Hidden service sysadmin tips (Apache/Apache2)
#1
It is unbelievable when you see the amount of Apache webservers that are still used for serving hidden services.

Apache (although being a great webserver) has a lot of per default enabled configs that could unmask your hidden service, or in other words, de-anonymize you.

For this thread, I am assuming that you use a Linux environment as using a Windows environment for hidden service hosting is something I consider a nogo.

Here is a small list on what considerations you should take when you are serious about running a hidden service:

Bind to Localhost:

An absolute must. Scanners could match your website content with your IP address if you don't bind to localhost. You can bind your apache webserver to localhost by configuring your ports.conf file. Simply change

Code:
listen *:80

(or)

Code:
listen :80

to

Code:
listen 127.0.0.1:80

Remove server details

This is a good practice to make it harder for malicious people to find security flaws.

First of all, ABSOLUTELY A MUST, disable your apache status page. If you don't know what I'm talking about, navigate to your domain/server-status (or simply open 127.0.0.1/server-status) and you will see what I am talking about. The server list sensitive data about it.

You can disable it by opening your terminal and typing

Code:
sudo a2dismod status

Disable other potentially dangerous server information by configuring security.conf and changing the ServerSignature + ServerTokens to

Code:
ServerSignature Off
ServerTokens Prod

Directory Listing

Simply use

Code:
sudo a2dismod autoindex

to disable directory listing.

Set proper permissions

If your webserver runs as root, this can be a dangerous issue. You can make sure that your server runs as a non-root user by using the

Code:
chown

command. I won't go into details as it is possible that you want some of your webfiles to run as individual users.

Use less dynamic scripts

Use only HTML if possible. If you need PHP (for example to run a chatroom running LE-CHAT or something) you need to take care of PHP security settings as well.

Note to myself... might do a tutorial on PHP security too :-)

Patch your server (update) as soon as a new version is out.

Cheers!
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  [Blog-Post] Hosting a Tor Hidden Service Decently Insider 3 22,559 08-08-2021, 02:53 AM
Last Post: Smoky