ageis · October 2, 2022 11:32 · bauruine · Nov 4, 2014
diff --git a/gistfile1.txt b/gistfile1.txt
 Andy Greenberg of WIRED reports that the FBI has finally revealed how they allegedly located the server on which Silk Road was hosted, and it didn't require parallel construction. http://www.wired.com/2014/09/the-fbi-finally-says-how-it-legally-pinpointed-silk-roads-server

 It was a security fail.

 According to FBI agent Christopher Tarbell, as related by Greenberg: "They found a misconfiguration in an element of the Silk Road login page, which revealed its internet protocol (IP) address and thus its physical location... And when they entered that IP address directly into a browser, the Silk Road's CAPTCHA prompt appeared."

 While I can only speculate about what gave away the IP address, here's a few suggestions for avoiding the latter problem, which should make your .onions slightly more secure.

 First off, the webserver never should have responded to HTTP requests on the server's IP address. Only traffic which comes through the Tor hidden service, which connects to the webserver's port 80 on the loopback interface, should have been allowed. Some iptables rules would have sufficed:

 iptables -A INPUT -i eth0 -p tcp --dport 80 -j DROP
 iptables -A INPUT -i lo -p tcp --dport 80 -j ACCEPT

 In addition Apache itself should listen for connections on localhost (127.0.0.1) only, not * or 0.0.0.0. This is controlled in the VirtualHost definition, or the Listen directive of ports.conf:

 Listen 127.0.0.1:80

 Secondly, here's an example script that you can put in a nightly cron job, which will create an .htaccess file for Apache that will allow traffic from known Tor exit nodes only, and deny everything else. You'll have to set the two variables for the Document Root and the server's IPv4 address.

 #!/bin/bash
 docroot=/var/www/htdocs
 ipaddress=0.0.0.0
 sed -in '/#\ TOR-ALLOW-BLOCK/,/#\ END-TOR-ALLOW-BLOCK/d' $docroot/.htaccess
 wget -q 'https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip='"$ipaddress"'&port=80' -O - | sed '/^\#/d' | sed "s/^/Allow from /g; 1i# TOR-REDIRECT-BLOCK" >> $docroot/.htaccess

 You also need to create the .htaccess file first and populate it with these lines:

 Order Deny,Allow
 Deny from all
 Allow from 127.0.0.1
 # TOR-ALLOW-BLOCK
 # END-TOR-ALLOW-BLOCK

 These simple measures would have ensured that the Silk Road website could only be accessed from Tor.
	Andy Greenberg of WIRED reports that the FBI has finally revealed how they allegedly located the server on which Silk Road was hosted, and it didn't require parallel construction. http://www.wired.com/2014/09/the-fbi-finally-says-how-it-legally-pinpointed-silk-roads-server

	It was a security fail.

	According to FBI agent Christopher Tarbell, as related by Greenberg: "They found a misconfiguration in an element of the Silk Road login page, which revealed its internet protocol (IP) address and thus its physical location... And when they entered that IP address directly into a browser, the Silk Road's CAPTCHA prompt appeared."

	While I can only speculate about what gave away the IP address, here's a few suggestions for avoiding the latter problem, which should make your .onions slightly more secure.

	First off, the webserver never should have responded to HTTP requests on the server's IP address. Only traffic which comes through the Tor hidden service, which connects to the webserver's port 80 on the loopback interface, should have been allowed. Some iptables rules would have sufficed:

	iptables -A INPUT -i eth0 -p tcp --dport 80 -j DROP
	iptables -A INPUT -i lo -p tcp --dport 80 -j ACCEPT

	In addition Apache itself should listen for connections on localhost (127.0.0.1) only, not * or 0.0.0.0. This is controlled in the VirtualHost definition, or the Listen directive of ports.conf:

	Listen 127.0.0.1:80

	Secondly, here's an example script that you can put in a nightly cron job, which will create an .htaccess file for Apache that will allow traffic from known Tor exit nodes only, and deny everything else. You'll have to set the two variables for the Document Root and the server's IPv4 address.

	#!/bin/bash
	docroot=/var/www/htdocs
	ipaddress=0.0.0.0
	sed -in '/#\ TOR-ALLOW-BLOCK/,/#\ END-TOR-ALLOW-BLOCK/d' $docroot/.htaccess
	wget -q 'https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip='"$ipaddress"'&port=80' -O - \| sed '/^\#/d' \| sed "s/^/Allow from /g; 1i# TOR-REDIRECT-BLOCK" >> $docroot/.htaccess

	You also need to create the .htaccess file first and populate it with these lines:

	Order Deny,Allow
	Deny from all
	Allow from 127.0.0.1
	# TOR-ALLOW-BLOCK
	# END-TOR-ALLOW-BLOCK

	These simple measures would have ensured that the Silk Road website could only be accessed from Tor.