
Re: Please help me test my hidden service

     On Mon, 03 Aug 2009 16:42:57 -0400 Ringo <2600denver@xxxxxxxxx>
>I posted a while ago saying I was making a how-to manual for newbies on
>how to set up (reasonably) secure hidden services. I'm almost done but I
>want to release my server for testing to see if I missed anything
>obvious. This is a pretty standard LAMP install running in a virtual
>machine. The OS is Ubuntu on both.
>The site is at http://76jejbkd7gtm5jbb.onion

     I trust that, once you have figured out how to make it work properly,
you will generate new keys for your currently not-so-very-hidden service,
now that you've identified the connection between the URL above and yourself.
     For that matter, it's probably best *not* to run most kinds of hidden
services on tor relays precisely because tor relays are well known through
the directory.  Running a hidden service on a client-only tor would be the
safest way because clients are not listed anywhere as such.  There might be
a place for running a hidden service on a bridge, but it would have to be
for something not terribly dangerous to the hidden service operator because
bridges *are* known to the bridge authorities and thus must be considered to
be listed somewhere.  Something like a web service that is also accessible
directly and publicly and that presents no known danger to its operator (e.g.,
the various tor status pages) can reasonably be run on a tor relay node,
a bridge, or a client.

>There's a drupal install at /drupal and a wordpress install (currently
>not working due to forwarding issues) at /wordpress.
>Feel free to poke around all you want, just please don't do anything
>that would stop other users from accessing the machine such as DoS
>attacks. If you somehow break through, please stay off my home network ; )

     Best you learn how to protect your butt *before* opening it up to the
world, no?  Have you thought about running your service inside a jail or a
virtual machine?  That would make it much easier to wall it off from the
rest of your computer and home network.

>I haven't allowed users to add content because... well.. you know what
>would happen with that in onionland. If you want to add content just
>throw me an email and I'll make you an account. I figure that way I have
>somebody to blame if stuff goes horribly wrong. My PGP key is included

     Again, a jail or a VM would help you contain any damage, and a backup
of the jail's or VM's environment would make it very easy and fast to
restore it to the way you set it up.

>if you roll that way.
>I'm also interested to hear people's ideas on how exactly to test the
>security of this server without handing out shell logins (or is that
>exactly what I should do?).

     A jail or a VM can certainly help you there by limiting the ability
of shell accounts to access the world at large, especially when combined
with the application of a decent packet filter on the host system.

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at cs.niu.edu                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
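
The relay / bridge / client distinction drawn in the message above can be checked mechanically against a torrc. The following is an added example, not part of the original message and not Tor project code; the sample torrc is constructed and the function names are hypothetical. It assumes that ORPort and BridgeRelay in the file are what make the instance a relay or a bridge.

```python
# Added example: report how publicly listed the Tor instance hosting a
# hidden service is, following the three cases described in the message.
SAMPLE_TORRC = """\
# constructed sample torrc, not taken from the original post
ORPort 9001
Nickname examplerelay
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
"""

def parse_torrc(text):
    """Return {lowercased option: [values]}; option names are case-insensitive."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(parts[0].lower(), []).append(value)
    return opts

def node_role(opts):
    """Classify the instance as 'relay', 'bridge' or 'client'."""
    # Assumption: any ORPort other than 0 means the instance accepts
    # relay connections; "ORPort 0" or no ORPort means client-only.
    serves = any(v.split()[0] != "0" for v in opts.get("orport", []) if v)
    if not serves:
        return "client"
    # Use the last BridgeRelay value given in the file.
    bridge = opts.get("bridgerelay", ["0"])[-1] == "1"
    return "bridge" if bridge else "relay"

def audit(text):
    """Return (role, finding) for a torrc given as a string."""
    opts = parse_torrc(text)
    role = node_role(opts)
    if not opts.get("hiddenservicedir"):
        return role, "no hidden service configured"
    if role == "relay":
        return role, "hidden service on a relay listed in the public directory"
    if role == "bridge":
        return role, "hidden service on a bridge known to the bridge authorities"
    return role, "hidden service on a client-only Tor, not listed anywhere as such"

if __name__ == "__main__":
    print(audit(SAMPLE_TORRC))
```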