
After installing Debian, I was reading through the Securing Debian Manual, and I found a warning to not connect to the internet during installation. This surprised me, because this seems to be the default way of installing Debian, and in fact there are many stories of people getting broken/unusable installations when installing without internet access. Moreover, the installer asked for an internet connection early on in the process with no clear option to opt out (but maybe I missed it), and neither the Debian Installation Guide nor the installer mentioned anything about this being insecure.

So my question is: when installing Debian stable (Bullseye) to a laptop in 2022, is it dangerous to connect to the internet during installation? What are the specific risks? For instance, the Securing Debian Manual says in Section 3.3: Do not plug to the Internet until ready:

Since the system will install and activate services immediately, if the system is connected to the Internet and the services are not properly configured you are opening it to attack.

Which services are meant here? Does this only apply to server installs (which might be running a web server, SSH, etc.), or does this also affect desktop users?

  • There's "active internet connection" as in one that allows unfiltered ingress and egress, and there's "active internet connection" as in your typical home internet setup which likely doesn't have any way for some rando in the internet to directly establish a connection to your system, because of your router's basic firewall, NAT, CGNAT and what not. Sure some lucky people might be getting a public IP from their modem or whatever, but in practice ... Commented Jul 14, 2022 at 7:50
  • @muru ah yes, but I would expect that an operating system would block all network traffic during installation, except that which is strictly necessary for installation. These comments in the Securing Debian Manual made me question that. But you make a good point that my own computer's firewall (or lack thereof) is not the only layer of protection. 🙂 Commented Jul 22, 2022 at 19:04

2 Answers


Since the system will install and activate services immediately, if the system is connected to the Internet and the services are not properly configured you are opening it to attack.

Yeah, this makes no sense. The default configuration of services should be secure, everything else would be Debian's fault for rolling out an insecure default installation. That will not magically become secure after installation, as service activation is the last step in the setup of a daemon package, anyways.

So, honestly, that guide seems to be not closely oriented on the packaging reality of debian, or security best practices. Maybe just ignore it.

It gets even worse, for example, 3.4.:

Setting a good root password is the most basic requirement for having a secure system

what a bunch of nonsense. Without setting a root password, root can't log in using a password. That's unambiguously more secure than letting root log in with the correct password.

So, really, ignore that guide. It's wrong, terribly outdated (judging from the cited references) where it's not wrong, and fully inapplicable to debian 11: it refers to update-rc.d, a script that simply has no role / existence on a modern debian any more, for example. No debian system installs telnet by default, or even has the old-school inetd.

This guide is full of advice that was questionable in the early 2000s, and is wrong or obsolete in 2022. Going with debian defaults is, in any case, better for a secure system than following any specific guidance (other than maybe "don't explicitly install daemons that you know you won't need").


As a matter of fact, the CHANGELOG says for revision 3.16 from January 2013 (almost 10 years ago):

Indicate that the document is not updated with latest versions.

I can't find that indication anywhere in the document. Honestly, that document wasn't great at that point, and it's not really been updated since 2009. At this point, having this document around reduces the security of the reader ;)

  • Thank you for your answer. Thanks in particular for pointing out that the Securing Debian Manual is terribly outdated. I only saw the "Copyright © 2017" notice, so I thought it was relatively recent. However, I now see that I could have noted with little effort just how old this manual is. (For instance, it says that the default filesystem on Debian is ext3.) Although ideally I would like to know exactly why these specific warnings were included in the Securing Debian Manual and why they are no longer relevant today, I will accept this answer as this is not a computer history forum. 🙂 Commented Jul 22, 2022 at 18:56
  • it kind of is that, actually (not the forum part, but the archeology is strong around here). The honest truth is that a lot of that advice was common "knowledge" with strong quotation marks (i.e., mostly misunderstood overgeneralizations), or still is (like, "have a firewall" is sensible). Some of that got obsolete by stronger distro requirements for things that package services, like, if your service is enabled and started right away, it needs to be in the safest possible configuration according to what the user would reasonably want (OK, a media server will give your LAN access to your… Commented Jul 22, 2022 at 19:50
  • … media by default, for example, which obviously is not anything you'd ever want for a server machine, but you would never install a media player daemon on that by default; and that media player service would often only be started by a user session, not system-wide automatically) Commented Jul 22, 2022 at 19:51
  • But for example, I'm pretty sure that the default apache2 installation only drops you to a "welcome to this fresh server" page, and doesn't e.g. enable a cgi-bin directory anywhere by default. samba will not come with anonymous shares enabled, and so on. Commented Jul 22, 2022 at 19:52
  • Ah, maybe there should be an archeology tag? 😜 Anyway, thanks for your additional comments! Commented Aug 2, 2022 at 2:32

It is possible to install most packages without connecting to the internet. Just don't use the netinst image. However, a netinst itself is not insecure. That's because the netinst image contains all of Debian's gpg keys used to sign packages and your system will verify that no packages have been tampered with by a man-in-the-middle attack. The guide you are mentioning does not disagree with this.

The manual is warning you about connecting your machine to the internet before you've had a chance to configure it. In some ways I can see where the manual is coming from. It depends on your security policy. It's reasonable to have everything comply with your policy before connecting to the internet. You may want to change a service's configuration before exposing it to the internet.

Example:

openssh-server can be installed during the basic install, and is configured with the following default:

PasswordAuthentication yes

This allows you to ssh into the machine using a password instead of only allowing a key. For most people, this is great because it gives you a chance to ssh-copy-id your ssh-key to this machine before locking it down. Some people want to keep PasswordAuthentication yes, using something like fail2ban to block attackers that try to repeatedly guess your username/password. Others simply rely on strong passwords that won't be cracked by simple un-targeted dictionary attacks.

If you work for a company with a habit of shared usernames/passwords, then exposing a machine with PasswordAuthentication yes to the internet opens a window where someone in-the-know (perhaps a previous employee) can access the machine.

If you work for a company/government, then it may be possible that they may simply have a policy of PasswordAuthentication no and will not tolerate any machine at any time with a different configuration.

However, if you want to install openssh-server and have no plans to change its configuration or install additional security (like ufw or fail2ban), then waiting until after-install to connect to the internet will not give you any benefits.

  • Thank you for your answer. You say "The manual is warning you about connecting your machine to the internet before you've had a chance to configure it." I don't think I agree with that assessment. As I see it, Chapter 3 of the Securing Debian Manual is about "Before and during the installation", not after installation. If you install using netinst (the default installation method offered by Debian), then you don't have a Live system, so by definition you have not had a chance to configure the system. [...] Commented Jul 22, 2022 at 18:46
  • [...] This discrepancy between the default installation method and the security recommendations is the core of my question, and I feel that your answer does not really address this. Commented Jul 22, 2022 at 18:46
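The second answer turns on which PasswordAuthentication value sshd actually ends up with, and that is easy to misjudge by eye: the keyword is case-insensitive, the first occurrence wins, a commented-out line leaves the compiled-in default of "yes" in force, and a "no" placed after a Match directive only applies inside that block. The script below is an added example (not code from the answer, the Securing Debian Manual, Debian or OpenSSH) that resolves the global value of an sshd_config-style file by those rules and checks it against the "PasswordAuthentication no" policy the answer describes. The function names and the four sample configs are constructed for this illustration; the first sample is modelled on a Debian-style default, where the keyword appears only commented out.

```shell
#!/bin/sh
# Added example (not from the answer, Debian or OpenSSH). Prints the effective
# *global* PasswordAuthentication value of an sshd_config-style file the way
# sshd resolves it:
#   - keywords are case-insensitive and the FIRST occurrence wins,
#   - '#' comment lines and blank lines are ignored,
#   - "Keyword value" and "Keyword = value" are both accepted,
#   - lines after a "Match" directive belong to that block, so the global
#     value is decided only by the lines before the first Match,
#   - if the keyword is never set, sshd's compiled-in default is "yes".
effective_password_auth() {
    awk '
        /^[[:space:]]*#/ { next }               # comment line
        NF == 0          { next }               # blank line
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            sub(/[[:space:]]*=[[:space:]]*/, " ", line)   # "Keyword=value" form
            $0 = line                           # re-split into $1 $2 ...
            key = tolower($1)
        }
        key == "match" { exit }                 # end of the global section
        key == "passwordauthentication" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }         # sshd default when unset
    ' "$1"
}

# Returns 0 when the file disables password logins globally, 1 otherwise:
# the check to run before the host is exposed, under the policy the answer describes.
password_auth_disabled() {
    [ "$(effective_password_auth "$1")" = "no" ]
}

# Constructed sample configs (hypothetical, written to temp files, not copied
# from any real system). Each function prints the path of the file it wrote.
sample_debian_default() {    # keyword present only as a comment -> "yes"
    f=$(mktemp) && cat >"$f" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PasswordAuthentication yes
KbdInteractiveAuthentication no
UsePAM yes
EOF
    printf '%s\n' "$f"
}
sample_hardened() {          # the policy from the answer -> "no"
    f=$(mktemp) && cat >"$f" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
EOF
    printf '%s\n' "$f"
}
sample_match_trap() {        # "no" sits inside a Match block: global is still "yes"
    f=$(mktemp) && cat >"$f" <<'EOF'
Match User deploy
    PasswordAuthentication no
EOF
    printf '%s\n' "$f"
}
sample_first_wins() {        # a later "no" does not override an earlier "yes"
    f=$(mktemp) && cat >"$f" <<'EOF'
passwordauthentication = yes
PasswordAuthentication no
EOF
    printf '%s\n' "$f"
}

# Audit every constructed sample and report the value sshd would use.
audit_samples() {
    for s in sample_debian_default sample_hardened sample_match_trap sample_first_wins; do
        f=$($s)
        printf '%-22s effective PasswordAuthentication=%s\n' "$s" "$(effective_password_auth "$f")"
        rm -f "$f"
    done
}

audit_samples
```

On a real host, `sshd -T` prints the configuration sshd has actually loaded, including anything pulled in through `Include` lines, and `sshd -T -C user=deploy,addr=192.0.2.10` shows what the Match blocks yield for a given connection; that is the authoritative check, and the parser above is only a way to see why a file that visibly contains "PasswordAuthentication no" can still leave password logins enabled.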
