Return Home
Hidden Service
28th July, 2017

Setup and host multiple hidden onion services

Hidden onion services are actually pretty easy to setup but maintaining them and keeping them secure is a whole new story. Im going to run you through how to set and manage your hidden service both locally and remotely.

When thinking about hosting a hidden service you have a few things to consider. I have tried to break these down into seperate points below (almost as a checklist).

The service
By now you should already know what type of service you want to provide. It may be a simple IRC chat room, a simple file sharing service, or a full blowen darknet market. This is key in the choices that you make below as hosting a market place from a local machine will almost certainly get you arrested. 

You have a choice where to host, you could host your service locally on an old machine you have laying around, or you could choose to use a VPS provider and host the service from there. Using a machine locally allows you better access to the 'server' itself, but does carry the risk of exposing your IP address if you havent correctly configured the server not to leak informayion. The beatuy of a VPS is its hosted by someone else whos IP would be exposed should anything go wrong.

This is why it really depends on what service you wish to host.

If you choose to host via a VPS then the setup is virtually the same as setting up on a local machine, but ofcourse requires you to setup and install the server. This will require you to have some knowledge of linux or whatever distrobution you wish to use.

If you choose to host locally, remeber that shutting the server/machine down can offer information to those who are monitoring you. Looking at a pattern of a service uptime can help to locate the exact location of the server so make sure you dont shut the server down if you can aviod it.

Once the inital sever is setup, you can then begin to setup the hidden service using the steps below.

The below steps are for hosting multiple services using a local web server.

Step 1
Install Xampp or ngix

Step 2
Install tor browser, or complie tor from source

Step 3
Configure the local web server to listen for specific local IP and ports. These ports will then map to specific folders within the local server. You need to find and edit the httpd.conf file. Simply add the below code to the file and save and restart apache.
#Listen Listen 80
#Listen for Tor services

Step 4
Now you need to edit the apache httpd-vhosts.conf file to listen out for those above IP and port number, in turn mapping to the correct folder.
ServerAdmin me@email.com
ServerName site1example8nbp.onion
DocumentRoot /path/to/my/tor/www/root/site1
ServerAlias http://site1example8nbp.onion/

ServerAdmin me@email.com
ServerName site2example8nbp.onion
DocumentRoot /path/to/my/tor/www/root/site2
ServerAlias http://site2example8nbp.onion/

Step 5
You can now edit the torrc file within the tor browser bundle, or via a command line if you installed tor from source. You will need to create a folder within your choosen location to store the onion address keys. These folders may need to be given the correct premission for tor to be able to write to them.
HiddenServiceDir /path/to/my/site/keys/service1
HiddenServicePort 80
HiddenServiceDir /path/to/my/site/keys/service2
HiddenServicePort 80

Step 6
Now that the web server and tor is installed, and setup to listen and point to the correct place, you can now restart the web server and give it a test. 

Upon launching tor for the first time since the above changes, the keys for the onions address will be created in the paths you specified within the torrc file.

*If tor fails to launch and connect, first check your servers date and time is correct for your location, if so then the error will be within the torrc file. When i say error, this could simply be that tor cannot write to the folders so its a premission issue. This is the most likely cause of tor not launching.

Step 7
Once everything is up and running, you now need to start to look at configuring your server to make sure no revealing or important information will be leaked. Use the below list to try and reduce the risk of information leakage.

Hiding Version and OS Identity (Apache)
Disable Directory Listing (Apache)
Restricting File and Directory Access (Apache)
Disable Server Side Includes and CGI Execution (Apache)
Disable the Apache status page (Apache)
Restrict PHP Information Leakage (PHP)
Disable Remote Code Execution (PHP)
Disabling Dangerous PHP Functions (PHP)
Limit PHP Access To File System (PHP)
Disable Unused PHP Modules (PHP)
Enable Limits in PHP (PHP)
Restrict Remote MySQL Access (MySQL)
Disable use of LOCAL INFILE (MySQL)
Create Application Specific User in MySQL (MySQL)
Improve Security with mysql_secure_installation (MySQL)
Write Protect Configuration Files (Apache/MySQL/PHP)

There are many more things you could do to ensure your saftey but these will be more bespoke to your needs or service that your running.

Im currently at work as i write this post so will update it with some more information on the above shortly.