[TUTORIAL] How to setup a .onion (tor) website and protect youself from breaches

Deadsh0t

FIRST OF ALL IF THIS IS NOT ALLOWED PLEASE DELETE THIS POST

So i wanted to share how to setup a deepweb website and have it as secure as possible.
What youll need:
NOTE: YOU DONT NEED TO HAVE ANY PORTS OPEN NOT EVEN PORT 80 YOU CAN DO THIS ON ANY REGULAR INTERNET CONNECTION
-running web server preferably on ubuntu or debian (google how to install lamp if you dont know how to host websites)
-apache isnt the 1 you must choose but it is the easiest to configure
-A good concept

-Really basic linux skills

Step 1: Install tor you can do this on debian/ubuntu distributions by typing

Code:
sudo apt-get install tor

for arch linux

Code:
sudo pacman -S tor

and for centos/rhel:

Code:
yum install epel-release

yum install tor

Step 2: generate onion domain:

Code:
edit /etc/tor/torrc (you can do this by typing nano /etc/torrc)and uncomment

HiddenServiceDir /var/lib/tor/hidden_service/

HiddenServicePort 80 127.0.0.1:80

sometimes this is commented so uncomment it and restart tor using systemctl restart tor

Step 3: check your onion domain:

Code:
cat /var/lib/tor/hidden_service/hostname

(the folder hidden_service also creates a private key that can be used to
transfer your onion domain to a new server)

Step 4: make the onion domain known to apache:

Code:
edit /etc/apache2/sites-available/000-default.conf (nano /etc/apache2/sites-available/000-default.conf)

and add this to end of file

Code:

<virtualhost 127.0.0.1:80>

ServerName bvibfr576o4zpdr6.onion

ServerAdmin [email protected]

DocumentRoot /var/www/hidden_service

</virtualhost>

after this restart apache sudo systemctl restart apache2

step 5: create content directory (to place the website files):

Code:
cd /var/www

sudo mkdir hidden_service

you can place all your website files into /var/www/hidden_service

Step 6:Test your tor website by copying your address into the tor browser

Were not done yet now were going to take some security measures

step 1 disable server info :

Code:
nano /etc/apache2/apache2.conf

ServerSignature Off

ServerTokens Prod

this disables the info

step 2 disable server status:

Code:
sudo a2dismod status

contains server info we dont want anyone to know
normally this is only for localhost to access
but when someone accesses our tor site .onion it acts as localhost

There you go you now have your very own deepweb website
BUT REMEMBER A CHAIN IS AS STRONG AS ITS WEAKEST LINK

UPDATE For people who want to use nginx , nginx is a lot lighter and sometimes faster than apache ( thanks @Sweets for the addition Wink

):

With regards to #4, should you so choose to use NGINX, your configuration will look as such

Code:
server {

   listen 80 default_server;

   listen [::]:80 default_server;

   root /var/www/hidden_service

   server_name bvibfr576o4zpdr6.onion;

}

This configuration will likely be located in /etc/nginx/sites-available, with the same name symlinked to the previous path at /etc/nginx/sites-enabled. I'm not entirely certain of how one may disable localhost related information for an NGINX backend, though, since I've never needed to. That being said, it would be wisest to look into that, for users that are using NGINX.

Also, another addition, Arch Linux users can install tor with

Sweets

This is completely allowed. There's nothing inherently related to hacking at all, so it's not against MyBB terms of usage. Which honestly we may just toss out the window anyways. In any case, I'm glad someone posted a tutorial. I'd also like to add that, in addition to what's been stated here, you may also supplement Apache with NGINX. All of the same steps still apply, save for #4.

With regards to #4, should you so choose to use NGINX, your configuration will look as such

Code:
server {

    listen 80 default_server;

    listen [::]:80 default_server;

    root /var/www/hidden_service

    server_name bvibfr576o4zpdr6.onion;

}

This configuration will likely be located in /etc/nginx/sites-available, with the same name symlinked to the previous path at /etc/nginx/sites-enabled. I'm not entirely certain of how one may disable localhost related information for an NGINX backend, though, since I've never needed to. That being said, it would be wisest to look into that, for users that are using NGINX.

Also, another addition, Arch Linux users can install tor with

Code:
sudo pacman -S tor

Deadsh0t

(10 months ago)Sweets Wrote: This is completely allowed. There's nothing inherently related to hacking at all, so it's not against MyBB terms of usage. Which honestly we may just toss out the window anyways. In any case, I'm glad someone posted a tutorial. I'd also like to add that, in addition to what's been stated here, you may also supplement Apache with NGINX. All of the same steps still apply, save for #4.

With regards to #4, should you so choose to use NGINX, your configuration will look as such

Code:
server { listen 80 default_server; listen [::]:80 default_server; root /var/www/hidden_service server_name bvibfr576o4zpdr6.onion; }

This configuration will likely be located in /etc/nginx/sites-available, with the same name symlinked to the previous path at /etc/nginx/sites-enabled. I'm not entirely certain of how one may disable localhost related information for an NGINX backend, though, since I've never needed to. That being said, it would be wisest to look into that, for users that are using NGINX.

Also, another addition, Arch Linux users can install tor with

Code:
sudo pacman -S tor

thanks for your addition Smile

added it and changed some things