Title : Tor part 2: hidden service Author: Solène Date : 11 October 2018 Tags : openbsd68 openbsd unix tor security In this second Tor article, I will present an interesting Tor feature named **hidden service**. The principle of this hidden service is to make available a network service from anywhere, with only prerequisites that the computer must be powered on, tor not blocked and it has network access. This service will be available through an address not disclosing anything about the server internet provider or its IP, instead, a hostname ending by **.onion** will be provided by tor for connecting. This hidden service will be only accessible through Tor. There are a few advantages of using hidden services: - privacy, hostname doesn't contain any hint - security, secure access to a remote service not using SSL/TLS - no need for running some kind of dynamic dns updater The drawback is that it's quite slow and it only work for TCP services. From here, we assume that Tor is installed and working. Running an hidden service require to modify the Tor daemon configuration file, located in **/etc/tor/torrc** on OpenBSD. Add the following lines in the configuration file to enable a hidden service for SSH: HiddenServiceDir /var/tor/ssh_service HiddenServicePort 22 127.0.0.1:22 The directory **/var/tor/ssh_service** will be be created. The directory **/var/tor** is owned by user **_tor** and not readable by other users. The hidden service directory can be named as you want, but it should be owned by user **_tor** with restricted permissions. Tor daemon will take care at creating the directory with correct permissions once you reload it. Now you can reload the tor daemon to make the hidden service available. $ doas rcctl reload tor In the **/var/tor/ssh_service** directory, two files are created. What we want is the content of the file **hostname** which contains the hostname to reach our hidden service. $ doas cat /var/tor/ssh_service/hostname piosdnzecmbijclc.onion Now, we can use the following command to connect to the hidden service from anywhere. $ torsocks ssh piosdnzecmbijclc.onion In Tor network, this feature doesn't use an exit node. Hidden services can be used for various services like http, imap, ssh, gopher etc... Using hidden service isn't illegal nor it makes the computer to relay tor network, as previously, just check if you can use Tor on your network. Note: it is possible to have a version 3 .onion address which will prevent hostname collapsing, but this produce very long hostnames. This can be done like in the following example: HiddenServiceDir /var/tor/ssh_service HiddenServicePort 22 127.0.0.1:22 HiddenServiceVersion 3 This will produce a really long hostname like tgoyfyp023zikceql5njds65ryzvwei5xvzyeubu2i6am5r5uzxfscad.onion If you want to have the short and long hostnames, you need to specify twice the hidden service, with differents folders. Take care, if you run a ssh service on your website and using this same ssh daemon on the hidden service, the host keys will be the same, implying that someone could theoricaly associate both and know that **this** public IP runs **this** hidden service, breaking anonymity.