Jump to: navigation, search

Advanced Security Guide/pt

This page is a translated version of the page Advanced Security Guide and the translation is 1% complete.

Other languages:
English • ‎español • ‎português • ‎中文(简体)‎

Contents

Basics

Please understand the basics first, read the Security Education first!

Network Time Synchronization

General

Don't wonder... To prevent against time zone leaks, the system clock inside Whonix was set to UTC. This means it may be a few hours before or ahead of your host system clock. Do not change!

When you suspend/save the state of a VM, clock will stop and continue after resume, thus lag behind. You shouldn't suspend/save the state of Whonix-Gateway. Rather power the Gateway off, if you no longer need it. [1] You can suspend/save the state of Whonix-Workstation, but then the clock will lag behind. To fix it run inside Whonix-Workstation Start Menu -> Applications -> System -> Whonix Timesync.

The host system clock synchronization mechanism still uses unauthenticated NTP from a single source. This is not optimal, but there is no real solution to this problem. [2] The ISP and/or the time server could either non-intentionally or intentionally (as an attack) introduce a clock skew or the host clock could simply malfunction.

If the host clock is too much off, more than one hour in past or more than 3 hour in future, Tor can't connect to the Tor network. [3] The easiest fix in this situation is to manually fix the clock on the host, to power off Whonix-Gateway and to power on Whonix-Gateway again.

Another side effect of the host clock being too much off is, that downloading operating system updates on the host and cryptographic verification, such as verifying SSL certificates on the host browser may no longer be possible, until you manually fix the clock.

Before you think, your ISP is tampering with NTP, ensure first, that not simply the host clock is defect due to an empty battery.

If you should really ever catch your ISP tampering with NTP, you should probably disable it and manually update the host clock out of band, i.e. using a watch or atomic clock. In case it isn't a large scale attack, but a targeted attack, you most likely have already bigger problems to worry about than NTP. (See Warning page chapter Confirmation attacks.)

You have also another option. You could disable NTP on your host and always manually adjust the clock out of band, i.e. using a watch or atomic clock. This might make your clearnet traffic more fingerprintable [4], since it introduces a device issuing clearnet traffic (at least operating system updates, I hope), but not using NTP. I don't know how many people deactivated/broken/uninstalled/never installed NTP. Neither I know, how many people are using alternative time synchronization methods such as authenticated NTP, tails_htp, tlsdate or similar. Search engine research however suggests, that very few people care and do so.

Summary:

  • Needs to be done only after importing the Virtual Machine: Modify --biossystemtimeoffset for all Virtual Machines.
  • Run Secure Network Time Synchronization after suspend/save/resume or do not use suspend/save/resume at all.
  • Tor can't connect if the host clock is too much off. In this case manually fix the host clock, power off Whonix-Gateway and power on Whonix-Gateway again.
  • Keep an eye on the host clock, ensure that it's always somewhat accurate.

Even though it's a difficult topic, you are advised to read Technical Design chapter Dev/TimeSync.

Footnotes. Additional information, reasoning, design for interested users, developers and auditors.

  1. Otherwise Tor can get confused if time is more than 1 hour in past or more than 3 hour in future and will only reconnect to the Tor network, if clock is manually fixed or powered off and powered on again.
  2. See Design: Dev/TimeSync.
  3. Because Tor can't verify the Tor consensus.
  4. See Fingerprint page to find out what fingerprinting means in this case.

Deactivate Automatic TimeSync

Recommended against!
Usually not required!

Run.

sudo update-rc.d sdwdate remove

Create a file /etc/sdwdate.d/50_sdwdate_user.

kdesudo kwrite /etc/sdwdate.d/50_sdwdate_user

And add.

INTERVAL="0"

Deactivate sdwdate plugin timesync.

Whonix 8:

mv /etc/sdwdate.d/31_timesync_plugin /home/user/

Whonix 9:

## Will be probably:
sudo apt-get remove timesync

If you want to manually sync time using sdwdate, then run.

sdwdate

You should see something like this.

