monkey-business.biz

SSHD tor authenticated hidden service setup script

10 October 2019

setup_sshdHiddenService.sh (use gist to copy code. Sometimes something doesn’t escape escaping of WordPress editor 😉 )

#! /bin/sh
 
# sshd tor authenticated hidden service setup script
# <configuration>
SSH_PORT="" # new SSH port, leave empty for no change
# </configuration>
# workflow:
# - change SSH port if not empty
# - setup SSH brute force protection: fail2ban
# - setup tor: basic authenticated sshd hidden service
# - output of hidden service connection data
# more about authenticated hidden services: 
# https://www.antitree.com/2017/08/tor-onion-service-stealth-and-basic-authentication-modes/
 
function setup {    
 
    # change SSH port if set
    if [ ! -z "$SSH_PORT" ]; then
        sed -i "s|Port [0-9]+|Port ${SSH_PORT}|" /etc/ssh/sshd_config
    fi
 
    # install fail2ban
    apt-get install -y fail2ban
 
    # setup tor
    apt-get install -y tor
 
    # setup basic authenticated hidden service sshd
    # NOTICE: sed -i '1i XXX' FILEPATH; adds value (XXX) on first line of file /etc/tor/torrc/
 
    # "basic" authenticated hidden server, set service name: HiddenServiceAuthorizeClient
    sed -i "1i HiddenServiceAuthorizeClient basic sshd" /etc/tor/torrc
 
    # forward hidden service port to local ssh: HiddenServicePort
    sed -i "1i HiddenServicePort ${SSH_PORT} 127.0.0.1:${SSH_PORT}" /etc/tor/torrc
 
    # hidden service directory contains services private key, address: HiddenServiceDir
    sed -i "1i HiddenServiceDir /var/lib/tor/sshd/" /etc/tor/torrc
 
    # restart tor to load new settings
    systemctl restart tor
 
    sleep 1
 
    # formated hidden service data output for user
    # get hidden service url, login from file, remove comment
    HIDDEN_SERVICE_COOKIE=$(cat /var/lib/tor/tcpproxy/hostname | sed -Ee "s| # client:||") 
 
    # get hidden service uri from cookie, get string until first whitespace
    HIDDEN_SERVICE_HOST=$(echo ${HIDDEN_SERVICE_COOKIE} | sed -Ee 's| .*||')
 
    # user output
    echo "##########"
    echo "add next line to your local tor configuration at /etc/tor/torrc:"
    echo "HidServAuth ${HIDDEN_SERVICE_COOKIE}"
    echo "##########"
    echo "connect to your hidden service sshd after local tor restart:"
    echo "torsocks ssh ${HIDDEN_SERVICE_HOST} -p ${SSH_PORT}"
 
    # message ssh will disconnect, wait for y key / restart
    RESTART_SSHD=""
    while [ "$RESTART_SSHD" != "y" ]; do
        echo "restart of sshd required"
        read -p "you need to reconnect ssh at port ${SSH_PORT} [y/STRG+C]: " RESTART_SSHD
    done
    systemctl restart sshd
}
 
# check root, ask for root, run setup as root
WHOAMI=$(whoami)
if [ "$WHOAMI" != "root" ]; then
    su -c "$(declare -f setup); setup"    
else
    setup
fi

