Changes between Version 1457 and Version 1458 of doc/TorFAQ

Timestamp:
Aug 31, 2018, 1:25:23 PM (7 months ago)
Author:
traumschule
Comment:

small fixes

  • doc/TorFAQ

    v1457 v1458  
    326326== Running an Onion Service ==
    327327
    328 === How can I protect my onion service safe?
     328=== How can I protect my Onion Service?
    329329
    330330Start by running an onion server on a dedicated machine in a network enclave behind NAT and with intentionally invalid hostnames, so that any/all metadata that might leak in (say) Apache headers, is mostly useless; the NAT-internal network would be 10.0.0.0/24, the hostname "invalid.invalid", etc...
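Review bot: the corrected heading capitalises "Onion Service" while the answer under it says "onion server", the section title above says "Running an Onion Service", and the last list item further down still says "hidden service"; pick one spelling for the term and use it in every heading touched by this change. While here, the unchanged answer text "metadata that might leak in (say) Apache headers, is mostly useless" has a stray comma before "is" that could be dropped in the same pass.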
     
    336336Then: work out for yourself how to do software updates via (say) a HTTP proxy + VPN.
    337337
    338 === How can I audit an onion service to make sure that my IP can not easily be compromised?
    339 
    340 That's an excellent question. I think we should make a wiki page on trac about this, if we don't have one already...
    341 
    342 Off the top of my head, I'd suggest the following (specific to HTTP(S) servers):
     338=== How to audit an Onion Service to make sure that my IP can not easily be compromised?
     339
     340For HTTP(S) servers:
    343341- Ensure your clock is correct and is corrected automatically once or twice a day to reduce time skews
    344342- If your server is exposed to the internet, ensure that one cannot hit your onionsite by specifying it in the host header on the clearnet. Ensure the onionsite is only listening on the internal IP.
    345343- Similarly, ensure that your external website(s)are only listening on external ip addresses, and one cannot hit them over the onionsite by specifying them in the Host header
    346344- Best case: run your service on a machine that _has_ no external IP address and only internal IP addresses
    347 - Check your SSL configuration and ensure your onionsite isnt sending a cert for external websites
     345- Check your SSL configuration and ensure your onionsite isn't sending a cert for external websites
    348346- Don't run a relay and a hidden service on the same tor instance
    349347
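Review bot: the rewritten heading still says "my IP can not easily be compromised", which does not describe what the list checks for; the items are about the server's IP address not being discovered through the onion service, so "so that my IP address cannot easily be discovered" would be clearer. The same pass that fixes "isnt" leaves two neighbouring typos untouched: "website(s)are" is missing a space, and "external ip addresses" should use "IP" as the item above it does. The two Host-header items would also be more useful with a way to verify them: suggest adding that readers request their public address with the onion hostname in the Host header (and the onion address with an external hostname) and confirm that the other site is not served.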
     
    356354
    357355=== Is there a list of things to do to try to hack my own site to try to find the IP?
    358 Have a look at [https://github.com/mikeperry-tor/vanguards vanguards] and README_SECURITY.md
     356Have a look at README_SECURITY.md in [https://github.com/mikeperry-tor/vanguards vanguards].
    359357
    360358== Development ==
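Review bot: the new sentence names README_SECURITY.md but the link target is still the repository root, so a reader following it lands on the project page and has to locate the file; link the file itself if the wiki syntax allows, or say where in the repository it is. The reordering itself (file name first, repository as the link) does read better than the old version.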