{{Header}} {{#seo: |description=Optional {{project_name_gateway_long}} Security Hardening for advanced users. |image=Gatewayhardening.jpg }} [[File:Gatewayhardening.jpg|thumb]] {{intro| Optional {{project_name_gateway_short}} Security Hardening for advanced users. }} = Introduction = {{security_intro}} {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = '''Tip:''' Disabling [https://www.whonix.org/wiki/Dev/onion-grater Control Port Filter Proxy] (onion-grater) can improve security by decreasing the attack surface, while sacrificing usability. }} Note that if onion-grater is disabled, users will no longer receive helpful {{project_name_long}} notifications when Tor is not fully bootstrapped, since the whonixcheck and sdwdate tools rely upon it. = How-to: Disable Control Port Filter Proxy = == {{project_name_gateway_short}} == === Deactivate onion-grater in Firewall === {{Box|text= '''1.''' {{Firewall_Settings}} '''2.''' Add the following content. {{CodeSelect|code= CONTROL_PORT_FILTER_PROXY_ENABLE=0 }} '''3.''' Save the file. '''4.''' {{Reload_Firewall}} }} === Deactivate onion-grater === {{Box|text= '''1.''' Stop onion-grater. {{CodeSelect|code= sudo service onion-grater stop }} '''2.''' Disable autostart of onion-grater. {{CodeSelect|code= sudo systemctl mask onion-grater }} '''3.''' Reboot. '''4.''' Check if onion-grater is still running or disabled. {{CodeSelect|code= ps aux {{!}} grep onion-grater }} If output similar to the following appears, then disabling did not work.
onion-g+ 911 3.2 1.9 66444 20644 ? Ss 12:21 0:00 /usr/bin/python3 -u /usr/lib/onion-grater --debug --listen-interface eth1}} === Deactivate whonixcheck onion-grater Running Test === {{Box|text= '''1.''' {{Open with root rights|filename= /etc/systemcheck.d/50_user.conf }} '''2.''' Add the following content. {{CodeSelect|code= systemcheck_skip_functions+=" check_control_port_filter_running " }} '''3.''' Save the file. }} == {{project_name_workstation_long}} == === Deactivate whonixcheck Tor Bootstrap Test === Because it relies on onion-grater. {{Box|text= '''1.''' {{Open with root rights|filename= /etc/systemcheck.d/50_user.conf }} '''2.''' Add the following content. {{CodeSelect|code= systemcheck_skip_functions+=" check_tor_bootstrap " }} '''3.''' Save the file. }} === Deactivate sdwdate Connectivity Test === {{project_name_workstation_short}} only. {{Box|text= '''1.''' {{Open with root rights|filename= /usr/lib/helper-scripts/te_pe_tb_check }} '''2.''' Replace the existing content with the following text. {{CodeSelect|code= #!/bin/bash exit 0 }} '''3.''' Save the file. '''4.''' Restart sdwdate. {{CodeSelect|code= sudo systemctl restart sdwdate }} The procedure is complete. }} Be aware that this setting will not persist after any upgrade of sdwdate, nor is sdwdate currently configurable. Any {{project_name_short}} users interested in further development should create a relevant ticket on [https://forums.whonix.org/ Whonix Forums]. === Tor Browser Updater === In order to update [[Tor Browser]] using [[Tor_Browser#Update_Tor_Browser|Tor Browser Updater by {{project_name_short}} developers]] while onion-grater is disabled, complete the following step. It is far simpler to update using [[Tor_Browser#Tor_Browser_Internal_Updater|Tor Browser's internal updater]] instead. {{CodeSelect|code= update-torbrowser --no-tor-con-check }} Or create a file ''/etc/torbrowser.d/50_user.conf'' with the following content. {{CodeSelect|code= TB_NO_TOR_CON_CHECK="1" }} = Static VirtualBox IP = Instead of using DHCP to obtain the internal IP address for the {{project_name_workstation_short}}
eth0
NAT adapter, a static IP can be used instead. This might marginally improve security because the DHCP package can then be removed.
Open ''/etc/network/interfaces.d/30_non-qubes-whonix'' [https://github.com/{{project_name_short}}/whonix-gw-network-conf/blob/master/etc/network/interfaces.d/30_non-qubes-whonix on GitHub] and read the comments. Then, comment out DHCP and comment in Static VirtualBox IP.
= Footnotes =
{{reflist|close=1}}
{{Footer}}
[[Category:Documentation]]