How to Setup a Hidden Service on Tor

A benefit to using Tor is that it allows you to create hidden services that will mask your identity to other users. In fact, you can have a website that is
untraceable to you personally, provided you've taken all security precautions to keep your system updated. Here is an example of an onion site only accessible by using Tor:


Tor Service

Naturally you can't access this with your Firefox browser without Tor.

hence the "hidden" name.

This chapter will give you the basics on what you need to set up your own Tor hidden service. It's not meant to be all-inclusive that covers everything and the kitchen sink, but only to give you an idea of the technical know-how you need to possess.

Step One: Ensure Tor Works

Follow the directions on installing Tor, securing it against exploits and security vulnerabilities first and foremost. Windows directions are here, Linux here, and OS X here.

Each OS has it's own vulnerabilities, with Windows being the worst. I recommend you go with Linux after you've mastered the basics as it gives you more control over Tor and is far more resistant to attacks than Windows.

Now might be a good time to state the obvious, something you've
probably realized by now, and that is this: That no two counter-intelligence experts ever do the same thing the same way all the time. There is no red pill
that makes it "All Clear." No cheat sheet of Magic Opsec Sauce that everyone can master if they only gulp it down. You can't memorize every organic compound combination in Organic Chemistry. Believe me, I tried. There
were far too many.

What you do however is memorize the general principles, from which
you can derive a solution to every problem that comes about. Anonymity is  sometimes like that. Your strengths will not be your neighbor's strengths.

Your weaknesses will be different as well. You adapt as you go along, and I can guarantee you your skills as a hobbyist will far exceed those working on the government dole.

Step Two: Installing Your Own Web Server

A local web server is the first thing you need to configure. It is a bit more involved than space here allows (without jacking the price) but if you do not know what a web server is, there is a simple guide here.

You also want to keep this local server separate from any other
installations that you have to avoid cross-contamination. In fact, you don't want ANY links between your hidden server and your day-to-day computer usage outside Tor.

Your server must be set to disallow any data leaks that might give away your identity. So you must attach the server to localhost only. If you're swapping trade secrets and don't want the boss to know, use a virtual machine to prevent DNS and other data leaks, but only if you can access the physical
host yourself. Professional web hosting services (i.e. the Cloud) are a big no-no since it is stupid easy for the admin to snatch your encryption keys from

Go to http://localhost:8080/ via browser, since that is the port-number you entered at creation. Copy a text doc to the usual html-folder and ensure it copies successfully by logging into the webpage.

Configuration Time

Now comes the part where most people quit. Don't worry, it isn't hard. It's just that beginners see these numbers and think "Oh no... math!" and throw the book out the window.

But that's not what you'll do... because you're a smart cookie.

First, set your hidden-service to link to your own web-server. You can use Notepad to open your "torrc" file within Tor directory and do a search for the following piece of code:

########### This section is just for location-hidden services ###

As you can see, the hidden services function of Tor is edited out by the
"#" sign, where each row relates to a hidden service. 

HiddenServiceDir is the
section that will house all data about your own hidden service. Within this  will be the hostname.file. This is where your onion-url will be.

The "HiddenServicePort" allows you to set a decoy port for redirects to throw off any efforts at detecting you. So add these to your torrc file.

HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/

HiddenServicePort 80

Next, alter the HiddenServiceDir to the real directory from which Tor runs.

For Windows, use:
HiddenServiceDir C:\Users\username\Documents\tor\hidden_service

HiddenServicePort 80

For Linux:
/home/username/hidden_service/, substituting "username" with whatever you named that directory.

Restart Tor after saving the Torrc-file and it should be operational. Check your spelling if it throws out any errors.

Now then. Two files are created: the private_key and the hostname;
private keys for your hidden service which you should keep under lock and key. 
The hostname is not your private key, however. You can give this to
anyone you wish.

A descriptor for the hidden service links to other Tor servers and their
respective directories so that Tor users can download it anonymously when they link or access to your hidden server.

Other points of note:

-Visitors to your hidden service may be able to identify whether your web-server is Thttpd or Apache.

-If your offline 50% of the time, so will your hidden service. Little bits
(or lengthy ones, in this case) of data like this are useful to an adversary creating a profile on you.

-It is wiser to create a hidden service on Tor clients versus Tor relays as the relay uptime is visible to the public.

-Be aware that you are not a Node by default. On that point, it is advised to not have a relay running on the same machine as your hidden service as this opens security risks.

Shallot and Scallion Option :-

You also have the option of using Shallot or Scallion. Shallot allows one to create a customized .onion address for a hidden service, such as yyyyynewbietestyyyy.onion

On Running a Hidden Tor Server (and other Opsec
Magic Sauce) :-

Having used Tor for many years, it came as a pleasant surprise to learn how few incidents there were in which the NSA managed to disrupt Tor. And  I don't mean spam, either, but rather something that brought large sections of
the network to a grinding halt. As it turns out, they're bark is much worse than their bite, especially if one is vigilant with their own secure setup.

