Silk Road forums
Discussion => Security => Topic started by: iLegalBusinessConsultant on April 06, 2013, 01:45 pm
-
Trying to get some info about creating an onion website. Just a small personal blog.
Since I know nothing about this, if anyone would like to volunteer a dummy guide on how to create an onion blog site, I would greatly appreciate.
I do have several questions to get the conversation started
1) Can you use the same process to create an onion site as a clearnet site? Use wordpress, create a blog, upload with FTP?
2) Does Freedom Hosting, or any other onion hosting company offer simple to use control panel to create and edit an onion site?
3) What are some security issues to be aware of when publishing an onion site?
4) If I were to hire someone to create a site for me, what type of security precautions do I need to be aware of, assuming I want to keep my anonymity?
I hope the responses to this thread will be helpful not just to me, but to a large audience on SR. I think there might be a large amount of people here that would like to have a small site, whether it be commercial or just personal. I've searched all these deep web directories and found a profound lack of interesting sites in onionland. If we can get more people to put up sites, I think the deep web would be a lot more interesting. Not that the drugs on here are boring ;)
-
I know a little bit about this- its actually very simple.
You can host an onion site anywhere on any system and could even host it with a third party webhost so long as it is not a shared hosting and you have access to a real/virtual server.
You just build and run your website as you would any normal website but install TOR and add your websites home directory as a hidden service.
If you want a custom URL like Silk Road has then try a script called Shallot- it will generate a custom onion address for you and you just put the generated public key in your service directory and restart TOR.
Only security issues to watch out for is with your web server, for example Apache can occasionaly leak your real IP if certain errors occur and what not so read up on how to disable anything which could reveal information about the hardware the page is running on or your real IP.
Other than that everything is just the same as a normal website.
-
The first thing to do is to pay for a server anonymously. You will want a dedicated server for the best security. There are several hosts that accept payment in Bitcoin, Liberty Reserve, Pecunix, etc. You need to make sure that the payment is as anonymous as possible , to prevent anyone who deanonymizes the server from being able to link it to you. Most hosts also accept bank wires and/or western union, and you can use exchanger services to send payments with these services from Bitcoin etc. Also, it can never hurt if the server is offshore in a country that is not known for their cooperation with the world police, Russia is a generally good bet, Panama as well. Of course you need to register with fake information, you will also likely need to get by various systems that try to prevent anonymous registration that are in place to prevent fraud and other illegal usage. Thankfully these systems are generally easy enough to beat. You may need to answer a text send to a phone number in the country that you are pretending to be from. When I do this I just ask a friend in said country to get a burner phone for me. You also may need to hide that you are registering with Tor, this can be accomplished often times by using a free web based proxy service after your Tor circuit, many of these services change very rapidly and never get listed as proxy services in block lists. Actually obtaining the server anonymously is one of the most frustrating processes involved.
You will likely be given a choice of operating systems when you buy the server. Alternatively, and more ideally, you will buy a server with KVM over IP which will let you remotely install the OS of your choice from an ISO. It is much better for security if the server you get supports KVM over IP and lets you install the base operating system. This is also superior in that it will allow you to use FDE, set a BIOS password, etc. Anyway, in regards to the OS you select to use, there are a few choices. OpenBSD is always a good choice, but it doesn't have good virtualization software support for it, so for my example we will choose to not use it. FreeBSD is another good choice, and it supports jails which allow for isolation so if you want isolation it is a superior choice to OpenBSD. The OS that you select will have an affect on the overall security of your hidden service, and different operating systems have different benefits and disadvantages. For running everything on baremetal without virtualization, OpenBSD is the way to go. FreeBSD has jails support as well as an extensive mandatory access control system that will let you fine tune your security to a high degree, provided you take the substantial time required to learn how to use it. Hardened Gentoo is probably the best choice for a Linux OS, in addition to having many of the security features of OpenBSD, it also supports virtualization and has support for extensive mandatory access control systems. However, it is also the hardest of all previously mentioned systems to use, and if you are not already well versed in it then it will probably be extremely frustrating or impossible to use for this. So for someone who is relatively new to this sort of thing, I would suggest Debian or maybe even Ubuntu.
