[tor-talk] How to protect apache local-restricted from secret service access?

Mirimir mirimir at riseup.net
Sat Feb 7 04:08:08 UTC 2015


On 02/06/2015 08:49 AM, contact_tor at nirgal.com wrote:
> Mirimir wrote:
>>> When you have a website that is available from a tor secret service, how
>>> do you forbid access to url restricted to ip=localhost?
>>>
>>> I'm thinking of apache default http://xxxxx.onion/server-status for example.
>>>
>>> Using "a2dismod status" is the obvious solution for that one, but does
>>> anyone had a more generic solution?
>>> Maybe a full VM with a vif interface? That's an heavy solution...
>>> Anything more simple?
>>
>> You can use firewall rules.
>> (...)
> 
> I don't think you can a firewall, no:
> 
> "apachectl status" is querying from localhost to
> http://localhost:80/server-status
> 
> Connection from tor hidden service also comes from localhost and
> iptables won't help there.

Sane (or prudent, anyway) hidden service operators put the tor process
on a separate machine, or at least a VM. As you note below.

> I tried 10 random http hidden services with that trick, and could find 2
> servers with information that shouldn't be available, like which service
> are sharing on the same server, the security patch level, list of URL
> being served, and so on. I also could read one public IP on another one. :(
> 
> If you run apache, you should probably disable mod_status. Now.

That's prudent, no doubt.

> # grep -iEr 'require +local' /etc/apache2/
> lists possible problems for apache2.4, for example.
> Each webapp should also be checked for special permissions granted when
> remote IP is actually localhost.
> 
> 
> Documentation really should warn about this, IMHO:
> https://www.torproject.org/docs/tor-hidden-service.html
> and possibly a one line warning in the example torrc since
> "HiddenServicePort 80 127.0.0.1:80" typically is a problem.

Yes.

> I might move httpd and tor to 2 different VM. Any nicer idea?

Using separate VMs for server and tor would be good.


More information about the tor-talk mailing list