diff --git a/index.md b/index.md index 11687d3..7fb8e05 100644 --- a/index.md +++ b/index.md @@ -19,6 +19,7 @@ With this new mkdocs blog version, we have completely changed how you can find b (Check out [this blogpost](whytheblog/index.md) for more details on our mission) ## Our latest contributed tutorials: +- 2025-05-25: [Why should I use Whonix for Self-hosted Hidden services ?](whonix_hiddenservice/index.md) - 2025-05-22: [File Verifications (Shasums and PGP)](file-verification/index.md) - 2025-05-21: [Realistic OPSEC Mistakes and Threat Scenarios](opsecmistakes/index.md) - 2025-05-16: [The State is the Enemy](stateistheenemy/index.md) @@ -31,6 +32,7 @@ With this new mkdocs blog version, we have completely changed how you can find b - 2025-04-27: [Anonymous Monitoring (Grafana, Prometheus, Node-exporter)](anonymous_server_monitoring/index.md) - 2025-04-21: [Self-Hosted LLM Hidden Service](openwebuilocalllms/index.md) - 2025-04-20: [Where to Hide your Monero Wealth?](monerowealth/index.md) + ## Our upcoming tutorials: To know what's in store for the future of the Nihilism Opsec blog, you can check out our [Forgejo opsec project board](http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/projects/1) 
@@ -42,11 +44,18 @@ If there is a new tutorial that should be added in the opsec blog, let us know i If you want to earn some Monero, you can write new blogposts for us (from 10 to 50 euros worth of monero per tutorial, as [advertised on xmrbazaar](https://xmrbazaar.com/listing/UsWA/)), if you're interested, check out our [how to contribute guide](contribute/index.md), and make sure that you follow our [quality standard](qualitystandard/index.md). -## Inspirations +## Wall of Fame (as of May 2025) -- [The Hitchhiker's guide to Anonymity](https://anonymousplanet.org/guide/) -- [Hackliberty Resources](https://git.hackliberty.org/hackliberty.org/Hack-Liberty-Resources) -- [Dread /d/opsec](http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/d/opsec) -- [Sam bent's youtube channel](https://www.youtube.com/@Sam_Bent) -- [Monero Talk's youtube channel](https://www.youtube.com/@MoneroTalk) +- [The Kicksecure Documentation](http://www.w5j6stm77zs6652pgsij4awcjeel3eco7kvipheu6mtr623eyyehj4yd.onion/wiki/Documentation) : One of the actual backbones of OPSEC in general, making Privacy, Anonymity and even Deniability possible on the operating system level and explaining how they achieved it +- [The Whonix Documentation](http://www.dds6qkxpwdeubwucdiaord2xgbbeyds25rbsgr73tbfpqpt4a6vjwsyd.onion/wiki/Documentation) : One of the actual backbones of OPSEC in general, making Anonymity possible on the operating system level and explaining how they achieved it +- [The Hitchhiker's guide to Anonymity](https://anonymousplanet.org/guide/) : The main inspiration for the Opsec blog, an actual goldmine of information, even though i don't like how everything is in one page. 
+- [Hackliberty Resources](https://git.hackliberty.org/hackliberty.org/Hack-Liberty-Resources) : Community focused on Anarchy in general +- [Dread /d/opsec](http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/d/opsec) : Dread being one of the largest darknet forums out there, their opsec board is a fertile ground for truth seeking +- [Sam bent's youtube channel](https://www.youtube.com/@Sam_Bent) : Ex-darknet vendor, well versed in anything opsec-related, with solid background on the law in general. +- [Monero Talk's youtube channel](https://www.youtube.com/@MoneroTalk) : Show focusing on growing the adoption of Monero to the masses. +## Wall of Shame (as of May 2025) + +- [Dread /d/opsec](http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/d/opsec) : Dread being one of the largest darknet forums out there, their opsec board is also (sadly) a fertile ground for disinformation campaigns and dishonest debates, so make sure you double check and challenge everything they claim in there. +- [PrivacyGuides](https://www.privacyguides.org/en/mobile-browsers/?h=mobile+browsers#legacy-adblock-settings) : Sadly a far too popular community of privacy laxists, [claiming that using closed-source software is supposedly suitable for private use](https://discuss.privacyguides.net/t/should-privacy-guides-require-open-source-source-first-or-source-available-as-a-criteria-for-all-tools/22684/83). +- [Techlore](https://www.youtube.com/watch?v=EA4KyQBdSu8) : Another privacy laxist community claiming that privacy is possible on Windows, or MacOS. diff --git a/whonix_hiddenservice/image-1.png b/whonix_hiddenservice/image-1.png new file mode 100644 index 0000000..750e0c2 Binary files /dev/null and b/whonix_hiddenservice/image-1.png differ diff --git a/whonix_hiddenservice/image-2.png b/whonix_hiddenservice/image-2.png new file mode 100644 index 0000000..96ffcd1 Binary files /dev/null and b/whonix_hiddenservice/image-2.png differ 
diff --git a/whonix_hiddenservice/image-3.png b/whonix_hiddenservice/image-3.png new file mode 100644 index 0000000..c901127 Binary files /dev/null and b/whonix_hiddenservice/image-3.png differ diff --git a/whonix_hiddenservice/image-4.png b/whonix_hiddenservice/image-4.png new file mode 100644 index 0000000..3757b05 Binary files /dev/null and b/whonix_hiddenservice/image-4.png differ diff --git a/whonix_hiddenservice/image-5.png b/whonix_hiddenservice/image-5.png new file mode 100644 index 0000000..8b964e9 Binary files /dev/null and b/whonix_hiddenservice/image-5.png differ diff --git a/whonix_hiddenservice/image-6.png b/whonix_hiddenservice/image-6.png new file mode 100644 index 0000000..8e5a06a Binary files /dev/null and b/whonix_hiddenservice/image-6.png differ diff --git a/whonix_hiddenservice/image.png b/whonix_hiddenservice/image.png new file mode 100644 index 0000000..720b98e Binary files /dev/null and b/whonix_hiddenservice/image.png differ diff --git a/whonix_hiddenservice/index.md b/whonix_hiddenservice/index.md new file mode 100644 index 0000000..1501001 --- /dev/null +++ b/whonix_hiddenservice/index.md 
@@ -0,0 +1,118 @@ +--- +author: Nihilist +date: 2025-05-25 +gitea_url: "http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions/issues/324" +xmr: 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8 +--- +# Why should I use Whonix for Self-hosted Hidden services ? + +Whonix by itself provides the following [security features](https://www.whonix.org/#security) : + +- Impossible to leak an IP address +- Discovery and traffic analysis attacks +- TCP ISN CPU INformation Leak Protection +- Time Attack Defenses + +Since the goal of self-hosting hidden services is to avoid revealing your home IP address, the IP address leak protection that Whonix provides is a paramount requirement. While this is not necessarily a concern when setting up hidden services on remote servers (VPSes) because the actual server's public IP address is not your home IP address anyway, **but when we're self hosting hidden services, IP Leaks becomes a main concern because an actual leak would lead to your home address directly**, hence the serverside Whonix VMs requirement. + +## Targeted Setup: + +![alt text](image.png) + +For this targeted setup, we're going to re-use a set of QEMU Whonix VMs on our homeserver, the nginx service with the local website are going to sit on the whonix workstation, meanwhile the actual Tor daemon will remain on the Whonix Gateway. We're going to follow the [official whonix documentation](https://www.whonix.org/wiki/Onion_Services#Hidden_Webserver) to do this setup. 
+ +### Whonix Gateway Setup + +First in the whonix gateway, we setup the hidden service : + +```sh +[gateway user ~]% sudo vim /usr/local/etc/torrc.d/50_user.conf +[gateway user ~]% sudo cat /usr/local/etc/torrc.d/50_user.conf +# Tor user specific configuration file +# +# Add user modifications below this line: +############################################ + +HiddenServiceDir /var/lib/tor/hidden_service/ +HiddenServicePort 80 10.152.152.11:80 +HiddenServiceVersion 3 +``` +Then, we restart the tor daemon and get the hidden service address: +```sh +[gateway user ~]% sudo systemctl restart tor@default +[gateway user ~]% sudo cat /var/lib/tor/hidden_service/hostname +4fqigk23qhaa47kk7g3yzmi4xiutvbl774dee2in2fdiekxnbyuia6yd.onion +``` + + +### Whonix Workstation Setup + +![alt text](image-1.png) + +Once in the sysmaint session, we open up a terminal to setup the nginx webserver and configure it: + +![alt text](image-2.png) + +```sh +[workstation sysmaint ~]% sudo apt update -y ; sudo apt install nginx -y + +[workstation sysmaint ~]% cd /etc/nginx +[workstation sysmaint ~]% rm sites-*/default +[workstation sysmaint ~]% sudo vim sites-available/webservice +[workstation sysmaint ~]% cat sites-available/webservice + +server { + listen 80; + listen [::]:80; + server_name 4fqigk23qhaa47kk7g3yzmi4xiutvbl774dee2in2fdiekxnbyuia6yd.onion; + root /srv/webservice/; + +} + +:wq + +[workstation sysmaint ~]% sudo ln -s /etc/nginx/sites-available/webservice /etc/nginx/sites-enabled/ +[workstation sysmaint ~]% sudo nginx -t +nginx: the configuration file /etc/nginx/nginx.conf syntax is ok +nginx: configuration file /etc/nginx/nginx.conf test is successful + +[workstation sysmaint ~]% sudo vim /srv/webservice/index.html +[workstation sysmaint ~]% cat /srv/webservice/index.html +welcome to my self-hosted hidden service! 
+[workstation sysmaint ~]% sudo systemctl restart nginx +[workstation sysmaint ~]% sudo systemctl enable --now nginx +[workstation sysmaint ~]% curl 127.0.0.1:80 +welcome to my self-hosted hidden service! +``` +Now that the webservice is functional locally, we need to make sure that the whonix workstation firewall allows the connection from the local IP 10.152.152.11, as otherwise the whonix gateway cant redirect the traffic to the webserver: + +```sh +[workstation sysmaint ~]% curl 10.152.152.11:80 +curl: (7) Failed to connect to 10.152.152.11 port 80 after 0 ms: Couldn't connect to server +zsh: exit 7 curl 10.152.152.11:80 + +[workstation sysmaint ~]% sudo -i +[workstation root ~]# mkdir -p /usr/local/etc/whonix_firewall.d +[workstation root ~]# vim /usr/local/etc/whonix_firewall.d/50_user.conf +[workstation root ~]# cat /usr/local/etc/whonix_firewall.d/50_user.conf +EXTERNAL_OPEN_PORTS+=" 80 " + +[workstation root ~]# whonix_firewall +``` +![alt text](image-3.png) + +Now that the firewall has been configured correctly to allow the traffic to arrive on the local IP on port 80, we can test if the hidden service works as intended from the tor browser: +![alt text](image-4.png) + +And it works! Now let's reboot the whonix workstation back into user mode since we finished the maintenance, and check if the hidden service still works as intended: + +```sh +[workstation root ~]# reboot now +``` +![alt text](image-5.png) + +![alt text](image-6.png) + +After rebooting the whonix workstation we see that it is still accessible as intended! + +The point of going back into the regular user mode is that in case if the service were to get hacked, the whonix hardening features are going to make it impossible for the attacker to do anything. For example they can't get the onion hidden service keys because those sit on the Whonix gateway, rather than on the Workstation. \ No newline at end of file 
diff --git a/whonixqemuvms/index.md b/whonixqemuvms/index.md index aefe84e..93e9804 100644 --- a/whonixqemuvms/index.md +++ b/whonixqemuvms/index.md @@ -14,8 +14,6 @@ Whonix is an open-source set of 2 VMs (one being used for networking, and the ot ![alt text](image-7.png) - - ## _OPSEC Recommendations:_ 1. Hardware : (Personal Computer / Laptop) @@ -277,4 +275,6 @@ Then, after rebooting into the regular user mode, we see that neofetch is instal ![alt text](image-5.png) -And thats it! you now have a VM ready to be used for your Anonymous activities, \ No newline at end of file +And thats it! you now have a VM ready to be used for your Anonymous activities, + +Now if you want to remove the user and sysmaint separation, you can select the "Remove user-sysmaint-split - enable unrestricted admin mode" boot option like we did in the [Kicksecure Host OS tutorial.](../linux/index.md) \ No newline at end of file
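Review bot: in index.md, hunk `@@ -42,11 +44,18 @@`, the added `## Wall of Shame (as of May 2025)` heading directly follows the Monero Talk list item with no blank line before it, while this same patch adds a blank line before `## Our upcoming tutorials:`. Add an empty `+` line before the heading so it renders reliably and matches the rest of the file. The hunk also lists Dread /d/opsec under both Wall of Fame and Wall of Shame with the same URL, which reads as contradictory; one entry carrying both remarks would be clearer. The PrivacyGuides entry links to `/en/mobile-browsers/?h=mobile+browsers#legacy-adblock-settings`, which looks like a leftover search deep link rather than the page the sentence is about.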
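Review bot: in whonix_hiddenservice/index.md, the workstation nginx block runs `rm sites-*/default` without sudo from the sysmaint prompt, while every other change under /etc/nginx in that block uses sudo, so a reader copying it will most likely get a permission error; make it `sudo rm sites-*/default`. In the same block a stray `:wq` sits after the closing brace of the `cat sites-available/webservice` output and should be dropped. In the feature list at the top, "Discovery and traffic analysis attacks" reads as if the attacks were a feature; word it as protection against them, and fix "INformation". The closing paragraph says the hardening makes it "impossible for the attacker to do anything", which is stronger than what the tutorial shows: nginx and /srv/webservice live on the workstation, so the site content is still exposed to a compromise there. Narrow the claim to the example given, that the onion service keys stay on the gateway.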
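Review bot: in whonixqemuvms/index.md, hunk `@@ -277,4 +275,6 @@`, the added sentence tells readers how to select "Remove user-sysmaint-split - enable unrestricted admin mode" without saying what they give up. The hidden service tutorial added in this same patch reboots back into user mode precisely for the hardening that the split provides, so add a sentence stating that trade-off next to the boot option. The re-added line above it still ends in a comma ("Anonymous activities,") and the file still has no trailing newline.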