50e99987-0ee8-4e17-883e-2aeb58881507: Loaded. | pid: 9766 | LD_PRELOAD: 
50e99987-0ee8-4e17-883e-2aeb58881507: sdwdate_main...
50e99987-0ee8-4e17-883e-2aeb58881507: Running sdwdate...
50e99987-0ee8-4e17-883e-2aeb58881507: sdwdate_preparation: Setting CURL to curl.anondist-orig.
50e99987-0ee8-4e17-883e-2aeb58881507: dispatching pre (SDW_MODE: startup): true
50e99987-0ee8-4e17-883e-2aeb58881507: dispatching prerequisite (SDW_MODE: startup) (CURL: curl.anondist-orig) (LD_PRELOAD: ): /usr/lib/whonix/timesync_prerequisite
50e99987-0ee8-4e17-883e-2aeb58881507: DISPATCH_PREREQUISITE returned 0, continuing...
50e99987-0ee8-4e17-883e-2aeb58881507: getUrlDateDiff: https://www.torproject.org
50e99987-0ee8-4e17-883e-2aeb58881507: dispatching SDWDATE_CURL_DISPATCH_PRE[SDWDATE_POOL_PAL] (SDW_MODE: startup) (CURL: curl.anondist-orig): true
50e99987-0ee8-4e17-883e-2aeb58881507: dispatching SDWDATE_CURL_DISPATCH_POST[SDWDATE_POOL_PAL]: true
50e99987-0ee8-4e17-883e-2aeb58881507: https://www.torproject.org (took 1s) => diff = -170 second(s)
50e99987-0ee8-4e17-883e-2aeb58881507: getUrlDateDiff: https://www.stackexchange.com
50e99987-0ee8-4e17-883e-2aeb58881507: dispatching SDWDATE_CURL_DISPATCH_PRE[SDWDATE_POOL_NEUTRAL] (SDW_MODE: startup) (CURL: curl.anondist-orig): true
50e99987-0ee8-4e17-883e-2aeb58881507: dispatching SDWDATE_CURL_DISPATCH_POST[SDWDATE_POOL_NEUTRAL]: true
50e99987-0ee8-4e17-883e-2aeb58881507: https://www.stackexchange.com (took 1s) => diff = -170 second(s)
50e99987-0ee8-4e17-883e-2aeb58881507: getUrlDateDiff: https://encrypted.google.com
50e99987-0ee8-4e17-883e-2aeb58881507: dispatching SDWDATE_CURL_DISPATCH_PRE[SDWDATE_POOL_FOE] (SDW_MODE: startup) (CURL: curl.anondist-orig): true
50e99987-0ee8-4e17-883e-2aeb58881507: dispatching SDWDATE_CURL_DISPATCH_POST[SDWDATE_POOL_FOE]: true
50e99987-0ee8-4e17-883e-2aeb58881507: https://encrypted.google.com (took 1s) => diff = -169 second(s)
50e99987-0ee8-4e17-883e-2aeb58881507: Median diff: -169 second(s)
50e99987-0ee8-4e17-883e-2aeb58881507: Setting time to 1398684745...
50e99987-0ee8-4e17-883e-2aeb58881507: dispatching post_success (SDW_MODE: startup): true

Host Security

Recommendation to use Whonix with Physical Isolation

Whonix using Physical Isolation, setup using two different computers AND virtualization. This is the most secure Tor configuration to date. Unfortunately, it is difficult to setup. See Isolation| Physical Isolation.

Hardening

General hardening recommendations apply.

  • Minimize attack surface
  • securely configure services
    • e.g. for ssh: use fail2ban, allow only key authentication),

Proactive Defenses

Retroactive Defenses

  • The usefulness of this approach is limited. It doesn't prevent security breaches. It can only help making future breaches less likely.
  • rkhunter
  • IDS (Intrusion Detection System)
  • Snort
  • TIGER
  • sxid
  • antivirus, antimalware

These are only pointers for you to search the web about these topics and these are probably beyond the scope of this guide.

One VM

One VM is deprecated. It was tested and developed for 0.1.3. The concept worked. It's deprecated now, because it has no maintainer.

Alternatively, you could also use one VM instead of two, where Tor runs on the host. It has some security and other kinds of advantages/disadvantages listed in the article. See OneVM.

Separate user account for VirtualBox

Security-wise it makes sense to create a separate user account just for using VirtualBox, which is not in the admin/sudo group.

DMZ

If you are using a shared network, as in a cable modem/router or ADSL/router setup, that is shared with others, you should consider configuring a DMZ for your Whonix-Gateway.

