💀 Ghosts in the Machine: Hosting Your Own Untraceable DARKWEB Website 💀



d0ctrine

💀 Ghosts in the Machine: Hosting Your Own Untraceable .ONION Website 💀




In my previous guide here, we covered setting up your own server. Now it's time to take that shit to the next level and make it invisible. We're not just talking about hiding behind a VPN here. We're going full ghost mode.

Enter Tor and .onion sites

You've probably heard about Tor and maybe even used it to browse the dark web. But we're not here to window shop. We're here to set up shop. Since running Tor and browsing the dark web has been covered everywhere else, we're going to focus on the other end of the coin: hosting your own shit on the dark web. That's where the real power is, and that's what separates the script kiddies from the real players.

How Tor Works



Before we dive in, let's break down how this magic works. Tor isn't just some fancy VPN. It's a whole different shit. Your data doesn't just take a single hop through a server, it bounces through multiple encrypted nodes. Each node only knows the step before and after it. The result? Untraceable connections that would make even the most hardcore privacy nuts wet their pants.

Now, why the hell would you want to turn your server into an .onion site? Let me break it down for you:

  • Complete anonymity: Your site's physical location? It's almost like it doesn't even exist.
  • Automatic encryption: Every bit of traffic is locked down tight.
  • No exit nodes: Your traffic never leaves the Tor network.
  • Takedown-proof: No domain registrar or hosting provider to harass.

What Can You Host? The Sky's the Limit (As Long As You Watch Your Ass)

Anything that needs to stay off the radar:


  • Card shops: Sell those garbage VR cards of yours without worrying about takedowns, haha.
  • Botnet C&C: Run your zombie army from an untraceable HQ.
  • Dark markets: Whether it's drugs, guns, or anything else, .onion's got you covered.
  • Hacking forums: Share techniques, tools, and targets without fear.
  • Data leaks: Got some juicy ransomware data to leak? The darkweb is there for you.




Setting Up Your .onion Site: Let's Get Our Hands Dirty

1. SSH Into Your Server
First things first, connect to your server.
But for fuck's sake, use a VPN or Tor. Don't be the idiot connecting from your home IP.
That's like robbing a bank then leaving your driver's license at the scene.


2. Install Tor
Time to get Tor up and running:

Bash:
sudo apt update
sudo apt install tor


3. Configure Tor
Now we need to tell Tor to play nice with our setup. Edit the Tor config file, `/etc/tor/torrc`:

Bash:
sudo nano /etc/tor/torrc

Uncomment these lines:

Bash:
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:80


This tells Tor to create a hidden service that forwards to your local web server. It's like setting up a secret tunnel from the dark web to your server.

4. Restart Tor and Get Your .onion Address
Bash:
sudo systemctl restart tor
sudo cat /var/lib/tor/hidden_service/hostname


This spits out your .onion address. Guard this with your life. It's your server's new address in the darkweb.

5. Install Apache
If you haven't already, we need a web server to actually serve content. Let's go with Apache:
Bash:
sudo apt update
sudo apt install apache2


6. Configure Apache
Now we need to tell Apache to only listen locally. Edit the config:

Edit /etc/apache2/ports.conf:
Bash:
sudo nano /etc/apache2/ports.conf
You'll likely see a line that says:
Bash:
Listen 80
Change this line to:
Bash:
Listen 127.0.0.1:80


This makes sure Apache only responds to requests from Tor, not the open internet.

7. Restart Apache
Bash:
sudo systemctl restart apache2

8. Lock It Down
Time to seal up any possible cracks. Set up a firewall:
Bash:
sudo ufw default deny incoming
sudo ufw allow from 127.0.0.1
sudo ufw enable

This blocks all incoming connections except those from localhost. Your server is now in full paranoid retard mode.

