Kicksecure ™

Download

On Computer USB Installation Intel / AMD64 ARM64 Raspberry Pi PPC64 Windows (VM) Mac Linux (VM) VirtualBox (VM) Qubes (VM) KVM (VM) Debian morph to Kicksecure More options Source Code

About

Overview Features Why Open Source? Project Activities Contributors Mission & Vision

Docs

Documentation FAQ Troubleshooting

Community

Forums Forum Best Practices Contribute

Support

Self Support First Policy Search Engines, Docs and AI Support (Limited) Reporting Bugs Contact (Restricted)

Tools Upload file Special pages Recent changes Print Version Page meta What links here Related changes Page information

Page Read Edit History Move Protection Unwatch Watch Delete Purge

User Preferences Watchlist Contributions Logout Create account Login

Donate

Kicksecure comes with many security features. Kicksecure is Security Hardened by default and also provides extensive Documentation including a System Hardening Checklist. The more you know, the safer you can be.

This page is targeted at advanced users who wish to improve the general security of their host operating system to become even more secure.

apt-transport-tor[edit]

apt-transport-tor is a package that allows non-Kicksecure that are not behind a torifying gateway to torify their APT traffic for individual repositories.

For security reasons APT blocks clearnet connections to .onion domains by default. APT developers want to protect users from accidentally trying to use .onion repositories without using Tor. Otherwise, a rogue DNS server could redirect users to a false domain and trick them into thinking they are using Tor when they are not.

apt-transport-tor (tor+http) is the default from Kicksecure 14 onward because it provides better error handling. ^{[1] [2]}

DMZ[edit]

If users have a shared network -- such as a cable modem/router or ADSL/router setup that is utilized by others -- then consider configuring a Kicksecure DMZ.

A properly configured DMZ restricts Kicksecure from accessing, and being accessible to, other nodes on the network like printers, phones, computers and laptops. This is true even if root access is somehow achieved.

Should an incursion take place, a DMZ prevents an adversary from exploring other systems and possibly compromising them.

However, in this case a DMZ does not protect the user's anonymity, since the adversary could just ping a remote server and discover the real IP address. Another benefit of a DMZ is that should other systems be compromised, it is more difficult to compromise Kicksecure.

Hardware Security[edit]

Trusted computer hardware is fundamental to security. It is recommended to purchase and use "clean" computers that have components manufactured by reputable companies. It is preferable to pay in cash so hardware IDs do not leak your identity.

As outlined in the System Configuration and Access entry, it is safest to purchase a computer that is solely used for Kicksecure activities because this minimizes the risk of a prior hardware compromise.

Key Hardening Steps[edit]

For greater security, advanced users should harden the host operating system (OS) as much as is practicably possible. This includes, but is not limited to applying relevant steps from the System Hardening Checklist and instructions found throughout this section:

Layered Defense[edit]

Attack Surface Reduction[edit]

In addition to the checklist above, it is suggested to also follow the principles of minimizing the attack surface of the OS, and securely configuring services -- for example when using SSH, implementing Fail2ban so only key authentication is allowed.

The attack surface concept deserves more consideration. Simply put, it is the sum of different attack vectors (aggregate of vulnerabilities) where an unauthorized user can try to enter or extract data from an environment. ^[3] To reduce the attack surface and mitigate risks, it is necessary to: ^[4]

• Enforce least privilege for all executed processes and reduce entry points for untrusted users.
• Control system and network segment access across the network, for example, reduce (unauthenticated) access to network endpoints.
• Minimize exposed system targets by reducing the amount of code running and removing unnecessary functionality.
• Remove or shutdown software and services (channels, protocols) that are infrequently or rarely used.
• Frequently patch security vulnerabilities.

Proactive Defenses[edit]

This includes, but is not limited to:

• Compile time hardening
• Intrusion Prevention Systems
• Mandatory Access Control

Retroactive Defenses[edit]

The usefulness of this approach is limited because it does not prevent security breaches; it can only help in making future breaches less probable:

• Anti-virus and anti-malware programs.
• Intrusion Detection System (IDS).
• Rootkit Hunter (rkhunter).
• Snort network intrusion prevention system.
• sxid file and directory change tracker.
• TIGER security auditing program.

The programs listed in this section are only a very brief introduction to this topic. If interested, users should research these topics in depth because they are beyond the scope of this guide.

Separate VirtualBox User Account[edit]

Security-wise, it makes sense to create a separate user account solely for using VirtualBox, which is not in the admin/sudo group.

Virtualization Platform[edit]

VirtualBox[edit]

VirtualBox is developed by Oracle, a company which has a reputation of not being very "open". In the past, concerns have been raised about how they announce security issues in their products and how well they communicate with each other, leading to a negative perception by the security community.

VirtualBox is primarily a simple, "user-friendly", desktop solution and is most certainly not designed with the Kicksecure threat model in mind.

Users that have a strong preference for security should strongly consider using Kicksecure for Qubes, if they have suitably modern hardware. In short, Kicksecure for Qubes is more secure than the default Kicksecure configuration using a Type 2 hypervisor like VirtualBox.

Related VirtualBox Links:

• Custom Ticket Search
• New Ticket

See also:

• Dev/VirtualBox for licensing issues.

See Also[edit]

• Basic Host Security
• Host Operating System Selection

Footnotes[edit]

Advanced Users Documentation User Namespace Previous page: Advanced Users Index page: Documentation Next page: User Namespace

Kicksecure A secure by default operating system with the latest security research in place.

Dark mode

Follow us on social media

Supported by Power Up Privacy

Kicksecure is proudly supported until 2025 by Power Up Privacy, a privacy advocacy group that seeks to supercharge privacy projects with resources so they can complete their mission of making our world a better place. (Strictly subject to our sponsorship policy.)

At Kicksecure we value freedom and trust, supporting Open Source and Freedom Software

By using this website, you acknowledge you have read, understood, and agree to be bound by these agreements: Terms of Service, Privacy Policy, Cookie Policy, E-Sign Consent, DMCA, Imprint 2012- 2025 ENCRYPTED SUPPORT LLC

Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 13 year success story and maybe DONATE!