OnionWatch Logo
Log in Register
Back to Blog
9 min read

Onion Service Security Checklist

Security Checklist Onion Services Privacy

Operating an onion service comes with unique security responsibilities. This comprehensive checklist covers essential security measures every onion service operator should implement.

Server Security

✓ Operating System Hardening

  • Use a minimal, security-focused OS (Debian, Ubuntu Server, or hardened distributions)
  • Keep the system updated with automatic security patches
  • Disable unnecessary services and ports
  • Configure a firewall (UFW, iptables) to allow only required traffic
  • Implement fail2ban or similar intrusion prevention

✓ Access Control

  • Disable root SSH login
  • Use SSH keys instead of passwords
  • Implement two-factor authentication for SSH
  • Use sudo with limited privileges
  • Regularly audit user accounts and remove unused ones
  • Log all administrative actions

✓ File System Security

  • Encrypt the disk (LUKS, dm-crypt)
  • Set proper file permissions (principle of least privilege)
  • Use separate partitions for /tmp, /var, /home
  • Enable noexec, nosuid on appropriate partitions
  • Implement file integrity monitoring (AIDE, Tripwire)

Tor Configuration Security

✓ Onion Service Configuration

  • Use Onion Service v3 (v2 is deprecated and less secure)
  • Store private keys securely with restricted permissions (600)
  • Back up private keys to secure, encrypted storage
  • Use unique keys for each service (don't reuse)
  • Consider using client authorization for restricted access

✓ Tor Daemon Security

  • Run Tor as a dedicated non-root user
  • Keep Tor updated to the latest stable version
  • Configure appropriate resource limits
  • Enable logging for security events
  • Use SocksPort only on localhost

Web Application Security

✓ HTTPS/TLS Configuration

  • Use HTTPS even for onion services (defense in depth)
  • Generate strong SSL/TLS certificates
  • Use modern TLS versions (1.2+, preferably 1.3)
  • Disable weak ciphers and protocols
  • Implement HSTS headers
  • Monitor certificate expiration

✓ Application Hardening

  • Keep all software and dependencies updated
  • Use a Web Application Firewall (ModSecurity, NAXSI)
  • Implement rate limiting to prevent abuse
  • Validate and sanitize all user input
  • Use parameterized queries to prevent SQL injection
  • Implement CSRF protection
  • Set secure cookie flags (HttpOnly, Secure, SameSite)

✓ Security Headers

Implement comprehensive security headers:

Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Permissions-Policy: geolocation=(), microphone=(), camera=()

Privacy and Anonymity

✓ Operational Security

  • Never connect to your onion service from your real IP
  • Use Tor for all administrative access
  • Avoid linking your onion service to clearnet identities
  • Don't include identifying information in error messages
  • Sanitize logs to remove sensitive data
  • Use anonymous payment methods if accepting payments

✓ Traffic Analysis Protection

  • Avoid predictable traffic patterns
  • Don't leak timing information
  • Consider using vanguards for additional protection
  • Implement traffic padding where appropriate

Monitoring and Incident Response

✓ Security Monitoring

  • Implement comprehensive logging
  • Use intrusion detection systems (Snort, Suricata)
  • Monitor for unauthorized changes
  • Set up alerts for suspicious activity
  • Use uptime monitoring (OnionWatch) to detect availability issues
  • Regularly review logs for anomalies

✓ Incident Response Plan

  • Document incident response procedures
  • Maintain offline backups
  • Have a communication plan for users
  • Know how to quickly take the service offline if compromised
  • Plan for service migration if necessary

Backup and Recovery

✓ Backup Strategy

  • Implement automated, regular backups
  • Encrypt all backups
  • Store backups in multiple secure locations
  • Test backup restoration regularly
  • Back up onion service private keys separately
  • Document recovery procedures

Compliance and Best Practices

✓ Legal Compliance

  • Understand applicable laws in your jurisdiction
  • Implement age verification if required
  • Have clear terms of service and privacy policy
  • Comply with data protection regulations (GDPR, etc.)
  • Maintain required records and logs

✓ Regular Security Audits

  • Conduct regular security assessments
  • Perform penetration testing
  • Review and update security measures quarterly
  • Stay informed about new threats and vulnerabilities
  • Participate in security communities

Additional Resources

  • Tor Project's onion service best practices documentation
  • OWASP security guidelines
  • CIS benchmarks for server hardening
  • Security-focused Linux distributions (Whonix, Tails)

Conclusion

Security is not a one-time task but an ongoing process. Regularly review and update your security measures, stay informed about new threats, and always assume that determined attackers exist. By following this checklist and maintaining vigilance, you can significantly improve the security posture of your onion service.

Remember: the goal is not perfect security (which doesn't exist) but making your service a hard enough target that attackers move on to easier prey.

Ready to monitor your Tor services?

Start monitoring your onion services with OnionWatch today.

Get Started Free

Related Articles

Tor Monitoring Best Practices for 2025

Learn the essential best practices for monitoring Tor hidden services and onion sites to ensure maximum uptime and reliability.

Read Article

Understanding Onion Service Uptime and Availability

Dive deep into how onion services work and why monitoring uptime is crucial for maintaining a reliable dark web presence.

Read Article