On Fri, Aug 31, 2018, 19:59 Micah Lee <micah@micahflee.com> wrote:
On 08/30/18 08:33, Jason S. Evans wrote:
> Hi all,
>
> How can I best audit an onion service to make sure that my IP can not
> easily be compromised? Is there a list of things to do to try to hack my
> own site to try to find the IP?

In addition to what everyone else said, there's also a pretty awesome
tool called OnionScan which will scan http onion services looking for
leaks -- IP address, but also things like exif metadata in jpegs it finds.

I used this on the onion site version of https://onionshare.org and it
discovered that I had apache2's mod_status enabled which was leaking the
real IP address of the server.

Here's the website:
https://onionscan.org/

Here's the code, along with build instructions (it's written in golang):
https://github.com/s-rah/onionscan

sweet!

I just finished to port OnionScan for FreeBSD, and should be in the tree soon; https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231508