Title: Tor part 2: hidden service
Author: Solène
Date: 11 October 2018
Tags: openbsd unix tor security
Description:
In this second Tor article, I will present an interesting Tor feature
named **hidden service**. The principle of a hidden service is to
make a network service available from anywhere, with the only
prerequisites being that the computer is powered on, Tor is not
blocked and it has network access.
This service will be available through an address that discloses
nothing about the server's internet provider or its IP; instead, a
hostname ending in **.onion** will be provided by Tor for
connecting. This hidden service will only be accessible through Tor.
There are a few advantages of using hidden services:
- privacy, the hostname doesn't contain any hint about where the server is
- security, the circuit is encrypted end-to-end inside Tor and the
  .onion name is derived from the service's own key, so a service that
  doesn't use SSL/TLS still gets confidentiality and an authenticated server
- no need for running some kind of dynamic dns updater
The drawbacks are that it's quite slow and it only works for TCP
services (no UDP).
From here, we assume that Tor is installed and working.
Running a hidden service requires modifying the Tor daemon
configuration file, located in **/etc/tor/torrc** on OpenBSD.
Add the following lines to the configuration file to enable a hidden
service for SSH. The first line names the directory that will hold the
service's key and hostname; the second maps port 22 of the hidden
service to the local sshd on 127.0.0.1:22, so nothing has to listen on
a public interface for the service to work:
HiddenServiceDir /var/tor/ssh_service
HiddenServicePort 22 127.0.0.1:22
The directory **/var/tor/ssh_service** will be created. The
directory **/var/tor** is owned by user **_tor** and not readable by
other users. The hidden service directory can be named as you want,
but it must be owned by user **_tor** and not be readable by other
users (Tor refuses to use a directory with more permissive
permissions). The Tor daemon will take care of creating the directory
with the correct permissions once you reload it.
Now you can reload the tor daemon to make the hidden service
available.
$ doas rcctl reload tor
In the **/var/tor/ssh_service** directory, two files are created:
**private_key**, the RSA key that is the identity of the service (keep
it private and back it up, since losing it means losing the .onion
address), and **hostname**, which is what we want: it contains the
hostname to reach our hidden service.
$ doas cat /var/tor/ssh_service/hostname
piosdnzecmbijclc.onion
Now, we can use the following command to connect to the hidden service
from anywhere the client has a working Tor: torsocks routes the ssh
connection through the local Tor SOCKS port, which resolves the .onion
name inside the Tor network instead of through DNS.
$ torsocks ssh piosdnzecmbijclc.onion
Traffic to a hidden service never leaves the Tor network, so no exit
node is involved and no exit operator can see the connection. Hidden
services can be used for various TCP services like http, imap, ssh,
gopher, etc.
Using a hidden service isn't illegal and doesn't turn your computer
into a Tor relay; as in the previous article, just check that you are
allowed to use Tor on your network.
Note: it is possible to have a version 3 .onion address. A version 2
name is only a truncated SHA-1 hash of a 1024-bit RSA key, while a
version 3 name encodes the full ed25519 public key of the service plus
a checksum, so it no longer rests on a short fingerprint, SHA-1 or
RSA-1024. The price is a very long hostname. This can be done like in
the following example:
HiddenServiceDir /var/tor/ssh_service
HiddenServicePort 22 127.0.0.1:22
HiddenServiceVersion 3
This will produce a really long (56 character) hostname like
tgoyfyp023zikceql5njds65ryzvwei5xvzyeubu2i6am5r5uzxfscad.onion
If you want to have both the short and the long hostnames, you need to
declare the hidden service twice, with a different directory for each
version.
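To make the length of a version 3 name concrete, here is an added example (not code from the article or from Tor itself) that builds and checks v3 addresses following the layout documented in Tor's rend-spec-v3: the 56 characters are the base32 encoding of the 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and the version byte 0x03. The key used is a constant placeholder, not a real key, and the `piosdnzecmbijclc.onion` name from above is only checked for the version 2 shape, since a v2 name carries no checksum.

```python
"""Build and check version 3 .onion addresses.

Added example, not taken from the article or the Tor source; it follows
the address layout of Tor's rend-spec-v3:

    onion_address = base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
    CHECKSUM      = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]

where PUBKEY is the 32-byte ed25519 public key and VERSION is the byte 0x03.
"""
import base64
import hashlib

V3_VERSION = b"\x03"
V3_LENGTH = 56   # 35 bytes (32 + 2 + 1) * 8 bits / 5 bits per base32 char
V2_LENGTH = 16   # 80-bit truncated SHA-1 of the RSA-1024 key, base32 encoded
B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def _v3_checksum(pubkey):
    """Two-byte checksum that ties the name to the key and the version byte."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + V3_VERSION).digest()[:2]


def onion_v3_address(pubkey):
    """Encode a 32-byte ed25519 public key as a v3 onion hostname."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + _v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"


def parse_onion(hostname):
    """Return {"version": 2|3, "pubkey": bytes|None} or raise ValueError.

    A v2 name is only a truncated hash, so nothing beyond its length and
    alphabet can be verified. A v3 name embeds the full key and a checksum,
    so a mistyped or tampered name is rejected instead of silently pointing
    at some other service.
    """
    name = hostname.lower()
    if name.endswith(".onion"):
        name = name[:-len(".onion")]
    if not name or any(c not in B32_ALPHABET for c in name):
        raise ValueError("not a base32 onion name: %r" % hostname)
    if len(name) == V2_LENGTH:
        return {"version": 2, "pubkey": None}
    if len(name) != V3_LENGTH:
        raise ValueError("unexpected onion name length %d" % len(name))
    raw = base64.b32decode(name.upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != V3_VERSION:
        raise ValueError("unsupported onion version byte %r" % version)
    if checksum != _v3_checksum(pubkey):
        raise ValueError("onion address checksum mismatch")
    return {"version": 3, "pubkey": pubkey}


def corrupt_checksum(hostname):
    """Flip one bit of the checksum in a v3 name, to show what parse_onion catches."""
    name = hostname.lower().replace(".onion", "")
    raw = bytearray(base64.b32decode(name.upper()))
    raw[32] ^= 0x01
    return base64.b32encode(bytes(raw)).decode().lower() + ".onion"


# Constructed placeholder key (assumption: not a real service key).
SAMPLE_PUBKEY = bytes(range(32))

if __name__ == "__main__":
    addr = onion_v3_address(SAMPLE_PUBKEY)
    print(addr, "(%d characters before .onion)" % (len(addr) - len(".onion")))
    print("version:", parse_onion(addr)["version"])
    print("version of piosdnzecmbijclc.onion:", parse_onion("piosdnzecmbijclc.onion")["version"])
    try:
        parse_onion(corrupt_checksum(addr))
    except ValueError as exc:
        print("tampered name rejected:", exc)
```

The real public key of a v3 service is stored in hs_ed25519_public_key in the service directory, after a short text header; feeding its last 32 bytes to onion_v3_address must reproduce the content of the hostname file.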
Take care: if you run an ssh service on your public IP and expose this
same ssh daemon through the hidden service, the host keys will be the
same, so anyone who can scan both can associate them and know that
**this** public IP runs **this** hidden service, breaking anonymity.
The same applies to any service that exposes something unique, such as
a TLS certificate or a server banner: give the hidden service its own
instance with its own keys, listening on 127.0.0.1 only.
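One way to check for exactly this leak before publishing the address, as an added example that is not part of the original article: run `ssh-keyscan` against the public IP and, through torsocks, against the .onion name, then compare the host keys the two scans return. The two scans embedded below are constructed for the example (dummy ed25519 key blobs and the documentation address 192.0.2.10, not real keys or hosts) so the script runs offline.

```python
"""Check whether a public host and an onion service expose the same SSH host keys.

Added example, not part of the original article. Feed it the output of
``ssh-keyscan <public-ip>`` and ``torsocks ssh-keyscan <name>.onion``; the
sample scans at the bottom are constructed so the script runs offline.
"""
import base64
import hashlib


def parse_keyscan(text):
    """Return {key_type: key_blob_bytes} from ssh-keyscan output.

    ssh-keyscan prints one line per key: "<host> <type> <base64 blob>".
    Comment lines starting with '#' (seen when stderr is merged in) are skipped.
    """
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        key_type, blob = parts[1], parts[2]
        keys[key_type] = base64.b64decode(blob)
    return keys


def fingerprint(blob):
    """SHA256 fingerprint in the format ssh-keygen -l prints (base64, no padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def correlate(public_scan, onion_scan):
    """Return the list of (key_type, fingerprint) shared by both hosts.

    Any shared host key lets an observer link the onion service to the public IP.
    """
    public = parse_keyscan(public_scan)
    onion = parse_keyscan(onion_scan)
    shared = []
    for key_type, blob in onion.items():
        if key_type in public and public[key_type] == blob:
            shared.append((key_type, fingerprint(blob)))
    return shared


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + payload)."""
    return len(data).to_bytes(4, "big") + data


def _fake_ed25519_blob(fill):
    """Construct an ssh-ed25519 public key blob around a dummy 32-byte key.

    Real blobs have the same layout: string "ssh-ed25519", string <32-byte key>.
    The key bytes here are a constant filler, not a real key (assumption).
    """
    return _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)


def _keyscan_line(host, blob):
    return "%s ssh-ed25519 %s" % (host, base64.b64encode(blob).decode())


# Constructed sample scans: the public host, an onion service that reuses the
# same sshd (and therefore the same host key), and an onion service served by
# a separate sshd with its own key.
SHARED_BLOB = _fake_ed25519_blob(0x11)
SEPARATE_BLOB = _fake_ed25519_blob(0x22)

PUBLIC_SCAN = ("# 192.0.2.10:22 SSH-2.0-OpenSSH_7.8\n"
               + _keyscan_line("192.0.2.10", SHARED_BLOB))
ONION_SAME_SSHD = _keyscan_line("piosdnzecmbijclc.onion", SHARED_BLOB)
ONION_SEPARATE_SSHD = _keyscan_line("piosdnzecmbijclc.onion", SEPARATE_BLOB)


if __name__ == "__main__":
    for label, scan in (("same sshd", ONION_SAME_SSHD),
                        ("separate sshd", ONION_SEPARATE_SSHD)):
        shared = correlate(PUBLIC_SCAN, scan)
        if shared:
            print("%s: LINKABLE, shared host keys: %s" % (label, shared))
        else:
            print("%s: no shared host keys" % label)
```

The fix on the server side is a second sshd started with its own configuration file (`sshd -f`) that names separate HostKey files and a ListenAddress of 127.0.0.1 on a spare port, with HiddenServicePort pointing at that port instead of the public daemon's 22.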