I want to use the Tomcat servlet container on a Tor network hidden service. What is the easiest and most secure way to do this without IP leaking or stack traces giving away IP addresses?
Thanks in advance.
Setting up an anonymous Tor/Tomcat service is pretty straightforward:
1. On a Tomcat default install, edit META-INF/context.xml to allow connections from localhost only:
<Context>
  <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="0:0:0:0:0:0:0:1,127\.0\.0\.1" />
</Context>
2. On a Tor default install, edit the torrc file to provide access to the local service through the Tor network, for example:
HiddenServiceDir /library/tor/var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080
(torrc is located in /etc/tor. If you are setting this up on Debian-based distros such as Ubuntu, you should use Tor's own repo, not the distro's repo.)
And that's it. Done. You have set up an anonymous service that ~99.99% of the people in the world will not be able to break, providing what you wanted (this number is an educated guess, just to give you an idea).
Now, please allow me to go a little bit out of the specific topic to put the question in context:
The real risk here is anonymity leaks in the content you publish. Triple check before you post anything.
A close second is vulnerabilities in the application code, or at any other point of the server stack. You will have those. You have to be one step ahead, and discover them and patch them before anyone else interested in uncovering the site does.
I will not enter into the morality or ethics of what you may or may not intend to do, but you shouldn't do it if you cannot understand and assume that if the service lives long enough and becomes popular enough it will be compromised, eventually. Be prepared to deal with that, and have a contingency plan / disaster recovery strategy.
To minimize risk I suggest you deploy actively maintained apps with tested open source code. Stable and up-to-date versions written by skilled people with many years of experience on projects where security is a top priority. Every line of code written by your team must be reviewed before going to production. Apart from review, keep in mind that any quality product should have at least 40% of its staff dedicated exclusively to testing it. This applies to UX as well as security issues. And I cannot stress this enough:
Always keep up to date.
Remove what you don't need; leave only the minimum requirements. Securely erase every log file after checking it (a simple logrotate configuration can do this automatically for you, but don't forget to check the logs for successful attacks before they are erased. Get used to it: since the attempts are obvious, after a while you'll know which ones can be dismissed right away and which ones you should check on). Be careful with exposed API methods or any kind of user input. Sanitize and validate everything coming in from the other end. Test thoroughly before deploying. If the service becomes popular you will need skilled people you can trust to try to break your app in every possible way. There are security firms you can hire to conduct audits on the code base of the applications you deploy. Unless you are a genius with 24/7 dedication you cannot do such a task yourself. And even top geniuses do not become security experts overnight; it takes a lot of experience and hard work.
Some useful links:
- Tomcat remote address filter configuration
- Tor hidden service configuration
- Updated list of known Tomcat vulnerabilities
- Updated list of known Tor vulnerabilities
- CVE data updates and RSS feeds
- ISO/IEC 27001 standard on information security management (pay-per-download link)
- Some useful data breach contingency plan guidelines
As a bonus, not technology related, read and reference this document on disaster avoidance and recovery measures.
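An added audit script for the setup in the answer above. It is not part of the original answer; the check_* function names and the sample server.xml, ss and torrc inputs at the bottom are constructed for this example. It assumes a Linux host with a POSIX sh, awk and iproute2's ss, Tomcat's conf/server.xml and Tor's /etc/tor/torrc. Besides the valve and torrc lines from the answer, it checks the one thing they do not cover: the stock Tomcat Connector binds to every interface, so with the RemoteAddrValve alone the port still accepts clearnet connections and merely answers 403. Binding the Connector with address="127.0.0.1" closes that, and the script verifies that all three layers (server.xml, live listeners, torrc) point at loopback only.

```shell
#!/bin/sh
# Added audit helper for the Tomcat-behind-Tor setup in the answer above.
# Not part of the original answer; the function names and the sample inputs
# at the bottom are constructed for this example.  Three checks to run before
# publishing the .onion address:
#   1. server.xml: every <Connector> is bound to a loopback address, so the
#      clearnet cannot even reach the port (the RemoteAddrValve alone only
#      answers 403 to non-local clients; the socket is still open).
#   2. `ss -ltn`: nothing on the box listens on a non-loopback address.
#   3. torrc: every HiddenServicePort forwards to a loopback target.

# check_connectors "<server.xml text>"
# XML comments are stripped first so the commented-out sample Connectors in
# the stock server.xml do not trigger false positives.
check_connectors() {
    bad=$(printf '%s\n' "$1" | awk '
        { s = s $0 " " }
        END {
            while ((i = index(s, "<!--")) > 0) {        # drop <!-- ... -->
                j = index(substr(s, i), "-->")
                if (j == 0) break
                s = substr(s, 1, i - 1) substr(s, i + j + 2)
            }
            while ((i = index(s, "<Connector")) > 0) {  # inspect each element
                j = index(substr(s, i), ">")
                if (j == 0) break
                el = substr(s, i, j)
                s = substr(s, i + j)
                if (el !~ /address="(127\.0\.0\.1|::1)"/) print el
            }
        }')
    [ -z "$bad" ] && return 0
    printf 'Connector not bound to loopback:\n%s\n' "$bad" >&2
    return 1
}

# check_loopback_only "<output of ss -H -ltn>"
# Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.
# Anything listening on *, 0.0.0.0, [::] or a real interface is flagged.
check_loopback_only() {
    exposed=$(printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4; sub(/:[0-9]+$/, "", addr)        # strip the port
            if (addr !~ /^127\./ && addr != "[::1]") print $4
        }')
    [ -z "$exposed" ] && return 0
    printf 'listener reachable from outside loopback:\n%s\n' "$exposed" >&2
    return 1
}

# check_torrc "<torrc text>"
# A bare port ("HiddenServicePort 80 8080") means 127.0.0.1 and a unix:
# socket target is local by nature; an explicit non-loopback target would
# leak an internal address into the hidden service and is flagged.
check_torrc() {
    bad=$(printf '%s\n' "$1" | awk '
        $1 == "HiddenServicePort" {
            host = $3
            if (host ~ /^unix:/ || index(host, ":") == 0) next
            sub(/:[0-9]+$/, "", host)
            if (host !~ /^127\./ && host != "[::1]") print $0
        }')
    [ -z "$bad" ] && return 0
    printf 'HiddenServicePort to non-loopback target:\n%s\n' "$bad" >&2
    return 1
}

# Live usage on the real box (no root needed for ss -ltn):
#   check_connectors "$(cat /opt/tomcat/conf/server.xml)" \
#     && check_loopback_only "$(ss -H -ltn)" \
#     && check_torrc "$(cat /etc/tor/torrc)" && echo "loopback only: OK"

# --- constructed samples (not from a real host) ---------------------------
SERVER_XML_BAD='<Service name="Catalina">
  <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" /> -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000" redirectPort="8443" />
</Service>'
SERVER_XML_OK='<Service name="Catalina">
  <Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1"
             connectionTimeout="20000" />
</Service>'
SS_BAD='LISTEN 0 100 *:8080 *:*
LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:*'
SS_OK='LISTEN 0 100 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:*
LISTEN 0 100 [::1]:8080 [::]:*'
TORRC_OK='HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080'
TORRC_BAD='HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 10.0.0.5:8080'

check_connectors "$SERVER_XML_OK" && echo "server.xml sample: OK"
check_connectors "$SERVER_XML_BAD" 2>/dev/null || echo "server.xml sample: flagged (expected)"
check_loopback_only "$SS_OK" && echo "ss sample: OK"
check_loopback_only "$SS_BAD" 2>/dev/null || echo "ss sample: flagged (expected)"
check_torrc "$TORRC_OK" && echo "torrc sample: OK"
check_torrc "$TORRC_BAD" 2>/dev/null || echo "torrc sample: flagged (expected)"
```

Run the three live checks after every Tomcat or Tor upgrade as well: a package update that rewrites server.xml or torrc is exactly the kind of silent change that reopens a port on the clearnet interface.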