{{Title|
title=System Hardening Checklist
}}
{{Header}}
{{#seo:
|description=Security hardening instructions for {{project_name_long}} and {{q_project_name_long}}. Improving Linux, Windows and macOS host computer security and networking configurations. Safe Tor, Tor Browser and other online activities.
|image=Hardening-13423213.jpg
}}
[[File:Kicksecure-seal.png|thumb|200px]]
[[File:Hardening-13423213.jpg|thumb]]
{{intro|
{{project_name_short}} comes with [https://www.whonix.org/#security many security features]. {{project_name_short}} is {{Kicksecure_link
|
|{{Kicksecure}}
}} Hardened by default and also provides extensive [[Documentation]] including this System Hardening Checklist. The more you know, the safer you can be.
This page is targeted at users who wish to improve the security of their systems for even greater protection.
}}
= Introduction =
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = Recommendations specific to [[Qubes|{{q_project_name_short}}]] or [[Non-Qubes-Whonix|{{non_q_project_name_short}}]] are marked accordingly.
}}
It is possible to significantly harden the {{project_name_short}} and/or host platform. This reduces the likelihood of a temporary or persistent compromise, while increasing the chances of successful, anonymous activity. Hardening is dependent upon a user's skill set, motivation and available hardware. The checklist below is intended to provide a quick overview of important issues, categorized by difficulty level - easy, moderate, difficult and expert.
= Upstream =
This page will focus exclusively on aspects related to {{project_name_short}}/Anonymity. For security hardening and additional insights, users should refer to the Kicksecure page.
{{Upstream_wiki}}
= Easy =
== Anonymous Blogging, Posting, Chat, Email and File Sharing ==
* To remain anonymous, follow all the [[Surfing_Posting_Blogging|{{project_name_short}} recommendations]] to minimize threats of keyboard/mouse biometrics, [[Surfing_Posting_Blogging#Stylometry|stylometric analysis]] and other covert channels.
** A browser is an unsafe environment to directly write text, regardless of whether it is a forum post, email, webmail or IMAP-related reply.
*** At a minimum users should not type into browsers with JavaScript enabled, since this opens up this deanonymization vector. Text should be written in an offline text editor and then copied and pasted into the web interface when it is complete.
* Remove [[metadata|metadata]] from documents, pictures, videos or other files before uploading them to the Internet.
* Think twice before sharing [[Surfing_Posting_Blogging#Photographs|"anonymous" photos]] due to unique embedded noise signatures that have no known countermeasures.
* Be careful sharing [[Surfing_Posting_Blogging#Documents|anonymous documents]]. Digital watermarks with embedded covert data are robust, so run documents through Optical Character Recognition (OCR) before sharing the output.
* Utilize [[OnionShare|OnionShare]] to anonymously share or receive files securely over the Tor network, anonymously chat, or host anonymous websites. [OnionShare 2.0 and higher enforce v3 onion connections. {{project_name_short}} 16 is based on Debian ]{{Stable project version based on Debian codename}} which provides OnionShare v2.2.
== Dedicated Computer ==
For high security, it's best to use a dedicated, physically different computer only for the purpose of using {{project_name_short}} and nothing else. For other use cases, use completely different hardware including a different screen.
This is to lower the impact of fingerprinting VMs in case they get ever compromised.
{{kicksecure_wiki
|wikipage=System_Configuration_and_Access#Use_a_Dedicated_Host_Operating_System_and_Computer
|text=Use a Dedicated Host Operating System and Computer
}}
Related: [[VM Fingerprinting]]
Forum discussion: https://forums.whonix.org/t/high-opsec-recommendation/17237
== File Storage Location ==
* Avoid storing files directly in the root home folder and [[Whonix-Workstation_Security#File_Storage_Location|create appropriate sub-folders instead]].
* Move files downloaded by Tor Browser from the ~/Downloads folder to another specially created one. [The reason is AppArmor profiles (and possibly other mandatory access control frameworks) are unlikely to allow access to these folders by default.]
== Mandatory Access Control ==
* Enable all available [[AppArmor|apparmor profiles]] in the {{project_name_workstation_long}} and {{project_name_gateway_long}} Templates.
* Enable [[{{project_name_gateway_short}}_Security#Seccomp|seccomp]] on {{project_name_gateway_short}} ({{project_name_gateway_vm}} ProxyVM).
