I've just been thinking about how I will block everything and still have
Tor. I will have Tor on the NAT and have it accept connections from the
hidden server, and users can make outgoing connections through Tor only
using socat. Thinking about it, the server will simply have no Internet
and the only port it will be able to access is Tor.

I think that solves it.

> On Thu, 2013-04-18 at 22:35 +0000, fek...@tormail.org wrote:
>> I want to create a Tor hidden server, which people SSH into over Tor.
>> Users could discover the IP server by running traceroute. To stop this I
>> have added a simple rule to pf.conf based off "helping traceroute".
>> Otherwise they could just build or run their own binary traceroute.
>
> Doesn't traceroute need to be setuid root to work?
>
> $ ls -l `which traceroute`
> -r-sr-xr-x  1 root  bin  189176 Aug  1  2012 /usr/sbin/traceroute
>
> Though, honestly, traceroute is the least of your problems, read on...
>
>> Is there anything else I should take into consideration when trying to
>> prevent a server from being discovered? The server will be behind a NAT
>> with only a LAN address.
>
> ping, ifconfig, lynx or for that matter most web browsers (that can be
> used to browse to sites like ipchicken.com or whatismyip.com). Unless,
> of course, you are careful to either only allow outbound connections via
> Tor (difficult but possible), or not allow outside Internet connectivity
> at all (easier but may well defeat the purpose of what you're trying to
> do).
>
> --
> Shawn K. Quinn <skqu...@rushpost.com>
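
The setup described in the top reply (server with no Internet access, reachable only from Tor on the NAT box, outbound only to Tor) can be expressed as a default-deny pf ruleset on the hidden server. This is an added example, not configuration posted by anyone in the thread; the interface name, the addresses, and the assumption that Tor's SOCKS listener is bound to the gateway's LAN address are all constructed for illustration.

```pf
# /etc/pf.conf on the hidden server (added example, constructed values)
int_if     = "em0"          # assumed LAN interface of the hidden server
tor_gw     = "192.168.1.1"  # assumed LAN address of the NAT box running Tor
ssh_port   = "22"           # sshd port that the hidden service points at
socks_port = "9050"         # Tor's default SocksPort, assumed bound to $tor_gw

set skip on lo

# Default deny in both directions, IPv4 and IPv6. This also drops the
# UDP/ICMP probes used by traceroute and ping, whether sent by the system
# binaries or by a binary a user built themselves.
block log all

# Inbound: only Tor on the gateway may open connections to sshd.
pass in on $int_if inet proto tcp from $tor_gw to ($int_if) port $ssh_port

# Outbound: only TCP to Tor's SOCKS listener (e.g. via socat).
# No direct DNS, HTTP, ICMP or UDP leaves the box.
pass out on $int_if inet proto tcp from ($int_if) to $tor_gw port $socks_port
```

The ruleset can be syntax-checked without loading it using `pfctl -nf /etc/pf.conf`; blocked attempts are visible on the `pflog0` interface because of `block log`.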
