How to secure SSH access to your server using TOR's hidden service?

Tags: Server Management

Published on: January 22, 2019 by Daniel Wren

At first glance, TOR is used to browse the darknet or to bypass firewall restrictions, i.e. if your firewall blocks certain websites, you can use the TOR browser to access them. It's really tough to block access to the TOR network when your users are using TOR bridges. I know of a few firewalls which will block known TOR relays, but I am yet to discover a firewall which could block even the TOR bridge relays.

The good part is that TOR can be used to secure or access any service on a server where the TOR server is installed. So let's see how you can secure your SSH service using TOR. Securing using TOR does not mean that TOR itself secures the server: we disable SSH access for the public by making sshd listen only on localhost, and then access it through TOR. This method is not highly recommended though, and is here for academic interest (I don't have a specific reason other than that TOR is generally considered bad).

Steps to follow

  • Install TOR

  • Setup and change the /etc/ssh/sshd_config to listen only on

  • Open /etc/tor/torrc. Please change the value

       HiddenServiceDir /var/lib/tor/sagesssh

       HiddenServicePort 22
  • Create a folder by the name /var/lib/tor/sagesssh and change the ownership to the same user who runs the tor server.

  • Restart the tor daemon and make sure that you see two files in that folder: hostname and private_key. If not, check the log files for error messages; most probably the cause is a permissions or ownership issue. In hostname you'll find your public onion address, which you have to use to access your service, like 32rfckwuorlf4dlv.onion

  • You can use the below SSH command to access the above SSH server:

        ssh -o ProxyCommand='nc -x localhost:9150 %h %p' xxxxxxxxxx.onion

       (xxxxxxxxxx.onion like 32rfckwuorlf4dlv.onion)
  • To avoid typing the above command every time, you can put the below snippet in your $HOME/.ssh/config (with the necessary changes; you may use nc or socat, depending on whichever you have installed)

         Host this-server
             HostName xxxxxxxxxx.onion
             ProxyCommand socat STDIO


Now you just have to enter “ssh this-server” and you should be inside your server through the TOR network. You are done with securing SSH using TOR…
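A quick way to confirm the result of the steps above, as an added example that is not part of the original post: it parses an sshd_config and a torrc and reports anything that would leave SSH reachable outside TOR. It assumes the loopback bind is done with sshd's ListenAddress directive (the post does not show the value); the sample configs are constructed and the function names are hypothetical.

```python
import ipaddress

# Constructed sample configs; only the two HiddenService lines come from the page.
SSHD_DEFAULT = "Port 22\n#ListenAddress 0.0.0.0\nPermitRootLogin no\n"
SSHD_LOOPBACK = "Port 22\nListenAddress 127.0.0.1\nListenAddress [::1]:22\n"
TORRC = "HiddenServiceDir /var/lib/tor/sagesssh\nHiddenServicePort 22\n"

def directives(text, name):
    """Values of a case-insensitive keyword, ignoring comments and blank lines."""
    values = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == name.lower():
            values.append(parts[1].strip())
    return values

def host_of(value):
    """Host part of 'host', 'host:port', '[v6]:port' or a bare IPv6 address."""
    value = value.split()[0]
    if value.startswith("["):
        return value[1:value.index("]")]
    return value.split(":")[0] if value.count(":") == 1 else value

def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unknown hostname: treat as not provably local

def audit(sshd_text, torrc_text):
    findings = []
    listen = directives(sshd_text, "ListenAddress")
    if not listen:
        findings.append("sshd: no ListenAddress, so sshd binds every interface")
    findings += [f"sshd: ListenAddress {v} is not loopback"
                 for v in listen if not is_loopback(host_of(v))]
    if not directives(torrc_text, "HiddenServiceDir"):
        findings.append("tor: no HiddenServiceDir configured")
    ports = directives(torrc_text, "HiddenServicePort")
    if not ports:
        findings.append("tor: no HiddenServicePort configured")
    for v in ports:
        target = v.split()[-1]  # with no explicit target, tor forwards to 127.0.0.1:VIRTPORT
        if not (target.isdigit() or target.startswith("unix:")
                or is_loopback(host_of(target))):
            findings.append(f"tor: HiddenServicePort {v} forwards to a non-loopback target")
    return findings

if __name__ == "__main__":
    for name, cfg in (("default", SSHD_DEFAULT), ("loopback", SSHD_LOOPBACK)):
        print(name, audit(cfg, TORRC) or "ok")
```

An empty list from audit() means sshd is bound to loopback only and the hidden service forwards to a local target; run it against the real /etc/ssh/sshd_config and /etc/tor/torrc contents after restarting both daemons.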


Category : Linux
