[HOME] [DOWNLOAD] [DOCS] [NEWS] [SUPPORT] [TIPS] [ISSUES] [Priority Support]

Understanding Whonix-Gateway


#1

I get the impression the Wiki (I started with https://www.whonix.org/wiki/Dev/Technical_Introduction) mostly concentrates on the protection of Whonix-Workstation, but not much is written about the protection of Whonix-Gateway.

The only directly relevant article I found is:

Which is surprisingly short in relation to more or less any other wiki page I viewed.

I understood a major part here is minimizing the attack surface:

By installing a “minimal system”, the only attack surface to an remote attack is Tor itself, apt-get and tails_htp. You can verify this with netstat.

Is it possible to:

  • Explain in which way exactly can this be verified with netstat? I tried to run netstat -antp and got a long list. I tried netstat -anp and got the phone book. What’s supposed to appear?
  • Provide more resources that can help to understand how is Whonix-Gateway itself protected?
  • Any recommendations for the hardening of Whonix-Gateway?
  • Regarding the quote -

Whonix-Gateway MUST NOT be ever used for anything other than running Tor on it.

But, there are several applications on Whonix-Gateway by default - VLC, KMouth, Nepomak, Ark and others. Don’t those increase the attack surface?


#2

Did you see these pages already?

https://www.whonix.org/wiki/Security_Guide#Whonix-Gateway_Security
https://www.whonix.org/wiki/Advanced_Security_Guide#Whonix-Gateway_Security

These are dealing with Whonix-Gateway specific issues. You should also take a look at the sections discussing general OS security.

web search: network security tutorial

sudo netstat -tulpn
every open port should have a reason for being open

and to a lesser extent (because unix sockets are local):
sudo netstat -xlpn

Barring any low-level filesystem bugs, you could store a catalog of malware on your Gateway as long as the files are never read / executed. However, it’s good practice to strive for simplicity & less clutter, so things that aren’t used or needed should be removed if possible. Having extra files and libraries shouldn’t increase your vulnerability but may provide extra opportunities for an attacker after a compromise. Running processes are what’s important:

ps aux
sudo systemctl list-units


#3

Thank you. I found that those sections quickly move to issues outside of Whonix-Gateway (host, hardware, hypersivosr etc) - those are important of course as well but my focus here is on Whonix-Gateway itself.

Seccomp - the first link strongly advises to activate it - are there any disadvantages to doing so? why isn’t it activated by default?

Same question regarding Tor Connection Padding.

I saw that there’s plenty of documentation about AppArmor - I will read more about it.

Barring any low-level filesystem bugs, you could store a catalog of malware on your Gateway as long as the files are never read / executed.

Well understood. And they could be executed not only intentionally but also by user mistake.

things that aren’t used or needed should be removed if possible

I completely agree. If I don’t need to do anything in Whonix-Gateway apart from running updates, performing some leak tests and viewing Tor Circuits (since this functionality was removed from the Workstation), how can I easily figure out how to remove everything else? one risk is that by trying to do that I’ll break something that is actually needed.

sudo netstat -tulpn
every open port should have a reason for being open

OK. Apart from Tor, I see python listening at 10.152.152.10:9052. Using ps aux I see that’s “usr/bin/python /usr/sbin/cpfpd start”.
Also brltty at 127.0.0.1:4101 and dhclient at UDP 0.0.0.0:24618,
0.0.0.0:68 and udp 6 :::14596

Does this look OK?


#4

There is a ticket open to set ConnectionPadding by default.

https://trac.torproject.org/projects/tor/ticket/23955

Be very careful ! Many users have lost their data because they tried to remove packages without first creating backups.

Please see:


#5

I am worried about something worse. That I’ll break a security feature and won’t even know I am using a more vulnerable setup.


#6

System has hierarchical dependencies.

  • apt-cache depends <pkg> shows which packages pkg depends on
  • apt-cache rdepends <pkg> shows which packages depend on pkg
  • use --recurse as needed

There are multiple threads discussing unneeded packages. Some whonix packages are metapackages so inclusion in a metapackage doesn’t necessarily mean that the package is an essential component. Investigate and post (after searching) if you find unneeded packages.

https://forums.whonix.org/search?q=cpfpd

https://forums.whonix.org/search?q=brltty

I don’t use DHCP or VirtualBox. Not sure what’s required but that doesn’t look unusual. You can disable IPv6 if you don’t need it.


#7

The latter one was discussed on phabricator.whonix.org (and removed in
Whonix 14).


#8

There are multiple threads discussing unneeded packages. Some whonix packages are metapackages so inclusion in a metapackage doesn’t necessarily mean that the package is an essential component.

Ok, I understand most of the easily removable are accessibility tools:

After some reading, for the benefit of others reading this thread:

usr/bin/python /usr/sbin/cpfpd start

Control port filter proxy - a Whonix script that filters information the Workstation can access, for security reasons.

Also brltty at 127.0.0.1:4101

An accessibility tool, no longer automatically installed in Whonix 14.

dhclient at UDP 0.0.0.0:24618, 0.0.0.0:68 and udp 6 :::14596

I don’t use DHCP or VirtualBox. Not sure what’s required but that doesn’t look unusual. You can disable IPv6 if you don’t need it.

For some reason I was under the impression it’s disabled by default. Perhaps in the case of using a VPN?


#9

https://www.virtualbox.org/manual/ch06.html#network_nat :

The virtual machine receives its network address and configuration on the private network from a DHCP server integrated into VirtualBox.

web search: virtualbox static nat network
example: Tutorial - Guest Static IP with NAT networking mode
virtualbox support: https://forums.virtualbox.org


#10

I meant IPv6, not DHCP…