#! /bin/sh # sshd tor authenticated hidden service setup script # <configuration> SSH_PORT="" # new SSH port, leave empty for no change # </configuration> # workflow: # - change SSH port if not empty # - setup SSH brute force protection: fail2ban # - setup tor: basic authenticated sshd hidden service # - output of hidden service connection data # more about authenticated hidden services: # https://www.antitree.com/2017/08/tor-onion-service-stealth-and-basic-authentication-modes/ function setup { # change SSH port if set if [ ! -z "$SSH_PORT" ]; then sed -i "s|Port [0-9]+|Port ${SSH_PORT}|" /etc/ssh/sshd_config fi # install fail2ban apt-get install -y fail2ban # setup tor apt-get install -y tor # setup basic authenticated hidden service sshd # NOTICE: sed -i '1i XXX' FILEPATH; adds value (XXX) on first line of file /etc/tor/torrc/ # "basic" authenticated hidden server, set service name: HiddenServiceAuthorizeClient sed -i "1i HiddenServiceAuthorizeClient basic sshd" /etc/tor/torrc # forward hidden service port to local ssh: HiddenServicePort sed -i "1i HiddenServicePort ${SSH_PORT} 127.0.0.1:${SSH_PORT}" /etc/tor/torrc # hidden service directory contains services private key, address: HiddenServiceDir sed -i "1i HiddenServiceDir /var/lib/tor/sshd/" /etc/tor/torrc # restart tor to load new settings systemctl restart tor sleep 1 # formated hidden service data output for user # get hidden service url, login from file, remove comment HIDDEN_SERVICE_COOKIE=$(cat /var/lib/tor/tcpproxy/hostname | sed -Ee "s| # client:||") # get hidden service uri from cookie, get string until first whitespace HIDDEN_SERVICE_HOST=$(echo ${HIDDEN_SERVICE_COOKIE} | sed -Ee 's| .*||') # user output echo "##########" echo "add next line to your local tor configuration at /etc/tor/torrc:" echo "HidServAuth ${HIDDEN_SERVICE_COOKIE}" echo "##########" echo "connect to your hidden service sshd after local tor restart:" echo "torsocks ssh ${HIDDEN_SERVICE_HOST} -p ${SSH_PORT}" # message ssh will disconnect, wait for y key / restart RESTART_SSHD="" while [ "$RESTART_SSHD" != "y" ]; do echo "restart of sshd required" read -p "you need to reconnect ssh at port ${SSH_PORT} [y/STRG+C]: " RESTART_SSHD done systemctl restart sshd } # check root, ask for root, run setup as root WHOAMI=$(whoami) if [ "$WHOAMI" != "root" ]; then su -c "$(declare -f setup); setup" else setup fi

Buzzwords

@gist | Shell | SSH

Comments Off

Linux: SSH Port ändern

25 May 2015

Den SSH Port unter Linux zu ändern bringt zusätzliche Sicherheit, neben Überwachung der Login Voränge mit fail2ban. Sobald der standard SSH Port geändert ist werden die fehlgeschlagenen Login-Versuche, die inzwischen beinnahe jeder Server in den Log Dateien (siehe /var/log/auth.log) hat, abnehmen.

Der Port des SSH Servers wird in der Datei /etc/ssh/sshd_config hinterlegt. Das Kommando zum öffnen:
nano /etc/ssh/sshd_config
nano /etc/ssh/sshd_config
Im oberen Bereich der Datei findet sich direkt der Port. Dieser kann beliebig ersetzt werden.
# What ports, IPs and protocols we listen for Port 22
# What ports, IPs and protocols we listen for Port 22

Wichtig!

Bevor die Änderungen übernommen werden sollte geprüft werden ob der Port eventuell blockiert oder durch eine Firewall gesperrt ist und entsprechende Anpassungen an weiteren Diensten vorgenommen werden müssen. Bei einer minimalen Debian Installation wird es beispielsweise keine Konflikte geben.

Um die Einstellungen zu übernehmen muss der SSH Server neu gestartet werden.
systemctl restart sshd
systemctl restart sshd
Das Kommando zum Service Neustart ist distributionsabhängig. Es könnte bei dir also auch ein anderes sein.

Buzzwords

Administration | Linux | Security | SSH

no comments »

oliver: Hallo Leute, ich habe ebenfalls eine veranstalltung besucht und komme nach langen...
Humberto Gregorio: Schon etwas älterer Artikel, aber mir hat es sehr geholfen. Vielen Dank!
Loaden: “Hilfsnetzwerk für Lyoness Geschädigte Daten und Fakten über Lyoness und...
Loaden: Sollte eigentlich. Müsste getestet werden.
Uli: Geht das auch noch mit der 1.9.1?
Loaden: I’m not sure about why Magento ignore the file in /local/. It’s long ago I...