{{Header}}
{{#seo:
|description=Advanced Host Security for Advanced Users, {{project_name_long}} Hardening
|image=Host232security23434234.jpg
}}
[[File:Host232security23434234.jpg|thumb]]
{{intro|
{{security_intro}}

This page is targeted at advanced users who wish to improve the general security of their host operating system to become even more secure.
}}
= apt-transport-tor =

apt-transport-tor is a package that allows non-{{project_name_workstation_long}} that are not behind a torifying gateway to torify their APT traffic for individual repositories.

With non-{{project_name_short}} systems in mind, for security reasons APT blocks clearnet connections to <code>.onion</code> domains by default. APT developers want to protect users from accidentally trying to use <code>.onion</code> repositories without using Tor. Otherwise, a rogue DNS server could redirect users to a false domain and trick them into thinking they are using Tor when they are not.

apt-transport-tor (<code>tor+http</code>) is the default from {{project_name_short}} 14 onward because it provides better error handling. <ref>
source: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754242#54

<blockquote>
That said, it might make sense to use a-t-tor anyhow even if not
strictly needed as it will deal better with certain tor anomalies given
that it knows tor is involved reporting better errors (like telling you
that the .onion address you typo'ed is too long/short; saying
"unreachable host" if a service is… well, not reachable, instead of
saying "TTL expired" which is reported by Tor and technically more
correct but unhelpful), will use different circuits for different
sources and stuff.
</blockquote>
</ref> <ref>
For instance it reports if the <i>.onion</i> address is too long or short, and will use different circuits for different sources.
</ref>

= DMZ =

If users have a shared network -- such as a cable modem/router or ADSL/router setup that is utilized by others -- then consider configuring a {{project_name_gateway_short}} [https://en.wikipedia.org/wiki/DMZ_%28computing%29 DMZ].

A properly configured DMZ restricts {{project_name_gateway_short}} from accessing, and being accessible to, other nodes on the network like printers, phones, computers and laptops. This is true even if root access is somehow achieved.

Should an incursion take place, a DMZ prevents an adversary from exploring other systems and possibly compromising them. However, in this case a DMZ does not protect the user's anonymity, since the adversary could just ping a remote server and discover the real IP address. Another benefit of a DMZ is that should other systems be compromised, it is more difficult to compromise {{project_name_gateway_short}}.

= Hardware Security =

{{mbox
| type      = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = {{project_name_short}} cannot provide protection against hardware backdoors.
}}

Trusted computer hardware is fundamental to security. It is recommended to purchase and use "clean" computers that have components manufactured by reputable companies. It is preferable to pay in cash so hardware IDs do not leak your identity.

As outlined in the [[System_Configuration_and_Access#Use_a_Dedicated_Host_Operating_System_and_Computer|System Configuration and Access]] entry, it is safest to purchase a computer that is solely used for {{project_name_short}} activities because this minimizes the risk of a prior hardware compromise.

= Key Hardening Steps =

For greater security, advanced users should harden the host {{os}} as much as is practicably possible. This includes, but is not limited to applying relevant steps from the [[System_Hardening_Checklist|System Hardening Checklist]] and instructions found throughout this section:

<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2">
* [[System_Hardening_Checklist#Disabling_and_Minimizing_Hardware_Risks|Disable and minimize hardware risks]].
* [[System_Hardening_Checklist#Secure_Downloads|Securely download files]] and [[System_Hardening_Checklist#Secure_Software_Installation|install software on the host]].
* Avoid [https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/multiboot.md insecure dual-boot arrangements].
* Choose a host OS that is [[Host_Operating_System_Selection|compatible with privacy and security goals]].
* [[Operating_System_Hardening#Harden_Debian|Harden]] the host.
** Use [[Full_Disk_Encryption|Full Disk Encryption (FDE)]] on the host.
** Apply a [[Protection_Against_Physical_Attacks#BIOS_Password|BIOS password]] for BIOS set up and boot.
** Torify APT traffic on the host to prevent fingerprinting and leakage of sensitive security information. {{project_name_short}} does that by default, see [[About#Torified_Apt_Upgrades|Torified Apt Upgrades]].
** [[Advanced_Host_Security#{{project_name_short}}|Further harden the host OS]] against [[Protection_Against_Physical_Attacks|physical attacks]].
* Apply instructions to [[System_Hardening_Checklist#Networking|harden networking]], including:
** Use a [[Host_Firewall#Dedicated_Connection|dedicated network connection]].
** Configure a [[Advanced_Host_Security#DMZ|de-militarized zone (perimeter network)]] if necessary.
** Test the router / firewall with a [[Host_Firewall#Port_Scan|port scanning device]].
** Change the default administration router password and [[Router_and_Local_Area_Network_Security#Recommended_Router_Settings|lock it down with strict settings]].
** [[System_Hardening_Checklist#Flash_the_Router_with_Opensource_Firmware|Flash the router with opensource firmware]].
* [[MAC_Address#Changing_MAC_Addresses|Spoof MAC addresses]] if necessary.
* Disable [[Disable_TCP_and_ICMP_Timestamps|TCP and ICMP timestamps]].
* [[Time_Attacks#Mitigations|Remove the NTP client]] and disable the NTP synchronization feature.
</div>

= Layered Defense =

== Attack Surface Reduction ==

In addition to the checklist above, it is suggested to also follow the principles of minimizing the [https://en.wikipedia.org/wiki/Attack_surface attack surface] of the OS, and securely configuring services -- for example when using SSH, implementing [https://www.fail2ban.org/wiki/index.php/Main_Page Fail2ban] so only key authentication is allowed.

