A couple of questions on Qubes.

Where would you install opensnitch or aide?
It’s also an issue with sniffing traffic and using a VPN. How would you solve that? A quick change in some qube from VPN to regular when sniffing, right?
A good IDS that would warn automatically if someone had an intrusion in Qubes, that would be a good feature! An IDS that warned if others intruded Qubes without your permission, that would be an excellent feature in Qubes actually. It should be possible to set up on your own, right? How would you best do that?
Like some firewall pop up that says intruder, as in the same way a VPN pops up or goes down.

Where would you install snort?
How would you set up an honeypot in Qubes? That would also be a good thing…
If someone attacked a Qubes machine and got into the first qube… You could trick that user to think the next was a qube, when in reality it was a honeypot. =)
So a warning, and a honeypot. Clever!
Is this possible to set up? How?

Qubes comes without any kind of IDS and stuff, and I think that’s not as secure as the OS could be by default. Opensnitch and aide, wireshark, snort and stuff… Some of those would make Qubes a more secure OS from hackers and crackers.

Both run in the qube, so install in the template.

Sniff the traffic before it goes in to the VPN.
Install a sniffer between qubes and sys-vpn

You could set up a monitor to warn of exceptions to the firewall rules.
You can pass rules to user space using nflog group in the rules.
You can chain nft to something like suricata, which will provide automatic pop-ups as needed.

All this is documented online, and there is nothing Qubes specific.

Like some firewall pop up that says intruder, as in the same way a VPN pops up or goes down.

Wherever you can sniff the traffic.

You can run a honeypot, of course.
What you envisage is different, since you can’t predict what the “next” is going to be. I can’t see how that would work.
You could run a honeypot named “vault” which might attract attention. Same for “work”, or indeed almost any of the named by default qubes.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.
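One way to get the "firewall pop-up" the reply describes, as an added example that is not code from the post or from the Qubes project: an nft rule in the qube enforcing the policy logs what it drops, and a small Python monitor turns each new kernel-log entry into a desktop notification. The chain name `qubes-monitor`, the `QUBES-DROP:` prefix and the sample log lines are assumptions/constructed for the example.

```python
"""Desktop alert for each nft firewall exception in a qube (added example).
Assumed rule, logging to the kernel log (`log group 100` would go to nflog instead):
    nft add rule inet qubes-monitor output log prefix "QUBES-DROP: " drop
Kernel log field layout is SRC= DST= ... PROTO= [SPT= DPT=]; DPT is absent for ICMP.
"""
import re
import shutil
import subprocess
import sys
from collections import Counter
LOG_RE = re.compile(r"QUBES-DROP: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
                    r"(?: .*?DPT=(?P<dpt>\d+))?")
SAMPLE_KLOG = [  # constructed sample lines in the format the rule above produces
    "QUBES-DROP: IN= OUT=eth0 SRC=10.137.0.12 DST=1.1.1.1 LEN=60 TTL=64 DF PROTO=TCP SPT=51234 DPT=853 SYN",
    "QUBES-DROP: IN= OUT=eth0 SRC=10.137.0.12 DST=8.8.8.8 LEN=84 TTL=64 DF PROTO=ICMP TYPE=8 CODE=0",
]

def parse_drop(line):
    """Return the fields of a logged drop, or None for an unrelated log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"]) if ev["dpt"] else None
    return ev

def desktop_notify(ev):
    """Raise a notify-send pop-up; fall back to stderr when there is no desktop."""
    msg = f"{ev['proto']} {ev['src']} -> {ev['dst']}" + (f":{ev['dpt']}" if ev["dpt"] else "") + " blocked"
    if shutil.which("notify-send"):
        subprocess.run(["notify-send", "-u", "critical", "Firewall exception", msg], check=False)
    else:
        print("ALERT:", msg, file=sys.stderr)

def monitor(lines, alert=desktop_notify, threshold=1):
    """Count drops per (src, dst, dpt) flow; alert once per flow when it hits threshold."""
    seen = Counter()
    for line in lines:
        ev = parse_drop(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"], ev["dpt"])
        seen[key] += 1
        if seen[key] == threshold:  # one pop-up per flow, not one per retransmit
            alert(ev)
    return seen

if __name__ == "__main__":
    # -n 0 tails only new kernel messages; -o cat strips journald's own prefix.
    proc = subprocess.Popen(["journalctl", "-k", "-f", "-n", "0", "-o", "cat"],
                            stdout=subprocess.PIPE, text=True)
    monitor(proc.stdout)
```

Run it inside the qube whose kernel log receives the nft entries; `monitor(SAMPLE_KLOG)` exercises the parser offline against the constructed lines.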

Ok, how would you do that? You could also just stop using a VPN on that qube…

Sounds interesting… Far from my level of knowledge, but I can check it out sometimes out of curiosity. :slight_smile:

Yeah… Maybe “overkill”, but I guess it could be cool if Qubes had that! And snort. Just some kind of pop-up if others would attack a system. It would just be good to know, I guess. Thanks

I remembered this one… Thanks again… So I will try opensnitch in some template then and see if they get activated in all app-vms maybe then…?