forked from nihilist/blog-contributions
277 lines
10 KiB
HTML
277 lines
10 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="utf-8">
|
|
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
<meta name="description" content="">
|
|
<meta name="author" content="">
|
|
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
|
|
|
|
<title>Remote anonymous access setup (cockpit + ssh through tor)</title>
|
|
|
|
<!-- Bootstrap core CSS -->
|
|
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
|
|
<link href="../../assets/css/xt256.css" rel="stylesheet">
|
|
|
|
|
|
|
|
<!-- Custom styles for this template -->
|
|
<link href="../../assets/css/main.css" rel="stylesheet">
|
|
|
|
|
|
|
|
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
|
|
<!--[if lt IE 9]>
|
|
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
|
|
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
|
|
<![endif]-->
|
|
</head>
|
|
|
|
<body>
|
|
|
|
<!-- Static navbar -->
|
|
<div class="navbar navbar-inverse-anon navbar-static-top">
|
|
<div class="container">
|
|
<div class="navbar-header">
|
|
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
|
|
<span class="icon-bar"></span>
|
|
<span class="icon-bar"></span>
|
|
<span class="icon-bar"></span>
|
|
</button>
|
|
<a class="navbar-brand-anon" href="\index.html">nihilist`s Blog</a>
|
|
</div>
|
|
<div class="navbar-collapse collapse">
|
|
<ul class="nav navbar-nav navbar-right">
|
|
|
|
<li><a href="/about.html">About</a></li>
|
|
<li><a href="/blog.html">Categories</a></li>
|
|
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
|
|
<li><a href="/contact.html">Contact</a></li>
|
|
</ul>
|
|
</div><!--/.nav-collapse -->
|
|
|
|
</div>
|
|
</div>
|
|
|
|
<!-- +++++ Posts Lists +++++ -->
|
|
<!-- +++++ First Post +++++ -->
|
|
<div id="anon2">
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="col-lg-8 col-lg-offset-2">
|
|
<a href="../anon.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-05-02</ba></p>
|
|
<h1>Remote anonymous access setup (cockpit + ssh through tor) </h1>
|
|
|
|
</div>
|
|
</div><!-- /row -->
|
|
</div> <!-- /container -->
|
|
</div><!-- /grey -->
|
|
|
|
<!-- +++++ Second Post +++++ -->
|
|
<div id="anon3">
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="col-lg-8 col-lg-offset-2">
|
|
<h2><b>Initial Setup </b></h2>
|
|
<p>On your server, edit the torrc file like so:</p>
|
|
<pre><code class="nim">
|
|
[ Datura ] [ /dev/pts/9 ] [~]
|
|
→ cat /etc/tor/torrc
|
|
|
|
HiddenServiceDir /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/
|
|
HiddenServicePort 22 127.0.0.1:22
|
|
HiddenServicePort 80 127.0.0.1:4443
|
|
|
|
</code></pre>
|
|
<p>Then just edit your local .ssh config to access it:</p>
|
|
<pre><code class="nim">
|
|
[ mainpc ] [ /dev/pts/7 ] [~]
|
|
→ cat .ssh/config
|
|
Host web-gw2024-dedi
|
|
User root
|
|
hostname 37.27.32.233
|
|
IdentityFile ~/.ssh/torified
|
|
|
|
Host tortura
|
|
User root
|
|
hostname daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
|
|
IdentityFile ~/.ssh/torified
|
|
proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p
|
|
|
|
Host datura
|
|
User root
|
|
hostname 65.109.30.253
|
|
IdentityFile ~/.ssh/torified
|
|
|
|
</code></pre>
|
|
<p>Then connect to the host via SSH:</p>
|
|
<pre><code class="nim">
|
|
[ mainpc ] [ /dev/pts/5 ] [~]
|
|
→ systemctl restart tor@default
|
|
|
|
[ mainpc ] [ /dev/pts/5 ] [~]
|
|
→ ssh tortura
|
|
The authenticity of host 'daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion (<<b></b>no hostip for proxy command>)' can't be established.
|
|
ED25519 key fingerprint is SHA256:A0CFTeUixGoK96VenBQ7Z2U8kX5olDCqBvBNeJUfs6I.
|
|
This host key is known by the following other names/addresses:
|
|
~/.ssh/known_hosts:144: [hashed name]
|
|
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
|
|
Warning: Permanently added 'daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion' (ED25519) to the list of known hosts.
|
|
Enter passphrase for key '/home/nihilist/.ssh/torified':
|
|
Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
|
|
|
|
The programs included with the Debian GNU/Linux system are free software;
|
|
the exact distribution terms for each program are described in the
|
|
individual files in /usr/share/doc/*/copyright.
|
|
|
|
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
|
|
permitted by applicable law.
|
|
Last login: Thu May 2 14:47:23 2024 from 178.255.149.178
|
|
|
|
[ Datura ] [ /dev/pts/11 ] [~]
|
|
→
|
|
|
|
</code></pre>
|
|
|
|
<p>So <b>that's how you do it if you cannot access the server via a public IP directly</b>, but keep in mind that the latency is most likely unbearable due to the 6 hops circuit (since we're doing it via the .onion link, rather than connecting to the IP directly)</p>
|
|
<p> so you're probably better off just connecting to the IP directly but <b>forcing the SSH connection through tor using torsocks, which greatly reduces the latency (3 hops instead of 6)</b>:</p>
|
|
<pre><code class="nim">
|
|
[ mainpc ] [ /dev/pts/7 ] [~]
|
|
→ torsocks ssh datura
|
|
Enter passphrase for key '/home/nihilist/.ssh/torified':
|
|
Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
|
|
|
|
The programs included with the Debian GNU/Linux system are free software;
|
|
the exact distribution terms for each program are described in the
|
|
individual files in /usr/share/doc/*/copyright.
