Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Off-topic
Re: [14 BTC bounty] http://findmeifyoucan.eu
by
OpenYourEyes
on 28/10/2012, 13:56:47 UTC
Long and scattered post but here's my 2c.

How are you connecting to the server to administrate it? Do you use SSH over TOR? ||Home (TOR)||  >  ||Server (SSH)||
Are you using Firefox to tunnel your internet activity?

In either case, you need to watch out for DNS leaks. By default, SSH & Firefox (and most applications) will not do DNS lookups through a proxy.

So, if you browse to google.com, your web traffic will be encrypted and tunnelled as you expect, but the DNS request (i.e what is the IP of google) will come from your home internet connection. In firefox (don't know if it affects other browsers), this 'bug' is easily rectified. Go to about:config and set remote.dns to true.
If your connect to your server by running SSH over TOR then never specify the hostname (i.e. ssh findmeifyoucan.eu, or any other domain), as this, again, will force an non-tunnelled DNS lookup. Always use the IP.

A few other things:
  • Watch out for any information you leave on the server through log files, etc. (Does a: grep xx.xx.xx.xx /var/log/* -R where xx is your real IP, come up with anything.)
  • Install some sort of IDS on your server to monitor for new installtions/modifications. If this get compromised then so are you (regardless of if you connecting over TOR). What's to stop the hacker from spoofing the DNS record for tormail, SR, etc and sending your to another server.
  • Take a look through your .bash_history, it will show all the commands you've executed: things you've done, files you've modified, etc. which could aid an attacker if they gain access. Disable it in your .bash_rc or just ln -s ~/.bash_history /dev/null
  • Why are you tunnelling all your traffic from your server? As you said yourself, all your traffic originates from one IP address. Even if no body knows the true identity of the person behind this IP, your a leaving an easy trail for people to follow. One lapse in your security, which reveals who own this IP, and everything then can be linked back to you.
    Why not run TOR on your home machine, tunnel your traffic over SSH to the server, and then run TOR on the server aswell? Everything going in and out of the server is going through TOR, then if there is a break in the chain, you'll be protected by your servers IP.