APC Australia

Build your own Linux-powered darknet

Nate Drake has a secret to share: he can help you set up and run your own private darknet website, which only you and your friends can access.


Almost anyone can set up a ‘hidden service’ on the darknet using Tor. This involves setting up a server using the software Apache2 and generating a ‘.onion’ address so that other Tor users can connect.

By default, anyone in possession of the address, such as www.facebookcorewwwi.onion, can connect to a Tor hidden service.

For big sites such as Facebook, there’s no harm in doing things this way, because everyone knows who owns the website, and their business model thrives on people connecting and sharing data.

For private citizens in Australia, who are now subject to metadata collection including monitoring of all web traffic, the very fact that you’ve downloaded server software must now be recorded by your ISP, as is the fact you’re using Tor in the first place.

This means that setting up a Tor hidden service anonymously is extremely tricky. Even once you have it up and running, other people connecting to it risk that one of Tor’s nodes has been compromised and will record that ‘.onion’ address.

Malicious web crawlers such as PunkSPIDER have even been able to map the entire Tor darknet, checking hidden services for vulnerabilities. This in itself is not a major security concern, because knowing the address of a website is only the first step to hacking into its server. However, if you only want to share information with a limited group of people, there is a way to prevent rogue scanners from connecting automatically to your hidden service and discovering your server’s real IP address.

STEALTHY ONIONS

This is done using ‘stealth’ onion services. In brief, the way this works is that you generate a unique .onion address for each individual user of your website, in addition to an authentication ‘cookie’.

In order to connect to your Tor hidden service, users need both this unique .onion address and the cookie. Any other person or service simply sees a message saying that it failed to connect.

The steps in the tutorial cover generating unique authentication cookies and onion addresses for your contacts. You need to help them configure the Tor Browser Bundle on their computer and/or mobile device to store the cookie, so they can access your service. You do this by modifying the ‘torrc’ configuration file inside their Tor software of choice.
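As an added example (not part of the article or the Tor Project’s own tooling), the script below parses the hostname file Tor writes for a stealth hidden service and turns each client entry into the HidServAuth line that contact adds to their torrc. The line format (address, cookie, ‘# client: name’) is assumed from Tor’s output, and the sample addresses and cookies are constructed for this example.

```python
import base64
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of the hostname file Tor writes for a 'stealth' hidden
# service: one line per authorised client. The addresses and cookies are
# made up for this example (assumed line format, from Tor's own output).
SAMPLE_HOSTNAME_FILE = """\
abcdefghijklmnop.onion AQIDBAUGBwgJCgsMDQ4PEA # client: alice
qrstuvwxyz234567.onion EA8ODQwLCgkIBwYFBAMCAQ # client: bob
"""

_LINE_RE = re.compile(
    r"^(?P<onion>[a-z2-7]{16})\.onion\s+"   # 16-char base32 v2 address
    r"(?P<cookie>[A-Za-z0-9+/]{22})\s+"     # 16-byte cookie, unpadded base64
    r"#\s*client:\s*(?P<client>\S+)\s*$"
)

@dataclass(frozen=True)
class ClientAuth:
    client: str
    onion: str   # address without the ".onion" suffix
    cookie: str  # 22-char base64 descriptor cookie

def parse_hostname_file(text: str) -> List[ClientAuth]:
    """Parse every client line; a malformed line is an error, not skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = _LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a stealth client entry: {line!r}")
        # Restore the padding Tor strips and check the cookie is 16 bytes.
        if len(base64.b64decode(m["cookie"] + "==")) != 16:
            raise ValueError(f"line {lineno}: cookie is not 16 bytes")
        entries.append(ClientAuth(m["client"], m["onion"], m["cookie"]))
    return entries

def hidservauth_line(entry: ClientAuth) -> str:
    """The single torrc line that contact adds to their own Tor client."""
    return f"HidServAuth {entry.onion}.onion {entry.cookie}"

def torrc_snippets(text: str) -> Dict[str, str]:
    """Map each client name to the torrc line to hand that person in person."""
    return {e.client: hidservauth_line(e) for e in parse_hostname_file(text)}
```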

SUPER TAILS

For this project, we’re using TAILS (The Amnesiac Incognito Live System). This OS has been designed with privacy in mind. All connections are routed through the Tor network, so there’s less danger of leaking your real IP address.

TAILS is designed chiefly for internet users who want to access the darknet by booting from a USB stick or DVD and loading the OS into RAM. The advantage of this is that, after the machine restarts, there’s no trace left of your internet activity.

The downside to this, of course, is that there is data you may want to save, such as passwords and email addresses. For this reason, TAILS comes with an optional ‘persistent’ mode when installed on a USB stick to store such data.

The Persistent section is encrypted and you need to set a password to unlock it each time you boot TAILS. Follow the steps in the section ‘Setting Up TAILS’ to do this.

Your website and any associated files are stored safely inside the Persistent section. This hugely increases the physical security of your server, because the drive is encrypted and you can easily remove or destroy it.

LIGHTWEIGHT SERVER

Tor can work seamlessly with a variety of server software. This project focuses on Nginx-light, which, as the name suggests, is a bare-bones version of the more fully featured Nginx. The server software works on the basis of HTTP modules, which support basic websites, but not more advanced features, such as Mail. The tutorial steps work just as well with the full version of Nginx, although increasing your attack surface could make your server more vulnerable.

If you want to have extra features for your server, such as email, simply substitute ‘nginx-light’ with ‘nginx-full’ in the tutorial and backup scripts.

GETTING STARTED

TAILS is not designed primarily to work as a server, although there are plans to introduce this as a feature. However, because it’s based on Debian Linux, you can install all the programs you need to turn it into one.

The Debian Project is also good enough to host a mirror of its servers on the darknet. Given the Federal Government’s decision to monitor all internet traffic, this is a great relief, because as you’ll be installing via Tor hidden services, it’s virtually impossible for anyone to tell you’re downloading server software in the first place.

Follow the steps in the tutorial to make sure TAILS connects to the darknet using ‘bridges’. This makes it harder for your ISP to detect you’re running a hidden service.

At this point, TAILS cannot be run headlessly — without a monitor, mouse and keyboard — so make sure to choose a machine you won’t need while your hidden service is running. This also means that you need to be present each time TAILS boots up, to enter passwords and restore your data.

The TAILS website says that at least a 4GB USB stick is required to run the OS. Play it safe and choose at least an 8GB one, because hopefully your website will grow over time.

Before following the steps in the tutorial (over the page), note down the people who will be accessing your service and ask each of them to install the Tor Browser Bundle on their machine and/or Orbot on their Android device.

You can always remove or add more users later on if you wish. The walkthrough outlines how to create a basic index page to let you know the server is working correctly — however, after going to all this trouble, you will probably want more than this.

Tor hidden services can host most kinds of websites, though given that you’re running yours from a USB stick, the more lightweight the better. If, for instance, you want to run an imageboard, consider using vichan, which is a fork of the now defunct tinyboard. Refer to each program’s project page to see whether any additional software is required, such as MySQL. If so, make sure to modify your ‘restore’ script (see above) to make sure this can be automatically installed each time you restart TAILS.

LOCK DOWN YOUR SERVER

Once your hidden service is up and running, consider installing a basic firewall by opening Terminal and running sudo apt-get install ufw. Once the install is complete, run the command sudo ufw enable to start the firewall. By default, all incoming connections are blocked and all outgoing connections are allowed.

If you want to enable incoming connections on a certain port, use the syntax sudo ufw allow [port] — for example, sudo ufw allow 23.

Once all your clients are able to connect to your website, take some time to lock down Nginx properly by running sudo nano /etc/nginx/nginx.conf.

Remove the # at the start of the line starting with the words server_tokens off. This means that, if an unauthorised person tries to connect, the fact that you’re using Nginx-light won’t automatically display. Next, scroll down to the ‘Basic Settings’ section, and find ‘Logging Settings’. Put a # before the lines starting access_log and error_log. This disables most logging features, which makes it more difficult for anyone to identify who is connecting to the server, although any error messages are still logged.

Now restart Nginx to apply your changes with sudo service nginx restart.

The ‘light’ version of Nginx you’re using contains a bare minimum of HTTP modules to set up a basic website, although you can add others if you wish. Bear in mind that the more modules you install, the more likely it is an attacker can find one to exploit.

TAILS OF WOE

By its very nature, TAILS is amnesiac. If you remove the USB stick from your computer or restart the machine itself, all files and settings are lost.

For this reason, make sure you’ve enabled persistenc­e by following the steps in ‘Setting Up TAILS’ (see below) before going through the tutorial.

Once you’re happy that your darknet site is up and running OK, make sure to go through the ‘Backup Scripts’ section (see previous page) so that you can save and reload your settings.

The Riseup website (https://riseup.net/en/security/network-security/tor/onionservices-best-practices) contains some excellent advice for best practices with Tor hidden services. Pay close attention to the section on local host bypasses. And make sure you keep your software up to date, because new vulnerabilities are discovered with TAILS and Tor hidden services all the time.

That said, remember that Tor supports a number of hidden services, so don’t be afraid to experiment with running a private mail server or chat service, as opposed to a simple web page. A good security approach is to think of the authentication token as being only one layer of protection, and you can require users to log in with a separate password to your site.

Also, remember that, if anyone can access your machine while TAILS is running, they may also be able to access your client tokens.

The only safe way to make sure that only people you approve can access your hidden service is if you give them their keys in person. Remember that anyone with access to their device can either use the hidden service or make a copy of the authentication token. Ask them to store their Tor Browser on an encrypted drive. Mobile users should also enable encryption on their Android device, in case of theft or seizure.

If you are worried your keys have been compromised, run the command sudo shred -v /var/lib/tor/hidden_service/client_keys and restart Tor with sudo service tor restart. The system will generate new keys for your users.

Finally, bear in mind that, while malicious scanners won’t be able to automatically connect to your hidden service, they won’t receive the same message they would for an invalid onion address — in other words, they will know the address exists, but it will appear as though the server is down. This isn’t exactly plausible deniability, but the Tor Project is working on it.

Enable persistence to set up an encrypted partition on the USB stick. This keeps your website data files safe.

Only people you authorise can use their unique onion address and authentication cookie to access your hidden service. Here, the Tor Browser Bundle is running in macOS.

The hidden service image board 8chan shown here uses the software vichan. TAILS may need additional software to run certain websites.

Run the command sudo cat /var/lib/tor/hidden_service/hostname to display each of your contacts’ onion addresses and their authentication token.