9. Sanitize Your Server
Remove any identifying info from your web pages, server headers, everything. We're talking comments in your HTML, metadata in your images, custom error pages, anything that could point back to you. Don't forget to scrub your Apache logs and config files too. Set your server time to UTC to avoid timezone leaks. If you're using a database, make sure there's no test data with real names or emails lurking in there.

10. Test Your Site

Let's make sure this shit actually works. Edit the default HTML file:
Bash:
sudo nano /var/www/html/index.html


11. Set Permissions and Restart Apache
Make sure your test page is readable:
Bash:
sudo chown www-data:www-data /var/www/html/index.html
sudo chmod 644 /var/www/html/index.html
sudo systemctl restart apache2

12. Access Your .onion Site
Fire up Tor Browser and navigate to your .onion address. If you see your test page, congratu-fucking-lations. You've just hosted your first .onion site. And I'm flattered I'm the one who devirginized you.


Final Checks: The Real Deal
Alright, you've set up your .onion site. Now it's time for the real-world checks. This isn't some bullshit checklist - these are the steps that'll keep your ass out of the fire.

Verify Your .onion Address: Fire up Tor Browser and visit your site. Make sure the address matches what you've set up. If it doesn't, you've got a serious problem - either a config fuck-up or worse, someone's intercepting your shit.
Content Check: Is everything showing up like it should? If anything's off, even slightly, shut it down and figure out why. Unexplained changes could mean you're compromised.
Access Control: Try hitting your site/server's IP without Tor. You shouldn't be able to see your Apache. If you can, your server's leaking like an asshole. Fix that shit immediately.
Server Headers: Use a tool like curl through Tor to check your HTTP headers. Look for anything that might give away your server type or version. Information disclosure is a rookie mistake, but you'd be surprised by the number of darknet sites getting raided due to this.
Bash:
torsocks curl -I your.onionaddress.onion
Log Check: SSH into your server and check the logs. Look for any access attempts that shouldn't be there. Unexpected entries could mean someone's probing your defenses.
Connection Security: In Tor Browser, check the security level (the shield icon). Make sure it's set to Safest for your site. If it's not, figure out why and fix it.

Remember, this isn't a one-time deal.
Run through these checks regularly.

In this game, complacency kills. Stay paranoid, stay safe, and maybe you'll avoid becoming another cautionary tale.
And for fuck's sake, if anything looks off, don't ignore it.

Better to be overly cautious than to explain to Jeremy why you're his new cellmate, lmao!

Closing Thoughts: You're Not a Pro Yet, So Don't Act Like One


This setup is just baby steps. Don't host anything serious yet without double or triple checking everything. You've got the basics down, but there's a whole world of security measures we haven't even touched.

Next time, we're diving into the real shit. We'll cover Tor hosting for PHP and Node.js, so you can run actual web apps instead of static HTML. We'll talk about databases that keep their mouth shut, and file uploads that don't leave breadcrumbs. Hell, we'll even show you how the feds try to unmask .onion sites. Know their game to stay ahead.

Remember, in this world, the tools change faster than you can blink. But the golden rule stays the same: stay paranoid, stay sharp. The second you think you've got it all figured out is the second you've lost already.

Sit tight and stand by for the next guide. And don't get cocky.
 

Lincoln

Is there a way for a hacker to find your vps ip for ddos? Besides software side exploits?
Because there was a suspicious ddos case recently on a Tor only project
 

d0ctrine


Absolutely. If your server is leaking something to the clearnet it can be correlated to find the real IP via device search engines like Shodan and FOFA. I plan to do a writeup on this too, but to put it simply: there are services that scrape responses from entire IP blocks of possibly all IP addresses in existence; if your IP is leaking through any of your ports something unique/fingerprintable via a header/banner response, say some sort of unique CSRF header, it can be correlated with the responses of your server behind TOR. This is the same approach that's effective when you're trying to find a site's real IP behind CloudFlare, etc.
 

Lincoln

Thank you for this answer. Now I think I understand what might have happened. You are very knowledgeable.
 