On 02/06/2015 08:49 AM, [email protected] wrote:
> Mirimir wrote:
>>> When you have a website that is available from a tor secret service, how
>>> do you forbid access to URLs restricted to ip=localhost?
>>>
>>> I'm thinking of apache default http://xxxxx.onion/server-status for example.
>>>
>>> Using "a2dismod status" is the obvious solution for that one, but does
>>> anyone have a more generic solution?
>>> Maybe a full VM with a vif interface? That's a heavy solution...
>>> Anything more simple?
>>
>> You can use firewall rules.
>> (...)
>
> I don't think you can use a firewall, no:
>
> "apachectl status" is querying from localhost to
> http://localhost:80/server-status
>
> Connection from tor hidden service also comes from localhost and
> iptables won't help there.
Sane (or prudent, anyway) hidden service operators put the tor process on a
separate machine, or at least a VM. As you note below.

> I tried 10 random http hidden services with that trick, and could find 2
> servers with information that shouldn't be available, like which services
> are sharing on the same server, the security patch level, list of URLs
> being served, and so on. I also could read one public IP on another one. :(
>
> If you run apache, you should probably disable mod_status. Now.

That's prudent, no doubt.

> # grep -iEr 'require +local' /etc/apache2/
> lists possible problems for apache2.4, for example.
> Each webapp should also be checked for special permissions granted when
> the remote IP is actually localhost.
>
>
> Documentation really should warn about this, IMHO:
> https://www.torproject.org/docs/tor-hidden-service.html
> and possibly a one-line warning in the example torrc since
> "HiddenServicePort 80 127.0.0.1:80" typically is a problem.

Yes.

> I might move httpd and tor to 2 different VMs. Any nicer idea?

Using separate VMs for server and tor would be good.

-- 
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
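The check the thread sketches, written out as a small audit script. This is an added example, not code from either poster or from the Tor Project. It generalises the `grep -iEr 'require +local' /etc/apache2/` one-liner above: it also catches Apache 2.2-style `Allow from 127...` and 2.4 `Require ip 127...` rules, and it correlates them with `HiddenServicePort` lines in torrc that forward to a loopback address, which is exactly the combination that lets a .onion visitor look like a local client. The directory layout, the sample Apache and torrc files and the function names are assumptions constructed for the demo; run it against `/etc/apache2` and `/etc/tor/torrc` on a real host.

```shell
#!/bin/sh
# Added audit script (not from the thread). It expands the thread's
#   grep -iEr 'require +local' /etc/apache2/
# to Apache 2.2 "Allow from 127..." and 2.4 "Require ip 127..." rules and
# cross-checks them against torrc HiddenServicePort lines that forward to
# loopback. Every hidden-service request reaches httpd from 127.0.0.1, so
# such rules admit anonymous .onion visitors. The sample configs below are
# constructed for the demo; paths and names are assumptions.

# Access rules that trust the loopback client address. Output is grep's
# "path:line:text" form, one finding per line.
find_local_grants() {
    grep -inEr \
        -e '^[[:space:]]*Require[[:space:]]+local([[:space:]]|$)' \
        -e '^[[:space:]]*Require[[:space:]]+ip[[:space:]]+(127\.|::1)' \
        -e '^[[:space:]]*Allow[[:space:]]+from[[:space:]]+(127\.|::1|localhost)' \
        "$1" 2>/dev/null
}

# HiddenServicePort lines whose target is loopback, including the bare
# "HiddenServicePort 80" form (tor then defaults to 127.0.0.1:80).
# Prints the arguments only, e.g. "80 127.0.0.1:80".
find_loopback_hs_ports() {
    grep -iE '^[[:space:]]*HiddenServicePort[[:space:]]+[0-9]+([[:space:]]+(127\.[0-9.]+|localhost|\[::1\])(:[0-9]+)?)?[[:space:]]*$' \
        "$1" 2>/dev/null |
        sed -E 's/^[[:space:]]*HiddenServicePort[[:space:]]+//'
}

# $1: Apache config dir, $2: torrc. Returns 1 only when both a loopback-based
# grant and a loopback-forwarded hidden service exist, i.e. the exposure
# described in the thread.
audit_hs_localhost() {
    hs_grants=$(find_local_grants "$1" || true)
    hs_ports=$(find_loopback_hs_ports "$2" || true)
    if [ -z "$hs_grants" ]; then
        echo "OK: no loopback-based access grants under $1"; return 0
    fi
    if [ -z "$hs_ports" ]; then
        echo "INFO: loopback grants found, but no hidden service forwards to loopback"; return 0
    fi
    echo "WARNING: hidden-service clients arrive from 127.0.0.1 and match these rules:"
    echo "$hs_grants"
    echo "forwarded by: HiddenServicePort $hs_ports"
    return 1
}

# Constructed sample tree: a stock mod_status block, a 2.2-style admin
# directory, a vhost that denies /server-status outright (must not be
# flagged), a torrc forwarding to loopback, and the same torrc pointing at
# httpd on a separate VM as the thread recommends.
make_sample_configs() {
    mkdir -p "$1/apache2/mods-enabled" "$1/apache2/conf-enabled" "$1/apache2/sites-enabled"
    cat > "$1/apache2/mods-enabled/status.conf" <<'EOF'
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        Require local
    </Location>
</IfModule>
EOF
    cat > "$1/apache2/conf-enabled/admin.conf" <<'EOF'
<Directory /var/www/admin>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Directory>
EOF
    cat > "$1/apache2/sites-enabled/onion.conf" <<'EOF'
<VirtualHost 127.0.0.1:80>
    <Location /server-status>
        Require all denied
    </Location>
</VirtualHost>
EOF
    printf 'HiddenServiceDir /var/lib/tor/hidden_service/\nHiddenServicePort 80 127.0.0.1:80\n' > "$1/torrc"
    printf 'HiddenServiceDir /var/lib/tor/hidden_service/\nHiddenServicePort 80 10.0.0.5:80\n' > "$1/torrc.separate-vm"
}

# Demo on the constructed tree. Real use: audit_hs_localhost /etc/apache2 /etc/tor/torrc
demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir"
audit_hs_localhost "$demo_dir/apache2" "$demo_dir/torrc" || true
audit_hs_localhost "$demo_dir/apache2" "$demo_dir/torrc.separate-vm"
rm -rf "$demo_dir"
```

The script deliberately reports the separate-VM torrc as INFO rather than OK: the `Require local` rule is still there, and it becomes a hole again the moment someone points a `HiddenServicePort` back at 127.0.0.1. The grep patterns only cover the stock directives; per-application "trust localhost" logic, as the thread notes, still has to be reviewed by hand.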
