Disabling IP address logging in Apache

Much thanks to Micah Lee for speaking at HOPE Number 9 – Privacy Tricks for Activist Web Developers

This post covers, in slightly more detail, the steps described between 15:50 and 17:01 of the video of that talk.

I’d really like to flesh out additional SOPs in order to work toward an open privacy specification.

Standard Operating Procedure for disabling IP logging of visitors to an Apache 2.2 vhost on Ubuntu 12.04. I performed the following steps on this WordPress blog, anon.is. If you maintain your own WordPress blog, you would need SSH and root/sudo access to your web server.

Confirm Apache version:
# apache2 -v
Server version: Apache/2.2.22 (Ubuntu)

Edit Apache’s config file:
# sudo vim /etc/apache2/apache2.conf

Locate the directives for defining log customization and add:
LogFormat "%l %u %t \"%r\" %>s %O" noip

Edit your virtual host config file:
# sudo vim /etc/apache2/sites-available/site

The default vhost config will have the following line:
CustomLog ${APACHE_LOG_DIR}/access.log combined

Replace the word ‘combined’ with ‘noip’ at the end of the line:
CustomLog ${APACHE_LOG_DIR}/access.log noip

Delete, via shred, your old access.log files:
# sudo shred -f -v -z -u /var/log/apache2/access.log*

Save your change and reload Apache:
# sudo service apache2 reload

Before this change, my visit to my blog looked like:
108.162.246.105 - - [29/Jul/2012:18:40:51 -0700] "GET / HTTP/1.1" 200 19663 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11"

After this change, my log entry looks like:
- - [29/Jul/2012:18:45:49 -0700] "GET / HTTP/1.1" 200 19664

108.162.246.105 is CloudFlare. Micah discusses this issue in his talk. Since I’m using the CloudFlare CDN as a middleman between my blog and my blog’s readers, CloudFlare does record all visitors. As far as I know, I have no control over CloudFlare IP logging. If I were not using a third-party service, I would have seen my actual originating IP.

It would be really awesome if I could find a way to log partial IP addresses, like the first two octets of an IPv4 address, possibly using Apache’s SetEnvIf directive. I also need to find out how to leverage this privacy-maintaining tactic when using an Intrusion Detection System in front of a web server, since it definitely stores all IP addresses with timestamps that can be compared to the reduced log file.
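One way to get the partial-address logging described above with SetEnvIf, as an added example that is not part of the original post. It assumes mod_setenvif is enabled; the names ip_prefix and partialip are made up for illustration.

```apache
# Added example: log only the first two octets of an IPv4 client address.
# "ip_prefix" and "partialip" are illustrative names, not from the post.

# --- /etc/apache2/apache2.conf, next to the other LogFormat lines ---
# Same fields as the noip format, with the truncated address in front.
# When ip_prefix is unset, %{ip_prefix}e is logged as "-".
LogFormat "%{ip_prefix}e %l %u %t \"%r\" %>s %O" partialip

# --- vhost file, e.g. /etc/apache2/sites-available/site ---
# Capture the first two octets of an IPv4 Remote_Addr and store them,
# padded with zeros to a full dotted quad, in ip_prefix.
# Addresses that do not match (for example IPv6 clients) leave the
# variable unset, so nothing about them is written to the log.
SetEnvIf Remote_Addr "^([0-9]+\.[0-9]+)\.[0-9]+\.[0-9]+$" ip_prefix=$1.0.0

# Use the new format in place of "combined" or "noip".
CustomLog ${APACHE_LOG_DIR}/access.log partialip
```

With this format, a request from 198.51.100.23 (a constructed documentation address) would be logged with 198.51.0.0 in the first field. Behind a proxy such as CloudFlare, Remote_Addr is the proxy's address, so the prefix logged is the proxy's.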

Updated Tor Exit config

Below are some small developments with respect to my Tor exit routing operations. I updated my torrc file by removing the configuration lines that I don’t use and the comment verbiage. I also added a new low-bandwidth exit router on a VPS in Iceland, tor.pirate.is, and made sure to update my MyFamily fingerprint line.

## UPDATED: 2012-JUL-24
NumCPUs 2
SocksPort 0
Log notice file /var/log/tor/notices.log
RunAsDaemon 1
DataDirectory /var/lib/tor
ORPort 9001
Nickname yawnbox
Address tor.anon.is
RelayBandwidthRate 5500 KB
RelayBandwidthBurst 7000 KB
ContactInfo Chris Sheats
DirPort 9030
MyFamily $6B53D408A434C2410FADA8224097CC60A441F7C5,$0F8D514E77A8E375105F506C549B87D080F736BB
ExitPolicy accept *:119 # nntp
ExitPolicy accept *:22 # ssh
ExitPolicy accept *:443 # https (HTTP via TLS)
ExitPolicy accept *:465 # smtps (SMTP over SSL)
ExitPolicy accept *:993 # imaps (IMAP over SSL)
ExitPolicy accept *:994 # ircs (IRC over SSL)
ExitPolicy accept *:995 # pop3s (POP3 over SSL)
ExitPolicy accept *:6660-6667 # allow irc ports
ExitPolicy accept *:6697 # irc (using SSL)
ExitPolicy reject *:* # reject everything else

I also updated both to Tor 0.2.3.19-rc. Since I run these as a hobby, I don’t mind running bleeding-edge exit routers.

Ubuntu 12.04 + Irssi + Tor + Freenode

This post is a guide for securely connecting to the Freenode IRC network using Ubuntu 12.04 x64 server, via the IRC client Irssi, using a Tor hidden service.

Note: This specific blog post is licensed as CC0 for the purpose of contributing to the Crypto.is project. You are free to copy, change, delete, or publish any part of this guide.

REQUIREMENTS

1. Have Ubuntu server installed + sudo and root access
2. Have a registered SN on Freenode: http://freenode.net/faq.shtml#userregistration

INSTALL TOR

sudo vim /etc/apt/sources.list

add:

deb http://deb.torproject.org/torproject.org precise main
deb-src http://deb.torproject.org/torproject.org precise main

:wq

sudo su
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | sudo apt-key add -
exit
sudo apt-get update
sudo apt-get install deb.torproject.org-keyring
sudo apt-get install tor

INSTALL IRSSI

sudo apt-get install irssi irssi-plugin-otr irssi-scripts screen libcrypt-openssl-bignum-perl libcrypt-blowfish-perl libcrypt-dh-perl
cd /usr/share/irssi/scripts/
sudo wget http://freenode.net/sasl/cap_sasl.pl

CONFIGURE TOR AND IRSSI

sudo vim /etc/tor/torrc

add:

mapaddress 10.40.40.40 p4fsi4ockecnea7l.onion

:wq

sudo service tor reload
sudo mkdir /usr/share/irssi/scripts/autorun
sudo ln -s /usr/share/irssi/scripts/cap_sasl.pl /usr/share/irssi/scripts/autorun
torify irssi
/script load cap_sasl.pl
/sasl set freenode [USER] [PASS] DH-BLOWFISH
/sasl save
/save
/exit
sudo ln -s /usr/share/irssi/scripts ~/.irssi/scripts
sudo vim ~/.irssi/config

add to line 2:

{ address = "p4fsi4ockecnea7l.onion"; chatnet = "freenode"; port = "6667"; use_ssl = "no"; ssl_verify = "no"; },

:wq

usewithtor irssi -n [USER]
/server freenode
/join #[CHANNEL]