whackashoe / tor-hidden-service-setup

Create your own TOR hidden service, and keep it secure. A guide on how to create a virtual machine that runs a tor hidden service website.

Hardware virtualization #1

Closed Uisgdlyast closed 11 years ago

Uisgdlyast commented 11 years ago

Sorry, I couldn't find your email. I appreciate your development, it is a little newer than the other one out there (by Ringo I believe, http://pastebin.com/Fy6c1wB8) and the scripts make it a lot easier. I have been trying to combine the guides I have read in a way that works for me. My issue is that when I open virtual machine manager I get the error that KVM is not installed and my machine may perform poorly. I did install it, and after some googling I found out you need VT-x compatibility on your Intel, which I unfortunately do, one of the few multi-cores w/out it. I am wondering if I can apply the same principle to your guide but use VMware or VirtualBox instead?

thanks

whackashoe commented 11 years ago

Yes you should be able to without problem. Just change the part about setting the network bridge on kvm to whatever vm software you use: Make sure that this is working properly before you deploy. Let me know if it goes smoothly, and I'll test it and add it to the guide.

Uisgdlyast commented 11 years ago

Thanks, awesome guide. How secure will this make me? Should I take any other precautions before setting up a hidden service?

On Jun 25, 2013 12:31 AM, "whackashoe" notifications@github.com wrote:

> Yes you should be able to without problem. Just change the part about setting the network bridge on kvm to whatever vm software you use: Make sure that this is working properly before you deploy.


whackashoe commented 11 years ago

Hard question (: To be honest, I can't say as I haven't found a way to break it. Assuming everything is set up correctly, even if someone got root on the vm they should not be able to find your IP. Now, they still could possibly use a 0-day on your vm software to break out of it, tor might have a way to be broken out of on the host machine. However, both of those things are quite sophisticated.

There are numerous hardening techniques on Linux which would be a good read, this guide really only torifies it. Main advice is to double check everything, ensure the IP address cannot be resolved to your host machine at multiple steps. Ensure that your host machine is in and of itself secure as well. Good luck!

Uisgdlyast commented 11 years ago

Thanks. I'll look into Linux hardening techniques.

Sorry for the barrage of questions but would you consider kvm more secure than vmware? Possibly since vmware is used more or that I don't update vmware.

On Aug 3, 2013 10:23 PM, "whackashoe" notifications@github.com wrote:

> Hard question (: To be honest, I can't say as I haven't found a way to break it. Assuming everything is set up correctly, even if someone got root on the vm they should not be able to find your IP. Now, they still could possibly use a 0-day on your vm software to break out of it, tor might have a way to be broken out of on the host machine. However, both of those things are quite sophisticated.
>
> There are numerous hardening techniques on Linux which would be a good read, this guide really only torifies it. Main advice is to double check everything, ensure the IP address cannot be resolved to your host machine at multiple steps. Ensure that your host machine is in and of itself secure as well. Good luck!


whackashoe commented 11 years ago

Both have been broken out of by people in the past, and probably will be broken out of in the future. I can't really say, I would assume an updated kvm would be more secure than an outdated vmware, but I don't really have any standing to suppose that. vmware does have more points of attack. Here are two videos on breaking out of virtualization.

http://www.youtube.com/watch?v=NnYNaLSiOxY - Cloudburst (Hacking 3D And Breaking Out Of Vmware)

http://www.youtube.com/watch?v=hCPFlwSCmvU - DEFCON 19: Virtualization under attack: Breaking out of KVM

If you can prevent someone breaking through your site, prevent someone who has broken into your vm from escalating their privileges, you're better off. If you have some sort of intrusion detection on the guest, you are also probably better off (have it disable networking on guest on detection). If you can secure the guest host adequately you can prevent those fields of attack.
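The reaction suggested in the comment above (intrusion detection on the guest that disables guest networking when it fires), sketched as an added example that is not part of the original thread or the guide. The watched paths, baseline location, `eth0` interface name and all function names are assumptions.

```shell
#!/bin/sh
# Added example: file-integrity tripwire for the guest VM that takes the
# guest's network link down when watched files change.
# Assumed values (not from the guide): baseline path, interface name.
BASELINE="${BASELINE:-/var/lib/tripwire-demo/baseline.sha256}"
GUEST_IF="${GUEST_IF:-eth0}"   # assumed guest interface name
DRY_RUN="${DRY_RUN:-1}"        # 1 = only report, 0 = really isolate

# Hash every regular file under the given paths, in a stable order.
snapshot() {
    find "$@" -type f -exec sha256sum {} + | sort
}

# Record the known-good state. Someone with root on the guest can rewrite
# this file, so keep it on read-only media or compare from outside the guest.
make_baseline() {
    snapshot "$@" > "$BASELINE"
}

# 0 if nothing was modified, added or removed since the baseline, else 1.
check_baseline() {
    [ -r "$BASELINE" ] || return 1
    [ "$(snapshot "$@")" = "$(cat "$BASELINE")" ]
}

# Cut the guest off the network (needs root when DRY_RUN=0).
isolate_guest() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "DRY RUN: ip link set dev $GUEST_IF down"
    else
        ip link set dev "$GUEST_IF" down
    fi
}

# One check cycle, suitable for cron: isolate on any mismatch.
tripwire_run() {
    if check_baseline "$@"; then
        return 0
    fi
    echo "ALERT: watched files differ from baseline" >&2
    isolate_guest
    return 1
}

# Usage: script init /var/www   |   script check /var/www
case "${1:-}" in
    init)  shift; make_baseline "$@" ;;
    check) shift; tripwire_run "$@" ;;
esac
```

Run `init` once after deployment, then `check` on a schedule with `DRY_RUN=0`; rerun `init` after every legitimate change to the watched files.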

Uisgdlyast commented 11 years ago

Thanks a lot. May I ask what your field of work is in? I'd guess network security. Now is it possible to run a vm inside a vm? I have some ideas on it, then you have 2 layers.

And then what about running everything at home? I assume you wouldn't want that but I'm new to real hosting.

I donated a tiny amount of btc to you, scrap change but I'll be getting more soon and appreciate you taking that time, other than the old hidserv.pdf which is outdated I don't know anyone else trying. I wish the info were made much more public.

On Aug 4, 2013 3:45 PM, "whackashoe" notifications@github.com wrote:

> Both have been broken out of by people in the past, and probably will be broken out of in the future. I can't really say, I would assume an updated kvm would be more secure than an outdated vmware, but I don't really have any standing to suppose that. vmware does have more points of attack. Here are two videos on breaking out of virtualization.
>
> http://www.youtube.com/watch?v=NnYNaLSiOxY - Cloudburst (Hacking 3D And Breaking Out Of Vmware)
>
> http://www.youtube.com/watch?v=hCPFlwSCmvU - DEFCON 19: Virtualization under attack: Breaking out of KVM
>
> If you can prevent someone breaking through your site, prevent someone who has broken into your vm from escalating their privileges, you're better off. If you have some sort of intrusion detection on the guest, you are also probably better off (have it disable networking on guest on detection). If you can secure the guest host adequately you can prevent those fields of attack.


whackashoe commented 11 years ago

Yeah, no problem. I'm glad some people are finding my guide useful. I am a programmer & sysadmin, most of my security knowledge I've picked up as a result of those things. On your questions:

> is it possible to run a vm inside a vm? I have some ideas on it, then you have 2 layers.

Not really; I mean, you can in some instances but you're not going to get much of a benefit from it. If you are stuck owning only a vps or something, then you could try it but it's not really what I'd recommend.

> And then what about running everything at home? I assume you wouldn't want that but I'm new to real hosting.

There are basically two things you need to take into consideration (outside of the obvious ones :) ). One, is that when the power goes out your server can eventually be located via statistics on power outages (I forget the company that has these stats). Alternatively, if you are running a (dedicated) server off site you cannot assume that nobody else is tampering with it. My guide is written for people to run these off of home servers, where only they have physical access- although there are definitely upsides to running offsite as well. It is a balance where neither side can be really shown to be necessarily better- it all depends on what you are doing.

Thanks for the btc! I really want to see a world where people can create things for general use, and those who are able to fund it do help, so thank you for being a part of that world. There isn't much else out there for hidden services at the present, there is another project which I would watch that is called onioncloud, which is still in funding / planning stage. I am quite excited about it, although it is still very early stages. It is an attempt to make a cheap or even free deployment of hidden services; at this point in the project it won't help you but consider following it. Hopefully, even if it's not that project, something will come along that is easier than this guide, and more secure.