Debian 9 VirtualBox

June 23, 2017

This is a brief article about installing VirtualBox on a new installation of Debian 9. We also provide some suggestions with instructions on which type of security-related VMs you may wish to build afterwards.

Begin by downloading the Debian 9.0 64-bit network installer, verify its integrity and copy the ISO directly onto a blank USB stick (512 MB is sufficient) using the Linux dd command. Below is its SHA256 hash at this time of writing:

user@linux:~$ sha256sum debian-9.0.0-amd64-netinst.iso 
9d98f339016dc2a3998881949a8f0678baede26b5106f18ef1168d7e13606773
  debian-9.0.0-amd64-netinst.iso

WARNING: For those not familiar with dd, understand that the command below should only be performed if /dev/sdb represents your USB stick, otherwise you risk permanently overwriting something you did not intend to (dd is "unforgiving" and will gladly overwrite your entire hard drive without hesitation if you make a single typo). You can use the command dmesg shortly after having inserted your USB stick to discover which device letter it is associated with. If your dd version is 8.24 or later you can append the parameter status=progress to the command below to observe its progress. Also note that if you wish to reuse your USB stick after the installation, you will need to reformat it with a tool such as gparted. If you are unsure about any of this, do not use dd and instead use a tool such as Win32 Disk Imager:

root@linux:/# dd if=debian-9.0.0-amd64-netinst.iso bs=4096 of=/dev/sdb

Proceed to install Debian 9 by inserting the USB stick into your computer and boot from it. If your computer fails to recognize the USB device as bootable (we have encountered this before when using dd to write an ISO image) then rewrite the USB stick with a dedicated ISO image writer software instead of dd. The installation of Debian 9 is pretty straightforward. At the partition disk screen, we selected separate /home, /var, and /tmp partitions. For the following screen we select Cinnamon as our desktop environment instead of GNOME or KDE. If you've never tried Cinnamon before, now is the time.


Optional: Once Debian is installed and your computer has booted, launch Synaptic Package Manager to uninstall any software you consider unnecessary (for example the dozen pre-installed games, Cheese if you don't use a webcam, GIMP if you don't need it, etc.). A method for doing this in Synaptic is to click on the Status button in the bottom left and click on Installed at the top left in order to show only installed packages, then go through the list and right-click on unnecessary packages and select "Mark for Complete Removal" and click on Apply to remove. Make sure to pay attention to any subsequent messages asking you to mark additional required changes. If those packages appear to be critical or whenever you are unsure, click Cancel. Alternatively hold off on this for now and test it first in your Debian 9 test VM - discussed later in this article. You can hold SHIFT or CTRL to select multiple items at once.


While you have Synaptic open, consider taking this opportunity to install useful packages such as ufw, nmap, and tcpdump. If you install ufw (stands for "Uncomplicated Firewall") make sure to also enable it with the following commands:

root@debian:~# ufw default deny
root@debian:~# ufw enable
root@debian:~# ufw status verbose

Next, modify your sources.list file to add VirtualBox as a source:

root@debian:~# nano /etc/apt/sources.list

by adding the following at the bottom of the sources.list file:

deb http://download.virtualbox.org/virtualbox/debian stretch contrib

Download the VirtualBox public key:

user@debian:~$ wget -S https://www.virtualbox.org/download/oracle_vbox_2016.asc

then add the key and verify it. You can also verify the key prior to adding it by using the gpg --list-packets command against the file:

root@debian:~# apt-key add oracle_vbox_2016.asc
root@debian:~# apt-key list
/etc/apt/trusted.gpg
--------------------
pub   rsa4096 2016-04-22 [SC]
      B9F8 D658 297A F3EF C18D  5CDF A2F6 83C5 2980 AECF
uid           [ unknown] Oracle Corporation (VirtualBox archive signing key) <info@virtualbox.org>
sub   rsa4096 2016-04-22 [E]

<snip>

Visit pgp.mit.edu to compare the keys.

Perform an apt-get update, then install VirtualBox. One of the advantages of installing VirtualBox through this method instead of installing it via a manual download from virtualbox.org is that this method will automatically install all necessary dependencies such as gcc, make, linux-headers, etc. Updates for VirtualBox will now also be accessible through normal apt-get update & upgrade commands:

root@debian:~#apt-get update
root@debian:~#apt-get install virtualbox-5.1

After VirtualBox installs, add your user account to the vboxusers group, where <user> is the username of your account:

root@debian:~# usermod -a -G vboxusers <user>

Download the VirtualBox Oracle VM VirtualBox Extension Pack, verify its hash (link provided is for version 5.1.22) and install it:

user@debian:~$ sha256sum Oracle_VM_VirtualBox_Extension_Pack-5.1.22-115126.vbox-extpack
244e6f450cba64e0b025711050db3c43e6ce77e12cd80bcd08796315a90c8aaf
  Oracle_VM_VirtualBox_Extension_Pack-5.1.22-115126.vbox-extpack

To do so, click on Oracle VM VirtualBox in the Debian start menu (it will appear under the Administration category as shown below -- for ease of access you should right-click on it and select Add to panel or Add to favorites).

After launching VirtualBox click on File | Preferences | Extensions, and on the right click on the blue icon with the orange triangle to select and install the extension pack. Note that whenever your computer upgrades its version of VirtualBox, you will need to go to virtualbox.org and download and reinstall the latest Extension Pack.


Once you've installed the extension pack you can go ahead and start building some VMs.

Virtual Machine Ideas

You can create a minimalist VM that is dedicated to web surfing potentially malicious web sites which you revert to the previous snapshot when completed. Similarly you could create a VM that is configured with high private browsing settings which would be used for casual web browsing in which you want the least amount of residual tracking, but would not be used for your online banking since your bank site would likely keep asking you to answer security questions upon every visit since your history would not be kept. In this latter setup we would recommend coupling this with the browser extensions HTTPS Everywhere and uBlock Origin, and configure your browser to always clear its history upon exit.

Another idea could be to create a honeypot VM (articles here and here) which you would bridge its network adapter to your home network so that it appears on the LAN instead of being NAT'd behind your host. There are also some security appliances which you could set up at home to provide internet traffic filtering, to prevent your IoT devices from phoning home to certain sites.

It could be interesting to set up a VM that is used solely as an email client for accessing private and secure webmail service such as ProtonMail and Tutanota, with "throw-away" email accounts which you use to sign up to various online mailing lists whenever you wish to maintain your privacy. You could couple this with a free VPN service such as ProtonVPN.

Although less interesting, a useful VM which you should deploy is to create another instance of the same configuration of your Debian 9 host that you use for testing major changes before doing so on your host computer. If you frequently use this Debian 9 test VM and it is not accessible remotely, you may wish to enable auto-login. To do so (if using cinnamon) edit /etc/lightdm/lightdm.conf and under the [Seat:*] section uncomment the entry autologin-user= to specify the username to auto-login.

For those who wish to start setting up some automation, refer to this article to see examples on how to manage the VMs at the command-line.