2020-03-31 at 12:04 PM UTC
Hey guys, so i want to have my own personal paste site or gitlab on a hidden service. I have a VPS, but it's for other things. So i was thinking i just live boot into a hardened distro and host all my hidden service related stuff on an external encrypted HDD.
Now, i've never really hosted a website, but i am am reasonably comfortable with web development. And with the added security of using a live OS and an encrypted HDD as place where my hidden service will live i think i could manage. I am not planning to host any CP or whatever, so i am not worried about the FBI. I just think it would be neat to have this type of infrastructure.
Do you have any experience with something similar? And even if you don't i'd love to hear about how you would go about it, things i should be aware of, that sort of thing. If you could help me get a general sense before i commit that would be great, and also greatly appreciated.
Thanks in advance.
2020-03-31 at 12:08 PM UTC
What goodies would be on this site. Anything of interest to us all would most likely have to be illegal.
2020-03-31 at 12:16 PM UTC
Originally posted by Octavian
What goodies would be on this site. Anything of interest to us all would most likely have to be illegal.
Mostly malicious code, prototypes for malware command and control systems. And other cool cyborg stuff.
The following users say it would be alright if the author of this
post didn't die in a fire!
2020-03-31 at 12:23 PM UTC
Nonce asking for help hiding CP alert
Alert!
Most of us wouldn't even think of "do we or do we not put CP on this"
But a nonce does and will mention it to throw us off the track
Doesn't work tho
Im on to you, nonce
The following users say it would be alright if the author of this
post didn't die in a fire!
2020-03-31 at 12:25 PM UTC
POLECAT
POLECAT is a motherfucking ferret
[my presentably immunised ammonification]
pc is less trouble than cp
2020-03-31 at 12:35 PM UTC
I have a Raspberry Pi 4 set up with Ubuntu server and an encrypted hard drive as a file store.
The encryption is kinda pointless imo as the Raspberry Pi is a bigger attack surface than the hard drive, and I have auto mount on, but whatever.
And before everyone goes "nonce" at me for using encryption, full disk encryption is the standard in companies like mine nowadays, and if you aren't using it you're either stupid or lazy.
I can access it from anywhere using SSH/SFTP and my static IP address.
I am trying to figure out how to put it online, to access it via web, but the options I have seen, like NextCloud, are kind of a pain in the ass.
Also I can't figure out how to install Samba on it as the repos for Ubuntu Server for Arm are broken, or were last I checked.
If getting an IP or dealing with NAT is a problem, I'd probably recommend ngrok or similar.
The following users say it would be alright if the author of this
post didn't die in a fire!
2020-04-01 at 9:11 AM UTC
The External HDD is also a must if i decide to go with a Live OS, BTW. Which i did mention in the OP.
2020-04-06 at 3:59 PM UTC
I don't know anything in-depth about the security implications (e.g. is it a good idea to run as an exit node when hosting a hidden service? My guess is no but not really sure). For setup it looks like it's actually really simple, just add two lines to your torrc:
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
And run a webserver that binds to 8080. You could stand up nginx to serve some static files just as a test. The rest of it should be the same as standing up any other web service. I'm not sure how CORS rules work in onionland but people are probably running with JS off anyway so it probably doesn't matter.
Originally posted by Star Trek VI: The Undiscovered Country
I have a Raspberry Pi 4 set up with Ubuntu server and an encrypted hard drive as a file store.
The encryption is kinda pointless imo as the Raspberry Pi is a bigger attack surface than the hard drive, and I have auto mount on, but whatever.
And before everyone goes "nonce" at me for using encryption, full disk encryption is the standard in companies like mine nowadays, and if you aren't using it you're either stupid or lazy.
I can access it from anywhere using SSH/SFTP and my static IP address.
I am trying to figure out how to put it online, to access it via web, but the options I have seen, like NextCloud, are kind of a pain in the ass.
Also I can't figure out how to install Samba on it as the repos for Ubuntu Server for Arm are broken, or were last I checked.
If getting an IP or dealing with NAT is a problem, I'd probably recommend ngrok or similar.
If you can SSH in against a static IP you should be able to set up a webserver and have it just work, right?
The following users say it would be alright if the author of this
post didn't die in a fire!
