Mirimir wrote:
>> When you have a website that is available from a tor secret service, how
>> do you forbid access to url restricted to ip=localhost?
>>
>> I'm thinking of apache default http://xxxxx.onion/server-status for example.
>>
>> Using "a2dismod status" is the obvious solution for that one, but does
>> anyone have a more generic solution?
>> Maybe a full VM with a vif interface? That's a heavy solution...
>> Anything more simple?
>
> You can use firewall rules.
> (...)

I don't think you can use a firewall, no: "apachectl status" is querying from localhost to http://localhost:80/server-status. Connections from the tor hidden service also come from localhost, and iptables won't help there.

I tried 10 random http hidden services with that trick, and could find 2 servers with information that shouldn't be available, like which services are sharing the same server, the security patch level, the list of URLs being served, and so on. I could also read one public IP on another one. :(

If you run apache, you should probably disable mod_status. Now.

# grep -iEr 'require +local' /etc/apache2/

lists possible problems for apache2.4, for example. Each webapp should also be checked for special permissions granted when the remote IP is actually localhost.

Documentation really should warn about this, IMHO: https://www.torproject.org/docs/tor-hidden-service.html and possibly a one line warning in the example torrc, since "HiddenServicePort 80 127.0.0.1:80" typically is a problem.

I might move httpd and tor to 2 different VMs. Any nicer idea?

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
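A more generic check of the kind the post asks for, written as an added example for this page (it is not code from the thread, from Tor or from Apache): the script below scans Apache configuration text for directives that trust loopback clients ("Require local", which in Apache 2.4 matches 127.0.0.0/8, ::1 and the server's own addresses, plus "Require ip 127..." and the 2.2-style "Allow from 127..."), reports the enclosing section for each, and scans a torrc for HiddenServicePort targets on the local host, since tor's connections to such a target reach the backend with a loopback source address. The configuration samples embedded in it are constructed for illustration, and the function and class names are my own.

```python
"""Find Apache rules a tor hidden service would satisfy by arriving from loopback.

Added example for the tor-talk thread, not the project's code; samples are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Finding:
    source: str     # label of the config file the line came from
    line: int       # 1-based line number
    section: str    # enclosing sections, outermost first ("" at top level)
    directive: str  # the directive text that trusts loopback clients


# Loopback addresses with guards so 10.127.0.1 or 2001:db8::1 are not flagged.
LOOPBACK = r"(?:(?<![\d.])127\.[\d.]+|(?<![\w:])::1\b|\blocalhost\b)"
# Apache 2.4 "Require local" matches 127/8, ::1 and the host's own addresses;
# "Require ip 127..." and the 2.2-style "Allow from 127..." are equivalent traps.
LOCAL_TRUST = re.compile(
    r"^\s*(?:Require\s+local\b"
    r"|Require\s+ip\s+.*" + LOOPBACK
    + r"|Allow\s+from\s+.*" + LOOPBACK + r")",
    re.IGNORECASE,
)
SECTION_OPEN = re.compile(r"^\s*<(?!/)(\w+)\s*([^>]*)>")
SECTION_CLOSE = re.compile(r"^\s*</\w+\s*>")


def find_local_trust(config_text: str, source: str = "apache") -> list[Finding]:
    """Return every loopback-trusting directive with its enclosing sections."""
    findings: list[Finding] = []
    stack: list[str] = []  # open <Location>/<Directory>/<VirtualHost>/... sections
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        opened = SECTION_OPEN.match(line)
        if opened:
            stack.append(f"{opened.group(1)} {opened.group(2).strip()}".strip())
            continue
        if SECTION_CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        if LOCAL_TRUST.match(line):
            findings.append(Finding(source, lineno, " > ".join(stack), line.strip()))
    return findings


HS_PORT = re.compile(r"^\s*HiddenServicePort\s+(\d+)(?:\s+(\S+))?", re.IGNORECASE)


def _target_host(target: str | None) -> str | None:
    """Host part of a HiddenServicePort target (tor syntax: addr, port,
    addr:port or unix:path; an omitted target means 127.0.0.1:VIRTPORT)."""
    if target is None or target.isdigit():
        return "127.0.0.1"
    if target.startswith("unix:"):
        return None  # a unix socket carries no client IP address at all
    if target.startswith("["):  # [ipv6]:port
        return target[1:target.index("]")]
    return target.rsplit(":", 1)[0] if target.count(":") == 1 else target


def _is_loopback(host: str) -> bool:
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def find_loopback_hs_ports(torrc_text: str) -> list[tuple[int, int, str]]:
    """Return (line, virtual port, target host) for each HiddenServicePort whose
    target is the local host, i.e. whose backend will see a loopback client."""
    hits = []
    for lineno, raw in enumerate(torrc_text.splitlines(), 1):
        m = HS_PORT.match(raw.split("#", 1)[0])
        if not m:
            continue
        host = _target_host(m.group(2))
        if host is not None and _is_loopback(host):
            hits.append((lineno, int(m.group(1)), host))
    return hits


# Constructed sample: a Debian-style status.conf plus an onion-facing vhost.
APACHE_SAMPLE = """\
# constructed example, not a real site
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        Require local
    </Location>
</IfModule>
<VirtualHost *:80>
    ServerName example.onion
    DocumentRoot /var/www/html
    <Directory /var/www/html/admin>
        Require ip 127.0.0.1 ::1
    </Directory>
    <Location /public>
        Require all granted
    </Location>
</VirtualHost>
"""

# Constructed sample torrc: the first port is the problematic default pattern.
TORRC_SAMPLE = """\
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 22 unix:/var/run/ssh.sock
"""


def audit(apache_text: str, torrc_text: str) -> list[str]:
    """Human-readable report lines combining both checks."""
    report = [f"apache:{f.line} [{f.section}] {f.directive}"
              for f in find_local_trust(apache_text)]
    for line, vport, host in find_loopback_hs_ports(torrc_text):
        report.append(f"torrc:{line} HiddenServicePort {vport} -> {host} "
                      "(backend sees a loopback client; the rules above apply to onion visitors)")
    return report


if __name__ == "__main__":
    for entry in audit(APACHE_SAMPLE, TORRC_SAMPLE):
        print(entry)
```

Run it against the real files by passing the contents of /etc/apache2/*.conf and /etc/tor/torrc to audit(); every "apache:" line is a place where an onion visitor is treated like an administrator on the console, and the "torrc:" line confirms why. The check only covers Apache's own access control; as the post says, web applications with their own "remote IP is 127.0.0.1" shortcuts still need a manual look.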