The thing is, most Tor users couldn't be bothered. But then most users aren't interested in running a hidden server just as most P2P users don't
bother seeding. Most are hit n' run downloaders. They know that as U.S. citizens they stand a good chance of getting sued if they leave their balls out
there long enough. So some users opt to not further their own security knowledge. Let the Tor devs do it, they say. Can't be bothered.

Except most of the Tor advice by Tor developers I've read come up
woefully inadequate. In fact I find that they aren't paranoid nearly enough. It's always been my belief that you can never be sufficiently paranoid as far as protecting your freedom is concerned, since the powers that be want to
capture it and bottle it the way a cancer captures control of a cell: One organelle at a time with little of it's environment aware of the slow-boiling attack. 
Be honest... I suspect they depend on apathy and ignorance. And a
lot of users gladly oblige.

Mr. Frog, meet boiling pot of water...
So then, what can we do? Well for starters, we can get the right security

Tor and Your PC :- 

A secure computer is your best defense as the NSA mostly relies on man-in-the-middle attacks and browser exploits that deliver payloads to hidden Tor servers. That said, you should anticipate and expect such an exploit can
infiltrate your system at any point. Things like Nits (network bugs), you have to be aware of. Thus the need to adhere to the following:

- Use Linux whenever possible. Yes, I know you're comfortable using Windows and think Linux too much of a bother. But you won't if you're ISP is subpoenaed for something you said on Facebook. Something anti-feminist, for instance. So learn to use it.

As you can see in these NSA slides - they typically target the weakest
system. The Tor Browser Bundle for Windows was instrumental in taking down Freedom Hosting and Silk Road because of unpatched vulnerabilities.

That, and a few rogue Tor exit nodes patched unsigned Windows packages to spread malware.

If you're new to Linux, look at Linux Mint. If you're experienced, Debian is a good choice. Windows can't be trusted primarily because it is closed-source, but also because malware is more effective on it than Linux. If Linux is out of the question, consider Tails or Whonix as these apps come
preconfigured to not allow any outgoing connections to clearnet.

Update Update Update!

Your PC must also be updated, always. Not updating leads to
vulnerabilities and exploits such as those in Windows. Optimally, you should ensure Tails is always updated each time you use Tor, and avoid any sites that use Java/Javascript/Flash or any kind of scripting as these execute code
in ways you cannot see. Use these only in an emergency and never in your home system.

Avoid using cookies wherever possible. Consider installing the Self-Destructing Cookies add-on.

Again, you should not use anything but a portable PC since your home PC is most likely not portable enough to be discarded in a trash can in the event of compromise.

Avoid Google like the Black Plague. Use DuckDuckGo or Startpage
instead for your Tor sessions.

Situation Awareness :-

Here we go again, preachin' the same old song and dance. But reading things three times often becomes a trigger in the brain later on for taking action, so here it is. Again.

If an agency can monitor your local connection as well as the link you are browsing, then (with sufficient resources) they can apply traffic analysis to
pinpoint your real location. Therefore, I recommend you do not use Tor in your residence.

Just to clarify, do not use Tor in your legal residence if doing any kind of  covert work or anything illegal without strict security measures in place; the
kind the average Tor user will likely overlook. Let that other guy learn his lesson. It's a tough break, but better him than you. He's a 19 year old named  Jimmy who likes hacking. You're a 32 year old construction guy with two
kids and a mortgage. Who has more to lose? Right, you. So study counter-surveillance and counter-forensics like your life depends on it... because it does!

For enemies of the state-level operations, I would suggest not engaging anything even near your online PC at home. Certainly nothing that makes you think you need Tor to hide it. It may be fine for private browsing but not
for someone planning a coup, running an illegal operation (home bible study in Iran, for instance), or trying to disappear.

Be wary of using it in hotels as well, where often there are many cams watching with 24/hr surveillance. That location can be linked to Tor activity.

Do not use Tor more than a day in any specific location. A

correlation-attack can be done in less than an hour if a black van is parked nearby--a van you will not see. They may not slap the cuffs on you as you walk out of the cafe that very week, but later they might. Consider the area a toxic dump after a day, regardless if you must travel to the next shop or town.

If you want to get really cloak and dagger about it, have an app running (an MMO, for instance) while you are out and about doing your Tor activity that makes it look like you were home during that time.

We've been watching you Mr. Anderson, and it seems you've been living... two... lives. 
                -- Agent Smith, The Matrix

Also Read ----->

/* If you want to remove footer link visit here and contact me bruus */