Hi List. Sorry to push this up, just wondering if this approach is so stupid that it's not even worth leaving a related comment to it ;-) Or is it just of no interest?
Any comments appreciated. Greetings, Manfred

On 26.10.2013 01:09, "Manfred Ackermann" <[email protected]> wrote:

> I've just finished successfully a Proof-of-Concept to implement
> anonymization at server level. I would be pleased if you guys can review
> this approach and extend it and/or show me the caveats ;-)
>
> The rough picture is assuming someone somehow injected bad code into a
> seized site to get hands on visitor infos collected out of HTTP
> Request/Response (visitor not capable of setting up privoxy the right way
> or even socksing directly into tor).
>
> To protect I've:
> - setup one HiddenService (aaaVisible.onion) that connects to intercepting
>   privoxy (IPr)
> - setup 2nd HiddenService (bbbDblHidden.onion) only accepting from (IPr)
> - setup IPr to rewrite aaaVisible.onion to bbbDblHidden.onion removing bad
>   stuff from Req./Resp.
>
> This makes the Service double Hidden, more difficult to hack into it,
> redirect-able and protects dumb visitors against revealing information
> (fingerprints).
>
> Client <-> Tor <-> Tor:HS <-> Privoxy <-> Tor <-> Tor:HS <-> (STunnel <->) Service
>
> The STunnel is used to move the IPv4 Service away from the HiddenService
> declaration and is optional but recommended. Also the Service is only allowed
> to "speak" to STunnel and has no Internet access.
>
> To check this out on a single server w/o STunnel do this (named
> onion-links ARE AN EXAMPLE ONLY):
>
> Get Tor and Privoxy up'n'running like a normal Tor-Entry-Point.
>
> Modify /etc/tor/torrc:
>
> HiddenServiceDir /var/lib/tor/onion_relay/
> HiddenServicePort 80 127.0.0.1:8118
>
> HiddenServiceDir /var/lib/tor/hidden_service/
> HiddenServicePort 80 127.0.0.1:80
>
> Do on the shell
>
> /etc/init.d/tor restart
>
> or in arm do x x to sighup tor.
>
> As AN EXAMPLE this gives
>
> mr2t4bnopbqy2ql7.onion => "Onion-Relay"
> cmt6wblsm36iuoqn.onion => "HiddenService"
>
> Prepare the Service (here Apache2):
>
> Create /etc/apache/sites-available/tor
>
> <VirtualHost *:80>
>     ServerAdmin [email protected]
>     ServerName cmt6wblsm36iuoqn.onion
>     DocumentRoot /var/www/tor
>     <Directory />
>         Options FollowSymLinks
>         AllowOverride None
>     </Directory>
>     <Directory /var/www/tor>
>         Options Indexes FollowSymLinks MultiViews
>         AllowOverride None
>         # requests carrying the shared passphrase header set ONION_RELAY_AUTH
>         SetEnvIf X-Onion-Relay-Passphrase JeoyuXm0xyRgjcAylh6bSfckZRlhWIJs ONION_RELAY_AUTH
>         Order Deny,Allow
>         Deny from All
>         Allow from env=ONION_RELAY_AUTH
>     </Directory>
>     ErrorLog ${APACHE_LOG_DIR}/tor-error.log
>     LogLevel warn
>     CustomLog ${APACHE_LOG_DIR}/tor-access.log combined
> </VirtualHost>
>
> Do on the shell
>
> mkdir /var/www/tor
> echo '<html><body><h1>cmt6wblsm36iuoqn.onion</h1>
> <img src="http://cmt6wblsm36iuoqn.onion/x.jpg"></body></html>' > /var/www/tor/index.html
> cp some-nice-jpg-file.jpg /var/www/tor/x.jpg
> cd /etc/apache/sites-enabled
> ln -s ../sites-available/tor 001-tor
> /etc/init.d/apache2 restart
>
> Prepare Privoxy
>
> In /etc/privoxy/config:
>
> accept-intercepted-requests 1
>
> In /etc/privoxy/user.action:
>
> { \
> +hide-user-agent{Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0 (Tor Browser Bundle)} \
> +hide-accept-language{en-us,en;q=0.5} \
> }
> /
>
> { \
> +server-header-filter{server-ident-rewrite} \
> +client-header-filter{onion-request-rewrite} \
> +filter{onion-response-rewrite} \
> +add-header{X-Onion-Relay-Passphrase: JeoyuXm0xyRgjcAylh6bSfckZRlhWIJs} \
> }
> mr2t4bnopbqy2ql7.onion
>
> In /etc/privoxy/user.filter:
>
> SERVER-HEADER-FILTER: server-ident-rewrite Replace Server Ident String
> s@^(Server:)\s*.*$@$1 Http/1.1@i
>
> CLIENT-HEADER-FILTER: onion-request-rewrite Replace x.onion with y.onion
> s@^(Host:)\s*mr2t4bnopbqy2ql7\.onion$@$1 cmt6wblsm36iuoqn.onion@i
>
> FILTER: onion-response-rewrite Replace y.onion with x.onion
> s/cmt6wblsm36iuoqn\.onion/mr2t4bnopbqy2ql7.onion/ig
>
> Do on the shell
>
> /etc/init.d/privoxy restart
>
> Try in the browser:
>
> HiddenService direct: cmt6wblsm36iuoqn.onion => 403 Forbidden
> HiddenService indirect by privoxy onion-rewrite: mr2t4bnopbqy2ql7.onion =>
> the result from cmt6wblsm36iuoqn.onion
>
> Have a look at the Response Headers (e.g. Firefox plugin WebDeveloper =>
> Information => Response Headers) and you see Server: Apache/2.2.22
> (Ubuntu) is replaced by Server: Http/1.1. Also do modify the index file in
> the web root to show request vars like user-agent and accept-language ... here
> for example response content can be removed to prevent 3rd party JavaScript
> or Flash injection to the visitor.
> ---
> Regards,
> Manfred Ackermann
> PGP 0xED5E5F28
>

-- 
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
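As an added example (my own code, not from Manfred's post or from Privoxy), the following Python emulates what the user.action/user.filter rules and the Apache passphrase gate above do to a request and a response, plus the leak check a reviewer would run over the relayed result. The onion names, passphrase and UA string are the ones from the post; the function names and all request/response lines are assumptions constructed for the example.

```python
import re
# Onion names, passphrase and UA string come from the post; all traffic below is constructed.
RELAY = "mr2t4bnopbqy2ql7.onion"
BACKEND = "cmt6wblsm36iuoqn.onion"
PASSPHRASE = "JeoyuXm0xyRgjcAylh6bSfckZRlhWIJs"
TBB_UA = ("Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 "
          "Firefox/17.0 (Tor Browser Bundle)")

def relay_request(lines):
    """Client side of the relay: hide UA/Accept-Language, rewrite Host, add the passphrase."""
    out = []
    for line in lines:
        name = line.split(":", 1)[0].strip().lower()
        if name == "user-agent":                  # +hide-user-agent{...}
            line = "User-Agent: " + TBB_UA
        elif name == "accept-language":           # +hide-accept-language{...}
            line = "Accept-Language: en-us,en;q=0.5"
        # onion-request-rewrite: s@^(Host:)\s*<relay>$@$1 <backend>@i
        line = re.sub(r"^(Host:)\s*" + re.escape(RELAY) + r"$",
                      r"\1 " + BACKEND, line, flags=re.I)
        out.append(line)
    out.append("X-Onion-Relay-Passphrase: " + PASSPHRASE)   # +add-header{...}
    return out

def backend_status(lines):
    """Apache side: SetEnvIf + Deny from All / Allow from env= -> 403 unless the header matches."""
    for line in lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "x-onion-relay-passphrase" and value.strip() == PASSPHRASE:
            return 200
    return 403

def relay_response(header_lines, body):
    """server-ident-rewrite on the Server header, onion-response-rewrite on the body only."""
    hdrs = [re.sub(r"^(Server:)\s*.*$", r"\1 Http/1.1", h, flags=re.I) for h in header_lines]
    return hdrs, re.sub(re.escape(BACKEND), RELAY, body, flags=re.I)

def leaks(header_lines, body):
    """Reviewer check: does anything still name the backend or the real server software?"""
    found = []
    text = "\n".join(header_lines)
    if BACKEND in (text + "\n" + body).lower():
        found.append("backend onion name visible")
    m = re.search(r"^Server:\s*(.*)$", text, flags=re.I | re.M)
    if m and m.group(1).strip() != "Http/1.1":
        found.append("server banner: " + m.group(1).strip())
    return found
```

Running leaks() over a relayed redirect shows one gap in the config as posted: the +filter rewrites the body only, so a backend name in a response header such as Location passes through unchanged unless a SERVER-HEADER-FILTER covers it too.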
