oxeo0/blog-contributions
1
0
Fork 0
mirror of http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions.git synced 2025-07-02 11:56:40 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
blog-contributions/opsec/hypervisorsetup/index.html
nihilist d7046eac19 updated all the simplex chat links
2025-02-03 13:03:49 +01:00

344 lines
18 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>Linux Hypervisor Setup (QEMU/KVM virtualisation)</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- Static navbar -->
<div class="navbar navbar-inverse-anon navbar-static-top">
<div class="container">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand-anon" href="\index.html">The Nihilism Blog</a>
</div>
<div class="navbar-collapse collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="/about.html">About</a></li>
<li><a href="/blog.html">Categories</a></li>
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
<li><a href="/contact.html">Contact</a></li>
</ul>
</div><!--/.nav-collapse -->
</div>
</div>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-01-29</ba></p>
<h1>Linux Hypervisor Setup (QEMU/KVM virtualisation) </h1>
<img src="999.png" style="width:250px">
<p>In this tutorial we're going to cover how to setup the open source hypervisor QEMU/KVM in <a href="../linux/index.html">Linux</a> host OS, using the libvirt technology.</p>
<p><h2><u>OPSEC Recommendations:</u></h2></p>
<ol>
<li><p>Hardware : PC / Laptop / Homeserver / Remote Server</p></li>
<li><p>Host OS : <a href="../linux/index.html">Linux</a></p></li>
</ol>
<p>I recommend using this setup first of all to <b>isolate your Public use</b>, and to <b>segment it from the other Uses</b> such as <a href="../privacy/index.html">Private use</a>, but it can later be used for <a href="../anonymityexplained/index.html">Anonymous use</a>, and also <a href="../encryption/index">Sensitive Use</a>, as per the <a href="../opsec4levels/index.html">4 basic OPSEC levels</a>.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Why should Bob use an open-source hypervisor ?</b></h2>
<p>Bob has a problem, he wants to use his laptop for 4 different internet uses:</p>
<img src="../internetsegmentation/4.png" class="imgRz">
<p>But currently, he has only one laptop with linux as the host OS.</p>
<img src="21.png" class="imgRz">
<p>So the idea basically is that Bob does not need to purchase 4 laptops each for a different usage, he just needs to virtualise those machines using a Hypervisor:</p>
<img src="22.png" class="imgRz">
<p>Bob is going to use a QEMU/KVM hypervisor to virtualize 4 VMs, each for a specific use. The windows VM will be for public use, the debian VM will be for the private use, the Whonix VM will be for Anonymous use, and the other whonix VMs in the veracrypt hidden volume be used for sensitive uses.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<!-- <h2><b>Host OS Hardening</b></h2> </br> </br>
<p>Now that we're in our host OS, let's do a few basic things to harden it:</p>
<pre><code class="nim">
su -
apt update ; apt full-upgrade ; apt install --no-install-recommends sudo adduser curl apt-transport-tor tor torsocks
usermod -aG sudo nihilist
nihilist@debian:~$ sudo apt update -y ; sudo apt full-upgrade -y
</code></pre>
<p>Next, we make sure that unattended upgrades are activated so that minor package updates are automatically carried out by the system.</p>
<pre><code class="nim">
nihilist@debian:~$ sudo apt install unattended-upgrades apt-listchanges -y
nihilist@debian:~$ sudo dpkg-reconfigure -plow unattended-upgrades
</code></pre>
<img src="9.png" class="imgRz">
<p>Next, we're going to trim out what we don't need from our Host OS. First and foremost, let's get rid of all the logs (both system and kernel logs) on the system. </p>
<pre><code class="nim">
nihilist@debian:~$ su -
root@debian:~# crontab -e # run it as the root user!
