{"id":32698940,"url":"https://github.com/potter3/ssh-over-tor-hidden-service","last_synced_at":"2026-05-01T23:39:22.268Z","repository":{"id":320138139,"uuid":"1075581142","full_name":"potter3/ssh-over-tor-hidden-service","owner":"potter3","description":"Secure guide for setting up SSH over a Tor Hidden Service on Parrot OS, kali linux and Debian-based systems with Fail2Ban, Anonsurf, and latency testing providing full anonymity and global access without port forwarding.","archived":false,"fork":false,"pushed_at":"2026-04-09T22:44:50.000Z","size":53,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-01T23:38:59.842Z","etag":null,"topics":["debian","linux","shell","ssh-server","tor-hidden-services"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/potter3.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-10-13T17:38:44.000Z","updated_at":"2026-04-21T09:54:00.000Z","dependencies_parsed_at":"2025-10-22T06:37:01.988Z","dependency_job_id":"9e11ee1f-9bce-4068-8766-0c2acd94710f","html_url":"https://github.com/potter3/ssh-over-tor-hidden-service","commit_stats":null,"previous_names":["potter3/ssh-over-tor-hidden-service"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/potter3/ssh-over-tor-hidden-service","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/
potter3%2Fssh-over-tor-hidden-service","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/potter3%2Fssh-over-tor-hidden-service/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/potter3%2Fssh-over-tor-hidden-service/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/potter3%2Fssh-over-tor-hidden-service/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/potter3","download_url":"https://codeload.github.com/potter3/ssh-over-tor-hidden-service/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/potter3%2Fssh-over-tor-hidden-service/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32517232,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-30T13:12:12.517Z","status":"online","status_checked_at":"2026-05-01T02:00:05.856Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["debian","linux","shell","ssh-server","tor-hidden-services"],"created_at":"2025-11-01T21:01:19.283Z","updated_at":"2026-05-01T23:39:22.253Z","avatar_url":"https://github.com/potter3.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n\n\n\u003cimg width=\"1536\" height=\"1024\" alt=\"ChatGPT Image Oct 13, 2025, 02_01_03 PM\" 
src=\"https://github.com/user-attachments/assets/b90eb4c8-ec11-41ee-bcb7-e5cf6cee7bc4\" /\u003e\n\n\n\n\n\n# ssh-over-tor-hidden-service\nSecure guide for setting up SSH over a Tor Hidden Service on Parrot OS, Kali Linux, and Debian-based systems with Fail2Ban, Anonsurf, and latency testing, providing full anonymity and global access without port forwarding.\n\n\n\n\n---\n\n## 🔒 Overview\nThis guide explains how to host an SSH server **entirely inside the Tor network** using **Parrot OS**, accessible securely from **anywhere in the world** even behind NAT or dynamic IPs.  \nIt also includes optional hardening with **Fail2Ban**, **Anonsurf**, and latency testing.\n\n\nThis setup allows you to:\n- Run SSH entirely inside the Tor network (`.onion`)\n- Access it from any device or network (no port forwarding)\n- Stay anonymous with Anonsurf (integrated with Parrot OS)\n- Protect logins using Fail2Ban\n- Measure latency and throughput easily\n\n\n\n---\n\n## 🧱 Server Setup (Parrot OS, Kali, or any Debian-based system)\n\n### 1️⃣ Install dependencies\n```bash\nsudo apt update\nsudo apt install -y tor openssh-server fail2ban torsocks micro pv\n# Installs Tor, the OpenSSH server, Fail2Ban, torsocks, the micro editor and pv\n```\n\n\n### 2️⃣ Backup current configs (safe practice)\n```bash\nsudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak\nsudo cp /etc/tor/torrc /etc/tor/torrc.bak\nsudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.conf.bak || true\n```\n\n\n### 3️⃣ Configure SSH\nConfigure SSH to listen on your custom port and only on localhost. With this setting, sshd no longer accepts connections on the machine's network IP addresses. 
