@Jon deps: Proper hardening involves: 1. Proper use of firewall rules using qvm-firewall
2. Reducing the attack surface by only installing what is needed. Refer to usage of debian-minimal and fedora-minimal template in Qubes documentation. 3. Drop INPUT and OUTPUT in sys-net(only do this if you have proper DNS resolving mechanisms in place that are not reliant on sys-net, Qubes is reliant on sys-net for proper DNS resolutions by default. If you're interested then you can start by knowing how to use DNSCrypt proxy made by jedisct1 or using Stubby to make a sys-dns qube to do DNS over TLS resolutions. 4. Implementing the use of a VPN in qubes or highly relying on sys-whonix to torify your connections. 5. Picking only update sources that you could trust. IDK about debian but in fedora, by default, all updates are grabbed from mirrors and alot of those only support http which is bloody insecure thanks to being just plaintext and susceptible to MITM attacks. This can be changed by modifying /etc/yum.repos.d/fedora.repo and fedora-updates.repo If you're interested in doing this then you can search up a thread I made about this here in qubes-users. Just put "Sphere" in search and you will definitely find it among the threads I have made. 6. Frequently updating your qubes after making sure you picked a source of updates that you can really trust. "Since the majority of networks assign the actual IP address to you, you likely won't have much control over that address, and logically the IP address belongs to the network, not you. Chances are that with a different MAC address you will not likely be getting the same IP address each time either, depending of course on how they actually allocate their addresses. " @steve.coleman: I would like to add that IP address allocation from the ISP to you entirely depends on whether they provisioned you a Modem or a Modem + Router combo. For the case of a Modem, you will be allocated a random IP address from a pool of IP addresses the ISP provides on the subnet that you, as a client, was allocated to. Some ISPs do not provide it by random and in the case of statically assigning you an IP address, they use your modem's MAC address and bind it to a specific IP address which effectively becomes your public IP address. This is exactly why VPN is very essential for privacy because any internet activity that does not go through a VPN could effectively be traced back to you by your ISP. Do note that there has been wide confusion that's still happening about Modems and Routers thanks to some devices actually being labelled Modems but in reality they are Modem + Router combos that has a DHCP server which provides you your private IP addresses (Private IP addresses are IP addresses you use to access devices within your local network). -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to firstname.lastname@example.org. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/65c5caa6-2482-48e8-b3a8-362b6864293d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.