<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="">
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
<title>Remote anonymous access setup (cockpit + ssh through tor)</title>
<!-- Bootstrap core CSS -->
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
<link href="../../assets/css/xt256.css" rel="stylesheet">
<!-- Custom styles for this template -->
<link href="../../assets/css/main.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
<![endif]-->
</head>
<body>
<!-- +++++ Posts Lists +++++ -->
<!-- +++++ First Post +++++ -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-05-02</ba></p>
<h1>Remote anonymous access setup (cockpit + ssh through tor)</h1>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /grey -->
<!-- +++++ Second Post +++++ -->
<div id="anon3">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Initial Setup</b></h2>
<p>On your server, edit the torrc file to expose sshd as a hidden service, like so:</p>
<pre><code class="nim">
[ Datura ] [ /dev/pts/9 ] [~]
→ cat /etc/tor/torrc
HiddenServiceDir /var/lib/tor/onions/daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion/
HiddenServicePort 22 127.0.0.1:22
HiddenServicePort 80 127.0.0.1:4443
</code></pre>
<p>Then edit your local ~/.ssh/config so that the .onion host is reached through Tor's local SOCKS port (127.0.0.1:9050):</p>
<pre><code class="nim">
[ mainpc ] [ /dev/pts/7 ] [~]
→ cat .ssh/config
Host web-gw2024-dedi
User root
hostname 37.27.32.233
IdentityFile ~/.ssh/torified
Host tortura
User root
hostname daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
IdentityFile ~/.ssh/torified
proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p
Host datura
User root
hostname 65.109.30.253
IdentityFile ~/.ssh/torified
</code></pre>
<p>Then restart your local tor daemon and connect to the host via SSH:</p>
<pre><code class="nim">
[ mainpc ] [ /dev/pts/5 ] [~]
→ systemctl restart tor@default
[ mainpc ] [ /dev/pts/5 ] [~]
→ ssh tortura
The authenticity of host 'daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion (&lt;no hostip for proxy command&gt;)' can't be established.
ED25519 key fingerprint is SHA256:A0CFTeUixGoK96VenBQ7Z2U8kX5olDCqBvBNeJUfs6I.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:144: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion' (ED25519) to the list of known hosts.
Enter passphrase for key '/home/nihilist/.ssh/torified':
Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 2 14:47:23 2024 from 178.255.149.178
[ Datura ] [ /dev/pts/11 ] [~]
</code></pre>
<p>So <b>that's how you do it if you cannot reach the server on a public IP directly</b>, but keep in mind that the latency is most likely unbearable due to the 6-hop circuit: going through the .onion address joins your own 3-hop circuit to the hidden service's 3-hop circuit at a rendezvous point, with no exit node involved.</p>
<p>So if the server does have a public IP, you're probably better off connecting to that IP but <b>forcing the SSH connection through Tor using torsocks, which greatly reduces the latency (3 hops instead of 6)</b>. The trade-off is that the connection now leaves Tor through an exit node that can see the server's IP, so the SSH host key check is what protects you on that last leg:</p>
<pre><code class="nim">
[ mainpc ] [ /dev/pts/7 ] [~]
→ torsocks ssh datura
Enter passphrase for key '/home/nihilist/.ssh/torified':
Linux Datura 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu May 2 15:48:08 2024 from 127.0.0.1
[ Datura ] [ /dev/pts/12 ] [~]
→ id
uid=0(root) gid=0(root) groups=0(root)
</code></pre>
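<p>As an added check (not part of the original post), here is a small linter for the two cases above: it walks a <code>~/.ssh/config</code> like the one shown and reports any <code>.onion</code> host that lacks a ProxyCommand through the local Tor SOCKS port (127.0.0.1:9050), and lists every plain-IP host so you remember it only goes through Tor when ssh is wrapped in torsocks. The sample config it writes is constructed for the demo; the "leaky" host and its .onion name are placeholders.</p>

```sh
# Added example, not from the original post: lint an ssh_config so no host
# silently bypasses Tor. Rules derived from the post's setup:
#  - a Host whose HostName ends in .onion is only reachable through Tor, so it
#    must carry a ProxyCommand via the local Tor SOCKS port (127.0.0.1:9050);
#  - any other Host goes out directly unless ssh is wrapped in torsocks, so it
#    is reported as "needs-torsocks".

# check_ssh_config FILE: prints "<host> onion-ok", "<host> ONION-NO-PROXY" or
# "<host> needs-torsocks" per Host block; exit 1 if an onion host has no proxy.
check_ssh_config() {
    awk '
    BEGIN { bad = 0 }
    function report() {
        if (host == "") return
        if (hostname ~ /\.onion$/) {
            if (proxy ~ /127\.0\.0\.1:9050/) print host, "onion-ok"
            else { print host, "ONION-NO-PROXY"; bad = 1 }
        } else {
            print host, "needs-torsocks"
        }
    }
    # ssh_config keywords are case-insensitive (hostname vs HostName), hence tolower()
    tolower($1) == "host"         { report(); host = $2; hostname = ""; proxy = ""; next }
    tolower($1) == "hostname"     { hostname = $2 }
    tolower($1) == "proxycommand" { proxy = $0 }
    END { report(); exit bad }
    ' "$1"
}

# write_sample_config FILE: constructed sample modelled on the post's config
# (tortura and datura are copied from it; "leaky" is a made-up broken entry
# with a placeholder .onion name).
write_sample_config() {
    cat > "$1" <<'EOF'
Host tortura
    User root
    hostname daturab6drmkhyeia4ch5gvfc2f3wgo6bhjrv3pz6n7kxmvoznlkq4yd.onion
    IdentityFile ~/.ssh/torified
    proxyCommand ncat --proxy 127.0.0.1:9050 --proxy-type socks5 %h %p
Host datura
    User root
    hostname 65.109.30.253
Host leaky
    hostname example-placeholder.onion
EOF
}

# Usage on a real config:  check_ssh_config ~/.ssh/config
```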
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<div id="anon2">
<div class="container">
<div class="row">
<div class="col-lg-8 col-lg-offset-2">
<h2><b>Cockpit .onion setup</b></h2> <br> <br>
<p>Let's install Cockpit from the apt repositories:</p>
<pre><code class="nim">
[ Datura ] [ /dev/pts/11 ] [~]
→ apt install cockpit -y
[ Datura ] [ /dev/pts/11 ] [~]
→ systemctl status cockpit
● cockpit.service - Cockpit Web Service
Loaded: loaded (/lib/systemd/system/cockpit.service; static)
Active: active (running) since Fri 2024-05-03 13:30:51 CEST; 2min 5s ago
TriggeredBy: ● cockpit.socket
Docs: man:cockpit-ws(8)
Process: 3563910 ExecStartPre=/usr/lib/cockpit/cockpit-certificate-ensure --for-cockpit-tls (code=exited, status=0/SUCCESS)
Main PID: 3563926 (cockpit-tls)
Tasks: 1 (limit: 77002)
Memory: 2.4M
CPU: 355ms
CGroup: /system.slice/cockpit.service
└─3563926 /usr/lib/cockpit/cockpit-tls
May 03 13:30:51 Datura systemd[1]: Starting cockpit.service - Cockpit Web Service...
May 03 13:30:51 Datura cockpit-certificate-ensure[3563918]: /usr/lib/cockpit/cockpit-certificate-helper: line 25: sscg: command not found
May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: ......+.....+.+......+...+.........+...+..............+.+...+..+...+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...+...+++++++++++++++++++++++++++++++>
May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: .+.........+...+...+.......+........+....+..............+.........+......+.+......+..+.+..+...+....+...+.........+.....+....+.....+++++++++++++++++++++++++++++++++++++++++++++++++>
May 03 13:30:51 Datura cockpit-certificate-ensure[3563919]: -----
May 03 13:30:51 Datura systemd[1]: Started cockpit.service - Cockpit Web Service.
May 03 13:30:51 Datura cockpit-tls[3563926]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 03 13:30:55 Datura cockpit-tls[3563926]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
</code></pre>
<p>Once it completes, just connect to it on port 9090:</p>
<img class="imgRz" src="1.png">
<p>Ignore the self-signed HTTPS warning and enable JavaScript afterwards:</p>
<img class="imgRz" src="2.png">
<p>In the Tor Browser, select the "Safer" security level so that the Cockpit page can run its JavaScript:</p>
<img class="imgRz" src="3.png">
<img class="imgRz" src="4.png">
<img class="imgRz" src="5.png">
<img class="imgRz" src="6.png">
<p>If it refuses the login, make sure the user has proper sudo access, like so:</p>
<pre><code class="nim">
[ Datura ] [ /dev/pts/11 ] [~]
→ useradd nihilist
[ Datura ] [ /dev/pts/11 ] [~]
→ passwd nihilist
New password:
Retype new password:
passwd: password updated successfully
[ Datura ] [ /dev/pts/11 ] [~]
→ usermod -aG sudo nihilist
[ Datura ] [ /dev/pts/11 ] [~]
→ visudo
# User privilege specification
root ALL=(ALL:ALL) ALL
nihilist ALL=(ALL:ALL) ALL
</code></pre>
</div>
</div><!-- /row -->
</div> <!-- /container -->
</div><!-- /white -->
<!-- +++++ Footer Section +++++ -->
<div id="anonb">
<div class="container">
<div class="row">
<div class="col-lg-4">
<h4>Nihilism</h4>
<p>
Until there is Nothing left.</p><br><br><p>Creative Commons Zero: No Rights Reserved<br><img src="\CC0.png">
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>My Links</h4>
<p>
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FL5jrGV2L_Bb20Oj0aE4Gn-m5AHet9XdpYDotiqpcpGc%3D%40nowhere.moe%2FH4g7zPbitSLV5tDQ51Yz-R6RgOkMEeCc%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEAkts5T5AMxHGrZCCg12aeKxWcpXaxbB_XqjrXmcFYlDQ%253D&data=%7B%22type%22%3A%22group%22%2C%22groupLinkId%22%3A%22c3Y-iDaoDCFm6RhptSDOaw%3D%3D%22%7D">SimpleX Chat</a><br/>
</p>
</div><!-- /col-lg-4 -->
<div class="col-lg-4">
<h4>About nihilist</h4>
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br><p><u>Contact:</u> nihilist@contact.nowhere.moe (<a href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
</div><!-- /col-lg-4 -->
</div>
</div>
</div>
<!-- Bootstrap core JavaScript
================================================== -->
<!-- Placed at the end of the document so the pages load faster -->
</body>
</html>