On Fri, Aug 31, 2018, 19:59 Micah Lee micah@micahflee.com wrote:
On 08/30/18 08:33, Jason S. Evans wrote:
Hi all,
How can I best audit an onion service to make sure that my IP can not easily be compromised? Is there a list of things to do to try to hack my own site to try to find the IP?
In addition to what everyone else said, there's also a pretty awesome tool called OnionScan which will scan http onion services looking for leaks -- IP address, but also things like exif metadata in jpegs it finds.
I used this on the onion site version of https://onionshare.org and it discovered that I had apache2's mod_status enabled which was leaking the real IP address of the server.
Here's the website: https://onionscan.org/
Here's the code, along with build instructions (it's written in golang): https://github.com/s-rah/onionscan
sweet!
I just finished to port OnionScan for FreeBSD, and should be in the tree soon; https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231508