
nihilist@mainpc - 2024-01-29

Linux Host OS Hardening, Virtualisation and Anti Forensics Setup

In this tutorial we're going to cover why it's important to have an open-source host OS and open-source virtualisation software for privacy purposes, and we're going to go through all the steps needed to set them up.

Initial Setup

Most people talk about opsec, but they don't realize how bad theirs is. You wouldn't barricade your bedroom door before barricading the front door, right? In this case, the hardware and the host OS are the front door, and the rest is inside your house. You are leaving your front door open when you use a closed-source host OS (for example Windows, macOS, or similar). Hence you need a Linux host OS; in this case we're going to set up the latest Debian.

[ mainpc ] [ /dev/pts/4 ] [~/Downloads]
→ wget
--2024-01-30 14:53:15--
Resolving (,,, ...
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: [following]
--2024-01-30 14:53:15--
Resolving (, 2001:6b0:19::137
Connecting to (||:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 658505728 (628M) [application/x-iso9660-image]
Saving to: ‘debian-12.4.0-amd64-netinst.iso’

debian-12.4.0-amd64-netinst.i 100%[=================================================>] 628.00M  6.85MB/s    in 83s

2024-01-30 14:54:39 (7.55 MB/s) - ‘debian-12.4.0-amd64-netinst.iso’ saved [658505728/658505728]

Then flash it onto a USB stick (here's how to do it from Linux):

[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ lsblk
sda                        8:0    0  3.6T  0 disk
sdb                        8:16   1 14.6G  0 disk
└─sdb1                     8:17   1 14.6G  0 part  /media/nihilist/022E-0C69

[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ sudo umount /media/nihilist/022E-0C69
umount: /media/nihilist/022E-0C69: not mounted.

[ mainpc ] [ /dev/pts/1 ] [~/Downloads]
→ lsblk
sda                        8:0    0  3.6T  0 disk
sdb                        8:16   1 14.6G  0 disk
└─sdb1                     8:17   1 14.6G  0 part

→ sudo dd if=debian-12.4.0-amd64-netinst.iso of=/dev/sdb1 bs=8M status=progress
[sudo] password for nihilist:
78+1 records in
78+1 records out
658505728 bytes (659 MB, 628 MiB) copied, 45.6007 s, 14.4 MB/s

You can use tools like balenaEtcher to do the same from other OSes such as Windows.
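Before writing the image, a practitioner would want to check it against Debian's SHA256SUMS file and make sure dd targets the whole USB device (e.g. /dev/sdb) rather than a partition. The following added script is not from the original post; it assumes sha256sum and awk are present, a SHA256SUMS file downloaded next to the ISO, and the kernel's sysfs tree at /sys (the optional second argument of target_is_whole_disk exists only so the check can be tested against a constructed tree).

```shell
#!/bin/sh
# Added example, not from the original post: verify the ISO against Debian's
# SHA256SUMS file and refuse to dd onto a partition (the whole device, e.g.
# /dev/sdb, is what the bootable image must be written to).
# Assumes: sha256sum, awk; SHA256SUMS downloaded next to the ISO.

# verify_iso ISO SUMSFILE: 0 only if the sha256 of ISO matches the entry for
# its basename in SUMSFILE (lines are "<sha256>  <filename>").
verify_iso() {
    iso="$1"; sums="$2"; name=$(basename "$iso")
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# target_is_whole_disk DEV [SYSFS]: 0 if DEV is a whole block device, 1 if it
# is a partition (the kernel exposes a "partition" file for partitions) or
# does not exist. SYSFS defaults to /sys; the test passes a constructed tree.
target_is_whole_disk() {
    dev=$(basename "$1"); sysfs="${2:-/sys}"
    [ -d "$sysfs/class/block/$dev" ] || return 1
    [ ! -e "$sysfs/class/block/$dev/partition" ]
}

# flash_iso ISO SUMSFILE DEV: the checked version of the dd step above.
flash_iso() {
    verify_iso "$1" "$2" || { echo "checksum mismatch, not flashing" >&2; return 1; }
    target_is_whole_disk "$3" || { echo "$3 is not a whole disk" >&2; return 1; }
    sudo dd if="$1" of="$3" bs=8M status=progress conv=fsync
}
```

Debian also publishes a detached signature for SHA256SUMS (SHA256SUMS.sign), so verify that signature with the Debian CD signing key before trusting the checksum list itself.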

Now that's done, we need to reboot the host OS and get into the BIOS:

In this case we need to spam the F2 key while booting to get into the BIOS. Then navigate to the Boot selection in order to boot from the USB key. For example it can be:

Here you just choose the USB key you flashed the Linux image onto, and boot from it. Then do as follows:

Now that's done, follow the installation of the host OS onto the hard drive you prefer. Make sure it's LUKS encrypted.

Then make sure it has a desktop environment (I recommend Cinnamon).

Then let the install finish, reboot the computer and remove the USB key; it should then boot into a clean host OS.

Host OS Hardening

Now that we're in our host OS, let's do a few basic things to harden it:

su -
apt update ; apt full-upgrade ; apt install --no-install-recommends sudo adduser curl apt-transport-tor tor torsocks

usermod -aG sudo nothing

nothing@debian:~$ sudo apt update -y ; sudo apt full-upgrade -y 

Next, we make sure that unattended upgrades are activated so that minor package updates are automatically carried out by the system.

nothing@debian:~$ sudo apt install unattended-upgrades apt-listchanges -y
nothing@debian:~$ sudo dpkg-reconfigure -plow unattended-upgrades

Next, we're going to trim out what we don't need from our Host OS. First and foremost, let's get rid of all the logs (both system and kernel logs) on the system.

nothing@debian:~$ su -
root@debian:~# crontab -e # run it as the root user!

* * * * * /usr/bin/rm /var/log/*.log /var/log/*/*.log /var/log/*/*/*.log ; dmesg -c ; dmesg -n 1 ; dmesg -c 
0 * * * *  apt clean -y ; apt autoremove -y  

#also uncomment the kernel.printk line in /etc/sysctl.conf to stop the kernel from printing errors to the console

root@debian:~# chmod +x

root@debian:~# vim /etc/sysctl.conf

root@debian:~# cat /etc/sysctl.conf | grep printk
kernel.printk = 3 4 1 3

This way we make sure that log files and kernel output are cleared every minute.

Virtualisation setup

Next, we do not virtualise anything using closed-source software like VMware Workstation. We use QEMU/KVM with virt-manager, which is an open-source hypervisor:

nothing@debian:~# sudo apt install libvirt0 virt-manager dnsmasq bridge-utils

sudo systemctl enable --now libvirtd

nothing@debian:~# sudo usermod -a -G libvirt nothing
nothing@debian:~# sudo usermod -a -G kvm nothing

nothing@debian:~# sudo vim /etc/libvirt/libvirtd.conf 
nothing@debian:~# cat /etc/libvirt/libvirtd.conf  | grep sock_group
unix_sock_group = "libvirt"
unix_sock_rw_perms = "0770"

nothing@debian:~#  sudo chmod 770 -R VMs 
nothing@debian:~#  sudo chown nothing:libvirt -R VMs 

nothing@debian:~#  cat /etc/libvirt/qemu.conf
group = "libvirt"
user = "nothing"

nothing@debian:~# systemctl restart libvirtd.service


Next, make sure that the NAT network is created, and that the ISOs and VMs folders have the correct permissions:

nothing@debian:~$ mkdir ISOs
nothing@debian:~$ mkdir VMs

nothing@debian:~$ sudo chmod 770 -R VMs  
nothing@debian:~$ sudo chmod 770 -R ISOs  
nothing@debian:~$ sudo chown nothing:libvirt -R VMs
nothing@debian:~$ sudo chown nothing:libvirt -R ISOs

Then you can add the file directories in virt-manager like so:

And now you're all set to start making VMs while maintaining the open-source requirement. If you still want to use a closed-source OS, you can do so in a QEMU VM from virt-manager. Always remember that closed-source OSes like Windows belong in a VM, never outside one.
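An added audit script, not part of the original post, to confirm that the settings from this section actually took effect: the socket group and permissions in libvirtd.conf, the user and group in qemu.conf (VMs must not run as root), and the mode and group of the VMs directory. It assumes GNU or busybox stat and libvirt's key = "value" config syntax; the paths default to Debian's, and the optional fourth argument overrides the expected group so the checks can be run on a host without a libvirt group.

```shell
#!/bin/sh
# Added audit script, not part of the original post: check that the libvirt
# settings from this section are in effect. Assumes GNU/busybox stat and
# libvirt's 'key = "value"' config syntax; paths default to Debian's.

# conf_value FILE KEY: print the last uncommented value of KEY in FILE,
# with surrounding quotes, trailing comments and whitespace stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# dir_ok DIR GROUP MODE: 0 if DIR exists with group GROUP and octal mode MODE.
dir_ok() { [ -d "$1" ] && [ "$(stat -c '%G %a' "$1")" = "$2 $3" ]; }

# audit_libvirt [LIBVIRTD_CONF] [QEMU_CONF] [VMDIR] [GROUP]: prints each
# failed check and returns the number of failures (0 = everything matches).
audit_libvirt() {
    libvirtd="${1:-/etc/libvirt/libvirtd.conf}"
    qemu="${2:-/etc/libvirt/qemu.conf}"
    vmdir="${3:-$HOME/VMs}"
    grp="${4:-libvirt}"
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    [ "$(conf_value "$libvirtd" unix_sock_group)" = "$grp" ] || fail "unix_sock_group is not $grp"
    [ "$(conf_value "$libvirtd" unix_sock_rw_perms)" = 0770 ] || fail "unix_sock_rw_perms is not 0770"
    [ "$(conf_value "$qemu" group)" = "$grp" ] || fail "qemu group is not $grp"
    u=$(conf_value "$qemu" user)
    # an unset user falls back to libvirt's default, an explicit root is worse
    { [ -n "$u" ] && [ "$u" != root ]; } || fail "qemu user unset or root: VMs would run as root"
    dir_ok "$vmdir" "$grp" 770 || fail "$vmdir is not mode 770 with group $grp"
    return "$fails"
}
```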

Additional notes: you can guard against an adversary tampering with your laptop by using glitter nail polish as shown in Mullvad's tutorial, and also make sure that your phone does not run a closed-source host OS by using GrapheneOS.


Until there is Nothing left.