This DMZ would restrict the Whonix-Gateway from accessing and from being accessible by other nodes on the network, eg printers, phones, computers, laptops, even if root access was somehow achieved on it.

Should an incursion occur, it would prevent the adversary from exploring other systems and possibly compromising them. It won't however do anything to protect your anonymity, because they could just ping some remote server and discover your real IP address. Or should other systems be compromised, it would be more difficult to compromise Whonix-Gateway.

Host Firewall

Computer Security Education

Installing a host firewall has been already recommended in Computer Security Education#Host Firewall.

Port Scan

Using a port scanner service on the internet to test your local LAN's router/firewall is a good idea, if you are careful to find a legitimate one instead of somebody who only wants to sell you something and will give you false positives deceptively. That's good, but even better is to run a port scan application from an external IP to scan your own IP. Either remote login (ssh) on some external machine of your own or proxy through an external IP to scan your own IP. The details on how to do so are outside the scope of this document.

However, if you are not using a stand-alone machine, but are on a LAN with other PCs, it is important to keep in mind that these testing services or your own port scan application from an external IP, actually only scan the local LAN's router/firewall, but these tests do not test your actual host's PC, which, if badly configured, could be susceptible to attacks from other machines within the LAN, behind the router. A false sense of security could be the result.

For example if you share your LAN with flatmates, who are not so sophisticated in computer security, you should regard their machines as possible malicious (may be conquered by a botnet already). Therefore you can not trust the output of a port scan application running on their machine. If you have no spare machine of your own, you could eventually boot their computer from a Live CD, which includes a port scan application, to scan your machine. The details on how to do so are outside the scope of this document.

NAT Router

Being behind an ordinary NAT router may be another tiny extra layer of security.

Dedicated connection

If possible, not sharing the network (LAN, Wi-Fi, hotspot) with other possibly compromised machines is safer.

Filtering Ports

Introduction

From time to time someone asks, which ports incoming/outgoing Whonix-Gateway requires. The answer is.

  • incoming: none
  • outgoing: all

Incoming

Whonix-Gateway itself does not open any ports. Closing ports on the host is still advised. That was already covered in the Computer Security Education, chapter Host Firewall.

Outgoing

Recommended against. Port based filtering of outgoing traffic isn't applicable (as in useful) in case of Whonix-Gateway.

Filtering outgoing ports is difficult, since Tor entry guards (or bridges) listen on a variety of different ports. Limiting ports Tor uses for outgoing traffic is possible, although recommended against, since it reduces anonymity (fewer entry guards (or bridges) are available to you). If you want to do so anyway...

On Whonix-Gateway.

Open your /etc/tor/torrc.

sudo nano /etc/tor/torrc

Add.

ReachableDirAddresses *:80
ReachableORAddresses *:443
## maybe: FirewallPorts PORTS
## See Tor manual: https://www.torproject.org/docs/tor-manual.html.en

Reload Tor.

sudo service tor reload

This has also been discussed in the old forum.

Hardware Security

It's recommended to use "clean" computers made of parts manufactured by reputable companies and to pay in cash so as to not have hardware IDs leak your identity.

Whonix doesn't do anything against hardware backdoors.

Physical Attacks

Introduction

Physical attacks require an adversary to be physically preset, i.e. to be able to touch your computer.

Full Disk Encryption

Note that as said on the warning page, Whonix is not designed as an amnesic operating system.

To protect against theft or robbery, power off your machine at times when this is more likely to happen (traveling) and use FDE (Full Disk Encryption) on the host. When using FDE on the host, you shouldn't keep any unencrypted files on that same physical media. It is advisable to move the /boot partition to separate USB media and install Grub, the bootloader, to it. See Pwning Past Whole Disk Encryption.

Side channel attacks

Whonix does not defeat hardware keylogger, miniature cameras, TEMPEST.

Needless to say, that also FDE does not protect against these threats.

Screen lock

Always lock the screen of the host (or better shut down) if you leave the system unattended.

BIOS password

Can't hurt to have BIOS password for BIOS setup and boot. After you are done installing, allow only booting from HDD.

Cold Boot Attacks

Due to how modern computing works, basically everything that you have done during a session is stored in the RAM. If an attacker has physical access to your computer when you are running Whonix, it may enable her to recover everything that have been achieved during the session - even if you are using Full Disk Encryptoion. From typed texts to saved files, including passwords and encryption keys. The more recent the activity, the more likely it is that it is still in the RAM.

