Creating your first hidden service Part 16th July 2017
If you've kept up with the latest news, you've probably heard the word "Dark web" or "Dark net" or "Deep web" bandied around quite loosely, usually in the context of some murky illegal activities. The reality of this though, is that this "dark net" is simply a term used to describe corners of the internet which reside on the Tor network, or more specifically Tor Hidden Services.
There's nothing illegal about Tor hidden services, and they have a whole list of handy features built into them which make them fantastic tools for anyone wanting to publish online or ever connect to remote resources securely. To get started, let's start with the basics and create a straightforward hidden service to output a default web server page, to introduce you to the basics of configuring a hidden service.
I will be creating this hidden service on an OVH Sandbox instance which has the following specifications:
OS: Debian 9 (Stretch) CPU: 1 core (2.4GHz) RAM: 2GB Storage: 10GB SSD Network: 100Mbps
For the purpose of this guide, you should also know at least how to SSH into a server.
Apply standard system updates
Firstly, you should log into the server as root, apply all the available updates and reboot the server. This can be done using a quick one liner:
apt-get update && apt-get dist-upgrade -y && reboot
Once the server is back online again, there are a few tools I would also recommend installing.
htop: Provides a pretty output of current resource usage and shows running processes
vnstat: Tracks your network traffic by day and month
curl: Is a package for retrieving remote content which we will use shortly.
To install these, as root type:
apt-get install -y htop vnstat curl
Once these are installed, you can quickly familiarise yourself with them. For example, htop will show you the current resource usage, although vnstat may not be fully ready yet if it has not had time to gather the network information it tracks.
Installing Nginx and Tor
Next is to add the repositories for Nginx, which will be our webserver. This is the program which will receive the requests from Tor and serve the content to visitors.
echo "deb http://nginx.org/packages/debian/ stretch nginx" >> /etc/apt/sources.list
echo "deb-src http://nginx.org/packages/debian/ stretch nginx" >> /etc/apt/sources.list
We also need to add the Nginx signing key to ensure we are downloading the right package.
curl -O https://nginx.org/keys/nginx_signing.key && apt-key add ./nginx_signing.key
You have now added the Nginx repository information to your system sources list, and also imported the Nginx PGP key used to sign the packages. Now we can refresh the package cache and install both Nginx and Tor with:
apt-get install -y nginx tor
With both Tor and Nginx installed, you need to ensure both services are now running. Both of the following commands should output an active status.
service nginx status
service tor status
If both are operational, then we can proceed. Otherwise, you will need to manually start the service, replacing x with either Nginx or tor, depending on which requires starting.
service x start
Configure the torrc file
With both processes started, we need to generate a key for our hidden service. Fortunately, Tor can do this for us if we simply give it a directory to place this in. As the whole Tor configuration is commented out by default, to keep this simple for us, let us clear that out to begin with
echo "" > /etc/tor/torrc
Then, open up /etc/tor/torrc using nano, and add the following entries
DataDirectory /var/lib/tor HiddenServiceDir /var/lib/tor/hidden_service/ HiddenServicePort 80 127.0.0.1:80
Of course, you can called the hidden_service folder whatever you like, but it is what I will be referencing for the moment. Just keep the folder within /var/lib/tor to ensure the service has the correct permissions to create and access the files.
Once these are added, reload the tor process and it will generate the keys for you:
service tor reload
Checking the steps have succeeded
Once this has been done, you should see two files in /var/lib/tor/hidden_service using the ls command
root@server:~# ls /var/lib/tor/hidden_service hostname private_key
The one we are concerned with right now is the hostname, so echo out the contents of this by using the cat command:
root@server:~# cat /var/lib/tor/hidden_service/hostname bvu2luyt2jm33ey5.onion
This jumble of characters is your hidden service address. If you now visit this in the Tor Browser, you will be greeted by a "Welcome to nginx!" page, indicating the hidden service has now successfully reached your Nginx instance.
If you see the above page, then congratulations, you are now serving content over a Tor hidden service!
To recap on the above, we have now installed Tor and Nginx, and ensured that our web server is reachable through the Tor network using hidden services. Next I will cover how to further configure Nginx to ensure that it serves only content over the Tor network to provide some location anonymity for your web application, and cover some basic firewall rules to help you block unwanted traffic which does not originate from Tor.