Create a Hidden Tor Service with VestaCP in 10 MINUTES! ULTIMATE ONION SITE GUIDE! Ubuntu/Debian/CentOS!

Disclaimer: this guide was written for research purposes only because the Author wanted an .onion version of a normal website.
The Author does not host any hidden services, only .onion addresses for already existing .com websites so that they can be accessed by .onion addresses too.
This guide requires almost NO technical knowledge to start a tor hidden service.

UPDATE 2019: This guide was written in late 2016. It may be updated eventually! We don’t touch TOR so it would be cool to see if anything has changed since this guide was first written.

If you do what this guide says but don’t harden your service beyond what is mentioned here, your hidden service is pretty much guaranteed to be un-hidden.

You have been sternly warned. I am not a TOR expert and this is not rocket science but if you are familiar with all of the software below already, you will have an even better idea than the Author on hosting through tor.

This website was offline for 7 months earlier this year and in that time another cool post was added for Debian version of this guide. I may write another Debian guide soon as it is always interesting to see what changes version-to-version.

Law Enforcement: this guide is for research purposes only. If you would like this post taken down, please leave an anonymous comment stating so and the post will be promptly removed.

Comes already out-of-the box with:

  • nginx
  • iptables & fail2ban
  • MySQL

This setup does NOT use apache (uses php-fpm instead!).

We recommend NOT using a mail server or allowing ftp access with your VestaCP installation.

Get a VPS on ANY of the following:
# RHEL / CentOS 5,6,7
# Debian 6,7,8
# Ubuntu 12.04-15.10

We highly recommend CentOS and the commands in this guide are based on CentOS only.

Disclaimer: this guide was written because I wanted an .onion version of a normal website.

VestaCP is a free server & hosting control panel. See more at vestacp.com.

Log into your server via SSH.
ssh [email protected]

Download installation script
curl -O http://vestacp.com/pub/vst-install.sh

Next, visit vestacp.com and scroll down to generate some Advanced Install Settings.
Choose the following options: nginx + php-fpm, NO ftp, NO mail, NO DNS.

VestaCP advanced install settings

Our generated install command is below, paste this into your terminal.

bash vst-install.sh --nginx yes --phpfpm yes --apache no --vsftpd no --proftpd no --exim no --dovecot no --spamassassin no --clamav no --named no --iptables yes --fail2ban yes --mysql yes --postgresql no --remi yes --quota no

Press y and enter to install VestaCP.

VestaCP installation generic

Press enter when it asks for an email (no email).

For hostname, you can change it to anything, I suggest something very generic, so just type hostname and hit enter.

When it’s finished installing, note down the password.

Open a browser (TOR browser) and visit the URL supplied, it will be your server IP with https:// at the start and :8083 at the end.

Tor browser will give you an insecure certificate warning. Click Advanced, allow the exception, and confirm the security exception.

Click on the IP tab at the very top and then click on the green (+) symbol to add an additional IP.

Vestacp ip settings tab

The IP address we want to add is 127.0.0.1. This is the localhost machine IP, but tor will listen on this address on port 80.
This means that your website will only be accessible by the TOR browsers and never by clear-net browsers.

Set Netmask as 255.255.255.255 and change the Interface to venet0.

VestaCP add 127.0.0.1 new ip address

In a new tab on the Tor Browser, type the IP of your server to see the demo page and make sure the web server is working.

So instead of: https://xx.xx.xx.xx:8083/

Visit http://xx.xx.xx.xx/

You should see a demo page:

VesatCP Demo Page

Next, go to the WEB tab and delete the example website. To delete the site, you may need to turn javascript on temporarily. Hover over the site, click delete and confirm delete.

VestaCP Tor delete example website

Refresh the other tab with the demo website. It should now give an error.

VestaCP Tor Error

Go back to your terminal and install tor.

yum install tor -y

Add tor to startup too.

chkconfig tor on

Remove the default tor settings file and replace it with your own as follows.

rm -f /etc/tor/torrc
echo "HiddenServiceDir /var/lib/tor/hidden_service/" >> /etc/tor/torrc
echo "HiddenServicePort 80 127.0.0.1:80" >> /etc/tor/torrc

Start tor.

service tor start

This will generate a new onion address for you.

cat /var/lib/tor/hidden_service/hostname

This is your .onion address.
Now we need to add it to the VestaCP WEB panel and make sure the IP is set to 127.0.0.1.
Make sure DNS and Mail are turned OFF.

Add onion website to VestaCP

Done!

Now visit your URL in a Tor browser.

It may take 5 minutes to show up.

Your service will ONLY be accessible by TOR!

TOR SITE UNAVAILABLE TURNING OFF AFTER REBOOT?

service tor start
service nginx reload

ADDITIONAL SECURITY MEASURES

Go to UPDATES tab and disable autoupdates for vestacp.

Head to the FIREWALL tab and suspend everything except for 22 and 8083.

You can open 25 again later if you need to send emails.
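
To check the “ONLY accessible by TOR” claim on your own server, look for web-server listeners bound to anything other than loopback. The script below is an added example, not part of the original guide; it reads ss -ltn output, and the sample lines and the 203.0.113.10 address are constructed.

```sh
#!/bin/sh
# Added example (not from the original guide): report TCP listeners on the
# given ports that are bound to a non-loopback address.
# Reads `ss -ltn` output on stdin. On a live host:
#   ss -ltn | exposed_listeners 80 443

exposed_listeners() {
    _ports=$(IFS=,; echo "$*")          # "80 443" -> "80,443" for awk
    awk -v ports="$_ports" '
        BEGIN { n = split(ports, p, ","); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 != "LISTEN" { next }         # also skips the header line
        {
            port = $4; sub(/^.*:/, "", port)       # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)    # text before the last colon
            gsub(/^\[|\]$/, "", addr)              # [::1] -> ::1
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            print $4                               # reachable from outside
        }'
}

# Constructed sample of `ss -ltn` output (assumption: the web server still
# has a listener on the public address next to the 127.0.0.1 one).
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:80         0.0.0.0:*
LISTEN  0       128     203.0.113.10:80      0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     0.0.0.0:8083         0.0.0.0:*
LISTEN  0       50      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       128     [::1]:80             [::]:*
EOF
}

# Demo run on the constructed sample.
sample_ss_output | exposed_listeners 80 443
```

Any line printed for port 80 or 443 is a listener that does not depend on Tor; whether it is actually reachable then comes down to the FIREWALL tab rules.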

HARDEN YOUR WEB SERVER

This guide is currently for research purposes and does NOT include any hardening tips and is provided as is.

Please see more information here: https://www.reddit.com/r/onions/wiki/hidden_services

You may want to disable phpmyadmin.

HOST MULTIPLE HIDDEN SERVICES ON ONE SERVER

You’ll want to open /etc/tor/torrc for editing and add as many services as you want!

Make a new /hidden_service/ directory for each new service:

HiddenServiceDir /var/lib/tor/hidden_service2/
HiddenServicePort 80 127.0.0.1:80

HiddenServiceDir /var/lib/tor/hidden_service3/
HiddenServicePort 80 127.0.0.1:80

Restart tor to generate these new service .onion addresses.

service tor stop
service tor start

Find out the new .onion addresses

cat /var/lib/tor/hidden_service2/hostname
cat /var/lib/tor/hidden_service3/hostname

Add each new .onion address into the WEB tab in the VestaCP admin area!
These are example .onions generated and are not live addresses:

Host Multiple Tor Websites on One Server CentOS 7

HOSTING A .ONION VERSION OF A CLEARNET WEBSITE

I have no idea if this is secure or not.
Instead of putting 127.0.0.1 in the torrc file as the HiddenServicePort, change it to the server IP.
Add a new website to your WEB area in the VestaCP admin panel.
This will make your service accessible at both the IP address of your server and at the .onion address.

echo "HiddenServiceDir /var/lib/tor/hidden_service/" >> /etc/tor/torrc
echo "HiddenServicePort 80 xx.xx.xx.xx:80" >> /etc/tor/torrc

Depending on the URL and linking structure of your clearnet website and if there are any htaccess redirects, you may find your .onion service just works for only the homepage and then uses the normal URL because of how your website works.

This guide is, again, for research purposes only, and therefore does not offer any advice on that.
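
The torrc layouts from the two sections above (several services on one server, and a service pointed at the server IP) can be reviewed with a small audit, added here as an example that is not part of the original guide. It lists every hidden service and marks port mappings whose backend is not loopback, which is the case where the same site also answers on the clearnet IP. The sample torrc is constructed, and 203.0.113.10 stands in for xx.xx.xx.xx.

```sh
#!/bin/sh
# Added example (not from the original guide): list each hidden service in a
# torrc and mark port mappings whose backend is not a loopback address.
# Reads torrc text on stdin. On a live host:
#   audit_torrc < /etc/tor/torrc
# Output columns: verdict, HiddenServiceDir, virtual port, backend target.

audit_torrc() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }              # comments and blank lines
        tolower($1) == "hiddenservicedir" { dir = $2; next }
        tolower($1) == "hiddenserviceport" {
            target = $3
            if (NF < 3) {
                target = "127.0.0.1:" $2            # no target: same port on 127.0.0.1
            } else if (target ~ /^[0-9]+$/) {
                target = "127.0.0.1:" target        # bare port: 127.0.0.1 implied
            }
            host = target
            if (host !~ /^unix:/) { sub(/:[0-9]+$/, "", host) }
            verdict = "EXPOSED"
            if (host ~ /^127\./ || host == "localhost" || host == "[::1]" || host ~ /^unix:/) {
                verdict = "loopback"
            }
            print verdict, dir, $2, target
        }'
}

# Constructed sample: the clearnet variant plus the two extra services.
sample_torrc() {
    cat <<'EOF'
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 203.0.113.10:80

HiddenServiceDir /var/lib/tor/hidden_service2/
HiddenServicePort 80 127.0.0.1:80

HiddenServiceDir /var/lib/tor/hidden_service3/
HiddenServicePort 80 127.0.0.1:80
EOF
}

# Demo run on the constructed sample.
sample_torrc | audit_torrc
```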

Linux HotKey to Type a Pre-defined String (xdotool)

Depending on your distro, you should have a keyboard shortcut program already installed.

Use xdotool and bash to paste strings via pre-defined hot keys.

I wanted to be able to paste the following very often typed command when pressing a certain key combination:

cd /home/admin/web/*/public_html/

First, you’ll need xdotool

sudo apt-get install xdotool

I was having trouble putting the commands directly into the keyboard shortcut entry, so I put the commands in a mini bash script.
Open a text editor and paste the following:

cdp=$(echo 'cd /home/admin/web/*/public_html/')
sleep 0.3
xdotool type --clearmodifiers "$cdp"

Save the file, I saved mine as /home/user/scripts/xdotool-cdp.sh

Next, add a keyboard shortcut for the following (I used Alt+P):

sh /home/user/scripts/xdotool-cdp.sh

Now when you press Alt + P keys, it executes the script.
The script sets a variable cdp to echo cd /home/admin/web/*/public_html/
Then it sleeps for 0.3 seconds.
Then it types cd /home/admin/web/*/public_html/
Make sure to include --clearmodifiers if you’re using keys such as ctrl, alt or shift as the shortcut as it will affect the way xdotool types.


How To Install Megatools on CentOS 7 VPS

According to the Megatools official documentation page on github, you’ll need the following tools for using Megatools on Fedora (and git of course):

yum -y install gcc make glib2-devel libcurl-devel openssl-devel gmp-devel tar automake autoconf libtool wget

wget https://megatools.megous.com/builds/megatools-1.9.97.tar.gz
tar -xzvf megatools*.tar.gz
cd megatools*
./configure
make
make install

megadl 'MEGA URL'

Note the ‘single quotes’ around the URL.

Etcher: AMAZING Unetbootin Alternative for Ubuntu/Debian/Linux/Windows

Unetbootin is FURIOUSLY difficult to install on Ubuntu, Debian and even Windows.

I tried the ~5MB unetbootin-linux-xxx.bin file which FAILED.

I tried the ~23MB unetbootin-linux.tar.gz source code which FAILED.

I tried WinUSB which failed.

I tried to get USB-Image Writer, which also failed.

Finally found Etcher, fully open source bootable SD & bootable USB image writer. Even better than standard dd method which lacks progress information.

Grab it here on Windows, Linux, even Mac: https://etcher.io/

Etcher unetbootin alternative

EASY: Move OS & Files from HDD to SSD – Debian, Ubuntu, Fedora, Arch (SMALL SSD)

This tutorial is for people who will ADD an SSD to their system.
This is NOT for people who will REPLACE their HDD completely with their SSD.

This is by far the easiest, most foolproof, and safest way to transfer 1 linux installation (Debian, Ubuntu, Fedora, Arch, Kali etc.) to a brand new SSD.

For the transfer commands, skip to 3. Transfer Files Section.

Backstory

My HDD is 1TB and my new SSD is a 120GB Samsung 850 EVO.

I bought a Samsung 850 EVO for my laptop and I also purchased an SSD Caddy. The SSD caddy was supposedly “universal” but still 2m or so off and did not fit into the CD-ROM tray. I dismantled the caddy and used one half the caddy to secure the drive in place.

I read that my laptop had a SATA III port where the normal HDD drive belongs, but the CD-ROM port was only a SATA II connection. Therefore, I replaced the old HDD with the SSD and moved the HDD into the caddy.

Samsung 850 PRO vs EVO was another small consideration, and the real difference seems only to be the extended warranty (5 year vs 10 year)… In 10 years from now I can only imagine what Samsung will have invented…

1. SSD Security: File Deletions & Securely Erasing SSDs.

As is true with all drive wiping/erasing: wiping the entire drive (several times over) is the most offensive way to overwrite storage on a drive. SSDs operate differently to HDDs, and it is not certain whether files are really deleted, even after filling the drive with /dev/random and /dev/zero, so the easiest way to prevent important files from being somewhat “recoverable” is to keep them on the HDD.

2. What size SSD should I get?

Not everything from my 1000GB HDD will fit on my new 120GB SSD, nor do I want this to happen because I have two drives now and the cost of having everything on my SSD is much higher because SSDs are pretty expensive. I also don’t want important documents on the SSD because I want to know that I can securely erase them at any time.

  • If you’re replacing your hard disk drive, you’ll need a big SSD.
  • If you’re adding to your hard disk drive (having 2x drives) you don’t really need a big SSD.

I chose the Samsung EVO 120GB SSD because this is more than enough to run Debian/Ubuntu/Arch. Moreover, it will force me to keep my important documents “secure” on the HDD, whilst still achieving a surreal ~550mb/s read & write speed from the new SSD.

Moving files onto the new SSD:

– Operating System (/boot folder, specifically initrd.img & vmlinuz)

– /bin, /lib, /usr, /var etc.

– Applications (FireFox, Chromium, Photoshop, Illustrator, PlayOnLinux, Libre Calc, Virtual Box & Images)

Keeping files on the old HDD:

– Swap memory partition

– Most of my documents

– Most of my images

– Encrypted folders

SSD data recovery is an important consideration as well. Writing and deleting files on an SSD is unlike an HDD. My mission critical documents will stay on my HDD. Since installing my SSD & HDD I have successfully set it up so that:

– I use applications from the SSD

– Open files stay in RAM

– Files Save & Load from the HDD

3. Moving Debian or Ubuntu to SSD [VERY SIMPLE]

rsync is a very fast method of transferring files that will preserve:

  • folder structure
  • folder & file ownership
  • folder & file permissions

It will also “pick up where you left off” so that you can run it several times until it’s finished.

We will use 2 options while using rsync:

-a which means archive mode.

-P which means --partial (continue where left off) and --progress (show progress)

Archive mode is equivalent to all of -rlptgoD which makes sure it’s a mirror of exactly what it’s copying.

Step 1: Mount your SSD

Plug it in, if it doesn’t show up, you may need to format it. Open GParted or Gnome Disks (You’ll have one of them) and format the drive. Gnome Disks will show the drive on the left panel: select it, click the “gear” button at the top, format as ext4. GParted will have a drop down menu in the top right: select your drive (identify by GB size), right click on the colored box and format to ext4.

Step 2: Open the SSD folder

Get into the SSD and note the path where the files are located (should be empty, might have lost+found). On my system the SSD is at /mnt/SAMSUNG/. It might be /media/SSD/ or something like that. Open a terminal and execute df to find where it’s mounted.

Copy the path and paste it at the end of one of the below rsync commands that you will use.

Step 3: Rsync the OS, folder & files to the new drive

If you have a really big SSD and you want to copy everything from your old HDD to your SSD use this command (make sure your SSD is going to be big enough!)

sudo rsync --exclude="/mnt" --exclude="/lost+found" --exclude="/sys" --exclude="/proc" --exclude="/cdrom" --exclude="/media" -aP / /mnt/SAMSUNG/

If you have a small SSD (this one ignores home temporarily).

sudo rsync --exclude="/home" --exclude="/mnt" --exclude="/lost+found" --exclude="/sys" --exclude="/proc" --exclude="/cdrom" --exclude="/media" -aP / /mnt/SAMSUNG/

In the command above, we excluded “home” for the moment, because there are some big files in there. When the above has finished, choose what you’d like to keep on the HDD. I kept Pictures, Downloads, Documents, PlayOnLinux Drives, Wine data and Virtual Box Drives on the HDD. Replace “user” below with your username.

sudo rsync --exclude="/Pictures" --exclude="/Downloads" --exclude="/Documents" --exclude="/.PlayOnLinux" --exclude="/.wine" --exclude="/Virtual*" -aP /home/user/ /mnt/SAMSUNG/home/user

After your Operating System has been moved to the SSD, we need to create a few more folders.

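cd /
# create the mount points that the rsync excludes left out
sudo mkdir -p /mnt/SAMSUNG/dev /mnt/SAMSUNG/sys /mnt/SAMSUNG/proc
sudo mount -o bind /dev /mnt/SAMSUNG/dev
sudo mount -o bind /sys /mnt/SAMSUNG/sys
sudo mount -t proc /proc /mnt/SAMSUNG/proc
sudo cp /proc/mounts /mnt/SAMSUNG/etc/mtab
# chroot into the same path the SSD is mounted on
sudo chroot /mnt/SAMSUNG/ /bin/bash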

If you are logged in as “root” in the new drive, it is good to go.

exit

Step 4: Reinstall grub

 

SUPER SIMPLE: Migrate/Move VestaCP Installation (10 seconds or less!)

I’ve moved VestaCP installations so fast that by the time a customer started the checkout page in Sydney, they submitted their order to Amsterdam.

This is best achieved with Cloudflare as there will be absolutely no downtime, whatsoever.

First make sure there is a new VestaCP installation on your new server. If you have a busy website, having the  new server ready to go will mean you will have less than 10 seconds of downtime.

Alternatively, you may be adding an old VestaCP installation to another VestaCP installation (maybe you realised how powerful & resource un-intensive VestaCP is, especially without exim + dovecot + spamassassin + clamav)

Will you be using admin as the account on the new server?

Create a fresh backup on the OLD SERVER

SSH into the server you want to close down and run

ssh [email protected]
v-backup-user admin

When it’s done, you’ll see the backup timestamp and file size.


Note the DATE of the backup above.

Open a new terminal and SSH into the NEW SERVER that you want to move VestaCP to.

ssh [email protected]

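Run the following command (replace old.server.ip with the Old Server IP and the date in the .tar file name with the date of your backup)
scp -oStrictHostKeyChecking=no root@old.server.ip:/home/backup/admin.2016-10-30.tar /home/backup/
Input the password of the old server and it will securely copy the Old Vesta backup to the New Vesta backup folder. Note that -oStrictHostKeyChecking=no makes scp accept the old server’s host key without asking you to confirm it.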

Once it’s downloaded, restore the user called admin
v-restore-user admin admin.2016-10-30.tar

Your New Server will have been migrated!

SUPER FAST VESTACP MIGRATION METHOD – MILLISECOND DOWNTIME

Open the Cloudflare account that holds the website you are migrating.
Open two terminals
In Terminal 1 SSH into your Old Server.
In Terminal 2 SSH into your New Server.
Make sure VestaCP is installed on the New Server (Terminal 2).
In the Terminal 1 Old Server execute
date
Note down the date, for example, “Sun Oct 30 00:22:33 UTC 2016”.
Now in the same Terminal 1 Old Server type (but don’t press enter yet!)
v-backup-user admin

In Terminal 2 New Server type (but don’t press enter yet!) [replace old.server.ip with Old Server IP and replace the date in .tar file]
scp -oStrictHostKeyChecking=no root@old.server.ip:/home/backup/admin.2016-10-30.tar /home/backup/

Copy the root password of the Old Server (Ctrl + C) to your clipboard

Ready?

Execute the “v-backup-user admin” command on the Terminal 1 Old Server
Wait a few seconds until the backup is done, or minutes if it’s a big website.
As soon as the backup is done, execute the scp “-oStrictHo….” on Terminal 2 New Server
Paste the password for the old server and the migration will begin.
admin.2016-10-29.tar 100% 15MB 14.8MB/s 00:01
As soon as it’s done, in the same Terminal (Terminal 2 New Server) execute:
v-restore-user admin admin.2016-10-30.tar
Wait a few seconds until the backup is restored, or minutes if it’s a big website.

Go back to Cloudflare and change the IP to the new server.

This will immediately migrate everything, with zero downtime.