Hardening Qubes-Whonix

@entr0py

Do you mind cutting and pasting your sources.list (.onions) which works, so that I can edit the wiki somewhere to reflect the correct sources for those wishing to harden their Qubes-Whonix installation?

I’m a little confused which ones we are pointing to and whether it is just tor:// or tor + http:// - what else is new :slight_smile:

Reflecting on what we have covered so far, a future wiki entry might look something like that below (with links to relevant wiki entries/stubs). It is better to have it in one place, so users have a quick reference and don’t have to search everywhere for this information:

Qubes-Whonix users can achieve significant hardening of their system by completing a number of additional steps after installation of the base system.

Successful completion of these steps below is dependent upon the user’s skill level and available hardware. Applicable steps are marked with ‘easy’, ‘medium’ or ‘difficult’ tags to reflect this:

  • Default the Debian mirrors in sources.list to available .onions (easy);
  • Install all available apparmor profiles in the Whonix-Workstation and Whonix-Gateway TemplateVMs (easy);
  • Enable seccomp in the Whonix-Gateway TemplateVM torrc file (easy);
  • Use the hardened (alpha) Tor Browser series to resist fingerprinting and have additional memory protections (easy);
  • Use the (alpha) Tor process sandbox to restrict exploitation opportunities (difficult - not yet implemented in Whonix; requires sandbox compilation - @Patrick, this requires a wiki stub somewhere);
  • Implement MAC spoofing for ethernet and/or wi-fi via Qubes user documentation (medium);
  • Use all instances of the Whonix-Workstation in a Whonix-Workstation DisposableVM - preferably uncustomized to resist fingerprinting (medium);
  • Implement GRSEC templates for Fedora, Debian and Whonix templates in the Qubes system (difficult; only Debian currently available - @Patrick, we need a GrSec stub somewhere in the wiki for future copying of all steps);
  • Tweak the Tor Browser to provide ClearClick protections, run the security slider in the highest position, restrict Javascript uniformly, and default to .onion searches via DuckDuckGo (easy);
  • Store all login credentials and passwords in an offline vault VM (preferably in a password manager), and cut and paste into the Tor Browser when required (easy);
  • Never type directly into the Tor Browser to resist typing profiling (easy);
  • Install newer Tor versions via Whonix config settings i.e. jessie-proposed-updates (easy);
  • Install latest versions of the Linux kernel available to benefit from mainlined kernel hardening (easy);
  • Use AEM (anti-evil-maid) in Qubes, in combination with a Trusted Platform Module (medium);
  • Store encrypted Qubes backups with a sufficiently long (high-entropy) passphrase due to OpenSSL’s weak key derivation scheme, which relies on a single round of md5, or store encrypted backups on a separate back-up disk that is already encrypted with LUKS (easy);
  • Install Qubes-Whonix with a sys-usb template to provide protection from malicious compromise of dom0. This requires available USB controllers and, in a desktop configuration, available PS/2 ports and adapters for the keyboard and mouse (medium).

What have I missed? :slight_smile:

1 Like

These are non-Qubes-Whonix specific so would be good if others could see them too.

#### Debian onion mirrors

# deb http://ftp.debian.org/debian jessie main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian jessie main contrib non-free

# deb http://security.debian.org jessie/updates main contrib non-free
deb http://sgvtcaew4bxjd7ln.onion jessie/updates main contrib non-free

# (optional - Backports)
# deb http://ftp.debian.org/debian jessie-backports main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian jessie-backports main contrib non-free

#### Whonix onion mirrors

# deb http://deb.whonix.org jessie main
deb http://deb.kkkkkkkkkk63ava6.onion jessie main

#### Tor Project mirrors

# (optional - for direct Tor package)
# deb http://deb.torproject.org/torproject.org jessie main
deb http://sdscoq7snqtznauu.onion/torproject.org jessie main

#### Qubes - still waiting

deb [arch=amd64] http://deb.qubes-os.org/r3.1/vm jessie main

Just http. Because apt-get is uwt-wrapped and gets sent straight to the Gateway. No apt-transport-tor.

2 Likes

Just now created:
Tor Browser Essentials

That belongs to Deprecated/grsecurity - Whonix. Do these instructions work in KVM? If so, the existing page becomes chapter KVM. //cc @HulaHoop

Suggested entry below (Security Guide section) for the benefit of both Qubes and Non-Qubes-Whonix users. Tested and now working on my system for both templates.

Onionizing Whonix and Debian Repositories

When Whonix, Debian and Qubes packages are installed or updated, default settings point to repositories with a http:// URI.[1][2] However, experimental .onion support is already available for both Whonix and Debian packages, with Qubes .onion mirrors planned for the near-term.[3][4]

In order to install or update with the utmost caution, users may consider manually editing their sources.list to point to the Whonix and Debian .onion mirrors. There are several security and privacy benefits of this approach:[5]

  • The user cannot be uniquely targeted for malicious updates (attackers are forced to attack everyone requesting the update);
  • The package repository, or observers watching it, can’t track what programs you’ve installed;
  • The ISP cannot easily learn what packages you fetch; and
  • End-to-end authentication and encryption provides protection against man-in-the-middle attacks e.g. version downgrade attacks.

To use the .onion mirrors, it is necessary to change the whonix.list and debian.list files in the /etc/apt/sources.list.d directory in both the Whonix-Workstation and Whonix-Gateway TemplateVMs.[6]

(1) In the TemplateVM, open the Debian sources file in an editor with root rights.

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/sources.list.d/debian.list

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/sources.list.d/debian.list

(2) Cut and paste the following .onion mirrors and comment out (#) the corresponding http repositories noted in bold:

# deb http://ftp.debian.org/debian jessie main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian jessie main contrib non-free

# deb http://security.debian.org jessie/updates main contrib non-free
deb http://sgvtcaew4bxjd7ln.onion jessie/updates main contrib non-free

(Optional - Backports)

# deb http://ftp.debian.org/debian jessie-backports main contrib non-free
deb http://vwakviie2ienjx6t.onion/debian jessie-backports main contrib non-free

(3) Save the new debian.list file

(4) Point to the Whonix APT Repository .onion mirror:

sudo whonix_repository --baseuri http://deb.kkkkkkkkkk63ava6.onion --enable --repository stable

Note: Users have four preferences available for Whonix packages: stable, stable-proposed-updates, testers and developers. Change the entry above to reflect this preference.[7]

(5) Check the .onions are correct and functional in your Whonix system:

sudo apt-get update && sudo apt-get dist-upgrade

Remember to repeat steps 1-5 for both the Whonix-Workstation and Whonix-Gateway TemplateVMs.[8]

(6) OPTIONAL testers/paranoid users step - create an onionized torproject.list:

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/sources.list.d/torproject.list

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/sources.list.d/torproject.list

Cut and paste the following text and comment out (#) the corresponding http repository noted in bold:

# deb http://deb.torproject.org/torproject.org jessie main
deb http://sdscoq7snqtznauu.onion/torproject.org jessie main

Save and exit.

Footnotes:

[1] Whonix APT Repository
[2] Whonix 14 will prefer .onion repositories by default, even when adding third-party resources
[3] Onionizing Qubes-Whonix Repositories
[4] Install Additional Software Safely
[5] Tor at the Heart: apt-transport-tor and Debian onions | The Tor Project
[6] tor:// or tor:// + http:// entries are not required in Whonix because apt is uwt-wrapped.
[7] Whonix APT Repository
[8] Qubes users can repeat these steps in their Debian-8 TemplateVM to onionize installations and updates.
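The edit in steps (1) to (3) above, and the mirror list entr0py posted earlier in the thread, are the same change done by hand. The following is an added shell example, not code from the thread or from the Whonix project, that applies that change to a sources file passed as a parameter and then checks that no clear-net entry is still active. It assumes the onion hostnames quoted in the thread for ftp.debian.org and security.debian.org, and it leaves the Whonix repository itself to the whonix_repository command used in step (4). Try it on a copy of debian.list before pointing it at the real file.

```shell
#!/bin/sh
# Added example, not code from the thread or from Whonix: onionize a Debian
# APT source file the way steps (1)-(3) describe, then check the result.
# Assumptions: the onion hostnames are the ones quoted in the thread, the
# file to edit is passed as a parameter (try it on a copy first), and the
# Whonix repository itself is left to "whonix_repository" as in step (4).

# Clear-net host -> onion host, from the entries posted above.
onion_for_host() {
    case "$1" in
        ftp.debian.org)      printf '%s\n' vwakviie2ienjx6t.onion ;;
        security.debian.org) printf '%s\n' sgvtcaew4bxjd7ln.onion ;;
        *)                   return 1 ;;
    esac
}

# onionize_list FILE: every active "deb http://HOST/..." line whose HOST has a
# known onion mirror is commented out and followed by the .onion version.
# Commented lines and lines already pointing at .onion pass through untouched,
# so running the function a second time changes nothing.
onionize_list() {
    file=$1
    tmp="$file.tmp.$$"
    : > "$tmp"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "deb http://"*|"deb-src http://"*)
                rest=${line#*http://}   # drop everything up to "http://"
                host=${rest%%[/ ]*}     # host ends at the first "/" or space
                if onion=$(onion_for_host "$host"); then
                    printf '# %s\n' "$line" >> "$tmp"
                    printf '%s\n' "$line" | sed "s#http://$host#http://$onion#" >> "$tmp"
                    continue
                fi
                ;;
        esac
        printf '%s\n' "$line" >> "$tmp"
    done < "$file"
    mv "$tmp" "$file"
}

# active_clearnet_entries FILE: print uncommented deb/deb-src lines that do not
# point at a .onion address. No output means apt will only talk to onions.
active_clearnet_entries() {
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$1" \
        | grep -Ev '://[^/[:space:]]*\.onion([/[:space:]]|$)' || true
}

# fully_onionized FILE: succeed only when no clear-net entry is active.
fully_onionized() {
    [ -z "$(active_clearnet_entries "$1")" ]
}

# Demo on a constructed sample file (no real system file is modified):
#   sh onionize.sh --demo
demo() {
    sample=$(mktemp)
    printf '%s\n' \
        'deb http://ftp.debian.org/debian jessie main contrib non-free' \
        'deb http://security.debian.org jessie/updates main contrib non-free' \
        'deb http://ftp.debian.org/debian jessie-backports main contrib non-free' > "$sample"
    echo "Before, still on clear-net:"; active_clearnet_entries "$sample"
    onionize_list "$sample"
    echo "After:"; cat "$sample"
    fully_onionized "$sample" && echo "OK: no active clear-net entry left"
    rm -f "$sample"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The check function is the part worth keeping around: after any repository change (or after a package rewrites a sources file), `active_clearnet_entries /etc/apt/sources.list.d/debian.list` printing nothing is the quick confirmation that step (5)'s apt-get update will only reach .onion mirrors.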

torjunkie:

Tested on my system. Working, except for a 404 error on the Whonix server:

Failed to fetch http://kkkkkkkkkk63ava6.onion/dists/jessie/main/binary-amd64/Packages 404 Not Found
I think we can also add these .onion entries to a new user.list, instead of manually changing the debian.list and whonix.list, i.e. so they are not later written over by package updates?

The canonical way is:

sudo whonix_repository --baseuri http://deb.kkkkkkkkkk63ava6.onion --enable --repository stable

Won’t ever be automatically overwritten.

[With a small exception: if the onion ever changes (upcoming strong hidden services keys) we’ll sed replace the old to the new onion through the whonix-legacy package.]

Wow, really sloppy. Sorry.

deb http://deb.kkkkkkkkkk63ava6.onion jessie main vs
deb http://kkkkkkkkkk63ava6.onion jessie main

Whonix 14 ticket: https://phabricator.whonix.org/T399


Looks good to me. Thanks!

[I need a wiki for the wiki. I know there are templates for #1 and #2 that generalize instructions for qubes-whonix & non-qubes-whonix. I don’t know where to find them though.]

(1) In the TemplateVM, open a terminal with Konsole.

(2) Edit the Debian sources file:

[6] Debian starts Onionizing - #11 by Patrick

Community effort. Better to link to discussions I think - unless attributing to a well-known expert. [Plus I don’t want any blame.] :slight_smile:

1 Like

Here is a list of all templates (since we have not categorized them):

(You can find such special pages through https://www.whonix.org/wiki/Special:SpecialPages.)

If you like to create any new templates, please just tell me the template page names and I create them.

(Many are general, non-Qubes specific.)

I like the ordering in various difficulties.

Security Guide - Whonix is supposed to contain only items being ‘easy’ and perhaps ‘medium’.

Advanced Security Guide - Whonix is supposed to contain only ‘difficult’ items.

Perhaps Security_Guide needs a face lift? Perhaps remove all non-actionable items? I.e. remove all items that are just knowledge. Move that elsewhere, to where? And then have only ‘easy’ and ‘medium’ difficult actionable items on that page? [Plus links to other actionable items that have a separate page such as grsecurity.]

Thanks!

Works with entr0py’s amended .onion mirror link, as does the canonical method for enabling the Whonix repository. @entr0py does the Tor project .onion mirror belong in the Debian sources file?

See edits above. If this is okay, I will insert it in the security guide somewhere.

Patrick - I agree re: security docs. If entr0py and Ego have the quick-start guide in hand, then I hope to take this on as a mini-project. It is one of the most important sections of the wiki.

My other main interests are getting the Tor sandboxing stuff working (when you have the time) and helping to test and document this, and seeing that GRSEC documentation and testing works in Qubes-Whonix. Most of this will hopefully just be cut and pasting from coldhacka’s blog with the appropriate attribution.

1 Like

No, if anything, it should get its own torproject.list. I would leave it out of the end-user security guide. Only for testers or paranoid. Testers Wanted! Tor - Stable Upgrades - #5 by Patrick

1 Like

They do but can just as easily work for other hypervisors by changing a single config option.

For Qubes [Xen] it’s not as simple. ( https://github.com/coldhakca/coldkernel/issues/35 )

Doesn’t work out of the box for VirtualBox either. (Breaks X, guest additions and apparmor.)

So I wonder if it works with KVM at all.

Another point to add… Due to https://forums.whonix.org/t/disable-sys-net-pings-to-fedoraproject-org switch your sys-net and sys-firewall to Debian, if that works for you. [medium difficulty since this can break your networking. I advise to keep the original sys-net and sys-firewall Fedora based. Just in case. So you can switch back. And have a separate sys-net-debian as well as sys-firewall-debian.]

VBox is an out of tree module and things with dkms are very flaky.

Working here but that’s not much consolation and I won’t pretend to know what’s wrong in Xen’s case.

Good call. I have tested this and it works (Debian sys-net and firewall).

The side benefit is you can defer to .onions also in the debian-8 templateVM, meaning the whole system is onionized, except for Qubes mirrors currently (with the .onion project underway).

I realize another addition to the list is putting any clear-net browsing (Firefox in Debian AppVM) in a firejail sandbox. Firejail is available from Jessie backports and seems to work well.

The only question is (I know you have a huge firejail thread going on elsewhere), how does one edit the qubes desktop file to run not just plain FF, but the command “firejail firefox” in the executable line? I have located the .desktop file, but wasn’t sure. Is some kind of symbolic link required or “” somewhere? Just throwing in “firejail firefox” there doesn’t work.

1 Like

re Qubes dom0 desktop files edit for firejail support:

Don’t. :slight_smile: Really. :slight_smile: Unless of course there is really no other way around. dom0 should not be involved at all. That should be purely up to the VM templates. Qubes dom0 start menu is capable to extract the full exec line. For example whonix-irc-chat-support.desktop uses hexchat --url ircs://irc.oftc.net:9999/#Whonix. The only place where this is configured is inside the template.

The question is: “How to firejailify an application without requiring the user manually typing firejail into the console.”

Or a wider question: "How to automatically prepend commands (such as firejail) before applications (such as firefox)?"

Has been (partially*) discussed here:
https://forums.whonix.org/t/firejail-seccomp-more-options-for-program-containment

(* I’d have to re-read first to know.)

Hi

According to this: Dev/Firejail - Kicksecure

A short term workaround until the proposed upstreaming of start-tor-browser [4] happens: is to append Firejail to all launcher commands under: /usr/share/applications. Reasoning: TBB folder not visible to users. For a user to accidentally execute Tor Browser without protection, they have to go out of their way to find and launch the start-tor-browser script in the hidden TBB folder. In TBB’s use-model we don’t have to worry about command line users because TBB is a GUI app first and foremost. Visual indicators further help warn against accidental execution in the unlikely event it happens. If they use the command line they might as well put Firejail before the script name. This solution is tested and working and survives TBB upgrades.

So, I imagined this would mean:

1) In Qubes-Whonix, we would edit the relevant file in the Debian-8 TemplateVM

/usr/share/applications/firefox-esr.desktop

2) Prepend the firefox executable in the following line with “firejail”

Exec=/usr/lib/firefox-esr/firefox-esr %u

Exec=/usr/lib/firefox-esr/firejail firefox-esr %u

And hoping for Christmas magic, it would lead to Firefox automatically starting contained, because the Qubes menu entry points to: /usr/share/applications/firefox-esr.desktop

Of course, not that easy. Help?

I’m trying to make this easy for dumb users like me. We need our hands held every step of the way, or we will do something really stupid :slight_smile:

Although, I don’t mind running a terminal with “firejail firefox” every time, there must be an easy solution.

torjunkie:

2) Prepend the firefox executable in the following line with
“firejail”

Exec=/usr/lib/firefox-esr/firefox-esr %u

Exec=/usr/lib/firefox-esr/firejail firefox-esr %u

Exec=firejail /usr/lib/firefox-esr/firefox-esr %u

Maybe full path to firejail is required as well.

Ha ha ha :slight_smile: Dyslexia at its finest. Yep - that works.

What about an entry something like this below? (DebianVM Firefox-ESR tested; Whonix-WS Tor Browser tested) - please point out my many errors, misunderstandings and poor, non-canonical method.

To Do: Non-Qubes-Whonix only - Running Tor Browser in the Alpha Tor Sandbox

[Copy working instructions from sandboxing thread]

Sandboxing Tor Browser and Firefox with Firejail in Qubes-Whonix

Until the alpha Tor Browser sandbox is fully integrated into Qubes-Whonix (experimental instructions are now available for non-Qubes-Whonix), Qubes-Whonix users should strongly consider running instances of the Tor Browser in a restricted environment using the Firejail Security Sandbox.

It must be remembered that the Tor Browser is an untrusted application with a huge attack surface. It is frequently, and successfully, attacked in the wild. Therefore, it makes sense to mitigate the risk of security breaches with a sandboxing approach. According to the Firejail project page:

https://firejail.wordpress.com/

Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.

Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. The program is released under GPL v2 license.

Best of all, Firejail has built-in profiles for a large number of popular Linux programs including: Firefox, Chromium, VLC and Transmission. Sandboxes can be started by simply prefixing your program command with “firejail” in a terminal e.g. “firejail firefox”, “firejail vlc” etc.

Alternatively, a simple work-around in Qubes-Whonix is to edit the relevant .desktop file that launches a process and prepend the executable path with the firejail command.[1][2]

Running Tor Browser in a Firejail Sandbox (tested)

Note: preferably clone your Whonix-Workstation-TemplateVM prior to taking these steps below, as some dependencies will be added.

(1) Open /etc/apt/preferences.d/debian-pinning.pref in an editor with root rights.[3][4]

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/preferences.d/debian-pinning.pref

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/preferences.d/debian-pinning.pref

(2) Paste:

Package: *
Pin: release a=stable
Pin-Priority: 700

Package: *
Pin: release a=jessie-backports
Pin-Priority: 650

Package: *
Pin: release a=testing
Pin-Priority: 600

Package: *
Pin: release a=unstable
Pin-Priority: 550

Package: *
Pin: release a=experimental
Pin-Priority: 500

Save.

(3) Add Debian Backports to the Debian sources file

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /etc/apt/sources.list.d/debian.list

If you are using a terminal-only Whonix, run:

sudo nano /etc/apt/sources.list.d/debian.list

Cut and paste the following Debian Backports mirror (choose the http OR .onion mirror):

deb http://ftp.debian.org/debian jessie-backports main contrib non-free

OR

deb http://vwakviie2ienjx6t.onion/debian jessie-backports main contrib non-free

Save and exit.

(4) Update the TemplateVM and Install Firejail from the backports mirror

sudo apt-get update

sudo apt-get -t jessie-backports install firejail

(5) Create a local directory for the Tor Browser desktop file

mkdir -p /home/user/.local/share/applications

(6) Copy the existing Tor Browser desktop file to the local directory

sudo cp /usr/share/applications/janondisttorbrowser.desktop /home/user/.local/share/applications/janondisttorbrowser.desktop

(7) Edit janondisttorbrowser.desktop in an editor with root rights.[5]

If you are using a graphical Whonix or Qubes-Whonix, run:

kdesudo kwrite /home/user/.local/share/applications/janondisttorbrowser.desktop

If you are using a terminal-only Whonix, run:

sudo nano /home/user/.local/share/applications/janondisttorbrowser.desktop

(8) Prepend the Exec= line with “firejail”[6]

Exec=firejail torbrowser %u

OR to use the existing Firefox profile with Tor

Exec=firejail --profile=/etc/firejail/firefox.profile torbrowser %u

Save and exit

(9) Populate the newly created folder in the TemplateVM

Note: change the name of the template below if you created a whonix-ws-clone-1 to test this procedure.

While Whonix-Workstation TemplateVM is still running, in dom0 run:

qvm-sync-appmenus whonix-ws

(10) Create a new Whonix-Workstation-AppVM based on your modified template

The Tor Browser entry will now point to the modified janondisttorbrowser.desktop file in the .local directory which is prepended with firejail.

Running Firefox-ESR in a Firejail Sandbox (Qubes Debian-8 Template only; tested)

Note: preferably clone your Debian-8 TemplateVM prior to taking these steps below, as some dependencies will be added.[7]

Repeat the steps above for the Tor Browser entry, EXCEPT:

At steps (6) and (7), edit the following file:

/usr/share/applications/firefox-esr.desktop

At step (9), run in dom0:

qvm-sync-appmenus debian-8

Note: change the name of the template if you cloned it at an earlier step.

Footnotes:

[1] Dev/Firejail - Kicksecure
[2] This process can be repeated with every .desktop application file if desired
[3] Template:Apt-Pinning - Whonix
[4] Apt-Pinning allows the user to mix and match packages from different Debian repos without breaking the base distro
[5] Yawning’s script for Firejail integration with Tor Browser is no longer available at https://git.schwanenlied.me/yawning/tor-firejail/src/master/start-tor-browser
[6] Advanced users can create a custom profile for Tor Browser by following these steps at Building Custom Profiles | Firejail
[7] Users should NOT use Firefox in a Whonix template. It is easily fingerprinted and less secure than Tor Browser

1 Like
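Steps (5) to (8) of the procedure above, together with Patrick's earlier correction that firejail goes in front of the whole command rather than inside the program's path, can be scripted. The following is an added shell example, not code from the thread, from Whonix or from the Firejail project: it copies a launcher into a per-user applications directory and rewrites only its Exec= line there, so the package-owned file in /usr/share/applications is never edited and a tb-updater or firefox-esr package update cannot silently drop the sandbox. It assumes the launcher has a single Exec= line, takes the override directory as a parameter (the thread uses /home/user/.local/share/applications), and reads the firejail command name from $FIREJAIL so a full path can be given if PATH lookup fails.

```shell
#!/bin/sh
# Added example, not code from the thread, Whonix or Firejail: create a
# per-user .desktop override whose Exec= line runs the program under firejail,
# as steps (5)-(8) describe, leaving the package-owned file in
# /usr/share/applications untouched. Assumptions: the launcher has one Exec=
# line, the override directory is passed in (the thread uses
# ~/.local/share/applications), and the firejail command name is $FIREJAIL.

FIREJAIL=${FIREJAIL:-firejail}   # set to a full path if PATH lookup fails

# exec_line FILE: print the first Exec= line of a .desktop file.
exec_line() {
    sed -n '/^Exec=/{p;q;}' "$1"
}

# firejail_exec_line LINE: turn "Exec=PROG ARGS" into "Exec=firejail PROG ARGS".
# The prefix goes in front of the whole command, never inside the program's
# path: Exec=/usr/lib/firefox-esr/firejail firefox-esr would look for a
# firejail binary inside the Firefox directory, the mistake corrected in the
# thread. A line that already starts with firejail is returned unchanged, so
# the override can be regenerated safely.
firejail_exec_line() {
    line=$1
    cmd=${line#Exec=}
    case "$cmd" in
        "$FIREJAIL "*) printf '%s\n' "$line" ;;
        *)             printf 'Exec=%s %s\n' "$FIREJAIL" "$cmd" ;;
    esac
}

# install_override SYSTEM_DESKTOP USER_APP_DIR: copy the launcher into the
# user's applications directory and rewrite its Exec= line there. Desktop
# menus read the per-user copy in preference to /usr/share/applications, so a
# package update that replaces the system file does not remove the sandbox.
# Prints the path of the override.
install_override() {
    src=$1
    dir=$2
    dst="$dir/$(basename "$src")"
    mkdir -p "$dir"
    new_exec=$(firejail_exec_line "$(exec_line "$src")")
    # Replace only the first Exec= line; every other line is copied verbatim.
    awk -v repl="$new_exec" '
        /^Exec=/ && !done { print repl; done = 1; next }
        { print }
    ' "$src" > "$dst"
    printf '%s\n' "$dst"
}

# Demo on a constructed launcher in a temporary directory:
#   sh firejail-override.sh --demo
demo() {
    d=$(mktemp -d)
    printf '%s\n' '[Desktop Entry]' 'Name=Tor Browser' \
        'Exec=torbrowser %u' 'Type=Application' > "$d/janondisttorbrowser.desktop"
    out=$(install_override "$d/janondisttorbrowser.desktop" "$d/applications")
    echo "Override written to $out:"; cat "$out"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real template the call is `install_override /usr/share/applications/janondisttorbrowser.desktop /home/user/.local/share/applications`, run as the user rather than root so the override stays owned by the user; in Qubes the dom0 step (9), `qvm-sync-appmenus` for the template, is still needed before the menu entry picks up the new Exec= line.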

Of course right.

Yes.

Quite possible.

We’re on the same page. Our world view on that topic matches. The reason it’s not already done is lack of time. I am still working on the tickets for Whonix 14. Some of them are incredibly hard for me. What Whonix needs is contributions like this. :slight_smile:

Can you please use this template?
Template:Apt-Pinning - Whonix

(Unless you see it unfit, then we fix it?)

(((For usage examples of that template: Tools -> What links here)))

Please use Template:Open with root rights - Whonix instead.

Please don’t directly edit that file. That can lead to unexpected results. Next time tb-updater is updated (each time there is a new Tor Browser stable release) that file will be overwritten. From then, no more firejail. That’s how Debian [and others] packaging works. There are workarounds for that. One is using dpkg-divert, but not a great one. Can you try please if overwriting the desktop file using /home/user/.local/share/applications works? That would be much better.

This needs a warning box stating that one should not run Firefox in Whonix and expect anonymity. Generally, I am open to non-anonymity related security also. But some things may not be confused with each other.

(For that purpose I was wondering to hack Tor Browser that gets more and more hardened and then use it for browsing clearnet. Will probably not be easily possible since TCP support will be removed from Tor Browser [using SocksSocket only]. Would require recompilation or finding a clever socks to clearnet solution.)

1 Like