The first thing to do on your server is to install the operating system (if it is KVM over IP, otherwise you will be able to SSH into it right away) and setup basic things like SSH. Of course you should do all of these things over Tor. If it is KVM over IP you will want to encrypt the entire drive immediately, possibly during installation if it is supported by the OS. If it is not KVM over IP you will not be able to use FDE as you do not have access to the boot sequence. Additionally, you will want to set a BIOS password. Preferably you also get a server that has chassis intrusion detection support, in which case you will want to configure the server to shut down in the chassis is breached. This is probably an option in the BIOS settings, which you will again need to have KVM over IP to access. Now we will assume that you have the initial state of you server setup, and can SSH into it.
For security you will want to configure SSH to use RSA instead of password based authentication. Now it is time for basic hardening of the host OS, which you can do with a script such as Bastille. Also, make sure to fully update the OS so that all known security vulnerabilities are patched. The next step is to install VirtualBox. You can control VirtualBox entirley from the command line, although I am not going to get into the exact commands to use here. For your guest OS you can opt to use Debian or Ubuntu as well, although you can also opt to use OpenBSD or similar. The security of the guest OS is not going to be as much as if you ran it on baremetal, but by running it in a virtual machine you will be able to isolate successful hackers from compromising the host system as well as prevent them from obtaining the real IP address of your server. Whatever OS you choose, install it in the guest VM. Make sure that during installation the guest VM has no access to the internet.
At this point you should install Tor on the host OS. For the guest VM networking you want it to use host only routing. This creates a virtual network adapter when the VM is running, usually its default internal IP address is 192.168.56.1 . Now you need to modify your Torrc and make SocksListenAddress 192.168.56.1 or whatever it happens to be. Set SocksPort to 9100 or whatever you like that is available. Now after launching the VM you can launch Tor, and it will bind to the virtual network adapter. At this point you can configure the guest OS to route its traffic through Tor, which will likely require Privoxy or some other solution for http traffic. You will need to individually torrify all of the applications which require access to the internet. apt-get is one of these. After you have torrified apt-get (or whatever package manager) you will need to update your guest OS and make sure it is fully patched. You should also run Bastille or similar in the guest OS for general server hardening.
Now you need to install the web server. I suggest avoiding Apache and going for a smaller lighter weight alternative, Hiawatha is what I have always used and I have not had any problems with it. It also was designed with security in mind, and to be light weight. At this point there are two choices you can make, either you can use the Tor on the host for your hidden service, or you can run another instance of Tor inside the virtual machine and route its traffic out through Tor on the host. I believe that using Tor via Tor in this manner will increase your anonymity, although it isn't going to remain supported by Tor. So because Tor wants to restrict its functionality, we will use the instance of Tor running on the host. You need to bind Hiawatha to the virtual network adapters internal IP address on whatever port you want to.
Now from the host you need to configure Torrc to have the following lines:
HiddenServiceDir /some/path/to/a/folder/on/host/for/the/keys
HiddenServicePort 80 whatever.virtual.adapter.ip:port-hiawatha-listens-on
now restarting Tor should put the hidden services host name and keys at the HiddenServiceDir path. Connections to that hidden service address on port 80 (ie: the port firefox uses by default) are then redirected to the port that hiawatha in the gust VM is listening on on the virtual network adapter. At this point you should have basic hidden service functionality. Now it is time to harden things up a bit. First of all you will want to look into Suhosin for hardening your PHP up. You may also want to look into various other things such as SQL filters. You can configure whatever you want now just like a normal site, you don't really need to worry about your IP leaking either because the guest VM is incapable of sending traffic outside of Tor and it also doesn't know the hosts IP address to begin with. If an attacker compromises the site they will be stuck inside the VM , which is not good news, but it is much better than if they get to the host. There are a lot of other advanced measures you can take as well, perhaps you use SElinux or similar on the host to further isolate the guest VM for example. If you do this, the attacker will first need to pwn your hardened web server / site / guest OS, then they will need to pwn virtualbox and then they will need to pwn SElinux to get to the host. That is not in the realm of things the FBI or DEA can do, but the NSA probably can, although they don't give a flying fuck about your blog.
