Introduction
The following is all based on the original code from defuse.ca, who was gracious enough to release the code via Github. The released repository is mostly intact, but requires some quick fixes to get it running. I forked the original repository and created an easy-to-deploy standalone package, also available from Github.
The code is obviously available for review, but this article will focus on deploying PIEBin as a TOR hidden service. Testing was done on a vanilla Debian install on a minimal VPS.
Dependencies
Before we dig in, you'll need to install the following packages onto your VPS.
- MySQL
- Nginx
- PHP
- Tor
$ sudo apt-get install mysql-server php5-mysql nginx php5-fpm tor
Download Pastebin Files
For minimal configuration, install the files into /usr/share/nginx/www/pastebin via the following commands. Please note that if you are setting up your own TOR service, you should take precautions while downloading the software that you intend to run as the hidden service. Timing analysis / timeline reconstruction could point a finger at you if you're using either your server or home IP address to acquire the software from third-party sites. Download using your Tor Browser or set up proxychains.
$ cd /usr/share/nginx/www
$ git clone git@github.com:chokepoint/pastebin.git
Initialize the Database
Now that we have MySQL installed, we need to create the database and table structure for the pastebin application. Using the password you created during installation, open up the MySQL client, create the database, select it, and create the pastes table.
$ mysql -u 'root' -p
Password: *****
mysql> CREATE DATABASE pastebin;
mysql> USE pastebin;   -- select the database before creating the table
mysql> CREATE TABLE pastes (token VARCHAR(70), data TEXT, time INTEGER, jscrypt TEXT);
Preparing TOR
Configuring a server as a TOR hidden service is relatively straightforward, but care must be taken so as not to leak information about the actual host of the service. We'll configure both port 80 and 443. HTTP requests will simply be redirected to the HTTPS service for security reasons. To do this, we'll add the following three lines to /etc/tor/torrc
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 443 127.0.0.1:443
HiddenServicePort 80 127.0.0.1:80
Now, simply restart tor in order to reveal your new .onion address.
$ sudo service tor restart
$ sudo cat /var/lib/tor/hidden_service/hostname
sldfjadlkjfalieta.onion
Generate Self Signed SSL Certificates
In order to support encrypted HTTPS connections, we must generate a self-signed certificate. The following sequence generates a 2048-bit RSA key, strips the passphrase from it so nginx can start unattended, and signs a one-year certificate for use with nginx, which we'll configure next.
$ sudo mkdir /etc/nginx/ssl && cd /etc/nginx/ssl
$ sudo openssl genrsa -des3 -out server.key 2048
$ sudo openssl req -new -key server.key -out server.csr
$ sudo cp server.key server.key.org
$ sudo openssl rsa -in server.key.org -out server.key
$ sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Configure nginx
As I mentioned earlier, you need to take steps to ensure information is not leaked about the actual server hosting these hidden services. The following section configures nginx to listen on localhost only, so that our service can only be reached through the TOR network. Be sure to change server_name to the .onion you generated in the previous step. You may also need to tweak the root directory depending upon where you originally installed the pastebin source files.
# /etc/nginx/sites-available/default
server {
    listen 127.0.0.1:80;        ## listen for ipv4; this line is default and implied
    listen 127.0.0.1:443 ssl;

    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    root /usr/share/nginx/www/pastebin;   # Change to your directory
    index index.php index.html index.htm;

    # Change this to the onion address we created earlier.
    server_name sldfjadlkjfalieta.onion;

    location / {
        try_files $uri $uri/ /index.html;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    #error_page 404 /404.html;
    #error_page 405 = $uri;
}
Next we'll disable logging by modifying /etc/nginx/nginx.conf (each directive needs its terminating semicolon).
access_log /dev/null;
error_log /dev/null;
Now restart nginx so that the changes take effect.
Testing
If you completed the above steps, you should now be running your own encrypted pastebin as a TOR hidden service. Open up your browser and navigate to the .onion address we generated earlier.
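Before opening the browser, the leak-prevention points made above (nginx bound to loopback only, nginx logging disabled, every HiddenServicePort in torrc forwarding to 127.0.0.1) can be checked mechanically. The script below is an added example, not code from the original post or the pastebin project; the check functions and the sample nginx and torrc text embedded in it are my own constructions.

```shell
#!/bin/sh
# Pre-flight check for the hidden-service setup described above (added example).
# Each check reads a config on stdin and returns 0 (pass) or 1 (fail);
# comments are stripped first so commented-out directives are ignored.
# 1. Every active "listen" directive must bind 127.0.0.1 (IPv4 loopback, as in the post).
nginx_listen_loopback_only() {
    sed 's/#.*//' | awk '
        $1 == "listen" { n++; if ($2 !~ /^127\.0\.0\.1:[0-9]+;?$/) bad++ }
        END { if (n > 0 && bad == 0) exit 0; exit 1 }'
}
# 2. access_log must be /dev/null or off and error_log must be /dev/null; both must be present.
nginx_logging_disabled() {
    sed 's/#.*//' | awk '
        $1 == "access_log" { a++; if ($2 !~ /^(\/dev\/null|off);?$/) bad++ }
        $1 == "error_log"  { e++; if ($2 !~ /^\/dev\/null;?$/) bad++ }
        END { if (a > 0 && e > 0 && bad == 0) exit 0; exit 1 }'
}
# 3. A HiddenServiceDir must come first, and every HiddenServicePort target
#    must be a loopback address so the service is reachable only through Tor.
torrc_hidden_service_loopback() {
    sed 's/#.*//' | awk '
        $1 == "HiddenServiceDir"  { dir++ }
        $1 == "HiddenServicePort" { n++; if (!dir || $3 !~ /^127\.0\.0\.1:[0-9]+$/) bad++ }
        END { if (n > 0 && bad == 0) exit 0; exit 1 }'
}
# Constructed sample configs (not real files): one matching the post, one with common mistakes.
GOOD_NGINX='access_log /dev/null;
error_log /dev/null;
server {
    listen 127.0.0.1:80;   ## listen for ipv4
    listen 127.0.0.1:443 ssl;
    server_name sldfjadlkjfalieta.onion;
}'
BAD_NGINX='access_log /var/log/nginx/access.log;
error_log /dev/null;
server {
    listen 80;             # all interfaces: reachable outside Tor
    listen 127.0.0.1:443 ssl;
}'
TORRC='HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 443 127.0.0.1:443
HiddenServicePort 80 127.0.0.1:80'
for c in nginx_listen_loopback_only nginx_logging_disabled; do
    printf '%s\n' "$GOOD_NGINX" | $c && echo "good nginx: $c passed"
    printf '%s\n' "$BAD_NGINX"  | $c || echo "bad nginx:  $c flagged a problem"
done
printf '%s\n' "$TORRC" | torrc_hidden_service_loopback && echo "torrc: hidden service forwards to loopback only"
```

To check the live box instead of the samples, pipe the real files in, e.g. `cat /etc/nginx/nginx.conf /etc/nginx/sites-enabled/* | nginx_listen_loopback_only` and `cat /etc/tor/torrc | torrc_hidden_service_loopback`.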