tor-onions March 2021

tor-onions@lists.torproject.org

5 participants
5 discussions

Onion Service Monitoring
by shadow 16 Aug '21

16 Aug '21

Dear fellow Onion Service operators, I'm curios how you monitor the availability of your onion services? I implemented a solution with icinga2 check commands. It basically queries the onion service via torsocks and check_tcp command [1]. > > object CheckCommand "check_tor_onion" { > command = [ "torsocks", PluginDir + "/check_tcp" ] > timeout = 6m > arguments = { > "-H" = "$hostname$" > "-p" = "$port$" > "-t" = "$timeout$" > } > } This solution is kind of flaky and produces a lot of mail noise, even if I run it with large timeout value (360s), check attempts and retry intervals. Recently I came across the tool called hsprober [2], which looks like a more compelling option. though it requires a prometheus setup. Since it is a network, where connections constantly looses connections, I would like to know how you treat this flakyness. Regardless of which software stack you use, I'm interested in your concept for monitoring your onion services from the outside (user side) and from the inside (server side). And also which tools do you use. Thank you for any answers and opinions. Have a happy new year. shadow [1] - https://www.monitoring-plugins.org/doc/man/check_tcp.html [2] - https://git.autistici.org/ale/hsprober -- best regards | viele Gruesse, shadow(a)systemli.org receive my key: gpg --keyserver zimmermann.mayfirst.org --recv-keys 0x5C6B6ED4248C1F32

7 11

Matrix/Synapse as Onion Service
by shadow 10 Jul '21

10 Jul '21

Hey all fellow list members, does anyone of you has been able to set up Matrix / Synapse / Element as an onion service? There are are open tickets regarding this: * https://github.com/matrix-org/synapse/issues/5152 and also a Cloudflare level implementation: https://blog.cloudflare.com/cloudflare-onion-service/ But I wonder if anyone of you already set it up and what your experience have been with it. To me it looks like, that there are multiple problems and several layers (depending on your Matrix Setup). For example if you use the ansible roles for setting up matrix in a docker environment (https://github.com/spantaleev/matrix-docker-ansible-deploy) Have a nice sunday afternoon, shadow // systemli.org

3 4

Why do TorProject support the removal of RMS?
by Jacob Hrbek 28 Mar '21

28 Mar '21

DISCLAIMER: I tried to find a more suitable list, but this one seems to be the closest to the topic. Tor Project is listed on https://rms-open-letter.github.io/ -> What is the motivation to sigh this letter?

2 1

Re: [tor-onions] Onion-routing of The Free Software Foundation Europe
by Jacob Hrbek 26 Mar '21

26 Mar '21

On 1/23/21 8:59 PM, Silvia Puglisi, Ph.D. wrote: > Hi Jacob, > > On 2021-01-22 12:21, Jacob Hrbek wrote: >> On 1/21/21 9:27 PM, Silvia wrote: >>> Exciting to see fsfe moving to onions. >>> How can we help you guys with this? >> Currently the main problem is with implementation as there is an issue >> with certificates using TLS-over-onions (Not economical for non-profit >> foundation) where it seems that using reverse proxy with currently used >> Apache or implementing EOTK is the way to go there? > > Yes EOTK uses a TLS certificate. The idea behind this is that if the > certificate belongs to fsfe, visitors of the onion service can be sure > that the onion has been setup by fsfe. > The certificate is not needed for any other reason than that. > > If you are concerned about how people discover your onion you can use > the onion-location header so that people visting fsfe.org over tor get > the onion available button on the url bar and can get redirected to the > onion > (https://community.torproject.org/onion-services/advanced/onion-location/). > >> More options and way >> to configure EOTK (alec seems to be currently busy and unable to answer) >> appreciated. > EOTK is a tool that setup a few options for you in nginx and install > required packages, but you can setup the onion also manually. > > Here for example you will find a gist of the nginx config of the > propubblica onion: > https://gist.github.com/mtigas/9a7425dfdacda15790b2 > >> Also brainstorm for the implementation as a whole would be appreciated >> the services seems to be mostly running in jail/VM which is favorable to >> be preserved for security reasons (e.g. in scenario where there is a >> major bug discovered in the wild to reduce the impact of one service on >> the system). >> So i am currently unsure whether we want to: >> 1. run one tor daemon per system in jail/VM to provide the routing from >> exposed ports from the services e.g. >> https://git.fsfe.org/kreyren/fsfe-planet/src/branch/onionz/docker-compose.y… >> 2. implementing tor daemon within these jails/VMs with the service >> >> srv/service1 (exposing port 12447) >> srv/service2 (exposing port 12448) >> >> and setting tor as >> >> HiddenServiceDir /var/lib/tor/service1 >> HiddenServicePort 12447 127.0.0.1:12447 >> >> HiddenServiceDir /var/lib/tor/service2 >> HiddenServicePort 12447 127.0.0.1:12447 >> >> > I am not sure about the exact architecture here, but generally you need > a master onion where you run onion balance and use it to scale > horizontally with different backends > (https://onionbalance-v3.readthedocs.io/en/latest/v3/tutorial-v3.html). > > If you are concerned about DOS attacks you can also implement some more > advanced web server configs. > One of them is using captchas, another is to use cookies to filter out > scripted clients. The idea in this case is that the web server sends the > client a cookie and ask the client to verify it. Usually scripted > clients don't set cookies so the verify fails and you find out that the > client is malicious. > > Nginx uses openresty and lua to implement captchas. This solution is > usually highly scripted. With regards to cookies I can recommend this > library from cloudflare for openresty > https://github.com/cloudflare/lua-resty-cookie. I am sure there are > equivalent solution in apache. > > >> 3. implementing tor daemon on the router assuming all services being >> routed through a routing server, but i am concerned about sanitization >> as if there is a bug in tor that could expose user traffic to bad >> actors. (currently being discussed) >> >> 4. Implementing xen (https://en.wikipedia.org/wiki/Xen) which currently >> not favorable as it would require lots of work on the backend. >> >> 5. Other? > There is a tool called onionscan (https://onionscan.org/) that can help > you find vulnerabilities on your onion. This also test things like bugs > in your web service that might expose users data and information that > you might prefer to keep secure. > > I also assume that the fsfe onion isn't interested to be anonymous so > you might consider setting up a 1-hop onion in this case > (https://support.torproject.org/glossary/single-onion-service/). > > Let me know if you need more help. > > Cheers, > -hiro >> FWIW i would also like to provide something like >> https://onion.debian.org so that the website list is available to the >> end-user. >> >> >> _______________________________________________ >> tor-onions mailing list >> tor-onions(a)lists.torproject.org >> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-onions I am sorry for delay had to process lots of informations. The onion-location HTTP header is already tracked. Added propublica configuration in tracking as example configuration, thanks! One-hop non-anonymous onion service noted in tracking. OnionScan noted in tracking and recommended to be adapted as Continuous Integration. Personal tracking updated in https://github.com/Kreyren/kreyren/issues/60 peer-review appreciated. About the (D)DoS -> i was told that they are not a concern over onion routing due to the hard delay used for encryption. Can you confirm? Overall the (D)DoS is part of a threat model as FSFE has been (D)DoSed in the past where the main concern is Gitea as the static pages require an unreasonable amount of resources to be taken down atm. About Apache -> This is currently used by the webserver and needs to be implemented with priority in https://git.fsfe.org/fsfe-system-hackers/webserver-bunsen/src/branch/master… (currently tracked in https://git.fsfe.org/fsfe-system-hackers/webserver-bunsen/pulls/7). Any relevant information to the implementation is appreciated as i am currently struggling with making the TLS-over-onion work there where apache should strip the TLS when the website is accessed over onions. Any relevant information appreciated. About Nginx -> Currently not an option as the website is already using Apache. About EOTK -> I would like to implement this as an alternative configuration for system hackers to have a choice and do their research more efficiently and I assume that being a better implementation here as we currently want to onionize gitea service which based on my experience on https://git.dotya.ml requires changing of non-relative links within the webapp (which can be done in nginx/apache, but seems to be painful to maintain?). FWIW i am also considering decentralization for the static pages where the theory is to reduce the system load, make the websites less vulnerable to (D)DoS and make the websites to load faster as the webserver would be closer to the client in question. I am not aware of sane configuration for this over onions, but any relevant info appreciated. -- - Krey

4 5

Run onion on boot
by Amuza en Hackea 22 Mar '21

22 Mar '21

Hello, With software like dropbear-initramfs, cryptsetup-initrafs and others you can remotely unlock a server that has a LUKS-encrypted root partition. That is possible because there is an SSH server running in its unencrypted boot partition. I would like to have an onion service running in the boot partition too, that way I could remotely unlock the root partition without caring about ports, DNS, etc. How could I make it? Any advise, suggestion or step-by-step guide would be very much welcome, but please have in mind that I am not a developer... Thank you very much!

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

tor-onions March 2021