Whonix-Gateway Security Hardening
From Whonix
Introduction[edit]
Tip: Disabling Control Port Filter Proxy [archive] (onion-grater) can improve security by decreasing the attack surface, while sacrificing usability.
Note that if onion-grater is disabled, users will no longer receive helpful Whonix ™ notifications when Tor is not fully bootstrapped, since the whonixcheck and sdwdate tools rely upon it.
How-to: Disable Control Port Filter Proxy[edit]
Whonix-Gateway ™[edit]
Deactivate onion-grater in Firewall[edit]
1. Modify Whonix-Gateway ™ User Firewall Settings.
Note: If no changes have yet been made to Whonix ™ Firewall Settings, then the Whonix ™ User Firewall Settings File /usr/local/etc/whonix_firewall.d/50_user.conf appears empty (because it does not exist). This is expected.
If using Qubes-Whonix ™, complete these steps.
In Whonix-Gateway ™ App Qube. Make sure folder /usr/local/etc/whonix_firewall.d exists.
sudo mkdir -p /usr/local/etc/whonix_firewall.d
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ App Qube (commonly called sys-whonix) → Whonix ™ User Firewall Settings
If using a graphical Whonix-Gateway ™, complete these steps.
Start Menu → Applications → Settings → User Firewall Settings
If using a terminal-only Whonix-Gateway ™, complete these steps.
In Whonix-Gateway ™, open the whonix_firewall configuration file in an editor.
sudoedit /usr/local/etc/whonix_firewall.d/50_user.conf
For more help, press on Expand on the right.
Note: This is for informational purposes only! Do not edit /etc/whonix_firewall.d/30_whonix_gateway_default.conf.
Note: The Whonix ™ Global Firewall Settings File /etc/whonix_firewall.d/30_whonix_gateway_default.conf contains default settings and explanatory comments about their purpose. By default, the file is opened read-only and is not meant to be directly edited. Below, it is recommended to open the file without root rights. The file contains an explanatory comment on how to change firewall settings.
## Please use "/etc/whonix_firewall.d/50_user.conf" for your custom configuration,
## which will override the defaults found here. When {{project_name}} is updated, this
## file may be overwritten.
See also Whonix modular flexible .d style configuration folders.
To view the file, follow these instructions.
If using Qubes-Whonix ™, complete these steps.
Qubes App Launcher (blue/grey "Q") → Template: whonix-gw-16 → Whonix Global Firewall Settings
If using a graphical Whonix-Gateway ™, complete these steps.
Start Menu → Applications → Settings → Global Firewall Settings
If using a terminal-only Whonix-Gateway ™, complete these steps.
In Whonix-Gateway ™, open the whonix_firewall configuration file in an editor.
nano /etc/whonix_firewall.d/30_whonix_gateway_default.conf
2. Add the following content.
CONTROL_PORT_FILTER_PROXY_ENABLE=0
3. Save the file.
4. Reload Whonix-Gateway ™ Firewall.
If you are using Qubes-Whonix ™, complete the following steps.
Qubes App Launcher (blue/grey "Q") → Whonix-Gateway ™ ProxyVM (commonly named sys-whonix) → Reload Whonix ™ Firewall
If you are using a graphical Whonix-Gateway ™, complete the following steps.
Start Menu → Applications → System → Reload Whonix ™ Firewall
If you are using a terminal-only Whonix-Gateway ™, run.
sudo whonix_firewall
Deactivate onion-grater[edit]
1. Stop onion-grater.
sudo service onion-grater stop
2. Disable autostart of onion-grater.
sudo systemctl mask onion-grater
3. Reboot.
4. Check if onion-grater is still running or disabled.
ps aux | grep onion-grater
If output similar to the following appears, then disabling did not work.
onion-g+ 911 3.2 1.9 66444 20644 ? Ss 12:21 0:00 /usr/bin/python3 -u /usr/lib/onion-grater --debug --listen-interface eth1
Deactivate whonixcheck onion-grater Running Test[edit]
1. Open file /etc/systemcheck.d/50_user.conf in an editor with root rights.
This box uses sudoedit for better security [archive]. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.
sudoedit /etc/systemcheck.d/50_user.conf
2. Add the following content.
whonixcheck_skip_functions+=" check_control_port_filter_running "
3. Save the file.
Whonix-Workstation ™[edit]
Deactivate whonixcheck Tor Bootstrap Test[edit]
Because it relies on onion-grater.
1. Open file /etc/systemcheck.d/50_user.conf in an editor with root rights.
This box uses sudoedit for better security [archive]. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.
sudoedit /etc/systemcheck.d/50_user.conf
2. Add the following content.
whonixcheck_skip_functions+=" check_tor_bootstrap "
3. Save the file.
Deactivate sdwdate Connectivity Test[edit]
Whonix-Workstation ™ only.
1. Open file /usr/lib/helper-scripts/te_pe_tb_check in an editor with root rights.
This box uses sudoedit for better security [archive]. This is an example and other tools can also achieve the same goal. If this example does not work for you or if you are not using Whonix ™, please refer to this link.
sudoedit /usr/lib/helper-scripts/te_pe_tb_check
2. Replace the existing content with the following text.
#!/bin/bash exit 0
3. Save the file.
4. Restart sdwdate.
sudo systemctl restart sdwdate
The procedure is complete.
Be aware that this setting will not persist after any upgrade of sdwdate, nor is sdwdate currently configurable. [1]
Tor Browser Updater[edit]
In order to update Tor Browser using Tor Browser Updater by Whonix ™ developers while onion-grater is disabled, complete the following step. [2]
update-torbrowser --no-tor-con-check
Or create a file /etc/torbrowser.d/50_user.conf with the following content.
TB_NO_TOR_CON_CHECK="1"
Static VirtualBox IP[edit]
Instead of using DHCP to obtain the internal IP address for the Whonix-Workstation ™ eth0 NAT adapter, a static IP can be used instead. This might marginally improve security because the DHCP package can then be removed.
Open /etc/network/interfaces.d/30_non-qubes-whonix on GitHub [archive] and read the comments. Then, comment out DHCP and comment in Static VirtualBox IP.
Footnotes[edit]
- ↑ Any Whonix ™ users interested in further development should create a relevant ticket on Phabricator [archive].
- ↑ It is far simpler to update using Tor Browser's internal updater instead.
Whonix ™ is Supported by Evolution Host DDoS Protected VPS. Stay private and get your VPS with Bitcoin or Monero.
|
100px |
| Fosshost | About Advertisements |
Search engines: YaCy | Qwant | ecosia | MetaGer | peekier | Whonix ™ Wiki
.svg.png&filetimestamp=20200623163525&.html){kind=small}
Interested in becoming an author for the Whonix ™ News Blog or writing about anonymity, privacy and security? Please get in touch!
Priority Support | Investors | Professional Support
Whonix ™ | © ENCRYPTED SUPPORT LP | 
Freedom Software / 
Open Source (Why?)
The personal opinions of moderators or contributors to the Whonix ™ project do not represent the project as a whole.