Furthermore, it has been shown that the data present in the RAM might be recoverable for seconds or even minutes after the computer is powered off using a cold boot attack.

In both cases the RAM contents can be analyzed in a computer forensics laboratory which might turn into a major disaster depending on what they find.

As far as the authors know, cold boot attacks are not standard procedure within law enforcements and similar organizations anywhere in the world yet, but it might still be good to be prepared and stay on the safe side.

Wipe RAM on shutdown (e.g. using a kexec script) - or do not leave the computer unattended immediately after shutdown. Unfortunately there is not yet an upstream script, to implement wiping the RAM on shutdown. We can not provide a solution for this attack, this is solved nowhere but partially in Tails and Liberte Linux (not checked), waiting for upstream solution, see Dev#Wipe RAM panic script. It's up to you to implement a panic button which will wipe the RAM, please Contribute. The least you can do is Vote at upstream for the feature.

Hypothetical... So, what should you do when you hear an attacker knocking at your door? You could just press the hypothetical panic button on the host. It would start to wipe the contents of the RAM by filling it out with random junk, thus erasing everything that was stored there before, including the encryption key of the encrypted storage devices you might use and the traces of your session. Then you would wait, possibly trying to buy valuable time by barricading your door.

Evil Maid Attack

See Evil Maid Attack.

If you have a TPM chip, see Anti Evil Maid.

Problematic Interfaces

Some interfaces such as ExpressCard, PCMCIA, FireWire or Thunderbolt may depending on the host operating system settings allow an attacker with physical access to read the RAM. You are advised to securely configure those interfaces, to disable them or to remove them.

Operating System

About Debian

Debian Announcements

Since Whonix is based on Debian, it takes advantages of the all of the work done by the Debian security team. As quoted from (http://security.debian.org/):

Debian takes security very seriously. We handle all security problems brought to our
attention and ensure that they are corrected within a reasonable timeframe. Many
advisories are coordinated with other free software vendors and are published the same
day a vulnerability is made public and we also have a Security Audit team that reviews
the archive looking for new or unfixed security bugs. 

Experience has shown that "security through obscurity" does not work. Public disclosure
allows for more rapid and better solutions to security problems. In that vein, this
page addresses Debian's status with respect to various known security holes, which
could potentially affect Debian.

Consider also subscribing to the Debian security announcement mailing list.

Harden Debian

Most hardening steps can not be easily added by default to Whonix. Mostly the user has to understand them and to be aware of them, require knowledge and effort, otherwise one thing or another will break. This is still under investigation and open for suggestions. Having a secure operating system will always be an important topic.

Harden Software Repositories

Many operating systems provide multiple repositories. Since Whonix's example implementation is based on Debian, you should read Ubuntu Repositories (similar in Debian) and Debian Policy Manual Chapter 2 - The Debian Archive as introduction.

In conclusion, the main repository gets most attention and security updates. It would make sense to tweak /etc/apt/sources.list and to only use software from the main repository and to only install security fixes, no other updates.

Whonix currently doesn't do that by default and it's an open question for research if that really improves security.

dpkg-origins can create a list of all packages and their repository.

About grsecurity

Linux kernel is not a secure OS, Linus himself made it pretty clear that he doesn't think highly of the "security community"[1]. His threat model and a Tor User threat model don't have much in common. Good that Linux is open source and if we disagree with a policy or politics we can just patch or fork it... Grsecurity/PaX is the most comprehensive kernel patch providing much needed security hardening both for the kernel itself and for making userland protections more effective.

Sadly Debian does not ship a grsecurity kernel. [2] That means either a packager/maintainer of Whonix needs to compile them EVERY TIME there is a security update to the kernel (which is pretty frequently) or the Whonix users themselves need to compile and update their kernels. This is undesirable because kernel compilation is not set and forget, you need a bit of knowledge, it takes a while, especially in a resource restricted VM and you need to keep updated about new releases via mailing lists or similar because your software updater doesn't automatically handle custom kernels (even emerge in hardened gentoo doesn't). All this would most likely only result in users running old, outdated kernel versions.

Furthermore, for Whonix-Gateway and the Identity/Location TCB grsecurity only addresses a subset of security risks: It can mitigate some kernel vulnerabilities (and we only really care about the networking stack which is pretty secure judging from its track record). Maybe some (memory corruption) vulnerabilities in apt-get and Tor that aren't already mitigated by the existing userland hardening done by Ubuntu. It can't protect against backdoors or security issues related to design, policy or yet unknown classes of exploits. We feel that these relatively small advantages outweigh the issues introduced by using a custom compiled kernel. We hope a binary distro will step forward and start using grsecurity. In that case we'll most likely switch Whonix-Gateway to that distro as soon as possible.

For Whonix-Workstation the benefits are even more doubtful. To be effective grsecurity needs to lock down some functions that are needed by Xorg, JIT compilers... but we need those to be working. To solve this we'd have to write a restrictive RBAC policy which is far from trivial. We think accepting that Whonix-Workstation will be exploitable and acting accordingly (using snapshots and rolling back to clean state) is the right approach for a desktop system.

If you disagree with this assessment or have any suggestions how to improve the current situation please let us know.

Experts only: There is also Hardened Gentoo based Whonix-Gateway. Outdated, needs maintainer. See Hardened Gentoo TG .

Updates:

  • There's Alpine Linux, where Tor is in testing. Package Request: Tor.</ref>
  • Arch Linux offers a grsecurity kernel. [3]

Footnotes:

  1. https://www.networkworld.com/news/2008/081408-torvalds-security-circus.html
  2. https://wiki.debian.org/grsecurity
  3. https://wiki.archlinux.org/index.php/Grsecurity

Vulnerabilities at Install Time

Introduction

The issue with:

  • Installer DVDs (including Debian and others)
  • Live DVDs (such as Tails and others)
  • Readily downloadable and importable VM images (Whonix and others)
  • VM images that are built with frozen sources rather than current sources (including Whonix)

is that latest stable releases sometimes contain vulnerable, remotely exploitable applications that are very likely to be used over untrusted networks[1] that are in a position to run man-in-the-middle attacks. One example of this is [CVE-2014-6273] in apt-get.

Please help research and document sane and effective solutions. Forum discussion.

Possible Solutions

apt-cache

Whonix-Gateway (when using virtual machines) could be configured to use the host apt-cache. Physically isolated Whonix-Gateways could use an apt-cache running on a separate machine. apt-cacher-ng is an example implementation of such an apt-cache.

Operating system updates would not be anonymized by default, which would be a big disadvantage[2]. One would have to figure out how to configure apt-cacher-ng on the host to download through Tor.

Eventually Whonix-Workstation could use an apt-cache that is running on Whonix-Gateway. This would increase Whonix-Gateways's attack surface once Whonix-Workstation is compromised while decreasing Whonix-Workstation's attack surface when using a vulnerable apt-get to download through untrusted Tor exit relays.

apt-offline

Somehow using apt-offline to do the initial updates of Whonix-Gateway and Whonix-Workstation.

Building from Source Code using Current Sources

Self-created builds from source code using current sources would solve this. However, frozen sources have been implemented for reasons explained in the "Current Sources" chapter. Using Current Sources comes with its own issues.

Always Up to Date Builds

A good solution for end users; however, the maintenance effort (building, testing, uploading) is beyond our current ability. We need help with testing and with an automated test suite for Whonix.

Virtualization Platform

About VirtualBox

VirtualBox is developed by Oracle, a company which is known for not being very "open". That includes how they announce security issues in their products as well as how they are perceived by the security community and how they will communicate with each other.

VirtualBox is primarily a simple, "user friendly", desktop solution and most certainly not designed with our threat model in mind. I haven't heard of anyone seriously auditing the code and I'd like to recommend a different VM solution at least as an alternative. There's KVM and Xen, open source but not cross-platform. It seems they are still lacking in terms of a reliable "internal networking" feature which Whonix heavily depends on. (If you know more, please edit this paragraph).

Anyone looking into Whonix solely because of security should really consider using Whonix with Physical Isolation.

Related VirtualBox Links:

Ver também:

Qubes OS

It shouldn't be very hard to get Whonix to run on top of Qubes OS, which would be more secure than VirtualBox. See blog post: Running Whonix on top of Qubes OS, anyone interested?.

Secure Label

Secure labeling with VBoxSDL has not yet been added to Whonix. I couldn't get it to work. If you know more, please share your knowledge.

