reworked the linux / internet segmentation / hypervisor tutorials

2025-07-02 11:56:40 +00:00 · 2025-03-31 17:44:11 +02:00 · 2025-03-31 17:44:11 +02:00 · c9ec08f625
commit c9ec08f625
parent 4b591e47b4
52 changed files with 1306 additions and 85 deletions
--- a/opsec/hypervisorsetup/100.png
+++ b/opsec/hypervisorsetup/100.png
--- a/opsec/hypervisorsetup/101.png
+++ b/opsec/hypervisorsetup/101.png
--- a/opsec/hypervisorsetup/102.png
+++ b/opsec/hypervisorsetup/102.png
--- a/opsec/hypervisorsetup/103.png
+++ b/opsec/hypervisorsetup/103.png
--- a/opsec/hypervisorsetup/104.png
+++ b/opsec/hypervisorsetup/104.png
--- a/opsec/hypervisorsetup/105.png
+++ b/opsec/hypervisorsetup/105.png
--- a/opsec/hypervisorsetup/106.png
+++ b/opsec/hypervisorsetup/106.png
--- a/opsec/hypervisorsetup/107.png
+++ b/opsec/hypervisorsetup/107.png
--- a/opsec/hypervisorsetup/21.png
+++ b/opsec/hypervisorsetup/21.png
--- a/opsec/hypervisorsetup/22.png
+++ b/opsec/hypervisorsetup/22.png
--- a/opsec/hypervisorsetup/36.png
+++ b/opsec/hypervisorsetup/36.png
--- a/opsec/hypervisorsetup/37.png
+++ b/opsec/hypervisorsetup/37.png
--- a/opsec/hypervisorsetup/38.png
+++ b/opsec/hypervisorsetup/38.png
--- a/opsec/hypervisorsetup/39.png
+++ b/opsec/hypervisorsetup/39.png
--- a/opsec/hypervisorsetup/index.html
+++ b/opsec/hypervisorsetup/index.html
@ -112,19 +112,19 @@ apt update ; apt full-upgrade ; apt install --no-install-recommends sudo adduser

 usermod -aG sudo nihilist

-nihilist@debian:~$ sudo apt update -y ; sudo apt full-upgrade -y 
+[user ~]%:~$ sudo apt update -y ; sudo apt full-upgrade -y 
 	
 </code></pre>
 <p>Next, we make sure that unattended upgrades are activated so that minor package updates are automatically carried out by the system.</p>
 <pre><code class="nim">
-nihilist@debian:~$ sudo apt install unattended-upgrades apt-listchanges -y
-nihilist@debian:~$ sudo dpkg-reconfigure -plow unattended-upgrades
+[user ~]%:~$ sudo apt install unattended-upgrades apt-listchanges -y
+[user ~]%:~$ sudo dpkg-reconfigure -plow unattended-upgrades
 	
 </code></pre>
 <img src="9.png" class="imgRz">
 <p>Next, we're going to trim out what we don't need from our Host OS. First and foremost, let's get rid of all the logs (both system and kernel logs) on the system. </p>
 <pre><code class="nim">
-nihilist@debian:~$ su -
+[user ~]%:~$ su -
 root@debian:~# crontab -e # run it as the root user!

 * * * * * echo "" > /var/log/*.log /var/log/*/*.log /var/log/*/*/*.log  ; dmesg -c ; dmesg -n 1 ; dmesg -c 
@ -142,25 +142,25 @@ kernel.printk = 3 4 1 3
          <h2><b>Virtualisation setup</b></h2> </br> </br>
 <p>Next <b>we do not virtualize anything using closed-source software</b> like VMWare Workstation or else. <b>We use QEMU/KVM with virt-manager, which is an open source hypervisor</b>:</p>
 <pre><code class="nim">
-nihilist@debian:~# sudo apt install libvirt0 virt-manager dnsmasq bridge-utils
+[user ~]%:~# sudo apt install libvirt0 virt-manager dnsmasq bridge-utils

 sudo systemctl enable --now libvirtd

-nihilist@debian:~# sudo usermod -a -G libvirt nihilist
-nihilist@debian:~# sudo usermod -a -G kvm nihilist
+[user ~]%:~# sudo usermod -a -G libvirt user
+[user ~]%:~# sudo usermod -a -G kvm user

