[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Hidden Service (Nginx) setup guide

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Hidden Service (Nginx) setup guide
From: Thomas White <thomaswhite@xxxxxxxxxx>
Date: Fri, 13 Feb 2015 09:11:23 +0000
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 13 Feb 2015 04:11:57 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak; t=1423818703; bh=5j8uFx4Icb1/5oChF8tUnYuE7Y3TnkqGzRfNYYBmPzw=; h=Date:From:To:Subject:References:In-Reply-To:From; b=DUWLGUrumF9d3hsbrS5cvdN6fpu7BujBnV3uHvKrk3laWYqrrNsEQw/0gIoOKOWHg QLHcMROLth9LgHG0TQk7gvgtk+fKyLEQWiHH5WTnYgVNSiLPf/3xyQQQ8pAa9U0tqr kSNFk12ynIDPbDzXd4eJ5g8ZSvR05if9DqGe5Dfc=
In-reply-to: <54DDB5F3.9050300@xxxxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "all discussion about theory, design, and development of Onion Routing" <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Openpgp: id=0CCA4983; url=https://www.thecthulhu.com/wp-content/uploads/2014/12/pgpkeys.txt
References: <54DDA477.7080804@xxxxxxxxxx> <54DDB5F3.9050300@xxxxxxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-talk" <tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That idea is very similar to the design of Whonix which I've used in
the past, but not ideal for a tiny VPS perhaps where the goal is to
make the site accessible via .onion. For sensitive publications, as I
tried to make clear, more steps are required and it is intended for
people who have a fresh VPS install and just want to get one running.

Perhaps I could follow up on the first post with more hardening
instructions for specific applications, measures to prevent ip leaks etc.

T

On 13/02/2015 08:29, Mike Ingle wrote:
> Setting up the hidden service itself is easy. Steps 1 thru 97 are
> "set up your website and get it working and secured." Step 98: add
> a few lines to your torrc, possibly set some directory 
> permissions. Step 99: restart Tor, get your hidden service
> address. Step 100: test using Tails.
> 
> The hard part is preventing the services from leaking your real IP 
> address. Most blogs, forums, etc. can be made to leak.
> 
> Here is an interesting procedure to develop and document. I played
> with this a bit last year:
> 
> You can set up a virtual machine configuration, using KVM or
> similar, so that the webserver machine has no public Internet
> address and could not leak your identity if it wanted to.
> 
> I had one VM with the Tor client. It had a public IP address and a 
> 'socket' interface, which is a phony Ethernet that connects to a
> socket on the host machine. The VM was not set to route 
> (ip_forward=0), but a hidden service was set up to forward traffic
> to the web VM over the socket interface.
> 
> The other VM, running Apache, had only a socket interface,
> connected to the Tor VM's socket interface. The Apache VM had no
> outside Internet access, and there was nothing it could get to on
> the Tor VM.
> 
> With a setup like this, even if someone gets a shell on the
> webserver VM, he cannot do anything. He has no way to get out, and
> therefore cannot locate your server. If you want to be more 
> paranoid, you can have a process on the host machine watching for 
> strange packets coming from the web VM, ready to shut it down the
> moment it gets hacked.
> 
> You can have a second administrative hidden service for ssh access.
> With a few automatic service check and restart scripts, a machine
> set up this way could run for several years with no physical 
> attention and no non-Tor access. It would be the ideal way to run
> a hidden service.
> 
> Mike
> 
> 

- -- 
Activist, anarchist and a bit of a dreamer.
Keybase: https://keybase.io/thomaswhite

PGP Keys: key.thecthulhu.com
Current Fingerprint: E771 BE69 4696 F742 DB94 AA8C 5C2A 8C5A 0CCA 4983
Key-ID: 0CCA4983
Master Fingerprint: DDEF AB9B 1962 5D09 4264 2558 1F23 39B7 EF10 09F0
Key-ID: EF1009F0

Twitter: @CthulhuSec
XMPP: thecthulhu at jabber.ccc.de
XMPP-OTR: 4321B19F A9A3462C FE64BAC7 294C8A7E A53CC966
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBAgAGBQJU3b+5AAoJEFwqjFoMykmD838P/0hQ4Xj3nZ7iHQmCh3pa4gcY
jRrMZ9t9hUBWN0kSup103zeJ+0MDjn7z5TQuL4vNYWKolYmAabTyngRN9yP2ITPd
7maFpyA94kDfZX0cISL4axw9nWzwCifYTGWDQouNdUtWxeM1ziRsEg75rAQ8MI6X
UOOQhIUvwG/zQL7floLBciYSwiEzEtXezCXBecAs61+fRy2q/Sm8T5Kq6YgiWMSW
kgClNICb2R4NudPS3RPYo78zzqEj6+QhOovdavjjObM2Go9EfbbASWVsbU7izi5w
BbScwyhd9Cwj+YM2hlNqtTGHIFU89cgvEfXpOHoGgGM9YrnhjSCyTiUC5AxDeXDk
Oaw0X7QtgKRQdc90c7knB1lZNR+9wXf69WNNbV+W4eyq96hBelzW8nzAJzeVQcx5
+5pdm0lLXyzScRJoqj08NeKKkhYoBN8fI48MmiGHbc/jAEjsy+GJP1awWIcB8sW5
UilzSZiHWNqEA8KzMpYhl1eqfcl1mrAvmPk6DQswsO4SrD5PCX7QXMiSwakdIBMY
YmF00kLZBMeGYoS9SvhepflrOmiPIbLsxwveina7fuhr2MrjkYISzXL66xEXQLxf
5MSAgkWxeAw0Z+EQYnopYHf7vcU5BZPkkwV803OGD1qCbLndAfboc6/GYsjp2hXI
0kvAqgpOPE2ZSldVHZhG
=DWjV
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] Hidden Service (Nginx) setup guide
  - From: WhonixQubes

References:
- [tor-talk] Hidden Service (Nginx) setup guide
  - From: Thomas White
- Re: [tor-talk] Hidden Service (Nginx) setup guide
  - From: Mike Ingle

Prev by Author: [tor-talk] Hidden Service (Nginx) setup guide
Next by Author: [tor-talk] Funded search engine for onionspace?
Previous by thread: Re: [tor-talk] Hidden Service (Nginx) setup guide
Next by thread: Re: [tor-talk] Hidden Service (Nginx) setup guide
Index(es):
- Author
- Thread