Delivery-Date: Fri, 06 Feb 2015 10:50:18 -0500
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.5 required=5.0 tests=BAYES_00,
	RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD,URIBL_BLOCKED
	autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id AF0A51E0411
	for <archiver@seul.org>; Fri,  6 Feb 2015 10:50:16 -0500 (EST)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id AEA7533165;
	Fri,  6 Feb 2015 15:50:11 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 8A4EE33081
 for <tor-talk@lists.torproject.org>; Fri,  6 Feb 2015 15:50:07 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id V_XEk8tDEyyg for <tor-talk@lists.torproject.org>;
 Fri,  6 Feb 2015 15:50:07 +0000 (UTC)
Received: from silicium.nirgal.com (silicium.nirgal.com
 [IPv6:2001:bc8:33b8:100::1])
 (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits))
 (Client did not present a certificate)
 by eugeni.torproject.org (Postfix) with ESMTPS id 58E5A33061
 for <tor-talk@lists.torproject.org>; Fri,  6 Feb 2015 15:50:07 +0000 (UTC)
Received: from [78.41.115.145] (helo=127.0.0.1)
 by silicium.nirgal.com with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128)
 (Exim 4.80) (envelope-from <contact_tor@nirgal.com>)
 id 1YJlAD-0002Rc-I6
 for tor-talk@lists.torproject.org; Fri, 06 Feb 2015 16:50:02 +0100
Message-ID: <54D4E299.7080806@nirgal.com>
Date: Fri, 06 Feb 2015 15:49:45 +0000
From: contact_tor@nirgal.com
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <54D23891.3040409@nirgal.com> <54D39634.6090703@riseup.net>
In-Reply-To: <54D39634.6090703@riseup.net>
X-SA-Exim-Connect-IP: 78.41.115.145
X-SA-Exim-Mail-From: contact_tor@nirgal.com
X-SA-Exim-Version: 4.2.1 (built Mon, 26 Dec 2011 16:57:07 +0000)
X-SA-Exim-Scanned: Yes (on silicium.nirgal.com)
Subject: Re: [tor-talk] How to protect apache local-restricted from secret
 service access?
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

Mirimir wrote:
>> When you have a website that is available from a tor secret service, how
>> do you forbid access to url restricted to ip=localhost?
>>
>> I'm thinking of apache default http://xxxxx.onion/server-status for example.
>>
>> Using "a2dismod status" is the obvious solution for that one, but does
>> anyone had a more generic solution?
>> Maybe a full VM with a vif interface? That's an heavy solution...
>> Anything more simple?
> 
> You can use firewall rules.
> (...)

I don't think you can a firewall, no:

"apachectl status" is querying from localhost to
http://localhost:80/server-status

Connection from tor hidden service also comes from localhost and
iptables won't help there.


I tried 10 random http hidden services with that trick, and could find 2
servers with information that shouldn't be available, like which service
are sharing on the same server, the security patch level, list of URL
being served, and so on. I also could read one public IP on another one. :(

If you run apache, you should probably disable mod_status. Now.


# grep -iEr 'require +local' /etc/apache2/
lists possible problems for apache2.4, for example.
Each webapp should also be checked for special permissions granted when
remote IP is actually localhost.


Documentation really should warn about this, IMHO:
https://www.torproject.org/docs/tor-hidden-service.html
and possibly a one line warning in the example torrc since
"HiddenServicePort 80 127.0.0.1:80" typically is a problem.


I might move httpd and tor to 2 different VM. Any nicer idea?
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