This increases privacy and security.\n```bash\nsudo micro /etc/ssh/sshd_config\n```\n\n🍂 If micro is not installed:\n\n\n```bash\nsudo apt install micro\n```\n\n\n✏️ Uncomment (remove the leading '#') or add these lines (replace the port number with your custom port if you have one):\n\n```nginx\nPort 22\n# change 22 to your custom port if you use one\nListenAddress 127.0.0.1\n# SSH listens only on localhost\nPermitRootLogin no\nPasswordAuthentication yes\nPubkeyAuthentication yes\nUseDNS no\nGSSAPIAuthentication no\n```\nSave (Ctrl+S) and quit (Ctrl+Q).\n\n\n🔥 Validate and restart:\n\n```bash\nsudo sshd -t   # no output = OK\nsudo systemctl restart ssh\nsudo ss -tlnp | grep ssh\n# Expect output showing 127.0.0.1:\u003cyour_custom_ssh_port\u003e (22 by default if you have not set one)\n```\n\n🍂 If you don’t have Tor installed (quick install commands)\nDebian-family (Parrot/Kali/Ubuntu)\n```bash\nsudo apt update\nsudo apt install -y tor\n# optionally create the hidden-service directory and set its ownership\nsudo mkdir -p /var/lib/tor/ssh_service\nsudo chown -R debian-tor:debian-tor /var/lib/tor/ssh_service\nsudo systemctl enable --now tor\nsudo systemctl status tor --no-pager  # check Tor status\n```\n\n\n### 4️⃣ Configure Tor Hidden Service\nEdit the Tor configuration:\n```bash\nsudo micro /etc/tor/torrc\n```\n✏️ Scroll to the bottom and add:\n```nginx\n# SSH Hidden Service\nHiddenServiceDir /var/lib/tor/ssh_service/\nHiddenServicePort 22 127.0.0.1:22\n# if SSH uses a custom port, change the last 22 (after 127.0.0.1:) to your custom port number\n```\nSave (Ctrl+S) and quit (Ctrl+Q).\n\n🛻 
Then set ownership (important on Debian family):\n```bash\n# ensure directory ownership (Debian/Ubuntu/Parrot/Kali)\nsudo mkdir -p /var/lib/tor/ssh_service\nsudo chown -R debian-tor:debian-tor /var/lib/tor/ssh_service || sudo chown -R toranon:toranon /var/lib/tor/ssh_service || true\n```\n\n🔥 Restart Tor:\n```bash\nsudo systemctl restart tor\nsudo systemctl status tor --no-pager\n```\n\n### 5️⃣ Check Tor hidden service exists\n```bash\nsudo cat /var/lib/tor/ssh_service/hostname\n# copy the printed string -\u003e this is \u003cyour_onion\u003e.onion\nsudo cat /var/lib/tor/ssh_service/hostname \u003e ssh.txt\n# save the hostname to a file, since the onion address is long to retype\n```\n\n### 6️⃣ Configure Fail2Ban (explanation and commands below)\n\n**What Fail2Ban does (short)**\n\nFail2Ban watches logs (e.g. /var/log/auth.log) for failed login attempts; when a source hits maxretry within findtime, it bans that IP (iptables or nftables) for bantime. With a Tor hidden service, attackers must know your onion address to attempt brute force; Fail2Ban adds an extra layer if they do.\n\nCreate local jail:\n```bash\nsudo micro /etc/fail2ban/jail.local\n```\n✏️ Paste:\n```ini\n[DEFAULT]\n# comments go on their own lines: fail2ban does not treat a trailing '#' as a comment\n# ban for 1 hour (value in seconds)\nbantime  = 3600\nfindtime = 600\n# ban after 3 failed password attempts\nmaxretry = 3\n\n[sshd]\nenabled  = true\n# 22 unless sshd uses a custom port\nport     = 22\nfilter   = sshd\nlogpath  = /var/log/auth.log\nmaxretry = 3\n```\n\n🔥 Save \u0026 quit, then enable/start:\n```bash\nsudo systemctl enable --now fail2ban\nsudo systemctl restart fail2ban\nsudo fail2ban-client status          # list all jails\nsudo fail2ban-client status sshd     # You should see a banned IP in the Banned IP list\n```\n---\nSimulate failed logins to test\n\nFrom another machine (or WSL), attempt a wrong password repeatedly (replace with your onion and username)\n\n\n\n🏁 Enable services at boot\n```bash\nsudo systemctl enable ssh\nsudo systemctl enable tor\n```\n- Check Tor hidden service 
