-------- Original message --------
From: Dominique <dominiqu...@gmail.com>
Date: 6/9/20 12:26 (GMT-05:00)
To: qubes-users <qubes-users@googlegroups.com>
Subject: [qubes-users] Re: How do you maximize your VM security?

On Tuesday, June 9, 2020 at 11:26:22 AM UTC-4, fiftyfour...@gmail.com wrote:
> Hi all,
>
> I took a break from setting up my Qubes OS machine and now I'm looking to finish the job and actually settle in. I am familiar with the overall layout and functions of the OS as a whole, but want to shore up the security of my individual VMs, with Debian running everything except for dom0. I know that isolation should do most of the work, but if further hardening my VMs will add more hurdles for attackers while being of minimal cost to me, why not?
>
> For now, I plan on proper firewalling, activating AppArmor, installing taskett-hardening, and reducing attack surfaces where possible.
>
> Specific question: how would one strip down non-app VMs (sys-net, sys-USB, sys-firewall, whonix-gw) to minimize their attack surfaces? Aside from common-sense hardening and operation of app VMs, these seem to be the most exposed and therefore most vulnerable.
>
> More generally: what steps have you taken to harden your VMs?

Hi,

First step for me was to install the minimal templates and use them instead of the complete template for service qubes (sys-net, sys-USB and sys-firewall). Information on minimal templates can be found here: https://www.qubes-os.org/doc/templates/minimal/

Second step for me was building and using the mirage firewall instead of sys-firewall. Information on mirage can be found here: https://github.com/mirage/qubes-mirage-firewall/

Third step for me was random MAC address and hostname: https://www.qubes-os.org/doc/anonymizing-your-mac-address/

Those are things that I do on all my Qubes laptop installations. After that, you can play with firewall rules, AppArmor and other things.

I would love to see a way to add IDS/IPS in Qubes easily but did not have time to even check if someone did try to add IDS/IPS.

Have fun!
Dominique

1st, I second all of this.
2nd, I run a VPN off of the minimal template (technically a double VPN, but it's probably overkill).
3rd, on my to-do list: create a scratch template with even less than the minimal for these functions.
4th, only wired networking, because of all the insecurity regarding Wi-Fi.
5th, any applications I don't trust (like Zoom) I run off disposable VMs.
6th, don't have any hardware VMs running if you aren't actively using them.
7th, add a root password to all VMs.
8th, make sure your firewall disallows connections between VMs (granted, this is the Qubes default).
9th, add outbound firewall rules to each VM as appropriate.
10th, don't tell people your Qubes configuration (I'm kinda fucking up that one right now :p).
11th, use Tor if you're seriously concerned about privacy (even though that double VPN was overkill, and this probably more so).
12th, use both DNSSEC and DNS over TLS.
13th, test for DNS leaks with regard to your VPN.
14th, reply in line and don't top post... Okay, not security, just good manners.
15th, also strip down BIOS surface (remove possibilities of remote connections, disable any hardware you aren't likely to use, etc.).

Cordially,
Emlay

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ad3b1c28-e980-4d0c-9517-8b18402f816do%40googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/5edfcd90.1c69fb81.a0909.78cc%40mx.google.com.
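As an added example for this thread (not code from either poster or from the Qubes project), here is a small dom0 helper for Emlay's 9th point (per-qube outbound rules) that also respects the 13th (no DNS leaving a VPN qube before the tunnel is up). It composes a default-deny allow-list in the key=value rule syntax that qvm-firewall accepts, validates hosts and ports before anything reaches dom0, and ends the list with an unconditional drop. Assumptions: the Qubes 4.x rule tokens `action=`, `specialtarget=dns`, `dsthost=`, `proto=`, `dstports=`; the `qubesadmin` admin API used only inside `apply_rules()`; a conservative qube-name pattern; and the RFC 5737 addresses, which are constructed sample input.

```python
# Added example, not code from this thread or from the Qubes project.
# Assumptions: Qubes 4.x qvm-firewall rule tokens
# "action=... [specialtarget=dns] [dsthost=...] [proto=...] [dstports=...]",
# the dom0 qubesadmin API (apply_rules only), and the VM-name pattern below.
import ipaddress
import re

# RFC 1123 hostname labels; VMNAME_RE is a conservative assumption, not Qubes' exact rule.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
VMNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def _dsthost(host):
    """Accept an IPv4/IPv6 address or CIDR, or a hostname; reject anything else.
    Caveat: Qubes resolves hostnames in the firewall qube when the rules load,
    so a name whose A records rotate (CDNs) can silently stop matching; prefer CIDRs."""
    try:
        ipaddress.ip_network(host, strict=False)
        return host
    except ValueError:
        if HOSTNAME_RE.match(host):
            return host
    raise ValueError(f"not an address, network or hostname: {host!r}")


def _dstports(ports):
    """Normalise a port or port range; collapse 'N-N' to 'N'."""
    m = PORT_RE.match(ports)
    if not m:
        raise ValueError(f"bad port spec: {ports!r}")
    lo = int(m.group(1))
    hi = int(m.group(2) or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port out of range: {ports!r}")
    return str(lo) if lo == hi else f"{lo}-{hi}"


def allow(host, proto="tcp", ports=None):
    """One accept rule. tcp/udp require dstports; icmp must not carry any."""
    if proto not in ("tcp", "udp", "icmp"):
        raise ValueError(f"unsupported proto: {proto!r}")
    rule = ["action=accept", f"dsthost={_dsthost(host)}", f"proto={proto}"]
    if proto == "icmp":
        if ports is not None:
            raise ValueError("icmp rules take no dstports")
    elif ports is None:
        raise ValueError("tcp/udp rules need dstports")
    else:
        rule.append(f"dstports={_dstports(ports)}")
    return " ".join(rule)


def plan_rules(accepts, dns=True):
    """Ordered rule list: DNS to the NetVM resolver first (only if the qube
    needs name resolution), then the explicit accepts, then a drop so nothing
    else leaves the qube.  Only accept rules may appear in the allow-list."""
    for r in accepts:
        if not r.startswith("action=accept "):
            raise ValueError(f"only accept rules go in the allow-list: {r!r}")
    rules = ["action=accept specialtarget=dns"] if dns else []
    rules.extend(accepts)
    rules.append("action=drop")
    return rules


def as_commands(vm, rules):
    """dom0 commands equivalent to the plan. `add` appends to the qube's current
    list, so check `qvm-firewall VM list` afterwards and remove any earlier
    catch-all accept with `qvm-firewall VM del --rule-no N`."""
    if not VMNAME_RE.match(vm):
        raise ValueError(f"bad qube name: {vm!r}")
    return [f"qvm-firewall {vm} add {r}" for r in rules]


def apply_rules(vm, rules):
    """Replace the qube's whole rule list in one call through the dom0 admin API
    (assumed qubesadmin interface; only importable in dom0)."""
    import qubesadmin  # dom0 only; assumed API
    import qubesadmin.firewall
    app = qubesadmin.Qubes()
    app.domains[vm].firewall.rules = [qubesadmin.firewall.Rule(r) for r in rules]


if __name__ == "__main__":
    # Constructed sample: a VPN qube that may reach only its endpoint
    # (198.51.100.7, RFC 5737 documentation range) on UDP 1194 plus ICMP.
    # dns=False: the endpoint is pinned by IP, so no resolver query can leak
    # before the tunnel is up.
    vpn_rules = plan_rules([
        allow("198.51.100.7", "udp", "1194"),
        allow("198.51.100.7", "icmp"),
    ], dns=False)
    for cmd in as_commands("sys-vpn", vpn_rules):
        print(cmd)
```

Run it from dom0 (or anywhere, to review the plan) and paste the printed commands, or call `apply_rules("sys-vpn", vpn_rules)` in dom0 to set the list atomically. The trailing `action=drop` is what turns the qube's default-accept policy into default-deny; without it every `add` merely punches extra holes.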