How do you maximize your VM security?


fiftyfour...@gmail.com

Jun 9, 2020, 11:26:22 AM
to qubes-users
Hi all,

I took a break from setting up my Qubes OS machine and now I'm looking to finish the job and actually settle in. I am familiar with the overall layout and functions of the OS as a whole, but want to shore up the security of my individual VMs, with Debian running everything except for dom0. I know that isolation should do most of the work, but if further hardening my VMs will add more hurdles for attackers while being of minimal cost to me, why not?

For now, I plan on proper firewalling, activating apparmor, installing taskett-hardening, and reducing attack surfaces where possible.

Specific question: how would one strip down non-app VMs (sys-net, sys-USB, sys-firewall, whonix-gw) to minimize their attack surfaces? Aside from common-sense hardening and operation of app VMs, these seem to be the most exposed and therefore most vulnerable.

More generally: what steps have you taken to harden your VMs?

Dominique

Jun 9, 2020, 12:26:01 PM
to qubes-users
Hi,

First step for me was to install the minimal templates and use them instead of the complete template for service qubes (sys-net, sys-USB and sys-firewall). Information on minimal templates can be found here: https://www.qubes-os.org/doc/templates/minimal/

Second step for me was building and using the mirage firewall instead of sys-firewall. Information on mirage can be found here: https://github.com/mirage/qubes-mirage-firewall/

Third step for me was a random MAC address and hostname. https://www.qubes-os.org/doc/anonymizing-your-mac-address/

Those are things that I do on all my qubes laptop installations. After that, you can play with firewall rules, apparmor and other things.

I would love to see a way to add IDS/IPS in qubes easily but did not have time to even check if someone did try to add IDS/IPS.

Have fun!

Dominique

sysad.andes

Jun 9, 2020, 1:57:42 PM
to Dominique, qubes-users

1st, I second all of this.
2nd, I run a VPN off of the minimal template (technically a double vpn, but it's probably overkill)
3rd, on my todo list, create a scratch template with even less than the minimal for these functions
4th, only wired networking because of all the insecurity regarding wifi.
5th, any applications I don't trust (like Zoom) I run off disposable vms.
6th, don't have any hardware VMs running if you aren't actively using them
7th, add a root password to all VMs
8th, make sure your firewall disallows connections between VMs (granted this is qubes default)
9th, add outbound firewall rules to each VM as appropriate
10th, don't tell people your qubes configuration (I'm kinda fucking up that one right now :p)
11th, use tor if you're seriously concerned about privacy (even though that double vpn was overkill, and this probably moreso)
12th, use both DNSSEC and DNS over TLS
13th, test for DNS leaks with regard to the VPN
14th, reply in line and don't top post... Okay, not security, just good manners
15th, also strip down bios surface (remove possibilities of remote connections, disable any hardware you aren't likely to use, etc.)

Cordially,
Emlay


fiftyfour...@gmail.com

Jun 10, 2020, 8:09:23 AM
to qubes-users
Hi Dominique,

Thanks for the reply. So I take it you chose Mirage because a unikernel firewall has a smaller attack surface compared to full-blown Linux? 

I'm a newbie, so I'm not even sure if these are IDS/IPS, but I'm thinking of installing the tried-and-true trio of rkhunter, lynis, chkrootkit.

I see the point in changing your mac address (already did it myself), but why the hostname as well? Since it's not covered in that link, did you just edit the config files of the template?

(Re-posted since I committed the cardinal sin of top posting) 

fiftyfour...@gmail.com

Jun 10, 2020, 8:18:46 AM
to qubes-users
Hi Emlay,

Thanks for sticking your neck out to help a newbie like me! Your list is very helpful and I'm grateful for it. I have two questions:

1) Is there a resource out there that teaches newbies how to configure minimal templates for different uses? e.g. For VPN, services, apps, etc. 

2) If you're using a VPN (or two), wouldn't they provide DNS encryption services by default?

Dominique

Jun 10, 2020, 11:19:02 AM
to qubes-users
Hi

Changing the hostname is interesting, especially for laptops. When you are connecting to any network, your hostname is sent with your MAC address to the DHCP server, thus leaving a trace in the log of your presence on that network. Also, the sys-net hostname is very unique and stands out in a list of computer names like the default Windows computer names.

Concerning the IDS/IPS (Intrusion Detection System/Intrusion Prevention System), I would be interested in analyzing the traffic with a qube and being able to alert or even create firewall rules on alert at one point. This is probably a big project to do!!!

And sorry for top posting, I am sending a lot of email and I am so used to clicking reply and starting to type!!!

Regards,

Dominique
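To make the DHCP point above concrete, here is an added example (not code from the thread or from Qubes OS): it builds a minimal DHCPDISCOVER the way a client that sends its host name (option 12) would, then parses it the way a DHCP server's logger would, recovering the client MAC and hostname together. The MAC address and the "sys-net" hostname are constructed sample values; the second builder call shows what the server sees when a client omits option 12.

```python
import struct

# Constructed sample values (not real hardware): a made-up MAC and the
# default Qubes sys-net hostname that Dominique says stands out in DHCP logs.
SAMPLE_MAC = bytes.fromhex("0242ac110002")
SAMPLE_HOSTNAME = b"sys-net"

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_HOSTNAME = 12        # RFC 2132 "Host Name" option
OPT_MSG_TYPE = 53
OPT_END = 0xFF

def build_discover(mac, hostname=None):
    """Build a minimal DHCPDISCOVER; option 12 is included only if hostname is given."""
    # BOOTP fixed header: op=1 (request), htype=1 (Ethernet), hlen=6, hops=0,
    # xid, secs, flags (broadcast), ciaddr/yiaddr/siaddr/giaddr all zero.
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, len(mac), 0, 0x3903F326, 0,
                      0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = mac + b"\0" * (16 - len(mac))          # client hardware address
    sname, file_ = b"\0" * 64, b"\0" * 128          # unused legacy fields
    opts = bytes([OPT_MSG_TYPE, 1, 1])              # message type = DISCOVER
    if hostname is not None:
        opts += bytes([OPT_HOSTNAME, len(hostname)]) + hostname
    opts += bytes([OPT_END])
    return hdr + chaddr + sname + file_ + DHCP_MAGIC_COOKIE + opts

def parse_discover(pkt):
    """Return (mac, hostname) as a DHCP server would record them; hostname is None if absent."""
    hlen = pkt[2]
    mac = pkt[28:28 + hlen].hex(":")                # chaddr starts at offset 28
    opts = pkt[240:]                                # 236-byte header + 4-byte cookie
    hostname, i = None, 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_END:
            break
        if code == 0:                               # pad byte, no length field
            i += 1
            continue
        length = opts[i + 1]
        value = opts[i + 2:i + 2 + length]
        if code == OPT_HOSTNAME:
            hostname = value.decode("ascii", "replace")
        i += 2 + length
    return mac, hostname

if __name__ == "__main__":
    print(parse_discover(build_discover(SAMPLE_MAC, SAMPLE_HOSTNAME)))
    print(parse_discover(build_discover(SAMPLE_MAC)))
```

The first call yields the MAC paired with "sys-net", which is exactly the log entry that identifies a Qubes laptop; the second yields the MAC with no hostname, which is what randomizing or suppressing the hostname aims for.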


fiftyfour...@gmail.com

Jun 10, 2020, 1:17:25 PM
to qubes-users
I use groups.google.com so top posting doesn't bother me. I can't speak for everyone else though. Thank you again for all the useful information, Dominique! 

palet...@gmail.com

Jun 10, 2020, 5:29:05 PM
to qubes-users
1) Is there a resource out there that teaches newbies how to configure minimal templates for different uses? e.g. For VPN, services, apps, etc. 

you can find some user setups with configuration examples here:
