Securely hosting a Tor hidden service/site

  • There are some detailed instructions for setting up a Tor site at torproject.org1. It seems that it would be most secure to use a dedicated machine for this task if possible. I've read elsewhere that thttpd might be preferable to Apache and its likely more secure to go with a GNI/Linux over Windows.

    Any thoughts on this? Is there a "standard" distro and/or web-server that would be best-suited for this task? Or is that merely a matter of personal preference?

    Also, what are appropriate and effective security practices, both technical and operational? What can we learn from the recent compromises of Freedom Hosting (perhaps the largest .onion hosting provider) and the Silk Road? According to Wired2, "the FBI yesterday acknowledged that it secretly took control of Freedom Hosting last July". The article notes that "[i]t’s not clear how the FBI took over the servers". However, the comment that "the bureau was temporarily thwarted when Marques somehow regained access and changed the passwords" is suggestive. As details come out in the trial, it would be prudent to identify relevant technical and/or operational failures.

    In the case of the Silk Road, it's clear from the Maryland complaint3 that vulnerabilities in Tor were not instrumental in the site's compromise. Even so, did technical and/or operational failures contribute to the takedown, and how might they be corrected?

    As new hidden service sites fill these market niches, at least some of the underlying technical and/or operational improvements may become public. There is much to learn about doing this right.

    Actually, now I see that these two questions should be merged. After the dust settles, maybe I'll take a shot at that. But I don't know how yet, especially how to transfer answers and comments.

  • mirimir

    mirimir Correct answer

    9 years ago

    It's prudent to use open-source software, given the greater risk of backdoors in closed-source products. You want to thoroughly lock down remote access to the server. In my experience, servers are constantly hammered by login attempts. It's crucial to disable password-based ssh logins, allowing only key-based logins.

    I've also seen thttpd recommended for hidden services, because it has a smaller attack surface. Unless you have good reason, and really know mysql and php, it's best to serve only static html. Vulnerabilities there are your major risk after securing login. Static html is also faster over Tor, because there's less back-and-forth in loading the site.

    As David notes, it's best to run Tor and the service in separate machines, or at least in separate VMs. If you're using one machine, you want Tor on the host and the service in the VM, given the greater risk that the service will get hacked and try to take down the Tor client, rather than vice versa.

    But the bigger question is where to site these machines. I have pondered this question for years. First, consider that, if someone wants to create a hidden service, it's reasonable to assume that they want it well "hidden". It's also reasonable to assume that the operator wants to remain anonymous, not linked to the hidden service. If OP doesn't care about those issues, I have no clue why they want to run a hidden service.

    Regarding location, there are some seemingly contradictory requirements. For obvious reasons, it's imprudent to operate from one's home or place of business. However, it's also crucial to control physical access. Otherwise, it's impossible to rely on security practices such as full-disk encryption. Hardware can be hardened, of course, and one can use Mandos to protect against tinkering. But ultimately, physical access trumps everything else.

    Controlling physical access to hosted servers is logistically difficult, especially when one wishes to remain anonymous. It's also very expensive. And then there's the need to trust ones partners and staff.

    One workaround is using diskless servers as reverse proxies for actual content servers. However, it's still necessary to securely host the content servers. So that's not a real (or at least full) solution.

    Perhaps that's why Freedom Hosting was so popular. Users figured that they must have some special knowledge. However, in retrospect, it's pretty clear that neither Freedom Hosting nor the Silk Road were very well secured.

    I may be able to shed some light on why somebody would be willing to be associated with their hidden service: I run a fairly popular Tor search engine and I don't at all mind being linked to it; it is a hidden service because there is nothing I can do to violate the privacy of my users and I only index tor hidden services anyways.

    I would assume, that most hidden services are hosted at the host's home. Not spending much thought on security. And/or others may host hidden services because that market isn't saturated. In clearnet it's difficult to start a new page. But a legitimate hidden service may turn out as a profitable investment. (They may not be in for the money, just for leading a community/service.) At least this is what I think, what they think.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM