@Jon deps: Proper hardening involves:
1. Proper use of firewall rules using qvm-firewall

2. Reducing the attack surface by only installing what is needed. Refer to 
usage of debian-minimal and fedora-minimal template in Qubes documentation.

3. Drop INPUT and OUTPUT in sys-net(only do this if you have proper DNS 
resolving mechanisms in place that are not reliant on sys-net, Qubes is reliant 
on sys-net for proper DNS resolutions by default. If you're interested then you 
can start by knowing how to use DNSCrypt proxy made by jedisct1 or using Stubby 
to make a sys-dns qube to do DNS over TLS resolutions.

4. Implementing the use of a VPN in qubes or highly relying on sys-whonix to 
torify your connections.

5. Picking only update sources that you could trust. IDK about debian but in 
fedora, by default, all updates are grabbed from mirrors and alot of those only 
support http which is bloody insecure thanks to being just plaintext and 
susceptible to MITM attacks. This can be changed by modifying 
/etc/yum.repos.d/fedora.repo and fedora-updates.repo
If you're interested in doing this then you can search up a thread I made about 
this here in qubes-users. Just put "Sphere" in search and you will definitely 
find it among the threads I have made.

6. Frequently updating your qubes after making sure you picked a source of 
updates that you can really trust.

"Since the majority of networks assign the actual IP address to you, you
likely won't have much control over that address, and logically the IP
address belongs to the network, not you. Chances are that with a
different MAC address you will not likely be getting the same IP address
each time either, depending of course on how they actually allocate
their addresses. "

@steve.coleman: I would like to add that IP address allocation from the ISP to 
you entirely depends on whether they provisioned you a Modem or a Modem + 
Router combo.

For the case of a Modem, you will be allocated a random IP address from a pool 
of IP addresses the ISP provides on the subnet that you, as a client, was 
allocated to. Some ISPs do not provide it by random and in the case of 
statically assigning you an IP address, they use your modem's MAC address and 
bind it to a specific IP address which effectively becomes your public IP 
address. This is exactly why VPN is very essential for privacy because any 
internet activity that does not go through a VPN could effectively be traced 
back to you by your ISP.

Do note that there has been wide confusion that's still happening about Modems 
and Routers thanks to some devices actually being labelled Modems but in 
reality they are Modem + Router combos that has a DHCP server which provides 
you your private IP addresses (Private IP addresses are IP addresses you use to 
access devices within your local network).

You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
For more options, visit https://groups.google.com/d/optout.

Reply via email to