== Tor Browser Series and Settings ==
* Prefer the stable Tor Browser release over the alpha series in line with Tor developer recommendations; see footnotes. [[https://blog.torproject.org/new-release-tor-browser-90a1 Tor Blog]: ]Note: this is an alpha release, an experimental version for users who want to help us test new features. For everyone else, we recommend downloading the latest stable release instead.
[[https://www.ics.uci.edu/~perl/pets16_selfrando.pdf Selfrando] (load-time memory randomization) protection has been [https://gitlab.torproject.org/legacy/trac/-/issues/30377 removed from alpha Tor Browser Linux builds]. Although Selfrando provides a security improvement over standard address space layout randomization (ASLR) present in Tor Browser and other browsers, Tor developers believe it is relatively easy for attackers to bypass and not worth the effort.] [The "hardened" Tor Browser series has been deprecated, see: https://gitlab.torproject.org/legacy/trac/-/issues/21912] [Following the official release of the v8.0+ Tor Browser series (based on Firefox 60 ESR), the stable and alpha Tor Browser versions both have a [https://wiki.mozilla.org/Security/Sandbox native sandbox].]
* Run the [[Tor_Browser#Security_Slider|Tor Browser Security Slider]] in the highest position. [This may affect usability and proper functioning on some websites.]
* [https://support.torproject.org/#tbb_tbb-34 Disable Javascript] by default and [[Tor_Browser#Security_vs_Usability_Trade-off|only allow it sparingly]] for trusted sites. [This is more secure, but increases the user's fingerprinting risk due to selective use of Javascript.]
* Do not configure [[Tor_Browser#NoScript_Custom_Setting_Persistence|custom NoScript (per-site) settings]] which persist across successive Tor Browser sessions because this aids fingerprinting.
* Use [https://support.torproject.org/onionservices/ .onion services] where possible to stay within the Tor network, such as defaulting searches to the [https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/ DuckDuckGo onion service]. [Take care to observe you stay within the Tor network -- 'downgrade' attacks have been observed that result in clearnet URLs being loaded in place of onion services across successive page loads on some sites.]
* Use [[Tor_Browser/Advanced_Users#Multiple_Tor_Browser_Instances_and_Workstations|multiple Tor Browser instances or multiple {{project_name_workstation_short}}]] to better compartmentalize contextual identities.
* Follow all other [[Tor_Browser#Unsafe_Tor_Browser_Habits|{{project_name_short}} recommendations for safe]] and [[Tips_on_Remaining_Anonymous|anonymous]] use of [[Tor_Browser|Tor Browser]].
* [[Install_Tor_Browser_Outside_of_{{project_name_short}}|Install Tor Browser outside of {{project_name_short}}]] so a second, working instance is always available for anonymous activities. [Thereby circumventing any possible future problems, like the breakage of {{project_name_short}}.]
== Virtual Machines ==
=== All Virtualizers ===
* Remove the virtual audio controller to VMs from getting access to a {{kicksecure_wiki
|wikipage=Hardware_Threat_Minimization#Microphones
|text=microphone (eavesdropping risk)
}} or [[Hardware_Threat_Minimization#Speakers|speaker]] ([[Hardware_Threat_Minimization#Profiling_Threat|profiling threat]]).
=== VirtualBox ===
* Remove a host of [[Virtualization_Platform_Security#VirtualBox Hardening|VirtualBox features]] to reduce the attack surface.
* Take regular, clean [[{{project_name_workstation_short}}_Security#VM_Snapshots|VM snapshots]] that are not used for any activities.
* Spoof the initial [[Network_Time_Synchronization#Spoof_the_Initial_Virtual_Hardware_Clock_Offset|virtual hardware clock offset]].
* Consider disabling [[VirtualBox/Guest_Additions#Clipboard_Sharing|clipboard sharing]] to reduce the risk of identity correlation. [Bidirectional clipboard sharing is currently enabled by default in {{project_name_short}} VirtualBox VMs. There are security reasons to disable clipboard sharing, for example to prevent the accidental copying of something (non-)anonymous and pasting it in its (non-)anonymous counterpart such as a browser, which would lead to identity correlation.]
* [[VirtualBox/Guest_Additions#Shared_Folder|Shared folders]] are discouraged because they weaken isolation between the guest and the host. [Providing a mechanism to access files of the host system from within the guest system via a specially defined path necessarily enlarges the attack surface and provides a potential pathway for malicious actors to compromise the host.]
