[tor-talk] How to protect apache local-restricted from secret service access?
contact_tor at nirgal.com
Fri Feb 6 15:49:45 UTC 2015
Mirimir wrote:
>> When you have a website that is available from a tor secret service, how
>> do you forbid access to URLs restricted to ip=localhost?
>>
>> I'm thinking of apache default http://xxxxx.onion/server-status for example.
>>
>> Using "a2dismod status" is the obvious solution for that one, but does
>> anyone have a more generic solution?
>> Maybe a full VM with a vif interface? That's a heavy solution...
>> Anything simpler?
>
> You can use firewall rules.
> (...)
I don't think you can use a firewall, no:
"apachectl status" is querying from localhost to
http://localhost:80/server-status
Connections from the tor hidden service also come from localhost, and
iptables won't help there.
I tried 10 random http hidden services with that trick, and could find 2
servers with information that shouldn't be available, like which services
are sharing the same server, the security patch level, the list of URLs
being served, and so on. I also could read one public IP on another one. :(
If you run apache, you should probably disable mod_status. Now.
# grep -iEr 'require +local' /etc/apache2/
lists possible problems for apache2.4, for example.
Each webapp should also be checked for special permissions granted when
the remote IP is actually localhost.
Documentation really should warn about this, IMHO:
https://www.torproject.org/docs/tor-hidden-service.html
and possibly a one-line warning in the example torrc since
"HiddenServicePort 80 127.0.0.1:80" typically is a problem.
I might move httpd and tor to 2 different VMs. Any nicer idea?
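The check the post sketches with "grep -iEr 'require +local'", written out as an added audit script (not code from the thread): it scans an Apache configuration tree for every directive that grants access because the client appears to be local, and a torrc for HiddenServicePort lines whose target is the loopback, which is the combination that lets onion-service visitors reach localhost-only URLs. It runs against a small constructed sample host so it works stand-alone; the directory layout, file contents and the 10.0.3.5 address are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the original post): audit a host for the
# "onion-service connections look like localhost to Apache" problem.
# Assumptions: Apache 2.4 ("Require local", "Require ip 127...") or 2.2
# ("Allow from 127...") syntax; torrc "HiddenServicePort VIRTPORT [TARGET]",
# where an omitted or port-only TARGET maps to 127.0.0.1 (tor's documented default).

# Print (file:line:text) every uncommented Apache directive that trusts a loopback client.
# $1 = Apache configuration directory (e.g. /etc/apache2)
find_local_grants() {
    grep -inEr \
        '^[[:space:]]*(Require[[:space:]]+(local([[:space:]]|$)|ip[[:space:]]+(127\.|::1|localhost)|host[[:space:]]+localhost)|Allow[[:space:]]+from[[:space:]]+(127\.|::1|localhost))' \
        "$1" 2>/dev/null || true
}

# Print (line:text) every uncommented HiddenServicePort whose target is on the loopback:
# an explicit 127.x / ::1 / localhost target, a bare port, or no target at all.
# $1 = path to torrc
find_loopback_hs_ports() {
    grep -inE \
        '^[[:space:]]*HiddenServicePort[[:space:]]+[0-9]+([[:space:]]+(127\.[0-9.]+|localhost|\[::1\]|::1|[0-9]+)(:[0-9]+)?)?[[:space:]]*$' \
        "$1" 2>/dev/null || true
}

# Total number of findings for one host; 0 means this check found nothing to fix.
# $1 = Apache configuration directory, $2 = torrc path
count_findings() {
    apache_hits=$(find_local_grants "$1" | wc -l | tr -d ' ')
    torrc_hits=$(find_loopback_hs_ports "$2" | wc -l | tr -d ' ')
    echo $((apache_hits + torrc_hits))
}

# Constructed sample host (not a real system) so the script runs without root or Apache.
# $1 = scratch directory to populate
make_sample_host() {
    mkdir -p "$1/apache2/mods-enabled" "$1/apache2/sites-enabled"
    # Resembles the stock mod_status config: /server-status open to "local" clients.
    cat > "$1/apache2/mods-enabled/status.conf" <<'EOF'
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        Require local
    </Location>
</IfModule>
EOF
    # A webapp admin area that assumes 127.0.0.1 means "the administrator".
    cat > "$1/apache2/sites-enabled/admin.conf" <<'EOF'
<Location /admin>
    Require ip 127.0.0.1
</Location>
EOF
    # Public content: no loopback-based grant, so it is not reported.
    cat > "$1/apache2/sites-enabled/public.conf" <<'EOF'
<Directory /var/www/html>
    Require all granted
</Directory>
EOF
    # Constructed torrc: one loopback target (flagged) and one target on a separate
    # VM's address (10.0.3.5, assumed), whose traffic does not arrive with a 127.0.0.1 source.
    cat > "$1/torrc" <<'EOF'
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 8080 10.0.3.5:80
EOF
}

SAMPLE=$(mktemp -d)
make_sample_host "$SAMPLE"
echo "== Apache directives trusting the loopback client =="
find_local_grants "$SAMPLE/apache2"
echo "== HiddenServicePort lines forwarding to the loopback =="
find_loopback_hs_ports "$SAMPLE/torrc"
echo "findings: $(count_findings "$SAMPLE/apache2" "$SAMPLE/torrc")"
rm -rf "$SAMPLE"
```

On a real host, call find_local_grants /etc/apache2 and find_loopback_hs_ports /etc/tor/torrc; every Apache line it prints is a URL that an onion-service visitor can reach whenever the torrc also forwards to the loopback, and the fixes are the ones the post names: disable mod_status, review each webapp's localhost-only permissions, or put httpd on an address tor does not share.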