Configuring A Hidden Service on Ubuntu Server

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

A) Ubuntu Server:

1 Go to http://www.ubuntu.com/download/server.
1.1 Download Ubuntu Server and install.

1.2 Configure Networking

1.3 Update

sudo apt-get update
sudo apt-get upgrade -y

2 Extra Security
2.1 Install the following:

sudo apt-get install ufw chkrootkit rkhunter

2.2 Configure ufw ( Uncomplicated Firewall )
sudo ufw default deny incoming
sudo ufw default allow outgoing
2.2.1 Manually edit UFW to disable ICMP network traffic:
sudo vi /etc/ufw/before.rules
Comment out the 5 rules in the ‘ok icmp codes for INPUT’ section:
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

2.2.2 Enable the Uncomplicated Firewall:
sudo ufw enable

2.3 Configure chkrootkit
sudo vi /etc/chkrootkit.conf

Edit:
RUN_DAILY="true"
RUN_DAILY_OPTS=""

2.3.1 Manually run chkrootkit ( do this regularly )
sudo chkrootkit > logfile.log 2>&1

2.4 Set cron for RKHunter:
sudo vi /etc/default/rkhunter

Edit:
CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"

2.5 Manually run RKHunter
sudo rkhunter --propupd --update --versioncheck

2.6 Disable IPv6
sudo vi /etc/default/grub
Find:
GRUB_CMDLINE_LINUX_DEFAULT=""
Inline edit:
GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"

2.6.1 Update Grub
sudo update-grub

Important: At this point the server is ready for you to install either the SecureDrop or the GlobaLeaks platform. If instead you intend to run your hidden service for something other than a secure whistleblower platform, complete the following:

3 Install apache2 and tor packages:
sudo apt-get install -y apache2 tor

3.1 Configure your apache2 to listen on 127.0.0.1 only:
echo "Listen 127.0.0.1:80" | sudo tee /etc/apache2/ports.conf

3.2 Change apache’s user from www-data to debian-tor so that Tor can read only its directories:
sudo vi /etc/apache2/envvars
export APACHE_RUN_USER=debian-tor
export APACHE_RUN_GROUP=debian-tor
sudo service apache2 stop
sudo chown -R debian-tor:debian-tor /var/{lock,log}/apache2 /var/www

4 Security:
4.1 Hide your onion address private_key:
sudo vi /etc/apache2/apache2.conf
<FilesMatch "private_key">
Require all denied
</FilesMatch>

4.2 Change two options:
sudo vi /etc/apache2/conf-enabled/security.conf
ServerSignature Off
ServerTokens Prod

4.3 Disable server-status modules:
sudo a2dismod status
sudo rm -f /etc/apache2/mods-available/status.*
sudo rm -f /etc/apache2/mods-enabled/status.*

4.4 Return a server error 403 to requests for /server-status:
sudo vi /etc/apache2/sites-enabled/000-default.conf
Append to bottom:
<Location /server-status>
SetHandler server-status
Require all denied
</Location>
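The settings from 3.1, 4.2 and 4.3 are easy to get wrong silently (a second Listen line left in ports.conf, a default that creeps back after an upgrade), so here is an added audit script that is not part of the original guide. It reads an /etc/apache2-style tree and reports whether Apache is bound to 127.0.0.1 only, whether ServerSignature is Off and ServerTokens is Prod, and whether mod_status is still enabled. The Ubuntu directory layout it expects and the two sample trees it builds are assumptions; the real host is checked with "audit_apache_tree /etc/apache2".

```shell
#!/bin/sh
# Added example (not part of the original guide): audit an /etc/apache2-style
# tree for the hardening points in sections 3.1, 4.2 and 4.3: Listen bound to
# 127.0.0.1 only, ServerSignature Off, ServerTokens Prod, mod_status disabled.
# The directory layout mirrors Ubuntu's /etc/apache2 (assumption).

# Return 0 if every uncommented Listen directive in FILE binds 127.0.0.1.
listen_is_loopback_only() {
    ports_conf="$1"
    # Any Listen line that is not "Listen 127.0.0.1:<port>" is a finding.
    if grep -E '^[[:space:]]*Listen[[:space:]]' "$ports_conf" 2>/dev/null \
        | grep -vE '^[[:space:]]*Listen[[:space:]]+127\.0\.0\.1:[0-9]+[[:space:]]*$' \
        | grep -q .; then
        return 1
    fi
    # No Listen at all is also wrong: Apache would not bind anywhere useful.
    grep -qE '^[[:space:]]*Listen[[:space:]]+127\.0\.0\.1:' "$ports_conf" 2>/dev/null
}

# Return 0 if the last uncommented DIRECTIVE in FILE has VALUE (case-insensitive).
directive_equals() {
    file="$1"; directive="$2"; want="$3"
    # Later directives override earlier ones, so only the last one counts.
    have=$(grep -iE "^[[:space:]]*${directive}[[:space:]]+" "$file" 2>/dev/null \
        | tail -n 1 | awk '{ print $2 }')
    [ "$(printf '%s' "$have" | tr '[:upper:]' '[:lower:]')" = \
      "$(printf '%s' "$want" | tr '[:upper:]' '[:lower:]')" ]
}

# Return 0 if mod_status is not enabled (no status.load under mods-enabled).
status_module_disabled() {
    [ ! -e "$1/mods-enabled/status.load" ]
}

# Audit the tree rooted at ROOT: findings go to stderr, the count to stdout.
# Exit status is 0 only when there are no findings.
audit_apache_tree() {
    root="$1"; findings=0
    listen_is_loopback_only "$root/ports.conf" \
        || { echo "FINDING: Apache listens on a non-loopback address" >&2; findings=$((findings + 1)); }
    directive_equals "$root/conf-enabled/security.conf" ServerSignature Off \
        || { echo "FINDING: ServerSignature is not Off" >&2; findings=$((findings + 1)); }
    directive_equals "$root/conf-enabled/security.conf" ServerTokens Prod \
        || { echo "FINDING: ServerTokens is not Prod" >&2; findings=$((findings + 1)); }
    status_module_disabled "$root" \
        || { echo "FINDING: mod_status is still enabled" >&2; findings=$((findings + 1)); }
    echo "$findings"
    [ "$findings" -eq 0 ]
}

# Build a constructed fixture tree (sample data, not a real server's config).
# MODE is "hardened" (as in the guide) or "default" (stock Ubuntu settings).
make_fixture() {
    root="$1"; mode="$2"
    mkdir -p "$root/conf-enabled" "$root/mods-enabled"
    if [ "$mode" = hardened ]; then
        printf 'Listen 127.0.0.1:80\n' > "$root/ports.conf"
        printf 'ServerTokens Prod\nServerSignature Off\n' > "$root/conf-enabled/security.conf"
    else
        printf 'Listen 80\n\n<IfModule ssl_module>\n\tListen 443\n</IfModule>\n' > "$root/ports.conf"
        printf 'ServerTokens OS\nServerSignature On\n' > "$root/conf-enabled/security.conf"
        : > "$root/mods-enabled/status.load"
    fi
}

# Stand-alone demo: audit both fixtures. On a real host run
# "audit_apache_tree /etc/apache2" instead (it only reads, never writes).
demo_dir=$(mktemp -d)
make_fixture "$demo_dir/default" default
make_fixture "$demo_dir/hardened" hardened
echo "default tree: $(audit_apache_tree "$demo_dir/default") finding(s)"
echo "hardened tree: $(audit_apache_tree "$demo_dir/hardened") finding(s)"
rm -rf "$demo_dir"
```

The stock tree produces four findings, the hardened one none. The Listen check deliberately rejects a file with no Listen at all as well as one with a non-loopback Listen, and the directive check reads the last occurrence because Apache lets a later directive override an earlier one.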

Important:
Only install MYSQL & PHP if you need to use them

5 Install MYSQL:

5.1 Run the following
sudo apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql
sudo mysql_install_db
sudo /usr/bin/mysql_secure_installation
Follow instructions…

6 Install PHP:

6.1 Run the following commands
sudo apt-get install php5 libapache2-mod-php5 php5-mcrypt
sudo nano /etc/apache2/mods-enabled/dir.conf

Add the following:
<IfModule mod_dir.c>
DirectoryIndex index.php index.html index.htm
</IfModule>
Don’t forget to configure your php.ini file!

7 Let’s create your first hidden web page:
echo "Hello world!" | sudo tee /var/www/index.php

8 Restart apache2:
sudo service apache2 start

9 Tor:
9.1 Let’s configure Tor:
sudo tee -a /etc/tor/torrc > /dev/null << EOF
HiddenServiceDir /var/lib/tor/hidden_service
HiddenServicePort 80 127.0.0.1:80
EOF

9.2 Edit the AppArmor profile for Tor; only one line needs to be added:
sudo vi /etc/apparmor.d/system_tor
owner /var/www/** rwk,

Restart apparmor:
sudo service apparmor restart

9.3 Restart Tor daemon:
sudo service tor restart
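Two things in the torrc from 9.1 decide whether the service is actually hidden: every HiddenServicePort must forward to a loopback target (otherwise the same content is reachable outside Tor), and the HiddenServiceDir must never sit under the web root, or the private_key that 4.1 tries to protect becomes a servable file. The script below is an added check, not part of the original guide; it parses a torrc with the same grammar Tor uses (a bare target port means 127.0.0.1:port, and an omitted target means 127.0.0.1:virtual port). The web root path and the two sample torrc files are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original guide): sanity-check the hidden
# service stanza of a torrc. Every HiddenServicePort must forward to a loopback
# target (so the service is reachable only through Tor, as in 9.1), and no
# HiddenServiceDir may sit under the web root (so private_key can never be
# served, the risk 4.1 guards against). The web root path is an assumption.

# Print "<virtual port> <target>" for every HiddenServicePort in FILE.
# Tor's default target is 127.0.0.1:<virtual port>; a bare port means 127.0.0.1:<port>.
hs_ports() {
    grep -E '^[[:space:]]*HiddenServicePort[[:space:]]' "$1" 2>/dev/null \
        | awk '{ t = ($3 == "") ? $2 : $3
                 if (t !~ /:/) t = "127.0.0.1:" t
                 print $2, t }'
}

# Return 0 if every target is a loopback IPv4 address, localhost, or a unix socket.
hs_targets_are_local() {
    offenders=$(hs_ports "$1" \
        | awk '$2 !~ /^(127\.[0-9]+\.[0-9]+\.[0-9]+|localhost):[0-9]+$/ && $2 !~ /^unix:/')
    [ -z "$offenders" ]
}

# Return 0 if no HiddenServiceDir in FILE is WEBROOT or lies beneath it.
hs_dirs_outside_webroot() {
    torrc="$1"; webroot="$2"
    offenders=$(grep -E '^[[:space:]]*HiddenServiceDir[[:space:]]' "$torrc" 2>/dev/null \
        | awk '{ print $2 }' | grep -E "^${webroot}(/|\$)")
    [ -z "$offenders" ]
}

# Write a constructed sample torrc (not a real config) in MODE "guide" or "bad".
make_torrc() {
    if [ "$2" = guide ]; then
        cat > "$1" <<'EOF'
HiddenServiceDir /var/lib/tor/hidden_service
HiddenServicePort 80 127.0.0.1:80
EOF
    else
        cat > "$1" <<'EOF'
# private_key would land inside the document root, and port 80 forwards to all interfaces
HiddenServiceDir /var/www/hidden_service
HiddenServicePort 80 0.0.0.0:80
HiddenServicePort 22 22
EOF
    fi
}

# Check one torrc against one web root; print verdicts, return 0 only if both pass.
check_torrc() {
    rc=0
    if hs_targets_are_local "$1"; then echo "ok: all HiddenServicePort targets are local"
    else echo "FAIL: a HiddenServicePort target is not loopback"; rc=1; fi
    if hs_dirs_outside_webroot "$1" "$2"; then echo "ok: no HiddenServiceDir under $2"
    else echo "FAIL: a HiddenServiceDir is under $2"; rc=1; fi
    return "$rc"
}

# Stand-alone demo on the two constructed files; on a real host use
# "check_torrc /etc/tor/torrc /var/www".
demo_dir=$(mktemp -d)
make_torrc "$demo_dir/guide.torrc" guide
make_torrc "$demo_dir/bad.torrc" bad
check_torrc "$demo_dir/guide.torrc" /var/www
check_torrc "$demo_dir/bad.torrc" /var/www || true
rm -rf "$demo_dir"
```

The guide's own stanza passes both checks; the bad sample fails both, and its "HiddenServicePort 22 22" line shows the bare-port form being expanded to 127.0.0.1:22 before the loopback test runs.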

10 DoS Attack Mitigation:
10.1 Enable mod_reqtimeout
sudo a2enmod reqtimeout

10.2 Harden the prefork mod
sudo vi /etc/apache2/mods-enabled/mpm_prefork.conf
Set MaxRequestWorkers to be greater than default 150
MaxRequestWorkers 500
Add this line:
ServerLimit 500

10.3 Edit Apache configuration file
sudo vi /etc/apache2/apache2.conf
Set Timeout to something lower than default 300
Timeout 30
10.4 Restart Apache
sudo service apache2 restart

Final Tips:
-- You need to harden your Apache and PHP. There are plenty of tutorials around that explain all of this.
-- Use Torify to do updates
-- MANDATORY: Use a network firewall. I recommend SG-22220 pfSense router [here]

  • Allow Tor outbound
  • Allow DNS
  • Allow NTP
  • Drop all other traffic

Github
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----