[tor-onions] Privacy Audits for Onion Services
dylan at fdylan.co.uk
dylan at fdylan.co.uk
Fri Aug 31 13:58:22 UTC 2018
>ensure that your external website(s)are only listening on external ip addresses"
I believe you mean that the website host (Apache/nginx) listen only on localhost, and NOT on external at all. Otherwise, shodan will find it, and your code will leak the IP.
-----Original Message-----
From: tor-onions <tor-onions-bounces at lists.torproject.org> On Behalf Of J. S. Evans
Sent: Friday, August 31, 2018 9:40 AM
To: tor-onions at lists.torproject.org
Subject: Re: [tor-onions] Privacy Audits for Onion Services
Hi Tom,
Thanks for the input!
On Thu, 2018-08-30 at 17:51 +0200, Tom Ritter wrote:
> That's an excellent question. I think we should make a wiki page on
> trac about this, if we don't have one already...
>
Once there is a page, I would love to volunteer to add input.
> Off the top of my head, I'd suggest the following (specific to
> HTTP(S) servers):
> - Ensure your clock is correct and is corrected automatically once or
> twice a day to reduce time skews
> - If your server is exposed to the internet, ensure that one cannot
> hit your onionsite by specifying it in the host header on the
> clearnet. Ensure the onionsite is only listening on the internal IP.
> - Similarly, ensure that your external website(s)are only listening on
> external ip addresses, and one cannot hit them over the onionsite by
> specifying them in the Host header
> - Best case: run your service on a machine that _has_ no external IP
> address and only internal IP addresses
I usually run onion services on vms in containers. The VM has an internal 192.168... ip and no external (to the internet) facing IP. All real tcp ports are closed. Port 80 is listening on the web server but not actually open on any firewall.
> - Check your SSL configuration and ensure your onionsite isnt sending
> a cert for external websites
Until let's encrypt starts providing certs for .onion sites, I will not run https because it's redundant.
> - Don't run a relay and a hidden service on the same tor instance
>
> Then there are a ton of advice items for individual
> languages/frameworks. For example for PHP, don't expose phpinfo() or
> $_SERVER. Don't expose error messages.
>
Duly noted. It would be great to have a list of suggestions about for different languages on the wiki.
> There is a class of web attack called 'SSRF' or Server Side Request
> Forgery. The toehold of this attack is that you can induce the
> _server_ to perform a connection. This could be through a DNS lookup,
> a XML DTD fetch, or other types of vulnerabilities. If an attacker can
> do this on your onionsite, they can trigger you to connect to their
> server and learn your server address. You can mitigate this by strict
> egress firewalling.
I know how to do this with Docker. I could research this and write up a guide for some of the more well known firewall apps. firewalld, ufw, plain iptables, etc.
>
> -tom
>
> On 30 August 2018 at 10:33, Jason S. Evans <
> jason.s.evans at protonmail.com> wrote:
> > Hi all,
> >
> > How can I best audit an onion service to make sure that my IP can
> > not easily be compromised? Is there a list of things to do to try to
> > hack my own site to try to find the IP?
> >
> > Thanks!
> > Jason
> >
> >
> >
> >
> > _______________________________________________
> > tor-onions mailing list
> > tor-onions at lists.torproject.org
> > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-onions
> >
_______________________________________________
tor-onions mailing list
tor-onions at lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-onions
More information about the tor-onions
mailing list