Shodan has been called the "hacker's search engine" because it's literally a searchable database of internet-connected devices and servers. It allows anyone to search for webcams, routers, servers, Raspberry Pis, traffic lights, point of sale systems, industrial control systems, and much more.
Keep your SSH service out of Shodan's database before hackers find new ways to bypass the password protecting the server.
Why Set Up SSH with Tor?
Any internet-connected device will inevitably be scanned by Shodan, Censys. Hackers use these databases to locate out-of-date, vulnerable servers. Even system administrators who regularly update their servers and follow the best security practices are exposed to exploits. The libSSH vuln allowed hackers to connect to SSH services without first performing authentication. Blackhat's sometimes horde and sell vulnerabilities in private communities.
Tor onion services can help mitigate exposure. Much like how onion websites can't be accessed using a standard web browser, SSH services can be configured only to allow access over Tor. It can make services entirely inaccessible for search engines like Shodan and more difficult for hackers to find.
The first thing we need to do is install Tor on the VPS and the client computer. The client can be a Debian, Ubuntu, or a Kali system to follow along.
Tor is available in many Linux repositories. In most cases, the packages aren't reliably maintained or updated.
Add the Tor Project's repository to your APT repository list:
echo -e "deb https://deb.torproject.org/torproject.org stretch main \ndeb-src https://deb.torproject.org/torproject.org stretch main" > /etc/apt/sources.list.d/tor.list
Debian:
echo -e "deb https://deb.torproject.org/torproject.org $(lsb_release -sc) main \ndeb-src https://deb.torproject.org/torproject.org $(lsb_release -sc) main" > /etc/apt/sources.list.d/tor.list
Now, download Tor Project's package signing key and import it into our APT keyring:
wget -O- https://deb.torproject.org/torproject.org/A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89.asc | sudo apt-key add -
Then, update APT: apt-get update
Install Tor: apt-get install tor deb.torproject.org-keyring torsocks
Create an Onion Service on the Server:
stop Tor the process using the systemctl command: sudo systemctl stop tor
Then, edit the configuration file with nano: sudo nano /etc/tor/torrc
Scroll down to the "This section is just for location-hidden services" section.
it shows as below:
Uncomment '#' at "HiddenServiceDir" and "HiddenServicePort" line. Result:
Save and exit. Then we restart Tor: sudo systemctl restart tor
The "hostname" file in the /var/lib/tor/other_hidden_service/ directory will hold the new onion address
Now, Use cat to read the file to which hold the new onion address:
cat /var/lib/tor/other_hidden_service/hostname
We will get the same this: sqyrsn5twzv6c6357a62cgw5mxd26q6pojpfw5kcuh3fprstiikpdmad.onion
Next step we verify the Onion service is working. We can using the torsocks
torsocks curl http://sqyrsn5twzv6c6357a62cgw5mxd26q6pojpfw5kcuh3fprstiikpdmad.onion:22
We also can use wget, or nmap to transparently Tor-ify
By default, most SSH services are listening on every IPv4 interface. While not the case for all Linux distributions, this is true for popular ones like Ubuntu and Debian.
This is usually represented as "0.0.0.0" in the /etc/ssh/sshd_config file, where SSH stores all of the service configurations.
SSH services configured this way makes it possible to access the server from any computer in the world. Which is convenient for website administrators who need to make changes to their website from different devices and networks.
First, let's have a look at SSH service running in the background. Use ss, a tool for investigating sockets, to show processes (-p) listening (-l) for TCP (-t) connections.
ss -plt
If the server has applications running in the background (e.g., Apache, Nginx, IRC software, etc.), many services may appear here. Let's focus on the Local Address:Port column which reads *:ssh. Wildcards indicate the SSH service is listening on every available IPv4 and IPv6 interface.
Shodan is able to locate this SSH service because it's available (listening) in this state. To change this, open sshd_confnig:
sudo nano /etc/ssh/sshd_confnig
find "ListenAddress" line and uncomment and change line to 127.0.0.1 from:
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
to
#Port 22
#AddressFamily any
ListenAddress 127.0.0.1
#ListenAddress ::
When every ListenAddress is commented out, SSH falls back to its default configuration to listen on every interface.
Restart SSH service: sudo systemctl restart ssh
Connect to the SSH Server Using Tor from the client e.g: laptop or remote computer, use torsocks command to connect to SSH service.
torsocks ssh -p 22 username@sqyrsn5twzv6c6357a62cgw5mxd26q6pojpfw5kcuh3fprstiikpdmad.onion
Now, make sure the SSH Service isn't visible to Shodan, use the "ss -plt" command again to view listening services
It should no longer report SSH listening on every available interface, only 127.0.0.1 like below
We can further verify this by executing a simple nmap version scan on the server.
nmap -p 22 -sV <vps ip here>
The SSH service may still appear on Shodan for days or even weeks. Configuring Tor to work with SSH services in this way hides it from Shodan but doesn't make it entirely impossible to locate by hackers. It can still be reached using Tor, which significantly minimizes its overall exposure but doesn't make it altogether impervious to attacks.
Thanks Null-byte
