Question: Hidden Services, Virtual Machines, and iptables
- To: or-talk@xxxxxxxxxxxxx
- Subject: Question: Hidden Services, Virtual Machines, and iptables
- From: Ringo <2600denver@xxxxxxxxx>
- Date: Tue, 07 Jul 2009 21:10:59 -0400
Hey Tor users,

My work to write a how-to manual for setting up and securing hidden
services is well underway, but I've got a question that's been getting
at me.

Obviously, hidden services are the 'most secure' when they're run inside
a virtual machine (qemu, vmware, etc. pick your poison). One could
certainly run Tor inside the vm and then have that torrc contain the
instructions for the hidden service. The problem then, is that the vm
has to access the web. We would only want the vm accessing the web IF it
was going through Tor, but we wouldn't want to just route all vm traffic
through the host's Tor client because then you could be running Tor...
over Tor.

One solution would be to create an iptables blacklist (on the host) and
then ban connections to any computers which *aren't* Tor servers. This
seems like it might be a little work to implement and an adversary could
always set up a Tor server if they could hack your hidden service and
remotely execute code (or cause your web server to fetch external content).

Of course, one could always run a hidden service on the host machine and
then redirect all traffic to the vm, but the pitfalls in this are
obvious. You've only got one layer of encryption and any serious
exploits found in Tor could be used against the host machine, revealing
the true IP address of the hidden service. Also, if somebody were forced
to reveal the encryption key to the hard drive, the game would be up as
opposed to running a vm from a deniably-encrypted truecrypt drive that
was mounted remotely via ssh.

Does anybody have any solutions to this dilemma or thoughts on ways to
restructure the model so this isn't a problem?

Also, anybody with hidden service security tips (particularly on
implementing a LAMP server) is welcome to contact me off-list for
obvious reasons. My PGP key is pasted below.

Thanks,
Ringo
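
Added example, not part of Ringo's message: a sketch of the host-side iptables approach described above, which parses the router ("r") lines of a Tor consensus and prints a default-deny rule set for the guest's interface. The interface name `tap0`, the chain name `VM_TOR_ONLY`, and the sample consensus lines are assumptions constructed for illustration; the script only prints rules and applies nothing.

```shell
#!/bin/sh
# Added example: emit (not apply) host-side iptables rules that let a guest VM
# reach only relay ORPorts listed in a Tor consensus and drop everything else.
# Assumptions: guest interface "tap0", chain name "VM_TOR_ONLY"; the consensus
# lines in sample_consensus are constructed, using documentation address ranges.
VM_IF="${VM_IF:-tap0}"
CHAIN="${CHAIN:-VM_TOR_ONLY}"

# Constructed sample: two relays, one repeated entry, one malformed r-line.
sample_consensus() {
cat <<'EOF'
network-status-version 3
r ExampleRelayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2009-07-07 20:00:00 198.51.100.7 443 80
s Fast Running Valid
r ExampleRelayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2009-07-07 20:00:00 192.0.2.10 9001 9030
r ExampleRelayB CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2009-07-07 20:00:00 192.0.2.10 9001 9030
r Broken EEEE FFFF 2009-07-07 20:00:00 not-an-ip 9001 0
EOF
}

# Read a consensus on stdin and print unique "IP ORPort" pairs.
# r-line layout: r nickname identity digest date time IP ORPort DirPort
# Lines whose address is not dotted-quad shaped or whose port is 0 are skipped.
relay_endpoints() {
    awk '$1 == "r" && NF >= 9 &&
         $7 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ &&
         $8 ~ /^[0-9]+$/ && $8 > 0 { print $7, $8 }' | sort -u
}

# Read "IP ORPort" pairs on stdin and print the rule set as text.
# Only packets arriving from the guest interface enter the chain; anything
# not addressed to a listed relay ORPort (DNS included) hits the final DROP.
emit_rules() {
    echo "iptables -N $CHAIN"
    echo "iptables -A FORWARD -i $VM_IF -j $CHAIN"
    while read -r ip port; do
        echo "iptables -A $CHAIN -p tcp -d $ip --dport $port -j ACCEPT"
    done
    echo "iptables -A $CHAIN -j DROP"
}

# Print the rules generated from the constructed sample for review.
sample_consensus | relay_endpoints | emit_rules
```

The relay list changes over time, so the rule set has to be regenerated from a fresh consensus or it goes stale. It also does nothing about the weakness raised in the message: a relay operated by an adversary is on the list like any other.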