Hosting on the I2P network - everything you need to organize
Today's task is to host a site on the Internet anonymously. There are not many technologies that can help here, but one of the most advanced solutions offering anonymous hosting, in which it is practically impossible to determine where the server holding the files is actually located, is I2P.
I2P vs Tor
So what is I2P? The technology is best understood as an additional network layer that runs on top of the familiar IP protocol and provides the means for anonymous data transfer. I2P uses several kinds of cryptography to transfer messages securely, together with numerous peer-to-peer tunnels on which the anonymity and resilience of the system rest. We have mentioned I2P on the pages of the magazine repeatedly, but never looked at how it works in detail, and few people have had to deal with it. Far better known in the field of anonymization is Tor. So, while describing how I2P works, we will draw some comparisons between the two technologies.
Both systems, I2P and Tor, use layered cryptography so that intermediaries cannot decrypt the contents of the packets they relay. All any node knows is the next link in the chain. While Tor is focused on keeping the client incognito while surfing the Internet, I2P's goal is to build an anonymous network that connects its users to each other. Although anonymous surfing is still possible (through special gateways that have access "out", described in the inset), its main purpose is to provide anonymous hosting.
This is primarily about hosting web sites, which in I2P terminology are called eepsites. The idea is similar to the Hidden Services available to Tor users, but anonymous hosting in I2P works noticeably faster. It is not a half-hearted attempt but a working technology for hosting sites, reliable and sustainable.
I2P has no central servers and no DNS servers in the usual sense; instead it uses a distributed hash table (DHT) based on Kademlia. This removes a serious single point of failure. We all remember the story from 2007, when the Chinese firewall blocked access to the main directory of Tor services. Because I2P relies on peer-to-peer technology to exchange routing information, it avoids such problems. The subsystem through which I2P participants learn about each other is called NetDB. Every participant is a router through which transit traffic flows, so, broadly speaking, the system makes no real distinction between a server and an ordinary client.
Addressing in I2P
Routers and services are not addressed by IP; instead a special cryptographic identifier (a destination) designates both routers and end services. For example, the identifier of www.i2p2.i2p (the project's main site inside the I2P network) looks like this:
-KR6qyfPWXoN~F3UzzYSMIsaRy4udcRkHu2Dx9syXSz
[... cut out ...]
e9NYkIqvrKvUAt1i55we0Nkt6xlEdhBqg6xXOyIAAAA
So a destination is 516 bytes of Base64. Obviously such an identifier can hardly be called convenient, and it will not work with some protocols (HTTP included). I2P therefore offers a second form of naming, "Base32 names", which closely resembles the way .onion names are built in Tor. The 516-byte Base64 identifier is decoded back to its raw bytes (I2P's Base64 alphabet uses "-" and "~" in place of "+" and "/", so those characters are substituted first), the raw bytes are hashed with SHA-256, the hash is encoded in Base32, and .b32.i2p is appended. The result is a name that is perfectly usable. Doing this for the identifier of www.i2p2.i2p gives:
rjxwbsw4zjhv4zsplma6jmf5nr24e4ymvvbycd3swgiinbvg7oga.b32.i2p
This form is much easier to work with. I2P has no official equivalent of a DNS server that would resolve names (that is, map a <somename>.i2p domain to an identifier), since that would be a serious point of failure for the whole system. Instead, each I2P node keeps its own set of text files mapping names to services, very similar to the familiar HOSTS file. A user can, however, synchronize this database of "bindings" from a subscription server inside I2P. In doing so he places full trust in the owner of that service, relying on him to supply the "correct" identifiers; only the b32 form, being derived from the destination itself, can be checked locally.
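The Base32 derivation just described, and the address-book trust problem, as an added Python example that is not part of the original article (nor the script from the magazine's disk). The sample destination is constructed from a byte pattern and is not a real key; everything else uses only the standard library.

```python
import base64
import hashlib

B32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def i2p_b64_decode(dest: str) -> bytes:
    """Decode an I2P destination string to raw bytes.

    I2P uses the standard Base64 alphabet with two substitutions:
    '-' instead of '+' and '~' instead of '/'.  Whitespace or line
    breaks picked up when copying the key out of the console are dropped.
    """
    cleaned = "".join(dest.split()).replace("-", "+").replace("~", "/")
    cleaned += "=" * (-len(cleaned) % 4)        # tolerate stripped padding
    return base64.b64decode(cleaned)


def i2p_b64_encode(raw: bytes) -> str:
    """Inverse of i2p_b64_decode (I2P alphabet)."""
    return base64.b64encode(raw).decode("ascii").replace("+", "-").replace("/", "~")


def dest_to_b32(dest: str) -> str:
    """Derive the <sha256>.b32.i2p name of a Base64 destination.

    32 hash bytes give 52 Base32 characters (56 with padding); I2P uses
    lowercase and drops the '=' padding.
    """
    digest = hashlib.sha256(i2p_b64_decode(dest)).digest()
    b32 = base64.b32encode(digest).decode("ascii").rstrip("=").lower()
    return b32 + ".b32.i2p"


def check_address_book_entry(hostname: str, dest: str, expected_b32: str) -> bool:
    """Return True only if the destination a subscription publishes for
    `hostname` hashes to the b32 name obtained from the site owner.

    A hosts.txt line (name=destination) is not self-certifying: a subscription
    server can point 'xa31337xa.i2p' at a destination of its own choosing.
    The b32 name is a hash of the destination, so the mapping can be
    verified locally before the entry is trusted.
    """
    if not hostname.endswith(".i2p"):
        return False
    try:
        return dest_to_b32(dest) == expected_b32.strip().lower()
    except ValueError:            # binascii.Error is a ValueError subclass
        return False


# Constructed sample (an assumption, not a real key): a 387-byte destination,
# the size of a destination with the default null certificate (256-byte
# encryption key + 128-byte signing key + 3-byte certificate).  387 raw
# bytes encode to exactly the 516 Base64 characters mentioned in the text.
SAMPLE_RAW = bytes((i * 7 + 3) % 256 for i in range(387))
SAMPLE_DEST = i2p_b64_encode(SAMPLE_RAW)


if __name__ == "__main__":
    name = dest_to_b32(SAMPLE_DEST)
    print(f"{len(SAMPLE_DEST)} Base64 chars -> {name}")
    print("subscription entry matches:",
          check_address_book_entry("xa31337xa.i2p", SAMPLE_DEST, name))
```

Pasting the "Local destination" string from the tunnel manager into dest_to_b32 gives the same result as the conversion described in the text; check_address_book_entry is what you would run over a line of a subscription's hosts.txt before relying on it.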
Chaining for data transfer
Protective Mechanisms
I2P implements several interesting technologies to rule out interception and substitution of traffic. Whereas Tor uses a single circuit for a connection, I2P relies on the concepts of inbound ("in") and outbound ("out") tunnels, so requests and responses do not necessarily follow the same path. In transit a message is encrypted at several levels (end-to-end, tunnel and transport layer), and the end points are designated by cryptographic identifiers rather than addresses. On top of that, the tunnels themselves are rebuilt every ten minutes.
In addition, I2P uses "garlic routing". In essence this is multi-layered encryption in which a single message (the "garlic") can carry many "cloves", each a fully formed message with its own delivery instructions. When a garlic is assembled before sending, it is packed with cloves that are encrypted messages both from our own node and from others, that is, transit messages. Is a given clove in the garlic our own message, or one created by somebody else and merely passing through us? Nobody else can tell.
Such an elaborate approach provides a high level of data protection without limiting what I2P can be used for. A variety of services can be hosted on the network: IRC, BitTorrent, eDonkey, e-mail. The I2P developers also provide an API for building new applications that work over the secure network without requiring the user to install and configure anything beyond the I2P client.
Interesting I2P Internal Resources
inproxy.tino.i2p/status.php is a constantly updated index of eepsites showing whether each service is reachable; tracker2.postman.i2p and exotrack.i2p are the largest BitTorrent trackers; hashparty.i2p is a hash-cracking service (LM, MD5, MYSQLSHA1, NTLM, SHA1 and others); redzara.i2p
Client Installation
Now to the installation of the client, which brings us to the practical part of this article. I2P is written in Java, so the application can be run on almost any OS as long as a Java VM is installed. The client distribution comes with a convenient installer that does everything for you. When installation is complete, go to the application directory and start its daemon. All management is done through the web console at 127.0.0.1:7657/index.jsp, which is what we will work with from here on. To be able to visit I2P resources (and, anonymously, external Internet resources), it is best to configure an HTTP proxy in the browser right away: 127.0.0.1:4444. That is the whole installation; there is nothing to add.
Anonymous Website Hosting
Since one of I2P's main purposes is to create the conditions for fully anonymous hosting, it makes sense to begin the practical part right there. A site hosted inside I2P is called an eepsite. True, it will not be reachable by the general public from the Internet, but I2P users will always be able to reach it and, if they wish, set up a mirror on the open network. In that case, in theory (a question for a separate discussion, to which we will return at the end of the article), it will be extremely hard to identify your real IP address. Below are step-by-step instructions for hosting a site through I2P.
- If you open 127.0.0.1:7658 you will see a stub site. This is the eepsite template we will use. All you need to do is edit or replace the files in ~/.i2p/eepsite/docroot/ (Linux) or %APPDATA%\I2P\eepsite\docroot (Windows). This is the standard folder of the Jetty web server installed together with I2P; it is this server that accepts connections on port 7658. Understand that at the moment it is just a local site. To make it available to other users, a corresponding tunnel has to be created for it on the I2P network.
- Fortunately, a tunnel template is provided. Open the tunnel manager (127.0.0.1:7657/i2ptunnel): in the "I2P Server Tunnels" section you will see the entry "I2P webserver", which is exactly what we need. The tunnel is currently stopped. Open its settings. The first parameter to note is "Local destination" and its value, something like "F94tTd-vSO7C0v~4wudVsaYV[.. cut out ...]AAAA". This long Base64 string is the key used for addressing inside the I2P network, something like an IP address. Copy it somewhere for convenience; we will need it again. Now is also the time to convert it to the readable Base32 form (the meaning of this operation was described above) with a simple Python script (look for it on the disk). Given the original identifier as input, the script outputs a key of the form "zeky7b4hp3hscdwovgb2vtdbvltsvpf24ushype5uoigu42p3v5q.b32.i2p". If the tunnel were started now, other users could already connect to it using that address. But it is too early to activate the tunnel: we still have to take care that our site gets a domain name.
- I2P has no DNS as such, but it has substitutes, so we can register a domain name (something.i2p) for our eepsite. Whether the name is already taken by somebody else is easy to check through a special page: 127.0.0.1:7657/susidns/addressbook.jsp?book=router&filter=none. Once sure the name is unique, go back to the tunnel settings and replace the default value "mysite.i2p" with the chosen name (for example, xa31337xa.i2p). It will not hurt to enable the "Auto Start" option so that the service starts together with I2P.
- The minimum setup is done! Now the tunnel can be turned on: in the tunnel manager press the "Start" button for our eepsite. In the "Status" column the indicator star first turns yellow and then green. If you return to the main console page, the Local Tunnels category in the left pane now shows a new entry for our eepsite. From this moment anonymous hosting is up and running! You can share the Base32 identifier with somebody, and that person will open our site in the browser without any trouble.
- Now to finish the business of the domain name. The first thing to do is to add the chosen domain to your own address book through the web interface at 127.0.0.1:7657/susidns/addressbook.jsp?book=master. After that you can try to open the site from the local machine using the domain name and make sure everything works.
- Information about our eepsite must also be added to distributed address stores such as stats.i2p. On that resource you will quickly find a form for adding a new record. Here, again, you specify the domain name and the local destination (516 bytes in Base64), and do not forget to click "Submit". What is the point? Many clients periodically update their local address books with fresh entries from this site, so after some time (from several hours to several days) each of those users will have an entry for our xa31337xa.i2p. It is a slow analogue of a DNS server, but it works. Users can, meanwhile, reach the site immediately through its Base32 address or through a link of the form stats.i2p/cgi-bin/jump.cgi?a=xa31337xa.i2p. If the site is of some public interest,
- That is how simply we brought up a server running a site that is extremely hard to trace, and access to which is almost impossible to restrict. To conclude, the resource does not even have to be physically located on the local computer; it can be anywhere, on the local network or even on the Internet. Nothing stops us from pointing the tunnel not at 127.0.0.1:80 but at, say, 92.241.175.142:80 (the IP address of xakep.ru). Keep in mind, though, that the hop from the I2P router to such a backend travels outside I2P: the backend sees the router's real IP address in its logs, and the traffic on that leg is not protected by I2P's encryption, so the anonymity of the site then rests on that link.
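The server-tunnel setup above, together with the caveat about pointing a tunnel at a non-local backend, as an added Python example that is not part of the original article or of the I2P project: an audit of i2ptunnel.config, the file in which the router stores what the tunnel manager shows. The key names used (tunnel.N.type, targetHost, targetPort, spoofedHost, startOnLoad, listenPort, interface) are those of i2ptunnel.config as recalled by the author of this example and are an assumption to verify against your own file; the sample config is constructed.

```python
import ipaddress

# Constructed sample of ~/.i2p/i2ptunnel.config (key names assumed, see
# lead-in).  Tunnel 2 mirrors the article's "forward to 92.241.175.142:80".
SAMPLE_CONFIG = """\
tunnel.0.name=I2P webserver
tunnel.0.type=httpserver
tunnel.0.targetHost=127.0.0.1
tunnel.0.targetPort=7658
tunnel.0.spoofedHost=xa31337xa.i2p
tunnel.0.privKeyFile=eepsite/eepPriv.dat
tunnel.0.startOnLoad=true
tunnel.1.name=ssh on the home router
tunnel.1.type=server
tunnel.1.targetHost=192.168.1.1
tunnel.1.targetPort=22
tunnel.1.privKeyFile=i2ptunnel1-privKeys.dat
tunnel.1.startOnLoad=false
tunnel.2.name=mirror of xakep.ru
tunnel.2.type=httpserver
tunnel.2.targetHost=92.241.175.142
tunnel.2.targetPort=80
tunnel.2.spoofedHost=mysite.i2p
tunnel.2.privKeyFile=i2ptunnel2-privKeys.dat
tunnel.2.startOnLoad=true
tunnel.3.name=I2P HTTP Proxy
tunnel.3.type=httpclient
tunnel.3.interface=127.0.0.1
tunnel.3.listenPort=4444
"""


def parse_tunnel_config(text: str) -> dict:
    """Group 'tunnel.<n>.<key>=<value>' lines by tunnel number."""
    tunnels = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = key.split(".", 2)
        if len(parts) != 3 or parts[0] != "tunnel" or not parts[1].isdigit():
            continue
        tunnels.setdefault(int(parts[1]), {})[parts[2]] = value.strip()
    return tunnels


def classify_host(host: str) -> str:
    """'loopback', 'lan', 'public' or 'name' (a hostname, not an address)."""
    if host.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "lan"
    return "public"


def audit_tunnels(tunnels: dict) -> list:
    """Return (tunnel_number, severity, message) findings."""
    findings = []
    for num in sorted(tunnels):
        t = tunnels[num]
        name = t.get("name", f"tunnel.{num}")
        if "targetHost" in t:                      # server tunnel: I2P -> backend
            target = f"{t['targetHost']}:{t.get('targetPort', '?')}"
            where = classify_host(t["targetHost"])
            if where == "public":
                findings.append((num, "high", f"{name}: backend {target} is reached over "
                                 "the open Internet from the router's real IP; that leg is "
                                 "outside I2P's encryption and the backend logs the router"))
            elif where == "lan":
                findings.append((num, "medium", f"{name}: backend {target} is another host; "
                                 "anyone on that segment can see which machine serves the eepsite"))
            elif where == "name":
                findings.append((num, "medium", f"{name}: backend {target} is a hostname; "
                                 "resolve it and re-check where it points"))
            if t.get("spoofedHost", "") == "mysite.i2p":
                findings.append((num, "low", f"{name}: spoofedHost still has the default "
                                 "value mysite.i2p; the backend sees that name in Host:"))
            if t.get("startOnLoad", "false").lower() != "true":
                findings.append((num, "info", f"{name}: startOnLoad is off; the service "
                                 "stays down after the router restarts"))
        elif "listenPort" in t:                    # client tunnel: local app -> I2P
            iface = t.get("interface", "127.0.0.1")
            if classify_host(iface) != "loopback":
                findings.append((num, "high", f"{name}: listens on {iface}:{t['listenPort']}; "
                                 "other hosts can use your router as their proxy"))
    return findings


if __name__ == "__main__":
    for num, severity, message in audit_tunnels(parse_tunnel_config(SAMPLE_CONFIG)):
        print(f"[{severity:6}] tunnel {num}: {message}")
```

Run it against your own i2ptunnel.config after the router has been stopped (the router rewrites the file on changes); a clean eepsite setup yields no findings for its server tunnel, which is what the loopback-only target of the "I2P webserver" entry above gives.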
Anonymous Surfing
Anonymous surfing may not be I2P's main purpose, but it is implemented nonetheless. All you need to do is set the browser proxy to 127.0.0.1:4444. How safe such surfing is, however, you must decide for yourself. Special gateways (the so-called outproxies) are used to reach Internet resources, and there is a real risk that somebody has installed a sniffer there and monitors all the traffic: the outproxy sees the plaintext of every request that is not itself encrypted. In short, I2P is not meant for that. If you want to reach the Internet through an anonymous and encrypted channel, use a VPN, Tor or an SSH tunnel. I2P is, first of all, anonymous hosting.
Hosting an SSH Server
Besides hosting web servers directly through I2P, many other services work quite well. As an example, here are the settings for an SSH tunnel, useful if only for administering your eepsite. There are a few subtleties.
- To begin, create a new server tunnel in the familiar I2P tunnel manager and specify the address and port of the SSH server. Let it be a daemon running somewhere on our local network, say on a router or access point (for definiteness, 192.168.1.1:22). Next we need the local destination generated by the tunnel manager; convert the long identifier into its short (Base32) form, which we will need in order to connect.
- It may seem that all the client now has to do is enter the service identifier in an SSH client (PuTTY, for example). Not so: other I2P users cannot reach this service directly. SOCKS has to be used, which in turn requires a special tunnel. So, on the machine that will connect, open the I2P tunnel manager, find the "I2P Client Tunnels" section and create a "SOCKS 4/4a/5" tunnel. Practically the only option to specify is the port (for definiteness, 5454).
- Now check that it all works. Open PuTTY and enter the identifier obtained in step one as the host name. Under "Connection > Proxy" choose the SOCKS 5 proxy type and in the "Proxy hostname" and port fields enter the address of the SOCKS tunnel we have just created: 127.0.0.1, port 5454. The option "Do DNS name lookup at proxy end" must be set to "Yes" or "Auto", so that the .b32.i2p name is handed to I2P for resolution rather than looked up locally.
- That is all. It only remains to connect to the server and see that SSH works fine over I2P's secure transport. In the same way you can host not only web servers but many other daemons.
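The SOCKS step above, as an added Python example that is not part of the original article: the SOCKS5 exchange that PuTTY performs against the I2P SOCKS tunnel, written out so that the .b32.i2p name is handed to the proxy as a domain name (ATYP 3), which is exactly what "Do DNS name lookup at proxy end" does, and wrapped as an OpenSSH ProxyCommand. Port 5454 and the "no authentication" method are assumptions taken from the text; the reply bytes in the checks are constructed.

```python
import socket
import sys
import threading

PROXY = ("127.0.0.1", 5454)           # the SOCKS client tunnel created above

SOCKS5_REPLY_CODES = {
    0: "succeeded", 1: "general SOCKS server failure", 2: "connection not allowed",
    3: "network unreachable", 4: "host unreachable", 5: "connection refused",
    6: "TTL expired", 7: "command not supported", 8: "address type not supported",
}


def socks5_greeting() -> bytes:
    """Version 5, one method offered: 0x00 = no authentication."""
    return b"\x05\x01\x00"


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT (0x01) with ATYP 0x03 (domain name).

    The name goes to the proxy as text, so the I2P router resolves it
    (address book or .b32 hash).  Resolving it locally would fail and would
    leak a DNS query for the .i2p name to the clearnet resolver.
    """
    name = host.encode("ascii")           # I2P names are plain ASCII
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes for SOCKS5")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + port.to_bytes(2, "big")


def parse_socks5_reply(data: bytes) -> int:
    """Return REP from a SOCKS5 reply header; 0 means success."""
    if len(data) < 2 or data[0] != 5:
        raise ValueError("not a SOCKS5 reply")
    return data[1]


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def open_via_i2p_socks(host: str, port: int, proxy=PROXY) -> socket.socket:
    """Do the SOCKS5 handshake and return a socket connected, via I2P, to host:port."""
    sock = socket.create_connection(proxy)
    try:
        sock.sendall(socks5_greeting())
        if _recv_exact(sock, 2) != b"\x05\x00":
            raise ConnectionError("proxy did not accept 'no authentication'")
        sock.sendall(socks5_connect_request(host, port))
        head = _recv_exact(sock, 4)
        rep = parse_socks5_reply(head)
        # consume BND.ADDR and BND.PORT so the application stream starts clean
        atyp = head[3]
        if atyp == 1:
            _recv_exact(sock, 4)
        elif atyp == 4:
            _recv_exact(sock, 16)
        elif atyp == 3:
            _recv_exact(sock, _recv_exact(sock, 1)[0])
        _recv_exact(sock, 2)
        if rep != 0:
            raise ConnectionError(f"SOCKS5 CONNECT failed: {SOCKS5_REPLY_CODES.get(rep, rep)}")
    except Exception:
        sock.close()
        raise
    return sock


def relay_stdio(sock: socket.socket) -> None:
    """Copy stdin -> socket and socket -> stdout, which is all ssh expects of a ProxyCommand."""
    def upstream():
        while True:
            data = sys.stdin.buffer.read1(65536)
            if not data:
                break
            sock.sendall(data)
        try:
            sock.shutdown(socket.SHUT_WR)
        except OSError:
            pass
    threading.Thread(target=upstream, daemon=True).start()
    while True:
        data = sock.recv(65536)
        if not data:
            break
        sys.stdout.buffer.write(data)
        sys.stdout.buffer.flush()


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: i2p_socks_proxycmd.py <name.b32.i2p> <port>")
    relay_stdio(open_via_i2p_socks(sys.argv[1], int(sys.argv[2])))
```

With OpenSSH this replaces the PuTTY settings: ssh -o ProxyCommand='python3 i2p_socks_proxycmd.py %h %p' admin@<name>.b32.i2p. Where OpenBSD-style netcat is available, ProxyCommand nc -X 5 -x 127.0.0.1:5454 %h %p does the same. The b32 name authenticates the I2P endpoint, but it says nothing about the SSH daemon behind it, so still verify the host key fingerprint on first connection.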
Peer information is the best illustration of the P2P nature of the I2P network
Is it safe?
A cautious reader may ask: "Can I2P really guarantee 100% anonymity to the owner of an eepsite?" The short answer is no. However well thought out the system itself is, the services hosted inside I2P can give their owner away. The simplest example is a vulnerability in the web application: if an attacker manages to exploit it to the point of executing commands, there is a high probability of learning the real IP address of the machine.
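The point above, as an added Python example that is not part of the original article: before exposing an eepsite, check its own responses for the passive giveaways (server banners, addresses in error pages, resources loaded from the clearnet) that need no exploit at all. The headers and HTML below are constructed test data, not a capture from any real site.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Response headers that name the software or the host behind the tunnel.
LEAKY_HEADERS = {"server", "x-powered-by", "via", "x-forwarded-for",
                 "x-real-ip", "x-served-by", "x-backend-server"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# src/href/action attributes that point at absolute http(s) URLs
URL_RE = re.compile(r"""(?:href|src|action)\s*=\s*["']?(https?://[^"'\s>]+)""", re.I)


def audit_eepsite_response(headers: dict, body: str) -> list:
    """Return a list of findings for one HTTP response from the eepsite."""
    findings = []
    for name, value in headers.items():
        if name.lower() in LEAKY_HEADERS:
            findings.append(f"header {name}: {value!r} describes the software/host behind the tunnel")
    for ip in sorted(set(IPV4_RE.findall(body))):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:            # e.g. 999.1.1.1, just a dotted number
            continue
        if addr.is_loopback:
            continue
        kind = "public" if addr.is_global else "private"
        findings.append(f"body contains {kind} IPv4 address {ip}")
    for url in sorted(set(URL_RE.findall(body))):
        host = urlparse(url).hostname or ""
        if not host.endswith(".i2p"):
            findings.append(f"body references clearnet resource {url}: a visitor's browser "
                            "fetches it outside I2P, linking the visitor to the eepsite, and "
                            "it reveals which clearnet hosts the site depends on")
    return findings


# Constructed sample: a default Apache 404 page with ServerSignature on, plus
# two external resources.  Not a capture from any real site.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.16 (Debian)",
    "X-Powered-By": "PHP/5.3.3-7",
    "Content-Type": "text/html; charset=utf-8",
}
SAMPLE_BODY = """<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /admin was not found on this server.</p>
<address>Apache/2.2.16 (Debian) Server at 192.168.1.5 Port 80</address>
<img src="http://static.example.org/logo.png">
<script src="https://cdn.example.net/js/app.js"></script>
<a href="http://wiki.xa31337xa.i2p/">wiki</a>
</body></html>"""


if __name__ == "__main__":
    for finding in audit_eepsite_response(SAMPLE_HEADERS, SAMPLE_BODY):
        print("-", finding)
```

Feed it the headers and body of every error page as well as the front page; the classic leak is the Apache signature line, silenced with ServerTokens Prod and ServerSignature Off. The audit covers only what the server volunteers; the active leaks the text describes (a compromised application reading the host's address, or being made to fetch an attacker's URL) are defeated only by giving the serving host no route to the clearnet at all.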