Actually I'm just a big security fanboy hehehe, it's the greatest hobby ever. Cryptography has got to be the coolest hobby ever.
Cryptography is never, and can never be a "hobby". If you think so, you have no understanding of the issues involved in security, and certainly should not even be thinking of running a service.
Internet --> Modem --> Sonicwall TZ215 --> OpenBSD firewall appliance --> OpenBSD Server with TOR Hidden Service
Notes
-OpenBSD is considered to be the most secure OS out there
The most secure free and publically available maybe - but it is not the most secure.
-OBSD comes with military grade encryption
Military grade encryption = minimum requirements to work at specific levels due to the complexity required to crack the data through brute force- potential key compromise. (according to country - Unclassified, Restricted, Secret, Top Secret, Code-word clearance). Which category does OpenBSD fall into? Continuously evaluated with recommendations published frequently, and new competitions to produce alternatives (c.f. SHA3). Once upon a time MD4 was military strength, but is now crackable in microseconds, particularly with rainbow tables. DES similarly was military strength, again crackable through brute force with a moderately cheap GPU.
Now my only problem is whether I can successfully run vBulletin with OpenBSD as a server.
and you want to run a perfectly secure OS with three of the most buggy, incapable bits of software in PHP, vBulletin and MySQL? I don't think you can find more incapable bits of software for a secure system if you tried. (I'd be interested to know)
If you want evidence read any of the following.
Bugtraq
packetstorm
Seclist.org
If you aren't reading any of them then you certainly shouldn't be claiming that you can run a service responsibly. If you don't know what any of the above are then you should not be running anything period. For at least a year. Maybe more.
In fact you should also be reading the Tor and Onion mailing lists on a daily basis.
You should be capable of compiling and analysing the code, for any claim to be substantiated.
The setup is nice an everything but the vBulletin track record on security is not that great. Everything else is useless if some remote exploit can reveal the servers ip address.
How is that possible when used in conjunction with TOR?
because you have access to the computers network if you have compromised the application software/database, thereby being able to obtain the IP address - particularly useful if you have uPnP enabled, and other unicast/multicast protocols on the network (dhcp, bonjour/zeroconf etc.). VMs can be susceptible dependent on the virtualisation configuration. Does a chroot jail ring a bell?
Just to be clear, OpenBSD is not, and never will be the securest Operating System. Whilst it does a very good job of being secure, it has no independent formal verification.
Please look up the terms Common Criteria, NIST, NSA, EAL (particularly EAL4+ ALC.FLR.*) and
Most importantly you seem not to have read the mailing lists and website that tell you how to do exactly what you want to do without causing problems. (hint. it's a VM solution, with a firegap.)
marked
