Onionshop 2.

Installation Guide
v1.0

11th January 2015

Introduction

Welcome to the Onionshop Installation Guide. This is an easy to follow, step-bystep guide to get your copy of Onionshop running.
If you have any questions, don't bother asking us before taking any actions.
Especially the part where you connect to your hosting provider or server has to
be set

up properly, to

not

reveal

identifying

information under

any

circumstances.
Please note that we offer to do the whole installation for you, without charging
additional fees. After we set up your server, you have to change all passwords
and we give you advice what to do and how to pay the hosting fees. While this
is convenient, we still recommend for you to go through the installation
yourself. That way, nobody besides yourself ever get in touch with it and you
don't have to trust a third party with your server infos.
Also note that we also provide Onionshop as a hosted solution for a fixed
monthly rate, if that fits better your needs.
Even if this guide is very systematic, you should never follow blindly any advice
before double-checking and understanding it yourself. Think about the
risk/consequences of each move you make, how to avoid vulnerabilities in your
actions and how to layer up and improve the weak spots. Enhance your OPSEC,
no matter how involved you are. Obscure your Internet connections but make
the destination think you're an average user. Make sure that you never reveal
your identity to anybody, even if its more convenient or profitable otherwise.
Never make exceptions or take shortcuts and always stick to your rules. Find

the points in your everyday life where RL and DN get too close and improve it.
For good OPSEC you constantly need to act on new circumstances and change
up your ways creatively and continuously.. The moment you get too routinized
is when law enforcement starts recognizing patterns and ways to exploit them.
Note that this is only an installation guide and not an A-Z guide for good
OPSEC. We try to give as much information as possible to keep you safe
regarding

important

aspects,

but

there

is

always

endless

room

for

improvement. Take your time and do background checks on subjects you don't
feel confident about.

Getting Started
In this tutorial we are using CentOS 6 as operating system. You can use other
linux distributions as well, the commands will differ a bit though. Do not use a
Windows Server or other closed-source operating systems.
You need to decide if you host the server yourself or rent one from an online
provider. Setting up your own server has the benefit that you don't need to
trust a hosting company in any way and have autonomous access to it. In the
worst case scenario of IP Leakage, law enforcement agencies would have your
location though. Worst case scenario with a rented server is that they seize it,
but still wouldn't have any information about you (unless you didn't
communicate revealing information unencrypted through the messaging
system). Generally speaking, a seizure is less likely if you host the server
yourself, but the consequences in such a case are way less problematic if you
run your site on a server far away from your jurisdiction.

If you don't host yourself, you need to find a hosting company where you can
rent the server. A VPS is usually enough, you don't need a dedicated server.
Also you don't need any extra packages or add-ons, just a plain install of
Centos 6 with SSH access. We don't recommend particular services, since it
would make those providers a greater target for LE. Its most effective if all
Onionshop instances run with different hosting companies.
It is very important to use Tor Browser and a clean environment when
searching for and ordering the VPS. We don't go into details of the OPSEC of
your computer set up, since its a very broad topic which you should inform
yourself anyway. We recommend reading according threads on the HUB Forum
(currently http://thehub7gqe43miyc.onion ). Rule of thumb is, you should avoid
using a Windows or Mac computer. Install a linux distribution (Ubuntu is a good
win/mac alternative for example), or the even more recommendable distro
Tails, which you can easily run on the fly from an USB stick and which covers a
lot of security problems by design.

First, you need a fake identity with an email address. Pick a foreign country and
search for a valid address in a town of your choice. Google for restaurants in
that area for example, so you will quickly have a valid address and phone
number. Make up a common name, and you are good to go. Optionally you
could get a passport scan off the DarkNet in advance and use this identity. This
way you could prove your identity if the hosting company should ask for
validation. You will most likely need this when you pay with credit card, but
usually not when paying with Bitcoin.
Now get an email address. We recommend using common providers and not
too underground ones like safe-mail for example. It shouldn't look like you

want to hide something. You should stay away from the very big ones like
Googlemail, but still pick a provider that an average 45 year old housewife
would use. Register an account with the data of your fake identity.
You can proceed signing up an account at your desired hosting company using
the same identity and the just created email address. You will now have to pay
for the VPS. Obviously don't use any creditcard/paypal/similar that are directly
or indirectly connected with your real identity. Paying with Bitcoin is very
common and recommended. Make sure you tumble the coins that you use for
the payment. Since the VPS fees are usually pretty low, it cant hurt to send
them through 2 mixers before the payment. More and more hosting companies
accept Bitcoin as a payment method, so you will have no troubles finding one
(usually they cost around 10-30$/month). Since providers that accept Bitcoin
are usually more targeted by law enforcement, you can consider using a
normal provider and paying with a credit card for example. Provided that it is
acquired anonymously, it may keep you out of the radar even more. Usually it
should be fine if you take the shorter route by paying with Bitcoin directly
though.
After your order went through, you should get an IP address and a root
password. SSH should be enabled, so you usually don't have to connect to any
control panels. Save them somewhere safe and get ready to install.

