Actions

Advanced Host Security

From Whonix


Host232security23434234.jpg

Whonix ™ comes with many security features [archive]. Whonix ™ is Kicksecure ™ security hardened by default and also provides extensive Documentation including a System Hardening Checklist. The more you know, the safer you can be.

This page is targeted at advanced users who wish to improve the general security of their host operating system to become even more secure.

apt-transport-tor[edit]

apt-transport-tor is a package that allows host operating systems or non-Whonix-Workstation ™ VMs that are not behind a torifying gateway (like Whonix-Gateway ™) to torify their APT traffic for individual repositories.

With non-Whonix ™ systems in mind, for security reasons APT blocks clearnet connections to .onion domains by default. APT developers want to protect users from accidentally trying to use .onion repositories without using Tor. Otherwise, a rogue DNS server could redirect users to a false domain and trick them into thinking they are using Tor when they are not.

Strictly speaking, there is no need to use apt-transport-tor inside Whonix ™ VMs since all traffic is already routed over Tor. APT is stream-isolated using a pre-configured uwt wrapper. In other words, APT in Whonix ™ is already talking to a Tor SocksPort. Nevertheless, apt-transport-tor (tor+http) is the default from Whonix ™ 14 onward because it provides better error handling and stream isolation. [1] [2] [3]

DMZ[edit]

If users have a shared network -- such as a cable modem/router or ADSL/router setup that is utilized by others -- then consider configuring a Whonix-Gateway ™ (sys-whonix) DMZ [archive].

A properly configured DMZ restricts Whonix-Gateway ™ (sys-whonix) from accessing, and being accessible to, other nodes on the network like printers, phones, computers and laptops. This is true even if root access is somehow achieved.

Should an incursion take place, a DMZ prevents an adversary from exploring other systems and possibly compromising them. However, in this case a DMZ does not protect the user's anonymity, since the adversary could just ping a remote server and discover the real IP address. Another benefit of a DMZ is that should other systems be compromised, it is more difficult to compromise Whonix-Gateway ™ (sys-whonix).

Hardware Security[edit]

Info Whonix ™ cannot provide protection against hardware backdoors.

Trusted computer hardware is fundamental to anonymity and security. It is recommended to purchase and use "clean" computers that have components manufactured by reputable companies. It is preferable to pay in cash so hardware IDs do not leak your identity.

As outlined in the System Configuration and Access entry, it is safest to purchase a computer that is solely used for Whonix ™ activities because this minimizes the risk of a prior hardware compromise.

Key Hardening Steps[edit]

For greater security, advanced users should harden the host OS as much as is practicably possible. This includes, but is not limited to applying relevant steps from the System Hardening Checklist and instructions found throughout this section:

Layered Defense[edit]

Attack Surface Reduction[edit]

In addition to the checklist above, it is suggested to also follow the principles of minimizing the attack surface [archive] of the OS, and securely configuring services -- for example when using SSH, implementing Fail2ban [archive] so only key authentication is allowed.

The attack surface concept deserves more consideration. Simply put, it is the sum of different attack vectors (aggregate of vulnerabilities) where an unauthorized user can try to enter or extract data from an environment. [4] To reduce the attack surface and mitigate risks, it is necessary to: [5]

  • Enforce least privilege for all executed processes and reduce entry points for untrusted users.
  • Control system and network segment access across the network, for example, reduce (unauthenticated) access to network endpoints.
  • Minimize exposed system targets by reducing the amount of code running and removing unnecessary functionality.
  • Remove or shutdown software and services (channels, protocols) that are infrequently or rarely used.
  • Frequently patch security vulnerabilities.

Proactive Defenses[edit]

This includes, but is not limited to:

Retroactive Defenses[edit]

The usefulness of this approach is limited because it does not prevent security breaches; it can only help in making future breaches less probable:

The programs listed in this section are only a very brief introduction to this topic. If interested, users should research these topics in depth because they are beyond the scope of this guide.

One VM Whonix ™ Configuration[edit]

Ambox warning pn.svg.png Warning: The one VM Whonix ™ configuration has been deprecated because there is no contributor. Use at your own risk!

This platform was developed and tested successfully for Whonix ™ v0.1.3.

Basically, it is possible to use one VM instead of two, with Tor running on the host OS and a single client VM routing activities via Tor. This configuration has several advantages and disadvantages relating to security and other matters. For further information, see OneVM.