This is just the basic run down, the most important step IMO is to isolate the web server from Tor and your real IP address. Once you do that and have done basic hardening etc everything else is just icing on the cake really. There are almost no limits to the ends you could theoretically go to in order to maintain your servers security and anonymity, it is a spectrum that starts somewhere around using Windows Server and a remote desktop GUI and ends somewhere around writing your own mathematically formally verified system from the ground up and putting a modified version of Tor that uses ten nested entry guards between it and the rest of the world.
-
1) Can you use the same process to create an onion site as a clearnet site? Use wordpress, create a blog, upload with FTP?
Yes. A hidden service uses Tor to proxy connections, but the rest of the software stack can be exactly the same as any other web site.
2) Does Freedom Hosting, or any other onion hosting company offer simple to use control panel to create and edit an onion site?
FH offers a simple control panel with a web file manager and zip file upload/extraction. Problem is it's hard to get an invite and most people charge, but if you can get one, or are willing to pay for one, this is your best option, because all the issues with securing hidden services[1] are taken care of, and if your site gets hacked or whatever, you won't be deanonymized.
3) What are some security issues to be aware of when publishing an onion site?
In terms of software, minimalistic web servers like Lighttd are safer than big, complex ones like Apache. Static html pages are safer than scripts like PHP. If you really want to run Wordpress, make sure you read some "wordpress hardening" and "web server hardening" guides. I like to create a separate user without root/sudo privileges and make it the owner of everything in DocumentRoot, that way Wordpress can't write to files. It disables things like file uploads, but also prevents code injection attacks. There's a lot that could be said about server hardening, and you should read some detailed guides.
Or go with FH or some other onion host, who has done all that for you[2].
4) If I were to hire someone to create a site for me, what type of security precautions do I need to be aware of, assuming I want to keep my anonymity?
If you want to keep your anonymity, that's not a good idea. It sounds to me that at your level of knowledge, you should start with an onion host, instead of trying to harden your own server.
1. http://dkn255hz262ypmii.onion/index.php?topic=100998.0
2. http://3suaolltfj2xjksb.onion/hiddenwiki/index.php/Main_Page#Web_Hosting
-
BTW, what I said about static html being better than scripts, also storing data in flat files rather than using a database program like MySQL is much safer. MySQL is big target of attack. There is a blogging software that meets these requirements. It's called Flatpress. You should look into it.
-
Hi Astor. Thanks for all your great thoughts as usual. I did read through all of your posts on this thread and the one from January on the topic. I will go with your advice and go with an onion host who has done all the security and hardening for me.
So once I open up an account with an onion host, then the process to create and publish a website is pretty much the same as a clearnet site?
I'm investigating Freedom Hosting (need to find an invite at a reasonable price), torhost (it looks free), onionhosting (2.5 BTC fee is fairly expensive), Pachinco's (looks non professional but what does that matter). Do you have any suggestions? Or perhaps you are able to host :)
I basically looking for a low cost host, that is secure, that I don't have to worry about security, that can support a low bandwith and low memory blog site with text and perhaps a few simple pictures, that has an easy to use control panel, that has a easy to use editor, that has easy to use file transfers.
Thanks again, as always for the help you provide. If you ever need anything from me that I can help out with, feel free to let me know. I think you probably know what I'm good at. If not feel free to ask.
-
renton is selling FH invites on SR for $17. I suggest FH because it's a one time fee and you can easily make your money back, because you get an invite every month, which you can sell. You also get (hardened) PHP and MySQL as part of your account, whereas on Torhost you have to pay a monthly fee for those features.
I have a couple of invites but I'm saving them and would only part with them for significantly more than $17 ;)
-
Do you happen to have rentons vendor link? Thanks
-
I tried figuring this out last week... and couldnt what so ever.
Im not computer savy and feel like i had no chance...
but hopefully someone will put out an easy guide of how to for retards like me
-
The first thing to do is to pay for a server anonymously. You will want a dedicated server for the best security. There are several hosts that accept payment in Bitcoin, Liberty Reserve, Pecunix, etc. You need to make sure that the payment is as anonymous as possible , to prevent anyone who deanonymizes the server from being able to link it to you. Most hosts also accept bank wires and/or western union, and you can use exchanger services to send payments with these services from Bitcoin etc. Also, it can never hurt if the server is offshore in a country that is not known for their cooperation with the world police, Russia is a generally good bet, Panama as well. Of course you need to register with fake information, you will also likely need to get by various systems that try to prevent anonymous registration that are in place to prevent fraud and other illegal usage. Thankfully these systems are generally easy enough to beat. You may need to answer a text send to a phone number in the country that you are pretending to be from. When I do this I just ask a friend in said country to get a burner phone for me. You also may need to hide that you are registering with Tor, this can be accomplished often times by using a free web based proxy service after your Tor circuit, many of these services change very rapidly and never get listed as proxy services in block lists. Actually obtaining the server anonymously is one of the most frustrating processes involved.
