New Democracy Now! Onion site

g6klvb3bfx3zuivo.onion

Updated onion address: 2017-March-12

Previous work here. The rest of this post is for technical individuals.

I recently moved to a new DN! host mainly because my first one ran out of storage. I apologize to those who have not been able to access the last few episodes due to the old host filling up. This post goes into detail how I set up the new Onion site, then how I transfered all ~30GB of existing DN! files from the old host to the new host exclusively over Onion service via rsync.

Some major improvements include Democracy Now’s third-party services all support TLS now, meaning that I’m finally pulling the media via authenticated and confidential (exluding metadata) transport. My updated shell script is below, too.

Please note that not all traffic is torified on the new host, the DN! files are still getting pulled via port 443, outbound DNS via port 53, and outbound NTP via port 123.

New Ubuntu 16.04 Xenial host setup

Enable the firewall disabling all inbound traffic:

sudo ufw enable

Edit sources list to remove the default HTTP repositories with Wikimedia’s HTTPS repositories for transport authentication and confidentiality, and add Tor Project’s HTTP repository:

sudo vim /etc/apt/sources.list

deb https://ubuntu.wikimedia.org/ubuntu/ xenial main restricted universe multiverse
deb https://ubuntu.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse
deb https://ubuntu.wikimedia.org/ubuntu/ xenial-backports main restricted universe multiverse
deb https://ubuntu.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse
deb http://deb.torproject.org/torproject.org xenial main

Add the Tor Project’s signing key:

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -

Update, upgrade, then install the necessary Tor apps:

sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install tor apt-transport-tor deb.torproject.org-keyring -y

Edit torrc to create the new Onion site address:

sudo vim /etc/tor/torrc

HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 80 127.0.0.1:80

Restart the Tor service:

sudo service tor restart

View the new Onion site address:

sudo cat /var/lib/tor/hidden_service/hostname

gnt3qwmxads3yytg.onion

Edit sources list again so that the repositories will only be accessed via Onion service:

sudo vim /etc/apt/sources.list

deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial main restricted universe multiverse
deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial-updates main restricted universe multiverse
deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial-backports main restricted universe multiverse
deb tor+https://ubuntu.wikimedia.org/ubuntu/ xenial-security main restricted universe multiverse
deb tor+http://deb.torproject.org/torproject.org xenial main

Update and upgrade again, and install Open-SSH, all via Onion service:

sudo apt-get update && sudo apt-get upgrade -y && sudo apt-get install openssh-server

Configure the SSH server to only accept connections via Onion service. Also harden the security a little bit:

sudo vim /etc/ssh/sshd_config

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
AllowUsers user
Port 22
ListenAddress 127.0.0.1:22
Protocol 2
HostKey /etc/ssh/ssh_host_ed25519_key
UsePrivilegeSeparation yes
KeyRegenerationInterval 30
ServerKeyBits 4096
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes

Install Apache via Onion service, disable status, and enable headers:

sudo apt-get install apache2 -y && sudo a2dismod status && sudo a2enmod headers

Configure the index view of the Apache landing page:

sudo vim /etc/apache2/mods-available/autoindex.conf

IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8 SuppressDescription SuppressIcon SuppressLastModified SuppressRules
IndexOrderDefault Descending Name

Harden Apache’s security configuration:

sudo vim /etc/apache2/conf-available/security.conf

Directory /
AllowOverride None
Require all denied
/Directory

Header always set X-XSS-Protection: "1; mode=block"
Header always set X-Permitted-Cross-Domain-Policies: "master-only"
Header always set Cache-Control: "private, no-cache, no-store, must-revalidate"
Header always set Pragma: "no-cache"
Header always set Expires: "-1"
Header always set X-Content-Type-Options: "nosniff"
Header always set X-Frame-Options: "sameorigin"
Header always set Content-Security-Policy: "default-src 'self'"
ServerTokens Prod
ServerSignature Off
TraceEnable Off

Configure Apache to only work via Onion service:

sudo vim /etc/apache2/sites-available/000-default.conf

VirtualHost 127.0.0.1:80
ServerName gnt3qwmxads3yytg.onion
ServerAdmin gnt3qwmxads3yytg@yawnbox.com
DocumentRoot /var/www/html/dn/
LogLevel info
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
/VirtualHost

Restart Apache:

sudo service apache2 restart

Make the DN! directory:

sudo mkdir /var/www/html/dn/

Create the shell script to download the various DN! files:

sudo vim dn-now.sh

#!/bin/bash
cd /var/www/html/dn/
daystamp=$(date +%Y-%m%d)
wget -m -p -E -k -K -np -nd -e robots=off -H -r https://publish.dvlabs.com/democracynow/360/dn$daystamp.mp4
wget -m -p -E -k -K -np -nd -e robots=off -H -r https://traffic.libsyn.com/democracynow/dn$daystamp-1.mp3
wget -m -p -E -k -K -np -nd -e robots=off -H -r https://ewheel.democracynow.org/dn$daystamp.mp4.torrent
chown -R www-data:www-data /var/www/html/dn/*

Edit cron to check for new files every 15 minutes:

sudo crontab -e

*/15 * * * * bash /home/user/dn-now.sh

Old Host

Configure SSH client to be torified:

sudo vim /etc/ssh/ssh_config

Host *
ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
CheckHostIP no

Rsync all files from the old host (ssh client) to the new host (ssh server):

sudo rsync -v /var/www/html/dn/* user@gnt3qwmxads3yytg.onion:/var/www/html/dn/

Cheers!