- part1: how to start an anonymous website anonymously
- OPSEC (again... always...)
- Server Setup & Maintenance
- Anonymous Online Content
We assume you want to stay anonymous after you went through all that hassle to set up your own anonymous website anonymously. This post is not meant to be a definitive guide; it is meant to outline some of the challenges you are going to face when you keep running a website anonymously after you managed to set it up anonymously. Without going into detail, our list features a few tips and best practices.
However, we have to repeat that you proceed at your own risk: we can only offer advice. How do you know you can trust us? You should always inform yourself, do your homework, check other resources and verify any information you are given...
OPSEC (again... always...)
Revisit the point about Operational Security in the first part of this guide: https://term7.info/how-to-start-an-anonymous-website-anonymously/#OPSEC.
Read The Hitchhiker's Guide to Online Anonymity: http://thgtoallkcxrdv37u6knsc3pumk6cq6lqmcqlw3j5vkmyahkxive4jyd.onion/guide.html
Server Setup & Maintenance
- If you decided to self-host and you rent your own VPS, the most important thing to do at the very beginning is to secure it properly. Harden SSH, the way you log into your server: set up your own user account and disallow root login, use an SSH key instead of a password and disable password authentication entirely, preferably with the key held on a cryptographic hardware token such as a Nitrokey (OpenSSH 8.2 and later can also use FIDO2 tokens directly, via the ed25519-sk and ecdsa-sk key types). Changing the default SSH port only cuts down the scanner noise in your logs; it is not a security control, a port scan finds the new port in seconds, so do not rely on it. Set up a firewall and configure it to suit your needs, close all unnecessary ports, install fail2ban to mitigate brute-force attacks, monitor your logs and always keep your system and all of your applications up to date. Whenever you change the SSH configuration, validate it (sshd -t) and open a second session to confirm that you can still log in before you close the one you are working in; otherwise you can lock yourself out of a server you may have no other way of reaching. You can find a lot of tutorials online on how to secure a VPS. Take your time and do your research before you decide how to configure your server.
- After you have secured your server, in order to run a website you will most likely install a LAMP stack (Linux, Apache, MySQL/MariaDB, PHP) or a LEMP stack (the same with NGINX instead of Apache) with Apache2 or NGINX as the web server. Both Apache2 and NGINX can be tweaked for security: turn off the version banner (ServerTokens Prod in Apache, server_tokens off in NGINX), disable directory listings and serve only the virtual hosts you actually need. The same is true for a WordPress installation that is built on top of a LAMP or a LEMP stack: keep core, themes and plugins up to date and install as few plugins as possible, because every plugin is code from someone else running on your server.
- Consider installing Tor on your server and making your anonymous website available as a Tor v3 onion service. That way you can access and maintain your website from within the Tor network, and if you serve it as an onion service only, visitors never connect to your server's public IP address at all. Make sure the web server behind the onion service listens on localhost (127.0.0.1) only; if the same content also answers on the public IP, anyone who finds it can tie your onion address to your server. You can expose SSH as a second, separate onion service in the same way, so that your administration traffic never leaves the Tor network either; just keep a fallback (for example the provider's console) for the day Tor is unreachable.
- Keep the attack surface of your server as minimal as possible: only install what you really need to run your website and keep things simple. The more complex an installation gets, the more likely it is that you miss a vulnerability or make a mistake.
- Don't use commercial proprietary products on your anonymous server. Only use free and open source software (FOSS). Open source is not automatically secure, but its code can be reviewed by anyone and there usually is a large community of developers and users looking at it. With closed source software you have to trust the company that sells it, because you cannot inspect its source code yourself.
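What the SSH hardening, fail2ban and Tor onion service points above look like in practice, as an added example that is not part of the original post: three configuration fragments for a Debian/Ubuntu-style VPS with OpenSSH 8.2 or later, with the default or weak value noted above each hardened directive. The user name deploy, the port 2222 and the onion service directory names are placeholders chosen for this example, and the file paths follow the Debian layout.

```conf
# /etc/ssh/sshd_config.d/10-hardening.conf
# Read via the "Include /etc/ssh/sshd_config.d/*.conf" line at the top of sshd_config
# (Debian 11+/Ubuntu 20.04+); directives here take precedence over the main file.
# sshd does not accept comments at the end of a directive line, so notes go above.

# default 22: a non-standard port only reduces scanner noise, it hides nothing
Port 2222
# default prohibit-password: root could still log in with a key
PermitRootLogin no
# default yes: keys only, no passwords at all
PasswordAuthentication no
# default yes (newer name: KbdInteractiveAuthentication)
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
# placeholder user; everybody else is rejected before authentication starts
AllowUsers deploy
# default 6
MaxAuthTries 3
# default 120 seconds
LoginGraceTime 30
# Debian's shipped sshd_config enables X11 forwarding; a web server needs none of these
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
# drop dead sessions after 2 x 300 s of silence
ClientAliveInterval 300
ClientAliveCountMax 2
# If SSH is reached through the onion service only, you can additionally bind it to
# loopback (ListenAddress 127.0.0.1); then keep the provider console as your fallback.

# /etc/fail2ban/jail.local
# Only the overrides go here; jail.conf is replaced on package upgrades.
[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5
# Debian 12 has no /var/log/auth.log unless rsyslog is installed; read the journal instead.
backend  = systemd

[sshd]
enabled = true
# must match the Port directive above, otherwise the jail watches the wrong port
port    = 2222

# /etc/tor/torrc
# Website: Tor forwards to the web server on loopback, so the server must listen on
# 127.0.0.1:80 only (NGINX: "listen 127.0.0.1:80;") and never on the public address.
HiddenServiceDir /var/lib/tor/website/
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:80

# Separate onion service for administration; it gets its own onion address.
HiddenServiceDir /var/lib/tor/ssh/
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:2222
```

Validate with sshd -t and reload with systemctl reload ssh while a second session stays open; fail2ban-client status sshd shows whether the jail is active; after systemctl restart tor, the onion addresses are in /var/lib/tor/website/hostname and /var/lib/tor/ssh/hostname. With ufw the matching firewall is ufw default deny incoming, then ufw allow 2222/tcp (only if you keep clearnet SSH) and ufw enable; an onion-only website needs no inbound port 80 or 443 at all.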
Anonymous Online Content
- If you run an anonymous blog and you want to post a picture, make sure you delete all metadata, like geographic coordinates, the timestamp, properties that may reveal what kind of phone or camera you used, etc., before you post it. An easy-to-use FOSS tool that deletes metadata and runs on Linux, macOS and Windows is ExifCleaner. Check the result instead of trusting the tool: metadata can live in more than one place in a file (Exif, XMP and IPTC blocks in a JPEG, their own chunks in PNG and WebP), so inspect the cleaned file (e.g. with exiftool) before you upload it. Weigh the risks of what the content of the picture may reveal about yourself. For example it may show where it was taken (e.g. because there is an iconic building in the background), it may even reveal you as the photographer (e.g. if you are visible in a window reflection)...
- Every person has a unique way of writing, and the measurement of that style is called stylometry. Your writing style can be analysed by forensic linguistics, which uses algorithms to compare your word choices (lexical features), your sentence structure, hyphenation and punctuation (syntactic features), the acronyms and contextually significant words you use (content-specific features) and the grammatical errors you make (idiosyncratic features) with databases of collected texts (e.g. posts on Twitter or Reddit). This analysis can reveal your approximate age, gender and a lot about your personality, and it can link an anonymous text to texts you have published under your own name. To counteract forensic linguistic analysis you should be conscious about your style and the choices you make when writing a text. Try to identify your own patterns of writing and break them in any context where you want to remain anonymous. Furthermore we recommend you use a spell checker to get rid of any grammatical and spelling errors. To further de-personalise your writing you can use translation software to translate your text from one language into another and another and another (...), before you finally translate it back into the language you want to use; proofread the result, and do not paste an unpublished anonymous text into an online translation service from your normal connection, because that hands the text and your identity to a third party at the same time. Use an offline translator, or at least go through Tor. Read more about How to Counteract Forensic Linguistics on privacytools.io.
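The metadata segments ExifCleaner removes can be stripped and checked by hand as well. The following Python script is an added example (our own, not a tool from the original post or from the ExifCleaner project): it walks the marker segments of a baseline JPEG, drops the Exif, XMP, IPTC and comment segments and keeps everything else untouched. The file it runs on is a constructed JPEG skeleton with valid marker structure but no real image data; the fake "Exif" and XMP bodies are placeholders.

```python
import struct

SOI = b"\xff\xd8"   # start of image
SOS = 0xDA          # start of scan: image data follows; metadata segments never do
EOI = 0xD9          # end of image
# Marker segments that carry metadata instead of image data:
#   APP1  (0xE1) Exif (camera model, GPS, timestamp) and XMP (editing history)
#   APP13 (0xED) Photoshop IRB, which holds IPTC captions, creator and keywords
#   COM   (0xFE) free-text comment
# APP0 (JFIF), APP2 (ICC colour profile) and the codec tables are kept.
METADATA_MARKERS = {0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}


def _segments(data: bytes):
    """Yield (offset, marker, size) for each header segment; the last one is the rest of the file."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG file (missing SOI marker)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos + 2 < len(data) and data[pos + 1] == 0xFF:   # 0xFF fill bytes are allowed
            pos += 1
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            yield pos, marker, len(data) - pos   # scan data and EOI are copied verbatim
            return
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment header at offset {pos}")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])   # length includes its own 2 bytes
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        yield pos, marker, 2 + length
        pos += 2 + length
    raise ValueError("no SOS or EOI marker found")


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with the Exif/XMP/IPTC/comment segments removed."""
    out = bytearray(SOI)
    for pos, marker, size in _segments(data):
        if marker not in METADATA_MARKERS:
            out += data[pos:pos + size]
    return bytes(out)


def list_metadata(data: bytes) -> list:
    """Names of the metadata segments present, e.g. ['APP1', 'COM']; [] means clean."""
    return [METADATA_MARKERS[m] for _, m, _ in _segments(data) if m in METADATA_MARKERS]


def clean_file(src: str, dst: str) -> list:
    """Write a stripped copy of src to dst and return the segment names that were removed."""
    with open(src, "rb") as f:
        data = f.read()
    removed = list_metadata(data)
    with open(dst, "wb") as f:
        f.write(strip_jpeg_metadata(data))
    return removed


def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed JPEG skeleton for the demo: valid marker layout, no real picture inside.
SAMPLE_JPEG = (
    SOI
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")       # APP0, kept
    + _seg(0xE1, b"Exif\x00\x00MM\x00\x2a\x00\x00\x00\x08\x00\x00")     # Exif, dropped
    + _seg(0xE1, b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta/>")      # XMP, dropped
    + _seg(0xFE, b"Shot on my phone, 2024")                              # COM, dropped
    + _seg(0xDB, b"\x00" + bytes(range(64)))                             # DQT, kept
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")                             # SOS header
    + b"\x12\x34\xff\x00\x56"                                            # fake scan data
    + bytes([0xFF, EOI])
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("before:", list_metadata(SAMPLE_JPEG))
    print("after: ", list_metadata(cleaned), f"({len(SAMPLE_JPEG)} -> {len(cleaned)} bytes)")
```

Everything from the first SOS marker on is copied as-is, which is correct for baseline JPEGs and for the usual placement of metadata; a file produced by an unusual writer could carry an APP segment between scans, which is one more reason to inspect the output with an independent tool before publishing.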
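To make the stylometric features in the paragraph above concrete, here is an added Python example that is not part of the original post or of the privacytools.io article. It extracts a small profile from a text (average word and sentence length, vocabulary richness, function-word and punctuation rates per 100 words), measures how far a draft is from a sample of known writing, reports which features give the most away, and shows the attribution step an analyst would run: picking the known author whose profile is closest to the anonymous draft. The three text samples are constructed for the example; a real analysis uses far more text and normalises each feature against a reference corpus, as Burrows' Delta and its descendants do.

```python
import math
import re
from collections import Counter

# Function words are used unconsciously and carry almost no topic information, so their
# rates survive a change of subject; they are the classic features of authorship attribution.
FUNCTION_WORDS = ("the", "a", "an", "and", "but", "or", "of", "to", "in", "that", "is",
                  "it", "for", "with", "as", "on", "at", "by", "this", "not", "so",
                  "i", "you", "we")
PUNCTUATION = (",", ";", ":", "!", "?", "(", "...", " - ")


def features(text: str) -> dict:
    """Stylometric profile of one text; every rate is per 100 words so texts of different length compare."""
    words = re.findall(r"[A-Za-z']+", text.lower())
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    n_words = max(len(words), 1)
    counts = Counter(words)
    profile = {
        "avg_word_len": sum(len(w) for w in words) / n_words,
        "avg_sent_len": n_words / max(len(sentences), 1),
        "type_token_ratio": len(counts) / n_words * 100,   # vocabulary richness
    }
    for w in FUNCTION_WORDS:
        profile["fw:" + w] = counts[w] / n_words * 100
    for p in PUNCTUATION:
        profile["punct:" + p.strip()] = text.count(p) / n_words * 100
    return profile


def distance(a: dict, b: dict) -> float:
    """Euclidean distance between two profiles; smaller means the writing looks more alike."""
    return math.sqrt(sum((a[k] - b[k]) ** 2 for k in a))


def biggest_differences(a: dict, b: dict, n: int = 5) -> list:
    """The n features that separate the two profiles most: what you would have to change."""
    return sorted(a, key=lambda k: abs(a[k] - b[k]), reverse=True)[:n]


def closest_author(draft: dict, known: dict) -> str:
    """Attribution step: name of the known profile nearest to the anonymous draft."""
    return min(known, key=lambda name: distance(draft, known[name]))


# Constructed samples for the demo. KNOWN and DRAFT share one writer's habits (long clauses,
# commas, parentheses, ellipses, "you") on different topics; OTHER is a terse first-person style.
TEXT_KNOWN = ("If you decide to run your own server, and you probably should, then you need to "
              "think about the logs (all of them...), because they are the first thing that "
              "leaks. Of course you can rotate them, but that is not the same as never writing "
              "them, and you will forget... So, as always, keep it simple.")
TEXT_DRAFT = ("When you post a picture, and you will want to at some point, think about what "
              "the background gives away (an iconic building, a street sign...), because the "
              "metadata is only half the problem. You can strip the Exif data, but that does "
              "not remove the reflection in the window, and people will notice... So, again, "
              "look twice before you publish.")
TEXT_OTHER = ("I removed the metadata. The photo is clean. The server is patched. Backups run "
              "nightly. Nothing else changed. I will post tomorrow.")

if __name__ == "__main__":
    known, draft, other = features(TEXT_KNOWN), features(TEXT_DRAFT), features(TEXT_OTHER)
    print("draft vs known writing:", round(distance(known, draft), 2))
    print("draft vs other writer: ", round(distance(other, draft), 2))
    print("what gives the draft away:", biggest_differences(draft, other))
    print("attributed to:", closest_author(draft, {"me": known, "someone else": other}))
```

The draft sits much closer to the known sample than to the other writer even though its topic is different, and the features that separate the two styles are exactly the unconscious ones (sentence length, comma rate, the habit of addressing the reader as "you"); those are the patterns to break, not the vocabulary.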