Use tomcat servlet engine with TOR

I want to use Tomcat as a servlet container on the Tor network as a hidden service. What's the easiest and safest way to do this without any IP leaks or the stack sending out IP addresses?

Thank you in advance

+3




1 answer


Setting up the Tor / Tomcat anonymous service is pretty simple:

1. On the default Tomcat installation, edit META-INF/context.xml to only allow connections from localhost:

<Context>
    <!-- "allow" is a regular expression matched against the client address:
         IPv6 loopback (::1) and IPv4 loopback (127.0.0.1) only -->
    <Valve className="org.apache.catalina.valves.RemoteAddrValve"
           allow="0:0:0:0:0:0:0:1,127\.0\.0\.1" />
</Context>

2. With the default Tor installation, edit the torrc file to allow access to your local service over the Tor network, for example:

# Directory where Tor keeps the service's keys and hostname
HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
# Virtual port 80 on the .onion address is forwarded to Tomcat on the loopback interface
HiddenServicePort 80 127.0.0.1:8080

(torrc is usually found in /etc/tor. If you are configuring it on Debian-based distributions like Ubuntu, you should use their repo, not the distribution's.)

That's it. You did it. You have created an anonymous service, and 99.99% of the people in this world can't break it even if they want to (this number is just an educated guess, but you get the idea).

Now, please let me step back a bit to put your question in context:

The real risk here is an anonymity leak in the content you post. Triple-check it if you haven't published anything before.



The closest second would be a vulnerability in the application code or at any other point in your server stack. You will always have these. You should always be one step ahead: find them and fix them before anyone else is interested in unmasking your site.

I will not go into the morals and ethics of what you may or may not intend to do, but you should not do this if you cannot understand and accept that, if your service lives long enough and becomes popular enough, it will eventually be compromised. So get ready to deal with it and have an emergency / disaster recovery plan.

To minimize risk, I suggest that you only deploy actively supported applications with fully tested open source code: stable and up-to-date versions written by experienced people with many years of experience on projects where security is the top priority. Every line of code written by your team should be thoroughly reviewed before being put into production. Keep in mind that any quality product should have at least 40% of employees dedicated to testing. This applies to both UX and security concerns. And I cannot stress this enough:

Always keep everything updated

Remove anything you don't need, leave only the minimum requirements. Safely delete each log file after checking it (a fairly simple logrotate configuration can do this automatically for you, but remember to check the logs for successful attacks before erasing them. You will get used to this, as most attempts are very obvious, and after a while you will know at a glance which ones you can immediately dismiss and which ones you should check). Be especially careful with public API methods or any user inputs. Sanitize and check everything that comes from the other end. Test thoroughly before deployment. If your service becomes popular, you need qualified people you can trust to constantly try to break your application in any way possible. There are security firms that you can hire to audit the underlying code of the applications you deploy. Unless you are a genius with 24/7 dedication, you cannot do such a task yourself. And even the best geniuses don't become IT security experts overnight; it takes a lot of experience and hard work.

Some useful links:

As a bonus, this is not technology related, but a very good text to read, with links on disaster prevention and recovery.

+3


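A check worth running after steps 1 and 2, as an added example that is not part of the original answer: the RemoteAddrValve only filters by client address, while Tomcat's HTTP connector still listens on every interface unless its `address` attribute is set, so this script parses a torrc and a server.xml and flags any HiddenServicePort target that is not loopback and any Connector not bound to loopback. The torrc and server.xml contents are constructed samples; only the first HiddenServicePort line is the one from the answer.

```python
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}

# Constructed sample torrc: the second HiddenServicePort deliberately forwards
# to a LAN address, which would expose the service outside the Tor circuit.
TORRC = """HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:8080      # as in the answer
HiddenServicePort 443 192.168.1.10:8443  # constructed: non-loopback target
"""

# Constructed sample server.xml: the AJP connector has no address attribute,
# so Tomcat would bind it on all interfaces.
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"/>
<Connector port="8009" protocol="AJP/1.3"/>
</Service></Server>"""


def torrc_findings(torrc_text):
    """List HiddenServicePort lines whose TARGET is not a loopback address.
    Syntax is 'HiddenServicePort VIRTPORT [TARGET]'; with TARGET omitted Tor
    forwards to 127.0.0.1:VIRTPORT, and 'unix:' targets never touch the network."""
    problems = []
    for raw in torrc_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) < 3 or parts[0] != "HiddenServicePort":
            continue
        target = parts[2]
        if target.startswith("unix:"):
            continue
        # strip the port; bracketed IPv6 targets look like [::1]:8080
        host = target.rsplit(":", 1)[0].strip("[]") if ":" in target else target
        if host not in LOOPBACK:
            problems.append(f"HiddenServicePort target {target} is not loopback")
    return problems


def connector_findings(server_xml_text):
    """List every Tomcat <Connector> whose address attribute is missing or not loopback."""
    problems = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        addr, port = conn.get("address"), conn.get("port", "?")
        if addr is None:
            problems.append(f"Connector on port {port} has no address attribute (binds all interfaces)")
        elif addr not in LOOPBACK:
            problems.append(f"Connector on port {port} bound to {addr}, not loopback")
    return problems
```

Run it against the real /etc/tor/torrc and conf/server.xml of the deployment; an empty list from both functions means nothing in those two files listens or forwards off the loopback interface.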






