Message-ID:

You may be gone tomorrow, but that doesn't mean that you weren't here today.

rocksolid / Rocksolid Nodes Help / Re: Securing Rocksolid Light with Tor Hidden Service

Subject: Securing Rocksolid Light with Tor Hidden Service
From: No One
Newsgroups: rocksolid.nodes.help
Organization: To protect and to server
Date: Thu, 26 Dec 2024 02:00 UTC

Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!newsfeed.bofh.team!paganini.bofh.team!tor-network!not-for-mail
From: no@one.nope (No One)
Newsgroups: rocksolid.nodes.help
Subject: Securing Rocksolid Light with Tor Hidden Service
Date: Wed, 25 Dec 2024 20:00:26 -0600
Organization: To protect and to server
Message-ID: <vkidck$1sk59$1@paganini.bofh.team>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 26 Dec 2024 02:00:52 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="1986729"; posting-host="gBAXkaDbULZ5T6DcpUcvyg.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
X-Notice: Filtered by postfilter v. 0.9.3
X-TOR-Router: sha256:MTg1LjE4My4xNTcuMjE0 --

View all headers

I am trying to set up a hidden forum with NNTP access.

How would I secure Rocksolid behind a Tor Hidden Service address?

A few concerns need to be addressed.

- prohibiting leakage of server IP or hostname

- sandboxing to prevent exploit traversal

- disabling email confirmation and all email functions in rslight

All leakage of any kind of server data must be rendered impossible.

Subject: Re: Securing Rocksolid Light with Tor Hidden Service
From: Retro Guy
Newsgroups: rocksolid.nodes.help
Organization: Rocksolid Light
Date: Thu, 26 Dec 2024 06:18 UTC
References: 1

Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!i2pn.org!i2pn2.org!.POSTED!not-for-mail
From: retroguy@novabbs.com (Retro Guy)
Newsgroups: rocksolid.nodes.help
Subject: Re: Securing Rocksolid Light with Tor Hidden Service
Date: Wed, 25 Dec 2024 23:18:26 -0700
Organization: Rocksolid Light
Message-ID: <1ecc61067d16c6ac28f8788476d6837a$1@novabbs.org>
References: <vkidck$1sk59$1@paganini.bofh.team>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Injection-Info: i2pn2.org;
logging-data="499397"; mail-complaints-to="usenet@i2pn2.org";
posting-account="PGd4t4cXnWwgUWG9VtTiCsm47oOWbHLcTr4rYoM0Edo";
User-Agent: 40tude_Dialog/2.0.15.41
X-Spam-Checker-Version: SpamAssassin 4.0.0

View all headers

On Wed, 25 Dec 2024 20:00:26 -0600, No One wrote:

> I am trying to set up a hidden forum with NNTP access.
>
> How would I secure Rocksolid behind a Tor Hidden Service address?
>
> A few concerns need to be addressed.
>
> - prohibiting leakage of server IP or hostname

Disable all email features.

> - sandboxing to prevent exploit traversal

That's for the admin to handle.

> - disabling email confirmation and all email functions in rslight
>
> All leakage of any kind of server data must be rendered impossible.

Yes, disabling email features is the first thing I would do. Have a look at
the config files 'rslight.inc.php' and 'overrides.inc.php' to see what can
be disabled. Get rid of 'phpmailer.inc.php' just to be safe.

Try using one of my sites via tor (news.novabbs.org is here:
http://fev4bgoasgxttqb3x3tukxxia6lwryteq6a2ramqb2gjiol3zbu6xaid.onion/common/register.php

and see what info you can determine at the user's end. Post, try email (to
make sure it's really disabled), etc. and see what you find.

RSLight isn't meant as a stealth application, so it's not meant to be
hidden, but that doesn't mean that it can't be.

Please let me know if you find something that should be obvious for me to
fix.

Subject	Author
Securing Rocksolid Light with Tor Hidden Service	No One
Re: Securing Rocksolid Light with Tor Hidden Service	Retro Guy