Tor Hidden Server, please review

Discussion in 'privacy technology' started by axemmiw905, Mar 7, 2012.

Thread Status:
Not open for further replies.
  1. axemmiw905

    axemmiw905 Registered Member

    Joined:
    Feb 8, 2012
    Posts:
    35
    Hi,

    I'm planning on building a Tor Hidden Server for an anonymous/safe/secure message board. I really want to stress on safety here, so I'm planning for the server setup to look like this:

    Internet --> Modem --> SonicWall TZ210 w/ AV... OR UNTANGLE PC --> PC with hardware encryption(TPM) and full software encryption(Truecrypt Hidden Operating System and Decoy) --> Virtualization --> TrueCrypt HIDDEN File Container, using AES-Twofish-Serpent w/ Whirlpool and using the max amount of characters allowed 64 bits, with multiple key files as .jpg files and .mp3 files --> Contents of message board et al.

    Of course, since Truecrypt is only compatible with Windows for the most part, the PC will also have Bitdefender as AV and Comodo Firewall

    IS THERE ANYWAY I CAN ENHANCE THE SECURITY OF MY TOR HIDDEN SERVER?
     
    Last edited: Mar 7, 2012
  2. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    There is no point encrypting your system if you are making it accessible to the outside world. The data needs to be unencrypted to be used by the server software you try to use, therefore any user who has access to your server will need it decrypted unless you plan on using a 3rd party to distribute keys to your users, which is what we (using an off-line solution) do for authentication to our web servers to gain access to the security critical parts of our sites.

    You main vector of compromise will be the server software you run to for the message board (and the message board software itself).

    You need to think about the minimum configuration required to get the job done, only run the software you need, only run the services required, only open the firewall ports needed for users to access your server software. Bonus points if you also remember to prevent your server connecting OUT unless needed (so if it is compromised hackers cant run other software on your machine). If your message board is web based, look at enforcing SSL connections only.
    Then you need to look at the information stored, minimise that. If possible dont allow users to register/login, if they do, store the minimum information required. Make sure passwords are not stored plain if you store them

    Oh and you need to TEST your setup. Without testing it you won't know how secure your setup is. And retest frequently, you never get your config perfect first time, vulnerabilities is the software you run will be found.

    Cheers Nick
     
  3. axemmiw905

    axemmiw905 Registered Member

    Joined:
    Feb 8, 2012
    Posts:
    35
    THERE IS EVERY POINT in encrypting the system, you don't know what I'm going to do with my Tor Hidden Server. It's a gray market.

    Server software will have to be windows or windows server. That is the only thing that works with Truecrypt, no choice there.

    No point in using SSL, Tor Hidden Service is encrypted end to end.

    Thanks Nick.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Disk encryption will not protect you when your server is running. Even if the server is local, you want it headless, and accessible only via SSH from specified clients. You want your server software and Tor running on separate machines, or at least on separate VMs. I advise against using Windows for anything about this. Ubuntu is probably OK for host and VMs, although some swear by BSD. Although it's easier (and much less expensive) to secure local hardware, there's no deniability if you get busted with a running server.
     
  5. axemmiw905

    axemmiw905 Registered Member

    Joined:
    Feb 8, 2012
    Posts:
    35
    read up on tor hidden service
     
  6. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    You forgot to mention keeping the software patched and current. Otherwise sound advice :thumb:

    You are right we don't know, though if you are planning to do something shall we say "grey" or "black" I would advise you to reconsider and weigh against any ethical or legal ramifications. However that being said everyone has free choice in this world, though most individuals who chose the former keep me employed and put food on my table :p

    That being said disk encryption will only protect you if the drive is unmounted as stated above in a mounted state disk encryption will do nothing to protect your data.
     
  7. axemmiw905

    axemmiw905 Registered Member

    Joined:
    Feb 8, 2012
    Posts:
    35
    LMFAO... the disk encryption is for situations where the police come down to my house, break my door down and confiscate my server.

    I could care less about hackers.
     
  8. axemmiw905

    axemmiw905 Registered Member

    Joined:
    Feb 8, 2012
    Posts:
    35
    Internet --> Modem --> SonicWall TZ215 --> OpenBSD Firewall Appliance --> OpenBSD Server with Tor Hidden Service --> Contents et. al

    The above should be perfect...
     
    Last edited: Mar 8, 2012
  9. Serapis

    Serapis Registered Member

    Joined:
    Nov 15, 2009
    Posts:
    241
    What OpenBSD based firewall are you using? or is it the one included in the OS by default?
     
  10. x942

    x942 Guest

    You do realize that law enforcement would just bring a specialized generator and keep constant power to the server right? As long as the server is on the data is unencrypted.

    Even without a special generator they just dump the data right there and mirror the HDD and RAM and boom! they have the keys too!.

    Think you can shutdown quickly? Not if they wait till your out.
     
  11. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    I was always under the impression most raids are announced a week or so in advance and if you tell the agents who storm your residence you need time to shut down your equipment, they actually step out for a soda. Additionally I heard they even give a grace period to allow the RAM chips to cool. On top of that they employ highly unskilled individuals who have never heard of drive encryption and always assume it is safe to turn off a machine, only then admit defeat when they realize they are dealing with a crypto professional.

    Boy was I wrong. o_O
     
  12. x942

    x942 Guest

    LOL :thumb: that just made my day XD
     
  13. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    The conversation has taken a turn that is out of scope and interest of this board.
     
Loading...
Thread Status:
Not open for further replies.