Disabling IP address logging in Apache

Much thanks to Micah Lee for speaking at HOPE 9 – Privacy Tricks for Activist Web Developers!

This post covers, in slightly more detail, the steps described starting at 15:50 into the following YouTube video:

https://www.youtube.com/watch?v=q38HdGGWS78&t=15m50s

I’d really like to flesh out additional SOPs in order to work toward an open privacy specification.

This post describes how to disable IP logging of visitors to an Apache 2.2 virtual host. Keep in mind that even though this web server may not be logging IP addresses, the company that owns your server may still be logging inbound and outbound IP addresses.

Confirm Apache version:
$ apache2 -v
Server version: Apache/2.2.22 (Ubuntu)

This guide has also been confirmed with Apache 2.4:
$ apache2 -v
Server version: Apache/2.4.7 (Ubuntu)

Edit Apache’s config file:
$ sudo vim /etc/apache2/apache2.conf

Locate the directives for defining log customization:
/LogFormat

Comment out this line:
LogFormat "%h %l %u %t \"%r\" %>s %O" common

Add this line:
LogFormat "- %l %u %t \"%r\" %>s %b" noip

Edit your virtual host config file:
$ sudo vim /etc/apache2/sites-available/site

The default vhost config will have the following line:
CustomLog ${APACHE_LOG_DIR}/access.log combined

Replace the word ‘combined’ with ‘noip’ at the end of the line:
CustomLog ${APACHE_LOG_DIR}/access.log noip

Delete, via shred, your old access.log files:
$ sudo shred -f -v -z -u /var/log/apache2/access.log*

Reload Apache:
$ sudo service apache2 reload

Before this change, my visit to my blog looked like:
108.162.246.105 - - [29/Jul/2012:18:40:51 -0700] "GET / HTTP/1.1" 200 19663 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11"

After this change, my log entry looks more like:
- - [29/Jul/2012:18:45:49 -0700] "GET / HTTP/1.1" 200 19664

108.162.246.105 is CloudFlare; Micah discusses this issue in his talk. When a CDN sits as a middleman between a blog and its readers, the CDN does record visitors. As far as I know, I have no control over CloudFlare IP logging. If I were not using a third-party service, I would have seen my actual originating IP.

It would be really awesome if I could find a way to log partial IP addresses, like the first two octets of an IPv4 address, possibly using Apache’s SetEnvIf directive. I also need to find out how to leverage this privacy-maintaining tactic when using an Intrusion Detection System in front of a web server, since it definitely stores all IP addresses with timestamps that can be compared to the reduced log file.
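
As an added example (not from the original post or from Micah's talk), partial addresses can also be produced by post-processing log lines rather than inside Apache: the sketch below masks the first field to the first two octets of an IPv4 address, and can flag lines that still carry a full address after the noip change. The 32-bit IPv6 prefix, the function names and the mask_ip.py file name are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Added example: reduce or audit the %h field of Apache access-log lines."""
import ipaddress
import sys

V4_KEEP_BITS = 16  # first two octets, as the post suggests
V6_KEEP_BITS = 32  # assumption: the post does not cover IPv6


def parse_host(host):
    """Return an ip_address object, or None for '-' and hostnames."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    # Dual-stack listeners can report IPv4 clients as ::ffff:a.b.c.d
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def mask_host(host):
    """Zero everything past the kept prefix; non-IP values become '-'."""
    ip = parse_host(host)
    if ip is None:
        return "-"  # reverse-DNS hostnames identify visitors too, so drop them
    keep = V4_KEEP_BITS if ip.version == 4 else V6_KEEP_BITS
    drop = ip.max_prefixlen - keep
    return str(type(ip)((int(ip) >> drop) << drop))


def mask_line(line):
    """Rewrite the first field of a common/combined log line."""
    host, sep, rest = line.partition(" ")
    return mask_host(host) + sep + rest


def logs_full_ip(line):
    """True if the first field is still a full address (a vhost was missed)."""
    ip = parse_host(line.partition(" ")[0])
    return ip is not None and mask_host(str(ip)) != str(ip)


if __name__ == "__main__":
    # Usage: mask_ip.py < access.log > access.masked.log
    for raw in sys.stdin:
        sys.stdout.write(mask_line(raw))
```

The timestamps are left untouched, so the correlation with IDS or CDN logs described above still applies to the masked file.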

WordPress & PHP

Also mentioned in Micah’s talk is “hide identifying data from PHP with $_SERVER”. Edit your wp-config.php file and add these lines:

$_SERVER['HTTP_REFERER'] = 'https://web/';
$_SERVER['HTTP_USER_AGENT'] = 'web browser';
$_SERVER['REMOTE_ADDR'] = '127.0.0.1';
$_SERVER['REMOTE_HOST'] = 'localhost';

Updated Tor Exit config

Below are some small developments with respect to my Tor exit routing operations. I updated my torrc file by removing the configuration lines that I don’t use and the comment verbiage. I also added a new low-bandwidth exit router on a VPS in Iceland, tor.pirate.is, and made sure to update my MyFamily fingerprint line.

## UPDATED: 2012-JUL-24
NumCPUs 2
SocksPort 0
Log notice file /var/log/tor/notices.log
RunAsDaemon 1
DataDirectory /var/lib/tor
ORPort 9001
Nickname yawnbox
Address tor.anon.is
RelayBandwidthRate 5500 KB
RelayBandwidthBurst 7000 KB
ContactInfo Chris Sheats
DirPort 9030
MyFamily $6B53D408A434C2410FADA8224097CC60A441F7C5,$0F8D514E77A8E375105F506C549B87D080F736BB
ExitPolicy accept *:119 # nntp
ExitPolicy accept *:22 # ssh
ExitPolicy accept *:443 # https (HTTP via TLS)
ExitPolicy accept *:465 # smtps (SMTP over SSL)
ExitPolicy accept *:993 # imaps (IMAP over SSL)
ExitPolicy accept *:994 # ircs (IRC over SSL)
ExitPolicy accept *:995 # pop3s (POP3 over SSL)
ExitPolicy accept *:6660-6667 # allow irc ports
ExitPolicy accept *:6697 # irc (using SSL)
ExitPolicy reject *:* # reject everything not accepted above

I also updated both to Tor 0.2.3.19-rc. Since I run these as a hobby, I don’t mind running bleeding-edge exit routers.

Ubuntu 12.04 + Irssi + Tor + Freenode

This post is a guide for securely connecting to the Freenode IRC network using Ubuntu 12.04 x64 server, via the IRC client Irssi, using a Tor hidden service.

Note: This specific blog post is licensed as CC0 for the purpose of contributing to the Crypto.is project. You are free to copy, change, delete, or publish any part of this guide.

REQUIREMENTS

1. Have Ubuntu server installed + sudo and root access
2. Have a registered SN on Freenode: http://freenode.net/faq.shtml#userregistration

INSTALL TOR

sudo vim /etc/apt/sources.list

add:

deb http://deb.torproject.org/torproject.org precise main
deb-src http://deb.torproject.org/torproject.org precise main

:wq

sudo su
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
exit
sudo apt-get update
sudo apt-get install deb.torproject.org-keyring
sudo apt-get install tor

INSTALL IRSSI

sudo apt-get install irssi irssi-plugin-otr irssi-scripts screen libcrypt-openssl-bignum-perl libcrypt-blowfish-perl libcrypt-dh-perl
cd /usr/share/irssi/scripts/
sudo wget http://freenode.net/sasl/cap_sasl.pl

CONFIGURE TOR AND IRSSI

sudo vim /etc/tor/torrc

add:

mapaddress 10.40.40.40 p4fsi4ockecnea7l.onion

:wq

sudo service tor reload
sudo mkdir /usr/share/irssi/scripts/autorun
sudo ln -s /usr/share/irssi/scripts/cap_sasl.pl /usr/share/irssi/scripts/autorun
torify irssi
/script load cap_sasl.pl
/sasl set freenode [USER] [PASS] DH-BLOWFISH
/sasl save
/save
/exit
sudo ln -s /usr/share/irssi/scripts ~/.irssi/scripts
sudo vim ~/.irssi/config

add to line 2:

{ address = "p4fsi4ockecnea7l.onion"; chatnet = "freenode"; port = "6667"; use_ssl = "no"; ssl_verify = "no"; },

:wq

usewithtor irssi -n [USER]
/server freenode
/join #[CHANNEL]