@ageis
Last active October 2, 2022 11:32
Making Tor Hidden Services Slightly More Secure
Andy Greenberg of WIRED reports that the FBI has finally revealed how they allegedly located the server on which Silk Road was hosted, and it didn't require parallel construction. http://www.wired.com/2014/09/the-fbi-finally-says-how-it-legally-pinpointed-silk-roads-server
It was a security fail.
According to FBI agent Christopher Tarbell, as related by Greenberg: "They found a misconfiguration in an element of the Silk Road login page, which revealed its internet protocol (IP) address and thus its physical location... And when they entered that IP address directly into a browser, the Silk Road's CAPTCHA prompt appeared."
While I can only speculate about what gave away the IP address, here are a few suggestions for avoiding the latter problem, which should make your .onions slightly more secure.
First off, the webserver never should have responded to HTTP requests on the server's IP address. Only traffic which comes through the Tor hidden service, which connects to the webserver's port 80 on the loopback interface, should have been allowed. Some iptables rules would have sufficed:
iptables -A INPUT -i eth0 -p tcp --dport 80 -j DROP
iptables -A INPUT -i lo -p tcp --dport 80 -j ACCEPT
In addition, Apache itself should listen for connections on localhost (127.0.0.1) only, not * or 0.0.0.0. This is controlled in the VirtualHost definition, or the Listen directive of ports.conf:
Listen 127.0.0.1:80
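A check for the two settings above, as an added example that is not part of the gist: it audits a host for exactly the fault described, a web server answering on its public IP instead of loopback only. The sample `ss -lnt` output and Apache config are constructed for the demonstration; on a live host you would pipe in the real ones.

```sh
#!/bin/sh
# Added example (not from the gist): audit a host for the fault described
# above, a web server reachable on its public IP instead of loopback only.
# Check 1 reads `ss -lnt` output, check 2 reads Apache's Listen directives.

# stdin: `ss -lnt` text. Prints each port-80/443 listener not bound to
# 127.0.0.1 or [::1]; returns 1 if any were found, 0 otherwise.
audit_listeners() {
    awk '{
        sock = $4                        # Local Address:Port column
        n = match(sock, /:[0-9]+$/)      # split at the LAST colon (IPv6 safe)
        if (n == 0) next                 # header line or unexpected format
        addr = substr(sock, 1, n - 1)
        port = substr(sock, n + 1)
        if (port != "80" && port != "443") next
        if (addr == "127.0.0.1" || addr == "[::1]") next
        print sock
        bad = 1
    }
    END { if (bad) exit 1 }'
}

# stdin: Apache config text. Prints each Listen directive not pinned to a
# loopback address (e.g. "Listen 80", "Listen *:80", "Listen 0.0.0.0:80").
audit_listen_directives() {
    awk 'tolower($1) == "listen" {
        if ($2 ~ /^127\.0\.0\.1:[0-9]+$/ || $2 ~ /^\[::1\]:[0-9]+$/) next
        print
        bad = 1
    }
    END { if (bad) exit 1 }'
}

# Constructed sample input (not captured from a real host): one loopback-only
# listener, two that expose the site on every interface, and sshd.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:80        0.0.0.0:*
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*
LISTEN 0      128    [::]:80             [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
SAMPLE_CONF='Listen 127.0.0.1:80
Listen 0.0.0.0:443
Listen 80'

# On a live host pipe `ss -lnt` and the real ports.conf in instead of the samples.
printf '%s\n' "$SAMPLE_SS"   | audit_listeners         || echo "^ exposed listeners"
printf '%s\n' "$SAMPLE_CONF" | audit_listen_directives || echo "^ non-loopback Listen"
```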
Secondly, here's an example script that you can put in a nightly cron job, which will update the .htaccess file for Apache so that it allows traffic from known Tor exit nodes only, and denies everything else. You'll have to set the two variables for the Document Root and the server's IPv4 address.
#!/bin/bash
# Set the DocumentRoot and the server's public IPv4 address.
docroot=/var/www/htdocs
ipaddress=0.0.0.0
# Drop the previous allow block (markers included) so it can be regenerated.
sed -i '/^# TOR-ALLOW-BLOCK/,/^# END-TOR-ALLOW-BLOCK/d' "$docroot/.htaccess"
# Fetch the current exit list and append it as Allow directives between fresh markers.
{ echo '# TOR-ALLOW-BLOCK'; wget -q "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=${ipaddress}&port=80" -O - | sed '/^#/d; s/^/Allow from /'; echo '# END-TOR-ALLOW-BLOCK'; } >> "$docroot/.htaccess"
You also need to create the .htaccess file first and populate it with these lines:
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
# TOR-ALLOW-BLOCK
# END-TOR-ALLOW-BLOCK
These simple measures would have ensured that the Silk Road website could only be accessed from Tor.
@pepijndevos

But that breaks the captcha!

@0a92372470bffa2b

Secondly, here's an example script that you can put in a nightly cron job, which will create an .htaccess file for Apache that will allow traffic from known Tor exit nodes only, and deny everything else. You'll have to set the two variables for the Document Root and the server's IPv4 address.

Why does Apache need to receive requests directly from Tor nodes? That's insane, it breaks the security model of Tor hidden services. What you should do is only allow outbound packets from a "tor" user on the system to go to Tor nodes, and deny any other outbound (other than ntp, dhcp, optionally dns, etc). That way only the Tor client can reach Tor nodes, and anything running under the www-user (apache, and below that php and whatnot), can only reach the Tor proxy on loopback. That is the most ideal scenario in my opinion. Aside from doing all of your administration via Tor, and purchasing these servers via Tor, and with Bitcoin that you earn from work done over Tor!

Whether you're LEO or someone with good intentions, your little 5 minute gist here is putting lazy hidden service operators in harm's way, the same harm that the Silkroad was in, and maybe that's a bloody good thing.

@ageis

ageis commented Sep 6, 2014

@0a92372470bffa2b there are many more ideal scenarios and additional measures, from what you said to the use of VMs and containers; I am not putting anyone "in harm's way" by listing something basic that all THS operators need to remember when they do setup, that's totally ridiculous. I am offering the script only because it was opportune, but you should explain how it "breaks the security model". Defense in depth is the best approach.

btw, a follow-up: https://blog.ageispolis.net/speculating-fbi-silk-road-unmasking-technique/

@bauruine

bauruine commented Nov 4, 2014

It's just WRONG, absolutely wrong. There is no reason an exit node should ever connect to your Apache.

Deny from all
Allow from 127.0.0.1

That's enough.
