Delivery-Date: Fri, 06 Feb 2015 23:08:17 -0500
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY,
	URIBL_BLOCKED autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 8810E1E0CA6
	for <archiver@seul.org>; Fri,  6 Feb 2015 23:08:15 -0500 (EST)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id 223B333286;
	Sat,  7 Feb 2015 04:08:12 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id DFB5933266
 for <tor-talk@lists.torproject.org>; Sat,  7 Feb 2015 04:08:07 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at 
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id Fyp1dbG2X_KP for <tor-talk@lists.torproject.org>;
 Sat,  7 Feb 2015 04:08:07 +0000 (UTC)
Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "*.riseup.net",
 Issuer "COMODO RSA Domain Validation Secure Server CA" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id B9F2733122
 for <tor-talk@lists.torproject.org>; Sat,  7 Feb 2015 04:08:07 +0000 (UTC)
Received: from plantcutter.riseup.net (plantcutter-pn.riseup.net [10.0.1.121])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "*.riseup.net",
 Issuer "COMODO RSA Domain Validation Secure Server CA" (verified OK))
 by mx1.riseup.net (Postfix) with ESMTPS id EFFAD4147F
 for <tor-talk@lists.torproject.org>; Sat,  7 Feb 2015 04:08:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak;
 t=1423282085; bh=CzrF73MyTJou9TxybkbOueNaaVqZ/Hgy68iP9/7ZelI=;
 h=Date:From:To:Subject:References:In-Reply-To:From;
 b=jKHHp7r4AAPtke+tlPJI/HZ6KFGVTz9oDspzb0DszNMhEHgQYuRXy4CKMXYsZDich
 y57bR7Y0qhBkvQLWuzj99f9rQEqR+V4rUAaik/lbFGP088CQOfHM91DVWS/21o1r54
 HgoC4wSNRmN/g1i71G/HkNmSCG5CpxsA67D9tQNY=
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (Authenticated sender: mirimir) with ESMTPSA id E216722BB3
Message-ID: <54D58FA8.9040302@riseup.net>
Date: Fri, 06 Feb 2015 21:08:08 -0700
From: Mirimir <mirimir@riseup.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <54D23891.3040409@nirgal.com> <54D39634.6090703@riseup.net>
 <54D4E299.7080806@nirgal.com>
In-Reply-To: <54D4E299.7080806@nirgal.com>
X-Virus-Scanned: clamav-milter 0.98.5 at mx1
X-Virus-Status: Clean
Subject: Re: [tor-talk] How to protect apache local-restricted from secret
 service access?
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

On 02/06/2015 08:49 AM, contact_tor@nirgal.com wrote:
> Mirimir wrote:
>>> When you have a website that is available from a tor secret service, how
>>> do you forbid access to url restricted to ip=localhost?
>>>
>>> I'm thinking of apache default http://xxxxx.onion/server-status for example.
>>>
>>> Using "a2dismod status" is the obvious solution for that one, but does
>>> anyone had a more generic solution?
>>> Maybe a full VM with a vif interface? That's an heavy solution...
>>> Anything more simple?
>>
>> You can use firewall rules.
>> (...)
> 
> I don't think you can a firewall, no:
> 
> "apachectl status" is querying from localhost to
> http://localhost:80/server-status
> 
> Connection from tor hidden service also comes from localhost and
> iptables won't help there.

Sane (or prudent, anyway) hidden service operators put the tor process
on a separate machine, or at least a VM. As you note below.

> I tried 10 random http hidden services with that trick, and could find 2
> servers with information that shouldn't be available, like which service
> are sharing on the same server, the security patch level, list of URL
> being served, and so on. I also could read one public IP on another one. :(
> 
> If you run apache, you should probably disable mod_status. Now.

That's prudent, no doubt.

> # grep -iEr 'require +local' /etc/apache2/
> lists possible problems for apache2.4, for example.
> Each webapp should also be checked for special permissions granted when
> remote IP is actually localhost.
> 
> 
> Documentation really should warn about this, IMHO:
> https://www.torproject.org/docs/tor-hidden-service.html
> and possibly a one line warning in the example torrc since
> "HiddenServicePort 80 127.0.0.1:80" typically is a problem.

Yes.

> I might move httpd and tor to 2 different VM. Any nicer idea?

Using separate VMs for server and tor would be good.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

