[tor-talk] Decent guide to setting up an .onion site on a VPS?
- To: tor-talk@xxxxxxxxxxxxxxxxxxxx
- Subject: [tor-talk] Decent guide to setting up an .onion site on a VPS?
- From: Mirimir <mirimir@xxxxxxxxxx>
- Date: Sat, 11 May 2019 22:31:04 -0700
- In-reply-to: <ade5a7a5d76d691ebee6474ed0e43d97.squirrel@danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion>
- References: <b02e48ce5ccaabd2b6b7b72fe6d2c714.squirrel@danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion> <f3bbe4df-b2f5-23d7-428a-cba764869c9c@torproject.org> <ade5a7a5d76d691ebee6474ed0e43d97.squirrel@danielas3rtn54uwmofdo3x2bsdifr47huasnmbgqzfrec5ubupvtpid.onion>
On 05/11/2019 02:33 PM, jiggytwiggy@xxxxxxxxxxxxx wrote:
>
>>
>> Have you read Configuring Onion Services for Tor [1]?
>>
>>
>> [1] https://2019.www.torproject.org/docs/tor-onion-service.html.en
>>
>>
>>
>> Cheers,
>> ~Vasilis
>
>
> I had seen this before but it assumes one runs the onion on one's own
> machine. My computer is not on 24/7. Isn't there an up-to-date guide for
> running hidden services on a VPS?
It's not fundamentally that different. And what's different is more
about VPS security than about Tor. I'm not up for writing a complete
guide right now. But I'll share some points, which you can fill in
through searching. They apply to Debian x64.
First, if you want your onion service to be ~anonymous, you must not
provide any real contact information, and you must do everything via
Tor. That basically means paying with well-mixed Bitcoin. To avoid leaks
locally, it's prudent to work in Whonix. You'll need to login to your
VPS via Tor, and that's safer using Whonix than just torsocks.
It's best to use VPS providers that don't require contact information.
CockBox is a good one, not too expensive, and quite Tor friendly.
BitHost (a DO reseller) is OK, but too expensive, and isn't so Tor
friendly.
I've also had good service from a few VPS providers that do require
contact information, but don't verify. Such as VPS.BG and HostSailor.
Second, once you have your VPS, you SSH to it via Tor. Before doing
anything else, change the root password, and create a user account. Then
configure SSH for key-based login as user. Because if someone steals
your private key, and logs in, at least they won't have root privileges.
There are many guides for that, so I won't make another here. I do note
that "ssh-keygen" by default creates 2048-bit RSA keys, and that many
swear by longer keys, and other algorithms (such as AES). Also, set
"PasswordAuthentication no" in "/etc/ssh/sshd_config". And if you decide
to SSH login as root, also set "PermitRootLogin prohibit-password". Then
restart SSH ("systemctl restart ssh") and test with another SSH login
before disconnecting the existing one.
Now install the latest Tor release, and upgrade the system. See
https://2019.www.torproject.org/docs/debian.html.en, and also install
"iptables-persistent". Then "apt-get -y dist-upgrade", and reboot.
Then setup Tor. The Tor Project guide for onion services is a little
confusing, because it covers Windows, MacOS and Linux. So also see
https://github.com/torproject/tor/blob/master/src/config/torrc.sample.in
for a sample torrc. In Linux, "@LOCALSTATEDIR@" is typically "/var".
By default, Tor now creates v3 onion services. If you want a v2 onion
service, you must specify that, as the guide shows (Step Four).
Now setup iptables, in iptables-persistent, to make sure that your onion
service doesn't leak in clearnet. Do "ip a" to get your interface name,
and use that instead of "eth0" in the rules below. Do "id -u debian-tor"
to get Tor's UID, and use that instead of "107" in the rules below.
Unless you have good reason not to, block all IPv6 traffic. For IPv4,
allow only SSH in, and only Tor. Plus related established connections.
# nano /etc/iptables/rules.v6
| *filter
|
| :INPUT DROP [0:0]
| :FORWARD DROP [0:0]
| :OUTPUT DROP [0:0]
|
| COMMIT
# ip6tables-restore < /etc/iptables/rules.v6
# nano /etc/iptables/test-rules.v4
| *filter
|
| :INPUT DROP [0:0]
| :FORWARD DROP [0:0]
| :OUTPUT DROP [0:0]
|
| -A INPUT -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
| -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
| -A INPUT -m conntrack --ctstate INVALID -j DROP
| -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
| -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
| -A INPUT -j DROP
|
| -A FORWARD -j DROP
|
| -A OUTPUT -o lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
| -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
| -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
| -A OUTPUT -o eth0 -m owner --uid-owner 107 -j ACCEPT
| -A OUTPUT -j DROP
|
| COMMIT
# iptables-restore < /etc/iptables/test-rules.v4
Now verify that you can still SSH in, from a new local terminal. If you
can, rename /etc/iptables/test-rules.v4 as /etc/iptables/rules.v4
# mv /etc/iptables/rules.v4 /etc/iptables/open-rules.v4
# mv /etc/iptables/test-rules.v4 /etc/iptables/rules.v4
You could also create an SSH onion service, and login using that,
instead of Tor exit to clearnet SSH port. That increases login
anonymity. But blocking clearnet SSH entirely in iptables is risky.
Because if something goes wrong with Tor setup in the VPS, you'll be
unable to login. And so you'll need to redo the VPS from scratch.
Anyway, then install nginx (not apache) and change the listen address
from 0.0.0.0 to 127.0.0.1
# nano /etc/nginx/sites-enabled/default
| ...
|
| # Default server configuration
| #
| server {
| listen 127.0.0.1:80 default_server;
| ...
That should about do it. In creating your site, don't use any
third-party resources, and keep it simple. Static sites are most secure,
and load much faster. Scripts and databases provide more features, but
are risky unless you know what you're doing.
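The post tells you to substitute your real interface name for "eth0" and Tor's real UID for "107" by hand. The following added example (not part of the original post) renders the same rules.v4 and rules.v6 contents with those two values substituted and validated, so a leftover placeholder cannot silently let non-Tor traffic out; the detect helpers assume a Debian host with iproute2 and the debian-tor user.

```shell
#!/bin/sh
# Added example, not from the original post: render the poster's
# iptables-persistent rulesets with the real interface and Tor UID.

# IPv6 ruleset: drop everything, as the post recommends.
render_v6_rules() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT DROP [0:0]' 'COMMIT'
}

# IPv4 ruleset for interface $1 and Tor UID $2: loopback, conntrack
# state, inbound SSH only, and outbound packets only from the Tor user.
render_v4_rules() {
    iface=$1
    tor_uid=$2
    case $tor_uid in
        ''|*[!0-9]*) echo "Tor UID must be numeric, got '$tor_uid'" >&2; return 1 ;;
    esac
    [ -n "$iface" ] || { echo "interface name is required" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $iface -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -o lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o $iface -m owner --uid-owner $tor_uid -j ACCEPT
-A OUTPUT -j DROP
COMMIT
EOF
}

# Detect the values on a real Debian host (assumed tools: ip, id).
detect_iface() { ip -o -4 route show default 2>/dev/null | awk '{print $5; exit}'; }
detect_tor_uid() { id -u debian-tor 2>/dev/null; }

# Usage on the VPS, writing the test file first as the post advises:
# render_v4_rules "$(detect_iface)" "$(detect_tor_uid)" > /etc/iptables/test-rules.v4
# render_v6_rules > /etc/iptables/rules.v6
```

After loading the test file with iptables-restore, confirm a new SSH session still works before renaming it to rules.v4, exactly as the post describes.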