== Networking ==
== Spoof MAC Addresses ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = '''Tip:''' [https://en.wikipedia.org/wiki/MAC_spoofing MAC spoofing] is only necessary if traveling with your laptop or PC. It is not required for home PCs that do not change locations.
}}
* In [[Qubes|{{q_project_name_short}}]], [https://github.com/Qubes-Community/Contents/blob/master/docs/privacy/anonymizing-your-mac-address.md follow these steps] to spoof the MAC address on the Debian or Fedora Template used for network connections.
* In [[Non-Qubes-Whonix|{{non_q_project_name_short}}]], follow [[MAC_Address#Changing_MAC_Addresses|these steps]] to spoof the MAC address of the network card on a Linux, Windows or macOS host.
== Time Related ==
* {{non_q_project_name_short}} only: [[Disable_TCP_and_ICMP_Timestamps#Disable_ICMP_Timestamps|Disable ICMP timestamps]] and [[Disable_TCP_and_ICMP_Timestamps#Disable_TCP_Timestamps|TCP timestamps]] on the host operating system to prevent leakage of information. [Such as system information, host time, system uptime, and fingerprinting of devices behind a router.]
* {{non_q_project_name_short}} only: [[Time_Attacks#Mitigations|Uninstall the NTP client]] on the host operating system and disable systemd's timdatectl NTP synchronization feature. [
This prevents time-related attack vectors which rely on leakage of the host time.
]
* Prevent possible time leaks by [[Network_Time_Synchronization#Block_Networking_until_sdwdate_Finishes|blocking networking until sdwdate finishes]].
== Tor Settings ==
* Consider enabling [[{{project_name_gateway_short}}_Security#Tor_Connection_Padding|Tor connection padding]] for potentially better anonymity; note it is unclear whether this provides any additional benefit (see footnote). [https://forums.whonix.org/t/tor-connectionpadding/7477]
* Consider installing [[Tor_Versioning|newer Tor versions]] directly from The Tor Project repository.
* Avoid [[Tor_Entry_Guards#Regenerate_the_Tor_State_After_Saving_the_Tor_State_Folder|regenerating the Tor state file]] or [[Tor_Entry_Guards#Manual_Rotation_of_Tor_Guards|manually rotating Tor guards]] [Via creation of a new {{project_name_gateway_short}} (]{{project_name_gateway_vm}}). because it degrades anonymity.
* Avoid configuring [[Tor_Entry_Guards#Fresh_Tor_Entry_Guards_by_Regenerating_the_Tor_State_File|non-persistent entry guards]], as this ''severely'' degrades anonymity.
* Consider using [[Bridges]] if Tor is censored, dangerous or deemed suspicious in your location.
* If using a bridge, configure [[Tor_Entry_Guards#Alternating_Bridges|alternating bridges]] for different physical locations.
* Heavily censored users should configure a ''meek-azure'' bridge with [[Anon_Connection_Wizard|Anon Connection Wizard]]. [For example, {{project_name_short}} users residing in China.]
* To help preserve anonymity, copy [[Tor_Entry_Guards#Copy_Tor_Configuration_files_and_Settings_to_Another_{{project_name_gateway_vm}}_Instance|Tor configuration files and settings]] to any new {{project_name_gateway_vm}} instance which is created. [This is useful when testing later {{project_name_short}} releases to stymie deanonymization attempts by advanced adversaries, or when creating an identical backup that does not share any other persistent data, except for Tor state and custom torrc options.]
== {{project_name_short}} VM Security ==
* Consider disabling the [[{{project_name_gateway_short}}_Security_Hardening#How-to:_Disable_Control_Port_Filter_Proxy|Control Port Filter Proxy]] to reduce the attack surface of both the {{project_name_gateway_short}} and {{project_name_workstation_short}}.
* Consider [[systemcheck_Hardening|hardening systemcheck]].
* Consider the periodic deletion and recreation of VMs that are used for sensitive operations.
** If a compromise of {{project_name_gateway_short}} and/or {{project_name_workstation_short}} is suspected, follow the [[Disaster_Recovery|compromise recovery]] instructions.
= Difficult =
== Chaining Anonymizing Tunnels ==
* Avoid this course of action. The [[Tunnels/Introduction|anonymity benefits are unproven]] and it may actually hurt a user's anonymity and security goals.
