Re: [tor-talk] SSH connection attempts through hidden service

When you have an SSH port open to the clearnet (especially if listening
on the default port, 22) you get quite a number of such failed automated
requests. Nothing to worry about here, really, if you don't use a dumb
root password which could be included in most dictionaries. I
strongly recommend that you disable password authentication and only
allow SSH-key-based authentication in sshd_config.

This is not a defect in Tor or in SSH. It's just how things work in
the wild - secure your server!

It doesn't matter that you didn't share your onion hostname; it is
available and known to the HSDirs.

You can use this feature in torrc on the server side (add it under the
HiddenServicePort entry):
HiddenServiceAuthorizeClient basic <client name>

Tor will generate a passphrase; you can find it in the
client_keys file created in the directory where you have your
private_key and hostname (HiddenServiceDir).

This will encrypt the descriptors published by your hidden service, so
only clients who provide the correct passphrase will be able to connect.

An additional line in torrc on the client's side is needed to provide the
HidServAuth <hostname.onion> <passphrase> <optional service description>

If there are multiple users who need to connect to this hidden
service, you can add more HiddenServiceAuthorizeClient lines, for as
many users as you have - this way if you want to remove access just to
one user, you can delete the HiddenServiceAuthorizeClient line related
to his username and that passphrase won't work any more. The same
passphrase will work from multiple places (multiple clients) at the
same time.

On 8/11/2015 3:55 AM, Jens Kubieziel wrote:
> Hi,
> I'm running a SSH hidden service on some machines. Recently I was
> quite surprised to find the following lines in my logs:
> Aug  5 17:06:37 linux sshd[23935]: input_userauth_request: invalid user root [preauth]
> Aug  5 17:06:51 linux sshd[23935]: Disconnecting: Too many authentication failures for root [preauth]
> Nobody besides me knows the onion name. But the person who ran
> those tests tried user names like tor, hidden etc.
> Has anyone also seen such connection attempts through hidden
> services?
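
Added example (not part of the original message or of the Tor/OpenSSH projects): a small audit of the two settings the reply recommends, flagging hidden services in a torrc that have no HiddenServiceAuthorizeClient line and an sshd_config whose global section still allows password logins. The sample configs, paths, client name and function names are constructed for illustration.

```python
# Constructed sample configs (assumptions, not taken from the thread).
TORRC = """\
HiddenServiceDir /var/lib/tor/ssh_a/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceAuthorizeClient basic alice

HiddenServiceDir /var/lib/tor/ssh_b/
HiddenServicePort 22 127.0.0.1:22
"""
SSHD_CONFIG = """\
# PasswordAuthentication no
PermitRootLogin prohibit-password
PasswordAuthentication yes
"""

def _directives(text):
    """Yield (lowercased keyword, argument string) for each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            yield parts[0].lower(), parts[1] if len(parts) > 1 else ""

def unauthenticated_services(torrc):
    """Return HiddenServiceDir paths that publish a port but authorize no client."""
    services, current = {}, None
    for key, arg in _directives(torrc):
        if key == "hiddenservicedir":
            current = services.setdefault(arg, {"ports": [], "clients": []})
        elif current is not None and key == "hiddenserviceport":
            current["ports"].append(arg)
        elif current is not None and key == "hiddenserviceauthorizeclient":
            _auth_type, _, names = arg.partition(" ")
            current["clients"] += [n.strip() for n in names.split(",") if n.strip()]
    return [d for d, s in services.items() if s["ports"] and not s["clients"]]

def password_auth_enabled(sshd_config):
    """sshd keeps the first value given for a keyword; the default is 'yes'."""
    for key, arg in _directives(sshd_config):
        if key == "match":
            break  # only the global section is examined in this example
        if key == "passwordauthentication":
            return arg.lower() != "no"
    return True

if __name__ == "__main__":
    print("services without client authorization:", unauthenticated_services(TORRC))
    print("password authentication enabled:", password_auth_enabled(SSHD_CONFIG))
```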
