On 05/11/2019 02:33 PM, jiggytwi...@danwin1210.me wrote:
>
>> Have you read Configuring Onion Services for Tor [1]?
>>
>> [1] https://2019.www.torproject.org/docs/tor-onion-service.html.en
>>
>> Cheers,
>> ~Vasilis
>
> I had seen this before but it assumes one runs the onion on one's own
> machine. My computer is not on 24/7. Isn't there an up-to-date guide for
> running hidden services on a VPS?
It's not fundamentally that different. And what's different is more about VPS security than about Tor. I'm not up for writing a complete guide right now. But I'll share some points, which you can fill in through searching. They apply to Debian x64.

First, if you want your onion service to be ~anonymous, you must not provide any real contact information, and you must do everything via Tor. That basically means paying with well-mixed Bitcoin. To avoid leaks locally, it's prudent to work in Whonix. You'll need to log in to your VPS via Tor, and that's safer using Whonix than just torsocks.

It's best to use VPS providers that don't require contact information. CockBox is a good one, not too expensive, and quite Tor friendly. BitHost (a DO reseller) is OK, but too expensive, and isn't so Tor friendly. I've also had good service from a few VPS providers that do require contact information, but don't verify. Such as VPS.BG and HostSailor.

Second, once you have your VPS, you SSH to it via Tor. Before doing anything else, change the root password, and create a user account. Then configure SSH for key-based login as user. Because if someone steals your private key, and logs in, at least they won't have root privileges. There are many guides for that, so I won't make another here. I do note that "ssh-keygen" by default creates 2048-bit RSA keys, and that many swear by longer keys, and other algorithms (such as AES).

Also, set "PasswordAuthentication no" in "/etc/ssh/sshd_config". And if you decide to SSH login as root, also set "PermitRootLogin prohibit-password". Then restart SSH ("systemctl restart ssh") and test with another SSH login before disconnecting the existing one.

Now install the latest Tor release, and upgrade the system. See https://2019.www.torproject.org/docs/debian.html.en, and also install "iptables-persistent". Then "apt-get -y dist-upgrade", and reboot. Then set up Tor.
The Tor Project guide for onion services is a little confusing, because it covers Windows, MacOS and Linux. So also see https://github.com/torproject/tor/blob/master/src/config/torrc.sample.in for a sample torrc. In Linux, "@LOCALSTATEDIR@" is typically "/var". By default, Tor now creates v3 onion services. If you want a v2 onion service, you must specify that, as the guide shows (Step Four).

Now set up iptables, in iptables-persistent, to make sure that your onion service doesn't leak in clearnet. Do "ip a" to get your interface name, and use that instead of "eth0" in the rules below. Do "id -u debian-tor" to get Tor's UID, and use that instead of "107" in the rules below. Unless you have good reason not to, block all IPv6 traffic. For IPv4, allow only SSH in, and only Tor out. Plus related established connections.

# nano /etc/iptables/rules.v6
| *filter
|
| :INPUT DROP [0:0]
| :FORWARD DROP [0:0]
| :OUTPUT DROP [0:0]
|
| COMMIT

# ip6tables-restore < /etc/iptables/rules.v6

# nano /etc/iptables/test-rules.v4
| *filter
|
| :INPUT DROP [0:0]
| :FORWARD DROP [0:0]
| :OUTPUT DROP [0:0]
|
| -A INPUT -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
| -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
| -A INPUT -m conntrack --ctstate INVALID -j DROP
| -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
| -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
| -A INPUT -j DROP
|
| -A FORWARD -j DROP
|
| -A OUTPUT -o lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
| -A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
| -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
| -A OUTPUT -o eth0 -m owner --uid-owner 107 -j ACCEPT
| -A OUTPUT -j DROP
|
| COMMIT

# iptables-restore < /etc/iptables/test-rules.v4

Now verify that you can still SSH in, from a new local terminal.
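The two hand-substitutions above (interface name for "eth0", Tor's UID for "107") are the easiest place to slip, and a wrong UID silently reopens clearnet egress for every other process. The script below is an added example, not part of the original post: it renders the same rule files with the values filled in, checks the rendered IPv4 set before it is loaded, and audits listening sockets so you can confirm only sshd is reachable on the public address. The function names, the RENDER variable and the sample "ss -Hltn" output are my own; the file paths are the iptables-persistent defaults the post uses.

```shell
#!/bin/sh
# Added example (not from the original post). Renders the IPv4/IPv6 rule files
# from the thread with the real interface name and Tor UID, sanity-checks the
# result, and audits TCP listeners for anything bound to a non-loopback address.

# Render the IPv4 ruleset: only SSH in on the public interface, only Tor out.
# $1 = interface name (what the post has you read from "ip a"),
# $2 = Tor's UID (what the post has you read from "id -u debian-tor").
render_rules_v4() {
    iface="$1"
    tor_uid="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ${iface} -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -j DROP
-A OUTPUT -o lo -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o ${iface} -m owner --uid-owner ${tor_uid} -j ACCEPT
-A OUTPUT -j DROP
COMMIT
EOF
}

# Render the IPv6 ruleset: drop everything, as the post recommends.
render_rules_v6() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
EOF
}

# Check a rendered IPv4 ruleset before loading it: default-DROP policies,
# SSH accepted only on the given interface, and exactly one UID allowed out
# (any second --uid-owner rule would be another clearnet egress path).
check_rules_v4() {
    rules="$1"; iface="$2"; tor_uid="$3"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP'  || return 1
    printf '%s\n' "$rules" | grep -q '^:OUTPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- "^-A INPUT -i ${iface} -p tcp -m tcp --dport 22 -j ACCEPT\$" || return 1
    printf '%s\n' "$rules" | grep -q -- "^-A OUTPUT -o ${iface} -m owner --uid-owner ${tor_uid} -j ACCEPT\$" || return 1
    n="$(printf '%s\n' "$rules" | grep -c -- '--uid-owner')"
    [ "$n" -eq 1 ] || return 1
    return 0
}

# Audit listeners: read "ss -Hltn" output on stdin and print every TCP listener
# not bound to loopback. Once the web server listens on 127.0.0.1 only,
# sshd on port 22 should be the only line printed.
find_public_listeners() {
    while read -r state _recvq _sendq laddr _peer _rest; do
        [ "$state" = LISTEN ] || continue
        addr="${laddr%:*}"          # strip the ":port" suffix
        case "$addr" in
            127.*|'[::1]') ;;       # loopback: fine
            *) printf '%s\n' "$laddr" ;;
        esac
    done
}

# Constructed sample of "ss -Hltn" output (not captured from a real host).
SAMPLE_SS='LISTEN 0 128 127.0.0.1:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9050 0.0.0.0:*
LISTEN 0 128 [::1]:80 [::]:*'

# On the VPS, as root: RENDER=1 sh render-rules.sh > /etc/iptables/test-rules.v4
# (RENDER is a hypothetical guard so that sourcing this file runs nothing.)
if [ "${RENDER:-0}" = 1 ]; then
    iface="$(ip -o -4 route show default | awk '{print $5; exit}')"
    tor_uid="$(id -u debian-tor)"
    rules="$(render_rules_v4 "$iface" "$tor_uid")"
    check_rules_v4 "$rules" "$iface" "$tor_uid" || { echo "rule check failed" >&2; exit 1; }
    printf '%s\n' "$rules"
fi
```

Load the rendered file with "iptables-restore" exactly as the post describes, and keep the existing SSH session open until a second login succeeds; afterwards "ss -Hltn | sh -c '. ./render-rules.sh; find_public_listeners'" should print nothing but the SSH socket.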
If you can, rename /etc/iptables/test-rules.v4 as /etc/iptables/rules.v4

# mv /etc/iptables/rules.v4 /etc/iptables/open-rules.v4
# mv /etc/iptables/test-rules.v4 /etc/iptables/rules.v4

You could also create an SSH onion service, and log in using that, instead of Tor exit to clearnet SSH port. That increases login anonymity. But blocking clearnet SSH entirely in iptables is risky. Because if something goes wrong with Tor setup in the VPS, you'll be unable to log in. And so you'll need to redo the VPS from scratch.

Anyway, then install nginx (not apache) and change the listen address from 0.0.0.0 to 127.0.0.1

# nano /etc/nginx/sites-enabled/default
| ...
|
| # Default server configuration
| #
| server {
|     listen 127.0.0.1:80 default_server;
| ...

That should about do it. In creating your site, don't use any third-party resources, and keep it simple. Static sites are most secure, and load much faster. Scripts and databases provide more features, but are risky unless you know what you're doing.

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk