Source: https://blog.0day.rocks/securing-a-web-hidden-service-89d935ba1c1d
Securing a web Hidden Service

Quick guide on how to preserve a .onion anonymity

x0rz, in Just another infosec blog type of thing · 4 min read · Oct 24, 2017

While browsing the darknet (Onion websites), it’s quite stunning to see the
number of badly configured Hidden Services that leak, directly or indirectly,
the underlying clearnet IP address, thus cancelling the server anonymity that
Tor Hidden Services can offer.

Here are a few rules you should consider following before setting up an
Onion-only website. This guide covers both Apache and Nginx.


1) Listen to localhost only

Don’t let anyone reach your Onion web application through the clearnet. Plain
and simple. Your web server should listen on 127.0.0.1 only, so that nothing but
the Tor daemon can connect to it. If you can’t listen on localhost (for whatever
reason), use a god damn firewall (iptables/nftables) to prevent any leak or, at
the very least, make sure the default virtual host isn’t redirecting to your
Onion application.

The reason you shouldn’t be reachable on the clearnet is scanners. Scanners
from Shodan or Censys (or even Google) constantly sweep the whole public IPv4
space (what we can call 0.0.0.0/0) and will scan and index your server as well.
You’ll be easily uncloaked if a scanner finds HTML content matching your
website, or even matching HTTP headers (see examples below).

On Apache, change /etc/apache2/ports.conf so that it contains:

Listen 127.0.0.1:80

On Nginx, add a listen statement to the server section of the
/etc/nginx/nginx.conf file:

listen 127.0.0.1:80;

There are some pitfalls to this method, but it’s the least you can do (and the
quickest way to prevent a major leak). If you’re using Apache and want to go
further, I encourage you to read Alec Muffett’s comment on that:

> Listening to “localhost” is kinda-okay because it is better than the threat
> as-described; however…
>
> See this thread for details:
> https://twitter.com/alecmuffett/status/922924914893398017

(comment on medium.com)

[Screenshots: most notorious fails]

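A quick self-check for rule 1, added here as an example and not part of the original post: it parses the kernel's /proc/net/tcp and /proc/net/tcp6 tables and reports LISTEN sockets on the web ports that are bound to anything other than loopback. The two tables below are constructed samples; on a real host feed it the contents of the two /proc files.

```python
import ipaddress
import struct

# Constructed sample in /proc/net/tcp format: a good listener (127.0.0.1:80),
# a leak (0.0.0.0:443), Tor's SocksPort on loopback and one established flow.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 1001 1 0 100 0 0 10 0
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 1002 1 0 100 0 0 10 0
   2: 0100007F:235A 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 1003 1 0 100 0 0 10 0
   3: 0100007F:0050 0100007F:9C40 01 00000000:00000000 00:00000000 00000000    33        0 1004 1 0 100 0 0 10 0
"""
# Constructed /proc/net/tcp6 sample: [::]:80 leaks, ::ffff:127.0.0.1:443 does not.
SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0050 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 2001 1 0 100 0 0 10 0
   1: 0000000000000000FFFF00000100007F:01BB 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 2002 1 0 100 0 0 10 0
"""

LISTEN = "0A"  # socket state code the kernel prints for TCP_LISTEN


def decode_proc_addr(hex_addr):
    """Decode a /proc/net/tcp{,6} address: hex 32-bit words, each little-endian."""
    raw = b"".join(struct.pack("<I", int(hex_addr[i:i + 8], 16))
                   for i in range(0, len(hex_addr), 8))
    addr = ipaddress.IPv4Address(raw) if len(raw) == 4 else ipaddress.IPv6Address(raw)
    # ::ffff:127.0.0.1 is still loopback: judge it by the embedded IPv4 address
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def non_loopback_listeners(proc_table, ports=(80, 443)):
    """Return [(address, port)] for LISTEN sockets on `ports` not bound to loopback."""
    leaks = []
    for line in proc_table.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue  # header line or a socket that is not listening
        addr_hex, port_hex = fields[1].split(":")
        port = int(port_hex, 16)
        addr = decode_proc_addr(addr_hex)
        if port in ports and not addr.is_loopback:
            leaks.append((str(addr), port))
    return leaks
```

On a live Linux box call `non_loopback_listeners(open("/proc/net/tcp").read())` and the same for /proc/net/tcp6; an empty list means rule 1 holds for ports 80 and 443.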
2) Disable directory listing

“Directory listing” or “directory indexing” is a known plague, even for clearnet
websites. OWASP considers it a common vulnerability, but given the sensitivity
of most hidden services it is simply unacceptable to leave it open on a serious
HS.

On Apache you can either disable mod_autoindex (as root, simply type
a2dismod autoindex) or add an Options -Indexes directive for your web root
directory:

<Directory /var/www/>
Options -Indexes
</Directory>

On Nginx, make sure autoindex is off in the nginx.conf file:

location / {
    autoindex off;
}

[Screenshots: most notorious fails]

3) Disable verbose signature and error reporting

This is to make sure your server has a tiny fingerprint: no specific headers or
unique version number to track you down.


3.1) Disable server-info and server-status (Apache only)

On some configurations Apache exposes /server-info and /server-status pages by
default, leaking internal data (such as the URLs requested by other users). You
can easily disable them by removing mod_info (and mod_status, which provides
/server-status) from httpd.conf, or by commenting out the
<Location /server-info> and <Location /server-status> directives in the
configuration file.


3.2) Removing the server signature

This ensures that the version of your web server and the OS name won’t leak in
the Server header or inside the default error pages (404, 500, …).

On Apache, simply add these directives to your default httpd.conf file (on
Debian 8 you can directly edit /etc/apache2/conf-enabled/security.conf):

ServerSignature Off
ServerTokens Prod

On Nginx, turn off server_tokens in nginx.conf:

http {
    server_tokens off;
}


3.3) Disable application error reporting

This depends on the backend language you’re using (PHP, NodeJS, Python, etc.); I
won’t go into the details of how to disable error reporting for each one, Google
is your friend. Most error reporting (stack traces, memory dumps, etc.) is likely
to leak your IP address or other relevant information: disable it all! FYI, this
may be how the Silk Road darknet market was taken down.

[Screenshots: most notorious fails]

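An added example (my own code, not from the post) that audits one captured HTTP response for the leaks covered by rules 1 to 3: a versioned Server header, X-Powered-By, an autoindex page, exposed mod_status output, application stack traces, the ServerSignature footer and any non-loopback IP address in the body. The two responses below are constructed; in practice pass it the headers and body curl gets back from your own service.

```python
import re

# Markers each of the fails above leaves behind (constructed for this check)
VERSIONED_SERVER = re.compile(r"^(Apache|nginx)/\d", re.I)   # e.g. "Apache/2.4.25 (Debian)"
AUTOINDEX = re.compile(r"<title>Index of /|Parent Directory", re.I)
SERVER_STATUS = re.compile(r"Apache Server Status|Apache Server Information", re.I)
STACK_TRACE = re.compile(r"Stack trace:|Traceback \(most recent call last\)|Fatal error:|at .+ \(.+\.js:\d+:\d+\)")
APACHE_SIGNATURE = re.compile(r"<address>Apache/", re.I)  # footer added by ServerSignature On
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")

# Constructed sample: a 404 from a badly configured Apache + PHP host (TEST-NET address)
BAD_HEADERS = {"Server": "Apache/2.4.25 (Debian)", "X-Powered-By": "PHP/7.0.33"}
BAD_BODY = """<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1><p>The requested URL /foo was not found on this server.</p>
<hr><address>Apache/2.4.25 (Debian) Server at 203.0.113.7 Port 80</address>
</body></html>"""
# Constructed sample: the same request after rules 1 to 3 are applied
GOOD_HEADERS = {"Server": "Apache"}
GOOD_BODY = "<html><head><title>404 Not Found</title></head><body><h1>Not Found</h1></body></html>"


def audit_response(headers, body):
    """Return a list of findings for one HTTP response (headers: dict, body: str)."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    if VERSIONED_SERVER.search(h.get("server", "")):
        findings.append(f"Server header leaks version: {h['server']}")  # ServerTokens Prod / server_tokens off
    if "x-powered-by" in h:
        findings.append(f"X-Powered-By leaks backend: {h['x-powered-by']}")
    if AUTOINDEX.search(body):
        findings.append("directory listing enabled")          # Options -Indexes / autoindex off
    if SERVER_STATUS.search(body):
        findings.append("mod_status/mod_info page exposed")   # drop the <Location /server-status> block
    if STACK_TRACE.search(body):
        findings.append("application stack trace in response")
    if APACHE_SIGNATURE.search(body):
        findings.append("ServerSignature footer in error page")
    for ip in sorted(set(IPV4.findall(body))):
        if not ip.startswith("127."):
            findings.append(f"non-loopback IP address in body: {ip}")
    return findings
```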
4) Fix your flaws

Patch your god damn server (keep it up to date), write code that isn’t shit and
riddled with SQL injections, and you should be fine. If you’re reading this
guide and learning new sysadmin tricks, my best advice is that you should
probably stay away from darknet entrepreneurship (especially darknet markets and
all forms of illegal activity online).

Apply some basic security measures such as disabling unwanted services,
respecting the principle of least privilege and compartmentalizing the different
layers of your web application. For the rest, use common sense.

If it helps, you can follow a security hardening guide to tighten your
configuration. Bonus points if you install grsecurity/PaX on your box.


5) Route only Tor traffic (advanced)

Some web applications send verification e-mails that might leak your IP
address to the recipient. This can also happen if your app tries to reach any
third party through the clearnet (bitcoin payment API, analytics, Twitter, …). To
prevent this from happening, I recommend transparently routing all outgoing
traffic through Tor. The Tor Project has a guide on how to set up a Transparent
Proxy.
TL;DR: set your firewall to deny all outgoing connections except those coming
from the Tor process.

> Keep in mind nothing is bulletproof and 0day can (or must) be part of your
> threat-model if you’re somewhat serious about anonymity.



If you liked this article, you can also buy me a coffee ☕ anytime!
Tags: Privacy, Cybersecurity, Sysadmin, Apache, Censorship