On Fri, Feb 06, 2015 at 04:57:44PM +0100, david wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> If you would not like to disable the /server-status you could use
> something like:
>
> AuthType Basic
> AuthName "Authentication Required"
> AuthUserFile "/etc/htpasswd/.htpasswd"
> Require valid-user
>
> Order allow,deny
> Allow from all
>
> and protect it with some really heavy user/password.
>
>
>
> Am 06.02.2015 um 16:49 schrieb contact_tor@xxxxxxxxxx:
> > Mirimir wrote:
> >>> When you have a website that is available from a tor secret service, how
> >>> do you forbid access to url restricted to ip=localhost?
> >>>
> >>> I'm thinking of apache default http://xxxxx.onion/server-status for
> example.
> >>>
> >>> Using "a2dismod status" is the obvious solution for that one, but does
> >>> anyone had a more generic solution?
> >>> Maybe a full VM with a vif interface? That's an heavy solution...
> >>> Anything more simple?
> >>
> >> You can use firewall rules.
> >> (...)
> >
> > I don't think you can a firewall, no:
> >
> > "apachectl status" is querying from localhost to
> > http://localhost:80/server-status
> >
> > Connection from tor hidden service also comes from localhost and
> > iptables won't help there.
> >
> >
> > I tried 10 random http hidden services with that trick, and could find 2
> > servers with information that shouldn't be available, like which service
> > are sharing on the same server, the security patch level, list of URL
> > being served, and so on. I also could read one public IP on another
> one. :(
> >
> > If you run apache, you should probably disable mod_status. Now.
> >
> >
> > # grep -iEr 'require +local' /etc/apache2/
> > lists possible problems for apache2.4, for example.
> > Each webapp should also be checked for special permissions granted when
> > remote IP is actually localhost.
> >
> >
> > Documentation really should warn about this, IMHO:
> > https://www.torproject.org/docs/tor-hidden-service.html
> > and possibly a one line warning in the example torrc since
> > "HiddenServicePort 80 127.0.0.1:80" typically is a problem.
> >
> >
> > I might move httpd and tor to 2 different VM. Any nicer idea?
>
> - --
>
> PGP-Key:
> https://www.endofnet.org/David_K._david@xxxxxxxxxxxxx%280x1F86D6CB%29_pub.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBAgAGBQJU1OR4AAoJECua8aAfhtbLLbwP/0M+5nSsYc0Vh2yBsynpneAk
> id4VsGtlOrGA+Zw4EV1EEmzDgA+dKs3Xkq03NKhOGTmuW88FBIXq3qRsFD0APEpR
> 2X2ogQUQS+WlP8k+mrM06/8pzR+quJUj4Y4RDurAzErlYSeRBiRJcWsLaTCIe9Ix
> FSUWDrCu4MzT3uymvqoS7u0cqPwRlgDBR5ciqBQKLzj/vIJfk35JjMddGJU2Y1yG
> 3DvA55OqtHS2pQaQjIddIXp6CpRgh4AdXv8MAYEV7lS1fbd5VXAuhPuGVW2hzsJn
> +qJT2aYSaywtKUPZm/4NTxa/5TqDEYoc6e3O6iaRhI4JA3er8WVWtz6amHKLtzAw
> FkZ1m/VRHTRY7a0GxV+jeOZ511xNKnpeSCmmlEdmspA+DjPvQ3kls6JjC5TUMmA/
> hzi8A7/j3pttGV/dlvUMGVvQpXDay1xtTTkhMJQ+dIweWoHRohtaIC7tfD5GCwWP
> +lA/xF1Mdy46GBxz/YR5RuV93sIv+eqH4WuJKfDSp/d/K7wPqQTcGEoUTPrJDB9J
> n8Q4omUPx0/uxu2r/pmyAyi3GL+81bdSWVnFQlkXzylj6WtzzZWS9MCtgBMbkL7l
> mHKFc+Egw32GxVmZPcRIl2kAojmSPOP3CJyzhhD89gWNL+jND8B4zTxj+UYpk2je
> MfrDZY4thysIH935sc2g
> =aoT2
> -----END PGP SIGNATURE-----
>
> --
> tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
You could also run the apache instance in a Docker container or an LXC
container to separate it that way.
--
Christine Dodrill <xena@xxxxxxxxxxxxx>
2E5C BE74 C16D ED81 6351 E7CE B58E EB12 46DF 6D21
âLinux printing was designed and implemented by people working
to preserve the rainforest by making it utterly impossible to
consume paper.â
â Athas
Attachment:
signature.asc
Description: Digital signature
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk