How To: Set Up an SSH Server with Tor to Hide It from Shodan & Hackers

Set Up an SSH Server with Tor to Hide It from Shodan & Hackers

The next libSSH or OpenSSH exploit may be just around the corner. Keep your SSH service out of Shodan's database before hackers find new ways to bypass the password protecting the server.

Shodan has been called the "hacker's search engine" because it's literally a searchable database of internet-connected devices and servers. It allows anyone to search for webcams, routers, servers, Raspberry Pis, traffic lights, point of sale systems, industrial control systems, and much more.

The web tool accomplishes this by randomly iterating through every possible IP address in existence (whether it's online or not being used) and attempts to extract service banners on different ports. Service banners usually store metadata about the running service, like the service name, type, and version number.

Why Set Up SSH with Tor?

Any internet-connected device will inevitably be scanned by Shodan and other databases like Censys. Hackers use these databases to locate out-of-date, vulnerable servers. Even system administrators who regularly update their servers and follow the best security practices are exposed to exploits. The libSSH authentication bypass vulnerability is an excellent example of this.

The libSSH vuln allowed hackers to connect to SSH services without first performing authentication. The most fully up-to-date services were still vulnerable to this exploit and put many servers and websites at risk. More importantly, fully updated systems are still exposed to exploits that have yet to be disclosed. Blackhat's sometimes horde and sell vulnerabilities in private communities. There's no telling how many undisclosed OpenSSH exploits may exist today.

Tor onion services can help mitigate exposure. Much like how onion websites can't be accessed using a standard web browser, SSH services can be configured only to allow access over Tor. It can make services entirely inaccessible for search engines like Shodan and more difficult for hackers to find.

Step 1: Install Tor

The first thing we need to do is install Tor on both the virtual private server (VPS) and the client computer. The client can be a Debian, Ubuntu, or a Kali system to follow along. MacOS and Windows 10 users can check out the official Tor Project documentation for installing tor properly. For most readers, the SSH server will likely be a Debian VPS. However, this can be set up on an Ubuntu desktop or Raspberry Pi, for those who wish to remotely access computers at home.

Tor is available in many Linux repositories. In most cases, the packages aren't reliably maintained or updated, which means there could be missing critical stability and security updates. Furthermore, anonymity software should always be acquired directly from the source (i.e., torproject.org).

Log into your SSH server and add the Tor Project's repository to your APT repository list with the following echo command, which works in Debian.

~$ echo -e "deb https://deb.torproject.org/torproject.org $(lsb_release -sc) main \ndeb-src https://deb.torproject.org/torproject.org $(lsb_release -sc) main" > /etc/apt/sources.list.d/tor.list

If you're running Kali Linux, use the following command instead.

~$ echo -e "deb https://deb.torproject.org/torproject.org stretch main \ndeb-src https://deb.torproject.org/torproject.org stretch main" > /etc/apt/sources.list.d/tor.list

Then, download the Tor Project's package signing key and import it into your APT keyring with the following command.

~$ wget -O- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | sudo apt-key add -

--2019-03-05 06:29:13--  https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
Resolving deb.torproject.org (deb.torproject.org)... 82.195.75.101, 2001:41b8:202:deb:213:21ff:fe20:1426
Connecting to deb.torproject.org (deb.torproject.org)|82.195.75.101|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19665 (19K) [text/plain]
Saving to: ‘STDOUT’

-                                       100%[================================>]  19.20K  54.8KB/s    in 0.4s

2019-03-05 06:29:16 (54.8 KB/s) - written to stdout [19665/19665]

You'll see the "OK" output when the signing key has been added to your keyring. Next, update APT using the below apt-get command.

~$ apt-get update

Get:2 https://deb.torproject.org/torproject.org stretch InRelease [4,965 B]
Get:4 https://deb.torproject.org/torproject.org stretch/main Sources [1,169 B]
Get:5 https://deb.torproject.org/torproject.org stretch/main amd64 Packages [2,400 B]
Fetched 8,534 B in 8s (1,091 B/s)
Reading package lists... Done

Install Tor using the below apt-get command, and you're done.

