
Re: [tor-talk] Hidden Service (Nginx) setup guide


That idea is very similar to the design of Whonix, which I've used in
the past, but perhaps not ideal for a tiny VPS where the goal is to
make the site accessible via .onion. For sensitive publications, as I
tried to make clear, more steps are required, and it is intended for
people who have a fresh VPS install and just want to get one running.

Perhaps I could follow up on the first post with more hardening
instructions for specific applications, measures to prevent IP leaks, etc.


On 13/02/2015 08:29, Mike Ingle wrote:
> Setting up the hidden service itself is easy. Steps 1 thru 97 are
> "set up your website and get it working and secured." Step 98: add
> a few lines to your torrc, possibly set some directory
> permissions. Step 99: restart Tor, get your hidden service
> address. Step 100: test using Tails.
>
> The hard part is preventing the services from leaking your real IP
> address. Most blogs, forums, etc. can be made to leak.
>
> Here is an interesting procedure to develop and document. I played
> with this a bit last year:
>
> You can set up a virtual machine configuration, using KVM or
> similar, so that the webserver machine has no public Internet
> address and could not leak your identity if it wanted to.
>
> I had one VM with the Tor client. It had a public IP address and a
> 'socket' interface, which is a phony Ethernet that connects to a
> socket on the host machine. The VM was not set to route
> (ip_forward=0), but a hidden service was set up to forward traffic
> to the web VM over the socket interface.
>
> The other VM, running Apache, had only a socket interface,
> connected to the Tor VM's socket interface. The Apache VM had no
> outside Internet access, and there was nothing it could get to on
> the Tor VM.
>
> With a setup like this, even if someone gets a shell on the
> webserver VM, he cannot do anything. He has no way to get out, and
> therefore cannot locate your server. If you want to be more
> paranoid, you can have a process on the host machine watching for
> strange packets coming from the web VM, ready to shut it down the
> moment it gets hacked.
>
> You can have a second administrative hidden service for ssh access.
> With a few automatic service check and restart scripts, a machine
> set up this way could run for several years with no physical
> attention and no non-Tor access. It would be the ideal way to run
> a hidden service.
>
> Mike

-- 
Activist, anarchist and a bit of a dreamer.
Keybase: https://keybase.io/thomaswhite

PGP Keys: key.thecthulhu.com
Current Fingerprint: E771 BE69 4696 F742 DB94 AA8C 5C2A 8C5A 0CCA 4983
Key-ID: 0CCA4983
Master Fingerprint: DDEF AB9B 1962 5D09 4264 2558 1F23 39B7 EF10 09F0
Key-ID: EF1009F0

Twitter: @CthulhuSec
XMPP: thecthulhu at jabber.ccc.de
XMPP-OTR: 4321B19F A9A3462C FE64BAC7 294C8A7E A53CC966

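The two-VM layout Mike describes in the quoted post (a Tor VM holding the public address with ip_forward=0, a web VM reachable only over a private link, an onion service forwarding to it, a second onion service for ssh, and a host-side process watching for strange packets from the web VM), worked through as an added example. This is not code from either poster or from the Tor project. Everything below that is not in the original is an assumption chosen for the example: the private link is 10.0.0.0/30 with the Tor VM at 10.0.0.1 and the web VM at 10.0.0.2, the Tor VM sees the link as eth1 (eth0 carries its public address), the host sees the web VM's side of the link as a tap named tapweb, the site is served on port 80 and ssh on port 22, and the filtering is done with iptables and conntrack.

```shell
#!/bin/sh
# Added example: isolated two-VM onion service (Tor VM in front, web VM behind it).
# Not from the original posts or the Tor project.  Addresses, interface names and
# the 80/22 service ports below are assumptions chosen for the example.
TOR_LINK_IP=10.0.0.1      # Tor VM's address on the private link
WEB_LINK_IP=10.0.0.2      # web VM's address on the private link (its only interface)
LINK_NET=10.0.0.0/30      # the link itself; the web VM must know no other network
LINK_IF=eth1              # Tor VM's interface on the link (eth0 carries its public address)

# torrc fragment for the Tor VM.  Tor opens connections *to* the web VM; the web VM
# never has to initiate anything, which is what the firewall below enforces.
# SocksPort 0 is optional: this VM only hosts onion services and needs no SOCKS client.
gen_torrc() {
    cat <<EOF
SocksPort 0
HiddenServiceDir /var/lib/tor/hs_web/
HiddenServicePort 80 ${WEB_LINK_IP}:80
HiddenServiceDir /var/lib/tor/hs_admin/
HiddenServicePort 22 ${WEB_LINK_IP}:22
EOF
}

# Tor VM: no routing at all (ip_forward=0), and on the link only replies to what Tor
# opened may come back in, so the web VM can reach nothing on the Tor VM.
gen_torvm_firewall() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv6.conf.all.forwarding=0
iptables -P FORWARD DROP
iptables -A INPUT -i ${LINK_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i ${LINK_IF} -j DROP
iptables -A OUTPUT -o ${LINK_IF} -p tcp -d ${WEB_LINK_IP} -m multiport --dports 80,22 -j ACCEPT
iptables -A OUTPUT -o ${LINK_IF} -j DROP
EOF
}

# Web VM self-check: pass it the output of `ip -4 route show`.  A default route or
# any route off the link is a path a compromised web VM could try to use; exits 1.
check_web_vm_routes() {
    printf '%s\n' "$1" | awk -v link="$LINK_NET" '
        $1 == "default" { print "LEAK PATH: " $0; bad = 1; next }
        $1 != link      { print "UNEXPECTED ROUTE: " $0; bad = 1 }
        END { exit bad + 0 }'
}

# Host-side watcher: classify one line of `tcpdump -n -l -i tapweb ether src <web VM MAC>`.
# Because that capture filter keeps only frames the web VM sent, the only legitimate
# traffic is TCP from WEB_LINK_IP port 80 or 22 back to TOR_LINK_IP, plus ARP naming
# the two link addresses.  Everything else (DNS, a connection attempt at the Tor VM,
# a spoofed source, IPv6) exits 1 so the caller can shut the VM down.
classify_link_packet() {
    printf '%s\n' "$1" | awk -v web="$WEB_LINK_IP" -v tor="$TOR_LINK_IP" '
    function ipv4(tok) { sub(/,$/, "", tok); return (tok ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) ? tok : "" }
    {
        for (i = 1; i <= NF; i++) {
            if ($i == "ARP,") {
                for (j = i; j <= NF; j++) { a = ipv4($j); if (a != "" && a != web && a != tor) { print "SUSPECT arp: " $0; exit 1 } }
                print "OK arp"; exit 0
            }
            if ($i == "IP" && $(i+2) == ">") {
                src = $(i+1); dst = $(i+3); sub(/:$/, "", dst)
                n = split(src, s, "."); saddr = s[1] "." s[2] "." s[3] "." s[4]; sport = (n > 4) ? s[n] : ""
                n = split(dst, d, "."); daddr = d[1] "." d[2] "." d[3] "." d[4]
                if (saddr == web && daddr == tor && (sport == "80" || sport == "22")) { print "OK reply " src " > " dst; exit 0 }
                print "SUSPECT " src " > " dst; exit 1
            }
        }
        print "SUSPECT non-IPv4 frame: " $0; exit 1
    }'
}

# Constructed sample capture (not real traffic): lines 3 and 4 are what a compromised
# web VM would do: resolve a name on the Internet, and probe the Tor VM's ssh port.
SAMPLE_CAPTURE='12:00:00.000001 IP 10.0.0.2.80 > 10.0.0.1.40000: Flags [P.], seq 1:100, ack 1, length 99
12:00:00.000002 ARP, Reply 10.0.0.2 is-at 52:54:00:aa:bb:cc, length 28
12:00:00.000003 IP 10.0.0.2.51234 > 198.51.100.7.53: 4321+ A? example.com. (29)
12:00:00.000004 IP 10.0.0.2.44000 > 10.0.0.1.22: Flags [S], seq 12345, length 0
12:00:00.000005 IP 10.0.0.2.22 > 10.0.0.1.50000: Flags [P.], seq 1:50, ack 1, length 49'

# Run the watcher over a whole capture; prints how many frames would have triggered a shutdown.
count_suspects() {
    n=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        classify_link_packet "$line" >/dev/null || n=$((n + 1))
    done <<EOF
$1
EOF
    echo "$n"
}
```

On the Tor VM, `gen_torrc` goes into torrc and `gen_torvm_firewall` is run as root; on the web VM, feed `ip -4 route show` to `check_web_vm_routes` and expect nothing but the link route; on the host, pipe `tcpdump -n -l -i tapweb ether src <web VM MAC>` line by line through `classify_link_packet` and stop the guest (for example with `virsh destroy`) on the first non-zero exit, which is the automatic shutdown Mike describes. The watcher is deliberately strict: it only knows the one direction of traffic the design allows, so anything new (ICMP, IPv6, a different service port) has to be added on purpose rather than slipping through.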