Linux, Ceph, Openstack and Privacy Tech

Creating your first hidden service Part 1

6th July 2017

If you've kept up with the latest news, you've probably heard the terms "Dark web", "Dark net" or "Deep web" bandied around quite loosely, usually in the context of some murky illegal activities. The reality, though, is that "dark net" is simply a term used to describe corners of the internet which reside on the Tor network, or more specifically Tor Hidden Services.

There's nothing illegal about Tor hidden services, and they have a whole list of handy features built into them which make them fantastic tools for anyone wanting to publish online or even connect to remote resources securely. To get started, let's create a straightforward hidden service that outputs a default web server page, to introduce you to the basics of configuring a hidden service.

I will be creating this hidden service on an OVH Sandbox instance which has the following specifications:

OS: Debian 9 (Stretch)
CPU: 1 core (2.4GHz)
RAM: 2GB
Storage: 10GB SSD
Network: 100Mbps

For the purpose of this guide, you should also know at least how to SSH into a server.

Apply standard system updates

Firstly, you should log into the server as root, apply all the available updates and reboot the server. This can be done using a quick one-liner:

apt-get update && apt-get dist-upgrade -y && reboot

Once the server is back online again, there are a few tools I would also recommend installing.

htop: Provides a pretty output of current resource usage and shows running processes

vnstat: Tracks your network traffic by day and month

curl: Is a package for retrieving remote content which we will use shortly.

To install these, as root type:

apt-get install -y htop vnstat curl

Once these are installed, you can quickly familiarise yourself with them. For example, htop will show you the current resource usage, although vnstat may not be fully ready yet if it has not had time to gather the network information it tracks.

Installing Nginx and Tor

Next, add the repositories for Nginx, which will be our webserver. This is the program which will receive the requests from Tor and serve the content to visitors.

echo "deb http://nginx.org/packages/debian/ stretch nginx" >> /etc/apt/sources.list
echo "deb-src http://nginx.org/packages/debian/ stretch nginx" >> /etc/apt/sources.list

We also need to add the Nginx signing key to ensure we are downloading the right package.

curl -O https://nginx.org/keys/nginx_signing.key && apt-key add ./nginx_signing.key

You have now added the Nginx repository information to your system sources list, and also imported the Nginx PGP key used to sign the packages. Now we can refresh the package cache and install both Nginx and Tor with:

apt-get update
apt-get install -y nginx tor

With both Tor and Nginx installed, you need to ensure both services are now running. Both of the following commands should output an active status.

service nginx status
service tor status

If both are operational, then we can proceed. Otherwise, you will need to manually start the service, replacing x with either nginx or tor, depending on which requires starting.

service x start

Configure the torrc file

With both processes started, we need to generate a key for our hidden service. Fortunately, Tor can do this for us if we simply give it a directory to place this in. As the whole Tor configuration is commented out by default, let us clear that out to begin with, to keep this simple:

echo "" > /etc/tor/torrc

Then, open up /etc/tor/torrc using nano, and add the following entries:

DataDirectory /var/lib/tor
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80

Of course, you can call the hidden_service folder whatever you like, but it is the name I will be referencing for the moment. Just keep the folder within /var/lib/tor to ensure the service has the correct permissions to create and access the files.

Once these are added, reload the tor process and it will generate the keys for you:

service tor reload

Checking the steps have succeeded

Once this has been done, you should see two files in /var/lib/tor/hidden_service using the ls command:

root@server:~# ls /var/lib/tor/hidden_service
hostname  private_key

The one we are concerned with right now is the hostname, so print its contents using the cat command. The private_key file is what controls the address, so keep it secret.

root@server:~# cat /var/lib/tor/hidden_service/hostname
bvu2luyt2jm33ey5.onion

This jumble of characters is your hidden service address. If you now visit this in the Tor Browser, you will be greeted by a "Welcome to nginx!" page, indicating the hidden service has now successfully reached your Nginx instance.

[Screenshot: the default "Welcome to nginx!" page]

If you see the above page, then congratulations, you are now serving content over a Tor hidden service!
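A scripted version of the checks above, as an added example that is not part of the original post: it confirms the service directory and key file are closed to group and other users (Tor refuses to use a HiddenServiceDir with looser permissions) and that the hostname file holds a well-formed address. It goes slightly beyond the page by also accepting the 56-character v3 addresses and hs_ed25519_secret_key file that current Tor releases generate; the script name check_hs.sh and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Run as root after
# "service tor reload":  sh check_hs.sh /var/lib/tor/hidden_service

# Print v2 or v3 for a well-formed onion hostname; return 1 otherwise.
# v2 addresses (as on this page) are 16 base32 characters, v3 are 56.
onion_version() {
    if printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z2-7]{16}\.onion$'; then
        echo v2
    elif printf '%s\n' "$1" | LC_ALL=C grep -Eq '^[a-z2-7]{56}\.onion$'; then
        echo v3
    else
        return 1
    fi
}

# Return 0 when no group/other permission bits are set on a path.
owner_only() {
    mode=$(stat -c '%a' "$1") || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Check one HiddenServiceDir: permissions, hostname format, key file.
check_hs_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }
    owner_only "$dir" || { echo "FAIL: $dir is open to group/other"; return 1; }
    [ -f "$dir/hostname" ] || { echo "FAIL: no hostname file yet"; return 1; }
    host=$(head -n 1 "$dir/hostname")
    ver=$(onion_version "$host") || { echo "FAIL: malformed hostname"; return 1; }
    # The key file name depends on the service version.
    case "$ver" in
        v2) key=private_key ;;
        v3) key=hs_ed25519_secret_key ;;
    esac
    [ -f "$dir/$key" ] || { echo "FAIL: missing $key"; return 1; }
    owner_only "$dir/$key" || { echo "FAIL: $key is open to group/other"; return 1; }
    echo "OK: $ver service $host"
}

# Only act when a directory is given on the command line.
[ "$#" -eq 0 ] || check_hs_dir "$1"
```

A FAIL on the key file permissions means other local users may have been able to read the key, in which case the address should be treated as no longer exclusively yours.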

To recap, we have now installed Tor and Nginx, and ensured that our web server is reachable through the Tor network using hidden services. Next I will cover how to further configure Nginx so that it serves content only over the Tor network, to provide some location anonymity for your web application, and cover some basic firewall rules to help you block unwanted traffic which does not originate from Tor.

AUTHOR

Thomas White
