On Sun, 29 Apr 2018 10:39:21 -0400 Ed <e...@edjusted.com> wrote:
> On 04/28/2018 08:50 PM, Stuart Perkins wrote:
>> Hi list.
>>
>> I'm considering setting up a Qubes-capable server at my home. What I need,
>> however, is to be able to remotely control it. Updates...reboot/stop/start
>> system and app VMs etc. Is this even possible with Qubes? I currently run
>> an Ubuntu-powered old laptop as a "server" and have it hosting a couple of
>> VMs with VirtualBox. I can ssh into it and even have an sshuttle setup for
>> VPN-over-SSH functionality for when I need to do something "gui" remotely.
>> One of my VMs is an old XP system which monitors my solar electric. One is
>> an Ubuntu install hosting a Drupal website. One is also installed which is a
>> full-blown VPN server for when I need to do more than just simple things...I
>> rarely use this one.
>>
>> I will be upgrading my "server" hardware to a real server-class platform one
>> of these days, and I would like something specific to running independent
>> VMs, but the remote maintenance might be a Qubes-eliminating need...
>>
>> Anybody here attached a remote console to dom0 before, or does it so
>> completely violate the philosophy of Qubes that it is an absolute
>> no-way-in-hell thing?
>>
>> Stuart
>>
>
> Hi Stuart,
>
> Philosophies aside, you can do whatever you want :) Adding networking
> to dom0 is certainly defeating a lot of the hard work/security that went
> into Qubes. If you wanted to go this route you might consider just
> running Xen directly? Especially if you are putting this in your
> closet/basement?
>
> There is another issue however, aside from just giving dom0 network
> access, and that's the LUKS password. If you needed to reboot the
> machine entirely from remote, you'd be stuck if you had LUKS encryption
> on the disk with no way to enter it remotely.
>
> Unless.... you do what I did, and hook up a Raspberry Pi to the serial
> console of my machine, and update the kernel boot line in grub to use
> the serial console (Note: This REQUIRES you to use the serial console to
> enter the LUKS password; you lose the ability to enter it from your
> keyboard locally).
>
> Stating the obvious, if someone gets access to the Raspberry Pi I'd be
> in a bit of trouble, though as long as I remember to log out of the
> shell at the serial console on the Pi, someone compromising that machine
> does not immediately give them access to the Qubes box; they would have
> to guess my password or wait for me to log back in and enter it if I
> didn't know they were there and they could capture it. I run OSSEC on
> this Pi to help combat that issue.
>
> Also considering defense in depth, I can only access that Raspberry Pi
> via VPN. I do NOT expose it directly to the internet; it also sits on
> its own VLAN which I leave isolated, so when I do have to do remote
> administration I first have to grant access to that VLAN from my router
> console.
>
> So at the end of the day, less secure? Yes. Added convenience? Yes.
> Added complexity? Yes...
>
> You can draw the line wherever you want :)
>
> Ed
>

Thanks for the detailed answer. I may consider a straight-up Xen hypervisor host for those reasons. Physical compromise is unlikely. I have no neighbors...at least none who would care to hack my computer system. The only one even remotely capable is a trusted friend...who I would call to physically touch something if needed.
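For readers following Ed's serial-console approach, here is an added example (not code from the thread or from the Qubes project) of the GRUB settings involved, together with a pre-reboot check that the initramfs LUKS prompt will actually land on the serial port. It assumes a Fedora-style dom0 with /etc/default/grub and grub2-mkconfig, a serial adapter on ttyS0 at 115200 8N1, and the kernel's rule that /dev/console follows the last console= parameter.

```shell
# Example added here (not from the thread): serial console for a headless box
# whose LUKS passphrase must be typed over a serial line, plus a check to run
# BEFORE rebooting so the prompt is not stranded on a console you cannot reach.
# Assumptions: Fedora-style /etc/default/grub, serial port ttyS0 at 115200 8N1.

SERIAL_PORT="ttyS0"
SERIAL_SPEED="115200"

# Settings to add to /etc/default/grub, then regenerate grub.cfg with grub2-mkconfig.
# Only one console= is given, so the GRUB menu and the LUKS prompt both move to
# serial; as Ed notes, the local keyboard can then no longer answer the prompt.
grub_defaults() {
  cat <<EOF
GRUB_TERMINAL="serial"
GRUB_SERIAL_COMMAND="serial --unit=0 --speed=${SERIAL_SPEED} --word=8 --parity=no --stop=1"
GRUB_CMDLINE_LINUX="console=${SERIAL_PORT},${SERIAL_SPEED}n8"
EOF
}

# The kernel routes /dev/console, and with it the initramfs passphrase prompt,
# to the LAST console= parameter on the command line. Print that device name
# (empty if none, which means the default VGA console).
primary_console() {
  cmdline="$1"; last=""
  for word in $cmdline; do
    case "$word" in
      console=*) last="${word#console=}"; last="${last%%,*}" ;;
    esac
  done
  printf '%s\n' "$last"
}

# Pre-reboot sanity check: succeeds (exit 0) when the passphrase prompt will
# land on the expected port, fails otherwise. Feed it the running kernel's
# command line ("$(cat /proc/cmdline)") or the linux line from the new grub.cfg.
check_console() {
  expected="$1"; cmdline="$2"
  [ "$(primary_console "$cmdline")" = "$expected" ]
}

# Usage: check_console "$SERIAL_PORT" "$(cat /proc/cmdline)" && echo "prompt on $SERIAL_PORT"
```

Run the check against the linux line of the freshly generated grub.cfg as well as /proc/cmdline, since a leftover console=tty0 appended after the serial entry silently moves the prompt back to the local VGA console.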