We must not end up with non-standard desktop resolution, as per Protocol-Leak-Protection and Fingerprinting-Protection.

Whonix-Workstation Security

Hardening

Introduction

Whonix isn't a perfectly hardened system. Additional hardening would be very welcome. At the same time, hardening by default is very difficult. That's why this is outside the scope of the Whonix Anonymous Operating System project, unless the project gets serious amounts of help with it. Hardening is left to the upstream operating system. See Operating System for details.

AppArmor

Learn about AppArmor. Check out Whonix's AppArmor profiles.


SELinux

SELinux is more robust than Apparmor because its label based vs file-path based. But his comes at the expense of being difficult to write policies. The good news is if you are a KVM user and want to harden your GNU/Linux host, its as simple as enabling SELinux and libvirt will automatically take advantage of it without any further effort needed on your part.

These instructions apply to Whonix and could be easily replicated for your Debian host. First disable Apparmor if you are using it. Both MAC systems cannot be run simultaneously run. This is not supported by LSM and may also be a source of conflicts.

AppArmor is disabled, and the kernel module unloaded by entering the following[3]:

sudo /etc/init.d/apparmor stop
sudo update-rc.d -f apparmor remove

To enable SELinux follow these steps.[4] The cited guide also includes steps for writing custom policy for hardening.


    # aptitude install selinux-basics selinux-policy-default
    # selinux-activate
    # reboot

    # sudo nano /etc/default/grub

    Replace all mention of apparmor in settings for GRUB_CMDLINE_LINUX with selinux=1 and the enforcing=1 parameter to the Linux kernel. The audit=1 parameter enables SELinux logging which records all the denied operations.

    Remove the line under it that starts with: GRUB_CMDLINE_LINUX_DEFAULT

    # update-grub

To check the status of SELinux run:

# sestatus

More than one Tor Browser in Whonix

These instructions only work with TBB 3.x and above.

As the Warning page stated, Whonix doesn't magically separate your different contextual identities and since Tor Browser and Tor Button do not yet solve this, for further separation of identities you could use Multiple Whonix-Workstations, which would be more secure.

Alternatively, less secure than Multiple Whonix-Workstations, you could start multiple instances of Tor Browser and run them through different SocksPorts. The instructions in the Manually Downloading Tor Browser article need minimal changes.

You need to extract Tor Browser into a different folder.

You also have to use a different SocksPort, see Change/Remove Proxy Settings. (See Stream Isolation page for explanation why you should use different SocksPorts.)

Using multiple Whonix-Workstations

See Multiple Whonix-Workstations.

Second, Optional, Extra Firewall

There is a Second, Optional, Extra Firewall for Whonix-Workstation, which is disabled by default. You find it inside Whonix-Workstation in /usr/bin/whonix_firewall.

Read the script comments and decide if you want to use it.

Whonix-Gateway Security

Static VirtualBox IP

Instead of using DHCP to obtain the internal IP for Whonix-Workstation eth0 NAT adapter, you could also use a static IP instead. Perhaps this could (minimally?) improve security, since you can remove one more package: the DHCP package.

Open /etc/network/interfaces on github, read the comments, comment out DHCP and comment in Static VirtualBox IP.

Disable Control Port Filter Proxy

Introduction

Disabling Control Port Filter Proxy (CPFP) can improve security while sacrificing usability. You will receive helpful notifications when Tor is not fully bootstrapped anymore by multiple tools that come with Whonix.

How

On Whonix-Gateway

Deactivate CPFP in Firewall

Create a file /etc/whonix_firewall.d/50_user.conf.

sudo nano /etc/whonix_firewall.d/50_user.conf

Add the following content.

CONTROL_PORT_FILTER_PROXY_ENABLE=0

Reload Whonix's firewall.

sudo whonix_firewall
Deactivate CPFP

Stop CPFP.

sudo service control-port-filter stop

Disable autostart of CPFP.

sudo chmod -x /etc/init.d/control-port-filter

After reboot, check if CPFP is still running or disabled.

ps aux | grep controlportfilt

If you see the following, then disabling didn't work.

106       2099  0.0  0.1   2748  1172 ?        S    08:01   0:00 /bin/bash /usr/bin/controlportfilt
Deactivate whonixcheck CPFP running test

Create a file /etc/whonix.d/50_whonixcheck_user.

sudo nano /etc/whonix.d/50_whonixcheck_user

Add the following content.

whonixcheck_skip_functions+=" check_control_port_filter_running "

On Whonix-Workstation

Deactivate whonixcheck's Tor bootstrap test

Because it relies on CPFP.

