On 31 August 2018 at 08:58, dylan@fdylan.co.uk wrote:
ensure that your external website(s)are only listening on external ip addresses"
I believe you mean that the website host (Apache/nginx) listen only on localhost, and NOT on external at all. Otherwise, shodan will find it, and your code will leak the IP.
No, I meant that. I'm assuming one is running a webserver that is hosting both clearnet websites and onion websites through vhosts. For example, my own tomritterbassljd.onion and ritter.vg (obviously this is not trying to be a hidden service, just an onion service so I'm using it as my example.) There are two attack vectors there:
Sending a Host: ritter.vg to my onion site (over tor of course) and retrieving the website for ritter.vg. Sending a Host: tomritterbassljd.onion to my clearnet site (not through Tor) and retrieving the Hidden Service.
So to mitigate this you need to make sure that your onionsites are listening only on local addresses and your clearnet sites are listening only on external addresses.
Alternately (and this is what I do) you can set up your onionsite on a local address and non-standard port (e.g. 88), and ensure that only the onionsite is accessible on that port and the clearnet sites are not. Then you can have your clearnet sites listen on both the external IP(s) and 127.0.0.1:80/443 like normal.
-tom