Delivery-Date: Fri, 06 Feb 2015 11:04:24 -0500
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.8 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD,URIBL_BLOCKED autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 1B1261E093E
	for <archiver@seul.org>; Fri,  6 Feb 2015 11:04:23 -0500 (EST)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 834C8332BE;
	Fri,  6 Feb 2015 16:04:18 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 0065533222
 for <tor-talk@lists.torproject.org>; Fri,  6 Feb 2015 16:04:16 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id ukojAGrGVcMe for <tor-talk@lists.torproject.org>;
 Fri,  6 Feb 2015 16:04:15 +0000 (UTC)
Received: from endofnet.org (endofnet.org [78.47.72.52])
 by eugeni.torproject.org (Postfix) with ESMTP id A9995331FD
 for <tor-talk@lists.torproject.org>; Fri,  6 Feb 2015 16:04:15 +0000 (UTC)
X-Greylist: delayed 384 seconds by postgrey-1.34 at eugeni;
 Fri, 06 Feb 2015 16:04:15 UTC
Received: by endofnet.org (Postfix, from userid 5001)
 id B9BE35E138; Fri,  6 Feb 2015 16:57:47 +0100 (CET)
Received: from [192.168.2.2] (unknown [109.163.233.169])
 by endofnet.org (Postfix) with ESMTPSA id BA22A5E0D3
 for <tor-talk@lists.torproject.org>; Fri,  6 Feb 2015 16:57:45 +0100 (CET)
Message-ID: <54D4E478.1060406@endofnet.org>
Date: Fri, 06 Feb 2015 16:57:44 +0100
From: david <david@endofnet.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <54D23891.3040409@nirgal.com> <54D39634.6090703@riseup.net>
 <54D4E299.7080806@nirgal.com>
In-Reply-To: <54D4E299.7080806@nirgal.com>
Subject: Re: [tor-talk] How to protect apache local-restricted from secret
 service access?
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you would not like to disable the /server-status you could use
something like:

  AuthType Basic
  AuthName "Authentication Required"
  AuthUserFile "/etc/htpasswd/.htpasswd"
  Require valid-user

  Order allow,deny
  Allow from all

and protect it with some really heavy user/password.



Am 06.02.2015 um 16:49 schrieb contact_tor@nirgal.com:
> Mirimir wrote:
>>> When you have a website that is available from a tor secret service, how
>>> do you forbid access to url restricted to ip=localhost?
>>>
>>> I'm thinking of apache default http://xxxxx.onion/server-status for
example.
>>>
>>> Using "a2dismod status" is the obvious solution for that one, but does
>>> anyone had a more generic solution?
>>> Maybe a full VM with a vif interface? That's an heavy solution...
>>> Anything more simple?
>>
>> You can use firewall rules.
>> (...)
>
> I don't think you can a firewall, no:
>
> "apachectl status" is querying from localhost to
> http://localhost:80/server-status
>
> Connection from tor hidden service also comes from localhost and
> iptables won't help there.
>
>
> I tried 10 random http hidden services with that trick, and could find 2
> servers with information that shouldn't be available, like which service
> are sharing on the same server, the security patch level, list of URL
> being served, and so on. I also could read one public IP on another
one. :(
>
> If you run apache, you should probably disable mod_status. Now.
>
>
> # grep -iEr 'require +local' /etc/apache2/
> lists possible problems for apache2.4, for example.
> Each webapp should also be checked for special permissions granted when
> remote IP is actually localhost.
>
>
> Documentation really should warn about this, IMHO:
> https://www.torproject.org/docs/tor-hidden-service.html
> and possibly a one line warning in the example torrc since
> "HiddenServicePort 80 127.0.0.1:80" typically is a problem.
>
>
> I might move httpd and tor to 2 different VM. Any nicer idea?

- -- 

PGP-Key:
https://www.endofnet.org/David_K._david@endofnet.org_%280x1F86D6CB%29_pub.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJU1OR4AAoJECua8aAfhtbLLbwP/0M+5nSsYc0Vh2yBsynpneAk
id4VsGtlOrGA+Zw4EV1EEmzDgA+dKs3Xkq03NKhOGTmuW88FBIXq3qRsFD0APEpR
2X2ogQUQS+WlP8k+mrM06/8pzR+quJUj4Y4RDurAzErlYSeRBiRJcWsLaTCIe9Ix
FSUWDrCu4MzT3uymvqoS7u0cqPwRlgDBR5ciqBQKLzj/vIJfk35JjMddGJU2Y1yG
3DvA55OqtHS2pQaQjIddIXp6CpRgh4AdXv8MAYEV7lS1fbd5VXAuhPuGVW2hzsJn
+qJT2aYSaywtKUPZm/4NTxa/5TqDEYoc6e3O6iaRhI4JA3er8WVWtz6amHKLtzAw
FkZ1m/VRHTRY7a0GxV+jeOZ511xNKnpeSCmmlEdmspA+DjPvQ3kls6JjC5TUMmA/
hzi8A7/j3pttGV/dlvUMGVvQpXDay1xtTTkhMJQ+dIweWoHRohtaIC7tfD5GCwWP
+lA/xF1Mdy46GBxz/YR5RuV93sIv+eqH4WuJKfDSp/d/K7wPqQTcGEoUTPrJDB9J
n8Q4omUPx0/uxu2r/pmyAyi3GL+81bdSWVnFQlkXzylj6WtzzZWS9MCtgBMbkL7l
mHKFc+Egw32GxVmZPcRIl2kAojmSPOP3CJyzhhD89gWNL+jND8B4zTxj+UYpk2je
MfrDZY4thysIH935sc2g
=aoT2
-----END PGP SIGNATURE-----

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