You will likely be given a choice of operating systems when you buy the server. Alternatively, and more ideally, you will buy a server with KVM over IP which will let you remotely install the OS of your choice from an ISO. It is much better for security if the server you get supports KVM over IP and lets you install the base operating system. This is also superior in that it will allow you to use FDE, set a BIOS password, etc. Anyway, in regards to the OS you select to use, there are a few choices. OpenBSD is always a good choice, but it doesn't have good virtualization software support for it, so for my example we will choose to not use it. FreeBSD is another good choice, and it supports jails which allow for isolation so if you want isolation it is a superior choice to OpenBSD. The OS that you select will have an affect on the overall security of your hidden service, and different operating systems have different benefits and disadvantages. For running everything on baremetal without virtualization, OpenBSD is the way to go. FreeBSD has jails support as well as an extensive mandatory access control system that will let you fine tune your security to a high degree, provided you take the substantial time required to learn how to use it. Hardened Gentoo is probably the best choice for a Linux OS, in addition to having many of the security features of OpenBSD, it also supports virtualization and has support for extensive mandatory access control systems. However, it is also the hardest of all previously mentioned systems to use, and if you are not already well versed in it then it will probably be extremely frustrating or impossible to use for this. So for someone who is relatively new to this sort of thing, I would suggest Debian or maybe even Ubuntu.
The first thing to do on your server is to install the operating system (if it is KVM over IP, otherwise you will be able to SSH into it right away) and setup basic things like SSH. Of course you should do all of these things over Tor. If it is KVM over IP you will want to encrypt the entire drive immediately, possibly during installation if it is supported by the OS. If it is not KVM over IP you will not be able to use FDE as you do not have access to the boot sequence. Additionally, you will want to set a BIOS password. Preferably you also get a server that has chassis intrusion detection support, in which case you will want to configure the server to shut down in the chassis is breached. This is probably an option in the BIOS settings, which you will again need to have KVM over IP to access. Now we will assume that you have the initial state of you server setup, and can SSH into it.
For security you will want to configure SSH to use RSA instead of password based authentication. Now it is time for basic hardening of the host OS, which you can do with a script such as Bastille. Also, make sure to fully update the OS so that all known security vulnerabilities are patched. The next step is to install VirtualBox. You can control VirtualBox entirley from the command line, although I am not going to get into the exact commands to use here. For your guest OS you can opt to use Debian or Ubuntu as well, although you can also opt to use OpenBSD or similar. The security of the guest OS is not going to be as much as if you ran it on baremetal, but by running it in a virtual machine you will be able to isolate successful hackers from compromising the host system as well as prevent them from obtaining the real IP address of your server. Whatever OS you choose, install it in the guest VM. Make sure that during installation the guest VM has no access to the internet.
At this point you should install Tor on the host OS. For the guest VM networking you want it to use host only routing. This creates a virtual network adapter when the VM is running, usually its default internal IP address is 192.168.56.1 . Now you need to modify your Torrc and make SocksListenAddress 192.168.56.1 or whatever it happens to be. Set SocksPort to 9100 or whatever you like that is available. Now after launching the VM you can launch Tor, and it will bind to the virtual network adapter. At this point you can configure the guest OS to route its traffic through Tor, which will likely require Privoxy or some other solution for http traffic. You will need to individually torrify all of the applications which require access to the internet. apt-get is one of these. After you have torrified apt-get (or whatever package manager) you will need to update your guest OS and make sure it is fully patched. You should also run Bastille or similar in the guest OS for general server hardening.
