# FT_ONION - Tor Hidden Service Project

A fully functional Tor hidden service with an Nginx web server, fortified SSH access, and an interactive visualization - 42 Cybersecurity Piscine final project.
- About
- What is Tor?
- Features
- Architecture
- Prerequisites
- Installation
- Usage
- Accessing Services
- Project Structure
- Security Features
- Bonuses Implemented
- Technical Details
- Troubleshooting
- Evaluation
- License
## About

This project demonstrates the creation of a Tor hidden service (.onion website) with enhanced security features. It's a comprehensive implementation that goes beyond basic requirements, achieving a perfect score of 125/100 at 42 Beirut's Cybersecurity Piscine.
The project showcases:
- Deep understanding of Tor network architecture
- Secure server configuration practices
- Docker containerization and orchestration
- Interactive web development
- SSH hardening techniques
## What is Tor?

Tor (The Onion Router) is free, open-source software that enables anonymous communication over the internet. It works by routing traffic through a worldwide volunteer network of relays to conceal user location and usage from network surveillance or traffic analysis.

```text
Client -> Entry Node -> Middle Relay -> Exit Node -> Destination
```
- Entry Node: First layer of encryption
- Middle Relay: Adds another layer, hides the connection
- Exit Node: Final decryption before reaching destination
### Hidden Services (.onion)

Hidden services are websites hosted on the Tor network that:

- Are only accessible through Tor Browser
- Hide the server's IP address and location
- Provide end-to-end encryption
- Use `.onion` addresses (e.g., `xxxxxxxxxxxxxxxxx.onion`)
## Features

- Static Web Page: Custom interactive HTML page
- Nginx Server: Configured to serve content on port 80
- SSH Access: Available on custom port 4242
- Tor Hidden Service: Accessible via a `.onion` URL
- No Port Exposure: Services only accessible through the Tor network
- Docker Containerization: Complete multi-container setup
- SSH Fortification:
  - Public key authentication only
  - Disabled root login
  - No password authentication
  - Disabled X11 forwarding and TCP forwarding
  - Connection timeout controls
- Interactive Application:
  - Animated network visualization
  - Real-time packet routing simulation
  - Layer activation controls
  - Responsive design
  - Visual effects and animations
## Architecture

```text
+---------------------------------------------------------+
|                Docker Network (onionnet)                |
|                                                         |
|   +----------+     +----------+     +----------+        |
|   |  Nginx   |     |   SSH    |     |   Tor    |        |
|   |   :80    |     |  :4242   |     |  Proxy   |        |
|   +----+-----+     +----+-----+     +----+-----+        |
|        |                |                |              |
|        +----------------+----------------+              |
|                                          |              |
+------------------------------------------|--------------+
                                           |
                                      Tor Network
                                           |
                                    .onion Address
                                           |
                                      Tor Browser
```

- Nginx Container (`ft_nginx`):
  - Serves static content
  - Listens on port 80 (internal)
  - Isolated in the `onionnet` bridge network
- SSH Container (`ft_ssh`):
  - Hardened SSH server
  - Listens on port 4242 (internal)
  - Alpine-based with minimal footprint
- Tor Container (`ft_tor`):
  - Tor daemon
  - Routes traffic to Nginx
  - Manages the `.onion` address
  - Persistent volume for hidden service keys
## Prerequisites

- Docker (v20.10+)
- Docker Compose (v2.0+)
- Tor Browser (for accessing the .onion site)
- Git (for cloning)
## Installation

```bash
git clone https://github.com/yourusername/ft_onion.git
cd ft_onion
docker-compose up --build -d

# Monitor logs
docker-compose logs -f tor
# Wait for "Bootstrapped 100%" message

docker exec ft_tor cat /var/lib/tor/hidden_service/hostname
```

Example output:

```text
a1b2c3d4e5f6g7h8.onion
```

## Usage

```bash
# Start all services
docker-compose up -d

# Check status
docker-compose ps

# View logs
docker-compose logs -f

# Stop all services
docker-compose down

# Stop and remove volumes (resets .onion address)
docker-compose down -v

# Rebuild and restart
docker-compose up --build -d
```

## Accessing Services

### Web Page

- Install Tor Browser
- Get your `.onion` address:

  ```bash
  docker exec ft_tor cat /var/lib/tor/hidden_service/hostname
  ```

- Open Tor Browser and navigate to `http://your-address.onion`

### SSH

```bash
# On your local machine
ssh-keygen -t ed25519 -f ~/.ssh/ft_onion_key -C "ft_onion"

# Copy your public key
cat ~/.ssh/ft_onion_key.pub

# Access the container
docker exec -it ft_ssh sh

# Add key to authorized_keys
mkdir -p /home/ftuser/.ssh
echo "your-public-key-here" >> /home/ftuser/.ssh/authorized_keys
chmod 700 /home/ftuser/.ssh
chmod 600 /home/ftuser/.ssh/authorized_keys
chown -R ftuser:ftuser /home/ftuser/.ssh
exit
```

Then connect through Tor:

```bash
# Using torify (if installed)
torify ssh -i ~/.ssh/ft_onion_key -p 4242 ftuser@your-address.onion

# Or configure SSH to use the Tor SOCKS proxy
ssh -i ~/.ssh/ft_onion_key \
    -o ProxyCommand="nc -X 5 -x 127.0.0.1:9050 %h %p" \
    -p 4242 ftuser@your-address.onion
```

## Project Structure

```text
ft_onion/
├── docker-compose.yml      # Orchestrates all containers
├── nginx/                  # Web server configuration
│   ├── index.html          # Interactive webpage
│   └── nginx.conf          # Nginx configuration
├── ssh/                    # SSH server setup
│   ├── Dockerfile          # Alpine + OpenSSH
│   └── sshd_config         # Hardened SSH configuration
├── tor/                    # Tor hidden service
│   ├── Dockerfile          # Alpine + Tor
│   └── torrc               # Tor configuration
└── README.md               # This file
```
## Security Features

### SSH Hardening

Our `sshd_config` implements multiple security layers:

| Feature | Setting | Security Benefit |
|---|---|---|
| Custom Port | `Port 4242` | Reduces automated attacks |
| Root Login | `PermitRootLogin no` | Prevents root compromise |
| Password Auth | `PasswordAuthentication no` | Only key-based access |
| Public Key Auth | `PubkeyAuthentication yes` | Cryptographic authentication |
| X11 Forwarding | `X11Forwarding no` | Prevents GUI-based attacks |
| TCP Forwarding | `AllowTcpForwarding no` | Blocks tunnel creation |
| Connection Timeout | `ClientAliveInterval 300` | Terminates idle sessions |
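As an added check (my example, not a file from the ft_onion repository), a POSIX shell audit that reads an `sshd_config` and confirms every directive in the table carries its hardened value; sshd honours the first occurrence of a directive, which is why the lookup stops at the first match. The two sample configs it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the ft_onion repository): audit an sshd_config
# against the directives in the table above. Only top-level directives are
# checked; Match blocks are ignored. Usage: sh audit.sh [path/to/sshd_config]
# Effective value of a directive: sshd uses the first occurrence, so take the
# first non-comment line whose keyword matches (keywords are case-insensitive).
sshd_get() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}
# Returns 0 when every hardening directive has the expected value, 1 otherwise.
check_sshd_hardening() {
    cfg="$1"; failed=0
    for pair in Port=4242 PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes X11Forwarding=no AllowTcpForwarding=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_get "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK    $key $got"
        else
            echo "FAIL  $key is '${got:-unset}', expected '$want'"; failed=1
        fi
    done
    # Idle-session timeout: any positive ClientAliveInterval is acceptable.
    got=$(sshd_get "$cfg" ClientAliveInterval)
    if [ -n "$got" ] && [ "$got" -gt 0 ] 2>/dev/null; then
        echo "OK    ClientAliveInterval $got"
    else
        echo "FAIL  ClientAliveInterval is '${got:-unset}', expected > 0"; failed=1
    fi
    return $failed
}
# Constructed sample configs (not the project's files) so the audit runs offline.
HARDENED_CFG=$(mktemp) && cat > "$HARDENED_CFG" <<'EOF'
Port 4242
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
X11Forwarding no
AllowTcpForwarding no
ClientAliveInterval 300
EOF
WEAK_CFG=$(mktemp) && cat > "$WEAK_CFG" <<'EOF'
#Port 22
PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes
EOF
# Audit the file given on the command line, or the constructed hardened sample.
check_sshd_hardening "${1:-$HARDENED_CFG}"
```

Run it against the container's real file with `docker cp ft_ssh:/etc/ssh/sshd_config . && sh audit.sh sshd_config` to confirm the table matches what is actually deployed.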
### Tor Network Security

- Anonymity: Server location completely hidden
- Encryption: Multi-layer encryption by default
- No DNS Leaks: `.onion` addresses resolved internally
- Censorship Resistance: Bypass geographical restrictions

### Container Security

- Network Isolation: Custom bridge network `onionnet`
- No Port Exposure: Services not accessible from the host
- Minimal Attack Surface: Alpine Linux base images
- Resource Constraints: Container resource limits
## Bonuses Implemented

### SSH Fortification

Complete SSH hardening following industry best practices:

- Public key authentication only
- Disabled password authentication
- Disabled root login
- Custom port (4242)
- Disabled X11 forwarding
- Disabled TCP forwarding
- Connection timeout controls
- Minimal privilege user (`ftuser`)
### Interactive Application

Advanced frontend implementation featuring:

- Animated Network Visualization: Canvas-based particle system
- Real-time Packet Simulation: Visual data flow through layers
- Interactive Controls: Toggle encryption, network visibility
- Layer Selection: Click to activate individual Tor layers
- Responsive Design: Mobile and desktop compatible
- Modern UI: Gradient effects, animations, smooth transitions
- Educational Value: Demonstrates Tor routing principles
Technical Stack:
- Pure JavaScript (no frameworks)
- HTML5 Canvas for animations
- CSS3 animations and transitions
- Responsive grid layout
## Technical Details

### Docker Compose

```yaml
services:
  nginx:      # Web server
  ssh:        # SSH access
  tor:        # Hidden service proxy
networks:
  onionnet:   # Isolated bridge network
volumes:
  tor_data:   # Persistent .onion keys
```

### Nginx Configuration

- Single-page application served on port 80
- Optimized MIME type handling
- Sendfile enabled for performance
- Clean URL routing with fallback

### Tor Configuration

```text
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 ft_nginx:80
```

- Routes port 80 traffic to the Nginx container
- Persists keys in a Docker volume
- Logs to stdout for monitoring
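`HiddenServicePort 80 ft_nginx:80` names the Nginx container by its service DNS name, so the compose file has to place `ft_tor` and `ft_nginx` on the same user-defined network and must not publish any `ports:` to the host. The following is an added illustration of that wiring, not the repository's own docker-compose.yml (which this page shows only in outline); the Nginx image choice, the mount paths and the memory limits are assumptions.

```yaml
# Added illustration, not the project's docker-compose.yml. Assumed: nginx uses the
# official Alpine image with the two files from nginx/ mounted in; ssh/ and tor/
# carry their own Dockerfiles as shown in the project tree.
services:
  nginx:
    image: nginx:alpine
    container_name: ft_nginx          # the name torrc forwards to (ft_nginx:80)
    volumes:
      - ./nginx/index.html:/usr/share/nginx/html/index.html:ro
      - ./nginx/nginx.conf:/etc/nginx/nginx.conf:ro
    expose:
      - "80"                          # reachable only inside onionnet; no ports: mapping
    networks: [onionnet]
    mem_limit: 128m
    restart: unless-stopped

  ssh:
    build: ./ssh
    container_name: ft_ssh
    expose:
      - "4242"
    networks: [onionnet]
    mem_limit: 128m
    restart: unless-stopped

  tor:
    build: ./tor
    container_name: ft_tor
    depends_on: [nginx, ssh]
    volumes:
      - tor_data:/var/lib/tor/hidden_service   # must match HiddenServiceDir in torrc
    networks: [onionnet]
    mem_limit: 256m
    restart: unless-stopped

networks:
  onionnet:
    driver: bridge                    # user-defined bridge: embedded DNS resolves service names

volumes:
  tor_data:                           # deleting this volume regenerates the .onion address
```

`docker-compose ps` should show no `0.0.0.0:...->` entries in the PORTS column; if it does, a `ports:` key has crept in and the service is reachable from the host.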
Following the principle of least privilege:
- Only necessary features enabled
- Strong authentication required
- Minimal user permissions
- Connection lifecycle management
## Troubleshooting

### Tor not bootstrapping or no `.onion` address

Solution:

```bash
# Check if Tor is fully bootstrapped
docker-compose logs tor | grep "Bootstrapped 100%"

# Verify .onion address exists
docker exec ft_tor cat /var/lib/tor/hidden_service/hostname

# Restart Tor service
docker-compose restart tor
```

### SSH connection fails

Solution:

```bash
# Verify SSH is running
docker-compose ps ssh

# Check SSH logs
docker-compose logs ssh

# Ensure you're using the correct key
ssh -i ~/.ssh/ft_onion_key -vvv ftuser@address.onion -p 4242
```

### Website not loading

Solution:

```bash
# Check Nginx status
docker-compose logs nginx

# Verify network connectivity
docker exec ft_tor ping ft_nginx

# Rebuild containers
docker-compose down && docker-compose up --build -d
```

### `.onion` address changed

Explanation: This happens when the `tor_data` volume is deleted.

Solution:

```bash
# Always use 'down' without -v to preserve volumes
docker-compose down

# Never use:
# docker-compose down -v   # This deletes volumes!
```

## Evaluation

- Hidden Service Setup (25 pts)
- Nginx Configuration (25 pts)
- SSH Access (25 pts)
- Documentation (15 pts)
- Defense (10 pts)
- SSH Fortification (15 pts)
- Interactive Application (10 pts)
Evaluation checklist:

- Docker containers start without errors
- `.onion` address is accessible via Tor Browser
- Webpage loads and displays correctly
- Interactive features work (animations, buttons)
- SSH connection works on port 4242
- Password authentication is disabled
- Root login is disabled
- Project structure matches requirements
- All configuration files are present
- Student can explain Tor architecture
- Docker: Container orchestration
- Alpine Linux: Minimal base image
- Nginx: High-performance web server
- Tor: Anonymous network protocol
- OpenSSH: Secure shell implementation
This is an educational project for 42's Cybersecurity Piscine. While it's a completed assignment, suggestions for improvements are welcome!
- Add multi-page navigation
- Implement WebSocket for real-time features
- Add monitoring dashboard
- Create automated tests
- Add CI/CD pipeline
- Implement rate limiting
## License

This project is created for educational purposes only as part of 42's Cybersecurity curriculum.
Important Notes:
- Do not use for illegal activities
- Tor hidden services should comply with local laws
- SSH security depends on proper key management
- Always use strong, unique keys for authentication
- Keep software updated for security patches
This project is part of the 42 School curriculum and follows the school's guidelines.
Your Name - @yourusername
- 42 Intra: your_login
- School: 42 Beirut
- Project: ft_onion (Cybersecurity Piscine)
- Score: 125/100
- 42 Network for the challenging curriculum
- The Tor Project for privacy tools and documentation
- Docker Community for containerization resources
- Alpine Linux for minimal, secure base images
- 42 Beirut peers for discussions and peer-evaluation