Attack from the inside

Let’s say I want to maintain a controversial hidden service, and be fool enough to team up with someone. Naturally that someone “needs” root access to the server via SSH.
In this scenario our system would be set up in a rented rackspace (rather than a VPS) and built around Whonix Gateway. Now, when things go sour and my partner thinks he’s had enough, what could he do to expose the server location with SSH and root access (only) to the workstation? Would it be a viable attack vector? Would it make a difference if we would use another guest OS rather than Whonix Workstation, say CentOS or Debian?

Good day,

If the workstation (no matter whether custom or pre-made) has been set up properly and according to the standard safety measures and your “partner” really only gets access to the workstation, rather than the entire server or the gateway, it’s currently impossible for him to find out the IP address of the server on which it’s hosted. However, other security issues (like him maybe knowing something about you, which could lead to a lead (no pun intended) to you) will still remain, though this will always be the case with humans. Furthermore, I would recommend against connecting to the VPS with anything other than a secure connection (over Tor), since nothing says the provider won’t save whichever IPs connect with your host for working on it. And, if we are really consequent, we also need to keep in mind that someone could “hack” the server using a USB drive, or something similar, thus I recommend, if you have complete access (including for example KVM over IP) to everything, including the BIOS, you should really use a host which is as immune as possible to this kind of attack, like good old Qubes.

Have a nice day,

Ego

Once a root compromise has happened, the attack surface is much bigger. Whonix assumes this, but as part of a multi-layered security concept it’s something very much worthwhile to avoid. A VM exploit would be fatal [leading to real IP discovery].

Related:

Thanks to both of you for your replies.
Would it help to have a separate physical router that connects only to a VPN?

Good day,

Since that router would still be linkable to you, I’d say no.

Have a nice day,

Ego

That depends on whether VPNs work against your adversary or not. This isn’t a topic on which Whonix has an official standpoint. See:

Other VPN related information (not all applicable to your use case):

Nah, a second rack server to use as a router would be prohibitively expensive to buy and operate. The one I have now was a real bargain second-hand but still not cheap, and rackspace doesn’t come for free either.
But still, would a VPN help in this case, assuming it’s anonymous to begin with? In that case a successful attack of the sort I have in mind would only be able to see the VPN’s IP, right? I don’t intend to do anything illegal, so the only thing I very much have to worry about is attacks from people with no legal authority.
And also, would you fill me in on proper setup and standard safety measures when it comes to something like this? On my VMs I’ve always installed Debian from behind Whonix Gateway, and left it much like that with the exception of handling routing manually. But then again, they have been for testing only.

Under these assumptions, why shouldn’t it work?

Still, read Combining Tunnels with Tor because it gives insights about the fail-closed mechanism and who knows what else you do not know yet and may find useful.