Andy Greenberg of WIRED reports that the FBI has finally revealed how it allegedly located the server on which Silk Road was hosted, and it didn't require parallel construction. http://www.wired.com/2014/09/the-fbi-finally-says-how-it-legally-pinpointed-silk-roads-server
It was a security fail.
According to FBI agent Christopher Tarbell, as related by Greenberg: "They found a misconfiguration in an element of the Silk Road login page, which revealed its internet protocol (IP) address and thus its physical location... And when they entered that IP address directly into a browser, the Silk Road's CAPTCHA prompt appeared."
While I can only speculate about what leaked the IP address in the first place, here are a few suggestions for avoiding the second problem (a hidden service that also answers on its public IP), which should make your .onions slightly more secure.
First off, the webserver never should have responded to HTTP requests on the server's public IP address. The only connections it should accept are those arriving from the local Tor daemon, which the HiddenServicePort line in torrc (HiddenServicePort 80 127.0.0.1:80) points at the webserver's port 80 on the loopback interface. Two iptables rules suffice: accept port 80 on lo, then drop it on every other interface, not just eth0. Repeat the pair with ip6tables if the box has an IPv6 address, since a socket bound to [::] answers there too:
# Rules are evaluated top-down: accept loopback first, then drop port 80
# arriving on any other interface (eth0, but also any extra NIC or VLAN).
iptables -A INPUT -i lo -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
In addition, Apache itself should listen on localhost (127.0.0.1) only, never on * or 0.0.0.0. This is controlled by the Listen directive in ports.conf (Listen 127.0.0.1:80 instead of a bare Listen 80, which binds every address) and by the address given in each VirtualHost definition. After restarting, confirm with ss -ltn (or netstat -ltn) that nothing on port 80 is bound to 0.0.0.0, * or [::].
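As an added example (not part of the original gist), here is a small POSIX sh script that turns the two checks above into something you can run from cron. It emits the loopback-only firewall rules for a list of ports (iptables and ip6tables, dropping on every interface rather than only eth0) and audits ss -ltn output for any listener on those ports that is bound to a routable address. The function names, the port list and the sample ss output are this example's own; on a real host run ss -ltn | exposed_listeners "80 443" (the function skips the header line itself).

```sh
#!/bin/sh
# Added example (not the gist's code): audit and firewall helpers for a
# hidden service that must answer only on loopback. Function and variable
# names are this example's own.

# loopback_only_rules "80 443": print iptables and ip6tables rules that accept
# the given TCP ports on lo and drop them on every other interface. Piping the
# output to sh applies them; printing first lets you review them.
loopback_only_rules() {
    for p in $1; do
        for fw in iptables ip6tables; do
            echo "$fw -A INPUT -i lo -p tcp --dport $p -j ACCEPT"
            echo "$fw -A INPUT -p tcp --dport $p -j DROP"
        done
    done
}

# exposed_listeners "80 443" < ss-output: read the output of `ss -ltn` (header
# optional) and print every listener on one of the given ports whose local
# address is not loopback. Exit status is 1 if any such listener exists, so
# the function can gate a cron alert or a deployment check.
exposed_listeners() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        $1 == "State" { next }                  # header line from ss
        {
            local = $4                          # e.g. 127.0.0.1:80, *:443, [::]:80
            port = local; sub(/.*:/, "", port)
            addr = local; sub(/:[^:]*$/, "", addr)
            if (!(port in w)) next
            if (addr == "127.0.0.1" || addr == "[::1]" || addr ~ /^127\./) next
            print local
            found = 1
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample of `ss -ltn` output: Apache correctly on loopback for
# port 80, but a stray TLS listener bound to every address.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:80       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    *:443              *:*
LISTEN 0      128    [::1]:9050         [::]:*'

echo "Firewall rules to apply:"
loopback_only_rules "80 443"
echo
if printf '%s\n' "$SAMPLE_SS" | exposed_listeners "80 443"; then
    echo "OK: ports 80/443 listen on loopback only"
else
    echo "EXPOSED: the listeners above answer on a routable address"
fi
```

Run against the constructed sample it prints *:443 and exits 1; against a host where both ports sit on 127.0.0.1 it prints nothing and exits 0, which is what a cron wrapper should key on.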
Secondly, here's an example script that you can put in a nightly cron job. It maintains an .htaccess file for Apache that allows traffic from known Tor exit nodes only, as published by check.torproject.org's bulk exit list, and denies everything else. Treat it as a second layer behind the firewall rather than a replacement for it: requests that arrive through your own hidden service come from the Tor daemon on 127.0.0.1, never from an exit node, so this allowlist only narrows who can reach whatever is still answering on the public address. You'll have to set the two variables for the DocumentRoot and the server's public IPv4 address.
docroot=/var/www/html ipaddress=203.0.113.10   # set to your DocumentRoot and public IPv4 address (placeholders)
# Remove last night's block, then append a fresh one between matching markers (an empty download leaves only "Deny from all" in force)
sed -i '/^# TOR-ALLOW-BLOCK$/,/^# END-TOR-ALLOW-BLOCK$/d' "$docroot/.htaccess"
{ echo '# TOR-ALLOW-BLOCK'; wget -q "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=$ipaddress&port=80" -O - | sed '/^#/d; /^$/d; s/^/Allow from /'; echo '# END-TOR-ALLOW-BLOCK'; } >> "$docroot/.htaccess"
You also need to create the .htaccess file first and populate it with these lines. They are the Apache 2.2-style access directives (on Apache 2.4 they come from mod_access_compat, and the native equivalents are Require all denied and Require ip), and the directory's main config must have AllowOverride Limit or AllowOverride All, or the .htaccess file is silently ignored:
Order deny,allow
Deny from all
Allow from 127.0.0.1
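As an added example (not the gist's script), here is a sh version of the same nightly job with its fragile pieces made explicit: the exit-list response is read from stdin, so the logic can be tested offline and a failed download yields an empty block rather than a broken file; every line is validated as an IPv4 dotted quad before it becomes an Allow directive; and the marked block is replaced in place through a temp file and mv so Apache never reads a half-written .htaccess. The marker names, function names and the sample list are this example's own; in production pipe in wget -qO- on the TorBulkExitList URL from the script above.

```sh
#!/bin/sh
# Added example (not the gist's script): regenerate the Tor-exit allowlist in
# an .htaccess file idempotently. Names below are this example's own.

BEGIN_MARK='# TOR-ALLOW-BLOCK'
END_MARK='# END-TOR-ALLOW-BLOCK'

# exit_list_to_allow < exit-list: turn a TorBulkExitList-style response into
# "Allow from A.B.C.D" lines. Comment and blank lines are skipped, and any
# token that is not a valid IPv4 dotted quad is dropped rather than written
# into the Apache config unvalidated.
exit_list_to_allow() {
    awk '
        /^#/ || /^[ \t]*$/ { next }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n = split($1, o, ".")
            ok = 1
            for (i = 1; i <= n; i++) if (length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
            if (ok) print "Allow from " $1
        }'
}

# update_htaccess FILE < allow-lines: remove the old marked block from FILE
# (if any) and append a new one containing stdin, writing through a temp
# file so the swap is atomic. An empty stdin still writes the markers, which
# leaves "Deny from all" as the only rule in force.
update_htaccess() {
    file="$1"
    tmp="$file.tmp.$$"
    {
        awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
            $0 == b { skip = 1; next }
            $0 == e { skip = 0; next }
            !skip' "$file"
        printf '%s\n' "$BEGIN_MARK"
        cat
        printf '%s\n' "$END_MARK"
    } > "$tmp" && mv "$tmp" "$file"
}

# Constructed sample response: two comment lines, two good exits, a blank
# line, junk, and an address with an out-of-range octet.
SAMPLE_EXIT_LIST='# This is a list of all Tor exit nodes (constructed sample)
# that can contact 203.0.113.10 on port 80
198.51.100.7
203.0.113.44

not-an-ip
203.0.113.999'

# Stand-alone demo on a scratch file: the second run replaces, not appends.
demo=$(mktemp)
printf 'Order deny,allow\nDeny from all\nAllow from 127.0.0.1\n' > "$demo"
printf '%s\n' "$SAMPLE_EXIT_LIST" | exit_list_to_allow | update_htaccess "$demo"
printf '%s\n' "$SAMPLE_EXIT_LIST" | exit_list_to_allow | update_htaccess "$demo"
cat "$demo"
rm -f "$demo"
```

Because the Deny/Allow base lines live outside the markers, a download failure or an empty list shrinks the allowlist to loopback only, which is the fail-closed direction for a hidden service.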
These simple measures would have ensured that the Silk Road website answered only on the loopback address the hidden service forwards to, so it could not have been fetched by simply pointing a browser at the server's public IP; the exit-node allowlist adds a second layer in case the firewall or the Listen directive is ever misconfigured.
Why does Apache need to receive requests directly from Tor nodes? That's insane, it breaks the security model of Tor hidden services. What you should do is only allow outbound packets from a "tor" user on the system to go to Tor nodes, and deny any other outbound (other than ntp, dhcp, optionally dns, etc). That way only the Tor client can reach Tor nodes, and anything running under the www-user (apache, and below that php and whatnot), can only reach the Tor proxy on loopback. That is the most ideal scenario in my opinion. Aside from doing all of your administration via Tor, and purchasing these servers via Tor, and with Bitcoin that you earn from work done over Tor!
Whether you're LEO or someone with good intentions, your little 5 minute gist here is putting lazy hidden service operators in harm's way, the same harm that the Silkroad was in, and maybe that's a bloody good thing.
@0a92372470bffa2b there are many more ideal scenarios and additional measures, from what you said to the use of VMs and containers; I am not putting anyone "in harm's way" by listing something basic that all THS operators need to remember when they do setup, that's totally ridiculous. I am offering the script only because it was opportune, but you should explain how it "breaks the security model". Defense in depth is the best approach.