How to Safely Host Your Own TOR Hidden Service
Posted by: DeepDotWeb October 19, 2013
This Tutorial Is OUTDATED
– DO NOT USE IT – YOU WILL BE DE-ANONYMIZED AND BUSTED!
If you have the knowledge and ability to host on a Linux-based system, that is the preferable alternative. However, the majority of users will have a Windows-based PC at their disposal or are more comfortable with Windows.
There are plenty of complete Linux (mainly Debian) guides to this, but no complete Windows guide was found.
What You’ll Need:
- Dedicated Box [Free to $200] – At least 1GHz dual core, 1GB RAM, 30GB HD, and Windows XP (Windows 7 & 8 not advisable)
- Anonymous VPN Account [$3 to $12 Monthly] – Allows you to further mask your identity in the event of errors or exploits on your site
- Tor Browser Bundle [www.torproject.org] – The same bundle you already use to browse .onion sites and /r/silkroad
- Apache, MySQL, PHP package [http://www.uniformserver.com/] – We recommend you use The Uniform Server, but you are free to use any package that includes PHP support, a MySQL backend, and Apache. XAMPP is very insecure, and EasyPHP has many items you do not need in a TOR server.
Building the Box
First you need to make sure your Windows OS is not registered to you, and it is preferable that you find a PC that is not registered to you (such as from yard sales, friends, auctions, eBay without a serial, etc.).
Since most don’t just have a spare Windows disc lying around, you should visit the Pirate Bay or similar torrent sites and download a Windows XP SP3 image (with matching architecture – x86 is 32-bit, x64 is 64-bit).
Always make sure to source reliable torrents and to check that they don’t contain any backdoors or embedded malicious software. This can be done by monitoring the machine’s network activity for a few days to make sure nothing odd occurs.
Make sure you give your PC an obscure name, such as PC or DIR – never anything that can be linked to you. Server errors can sometimes leak the server’s name, and if this is JohnSmithsPC then that’s not very good for John Smith.
The same goes for your admin account – something obscure. Occasionally the user name is displayed in errors (along with, or instead of, the PC name).
Building the System
Uninstall Everything. Well, nearly everything.
No updater, no antivirus, no firewall, no software – nothing but the basic requirements for your PC to operate.
You also need to go to Control Panel > Uninstall Program > Uninstall Windows Service
Remove games, fax, and any other tools that you do not need. Keep any networking tools that are already checked.
Windows Defender is good enough since you are not going to be on the clearnet, and unless you are browsing with this PC you will not encounter any issues with downloading malicious software from the web.
If you don’t trust Defender, any free AV is acceptable. Same with the firewall.
Adding Security
Download Truecrypt and install it.
At the very least you want to make sure the containers for your hostname and your web directory are encrypted.
This will require you to log in to the container to decrypt it after each restart, but it also prevents any information from being recovered as long as the PC is shut down before any security breach occurs.
This means you will have to monitor the server, and if it is remote you will have to use a remote login to decrypt the container after each restart.
The Software
Okay, so you have a barebones system.
Install your VPN first, and always have it on. Routinely change it (or enable auto change) to further mask your identity/location.
NEVER USE THIS PC WITHOUT THE VPN ENABLED.
Extract TOR to a directory under C: (such as C:\TOR) and add Vidalia.exe to the Startup folder in your Start menu so TOR starts whenever your OS loads.
Open Tor Browser, and the Vidalia GUI appears.
Click Settings > Services and you will see a blank table. Click the green “+” and a new service is added.
Click the appropriate box to change or add a value:
- Set Virtual Port to 80
- Set Target to 127.0.0.1:420 – replace 420 with whatever port number you wish
- Set Directory Path to (preferably) a separate storage container. This could be a partition, an external HD, an SD card, or a flash drive.
Just remember the drive must NOT be named anything revealing.
Restart TOR and go to your directory path that you entered.
Open the “hostname” file with Notepad and you will find your unique .onion address.
If you know how to generate a custom .onion address using Scallion, the hostname and private_key files in this directory are the two files you replace to use that custom address.
As a reference, this is how long it takes to generate a custom address:
- 4 Characters – 10 seconds
- 5 Characters – 29 Seconds
- 6 Characters – 1 Minute
- 7 Characters – 5 to 10 Minutes
- 8 Characters – 20 Minutes to 1 hour
- 9 Characters – 2 to 10 Hours
- 10 Characters – 5 to 10 days
Now you need to install your web server. We recommend The Uniform Server, but you are free to use any web server package you want. Just remember that some are much less secure than others.
Make sure your web directory is in a separate container from your operating system. This can be a separate partition, hard drive, external drive, SD card, or flash drive. This will be the drive to destroy in the event of an emergency.
After you get everything installed, you will have to customize your httpd.conf file.
Scroll down to Listen 80
Change this to Listen 127.0.0.1:80
Add the following line below it: Listen 127.0.0.1:420 (if you changed the port number, make sure this line matches what you put in the “Target” box in your TOR service).
Scroll down to ServerName
Change this to ServerName 1qw23er45ty67ui8.onion, where 1qw23er45ty67ui8.onion is your hidden service’s .onion hostname.
Make sure you disable any features that you do not need to prevent security issues.
As per the BMR mistake, make sure your index.html or index.php is just a redirect.
Create a subfolder to keep your site at (this will be displayed in the URL, so instead of mysite.com/index.html being your home page, it should be a redirect to another directory and your real index should be at mysite.com/hidden/index.html or something similar).
Some errors result in your index page being offered for download, so make sure you don’t have any identifying information in it. Also, placing ASCII art in index pages is a long-standing tradition; try that.
Your site will be available at localhost, but it is not recommended that you use this address to set up scripts, since some will take localhost as your hostname rather than your .onion address.
You do have to use TOR Browser to access your .onion site address to set up some scripts. Some have the option to change your hostname in the settings, and others have documentation on how to change it manually, but ultimately it is much easier to go to your .onion site and set it up there: since you are making a client connection, you are also making sure the site and scripts will work for your customers, visitors, etc.
You should also find your intranet IP and see if you can connect to your site using that IP and the port you set. If you can, you need to change Listen 80 to Listen 127.0.0.1:80.
If you can see your website from, say, 192.168.1.20, then anyone on your network can, and anyone who has your outside IP address (even through the VPN) can see your site on the clearnet. You MUST have 127.0.0.1:80 listed.
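As an added check (not part of the original tutorial), the script below scans httpd.conf text for Listen directives and reports every one that is not bound to loopback, which is exactly the bare “Listen 80” mistake described above. The httpd.conf fragment inside it is constructed for the example.

```python
"""Flag Apache Listen directives that expose a hidden service beyond loopback.

Added example, not part of the original tutorial. A bare "Listen 80" (or a LAN
address) answers on every interface, so the site becomes reachable from the
local network and the public IP; only 127.0.0.1 / ::1 bindings are safe here.
"""
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Matches "Listen [addr:]port [protocol]"; the address may be IPv4, a
# hostname, or a bracketed IPv6 literal. The ":" is required whenever an
# address is present so that "Listen 80" is never split into "8" and "0".
LISTEN_RE = re.compile(
    r"^\s*Listen\s+"
    r"(?:(?:\[(?P<v6>[0-9a-fA-F:]+)\]|(?P<host>[^\s\[\]:]+)):)?"
    r"(?P<port>\d+)",
    re.IGNORECASE,
)


def parse_listen(line):
    """Return (address, port) for a Listen directive, or None for other lines."""
    m = LISTEN_RE.match(line)
    if not m:
        return None
    # No address at all means Apache binds to all interfaces.
    addr = m.group("v6") or m.group("host") or "0.0.0.0"
    return addr, int(m.group("port"))


def exposed_listeners(conf_text):
    """Return [(line_no, address, port)] for every Listen not bound to loopback."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are inert
        parsed = parse_listen(line)
        if parsed and parsed[0] not in LOOPBACK:
            findings.append((n, parsed[0], parsed[1]))
    return findings


# Constructed httpd.conf fragment mirroring the tutorial's multi-site layout.
SAMPLE_CONF = """\
#Listen 12.34.56.78:80
Listen 80
# Listen for Tor services
Listen 127.0.0.1:8082
Listen [::1]:8083
Listen 192.168.1.20:420
"""

if __name__ == "__main__":
    for n, addr, port in exposed_listeners(SAMPLE_CONF):
        print(f"line {n}: Listen {addr}:{port} is reachable beyond loopback")
```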
Running Multiple TOR Sites
1) Create your hidden services manually in your torrc configuration file as normal, e.g.:
HiddenServiceDir /path/to/my/site/keys/service1
HiddenServicePort 80 127.0.0.1:8082

HiddenServiceDir /path/to/my/site/keys/service2
HiddenServicePort 80 127.0.0.1:8083
2) Start Tor to generate your services’ host names. For vanity .onion names, see Scallion.
3) Stop Apache if it is running and edit your virtual host file(s) – specifically, add an entry for each host, where ServerName is the name from your Tor service’s ‘hostname’ file:
<VirtualHost 127.0.0.1:8082>
    ServerName site1example8nbp.onion
    DocumentRoot /path/to/my/tor/www/root/site1
</VirtualHost>

<VirtualHost 127.0.0.1:8083>
    ServerName site2example6pqr.onion
    DocumentRoot /path/to/my/tor/www/root/site2
</VirtualHost>
4) Assuming Apache is still stopped, edit your httpd.conf file to listen on the ports you specified above (near the top):
#Listen 12.34.56.78:80
Listen 80

# Listen for Tor services
Listen 127.0.0.1:8082
Listen 127.0.0.1:8083
5) Save all your configuration changes and restart Apache. Assuming everything went well, all of your hidden services should be available as separate .onion addresses.
Please note there are more secure ways to set things up; the above is just to show how the basic directives work.
- 127.0.0.1 is used to restrict access to “localhost only” for the Listen directive.
- Ports are just examples – you can use any ports you like as long as they match. The ports listed were not forwarded (other than 80).
- The .onion domains in step 3 are (obviously) examples and should match whatever Tor generates for the actual service name. Note that if you want REAL vanity .onion addresses, check out Scallion for Windows and Linux. There is a pre-built Windows binary here.
More information here
- You should drop your Scallion-made ‘private_key’ file(s) into the appropriate folders listed in Step 1 before starting Tor in Step 2. Otherwise, Tor will auto-generate your services’ ‘private_key’ and ‘hostname’ files in the selected folders. You can delete these and start over if you wish; just update your virtual host entries.
- Step 4 is VERY important, otherwise the services will be unavailable even from localhost (e.g. if you only did steps 2 and 3).
- For Linux, you might need to add the .onions to your /etc/hosts file, but I haven’t verified this. No hosts file alterations are needed for Windows, for certain.
Extra Steps
If you wish, you can enter your email in httpd.conf. Make sure you use an anonymous email service; we like safe-mail.net, but there are several alternatives.
This is also useful for people contacting you. Whether for customers, bug reports, or just chatting about the site or its content, an email address is always a good resource to take advantage of.
PGP Encryption
PGP is also very useful, and with the current situations with marketplaces being shut down and messages intercepted, it is highly recommended.
PGP is free, and consists of the following:
- Your Public Key, which you give people to encrypt messages that only you can decrypt.
- Your Private Key, which is used to decrypt messages by you. NEVER GIVE YOUR PRIVATE KEY OUT.
When a person wants to send you a message, they take your public key and save it in their PGP client. They then type their message and encrypt it.
After they encrypt it, not even the person who wrote and sent it can read it again. Only the person holding the matching private key can decrypt it.
Virtual Machine
Some wish to install the entire system inside a virtual machine, in which case you will have to install Windows again and follow all the previous instructions, but the advantage is that you can run a VPN on the host (outside the VM) and bounce off 2 separate IP addresses.
Experienced users can also route everything on the host through TOR, so a native connection from the VM is actually masked by TOR.
Using this, you will be able to use 2 separate TOR instances along with 2 different masking IPs.
Escrow
You need to sell stuff, people need to buy stuff, and people are looking to steal stuff.
So, use escrow.
/r/bitcoin‘s sidebar and Bitcoin Trade Wiki has several Escrow services, although some are not geared towards illegal activity.
http://www.bitescrow.org/ is a decent escrow site that accommodates several (private) marketplaces already, and so far looks to be a reliable resource.
It is also open source.
Budster recently created a brainwallet that utilized P2P escrow, but has yet to release it for open source. When they do, it will be a valuable tool for the BTC community.
Updated: 2013-10-19