Blocking traceroute
I want to create a Tor hidden server, which people SSH into over Tor. Users could discover the server's IP by running traceroute. To stop this I have added a simple rule to pf.conf based off "helping traceroute". Otherwise they could just build or run their own binary traceroute.

    block on em0 inet proto udp to port 33433 >< 33626

This appears to work, but couldn't traceroute be built to use other UDP ports? Perhaps I should block all UDP ports, it is no big loss really.

Is there anything else I should take into consideration when trying to prevent a server from being discovered? The server will be behind a NAT with only a LAN address.
Re: Blocking traceroute
I've just been thinking about how I will block everything and still have Tor. I will have Tor on the NAT and have it accept connections from the hidden server, and users can make outgoing connections through Tor only using socat. Thinking about it, the server will simply have no Internet and the only port it will be able to access is Tor. I think that solves it.

> On Thu, 2013-04-18 at 22:35 +, fek...@tormail.org wrote:
>> I want to create a Tor hidden server, which people SSH into over Tor.
>> Users could discover the IP server by running traceroute. To stop this I
>> have added a simple rule to pf.conf based off "helping traceroute".
>> Otherwise they could just build or run their own binary traceroute.
>
> Doesn't traceroute need to be setuid root to work?
>
> $ ls -l `which traceroute`
> -r-sr-xr-x 1 root bin 189176 Aug 1 2012 /usr/sbin/traceroute
>
> Though, honestly, traceroute is the least of your problems, read on...
>
>> Is there anything else I should take into consideration when trying to
>> prevent a server from being discovered? The server will be behind a NAT
>> with only a LAN address.
>
> ping, ifconfig, lynx or for that matter most web browsers (that can be
> used to browse to sites like ipchicken.com or whatismyip.com). Unless,
> of course, you are careful to either only allow outbound connections via
> Tor (difficult but possible), or not allow outside Internet connectivity
> at all (easier but may well defeat the purpose of what you're trying to
> do).
>
> --
> Shawn K. Quinn
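One way to put the "no Internet, only Tor" design from this thread into pf rules, as an added example that is not from either poster. It assumes two hosts: the hidden SSH host at 10.0.0.2 on em0 and the NAT gateway at 10.0.0.1 on em1, with Tor on the gateway listening on SocksPort 9050; all addresses, interface names and the port are assumptions. The point is a default-deny policy on the hidden host, so that the traceroute port range, other UDP ports, ping and "what is my IP" web sites are all covered by the same rule rather than enumerated.

```pf
# --- /etc/pf.conf on the hidden SSH host (LAN address only) ---
lan_if   = "em0"
gateway  = "10.0.0.1"     # assumed: LAN address of the NAT box that runs Tor
tor_port = "9050"         # assumed: Tor SocksPort on the gateway

set skip on lo

# Default deny in both directions. With no egress at all there is no UDP,
# ICMP or TCP path for any traceroute variant, and no direct route to
# ipchicken.com-style services, whatever binary a user builds.
block all

# Tor on the gateway connects to the hidden service's SSH port
# (torrc on the gateway: HiddenServicePort 22 10.0.0.2:22).
# pf is stateful, so the SSH replies are allowed by this rule's state.
pass in on $lan_if proto tcp from $gateway to ($lan_if) port 22

# The only permitted outbound connection: the gateway's Tor SOCKS port,
# which user processes reach via socat.
pass out on $lan_if proto tcp from ($lan_if) to $gateway port $tor_port


# --- /etc/pf.conf fragment on the NAT/Tor gateway ---
lan_if   = "em1"
hidden   = "10.0.0.2"     # assumed: LAN address of the hidden host
tor_port = "9050"

# Accept the hidden host only on the Tor SOCKS port, then drop everything
# else from it before any "match ... nat-to" rule could forward it.
# "quick" makes these first-match, so ordering matters.
pass in quick on $lan_if proto tcp from $hidden to ($lan_if) port $tor_port
block in quick on $lan_if from $hidden
```

Two consequences worth checking after loading this: the hidden host has no DNS path, so names must be resolved by Tor (socks4a/socks5 with remote resolution) rather than by the host, and `pfctl -s rules -v` on the gateway should show the `block in quick` counter climbing if anything on the hidden host tries to reach the Internet directly.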
user websites on apache chroot
I want to avoid using Apache 2.x for my server and want a chroot, but where users can have their own webpages. It doesn't need to be automated; I'm happy to edit httpd.conf to add each virtual server. I'd also like php to run as that user. Can I run php via cgi on Apache 1.3?
NAT with one interface
According to the pf FAQ page for network address translation: "An OpenBSD system doing NAT will have at least two network adapters, one to the Internet, the other to your internal network." I have a VPS with two IP addresses, one for the Internet and one for a VLAN. I have another VPS just on the VLAN. I am wondering if I can do a NAT on the first VPS for the second.
Re: NAT with one interface
> On 2013-04-21, Ted Unangst wrote:
>> On Sun, Apr 21, 2013 at 00:47, Stuart Henderson wrote:
>>
>>> I've changed the FAQ to say "interfaces" rather than "adapters" to
>>> make it more obvious that there's no problem doing this with vlans.
>>
>> Strictly speaking, you don't even need vlans. You can NAT off a single
>> interface with two IPs.
>>
>>                            /--- inside machine 1
>>   uplink   switch   NAT router
>>                            \-- inside machine 2
>>
>> This will work, although your uplink may or may not enjoy your
>> "inside" packets occasionally leaking into their network.
>
> Indeed, though I think this is sufficiently unusual that including
> it in the FAQ would be counter-productive ;)

Actually it's not that unusual, seems to be standard fare if you've got two VPS's at a colo and one without Internet. They typically only have one interface.
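A pf.conf for the single-interface case Ted describes, as an added example that is not from the thread or the FAQ. It assumes the VPS with Internet has one interface, vio0, carrying both the public address 192.0.2.10 and the VLAN-side address 10.0.0.1, and that the second VPS lives in 10.0.0.0/24 with 10.0.0.1 as its default route; every name and address here is an assumption. The `to ! $inside` restriction is what keeps inside-to-inside traffic from being rewritten, which is the "leaking" concern raised above in its simplest form.

```pf
# /etc/pf.conf on the VPS that has the public address.
# Also needs net.inet.ip.forwarding=1 in /etc/sysctl.conf.
ext_if  = "vio0"           # assumed: the only interface, carrying both addresses
ext_ip  = "192.0.2.10"     # assumed: public address (documentation range)
inside  = "10.0.0.0/24"    # assumed: VLAN range holding the second VPS

set skip on lo

# Rewrite the source address of inside traffic to the public address, but
# only when it is actually leaving for the Internet: traffic between inside
# hosts keeps its private source and is not pushed out as a NATed packet.
match out on $ext_if inet from $inside to ! $inside nat-to $ext_ip

block all

# The inside VPS sends its packets in on the same interface they will
# leave through; state created here lets the replies back to it.
pass in  on $ext_if inet from $inside to ! $inside
pass out on $ext_if inet

# Management access to this host itself, from the inside range only
pass in on $ext_if inet proto tcp from $inside to ($ext_if) port 22
```

On the inside VPS nothing pf-specific is required beyond `route add default 10.0.0.1` (or 10.0.0.1 in /etc/mygate); `pfctl -s state` on the NAT host should then show each inside connection twice, once with the private source and once rewritten to 192.0.2.10.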