tomcat7 tor

Use tomcat servlet engine with TOR


I want to use Tomcat as a servlet container on the tor network as a hidden service. What is the easiest and most secure way to do this without any IP leaking or stack traces giving away IP addresses?

Thanks in advance


Solution

  • Setting up an anonymous Tor/Tomcat service is pretty straightforward:

    1. On Tomcat default install, edit META-INF/context.xml to allow connections only from localhost:

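    <Context>
        <!-- Tomcat 7 and later read allow as a single regular expression,
             so the two loopback forms are joined with | instead of a comma. -->
        <Valve className="org.apache.catalina.valves.RemoteAddrValve"
               allow="127\.0\.0\.1|0:0:0:0:0:0:0:1" />
    </Context>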
    

    2. On Tor default install, edit torrc file to provide access to your local service through the Tor network, for example:

    HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/
    HiddenServicePort 80 127.0.0.1:8080
    

    (torrc is usually located in /etc/tor. If you are setting it up on Debian-based distros, like Ubuntu, you should use their repo, not the distro's repo)

    And that's it. You are done. You have set up an anonymous service ~99.99% of people in this world would not be able to break, providing they wanted to (this number is just an educated guess, but you get the idea).

    Now, please allow me to get a little bit out of the specific topic to put your question in context:

    The real risk here is anonymity leaks in the content you publish. Triple check for those before you post anything.

    A close second would be vulnerabilities in your application code, or any other point of your server stack. You will always have those. You have to always be one step ahead and discover them and patch them before anyone else interested in uncovering your site does.

    I will not go into the morality and ethics of what you may or may not intend to do, but you shouldn't do it if you cannot understand and assume that if your service lives long enough and becomes popular enough it will be compromised, eventually. So be prepared to deal with that and have a contingency plan / disaster recovery strategy.

    To minimize the risk I suggest you only deploy actively maintained apps with fully tested open source code. Stable and up to date versions written by skilled people with many years of experience on projects where security is the top priority. Every line of code written by your team must be carefully reviewed before going into production. Apart from that review, keep in mind that any quality product should have at least 40% of the staff dedicated exclusively to test it. That applies as much to UX as it does to security issues. And I cannot stress this enough:

    Always keep everything up to date

    Remove anything you don't need, leave only the minimum requirements. Securely erase every log file after checking it (a fairly simple logrotate configuration can do that automatically for you, but don't forget to check the logs for successful attacks before they are erased. You will get used to it, since most attempts are very obvious, and after a while you'll know with just a look which ones can be dismissed right away and which ones you should check on). Be extra careful with exposed API methods or any kind of user input. Sanitize and validate everything coming in from the other end. Test thoroughly before deploying. If your service becomes popular you need skilled people you can trust to constantly try to break your app in any possible way. There are security firms you can hire for conducting audits on the base code of the applications you deploy. Unless you are a genius with 24/7 dedication you cannot do such a task by yourself. And even top geniuses do not become IT security experts overnight; it takes a lot of experience and hard work.

    Some useful links:

    As a bonus, this is not technology related, but a very good read and a reference document on disaster avoidance and recovery measures.
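
An added example, not part of the original answer: a small audit of the two files edited in steps 1 and 2, checking that the RemoteAddrValve pattern admits loopback only and that every HiddenServicePort forwards to a loopback target. The function names, probe addresses and sample inputs are constructed for illustration, and the valve check assumes Tomcat 7+ semantics (one regex that must match the whole address).

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

VALVE = "org.apache.catalina.valves.RemoteAddrValve"
# Constructed probe addresses: the loopback forms Tomcat reports, plus outsiders.
LOOPBACK = ["127.0.0.1", "0:0:0:0:0:0:0:1"]
OUTSIDE = ["10.0.0.5", "192.168.1.20", "203.0.113.7", "2001:db8:0:0:0:0:0:1"]


def audit_context(xml_text):
    """Check that the RemoteAddrValve allow pattern admits loopback only."""
    valves = [v for v in ET.fromstring(xml_text).iter("Valve")
              if v.get("className") == VALVE]
    if not valves:
        return ["no RemoteAddrValve: any client address is accepted"]
    # Assumption: Tomcat 7+ semantics, where allow is ONE regex that must match
    # the whole address; Python's re stands in for java.util.regex here.
    pattern = re.compile(valves[0].get("allow", ""))
    return ([f"allow rejects loopback {a}" for a in LOOPBACK if not pattern.fullmatch(a)]
            + [f"allow admits non-loopback {a}" for a in OUTSIDE if pattern.fullmatch(a)])


def audit_torrc(torrc_text):
    """Check that every HiddenServicePort forwards to a loopback target."""
    findings = []
    for raw in torrc_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0].lower() != "hiddenserviceport":
            continue
        target = parts[2] if len(parts) > 2 else parts[1]
        if target.isdigit() or target.startswith("unix:"):
            continue  # bare port means 127.0.0.1; unix sockets never leave the host
        try:
            host = target[1:target.index("]")] if target.startswith("[") else target.split(":")[0]
            if not ipaddress.ip_address(host).is_loopback:
                findings.append(f"HiddenServicePort target {target} is not loopback")
        except ValueError:
            findings.append(f"HiddenServicePort target {target} is not an IP literal")
    return findings


if __name__ == "__main__":
    # Constructed inputs mirroring the two files edited in the answer.
    context = r'''<Context><Valve className="org.apache.catalina.valves.RemoteAddrValve"
        allow="127\.0\.0\.1|0:0:0:0:0:0:0:1" /></Context>'''
    torrc = "HiddenServiceDir /Library/Tor/var/lib/tor/hidden_service/\nHiddenServicePort 80 127.0.0.1:8080\n"
    print(audit_context(context) or "context.xml: loopback only")
    print(audit_torrc(torrc) or "torrc: loopback targets only")
```

Under the single-regex semantics assumed here, a comma-separated allow value matches no address at all, so the audit reports that both loopback forms are rejected.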