2020-04-06 at 4:33 PM UTC
P.S. technical forum, tropical thread, etc keep it on topic
The following users say it would be alright if the author of this
post didn't die in a fire!
2020-04-06 at 4:34 PM UTC
I am in physical possession of the box that will become the server, so accessing it shouldn't be a problem from my end, don't plan on using my rPi, i could even host it on my heavily customized Android if i wanted to. But for security reasons i won't. I'll have my static web resources in a directory i will serve through Tor, all i need is to be able to receive text files and host a few binaries and serve some pages with some type of submission form. I think i will run TAILs Live, since it's basically minimalist Debian with Tor stuff built in and ready to go and i'll have persistent storage of the things that require it on an encrypted external HDD. I've written a script that cycles through a few cracked AP's every so often. Which might change the onion address on the ledger(Although i don't know that for sure) but only me and the Tor network need to know that short term. Although i have no clue how long the Tor equivalent of "DNS propagation" takes. It should be fine.
Going to set up later tonight and run a couple of tests. After thinking about it for a bit, i think i can use Ngrok to tunnel through the Tor network also, i am going to test that as well. But i suspect it would be a security risk even if i tunnel into the network and the exit node is what Ngrok will see the data coming in and out of i'd still be dependent on their servers and the tunnel works both ways. It's better to have six hops than three as well which should be the case if i set up a hidden service. The hidden service will take three hops and any clients connecting will take three hops as well where they will meet in the middle.
The more security the better, the point is that the server will be hard to find for anyone trying to mess with it. I am also thinking of adding a mechanism whereby, should i have bots/clients that need to establish a connection to my prototype C2, they must request a separate web resource with the appropriate credentials or identifiers, in order to get the onion address to deposit any data that i instruct them to send me.
What i want is a hard to find and hard to disrupt C2 server that receives data securely, stores data securely and can be taken offline, in a secure manner at a moments notice. I will expand upon this later by creating a gitlab type set up on a different server later, with more features. Ideally i'd have an overlord node, to which 5 master nodes report. With redundancies built it, so as not to have a single point of failure.
2020-04-13 at 7:41 PM UTC
What you are trying to do is extremely easy. I would suggest a rPi Zero and a USB flash drive to store your files on. Make a small server that hosts your webpage that has links to download your files. You will have to do your own security.
2020-04-13 at 7:46 PM UTC
gadzooks
Dark Matter
[keratinize my mild-tasting blossoming]
Also, to remain somewhat on topic...
I use AWS these days for just about anything.
If it's straight up file storage, there's S3 (leagues cheaper than dropbox and so on).
If you need to actually execute any logic, they got both EC2 and Lambda.
Fuck, Amazon should just hire me as a shill, I'd do that shit.
2020-04-13 at 7:47 PM UTC
gadzooks
Dark Matter
[keratinize my mild-tasting blossoming]
And they don't care what in particular you're doing, as long as you don't violate the TOS.
2020-04-13 at 7:56 PM UTC
Originally posted by Misterigh
What you are trying to do is extremely easy.
Alright no need to flex on a nigga, i never hosted a hidden service, i figured i'd ask before i got to it.
Originally posted by Misterigh
I would suggest a rPi Zero and a USB flash drive to store your files on.
No i have multiple boxes here, why would i buy an rPi 4? I don't plan on hiding it in my wall or whatever.
Originally posted by Misterigh
Make a small server that hosts your webpage that has links to download your files.
Yes this is what i'm doing.
Originally posted by Misterigh
You will have to do your own security.
You don't say?
Originally posted by gadzooks
Also, to remain somewhat on topic…
I use AWS these days for just about anything.
If it's straight up file storage, there's S3 (leagues cheaper than dropbox and so on).
If you need to actually execute any logic, they got both EC2 and Lambda.
Fuck, Amazon should just hire me as a shill, I'd do that shit.
Yee. I come across malicious AWS all the time. But i don't think i will.
The following users say it would be alright if the author of this
post didn't die in a fire!
2020-04-15 at 12:16 AM UTC
I did not mean to sound like a dick.
If you do not need to hide it inside an appliance and already have devices you can run it on then yes use those.
You could just use an old phone as well.