* * * * * echo "" > /var/log/*.log /var/log/*/*.log /var/log/*/*/*.log ; dmesg -c ; dmesg -n 1 ; dmesg -c
0 * * * * apt clean -y ; apt autoremove -y
#also uncomment the kernel.printk line in /etc/sysctl.conf to avoid the kernel from printing out errors
root@debian:~# vim /etc/sysctl.conf
root@debian:~# cat /etc/sysctl.conf | grep printk
kernel.printk = 3 4 1 3
</code></pre>
<p>Like so we're making sure that logfiles, and that kernel output is minutely cleared</p>-->
<h2><b>Virtualisation setup</b></h2> </br> </br>
<p>Next <b>we do not virtualize anything using closed-source software</b> like VMWare Workstation or else. <b>We use QEMU/KVM with virt-manager, which is an open source hypervisor</b>:</p>
<pre><code class="nim">
nihilist@debian:~# sudo apt install libvirt0 virt-manager dnsmasq bridge-utils
sudo systemctl enable --now libvirtd
nihilist@debian:~# sudo usermod -a -G libvirt nihilist
nihilist@debian:~# sudo usermod -a -G kvm nihilist
nihilist@debian:~# sudo vim /etc/libvirt/libvirtd.conf
nihilist@debian:~# cat /etc/libvirt/libvirtd.conf | grep sock_group
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"
nihilist@debian:~# cat /etc/libvirt/qemu.conf
group = "libvirt"
user = "nihilist"
nihilist@debian:~# systemctl restart libvirtd.service
nihilist@debian:~# virt-manager
</code></pre>
<p>Next just make sure that the NAT network is created, and that the ISOs and VMs folders are with the correct permissions:</p>
<img src="11.png" class="imgRz">
<p>And also create another NAT network so that we can put all the untrusted VMs such as Windows into:</p>
<img src="50.png" class="imgRz">
<p>That way, the adversary that can normally see what's going on in the network attached to the Windows VM can no longer see as it is being put in a different network altogether. </p>
<pre><code class="nim">
nihilist@debian:~$ mkdir ISOs
nihilist@debian:~$ mkdir VMs
nihilist@debian:~$ sudo chmod 770 -R VMs
nihilist@debian:~$ sudo chmod 770 -R ISOs
nihilist@debian:~$ sudo chown nihilist:libvirt -R VMs
nihilist@debian:~$ sudo chown nihilist:libvirt -R ISOs
</code></pre>
<p>Then you can add the file directories in virt-manager like so:</p>
<img src="13.png" class="imgRz">
<img src="12.png" class="imgRz">
<p>And now you're all set to start making VMs while maintaining the open-source requirement. If you still want to use a closed-source OS, you can do so in a QEMU VM from virt-manager. <b>always remember that closed-source OSes like Windows belong in a VM, never out of one.</b></p>
<p>Additional notes: you can prevent an adversary to tamper with your laptop, by using glitter polish as shown in mullvad's <a href="https://mullvad.net/en/blog/how-tamper-protect-laptop-nail-polish">tutorial</a>, and also make sure that your phone does not have a closed-source host OS by using <a href="https://grapheneos.org/install/cli"> Graphene OS</a>.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Second Post +++++ -->
<div id="anon1">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>How to setup Vms for Public and Private use</b></h2> </br> </br>
<p>Next, Bob needs to use VMs for 2 basic needs: Public internet usage, and Private internet usage. He first needs to download the <a href="https://www.microsoft.com/en-us/software-download/windows10ISO">Windows ISO</a> file, and the <a href="https://www.debian.org/distrib/netinst">debian iso</a> file too:</p>
<p>First he creates the windows VM like so:</p>
<img src="23.png" class="imgRz">
<img src="24.png" class="imgRz">
<img src="25.png" class="imgRz">
<img src="26.png" class="imgRz">
<img src="27.png" class="imgRz">
<img src="28.png" class="imgRz">
<img src="29.png" class="imgRz">
<img src="30.png" class="imgRz">
<p>Then before we begin the installation, we make sure that the windows VM uses the untrusted NAT network to make sure it remains isolated:</p>
<img src="51.png" class="imgRz">
<p>Then we hit Apply, and then we click on begin installation</p>
<img src="31.png" class="imgRz">
<img src="32.png" class="imgRz">
<img src="33.png" class="imgRz">
<p>Then he creates the debian VM like so:</p>
<img src="34.png" class="imgRz">
<img src="35.png" class="imgRz">
<p>Then in both VMs he installs the OS on the virtual disk:</p>
<img src="36.png" class="imgRz">
<img src="37.png" class="imgRz">
<p>Then Bob can launch both VMs (make sure that the VM boots onto the disk instead of the iso in the boot settings):</p>
<img src="38.png" class="imgRz">
<img src="39.png" class="imgRz">
<p>Then Bob can use the windows VM for his public usage (such as KYC services, and closed-source software), and use the debian VM for his private usage (any personal matter, with only open source software)</p>
<p>From inside the Debian VM, you can run the following from a terminal to be able to copy and paste from inside the VM out, and from outside the VM in:</p>
<pre><code class="nim">
su -
apt update -y
apt install spice-vdagent -y
reboot now
</pre></code>
<p>Do not do the same for the windows VM, otherwise you'd be allowing the Windows VM to spy on what your clipboard contains, from outside the VM. Make sure it is kept isolated as it is by default here.</p>
<p>Next, Bob can setup a <a href="../vpn/index.html">VPN</a> by default into his debian VM to prevent his ISP from spying on what he is doing.</p>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>How to harden your private VM by distro-morphing it into Kicksecure</b></h2> </br> </br>
<p><b>What is Kicksecure?</b> Kicksecure is a free and open-source Linux distribution designed to provide a highly secure computing environment. It is built on a hardened version of Debian, implementing a defense-in-depth security model that protects against various types of malware and attacks.</p>
<p><b>Reasons to use Kicksecure</b></p>
<ul>
<li>Enhanced Security Features:</li>
