Title: Tor part 2: hidden service
Author: Solène
Date: 11 October 2018
Tags: openbsd unix tor security
Description:
In this second Tor article, I will present an interesting Tor feature named **hidden service**. The principle of a hidden service is to make a network service available from anywhere; the only prerequisites are that the computer is powered on, has network access, and Tor is not blocked.

This service will be available through an address that discloses nothing about the server's internet provider or its IP; instead, a hostname ending in **.onion** is provided by Tor for connecting. The hidden service is only accessible through Tor.

There are a few advantages to using hidden services:

- privacy: the hostname doesn't contain any hint about the server
- security: secure access to a remote service that does not use SSL/TLS
- no need to run some kind of dynamic DNS updater

The drawback is that it's quite slow and it only works for TCP services.
From here, we assume that Tor is installed and working.

Running a hidden service requires modifying the Tor daemon configuration file, located at **/etc/tor/torrc** on OpenBSD. Add the following lines to the configuration file to enable a hidden service for SSH:

    HiddenServiceDir /var/tor/ssh_service
    HiddenServicePort 22 127.0.0.1:22

The directory **/var/tor/ssh_service** will be created. The directory **/var/tor** is owned by user **_tor** and is not readable by other users. The hidden service directory can be named as you want, but it should be owned by user **_tor** with restricted permissions. The Tor daemon will take care of creating the directory with the correct permissions once you reload it.

Now you can reload the tor daemon to make the hidden service available.

    $ doas rcctl reload tor

In the **/var/tor/ssh_service** directory, two files are created. What we want is the content of the file **hostname**, which contains the hostname to reach our hidden service.

    $ doas cat /var/tor/ssh_service/hostname
    piosdnzecmbijclc.onion

Now we can use the following command to connect to the hidden service from anywhere.

    $ torsocks ssh piosdnzecmbijclc.onion

In the Tor network, this feature doesn't use an exit node. Hidden services can be used for various services like http, imap, ssh, gopher, etc.

Using a hidden service isn't illegal, nor does it make the computer relay Tor network traffic; as previously, just check that you are allowed to use Tor on your network.
Note: it is possible to have a version 3 .onion address, which prevents hostname collisions, but this produces very long hostnames. This can be done like in the following example:

    HiddenServiceDir /var/tor/ssh_service
    HiddenServicePort 22 127.0.0.1:22
    HiddenServiceVersion 3

This will produce a really long hostname like

    tgoyfyp023zikceql5njds65ryzvwei5xvzyeubu2i6am5r5uzxfscad.onion

If you want to have both the short and the long hostname, you need to specify the hidden service twice, with different folders.
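As an added example (not from the original post), here is a small shell audit of the hidden-service blocks in a torrc: it checks the directory mode and owner described above and classifies each hostname as the short (v2) or long (v3) form, flagging v2 addresses since current Tor releases no longer serve them. The torrc path and the expected owner (_tor on OpenBSD) are arguments; beyond awk, ls and a POSIX sh, nothing else is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the hidden-service blocks
# of a torrc. Needs only awk, ls and POSIX sh; the expected directory owner
# (_tor on OpenBSD) is an argument so the check also runs on other systems.

# Print one "dir|version" line per HiddenServiceDir block (version is empty
# when the block does not set HiddenServiceVersion).
hs_blocks() {
    awk 'function emit() { print dir "|" ver }
         $1 == "HiddenServiceDir"     { if (dir != "") emit(); dir = $2; ver = "" }
         $1 == "HiddenServiceVersion" { ver = $2 }
         END { if (dir != "") emit() }' "$1"
}

# Classify an onion hostname by length: 16 base32 chars is v2, 56 is v3.
onion_version() {
    name=${1%.onion}
    case $name in *[!a-z2-7]*) echo bad; return ;; esac
    case ${#name} in 16) echo v2 ;; 56) echo v3 ;; *) echo bad ;; esac
}

# Check one HiddenServiceDir: mode 0700, expected owner (if given) and a
# hostname whose type matches HiddenServiceVersion. Returns 0 when it passes.
hs_check_dir() {
    dir=$1 owner=$2 ver=$3 rc=0
    set -- $(ls -ld "$dir" 2>/dev/null)   # $1 = mode string, $3 = owner
    case $1 in drwx------*) ;; *) echo "$dir: mode '$1', want drwx------" >&2; rc=1 ;; esac
    [ -z "$owner" ] || [ "$3" = "$owner" ] || { echo "$dir: owner '$3', want $owner" >&2; rc=1; }
    got=$(onion_version "$(cat "$dir/hostname" 2>/dev/null)")
    case $got in
        bad) echo "$dir: missing or malformed hostname file" >&2; rc=1 ;;
        v2)  echo "$dir: v2 address; current Tor releases only serve v3" >&2 ;;
    esac
    [ -z "$ver" ] || [ "$got" = "v$ver" ] || { echo "$dir: hostname is $got, torrc says v$ver" >&2; rc=1; }
    return $rc
}

# Audit every hidden service in torrc $1 against expected owner $2.
hs_audit() {
    [ -r "$1" ] || { echo "$1: cannot read torrc" >&2; return 1; }
    failed=0
    for blk in $(hs_blocks "$1"); do      # directory paths without spaces assumed
        hs_check_dir "${blk%|*}" "$2" "${blk#*|}" || failed=1
    done
    return $failed
}
```

On the server, source the file and run `hs_audit /etc/tor/torrc _tor` with doas, since the hidden service directories are not readable by other users.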
Take care: if you run an ssh service on your website and use this same ssh daemon for the hidden service, the host keys will be the same, implying that someone could theoretically associate both and know that **this** public IP runs **this** hidden service, breaking anonymity.