Easy hardening for beginners

I know this has been asked before (a lot!) but I don’t think it’s been asked like this. What are some ways that a beginner can harden their system? For example, using the security-testing repositories isn’t too difficult but using openbsd as a netvm is. Sorry if this has been asked before!

I’m a beginner like you, from what I’ve gathered so far reading this forum, the system is already pretty hardened, and continues to be further hardened with every new update.

You go on to mention ‘netvm’ so I’m assuming network hardening is a key concern. I myself wanted to figure out how to detect compromise with Dom 0, and it seems implementation of IDS would be a good start. A robust solution for this concept doesn’t seem to exist. Yet.

This is what I’ve started to work on, or merely brainstorm, feel free to get involved: Attack Early Warning, Detection, Delay and Denial System (IDS) for the Eye of Sauron & Co

However I won’t be doing openbsd because I want to stay as stock as possible to what currently exists within qubes, rather then learning and managing a whole other architecture and command structure.

Just a quick hint: A thing I did immediately after installing qubes was Onionizing my repos (.onion link / clearnet link).

It’s fairly simple especially because it is explained for absolute beginners in the whonix wiki.

1 Like

Qubes aims to ship with secure defaults, so no general hardening should be necessary (unlike an operating system that was not designed primarily with security in mind). Anything not done by default is probably something that depends on the user’s unique situation (use case, threat model, etc.). In other words, if there’s something that all users should do as soon as they install Qubes OS in order to harden the system, then we (the project) should simply make that the default and ship Qubes that way. If we haven’t already done that for a given thing, then it’s probably not something that would be appropriate for every user, or we’re still working on making it the default.


That sounds understandable. Would you say a lot of qubes os hardening isn’t implemented by default due to the lack of resources?

No, not a lot.

Regarding this I’d like to understand more about firewall rules and how can I block certain domains [like all google domains] from a certain qube.

Although Qubes OS implements more hardening than any other system, I respectfully disagree here. A lot more can be done by default as mentioned here, and in very, very, very, very, very, very many Github issues, along with adding many more OSes to improve the security through compartmentalization.

Not all of those things may be helpful to newbies, some may complicate the usage of Qubes OS. But it’s, in principle, always beneficial to add a GUI somewhere with such hardening options.

The nice thing (or not so nice thing) about phrases like “a lot” is that they’re entirely relative and subjective. If you consider the multitude of things Qubes has already implemented and that we take for granted because we’ve been quietly reaping the benefits for years, then the things you listed may not seem like “a lot.” Personally, I’d much prefer to talk about concrete specifics, as arguing about what constitutes “a lot” is rather pointless without defining our terms.

1 Like