How To Set Up An SSH Server With Tor To Hide It From Shodan & Hackers «Null Byte :: WonderHowTo



The next libSSH or OpenSSH exploit may be just around the corner. Keep your SSH service out of Shodan's database before hackers find new ways to bypass the password protecting the server.

Shodan has been called the hacker's search engine because it is literally a searchable database of devices and servers connected to the Internet. It allows anyone to search for webcams, routers, servers, Raspberry Pis, traffic lights, point-of-sale systems, industrial control systems, and more.

The web tool does this by randomly iterating through every possible IP address (online or not) and trying to extract service banners on different ports. Service banners typically contain metadata about the running service, such as the service name, type, and version number.

Why set up SSH with Tor?

Every device connected to the Internet will inevitably be scanned by Shodan and other databases such as Censys. Hackers use these databases to locate outdated, vulnerable servers. Even system administrators who regularly update their servers and follow the best security practices are exposed to exploits. The libSSH authentication bypass vulnerability is a prime example of this.

The libSSH vulnerability allowed hackers to connect to SSH services without first performing authentication. Fully updated services were still vulnerable to this exploit, which endangered many servers and websites. More importantly, fully updated systems are still exposed to exploits that have yet to be disclosed. Blackhats sometimes hoard vulnerabilities and sell them in private communities. It is not clear how many unknown OpenSSH exploits exist today.

Tor onion services can help reduce the threat. Just as onion sites can only be reached through Tor, SSH services can be configured to allow access only through Tor. This can make the service completely inaccessible to search engines like Shodan and harder for hackers to find.

Step 1: Install Tor

First, Tor needs to be installed on both the virtual private server (VPS) and the client computer. The client can be a Debian, Ubuntu, or Kali system to follow along. macOS and Windows 10 users can read the official Tor Project documentation to install tor correctly. For most readers, the SSH server is likely to be a Debian VPS. However, this can also be set up on an Ubuntu desktop or Raspberry Pi if you want to access computers at home.

Tor is available in many Linux repositories. In most cases, those packages are not reliably maintained or updated, which means that important stability and security updates may be missing. In addition, anonymity software should always be obtained directly from the source (e.g., torproject.org).

Log in to your SSH server and add the Tor Project repository to your APT repository list with the following echo command, which works in Debian.

  ~ $ echo -e "deb https://deb.torproject.org/torproject.org $(lsb_release -sc) main \ndeb-src https://deb.torproject.org/torproject.org $(lsb_release -sc) main" > /etc/apt/sources.list.d/tor.list

If you are using Kali Linux, use the following command instead.

  ~ $ echo -e "deb https://deb.torproject.org/torproject.org stretch main \ndeb-src https://deb.torproject.org/torproject.org stretch main" > /etc/apt/sources.list.d/tor.list

Then download the Tor Project's signing key and import it into your APT keyring with the following command.

  ~ $ wget -O- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | sudo apt-key add -

--2019-03-05 06:29:13--  https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc
Resolving deb.torproject.org (deb.torproject.org)... 82.195.75.101, 2001:41b8:202:deb:213:21ff:fe20:1426
Connecting to deb.torproject.org (deb.torproject.org)|82.195.75.101|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19665 (19K) [text/plain]
Saving to: 'STDOUT'

-   100%[================================>]  19.20K  54.8KB/s    in 0.4s

2019-03-05 06:29:16 (54.8 KB/s) - written to stdout [19665/19665]

The output "OK" is displayed once the signing key has been added to your keyring. Next, update APT with the following apt-get command.

  ~ $ apt-get update

Get:2 https://deb.torproject.org/torproject.org stretch InRelease [4,965 B]
Get:4 https://deb.torproject.org/torproject.org stretch/main Sources [1,169 B]
Get:5 https://deb.torproject.org/torproject.org stretch/main amd64 Packages [2,400 B]
Fetched 8,534 B in 8s (1,091 B/s)
Reading package lists... Done

Install Tor with the following apt-get command and you're done.

  ~ $ apt-get install tor deb.torproject.org-keyring torsocks

Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  mixmaster torbrowser-launcher socat tor-arm apparmor-utils obfs4proxy
The following NEW packages will be installed:
  deb.torproject.org-keyring
The following packages will be upgraded:
  tor

Tor should be installed on both the client and the VPS running the SSH server. Be sure to follow the above steps on both systems.

Step 2: Creating an Onion Service on the Server

The Tor process is likely to start running immediately after installation, so stop it as root (sudo) using the systemctl command.

  ~ $ sudo systemctl stop tor 

Then open the file /etc/tor/torrc with a text editor. This is the configuration file Tor uses to change its behavior and create onion services.

  ~ $ sudo nano /etc/tor/torrc

There is a lot of information in this file. Most of it is not relevant to this article. Scroll down a bit to the section "This section is just for location-hidden services". In Debian and Kali Linux it looks like this:

  ############### This section is just for location-hidden services ###

## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.

#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80

#HiddenServiceDir /var/lib/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
#HiddenServicePort 22 127.0.0.1:22

Uncomment (remove the #) one "HiddenServiceDir" line and one "HiddenServicePort" line as such:

  ############### This section is just for location-hidden services ###

## Once you have configured a hidden service, you can look at the
## contents of the file ".../hidden_service/hostname" for the address
## to tell people.
##
## HiddenServicePort x y:z says to redirect requests on port x to the
## address y:z.

#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80

HiddenServiceDir /var/lib/tor/other_hidden_service/
#HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 22 127.0.0.1:22

Save and exit the text editor. Restart Tor with the following command.

  ~ $ sudo systemctl restart tor

The file "hostname" in the directory /var/lib/tor/other_hidden_service/ contains the new onion address. Use cat to read the file. Write down this onion address; it will be needed in the next step.

  ~ $ cat /var/lib/tor/other_hidden_service/hostname

pkgsxmtmdrlxp7l3gfqysi3ceaochd4vnv7eax2fuyridmcz7ucvluad.onion 

Step 3: Checking the onion service is working (optional)

Before proceeding, make sure the SSH service is reachable at the new onion address. This can be quickly verified with torsocks, a shell wrapper used to torify command-line applications such as curl, wget, or nmap.

The following torsocks and curl command queries the new onion service. Make sure to append the SSH port number (:22). Otherwise, curl queries port 80 by default and fails. A successful query returns the SSH version banner as shown below.

  ~ $ torsocks curl http://pkgsxmtmdrlxp7l3gfqysi3ceaochd4vnv7eax2fuyridmcz7ucvluad.onion:22

SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u5

Step 4: Make the SSH Service Private

By default, most SSH services listen on every IPv4 interface. Although not all Linux distributions do this, it is true for popular distributions like Ubuntu and Debian. This is usually represented as "0.0.0.0" in the /etc/ssh/sshd_config file, where SSH stores all of its service configuration.

SSH services configured in this way allow access to the server from any computer in the world. This is convenient for site administrators who need to make changes to their website from different devices and networks.

First, let's look at the SSH service running in the background. Use ss, a tool for investigating sockets, to display the processes (-p) listening (-l) for TCP (-t) connections.

  ~ $ ss -plt

State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port
LISTEN   0        128      *:ssh                *:*                users:(("sshd",pid=1148,fd=3))

If other applications are running on the server in the background (for example, Apache, Nginx, IRC software, etc.), many services can appear here. Focus on the *:ssh entry in the Local Address:Port column. The wildcard means that the SSH service is listening on every available IPv4 and IPv6 interface.

Shodan can find this SSH service because it is reachable in this state (listening). To change this, open the /etc/ssh/sshd_config file and locate the "ListenAddress" line(s).

  ~ $ sudo nano /etc/ssh/sshd_config

In Debian, it looks like what is shown below. The lines will probably be commented out, which is normal. When every ListenAddress line is commented out, SSH falls back to its default configuration of listening on all interfaces.

  #Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

Change the ListenAddress line to "127.0.0.1" and uncomment it as follows:

  #Port 22
#AddressFamily any
ListenAddress 127.0.0.1
#ListenAddress :: 

Then restart the SSH service.

  ~ $ sudo systemctl restart ssh 

Immediately after executing the systemctl command, the current SSH connection may be closed. The SSH service is no longer reachable on any externally routable IPv4 or IPv6 address, so it is normal for the connection to be lost.
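Because that restart cuts off direct access, it helps to confirm beforehand that sshd will be loopback-only and that an active HiddenServicePort line forwards to the same address and port. The following pre-flight check is an added example, not part of the original article; the function names are hypothetical, and it assumes an IPv4 loopback listener as configured above, a single Port line, and the two file paths passed as arguments.

```sh
#!/bin/sh
# Added example: pre-flight check to run before `systemctl restart ssh`.

# Effective sshd listen addresses; with no active ListenAddress line,
# sshd listens on every interface (0.0.0.0 and ::).
sshd_listen_addrs() {
    awk 'tolower($1) == "listenaddress" { print $2; n++ }
         END { if (!n) print "0.0.0.0\n::" }' "$1"
}

# sshd port: first active Port line, default 22 (simplification).
sshd_port() {
    awk 'tolower($1) == "port" { print $2; f = 1; exit }
         END { if (!f) print 22 }' "$1"
}

# Local target of each active HiddenServicePort line. A missing target
# means 127.0.0.1:VIRTPORT; a bare port means 127.0.0.1:PORT.
onion_targets() {
    awk 'tolower($1) == "hiddenserviceport" {
             t = ($3 == "") ? $2 : $3
             if (t ~ /^[0-9]+$/) t = "127.0.0.1:" t
             print t
         }' "$1"
}

# preflight SSHD_CONFIG TORRC
# 0 = loopback-only and forwarded, 1 = non-loopback listener, 2 = lockout.
preflight() {
    port=$(sshd_port "$1"); forwarded=no
    for a in $(sshd_listen_addrs "$1"); do
        case "$a" in
            127.*:*) ep=$a ;;
            127.*)   ep=$a:$port ;;
            *) echo "FAIL: sshd listens on $a, not IPv4 loopback"; return 1 ;;
        esac
        onion_targets "$2" | grep -qxF "$ep" && forwarded=yes
    done
    if [ "$forwarded" = yes ]; then
        echo "OK: sshd is loopback-only and an onion port forwards to it"
    else
        echo "LOCKOUT: no HiddenServicePort forwards to sshd"; return 2
    fi
}

# Usage: sh preflight.sh /etc/ssh/sshd_config /etc/tor/torrc
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

An exit status of 2 means sshd would become loopback-only with no onion port pointing at it, which would leave the server unreachable over SSH.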

Step 5: Connecting to the SSH Server with Tor

Fortunately, the onion service was set up on the server, so the SSH service is still reachable. From the client (i.e., a laptop or remote computer), use the following torsocks command to connect to the SSH service.

  ~ $ torsocks ssh -p 22 username@pkgsxmtmdrlxp7l3gfqysi3ceaochd4vnv7eax2fuyridmcz7ucvluad.onion

The authenticity of host 'pkgsxmtmdrlxp7l3gfqysi3ceaochd4vnv7eax2fuyridmcz7ucvluad.onion (127.42.42.0)' can't be established.
ECDSA key fingerprint is SHA256:f22LX7WJfLGOiKxP+0+cA/l5Q1GsJLFA30ZyMyGLMl4.
Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added 'pkgsxmtmdrlxp7l3gfqysi3ceaochd4vnv7eax2fuyridmcz7ucvluad.onion' (ECDSA) to the list of known hosts.
username@pkgsxmtmdrlxp7l3gfqysi3ceaochd4vnv7eax2fuyridmcz7ucvluad.onion's password:

Step 6: Make Sure the SSH Service Is Not Visible to Shodan

After logging back in to the server, run ss again to view the listening services. It should no longer report SSH listening on every available interface, but only on 127.0.0.1.

  ~ $ ss -plt

State    Recv-Q   Send-Q   Local Address:Port   Peer Address:Port
LISTEN   0        128      127.0.0.1:ssh        *:*                users:(("sshd",pid=1162,fd=3))

We can further verify this by running a simple nmap version (-sV) scan against the server.

  ~ $ nmap -p 22 -sV <server IP address>

PORT     STATE    SERVICE   VERSION
22/tcp   closed   ssh

The SSH service may still show up on Shodan for days or even weeks. Shodan is not great at purging old service banners and information. However, this does not mean that the SSH service is still reachable by attackers.

Conclusion

By far the biggest limitation of using SSH with onion services is slowness. Responses in the terminal can be painfully slow for someone who is not used to onion services and Tor.

When Tor is configured to work with SSH services in this way, the service is hidden from Shodan, but it is not entirely impossible for hackers to find it. It can still be reached over Tor. This considerably reduces the general threat, but it does not make the service completely immune to attacks.

There is a security feature in Tor named HiddenServiceAuthorizeClient. With this feature, users can essentially password-protect the onion service by using an authentication cookie. At the time of writing, HiddenServiceAuthorizeClient is not supported by the newer next-generation onion services. It would be possible to generate older onion services, but it seems like poor security practice to use an outdated Tor feature. In the future, it will be possible to use HiddenServiceAuthorizeClient with next-generation onions to make them completely inaccessible to anyone but you. Changing the SSH port number to a non-default value, such as 62359 or 41171, will help keep out script kiddies mass-scanning the darknet on port 22.

Cover image and screenshots by distortion/Null Byte