I get the impression the Wiki (I started with Technical Introduction) mostly concentrates on the protection of Whonix-Workstation, but not much is written about the protection of Whonix-Gateway.
The only directly relevant article I found is:
Which is surprisingly short in relation to more or less any other wiki page I viewed.
I understood a major part here is minimizing the attack surface:
By installing a “minimal system”, the only attack surface to a remote attack is Tor itself, apt-get and tails_htp. You can verify this with netstat.
Is it possible to:
Explain in which way exactly can this be verified with netstat? I tried to run netstat -antp and got a long list. I tried netstat -anp and got the phone book. What’s supposed to appear?
Provide more resources that can help to understand how is Whonix-Gateway itself protected?
Any recommendations for the hardening of Whonix-Gateway?
Regarding the quote -
Whonix-Gateway MUST NOT be ever used for anything other than running Tor on it.
But, there are several applications on Whonix-Gateway by default - VLC, KMouth, Nepomak, Ark and others. Don’t those increase the attack surface?
These are dealing with Whonix-Gateway specific issues. You should also take a look at the sections discussing general OS security.
web search: network security tutorial
sudo netstat -tulpn
every open port should have a reason for being open
and to a lesser extent (because unix sockets are local): sudo netstat -xlpn
Barring any low-level filesystem bugs, you could store a catalog of malware on your Gateway as long as the files are never read / executed. However, it’s good practice to strive for simplicity & less clutter, so things that aren’t used or needed should be removed if possible. Having extra files and libraries shouldn’t increase your vulnerability but may provide extra opportunities for an attacker after a compromise. Running processes are what’s important:
Thank you. I found that those sections quickly move to issues outside of Whonix-Gateway (host, hardware, hypervisor, etc.) - those are important of course as well, but my focus here is on Whonix-Gateway itself.
Seccomp - the first link strongly advises to activate it - are there any disadvantages to doing so? why isn’t it activated by default?
Same question regarding Tor Connection Padding.
I saw that there’s plenty of documentation about AppArmor - I will read more about it.
Barring any low-level filesystem bugs, you could store a catalog of malware on your Gateway as long as the files are never read / executed.
Well understood. And they could be executed not only intentionally but also by user mistake.
things that aren’t used or needed should be removed if possible
I completely agree. If I don’t need to do anything in Whonix-Gateway apart from running updates, performing some leak tests and viewing Tor circuits (since this functionality was removed from the Workstation), how can I easily figure out how to remove everything else? One risk is that by trying to do that I’ll break something that is actually needed.
sudo netstat -tulpn
every open port should have a reason for being open
OK. Apart from Tor, I see python listening at 10.152.152.10:9052. Using ps aux I see that’s “usr/bin/python /usr/sbin/cpfpd start”.
Also brltty at 127.0.0.1:4101 and dhclient at UDP 0.0.0.0:24618, 0.0.0.0:68 and udp6 :::14596
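As an added example (not from the Whonix wiki or from anyone in this thread), here is how the “every open port should have a reason for being open” rule from the earlier reply can be turned into a repeatable check: the listening sockets reported by `sudo netstat -tulpn` are compared against an allowlist of programs that are expected to listen on the Gateway. The allowlist and the sample netstat output are assumptions constructed to mirror the sockets listed in this post.

```shell
#!/bin/sh
# Added example: flag listening sockets whose owning program is not on an
# allowlist. Run on a live Gateway as:  sudo netstat -tulpn | audit_listeners

# Constructed sample of `sudo netstat -tulpn` output, modelled on the sockets
# reported in this thread (PIDs and the 9050 line are made up for illustration).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.152.152.10:9050      0.0.0.0:*               LISTEN      512/tor
tcp        0      0 10.152.152.10:9052      0.0.0.0:*               LISTEN      634/python
tcp        0      0 127.0.0.1:4101          0.0.0.0:*               LISTEN      701/brltty
udp        0      0 0.0.0.0:24618           0.0.0.0:*                           455/dhclient
udp        0      0 0.0.0.0:68              0.0.0.0:*                           455/dhclient
udp6       0      0 :::14596                :::*                                455/dhclient'

# Programs with a documented reason to listen on the Gateway (assumed allowlist:
# tor itself and the python process running the control port filter proxy).
ALLOWED='tor python'

# audit_listeners: reads `netstat -tulpn` output on stdin and prints one line
# ("proto local-address program") for every socket owned by a program that is
# not in $ALLOWED. Header lines and non tcp/udp rows are ignored.
audit_listeners() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^(tcp|udp)6?$/ {
            prog = $NF
            sub(/^[0-9-]*\//, "", prog)      # "512/tor" -> "tor"; "-" stays "-"
            if (!(prog in ok)) print $1, $4, prog
        }'
}

# Demonstration on the constructed sample: brltty and the three dhclient
# sockets are reported, tor and python are not.
printf '%s\n' "$SAMPLE_NETSTAT" | audit_listeners
```

A program shown as `-` in the last column means netstat could not resolve the owner (usually because it was not run as root), so such rows are also reported rather than silently trusted.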
apt-cache depends <pkg> shows which packages pkg depends on
apt-cache rdepends <pkg> shows which packages depend on pkg
use --recurse as needed
There are multiple threads discussing unneeded packages. Some whonix packages are metapackages so inclusion in a metapackage doesn’t necessarily mean that the package is an essential component. Investigate and post (after searching) if you find unneeded packages.
There are multiple threads discussing unneeded packages. Some whonix packages are metapackages so inclusion in a metapackage doesn’t necessarily mean that the package is an essential component.
OK, I understand most of the easily removable ones are accessibility tools:
After some reading, for the benefit of others reading this thread:
usr/bin/python /usr/sbin/cpfpd start
Control port filter proxy - a Whonix script that filters information the Workstation can access, for security reasons.
Also brltty at 127.0.0.1:4101
An accessibility tool, no longer automatically installed in Whonix 14.
dhclient at UDP 0.0.0.0:24618, 0.0.0.0:68 and udp6 :::14596
I don’t use DHCP or VirtualBox. Not sure what’s required but that doesn’t look unusual. You can disable IPv6 if you don’t need it.
For some reason I was under the impression it’s disabled by default. Perhaps in the case of using a VPN?