[TUTORIAL] How to setup a .onion (tor) website and protect youself from breaches

FIRST OF ALL IF THIS IS NOT ALLOWED PLEASE DELETE THIS POST

So i wanted to share how to setup a deepweb website and have it as secure as possible.
What youll need:
NOTE: YOU DONT NEED TO HAVE ANY PORTS OPEN NOT EVEN PORT 80 YOU CAN DO THIS ON ANY REGULAR INTERNET CONNECTION
-running web server preferably on ubuntu or debian (google how to install lamp if you dont know how to host websites)
-apache isnt the 1 you must choose but it is the easiest to configure
-A good concept
-Really basic linux skills
 
Step 1: Install tor you can do this on debian/ubuntu distributions by typing

Code:

sudo apt-get install tor

for arch linux

Code:

sudo pacman -S tor

and for centos/rhel:

Code:

yum install epel-release
yum install tor

 
Step 2: generate onion domain:

Code:

edit /etc/tor/torrc (you can do this by typing nano /etc/torrc)and uncomment
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
sometimes this is commented so uncomment it and restart tor using systemctl restart tor
 

Step 3: check your onion domain:

Code:

cat /var/lib/tor/hidden_service/hostname

(the folder hidden_service also creates a private key that can be used to
transfer your onion domain to a new server)
 
 
Step 4: make the onion domain known to apache:

 

Code:

edit /etc/apache2/sites-available/000-default.conf (nano /etc/apache2/sites-available/000-default.conf)
 

and add this to end of file

 

Code:

<virtualhost 127.0.0.1:80>
ServerName bvibfr576o4zpdr6.onion
ServerAdmin [email protected]
DocumentRoot /var/www/hidden_service
</virtualhost>

after this restart apache sudo systemctl restart apache2
 
step 5: create content directory (to place the website files):

Code:

cd /var/www
sudo mkdir hidden_service

you can place all your website files into /var/www/hidden_service
 
Step 6:Test your tor website by copying your address into the tor browser
 
Were not done yet now were going to take some security measures
 
 
step 1 disable server info :

Code:

nano /etc/apache2/apache2.conf
ServerSignature Off
ServerTokens Prod

this disables the info
 
step 2 disable server status:

Code:

sudo a2dismod status

contains server info we dont want anyone to know
normally this is only for localhost to access
but when someone accesses our tor site .onion it acts as localhost
 
There you go you now have your very own deepweb website
BUT REMEMBER A CHAIN IS AS STRONG AS ITS WEAKEST LINK

UPDATE For people who want to use nginx , nginx is a lot lighter and sometimes faster than apache ( thanks @Sweets for the addition ):


With regards to #4, should you so choose to use NGINX,  your configuration will look as such

Code:

server {
   listen 80 default_server;
   listen [::]:80 default_server;

   root /var/www/hidden_service

   server_name bvibfr576o4zpdr6.onion;
}

This configuration will likely be located in /etc/nginx/sites-available, with the same name symlinked to the previous path at /etc/nginx/sites-enabled. I'm not entirely certain of how one may disable localhost related information for an NGINX backend, though, since I've never needed to. That being said, it would be wisest to look into that, for users that are using NGINX.

Also, another addition, Arch Linux users can install tor with

This is completely allowed. There's nothing inherently related to hacking at all, so it's not against MyBB terms of usage. Which honestly we may just toss out the window anyways. In any case, I'm glad someone posted a tutorial. I'd also like to add that, in addition to what's been stated here, you may also supplement Apache with NGINX. All of the same steps still apply, save for #4.

With regards to #4, should you so choose to use NGINX, your configuration will look as such

Code:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/hidden_service

    server_name bvibfr576o4zpdr6.onion;
}

This configuration will likely be located in /etc/nginx/sites-available, with the same name symlinked to the previous path at /etc/nginx/sites-enabled. I'm not entirely certain of how one may disable localhost related information for an NGINX backend, though, since I've never needed to. That being said, it would be wisest to look into that, for users that are using NGINX.

Also, another addition, Arch Linux users can install tor with

Code:

sudo pacman -S tor

This is completely allowed. There's nothing inherently related to hacking at all, so it's not against MyBB terms of usage. Which honestly we may just toss out the window anyways. In any case, I'm glad someone posted a tutorial. I'd also like to add that, in addition to what's been stated here, you may also supplement Apache with NGINX. All of the same steps still apply, save for #4.

With regards to #4, should you so choose to use NGINX, your configuration will look as such

Code:

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    root /var/www/hidden_service

    server_name bvibfr576o4zpdr6.onion;
}

This configuration will likely be located in /etc/nginx/sites-available, with the same name symlinked to the previous path at /etc/nginx/sites-enabled. I'm not entirely certain of how one may disable localhost related information for an NGINX backend, though, since I've never needed to. That being said, it would be wisest to look into that, for users that are using NGINX.

Also, another addition, Arch Linux users can install tor with

Code:

sudo pacman -S tor

thanks for your addition added it and changed some things