Before you install any operating system on your computer, set up a BIOS password and change the boot sequence to disable booting from a floppy. Otherwise a cracker only needs physical access and a boot disk to access your entire system.
Disabling booting without a password is even better. This can be very effective if you run a server, because it is not rebooted very often. The downside to this tactic is that rebooting requires human intervention which can cause problems if the machine is not easily accessible.
An intelligent partition scheme depends on the how the machine is used. A good rule of thumb is to be fairly liberal with your partitions and to pay attention to the following factors:
Setting a good root password is the most basic requirement for having a secure system.
At the end of the installation, you will be asked if shadow passwords should be
enabled. Answer yes to this question, so passwords will be kept in the file
/etc/shadow. Only the root user and the group shadow have read
access to this file, so no users will be able to grab a copy of this file in
order to run a password cracker against it. You can switch between shadow
passwords and normal passwords at any time by using shadowconfig.
Furthermore you are queried during installation whether you want to use MD5
hashed passwords. This is generally a very good idea since it allows longer
passwords and better encryption.
Read more on Shadow passwords in
You should not install services which are not needed on your machine. Every installed service introduces new, perhaps not obvious, but real security holes on your machine. If you still want to have some services but you use these rarely, use the update-commands, e.g. 'update-inetd' for removing them from the startup process.
FIXME: This section needs a list of services, and information about what they do and the security risk level involved, for newbies who don't have a clue.
It is never wrong to take a look at either the debian-security-announce mailing list, where advisories and fixes to released packages are announced by the Debian security team, or at firstname.lastname@example.org, where you can participate in discussions about things related to Debian security.
In order to receive important security update alerts, send an email to
with the word "subscribe" in the subject line. You can also
subscribe to this moderated email list via the web page at
This mailing list has very low volume, and by subscribing to it you will be immediately alerted of security updates for the Debian distribution. This allows you to quickly download new packages with security bug fixes, which is very important in maintaining a secure system. (See Execute a security update, Section 4.4 for details on how to do this.)