HowTo - Create a Tor Hidden Service


    You don't have to be a criminal to want a web service hidden away behind The Onion Router. It is always a good idea to be careful on the Internet especially with any personal information.
    So, how hard is it to Torify a web service? The answer is that it is not hard at all. When I say that, I mean only that the Tor part of doing this is the easy part, and that is all I will be looking at in this post.

    To Torify a web service I used a brand new installation of the Ubuntu Server 18.04 LTS and I will go through this step-by-step.

    The first thing I did was to verify what the IP address of the server is and whether anything was already listening on TCP port 80, which I was planning on using.
    # ss -antp                // Show the services already in use
    # ip address              // Show the IP address(es) of this server
    The "ss" command is the replacement for the now deprecated "netstat" command, and the "ip address" command is the replacement for the "ifconfig" command. The "ip address" command can be shortened to "ip a" for faster typing, and "ss -lntp" limits the output to TCP sockets that are actually listening. If the TCP port you are planning on using is already in use, this is the time to stop and disable those services. You do not need a public IP address for this: Tor makes only outbound connections to the Tor network, so a hidden service works just as well behind NAT or on an RFC1918 address as it does on a public VPS. What matters is that the server can reach the Tor network.

    To have something to test on I decided to just use Apache2 as it is readily available and easy to set up.
    # sudo apt-get update             // Update repository
    # sudo apt-get install apache2    // Install Apache2
    Apache2 will start running as soon as the installation is complete and it might be a good time to just verify again with the "ss -antp" command. There is no reason to spend a lot of time debugging Tor when something doesn't work if it is just Apache not running.
    I am trying to keep this short, but I want to mention that if you want Apache2 to serve HTTPS you can run the commands below to enable it.
    # sudo apt-get install ssl-cert   // Package for dummy certificates
    # sudo a2ensite default-ssl.conf  // Enable the default Apache ssl site
    # sudo a2enmod ssl                // Enable SSL
    # sudo systemctl reload apache2   // Reload Apache
    A note on not just the SSL part but the full Apache2 configuration: this is not a secure installation, but it is an easy and handy one that works well for this example and keeps this guide short. The "ssl-cert" package only gives you the self-signed "snakeoil" certificate, which every browser will warn about. TLS is optional on an onion service anyway: the connection is already encrypted end to end between the client and your Tor daemon, and the .onion name itself authenticates the service. It is far easier to do a manual installation once you have an overview of which steps are needed and where to look when things do not work.

    Now it is time to install Tor. I will use the package that comes with Ubuntu even though it will likely never be the latest and greatest. Again, if you want a secure installation you should install the current release from the Tor Project's own apt repository, where you will also find information on how to configure the updated versions by hand.
    # sudo apt-get install tor
    Tor will also start running as soon as the installation finishes. You can verify this by trying out the "ss -antp | grep 9050" command. The local Tor proxy that is now running is listening on port 9050 by default.
    Now we need to set up our Tor Hidden Service in the "torrc" config file. The file uses the same syntax on every operating system, so there should be no surprises in there; only its location differs.
    # sudo nano /etc/tor/torrc
    Scroll down to the section starting with "############### This section is just for location-hidden services ###", as this is where we will add our configuration.

    We will add the following two lines defining the HiddenService directory and port. Make sure to never set the HiddenServiceDir to your web root or any other location accessible from your website. Tor creates the directory if it does not exist; it must be owned by the user Tor runs as (debian-tor on Ubuntu) and accessible to that user only, or Tor will refuse to start.
    HiddenServiceDir /var/lib/tor/hidden_service/
    HiddenServicePort 80 127.0.0.1:80
    The first number on the HiddenServicePort line is the virtual port, the port on which Tor exposes your Tor Hidden Service to the world; in this case we picked port 80. It is followed by the target, "127.0.0.1:80", which is where the service is actually provided on your local server; that is, your Apache web server listening on the localhost address on TCP port 80. If you want to increase your security you need to configure Apache2 to listen ONLY on 127.0.0.1: if it also listens on the server's public address, the same content is reachable on the clearnet, which makes it trivial to link the onion address to the server's IP. You should also consider a port above the System Ports range (0 to 1023). On Linux you have to be root (or hold the CAP_NET_BIND_SERVICE capability) to listen on a port below 1024, so what Apache2 does is start as root, create the listening socket on that port and then drop its privileges to the www-data user. If you pick a User Port (1024 or higher) you get the ability to run Apache2 as a non-root user from the start. To keep this short I will not talk about how to do that. Also, there is no guarantee you will pick Apache2 for your project.
    You can add more hidden services there if you need to, or change the above configuration to fit your setup: each service gets its own HiddenServiceDir line followed by one or more HiddenServicePort lines. You might want to use HTTPS or almost any other service you need.

    Note that if you are not using Ubuntu 18.04 LTS as I do and have a hard time locating the "torrc" file you can try using "locate" to find it. You might have to update the database once but I still find it faster than using "find".
    # sudo updatedb           // Update the database for locate
    # locate torrc            // Search for the file
    Now we are done and we only need one final step to get your Tor Hidden Service up and running. We have to restart Tor so that it will read the HiddenServiceDir and HiddenServicePort we configured earlier.
    # sudo systemctl restart tor
    When Tor is restarted two things happen. Tor creates the key material and the hostname for the service in the HiddenServiceDir we configured in the "torrc" configuration file. With the Tor version packaged for Ubuntu 18.04 (0.3.2) the default is still a version 2 service, so you get a "private_key" file bound to our service and a "hostname" file containing our 16-character Onion address. Tor 0.3.5 and later default to version 3 services, where the key lives in "hs_ed25519_secret_key" (with a matching "hs_ed25519_public_key") and "hostname" holds a 56-character address; version 2 services were removed in Tor 0.4.6, so do not build anything new on them. Whichever version you get, the private key is the identity of your service: anyone holding it can impersonate your .onion address, so back it up off the server and keep it out of the web root. The location may be different for you if you changed the HiddenServiceDir or added more services than I did.

    # sudo cat /var/lib/tor/hidden_service/private_key
    # sudo cat /var/lib/tor/hidden_service/hostname
    Now you should be up and running with your Tor Hidden Service. I will leave you to do your own hardening and improvements. And as I mentioned earlier it is recommended to download and configure an updated Tor installation instead of using the one already packaged to your distribution. Chances are that it is already outdated.
    Last edited by Resheph; 06-17-2018, 02:48 PM. Reason: Corrected a typo
    Certified Security Geek
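The walkthrough above leaves the two checks a practitioner cares most about to the reader: that Apache really is bound to loopback only, and that the onion is reachable through Tor. The script below is an added example written for this page, not code from the original post. It assumes, beyond what the post states, that Tor runs as the Ubuntu/Debian "debian-tor" user, that Apache's listeners are configured in /etc/apache2/ports.conf with the stock 000-default.conf site, and that Tor's SOCKS proxy is on 127.0.0.1:9050. The helper functions run offline; nothing on the system is changed unless TOR_HS_APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the original post): apply the loopback-only
# Apache binding and the torrc lines from the walkthrough, then verify
# the result through Tor. Assumed (not stated on the page): Tor runs as
# "debian-tor", Apache listens via /etc/apache2/ports.conf, SOCKS proxy
# on 127.0.0.1:9050. Set TOR_HS_APPLY=1 to actually change the system.

HS_DIR="${HS_DIR:-/var/lib/tor/hidden_service}"  # never under the web root
LOCAL_PORT="${LOCAL_PORT:-80}"                    # loopback port Apache uses
ONION_PORT="${ONION_PORT:-80}"                    # port clients see on the .onion
SOCKS="${SOCKS:-127.0.0.1:9050}"

# torrc lines for one service. HiddenServiceVersion 3 is spelled out so the
# result does not depend on which Tor release picked the default.
torrc_snippet() {
    printf 'HiddenServiceDir %s/\n' "$1"
    printf 'HiddenServiceVersion 3\n'
    printf 'HiddenServicePort %s 127.0.0.1:%s\n' "$2" "$3"
}

# Succeed only if every active Listen directive in a ports.conf binds to
# 127.0.0.1. "Listen 80", "Listen 0.0.0.0:80" and "Listen [::]:80" publish
# the same content on the server's public IP and tie it to the onion.
apache_listens_loopback_only() {
    if grep -Ei '^[[:space:]]*Listen[[:space:]]' "$1" \
       | grep -Eiqv '^[[:space:]]*Listen[[:space:]]+127\.0\.0\.1:[0-9]+([[:space:]]+[a-z]+)?[[:space:]]*$'
    then
        return 1
    fi
    return 0
}

# v2 names are 16 base32 characters, v3 names are 56; anything else means
# the hostname file was not written by Tor.
is_onion_address() {
    printf '%s\n' "$1" | grep -Eq '^([a-z2-7]{16}|[a-z2-7]{56})\.onion$'
}

# Tor writes hostname shortly after start; poll for up to 30 seconds.
wait_for_hostname() {
    i=0
    while [ "$i" -lt 30 ]; do
        if sudo test -s "$1/hostname"; then
            sudo cat "$1/hostname"
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

apply() {
    # Apache: loopback only, plain HTTP, and stop advertising the version.
    printf 'Listen 127.0.0.1:%s\n' "$LOCAL_PORT" | sudo tee /etc/apache2/ports.conf >/dev/null
    sudo sed -i "s/\*:80>/127.0.0.1:$LOCAL_PORT>/" /etc/apache2/sites-enabled/000-default.conf
    sudo sed -i 's/^ServerTokens .*/ServerTokens Prod/; s/^ServerSignature .*/ServerSignature Off/' \
        /etc/apache2/conf-available/security.conf
    apache_listens_loopback_only /etc/apache2/ports.conf || return 1
    sudo systemctl restart apache2

    # Tor: 0700 directory owned by the Tor user (Tor refuses anything more
    # permissive), torrc lines appended once, restart, wait for the name.
    sudo install -d -m 0700 -o debian-tor -g debian-tor "$HS_DIR"
    if ! sudo grep -qF -- "HiddenServiceDir $HS_DIR/" /etc/tor/torrc; then
        torrc_snippet "$HS_DIR" "$ONION_PORT" "$LOCAL_PORT" | sudo tee -a /etc/tor/torrc >/dev/null
    fi
    sudo systemctl restart tor
    onion=$(wait_for_hostname "$HS_DIR") || { echo "no hostname yet; see journalctl -u tor" >&2; return 1; }
    is_onion_address "$onion" || { echo "unexpected hostname: $onion" >&2; return 1; }
    echo "onion address: $onion"

    # Fetch through Tor's SOCKS port. Publishing the descriptor takes a
    # while, so retry for about two minutes before calling it a failure.
    i=0
    while [ "$i" -lt 12 ]; do
        code=$(curl -s -o /dev/null -w '%{http_code}' --socks5-hostname "$SOCKS" \
               "http://$onion:$ONION_PORT/" 2>/dev/null) || code=000
        if [ "$code" = "200" ]; then
            echo "reachable through Tor (HTTP $code)"
            return 0
        fi
        sleep 10
        i=$((i + 1))
    done
    echo "not reachable through Tor yet" >&2
    return 1
}

if [ "${TOR_HS_APPLY:-0}" = "1" ]; then
    apply
fi
```

Run it as `TOR_HS_APPLY=1 sh tor-hs.sh` on the server; `curl --socks5-hostname` matters because it makes Tor resolve the .onion name instead of your local resolver, which would otherwise leak the lookup. If you later change HiddenServiceDir or the port, the grep guard keeps the script from appending a second copy of the lines to torrc.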