Security: There are three open ports on a new installation of Debian 6. These are port 25 (SMTP – Simple Mail Transfer Protocol), 111 (rpcbind port), and 631 (Internet Printing Protocol port). There is no firewall script in the init directory to start/stop the built-in firewall. There are at least a dozen firewall scripts and graphical firewall applications in the repository that you can install to protect your system. One of those scripts is the same firewall application available on Ubuntu and Ubuntu-based distributions. I am, of course, referring to ufw, the Uncomplicated FireWall, and its graphical interface – Gufw. While Gufw is simple to use, it lacks many useful features available in the graphical firewall applications on Fedora or Mandriva. Installing NuFW and its related programs provides better firewall protection for your system than Gufw does.
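To see which of those three ports actually matter from the network, it helps to distinguish a socket bound to loopback from one bound to every interface. The script below is an added example, not code from the original post or from Debian; it parses `ss -ltn` output (a constructed sample mirroring the three ports named above is embedded so it runs offline), reports the ports a remote host could reach, and provides a deny-by-default ufw baseline. It assumes the `ss` tool from iproute2 and the ufw package, both of which are in the Debian repository.

```shell
#!/bin/sh
# Added example (not from the original post): audit which TCP ports on a fresh
# Debian 6 host listen on a network-reachable address, then optionally apply a
# deny-by-default ufw baseline. Assumes iproute2's `ss` and the ufw package.

# Constructed sample of `ss -ltn` output modelled on the page's three open
# ports; not captured from a real system.
SAMPLE_SS='State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      20     127.0.0.1:25         0.0.0.0:*
LISTEN  0      128    0.0.0.0:111          0.0.0.0:*
LISTEN  0      128    :::111               :::*
LISTEN  0      128    127.0.0.1:631        0.0.0.0:*'

# listening_ports: read `ss -ltn` output on stdin and print every distinct
# listening TCP port, one per line, in numeric order (header line skipped).
listening_ports() {
    awk 'NR > 1 && $1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -nu
}

# exposed_ports: like listening_ports, but keep only sockets bound to something
# other than loopback, i.e. ports a remote host could reach. A daemon bound to
# 127.0.0.1 or ::1 (a mailer configured for local delivery only, cups by default)
# is listening but not exposed.
exposed_ports() {
    awk 'NR > 1 && $1 == "LISTEN" {
        addr = $4
        n = split(addr, a, ":")
        port = a[n]
        sub(":" port "$", "", addr)   # strip the trailing :port, leaving the bind address
        if (addr != "127.0.0.1" && addr != "::1") print port
    }' | sort -nu
}

# ufw_baseline: deny all inbound traffic by default, allow outbound, and enable
# the firewall. Refuses to run when ufw is absent so the file stays safe to
# source on a machine without it. Run as root, and add explicit `ufw allow`
# rules for any service that must stay reachable before calling this.
ufw_baseline() {
    command -v ufw >/dev/null 2>&1 || { echo "ufw not installed: apt-get install ufw" >&2; return 1; }
    ufw default deny incoming
    ufw default allow outgoing
    ufw --force enable
}

# Demonstration against the constructed sample. On a live host use:
#   ss -ltn | exposed_ports
echo "listening TCP ports:"
printf '%s\n' "$SAMPLE_SS" | listening_ports
echo "ports reachable from the network (candidates to firewall or disable):"
printf '%s\n' "$SAMPLE_SS" | exposed_ports
```

On the sample, all three ports are listening but only 111 (rpcbind, bound to 0.0.0.0 and ::) is reachable from the network; that is the one a default firewall would close. `ufw_baseline` is deliberately not called at the top level, since it changes the host's firewall state.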
Mandatory Access Control (MAC) programs available in the repository are SELinux and Tomoyo Linux. Although not as well known as SELinux, Tomoyo Linux, an NTT Data Corporation-sponsored project, provides MAC and system analysis services. It is said to be more noob-friendly than SELinux and AppArmor, a MAC program sponsored by Canonical, the parent company of Ubuntu.
Suggestions: Because of the Debian Free Software Guidelines, a Debian distribution is never going to meet your desktop computing needs out-of-the-box. You will have to spend some time adding alternate repos to your sources.list file and installing several non-free packages. Nothing I write or suggest here is going to change that. There are, however, a few aspects of a new Debian 6 installation that could be improved, which have nothing to do with software licensing. If implemented, these suggestions should make a default installation of Debian better than it is now.
- Like the Fedora and Pardus 2011 installers, the Debian Installer should be designed to enforce a minimum password length for the root and user account passwords. Allowing a user to specify a 1-character password encourages sloppy security behavior.
- Out of the box, every distribution should have a firewall installed and configured. And it makes no difference whether the computer is sitting behind a network firewall or not. There is no good excuse for why a default installation of Debian should not have a security posture on par with that of, say, Fedora and Mandriva. The necessary applications are in the repository.
Resources: You may download 32-bit and 64-bit standard, Live or netinst ISO images of Debian 6.0 here.
Screenshots: View a few more screenshots from my test installation of Debian 6.0.