[tor-talk] Hidden Service (Nginx) setup guide

Thomas White thomaswhite at riseup.net
Fri Feb 13 09:11:23 UTC 2015



That idea is very similar to the design of Whonix which I've used in
the past, but not ideal for a tiny VPS perhaps where the goal is to
make the site accessible via .onion. For sensitive publications, as I
tried to make clear, more steps are required and it is intended for
people who have a fresh VPS install and just want to get one running.

Perhaps I could follow up on the first post with more hardening
instructions for specific applications, measures to prevent IP leaks, etc.

T

On 13/02/2015 08:29, Mike Ingle wrote:
> Setting up the hidden service itself is easy. Steps 1 thru 97 are
> "set up your website and get it working and secured." Step 98: add
> a few lines to your torrc, possibly set some directory 
> permissions. Step 99: restart Tor, get your hidden service
> address. Step 100: test using Tails.
> 
> The hard part is preventing the services from leaking your real IP 
> address. Most blogs, forums, etc. can be made to leak.
> 
> Here is an interesting procedure to develop and document. I played
> with this a bit last year:
> 
> You can set up a virtual machine configuration, using KVM or
> similar, so that the webserver machine has no public Internet
> address and could not leak your identity if it wanted to.
> 
> I had one VM with the Tor client. It had a public IP address and a 
> 'socket' interface, which is a phony Ethernet that connects to a
> socket on the host machine. The VM was not set to route 
> (ip_forward=0), but a hidden service was set up to forward traffic
> to the web VM over the socket interface.
> 
> The other VM, running Apache, had only a socket interface,
> connected to the Tor VM's socket interface. The Apache VM had no
> outside Internet access, and there was nothing it could get to on
> the Tor VM.
> 
> With a setup like this, even if someone gets a shell on the
> webserver VM, he cannot do anything. He has no way to get out, and
> therefore cannot locate your server. If you want to be more 
> paranoid, you can have a process on the host machine watching for 
> strange packets coming from the web VM, ready to shut it down the
> moment it gets hacked.
> 
> You can have a second administrative hidden service for ssh access.
> With a few automatic service check and restart scripts, a machine
> set up this way could run for several years with no physical 
> attention and no non-Tor access. It would be the ideal way to run
> a hidden service.
> 
> Mike
> 
> 

-- 
Activist, anarchist and a bit of a dreamer.
Keybase: https://keybase.io/thomaswhite

PGP Keys: key.thecthulhu.com
Current Fingerprint: E771 BE69 4696 F742 DB94 AA8C 5C2A 8C5A 0CCA 4983
Key-ID: 0CCA4983
Master Fingerprint: DDEF AB9B 1962 5D09 4264 2558 1F23 39B7 EF10 09F0
Key-ID: EF1009F0

Twitter: @CthulhuSec
XMPP: thecthulhu at jabber.ccc.de
XMPP-OTR: 4321B19F A9A3462C FE64BAC7 294C8A7E A53CC966
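The two-VM layout Mike describes (a Tor VM with the public address and a private "socket" link, a web VM reachable only over that link, no routing on the Tor VM, and something watching for unexpected packets from the web VM) can be pinned down on the Tor-VM side with a torrc fragment plus a firewall ruleset. The script below is an added example written for this archive page; it is not from either message. It assumes names that are not in the thread: the private link is eth1 with the Tor VM at 10.0.0.1, the web VM is 10.0.0.2 serving HTTP on port 80, and the hidden service keys live under /var/lib/tor/hidden_service. It only generates text and checks a file; it changes nothing on the machine. One variation from Mike's description: the "strange packet" detection here is done by a LOG rule on the Tor VM rather than by a sniffer on the host, so the watchdog consumes kernel log lines.

```shell
#!/bin/sh
# Added example for the tor-talk thread above (not code from either poster).
# Assumed layout (not stated in the thread):
#   Tor VM: public NIC + private link eth1 (10.0.0.1), Tor runs here
#   Web VM: only the private link, 10.0.0.2, nginx/apache on :80
PRIV_IF="${PRIV_IF:-eth1}"
WEB_VM="${WEB_VM:-10.0.0.2}"
WEB_PORT="${WEB_PORT:-80}"
HS_DIR="${HS_DIR:-/var/lib/tor/hidden_service}"

# torrc fragment: Tor publishes the service and hands rendezvous traffic to
# the web VM over the private link. Tor itself opens the TCP connection, so
# the web VM never needs to reach anything on its own.
gen_torrc() {
    printf 'HiddenServiceDir %s/\nHiddenServicePort %s %s:%s\n' \
        "$HS_DIR" "$WEB_PORT" "$WEB_VM" "$WEB_PORT"
}

# sysctl fragment matching Mike's "ip_forward=0": the Tor VM must not
# route between its public NIC and the private link.
gen_sysctl() {
    printf 'net.ipv4.ip_forward = 0\n'
}

# iptables-restore ruleset for the Tor VM. FORWARD drops everything. On the
# private link the only accepted inbound traffic is the reply half of
# connections Tor opened to WEB_VM:WEB_PORT; anything else the web VM sends
# is logged with a fixed prefix and dropped. Outbound on the private link is
# limited to that one destination. (A Tor client/hidden service needs no
# inbound ports on the public NIC, so INPUT defaults to DROP there as well.)
gen_iptables() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $PRIV_IF -m limit --limit 10/min -j LOG --log-prefix "WEBVM-UNEXPECTED: "
-A INPUT -i $PRIV_IF -j DROP
-A OUTPUT -o $PRIV_IF -p tcp -d $WEB_VM --dport $WEB_PORT -j ACCEPT
-A OUTPUT -o $PRIV_IF -j DROP
COMMIT
EOF
}

# Returns 0 when the given sysctl file (default: the live ip_forward knob)
# reads 0, i.e. the Tor VM will not route packets for the web VM.
check_ip_forward() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# Watchdog helper: given one kernel log line, print the source address and
# return 0 if it is a packet the LOG rule above flagged, else return 1.
# A real watchdog would tail the log and, on a hit, stop the web VM
# (for libvirt/KVM: "virsh destroy <webvm>"); the action is left to the caller.
flag_unexpected() {
    line="$1"
    case "$line" in
        *"WEBVM-UNEXPECTED: "*)
            printf '%s\n' "$line" | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p'
            return 0 ;;
    esac
    return 1
}

# Constructed sample: what the LOG rule emits if the web VM tries to open
# SSH to the Tor VM over the private link.
SAMPLE_LOG='Feb 13 09:11:23 torvm kernel: WEBVM-UNEXPECTED: IN=eth1 OUT= SRC=10.0.0.2 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=41234 DPT=22 SYN'

gen_torrc
gen_sysctl
gen_iptables
if check_ip_forward; then echo "ip_forward=0: ok"; else echo "ip_forward is not 0 (or unreadable)"; fi
if src=$(flag_unexpected "$SAMPLE_LOG"); then echo "unexpected packet from web VM: $src"; fi
```

Tor refuses to start a hidden service whose HiddenServiceDir is not owned by the Tor user or is group/world accessible, which is the "directory permissions" step Mike mentions; `chown tor:tor` and `chmod 700` on the directory before restarting. Mike's second administrative hidden service for SSH would be a second HiddenServiceDir/HiddenServicePort pair in the same torrc, and the OUTPUT rule on the private link would then need an additional line for that port.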


More information about the tor-talk mailing list