Create a file /etc/whonix.d/50_whonixcheck_user.

sudo nano /etc/whonix.d/50_whonixcheck_user

Add the following content.

whonixcheck_skip_functions+=" check_tor_bootstrap "
Deactivate sdwdate-plugin-anon-shared-con-check

Uninstall (TODO: currently a bit difficult, needs ticket and explanation) or currently easier, deactivate sdwdate-plugin-anon-shared-con-check. Create a file /etc/sdwdate.d/50_anon_dist_con_check_plugin_user.

sudo nano /etc/sdwdate.d/50_anon_dist_con_check_plugin_user

Add the following content.

DISPATCH_PREREQUISITE=""

[5]

Restart sdwdate.

sudo service sdwdate restart
Tor Browser Updater

If you want to update Tor Browser using Tor Browser Updater by Whonix developers... There is a bad and a good news. Bad news first. Unfortunately, there is not yet an option to skip function tb_connectivity_checks_tor, that relies on CPFP. (That function has been added in a to be released version. [6]) However, the good news is, you can use update-torbrowser in non-interactive mode using the --devbuildpassthrough switch. Note,

  • that it will kill any eventually running instances of Tor Browser / firefox without asking, so close your browser sessions before attempting to update.
  • it will by default not use Stream Isolation (proxy settings), but by using its CURL_PROXY variable [7] as described below, you can configure stream isolation.
  • works only if folder /home/user/tor-browser_en-US does not exist.
  • it wouldn't stop if the download server were to run an endless data attack [8] [9] However, it can be compensated by either manually terminating update-torbrowser or by using the timeout utility as in the example below.
export CURL_PROXY="--socks5-hostname socks5h://10.152.152.10:9115/"
timeout 600 update-torbrowser --devbuildpassthrough

whonixcheck Hardening

Prevent polluting TransPort

On Whonix-Workstation.

Deactivate TransPort Test for better Stream Isolation.

Create a file /etc/whonix.d/50_whonixcheck_user.

sudo nano /etc/whonix.d/50_whonixcheck_user

Add the following content.

WHONIXCHECK_DISABLE_TRANS_PORT_TEST="1"

Prevent connecting to torproject.org

On Whonix-Gateway and Whonix-Workstation.

Deactivate SocksPort Test, TransPort Test and Tor Browser Update check.

Create a file

/etc/whonix.d/50_whonixcheck_user.
sudo nano /etc/whonix.d/50_whonixcheck_user

Add the following content.

WHONIXCHECK_DISABLE_SOCKS_PORT_TEST="1"
WHONIXCHECK_DISABLE_TRANS_PORT_TEST="1"
whonixcheck_skip_functions+=" check_torbrowser "

Prevent downloading Whonix News

On Whonix-Gateway and Whonix-Workstation.

Prevent downloading Whonix News.

Create a file /etc/whonix.d/50_whonixcheck_user.

sudo nano /etc/whonix.d/50_whonixcheck_user

Add the following content.

whonixcheck_skip_functions+=" download_whonix_news "

Prevent running apt-get

On Whonix-Gateway and Whonix-Workstation.

Prevent downloading running apt-get by whonixcheck.

Create a file /etc/whonix.d/50_whonixcheck_user.

sudo nano /etc/whonix.d/50_whonixcheck_user

Add the following content.

whonixcheck_skip_functions+=" check_operating_system "

Tor

Changing Tor Entry Guards

Usually you don't want/need to do this, but if you're sure you want to do it, you can do it like this.

Fresh Tor Entry Guards by regenerating Tor State File

On your Whonix-Gateway.

Stop Tor.

sudo service tor stop

Delete state file.

sudo rm /var/lib/tor/state

Restart Tor.

sudo service tor start

Chaining Anonymizing Gateways

Experts only!

All Whonix-Workstation traffic is by default forced through Whonix-Gateway. Alternatively, you could also build a chain of Anonymizing Gateways. Examples:

Post-Tor-VPN.

## chain:
Whonix-Workstation -> VPN-Gateway    -> Whonix-Gateway -> clearnet
## connection scheme:
user               -> Tor            -> VPN            -> destination server

Pre-Tor-VPN.

