Date: Fri, 6 Feb 2015 12:04:08 -0800
From: Christine Dodrill <xena@yolo-swag.com>
To: tor-talk@lists.torproject.org
Message-ID: <20150206200408.GA30998@cadance>
References: <54D23891.3040409@nirgal.com> <54D39634.6090703@riseup.net>
 <54D4E299.7080806@nirgal.com> <54D4E478.1060406@endofnet.org>
MIME-Version: 1.0
In-Reply-To: <54D4E478.1060406@endofnet.org>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [tor-talk] How to protect apache local-restricted from secret service access?
On Fri, Feb 06, 2015 at 04:57:44PM +0100, david wrote:
>
> If you would not like to disable the /server-status you could use
> something like:
>
>   AuthType Basic
>   AuthName "Authentication Required"
>   AuthUserFile "/etc/htpasswd/.htpasswd"
>   Require valid-user
>
>   Order allow,deny
>   Allow from all
>
> and protect it with some really heavy user/password.
>
>
>
> On 06.02.2015 at 16:49, contact_tor@nirgal.com wrote:
> > Mirimir wrote:
> >>> When you have a website that is available from a tor secret service, how
> >>> do you forbid access to URLs restricted to ip=localhost?
> >>>
> >>> I'm thinking of apache default http://xxxxx.onion/server-status for
> >>> example.
> >>>
> >>> Using "a2dismod status" is the obvious solution for that one, but does
> >>> anyone have a more generic solution?
> >>> Maybe a full VM with a vif interface? That's a heavy solution...
> >>> Anything simpler?
> >>
> >> You can use firewall rules.
> >> (...)
> >
> > I don't think you can use a firewall, no:
> >
> > "apachectl status" is querying from localhost to
> > http://localhost:80/server-status
> >
> > Connections from a tor hidden service also come from localhost, and
> > iptables won't help there.
> >
> >
> > I tried 10 random http hidden services with that trick, and could find 2
> > servers with information that shouldn't be available, like which services
> > are sharing the same server, the security patch level, the list of URLs
> > being served, and so on. I also could read one public IP on another
> > one. :(
> >
> > If you run apache, you should probably disable mod_status. Now.
> >
> >
> > # grep -iEr 'require +local' /etc/apache2/
> > lists possible problems for apache2.4, for example.
> > Each webapp should also be checked for special permissions granted when
> > the remote IP is actually localhost.
> >
> >
> > Documentation really should warn about this, IMHO:
> > https://www.torproject.org/docs/tor-hidden-service.html
> > and possibly a one-line warning in the example torrc, since
> > "HiddenServicePort 80 127.0.0.1:80" typically is a problem.
> >
> >
> > I might move httpd and tor to 2 different VMs. Any nicer idea?
>
> --
>
> PGP-Key:
> https://www.endofnet.org/David_K._david@endofnet.org_%280x1F86D6CB%29_pub.asc

You could also run the apache instance in a Docker container or an LXC
container to separate it that way.

-- 

             Christine Dodrill <xena@yolo-swag.com>
       2E5C BE74 C16D ED81 6351  E7CE B58E EB12 46DF 6D21

  “Linux printing was designed and implemented by people working
  to preserve the rainforest by making it utterly impossible to
  consume paper.”
— Athas
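The thread's core point is that an onion service forwarded to 127.0.0.1 makes every Tor client look like a local client to Apache, so any directive that trusts loopback (the `Require local` that the `grep` above looks for, but also `Require ip 127.0.0.1` and the Apache 2.2 `Allow from 127.0.0.1` form) is silently satisfied. The script below is an added example, not code from this thread, from the Tor project or from Apache: it audits a torrc and an Apache config together and reports the combination. It goes beyond the single `grep` in the thread by tracking the enclosing `<Location>`/`<Directory>` block and by checking the torrc side. The two config snippets are constructed for the example; `Finding`, `audit_apache`, `hidden_service_loopback_ports` and `report` are names chosen here.

```python
"""Audit an Apache config plus a torrc for loopback-trust rules that an onion
service forwarded to 127.0.0.1 would satisfy.  Added example, not from the
tor-talk thread.  Only the directive forms listed below are recognised."""
import re
from dataclasses import dataclass

# Hosts that Apache treats as "the local machine".
LOOPBACK_TARGETS = {"127.0.0.1", "localhost", "::1", "[::1]"}

@dataclass
class Finding:
    file: str
    line_no: int
    context: str      # enclosing <Location>/<Directory>/<Files> block, or "(global)"
    directive: str    # the offending line, stripped

# Apache 2.4: "Require local" or "Require ip <addr ...>" naming a loopback address.
RE_REQUIRE = re.compile(r"^\s*Require\s+(local\b|ip\s+(.+))", re.IGNORECASE)
# Apache 2.2 / mod_access_compat: "Allow from <host ...>".
RE_ALLOW = re.compile(r"^\s*Allow\s+from\s+(.+)", re.IGNORECASE)
RE_BLOCK_OPEN = re.compile(r"^\s*<(Location|LocationMatch|Directory|Files)\b\s*([^>]*)>", re.IGNORECASE)
RE_BLOCK_CLOSE = re.compile(r"^\s*</(Location|LocationMatch|Directory|Files)>", re.IGNORECASE)
# torrc: "HiddenServicePort <virtport> [target]"; a missing target means 127.0.0.1:<virtport>.
RE_HSPORT = re.compile(r"^\s*HiddenServicePort\s+(\d+)(?:\s+(\S+))?", re.IGNORECASE)

def _mentions_loopback(hosts: str) -> bool:
    """True if any whitespace-separated host (optionally with a /mask) is loopback."""
    return any(h.strip('"').split("/")[0] in LOOPBACK_TARGETS for h in hosts.split())

def audit_apache(text: str, filename: str = "apache.conf") -> list[Finding]:
    """Return every loopback-trust directive with its enclosing block."""
    findings, stack = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # naive comment stripping
        if m := RE_BLOCK_OPEN.match(line):
            stack.append(f"<{m.group(1)} {m.group(2).strip()}>")
            continue
        if RE_BLOCK_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        ctx = stack[-1] if stack else "(global)"
        if m := RE_REQUIRE.match(line):
            if m.group(1).lower().startswith("local") or _mentions_loopback(m.group(2)):
                findings.append(Finding(filename, n, ctx, line.strip()))
        elif m := RE_ALLOW.match(line):
            if _mentions_loopback(m.group(1)):
                findings.append(Finding(filename, n, ctx, line.strip()))
    return findings

def hidden_service_loopback_ports(torrc: str) -> list[tuple[int, str]]:
    """Return (virtual_port, target) for each HiddenServicePort forwarded to loopback."""
    hits = []
    for raw in torrc.splitlines():
        if m := RE_HSPORT.match(raw.split("#", 1)[0]):
            vport = int(m.group(1))
            target = m.group(2) or f"127.0.0.1:{vport}"
            if target.isdigit():              # bare port also means 127.0.0.1:<port>
                host = "127.0.0.1"
            else:
                host = target.rsplit(":", 1)[0] if ":" in target else target
            if host in LOOPBACK_TARGETS:      # "unix:/path" targets are skipped here
                hits.append((vport, target))
    return hits

def report(apache_text: str, torrc_text: str) -> dict:
    """Exposure exists only when both halves are present: a loopback-forwarded
    onion service and at least one directive that trusts loopback."""
    ports = hidden_service_loopback_ports(torrc_text)
    rules = audit_apache(apache_text)
    return {"loopback_forwarded_ports": ports,
            "localhost_trust_rules": rules,
            "exposed": bool(ports) and bool(rules)}

# Constructed sample configs (not from any real host).
SAMPLE_APACHE = """\
# constructed sample, Apache 2.4 style
<Location /server-status>
    SetHandler server-status
    Require local
</Location>
<Location /admin>
    Require ip 10.0.0.0/8 127.0.0.1
</Location>
<Location /public>
    Require all granted
</Location>
# constructed sample, Apache 2.2 style left behind by an old install
<Location /phpmyadmin>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1
</Location>
"""
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 8443 unix:/var/run/nginx.sock
"""

if __name__ == "__main__":
    result = report(SAMPLE_APACHE, SAMPLE_TORRC)
    for vport, target in result["loopback_forwarded_ports"]:
        print(f"HiddenServicePort {vport} -> {target}: onion clients arrive from loopback")
    for f in result["localhost_trust_rules"]:
        print(f"{f.file}:{f.line_no} {f.context}: {f.directive!r} will match those clients")
    print("EXPOSED" if result["exposed"] else "ok")
```

On the sample input the script flags `/server-status`, `/admin` and `/phpmyadmin` and marks the host exposed because port 80 is forwarded to 127.0.0.1; the `unix:` target is not a loopback TCP address and is ignored. Comment stripping is deliberately naive and `Include` directives are not followed, so run it over the concatenation of the files Apache actually loads (`apachectl -t -D DUMP_INCLUDES` lists them on 2.4). A clean report only covers the directives shown; as the thread says, each web application still has to be checked for privileges it grants on its own when the peer address is 127.0.0.1.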