-nihilist@debian:~# sudo vim /etc/libvirt/libvirtd.conf 
-nihilist@debian:~# cat /etc/libvirt/libvirtd.conf  | grep sock_group
+[user ~]%:~# sudo vim /etc/libvirt/libvirtd.conf 
+[user ~]%:~# cat /etc/libvirt/libvirtd.conf  | grep sock_group
 unix_sock_group = "libvirt"
 unix_sock_rw_perms = "0770"

-nihilist@debian:~#  cat /etc/libvirt/qemu.conf
+[user ~]%:~#  cat /etc/libvirt/qemu.conf
 group = "libvirt"
-user = "nihilist"
+user = "user"

-nihilist@debian:~# systemctl restart libvirtd.service
+[user ~]%:~# systemctl restart libvirtd.service

-nihilist@debian:~# virt-manager
+[user ~]%:~# virt-manager
 	
 </code></pre>
 <p>Next just make sure that the NAT network is created, and that the ISOs and VMs folders are with the correct permissions:</p>
@ -169,14 +169,14 @@ nihilist@debian:~# virt-manager
 <img src="50.png" class="imgRz">
 <p>That way, the adversary that can normally see what's going on in the network attached to the Windows VM can no longer see as it is being put in a different network altogether. </p>
 <pre><code class="nim">
-nihilist@debian:~$ mkdir ISOs
-nihilist@debian:~$ mkdir VMs
+[user ~]%:~$ mkdir ISOs
+[user ~]%:~$ mkdir VMs

-nihilist@debian:~$ sudo chmod 770 -R VMs  
-nihilist@debian:~$ sudo chmod 770 -R ISOs  
+[user ~]%:~$ sudo chmod 770 -R VMs  
+[user ~]%:~$ sudo chmod 770 -R ISOs  
 	
-nihilist@debian:~$ sudo chown nihilist:libvirt -R VMs
-nihilist@debian:~$ sudo chown nihilist:libvirt -R ISOs
+[user ~]%:~$ sudo chown nihilist:libvirt -R VMs
+[user ~]%:~$ sudo chown nihilist:libvirt -R ISOs
 </code></pre>

