################################
# WITHOUT WARRANTY OF ANY KIND #
################################
### tutorial for Debian Linux: the simplest reasonably secure way to:
# SSH over TOR stealth hidden service
# cryptocurrency nodes configuration to run in tor/onion
# unlock (decrypt) CC wallets with their passphrase as safely as the cli allows:
# keep the passphrase from being shown in plain text on screen
# keep the passphrase out of bash history
# description start with <SERVER> or <CLIENT> to know for which machine commands are for
# CC means crypto currency
### <SERVER> needs to autoconnect to the network/wireless without anyone logging in
# the easiest way is the nmtui command, run as root
# nmtui >> edit connection >> select connection
# enable automatically autoconnect
# enable available to all users
### <SERVER> install ssh, tor service, gnu screen, joe text editor and the
### key-conversion helpers (basez provides base64pem, openssl generates the keys)
apt install \
  tor \
  openssh-server \
  screen \
  joe \
  basez \
  openssl
### <SERVER> <CLIENT> on joe editor quick help
# to save file push CTRL + k + x
# to cancel file edit CTRL + c
# for more help CTRL + k + h
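### <SERVER> configure tor hidden service for ssh and blockchain nodes
# Edit the server tor config. Use /etc/tor/torrc: the package-default file
# /usr/share/tor/tor-service-defaults-torrc is replaced on every package
# upgrade, so hidden-service settings put there are silently lost.
joe /etc/tor/torrc
# Ensure the following lines are present (anywhere in the file). If any of
# them are missing, append them, e.g. with a quoted heredoc:
cat >> /etc/tor/torrc <<'EOF'
HiddenServiceDir /var/lib/tor/hidden-service-ssh/
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
EOF
# Optional, NOT needed for the hidden service itself: a control port lets
# local programs reconfigure tor at runtime (e.g. a node with listenonion=1
# creating its own onion service). With CookieAuthFileGroupReadable every
# member of the debian-tor group (see the usermod step later) gains full
# control of the tor daemon, so only enable it if something uses it.
#ControlPort 9051
#CookieAuthentication 1
#CookieAuthFileGroupReadable 1
# Legacy: version 2 onion services and their "stealth" client auth were
# removed from Tor in 0.4.6; these lines only apply to old tor releases.
#HiddenServiceVersion 2
#HiddenServiceAuthorizeClient stealth hidden-service-ssh
# server tor service restart is needed after config edit
service tor restart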
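# server tor service needs to be told which clients are authorised
# make the directory for client authorisation files. Tor usually creates it
# itself on the restart above, so -p keeps this step idempotent. Like the
# HiddenServiceDir it must belong to the tor user and be unreadable by others
# (tor refuses a hidden-service dir with looser permissions).
mkdir -p /var/lib/tor/hidden-service-ssh/authorized_clients/
chown debian-tor:debian-tor /var/lib/tor/hidden-service-ssh/authorized_clients/
chmod 700 /var/lib/tor/hidden-service-ssh/authorized_clients/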
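# generate private key for hidden service ssh client 1
# SECURITY: this is the CLIENT's secret. Ideally run these commands on the
# <CLIENT> and copy only hssshc1.pub.key to the server; if you generate it
# here, move the private key to the client over a secure channel and delete
# it from the server afterwards. umask 077 makes the key files readable by
# the creating user only (the default umask would leave them world-readable).
mkdir -p ~/private_ssl_keys && chmod 700 ~/private_ssl_keys && cd ~/private_ssl_keys
umask 077
openssl genpkey -algorithm x25519 -out ./hssshc1.prv.pem
# convert private key to the base32 form tor expects: the raw 32-byte x25519
# key is the last 32 bytes of the PKCS#8 DER body, base32 without '=' padding
grep -v " PRIVATE KEY" ./hssshc1.prv.pem | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > ./hssshc1.prv.key
# convert public key the same way (last 32 bytes of the SubjectPublicKeyInfo DER)
openssl pkey -in ./hssshc1.prv.pem -pubout | grep -v " PUBLIC KEY" | base64pem -d | tail --bytes=32 | base32 | sed 's/=//g' > ./hssshc1.pub.key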
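# register client 1's public key as an authorised client. The file holds
# exactly one line of the form
#   <auth-type>:<key-type>:<base32-encoded-public-key>
# for example
#   descriptor:x25519:01234...56
# Writing it with a single printf (and > instead of >>) replaces the former
# "append, then fix the line by hand in joe" step and cannot leave a second,
# malformed line behind when re-run.
printf 'descriptor:x25519:%s\n' "$(cat ~/private_ssl_keys/hssshc1.pub.key)" > /var/lib/tor/hidden-service-ssh/authorized_clients/client1.auth
# update permissions: the file must be readable by the tor user; it is plain
# data, so 600 (no execute bit) is the right mode, not 700
chown debian-tor:debian-tor /var/lib/tor/hidden-service-ssh/authorized_clients/client1.auth
chmod 600 /var/lib/tor/hidden-service-ssh/authorized_clients/client1.auth
# restart service so the new client is loaded
service tor restart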
# <SERVER> check autogenerated hidden service onion address (this is public;
# it is what the client puts in its .auth_private file and connects to)
less /var/lib/tor/hidden-service-ssh/hostname
# <SERVER> the client private key has to reach the <CLIENT>. Viewing it here
# leaves it in terminal scrollback / screen logs, which is exactly what this
# howto tries to avoid for passphrases; prefer copying the file over an
# existing secure channel and deleting it from the server once the client has it.
less ~/private_ssl_keys/hssshc1.prv.key
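# <CLIENT> in case of hidden service version 3
# point the client's tor at a directory for onion client-auth keys. Edit
# /etc/tor/torrc (not the package-default file under /usr/share, which is
# overwritten on upgrade) and make sure it contains:
#   ClientOnionAuthDir /var/lib/tor/onion_auth
joe /etc/tor/torrc
# create the auth dir; as on the server side it belongs to the tor user and
# must not be readable by anyone else
mkdir -p /var/lib/tor/onion_auth/
chown debian-tor:debian-tor /var/lib/tor/onion_auth/
chmod 700 /var/lib/tor/onion_auth/
# create the client auth file (the name must end in .auth_private) with one line:
#   <56-char-onion-addr-without-.onion-part>:descriptor:x25519:<x25519 private key in base32>
# for example:
#   rh5d6reakhpvuxe2t3next6um6iiq4jf43m7gmdrphfhopfpnoglzcyd:descriptor:x25519:ZDUVQQ7IKBXSGR2WWOBNM3VP5ELNOYSSINDK7CAUN2WD7A3EKZWQ
# the onion address is the server's /var/lib/tor/hidden-service-ssh/hostname,
# the private key is the content of hssshc1.prv.key generated for this client
joe /var/lib/tor/onion_auth/client1.auth_private
# this file holds a private key: tor user only, no execute bit
chown debian-tor:debian-tor /var/lib/tor/onion_auth/client1.auth_private
chmod 600 /var/lib/tor/onion_auth/client1.auth_private
# restart the client's tor so it picks up the new auth file
service tor restart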
# <CLIENT> in case of hidden service version 2 (legacy: v2 onion services were removed from Tor in 0.4.6, so this only applies to old releases)
# on the client machine add the authorisation line taken from the server's hostname file to /etc/tor/torrc
joe /usr/share/tor/tor-service-defaults-torrc
# added lines on client should looks like this:
HidServAuth onion-address authorization-key
# <SERVER> and <CLIENT> allow username to use tor
# NOTE(review): membership in debian-tor is only needed to read the control
# cookie (CookieAuthFileGroupReadable); plain torsocks/SOCKS use works without
# it. With a ControlPort enabled it lets that user fully control the tor
# daemon, so only add users that really need that.
sudo usermod -a -G debian-tor username
# now logout and login the usernames so the new group membership takes effect
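### <SERVER> optionally configure ssh on server to accept connections only from localhost (i.e. only through the tor hidden service)
# file
joe /etc/ssh/sshd_config
# update with line; sshd then binds only the loopback address, so port 22 is
# unreachable from the LAN/internet while the hidden service still forwards
# to 127.0.0.1:22
ListenAddress 127.0.0.1
# do NOT rely on /etc/hosts.allow ("sshd: localhost") for this: an allow rule
# on its own denies nothing (it would also need "sshd: ALL" in /etc/hosts.deny),
# and current OpenSSH builds (upstream dropped tcp_wrappers in 6.7, Debian's
# package followed) no longer consult it at all.
# restart ssh after the edit so the new bind address is used
service ssh restart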
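### <CLIENT> to configure ssh on client machine and export public key to server
# <CLIENT> generate a sufficiently strong client key pair for ssh; set a
# passphrase when asked so a stolen key file alone is not enough to log in
# <CLIENT> if you already have a key you use with ssh, skip this step
ssh-keygen -t rsa -b 4096
ssh-keygen -t ed25519 -a 100
# <CLIENT> export public key from client to server machine. The server is
# only reachable as a .onion, so this must go through tor as well: without
# torsocks the name cannot be resolved and is leaked to the local DNS resolver
torsocks ssh-copy-id username@server_address.onion
# <SERVER> if the previous ssh-copy-id command does not work, prepare the file by hand
mkdir -p ~/.ssh/
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
# plain data file: owner read/write only, no execute bit (sshd only requires
# that it is not writable by others)
chmod 600 ~/.ssh/authorized_keys
# <SERVER> now open the auth keys file with joe and paste the content of the
# <CLIENT> files ~/.ssh/id_ed25519.pub and ~/.ssh/id_rsa.pub, one key per line:
joe ~/.ssh/authorized_keys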
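### <SERVER> enable pubkey auth on server and test if it is working
joe /etc/ssh/sshd_config
# update config about line or change line to (this is the OpenSSH default,
# so it only matters if the file currently sets it to no):
PubkeyAuthentication yes
# save file ctrl + k + x
# validate the config before restarting: a typo in sshd_config would leave
# you without ssh access to a box that is only reachable over tor
sshd -t
# restart ssh service
service ssh restart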
### <CLIENT> now test if pubkey was copied and ssh pubkey auth configured correctly
# (torsocks routes the connection through the local tor SOCKS port; the .onion
# name cannot be reached or resolved without it)
torsocks ssh username@genratedonionaddress.onion
# if login works without asking for the user's password (asking `Enter passphrase for key` is ok, that is the local key passphrase) you can continue, else check previous steps...
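### <SERVER> if pubkey auth is working you can disable password auth to prevent server hack by weak password
joe /etc/ssh/sshd_config
# update config about lines or change lines to:
PasswordAuthentication no
# a password prompt can also be delivered through PAM's keyboard-interactive
# method, so turn that off too (older OpenSSH documents the same option as
# ChallengeResponseAuthentication no)
KbdInteractiveAuthentication no
# save file ctrl + k + x
# validate before restarting so a typo cannot lock you out
sshd -t
# restart ssh service
service ssh restart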
### <CLIENT> now test that password auth really is disabled, by trying another username which has no key in authorized_keys
torsocks ssh anotherusername@genratedonionaddress.onion
# expected: "Permission denied (publickey)" with NO password prompt; if you are asked for a password, check the previous step
### <CLIENT> now the server seems to be ready: ssh in to configure and run the cc nodes
torsocks ssh username@genratedonionaddress.onion
### <SERVER> multiple opened terminals by gnu screen on one ssh session
# Some of the regularly used Linux screens commands:
# Ctrl+a c Command to create a new window (with shell)
# Ctrl+a " Command to list all window
# Ctrl+a 0 Switch to window 0 (by number )
# Ctrl+a A The command to rename the current window
# Ctrl+a S Command to split current region horizontally into two regions
# Ctrl+a | Split current region vertically into two regions
# Ctrl+a tab Command to switch the input focus to the next region
# Ctrl+a Ctrl+a Toggle between the current and previous region
# Ctrl+a Q Close all regions but the current one
# Ctrl+a X Command to close the current region
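# screen session on server
# connect to server by ssh (through tor, exactly like the login tests above;
# a bare ssh to a .onion name fails and leaks the name to your DNS resolver)
torsocks ssh username@server_address.onion
# run first time screen session or reconnect to the already opened session
screen -R
# use ctrl + a + c to create enough windows
# use ctrl + a + <0..9> or <n p> or <"> to switch between windows
# manage your running cc nodes, cli, other commands, whatever...
# screen also supports scrolling terminal output page up/down: ctrl + a + escape
# once you are done use ctrl + a + d to detach from the screen session
# anytime you need something, just ssh in again and reconnect to the running screen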
### <SSH> hopefully you have all blockchain nodes already downloaded or compiled yourself; if not you can follow the howto
linux_blocknet_blockdx_dxmakerbot_howto.txt
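### <SSH> configure blockchain nodes on server to connect to network by tor
# for example edit configuration files
joe ~/.pivx/pivx.conf
joe ~/.blocknet/blocknet.conf
joe ~/.litecoin/litecoin.conf
joe ~/.bitcoin/bitcoin.conf
# with new/updated lines (Bitcoin Core style options; check that each coin's
# daemon accepts them, forks usually do)
server=1 #need for RPC CLI
# keep the RPC defaults (loopback bind, cookie auth); never add rpcallowip for
# other hosts on a node that holds wallet keys
#~ port=41416 if some wallets needs to be running multiple times is good to change port
#~ rpcport=41418 if some wallets needs to be running multiple times is good to change RPC port
listen=1
listenonion=0 # do not auto-create an onion service for inbound connections (that would need the tor ControlPort)
#~ onlynet=ipv6
#~ onlynet=ipv4 # optionally
onlynet=onion # for connections use tor only
maxconnections=12
# NOTE(review): with only onion= set, older Bitcoin Core releases still
# resolved the DNS seeds through the system resolver on first start, which
# tells your DNS provider that this host runs a node; setting proxy= as well
# sends those lookups through tor too. Verify for the release/coin you run.
#~ proxy=127.0.0.1:9050
onion=127.0.0.1:9050
bind=127.0.0.1 # p2p socket on loopback only; peers are reached outbound via tor
bantime=180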
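### how to unlock wallet by password for your crypto currency without it being shown on screen or stored in bash history
# The "$(read -s ...; printf ...)" trick keeps the passphrase out of bash
# history (history stores the typed command, not what the substitution
# expanded to) and off the terminal. It does NOT hide it from the cli's
# argument list: while the RPC call runs any local user can read it from
# ps / /proc/<pid>/cmdline, so prefer a cli that reads the passphrase from
# stdin (bitcoin-cli -stdinwalletpassphrase below) wherever one is available.
# Also: 9999999999 seconds is ~317 years, i.e. the wallet key stays decrypted
# in memory for as long as the daemon runs; use the shortest timeout you can.
# read -r keeps backslashes in the passphrase literal and printf '%s' passes it
# through unchanged (the former unquoted echo $undo word-split it and would
# swallow a passphrase such as "-n").
# run separated blocknet wallet(at directory ~/.blocknet_staking) used only for staking example command
cd ~/Downloads/cryptotrading/blocknet/git.source/src/ && ./blocknetd -printtoconsole -nodebuglogfile -datadir="$HOME/.blocknet_staking/" -wallet=wallet_block_staking
# unlock staking wallet for staking only (the trailing "true")
./blocknet-cli -datadir="$HOME/.blocknet_staking/" walletpassphrase "$(read -rsp "pwd" undo; printf '%s' "$undo")" 9999999999 true
# run blocknet wallet used for DEX dxbot trading/liquidity example command
cd ~/Downloads/cryptotrading/blocknet/git.source/src/ && ./blocknetd -printtoconsole -nodebuglogfile -datadir="$HOME/.blocknet/" -wallet=wallet_block_dex
# some wallets need this workaround to fully unlock the wallet (no stdin option)
./blocknet-cli walletpassphrase "$(read -rsp "pwd" undo; printf '%s' "$undo")" 9999999999
# run bitcoin wallet used for DEX dxbot trading/liquidity example command
cd ~/Downloads/cryptotrading/bitcoin/git.source/src/ && ./bitcoind -printtoconsole -nodebuglogfile -datadir="$HOME/.bitcoin/" -wallet=wallet_btc_dex
# bitcoin-cli can read the passphrase from stdin, so it never appears in argv
./bitcoin-cli -stdinwalletpassphrase walletpassphrase 9999999999
# run litecoin wallet used for DEX dxbot trading/liquidity example command
cd ~/Downloads/cryptotrading/litecoin/git.debian/src/ && ./litecoind -printtoconsole -nodebuglogfile -datadir="$HOME/.litecoin/" -wallet=wallet_ltc_dex
# some wallets need this workaround to fully unlock the wallet
./litecoin-cli walletpassphrase "$(read -rsp "pwd" undo; printf '%s' "$undo")" 9999999999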
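# other useful RPC command examples; run each as ./<coin>-cli <command> [args]
# (with the same -datadir= the daemon was started with)
help
help walletpassphrase # more help and usage of one specific command
getstakingstatus
getwalletinfo
listreceivedbyaddress 0 true | grep -e address -e label # list all generated addresses, also zero balance
listunspent 0 | grep -e address -e label -e amount -e confirmations # list all utxos also 0 times confirmed
listaddressgroupings | grep -v -e "\[" -e "\]" # list already used addresses and actual balance
getconnectioncount
getpeerinfo
listbanned
clearbanned
setnetworkactive false # disable all p2p networking; "true" re-enables it (the RPC takes a JSON boolean, not 0/1)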
### server summary:
# server accessible through SSH over a client-authenticated ("stealth") onion service
# server running terminal screen session with multiple commands
# cc nodes running as anonymous onion clients