Separate VirtualBox User Account[edit]

Security-wise, it makes sense to create a separate user account solely for using VirtualBox, which is not in the admin/sudo group.

Tor[edit]

See Tor.

Torify APT Traffic[edit]

It is recommended to torrify APT's traffic on the host for several reasons:

  • Each machine has its own unique package selection. This allows location tracking, because systems can be fingerprinted across physical networks as system updates are performed.
  • System updates leak sensitive security information like package versions and the varying patch levels. This information aids targeted attacks.

Follow the instructions below to torify APT traffic in Debian. [6]

1. Install apt-transport-tor from the Debian repository. 

sudo apt install apt-transport-tor

2.Edit the sources.list to include only tor:// URLs for every entry.

Open file /etc/apt/sources.list in an editor with root rights.

This box uses sudoedit for better security [archive]. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link. 

sudoedit /etc/apt/sources.list

3. Save and exit.

Other URL Configurations

Alternatively, the tor+http:// URL scheme is possible.

apt-transport-tor can also in theory be combined with apt-transport-https, leading to the tor+https:// URL scheme. [7] In practice at time of writing no major repository (such as the Debian repository) supported tor+https://.

Note that changing ftp.us.debian.org to http.debian.net picks a mirror near to whichever Tor exit node is being used. Throughput is surprisingly fast. [8] Also be aware that all public-facing debian.org FTP services were shut down on November 1, 2017 [archive]. [9]

Debian URLs can also be pointed to the available onion services http://2s4yqjx5ul6okpp3f2gaunr2syex5jgbfpfvhxxbbjwnrsvbk5v3qbid.onion [archive] and http://sgvtcaew4bxjd7ln.onion [archive]. This is the most secure option, as no package metadata ever leaves Tor. [10] [11] [12] This URL scheme also protects from system compromise in the event APT has a critical security bug. The following entries should work in the sources list: 

deb  tor+http://vwakviie2ienjx6t.onion/debian          bullseye            main
deb  tor+http://vwakviie2ienjx6t.onion/debian          bullseye-updates    main
deb  tor+http://sgvtcaew4bxjd7ln.onion/debian-security bullseye/updates    main

#deb tor+http://vwakviie2ienjx6t.onion/debian          bullseye-backports  main

Tor Traffic Whitelisting Gateway[edit]

Info corridor is a filtering gateway that only allows connections to Tor relays to pass through. It is not a proxying gateway.

It is possible to configure Whonix-Gateway ™ (sys-whonix) to use corridor as a local proxy to establish the following tunnel:

UsercorridorTorInternet

This approach is not necessarily more anonymous, but it is an additional fail-safe since a Tor traffic whitelisting gateway can help protect from accidental clearnet leaks.

Virtualization Platform[edit]

VirtualBox[edit]

VirtualBox is developed by Oracle, a company which has a reputation of not being very "open". In the past, concerns have been raised about how they announce security issues in their products and how well they communicate with each other, leading to a negative perception by the security community.

VirtualBox is primarily a simple, "user-friendly", desktop solution and is most certainly not designed with the Whonix ™ threat model in mind. Development is reported to be at a standstill and the author is not aware of any serious code audits having been completed. [13] Whonix ™ developers would like to recommend a different VM solution at least as an alternative, but many popular, open source options like KVM and Xen are not cross-platform. Further, the latter examples seem to still lack a reliable "internal networking" feature, which Whonix ™ heavily depends upon. Any readers who have in-depth knowledge of this issue are encouraged to edit this paragraph accordingly.

Users that have a strong preference for security should strongly consider using Qubes-Whonix ™, if they have suitably modern hardware. In short, Qubes-Whonix ™ is more secure than the default Whonix ™ configuration using a Type 2 hypervisor like VirtualBox.

Related VirtualBox Links:

See also:

Secure Labeling[edit]

VirtualBox has a secure labeling feature (VBoxSDL) [archive] which has not yet been implemented in Whonix ™. [14] This feature addresses the security risk of running in full screen mode:

When running guest operating systems in full screen mode, the guest operating system usually has control over the whole screen. This could present a security risk as the guest operating system might fool the user into thinking that it is either a different system (which might have a higher security level) or it might present messages on the screen that appear to stem from the host operating system.


In order to protect the user against the above mentioned security risks, the secure labeling feature has been developed. Secure labeling is currently available only for VBoxSDL. When enabled, a portion of the display area is reserved for a label in which a user defined message is displayed. The label height in set to 20 pixels in VBoxSDL. The label font color and background color can be optionally set as hexadecimal RGB color values.