* Virtual Private Network (VPN) tunnel-links are [[Tunnels/Introduction#VPN_Tunnel_Risks|strongly recommended against]] due to multiple security and anonymity risks.
== Disposables ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = Qubes / {{q_project_name_short}} only.
Note: Some traces of Disposable usage and data contents will leak into the dom0 filesystem and survive reboots; see [https://github.com/QubesOS/qubes-issues/issues/4972 here] for further information. (This is a Qubes-specific issue and [[Unspecific|unrelated to {{project_name_short}}.]])
}}
* Run all instances of Tor Browser in a [[Qubes/Disposables|Disposable]] which is preferably uncustomized to resist fingerprinting. [This is safe in the stable Qubes R4 release, but [https://phabricator.whonix.org/T695 privacy issues] were unresolved in Qubes R3.2 (now unsupported).]
* Configure each ServiceVM as a [https://www.qubes-os.org/doc/disposable-customization/ static Disposable] to mitigate the threat from persistent malware accross VM reboots. [Users can configure ]sys-net, sys-firewall and sys-usb as static Disposables. This option has been available from Qubes R4 onward.
* Until fully ephemeral Disposables are available by default in [https://github.com/QubesOS/qubes-issues/issues/4972 a future Qubes release], advanced users can consider configuring them manually:
** [https://github.com/unman/notes/blob/master/Really_Disposable_Qubes.md Unman's guide to ephemeral Disposables] creates a RAM-based storage area.
** [https://github.com/anywaydense/QubesEphemerize anywaydense's guide to ephemeral PVH Disposables] encrypts data written to the disk with an ephemeral encryption key only stored in RAM.
== Email ==
=== All Platforms ===
* Follow the [[E-Mail#Email_Provider_Comparison|{{project_name_short}} recommendations]] to select an email provider compatible with privacy and anonymity.
* For [[E-Mail#Encrypted_Email|anonymous PGP-encrypted email]] over Tor, use [[Encrypted_Email_with_Thunderbird|Mozilla Thunderbird]]. [Reminder: The ''Subject:'' line and other header fields are not encrypted in the current configuration.]
* For greater email or message security, consider using the [[PQCrypto#OneTime|OneTime]] application or a [[One_Time_Pad|Physical One-time Pad]] for military-grade encryption.
* Follow all other [[E-Mail#Safe_Email_Principles|email principles for greater safety]].
=== {{q_project_name_short}} Only ===
* Use [https://www.qubes-os.org/doc/split-gpg/ split-GPG] for email to reduce the risk of key theft used for encryption / decryption and signing.
* Create an App Qube that is exclusively used for email and change the VM's firewall settings to only allow network connections to the email server and nothing else ("Deny network access except...").
* Only open [https://micahflee.com/2016/07/how-qubes-makes-handling-pdfs-way-safer/ untrusted email attachments] in a Disposable to prevent possible infection.
== Mix Personal Tor Traffic with Own Tor Bridge or Relay ==
* See [[Host a Bridge or Tor Relay]]; this configuration ''might'' make adversary classification of Tor traffic more difficult. [The reason is adversaries observing traffic will need to perform classification of both traffic generated by the Tor relay or bridge and your personal client traffic.]
== Whitelisting Tor Traffic ==
* [[Qubes|{{q_project_name_short}}]]: Configure {{project_name_gateway_vm}} to use [[Corridor|corridor]] as a filtering gateway to ensure only connections to Tor relays pass through. [This provides an additional fail-safe to protect from accidental clearnet leaks that might arise from hypothetical {{project_name_short}} bugs, but does not address potential Qubes ProxyVM leaks.] [https://github.com/rustybird/corridor]
* [[Non-Qubes-Whonix|{{non_q_project_name_short}}]] or {{q_project_name_short}}: Use a standalone [https://github.com/rustybird/corridor corridor] as a filtering gateway.
= Expert =
== Physical Isolation ==
{{mbox
| type = notice
| image = [[File:Ambox_notice.png|40px|alt=Info]]
| text = {{non_q_project_name_short}} only.
}}
* If additional hardware is available, consider [[Dev/Build_Documentation/Physical_Isolation|Physical Isolation]] in [[Non-Qubes-Whonix|{{non_q_project_name_short}}]]. [Using two different computers and virtualization is one of the most secure configurations available, but may be less secure than [https://invisiblethingslab.com/resources/2014/Software_compartmentalization_vs_physical_separation.pdf Qubes' approach] (software compartmentalization).]
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]