Run an Onion Service On Debian 10

Table of Contents

  1. Reasons
  2. Getting Started/Requirements
  3. Getting Rid of Default Settings
    1. Connecting Over Tor
    2. Add a User
      1. Enable SSH Login
    3. Disable Passwords, Root Login, and Change Port
  4. Install Tor and Setup SSH Hidden Service
    1. Install Tor
    2. Setup a Hidden Service
      1. Check Connection
  5. Unplug from the WWW
    1. Set SSH to Listen Only to Localhost
    2. Install UFW
  6. Cross Your Fingers
  7. Adding More Services


There are more reasons to run a .onion "site" besides selling drugs.

For instance, in the past, I have locked down servers completely using iptables leaving open only port 443/80 and doing all maintenance over ssh using a hidden service.

Also, if you are looking for a simpler or more secure way to do "dynamic DNS" to ssh into a machine in another location, you're not going to find it.

Getting Started/Requirements

You are going to need a machine or cloud server to run the service.

You could use a service like bitlaunch to get a cloud server without tying it to your identity, but this is obviously a less secure option than owning your own metal.

After this, you'll obviously need ssh access.

I shouldn't have to tell you, but at this point, you should have set up this server exclusively through tor or in person.

Your local machine can be most linux environments. I have tested this in Debian and cygwin.

Getting Rid of Default Settings

Depending on what you're using, the default options are usually:

Connecting Over Tor

Assuming you have netcat installed, use the following command to connect to your server over tor from your local machine:

ssh -o ProxyCommand='nc -x localhost:9050 %h %p' root@server-ip

If you're using standalone tor, port 9050 is what you'll be using. If not, simply run the Tor Browser Bundle and use 9150 instead.

To simplify things and make connecting easier as we progress in this tutorial, edit your ~/.ssh/config file (or create it) to contain a section like this:

Host          torbox
HostName      server-ip
Port          22
ProxyCommand  nc -x localhost:9050 %h %p
User          root

If you have publickey auth set up on the server, and your private key isn't in the default location for your ~/.ssh directory, add it to your config as well under the User directive:

IdentityFile  ~/.ssh/id_algo_root

Most cloud providers set up publickey auth using a public key you enter into their site. This tutorial will go over setting up a Ed25519 keypair later.

After doing this, you can connect by simply running ssh torbox.

Add a User

Add a user and set a secure password. I use KeePassXC to generate and store passwords for things like this.

Assuming you're still using the root account, and you would like to use sudo, then:

useradd -mG sudo mark
passwd mark
apt-get install sudo
su mark

Obviously use your own username.

Enable SSH Login

If you set up ssh access using publickey auth on root, simply copy over the key to your user's home directory:

mkdir ~/.ssh
sudo cp /root/.ssh/authorized_keys ~/.ssh/authorized_keys
sudo chown mark /home/mark/.ssh/authorized_keys

If you still haven't setup ssh access with publickey auth on root (or it hasn't been done automatically), or you just want a separate key for your user (don't worry, we're disabling root login in a few minutes), you'll need to generate a new keypair.

This is more easily done on your local machine using the following command:

ssh-keygen -f ~/.ssh/id_ed25519_mark -t edd25519
ssh-copy-id -i ~/.ssh/id_ed25519_mark mark@torbox

Now, make sure you can login using your new account by logging out and editing your ~/.ssh/config:

Host          torbox
HostName      server-ip
Port          22
ProxyCommand  nc -x localhost:9050 %h %p
User          mark
IdentityFile  ~/.ssh/id_ed25519_mark

And running ssh torbox.

If you have to type in your password, it's not configured correctly, and you'll be locked out in a minute.

Disable Passwords, Root Login, and Change Port

We are going to disable password login and change the ssh port.

We're also going to disable root login, so make sure you were able to log in during the last step!

Edit your /etc/ssh/sshd_config file and change/uncomment the following directives:

Port                    1234
PermitRootLogin         no
PasswordAuthentication  no

The port number is obviously your choice. I suggest using a suitable tool to pick a random port number.

And restart SSH:

sudo systemctl restart ssh

Then, log out, and edit your ~/.ssh/config file to reflect the updated port.

Host          torbox
HostName      server-ip
Port          1234
ProxyCommand  nc -x localhost:9050 %h %p
User          mark
IdentityFile  ~/.ssh/id_ed25519_mark

And then log back in using ssh torbox.

Install Tor and Setup SSH Hidden Service

Now it's time to install tor and setup a hidden service for ssh access.

I recommend you create a different hidden service (.onion address) for each service on your server, i.e. one for http, one for ssh, etc.

For this tutorial, we will just be setting up the ssh one.

Install  tor

Self explanatory.

sudo apt-get install tor

Setup a Hidden Service

Edit your tor configuration file at /etc/tor/torrc and uncomment and edit the lines for a hidden service using your ssh port.

HiddenServiceDir /var/lib/tor/ssh_service/
HiddenServicePort 1234

Then, restart tor:

sudo systemctl restart tor

After waiting for tor to connect, get your .onion address:

sudo cat /var/lib/tor/ssh_service/hostname

Check Connection

Log out, and then edit your ~/.ssh/config to connect to the hidden service:

Host          torbox
HostName      valid-onionv3-address.onion
Port          1234
ProxyCommand  nc -x localhost:9050 %h %p
User          mark
IdentityFile  ~/.ssh/id_ed25519_mark

Obviously, use your correct .onion address. Login using ssh torbox.

Unplug from the WWW

Now, we're going to unplug from anything other than tor. tor is handy in this respect in that it can function independent of your firewall settings.

Set  ssh  to Listen Only On Loopback

You don't need to login "in the clear" anymore, and leaving ssh open to port scanners is silly when you have the hidden service.

Edit your /etc/ssh/sshd_config and uncomment/edit the following directives.

ListenAddress ::1

Then, restart ssh using sudo systemctl restart ssh.

Install  ufw

Install ufw using sudo apt-get install ufw.

The neat thing about this is that you can use the most restrictive (practical) firewall settings and still be able to connect over tor:

sudo ufw default deny incmoing
sudo ufw enable

Cross Your Fingers

Simply log out, and log back in using ssh torbox.

Did it work? Congratulations! You're done.

Well, not really. You have ssh installed. You can now do simple things like put a git repository to push/pull from or use things like rsync built on top of ssh.

Adding More Services

Adding more services is as simple as installing the service (like nginx for http), configuring it to listen only on loopback, and then adding the two lines to your torrc and restarting tor.