14_3_Adding_SSH_Hidden_Services.md

File metadata and controls

57 lines (47 loc) · 3.06 KB

Chapter 14.3: Adding SSH Hidden Services

ℹ️ NOTE: This is a draft in progress, so that I can get some feedback from early reviewers. It is not yet ready for learning.

To date, you've used Tor with your Bitcoin services, but you can also use it to protect other services on your machine, improving their security and privacy. This section demonstrates how by introducing an SSH hidden service that lets you log in remotely over Tor.

Create SSH Hidden Services

New services are created by adding them to the /etc/tor/torrc file:

$ su 
# cat >> /etc/tor/torrc << EOF
HiddenServiceDir /var/lib/tor/hidden-service-ssh/
HiddenServicePort 22 127.0.0.1:22
EOF
# exit

Here's what that means:

  • HiddenServiceDir: Tells Tor where to keep this hidden service's keys and hostname. Tor creates the directory (and the key files in it) on restart if it doesn't already exist.
  • HiddenServicePort: Maps a virtual port on the onion address (the first value, 22 here) to the local address and port the real service listens on (the second value, 127.0.0.1:22). For SSH, both are usually 22.

After you add the appropriate lines to your torrc file, you will need to restart Tor:

$ sudo /etc/init.d/tor restart

After the restart, your HiddenServiceDir should have new files as follows:

$ sudo ls -l /var/lib/tor/hidden-service-ssh
total 16
drwx--S--- 2 debian-tor debian-tor 4096 Jul 22 14:55 authorized_clients
-rw------- 1 debian-tor debian-tor   63 Jul 22 14:56 hostname
-rw------- 1 debian-tor debian-tor   64 Jul 22 14:55 hs_ed25519_public_key
-rw------- 1 debian-tor debian-tor   96 Jul 22 14:55 hs_ed25519_secret_key

The hostname file in this directory contains the address of your new onion service:

$ sudo cat /var/lib/tor/hidden-service-ssh/hostname
qwkemc3vusd73glx22t3sglf7izs75hqodxsgjqgqlujemv73j73qpid.onion

You can connect to the ssh hidden service using torify and that address:

$ torify ssh standup@qwkemc3vusd73glx22t3sglf7izs75hqodxsgjqgqlujemv73j73qpid.onion
The authenticity of host 'qwkemc3vusd73glx22t3sglf7izs75hqodxsgjqgqlujemv73j73qpid.onion (127.42.42.0)' can't be established.
ECDSA key fingerprint is SHA256:LQiWMtM8qD4Nv7eYT1XwBPDq8fztQafEJ5nfpNdDtCU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'qwkemc3vusd73glx22t3sglf7izs75hqodxsgjqgqlujemv73j73qpid.onion' (ECDSA) to the list of known hosts.
standup@qwkemc3vusd73glx22t3sglf7izs75hqodxsgjqgqlujemv73j73qpid.onion's password: 
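The `cat >> /etc/tor/torrc` step above appends blindly, so running it twice leaves two HiddenServiceDir lines for the same path, which Tor refuses at startup. The helper below, an added example that is not part of the book, appends the block only if that directory isn't configured yet, and checks that the resulting hostname has the shape of a v3 onion address (the hs_ed25519_* keys shown above always produce one). The function names and the use of a scratch torrc path are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the book): idempotently add a Tor hidden-service
# block to a torrc file and sanity-check the onion hostname Tor generates.
set -eu

# add_hidden_service TORRC DIR VIRTPORT TARGET
# Appends a HiddenServiceDir/HiddenServicePort pair unless DIR is already
# present. A duplicate HiddenServiceDir line for the same path makes Tor
# fail to start, so re-running this is safe where "cat >>" is not.
add_hidden_service() {
    torrc=$1; dir=$2; vport=$3; target=$4
    if grep -qs "^HiddenServiceDir[[:space:]]*$dir" "$torrc"; then
        echo "already configured: $dir" >&2
        return 0
    fi
    printf 'HiddenServiceDir %s\nHiddenServicePort %s %s\n' \
        "$dir" "$vport" "$target" >> "$torrc"
}

# count_hs_dirs TORRC: number of HiddenServiceDir lines in the file.
# Expect exactly one per hidden service you meant to configure.
count_hs_dirs() {
    grep -c '^HiddenServiceDir' "$1" || true
}

# is_v3_onion NAME: true when NAME is 56 base32 characters plus ".onion",
# the format of the hostname file written next to hs_ed25519_secret_key.
is_v3_onion() {
    printf '%s\n' "$1" | grep -Eq '^[a-z2-7]{56}\.onion$'
}
```

Run `add_hidden_service /etc/tor/torrc /var/lib/tor/hidden-service-ssh/ 22 127.0.0.1:22` as root, restart Tor, then feed the contents of the hostname file to `is_v3_onion` before handing the address out.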

Summary: Adding SSH Hidden Services

Now that you've got Tor installed and know how to use it, you can add other services to Tor. You just add lines to your torrc (on your server), then connect with torify (on your client).

🔥 What's the power of Other Hidden Services? Every time you access a service on your server remotely, you leave footprints on the network. Even if the data is encrypted by something like SSH (or TLS), lurkers on the network can see where you're connecting from, where you're connecting to, and what service you're using. Does this matter? This is the question you have to ask. But if the answer is "Yes", you can protect the connection with a hidden service.

Move on to "Programming with RPC" with Chapter Fifteen: Talking to Bitcoind with C.