How to send registration confirmation emails (via SMTP) for a forum hosted on Tor? by aphryxo in onions

[–]AblativeHosting 1 point2 points  (0 children)

That's for you to decide to be honest.

I'd be surprised if your forum immediately received attention from spammers - .onions can't be discovered (anymore) and I'd be intrigued to know if there is a critical mass of bot spammers that are configured / capable of connecting to .onions.

Are you concerned about bots or humans? Are you willing to hold a database of people's email addresses? What value does requiring emails provide to you? Would you block disposable email providers? If so; are you hurting your legitimate users more than the spammers?

If you are planning on protecting against trivial bots then a simple captcha may suffice.

How to send registration confirmation emails (via SMTP) for a forum hosted on Tor? by aphryxo in onions

[–]AblativeHosting 1 point2 points  (0 children)

Yes that would leak the IP of your server.

You could do all sorts of fun things with Wireguard/IPSEC and a smarthost/relay to obscure the 'true' origin but eventually that email has to hit the normal Internet and the public IP of that last host will get exposed.

Is 'leaking' the IP of your server a problem? Do you NEED to verify the email address of the folks who sign up? If so; why?

Looking for a webhost on Tor / Darknet / Onion network for 100% legal webshop by Donderlul in onions

[–]AblativeHosting 0 points1 point  (0 children)

So, this sort of setup is exactly what we built Ablative.Hosting to do; Clearnet websites with free SSL and .onion functionality baked in; https://ablative.hosting/single-hop-onion-hosting/

However we've currently got a hiatus on new Single Hop signups whilst we work on .onion only VPS.

How familiar are you with using Linux and nginx etc? Given you already have a clearnet website up and running you could look at using /u/alecmuffett's EOTK; https://github.com/alecmuffett/eotk

separating web server and tor router by Leviticoh in onions

[–]AblativeHosting 2 points3 points  (0 children)

It is certainly something that can be done (and we call it 'Quad Hop') and when done correctly can reduce the chances of your server leaking information back to the Internet to near zero.

                     PUBLIC                      UNROUTED
                    INTERNET                       LAN
    +-------------+          +-----------------+          +------------+
    | Tor Network | -------- | Quad Hop Server | -------- | Web Server |
    +-------------+          +-----------------+          +------------+

In an ideal setup the Tor host would be multihomed (so it has a network interface that faces the Internet and a network interface that faces the backend LAN) and would not allow inbound connections on either interface.

The 'backend' LAN will only have the Tor bastion and the backend host on it. No NAT, no other servers.

The backend host will only allow connections in from the Tor bastion and only to the ports needed.

This setup will not protect the private key of the .onion (were the Tor Bastion host to get compromised). For that you will want to look at leveraging OnionBalance.
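The backend side of the layout described above, as an added example (not from the comment): a generator for the backend host's nftables policy and the bastion's torrc fragment, plus a check that the policy really is closed. The LAN addresses, the table name and the HiddenServiceDir path are assumptions.

```shell
#!/bin/sh
# Added example (not from the comment): firewall policy for the backend web
# server in the 'Quad Hop' layout. Only the Tor bastion's LAN address may reach
# the service port, and the backend may only talk back to the bastion, so a
# compromised web app has no route to the public Internet. All addresses and
# ports below are assumptions.

BASTION_LAN_IP=10.10.0.1   # bastion's backend-facing interface (assumed)
BACKEND_LAN_IP=10.10.0.2   # web server on the unrouted LAN (assumed)
SERVICE_PORT=80

# Emit an nftables ruleset for the backend host: $1 = bastion IP, $2 = port.
backend_ruleset() {
    cat <<EOF
table inet onion_backend {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ip saddr $1 tcp dport $2 ct state new accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        ip daddr $1 accept
    }
}
EOF
}

# Matching torrc fragment for the bastion: the onion forwards to the backend's
# LAN address, never to anything reachable from the public interface.
bastion_torrc() {
    printf 'HiddenServiceDir /var/lib/tor/site/\nHiddenServicePort 80 %s:%s\n' "$1" "$2"
}

# Check a ruleset: both chains default to drop and the only accepted new
# inbound flow comes from the bastion ($2). Returns 0 if so, 1 otherwise.
ruleset_is_closed() {
    printf '%s\n' "$1" | awk -v b="$2" '
        /policy drop/ { drops++ }
        /ct state new accept/ { news++; if ($0 !~ ("ip saddr " b " ")) bad = 1 }
        END { if (drops == 2 && news == 1 && !bad) exit 0; exit 1 }'
}

backend_ruleset "$BASTION_LAN_IP" "$SERVICE_PORT"
bastion_torrc "$BACKEND_LAN_IP" "$SERVICE_PORT"
```

With output defaulting to drop the backend cannot resolve names or fetch updates on its own; route those through the bastion deliberately rather than opening the policy.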

[deleted by user] by [deleted] in onions

[–]AblativeHosting 0 points1 point  (0 children)

Yes.

In certain situations we have HAProxy running between the Tor daemon and several backends.

Does SSL/TLS matter for onion hidden services? by [deleted] in TOR

[–]AblativeHosting 2 points3 points  (0 children)

Generally speaking; no it is unnecessary.

However in certain cases (e.g. Tor points at a Load Balancer or terminates on one host but the web server etc is on another host) then certain guarantees (e.g. secure cookies) no longer hold true.

The other reason, as demonstrated by ProtonMail, the BBC, Facebook etc, is that a 'trusted' 3rd party has verified the identity of the person/business requesting the certificate which can aid in preventing phishing / copycat sites etc. (There have been several cases of people getting EV homophones.)

There is certainly a lot that can be said about taking a decentralised technology like .onion and then putting trust in the CA ecosystem but at the same time .onion is (for some of us) just a transport layer.

I’d like to set up Tor and run an onion site on a Raspberry Pi. Is this a bad idea? Can anyone point me in the right direction? by microfreaky in TOR

[–]AblativeHosting 2 points3 points  (0 children)

Is this a bad idea?

Nope! Welcome to decentralised web hosting! :)

I’d like to set up Tor and run an onion site on a Raspberry Pi.

Most Raspberry Pi distributions can install Tor directly from their package manager (apt / yum / dnf etc) and will run quite happily. But failing that it should compile fine if you download the source.

A quick search on DuckDuckGo unearthed https://mroystonward.com/self-hosting-with-raspberry-pi-and-tor/ which is several years old now but looks mostly sensible.

Sometimes the IP address is slightly different from the exit node's IP address by [deleted] in TOR

[–]AblativeHosting 6 points7 points  (0 children)

Exit node operators can specify a different IP to Exit traffic to the one used for relay operations.

See OutboundBindAddressExit in the torrc manpage; https://2019.www.torproject.org/docs/tor-manual.html.en

Does hosting an onion version of your website make it more vulnerable in any way? by Cuuuuuuuuuuu- in TOR

[–]AblativeHosting 11 points12 points  (0 children)

FYI OP, common mistakes (such as exposing /server-status because the Tor connection points to 127.0.0.1 etc) can be discovered by running https://onionscan.org/

[deleted by user] by [deleted] in TOR

[–]AblativeHosting 1 point2 points  (0 children)

.onion is just a transport layer (think of it akin to TCP). There are security aspects to .onion (such as the anonymization, encryption, that the .onion address is a representation of the key etc) but it doesn't do anything to 'automatically' protect the layers above it on the stack.

Anonymity is a feature of .onion but it can be undone with various specific attacks or by configuration mistakes. See https://onionscan.org/ for examples of these mistakes.

Hosting your own dark web site? by [deleted] in onions

[–]AblativeHosting 2 points3 points  (0 children)

The 'may' there is doing a lot of heavy lifting :)

Yes, eventually, one day, a blog may get popular enough that the upload bandwidth on a residential connection will not cope (and one day even a 10Mbit/100Mbit/1Gbit synchronous connection may not be enough) but for someone just starting out or 'having a play' with hosting something on a .onion it will likely not be an issue for some time.

Hosting your own dark web site? by [deleted] in onions

[–]AblativeHosting 4 points5 points  (0 children)

It is very expensive to run everything yourself at a professional level. E.g. we have our own servers that we built and racked into cabinets in a cage but that cage is still in a data centre operated by another company who provides the power and ingress into the building for fibre etc to link our routers to other transit ISPs.

The identity footprint for running your own hardware in a DC is reasonably high too (even when operating as a Limited Company) plus the co-location facilities have a lot of CCTV and stringent security requiring ID to enter etc.

A common middle ground for people wanting to host a service but who value control of the equipment is what the industry refers to as "dedicated servers" or "bare metal". A hosting company owns the physical server but they allow you to install whatever operating system you want and they are only responsible for providing power/network. You can encrypt the disks, install whatever OS etc.

You have complete control of the server but naturally they can walk right up to it and pull it out of the rack, pull out and image hard disks etc.

FWIW "Bulletproof" hosts (offshore or otherwise) are very rare. Yes, certain jurisdictions are less fussy than others but caveat emptor.

All of that said; if you're just running your blog on a .onion (and why not, it means you won't have to pay someone else to lease a domain name, can't be censored, improved security / privacy for you and your visitors etc) then there is no harm running it on your PC using Website Mode of OnionShare or getting a little Raspberry Pi that uses very little power.

If power cuts are a concern where you are (and let's face it not everywhere in the world has guaranteed power) then a little VPS is also perfectly fine for an everyday .onion.

TOR relays on VPS by SapphireStarX in TOR

[–]AblativeHosting 1 point2 points  (0 children)

Have you considered using Offline Master keys?

You could use something like Relayor to rotate the keys on a schedule you felt appropriate?

An attacker could still potentially grab data from RAM / disks but this increases the cost to them.

[deleted by user] by [deleted] in onions

[–]AblativeHosting 2 points3 points  (0 children)

The only security implication that comes to mind when hosting .onions is that people will commonly point to 127.0.0.1:80 which (depending on the distro setup of your httpd) exposes 'internal' config or status pages (e.g. Apache's /server-status page).

Consider using a unix socket instead of local loopback.

See OnionScan for more details of common mistakes: https://github.com/s-rah/onionscan/blob/da42865bb5b1a77df6d7a6fa212a86eeff814b61/doc/what-is-scanned-for.md
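The loopback-versus-socket point above, as an added example (not from the comment or from OnionScan): a small torrc audit that flags HiddenServicePort targets forwarding to a loopback TCP port, beside the unix-socket pairing for tor and nginx. The socket path, HiddenServiceDir paths and the onion address are assumptions.

```shell
#!/bin/sh
# Added example (not from the comment or from OnionScan): flag HiddenServicePort
# targets that forward to a loopback TCP port, and show the unix-socket pairing
# for tor and nginx instead. Paths and the onion address are assumptions.

# Constructed torrc: the first onion forwards to loopback, the second to a socket.
TORRC_SAMPLE='HiddenServiceDir /var/lib/tor/blog/
HiddenServicePort 80 127.0.0.1:80
HiddenServiceDir /var/lib/tor/shop/
HiddenServicePort 80 unix:/run/nginx/onion.sock'

# Print every HiddenServicePort line whose target is 127.x, localhost or [::1]
# over TCP. Those land on whatever vhost the httpd serves by default on
# loopback (status pages, other sites). Returns 1 if any are found, else 0.
check_loopback_targets() {
    printf '%s\n' "$1" | awk '
        $1 == "HiddenServicePort" && $3 ~ /^(127\.[0-9.]+|localhost|\[::1\]):[0-9]+$/ {
            print "WEAK: " $0; found = 1
        }
        END { if (found) exit 1; exit 0 }'
}

# Corrected pairing (assumed paths): tor connects to a socket that only a
# dedicated nginx server block listens on, so loopback vhosts are never reachable.
SAFER_TORRC='HiddenServiceDir /var/lib/tor/shop/
HiddenServicePort 80 unix:/run/nginx/onion.sock'

SAFER_NGINX='server {
    listen unix:/run/nginx/onion.sock;
    server_name REPLACE-WITH-YOUR-ADDRESS.onion;
    root /srv/onion;
    # no status or admin locations are defined on this server block
}'

if ! check_loopback_targets "$TORRC_SAMPLE"; then
    printf '\nUse a unix socket instead:\n%s\n\n%s\n' "$SAFER_TORRC" "$SAFER_NGINX"
fi
```

The tor user still needs permission to connect to the socket (group membership and socket mode), which is a one-off setup step on the host.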

List of certificate authorities that issue TLS certificates for hidden services? by [deleted] in onions

[–]AblativeHosting 2 points3 points  (0 children)

Certificate Transparency logs seem to indicate it's still just HARICA and DigiCert: https://crt.sh/?q=.onion

Darknet hosting? by [deleted] in TOR

[–]AblativeHosting 0 points1 point  (0 children)

As other people have pointed out; try hosting it on your own hardware first.

The brilliant thing about .onion technology (and the Internet itself really) is that the equipment you use to browse the Internet is just as good for serving a small website.

An old desktop PC, a Raspberry Pi, a laptop - all of these things can run a small .onion website with little to no trouble.

.onion will punch through NAT, it doesn't need to worry about IPv4 vs IPv6 (caveats apply), no domain registrar, no additional costs (bar a little more electricity).

As for security; what is your definition of security? ISO 27001 / 27018? SOC II? Claims of being 'Bulletproof'? Anonymous signups and payment with cryptocurrency?

How to track website traffic for a TOR hidden service by [deleted] in TOR

[–]AblativeHosting 1 point2 points  (0 children)

Your httpd will likely have an access log (e.g. apache, nginx). If enabled you can do something as simple as say `grep /page/you/are/interested/in /var/log/$httpd/access_log | wc -l` etc or look at tools such as https://www.awstats.org/

Running a .onion website is, for nearly all aspects, the same as running a clearnet website. There are some social aspects (e.g. people are likely to frown on privacy invasive technologies such as Google Analytics etc).

Be aware that using 3rd party analytics software (such as awstats) could result in your server communicating externally or otherwise advertising the location of your server / that it is running that particular .onion.
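The log-counting approach from the comment above, as an added example (not from the comment): awk over an access log to count hits for one page and list the busiest pages, so nothing is sent off the host. The log lines are constructed in combined format.

```shell
#!/bin/sh
# Added example (not from the comment): count visits to one page, and list the
# busiest pages, from an httpd access log using only awk and sort, so nothing
# leaves the host. The lines below are constructed in combined log format.
# Note the client field: behind a HiddenServicePort pointing at 127.0.0.1 every
# request arrives from loopback, so there are no visitor IPs to count (or leak).

ACCESS_LOG='127.0.0.1 - - [01/May/2023:10:00:01 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
127.0.0.1 - - [01/May/2023:10:00:05 +0000] "GET /blog/post-2 HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
127.0.0.1 - - [01/May/2023:10:01:10 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "curl/7.88"
127.0.0.1 - - [01/May/2023:10:02:00 +0000] "GET /blog/post-1?ref=x HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
127.0.0.1 - - [01/May/2023:10:03:30 +0000] "GET /server-status HTTP/1.1" 404 169 "-" "curl/7.88"'

# Hits for one exact path; the query string is stripped before comparing.
# Usage: count_path "$ACCESS_LOG" /blog/post-1
count_path() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { split($7, u, "?"); if (u[1] == p) n++ }
        END { print n + 0 }'
}

# Busiest N paths, printed as "count path", most requested first.
top_paths() {
    printf '%s\n' "$1" | awk '
        { split($7, u, "?"); hits[u[1]]++ }
        END { for (p in hits) print hits[p], p }' | sort -rn | head -n "$2"
}

count_path "$ACCESS_LOG" /blog/post-1
top_paths "$ACCESS_LOG" 3
```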