Any readers who are knowledgeable in this area are encouraged to share their expertise and edit this section accordingly.

Before this feature could be implemented in Whonix ™, one prerequisite is that users do not end up with a non-standard desktop resolution, as this degrades anonymity as per Protocol Leak Protection and Fingerprinting Protection.

Whonix ™[edit]

Info Qubes-Whonix ™ is recommended for the majority of users seeking a higher security solution.

As noted in the Virtualization Platform Security entry, there are two platforms providing greater security than the standard host OS / Type 2 hypervisor Whonix ™ configuration:

In contrast to Qubes-Whonix ™, physical isolation is:

  • Difficult to set up.
  • Inconvenient and still experimental.
  • Requires a significant time investment.
  • Not clearly superior to Qubes' compartmentalized software approach [archive].
  • Does not support Qubes features like:
    • DisposableVMs.
    • A USB VM.
    • Secure copy and paste operations.
    • Secure copying and transfer of files.
    • PDF/image sanitization.
    • An ephemeral Whonix-Gateway ™ ProxyVM and/or Whonix-Workstation ™ AppVM. [15]

In summary, users should prefer Qubes for a higher-security solution since it supports a host of features unavailable in the Type 2 hypervisor model (VirtualBox, KVM, VMware etc.).

See Also[edit]

Footnotes[edit]

  1. source: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754242#54 [archive]

    That said, it might make sense to use a-t-tor anyhow even if not strictly needed as it will deal better with certain tor anomalies given that it knows tor is involved reporting better errors (like telling you that the .onion address you typo'ed is too long/short; saying "unreachable host" if a service is… well, not reachable, instead of saying "TTL expired" which is reported by Tor and technically more correct but unhelpful), will use different circuits for different sources and stuff.

  2. For instance it reports if the .onion address is too long or short, and will use different circuits for different sources.
  3. apt-transport-tor will not result in Tor over Tor scenarios due to built-in Whonix ™ settings preventing this [archive].
  4. Wikipedia: Attack surface [archive]
  5. http://resources.infosecinstitute.com/attack-surface-reduction/ [archive]
  6. https://packages.debian.org/apt-transport-tor [archive]
  7. https://lwn.net/Articles/672350/ [archive]
  8. https://retout.co.uk/blog/2014/07/21/apt-transport-tor [archive]
  9. ftp://ftp.debian.org and ftp://security.debian.org
  10. http://richardhartmann.de/blog/posts/2015/08/24-Tor-enabled_Debian_mirror [archive] /
  11. https://onion.debian.org [archive]
  12. https://onion.torproject.org [archive]
  13. https://developers.slashdot.org/story/15/01/30/1530245/virtualbox-development-at-a-standstill/ [archive]
  14. Partially because it is not available on the macOS platform.
  15. In Qubes R4.
Fosshost is sponsors Kicksecure ™ stage server 100px
Fosshost About Advertisements

Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki

Follow: 1024px-Telegram 2019 Logo.svg.png Iconfinder Apple Mail 2697658.png Twitter.png Facebook.png Rss.png Reddit.jpg 200px-Mastodon Logotype (Simple).svg.png

Support: Discourse logo.png

Donate: Donate Bank Wire Paypal Bitcoin accepted here Monero accepted here Contribute

Whonix donate bitcoin.png Monero donate Whonix.png United Federation of Planets 1000px.png

Twitter-share-button.png Facebook-share-button.png Telegram-share.png link=mailto:?subject=Advanced Host Security&body=./Advanced_Host_Security link=https://reddit.com/submit?url=./Advanced_Host_Security&title=Advanced Host Security link=https://news.ycombinator.com/submitlink?u=./Advanced_Host_Security&t=Advanced Host Security link=https://mastodon.technology/share?message=Advanced Host Security%20./Advanced_Host_Security&t=Advanced Host Security

Did you know that Whonix ™ could provide protection against backdoors? See Verifiable Builds. Help is wanted and welcomed.

https link onion link Priority Support | Investors | Professional Support

Whonix | © ENCRYPTED SUPPORT LP | Heckert gnu.big.png Freedom Software / Osi standard logo 0.png Open Source (Why?)

The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.

Retrieved from "https://www.whonix.org/w/index.php?title=Advanced_Host_Security&oldid=70356"
By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent.
More information