## chain:
Whonix-Workstation -> Whonix-Gateway -> VPN-Gateway    -> clearnet
## connection scheme:
user               -> VPN            -> Tor            -> destination server

Pre- and Post-Tor-VPN.

## chain:
Whonix-Workstation -> VPN-Gateway    -> Whonix-Gateway -> VPN-Gateway -> destination server
## connection scheme:
user               -> VPN            -> Tor            -> VPN         -> destination server

It's not limited to VPN-Gateways. You could also replace the VPN with a Proxy-Gateway.

Post-Tor-Proxy.

## chain:
Whonix-Workstation -> Proxy-Gateway  -> Whonix-Gateway -> clearnet
## connection scheme:
user               -> Tor            -> Proxy          -> destination server

Or with a Post-Tor-Proxy, or with a Pre/Post-Tor-SSH. Or replace the proxy with JonDo or perhaps I2P. Virtually any combinations are possible.

It's important to understand, that the connection will be created in reverse order. This is best explained using an example.

## chain:
Whonix-Workstation -> Proxy-Gateway  -> Whonix-Gateway -> VPN-Gateway -> clearnet
## connection scheme:
user               -> VPN            -> Tor            -> Proxy       -> destination server

If you think about it, it becomes clear why the connection happens in reverse order. Whonix-Workstation has no way but to go through the Proxy-Gateway. The Proxy-Gateway has no way but to go through Whonix-Gateway. The last one in the chain, in this case, the VPN-Gateway, must obviously connect through clearnet. Thus, the VPN-Gateway uses clearnet, the Whonix-Gateway uses the VPN-Gateway to connect, the Proxy-Gateway uses Whonix-Gateway to connect and Whonix-Workstation uses the Proxy-Gateway to connect. Since the Proxy-Gateway has no way but to go through Whonix-Gateway followed by VPN-Gateway, it's clear why it will be the last hop in front of the destination server.

Whether such combinations make sense or not is controversially discussed and depends on your personal threat model, see Tor plus VPN or Proxy.

Legend:

  • destination server: could be for example a website

Recommended basic knowledge:

May be useful as well: Inspiration.

You must know, understand and edit /etc/network/interfaces on Whonix-Gateway and/or on Whonix-Workstation (and if not using physical isolation, the virtual internal network name in VirtualBox settings).

It will be difficult, because there are no other Anonymizing Gateways (VPN/JonDo/I2P/Proxy/SSH/VPN) available for download besides Whonix-Gateway which uses Tor to anonymize traffic, which you already know about. You have to look for instructions (there are some for a pfSense based VPN-Gateway you can find using a search engine, but untested for leaks, which does not imply, that there are leaks) and/or build such a Anonymizing-Gateway yourself.

For a VPN-Gateway, see also:
VPN-Gateway (w)

Useful External Links

Other important stuff

Last, but definitely not least.

Footnotes

  1. Such as Tor exit relays.
  2. Leaks list of installed packages to ISP level adversaries and update servers. You usually don't want them to know that you installed a webserver and therefore likely host a hidden web service and so forth.
  3. https://help.ubuntu.com/12.04/serverguide/apparmor.html
  4. http://debian-handbook.info/browse/stable/sect.selinux.html
  5. This will undo setting by /etc/sdwdate.d/31_anon_dist_con_check_plugin.
  6. --no-tor-con-check / TB_NO_TOR_CON_CHECK="1" will come in tb-updater 0.8 / Whonix 10.
  7. The CURL_PROXY variable is a feature by update-torbrowser, not curl, in case you are wondering and found this page through a search engine.
  8. i.e. claiming to provide a 500.000 GB big file
  9. because --devbuildpassthrough implies --ordinary, that does not use curl-prgs's CURL_PRGRS_MAX_FILE_SIZE_BYTES.

License

Whonix Advanced Security Guide wiki page Copyright (C) Amnesia <amnesia at boum dot org>
Whonix Advanced Security Guide wiki page Copyright (C) 2012 -2014 Patrick Schleizer <adrelanos@riseup.net>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.

Random News:

We are looking for video makers.


Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+
This is a wiki. Want to improve this page? Help welcome, volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation. Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted above, content of this page is copyrighted and licensed under the same Free (as in speech) license as Whonix itself.