Server Installation
All connections to the servers are made through SSH. You need an SSH Client to
execute commands, as well as a file transfer tool. In this tutorial we work with
Putty and Filezilla, which are very common and available for most operating

systems.
Run Putty and you will have this screen:

Enter your Servers IP in the two fields where the 123.123.123.123 is. Hit Save,
but don't connect yet (!). Now click Proxy and fill in the following, to ensure all
connections are routed through Tor:

Click Session and hit Save again. Restart Putty and check if the entry for your
new server is in the list. Click it and hit Load. Check at Proxy again and make
sure the proxy changes are still there.
Now click Open and confirm the message about accepting the Key.
Log in with root and your password.

Type yum update and hit return. This updates all components.
When asked, you have to hit y, Enter to confirm an installation.

To make him do the update automatically from now on, type

yum install yum-cron

Change your root password

passwd

Set the timezone. If you don't want to reveal your timezone you can use a
different one obviously. Thats the command if you want to set it to French Time
for example:
cp /usr/share/zoneinfo/Europe/Paris /etc/localtime

Now install sudo

yum install sudo

You can proceed installing a webserver, we recommend Apache

sudo yum install httpd mod_ssl

After installation, run the service

sudo /usr/sbin/apachectl start

At this point you should already be able to reach your webservice through
clearnet. Enter the IP of your server in Tor Browser and you get this screen:

Congrats, you've got your own web service running :)

Now we need some more packages, PHP Support first:

yum install php-pear
yum install php-devel
yum install libcurl libcurl-devel
yum groupinstall 'Development Tools'

Now MySQL for the database

wget

http://download.fedoraproject.org/pub/epel/6/x86_64/epel-

release-6-8.noarch.rpm
sudo rpm -ivh epel-release*
yum repolist
rm epel-release*
sudo yum install mysql-server
sudo service mysqld start

Mysql is running now. Time to install the database

sudo mysql_install_db

Proceed to secure the installation with this command

sudo mysql_secure_installation

This is where you set your MySQL root-password (different than the server root
password). Don't lose it. Then there's 5 questions asked, you can answer each
with Y

Install phpmyadmin to manage the database

sudo yum install phpmyadmin

Restart Apache
sudo service httpd restart

Now we will need to upload some files, so get filezilla started. First, click Edit
Preferences. Check on Connection Generic Proxy and enter the same
info like in Putty, to make the connection run through Tor:

Hit OK and then Click on the Server Manager Icon (far left)

Click New Site and enter the IP of your server in the description label. Also
Enter it in the Host field. Set Port to 22, Protocol to SFTP and Login type to
Ask for password
Hit Connect

It should be able to connect and give you your local file system on the left side
and your servers file system on the right side.

Et voil, you are able to transfer files to your server now.

In order to encrypt the shipping info automatically, Onionshop requires the

GnuPG library. There are different ways to get it installed, we will explain one of
them.
You need to install the following dependencies first:
- pth-2.0.7
- libgpg-error-1.13
- libassuan-2.1.1
- libksba-1.3.0
- libgcrypt-1.6.1
It usually works with other versions too, but these are the ones we have it
tested with (in this order). You can find those folders in the Optional Software
and Configs - Zip in your Onionshop Account Area. Its not a bad idea to get
these packages from the original sources though, which

gives you 100%

certainty that they are original and untouched.

Copy all those folders with FileZilla in the /tmp directory of your server. This will
take a while.
After its done, connect with Putty again, and enter
cd /tmp

switch in the first folder

cd pth-2.0.7
make the setup file executable
chmod +x configure
chmod +x shtool
run the configure file
./configure

sudo make
sudo make test

sudo make install

If all went through smoothly without showing any errors, proceed to the next
package.
cd /tmp
cd libgpg-error-1.13

same procedure
chmod +x configure
./configure
sudo make
sudo make install

Next packages:
cd /tmp
cd libassuan-2.1.1
chmod +x configure
./configure
sudo make
sudo make installation
cd /tmp

cd libksba-1.3.0
chmod +x configure
./configure
sudo make
sudo make installation
cd /tmp
cd libgcrypt-1.6.1
chmod +x configure
yum install xfig transfig
./configure
sudo make
sudo make install

Some more dependencies

yum install zlib-devel
yum list | grep pgp
yum list | grep gmp
su -c "yum install gmp pgp-tools"
yum whatprovides gnupg
whereis gnupg
su -c "yum install gnupg2-2.0.14-6.el6_4.x86_64"
yum install re2c
pecl channel-update pecl.php.net
yum list | grep gpg
yum install gpgme gpgme-devel

Now we have everything in place to do the GnuPG install

pecl install gnupg

Now edit the following file

/etc/php.ini
Search for the part
;;;;;;;;;;;;;;;;;;;;;;
; Dynamic Extensions ;
;;;;;;;;;;;;;;;;;;;;;;
; If you wish to have an extension loaded automatically, use the
following
; syntax:
insert this line
;;;;;;;;;;;;;;;;;;;;;;
; Dynamic Extensions ;
;;;;;;;;;;;;;;;;;;;;;;
extension=gnupg.so

; If you wish to have an extension loaded automatically, use the

following
; syntax:
After adding the extension, save the php.ini and restart Apache
service httpd restart

All necessary software is installed now and we can start setting up Tor.
Copy

the

file

torproject.repo

from

our

Config-Zip

with

FileZilla

to

/etc/yum.repos.d/
You can open it with a texteditor to make sure its the same content as you find
it on the official Tor Project site
yum install tor
edit the File /etc/tor/torrc
Scroll to the hidden service part, and add/uncomment the one pointing to the
local Port 80. It should look like this
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80

It defines where to save your onion-host and its keyfile and tells him to route to
your apache.
service tor start
Tor is running now, and you can check the folder /var/lib/tor/hidden_service for
your hostname and key. Enter the onion-hostname into Tor Browser and you
should get the Apache Test Page again. Congrats!
In order to have a custom Onion Hostname, you have to use the tool Scallion (
https://github.com/lachesis/scallion )
Get the binaries and run
scallion.exe -l
which lists your GPUs. You probably only have one, so your next command will
be
scallion.exe -d 0 prefix
(replace the 0 by 1 if you have another gpu you want to use). This will generate
an onion domain like prefix123456789.onion. The more characters your prefix
has, the longer it will take to find a match. 6-7 are pretty easy, 8 and 9 get
tough and dont even try to have a prefix with more than 10 chars. The needed
time will vary a lot depending on your hardware.
If scallion finds a match, it will show you a hostname and its private key.

Replace those values in your files at /var/lib/tor/hidden_service, make a

service tor restart, and your webservice will listen at the new customized
onion URL.

The basic setup is now complete, but we still need to make some security
adjustments. First, we need to turn off the clearnet availability. Your web
service is still available if you enter your servers IP in a normal browser. In
order to make your Host a hidden-service only, we need to alter the file
/etc/httpd/conf/httpd.conf
Change the line
Listen 80
to
Listen 127.0.0.1:80
Since all Tor request come from your local server, this makes the webservice
unavailable for normal external (clearnet) connections.
Now head into /etc/httpd/conf.d and edit the file phpMyAdmin.conf
remove these lines
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin

and add this one instead

Alias /phpma123 /usr/share/phpMyAdmin
instead of phpma123 pick any name of your choice. This will be the secret link
to access your phpMyAdmin installation.
Restart your apache
service httpd restart
check if you can access phpMyAdmin (http://yoururl.onion/phpma123) and also
if you can only access your site with the onion-url, and not by entering the
servers IP in the browser.

After a reboot, the services httpd (apache), mysqld (database) and tor need to
be started. These commands make them run automatically when booting up:
chkconfig httpd on
chkconfig mysqld on
chkconfig tor on

Ok, time to reboot the server

reboot
Give him some time and check a couple minutes later if you can access your
onion-url again. Get a new identity in Tor Browser to speed it up.
You made it! Your hidden service is running and the only thing missing is its
content.
Please note that this is a basic setup instruction and there are many ways to
improve every single aspect of your infrastructure. We recommend you get
more into the topics and improve certain aspects. On the other hand some
security measures are counterproductive, while you need to keep your
anonymity on a high level, you still need to seem like an average joe who got
nothing to hide. Keep a good relation between anonymity and not raising red
flags.