hardening Whonix /etc/sysctl.conf

nurmagoz · December 8, 2015, 11:21pm

since whonix built for anonymity and to gain that, is by using The Onion Routers , so i wonder why dont we config whonix just to react with Tor abilities ?
for example disabling IPv6 or disabling all UDP traffics and …etc from hardenings (because that will prevent many attacks and lower the surface attack). a good place to start with is /etc/sysctl.conf , there r many options there which r good to activate or deactivate for example deactivating IPv6 or activating IP spoofing …etc. and sure there r more places to change for hardening. but i wonder why we dont do it.

Patrick · December 8, 2015, 11:25pm

ls -la /etc/sysctl.d

Disabling UDP would kill Transparent DNS. UDP is sorted out in whonix-gw-firewall.

nurmagoz · December 8, 2015, 11:34pm

aha ok , but how about the others ?

disabling IPv6 or Disabling ICMP or turning on execshield or…etc

Patrick · December 8, 2015, 11:47pm

@nurmagoz:

aha ok , but how about the others ?

disabling IPv6 or Disabling ICMP or turning on execshield
or…etc

IPv6 is handled by whonix-gw-firewall.

[We cannot just add random recommendations from random websites just
because those are listed there and useful in a different context.]

Others would require a detailed proposal. Some quick thoughts what it
should roughly include. [No need to make that formal.]

What exactly does it do?
What does it improve?
Does it really apply in context of Whonix?
Likelihood of introducing issues?
Long term test results.
Effects on network fingerprint?
Effects on web fingerprint? (less likely)
Why aren’t these the Debian defaults already anyway?
Would it make sense to suggest to Debian or Qubes to enable these settings by default also?
Do any other security focused distributions use these settings?

Some stuff may only be elegible for
Security Guide - Whonix or
Advanced Security Guide - Whonix.

I don’t think any sysctl settings are missing at the moment, but if
you think different, please submit a detailed proposal.

(@HulaHoop)

HulaHoop · December 11, 2015, 4:58pm

Nothing is missing.

nurmagoz · December 11, 2015, 5:44pm

hmm check here for example:-

http://hashdump.org/wiki/linux/hardening/ipv6.html

and i think it is not shifted inside debian by default because why would they turn off IPv6 by default ? or even ICMP ? …etc. but we (may) need to do that for more security with Tor network.

and sure , its better to ask ppl who r expert in this.