Now you need to install the web server. I suggest avoiding Apache and going for a smaller lighter weight alternative, Hiawatha is what I have always used and I have not had any problems with it. It also was designed with security in mind, and to be light weight. At this point there are two choices you can make, either you can use the Tor on the host for your hidden service, or you can run another instance of Tor inside the virtual machine and route its traffic out through Tor on the host. I believe that using Tor via Tor in this manner will increase your anonymity, although it isn't going to remain supported by Tor. So because Tor wants to restrict its functionality, we will use the instance of Tor running on the host. You need to bind Hiawatha to the virtual network adapters internal IP address on whatever port you want to.
Now from the host you need to configure Torrc to have the following lines:
HiddenServiceDir /some/path/to/a/folder/on/host/for/the/keys
HiddenServicePort 80 whatever.virtual.adapter.ip:port-hiawatha-listens-on
now restarting Tor should put the hidden services host name and keys at the HiddenServiceDir path. Connections to that hidden service address on port 80 (ie: the port firefox uses by default) are then redirected to the port that hiawatha in the gust VM is listening on on the virtual network adapter. At this point you should have basic hidden service functionality. Now it is time to harden things up a bit. First of all you will want to look into Suhosin for hardening your PHP up. You may also want to look into various other things such as SQL filters. You can configure whatever you want now just like a normal site, you don't really need to worry about your IP leaking either because the guest VM is incapable of sending traffic outside of Tor and it also doesn't know the hosts IP address to begin with. If an attacker compromises the site they will be stuck inside the VM , which is not good news, but it is much better than if they get to the host. There are a lot of other advanced measures you can take as well, perhaps you use SElinux or similar on the host to further isolate the guest VM for example. If you do this, the attacker will first need to pwn your hardened web server / site / guest OS, then they will need to pwn virtualbox and then they will need to pwn SElinux to get to the host. That is not in the realm of things the FBI or DEA can do, but the NSA probably can, although they don't give a flying fuck about your blog.
This is just the basic run down, the most important step IMO is to isolate the web server from Tor and your real IP address. Once you do that and have done basic hardening etc everything else is just icing on the cake really. There are almost no limits to the ends you could theoretically go to in order to maintain your servers security and anonymity, it is a spectrum that starts somewhere around using Windows Server and a remote desktop GUI and ends somewhere around writing your own mathematically formally verified system from the ground up and putting a modified version of Tor that uses ten nested entry guards between it and the rest of the world.
Lot's of good info here, but for a newb this is hardly possible. I enjoyed reading it thought. We need more posts like this on SR
-
Astor's knowledge about creating your own website is definitely for advanced users. You are best advised to follow his instructions if you intend to buy your own server and host your own website. For me, and some other posters here, we're looking for a simple deep web solution to finding a hosting company, designing the website, and publishing it, all anonymously. Sort of like the deep web version of weebly. Astor has also said, for a non tech user who's looking to create a simple website, get yourself a Freedom Hosting account. You have to get an invite first. Once you open your FH account, you can user their editor to create a website and then publish. FH takes care of all the security and the anonymity. If' I'm missing anything, please chime in. My purpose in creating this thread was to get more people to build deep web sites. I check out the sites listed in the hidden wiki, and most suck or are uninteresting. I think the deep web would be more entertaining and vibrant with a greater variety of onion sites. I have so many ideas where the security and anonymity of TOR and onionland would make a great vehicle for a website to take advantage of.
-
I tried figuring this out last week... and couldnt what so ever.
Im not computer savy and feel like i had no chance...
but hopefully someone will put out an easy guide of how to for retards like me
Creating a hidden service is really easy. You basically uncomment 2 lines in the torrc. You can even create a hidden service with the Tor Browser Bundle, go to onion icon -> Settings -> Services. Of course, you'll need some actual services, like a web server, running on your computer.
The hard part is making your hidden service secure. I have a list of like 50 PHP functions that should be disabled, if you are going to use PHP, and there are many other things you can and/or should do to secure your HS, depending on what it's hosting.
-
My purpose in creating this thread was to get more people to build deep web sites. I check out the sites listed in the hidden wiki, and most suck or are uninteresting. I think the deep web would be more entertaining and vibrant with a greater variety of onion sites.
There are 4 or 5 hosting providers now, and Jediknight is doing something along those lines. That's much better than a year ago when FH was the only option.