has very low volume, and by subscribing to it you will be alerted immediately to security updates for the Debian distribution. This allows you to quickly download new packages with security bug fixes, which is very important in maintaining a secure system. (See Section 5.1 for details on how to do this.)