Guide to Hiding a website/server from the FBI, Hackers, or Anyone
Posted by: DarkXander at 06-01-2014 16:25 PM, Last Modified 10-17-2014 12:01 PM
The purpose of this paper is to discuss the simplest and easiest way to prevent a website from being permanently shut down by the FBI, hackers, government agencies, web hosts, or generally anyone who might wish to silence your opinions or freedom of speech. This is a method I have employed several times for various reasons, mostly to combat hackers, and once against a very prudish web host. Of course I have never, never, ever done anything that might warrant the FBI taking notice of me. ;)
This can also be highly effective at mitigating DDoS attacks EVEN if it's UDP based, because the Pawn servers described in the tutorial below only forward legitimate TCP traffic to the real server they are protecting. Massing several VPS Pawns and putting all their IPs on the A record multiplies the amount of DDoS damage they can absorb as a team.
Requirements on the Main Hosting Webserver:
Windows or Linux Server, Mac Minis GTFO
An HTTP web server, Apache preferred; for those stuck with IIS, I feel for you, it will work, IIS is just sad.
Static IP address on the Main Hosting Server with unfiltered traffic on any ports.
iptables firewall preferred for Linux servers.
Requirements on what we will call the Pawn Servers:
Red Hat or CentOS 5 Linux REQUIRED
Decent Older CPU or Better (Anything Core2Duo or better is PLENTY)
IPTABLES Firewall REQUIRED
ROOT Access to the system, NOT SUDO, Real ROOT Login access.
Virtual Private Servers or virtual servers work great for Pawns and are usually cheap; usually the cheapest VPS is plenty.
I recommend the Pawn servers be at separate hosting companies from the Main Server and from each other, TRUST ME!
For the domain name, I recommend using a registrar in Russia, as they usually give everyone who requests a site be taken down the middle finger. At least Russia does something right, WIN!
Prefer a foreign country-owned TLD, as any .com or .net can still be killed by ICANN and the FBI directly, even if it's purchased through a foreign country; most noobies don't know that little detail. The FBI and ICANN have no control over country-owned TLDs like .ru and the rest.
Set up your Main Server as if it were going to be the only server, as if we weren't going to hide it; set up the IPs in Apache and elsewhere according to that ideal.
Once the website works and has been FULLY tested, we will begin to set Pawns in front of it to hide the Main Server from all forms of reverse resolution, traceroutes, etc. And just by the way this trick works, it will also create a powerful hacker-preventative screen that will not only confuse most moderately skilled hackers as to WTF they are looking at, but also defeat them, because the Pawn will take all the damage they attempt to deal to the network.
Some good Providers to use for Pawns would be:
Godaddy CentOS VPS Servers
Hostway VPS Servers
Gate.com VPS Servers
So now take your first Pawn system and disable its Apache service permanently; set Apache not to start on boot, period. Change Apache's non-SSL port from 80 to 81 so that if Apache starts by some accident it won't interfere with the Pawn's normal operation.
If you want to leave a booby trap for hackers, leave mysql and sshd running on their normal ports, which makes it look like a dummy set it up, and the hacker will be guaranteed many hours of effort just to find out it's a Pawn once they finally break in, LOL.
In the Pawn's iptables firewall open port 80 normally. This line is what a CentOS 5.8 server uses for that, but it varies slightly; see the manual if you're not sure:
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
On the Pawn also set the following permanently. Without this IT WILL NOT WORK:
sysctl -w net.ipv4.ip_forward=1
Once that setting is in place, get your Main Server's static IP address handy and run the following commands on the Pawn Server:
iptables -t nat -A PREROUTING -d (Pawn Server IP) -p tcp --dport 80 -j DNAT --to-destination (Main Server IP)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Now I would also set those two commands to run at bootup, or in a cron job that runs every hour or something.
Finally, change your domain's DNS A record to point to the Pawn Server's IP address, and poof, the website should work as if the Pawn were the real Main Server, with no way to tell from the outside looking in. Any attempt to get in through SSH or any other port will hit the Pawn and not the Main Server.
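The whole Pawn setup above (forwarding enabled persistently, the DNAT and MASQUERADE rules, and the "other ports are not funnelled" property from the bonus section further down) as one script. This is an added example, not the original post's own script: it assumes the Pawn's public interface is eth0, uses constructed documentation addresses, and adds an optional Main-Server rule set that accepts port 80 only from the listed Pawns, which the post does not require.

```shell
# pawn-nat.sh: print (or with --apply, run) the rules for one Pawn.
# Added example, not from the original post. Assumes the Pawn's public
# interface is eth0 and CentOS 5 style chains (RH-Firewall-1-INPUT).
set -eu

# Accept only a dotted-quad IPv4 address with octets 0-255; returns 1 otherwise.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Rules for one Pawn: pawn_nat_rules PAWN_IP MAIN_IP [PORT] [IFACE]
pawn_nat_rules() {
    pawn=$1; main=$2; port=${3:-80}; iface=${4:-eth0}
    valid_ipv4 "$pawn" && valid_ipv4 "$main" || return 1
    # Rewrite the destination of web traffic that arrives at the Pawn's address.
    echo "iptables -t nat -A PREROUTING -d $pawn -p tcp --dport $port -j DNAT --to-destination $main"
    # Only this one port is forwarded; SSH etc. still terminate on the Pawn.
    # CentOS 5 sends FORWARD through RH-Firewall-1-INPUT, which already has the
    # port-80 ACCEPT; other distros need these explicit FORWARD rules.
    echo "iptables -A FORWARD -d $main -p tcp --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -s $main -p tcp --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Replies must return via the Pawn, so source-NAT what leaves toward the Main.
    echo "iptables -t nat -A POSTROUTING -o $iface -j MASQUERADE"
}

# Forwarding must survive a reboot; sysctl -w alone does not.
persist_ip_forward() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "grep -q '^net.ipv4.ip_forward *= *1' /etc/sysctl.conf || echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf"
}

# Main-Server side (optional hardening, an assumption beyond the post): accept
# port 80 only from the listed Pawns, so a direct scan of the Main shows nothing.
main_server_rules() {
    port=$1; shift
    for pawn in "$@"; do
        valid_ipv4 "$pawn" || return 1
        echo "iptables -A INPUT -s $pawn -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Usage: sh pawn-nat.sh PAWN_IP MAIN_IP [--apply]   (prints only, unless --apply)
if [ $# -ge 2 ]; then
    { persist_ip_forward; pawn_nat_rules "$1" "$2"; } |
        if [ "${3:-}" = "--apply" ]; then sh -e; else cat; fi
fi
```

Apply the rules once and save them (on CentOS 5, `service iptables save`) rather than re-appending them from cron, which would duplicate them every run. Because of MASQUERADE the Main Server's Apache logs will show the Pawn's address as the client, not the real visitor.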
Now assuming someone powerful out there REALLY REALLY hates you and wants to kill your site, and is able to kill the Pawn after a while.....
That's why you set up at least one extra Pawn the EXACT same way as the first! Then when the first Pawn starts to fail or goes down, point your DNS A record at the backup Pawn's IP address. Bang, you're back online and the poor hacker will say WTF???!?!?!?!
Additionally, if your DNS provider allows multiple A records for failover purposes, you can set up a handful of Pawns and add them all to the DNS A records at once; as they die, just remove them from the list and add more if you wish.
This will drive the poor bastards coming after you nuts, as it will seem like you have an entire team of people helping you keep the site online, and no end of failover systems, while you sit there sipping a drink watching them try.
Little Bonuses to this setup:
1. Say they use an HTTP exploit on your site to upload some form of script that opens a port for them to access your box, or even creates a root account for them, or changes the root password. THEY STILL FAIL!!!! The other port numbers, including SSH, are not being funnelled by the Pawn, so they will be attempting to connect to the WRONG IP address and getting extremely confused when the exploit succeeds, yet they STILL cannot get in!!!! Because they have the Pawn's IP, but the port is open on the Main, which they can't find and don't know about.
2. Ease of setup and cost of setup of this method, compared to the safety and security it provides, is very very good; it's simple and easy, yet extremely effective.
3. When a Pawn dies, cancel the account, or just wipe it back to factory, set it up again and put it back in your list of Pawns.
I authored this document because I'm a firm believer in Freedom, Equality, and Freedom of Speech. Go drive those pesky hackers nuts, especially the Chinese government ones. I hope the ethical hackers (like me) and system admins who share my beliefs find this useful and effective at sandbagging their enemies and being victorious.......