Since Whonix is built for anonymity, and that is gained by using The Onion Routers, I wonder why we don't configure Whonix just to react with Tor abilities?
For example, disabling IPv6 or disabling all UDP traffic, etc., as hardening (because that will prevent many attacks and lower the attack surface). A good place to start is /etc/sysctl.conf; there are many options there which are good to activate or deactivate, for example deactivating IPv6 or activating IP spoofing, etc. And sure, there are more places to change for hardening. But I wonder why we don't do it.
ls -la /etc/sysctl.d
Disabling UDP would kill Transparent DNS. UDP is sorted out in whonix-gw-firewall.
Aha, OK, but how about the others?
Disabling IPv6 or disabling ICMP or turning on execshield or … etc.
TNT_BOM_BOM:
Aha, OK, but how about the others?
Disabling IPv6 or disabling ICMP or turning on execshield or … etc.
IPv6 is handled by whonix-gw-firewall.
[We cannot just add random recommendations from random websites just
because those are listed there and useful in a different context.]
Others would require a detailed proposal. Some quick thoughts on what it
should roughly include. [No need to make that formal.]
- What exactly does it do?
- What does it improve?
- Does it really apply in context of Whonix?
- Likelihood of introducing issues?
- Long term test results.
- Effects on network fingerprint?
- Effects on web fingerprint? (less likely)
- Why aren’t these the Debian defaults already anyway?
- Would it make sense to suggest to Debian or Qubes to enable these settings by default also?
- Do any other security focused distributions use these settings?
Some stuff may only be eligible for
Security Guide - Whonix or
Advanced Security Guide - Whonix.
I don’t think any sysctl settings are missing at the moment, but if
you think differently, please submit a detailed proposal.
Nothing is missing.
Hmm, check here for example:
http://hashdump.org/wiki/linux/hardening/ipv6.html
And I think it is not shifted inside Debian by default, because why would they turn off IPv6 by default? Or even ICMP? … etc. But we (may) need to do that for more security with the Tor network.
And sure, it's better to ask people who are experts in this.