 <p>Then you can add the file directories in virt-manager like so:</p>
@ -197,7 +197,7 @@ nihilist@debian:~$ sudo chown nihilist:libvirt -R ISOs
 	    <div class="container">
 			<div class="row">
 				<div class="col-lg-8 col-lg-offset-2">
-          <h2><b>How to setup Vms for Public and Private use</b></h2> </br> </br>
+          <h2><b>How to setup the Public use VM</b></h2> </br> </br>
 <p>Next, Bob needs to use VMs for 2 basic needs: Public internet usage, and Private internet usage. He first needs to download the <a href="https://www.microsoft.com/en-us/software-download/windows10ISO">Windows ISO</a> file, and the <a href="https://www.debian.org/distrib/netinst">debian iso</a> file too:</p>
 <p>First he creates the windows VM like so:</p>
 <img src="23.png" class="imgRz">
@ -215,17 +215,52 @@ nihilist@debian:~$ sudo chown nihilist:libvirt -R ISOs
 <img src="31.png" class="imgRz">
 <img src="32.png" class="imgRz">
 <img src="33.png" class="imgRz">
-<p>Then he creates the debian VM like so:</p>
-<img src="34.png" class="imgRz">
-<img src="35.png" class="imgRz">
-<p>Then in both VMs he installs the OS on the virtual disk:</p>
+<p>Then in the windows VM he installs the OS on the virtual disk:</p>
 <img src="36.png" class="imgRz">
 <img src="37.png" class="imgRz">
-<p>Then Bob can launch both VMs (make sure that the VM boots onto the disk instead of the iso in the boot settings):</p>
+<p>Then Bob can launch the windows VM (make sure that the VM boots onto the disk instead of the iso in the boot settings):</p>
 <img src="38.png" class="imgRz">
 <img src="39.png" class="imgRz">
-<p>Then Bob can use the windows VM for his public usage (such as KYC services, and closed-source software), and use the debian VM for his private usage (any personal matter, with only open source software)</p>
-<p>From inside the Debian VM, you can run the following from a terminal to be able to copy and paste from inside the VM out, and from outside the VM in:</p>
+<p>Then Bob can use the windows VM for his public usage (such as KYC services, and closed-source software). <b>Keep in mind that the windows VM is the place where the big eye of sauron can see what you are doing. NEVER do anything sensitive from this VM, because you will never have any privacy in it.</b></p>
+
+				</div>
+			</div><!-- /row -->
+	    </div> <!-- /container -->
+	</div><!-- /white -->
+
+
+  <!-- +++++ Second Post +++++ -->
+	<div id="anon2">
+	    <div class="container">
+			<div class="row">
+				<div class="col-lg-8 col-lg-offset-2">
+          <h2><b>How to setup the Private use VM</b></h2> </br> </br>
+<p>To setup the Private use VM, we'll download the Kicksecure ISO just like we previously did in the host OS tutorial, except this time we'll directly attach it to a new VM:</p>
+<img src="100.png" class="imgRz">
+<img src="101.png" class="imgRz">
+<img src="102.png" class="imgRz">
+<img src="103.png" class="imgRz">
+<img src="104.png" class="imgRz">
+<img src="105.png" class="imgRz">
+<img src="106.png" class="imgRz">
+<p>From there you can repeat the steps that we took <a href="../linux/index.html">to install kicksecure on the host OS</a>, to install it:</p>
+
+<img src="../linux/23.png" class="imgRz">
+<img src="../linux/24.png" class="imgRz">
+<img src="../linux/25.png" class="imgRz">
+<img src="../linux/26.png" class="imgRz">
+<img src="../linux/28.png" class="imgRz">
+<p>Once here, we reboot the VM, and upon rebooting we unlock the encrypted system drive:</p>
+<img src="../linux/52.png" class="imgRz">
+<img src="../linux/53.png" class="imgRz">
+
+
+
+
+<p> And from here we have our private VM setup! <b>Warning: You only have privacy in this VM, as long as you do not install any closed-source software (ex: no discord, no google chrome, etc) in it!</b> Make sure that you ONLY install FOSS software in the private VM. <b>Any closed-source software you want to install needs to be installed in the Public VM instead.</b></p>
+<img src="107.png" class="imgRz">
+
+<!--<p>From inside the Kicksecure VM, you can run the following from a terminal to be able to copy and paste from inside the VM out, and from outside the VM in:</p>
 <pre><code class="nim">
 su -
 apt update -y
@ -233,8 +268,8 @@ apt install spice-vdagent -y
 reboot now

 </pre></code>
-<p>Do not do the same for the windows VM, otherwise you'd be allowing the Windows VM to spy on what your clipboard contains, from outside the VM. Make sure it is kept isolated as it is by default here.</p>
-<p>Next, Bob can setup a  <a href="../vpn/index.html">VPN</a> by default into his debian VM to prevent his ISP from spying on what he is doing.</p>
+<p>Do not do the same for the windows VM, otherwise you'd be allowing the Windows VM to spy on what your clipboard contains, from outside the VM. Make sure it is kept isolated as it is by default here.</p>-->
+<p>Next, Bob can setup a  <a href="../vpn/index.html">VPN</a> by default into his kicksecure VM to prevent his ISP from spying on what he is doing.</p>


 				</div>