Post-install TODO


Outline

This is a checklist of the tasks required when installing Debian Woody. While it is specific to Debian Woody, many of the procedures (especially the lockdown procedures) should be the same for other distributions.

This checklist covers the basic Debian installation and Base-config (the configuration done the first time Debian is booted). However, this is mostly a linear, straightforward process. The interesting part is what to do after Debian is installed.


Debian Install

This section covers the initial stages of installing Debian on the machine, when it is booted from the boot CD.
Partitions
1 big + /boot (16-24MB) + swap (at least 2xmem)
Devices
As necessary
Actual install
From CD or from network (network preferable)

Base Config

This section covers the basic system configuration options and how they should be set.
Hardware clock to GMT
Yes if Linux-only; No if dual-boot
MD5 passwords
Yes
Shadow Passwords
Yes
Root passwd
Set to installfest default
User Account
Create an account for the user, at least to test X setup; User should only use root acct. for admin tasks.
PCMCIA
Remove if a laptop
Configure APT Sources:
  • Non-Free: Yes
  • Contrib: Yes
  • Where: At bottom: Custom
  • Hostname: linux.rice.edu
  • Directory: /debian
  • Non-US: Yes
  • Another source: Yes
  • Edit sources.list manually: Change hostname for non-us from non-us.debian.org to linux.rice.edu.
  • Security: Yes
Tasksel
  • Install: XWindow, Desktop, UNIX server
  • If applicable: dialup, laptop
  • If wanted: Scientific apps, web server, development tools, LaTeX
dselect
No

Package Config

Each package is followed by its options, as Option: Setting.

locales
  • Locales to Build: en_US*
SSH
  • Protocol 2 Only: Yes
  • SUID root: No
  • Run SSHD Server: Depends on installee preference (likely Yes)
Default Papersize
  • Letter
CVS
  • CVS Repositories: Set to Blank
  • Run CVS PServer: No
GNUPlot
  • Install GNUplot SUID root: No
X-Window Settings
  • Configure X server wrapper with debconf: Yes
  • Configure X server config with debconf: Yes
  • Keep defaults, except:
      • Set monitor info appropriately
      • Choose appropriate video card driver (don't specify PCI Bus ID, video mem, etc. -- this is autodetected)
      • Use kernel framebuffer device interface? No
      • Mouse Device: Most likely /dev/psaux
      • Mouse Driver: imps/2 if wheel mouse, otherwise most likely PS/2
      • Emulate 3 button mouse? No unless you do not have a 3-button mouse
      • Enable scroll events from mouse wheel? Yes if you have a mouse wheel
  • May need to dpkg-reconfigure xserver-xfree86 to set additional options
GPM
  • Set appropriately. Remove package?

Packages to Remove

lpr
If you need printing, use lprng
nfs-common
nfs-kernel-server
portmap
These are RPC services not needed by most installees, and they add a large security risk.
pidentd
People don't need an auth server running
ppp
pppconfig
pppoe
Only needed for dialup
telnetd
Telnet has been obsoleted by SSH
fingerd
fingerd gives attackers a potential source of info on target.
ftpd
If you need an FTP daemon, use bsd-ftpd

Packages to Install

mozilla
Web browser; galeon is not in testing
lynx-ssl
A preferable default text-based browser to lynx. links-ssl is also a valid option.
Debian docs (doc-base)
Because documentation is good.
gnome-gv
If the user would benefit from it: basically, gv (which is already installed) with a Gnome face.
kdelibs3-crypto
For SSL support in Konqueror
sawfish-gnome
A good default WM
ntp, ntpdate
For auto-setting time. Time servers:
  • Rice: 128.42.5.45 128.42.5.14
  • UH: 128.7.1.66
autofs
Again, depends on if the user would benefit from it

Specialized Setups

Packages to Install for Particular Service

Web Server
apache, apache-ssl if necessary
FTP server
bsd-ftpd. Strongly discouraged; should use sftp instead.
Windows support
smbfs, smbclient
Windows printing support
??? anyone ???
MP3
xmms, freeamp, mpg123
AVI
avifile-player
Office apps
koffice, abiword and gnumeric
NVIDIA video card
Download and install NVidia drivers from NVidia Home Page (get the kernel and GLX source .tar.gz files), compile and install.

Rice Office Machine Setup

NFS
nfs-common
YP/NIS
nis
Printing
lprng

Kernel 2.4.x

We assume that 2.4.17 is the latest kernel. Replace with latest version number (or downgrade) as appropriate and/or necessary.
  1. Install kernel-image-2.4.17-(386|586tsc|686|686-smp|k6|k7) (depending on CPU type).
  2. Don't forget to add the line to lilo.conf (or it will blow up spectacularly!). The required line is:
    initrd=/initrd.img
  3. Install iptables

Ext3 Setup

Ext3 requires kernel 2.4.x support (more particularly, without patching, it requires 2.4.16 or later support). We assume that 2.4.17 is the latest kernel. Replace with latest version number (or downgrade) as appropriate and/or necessary.
  1. Run tune2fs -j /dev/hdxy, for each partition /dev/hdxy
  2. In /etc/fstab, change all instances of ext2 to ext3, especially the entry for /
  3. Run mkinitrd -o /root/initrd.img /lib/modules/2.4.17-686. Replace the 2.4.17 with the appropriate version, and 686 with the appropriate CPU type.
  4. Move /root/initrd.img to /boot/initrd.img-2.4.17-686 (backing up the old initrd, just in case)
  5. Run lilo -v
Note that missing any one of these steps can lead to spectacular blow-up.

Final Lockdown

/etc/inetd.conf

Turn off all services by hand, or use update-inetd, as follows:
update-inetd --disable time
update-inetd --disable daytime
update-inetd --disable discard

/etc/hosts.allow,deny

Appropriate Rice setup:

In /etc/hosts.allow:
ALL: 128.42., 127.
In /etc/hosts.deny:
ALL: ALL

Appropriate Off-campus/other setup:

In /etc/hosts.allow:
ALL: 127.
In /etc/hosts.deny:
ALL: ALL

SSH config

In /etc/ssh/sshd_config
Set PermitRootLogin to no
In /etc/ssh/ssh_config
(Depending on use) set ForwardAgent and ForwardX11 to Yes
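
The Final Lockdown items above (inetd services off, hosts.deny set to ALL: ALL, PermitRootLogin no) can be checked after the fact with a small audit script. This is an added example, not part of the original checklist; the function names and the sample tree written by make_sample_root are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the Final Lockdown items under a root directory.

# Names of inetd services still enabled (non-blank, non-comment lines).
inetd_enabled() {
    [ -f "$1" ] || return 0
    awk 'NF && $1 !~ /^#/ { print $1 }' "$1"
}

# True only if hosts.deny carries the catch-all "ALL: ALL" rule.
deny_all_present() {
    grep -Eiq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*$' "$1" 2>/dev/null
}

# Value of the first active PermitRootLogin line (sshd uses the first one).
root_login_setting() {
    [ -f "$1" ] || return 0
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1"
}

# Print one FAIL line per problem; return the number of failed checks.
audit_lockdown() {
    root=$1; fails=0
    svcs=$(inetd_enabled "$root/etc/inetd.conf" | tr '\n' ' ')
    if [ -n "$svcs" ]; then
        echo "FAIL inetd services enabled: $svcs"; fails=$((fails + 1))
    fi
    if ! deny_all_present "$root/etc/hosts.deny"; then
        echo "FAIL hosts.deny lacks ALL: ALL"; fails=$((fails + 1))
    fi
    if [ "$(root_login_setting "$root/etc/ssh/sshd_config")" != "no" ]; then
        echo "FAIL PermitRootLogin is not no"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample tree: a fresh install before lockdown (not real output).
make_sample_root() {
    mkdir -p "$1/etc/ssh"
    printf '%s\n' '# /etc/inetd.conf' \
        'time    stream tcp nowait root internal' \
        '#<off># daytime stream tcp nowait root internal' \
        'discard stream tcp nowait root internal' > "$1/etc/inetd.conf"
    printf '%s\n' '# /etc/hosts.deny' > "$1/etc/hosts.deny"
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' > "$1/etc/ssh/sshd_config"
}
```

Source the file and run `audit_lockdown ""` to check the live system; the exit status is the number of failed checks, so 0 means all three lockdown items are in place.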

Page maintained by Algis Rudys.
Suggestions, constructive criticism, and commentary always welcome!
Last modified: Sat Apr 6 18:01:04 CST 2002