Hi shadow,
On Sat, Jan 30, 2016 at 12:00:57PM +0100, shadow wrote:
> To fix this problem in an Apache setup and keep mod_status enabled, I did the following:
>
> Only allow 127.0.0.1 to request server-status in mod_status
> Map the HiddenService on another IP (here: the internal IP of the machine)
> Force Apache to Listen on the internal IP and port
> Set up a virtual host for IP and port
>
> # /etc/apache2/mods-enabled/status.conf
> Require ip 127.0.0.1
>
> # /etc/tor/torrc
> HiddenServiceDir /var/lib/tor/hidden_service/
> HiddenServicePort 80 192.168.2.4:8888
>
> # /etc/apache2/ports.conf
> #ListenOnHsPorts
> Listen 192.168.2.4:8888
>
> <VirtualHost 192.168.2.4:8888>
>     ServerName fooou4vhdb26iks.onion
>     DocumentRoot /var/www/mysite.org/www
>     snip --- 8< ----
> </VirtualHost>
perhaps 127.0.0.X where X is in [2-254]? e.g.
# ip addr add 127.0.0.27 dev lo
HiddenServicePort 80 127.0.0.27:8888
Listen 127.0.0.27:8888
VirtualHost 127.0.0.27:8888
192.168.Y.Z is routable on local networks, leaving you one configuration mistake away from revealing your hidden service locally.
As a second layer of defense against mis-configuration, set your iptables to restrict processes running as the tor user/group to tcp:127.0.0.27:8888 [1]. Then, drop anything else with that destination.
You can really lock down the box via iptables default DROP policies (-P) and explicitly allowing narrowly acceptable traffic. It takes a bit to set up, but for single-purpose boxes, it's doable.
hth,
Jason.
[1] caveat: The tor process also needs Internet access in order to be effective. ;-)
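As an added example that is not from shadow's or Jason's mail, here is a small Python audit of the two setups discussed above. It parses the HiddenServicePort targets out of a torrc and the Listen directives out of an Apache ports file, flags any hidden-service backend whose target is not a loopback address (or whose Listen binds every interface, or does not match the target at all), and emits the owner-matched iptables rules for the second layer of defense. The sample config strings are constructed from the fragments quoted in the thread, and the `debian-tor` account name is an assumption (Debian's default for the tor daemon), not something the mail states.

```python
import ipaddress

# Constructed sample fragments (not from the original mail): the posted
# 192.168.2.4 setup beside the 127.0.0.27 loopback-alias variant.
TORRC_LAN = "HiddenServiceDir /var/lib/tor/hidden_service/\nHiddenServicePort 80 192.168.2.4:8888\n"
PORTS_LAN = "Listen 80\nListen 192.168.2.4:8888\n"
TORRC_LO = "HiddenServiceDir /var/lib/tor/hidden_service/\nHiddenServicePort 80 127.0.0.27:8888\n"
PORTS_LO = "Listen 127.0.0.27:8888\n"


def _strip(line):
    """Drop comments and whitespace; '' for blank or comment-only lines."""
    return line.split("#", 1)[0].strip()


def parse_target(target):
    """(ip, port) for a HiddenServicePort TARGET; None for a unix socket.
    A bare port means 127.0.0.1:port, which is tor's own default."""
    if target.startswith("unix:"):
        return None
    if ":" not in target:
        return ipaddress.ip_address("127.0.0.1"), int(target)
    host, _, port = target.rpartition(":")        # keeps [::1]:8888 intact
    return ipaddress.ip_address(host.strip("[]")), int(port)


def tor_hs_targets(torrc):
    """[(virtport, target)] for every HiddenServicePort line; a missing TARGET
    defaults to 127.0.0.1:VIRTPORT."""
    out = []
    for line in torrc.splitlines():
        parts = _strip(line).split()
        if len(parts) >= 2 and parts[0].lower() == "hiddenserviceport":
            virt = int(parts[1])
            out.append((virt, parts[2] if len(parts) > 2 else f"127.0.0.1:{virt}"))
    return out


def apache_listens(conf):
    """[(ip_or_None, port)] for every Listen directive; None = every interface."""
    out = []
    for line in conf.splitlines():
        parts = _strip(line).split()
        if len(parts) >= 2 and parts[0].lower() == "listen":
            spec = parts[1]
            if ":" not in spec:
                out.append((None, int(spec)))
            else:
                host, _, port = spec.rpartition(":")
                out.append((ipaddress.ip_address(host.strip("[]")), int(port)))
    return out


def audit(torrc, apache_conf):
    """Findings as strings; an empty list means every HS backend is a loopback
    address and Apache binds exactly that address, nothing wider."""
    findings = []
    listens = apache_listens(apache_conf)
    for virt, target in tor_hs_targets(torrc):
        parsed = parse_target(target)
        if parsed is None:
            continue  # unix socket: nothing reachable over TCP at all
        ip, port = parsed
        if not ip.is_loopback:
            findings.append(f"HiddenServicePort {virt} -> {target}: target is not a loopback address")
        bound = [(lip, lport) for lip, lport in listens if lport == port]
        if not bound:
            findings.append(f"HiddenServicePort {virt} -> {target}: no Listen on port {port}")
        for lip, lport in bound:
            if lip is None or lip.is_unspecified:
                findings.append(f"Listen {lport}: binds every interface, not only {ip}")
            elif lip != ip:
                findings.append(f"Listen {lip}:{lport}: does not match HS target {ip}")
    return findings


def iptables_rules(ip, port, tor_user="debian-tor"):
    """The mail's second layer as iptables commands: only the tor account may reach
    the backend, every other local process is refused that destination, and tor
    keeps its non-loopback (Internet) access per footnote [1].  Meant to sit in
    front of a default-DROP OUTPUT policy.  'debian-tor' is an assumed account name."""
    return [
        f"iptables -A OUTPUT -o lo -d {ip} -p tcp --dport {port} "
        f"-m owner --uid-owner {tor_user} -j ACCEPT",
        f"iptables -A OUTPUT -d {ip} -p tcp --dport {port} -j DROP",
        f"iptables -A OUTPUT ! -o lo -m owner --uid-owner {tor_user} -j ACCEPT",
    ]


if __name__ == "__main__":
    for name, t, p in (("LAN", TORRC_LAN, PORTS_LAN), ("loopback", TORRC_LO, PORTS_LO)):
        print(name, audit(t, p) or "ok")
    print("\n".join(iptables_rules("127.0.0.27", 8888)))
```

Run it against the real `/etc/tor/torrc` and `/etc/apache2/ports.conf` before enabling the service; the one-finding result for the 192.168.2.4 variant is exactly the misconfiguration the mail warns about, and the loopback variant comes back clean.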