How to run hidden onion server? Step-by-step guide.

Postby Admin » Mon May 06, 2013 7:35 pm

1) Buy any cheap VPS.
You can find good deals on http://www.lowendbox.com/ and also check out http://www.lowendtalk.com/wiki/ with examples of some common VPS installations, such as web-server.

2) Install nginx, mysql, php or anything your website needs to run.

3) Configure your web-server to listen ONLY to 127.0.0.1:4986

Apache:
Code:
Listen 127.0.0.1:4986

lighttpd:
Code:
server.port = 4986
server.bind = "127.0.0.1"

nginx:
Code:
listen 127.0.0.1:4986;

Now restart your webserver.


4) Install Tor.

Debian:
Code:
apt-get install tor   # run as root

CentOS:
Code:
sudo yum install tor

or you can find instructions here https://www.torproject.org/docs/debian.html.en (not only for Debian)


5) Configure Tor:
Code:
# /etc/tor/torrc
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:4986

Now restart Tor:
Code:
/etc/init.d/tor restart

And your tor hidden service is now up and running.
Its *.onion address is written to this file:
Code:
/var/lib/tor/hidden_service/hostname


Type it in your browser & go check out!

!!! Take care:

1) Since your website is running on a VPS, admins of the host system could probably have access to all of your files & data. By simply reading that data they can easily match you and your hidden service. Using TrueCrypt or EncFS greatly reduces this possibility, but it is still possible to read the passphrase or unencrypted data from the VPS's memory image.

A good choice is to buy a physical server & use encryption on it.
An even better choice - stay anonymous yourself to your VPS provider.
Google "bitcoin vps", or use some gift-card, anonymous coupon, ask for a test period or whatever. Then, never show your real IP to the hoster (create the account, pay and later connect to your VPS only via Tor), use only secure protocols for that (https, ssh) and always verify signatures to avoid MITM attacks by Tor exit nodes, which are popular.

2) Beware of web-based attacks. This is true for any website, not only hidden ones, but I'll repeat here once again: never trust user's data.

3) Limit access to your VPS from outside Tor. Configure iptables, or at least make sure you don't have Memcached listening to the whole world.
Admin
Site Admin
 
Posts: 10
Joined: Sat Mar 23, 2013 4:19 pm

Re: How to run hidden onion server? Step-by-step guide.

Postby aetheris » Tue Jun 25, 2013 4:42 am

Thanks for this tutorial. I followed one just like this earlier, and it worked out great, except that I could not find out how to launch the browser.
aetheris
 
Posts: 1
Joined: Tue Jun 25, 2013 4:32 am

Re: How to run hidden onion server? Step-by-step guide.

Postby Danja » Fri Jun 28, 2013 9:18 am

Browser? This tutorial is about server-side hosting, there is no such thing as browser there. Browser is for other people to access your server from their computers, it should not be installed on server.

To access your hidden service you should do whatever you usually do to access other .onion sites, for example install Tor Browser Bundle.
Danja
 
Posts: 80
Joined: Sat Mar 23, 2013 7:19 pm

Re: How to run hidden onion server? Step-by-step guide.

Postby Conduit » Wed Oct 16, 2013 10:41 am

Sorry to dig up a (relatively) old post but I cannot stop my hidden service from being displayed in clearnet.

When I go to the onion site - the webpage loads
When I access 192.168.0.114:8008 (from another PC on this LAN) I can access the website.

I would have thought localhost is only for that PC and not from another within the same LAN, although I'm not fluent in this area...

I have added to torrc:

HiddenServiceDir /home/pi/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8008


and also added to /etc/nginx/sites-available/default:

server {
listen 8008; ## listen for ipv4; this line is default and implied


And also restarted both, still can access it. Any advice for a noob?
Conduit
 
Posts: 2
Joined: Wed Oct 16, 2013 10:36 am

Re: How to run hidden onion server? Step-by-step guide.

Postby TOR Hacker » Thu Oct 17, 2013 8:07 am

In nginx.conf
listen 8008;

should change to
listen 127.0.0.1:8008;


or, if you run Tor and nginx on different servers, put the IP of the Tor box there.
TOR Hacker
 
Posts: 135
Joined: Sun Mar 24, 2013 5:13 am
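
Editor's added example (not code from any poster in this thread): a check for the misconfiguration discussed above, where the backend named in HiddenServicePort is also listening on a non-loopback address. The torrc text and the `ss -ltn` output are constructed samples; the function names are this example's own.

```python
import ipaddress

# Constructed sample torrc, using the directives quoted in the thread.
SAMPLE_TORRC = """\
HiddenServiceDir /home/pi/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8008
"""

# Constructed `ss -ltn` output. With "listen 8008;" nginx binds the wildcard address.
SAMPLE_SS_BEFORE = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:8008        0.0.0.0:*
LISTEN  0       128     127.0.0.1:9050      0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
"""
# The same host after changing the directive to "listen 127.0.0.1:8008;".
SAMPLE_SS_AFTER = SAMPLE_SS_BEFORE.replace("0.0.0.0:8008", "127.0.0.1:8008")


def backend_ports(torrc_text):
    """Return the TCP ports that HiddenServicePort lines forward to."""
    ports = set()
    for line in torrc_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0].lower() != "hiddenserviceport":
            continue
        virt_port = parts[1]
        # Without a target, Tor forwards to the same port on 127.0.0.1.
        target = parts[2] if len(parts) > 2 else virt_port
        if target.startswith("unix:"):
            continue  # unix sockets are not reachable over the network
        tail = target.rsplit(":", 1)[-1]
        ports.add(int(tail) if tail.isdigit() else int(virt_port))
    return ports


def listening_sockets(ss_text):
    """Parse `ss -ltn` output into (address, port) tuples."""
    socks = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        socks.append((addr.strip("[]"), int(port)))
    return socks


def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcard binds are not loopback."""
    try:
        return ipaddress.ip_address(addr.split("%", 1)[0]).is_loopback
    except ValueError:
        return False  # "*" or anything unparsable is treated as exposed


def exposed_backends(torrc_text, ss_text):
    """List (address, port) listeners for onion backends bound beyond loopback."""
    ports = backend_ports(torrc_text)
    return sorted(
        (addr, port)
        for addr, port in listening_sockets(ss_text)
        if port in ports and not is_loopback(addr)
    )


if __name__ == "__main__":
    for label, ss_out in (("before", SAMPLE_SS_BEFORE), ("after", SAMPLE_SS_AFTER)):
        print(label, exposed_backends(SAMPLE_TORRC, ss_out) or "backend is loopback-only")
```

On a real host, feed it the contents of your torrc and the output of `ss -ltn` captured on the server.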

Re: How to run hidden onion server? Step-by-step guide.

Postby Conduit » Thu Oct 17, 2013 11:58 am

Thanks for this - your assistance worked.
Conduit
 
Posts: 2
Joined: Wed Oct 16, 2013 10:36 am

Re: How to run hidden onion server? Step-by-step guide.

Postby admissionpro » Wed Mar 08, 2017 6:10 am

Step One: Install a web server locally

Step Two: Configure your hidden service

Hidden services operators need to practice proper operational security and system administration to maintain security. For some security suggestions please make sure you read over Riseup's "Tor hidden services best practices" document. Also, here are some more anonymity issues you should keep in mind:

As mentioned above, be careful of letting your web server reveal identifying information about you, your computer, or your location. For example, readers can probably determine whether it's thttpd or Apache, and learn something about your operating system.
If your computer isn't online all the time, your hidden service won't be either. This leaks information to an observant adversary.
It is generally a better idea to host hidden services on a Tor client rather than a Tor relay, since relay uptime and other properties are publicly visible.
The longer a hidden service is online, the higher the risk that its location is discovered. The most prominent attacks are building a profile of the hidden service's availability and matching induced traffic patterns.
admissionpro
 
Posts: 3
Joined: Wed Mar 01, 2017 12:15 pm

Re: How to run hidden onion server? Step-by-step guide.

Postby Malleshadmissionq » Fri Apr 14, 2017 5:21 am

How to use this guide.
Here you can find information about running Tor hidden (onion) services based on our experiences running them and helpful tips from people like you. If you have a helpful tip, or can translate this into another language, please contribute!

Tor Hidden Services are being renamed because “Hidden Service” didn’t accurately describe what was possible, so the name is being broadened to be “Onion Services”. In this guide we will use the new name.

Installing and configuring Onion Services
For information on configuring onion services, please read the Tor Project’s guide

Make sure your tor software is updated
It is not enough to simply install tor and configure your onion service and then forget about it. You must keep it up to date so that critical security flaws are fixed. All software has bugs, and Tor is no exception. Make sure you are keeping your software up-to-date.

Many things can be made into onion services
You can do a lot of things over onion services, not just make a website available! You can also provide IMAP, or SMTP, or deliver mail between MTAs, among many other possibilities. Spread the onions far and wide! But be careful, if the service makes DNS requests for whatever reason (like resolving where that SMTP server is to send the email), then you leak information. One way to work around this is to have the machine running your service fully iptabled to go through Tor all the time.

Don’t run a relay at the same time
Do not run a relay and an onion service on the same instance. Having a relay and an onion service on same IP and/or machine helps traffic correlation and fingerprinting. However, Tor is smart enough to not choose itself as a node for the circuit so it’s not a disaster but ideally you want to avoid it.

Monitor your onion service(s) availability
Although their stability has improved greatly, onion services can still fail for a number of reasons. Set up some monitoring to regularly connect to your onion service(s) to make sure that they are still functioning.

Multiple ports for one onion service
You don’t need to create a different onion service for every service you want to make available, just add more HiddenServicePort lines, for example:

HiddenServiceDir /usr/local/etc/tor/other_hidden_service/
HiddenServicePort 6667 127.0.0.1:6667
HiddenServicePort 22 127.0.0.1:22
If you want to run multiple onion services from the same Tor client, just add another HiddenServiceDir line to the config file.

SSL/TLS isn’t necessary
You don’t really need SSL/TLS in an onion address (ie. https) since it’s a complete encrypted tunnel + PFS (perfect forward secrecy), but it does not hurt having extra layers in that onion!

Although it is true that extra layers are good beware that usually redirecting to SSL/TLS will mean that the certificate will not validate (because the hostname will be *.onion, instead of the certificate that you have for your public service). If you can get a .onion certificate, that works!

Onion services and Rails 4
In order to get a .onion site to play nice with rails, and have the site also work over HTTPS when not using the .onion, you need to change a few defaults.

The first thing that must be changed is to not use the config.force_ssl = true option. This option is the default for rails apps in production. This setting forces secure cookies and forces HSTS. Change my_rails_app/config/environments/production.rb to be:

config.force_ssl = false
Once we set force_ssl = false, we want to add back the ability to enforce secure cookies and HSTS when using normal HTTPS. So, to do this, we make sure the web server is setting the HSTS headers for the HTTPS virtualhost, and we add the secureheaders gem to enforce secure cookies. The secureheaders gem will actually override the secure cookie flag for plain http requests, unlike the rails force_ssl flag. This allows us to have secure cookies for the regular HTTPS site and insecure cookies for the .onion site, which is what we want.

Install the secureheaders gem for your application, in my_rails_app/Gemfile:

gem 'secure_headers', '~> 3.5'
(replace 3.5 with whatever the current version of secureheaders is available)

Add a secureheaders configuration, in config/initializers/secureheaders.rb:

    SecureHeaders::Configuration.default do |config|
      config.cookies = {
        secure: true,
        httponly: true,
        samesite: {
          strict: true
        }
      }
    end

NOTE: When configuring apache or nginx in this setup, do not set the X_FORWARDED_PROTO environment variable to be https.

Onion services can be found
If you are not very careful and keep your server from revealing identifying information about you, your computer, or your location, then the onion service will no longer be hidden!

A common misstep here is server signatures, for example it is easy to determine if a webserver is thttpd or Apache, or learn about your operating system because the banner tells the version of the running service and operating system.

Another way that your onion address will get out is via the referrer header in browsers when a client browses a hidden service website and then clicks on a clearnet/hidden service link. The tor browser has taken care of many of these tiny leaks, so be sure to encourage your users to use an up-to-date tor browser instead of using their own browser with tor.

The longer an onion service is online, the higher the risk that its location is discovered. The most prominent attacks are building a profile of the onion service’s availability and matching induced traffic patterns.

There are currently ways in the protocol that a bad relay can learn about your onion address, even if you don’t tell anybody. Follow the discussion on the subject if you want to stay on top of how the Tor project is working on fixing these issues.

Onion services don’t need to be hidden!
You can provide an onion service for a service that you offer publicly on a server that is not intended to be hidden. Onion services are useful to protect users from passive network surveillance, they keep the snoopers from knowing where users are connecting from and to.

Make your onion services easy to find
If you provide onion services, make them known to your users by advertising their existence, their onion hostnames and ports that they provide in a way that authenticates they are the ones that are legitimate (for example, you could digitally sign the list of onion addresses like Riseup does, or put them in DNS txt records).

Ask your favorite online service to provide an onion service!
Advocate for more onion services by asking those who provide the services that you use to make them available. They are easy to setup and maintain, and there is no reason not to provide them!

Moving onion services
You can move onion services between systems, just copy the /var/lib/tor/<hidden_service> directory to the new system and make sure the torrc on the new system has the same configuration as the old one. Be sure to disable and stop the old one before starting the new one. The onion service directory simply contains the hostname of the onion service, and the private key.

Protecting your services
Protect your private keys
Keep the onion service private key private! That key should not be available to the public, it should not be shared and it should have proper permissions set so it is not readable by anyone on your system, except for the tor process.

Backup your private keys
If you plan to keep your service available for a long time, you might want to make a backup copy of the private_key file somewhere safe.

Be careful of localhost bypasses!
You should take very careful care to not accidentally expose things on your server that are restricted to the local machine. For example, if you provide /server-status in apache (from mod_status) to monitor the health of your apache webserver, that will typically be restricted to only allow access from 127.0.0.1, or you may have .htaccess rules that only allow localhost, etc.

There are a few ways you can solve this problem:

different machine: consider running the onion service on a different machine (real or virtual) than the actual service. This has the advantage that you can isolate the service from the onion service (a compromise of one doesn’t compromise the other) and helps with isolating potential information leaks
isolation: similarly to the above, you can also isolate tor and the service so it will run on a different network namespace than the service.
public ip: configure the onion service to connect to the public IP address of the service instead of localhost/127.0.0.1, this should make tor not pick 127.0.0.1 as the source address and avoid most misconfigurations. For example like this:
HiddenServiceDir /var/lib/tor/hidden/ftp/
HiddenServicePort 80 192.168.1.1:81
unix socket: consider using unix socket support instead of a TCP socket (requires 0.26 or later tor) – if you do this, then the onion service will be running on the same server as the service itself. With a socket approach, you should be able to run with privatenetwork=yes in systemd unit which gets you some really great isolation, for example:
HiddenServicePort 80 unix:/etc/lighttpd/unix.sock
But then the service itself needs to support unix sockets, otherwise you have to setup some socat redirection from tcp <-> unix (nginx, twisted, lighttpd all support this).

audit carefully: carefully audit, and regularly re-audit your system for configurations that allow localhost/127.0.0.1, but prohibit everywhere else and configure those to work around the problem (for example make /server-status operate on a different IP; make the webserver listen on a different port for /server-status; make it password protected, etc.).

You can make onion services require authentication to use.
If you set HiddenServiceAuthorizeClient (see man page), then it is only available for authorized clients. This will mean that you can’t even attack the service unless you break tor (or have the authorization key).
Malleshadmissionq
 
Posts: 2
Joined: Tue Feb 07, 2017 6:37 am
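
Editor's added example (not part of the quoted guide or of any poster's code): one way to do the "audit carefully" step above, scanning Apache or nginx configuration text for access rules that trust 127.0.0.1. When HiddenServicePort targets 127.0.0.1, every onion visitor arrives from that address and passes such rules. The two config samples are constructed and the function names are this example's own.

```python
import re

# Constructed sample: Apache mod_status restricted to the local machine.
SAMPLE_APACHE = """\
ServerTokens Prod
<Location "/server-status">
    SetHandler server-status
    Require local
</Location>
<Directory "/var/www/html">
    Require all granted
</Directory>
"""

# Constructed sample: nginx status page restricted to 127.0.0.1.
SAMPLE_NGINX = """\
server {
    listen 127.0.0.1:4986;
    location /nginx_status {
        stub_status;
        allow 127.0.0.1;
        deny all;
    }
}
"""

SECTION_OPEN = re.compile(
    r'^<(Location|LocationMatch|Directory|Files)\s+"?([^">]+)"?\s*>$', re.I)
SECTION_CLOSE = re.compile(r"^</(Location|LocationMatch|Directory|Files)>$", re.I)


def _is_loopback_token(word):
    return word in ("localhost", "::1") or word.startswith("127.")


def _trusts_loopback(line):
    """True if the directive grants access based on a loopback source address."""
    words = [w.lower() for w in line.rstrip(";").split()]
    if not words:
        return False
    if words[0] == "require":            # Apache 2.4 syntax
        if words[1:2] == ["local"]:
            return True
        if words[1:2] in (["ip"], ["host"]):
            return any(_is_loopback_token(w) for w in words[2:])
        return False
    if words[0] == "allow":              # Apache 2.2 "Allow from" or nginx "allow"
        args = words[2:] if words[1:2] == ["from"] else words[1:]
        return any(_is_loopback_token(w) for w in args)
    return False


def local_only_rules(conf_text):
    """Return (line number, enclosing path, directive) for loopback-trusting rules."""
    findings, stack = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        opened = SECTION_OPEN.match(line)
        if opened:                                   # Apache <Location ...>
            stack.append(opened.group(2))
        elif SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
        elif line.endswith("{"):                     # nginx block
            words = line[:-1].split()
            is_location = bool(words) and words[0] == "location"
            stack.append(words[-1] if is_location else "")
        elif line == "}":
            if stack:
                stack.pop()
        elif _trusts_loopback(line):
            scope = next((s for s in reversed(stack) if s), "(global)")
            findings.append((lineno, scope, line))
    return findings


if __name__ == "__main__":
    for name, text in (("apache", SAMPLE_APACHE), ("nginx", SAMPLE_NGINX)):
        for lineno, scope, rule in local_only_rules(text):
            print(f"{name}: line {lineno}: {scope} is reachable via the onion address ({rule})")
```

Each finding is a path to move to another listener, password-protect, or remove, as the guide's list of fixes describes.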

