Actions

System Hardening Checklist

From Whonix

About this System Hardening Checklist Page
Support Status stable
Difficulty easy
Maintainer torjunkie
Support Support

Introduction[edit]

Info Recommendations specific to Qubes-Whonix ™ or Non-Qubes-Whonix ™ are marked accordingly.

It is possible to significantly harden the Whonix ™ and/or host platform. This reduces the likelihood of a temporary or persistent compromise, while increasing the chances of successful, anonymous activity. Hardening is dependent upon a user's skill set, motivation and available hardware. The checklist below is intended to provide a quick overview of important issues, categorized by difficulty level - easy, moderate, difficult and expert.

Easy[edit]

Anonymous Blogging, Posting, Chat, Email and File Sharing[edit]

  • To remain anonymous, follow all the Whonix ™ recommendations to minimize threats of keyboard/mouse biometrics, stylometric analysis and other covert channels.
  • Remove metadata from documents, pictures, videos or other files before uploading them to the Internet.
  • Think twice before sharing "anonymous" photos due to unique embedded noise signatures that have no known countermeasures.
  • Be careful sharing anonymous documents. Digital watermarks with embedded covert data are robust, so run documents through Optical Character Recognition (OCR) before sharing the output.
  • Utilize OnionShare to share or receive files securely and anonymously over the Tor network.

Command Line Operations[edit]

Disabling and Minimizing Hardware Risks[edit]

Entropy[edit]

  • To mitigate against inadequate entropy seeding by the Linux Random Number Generator (RNG), it is recommended to install daemons that inject more randomness into the pool.

File Handling[edit]

Info Qubes-Whonix ™ only.

  • In File Manager, disable previews of files from untrusted sources. Change file preferences in the TemplateVM's File Manager so future AppVMs inherit this feature.
  • Files received or downloaded from untrusted sources (the internet, via email etc.) should not be opened in a trusted VM. Instead, open them in a DisposableVM: Right-clickOpen In DisposableVM
  • Untrusted PDFs should be opened in a DisposableVM or converted into a trusted (sanitized) PDF to prevent exploitation of the PDF reader and potential infection of the VM.

File Storage Location[edit]

Mandatory Access Control[edit]

  • Enable all available apparmor profiles in the Whonix-Workstation ™ and Whonix-Gateway ™ TemplateVMs.
  • Enable seccomp on Whonix-Gateway ™ (sys-whonix ProxyVM).

Passwords and Logins[edit]

  • Use strong, unique and random passwords for all online accounts, system logins and encryption / decryption purposes to prevent the feasibility of brute-forcing attacks.
  • Use a trusted password manager, so hundreds of different passwords can be kept stored in an encrypted password database, protected by one strong master password. [9]
  • For high-entropy passwords, consider using Diceware passphrases. [10]
  • In Qubes-Whonix ™, store all login credentials and passwords in an offline vault VM (preferably with KeePassXC) and securely cut and paste them into the Tor Browser. [11]
  • Read and follow all the principles for stronger passwords.

Secure Downloads[edit]

  • Download Internet files securely using scurl instead of wget from the command line.
  • When downloading with Tor Browser, prevent SSLstrip attacks by typing https:// links directly into the URL / address bar.
  • Prefer onion services file downloads, which provide greater security and anonymity than https.

Secure Qubes Operation[edit]

Info Qubes-Whonix ™ only.

Secure Software Installation[edit]

Tor Browser Series and Settings[edit]

VirtualBox[edit]

Info Non-Qubes-Whonix Only.

Moderate[edit]

Prevent Malware from Sniffing the Root Password[edit]

See Prevent Malware from Sniffing the Root Password.

Create a USB Qube[edit]

Info Qubes-Whonix ™ only.

Host Operating System Distribution[edit]

Info Non-Qubes-Whonix only.

  • For a truly private operating system, install GNU/Linux on the host. [22]
  • The Debian distribution is recommended by Whonix ™ as providing a reasonable balance of security and usability.

Host Operating System Hardening[edit]

All Platforms[edit]

Non-Qubes-Whonix Only[edit]

  • Harden the host Debian Linux OS.

Live-mode[edit]

Info Non-Qubes-Whonix only.

  • Consider running Whonix ™ as a live system, so all writes go to RAM instead of the hard disk.