exists\n```bash\nsudo ls -l /var/lib/tor/ssh_service/\n# the service's private key (hs_ed25519_secret_key for v3 onion services) is in this directory; keep it secret\n```\n\n- Test SSH locally via Tor (from server itself)\n```bash\nsudo apt install -y torsocks  # if not present\ntorsocks ssh -p 22 \u003cUSERNAME\u003e@\u003cyour_onion\u003e.onion exit\n# USERNAME is your Linux account on the server; your_onion is the address from the hostname file\n# -p is the onion service's virtual port (the first number in HiddenServicePort), so it stays 22 with the torrc above\n```\n\nIf it connects and asks for a password, it’s working.\n\n---\n### Installing WSL (Debian) on Windows / Connecting to SSH over Tor (WSL) \nConnecting to an SSH server over Tor is different from regular SSH.\nInstead of using a public IP address, you connect to a private .onion domain that exists entirely inside the Tor network.\nThis keeps both your client and server completely anonymous, no IPs are exposed, and no port forwarding is needed.\n\nTo make things easier on Windows, we’ll use WSL (Windows Subsystem for Linux) with the Debian distribution.\nWSL lets you run a full Linux environment directly inside Windows, no virtual machine, no dual boot, and it’s simpler to set up than using CMD or PowerShell for Tor connections.\n\n\n### Option 1: Download from the Microsoft Store\n\n\u003cimg width=\"1488\" height=\"1163\" alt=\"image\" src=\"https://github.com/user-attachments/assets/23004987-787b-4b8c-9dd4-ea0c81df028a\" /\u003e\n\n\n### Option 2: \n1. Open PowerShell as Administrator\nPress **Win + X** → select Windows PowerShell (Admin) or Terminal (Admin).\n\n2. Run this command to install WSL with Debian\n```bash\nwsl --install -d Debian\n```\n3. Restart your computer when prompted.\n4. **Launch Debian**\n\nAfter restart, open the Start Menu → search for Debian → run it.\nIt will initialize the system and ask you to create a Linux username and password.\n\n5. Update packages (inside Debian terminal):\n```bash\nsudo apt update \u0026\u0026 sudo apt upgrade -y\n```\n6. 
Install required tools:\n```bash\nsudo apt install -y torsocks openssh-client\nsudo apt install ssh\n```\n\n### Once that’s done, your Windows system is ready to connect securely to your .onion SSH service using:\n\n```bash\ntorsocks ssh -p 22 \u003cusername\u003e@\u003cyour_onion\u003e.onion\n```\n\n### With a Tor hidden service, Fail2Ban won’t really help.\nSSH sees all logins as coming from 127.0.0.1 (Tor connects locally), so Fail2Ban either won’t trigger or would try to ban localhost (which is ignored by default, and banning it would lock everyone out).\n## What to do instead (works reliably with Tor)\nHarden SSH itself:\n```bash\nsudo micro /etc/ssh/sshd_config\n```\nAdd/ensure:\n```nginx\nListenAddress 127.0.0.1\nPermitRootLogin no\nPasswordAuthentication yes\nMaxAuthTries 3\nLoginGraceTime 30\nMaxStartups 3:30:10\nAllowUsers your_usernames_here\nUseDNS no\nGSSAPIAuthentication no\n```\n\nThen validate and restart:\n```bash\nsudo sshd -t \u0026\u0026 sudo systemctl restart ssh\n```\n\n### 🔒 Security Notes\n\nSSH listens only on localhost → invisible to LAN/WAN.\n\nTor Hidden Service → hides your IP completely.\n\nFail2Ban → limits brute-force attempts.\n\nUse strong passwords or SSH keys.\n\nWorks anywhere — no need for port forwarding or static IP.\n\n\n\n\n### NB: There are still issues with Fail2Ban; I will fix them in the near future or find alternatives.\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpotter3%2Fssh-over-tor-hidden-service","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpotter3%2Fssh-over-tor-hidden-service","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpotter3%2Fssh-over-tor-hidden-service/lists"}