Best practice for webserver for a TOR hidden service (with security in mind)

Use case.

A LEDE router as IoT sensor server and html readout.

And a TOR hidden service that points to the device.

Since it is a very simple server I guess it would be OK to use the same server as the LEDE webGUI (uhttpd), but that doesn't seem to be the safest option. Or would that still be secure enough for this?

How secure is lighttpd?

For what reason is hiawatha not available? It has been available in OWRT AA if I remember correctly, but I don't see it in LEDE. It is very small and built with security in mind. That's why I have my eye on it.

TOR suggests running the website on localhost (127.0.0.1). What security issues would that introduce?

What would be best practice as a base for IoT usage?

And would it be secure enough to read sensors without the risk of exposing the LAN?
Would it be secure enough to control machines? To me this would be a huge risk, but maybe I'm overprotective? Say you have a big scary laser cutter and a web GUI to control the beast. What if a police-hacker then launches his spy tools and accidentally starts the machine right when you have your fingers in a dangerous spot?

Where would the security line be drawn? What is safe, when does it get risky, and what is an absolute horror movie plot?

My focus is on simple sensor readouts for now. Arduino sensors...

Maybe TOR isn't the best option either; what else could I look at?
Could it make sense to also offer a TOR bridge or relay functionality? As a way of giving back to the TOR network.

Feel free to brainstorm along; my plan is to stay with the TOR idea for now. But it would be good to see alternatives as well, at least as a means to see what else is possible to make IoT a bit more secure.

Most packages are community maintained now; if Hiawatha is not available that simply means nobody stepped up to maintain it (feel free to do so :wink: ).

Stuff listening on localhost is no security issue since localhost can only be accessed - you guessed it - from the host itself.

Frankly, if you're concerned about security, the first thing I would do is have another device run your IoT stuff and isolate it from the rest of your LAN. Your router should just handle your network.

@Borromini

I was afraid of that. I don't have any dev background, so it would not be very wise to have me as a maintainer for such a package. I will suggest this to the developers of that webserver, since it would be very nice if this package had official support from them.

TOR suggests using localhost for the hidden service so that this prevents exposing the website on the device's main IP. Though that page being served from localhost exposes localhost to the world. So port 80 on localhost then becomes somewhat more vulnerable, right?

For flat HTML I guess this will be very secure, but once PHP or CGI is enabled I guess this changes the security issue? Or will this not be an issue?

The whole idea to have a more secure IoT platform would be to make it secure in itself. The planet seems on the verge of IoT madness. Some people seem to be looking at domotica that can be controlled from the other side of the planet... Sounds horrible to me. But I also see practical use for some devices.

Like having a worldwide network that monitors industrial pollution (uradmonitor.com) or natural threats like earthquakes, for instance.

But with a platform like Arduino I can imagine that web-based control of household devices will become more common. I want a few sensors that I can monitor on a hidden webpage. This would run straight from one device and needs to be secure since it will be available online; even though I will use TOR to hide it from the rest of the world, it still can be found and thus needs to be secure. A basic web interface without TOR would be even less secure since it would also expose the IP address of the user.

Or let's say you have a few sensors that monitor traffic pollution and sound pollution at 100 locations along a road... Then it would be nice to be able to make them as secure as possible so that you don't need 2 devices to do 1 thing. 100 sensors that all connect to someone's LAN. This isn't the best example, but I hope it explains what I have in mind. All those devices then can have a .onion address that only a handful of people know about.

This will be a lot safer than having to configure other people's routers and exposing port 80 on their IP...
Big momma will be looking at them all in no time at all. :slight_smile: But when using a .onion, big momma will have to probe a whole lot of onions to find only a few devices, and still won't know the location of the device. So no privacy will be damaged, and the environment can be monitored in a reasonably quick and low-cost manner.

Now I'm not planning on building 100 boxes, maybe one or two, but there might be 100 people who replicate, elaborate or remix the entire idea. And make their own fracking monitor network that probes water wells, drinking water conditions for their farm, monitoring fault lines, beer condition... whatever can improve their life.

I kinda hope that a few people get inspired and share a few ideas, configs, hardware hacks, etc.

I am probably in left field, but what is wrong with using OpenVPN?
I have my router in a DMZ zone on the ISP's modem.
As of now I send an e-mail to myself once every hour, in case the WAN IP has changed.
Using "ubus call network.interface.wan status | sendmail me@here.com" as a cron job.
Still trying to figure out how to use "daemon.notice netifd: Interface 'wan' is now up" < in system log
or "device wlan0 entered promiscuous mode" < in kernel log
as a trigger to send e-mail only after the above is seen, and not every hour like my hack. :slight_smile:
If you or someone else has a suggestion on how to accomplish this I am all ears. :smile:
Edit: Or "firewall: Reloading firewall due to ifup of wan (eth1)" < In system log.

That sounds like a cumbersome way of doing Dynamic DNS. :slight_smile:

Did you look at /etc/hotplug.d/iface/? Scripts in there react to interface changes, you can use the existing ones as templates. (FTR: This should also be possible using procd, but I didn't look into that subject yet.)
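An added example of a script for that directory (not metai's or the thread's own code): it reacts only to the wan ifup event and mails the address only when it actually changed, replacing the hourly cron job. The file name 90-wan-notify, the state file path and the mail address are assumptions; the sample JSON is constructed for offline testing.

```shell
#!/bin/sh
# Added example for /etc/hotplug.d/iface/90-wan-notify (name is hypothetical).
# netifd runs every script in that directory with ACTION (ifup, ifdown, ...)
# and INTERFACE (the logical name, e.g. "wan") set in the environment.

NOTIFY_TO="me@here.com"          # address from the thread; use your own
STATE_FILE="/tmp/wan-notify.ip"  # last address mailed, to avoid repeats

# Constructed sample shaped like "ubus call network.interface.wan status",
# used only to test wan_ipv4 offline.
SAMPLE_STATUS='{
    "up": true,
    "interface": "wan",
    "ipv4-address": [
        { "address": "203.0.113.5", "mask": 24 }
    ]
}'

# True only for the event we care about: the wan interface coming up.
wan_came_up() {
    [ "$1" = "ifup" ] && [ "$2" = "wan" ]
}

# First IPv4 address in the status JSON given as $1 (empty if none).
# Whitespace is stripped so the multi-line JSON matches one sed pattern.
wan_ipv4() {
    printf '%s' "$1" | tr -d ' \t\n' \
        | sed -n 's/.*"ipv4-address":\[{"address":"\([0-9.]*\)".*/\1/p'
}

# Succeeds (and records $2) only if $2 differs from the address saved in
# state file $1, so a flapping link does not send the same mail twice.
ip_changed() {
    old=""
    [ -r "$1" ] && old=$(cat "$1")
    [ "$2" = "$old" ] && return 1
    printf '%s\n' "$2" > "$1"
}

# Hotplug entry point: ACTION is only set when netifd invoked us.
if [ -n "$ACTION" ] && wan_came_up "$ACTION" "$INTERFACE"; then
    status=$(ubus call network.interface.wan status)
    ip=$(wan_ipv4 "$status")
    if [ -n "$ip" ] && ip_changed "$STATE_FILE" "$ip"; then
        printf 'Subject: wan is up with %s\n\n%s\n' "$ip" "$status" \
            | sendmail "$NOTIFY_TO"
    fi
fi
```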

@metai Thanks for the info will look into using that path.

I'm going to use a TOR hidden service, but I can't get it clear in my mind how to set up the web server in a way that I have it secure enough. For now I will just use port 80 and flat HTML, but I might also use PHP in the future.

I guess it would be best to run lighttpd alongside uhttpd; however, why not use uhttpd and save some resources? But is that secure enough? How would a hacker attack it?

On the other hand, if I have lighttpd and uhttpd side by side, then I have the vulnerabilities of both together on one box. Still, only one is exposed on port 80.
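One way to realise the side-by-side layout, as an added example that is not from the thread: uhttpd keeps serving LuCI to the LAN on port 80, the onion site runs on lighttpd bound to 127.0.0.1 only, and tor on the same box forwards onion port 80 to that loopback socket, so nothing outside the device can reach the lighttpd listener directly. The lighttpd.conf and torrc paths, port 8080 and the HiddenServiceDir value are assumptions; the netstat sample is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Config lines this check assumes:
#
# /etc/lighttpd/lighttpd.conf (path assumed):
#   server.bind = "127.0.0.1"      # default would listen on every address
#   server.port = 8080
# torrc (HiddenServiceDir value is an example):
#   HiddenServiceDir /var/lib/tor/hidden_service/
#   HiddenServicePort 80 127.0.0.1:8080
#
# loopback_only verifies the result from "netstat -tln" output.

# Constructed sample of busybox "netstat -tln" output for offline testing:
# port 80 is bound on all v4 and v6 addresses, 8080 on loopback only.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Succeeds if every LISTEN socket on TCP port $1 is bound to 127.x or ::1;
# otherwise prints the other bound addresses to stderr and fails.
# $2 is the netstat text to inspect (defaults to a live "netstat -tln").
loopback_only() {
    port=$1
    text=${2:-$(netstat -tln)}
    bad=$(printf '%s\n' "$text" | awk -v p="$port" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, f, ":")
            if (f[n] != p) next
            # strip ":port" from the end; handles "0.0.0.0:80" and ":::80"
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr !~ /^127\./ && addr != "::1") print addr
        }')
    [ -z "$bad" ] && return 0
    printf 'port %s also listens on: %s\n' "$port" "$bad" >&2
    return 1
}

# Stand-alone run: check the sample, then the live box if netstat is present.
loopback_only 8080 "$SAMPLE_NETSTAT" && echo "sample: no non-loopback listener on 8080"
if command -v netstat >/dev/null 2>&1; then
    loopback_only 8080 && echo "live: no non-loopback listener on 8080"
fi
```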