Quoting: g000hTo be honest, out of the box, Debian doesn't need a firewall to be running. The reason being that there aren't any services (e.g. Apache2, ssh server, ftp, NFS, SMB) running to exploit. I guess it also depends on whether you are running anything dodgy on your machine, i.e. you want outbound rules in place. It is also quite a good idea to have your firewall separate from your desktop, anyway. That way if malware were to run on your desktop it couldn't affect your firewall rules.

I quite like using fail2ban as a safe-guard on my Debian (or Ubuntu or Mint) systems. I also like messing around with iptables or netfilter to customise the rules too, e.g. allow access to specific service from specific ip range.

I love fail2ban, except when I don't. At my last job I had set up PBX in a Flash, and it had fail2ban on there by default. Every once in a while one of the phones would try to authenticate and fail and retry several times until fail2ban would block it for 30m

If anyone wants some protection, I'd suggest doing fail2ban, suricata, psad, and arno-iptables-firewall (or whatever firewall program you prefer).
For those who don't know what they do;
Fail2Ban: auto-firewall rule generator based on authentication/access failures.
Suricata: Intrusion Detection System (replacement to snort)
PSAD: Port Scan Attack Detector (this is actually kind of scary when you see all the crap Windows scans for)
arno-iptables-firewall is just a nice wrapper around iptables (as any firewall should be on Linux)

Quoting: slaapliedje

Quoting: g000hTo be honest, out of the box, Debian doesn't need a firewall to be running. The reason being that there aren't any services (e.g. Apache2, ssh server, ftp, NFS, SMB) running to exploit. I guess it also depends on whether you are running anything dodgy on your machine, i.e. you want outbound rules in place. It is also quite a good idea to have your firewall separate from your desktop, anyway. That way if malware were to run on your desktop it couldn't affect your firewall rules.

I quite like using fail2ban as a safe-guard on my Debian (or Ubuntu or Mint) systems. I also like messing around with iptables or netfilter to customise the rules too, e.g. allow access to specific service from specific ip range.

I love fail2ban, except when I don't. At my last job I had set up PBX in a Flash, and it had fail2ban on there by default. Every once in a while one of the phones would try to authenticate and fail and retry several times until fail2ban would block it for 30m

If anyone wants some protection, I'd suggest doing fail2ban, suricata, psad, and arno-iptables-firewall (or whatever firewall program you prefer).
For those who don't know what they do;
Fail2Ban: auto-firewall rule generator based on authentication/access failures.
Suricata: Intrusion Detection System (replacement to snort)
PSAD: Port Scan Attack Detector (this is actually kind of scary when you see all the crap Windows scans for)
arno-iptables-firewall is just a nice wrapper around iptables (as any firewall should be on Linux)

Great info, thanks! :)

I switched from Mint to LMDE, to eventually pure debian for my server and my gaming machine (before it burst into flames, literally).

For my home server, I still use Debian Stable with a few modifications (backports, extra repos). I can say that in the 7 years I've run Debian on the server, I've had 0 breakages or issues (that weren't user errors!).

I'd agree that it is harder to setup, but if you feel comfortable with your Mint or Ubuntu system, its not too much of a leap to install Debian. While I plan on trying a few other Distros in a few years after I've saved the money to build a new gaming rig, I must say I've had a really good experience with Debian Testing as a gaming/Desktop machine. It is up-to-date without being too bleeding edge, which is a nice middle ground for me.

Also, to the other posters with the security tips. Thanks for those! I use Fail2ban and SSH keys, but never thought of logwatch or the port scan defense. Much appreciated!

I do love Debian, but I have never tried running it as a desktop other than demoing it in a virtual machine. It's hard to imagine departing Arch packages and the AUR. That said, I'm on the opposite spectrum when it comes to servers. Debian Stable servers FTW! Rock solid.

I do have a question to the OP: How do you have your screensaver / power settings / light locker configured? Working out okay? I was irritated how much trial and error I had to go through in XCFE to get those settings to work how I wanted in conjunction with caffeine. I eventually gave up and switched my side computer back to Antergos + KDE, even though I wanted a lighter DE. It does exactly what I want.

Project Update -

Been 3 months already since I made this eh? Time surely flies. Amongst replacing faulty ram and blown up power supply, I maintained my Debian 9 setup and slowly chipped away at it from various angles.

First of all let me say why I chose Stable: living on the edge is not crucial for me (2 of my systems are running Mint 17 - based off Ubuntu 14.04 mind you), the PC is not always connected to the internet and the Debian ISO's let me build a static offline repo hassle-free. Lastly, I wanted to experience a more complex distro and build it using only the packages I needed.

So far with it I have:

- Almost made a 1:1 appearance of my Mint (MATE) desktop.
- Tested a ton of games, all played fine.
- Tried my hand at compiling from source - successfully built latest Wine 3.1 and a handful of open source games: SuperTuxKart, Warzone 2100, FreeCiv and Wesnoth. Just for practice.

It is worth noting that at the time I installed this I used the 9.2.1 ISO's, I have since updated all the offline repositories using the Debian 9.3 update and successfully upgraded the system through synaptic. I also created a "3rd party" repo with my own packages.

Overall I'm very happy, it's super stable and highly customizable and I've learned a lot experimenting with it. Suffice to say when Debian 10 lands it will replace Mint across all my machines.

Another thing I would like to mention with Debian 9, is that the packages aren't as old as some people may think. I found many of them quite modern, some of them are even newer than my Mint 18.1 - Ryzen system.

-----
System used:

Intel Core 2 Quad Q6600
4GB DDR2 Ram (2x2)
Nvidia GT 1030 (384.111)
MATE Desktop Environment with a touch of Gnome programs