| Author: | Francesco Poli |
|---|---|
| Contact: | invernomuto@paranoici.org |
| Version: | 0.15 |
| Copyright: | Expat license |
| Notice: | Copyright (c) 2007-2024 Francesco Poli. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. |
| About this document | |
|---|---|
| Web form | HyperText Markup Language |
| Source form | reStructuredText |
| Web stylesheet | Cascading StyleSheets |
| Build directives | Makefile |
The purpose of this document is to show an example installation of Debian testing on a machine that will be used as a network gateway/firewall/server.
Please note that this is just a step-by-step description of the installation process for a particular case. It is not meant to replace the official Debian installation guide: you can find the Debian stable installation guide and the Debian testing installation guide online.
For the record, the machine under consideration is a HSIPC Celeron N4120 Quad Core Firewall Micro Appliance with 8 Gibyte memory and a 128 Gbyte solid-state drive.
The hardware architecture of the box is AMD64 (EM64T). Hence, an amd64 installation medium will be used. The following testing netinst installation ISO hybrid image is chosen:
```
$ wget \
  https://cdimage.debian.org/cdimage/daily-builds/daily/arch-latest/amd64/iso-cd/debian-testing-amd64-netinst.iso
```
Insert a USB flash memory stick into a USB port and check which device name it was assigned (by looking at recently created /dev/sd* files). You can now write the image to the USB stick:
# dd if=debian-testing-amd64-netinst.iso of=/dev/sdd status=progress ; sync
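Before running dd, a practitioner would check the image's integrity and make sure the target really is the removable stick, because dd overwrites whatever the chosen /dev/sd* name refers to. The following shell script is an added example and is not part of this document: verify_image compares the ISO against its entry in a SHA256SUMS file (Debian publishes SHA256SUMS next to its images; checking the signature of that file with gpg is a further step not shown here), and write_image refuses to write unless lsblk reports the device as a removable whole disk. The device name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original document: verify an installation
# image against a SHA256SUMS file, then write it only to a removable whole disk.

# verify_image IMAGE SUMSFILE
# Returns 0 when the SHA-256 of IMAGE matches the entry for its basename in
# SUMSFILE ("<hash>  <filename>" lines, as in Debian's SHA256SUMS), else 1.
verify_image() {
    image=$1
    sums=$2
    name=$(basename "$image")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $image" >&2
        return 1
    fi
    return 0
}

# write_image IMAGE DEVICE
# Refuses to write unless DEVICE is a whole removable disk (TYPE=disk and
# RM=1 in lsblk), so a partition or the internal SSD is never overwritten
# by mistake; then runs the dd command from the document.
write_image() {
    image=$1
    dev=$2
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if [ "$(lsblk -dn -o TYPE "$dev")" != "disk" ] \
        || [ "$(lsblk -dn -o RM "$dev")" != "1" ]; then
        echo "$dev is not a removable whole disk, refusing to write" >&2
        return 1
    fi
    dd if="$image" of="$dev" bs=4M status=progress && sync
}

# Real use (the device name is a placeholder; find yours with lsblk):
#   verify_image debian-testing-amd64-netinst.iso SHA256SUMS \
#       && write_image debian-testing-amd64-netinst.iso /dev/sdX
```

The lsblk check is a guard, not a substitute for looking at the output of `lsblk` yourself: a removable disk that is not the stick you just inserted still passes it.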
Other available images are linked from the Debian Installer page.
Configure the UEFI in order to set the video to "UEFI" and reboot. Then configure the UEFI in order to select "Linux" as target OS in the south bridge settings; also disable secure boot and legacy BIOS mode (CSM). After that, insert the USB stick into a USB port of the box and boot from USB (after connecting the box to an HDMI screen and a USB keyboard). Check that the UEFI variant of the Debian Installer is being run, then select "Install" and press [Enter] at the boot prompt in order to start the installation process.
The very first thing you are asked to select is the language you want to use for the installation process (which will subsequently be set as the default language for the installed system): choose English, if you share my preferences. After that, you have to choose your country, so that the correct timezone will be set: select "other", then "Europe", and "Italy" (or otherwise, if you live elsewhere...). On the next screen, choose the locale: select "en_US.UTF-8". Then choose the keymap to use: select "American English", if you are using a US keyboard.
If the Debian Installer fails to mount the installation media and asks you whether it should retry, you can work around this bug by answering no and by executing a shell:
```
# ls /dev/sd*
# mount /dev/sdb1 /cdrom
# exit
```
Then go on with detecting and mounting the installation media, which now succeeds.
At that point the installer warns that multiple network interfaces were found in the system and asks the user to choose the primary interface. Choose enp1s0 (not the preselected entry). The installer then proceeds to configure the network through DHCP: it should succeed and no further configuration should be needed.
Now, use your creativity and choose a hostname for your box! You have to enter one in the next screen. Hereinafter, I'll refer to the chosen hostname as $HOSTNAME. Then, you have to enter the domain name: leave the field blank, if you have no established domain name for your LAN.
Time to set the root password: try to think of a good one! You can create a regular user as well: enter your full name, a username, and a password.
The goal is to set up a (hopefully) good partitioning layout for network gateway/firewall/server usage. When asked, choose the manual partitioning method. The next screen displays the current disk partition table:
SCSI1 (0,0,0) (sda) - 128.0 GB ATA IND-S3MS/128G
with various partitions. Select and delete each of them, until only free space is left.
Select the sda line and confirm that you want to create a new partition table. The updated status should look like:
SCSI1 (0,0,0) (sda) - 128.0 GB ATA IND-S3MS/128G 128.0 GB FREE SPACE
Select the free space line and choose "Create a new partition" from the dialog screen. Enter "540 MB" as the partition size, create the partition at the beginning of the available space, and change the "Use as" entry to "EFI System Partition". After choosing "Done setting up the partition", again select the big free space line and choose "Create a new partition"... Go on until you reach the following status:
```
SCSI1 (0,0,0) (sda) - 128.0 GB ATA IND-S3MS/128G
            1.0 MB       FREE SPACE
     #1   539.0 MB  B f  ESP
     #2    88.0 GB    f  ext4  /
     #3    32.0 GB    f  ext4  /var
     #4     7.5 GB    f  swap
          335.4 kB       FREE SPACE
```
Choose "Finish partitioning and write changes to disk"; you'll be asked to confirm the creation of the partitions: answer "Yes". The desired filesystems are created and the swap area is prepared.
At this point, you just have to wait for the base system to be installed.
If the Debian Installer gets stuck in a loop while trying to configure the package manager, you can work around this bug by executing a shell:
```
# umount /cdrom
# exit
```
Then go on with configuring the package manager, which now succeeds. You'll be asked to choose a Debian network mirror: select a mirror near you (for instance, choose Italy, deb.debian.org). You also have to specify an HTTP proxy, if you use one; if instead you do not use any HTTP proxy on your LAN (as in my case), then leave the proxy field blank.
Then you'll be asked whether you want to contribute to popcon: answer "Yes", if you care about Debian. The next screen allows you to select groups of packages: since the goal here is installing the base system only, deselect everything and choose "Continue".
The installation is complete: choose "Continue" to reboot the system!
Modify the APT repository configuration in order to set up a system that will continue to track the Debian testing branch, even after one particular version has been released as stable. To this aim, edit the repository list:
# vi /etc/apt/sources.list
until it looks like:
```
$ cat /etc/apt/sources.list
deb http://deb.debian.org/debian testing main non-free-firmware
deb http://deb.debian.org/debian-security testing-security main non-free-firmware
```
Then install a package manager front-end:
# apt update && apt install --no-install-recommends aptitude
and execute the first package update:
# aptitude update && aptitude --purge-unused safe-upgrade
Some packages will be upgraded, if you answer "Y" when asked for confirmation. These commands can be used from now on, in order to keep the system up-to-date.
Since there's only one operating system on the box, you do not want the GRUB update process to search for other ones in dual-boot. As a consequence, remove the following package:
# aptitude --purge-unused purge os-prober
and then issue the following command:
# update-grub
Install a useful extension to the default shell (GNU Bash):
# aptitude install bash-completion
Install the following package to allow regular users to mount USB mass storage devices (e.g.: USB disks, USB sticks, ...):
# aptitude install pmount
The pager less should be already installed (and not marked as automatically installed):
```
# aptitude search '~i less'
i   less   - pager program similar to more
```
Install the tools for reading man pages:
# aptitude install man-db
Install a less minimalist VIM variant:
# aptitude install vim vim-addon-manager
Obviously, you want VIM to be the system-wide default text editor! Consequently, issue the following command:
```
# update-alternatives --config editor
There are 3 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path                 Priority   Status
------------------------------------------------------------
* 0            /bin/nano             40        auto mode
  1            /bin/nano             40        manual mode
  2            /usr/bin/vim.basic    30        manual mode
  3            /usr/bin/vim.tiny     15        manual mode

Press <enter> to keep the current choice[*], or type selection number:
```
and enter "2" to select /usr/bin/vim.basic as default editor.
The default DHCP client is:
```
# aptitude search '~i dhcp'
i   dhcpcd-base   - DHCPv4 and DHCPv6 dual-stack client (binar
```
You can modify its configuration so that it informs the DHCP server of the hostname of the box:
# vim /etc/dhcpcd.conf
Edit the file until:
```
# grep -B 1 ^hostname /etc/dhcpcd.conf
# Inform the DHCP server of our hostname for DDNS.
hostname
```
Install some extra utilities:
# aptitude install util-linux-extra
Set the time and date with:
```
# date --set='2024-10-27 16:25'
# hwclock --systohc
```
First of all, the system-wide settings. Check that the following is the default for new users:
```
$ grep [^_]DIR_MODE /etc/adduser.conf
# Default: DIR_MODE=0700
#DIR_MODE=0700
```
and also check:
```
$ grep ^HOME_MODE /etc/login.defs
HOME_MODE	0700
```
Debian's default umask is 0002, which seems to be too permissive: let's set it to 0007 (Debian uses private user groups by default and we want to follow this scheme, so group permissions may be as broad as user permissions, without any negative consequences). Edit the file ~/.profile for the user created during the installation and change its umask line into:
umask 0007
The same modification must be made for future users (file /etc/skel/.profile). Other files will need similar changes as soon as other shells besides GNU Bash are installed...
On the other hand, for the root user the umask should stay 0022: make sure that there is a line like:
umask 0022
in the file /root/.bashrc.
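To see what the two umask values above actually do, and to check that a profile file carries the intended line, here is an added shell example; it is not part of the original document. mode_after_umask creates a probe file or directory under a temporary directory with the given umask and prints the resulting octal mode; umask_in_profile extracts the value from the first uncommented umask line of a file such as ~/.profile or /etc/skel/.profile. With 0007 a new file comes out 660 and a new directory 770, so the user's private group keeps access while others get nothing; with 0022 root's files come out 644 and directories 755.

```shell
#!/bin/sh
# Added example, not part of the original document: show the effect of a
# umask on newly created files and directories, and read the umask line
# from a shell profile file.

# mode_after_umask UMASK KIND
# Creates a throwaway file (KIND=file) or directory (KIND=dir) with UMASK
# in effect and prints its octal permission bits.
mode_after_umask() {
    um=$1
    kind=$2
    tmp=$(mktemp -d)
    # Change the umask in a subshell so the caller's own umask is untouched.
    (
        umask "$um"
        if [ "$kind" = dir ]; then
            mkdir "$tmp/probe"
        else
            : > "$tmp/probe"
        fi
    )
    stat -c '%a' "$tmp/probe"
    rm -rf "$tmp"
}

# umask_in_profile FILE
# Prints the value of the first line in FILE that starts with the word
# "umask" (a commented "#umask 022" line does not count); prints nothing
# when the file sets no umask.
umask_in_profile() {
    awk '$1 == "umask" { print $2; exit }' "$1"
}

# Real use: compare the user's and root's settings with what the document
# expects (the two files are the ones edited above).
#   [ "$(umask_in_profile /etc/skel/.profile)" = 0007 ] && echo "skel ok"
#   [ "$(umask_in_profile /root/.bashrc)" = 0022 ] && echo "root ok"
```

The probe is created with `: > file` and `mkdir`, which request 666 and 777 respectively, so the printed mode is exactly those bits minus the umask; a program that requests a tighter mode (ssh-keygen, for instance) is not affected by a looser umask.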
Now, prevent undesired visits into root's home directory:
# chmod 0700 /root
and into the previously created user's home directory:
$ chmod 0700 ~
although these home directories should already have these permissions...
Finally, a nice privacy-increasing trick should be already implemented for regular users:
```
$ cat /etc/skel/.bash_logout
# ~/.bash_logout: executed by bash(1) when login shell exits.

# when leaving the console clear the screen to increase privacy

if [ "$SHLVL" = 1 ]; then
    [ -x /usr/bin/clear_console ] && /usr/bin/clear_console -q
fi
```
Let's extend it to root as well:
# cp -i /etc/skel/.bash_logout /root
Install the OpenSSH server:
# aptitude install openssh-server
and immediately stop the daemon until it is properly configured:
# systemctl stop ssh
Now edit /etc/ssh/sshd_config so that it features the following non-comment lines:
```
# grep -v '^#\|^ *$' /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 300
ClientAliveCountMax 150
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
```
Then, start the daemon:
# systemctl start ssh
Now, in order to access your box from a remote machine on your LAN, you have to copy the SSH public key you have in your account on the remote machine to the box and append it to the list of authorized keys for your regular user. Hence, after copying your ~/.ssh/id_ed25519.pub from the remote host to your local box, create your ~/.ssh/authorized_keys file on the local box:
```
$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
$ touch ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ cat id_ed25519.pub >> ~/.ssh/authorized_keys
$ chmod 400 ~/.ssh/authorized_keys
```
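As an added example (not from the original document), the following script checks that an sshd_config really carries the hardening settings listed above (no root login, no password or keyboard-interactive authentication, no empty passwords, no host-based trust, public keys only, StrictModes on) and that a ~/.ssh directory has the permissions StrictModes expects before it will honour authorized_keys. sshd_option mimics how sshd reads a keyword: comments and blank lines ignored, keyword matched case-insensitively, first occurrence wins. The configuration file and directory used for testing are constructed.

```shell
#!/bin/sh
# Added example, not part of the original document: audit an sshd_config
# for the settings chosen in the document, and check ~/.ssh permissions.

# sshd_option FILE KEYWORD
# Prints the value of KEYWORD as sshd would see it: comments and blank
# lines ignored, case-insensitive match, first occurrence wins (sshd keeps
# the first value it finds for a keyword).
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# sshd_audit FILE
# Compares the hardening keywords against the values from the document,
# prints one line per mismatch and returns the number of mismatches
# (0 means the file matches).
sshd_audit() {
    cfg=$1
    failures=0
    for pair in \
        PermitRootLogin=no \
        PasswordAuthentication=no \
        PermitEmptyPasswords=no \
        KbdInteractiveAuthentication=no \
        HostbasedAuthentication=no \
        IgnoreRhosts=yes \
        PubkeyAuthentication=yes \
        StrictModes=yes
    do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(sshd_option "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# ssh_dir_ok DIR
# Returns 0 when DIR is mode 700 and DIR/authorized_keys is readable by its
# owner only (600 or 400, the two modes the document uses). With StrictModes
# sshd ignores an authorized_keys file that is group- or world-writable.
ssh_dir_ok() {
    dir=$1
    [ "$(stat -c '%a' "$dir")" = 700 ] || return 1
    mode=$(stat -c '%a' "$dir/authorized_keys") || return 1
    case $mode in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Real use, on the box itself:
#   sshd_audit /etc/ssh/sshd_config && ssh_dir_ok ~/.ssh && echo "ssh ok"
```

Because the file starts with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in in that directory can set a keyword before the main file does and win; `sshd -T` prints the configuration sshd actually uses and is the authoritative check, this script is only a quick reading of one file.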
Mark the following package as manually installed:
# aptitude unmarkauto efibootmgr
Since the disk is an SSD, and we are using ext4 (and vfat) filesystems, it is suggested to enable TRIM support.
Edit file /etc/fstab, adding the "discard" option to each ext4/vfat filesystem and even to the swap partition ("sw" becomes "sw,discard"). Then reboot.
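Editing /etc/fstab by hand is error-prone on a machine you will then administer remotely, so here is an added shell example (not part of the original document) that performs the change described above mechanically: add_discard reads an fstab on standard input and appends "discard" to the options of every ext4, vfat and swap entry that does not already have it, leaving comments, blank lines and other filesystem types untouched, so the result can be diffed against the original before it replaces /etc/fstab. The sample fstab in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not part of the original document: add the "discard" mount
# option to the ext4, vfat and swap entries of an fstab read on stdin.

# add_discard < fstab > fstab.new
# Lines that are rewritten are re-joined with single spaces (awk rebuilds a
# record whose field was assigned); untouched lines keep their spacing.
add_discard() {
    awk '
        # Pass comments and blank lines through unchanged.
        /^[ \t]*#/ || NF == 0 { print; next }
        # fstab fields: device, mount point, type, options, dump, pass.
        NF >= 4 && ($3 == "ext4" || $3 == "vfat" || $3 == "swap") {
            n = split($4, opts, ",")
            have = 0
            for (i = 1; i <= n; i++) if (opts[i] == "discard") have = 1
            # Append only once, so the transform is idempotent.
            if (!have) $4 = $4 ",discard"
        }
        { print }
    '
}

# preview_discard FILE
# Shows, as a unified diff, what add_discard would change in FILE.
preview_discard() {
    add_discard < "$1" | diff -u "$1" - || true
}

# Real use, after reviewing the preview:
#   preview_discard /etc/fstab
#   add_discard < /etc/fstab > /etc/fstab.new && mv /etc/fstab.new /etc/fstab
```

Continuous discard, as the document chooses, issues TRIM on every deletion; Debian's util-linux package also ships a weekly `fstrim.timer`, which trims mounted filesystems in one batch instead (`systemctl status fstrim.timer` shows whether it is active). Either way, check the result with `mount | grep discard` after the reboot.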
Now the system is installed and ready to run: you can boot it and log in as root or as the previously created regular user. But very little can be done with the base system and the few packages that have already been installed: the next step is to tune the system configuration and to begin adding more software packages according to your needs. You may do that (and more) in a way similar to the workstation/desktop initial setup. Follow the steps described in these documents, skipping the parts already covered, and taking the noted differences into account:
- Initial configuration (HTML, reST), skipping the UEFI configuration suggestions, skipping the subsection about user privacy and the boot process (since we have already customized them), enabling smartd monitoring for /dev/sda only (see the hard disk health section); also, in order to read local mail, you may want to install mutt (aptitude install mutt)
- Console configuration (HTML, reST), skipping the installation of bash-completion (since we have already installed it), the installation of vim, vim-vimoutliner (only the customized .vimrc is still missing), the dictionaries and spell checking section, the console mouse support section, the fortune section, the Debian documentation section, the diffoscope installation (too many dependencies), the console fonts section, and the serial console and socket connection sections
After that, you can begin configuring the system for its primary purposes. More details in a separate document (HTML, reST).