You would like to have your own hidden service but don’t know how to do it? It is not that difficult. Note, however, that the following instructions only show you how to set up a web server and make it accessible from the TOR network, plus a few basic security features. If your life depends on it you should add a lot more security, e.g. by running lighttpd and tor in a “chroot” jail, which I may add a tutorial for later.
Here is how I did it on Linux Debian 6 (Squeeze) minimal x86:
First update and install the text editor “nano”, the tool “screen” plus a few required libraries:
apt-get update
apt-get upgrade
apt-get install nano
apt-get install screen
apt-get install build-essential
apt-get install libevent-dev
apt-get install openssl
apt-get install zlib1g-dev
apt-get install libssl-dev
Then make a new folder named “tor”, and download and extract tor into it (the link will change as soon as a newer version comes out):
cd /
mkdir tor
cd tor
wget https://www.torproject.org/dist/tor-0.2.2.37.tar.gz
tar xzf tor-0.2.2.37.tar.gz; cd tor-0.2.2.37
Then use:
./configure && make && make install
... to install TOR.
Now go to the folder that contains the sample configuration file, rename it to “torrc” (or make a new copy, as below) and add/modify lines:
cd /usr/local/etc/tor
cp torrc.sample torrc
nano torrc
Add/modify:
HiddenServiceDir /tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8765
SocksPort 0
The above lines determine the directory where you will find the .onion link to your website, and that port 80 (the website port) of the hidden service gets redirected to port 8765 on your actual server. You can set any port you want for that, but you must also make the web server listen on that port. I would recommend not setting it to 80 or 8080 (remember you want to hide it from the clearweb).
Now install lighttpd with PHP and enable it:
apt-get install lighttpd php5-cgi
lighty-enable-mod fastcgi
lighty-enable-mod fastcgi-php
/etc/init.d/lighttpd restart
Now go to the lighttpd configuration file and add/modify lines:
nano /etc/lighttpd/lighttpd.conf
Add/modify:
server.port = 8765
$HTTP["remoteip"] !~ "127.0.0.1" {
    url.access-deny = ( "" )
}
server.dir-listing = "disable"
This makes the server listen on the port you like (the same one you put in the torrc file), disallows access from any IP address other than your own machine (which is where the TOR requests come from) and disables directory listing, which could otherwise expose your files or reveal that you are using lighttpd.
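The torrc and lighttpd.conf settings above are easy to get subtly wrong (a forwarding target that is not loopback, a listening socket that is still bound to all interfaces). The following script is an added example and not part of the original post: it audits both files for the settings described above and additionally checks two lighttpd directives the post does not mention, server.bind (so the socket is only opened on 127.0.0.1, instead of relying on the remoteip deny rule alone) and server.tag (so the Server response header does not announce lighttpd). It assumes one directive per line, as in the post; the sample configs it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit a torrc and a lighttpd.conf
# for the hidden-service settings the post relies on. Assumes one directive per
# line; the sample configs written by write_samples are constructed for the demo.

# audit_torrc FILE: print one line per finding, return 0 when nothing is found.
audit_torrc() {
    f=$1; rc=0
    # SocksPort 0 keeps tor from also running a local SOCKS proxy.
    grep -q '^[[:space:]]*SocksPort[[:space:]]*0[[:space:]]*$' "$f" \
        || { echo "torrc: SocksPort is not 0"; rc=1; }
    grep -q '^[[:space:]]*HiddenServiceDir[[:space:]]' "$f" \
        || { echo "torrc: no HiddenServiceDir"; rc=1; }
    # Every HiddenServicePort target should be a loopback address; otherwise tor
    # forwards onion visitors to a socket that may also be reachable directly.
    targets=$(grep '^[[:space:]]*HiddenServicePort[[:space:]]' "$f" | awk '{print $3}')
    [ -n "$targets" ] || { echo "torrc: no HiddenServicePort"; rc=1; }
    echo "$targets" | grep -v '^127\.' | grep -q . \
        && { echo "torrc: HiddenServicePort target is not on 127.0.0.0/8"; rc=1; }
    return $rc
}

# audit_lighttpd FILE: same contract for the web server side.
audit_lighttpd() {
    f=$1; rc=0
    # The remoteip rule rejects requests after they have already connected;
    # server.bind keeps the socket off non-loopback interfaces entirely.
    grep -q '^[[:space:]]*server\.bind[[:space:]]*=[[:space:]]*"127\.0\.0\.1"' "$f" \
        || { echo "lighttpd: server.bind is not \"127.0.0.1\""; rc=1; }
    grep -q 'remoteip' "$f" && grep -q 'url\.access-deny' "$f" \
        || { echo "lighttpd: no remoteip access-deny rule"; rc=1; }
    grep -q '^[[:space:]]*server\.dir-listing[[:space:]]*=[[:space:]]*"disable"' "$f" \
        || { echo "lighttpd: directory listing not disabled"; rc=1; }
    grep -Eq '^[[:space:]]*server\.port[[:space:]]*=[[:space:]]*(80|8080)[[:space:]]*$' "$f" \
        && { echo "lighttpd: server.port is 80/8080, the post advises another port"; rc=1; }
    # server.tag replaces the default "Server: lighttpd/x.y" response header.
    grep -q '^[[:space:]]*server\.tag[[:space:]]*=' "$f" \
        || { echo "lighttpd: server.tag not set, Server header reveals lighttpd"; rc=1; }
    return $rc
}

# write_samples DIR: constructed sample configs, one weak and one hardened pair.
write_samples() {
    d=$1
    cat > "$d/torrc.weak" <<'EOF'
HiddenServiceDir /tor/hidden_service/
HiddenServicePort 80 192.0.2.10:8765
SocksPort 9050
EOF
    cat > "$d/torrc.good" <<'EOF'
HiddenServiceDir /tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8765
SocksPort 0
EOF
    cat > "$d/lighttpd.weak" <<'EOF'
server.port = 80
server.dir-listing = "enable"
EOF
    cat > "$d/lighttpd.good" <<'EOF'
server.port = 8765
server.bind = "127.0.0.1"
$HTTP["remoteip"] !~ "127.0.0.1" { url.access-deny = ( "" ) }
server.dir-listing = "disable"
server.tag = "webserver"
EOF
}

# Run the audit over the samples (usage: sh audit.sh).
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in torrc.weak torrc.good; do
        echo "== $f"; audit_torrc "$d/$f" && echo "clean"
    done
    for f in lighttpd.weak lighttpd.good; do
        echo "== $f"; audit_lighttpd "$d/$f" && echo "clean"
    done
    rm -rf "$d"
}
demo
```

On a real box you would run audit_torrc against /usr/local/etc/tor/torrc and audit_lighttpd against /etc/lighttpd/lighttpd.conf after every change, since a single accidental edit (say, server.port = 80 while testing) undoes the isolation the post sets up.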
Now run TOR inside screen, which keeps it running after you exit the console. You can also run it as a daemon, but I prefer screen. Then go to the hidden_service folder and open the file “hostname”, which contains the .onion link to your website:
screen tor
[CTRL + A, then D (to detach the screen session)]
cd /tor/hidden_service
nano hostname
... and you are done! Have fun with your hidden service! Once again, you can add more security features, which are more complex, to protect your privacy even in case someone exploits your server:
- make sure PHP error messages (“xx not found in x.php on line x”) are turned off and that web server error pages (404, 503, ...) do not reveal any information about your server, which seems to be the default with lighttpd. By the way, you can find the error log in:
nano /var/log/lighttpd/error.log
- put lighttpd and TOR in a chroot jail (and/or do not run them as root). Even if an attacker manages to find an exploit in either lighttpd or TOR, he won’t be able to do anything, because he is locked into a folder for this specific service only. Also make sure your PHP code has no security holes: always check anything that can be entered or modified by a user!
- allow traffic through TOR only. This seems to involve heavy use of iptables (firewall) rules. I am not sure if this is necessary, because lighttpd already disallows traffic from outside TOR and you are not running a public TOR relay, only the hidden service. However, if your life depends on it...
- add a self-signed SSL certificate. Users will have to confirm a warning and add an exception when they use the SSL version of your service, but it is a fully anonymous certificate and serves its purpose. TOR itself is already encrypted, so this does not seem strictly necessary, but you never know. Plus, it increases your visitors’ trust.
- several other things:
Make sure not to host illegal content. If users can upload files to your site, you should moderate your service. Of course this depends on whether you actually want to host illegal content.
Depending on your project, only share the .onion link with people who need it (unless it’s supposed to be a public site, of course). You can change it anytime by generating a new key/hostname (simply delete the old one, I believe [untested]).
Rent a VPS for your hidden service; if you run it on your computer at home you are easier to identify by your IP address, and everyone will know when you go to sleep (if you turn off your server at night). If you want to be completely unidentifiable, get a VPS that you pay for anonymously (with fake info/paysafe card). To be even _more_ anonymous, also pay anonymously for a non-logging stealth proxy server or VPN that all traffic between onionland and you goes through.
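Two of the hardening points above (not running tor as root, and keeping PHP from printing errors or its version to visitors) can be checked mechanically. The script below is an added example, not code from the original post: hs_dir_prepare/hs_dir_check create and verify the hidden-service directory for a dedicated unprivileged account (tor refuses a hidden-service directory that is group- or world-accessible, so mode 700 is required anyway), and php_ini_check verifies display_errors, expose_php and log_errors in a php.ini. The account name “tor”, the php.ini path /etc/php5/cgi/php.ini (where Debian’s php5-cgi package keeps it) and the php.ini fragments in the demo are assumptions or constructed input; the functions take a numeric uid so they also work in environments without a passwd entry.

```shell
#!/bin/sh
# Added example (not from the original post). Checks for two hardening steps:
# a private HiddenServiceDir owned by the unprivileged account tor runs as, and
# a php.ini that does not leak errors or the PHP version to visitors.
# The "tor" account and the php.ini fragments below are assumed/constructed.

# hs_dir_prepare DIR UID: create DIR owned by UID with mode 700 (run as root on
# a real box, e.g. hs_dir_prepare /tor/hidden_service "$(id -u tor)").
hs_dir_prepare() {
    mkdir -p "$1" && chown "$2" "$1" && chmod 700 "$1"
}

# hs_dir_check DIR UID: 0 when DIR exists, is owned by UID and is mode 700.
# Uses GNU stat -c (Debian); tor itself rejects a directory others can read.
hs_dir_check() {
    dir=$1; want_uid=$2; rc=0
    [ -d "$dir" ] || { echo "$dir: does not exist"; return 1; }
    mode=$(stat -c %a "$dir")
    owner=$(stat -c %u "$dir")
    [ "$mode" = "700" ] || { echo "$dir: mode $mode, expected 700"; rc=1; }
    [ "$owner" = "$want_uid" ] || { echo "$dir: owner uid $owner, expected $want_uid"; rc=1; }
    return $rc
}

# ini_is FILE KEY VALUE-REGEX: true when KEY is set (uncommented) to a matching
# value; lines starting with ';' are php.ini comments and do not match.
ini_is() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*($3)[[:space:]]*$" "$1"
}

# php_ini_check FILE: 0 when errors are neither shown to visitors nor lost.
php_ini_check() {
    f=$1; rc=0
    ini_is "$f" display_errors 'off|0' || { echo "php.ini: display_errors is not Off"; rc=1; }
    ini_is "$f" expose_php 'off|0'     || { echo "php.ini: expose_php is not Off"; rc=1; }
    ini_is "$f" log_errors 'on|1'      || { echo "php.ini: log_errors is not On"; rc=1; }
    return $rc
}

# Demo against a temporary directory and constructed php.ini fragments.
demo() {
    d=$(mktemp -d); me=$(id -u)   # on a real box: the uid of the tor account
    hs_dir_prepare "$d/hidden_service" "$me"
    hs_dir_check "$d/hidden_service" "$me" && echo "hidden_service dir ok"
    chmod 755 "$d/hidden_service"   # simulate a too-permissive directory
    hs_dir_check "$d/hidden_service" "$me" || echo "-> fix with chmod 700"
    printf 'display_errors = On\nexpose_php = On\n' > "$d/php.weak.ini"
    printf 'display_errors = Off\nexpose_php = Off\nlog_errors = On\n' > "$d/php.good.ini"
    php_ini_check "$d/php.weak.ini" || echo "-> change these in /etc/php5/cgi/php.ini"
    php_ini_check "$d/php.good.ini" && echo "php.ini ok"
    rm -rf "$d"
}
demo
```

Run hs_dir_check after every tor restart as well: tor creates hostname and private_key inside the directory, and anyone who can read private_key can impersonate the service, so the directory must stay private to the tor account.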
Okay, I think that’s it for now.