
Re: [tor-talk] Hidden Service (Nginx) setup guide
Setting up the hidden service itself is easy.
Steps 1 thru 97 are "set up your website and get it working and secured."
Step 98: add a few lines to your torrc, possibly set some directory permissions.
Step 99: restart Tor, get your hidden service address.
Step 100: test using Tails.

The hard part is preventing the services from leaking your real IP address. Most blogs,
forums, etc. can be made to leak.

Here is an interesting procedure to develop and document. I played with this a bit last year:

You can set up a virtual machine configuration, using KVM or similar, so that the webserver machine has no public Internet address and could not leak your identity if it wanted to.

I had one VM with the Tor client. It had a public IP address and a 'socket' interface, which is a phony Ethernet that connects to a socket on the host machine. The VM was not set to route (ip_forward=0), but a hidden service was set up to forward traffic to the web VM over the socket interface.

The other VM, running Apache, had only a socket interface, connected to the Tor VM's socket interface. The Apache VM had no outside Internet access, and there was nothing it could get to on the Tor VM.

With a setup like this, even if someone gets a shell on the webserver VM, he cannot do anything. He has no way to get out, and therefore cannot locate your server. If you want to be more paranoid, you can have a process on the host machine watching for strange packets coming from the web VM, ready to shut it down the moment it gets hacked.

You can have a second administrative hidden service for ssh access. With a few automatic service check and restart scripts, a machine set up this way could run for several years with no physical attention and no non-Tor access. It would be the ideal way to run a hidden service.

Mike
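The two-VM layout Mike describes above, written out as the configuration fragments for the Tor-facing VM plus the host-side "strange packet" check. This is an added example, not code from the original message or from the Tor project; every name in it is a constructed assumption: the internal "socket" link is interface int0, the web VM sits at 10.0.0.2 on it, the hidden service state lives under /var/lib/tor/, and the administrative hidden service forwards to sshd on the web VM. The nftables rules and the sysctl settings are real syntax; the policy they express (the web VM may only answer connections the Tor VM opened, nothing is forwarded, nothing the web VM initiates is accepted) is the isolation the message relies on.

```shell
#!/bin/sh
# Added example (not from the original message): configuration fragments for
# the Tor-facing VM in the two-VM layout described above. All names below are
# constructed assumptions: the internal "socket" interface is int0, the web VM
# is 10.0.0.2 on it, and hidden service state lives under /var/lib/tor/.
INT_IF="int0"
WEB_VM_IP="10.0.0.2"

# torrc: two hidden services (public web, administrative ssh), both forwarded
# to the web VM. SocksPort 0 because this VM never acts as a Tor client.
gen_torrc() {
    cat <<EOF
SocksPort 0
HiddenServiceDir /var/lib/tor/web_hs/
HiddenServiceVersion 3
HiddenServicePort 80 ${WEB_VM_IP}:80
HiddenServiceDir /var/lib/tor/admin_hs/
HiddenServiceVersion 3
HiddenServicePort 22 ${WEB_VM_IP}:22
EOF
}

# sysctl: the Tor VM must never route between its public and internal sides.
gen_sysctl() {
    cat <<EOF
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
EOF
}

# nftables: the web VM may only answer connections the Tor VM opened to it;
# nothing it initiates is accepted, and nothing is forwarded in either direction.
gen_nft_rules() {
    cat <<EOF
table inet tor_vm {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname "${INT_IF}" drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
        oifname "${INT_IF}" ip daddr ${WEB_VM_IP} tcp dport { 80, 22 } accept
        oifname "${INT_IF}" drop
    }
}
EOF
}

# Host-side watcher: a tcpdump filter for the host's tap on the internal link.
# It matches anything from the web VM other than replies from its two expected
# server ports; a hit is the "strange packet" the message talks about.
gen_watch_filter() {
    printf '%s\n' "src host ${WEB_VM_IP} and not (tcp src port 80 or tcp src port 22)"
}

# The same policy applied to one packet tuple, so a wrapper script can decide
# whether to shut the web VM down. Returns 0 when the packet is strange and
# 1 when it is expected reply traffic.
packet_is_strange() {
    proto=$1; src=$2; sport=$3
    # Anything not carrying the web VM's own address is strange (spoofing, or
    # a second host appearing on the link).
    [ "$src" = "$WEB_VM_IP" ] || return 0
    if [ "$proto" = "tcp" ] && { [ "$sport" = "80" ] || [ "$sport" = "22" ]; }; then
        return 1
    fi
    return 0
}

# Usage: sh tor_vm_isolation.sh print   (prints all fragments for review)
case "${1:-}" in
    print) gen_torrc; echo; gen_sysctl; echo; gen_nft_rules; echo; gen_watch_filter ;;
esac
```

The watcher filter and packet_is_strange encode the same rule: on this link the web VM is only ever a server, so the only legitimate packets it emits are TCP replies from ports 80 and 22. Anything else from it (a DNS lookup, an outbound TCP connect, a packet with a different source address) is exactly the leak signal the message suggests watching for.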


--
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk