Installation Guide
v1.0
Introduction
Welcome to the Onionshop Installation Guide. This is an easy to follow, step-by-step guide to get your copy of Onionshop running.
If you have any questions, don't bother asking us before taking any actions.
Especially the part where you connect to your hosting provider or server has to
be set up properly, to not reveal identifying information under any
circumstances.
Please note that we offer to do the whole installation for you, without charging
additional fees. After we set up your server, you have to change all passwords
and we give you advice on what to do and how to pay the hosting fees. While this
is convenient, we still recommend that you go through the installation
yourself. That way, nobody besides yourself ever gets in touch with it and you
don't have to trust a third party with your server info.
Also note that we provide Onionshop as a hosted solution for a fixed
monthly rate, if that fits your needs better.
Even if this guide is very systematic, you should never blindly follow any advice
before double-checking and understanding it yourself. Think about the
risk/consequences of each move you make, how to avoid vulnerabilities in your
actions and how to layer up and improve the weak spots. Enhance your OPSEC,
no matter how involved you are. Obscure your Internet connections but make
the destination think you're an average user. Make sure that you never reveal
your identity to anybody, even if it's more convenient or profitable otherwise.
Never make exceptions or take shortcuts and always stick to your rules. Find
the points in your everyday life where RL and DN get too close and improve it.
For good OPSEC you constantly need to act on new circumstances and change
up your ways creatively and continuously. The moment you get too routinized
is when law enforcement starts recognizing patterns and ways to exploit them.
Note that this is only an installation guide and not an A-Z guide for good
OPSEC. We try to give as much information as possible to keep you safe
regarding important aspects, but there is always endless room for
improvement. Take your time and do background checks on subjects you don't
feel confident about.
Getting Started
In this tutorial we are using CentOS 6 as the operating system. You can use other
Linux distributions as well, though the commands will differ a bit. Do not use a
Windows Server or other closed-source operating systems.
You need to decide if you host the server yourself or rent one from an online
provider. Setting up your own server has the benefit that you don't need to
trust a hosting company in any way and have autonomous access to it. In the
worst case scenario of IP Leakage, law enforcement agencies would have your
location though. Worst case scenario with a rented server is that they seize it,
but they still wouldn't have any information about you (unless you
communicated revealing information unencrypted through the messaging
system). Generally speaking, a seizure is less likely if you host the server
yourself, but the consequences in such a case are way less problematic if you
run your site on a server far away from your jurisdiction.
If you don't host yourself, you need to find a hosting company where you can
rent the server. A VPS is usually enough, you don't need a dedicated server.
Also you don't need any extra packages or add-ons, just a plain install of
CentOS 6 with SSH access. We don't recommend particular services, since it
would make those providers a greater target for LE. It's most effective if all
Onionshop instances run with different hosting companies.
It is very important to use Tor Browser and a clean environment when
searching for and ordering the VPS. We don't go into details of the OPSEC of
your computer setup, since it's a very broad topic about which you should inform
yourself anyway. We recommend reading the relevant threads on the HUB Forum
(currently http://thehub7gqe43miyc.onion ). Rule of thumb is, you should avoid
using a Windows or Mac computer. Install a Linux distribution (Ubuntu is a good
win/mac alternative for example), or the even more recommendable distro
Tails, which you can easily run on the fly from a USB stick and which covers a
lot of security problems by design.
First, you need a fake identity with an email address. Pick a foreign country and
search for a valid address in a town of your choice. Google for restaurants in
that area for example, so you will quickly have a valid address and phone
number. Make up a common name, and you are good to go. Optionally you
could get a passport scan off the DarkNet in advance and use this identity. This
way you could prove your identity if the hosting company should ask for
validation. You will most likely need this when you pay with credit card, but
usually not when paying with Bitcoin.
Now get an email address. We recommend using common providers and not
too underground ones like safe-mail for example. It shouldn't look like you
want to hide something. You should stay away from the very big ones like
Googlemail, but still pick a provider that an average 45 year old housewife
would use. Register an account with the data of your fake identity.
You can proceed signing up an account at your desired hosting company using
the same identity and the just created email address. You will now have to pay
for the VPS. Obviously don't use any credit card/PayPal/similar that is directly
or indirectly connected with your real identity. Paying with Bitcoin is very
common and recommended. Make sure you tumble the coins that you use for
the payment. Since the VPS fees are usually pretty low, it can't hurt to send
them through 2 mixers before the payment. More and more hosting companies
accept Bitcoin as a payment method, so you will have no troubles finding one
(usually they cost around 10-30$/month). Since providers that accept Bitcoin
are usually more targeted by law enforcement, you can consider using a
normal provider and paying with a credit card for example. Provided that it is
acquired anonymously, it may keep you out of the radar even more. Usually it
should be fine if you take the shorter route by paying with Bitcoin directly
though.
After your order went through, you should get an IP address and a root
password. SSH should be enabled, so you usually don't have to connect to any
control panels. Save them somewhere safe and get ready to install.
