
Whonix-Gateway Security

AppArmor

According to debian.org: [1]

AppArmor is a Mandatory Access Control framework. When enabled, AppArmor confines programs according to a set of rules that specify what files a given program can access. This proactive approach helps protect the system against both known and unknown vulnerabilities.

AppArmor provides a number of advantages: [2]

  • It protects the operating system and applications from external or internal threats, including zero-day attacks.
  • "Good behavior" is enforced and it mitigates exploits via unknown application flaws.
  • AppArmor security policies define the system resources that individual applications can access, and with what privileges. For instance:
    • Network access.
    • Raw socket access.
    • Read, write or execute file permissions on specific paths.


Strongly consider using the Whonix AppArmor profiles which are available for various programs which run in both the Whonix-Gateway and Whonix-Workstation, such as Tor, Tor Browser, Thunderbird and others. The profiles are easily applied and provide a considerable security benefit.

General Advice


If the Whonix-Gateway VM is ever compromised, the attacker can discover: the user's identity (public IP address); all destinations visited; and the entirety of clear-text and onion service communication over Tor.

Before installing any extra packages on the Whonix-Gateway, first consult the developers to check whether that is necessary and wise.

Seccomp

According to Mozilla: [3]

Seccomp stands for secure computing mode. It is a simple sandboxing tool in the Linux kernel, available since Linux version 2.6.12. When enabling seccomp, the process enters a "secure mode" where a very small number of system calls are available (exit(), read(), write(), sigreturn()). Writing code to work in this environment is difficult; for example, dynamic memory allocation (using brk() or mmap(), either directly or to implement malloc()) is not possible.

Strongly consider enabling seccomp on Whonix-Gateway (Qubes-Whonix: Whonix-Gateway ProxyVM; sys-whonix), since it is easily applied and provides additional sandboxing protection for the Tor process. Users should be aware that pluggable transports like obfs4, meek-lite and Snowflake are incompatible with seccomp. [4]


Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps.

sudo nano /etc/tor/torrc

Add the following line.

Sandbox 1

Save and exit.

Tor Connection Padding

Connection padding is available for the Tor process from version 0.3.1.7 onward. This helps to resist traffic analysis, as The Tor Project explains: [5] [6]

Connections between clients and relays now send a padding cell in each direction every 1.5 to 9.5 seconds (tunable via consensus parameters). This padding will not resist specialized eavesdroppers, but it should be enough to make many ISPs’ routine network flow logging less useful in traffic analysis against Tor users.


Padding is negotiated using Tor’s link protocol, so both relays and clients must upgrade for this to take effect. Clients may still send padding despite the relay’s version by setting ConnectionPadding 1 in torrc, and may disable padding by setting ConnectionPadding 0 in torrc.

Consider enabling ConnectionPadding client-side by following these steps.


Open /etc/tor/torrc.

If you are using Qubes-Whonix, complete the following steps.

Qubes App Launcher (blue/grey "Q") -> Whonix-Gateway ProxyVM (commonly named sys-whonix) -> Tor User Config (Torrc)

If you are using a graphical Whonix-Gateway, complete the following steps.

Start Menu -> Applications -> Settings -> /etc/tor/torrc

If you are using a terminal-only Whonix-Gateway, complete the following steps.

sudo nano /etc/tor/torrc

Add the following line.

ConnectionPadding 1

Save and exit.
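
To confirm the result of both procedures (Sandbox 1 from the Seccomp section and ConnectionPadding 1 from this one), the following added example, which is not part of the Whonix documentation or code, audits a torrc and flags Sandbox 1 set alongside pluggable transports, the incompatibility noted in the Seccomp section. The function names and return codes are this example's own, and it assumes all settings are in the single file passed to it.

```shell
#!/bin/sh
# Added example, not Whonix project code. Audits a torrc for the two settings
# above and for Sandbox 1 combined with pluggable transports.

# torrc_value FILE OPTION: print the last value set for OPTION.
# Option keywords are matched case-insensitively; later lines override earlier.
torrc_value() {
    awk -v opt="$2" '
        { sub(/#.*/, "") }                       # drop comments
        tolower($1) == tolower(opt) { v = $2 }
        END { if (v != "") print v }
    ' "$1"
}

# torrc_transports FILE: print transport names from ClientTransportPlugin lines.
torrc_transports() {
    awk '
        { sub(/#.*/, "") }
        tolower($1) == "clienttransportplugin" {
            n = split($2, t, ",")                # "obfs4,meek_lite" names two
            for (i = 1; i <= n; i++)
                if (!seen[t[i]]++) { out = out sep t[i]; sep = " " }
        }
        END { if (out != "") print out }
    ' "$1"
}

# audit_torrc FILE: print findings.
# Returns 0 = both set, 1 = a setting is missing, 2 = seccomp/transport conflict.
audit_torrc() {
    result=0
    sandbox=$(torrc_value "$1" Sandbox)
    padding=$(torrc_value "$1" ConnectionPadding)
    transports=$(torrc_transports "$1")
    if [ "$sandbox" = "1" ]; then echo "OK: Sandbox 1"
    else echo "MISSING: Sandbox 1"; result=1; fi
    if [ "$padding" = "1" ]; then echo "OK: ConnectionPadding 1"
    else echo "MISSING: ConnectionPadding 1"; result=1; fi
    if [ "$sandbox" = "1" ] && [ -n "$transports" ]; then
        echo "CONFLICT: Sandbox 1 with pluggable transports: $transports"
        result=2
    fi
    return "$result"
}

# Run against a file when one is given, e.g.: sh audit_torrc.sh /etc/tor/torrc
[ "$#" -eq 0 ] || audit_torrc "$1"
```

A return code of 2 means a choice has to be made between the seccomp sandbox and the configured transports before Tor is restarted.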

Warning: Bridged Networking

Do not change Whonix-Gateway's first or second network interface to a bridged network. This is untested and should not be necessary. Users who feel it is necessary in their circumstances should get in contact.

For further interest, here is a discussion thread, and another one, debating whether NAT or a bridged network is more secure.

Footnotes

  1. https://wiki.debian.org/AppArmor
  2. http://wiki.apparmor.net/index.php/Main_Page
  3. https://wiki.mozilla.org/Security/Sandbox/Seccomp
  4. See the following forum discussion for further consideration of this issue.
  5. https://blog.torproject.org/tor-0317-now-released
  6. At the time of writing, the Jessie proposed updates repository in Whonix supports this Tor version.


Whonix is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself.