Run an Onion Service On Debian 10
Table of Contents
- Getting Started/Requirements
- Getting Rid of Default Settings
- Connecting Over Tor
- Add a User
- Enable SSH Login
- Disable Passwords, Root Login, and Change Port
- Install Tor and Setup SSH Hidden Service
- Install Tor
- Setup a Hidden Service
- Check Connection
- Unplug from the WWW
- Set SSH to Listen Only to Localhost
- Install UFW
- Cross Your Fingers
- Adding More Services
Getting Started/Requirements
There are more reasons to run a .onion "site" besides selling drugs.
For instance, in the past, I have locked down servers completely using iptables leaving open only port 443/80 and doing all maintenance over ssh using a hidden service.
Also, if you are looking for a simpler or more secure way to do "dynamic DNS" to ssh into a machine in another location, you're not going to find it.
You are going to need a machine or cloud server to run the service.
You could use a service like bitlaunch to get a cloud server without tying it to your identity, but this is obviously a less secure option than owning your own metal.
After this, you'll obviously need ssh access.
I shouldn't have to tell you, but at this point, you should have set up this server exclusively through tor or in person.
Your local machine can be most Linux environments. I have tested this on Debian and in Cygwin.
Getting Rid of Default Settings
Depending on what you're using, the default options are usually:
- ssh listening on port 22
- Passwords allowed, maybe publickey auth for root
- Root access is the default/allowed
Connecting Over Tor
Assuming you have netcat installed (the -x option below belongs to the OpenBSD netcat, packaged on Debian as netcat-openbsd; the traditional netcat does not have it), use the following command to connect to your server over tor from your local machine:
ssh -o ProxyCommand='nc -x localhost:9050 %h %p' root@server-ip
If you're using standalone tor, port 9050 is what you'll be using. If not, simply run the Tor Browser Bundle and use 9150 instead.
To simplify things and make connecting easier as we progress in this tutorial, edit your ~/.ssh/config file (or create it) to contain a section like this:
Host torbox
    HostName server-ip
    Port 22
    ProxyCommand nc -x localhost:9050 %h %p
    User root
If you have publickey auth set up on the server, and your private key isn't in the default location in your ~/.ssh directory, add an IdentityFile line pointing at it to your config as well, under the User directive.
Most cloud providers set up publickey auth using a public key you enter into their site. This tutorial will go over setting up a Ed25519 keypair later.
After doing this, you can connect by simply running
ssh torbox
Add a User
Add a user and set a secure password. I use KeePassXC to generate and store passwords for things like this.
Assuming you're still using the root account, and you would like to use sudo, then:
useradd -mG sudo mark
passwd mark
apt-get install sudo
su mark
Obviously use your own username.
Enable SSH Login
If you set up ssh access using publickey auth on root, simply copy the key over to your user's home directory:
mkdir ~/.ssh
sudo cp /root/.ssh/authorized_keys ~/.ssh/authorized_keys
sudo chown mark /home/mark/.ssh/authorized_keys
If you still haven't set up ssh access with publickey auth on root (or it hasn't been done automatically), or you just want a separate key for your user (don't worry, we're disabling root login in a few minutes), you'll need to generate a new keypair.
This is more easily done on your local machine using the following command:
ssh-keygen -f ~/.ssh/id_ed25519_mark -t ed25519
ssh-copy-id -i ~/.ssh/id_ed25519_mark mark@torbox
Now, make sure you can log in using your new account by logging out and editing your ~/.ssh/config:
Host torbox
    HostName server-ip
    Port 22
    ProxyCommand nc -x localhost:9050 %h %p
    User mark
    IdentityFile ~/.ssh/id_ed25519_mark
If you have to type in your password, publickey auth is not configured correctly, and you'll be locked out once password login is disabled in the next step.
Disable Passwords, Root Login, and Change Port
We are going to disable password login and change the ssh port.
We're also going to disable root login, so make sure you were able to log in during the last step!
Edit your /etc/ssh/sshd_config file and change/uncomment the following directives:
Port 1234
...
PermitRootLogin no
...
PasswordAuthentication no
The port number is obviously your choice. I suggest using a suitable tool to pick a random port number.
And restart SSH:
sudo systemctl restart ssh
Then, log out, and edit your ~/.ssh/config file to reflect the updated port.
Host torbox
    HostName server-ip
    Port 1234
    ProxyCommand nc -x localhost:9050 %h %p
    User mark
    IdentityFile ~/.ssh/id_ed25519_mark
And then log back in using
ssh torbox
Install Tor and Setup SSH Hidden Service
Now it's time to install tor and setup a hidden service for ssh access.
I recommend you create a different hidden service (.onion address) for each service on your server, e.g. one for http, one for ssh, and so on.
For this tutorial, we will just be setting up the ssh one.
Install Tor
sudo apt-get install tor
Setup a Hidden Service
Edit your tor configuration file at /etc/tor/torrc and uncomment and edit the lines for a hidden service using your ssh port.
HiddenServiceDir /var/lib/tor/ssh_service/
HiddenServicePort 1234 127.0.0.1:1234
Then, restart tor:
sudo systemctl restart tor
After waiting for tor to connect, get your .onion address:
sudo cat /var/lib/tor/ssh_service/hostname
Log out, and then edit your ~/.ssh/config to connect to the hidden service:
Host torbox
    HostName valid-onionv3-address.onion
    Port 1234
    ProxyCommand nc -x localhost:9050 %h %p
    User mark
    IdentityFile ~/.ssh/id_ed25519_mark
Obviously, use your correct .onion address.
Check Connection
Log in using
ssh torbox
Unplug from the WWW
Now, we're going to unplug from anything other than tor. Tor is handy in this respect because the hidden service only needs outbound connections from the server to the Tor network, so it keeps working no matter how restrictive your inbound firewall rules are.
Set ssh to Listen Only On Loopback
You don't need to login "in the clear" anymore, and leaving ssh open to port scanners is silly when you have the hidden service.
Edit your /etc/ssh/sshd_config and uncomment/edit the following directives.
ListenAddress 127.0.0.1
ListenAddress ::1
Then, restart ssh using
sudo systemctl restart ssh
Install UFW
Install ufw using
sudo apt-get install ufw
The neat thing about this is that you can use the most restrictive (practical) firewall settings and still be able to connect over tor:
sudo ufw default deny incoming
sudo ufw enable
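Before logging out, it is worth checking that the files now say what you think they say. The script below is an added example, not part of the original post: it audits an sshd_config and a torrc for the end state of this tutorial (loopback-only ssh, passwords and root login off, a hidden service forwarding the chosen port to 127.0.0.1) and, because the port is a parameter, works for any extra service you publish the same way. The sample configs it writes are constructed for the dry run; point the check functions at /etc/ssh/sshd_config and /etc/tor/torrc to audit a real server.

```shell
#!/bin/sh
# Added post-setup audit, not from the original post: it checks that an
# sshd_config and a torrc carry the settings this tutorial ends with. Paths and
# the ssh port are arguments, so it runs against the live files or the samples.

# Effective value of an sshd_config directive: the first uncommented match wins,
# which is how sshd itself reads the file. Prints nothing if it is absent.
sshd_opt() {  # $1=config file, $2=directive name
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Returns 0 when ssh is bound to loopback only with passwords and root login off.
check_sshd() {  # $1=config file
    f=$1; rc=0
    [ "$(sshd_opt "$f" PasswordAuthentication)" = no ] || { echo "sshd: passwords still allowed"; rc=1; }
    [ "$(sshd_opt "$f" PermitRootLogin)" = no ] || { echo "sshd: root login still allowed"; rc=1; }
    # Every ListenAddress must be loopback and at least one must be present:
    # with no ListenAddress at all, sshd binds every interface.
    awk '$1 == "ListenAddress" { n++; if ($2 != "127.0.0.1" && $2 != "::1") bad = 1 }
         END { exit (n == 0 || bad) }' "$f" || { echo "sshd: not restricted to loopback"; rc=1; }
    return $rc
}

# Returns 0 when torrc publishes the given port as a hidden service to 127.0.0.1.
check_torrc() {  # $1=torrc, $2=port the service listens on
    awk -v p="$2" '$1 == "HiddenServiceDir" { dir = 1 }
         $1 == "HiddenServicePort" && $2 == p && $3 == ("127.0.0.1:" p) { fwd = 1 }
         END { exit !(dir && fwd) }' "$1" \
        || { echo "tor: no hidden service forwarding port $2 to loopback"; return 1; }
}

# Constructed samples: a near-default pair and the end state of this tutorial.
write_samples() {  # $1=directory to write into
    printf '#Port 22\n#PermitRootLogin prohibit-password\nPasswordAuthentication yes\n' > "$1/sshd_weak"
    printf 'Port 1234\nListenAddress 127.0.0.1\nListenAddress ::1\n' > "$1/sshd_hard"
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' >> "$1/sshd_hard"
    printf '#HiddenServiceDir /var/lib/tor/hidden_service/\n' > "$1/torrc_weak"
    printf 'HiddenServiceDir /var/lib/tor/ssh_service/\n' > "$1/torrc_hard"
    printf 'HiddenServicePort 1234 127.0.0.1:1234\n' >> "$1/torrc_hard"
}

# Dry run over the samples; point the functions at the live files to audit a server.
d=$(mktemp -d) && write_samples "$d"
for c in weak hard; do
    check_sshd "$d/sshd_$c" && echo "sshd_$c: OK" || echo "sshd_$c: FAIL"
    check_torrc "$d/torrc_$c" 1234 && echo "torrc_$c: OK" || echo "torrc_$c: FAIL"
done
rm -r "$d"
```

Run it as root (or with sudo) when auditing the live files, since /etc/tor/torrc and the hidden service directory are not world-readable on every setup.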
Cross Your Fingers
Simply log out, and log back in using
ssh torbox
Did it work? Congratulations! You're done.
Well, not really. You have ssh working over the hidden service. You can now do simple things like set up a git repository to push to and pull from, or use tools like rsync that are built on top of ssh.
Adding More Services
Adding more services is as simple as installing the service (like nginx for http), configuring it to listen only on loopback, adding a new HiddenServiceDir/HiddenServicePort pair to your torrc for it, and restarting tor.