
Re: [tor-talk] SSH connection attempts through hidden service




Hello,

When you have an SSH port open to the clearnet (especially if listening
on the default port, 22) you get quite an amount of such failed automated
requests. Nothing to worry about here, really, if you don't use a dumb
root password which could be included in most dictionaries. I
strongly recommend you disable password authentication and only
allow ssh-key based authentication in sshd_config.

This is not a defect in Tor or in SSH. It's just how things work in
the wild - secure your server!

It doesn't matter that you didn't share your onion hostname; it is
available and known to the HSDirs.

You can use this feature in torrc on the server side (add it under the
HiddenServicePort entry):
HiddenServiceAuthorizeClient basic <client name>

Tor will generate a passphrase; you can find it in the
client_keys file created in the directory where you have your
private_key and hostname (HiddenServiceDir).

This will encrypt the descriptors published by your hidden service, so
only clients who provide the correct passphrase will be able to connect.

An additional line in torrc on the client's side is needed to provide the
credential:
HidServAuth <hostname.onion> <passphrase> <optional service description>

If there are multiple users who need to connect to this hidden
service, you can add more HiddenServiceAuthorizeClient lines, for as
many users as you have - this way if you want to remove access just to
one user, you can delete the HiddenServiceAuthorizeClient line related
to his username and that passphrase won't work any more. The same
passphrase will work from multiple places (multiple clients) at the
same time.


On 8/11/2015 3:55 AM, Jens Kubieziel wrote:
> Hi,
> 
> I'm running a SSH hidden service on some machines. Recently I was
> quite surprised to find the following lines in my logs:
> 
> Aug  5 17:06:37 linux sshd[23935]: input_userauth_request: invalid user root [preauth]
> Aug  5 17:06:51 linux sshd[23935]: Disconnecting: Too many authentication failures for root [preauth]
> 
> Nobody besides me knows the onion name. But the person who ran
> those tests tried user names like tor, hidden etc.
> 
> Has anyone also seen such connection attempts through hidden
> services?
> 
> 
> 
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
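
The reply above recommends disabling password authentication in sshd_config. The following is an added example, not part of the original message, of a check that a given sshd_config really leaves only key-based logins. It assumes upstream OpenSSH defaults and does not follow Include directives; the function name and both sample configurations are constructed for illustration.

```python
# Added example: audit sshd_config text for password-based login paths.
# Defaults are upstream OpenSSH's (assumption: distro packages may differ).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",  # can still prompt for a password via PAM
    "pubkeyauthentication": "yes",
}
# Older configs use the deprecated name for keyboard-interactive.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample: the later "no" is ignored because sshd keeps the
# first value it reads for each keyword.
SAMPLE_WEAK = """\
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
"""

# Constructed sample: key-only logins.
SAMPLE_HARDENED = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""


def audit_sshd_config(text):
    """Return (effective global settings, list of findings)."""
    effective, findings, in_match = {}, [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].lower() if len(parts) > 1 else ""
        if key == "match":          # everything after this is conditional
            in_match = True
        elif key in DEFAULTS and in_match:
            if key != "pubkeyauthentication" and value == "yes":
                findings.append(f"line {lineno}: {key} enabled in a Match block")
        elif key in DEFAULTS:
            effective.setdefault(key, value)  # first occurrence wins
    for key, default in DEFAULTS.items():
        effective.setdefault(key, default)
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if effective[key] != "no":
            findings.append(f"{key} is effectively {effective[key]!r}")
    if effective["pubkeyauthentication"] != "yes":
        findings.append("pubkeyauthentication is off: key logins will fail")
    return effective, findings
```

On a live host, the output of `sshd -T` uses the same "keyword value" layout and already has Include files resolved, so it can be passed to the function instead of the raw file.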