[tor-onions] If you run a Tor hidden service for an Apache server, make sure you disable mod_status
shadow
shadow at systemli.org
Sat Jan 30 11:00:57 UTC 2016
Hello all,
Alec, you raised an important point.
I think the problem is the example config for Tor hidden services, which
suggests using 127.0.0.1:80.
Apache is not the only software out there which may leak metadata due
to this "misconfiguration".
The folks at riseup did a good write-up:
https://help.riseup.net/en/security/network-security/tor/onionservices-best-practices#be-careful-of-localhost-bypasses
For some monitoring tools, for example munin, mod_status is essential.
To fix this problem in an Apache setup and keep mod_status enabled, I
did the following:
>
> I did the following:
>
> 1. Only allow 127.0.0.1 to request server-status in mod_status
> 2. Map the HiddenService on another IP (here: the internal IP of the machine)
> 3. Force Apache to Listen on the internal IP and port
> 4. setup a virtual host for IP and port
>
> 1.
> #/etc/apache2/mods-enabled/status.conf
>
> Require ip 127.0.0.1
>
> 2.
> # /etc/tor/torrc
> HiddenServiceDir /var/lib/tor/hidden_service/
> HiddenServicePort 80 192.168.2.4:8888
>
> 3.
> # /etc/apache2/ports.conf
> #ListenOnHsPorts
> Listen 192.168.2.4:8888
>
> 4.
> <VirtualHost 192.168.2.4:8888>
>
> ServerName fooou4vhdb26iks.onion
> DocumentRoot /var/www/mysite.org/www
> snip --- 8< ----
> </VirtualHost>
>
On 30.01.2016 08:46, Alec Muffett wrote:
> A word for the wise...
>
> https://wireflaw.net/blog/apache-hidden-service-vuln.html
>
> Tor hidden service operators: your default Apache install is probably
> vulnerable
>
> TL;DR If you run a Tor hidden service for an Apache server, make sure
> you disable mod_status with: $ a2dismod status
>
> On most distributions, Apache ships with a handy feature called
> mod_status enabled. It's a page located at /server-status that displays
> some statistics, like uptime, resource usage, total traffic, enabled
> virtual hosts, and active HTTP requests. For security reasons, it's only
> accessible from localhost by default.
>
> This seems fairly reasonable, until you realize the Tor daemon runs on
> localhost. Consequently, any hidden service using Apache's default
> config has /server-status exposed to the world. What could a malicious
> actor do in that case? They could spy on potentially sensitive requests.
> They could deduce the server's approximate longitude if the timezone is
> set. They could even determine its IP address if a clearnet Virtual Host
> is present.
>
> But this shouldn't be too much of a problem. Surely people who have
> taken the time to install an advanced web server and configure a hidden
> service for it have thoroughly read the documentation and disabled the
> offending module.
>
> Or not.
>
> [continues...]
>
>
> --
> http://dropsafe.crypticide.com/aboutalecm
>
>
--
best regards | viele Gruesse, shadow at systemli.org
receive my key:
gpg --keyserver zimmermann.mayfirst.org --recv-keys 0x5C6B6ED4248C1F32
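As an added illustration of the four-step fix above (not code from the list post or from the Tor or Apache projects), the following check reads a torrc and an Apache status.conf and reports whether a visitor of the onion service could reach /server-status. It mirrors Apache's documented semantics of "Require local", which also matches when client and server address are the same, so step 1 ("Require ip 127.0.0.1") matters even after step 2 moves the backend off loopback. The sample configs are constructed; the 192.168.2.4 address is the one from the post.

```python
import re
import ipaddress

# Constructed sample configs: the stock status.conf and the default torrc
# example mapping to 127.0.0.1:80, plus the fixed versions from the post.
DEFAULT_STATUS_CONF = """<Location /server-status>
    SetHandler server-status
    Require local
</Location>
"""
DEFAULT_TORRC = "HiddenServiceDir /var/lib/tor/hidden_service/\nHiddenServicePort 80 127.0.0.1:80\n"
FIXED_STATUS_CONF = "<Location /server-status>\n SetHandler server-status\n Require ip 127.0.0.1\n</Location>\n"
FIXED_TORRC = "HiddenServiceDir /var/lib/tor/hidden_service/\nHiddenServicePort 80 192.168.2.4:8888\n"


def hidden_service_targets(torrc):
    """Backend (host, port) of each HiddenServicePort line; a bare port means 127.0.0.1."""
    targets = []
    for m in re.finditer(r"^\s*HiddenServicePort\s+\d+\s+(\S+)", torrc, re.M):
        target = m.group(1)
        if target.startswith("unix:"):   # socket targets carry no IP; skip them
            continue
        host, _, port = target.rpartition(":")
        host = "127.0.0.1" if host in ("", "localhost") else host
        targets.append((host, port))
    return targets


def status_access_rules(status_conf):
    """Require directives found inside the /server-status Location block."""
    block = re.search(r"<Location\s+/server-status>(.*?)</Location>", status_conf, re.S | re.I)
    return re.findall(r"^\s*Require\s+(.+?)\s*$", block.group(1), re.M) if block else []


def rule_allows(rule, client_ip, server_ip):
    """Apache semantics: 'local' matches loopback OR client address == server address."""
    words = rule.split()
    if words[0] == "local":
        return ipaddress.ip_address(client_ip).is_loopback or client_ip == server_ip
    if words[0] == "ip":
        return any(ipaddress.ip_address(client_ip) in ipaddress.ip_network(n, strict=False)
                   for n in words[1:])
    return words == ["all", "granted"]


def server_status_reachable_via_onion(torrc, status_conf):
    """True if onion visitors reach /server-status. Assumes tor and Apache share a host,
    so Tor's connection to a backend arrives from that backend's own address."""
    rules = status_access_rules(status_conf)
    return any(rule_allows(r, host, host) for host, _ in hidden_service_targets(torrc) for r in rules)
```

With mod_status disabled (no status.conf at all) the check reports nothing reachable, matching the a2dismod advice in Alec's mail.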