[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] How to protect apache local-restricted from secret service access?

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] How to protect apache local-restricted from secret service access?
From: Mirimir <mirimir@xxxxxxxxxx>
Date: Fri, 06 Feb 2015 21:08:08 -0700
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 06 Feb 2015 23:08:17 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1423282085; bh=CzrF73MyTJou9TxybkbOueNaaVqZ/Hgy68iP9/7ZelI=; h=Date:From:To:Subject:References:In-Reply-To:From; b=jKHHp7r4AAPtke+tlPJI/HZ6KFGVTz9oDspzb0DszNMhEHgQYuRXy4CKMXYsZDich y57bR7Y0qhBkvQLWuzj99f9rQEqR+V4rUAaik/lbFGP088CQOfHM91DVWS/21o1r54 HgoC4wSNRmN/g1i71G/HkNmSCG5CpxsA67D9tQNY=
In-reply-to: <54D4E299.7080806@xxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <54D23891.3040409@xxxxxxxxxx> <54D39634.6090703@xxxxxxxxxx> <54D4E299.7080806@xxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0

On 02/06/2015 08:49 AM, contact_tor@xxxxxxxxxx wrote:
> Mirimir wrote:
>>> When you have a website that is available from a tor secret service, how
>>> do you forbid access to url restricted to ip=localhost?
>>>
>>> I'm thinking of apache default http://xxxxx.onion/server-status for example.
>>>
>>> Using "a2dismod status" is the obvious solution for that one, but does
>>> anyone had a more generic solution?
>>> Maybe a full VM with a vif interface? That's an heavy solution...
>>> Anything more simple?
>>
>> You can use firewall rules.
>> (...)
> 
> I don't think you can a firewall, no:
> 
> "apachectl status" is querying from localhost to
> http://localhost:80/server-status
> 
> Connection from tor hidden service also comes from localhost and
> iptables won't help there.

Sane (or prudent, anyway) hidden service operators put the tor process
on a separate machine, or at least a VM. As you note below.

> I tried 10 random http hidden services with that trick, and could find 2
> servers with information that shouldn't be available, like which service
> are sharing on the same server, the security patch level, list of URL
> being served, and so on. I also could read one public IP on another one. :(
> 
> If you run apache, you should probably disable mod_status. Now.

That's prudent, no doubt.

> # grep -iEr 'require +local' /etc/apache2/
> lists possible problems for apache2.4, for example.
> Each webapp should also be checked for special permissions granted when
> remote IP is actually localhost.
> 
> 
> Documentation really should warn about this, IMHO:
> https://www.torproject.org/docs/tor-hidden-service.html
> and possibly a one line warning in the example torrc since
> "HiddenServicePort 80 127.0.0.1:80" typically is a problem.

Yes.

> I might move httpd and tor to 2 different VM. Any nicer idea?

Using separate VMs for server and tor would be good.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] How to protect apache local-restricted from secret service access?
  - From: contact_tor

References:
- [tor-talk] How to protect apache local-restricted from secret service access?
  - From: contact_tor
- Re: [tor-talk] How to protect apache local-restricted from secret service access?
  - From: Mirimir
- Re: [tor-talk] How to protect apache local-restricted from secret service access?
  - From: contact_tor

Prev by Author: Re: [tor-talk] How to protect apache local-restricted from secret service access?
Next by Author: Re: [tor-talk] Fwd: I Encourage Everyone, Right Here And Now, To Donate Money To His Three Main Security Programs, Which He Uses The Most!
Previous by thread: Re: [tor-talk] How to protect apache local-restricted from secret service access?
Next by thread: Re: [tor-talk] How to protect apache local-restricted from secret service access?
Index(es):
- Author
- Thread