Memory Allocator[edit]

Networking[edit]

All Platforms[edit]

  • If possible, use a dedicated network connection (LAN, WiFi etc.) that is not shared with other potentially compromised computers.
  • If using a shared network via a common cable modem/router or ADSL router, configure a de-militarized zone (perimeter network). [24]
  • Test the LAN's router/firewall with either an internet port scanning service or preferably a port scanning application from an external IP address.
  • Change the default administration password on the router to a unique, random, and suitably long Diceware passphrase to prevent bruteforcing attacks.
  • WiFi users should default to the WPA2-AES or WPA3 standard; the protocols are safer and have stronger encryption. [25] [26]
  • Follow all other Whonix ™ recommendations to lock down the router.

Qubes-Whonix ™ Only[edit]

  • Prefer the Debian Template for networking (sys-net and sys-firewall) since it is minimal in nature and does not "ping home", unlike the Fedora Template. [27]
  • Consider using customized minimal templates for NetVMs to reduce the attack surface.
  • For greater security, higher performance and a lower resource footprint, consider using an experimental MirageOS-based unikernel firewall that can run as a QubesOS ProxyVM.

Newer Kernels[edit]

Sandboxing[edit]

  • Use Firejail to restrict Tor Browser, Firefox-ESR, VLC and other regularly used applications. [29]

Spoof MAC Addresses[edit]

Info Tip: MAC spoofing is only necessary if traveling with your laptop or PC. It is not required for home PCs that do not change locations.

Time Stamps and NTP Clients[edit]

Info Non-Qubes-Whonix only.

Tor Settings[edit]

Whonix ™ VM Security[edit]

Difficult[edit]

Anti-Evil Maid[edit]

Info Qubes-Whonix ™ only.

  • If a Trusted Platform Module is available, use AEM protection to attest that only desired (trusted) components are loaded and executed during the system boot. [35]
  • Consider the Android Haven application for sensitive devices -- motion, sound, vibration and light sensors can monitor and protect physical areas. [36]

Chaining Anonymizing Tunnels[edit]

DisposableVMs[edit]

Info Qubes-Whonix ™ only.

  • Run all instances of Tor Browser in a DisposableVM which is preferably uncustomized to resist fingerprinting. [37]
  • Configure each ServiceVM as a Static DisposableVM to mitigate the threat from persistent malware accross VM reboots. [38]

Email[edit]

All Platforms[edit]

Qubes-Whonix ™ Only[edit]

  • Use split-GPG for email to reduce the risk of key theft used for encryption / decryption and signing.
  • Create an AppVM that is exclusively used for email and change the VM's firewall settings to only allow network connections to the email server and nothing else ("Deny network access except...").
  • Only open untrusted email attachments in a DisposableVM to prevent possible infection.

Ethernet/FDDI Station Activity Monitor[edit]

Flash the Router with Opensource Firmware[edit]

Ambox warning pn.svg.png Warning: risk of bricking your router!

Multi-Factor User Authentication[edit]

  • Configure PAM USB as a module that only allows user authentication by inserting a token (a USB stick), in which a one-time password is stored.
  • For secure account logins, utilize a Yubikey hardware authentication device which supports one-time passwords, public-key encryption, and the Universal 2nd Factor (U2F) and FIDO2 protcols.
    • Qubes: Follow the Yubikey instructions to enhance the security of Qubes user authentication, mitigate the risk of password snooping, and to improve USB keyboard security.

Whitelisting Tor Traffic[edit]

Expert[edit]

Disable Intel ME Blobs[edit]

Ambox warning pn.svg.png Warning: high risk of bricking your computer!

Opensource Firmware[edit]

  • Libreboot is no longer recommended as a proprietary firmware alternative; see footnote. [44]
  • Coreboot is a possible BIOS/UEFI firmware alternative -- consider purchasing hardware that has it pre-installed (like Chromebooks), or research flashing procedures for the handful of refurbished motherboards that support it.

Physical Isolation[edit]

Info Non-Qubes-Whonix only.

Footnotes[edit]

  1. This reduces the likelihood of a successful root or non-root user compromise.
  2. Whonix ™ 16 and later versions will disable the root account by default.
  3. This addresses deanonymization techniques relying on watermarked, (in)audible sounds that can link multiple devices, as well as headphones/speakers being covertly used as a microphone.
  4. This applies to both Intel and AMD architecture.
  5. While this may introduce new vulnerabilities, this is objectively better than running a system that is vulnerable to known attacks.
  6. sudo apt-get install jitterentropy-rngd
  7. sudo apt-get install haveged
  8. The reason is AppArmor profiles (and possibly other mandatory access control frameworks) are unlikely to allow access to these folders by default.
  9. For greater security, store the password manager off-line.
  10. To estimate strength, an 8-word Diceware passphrase provides ~90 bits of entropy, while a 10-word passphrase provides ~128 bits of entropy.
  11. For greater safety, copy something else into the clipboard after pasting so the password is purged and cannot be accidentally pasted elsewhere.
  12. The Whonix ™ and Debian repositories are no longer set to onion mirrors by default due to stability issues. This decision will be reviewed in the future once v3 onions have further matured.
  13. Tor Blog:

    Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.

