Whonix with the Hiawatha web server and Suricata IPS?


from time to time we hear about ddos, and many other different attacks, is there any sense to implement next tools in whonix? would it bring better security to Whonix or not? all is open source:

  1. hiawatha instead of lighttpd/apache:
    Hiawatha can stop SQL injections, XSS and CSRF attacks and exploit attempts. Via a specially crafted monitoring tool, you can keep track of all your webservers. The SSL Labs website gives Hiawatha an A-rating, where Apache has a C.

detailed instruction: Hiawatha Web Server » ADMIN Magazine

  1. The Suricata is an open source Intrusion Detection system (IDS) and Prevention system (IPS) and Network Security Monitoring engine.


of course, system like this can be made to prevent Tor traffic, but rules can be #disabled, modified, suricata can be made to be good for Tor usage.

  1. suricata recommends perl scripts like pulledpig for monitoring suricata reports and for rules management, there is also snorby, based on ruby on rails … and Django based Scirius (web app for rules management).
  1. codemonkey.net/evebox/ - EveBox attempts to provide something like a Gmail inbox approach to alerts. New alerts are placed in an “Inbox” where they can be archived or escalated (starred).

Good day,

Sadly I can’t tell you much about the mentioned projects, you probably will have to try these yourself if you want to make sure. However, for basic Dos/DDos protection, I’d recommend simply setting up a small html with a captcha query for basic protection.

Adding to that, it should be noted that Dos/DDos isn’t really that big of a problem when hosting a hidden service for the simple reason that, with a few exeptions, most of the time an attempted attack is at “best” going to bring down a guard node or two but not the service you are hosting. That is also the main reason why some actually think about using Tor as a protection against Dos/DDos attacks even on the “clearnet”.

Have a nice day,


is there any sense to implement next tools in whonix?

As a defaults in Whonix no. Its out of scope as we care about shipping a generically useful OS instead of crafting a special image for every specific usecase you can think of. However you are very much encouraged to add any specific HS server advice to our wiki to educate people interested in that.

Realize that using application level traffic blacklisting/detection is an endless arms race.

As Ego mentioned, Tor provides a robust anti-DoS protection at layer 3 in the network stack.

simply setting up a small html with a captcha query for basic protection.

Be careful with that. Using third party services for this will harm your privacy.

1 Like

Good day,

By this I didn’t mean “reCaptcha” as in a service provided by Google but rather captcha as in the concept of verifying that traffic comes from a “real person” via a hard-to-read set of letters. The concept of “Completely Automated Public Turing test to tell Computers and Humans Apart/captcha” is far older than the project provided by Google and something like it can easily be accomplished via html without the need for external/third party services, which is what can be used as a simple Dos/DDos protection for hidden services without the necessity to have JavaScript active.

Have a nice day,


1 Like

Yes I understand just wanted to make sure he does too.

1 Like

okay, thank you for answers, I am agreed that you take care to provide general tor linux OS and it would be much bigger work for you to adapt whonix to all individuals and their needs.

considering ddos, I am agreed that simple captcha can do some protection for individual website/server, and Tor network already survived a massive ddos attack in the past.

possibly I will try to learn during the time to set up virtual server/routers/network (with Virtual Machines) in my laptop and to try to make attacks against hiawatha and apache/lighttpd/nginx inside of virtual machines. I will find tutorials how to do it.

Against ddos, onionbalance?