At first glance, TOR is used to browse the darknet or to bypass firewall restrictions, i.e. if your firewall blocks certain websites, you can use a TOR browser to access them. It is really tough to block access to the TOR network when your users are using TOR bridges. I know of a few firewalls which will block known TOR relays, but I am yet to discover a firewall which could block even the TOR bridge relays.
The good part is that TOR can be used to secure or access any service on a server where the TOR server is installed. So let's see how you can secure your SSH service using TOR. Securing with TOR here does not mean that TOR itself secures the server: we disable public SSH access by making sshd listen only on localhost, and then reach it through TOR. This method is not highly recommended though, and is here for academic interest (I don't have a specific reason other than that TOR is generally considered as bad).
Steps to follow
- Install TOR.
- Change /etc/ssh/sshd_config so that sshd listens only on 127.0.0.1.
- Open /etc/tor/torrc and set the following values:

    HiddenServiceDir /var/lib/tor/sagesssh
    HiddenServicePort 22 127.0.0.1:22

- Create a folder named /var/lib/tor/sagesssh and change its ownership to the user who runs the tor server.
- Restart the tor daemon and make sure that you see two files in that folder: hostname and private_key. If not, check the log files for error messages; the most probable cause is a permissions or ownership issue. In hostname you'll find your public onion address, which you have to use to access your service, like 32rfckwuorlf4dlv.onion.
- You can use the SSH command below to access the above SSH server (replace xxxxxxxxxx.onion with your own address, like 32rfckwuorlf4dlv.onion):

    ssh -o ProxyCommand='nc -x localhost:9150 %h %p' xxxxxxxxxx.onion

- To avoid typing the above command every time, you can put the snippet below in your $HOME/.ssh/config (with the necessary changes; you may use nc or socat, depending on which you have installed):

    Host this-server
        HostName xxxxxxxxxx.onion
        ProxyCommand socat STDIO SOCKS4A:127.0.0.1:%h:%p,socksport=9050

Now you just have to enter “ssh this-server” and you should be inside your server through the TOR network. You are done with securing SSH using TOR…
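A read-only check of the finished setup, as an added example that is not part of the original post: it verifies that sshd is bound only to loopback (the `ListenAddress` directive), that the onion service maps port 22 to 127.0.0.1:22, and that the hidden service folder is private. The function names and the "no extra ports" policy are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: read-only checks for the setup above.

# 0 if FILE has at least one ListenAddress and all of them are loopback.
# With no ListenAddress line, sshd listens on every address.
sshd_loopback_only() {
    awk '
        $1 ~ /^#/ { next }
        tolower($1) == "listenaddress" {
            seen = 1
            if (tolower($2) !~ /^(127\.[0-9.]+|localhost|::1|\[::1\])(:[0-9]+)?$/) bad = 1
        }
        END { exit !(seen && !bad) }
    ' "$1"
}

# 0 if the HiddenServiceDir DIR block in TORRC maps port 22 to 127.0.0.1:22.
# Treating any other HiddenServicePort in that block as a failure is this
# example's policy, so the onion address exposes SSH and nothing else.
onion_forwards_ssh() {
    awk -v dir="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == "hiddenservicedir" { in_block = ($2 == dir); next }
        in_block && tolower($1) == "hiddenserviceport" {
            if ($2 == "22" && $3 == "127.0.0.1:22") ok = 1
            else extra = 1
        }
        END { exit !(ok && !extra) }
    ' "$1"
}

# 0 if DIR exists with mode 0700. It holds the onion private key.
hs_dir_private() {
    [ -d "$1" ] || return 1
    case "$(ls -ld "$1")" in drwx------*) return 0 ;; *) return 1 ;; esac
}

# audit SSHD_CONFIG TORRC HS_DIR: print each failed check, return 1 if any.
audit() {
    rc=0
    sshd_loopback_only "$1" || { echo "FAIL: sshd is not limited to loopback"; rc=1; }
    onion_forwards_ssh "$2" "$3" || { echo "FAIL: onion service does not map only 22 -> 127.0.0.1:22"; rc=1; }
    hs_dir_private "$3" || { echo "FAIL: $3 missing or not mode 0700"; rc=1; }
    return "$rc"
}

if [ "$#" -eq 3 ]; then audit "$@"; fi
```

Run it as root with the three paths from the steps above as arguments. On a live host, `sshd -T` prints the effective configuration, which also covers settings this file-based check does not follow.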