
Hi shadow, On Sat, Jan 30, 2016 at 12:00:57PM +0100, shadow wrote:
> To fix this problem in an apache setup and keep mod_status enabled, I did the following:
>
> 1. Only allow 127.0.0.1 to request server-status in mod_status
> 2. Map the HiddenService on another IP (here: the internal IP of the machine)
> 3. Force Apache to Listen on the internal IP and port
> 4. Setup a virtual host for IP and port
>
> 1. # /etc/apache2/mods-enabled/status.conf
> Require ip 127.0.0.1
>
> 2. # /etc/tor/torrc
> HiddenServiceDir /var/lib/tor/hidden_service/
> HiddenServicePort 80 192.168.2.4:8888
>
> 3. # /etc/apache2/ports.conf
> #ListenOnHsPorts
> Listen 192.168.2.4:8888
>
> 4. <VirtualHost 192.168.2.4:8888>
> ServerName fooou4vhdb26iks.onion
> DocumentRoot /var/www/mysite.org/www
> snip --- 8< ----
> </VirtualHost>
Perhaps 127.0.0.X where X [2-254]? e.g.

# ip addr add 127.0.0.27 dev lo
HiddenServicePort 80 127.0.0.27:8888
Listen 127.0.0.27:8888
VirtualHost 127.0.0.27:8888

192.168.Y.Z is routable on local networks, leaving you one configuration mistake away from revealing your hidden service locally.

As a second layer of defense against mis-configuration, set your iptables to restrict processes running as the tor user/group to tcp:127.0.0.27:8888 [1]. Then, drop anything else with that destination.

You can really lock down the box via iptables default DROP policies (-P) and explicitly allowing narrowly acceptable traffic. It takes a bit to set up, but for single-purpose boxes, it's doable.

hth,
Jason.

[1] caveat: The tor process also needs Internet access in order to be effective. ;-)
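Jason's warning about a routable backend address can be checked mechanically before deploying. The script below is an added example, not part of the thread or of Tor/Apache: it parses HiddenServicePort lines from a torrc and Listen lines from ports.conf (the embedded samples are constructed to mirror shadow's config) and flags a hidden-service backend that is not on loopback, or one that Apache is not bound to. It assumes HiddenServicePort targets are written as IP:PORT; bare-port and unix-socket targets are ignored.

```python
import ipaddress
import re

# Constructed sample fragments mirroring the config quoted in the thread.
TORRC = """\
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 192.168.2.4:8888
"""
PORTS_CONF = """\
#ListenOnHsPorts
Listen 192.168.2.4:8888
"""


def hs_targets(torrc):
    """Return (virtual_port, ip, port) for every HiddenServicePort IP:PORT line."""
    out = []
    for line in torrc.splitlines():
        m = re.match(r"\s*HiddenServicePort\s+(\d+)\s+(\S+):(\d+)", line)
        if m:
            out.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return out


def listen_sockets(ports_conf):
    """Return the set of (ip, port) pairs Apache is told to Listen on."""
    out = set()
    for line in ports_conf.splitlines():
        m = re.match(r"\s*Listen\s+(\S+):(\d+)", line)
        if m:
            out.add((m.group(1), int(m.group(2))))
    return out


def audit(torrc, ports_conf):
    """Findings: backends reachable off-box, and backends Apache does not serve."""
    findings = []
    listens = listen_sockets(ports_conf)
    for vport, ip, port in hs_targets(torrc):
        addr = ipaddress.ip_address(ip)
        # 127.0.0.0/8 never leaves the host; anything else (e.g. 192.168.x.y) can.
        if not addr.is_loopback:
            findings.append(f"HiddenServicePort {vport} -> {ip}:{port} is routable")
        if (ip, port) not in listens:
            findings.append(f"no Listen {ip}:{port} for HiddenServicePort {vport}")
    return findings


if __name__ == "__main__":
    for f in audit(TORRC, PORTS_CONF):
        print("WARNING:", f)
```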