Hi, the content below will let you set up your own website on the Dark Web (also called the Dark Net) as a Tor onion service. Bear in mind that this tutorial is written for Red Hat family distros such as CentOS, Red Hat and Fedora. For Debian family distros it is a little different, but not hard to adapt.
Very basic setup of your own website in Dark Web
Below you have a very basic configuration that sets up what is needed. Advanced security configuration for nginx follows in a separate section, to let you harden nginx. This tutorial does not contain every step, because some of them require knowledge that I share in my other posts.
Update packages
Add an admins group that will be granted sudo permissions
Add a user. Replace user with a random name.
Add user to admins group
```shell
usermod -aG admins user
```
Set the password for the user
Choose a strong password. I recommend using a password manager such as Bitwarden.
Replace the default wheel group with admins in /etc/sudoers (afterwards confirm that the file still parses with visudo -c, because a broken sudoers file locks you out of sudo):
```shell
sed -i 's/%wheel/%admins/g' /etc/sudoers
```
Check that the user has been added to the admins group
Switch to user account
Install vim or nano text editor
```shell
sudo dnf install vim -y
```
or
```shell
sudo dnf install nano -y
```
Install nginx and tor
```shell
sudo dnf install nginx tor -y
```
Edit the tor configuration file
```shell
sudo vim /etc/tor/torrc
```
and set the following. HiddenServiceDir is where Tor keeps the service keys and the generated hostname, and HiddenServicePort 80 127.0.0.1:80 forwards port 80 of the onion address to nginx listening on loopback:
```
Log notice file /var/log/tor/log
RunAsDaemon 1
DataDirectory /var/lib/tor
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
```
Save and exit
Start both services, enable them at boot and then check their status
```shell
sudo systemctl start nginx tor
sudo systemctl enable nginx tor
sudo systemctl status nginx tor
```
Go back to root (Ctrl+D) and read the hostname that Tor generated:
```shell
cat /var/lib/tor/hidden_service/hostname
```
It will display your onion address, which is the onion address of this server. Put it into the server block as server_name in /etc/nginx/nginx.conf.
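The hostname file contains a v3 onion address, which is itself a checksummed base32 encoding of the service's ed25519 public key. The following Python script is an added example (not part of the original post and not Tor's own code) that decodes such an address and verifies its embedded checksum, so you can confirm that what you paste into server_name is a well-formed address rather than a typo or a mangled copy. The address layout and checksum rule follow Tor's v3 rendezvous specification; the default file path is the one from the torrc above, and the test input is constructed from a dummy public key.

```python
import base64
import hashlib
import sys

ONION_V3_VERSION = b"\x03"
DEFAULT_HOSTNAME_FILE = "/var/lib/tor/hidden_service/hostname"  # path from the torrc above


def parse_onion_v3(hostname: str) -> bytes:
    """Decode a v3 onion hostname and verify its checksum; return the 32-byte ed25519 public key.

    Layout (Tor rend-spec-v3): base32(PUBKEY[32] || CHECKSUM[2] || VERSION[1]) + ".onion"
    where CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2].
    Raises ValueError describing the first defect found.
    """
    name = hostname.strip().lower()
    if not name.endswith(".onion"):
        raise ValueError("not a .onion name")
    label = name[: -len(".onion")]
    if len(label) != 56:  # 56 base32 chars = 280 bits = 35 bytes; old v2 names were 16 chars
        raise ValueError(f"v3 onion label must be 56 characters, got {len(label)}")
    try:
        raw = base64.b32decode(label.upper())
    except Exception as exc:  # binascii.Error for characters outside the base32 alphabet
        raise ValueError("label is not valid base32") from exc
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    if version != ONION_V3_VERSION:
        raise ValueError(f"unexpected version byte {version.hex()}")
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    if checksum != expected:
        raise ValueError("checksum mismatch: the address is corrupted or not a real v3 address")
    return pubkey


def onion_v3_from_pubkey(pubkey: bytes) -> str:
    """Derive the hostname Tor writes for a 32-byte ed25519 public key (inverse of parse_onion_v3)."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + ONION_V3_VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + ONION_V3_VERSION).decode().lower() + ".onion"


def is_valid_onion_v3(hostname: str) -> bool:
    """Convenience wrapper: True if the hostname decodes and its checksum matches."""
    try:
        parse_onion_v3(hostname)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Usage: python3 check_onion.py [path-to-hostname-file]
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOSTNAME_FILE
    with open(path) as fh:
        addr = fh.read().strip()
    try:
        key = parse_onion_v3(addr)
        print(f"{addr}: valid v3 address, public key {key.hex()}")
    except ValueError as err:
        print(f"{addr}: INVALID ({err})")
        sys.exit(1)
```

Run it as root on the server (the hostname file is readable only by the tor user and root); a non-zero exit means the address you are about to configure is not one Tor could have generated.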
Switch back to the user account.
Delete the content of index.html. Note that a redirection such as sudo cat /dev/null > file is performed by your own shell, not by sudo, so it fails with permission denied; run the redirection inside a shell started by sudo instead:
```shell
sudo sh -c 'cat /dev/null > /usr/share/nginx/html/index.html'
```
Edit the index.html
```shell
sudo vim /usr/share/nginx/html/index.html
```
or
```shell
sudo nano /usr/share/nginx/html/index.html
```
Paste the below:
```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Welcome to the Dark Web</title>
</head>
<body>
<p>Hello world!</p>
</body>
</html>
```
Save and exit
*** secure nginx - very basic configuration ***
Edit the nginx configuration
```shell
sudo vim /etc/nginx/nginx.conf
```
In the server block, replace the default listen directives
```nginx
listen 80 default_server;
listen [::]:80 default_server;
```
with a loopback-only listener, so that nginx answers only requests forwarded by Tor and is never reachable directly on the server's public IP address:
```nginx
listen 127.0.0.1:80 default_server;
```
Disable directory listing
Add autoindex off; so that nginx does not list the contents of a directory that has no index file:
```nginx
location / {
    autoindex off;
}
```
Test the configuration
Restart nginx
```shell
sudo systemctl restart nginx
```
Enjoy your dark web website!
Advanced Nginx protection
You can control and configure Linux kernel and networking settings via /etc/sysctl.conf. Remember to reboot the server after this step.
```shell
sudo vim /etc/sysctl.conf
```
```
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Turn on exec-shield
kernel.exec-shield = 1
kernel.randomize_va_space = 1
# Tune IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
# Optimization for port use for LBs
# Increase system file descriptor limit
fs.file-max = 65535
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size settable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
# TCP windows etc.
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
net.ipv4.tcp_window_scaling = 1
```
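To confirm that the hardening above actually took effect, and to spot keys that a given kernel does not provide (kernel.exec-shield, for instance, exists only on older Red Hat kernels; on current ones the key is simply absent and sysctl reports it as such), here is an added Python checker that is not part of the original post. It parses sysctl.conf syntax, compares the values with a representative subset of the settings listed above, and can also read the running kernel's values from /proc/sys. The sample configuration text inside it is constructed for the demonstration.

```python
import pathlib
from typing import Dict, Optional

# Expected values: a representative subset of the sysctl.conf settings above.
EXPECTED: Dict[str, str] = {
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
    "net.ipv4.icmp_ignore_bogus_error_responses": "1",
    "net.ipv4.tcp_syncookies": "1",
    "net.ipv4.conf.all.log_martians": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.ip_forward": "0",
    "kernel.randomize_va_space": "1",
    "kernel.exec-shield": "1",
    "net.ipv4.ip_local_port_range": "2000 65000",
}

# Constructed sample in sysctl.conf syntax: one correct value, one wrong value,
# one multi-value key with irregular spacing, one malformed line, and many keys missing.
SAMPLE_CONF = """\
# hardening sample (constructed)
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 1
net.ipv4.ip_local_port_range = 2000     65000
this line is malformed
"""


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse sysctl.conf syntax: 'key = value' per line; blank lines and '#'/';' comments are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            continue  # sysctl(8) warns about such lines and skips them; so do we
        key, _, value = line.partition("=")
        # Normalise internal whitespace so "2000     65000" compares equal to "2000 65000".
        settings[key.strip()] = " ".join(value.split())
    return settings


def read_live_sysctl(key: str, proc_root: str = "/proc/sys") -> Optional[str]:
    """Return the running kernel's value for key via /proc/sys, or None if the key does not exist."""
    path = pathlib.Path(proc_root, *key.split("."))
    try:
        return " ".join(path.read_text().split())
    except OSError:
        return None


def audit(settings: Dict[str, Optional[str]], expected: Dict[str, str] = EXPECTED) -> Dict[str, str]:
    """Compare a settings map (from a file or the live kernel) with the expected values.

    Returns {key: problem} for every key that is missing or differs; an empty dict means compliant.
    """
    findings: Dict[str, str] = {}
    for key, want in expected.items():
        have = settings.get(key)
        if have is None:
            findings[key] = "missing"
        elif have != want:
            findings[key] = f"is {have}, want {want}"
    return findings


def audit_live(expected: Dict[str, str] = EXPECTED, proc_root: str = "/proc/sys") -> Dict[str, str]:
    """Audit the running kernel instead of a file."""
    return audit({key: read_live_sysctl(key, proc_root) for key in expected}, expected)


if __name__ == "__main__":
    print("sample file:", audit(parse_sysctl_conf(SAMPLE_CONF)))
    try:
        print("/etc/sysctl.conf:", audit(parse_sysctl_conf(pathlib.Path("/etc/sysctl.conf").read_text())))
    except OSError as err:
        print("/etc/sysctl.conf unreadable:", err)
    print("running kernel:", audit_live())
```

Run it once after the reboot: the file audit tells you whether the settings were written, and the live audit tells you whether the kernel accepted them, which is the result that actually matters.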
Controlling Buffer Overflow Attacks
Edit nginx.conf and set buffer size limits for all clients.
```shell
sudo vim /etc/nginx/nginx.conf
```
Add the following to the http or server block:
```nginx
client_body_buffer_size 1k;
client_header_buffer_size 1k;
client_max_body_size 1k;
large_client_header_buffers 2 1k;
```
Note that client_max_body_size 1k makes nginx answer 413 (Request Entity Too Large) to any request whose body exceeds 1 KiB, so raise it if your site accepts forms or uploads.
Disable Any Unwanted HTTP methods
I suggest disabling any HTTP methods that your site does not use and that the web server therefore does not need to implement. If you add the following to the location block of the nginx virtual host configuration, the server allows only GET, HEAD and POST and rejects methods such as DELETE and TRACE with 403:
```nginx
location / {
    limit_except GET HEAD POST { deny all; }
}
```
Another approach is to add the following condition to the server section (server block). It can be regarded as more universal, but be careful with if statements, particularly in the location context. return 444 makes nginx close the connection without sending any response:
```nginx
if ($request_method !~ ^(GET|HEAD|POST)$ ) {
    return 444;
}
```
To harden your nginx web server further, you can add several HTTP response headers in the http or server block.
X-Frame-Options
Use the X-Frame-Options HTTP response header to indicate whether a browser should be allowed to render a page in a <frame> or an <iframe>. This can prevent clickjacking attacks, so we recommend enabling this option for your nginx server.
To do this, add the following directive to the nginx configuration file in the server section:
```nginx
add_header X-Frame-Options "SAMEORIGIN";
```
Strict-Transport-Security
HTTP Strict Transport Security (HSTS) is a method by which websites declare that they should only be accessed over a secure connection (HTTPS). If a website declares an HSTS policy, the browser must refuse all plain HTTP connections and must not let users accept insecure SSL certificates. To add an HSTS header to your nginx server, add the following directive to your server section:
```nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
```
CSP and X-XSS-Protection
Content Security Policy (CSP) protects your site against certain types of attacks, including cross-site scripting (XSS) and data injection. You can implement CSP by adding the following example Content-Security-Policy header (note that the actual policy should be configured to match your own requirements):
```nginx
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
```
The HTTP X-XSS-Protection header is supported by IE and Safari and is not necessary for modern browsers if you have a strong Content Security Policy. However, to help prevent XSS in older browsers that do not support CSP yet, you can add the X-XSS-Protection header to your server section:
```nginx
add_header X-XSS-Protection "1; mode=block";
```
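To verify both the method restriction and the response headers from the server itself, here is an added Python script that is not part of the original post. fetch_headers talks to nginx on 127.0.0.1:80 (the loopback listener configured above), method_is_blocked checks that a method outside GET/HEAD/POST is refused (403 from limit_except, or a dropped connection from return 444), and audit_security_headers applies a few checks a practitioner wants at this point: 'unsafe-inline' and the bare http:/https: sources in the example CSP leave inline scripts and every origin allowed, browsers ignore Strict-Transport-Security received over plain HTTP (so it adds nothing for a plain-HTTP onion service), and a Server header carrying a version number means server_tokens is not off. The header dictionaries used in the test are constructed.

```python
import http.client
from typing import Dict, List, Tuple

LOCAL_HOST, LOCAL_PORT = "127.0.0.1", 80  # the loopback listener from the nginx config above


def fetch_headers(host: str, port: int, path: str = "/", method: str = "HEAD") -> Tuple[int, Dict[str, str]]:
    """Send one request and return (status, headers). Connection problems propagate as exceptions."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


def method_is_blocked(host: str, port: int, method: str, path: str = "/") -> bool:
    """True if nginx refuses the method: 403 (limit_except / deny all), 405, or a dropped
    connection with no status line, which is what 'return 444' produces."""
    try:
        status, _ = fetch_headers(host, port, path, method)
    except (http.client.BadStatusLine, http.client.RemoteDisconnected, ConnectionResetError):
        return True
    return status in (403, 405)


def audit_security_headers(headers: Dict[str, str], over_tls: bool) -> List[str]:
    """Return human-readable findings for one response's headers (names matched case-insensitively)."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    server = h.get("server", "")
    if any(ch.isdigit() for ch in server):
        findings.append(f"Server header leaks a version ({server}); set server_tokens off")

    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        tokens = csp.replace(";", " ").split()
        if "'unsafe-inline'" in tokens:
            findings.append("CSP contains 'unsafe-inline': inline scripts still run, so it does little against XSS")
        if "http:" in tokens or "https:" in tokens:
            findings.append("CSP allows any http:/https: origin as a source; restrict to 'self' and named hosts")

    hsts = h.get("strict-transport-security")
    if over_tls and hsts is None:
        findings.append("Strict-Transport-Security missing on a TLS response")
    if not over_tls and hsts is not None:
        findings.append("Strict-Transport-Security sent over plain HTTP: browsers ignore it there")

    if "x-xss-protection" in h:
        findings.append("X-XSS-Protection present: only older IE/Safari honour it; CSP is the real control")
    return findings


if __name__ == "__main__":
    status, headers = fetch_headers(LOCAL_HOST, LOCAL_PORT)
    print(f"HEAD / -> {status}")
    for finding in audit_security_headers(headers, over_tls=False) or ["no findings"]:
        print(" -", finding)
    for method in ("DELETE", "TRACE", "PUT"):
        print(f"{method} blocked: {method_is_blocked(LOCAL_HOST, LOCAL_PORT, method)}")
```

Run it on the server after restarting nginx; it deliberately does not go through Tor, so what it tests is the nginx configuration alone. A connection refused error means nothing is listening on 127.0.0.1:80 at all and is reported as an exception rather than as "blocked".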
The whole nginx configuration after the modification should look like this:
```nginx
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        # Additional settings for security reasons
        server_tokens off;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        client_body_buffer_size 1k;
        client_header_buffer_size 1k;
        client_max_body_size 1k;

        #listen 80 default_server;
        #listen [::]:80 default_server;
        listen 127.0.0.1:80 default_server;
        # your onion address
        server_name q.......sga.onion;
        root /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            autoindex off;
            limit_except GET HEAD POST { deny all; }
            proxy_http_version 1.1;
            proxy_set_header "Connection" "";
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

# Settings for a TLS enabled server.
#
#    server {
#        listen 443 ssl http2 default_server;
#        listen [::]:443 ssl http2 default_server;
#        server_name _;
#        root /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout 10m;
#        ssl_ciphers PROFILE=SYSTEM;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#        location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#        location = /50x.html {
#        }
#    }

}
```
Check the logs (press Ctrl+C to exit tail):
```shell
tail -f /var/log/tor/log
tail -f /var/log/nginx/access.log
tail -f /var/log/nginx/error.log
```
I recommend installing the more convenient tool multitail:
```shell
sudo dnf install multitail
```
Then you can view the logs with it like this:
```shell
multitail /var/log/tor/log /var/log/nginx/access.log /var/log/nginx/error.log
```
Press q to exit multitail.
Install vanguards
If you run a high-security onion service which is under attack by sophisticated adversaries, you should install the Vanguards addon which defends against various advanced attacks. Please read Tor project’s blog post on how to install and use this tool.
You can install vanguards from its GitHub repository to protect the service:
https://github.com/mikeperry-tor/vanguards
All you need to do is install a few packages on RHEL 8:
```shell
sudo dnf install git python3-stem
```
In the next step, clone the repository (root's home directory is /root, which is also where the later paths point):
```shell
# Switch to root
sudo -i
cd /root
git clone https://github.com/mikeperry-tor/vanguards.git
```
Edit the vanguards.py file
```shell
vim /root/vanguards/src/vanguards.py
```
Change the shebang to the path where your python3 is installed; by default it is /usr/bin/python3.
Press Esc, then type :x and hit Enter.
After that, edit the crontab (it opens in the default text editor, which in my case is the vim I installed, because I do not use nano) and add this line:
```shell
@reboot /usr/bin/python3 /root/vanguards/src/vanguards.py
```
Press Esc, then type :x and hit Enter.
Then you can reboot the server and the script will run at boot.
Avoiding the Top 10 NGINX Configuration Mistakes
Please visit this website to read an article about it:
https://www.nginx.com/blog/avoiding-top-10-nginx-configuration-mistakes/