Silk Road forums

Discussion => Security => Topic started by: CityLights on July 07, 2013, 08:57 pm

Title: Hosting a server for hidden services
Post by: CityLights on July 07, 2013, 08:57 pm
I've been studying Tor for some time now and am considering building my own hidden service and eventually hosting hidden services for others. Does anybody have any experience with this? I understand the whole onion routing process very well and have read through the Tor design paper as well as the protocol specs on gitweb, but I am concerned that the server itself might leak information through error messages or some other unforeseen channel. I know configuring applications to route through Tor can lead to issues like DNS leaks but binding the server to localhost should prevent any data from being sent outside of Tor from the server. I was planning on going with Apache running on linux for the server unless anyone can recommend a better alternative. I don't have much experience with server configuration yet. Insights and advice would be appreciated, thanks.
Title: Re: Hosting a server for hidden services
Post by: Jack N Hoff on July 07, 2013, 08:59 pm
There is a free service that already offers this and it's called Freedom Hosting.  You will end up with CP on your server you're hosting for others.
Title: Re: Hosting a server for hidden services
Post by: CityLights on July 07, 2013, 09:08 pm
Quote
There is a free service that already offers this and it's called Freedom Hosting.  You will end up with CP on your server you're hosting for others.

CP?
Title: Re: Hosting a server for hidden services
Post by: astor on July 07, 2013, 09:10 pm
Quote
I know configuring applications to route through Tor can lead to issues like DNS leaks but binding the server to localhost should prevent any data from being sent outside of Tor from the server.

You'd think so, but many things could go wrong to leak your IP. Besides server misconfiguration and hacking / rooting the server, if you are running PHP or other scripting languages, malicious scripts could connect over clearnet to an attacker's server to reveal your IP. The safest configuration is this:

http://dkn255hz262ypmii.onion/index.php?topic=100998.0

But that's too expensive for the vast majority of hidden services. A better alternative is to use VMs or jails to isolate the web server and the Tor client, and route everything from the web server VM through the Tor VM, for example, so even if the server is pwned, the attacker won't find your IP (at least not easily).

Another option is to rent the server anonymously and make frequent backups. This is the "disposable server" option, where you simply drop the server and redeploy elsewhere if it is pwned. :)

Quote
I was planning on going with Apache running on linux for the server unless anyone can recommend a better alternative. I don't have much experience with server configuration yet. Insights and advice would be appreciated, thanks.

Generally, the simpler the application, in this case the web server software, the smaller the attack surface. Apache is a complex web server with a large attack surface. If you can avoid running scripts entirely, then a simple server that only serves static html would be the safest, but Nginx with minimal features would still be better than Apache.
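Added example, not part of the original posts: a socket audit for the point astor makes above, that binding to localhost only covers listeners while a script on the box can still open its own outbound clearnet connection. The `ss -tanp` sample, the process names and the documentation-range addresses are all constructed.

```python
import ipaddress

# Constructed sample of `ss -tanp` output (not taken from the thread).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*          users:(("nginx",pid=812,fd=6))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=640,fd=3))
LISTEN 0      128    [::1]:9050          [::]:*             users:(("tor",pid=701,fd=7))
ESTAB  0      0      127.0.0.1:8080      127.0.0.1:51514    users:(("nginx",pid=812,fd=9))
ESTAB  0      0      192.0.2.10:40112    198.51.100.7:443   users:(("php-fpm",pid=900,fd=5))
ESTAB  0      0      192.0.2.10:39001    203.0.113.5:9001   users:(("tor",pid=701,fd=12))
"""

def split_hostport(field):
    """Split 'host:port' or '[v6]:port' into (host, port)."""
    host, _, port = field.rpartition(":")
    return host.strip("[]"), port

def is_loopback(host):
    try:
        return ipaddress.ip_address(host.split("%")[0]).is_loopback
    except ValueError:
        return False  # '*' and similar wildcards are not loopback

def audit(ss_output, allowed_egress=("tor",)):
    """Flag listeners bound off-loopback and non-Tor processes talking off-box."""
    findings = []
    for line in ss_output.splitlines()[1:]:      # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        proc = parts[5].split('"')[1] if len(parts) > 5 and '"' in parts[5] else "?"
        lhost, _ = split_hostport(local)
        phost, _ = split_hostport(peer)
        if state == "LISTEN" and not is_loopback(lhost):
            findings.append(("exposed-listener", proc, local))
        elif state == "ESTAB" and not is_loopback(phost) and proc not in allowed_egress:
            findings.append(("direct-egress", proc, peer))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SS):
        print(finding)
```

A snapshot like this only sees connections open at the moment it is taken, so it complements the VM or jail isolation described in the post rather than replacing it.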
Title: Re: Hosting a server for hidden services
Post by: Jack N Hoff on July 07, 2013, 09:10 pm
Quote
There is a free service that already offers this and it's called Freedom Hosting.  You will end up with CP on your server you're hosting for others.

CP?

Child pornography.
Title: Re: Hosting a server for hidden services
Post by: astor on July 07, 2013, 09:24 pm
Some other points.

If you're really worried about the hidden service being identified, you should NOT run it on a VPS. Get a dedicated server. You can find low end dedis for under $50 a month these days, which should be enough to get started. Make sure you remove any backdoors, like ssh keys that the provider puts in root's authorized_keys file.

Use full disk encryption. You will have to request this feature if the provider doesn't have a way for you to load installation images and install the OS yourself.

Never connect to the hidden service directly. Create a separate hidden service for ssh and enable the HiddenServiceAuthorizeClient option in stealth mode.

Rent the server anonymously, whether or not it's disposable. The vast majority of providers don't take bitcoins, so you'll have to anonymize fiat currency. I haven't done that for years and the most popular method back then, Liberty Reserve, is gone, so you'll have to find other ways of bouncing your money through exchanges. Other people are more knowledgeable than me about that and can probably consult you in private.

And if all this is too much, then like Jack said, just get an FH invite. :)
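Added example, not part of the original posts: one way to carry out the authorized_keys check astor mentions above, by fingerprinting every key in the file and reporting any that is not on your own allowlist. The keys, comments and the `from=` option in the sample are constructed filler, and the helper names are hypothetical.

```python
import base64, hashlib, struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def _constructed_key(seed: bytes) -> str:
    """Build a well-formed ssh-ed25519 blob from filler bytes (sample data only)."""
    ktype = b"ssh-ed25519"
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", 32) + seed * 32
    return base64.b64encode(blob).decode()

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text: str, trusted: set) -> list:
    """Return (line_no, fingerprint, comment) for each key not in `trusted`."""
    unexpected = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # A leading options field (from="...", command="...") precedes the key type.
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        try:
            fp = fingerprint(tokens[idx + 1])
        except (TypeError, IndexError, ValueError):  # no type, no blob, bad base64
            unexpected.append((no, "unparseable", line[:40]))
            continue
        if fp not in trusted:
            unexpected.append((no, fp, " ".join(tokens[idx + 2:])))
    return unexpected

# Constructed sample file: one key you installed, one you did not.
MY_KEY = _constructed_key(b"\x01")
PROVIDER_KEY = _constructed_key(b"\x02")
SAMPLE = f"""# constructed sample authorized_keys
ssh-ed25519 {MY_KEY} admin@laptop
from="192.0.2.1" ssh-ed25519 {PROVIDER_KEY} provisioning@provider.example
"""
TRUSTED = {fingerprint(MY_KEY)}

if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE, TRUSTED):
        print(entry)
```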
Title: Re: Hosting a server for hidden services
Post by: kmfkewm on July 08, 2013, 10:10 am
Quote
I've been studying Tor for some time now and am considering building my own hidden service and eventually hosting hidden services for others. Does anybody have any experience with this? I understand the whole onion routing process very well and have read through the Tor design paper as well as the protocol specs on gitweb, but I am concerned that the server itself might leak information through error messages or some other unforeseen channel. I know configuring applications to route through Tor can lead to issues like DNS leaks but binding the server to localhost should prevent any data from being sent outside of Tor from the server. I was planning on going with Apache running on linux for the server unless anyone can recommend a better alternative. I don't have much experience with server configuration yet. Insights and advice would be appreciated, thanks.

The number one step you need to take to secure the server from IP leaks is running the entire thing inside of a virtual machine that is only capable of communicating with the internet via Tor, and which does not know your external IP address. If you do that it prevents all IP leaks and DNS leaks, and it also makes it a lot harder for hackers to obtain your real IP address even if they manage to root the VM with the web server in it. I consider this technique to be absolutely indispensable, especially for hidden services.

Quote
Generally, the simpler the application, in this case the web server software, the smaller the attack surface. Apache is a complex web server with a large attack surface. If you can avoid running scripts entirely, then a simple server that only serves static html would be the safest, but Nginx with minimal features would still be better than Apache.

This. Don't use Apache. Go with Nginx or Hiawatha.

Quote
Use full disk encryption. You will have to request this feature if the provider doesn't have a way for you to load installation images and install the OS yourself.

It isn't possible to use FDE on a remote server without something like KVM over IP. You need total access to the entire boot sequence. That said, using a server with KVM over IP is a great idea.

Quote
Rent the server anonymously, whether or not it's disposable. The vast majority of providers don't take bitcoins, so you'll have to anonymize fiat currency. I haven't done that for years and the most popular method back then, Liberty Reserve, is gone, so you'll have to find other ways of bouncing your money through exchanges. Other people are more knowledgeable than me about that and can probably consult you in private.

Definitely renting the server anonymously is 100% required for your security. You can still use exchangers to cash out Bitcoin to bank wires and such probably, although it has been a while since I bought a server anonymously, and since LR is gone and a lot of exchangers have been busted it might be harder these days. It was already a pain in the ass even before they busted LR, since people renting dedicated servers generally have various anti-fraud systems in place that are hard to get around while maintaining your anonymity. I am sure you can still get dedicated servers anonymously, it is just a bit of work and probably even more so now than it ever has been before.

There are a lot of other things to take into consideration as well. I mean, for the absolute ultimately secured hidden service I could write a book on the subject, but pretty much nobody goes to all of the trouble and expense required to make a hidden service as secure as humanly possible. Some steps are totally indispensable though, like running the web server isolated in a VM that doesn't know your external IP address. Check the securing hidden services thread that Astor linked to as well. 

Title: Re: Hosting a server for hidden services
Post by: kmfkewm on July 08, 2013, 10:15 am
Also it is worthwhile to mention that Jack N Hoff is correct. Your server will end up consisting of 95% child pornography sites, and it will quite likely be a high priority target of federal police and Interpol. If you don't want to host child porn you should think of a different idea for your hidden service. On the other hand, if you truly support freedom of speech, then it isn't the worst idea in the world. Just realize that you will really seriously be putting yourself at risk of going to prison for child porn distribution, just like the admin of Freedom Hosting is at risk. Freedom Hosting originally used a strategy of pretending to be completely oblivious to any of the content they host, but even that defense mechanism is probably worthless since everybody knows they are used extensively by CP sites. I think they have had like 50 different CP sites hosted by them, single ones of which have been considered some of the largest in the world.
Title: Re: Hosting a server for hidden services
Post by: CityLights on July 08, 2013, 06:38 pm
I'd rather host everything from home, at least in the early stages while I'm still learning. If I could keep everything at home long term, that would be nice, but I wouldn't mind paying for space in a datacenter if my service took off. Is my ISP likely to notice anything? I'd be starting off with completely legitimate content but I want to perfect the setup as much as practically possible so that I could graduate on to other things- not child pornography, for the record. I could get another machine to act as a gateway if that would be more secure, but what makes two separate computers better than one computer with two virtual machines? I'll run Nginx and hardened Gentoo and route through Tor twice like the Securing Hidden Services thread discussed. I'm hoping to learn how to do this myself instead of relying on Freedom Hosting. Thank you all for the responses.
Title: Re: Hosting a server for hidden services
Post by: astor on July 08, 2013, 06:52 pm
Quote
I'd rather host everything from home, at least in the early stages while I'm still learning. If I could keep everything at home long term, that would be nice, but I wouldn't mind paying for space in a datacenter if my service took off. Is my ISP likely to notice anything?

If it's a busy hidden service, they might notice more continuous up than down traffic, but it's unlikely it will be that popular.

Quote
I'd be starting off with completely legitimate content but I want to perfect the setup as much as practically possible so that I could graduate on to other things- not child pornography, for the record.

So you want to host a potentially insecure hidden service that you're using to learn security -- in your home? That seems like exactly the kind of thing you'd want an anonymous disposable server for. Actually in that case a cheap VPS would be fine.

Even if you're not hosting anything illegal, do you really want to risk someone doxing you (at least your IP) as the operator of a hidden service?

Quote
I could get another machine to act as a gateway if that would be more secure, but what makes two separate computers better than one computer with two virtual machines?

Harder to break out of a baremetal server than a VM, but a VM is probably fine.

Quote
I'll run Nginx and hardened Gentoo and route through Tor twice like the Securing Hidden Services thread discussed. I'm hoping to learn how to do this myself instead of relying on Freedom Hosting. Thank you all for the responses.

Sounds good, and you're welcome. :)