Ubuntu Tips

From Whonix

About this Ubuntu Tips Page
Contributor maintained wiki page.
Support Status: unmaintained
Difficulty: medium
Contributor: none

Most simple, least secure


Unofficial video showing how to use Whonix-Gateway to torify Ubuntu.

HTML5 video; it plays without Flash inside Tor Browser. It shows the easiest, but least secure, option; see the YouTube link.

More secure

Tested with Debian and Ubuntu.

Download Ubuntu (or use a different install CD or iso file) and verify it as described in VerifyIsoHowto.

Create a new VM and choose the following settings: under Network, set Adapter 1 to "Internal Network" and rename "intnet" to "Whonix".

You can use the Live environment or install Ubuntu. When the installer asks questions, generally choose the default, most common or otherwise non-identifying options:

  • Language: English
  • Keymap: choose yours (potentially risk...)
  • Country: leave it as it is: United States (New York for Ubuntu 14.04)
  • User Name (full name): leave blank
  • Host Name: host
  • Time Zone: change it to UTC (it is at the very bottom of the list; for Ubuntu 14.04 change it later using tzdata as instructed below)
  • Username (account name): user

This ensures that all Whonix users have the same settings. It is also safer when an application leaks such data: SSH, for example, sends your current account name to the server when you simply run ssh some.host.name, and it would be very bad if this were your real name or anything else that identifies you.

Reboot into the freshly installed system and open a terminal.

If you forgot to set the time zone to UTC, you can do so at any time by typing the following into the terminal:

sudo dpkg-reconfigure tzdata

Remove Ubuntu's "phone home" program(s). If any of these packages is not installed, the error message indicates which one to delete from the command. In a terminal type:

sudo apt --yes remove canonical-census unity-lens-shopping unity-scope-video-remote unity-scope-musicstores

DHCP auto-configuration software such as network manager has to be removed, since we are using static networking.

sudo apt remove isc-dhcp-client isc-dhcp-common network-manager network-manager-gnome resolvconf

Set up a fixed IP for the virtual LAN network card, in the same subnet the Whonix-Gateway uses for the Internal Network. (If you kept network manager on a Linux desktop, you can use its GUI for this step instead.) Otherwise, open a terminal:

Open file /etc/network/interfaces in an editor with root rights. sudoedit is used here for better security; this is just an example, other tools could achieve the same goal. If this example does not work for you or if you are not using Whonix, please refer to this link.

sudoedit /etc/network/interfaces

Qubes-Whonix notes:

  • When using Qubes-Whonix, this needs to be done inside the Template.
  • After applying this change, shut down the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Qubes-Whonix.

You only need to configure eth0:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface, leave as it is
auto lo
iface lo inet loopback

# The virtual LAN card attached to the "Whonix" internal network
auto eth0
#iface eth0 inet dhcp
iface eth0 inet static
    # increment the last octet on additional workstations
    address 10.152.152.50
    netmask 255.255.192.0
    # network and broadcast are optional; ifupdown derives them from
    # address and netmask (10.152.128.0/18 here)
    #network 10.152.128.0
    #broadcast 10.152.191.255
    gateway 10.152.152.10

Open file /etc/resolv.conf in an editor with root rights (sudoedit for better security; the same Qubes-Whonix Template notes as for /etc/network/interfaces apply):

sudoedit /etc/resolv.conf

If /etc/resolv.conf is auto-generated (for example because resolvconf is still installed), edit the base file instead (again inside the Template on Qubes-Whonix):

sudoedit /etc/resolvconf/resolv.conf.d/base

In either file, delete everything, then add

nameserver 10.152.152.10

Update package lists.

sudo apt update

Get latest updates.

sudo apt full-upgrade
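The static networking steps above (fixed eth0 address in the gateway's subnet, gateway as the only nameserver), as an added example script that is not part of the Whonix documentation: it generates the interfaces and resolv.conf contents for a given workstation octet and refuses addresses that collide with the gateway or fall outside its /18. The gateway address 10.152.152.10 and netmask 255.255.192.0 are taken from the interfaces file above; the TARGET directory variable and the 11..254 octet range are this example's own assumptions.

```shell
#!/bin/sh
# Generate and sanity-check static networking files for a Whonix-Workstation
# on the "Whonix" internal network. Added example, not Whonix project code.
# Assumptions: the Whonix-Gateway is 10.152.152.10 on 10.152.128.0/18 (as in
# the interfaces file above); TARGET defaults to a scratch directory so the
# script can run without root. Use TARGET=/etc as root to apply for real.

GATEWAY=10.152.152.10
NETMASK=255.255.192.0
PREFIX=10.152.152          # workstations get 10.152.152.<octet>

# dotted quad -> integer, shell arithmetic only
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# true (0) when both addresses lie in the network defined by NETMASK
same_subnet() {
    m=$(ip_to_int "$NETMASK")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# address of the workstation with last octet $1; rejects non-numeric input,
# the gateway's own octet (10) and anything that is not a valid host octet
ws_address() {
    n=$1
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    [ "$n" -ge 11 ] && [ "$n" -le 254 ] || return 1
    echo "$PREFIX.$n"
}

# emit the /etc/network/interfaces content for workstation octet $1
interfaces_file() {
    addr=$(ws_address "$1") || return 1
    same_subnet "$addr" "$GATEWAY" || return 1
    cat <<EOF
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address $addr
    netmask $NETMASK
    gateway $GATEWAY
EOF
}

# write network/interfaces and resolv.conf below $TARGET and print that path
write_config() {
    target=${TARGET:-$(mktemp -d)}
    mkdir -p "$target/network"
    interfaces_file "$1" > "$target/network/interfaces" || return 1
    printf 'nameserver %s\n' "$GATEWAY" > "$target/resolv.conf"
    echo "$target"
}
```

Run it as `TARGET=/etc sudo -E sh script.sh` only after reviewing the output of `interfaces_file 50` in a scratch directory; the subnet check is what stops a typo such as 10.152.52.50 from silently producing an unreachable workstation.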

Guest additions for Ubuntu

First try whether the generic VirtualBox Guest Additions instructions work on Ubuntu, because they are a bit shorter and easier.

Otherwise:

On the host:

sudo apt install virtualbox-guest-additions-iso

Inside Whonix-Workstation:

Execute the following commands. They can take a very long time, due to an Ubuntu upstream bug. [1]

sudo apt update
sudo apt full-upgrade
sudo apt install dkms build-essential linux-headers-generic linux-headers-generic-pae

Insert the guest additions iso by clicking on the VM → devices → install guest additions.

sudo mkdir -p /mnt/sr0
sudo mount /dev/sr0 /mnt/sr0
sudo sh /mnt/sr0/VBoxLinuxAdditions.run

Or start autorun.sh (not from a console; strange bug!).

Eject the CD (force the eject if the guest still holds it).

Reboot. Done.

Advanced

About Ubuntu

TODO: This chapter needs revision. Incorporate latest developments:

Privacy in Ubuntu 12.10: Amazon Ads and Data Leaks

While Ubuntu is one of the more secure Linux distributions (see the Overview), it is by no means a secure operating system. It is designed first and foremost to bring Linux to end users, and it does not protect against some of the threat models that some Tor users have.

Here is an (incomplete) list of things the more paranoid user has to consider:

apt as currently used in Ubuntu does not protect against a stale mirror attack (Bug #716535: Please support Valid-Until in release files for security.ubuntu.com), where an adversary serves validly signed but outdated metadata to prevent users from learning about and installing the latest critical security updates. When fetching updates over Tor the problem is smaller, because circuits change and no single malicious exit relay can realistically serve stale metadata to a user more than once in a row. A malicious mirror is possible, but Whonix-Workstation uses the main US mirror, so any irregularities would be uncovered pretty soon. Of more concern is the clear-text update of the host operating system. There it is a good idea to check yourself how old the repository metadata is:

grep -H "^Date:" /var/lib/apt/lists/*Release
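A more thorough freshness check than the grep above, as an added example that is neither Whonix nor Ubuntu project code: it parses the Date and Valid-Until headers of every Release file apt has fetched and reports ok, stale or expired per file, returning non-zero if any file is not ok. It uses only POSIX sh and awk so that it does not depend on GNU date. The 14-day MAX_AGE_DAYS fallback for mirrors that omit Valid-Until (the Ubuntu bug above), the list directory default, and the sample dates in the comments are this example's assumptions.

```shell
#!/bin/sh
# Check the freshness of apt repository metadata (Date / Valid-Until in
# Release files) to spot a stale-mirror attack. Added example, not Whonix or
# Ubuntu project code. POSIX sh + awk only; no GNU date needed.
# Assumption: dates are RFC 2822 as apt writes them, e.g.
# "Sat, 11 Mar 2023 10:00:00 UTC"; time of day is ignored (day granularity).

MAX_AGE_DAYS=${MAX_AGE_DAYS:-14}   # assumed limit when Valid-Until is absent

# Days since 1970-01-01 for a civil date (year month day), proleptic Gregorian.
days_from_civil() {
    awk -v y="$1" -v m="$2" -v d="$3" 'BEGIN {
        if (m <= 2) y -= 1
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * ((m + 9) % 12) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        print era * 146097 + doe - 719468
    }'
}

# "Sat, 11 Mar 2023 10:00:00 UTC" -> days since the epoch
rfc2822_to_days() {
    set -- $1        # word-split: $2 = day, $3 = month name, $4 = year
    mon=$(( $(awk -v m="$3" 'BEGIN { print index("JanFebMarAprMayJunJulAugSepOctNovDec", m) }') / 3 + 1 ))
    days_from_civil "$4" "$mon" "$2"
}

# first value of header $2 (e.g. Date, Valid-Until) in Release file $1
release_field() {
    sed -n "s/^$2: *//p" "$1" | head -n 1
}

# Classify one Release file against "today" ($2, days since the epoch).
# Prints ok | stale | expired | missing-date; returns 0 only for ok.
release_status() {
    file=$1; today=$2
    date_str=$(release_field "$file" Date)
    [ -n "$date_str" ] || { echo missing-date; return 1; }
    age=$(( today - $(rfc2822_to_days "$date_str") ))
    until_str=$(release_field "$file" Valid-Until)
    if [ -n "$until_str" ]; then
        # the archive bounds its own lifetime: honour that bound
        if [ "$today" -gt "$(rfc2822_to_days "$until_str")" ]; then
            echo expired; return 1
        fi
        echo ok; return 0
    fi
    # no Valid-Until: fall back to our own age limit
    if [ "$age" -gt "$MAX_AGE_DAYS" ]; then echo stale; return 1; fi
    echo ok
}

# Scan every Release file; usage: check_apt_lists [today_days] [lists_dir]
check_apt_lists() {
    today=${1:-$(( $(date -u +%s) / 86400 ))}
    dir=${2:-/var/lib/apt/lists}
    rc=0
    for f in "$dir"/*Release; do
        [ -f "$f" ] || continue
        status=$(release_status "$f" "$today") || rc=1
        printf '%s %s\n' "$status" "$f"
    done
    return $rc
}
```

Run `check_apt_lists` right after `apt update` on the host: an `expired` result means the mirror handed out metadata the archive itself no longer vouches for, and a `stale` result on a repository without Valid-Until is exactly the case the Ubuntu bug leaves undetected.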

From time to time, vulnerabilities that allow installation of untrusted code are discovered in apt. New security features are often implemented in Debian first.

The Ubuntu server kernel comes with everything and the kitchen sink. On any given day the kernel will be vulnerable in one way or another. It is by far the most patched piece of code in a default Ubuntu Server installation, obviously runs at full kernel privilege and naturally cannot be protected by mandatory access control. Whonix-Gateway exposes the kernel to attacks through its firewall, its TCP/IP stack and whatever kernel calls Tor makes or could be compelled to make.

checksec.sh --kernel reports good kernel protection: GCC stack protector support, enforced read-only kernel data and restricted /dev/mem and /dev/kmem access are all enabled.

Userland protection for Tor is good. [2] Unlike Tor Browser, the tor binary distributed via the .deb comes with RELRO, stack canaries etc. and can make full use of ASLR since it is compiled as PIE. With a grsecurity kernel the ASLR entropy would of course be higher.

Footnotes

  1. Unpacking linux-headers unbelievably slow in Lubuntu Precise (Beta 1) (affects Ubuntu precise final as well).
  2. This only applies if you created a Custom-Whonix-Gateway.
