cm0s Posted ... (edited)

note: 060417
a tor onion service set to stealth mode is NOT listed in the tor directory, and in order for a visitor to access the site they need the 'key' (as explained below) added to their torrc, or to the torrc file in the tor browser bundle. this means your site is not tied to any gen'd hidden service addy and you have full control of the traffic, basically a 'closed', member-only site. you can not even access the site from the server itself without the 'key' added to the torrc file. to me, this is one of the best fucken ways to host a site

#
# nginx/naxsi | tor website
# stealth mode
# 022517_edit | arch linux
# -----
tor hidden service stealth mode nginx config on arch linux
# -----

darknet info: en.wikipedia dot org/wiki/Darknet
tor stealth info: whonix dot org/wiki/Hidden_Services
deep web info: en.wikipedia dot org/wiki/Deep_Web
tor info: en.wikipedia dot org/wiki/Tor_%28anonymity_network%29
stunnel: en.wikipedia dot org/wiki/Stunnel
openvpn: en.wikipedia dot org/wiki/OpenVPN
airvpn ssl: airvpn dot org/ssl/
nginx info: en.wikipedia dot org/wiki/Nginx
web app firewall: en.wikipedia dot org/wiki/Web_application_firewall
naxsi: proteansec dot com/application-security/naxsi/
duz/dontz: hongkiat dot com/blog/do-donts-tor-network
crenshaw: youtube dot com/watch?v=eQ2OZKitRwc

# ----- gen the tor hidden service name...

# netctl stop eth0
# ip link set eth0 down
# cp /etc/tor/torrc /etc/tor/torrcbkup
# nano /etc/tor/torrc

at the end add this shit:

# -----
## hidden service site in stealth mode
HiddenServiceDir /var/lib/tor/
# HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 443 127.0.0.1:443
HiddenServiceAuthorizeClient stealth SUMFUKGROUP
# -----

(note: HiddenServiceAuthorizeClient and the HidServAuth line below are the v2 onion service client-auth options; v3 onions do client auth differently, via the authorized_clients dir under HiddenServiceDir on the service side and ClientOnionAuthDir on the client side)

fire up shit...

# netctl start eth0
# /usr/bin/tor -f /etc/tor/torrc

give it a couple secs then stop tor...

# kill $(pgrep -f /usr/bin/tor)

snag the hostname...

# cat /var/lib/tor/hostname

you'll get sumthin like this:

c6yn3YERSITEk3o7.onion u8fAQVZixxxx/kbqTJkzHR # client: SUMFUKGROUP

that hostname line is what anyone on tor who should get in has to put at the bottom of their torrc file. in the browser bundle it is usually located at:

/browser/TorBrowser/Data/Tor/torrc

it gets added as such:

HidServAuth c6yn3YERSITEk3o7.onion u8fAQVZixxxx/kbqTJkzHR

on the box running the nginx server you do not need to add it to your /etc/tor/torrc config file, but if you are running tor regular (without the tbb) on another box you do need to add it to that box's torrc so your 'torified' browser can access the site via the tor network

harden the hosts file: h0stz
harden the .htaccess: htaxx

to config AUR scroll down to the 'packer' section, run those commands, then...

# cd /home/build
# sudo -u nobody packer -S nginx-mainline-waf

example config for tor hidden service/naxsi:

# ----- nginx config ----- ##
user www-data;
worker_processes auto;
pcre_jit on;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##
    include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##
    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    ## Include for blocking
    include blacklist.conf;
    include blockips.conf;
}

#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen localhost:110;
#        protocol pop3;
#        proxy on;
#    }
#
#    server {
#        listen localhost:143;
#        protocol imap;
#        proxy on;
#    }
#}

#######################################################
#
# sites-available config:
#
server {
    listen 127.0.0.1;
    root /srv/html/;
    index home.html;
    server_name c6yn3YERSITEk3o7.onion; # replace this with your own
}
#
#######################################################
#
# sites-enabled:
#
server {
    listen 127.0.0.1:443 ssl;
    root /srv/html/;
    index 1ndx.html;
    server_name c6yn3YERSITEk3o7.onion;
    ssl_certificate /etc/nginx/ssl/yerkey.crt;
    ssl_certificate_key /etc/nginx/ssl/yerkey.key;
    add_header X-Frame-Options "DENY";
    server_tokens off;

    location / {
        try_files $uri $uri/ =404;
        include /etc/nginx/naxsi.rules;
    }

    # naxsi internally redirects blocked requests to DeniedUrl (set in naxsi.rules below),
    # so give it a location that answers 403 instead of falling through to a 404
    location /RequestDenied {
        return 403;
    }
}

server {
    listen 127.0.0.1;
    server_name c6yn3YERSITEk3o7.onion;
    return 301 https://c6yn3YERSITEk3o7.onion$request_uri;
}
#
########################################################
#

the config above is set to allow only https traffic. a common question is 'why do that, tor is encrypted', plus the 'untrusted connection window' annoyance. for me itz just a preference, i like layerz, and the untrusted window acts as a blocker in a way, so config this shit how you want yer shit to roll

# mkdir /etc/nginx/ssl
# openssl req -x509 -sha256 -newkey rsa:2048 -keyout /etc/nginx/ssl/yerkey.key -out /etc/nginx/ssl/yerkey.crt -days 1024 -nodes -subj '/CN=c6yn3YERSITEk3o7.onion'

there ya go, a nyce one liner. make sure yer site's domain is after the '/CN' common name, and that the -out file name matches the ssl_certificate line in the nginx config

make sure in the config that the naxsi core rules include is uncommented. herez the blacklist: blakl15t. the blockips (blokip) should be in the config also

add this into your /etc/nginx/naxsi.rules:

# ------
# Sample rules file for default vhost.
# LearningMode;
SecRulesEnabled;
#SecRulesDisabled;
DeniedUrl "/RequestDenied";

## check rules
CheckRule "$SQL >= 8" BLOCK;
CheckRule "$RFI >= 8" BLOCK;
CheckRule "$TRAVERSAL >= 4" BLOCK;
CheckRule "$EVADE >= 4" BLOCK;
CheckRule "$XSS >= 8" BLOCK;
# -------

this has learning mode OFF which means shit is blocked

# systemctl start nginx
# systemctl status nginx

go to your site's addy and try to access a file, say:

https://c6yn3YERSITEk3o7.onion/blank.html?asd=----

to see if the 'attack' hit yer logz...

# tail -f /var/log/nginx/error.log

should see something like this:

2016/11/16 15:28:18 [error] 15277#0: *1 NAXSI_FMT: ip=127.0.0.1&server=c6yn3YERSITEk3o7.onion&uri=/blankshit.html&learning=0&total_processed=6&total_blocked=1&zone0=ARGS&id0=1007&var_name0=asd, client: 127.0.0.1, server: c6yn3YERSITEk3o7.onion, request: "GET /blankshit.html?asd=---- HTTP/1.1", host: "c6yn3YERSITEk3o7.onion"

that means shit is working. mod any of the configz to yer needs; any improvements or suggestions, please contact

#
https://github.com/mariusv/nginx-badbot-blocker
https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
http://7bj57iubvkvwe3n4vozvx5qiixm67te4yue76tsdu6l5aeoti342spqd.onion/nav/linux/nginx.html

Edited ... by tokzco
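To make sense of the NAXSI_FMT lines that tail -f shows, here is an added example (not from the post and not part of naxsi itself) that parses those error.log lines into the zones and rule ids that fired and counts them per rule; the sample log, its onion name and the second line's rule ids are constructed, and the field layout is assumed to be exactly the one in the log line shown above.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample of nginx error.log lines in the NAXSI_FMT shape shown in the post;
# the onion name and the second line's rule ids are made up for the example.
SAMPLE_LOG = """\
2016/11/16 15:28:18 [error] 15277#0: *1 NAXSI_FMT: ip=127.0.0.1&server=example.onion&uri=/blank.html&learning=0&total_processed=6&total_blocked=1&zone0=ARGS&id0=1007&var_name0=asd, client: 127.0.0.1, server: example.onion, request: "GET /blank.html?asd=---- HTTP/1.1", host: "example.onion"
2016/11/16 15:29:02 [error] 15277#0: *2 NAXSI_FMT: ip=127.0.0.1&server=example.onion&uri=/home.html&learning=0&total_processed=7&total_blocked=2&zone0=ARGS&id0=1000&var_name0=q&zone1=ARGS&id1=1007&var_name1=q, client: 127.0.0.1, server: example.onion, request: "GET /home.html?q=test HTTP/1.1", host: "example.onion"
2016/11/16 15:29:10 [notice] 15277#0: signal process started
"""

# The key=value part of NAXSI_FMT runs up to the first comma; nginx's own fields follow.
NAXSI_RE = re.compile(
    r'NAXSI_FMT: (?P<fmt>[^,]+), client: (?P<client>\S+), '
    r'server: (?P<srv>\S+), request: "(?P<req>[^"]*)"'
)

def parse_naxsi_line(line):
    """Return the fields of one NAXSI_FMT error-log line, or None for any other line."""
    m = NAXSI_RE.search(line)
    if not m:
        return None
    fields = {k: v[0] for k, v in parse_qs(m.group("fmt"), keep_blank_values=True).items()}
    # naxsi numbers each matched rule: zone0/id0/var_name0, zone1/id1/var_name1, ...
    matches, n = [], 0
    while f"id{n}" in fields:
        matches.append({"zone": fields.get(f"zone{n}"), "id": int(fields[f"id{n}"]),
                        "var": fields.get(f"var_name{n}")})
        n += 1
    return {
        "time": line[:19],
        "ip": fields.get("ip"),
        "uri": fields.get("uri"),
        "learning": fields.get("learning") == "1",
        "total_blocked": int(fields.get("total_blocked", 0)),
        "request": m.group("req"),
        "matches": matches,
    }

def summarize(log_text):
    """Parse a whole log; count how often each (zone, rule id) fired so you can see
    which rules would need a whitelist before trusting the vhost's BLOCK thresholds."""
    events = [e for e in map(parse_naxsi_line, log_text.splitlines()) if e]
    rule_hits = Counter((m["zone"], m["id"]) for e in events for m in e["matches"])
    return events, rule_hits
```

Feed it the real error.log (for example `summarize(open("/var/log/nginx/error.log").read())`) and the Counter tells you which core rule ids are firing on legit traffic versus the test request.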