« on: April 06, 2013, 03:18 pm »
The first thing to do is to pay for a server anonymously. You will want a dedicated server for the best security. There are several hosts that accept payment in Bitcoin, Liberty Reserve, Pecunix, etc. You need to make sure that the payment is as anonymous as possible, to prevent anyone who deanonymizes the server from being able to link it to you. Most hosts also accept bank wires and/or Western Union, and you can use exchanger services to send payments with these services from Bitcoin etc. Also, it can never hurt if the server is offshore in a country that is not known for its cooperation with the world police; Russia is a generally good bet, Panama as well. Of course you need to register with fake information; you will also likely need to get by various systems that try to prevent anonymous registration that are in place to prevent fraud and other illegal usage. Thankfully these systems are generally easy enough to beat. You may need to answer a text sent to a phone number in the country that you are pretending to be from. When I do this I just ask a friend in said country to get a burner phone for me. You also may need to hide that you are registering with Tor; this can often be accomplished by using a free web based proxy service after your Tor circuit, as many of these services change very rapidly and never get listed as proxy services in block lists. Actually obtaining the server anonymously is one of the most frustrating processes involved.
You will likely be given a choice of operating systems when you buy the server. Alternatively, and more ideally, you will buy a server with KVM over IP, which will let you remotely install the OS of your choice from an ISO. It is much better for security if the server you get supports KVM over IP and lets you install the base operating system. This is also superior in that it will allow you to use FDE, set a BIOS password, etc. Anyway, in regards to the OS you select to use, there are a few choices. OpenBSD is always a good choice, but it doesn't have good virtualization software support, so for my example we will choose to not use it. FreeBSD is another good choice, and it supports jails, which allow for isolation, so if you want isolation it is a superior choice to OpenBSD. The OS that you select will have an effect on the overall security of your hidden service, and different operating systems have different benefits and disadvantages. For running everything on bare metal without virtualization, OpenBSD is the way to go. FreeBSD has jails support as well as an extensive mandatory access control system that will let you fine tune your security to a high degree, provided you take the substantial time required to learn how to use it. Hardened Gentoo is probably the best choice for a Linux OS; in addition to having many of the security features of OpenBSD, it also supports virtualization and has support for extensive mandatory access control systems. However, it is also the hardest of all previously mentioned systems to use, and if you are not already well versed in it then it will probably be extremely frustrating or impossible to use for this. So for someone who is relatively new to this sort of thing, I would suggest Debian or maybe even Ubuntu.
The first thing to do on your server is to install the operating system (if it is KVM over IP; otherwise you will be able to SSH into it right away) and set up basic things like SSH. Of course you should do all of these things over Tor. If it is KVM over IP you will want to encrypt the entire drive immediately, possibly during installation if it is supported by the OS. If it is not KVM over IP you will not be able to use FDE, as you do not have access to the boot sequence. Additionally, you will want to set a BIOS password. Preferably you also get a server that has chassis intrusion detection support, in which case you will want to configure the server to shut down if the chassis is breached. This is probably an option in the BIOS settings, which you will again need to have KVM over IP to access. Now we will assume that you have the initial state of your server set up, and can SSH into it.
For security you will want to configure SSH to use RSA instead of password based authentication. Now it is time for basic hardening of the host OS, which you can do with a script such as Bastille. Also, make sure to fully update the OS so that all known security vulnerabilities are patched. The next step is to install VirtualBox. You can control VirtualBox entirely from the command line, although I am not going to get into the exact commands to use here. For your guest OS you can opt to use Debian or Ubuntu as well, although you can also opt to use OpenBSD or similar. The security of the guest OS is not going to be as strong as if you ran it on bare metal, but by running it in a virtual machine you will be able to isolate successful hackers from compromising the host system as well as prevent them from obtaining the real IP address of your server. Whatever OS you choose, install it in the guest VM. Make sure that during installation the guest VM has no access to the internet.
At this point you should install Tor on the host OS. For the guest VM networking you want it to use host only routing. This creates a virtual network adapter when the VM is running; usually its default internal IP address is 192.168.56.1. Now you need to modify your torrc and make SocksListenAddress 192.168.56.1 or whatever it happens to be. Set SocksPort to 9100 or whatever you like that is available. Now after launching the VM you can launch Tor, and it will bind to the virtual network adapter. At this point you can configure the guest OS to route its traffic through Tor, which will likely require Privoxy or some other solution for HTTP traffic. You will need to individually torrify all of the applications which require access to the internet. apt-get is one of these. After you have torrified apt-get (or whatever package manager) you will need to update your guest OS and make sure it is fully patched. You should also run Bastille or similar in the guest OS for general server hardening.
Now you need to install the web server. I suggest avoiding Apache and going for a smaller, lighter weight alternative; Hiawatha is what I have always used and I have not had any problems with it. It also was designed with security in mind, and to be light weight. At this point there are two choices you can make: either you can use the Tor on the host for your hidden service, or you can run another instance of Tor inside the virtual machine and route its traffic out through Tor on the host. I believe that using Tor via Tor in this manner will increase your anonymity, although it isn't going to remain supported by Tor. So because Tor wants to restrict its functionality, we will use the instance of Tor running on the host. You need to bind Hiawatha to the virtual network adapter's internal IP address on whatever port you want to.
Now from the host you need to configure torrc to have the following lines:
HiddenServiceDir /some/path/to/a/folder/on/host/for/the/keys
HiddenServicePort 80 whatever.virtual.adapter.ip:port-hiawatha-listens-on
Now restarting Tor should put the hidden service's host name and keys at the HiddenServiceDir path. Connections to that hidden service address on port 80 (i.e. the port Firefox uses by default) are then redirected to the port that Hiawatha in the guest VM is listening on, on the virtual network adapter. At this point you should have basic hidden service functionality. Now it is time to harden things up a bit. First of all you will want to look into Suhosin for hardening your PHP up. You may also want to look into various other things such as SQL filters. You can configure whatever you want now just like a normal site; you don't really need to worry about your IP leaking either, because the guest VM is incapable of sending traffic outside of Tor and it also doesn't know the host's IP address to begin with. If an attacker compromises the site they will be stuck inside the VM, which is not good news, but it is much better than if they get to the host. There are a lot of other advanced measures you can take as well; perhaps you use SELinux or similar on the host to further isolate the guest VM, for example. If you do this, the attacker will first need to pwn your hardened web server / site / guest OS, then they will need to pwn VirtualBox, and then they will need to pwn SELinux to get to the host. That is not in the realm of things the FBI or DEA can do, but the NSA probably can, although they don't give a flying fuck about your blog.
This is just the basic run down; the most important step IMO is to isolate the web server from Tor and your real IP address. Once you do that and have done basic hardening etc., everything else is just icing on the cake really. There are almost no limits to the ends you could theoretically go to in order to maintain your server's security and anonymity; it is a spectrum that starts somewhere around using Windows Server and a remote desktop GUI and ends somewhere around writing your own mathematically formally verified system from the ground up and putting a modified version of Tor that uses ten nested entry guards between it and the rest of the world.
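The host-side torrc layout described in the post (SOCKS listener bound to the host-only adapter, HiddenServicePort forwarding into the guest) is easy to get subtly wrong: a SOCKS port left on 127.0.0.1 is unreachable from the guest, one bound to 0.0.0.0 is exposed on every interface, and a HiddenServicePort target of 127.0.0.1 points at the host rather than the VM. The checker below is an added example, not the poster's own tooling; it assumes VirtualBox's default host-only network 192.168.56.0/24, a constructed guest address 192.168.56.101, and accepts both the SocksListenAddress form used in the post and the `SocksPort addr:port` form that newer Tor releases use.

```python
"""Lint a host-side torrc for the VM-isolated hidden service layout."""
import ipaddress

# VirtualBox host-only network (assumption: the default /24 from the post).
HOST_ONLY_NET = ipaddress.ip_network("192.168.56.0/24")
LOOPBACK = ipaddress.ip_address("127.0.0.1")


def parse_torrc(text):
    """Yield (option, value) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, val = line.partition(" ")
            yield key, val.strip()


def _addr_part(value, default):
    """IPv4 in 'addr:port', 'addr' or 'port'; a bare port means `default`."""
    host, sep, _port = value.rpartition(":")
    try:
        return ipaddress.ip_address(host if sep else value)
    except ValueError:
        return default


def check_torrc(text):
    """Return a list of findings; an empty list means the layout matches."""
    findings, socks_addr, have_dir = [], None, False
    for key, val in parse_torrc(text):
        if key == "SocksListenAddress":           # legacy form from the post
            socks_addr = _addr_part(val, LOOPBACK)
        elif key == "SocksPort":                  # 'port' or 'addr:port [flags]'
            socks_addr = _addr_part(val.split()[0], socks_addr or LOOPBACK)
        elif key == "HiddenServiceDir":
            have_dir = True
        elif key == "HiddenServicePort":          # 'virtport [target]'
            if not have_dir:
                findings.append("HiddenServicePort before any HiddenServiceDir")
            parts = val.split()
            target = _addr_part(parts[1], LOOPBACK) if len(parts) > 1 else LOOPBACK
            if target not in HOST_ONLY_NET:
                findings.append(f"HiddenServicePort target {target} is not the guest on the host-only network")
    if socks_addr is None:
        findings.append("no SocksPort configured; the guest has no way out through Tor")
    elif socks_addr not in HOST_ONLY_NET:
        findings.append(f"SOCKS listener {socks_addr} is not the host-only adapter address")
    if not have_dir:
        findings.append("no HiddenServiceDir configured")
    return findings
```

Run `check_torrc(open("/etc/tor/torrc").read())` on the host after editing torrc; an empty list means the SOCKS listener and the hidden service forward both sit on the host-only network.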