Your web host doesn't need to know who you are

Your hosting provider keeps logs and records who controls what servers. If your server is identified or completely compromised, you want to be sure that it's not tied to your real identity.

We have to treat the hosting provider and payment processor as if they are completely compromised from day 1. Paying with a credit card would leave a trail leading directly to your real address.

Install the Tor Browser Bundle

Throughout this whole process you should be using the Tor Browser Bundle for all of your web browsing and searching.

You must keep your Tor identity separate from your real identity. If you've set up any kind of account while browsing on Tor, never log into it from your normal browser. Never log into your personal email account from Tor. The idea is to keep your public and anonymous profiles completely separate.

For more on using Tor for browsing, see Tor's "Want Tor to really work?" warnings.

Download the Tor Browser Bundle (or ask for a USB stick).

Get a new email address

Using the Tor browser, create a new email address.

You should only ever log in to this account through Tor. Please, for the love of Cthulhu, don't sign up using your real email address.

Most email providers require SMS or credit card verification when signing up with Tor (either of which will identify you).

Use a disposable email address from a provider like 10minutemail.com. Bear in mind these services are often blocked by hosting providers; this one is confirmed to be working as of 15/3/17.

Get a virtual server

If you don't have bitcoin

If you want to skip this part of the workshop, you can simply register for a virtual server provider like Linode or DigitalOcean using a credit card (note that this creates a link to your real identity).

Ideally, you should pay for your server with bitcoin in a way that doesn't reveal your bitcoin address. But setting up a bitcoin wallet might take a while, and you'll need someone to transfer you some funds to get you started.

If you want to take the time to set up a bitcoin wallet, you'll need to choose a bitcoin wallet provider that you trust.

Bitcoin is a pseudo-anonymous cryptocurrency. Transaction history of accounts is completely public but bitcoin accounts aren't necessarily tied to real identities. To use Bitcoin anonymously, you could get a bitcoin account that's not tied to your real identity... but that's tricky. Australian sites make you upload ID when you buy bitcoin.

Fortunately, some wallets offer privacy-enhancing features that go some way to anonymising your transactions. A full analysis is out of scope for this workshop.

There are some options here: Choose Your Wallet (look for "improved privacy"). Alternatively, check out Samourai Wallet (Android only, Alpha) or Bread Wallet (iOS and Android).

When you have a wallet, you'll have to ask someone else to transfer you some bitcoin (so you can get it immediately). In future you can use LocalBitcoins to trade cash for bitcoins.

If/when you have some bitcoin...

Sign up for Bithost using your new email address, and confirm by clicking the link in the verification email. Then credit your Bithost account with at least US$15 worth of bitcoin.

Create an SSH key-pair just for Tor

You need to create an SSH key pair to connect to your server.

ssh-keygen -C "no-one-knows" -f tor_only_rsa

You should get output like this:

Your identification has been saved in tor_only_rsa.
Your public key has been saved in tor_only_rsa.pub.
The key fingerprint is:
3c:fb:bf:4b:71:13:dd:d5:36:0d:94:6a:c7:23:97:75 no-one-knows

Now add that key to Bithost (copying and pasting the contents of tor_only_rsa.pub).

Create a server

Great. Now launch a Debian (not Ubuntu) server using the key you uploaded earlier.

You should see instructions telling you how to ssh to your server, but don't run that command yet -- skip to the next step.

SSH onto the server using Tor

Only ever connect to your server using Tor!

Run the Tor command line proxy.

tor

Connect to your server with SSH

Replace the IP 1.2.3.4 in the text below with your server's IP and add this to your SSH config.

~/.ssh/config
Host 1.2.3.4 my-secret-server
    HostName 1.2.3.4
    User root
    CheckHostIP no
    Compression yes
    Protocol 2
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
    IdentityFile ~/.ssh/tor_only_rsa

Notice the line ProxyCommand ... 127.0.0.1:9050 .... This tells SSH to route connections through localhost port 9050, the SOCKS port that the tor process you just started listens on (-X 5 selects SOCKS version 5).

You can now ssh onto your server through Tor!

ssh my-secret-server
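An added example, not part of the original workshop: a small shell check for the Host block above, which flags a block that would connect without Tor's SOCKS port or that leaves ssh free to offer keys other than the Tor-only one. The function name lint_tor_host and the sample file names are hypothetical, the IdentitiesOnly check is an addition that the page's config does not include, and the check only reads Host blocks that name the alias literally with whitespace-separated keywords.

```shell
#!/bin/sh
# Added example (not from the workshop). lint_tor_host is a hypothetical name.
# Usage: lint_tor_host CONFIG ALIAS
# Prints one finding per line for the Host block naming ALIAS; prints nothing
# when the block pins both the Tor SOCKS proxy and a single key.
lint_tor_host() {
    awk -v want="$2" '
        function report() {
            if (!inblock) return
            seen = 1
            if (proxy !~ /127\.0\.0\.1:9050/)
                print "ProxyCommand does not use 127.0.0.1:9050"
            if (ident == "")
                print "IdentityFile not set"
            if (idonly != "yes")   # check added here, not in the page config
                print "IdentitiesOnly is not yes"
        }
        /^[ \t]*#/ { next }        # skip comment lines
        tolower($1) == "host" || tolower($1) == "match" {
            report(); inblock = 0; proxy = ident = idonly = ""
            if (tolower($1) == "host")
                for (i = 2; i <= NF; i++) if ($i == want) inblock = 1
            next
        }
        inblock && tolower($1) == "proxycommand"   { proxy = $0 }
        inblock && tolower($1) == "identityfile"   { ident = $2 }
        inblock && tolower($1) == "identitiesonly" { idonly = tolower($2) }
        END { report(); if (!seen) print "no Host block names " want }
    ' "$1"
}

# Constructed sample inputs, written to a temporary directory.
demo_dir=$(mktemp -d)
# 1) The Host block from this page (proxy and key lines only).
cat > "$demo_dir/page_config" <<'EOF'
Host 1.2.3.4 my-secret-server
    HostName 1.2.3.4
    User root
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
    IdentityFile ~/.ssh/tor_only_rsa
EOF
# 2) Constructed mistake: same alias, but nothing forces Tor or the key.
cat > "$demo_dir/direct_config" <<'EOF'
Host my-secret-server
    HostName 1.2.3.4
    User root
EOF

echo "page config:";   lint_tor_host "$demo_dir/page_config" my-secret-server
echo "direct config:"; lint_tor_host "$demo_dir/direct_config" my-secret-server
```

Without IdentitiesOnly yes, ssh may also offer keys held by ssh-agent, which can include keys tied to your real identity; ssh -G my-secret-server prints the settings ssh will actually use, including anything inherited from other blocks.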

You have an anonymous server!

You're awesome! Now, upload something, set up a webserver, create a site where people can rate each other's cats... the world is your oyster... just try not to blow your cover (more on that here).

Having SSH'd onto the server, you can set up your hidden service. Follow these instructions to get Apache set up as a service on Debian: https://www.digitalocean.com/community/tutorials/how-to-configure-the-apache-web-server-on-an-ubuntu-or-debian-vps

Uploading content

Thanks to the SSH config that you set up earlier, you can upload files using sftp (via Tor).

sftp my-secret-server





Anonoblog | Robin Doherty | robindoherty.com | @rdoh | rdoherty@gmail.com | PGP