The attack surface concept deserves more consideration. Simply put, it is the sum of different attack vectors (aggregate of vulnerabilities) where an unauthorized user can try to enter or extract data from an environment. <ref>[https://en.wikipedia.org/wiki/Attack_surface Wikipedia: Attack surface]</ref> To reduce the attack surface and mitigate risks, it is necessary to: <ref>https://resources.infosecinstitute.com/topic/attack-surface-reduction/</ref>

* Enforce least privilege for all executed processes and reduce entry points for untrusted users.
* Control system and network segment access across the network, for example, reduce (unauthenticated) access to network endpoints.
* Minimize exposed system targets by reducing the amount of code running and removing unnecessary functionality.
* Remove or shutdown software and services (channels, protocols) that are infrequently or rarely used.
* Frequently patch security vulnerabilities.

== Proactive Defenses ==

This includes, but is not limited to:
* [https://wiki.debian.org/Hardening Compile time hardening]
* [https://en.wikipedia.org/wiki/Intrusion_prevention_system Intrusion Prevention Systems]
* [https://en.wikipedia.org/wiki/Mandatory_access_control Mandatory Access Control]

== Retroactive Defenses ==

The usefulness of this approach is limited because it does not prevent security breaches; it can only help in making future breaches less probable:

* [[Malware_and_Firmware_Trojans#Malware|Anti-virus and anti-malware programs]].
* [https://en.wikipedia.org/wiki/Intrusion_detection_system Intrusion Detection System (IDS)].
* [https://en.wikipedia.org/wiki/Rkhunter Rootkit Hunter (rkhunter)].
* [https://en.wikipedia.org/wiki/Snort_%28software%29 Snort network intrusion prevention system].
* [https://packages.debian.org/sxid sxid file and directory change tracker].
* [https://packages.debian.org/tiger TIGER security auditing program].

The programs listed in this section are only a very brief introduction to this topic. If interested, users should research these topics in depth because they are beyond the scope of this guide.

= Separate VirtualBox User Account =

Security-wise, it makes sense to create a separate user account solely for using [[VirtualBox]], which is not in the admin/sudo group.

= Virtualization Platform =
{{Anchor|About VirtualBox}}

== VirtualBox ==

[[VirtualBox]] is developed by Oracle, a company which has a reputation of not being very "open". In the past, concerns have been raised about how they announce security issues in their products and how well they communicate with each other, leading to a negative perception by the security community.

VirtualBox is primarily a simple, "user-friendly", desktop solution and is most certainly not designed with the {{project_name_short}} threat model in mind. Development is reported to be at a standstill and the author is not aware of any serious code audits having been completed. <ref>https://developers.slashdot.org/story/15/01/30/1530245/virtualbox-development-at-a-standstill/</ref> {{project_name_short}} developers would like to recommend a different VM solution at least as an alternative, but many popular, open source options like KVM and Xen are not cross-platform. Further, the latter examples seem to still lack a reliable "internal networking" feature, which {{project_name_short}} heavily depends upon. Any readers who have in-depth knowledge of this issue are encouraged to edit this paragraph accordingly.

Users that have a strong preference for security should strongly consider using [[Qubes|{{q_project_name_long}}]], if they have suitably modern hardware. In short, [[Qubes|{{q_project_name_long}}]] is more secure than the default {{project_name_short}} configuration using a [[Virtualization_Platform_Security#Type_1_vs_Type_2_Hypervisors|Type 2 hypervisor like VirtualBox]].

Related VirtualBox Links:

* [https://www.virtualbox.org/query?summary=~&col=id&col=summary&col=status&col=owner&col=type&col=priority&col=component&order=priority Custom Ticket Search]
* [https://www.virtualbox.org/newticket New Ticket]

See also:

* [[Dev/VirtualBox]] for licensing issues.

=== Secure Labeling ===

VirtualBox has a [https://www.virtualbox.org/manual/ch09.html#idm7867 secure labeling feature (VBoxSDL)] which has not yet been implemented in {{project_name_short}}. <ref>Partially because it is not available on the macOS platform.</ref> This feature addresses the security risk of running in full screen mode:

<blockquote>When running guest operating systems in full screen mode, the guest operating system usually has control over the whole screen. This could present a security risk as the guest operating system might fool the user into thinking that it is either a different system (which might have a higher security level) or it might present messages on the screen that appear to stem from the host operating system.
<br />
In order to protect the user against the above mentioned security risks, the secure labeling feature has been developed. Secure labeling is currently available only for VBoxSDL. When enabled, a portion of the display area is reserved for a label in which a user defined message is displayed. The label height in set to 20 pixels in VBoxSDL. The label font color and background color can be optionally set as hexadecimal RGB color values.</blockquote>

Any readers who are knowledgeable in this area are encouraged to share their expertise and edit this section accordingly.

= See Also =
* [[Basic Host Security]]
* [[Host Operating System Selection]]

= Footnotes =
{{reflist|close=1}}

{{Footer}}

[[Category:Documentation]]