Onion GuideOnionshop Guide: How to set up a hidden service?

February 18, 2017 | Author: DeepDotWeb.com | Category: N/A

Onionshop 2.0

Installation Guide v1.0

11th January 2015

Introduction

Welcome to the Onionshop Installation Guide. This is an easy-to-follow, step-by-step guide to get your copy of Onionshop running. If you have any questions, don't hesitate to ask us before taking any action. Especially the part where you connect to your hosting provider or server has to be set up properly, so that it does not reveal identifying information under any circumstances.

Please note that we offer to do the whole installation for you, without charging additional fees. After we set up your server, you have to change all passwords, and we give you advice on what to do and how to pay the hosting fees. While this is convenient, we still recommend that you go through the installation yourself. That way, nobody besides yourself ever gets in touch with it and you don't have to trust a third party with your server information. Also note that we provide Onionshop as a hosted solution for a fixed monthly rate, if that better fits your needs.

Even if this guide is very systematic, you should never blindly follow any advice before double-checking and understanding it yourself. Think about the risk/consequences of each move you make, how to avoid vulnerabilities in your actions and how to layer up and improve the weak spots. Enhance your OPSEC, no matter how involved you are. Obscure your Internet connections but make the destination think you're an average user. Make sure that you never reveal your identity to anybody, even if it's more convenient or profitable otherwise. Never make exceptions or take shortcuts and always stick to your rules. Find the points in your everyday life where RL and DN get too close and improve it. For good OPSEC you constantly need to act on new circumstances and change up your ways creatively and continuously. The moment you get too routinized is when law enforcement starts recognizing patterns and ways to exploit them.

Note that this is only an installation guide and not an A-Z guide for good OPSEC. We try to give as much information as possible to keep you safe regarding important aspects, but there is always endless room for improvement. Take your time and do background checks on subjects you don't feel confident about.

Getting Started

In this tutorial we are using CentOS 6 as the operating system. You can use other Linux distributions as well; the commands will differ a bit though. Do not use a Windows Server or other closed-source operating systems. You need to decide if you host the server yourself or rent one from an online provider. Setting up your own server has the benefit that you don't need to trust a hosting company in any way and have autonomous access to it. In the worst case scenario of IP leakage, law enforcement agencies would have your location though. The worst case scenario with a rented server is that they seize it, but they still wouldn't have any information about you (unless you communicated revealing information unencrypted through the messaging system). Generally speaking, a seizure is less likely if you host the server yourself, but the consequences in such a case are way less problematic if you run your site on a server far away from your jurisdiction.

If you don't host yourself, you need to find a hosting company where you can rent the server. A VPS is usually enough; you don't need a dedicated server. You also don't need any extra packages or add-ons, just a plain install of CentOS 6 with SSH access. We don't recommend particular services, since it would make those providers a greater target for LE. It's most effective if all Onionshop instances run with different hosting companies. It is very important to use Tor Browser and a clean environment when searching for and ordering the VPS. We don't go into details of the OPSEC of your computer setup, since it's a very broad topic which you should inform yourself about anyway. We recommend reading the corresponding threads on the HUB Forum (currently http://thehub7gqe43miyc.onion ). As a rule of thumb, you should avoid using a Windows or Mac computer. Install a Linux distribution (Ubuntu is a good Win/Mac alternative, for example), or the even more recommendable distro Tails, which you can easily run on the fly from a USB stick and which covers a lot of security problems by design.

First, you need a fake identity with an email address. Pick a foreign country and search for a valid address in a town of your choice. Google for restaurants in that area for example, so you will quickly have a valid address and phone number. Make up a common name, and you are good to go. Optionally you could get a passport scan off the DarkNet in advance and use this identity. This way you could “prove” your identity if the hosting company should ask for validation. You will most likely need this when you pay with credit card, but usually not when paying with Bitcoin.

Now get an email address. We recommend using common providers and not too “underground” ones like safe-mail for example. It shouldn't look like you want to hide something. You should stay away from the very big ones like Googlemail, but still pick a provider that an average 45 year old housewife would use. Register an account with the data of your fake identity. You can proceed signing up an account at your desired hosting company using the same identity and the just created email address.

You will now have to pay for the VPS. Obviously don't use any creditcard/paypal/similar that are directly or indirectly connected with your real identity. Paying with Bitcoin is very common and recommended. Make sure you tumble the coins that you use for the payment. Since the VPS fees are usually pretty low, it can't hurt to send them through 2 mixers before the payment. More and more hosting companies accept Bitcoin as a payment method, so you will have no troubles finding one (usually they cost around 10-30$/month). Since providers that accept Bitcoin are usually more targeted by law enforcement, you can consider using a “normal” provider and paying with a credit card for example. Provided that it is acquired anonymously, it may keep you out of the radar even more. Usually it should be fine if you take the shorter route by paying with Bitcoin directly though. After your order went through, you should get an IP address and a root password. SSH should be enabled, so you usually don't have to connect to any control panels. Save them somewhere safe and get ready to install.

Server Installation

All connections to the servers are made through SSH. You need an SSH client to execute commands, as well as a file transfer tool. In this tutorial we work with Putty and Filezilla, which are very common and available for most operating systems. Run Putty and you will have this screen:

Enter your server's IP in the two fields where the 123.123.123.123 is. Hit Save, but don't connect yet (!). Now click Proxy and fill in the following, to ensure all connections are routed through Tor:

Click Session and hit Save again. Restart Putty and check if the entry for your new server is in the list. Click it and hit Load. Check at Proxy again and make sure the proxy changes are still there. Now click Open and confirm the message about accepting the Key. Log in with root and your password.

Type the following and hit return. This updates all components. When asked, you have to hit y, Enter to confirm an installation.
    yum update

To have the system apply updates automatically from now on, type
    yum install yum-cron

Change your root password:
    passwd

Set the timezone. If you don't want to reveal your timezone, you can obviously use a different one. This is the command if you want to set it to French time, for example:
    cp /usr/share/zoneinfo/Europe/Paris /etc/localtime

Now install sudo:
    yum install sudo

You can proceed with installing a webserver; we recommend Apache:
    sudo yum install httpd mod_ssl

After installation, run the service:
    sudo /usr/sbin/apachectl start

At this point you should already be able to reach your webservice through clearnet. Enter the IP of your server in Tor Browser and you get this screen:

Congrats, you've got your own web service running :)

Now we need some more packages, PHP support first:
    yum install php-pear
    yum install php-devel
    yum install libcurl libcurl-devel
    yum groupinstall 'Development Tools'

Now MySQL for the database:
    wget http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
    sudo rpm -ivh epel-release*
    yum repolist
    rm epel-release*
    sudo yum install mysql-server
    sudo service mysqld start

MySQL is running now. Time to install the database:
    sudo mysql_install_db

Proceed to secure the installation with this command:
    sudo mysql_secure_installation

This is where you set your MySQL root password (different from the server root password). Don't lose it. Then 5 questions are asked; you can answer each with Y.

Install phpMyAdmin to manage the database:
    sudo yum install phpmyadmin

Restart Apache:
    sudo service httpd restart

Now we will need to upload some files, so start FileZilla. First, click Edit → Preferences. Go to Connection → Generic Proxy and enter the same info as in Putty, to make the connection run through Tor:

Hit OK and then click on the Server Manager icon (far left).

Click New Site and enter the IP of your server in the description label. Also enter it in the Host field. Set Port to 22, Protocol to SFTP and Login type to Ask for password. Hit Connect.

It should be able to connect and show your local file system on the left side and your server's file system on the right side.

Et voilà, you are able to transfer files to your server now.

In order to encrypt the shipping info automatically, Onionshop requires the GnuPG library. There are different ways to get it installed; we will explain one of them. You need to install the following dependencies first:
- pth-2.0.7
- libgpg-error-1.13
- libassuan-2.1.1
- libksba-1.3.0
- libgcrypt-1.6.1

It usually works with other versions too, but these are the ones we have tested it with (in this order). You can find those folders in the “Optional Software and Configs” Zip in your Onionshop Account Area. It's not a bad idea to get these packages from the original sources though, which gives you 100% certainty that they are original and untouched. Copy all those folders with FileZilla into the /tmp directory of your server. This will take a while. After it's done, connect with Putty again, and enter
    cd /tmp

Switch into the first folder:
    cd pth-2.0.7

Make the setup files executable:
    chmod +x configure
    chmod +x shtool

Run the configure file, then build, test and install:
    ./configure
    sudo make
    sudo make test
    sudo make install

If all went through smoothly without showing any errors, proceed to the next package.
    cd /tmp
    cd libgpg-error-1.13

Same procedure:
    chmod +x configure
    ./configure
    sudo make
    sudo make install

Next packages:
    cd /tmp
    cd libassuan-2.1.1
    chmod +x configure
    ./configure
    sudo make
    sudo make install

    cd /tmp
    cd libksba-1.3.0
    chmod +x configure
    ./configure
    sudo make
    sudo make install

    cd /tmp
    cd libgcrypt-1.6.1
    chmod +x configure
    yum install xfig transfig
    ./configure
    sudo make
    sudo make install

Some more dependencies:
    yum install zlib-devel
    yum list | grep pgp
    yum list | grep gmp
    su -c "yum install gmp pgp-tools"
    yum whatprovides gnupg
    whereis gnupg
    su -c "yum install gnupg2-2.0.14-6.el6_4.x86_64"
    yum install re2c
    pecl channel-update pecl.php.net
    yum list | grep gpg
    yum install gpgme gpgme-devel

Now we have everything in place to do the GnuPG install:
    pecl install gnupg

Now edit the following file: /etc/php.ini

Search for the part
    ;;;;;;;;;;;;;;;;;;;;;;
    ; Dynamic Extensions ;
    ;;;;;;;;;;;;;;;;;;;;;;
    ; If you wish to have an extension loaded automatically, use the following
    ; syntax:

and insert the extension line, so that it reads
    ;;;;;;;;;;;;;;;;;;;;;;
    ; Dynamic Extensions ;
    ;;;;;;;;;;;;;;;;;;;;;;
    extension=gnupg.so
    ; If you wish to have an extension loaded automatically, use the following
    ; syntax:

After adding the extension, save the php.ini and restart Apache:
    service httpd restart

All necessary software is installed now and we can start setting up Tor. Copy the file torproject.repo from our Config-Zip with FileZilla to /etc/yum.repos.d/. You can open it with a text editor to make sure it has the same content as you find on the official Tor Project site.
    yum install tor

Edit the file /etc/tor/torrc. Scroll to the hidden service part, and add/uncomment the one pointing to the local port 80. It should look like this:
    HiddenServiceDir /var/lib/tor/hidden_service/
    HiddenServicePort 80 127.0.0.1:80

It defines where to save your onion hostname and its key file, and tells Tor to route to your Apache.
    service tor start

Tor is running now, and you can check the folder /var/lib/tor/hidden_service for your hostname and key. Enter the onion hostname into Tor Browser and you should get the Apache Test Page again. Congrats!

In order to have a custom onion hostname, you have to use the tool Scallion ( https://github.com/lachesis/scallion ). Get the binaries and run
    scallion.exe -l
which lists your GPUs. You probably only have one, so your next command will be
    scallion.exe -d 0 prefix
(replace the 0 by 1 if you have another GPU you want to use). This will generate an onion domain like prefix123456789.onion. The more characters your prefix has, the longer it will take to find a match. 6-7 are pretty easy, 8 and 9 get tough, and don't even try to have a prefix with more than 10 chars. The needed time will vary a lot depending on your hardware. If Scallion finds a match, it will show you a hostname and its private key.

Replace those values in your files at /var/lib/tor/hidden_service, run service tor restart, and your web service will listen at the new customized onion URL.

The basic setup is now complete, but we still need to make some security adjustments. First, we need to turn off the clearnet availability. Your web service is still available if you enter your server's IP in a normal browser. In order to make your host a hidden service only, we need to alter the file /etc/httpd/conf/httpd.conf. Change the line
    Listen 80
to
    Listen 127.0.0.1:80

Since all Tor requests come from your local server, this makes the web service unavailable for normal external (clearnet) connections.

Now head into /etc/httpd/conf.d and edit the file phpMyAdmin.conf. Remove these lines
    Alias /phpMyAdmin /usr/share/phpMyAdmin
    Alias /phpmyadmin /usr/share/phpMyAdmin

and add this one instead
    Alias /phpma123 /usr/share/phpMyAdmin

Instead of phpma123, pick any name of your choice. This will be the secret link to access your phpMyAdmin installation. Restart your Apache:
    service httpd restart

Check if you can access phpMyAdmin (http://yoururl.onion/phpma123) and also if you can only access your site with the onion URL, and not by entering the server's IP in the browser.
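A static check of the two files edited above, as an added example that is not part of the original guide: it flags any active Apache Listen directive not bound to loopback and any HiddenServicePort target that is not local. It scans conf.d as well because mod_ssl, installed earlier, typically ships an ssl.conf with its own Listen 443 that the httpd.conf change does not cover; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Onionshop guide); function names are hypothetical.

# Flag every active Apache Listen directive that is not bound to loopback.
# Accepts any number of config files; returns 1 if one is exposed or none found.
check_apache_listen() {
    awk '
        /^[ \t]*#/ { next }                      # skip commented-out lines
        tolower($1) == "listen" {
            seen = 1
            if ($2 !~ /^(127\.[0-9.]+|\[::1\]|localhost):[0-9]+$/) {
                printf "EXPOSED %s:%d: %s\n", FILENAME, FNR, $0
                bad = 1
            }
        }
        END { if (!seen) { print "no Listen directive found"; bad = 1 }
              exit bad + 0 }
    ' "$@"
}

# Flag HiddenServicePort lines whose target is a non-loopback address.
# A missing target or a bare port number means 127.0.0.1 and is accepted.
check_torrc_targets() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "hiddenserviceport" {
            seen = 1
            if (NF >= 3 && $3 !~ /^([0-9]+|(127\.[0-9.]+|\[::1\]|localhost)(:[0-9]+)?|unix:.+)$/) {
                printf "NON-LOCAL %s:%d: %s\n", FILENAME, FNR, $0
                bad = 1
            }
        }
        END { if (!seen) { print "no HiddenServicePort found"; bad = 1 }
              exit bad + 0 }
    ' "$@"
}

# Run both checks; the defaults are the paths used in this guide.
audit_onion_only() {
    httpd_dir=${1:-/etc/httpd}
    torrc=${2:-/etc/tor/torrc}
    rc=0
    check_apache_listen "$httpd_dir"/conf/httpd.conf "$httpd_dir"/conf.d/*.conf || rc=1
    check_torrc_targets "$torrc" || rc=1
    return $rc
}
```

Calling `audit_onion_only` with no arguments on the server checks the default paths; a non-zero return means at least one listener or target still needs rebinding.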

After a reboot, the services httpd (Apache), mysqld (database) and tor need to be started. These commands make them run automatically when booting up:
    chkconfig httpd on
    chkconfig mysqld on
    chkconfig tor on

OK, time to reboot the server:
    reboot

Give it some time and check a couple of minutes later if you can access your onion URL again. Get a new identity in Tor Browser to speed it up. You made it! Your hidden service is running and the only thing missing is its content.

Please note that this is a basic setup instruction and there are many ways to improve every single aspect of your infrastructure. We recommend you get more into the topics and improve certain aspects. On the other hand, some security measures are counterproductive: while you need to keep your anonymity on a high level, you still need to seem like an average joe who has nothing to hide. Keep a good balance between anonymity and not raising red flags.
