To: tor-talk@lists.torproject.org
From: s7r <s7r@sky-ip.org>
Message-ID: <55CA063E.5000904@sky-ip.org>
Date: Tue, 11 Aug 2015 17:27:10 +0300
Subject: Re: [tor-talk] SSH connection attempts through hidden service

Hello,

When you have an SSH port open to the clearnet (especially if listening
on the default port, 22) you get quite a number of such failed automated
requests. Nothing to worry about here, really, if you don't use a dumb
root password which could be included in most dictionaries. I
strongly recommend that you disable password authentication and only
allow ssh-key based authentication in sshd_config.

This is not a defect in Tor or in SSH. It's just how things work in
the wild - secure your server!

It doesn't matter that you didn't share your onion hostname; it is
available and known to the HSDirs.

You can use this feature in torrc on the server side (add it under the
HiddenServicePort entry):

    HiddenServiceAuthorizeClient basic <client name>

Tor will generate a passphrase; you can find it in the
client_keys file created in the directory where you have your
private_key and hostname (HiddenServiceDir).

This will encrypt the descriptors published by your hidden service, so
only clients who provide the correct passphrase will be able to connect.

An additional line in torrc on the client's side is needed to provide the
credential:

    HidServAuth <hostname.onion> <passphrase> <optional service description>

If there are multiple users who need to connect to this hidden
service, you can add more HiddenServiceAuthorizeClient lines, for as
many users as you have - this way if you want to remove access just to
one user, you can delete the HiddenServiceAuthorizeClient line related
to his username and that passphrase won't work any more. The same
passphrase will work from multiple places (multiple clients) at the
same time.


On 8/11/2015 3:55 AM, Jens Kubieziel wrote:
> Hi,
> 
> I'm running an SSH hidden service on some machines. Recently I was
> quite surprised to find the following lines in my logs:
> 
> Aug  5 17:06:37 linux sshd[23935]: input_userauth_request: invalid user root [preauth]
> Aug  5 17:06:51 linux sshd[23935]: Disconnecting: Too many authentication failures for root [preauth]
> 
> Nobody besides me knows the onion name. But the person who ran
> those tests tried user names like tor, hidden etc.
> 
> Has anyone also seen such connection attempts through hidden
> services?
> 
> 
> 
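
One way to check a host for the two settings recommended in the message above. This is an added example, not part of the original post and not Tor Project code. The sample configs, paths, client names and function names are constructed for illustration; only HiddenServiceDir, HiddenServicePort, HiddenServiceAuthorizeClient and the sshd_config keywords are real options.

```python
# Constructed sample configs for illustration (not from the original message).
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/ssh_open/
HiddenServicePort 22 127.0.0.1:22
HiddenServiceDir /var/lib/tor/ssh_auth/
HiddenServicePort 2222 127.0.0.1:22
HiddenServiceAuthorizeClient basic alice,bob
"""
SAMPLE_SSHD = """\
#PasswordAuthentication no
PasswordAuthentication yes
"""

def directives(text):
    """Yield (lowercased keyword, arguments) for each non-blank, non-comment line."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            yield parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def unauthenticated_ssh_services(torrc, ssh_port="22"):
    """Return HiddenServiceDirs that forward to ssh_port with no authorized clients."""
    services = []
    for key, args in directives(torrc):
        if key == "hiddenservicedir":
            services.append({"dir": args, "targets": set(), "clients": []})
        elif not services:
            continue  # option outside any hidden service block
        elif key == "hiddenserviceport" and args:
            # "VIRTPORT [TARGET]"; with no TARGET tor forwards to 127.0.0.1:VIRTPORT
            services[-1]["targets"].add(args.split()[-1].rsplit(":", 1)[-1])
        elif key == "hiddenserviceauthorizeclient":
            # "auth-type client-name,client-name,..." (a v2 onion service option)
            names = ",".join(args.split(None, 1)[1:]).split(",")
            services[-1]["clients"] += [n.strip() for n in names if n.strip()]
    return [s["dir"] for s in services if ssh_port in s["targets"] and not s["clients"]]

def sshd_findings(sshd_config):
    """Check the global section; sshd keeps the first value given for a keyword."""
    seen = {}
    for key, args in directives(sshd_config):
        if key == "match":
            break  # conditional Match blocks are out of scope for this check
        seen.setdefault(key, args.lower())
    findings = []
    if seen.get("passwordauthentication", "yes") != "no":  # sshd default is yes
        findings.append("password authentication enabled")
    if seen.get("pubkeyauthentication", "yes") != "yes":   # sshd default is yes
        findings.append("public key authentication disabled")
    return findings
```

On a real host, pass the contents of the torrc and sshd_config files in place of the samples.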