  14. Selfrando (load-time memory randomization) protection is being removed from alpha Tor Browser Linux builds. Although Selfrando provides a security improvement over standard address space layout randomization (ASLR) present in Tor Browser and other browsers, Tor developers believe it is relatively easy for attackers to bypass and not worth the effort.
  15. The "hardened" Tor Browser series has been deprecated, see: https://trac.torproject.org/projects/tor/ticket/21912
  16. Following the official release of the v8.0+ Tor Browser series (based on Firefox 60 ESR), the stable and alpha Tor Browser versions both have a native sandbox.
  17. This may affect usability and proper functioning on some websites.
  18. This is more secure, but increases the user's fingerprinting risk due to selective use of Javascript.
  19. Thereby circumventing any possible future problems, like the breakage of Whonix ™.
  20. A USB qube is automatically created as of Qubes R4.0
  21. USB keyboards and mice expose dom0 to attacks, and all USB devices are potential side channel attack vectors.
  22. Windows and macOS are surveillance platforms that do not respect user freedom or privacy.
  23. This provides hardening against heap corruption vulnerabilities and improves overall memory performance and usage.
  24. This restricts Whonix-Gateway ™ accessibility to/from other nodes on the network such as printers, phones and laptops.
  25. WPA3 protocol improvements include:
    • Protection against brute force “dictionary” attacks -- adversaries cannot make multiple login attempts with commonly used passwords.
    • Stronger encryption: WPA2 relies on a 64-bit or 128-bit encryption key, but WPA3 uses 192-bit encryption.
    • Use of individualized data encryption in open networks to strengthen user privacy.
    • Forward secrecy: if an adversary captures encrypted Wi-Fi transmissions and cracks the password, they cannot use it to read older data.
  26. Do not rely on WiFi Protected Set-up (WPS), which has major security flaws.
  27. https://forums.whonix.org/t/disable-sys-net-pings-to-fedoraproject-org/1952
  28. This recommendation comes with a warning: cutting-edge kernels may destabilize the system or cause boot failures.
  29. Previously The Tor Project's alpha sandbox was recommended to restrict Tor Browser, but the project has unfortunately been abandoned.
  30. Such as system information, host time, system uptime, and fingerprinting of devices behind a router.
  31. This prevents time-related attack vectors which rely on leakage of the host time.
  32. Via creation of a new Whonix-Gateway ™ (sys-whonix).
  33. For example, Whonix ™ users residing in China.
  34. This is useful when testing later Whonix ™ releases to stymie deanonymization attempts by advanced adversaries, or when creating an identical backup that does not share any other persistent data, except for Tor state and custom torrc options.
  35. Unauthorized modifications to BIOS or the boot partition will be notified.
  36. Notifications are made in real time for any potentially suspicious activity.
  37. This is safe in Qubes R4, but privacy issues are unresolved in Qubes R3.2
  38. Users may configure sys-net, sys-firewall and sys-usb as static DisposableVMs. This option is only available for Qubes R4 users.
  39. Reminder: The Subject: line and other header fields are not encrypted in the current configuration.
  40. Attackers use these methods to redirect local network traffic and execute Man in the Middle Attacks.
  41. Administrators are advised of any changes via email, such as new station/activity, flip-flops and re-used/changed old addresses.
  42. This provides an additional fail-safe to protect from accidental clearnet leaks that might arise from hypothetical Whonix ™ bugs, but does not address potential Qubes ProxyVM leaks.
  43. https://github.com/rustybird/corridor
  44. Although Libreboot is a free, opensource BIOS or UEFI replacement that initializes the hardware and starts the bootloader for the OS, the absence of proprietary firmware means important microcode security updates are unavailable. Also, even experts risk bricking their hardware during the process and it is incompatible with newer architectures, making it impractical for the majority of the Whonix population.
  45. Using two different computers and virtualization is one of the most secure configurations available, but may be less secure than Qubes' approach (software compartmentalization).

No comments for now due to spam. Use Whonix forums instead.


Random News:

Don't mind having your name connected to Whonix ™? Follow us on Twitter / Facebook.


https | (forcing) onion

Follow: Twitter | Facebook | gab.ai | Stay Tuned | Whonix News

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.