|
|
|
|
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
|
|
permitted by applicable law.
|
|
Last login: Thu May 2 15:48:08 2024 from 127.0.0.1
|
|
|
|
[ Datura ] [ /dev/pts/12 ] [~]
|
|
→ id
|
|
uid=0(root) gid=0(root) groups=0(root)
|
|
|
|
</code></pre>
|
|
</div>
|
|
</div><!-- /row -->
|
|
</div> <!-- /container -->
|
|
</div><!-- /white -->
|
|
|
|
<div id="anon2">
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="col-lg-8 col-lg-offset-2">
|
|
<h2><b>Cockpit .onion setup</b></h2> </br> </br>
|
|
<p>Let's install cockpit from the apt repositories: </p>
|
|
<pre><code class="nim">
|
|
[ Datura ] [ /dev/pts/11 ] [~]
|
|
→ apt install cockpit -y
|
|
|
|
[ Datura ] [ /dev/pts/11 ] [~]
|
|
→ systemctl status cockpit
|
|
● cockpit.service - Cockpit Web Service
|
|
Loaded: loaded (/lib/systemd/system/cockpit.service; static)
|
|
Active: active (running) since Fri 2024-05-03 13:30:51 CEST; 2min 5s ago
|
|
TriggeredBy: ● cockpit.socket
|
|
Docs: man:cockpit-ws(8)
|
|
Process: 3563910 ExecStartPre=/usr/lib/cockpit/cockpit-certificate-ensure --for-cockpit-tls (code=exited, status=0/SUCCESS)
|
|
Main PID: 3563926 (cockpit-tls)
|
|
Tasks: 1 (limit: 77002)
|
|
Memory: 2.4M
|
|
CPU: 355ms
|
|
CGroup: /system.slice/cockpit.service
|
|
└─3563926 /usr/lib/cockpit/cockpit-tls
|
|
|
|
May 03 13:30:51 Datura systemd[1]: Starting cockpit.service - Cockpit Web Service...
|
|
May 03 13:30:51 Datura cockpit-certificate-ensure[3563918]: /usr/lib/cockpit/cockpit-certificate-helper: line 25: sscg: command not found
|
|
May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: ......+.....+.+......+...+.........+...+..............+.+...+..+...+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...+++++++++++++++++++++++++++++++>
|
|
May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: .+.........+...+...+.......+........+....+..............+.........+......+.+......+..+.+..+...+....+...+.........+.....+....+.....+++++++++++++++++++++++++++++++++++++++++++++++++>
|
|
May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: -----
|
|
May 03 13:30:51 Datura systemd[1]: Started cockpit.service - Cockpit Web Service.
|
|
May 03 13:30:51 Datura cockpit-tls[3563926]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
|
|
May 03 13:30:55 Datura cockpit-tls[3563926]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
|
|
|
|
</code></pre>
|
|
|
|
<p>once it completes, just connect to it on port 9090:</p>
|
|
<img class="imgRz" src="1.png">
|
|
<p>ignore the self-signed HTTPs warning and enable javascript afterward:</p>
|
|
<img class="imgRz" src="2.png">
|
|
<p>In the Tor browser, select the "Safer" security level to be able to browse to the cockpit service with javascript:</p>
|
|
<img class="imgRz" src="3.png">
|
|
<img class="imgRz" src="4.png">
|
|
<img class="imgRz" src="5.png">
|
|
<img class="imgRz" src="6.png">
|
|
|
|
<p>if it refuses the login, make sure the user has proper sudo access like so::</p>
|
|
<pre><code class="nim">
|
|
[ Datura ] [ /dev/pts/11 ] [~]
|
|
→ useradd nihilist
|
|
|
|
[ Datura ] [ /dev/pts/11 ] [~]
|
|
→ passwd nihilist
|
|
New password:
|
|
Retype new password:
|
|
passwd: password updated successfully
|
|
|
|
[ Datura ] [ /dev/pts/11 ] [~]
|
|
→ usermod -aG sudo nihilist
|
|
|
|
[ Datura ] [ /dev/pts/11 ] [~]
|
|
→ visudo
|
|
|
|
# User privilege specification
|
|
root ALL=(ALL:ALL) ALL
|
|
nihilist ALL=(ALL:ALL) ALL
|
|
|
|
</code></pre>
|
|
|
|
</div>
|
|
</div><!-- /row -->
|
|
</div> <!-- /container -->
|
|
</div><!-- /white -->
|
|
|
|
|
|
<!-- +++++ Footer Section +++++ -->
|
|
|
|
<div id="anonb">
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="col-lg-4">
|
|
<h4>Nihilism</h4>
|
|
<p>
|
|
Until there is Nothing left.
|
|
|
|
</p>
|
|
</div><!-- /col-lg-4 -->
|
|
|
|
<div class="col-lg-4">
|
|
<h4>My Links</h4>
|
|
<p>
|
|
|
|
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://matrix.to/#/#nowheremoe:nowhere.moe">Matrix Chat</a><br/>
|
|
|
|
</p>
|
|
</div><!-- /col-lg-4 -->
|
|
|
|
<div class="col-lg-4">
|
|
<h4>About nihilist</h4>
|
|
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br><p><u>Contact:</u> nihilist@nowhere.moe (<a href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
|
|
</div><!-- /col-lg-4 -->
|
|
|
|
</div>
|
|
|
|
</div>
|
|
</div>
|
|
|
|
|
|
<!-- Bootstrap core JavaScript
|
|
================================================== -->
|
|
<!-- Placed at the end of the document so the pages load faster -->
|
|
|
|
</body>
|
|
</html>
|