Jump to content
Not connected, Your IP: 100.24.113.182
Sign in to follow this  
cm0s

nginx naxsi with tor service stealth mode

Recommended Posts

Posted ... (edited)

note: 060417
a tor onion service set to stealth mode is
NOT listed in the tor directory and in order
for a visitor to access the site they need the 'key' as
explained below added to their torrc or torrc file in the
tor browser bundle
this means your site is not tied to any
gen'd hidden service addy and you have full control of the
traffic, basically a 'closed' site member only
you can not even access the site from the server itself
without the 'key' added to the torrc file
to me, this is one of the best fucken ways to host a site
#
# nginx/naxsi | tor website
# stealth mode
# 022517_edit | arch linux
# -----
tor hidden service stealth mode
nginx config on arch linux
# -----
darknet info: en.wikipedia dot org/wiki/Darknet
tor stealth info: whonix dot org/wiki/Hidden_Services
deep web info: en.wikipedia dot org/wiki/Deep_Web
tor info: en.wikipedia dot org/wiki/Tor_%28anonymity_network%29
stunnel: en.wikipedia dot org/wiki/Stunnel
openvpn: en.wikipedia dot org/wiki/OpenVPN
airvpn ssl: airvpn dot org/ssl/
nginx info: en.wikipedia dot org/wiki/Nginx
web app firewall: en.wikipedia dot org/wiki/Web_application_firewall
naxsi: proteansec dot com/application-security/naxsi/
duz/dontz: hongkiat dot com/blog/do-donts-tor-network
crenshaw: youtube dot com/watch?v=eQ2OZKitRwc
# -----
gen the tor hidden service name...
# netctl stop eth0
# ip link set eth0 down
# cp /etc/tor/torrc /etc/tor/torrcbkup
# nano /etc/tor/torrc
at the end add this shit:
# -----
##hidden service site in stealth mode
HiddenServiceDir /var/lib/tor/
# HiddenServicePort 80 127.0.0.1:80
HiddenSErvicePort 443 127.0.0.1:443
HiddenServiceAuthorizeClient stealth SUMFUKGROUP
# -----

fire up shit...
# netctl start eth0
# /usr/bin/tor -f /etc/tor/torrc

give couple secs then stop tor...
# kill $(ps aux | grep '/usr/bin/tor' | awk '{print $2}')

snag the hostname...
# cat /var/lib/tor/hostname
you'll get sumthin like this:
c6yn3YERSITEk3o7.onion u8fAQVZixxxx/kbqTJkzHR # client: SUMFUKGROUP

the hostname is to be placed in anyone on tor at the bottom of their
torrc file, in the browser bundle usually located:
/browser/TorBrowser/Data/Tor/torrc
gets added as such:
HidServAuth c6yn3YERSITEk3o7.onion u8fAQVZixxxx/kbqTJkzHR

on the box running the nginx server you do not need to add it to your
/etc/tor/torrc config file but if you are running tor regular without
the tbb on another box you do need to add it to your torrc so your
'torified' browser can access the site via the tor network

harden the hosts file: h0stz
harden the .httaccess: htaxx

to config AUR
scroll down to 'packer' section run those commands then...
# cd /home/build
# sudo -u nobody packer -S nginx-mainline-waf
example config for tor hidden service/naxsi:
#
# ----- nginx config -----##

user www-data;
worker_processes auto;
pcre_jit on;

events {
worker_connections 768;
# multi_accept on;
}

http {

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# Logging Settings
##

access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;

##
# Gzip Settings
##

gzip on;
gzip_disable "msie6";

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

##
# nginx-naxsi config
##
Uncomment it if you installed nginx-naxsi
##

include /etc/nginx/naxsi_core.rules;

##
# nginx-passenger config
##
# Uncomment it if you installed nginx-passenger
##

#passenger_root /usr;
#passenger_ruby /usr/bin/ruby;

##
# Virtual Host Configs
##

include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;

## Include for blocking
include blacklist.conf;
include blockips.conf;
}


#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
#######################################################
#
# sites-available config:
#
server {
listen 127.0.0.1;
root /srv/html/;
index home.html;
server_name c6yn3YERSITEk3o7.onion; # replace this with your own
}
#
#######################################################
#
# sites-enabled:
#
server {
listen 127.0.0.1:443;
root /srv/html/;
index 1ndx.html;
server_name c6yn3YERSITEk3o7.onion
ssl on;
ssl_certificate /etc/nginx/ssl/yerkey.crt;
ssl_certificate_key /etc/nginx/ssl/yerkey.key;
add_header X-Frame-Options "DENY";
server_tokens off;
location / {
try_files $uri $uri/ =404;
include /etc/nginx/naxsi.rules;
}
}

server {
listen 127.0.0.1;
server_name c6yn3YERSITEk3o7.onion
return 301 https://c6yn3YERSITEk3o7.onion$request_uri;
}
#
########################################################
#
the config above is set to allow only https traffic
often question is 'why do that, tor is encrypted'
plus the 'untrusted connection window' annoyance
for me itz just a preference, i like layerz
and the untrusted window acts as a blocker in a way
so config this shit how you want yer shit to roll

# mkdir /etc/nginx/ssl
# openssl req -x509 -sha256 -newkey rsa:2048 -keyout /etc/nginx/ssl/yerkey.key -out /etc/nginx/ssl/yercert.crt -days 1024 -nodes -subj '/CN=c6yn3YERSITEk3o7.onion'

there ya go, a nyce one liner, make sure yer site's domain is after the '/CN' common name
make sure in the config that naxsi core rules are uncommented and herez the blakl15t
the blokip should be in the config also

add this into your /etc/nginx/naxsi.rules:

# ------
# Sample rules file for default vhost.

# LearningMode;
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
# -------

this has learning mode OFF which means shit is blocked
# systemctl start nginx
# systemctl status nginx

go to your site's addy try to access a file say: https://c6yn3YERSITEk3o7.onion/blank.html?asd=----

to see if the 'attack' hit yer logz...
# tail -f /var/log/nginx/error.log

should see something like this:

2016/11/16 15:28:18 [error] 15277#0: *1 NAXSI_FMT: ip=127.0.0.1&server=c6yn3YERSITEk3o7.onion&uri=/blankshit.html&learning=0&total_processed=6&total_blocked=1&zone0=ARGS&id0=1007&var_name0=asd, client: 127.0.0.1, server: c6yn3YERSITEk3o7.onion, request: "GET /blankshit.html?asd=---- HTTP/1.1", host: "c6yn3YERSITEk3o7.onion"

that means shit is working
mod any of the configz to yer needs, any improvements, suggestions please contact
#
https://github.com/mariusv/nginx-badbot-blocker
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
http://7bj57iubvkvwe3n4vozvx5qiixm67te4yue76tsdu6l5aeoti342spqd.onion/nav/linux/nginx.html

Edited ... by tokzco

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...