~$ apt-get install tor deb.torproject.org-keyring torsocks

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  mixmaster torbrowser-launcher socat tor-arm apparmor-utils obfs4proxy
The following NEW packages will be installed:
  deb.torproject.org-keyring
The following packages will be upgraded:
  tor

Both the client and the VPS running the SSH server should have Tor installed. Be sure to follow the above steps on both systems.

Step 2: Create an Onion Service on the Server

The Tor process will likely get executed immediately after installing it so, as root (sudo), stop the process. This can be done using the systemctl command.

~$ sudo systemctl stop tor

Then, use a text editor to open the /etc/tor/torrc file. This is the configuration file used by Tor to modify its behavior and create onion services.

~$ sudo nano /etc/tor/torrc

There will be a ton of information in this file. Most of it isn't relevant to this article. Scroll down a bit to the "This section is just for location-hidden services" section. In Debian and Kali Linux, it appears as shown below.

############### This section is just for location-hidden services ###

## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.

#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80

#HiddenServiceDir /var/lib/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServicePort 22 127.0.0.1:22

Uncomment (#) one "HiddenServiceDir" and one "HiddenServicePort" line, as such:

############### This section is just for location-hidden services ###

## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.

#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80

HiddenServiceDir /var/lib/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 22 127.0.0.1:22

Save and exit the text editor. Then, restart tor using the below command.

~$ sudo systemctl restart tor

The "hostname" file in the /var/lib/tor/other_hidden_service/ directory will hold the new onion address. Use cat to read the file. Take note of this onion address, it will be required in the next step.

~$ cat /var/lib/tor/other_hidden_service/hostname

pkgsxmtmdrlxp7l3gfqysi3ceaochd4vnv7eax2fuyridmcz7ucvluad.onion

Step 3: Verify the Onion Service Is Working (Optional)

Before proceeding, it's good to make sure the SSH service is reachable using the new onion address. This can quickly be verified using the torsocks, a shell wrapper used to transparently Tor-ify command line applications like curl, wget, or nmap.

The following torsocks and curl command will query the new onion service. Be sure to append the SSH port number (:22), otherwise, curl will query port 80 by default and fail. A successful query will return the SSH version banner, as shown below.

~$ torsocks curl http://pkgsxmtmdrlxp7l3gfqysi3ceaochd4vnv7eax2fuyridmcz7ucvluad.onion:22

SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u5

Step 4: Make the SSH Service Private

By default, most SSH services are listening on every IPv4 interface. While not the case for all Linux distributions, this is true for popular ones like Ubuntu and Debian. This is usually represented as "0.0.0.0" in the /etc/ssh/sshd_config file, where SSH stores all of the service configurations.

SSH services configured this way makes it possible to access the server from any computer in the world. Which is convenient for website administrators who need to make changes to their website from different devices and networks.

First, let's have a look at SSH service running in the background. Use ss, a tool for investigating sockets, to show processes (-p) listening (-l) for TCP (-t) connections.

~$ ss -plt

State      Recv-Q Send-Q       Local Address:Port           Peer Address:Port
LISTEN     0      128                      *:ssh                       *:*           users:(("sshd",pid=1148,fd=3))

If the server has applications running in the background (e.g., Apache, Nginx, IRC software, etc.), many services may appear here. Let's focus on the Local Address:Port column which reads *:ssh. Wildcards indicate the SSH service is listening on every available IPv4 and IPv6 interface.

Shodan is able to locate this SSH service because it's available (listening) in this state. To change this, open the /etc/ssh/sshd_config file and find the "ListenAddress" line(s).

