
Manual/Book: Set up secure onion site *v3* / Firewall Rules / Block Scanners / Hide Backend

Dastardy

Hello People of XSS,
Today I am here to write a small tutorial on how to securely set up an onion site and add basic security features.
In the following tutorial I am using Ubuntu 20.04 LTS.

1. Install Tor & Nginx
sudo apt install nginx -y && sudo apt install tor
1.2 Check if installed correctly
nginx -v
tor -h

----------------------------------
2. Enable Tor & Config Torrc File
nano /etc/tor/torrc
uncomment the following things:
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80


save the file and reload tor:
sudo systemctl reload tor
----------------------------------
3. Our Onion Site is alive, now what?
First head to /var/lib/tor/hidden_service and download the 3 files that are to be found in the dir; these are your private keys, public key and hostname.

Open the hostname file to find out our hostname; in my case it's:

ndfje3vt4a4twk22vjsk2y63dojimexjaqepu4vvirg7hzeukjw7n4id.onion
If we head to the browser and open the link, we will see our site is now alive!


-------
4. Security & Firewall
It is important not to get caught by scanners like Censys/Shodan and get your backend leaked; to do this, apply the following rules:
curl -s https://check.torproject.org/torbulkexitlist | awk '{print "sudo ufw allow from " $1 " to any port 80"}' | sudo bash
sudo ufw status
sudo ufw enable
sudo ufw allow ssh
sudo ufw deny 80

------------------------------------
We are done, everything is now ready: the backend is unreachable from the clearnet, and it is impossible for scanners to catch on to where your server is secured.
Please note, this is a basic setup written in less than an hour. It is just a basic start of what you can do and how to do it.

Cheers,
For any questions, message me via forum
 
> It is important not to get caught by scanners like Censys/Shodan and get your backend leaked; to do this, apply the following rules:
> curl -s https://check.torproject.org/torbulkexitlist | awk '{print "sudo ufw allow from " $1 " to any port 80"}' | sudo bash

wait, does that mean that anybody could find your backend server if they scan the whole world for port 80 through Tor exit nodes?
 
> wait, does that mean that anybody could find your backend server if they scan the whole world for port 80 through Tor exit nodes?

Well, there is really no way to hide your backend completely; if anyone wants to find it, he will. It's just a cat-and-mouse game.
Maybe you could use a reverse proxy and allow connections to your backend only from the one IP, but still the reverse proxy IP can end up leaked.
 
Really nice sharing. I have another question. Opening a Tor site, which is the site that sells a server that allows illegal activities?
I can't understand a lot of what you mean, but over the Tor domain you have full custody/ownership.

No one can suspend it unless they access your server.
 
> you could use a reverse proxy and allow connections to your backend only from the one IP
yes, that's how you should do it.
 
> Well, there is really no way to hide your backend completely; if anyone wants to find it, he will. It's just a cat-and-mouse game.
> Maybe you could use a reverse proxy and allow connections to your backend only from the one IP, but still the reverse proxy IP can end up leaked.

How about I2P, is it the same as Tor?
 
but extremely more secure
1. It doesn't matter when it makes work through it impossible.
2. It's not as secure as people think; just look at how many nodes are in it and study the massive DDoS on it.
 
> 1. It doesn't matter when it makes work through it impossible.
> 2. It's not as secure as people think; just look at how many nodes are in it and study the massive DDoS on it.

What are you talking about? Even Tor is vulnerable to DDoS, even more than I2P.
 
> What are you talking about? Even Tor is vulnerable to DDoS, even more than I2P.

Actually, there is no sense in discussing who is more vulnerable to DDoS, because I2P can't be used for work; it's just too slow.
 
> Actually, there is no sense in discussing who is more vulnerable to DDoS, because I2P can't be used for work; it's just too slow.

I would rather sacrifice speed for more anonymity and security, don't you?
 
> I would rather sacrifice speed for more anonymity and security, don't you?

More anonymity is useless when you can't work. Just try RDP/VNC through I2P, or download something; working with SSH through I2P is also painful. You can use I2P only for specific cases, but not for normal and efficient work.
 