<p>Kicksecure is designed with a strong focus on security, incorporating various hardening techniques such as kernel hardening, user account isolation, and application-specific restrictions.</p>
<li>Privacy Protection:</li>
<p>All updates and software installations are routed through the Tor network, ensuring that user identities and IP addresses remain anonymous.</p>
<li>Lower Attack Surface:</li>
<p>Kicksecure minimizes potential vulnerabilities by not having open server ports or unnecessary services running by default. </p>
<li>User -Friendly Experience:</li>
<p>The operating system is designed to be accessible, with many applications available in their apt repositories and configured for immediate use, such as the <a href="../torbrowsing/index.html">tor browser.</a></p>
<li>Compatibility with Virtualization:</li>
<p>Kicksecure supports various virtualization options, allowing users to run it in a virtual machine.</p>
<li>Free and Open Source:</li>
<p>As an open-source project, Kicksecure allows users to review, modify, and redistribute the source code.</p>
</ul>
<p>
<b>Kicksecure is important in many scenarios.</b> It is ideal for individuals handling sensitive data, such as personal or financial information, as its robust security features protect against data breaches and unauthorized access. Journalists, activists, and whistleblowers can maintain anonymity while communicating, safeguarding their identities from surveillance. Users accessing public Wi-Fi can rely on Kicksecure for secure browsing, reducing the risk of data interception. Running Kicksecure in a virtual machine helps contain potential malware threats, protecting the primary operating system. Additionally, developers and researchers can create a secure environment for security tools and cybersecurity research. Kicksecure also serves as an educational resource, offering documentation and community support for users looking to enhance their security knowledge. Its hardened configuration defends against brute force attacks, making it suitable for securing sensitive accounts. Overall, Kicksecure is essential for anyone prioritizing security, privacy, and anonymity in their digital activities. For more details on why you should use kicksecure, check out their official <a href="https://www.kicksecure.com/wiki/About">website.</a></p>
<p>Now let's setup Kicksecure in the private VM, by distro-morphing the Debian guest OS into a Kicksecure guest OS. First,we need to create a new group called console. Then add the your user to the console group</p>
<!-- <img src="" class="imgRz"> -->
<pre><code class="nim">sudo addgroup --system console</code></pre>
<!-- <p></p> -->
<pre><code class="nim">sudo adduser "your_username" console</code></pre>
<p>After that,we need to install console related packages.</p>
<pre><code class="nim"> sudo apt install console-data console-common kbd keyboard-configuration</code></pre>
<!-- <img src="assets/05_installing_requirements.png" class="imgRz"> -->
<p>Now, we will install extrepo to get the kicksecure APT repository. We will also enable the repository</p>
<pre><code class="nim"> sudo apt install extrepo </code></pre>
<pre><code class="nim"> sudo extrepo enable kicksecure </code></pre>
<!-- <pre><code class="nim"> sudo apt install apt-transort-tor</code></pre> -->
<p>Next step is to download the kicksecure packages. Note that this will install a desktop environment(Xfce) and other applications</p>
<pre><code class="nim">sudo apt install kicksecure-xfce-host</code></pre>
<!-- <img src="assets/09_installs_kicksecure_packges.png" class="imgRz"> -->
<p>Finally, we need to enable the Kicksecure APT derivative.list in /etc/apt/sources.list.d/derivative.list</p>
<pre><code class="nim">sudo repository-dist --enable --repository onion</code></pre>
<p>This command will generate derivative.list file.</p>
<img src="10_dev_list_over_onion.png" class="imgRz">
<p>Disable the extrepo kicksecure APT repository. This is to avoid a duplicate Kicksecure repository.</p>
<pre><code class="nim"> sudo extrepo disable kicksecure</code></pre>
<p>That's it! A quick reboot will apply all the new settings and configurations.</p>
<pre><code class="nim">sudo reboot</code></pre>
<p><b>Changes after reboot</b></p>
<p>New GNU GRUB menu</p>
<img class="imgRz" src="new_grub.png">
<p>sdwdate to synchronize the system clock with time servers over the Tor network for better anonymity.</p>
<img class="imgRz" src="sdwdate.png">
<p>System Integrity Checks</p>
<img class="imgRz" src="sys_inter.png">
<p>System updates over Tor</p>
<img class="imgRz" src="tor.png">
<p><b>In conclusion</b>,Kicksecure offers a robust solution for security and privacy, built on a hardened Debian foundation. Users can confidently operate within a Kicksecure VM, ready for private use in todays complex digital landscape.</p>
</div>
</div><!--/row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Footer Section +++++ -->
<div id="anonb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
Until there is Nothing left.</p></br></br><p>Creative Commons Zero: <a href="../../../../opsec/runtheblog/index.html">No Rights Reserved</a></br><img src="\CC0.png">
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FBD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI%3D%40b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion%2FdXQ3FLM5ufTNQxgXU6jm07fRXSq9Ujkt%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEAzABUDXe4g0bjXyPcNOU0QzWxMYMMGgR3kcOQacoEaQ0%253D&data=%7B%22groupLinkId%22%3A%22G3yklv9753AcNA7lGV3FBw%3D%3D%22%7D">SimpleX Chat</a><br/>
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>About nihilist</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 85fGTpPWivci2dRzJSgvm5QeEuEUZ11ZDbZA6Yc58XdCHSen2oRKLpgbNBr1sv9gacbrfMP3Qw23RcGqYb8V1FN4L67kph6</p></br><p><u>Contact:</u> nihilist@contact.nowhere.moe (<a href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>
Reference in a new issue View git blame Copy permalink