Server Installation
All connections to the servers are made through SSH. You need an SSH Client to
execute commands, as well as a file transfer tool. In this tutorial we work with
Putty and Filezilla, which are very common and available for most operating
systems.
Run Putty and you will have this screen:
Enter your server's IP in the two fields where 123.123.123.123 is. Hit Save,
but don't connect yet (!). Now click Proxy and fill in the following, to ensure all
connections are routed through Tor:
Click Session and hit Save again. Restart Putty and check if the entry for your
new server is in the list. Click it and hit Load. Check at Proxy again and make
sure the proxy changes are still there.
Now click Open and confirm the message about accepting the Key.
Log in with root and your password.
Type yum update and hit return. This updates all components.
When asked, you have to hit y, Enter to confirm an installation.
Set the timezone. If you don't want to reveal your timezone you can use a
different one obviously. This is the command if you want to set it to French time,
for example:
cp /usr/share/zoneinfo/Europe/Paris /etc/localtime
At this point you should already be able to reach your webservice through
clearnet. Enter the IP of your server in Tor Browser and you get this screen:
http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
sudo rpm -ivh epel-release*
yum repolist
rm epel-release*
sudo yum install mysql-server
sudo service mysqld start
This is where you set your MySQL root password (different from the server root
password). Don't lose it. Then there are 5 questions asked; you can answer each
with Y.
Restart Apache
sudo service httpd restart
Now we will need to upload some files, so get FileZilla started. First, click Edit >
Preferences. Check Connection > Generic Proxy and enter the same
info as in Putty, to make the connection run through Tor:
Hit OK and then click on the Server Manager icon (far left).
Click New Site and enter the IP of your server in the description label. Also
enter it in the Host field. Set Port to 22, Protocol to SFTP and Login type to
Ask for password.
Hit Connect.
It should be able to connect and give you your local file system on the left side
and your server's file system on the right side.
sudo make
sudo make test
If all went through smoothly without showing any errors, proceed to the next
package.
cd /tmp
cd libgpg-error-1.13
same procedure
chmod +x configure
./configure
sudo make
sudo make install
Next packages:
cd /tmp
cd libassuan-2.1.1
chmod +x configure
./configure
sudo make
sudo make install
cd /tmp
cd libksba-1.3.0
chmod +x configure
./configure
sudo make
sudo make install
cd /tmp
cd libgcrypt-1.6.1
chmod +x configure
yum install xfig transfig
./configure
sudo make
sudo make install
All necessary software is installed now and we can start setting up Tor.
Copy the file torproject.repo from our Config-Zip with FileZilla to
/etc/yum.repos.d/
You can open it with a text editor to make sure it has the same content as you find
on the official Tor Project site.
yum install tor
Edit the file /etc/tor/torrc
Scroll to the hidden service part, and add/uncomment the one pointing to the
local Port 80. It should look like this
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80
It defines where to save your onion hostname and its key file, and tells Tor to route to
your Apache.
service tor start
Tor is running now, and you can check the folder /var/lib/tor/hidden_service for
your hostname and key. Enter the onion-hostname into Tor Browser and you
should get the Apache Test Page again. Congrats!
In order to have a custom Onion Hostname, you have to use the tool Scallion (
https://github.com/lachesis/scallion )
Get the binaries and run
scallion.exe -l
which lists your GPUs. You probably only have one, so your next command will
be
scallion.exe -d 0 prefix
(replace the 0 by 1 if you have another gpu you want to use). This will generate
an onion domain like prefix123456789.onion. The more characters your prefix
has, the longer it will take to find a match. 6-7 are pretty easy, 8 and 9 get
tough and don't even try to have a prefix with more than 10 chars. The needed
time will vary a lot depending on your hardware.
If scallion finds a match, it will show you a hostname and its private key.
The basic setup is now complete, but we still need to make some security
adjustments. First, we need to turn off the clearnet availability. Your web
service is still available if you enter your server's IP in a normal browser. In
order to make your host hidden-service only, we need to alter the file
/etc/httpd/conf/httpd.conf
Change the line
Listen 80
to
Listen 127.0.0.1:80
Since all Tor requests come from your local server, this makes the web service
unavailable for normal external (clearnet) connections.
Now head into /etc/httpd/conf.d, edit the file phpMyAdmin.conf
and remove these lines:
Alias /phpMyAdmin /usr/share/phpMyAdmin
Alias /phpmyadmin /usr/share/phpMyAdmin
After a reboot, the services httpd (apache), mysqld (database) and tor need to
be started. These commands make them run automatically when booting up:
chkconfig httpd on
chkconfig mysqld on
chkconfig tor on
reboot
Give it some time and check a couple of minutes later if you can access your
onion-url again. Get a new identity in Tor Browser to speed it up.
You made it! Your hidden service is running and the only thing missing is its
content.
Please note that this is a basic setup instruction and there are many ways to
improve every single aspect of your infrastructure. We recommend you get
more into the topics and improve certain aspects. On the other hand, some
security measures are counterproductive: while you need to keep your
anonymity on a high level, you still need to seem like an average joe who has
nothing to hide. Keep a good balance between anonymity and not raising red
flags.