~$ sudo nano /etc/ssh/sshd_confnig

In Debian, it appears as shown below. They will probably be commented out, which is normal. When every ListenAddress is commented out, SSH falls back to its default configuration to listen on every interface.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Change the ListenAddress line to "127.0.0.1" and uncomment it as such:

#Port 22
#AddressFamily any
ListenAddress 127.0.0.1
#ListenAddress ::

Then, restart the SSH service.

~$ sudo systemctl restart ssh

Immediately after executing the systemctl command, the current SSH connection may close. The SSH service is no longer available on any IPv4 or IPv6 address so it's normal for the connection to break.

Step 5: Connect to the SSH Server Using Tor

Fortunately, the onion service was set up on the server so the SSH service can still be reached. Now, from the client (i.e., laptop or remote computer), use the below torsocks command to connect to SSH service.

~$ torsocks ssh -p 22 username@pkgsxmtmdrlxp7l3gfqysi3ceaochd4vnv7eax2fuyridmcz7ucvluad.onion

The authenticity of host 'pkgsxmtmdrlxp7l3gfqysi3ceaochd4vnv7eax2fuyridmcz7ucvluad.onion (127.42.42.0)' can't be established.
ECDSA key fingerprint is SHA256:f22LX7WJfLGOiKxP+0+cA/l5Q1GsJLFA30ZyMyGLMl4.
Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'pkgsxmtmdrlxp7l3gfqysi3ceaochd4vnv7eax2fuyridmcz7ucvluad.onion' (ECDSA) to the list of known hosts.
username@pkgsxmtmdrlxp7l3gfqysi3ceaochd4vnv7eax2fuyridmcz7ucvluad.onion's password:

Step 6: Make Sure the SSH Service Isn't Visible to Shodan

After logging into the server using the onion address, use the ss command again to view listening services. It should no longer report SSH listening on every available interface, only 127.0.0.1.

~$ ss -plt

State      Recv-Q Send-Q       Local Address:Port           Peer Address:Port
LISTEN     0      128              127.0.0.1:ssh                       *:*           users:(("sshd",pid=1162,fd=3))

We can further verify this by executing a simple nmap version (-sV) scan on the server.

~$ nmap -p 22 -sV <vps ip here>

PORT   STATE  SERVICE VERSION
22/tcp closed ssh

The SSH service may still appear on Shodan for days or even weeks. Shodan isn't great about purging old service banners and information. But that doesn't mean the SSH service is still accessible to attackers.

Conclusion

By far the most significant caveat to using SSH with onion services is the slowness. Responses in the terminal can be painfully slow for someone who isn't used to onion services and Tor.

Configuring Tor to work with SSH services in this way hides it from Shodan but doesn't make it entirely impossible to locate by hackers. It can still be reached using Tor, which significantly minimizes its overall exposure but doesn't make it altogether impervious to attacks.

There's a security feature in Tor called HiddenServiceAuthorizeClient. This feature allows users to essentially password-protect the onion service with an authentication cookie. At the time of this writing, HiddenServiceAuthorizeClient isn't supported by the newer "next-gen" onion services. It would be possible to generate older onion services, but it seems like bad security practice to use a soon to be a deprecated feature of Tor. In the future, it will be possible to use HiddenServiceAuthorizeClient with next-gen onions to make them completely inaccessible to anyone but you. For now, changing the SSH port number to something non-standard like 62359 or 41171 will help keep it off the radar of script-kiddies on the darknet mass-scanning on port 22.

Just updated your iPhone? You'll find new features for TV, Messages, News, and Shortcuts, as well as important bug fixes and security patches. Find out what's new and changed on your iPhone with the iOS 17.6 update.

Cover photo and screenshots by distortion/Null Byte

1 Comment

Hello, this article has been super helpfu6, however I'm not sure this process secures my up/location. If I run "curl ifconfig.me" my public IP address for my raspberry pi is still returned, not the Tor routed public IP. Is this normal, and do you know if this can be changed? My preference would be to make it completely unidentifiable when looking for that. Anything helps!

Share Your Thoughts

  • Hot
  • Latest