VolkanSah/Secure-Hidden-Service

Setting Up a Secure Hidden Service (Onion Site) - basics

Table of Contents

  1. Introduction
  2. Why Avoid Exit Traffic?
  3. Installing and Configuring Tor
  4. Setting Up a Hidden Service
  5. Firewall and Network Security
  6. Disabling Logging for Anonymity
  7. Securing the Server
  8. Conclusion

Other important stuff

Introduction

A Tor Hidden Service (onion site) allows you to host a website that is only accessible via the Tor network. To maintain security and anonymity, we must ensure that our service does not act as an exit node, which could expose our server to legal and security risks.

Why Avoid Exit Traffic?

Exit nodes in the Tor network route traffic from users to the regular internet, potentially exposing the server operator to liability. To prevent this, we configure our Tor service to only act as a hidden service without relaying or exiting traffic.

Installing and Configuring Tor

Install Tor

sudo apt update && sudo apt install tor -y

Configure Tor to Disable Exit Traffic

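Edit the Tor configuration file (/etc/tor/torrc) and add the following lines. SocksPort 0 turns off the local SOCKS listener, so no application on the server can use this Tor instance as a client proxy. ExitRelay 0 states explicitly that the instance must never carry exit traffic (Tor only relays traffic at all when an ORPort is configured):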

SocksPort 0  # Disable Socks proxy
ExitRelay 0  # Prevent exit traffic

Restart Tor to apply the changes:

sudo systemctl restart tor

Setting Up a Hidden Service

Modify the torrc file to configure your hidden service:

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80

Create the directory and set proper permissions:

sudo mkdir -p /var/lib/tor/hidden_service/
sudo chmod 700 /var/lib/tor/hidden_service/
sudo chown -R debian-tor:debian-tor /var/lib/tor/hidden_service/

Restart Tor:

sudo systemctl restart tor

Retrieve your new .onion address:

cat /var/lib/tor/hidden_service/hostname

Firewall and Network Security

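Tor reaches the web server over the loopback interface, so port 80 does not need to be opened in the firewall. Deny incoming connections by default and allow only what you need from outside:

sudo ufw default deny incoming
sudo ufw allow 22/tcp  # SSH access (if needed; use your own SSH port if you change it)
sudo ufw enable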

For Nginx, modify the configuration to bind only to localhost:

server {
    listen 127.0.0.1:80;
    server_name _;
    root /var/www/html;
}

For Apache:

<VirtualHost 127.0.0.1:80>
    DocumentRoot "/var/www/html"
</VirtualHost>
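
To verify the steps above, here is an added audit script (not part of the original repository) that checks the torrc options, the HiddenServiceDir permissions and the web server's listening address. The function names are hypothetical, the paths are the ones used in this guide, and the target check is deliberately conservative (only 127.0.0.1, [::1], a bare port or a unix socket pass).

```shell
#!/bin/sh
# Added example, not part of the repository: audit the settings configured above.

# Print one line per torrc problem; exit status is 0 only when none are found.
check_torrc() {
    awk '
        { sub(/#.*/, ""); key = tolower($1) }   # drop comments; option names are case-insensitive
        key == "socksport" || key == "exitrelay" { seen[key] = 1; if ($2 != "0") on[key] = 1 }
        # A missing target defaults to 127.0.0.1; anything else must be loopback or a unix socket.
        key == "hiddenserviceport" && $3 != "" &&
        $3 !~ /^((127\.0\.0\.1|\[::1\])(:[0-9]+)?|[0-9]+|unix:.*)$/ {
            print "HiddenServicePort target is not loopback: " $3; bad = 1
        }
        END {
            if (!seen["socksport"] || on["socksport"]) { print "SocksPort is not set to 0"; bad = 1 }
            if (!seen["exitrelay"] || on["exitrelay"]) { print "ExitRelay is not set to 0"; bad = 1 }
            exit bad + 0
        }
    ' "$1"
}

# Succeed only if the argument is a directory with mode 700 (owner-only access).
check_dir_mode() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# Read `ss -tln` output on stdin; print listeners on the given port that are not loopback.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")            # the port is the last colon-separated piece
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (parts[n] == port && addr != "127.0.0.1" && addr != "[::1]") print $4
        }'
}

# Run every check against the paths used in this guide (run as root; not called automatically).
audit_onion_host() {
    check_torrc /etc/tor/torrc
    check_dir_mode /var/lib/tor/hidden_service/ || echo "hidden_service directory is not mode 700"
    ss -tln | exposed_listeners 80 | sed 's/^/web server reachable beyond loopback: /'
}
```

Source the file and call audit_onion_host after each configuration change; no output means every check passed.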

Disabling Logging for Anonymity

To prevent information leaks, disable logging:

Nginx

access_log off;
error_log /dev/null crit;

Apache

CustomLog /dev/null common
ErrorLog /dev/null

Securing the Server

  • Use Fail2Ban to prevent brute-force attacks:
    sudo apt install fail2ban -y
  • Secure SSH:
    • Disable root login (PermitRootLogin no in /etc/ssh/sshd_config)
    • Change default SSH port (Port 2222 instead of Port 22)
  • Encrypt sensitive data using LUKS or encfs.

Conclusion

By following these steps, you will have a secure and anonymous Tor Hidden Service without exposing your server to exit traffic risks. Maintain best security practices and keep your software updated to protect your service. 🚀

Copyright

S. Volkan Sah
