PINE64
Video Tut: Set Up SSH Access To Your Own Pinephone .onion (security enhancement) - Printable Version




Video Tut: Set Up SSH Access To Your Own Pinephone .onion (security enhancement) - RTP - 10-24-2020

Many Pinephone users have ssh access open. The result is that their Pinephone's ssh server shows up/is by default accessible on the open internet. This can be dangerous (especially given many undoubtedly use weak number passwords, i.e. guessable numbers doubling for screen unlock pin).

So I thought fellow Pinephone users may find this video helpful.

A quick (5min), easy video walkthrough/guide. A simple to implement security enhancement (using Mobian Pinephone as example in the video but will work on any Linux).
Make your Pinephone ssh server only accessible as a Tor .onion address (Blocking access/portscans/shodan for users on standard internet).

https://youtu.be/syKZNMVxTM4

After following the video, edit /etc/ssh/sshd_config and uncomment/edit the line to match:

ListenAddress 127.0.0.1

Optionally (in case anything in the ssh config goes wrong), block using iptables by issuing the following afterwards:

Code:
sudo iptables -A INPUT -p tcp -s 127.0.0.1 --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

The above iptables commands block ssh access to your Pinephone from all parties outside your Pinephone localhost address itself (used by tor locally). This means it won't show up when portscanned, won't show up on shodan, and cannot be brute forced without having your personal .onion address.
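
A way to confirm the ListenAddress change took effect, as an added example that is not part of the original post: the function below reads `ss -Htln` output (iproute2, assumed installed) and reports any listener on the ssh port that is bound outside loopback. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data below is constructed.

# Reads `ss -Htln` lines on stdin; prints every Local Address:Port entry on
# port $1 (default 22) that is NOT bound to 127.0.0.0/8 or [::1].
non_loopback_ssh() {
    port="${1:-22}"
    awk -v port="$port" '
        {
            addr = $4                       # column 4 = Local Address:Port
            n = split(addr, parts, ":")
            if (parts[n] != port) next      # port follows the last colon
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", host)           # drop interface scope such as %lo
            if (host ~ /^127\./ || host == "[::1]") next
            print addr
        }'
}

# Returns 0 when the port is loopback-only, 1 (with a message) otherwise.
check_ssh_exposure() {
    exposed="$(non_loopback_ssh "${1:-22}")"
    if [ -n "$exposed" ]; then
        echo "port ${1:-22} reachable off-loopback:" >&2
        echo "$exposed" >&2
        return 1
    fi
    echo "ok: port ${1:-22} is bound to loopback only"
}

# Constructed sample: default sshd_config, listening on all interfaces.
SAMPLE_BEFORE='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:*'

# Constructed sample: after setting "ListenAddress 127.0.0.1" and restarting sshd.
SAMPLE_AFTER='LISTEN 0 128 127.0.0.1:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:9050 0.0.0.0:*'

printf '%s\n' "$SAMPLE_BEFORE" | check_ssh_exposure 22 || true
printf '%s\n' "$SAMPLE_AFTER"  | check_ssh_exposure 22
```

On the phone itself, run `ss -Htln | check_ssh_exposure 22` after restarting sshd; a non-zero exit means the daemon is still bound to a routable address and only the iptables rules stand between it and the network.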