There are more reasons to run a .onion "site" besides selling drugs.
For instance, in the past, I have locked down servers completely using iptables leaving open only port 443/80 and doing all maintenance over ssh using a hidden service.
Also, if you are looking for a simpler or more secure way to do "dynamic DNS" to ssh into a machine in another location, you won't find one.
You are going to need a machine or cloud server to run the service.
You could use a service like bitlaunch to get a cloud server without tying it to your identity, but this is obviously a less secure option than owning your own metal.
After this, you'll obviously need ssh access.
I shouldn't have to tell you, but at this point, you should have set up this server exclusively through tor or in person.
Your local machine can be most Linux environments. I have tested this in Debian and Cygwin.
Depending on what you're using, the default SOCKS port is usually 9050 (standalone tor) or 9150 (the Tor Browser Bundle).
Assuming you have netcat installed (the OpenBSD variant, which understands -x), use the following command to connect to your server over tor from your local machine:
ssh -o ProxyCommand='nc -x localhost:9050 %h %p' root@server-ip
If you're running the Tor Browser Bundle instead of standalone tor, substitute 9150 for 9050 here and in every config below.
To simplify things and make connecting easier as we progress in this tutorial, edit your ~/.ssh/config file (or create it) to contain a section like this:
Host torbox
    HostName server-ip
    Port 22
    ProxyCommand nc -x localhost:9050 %h %p
    User root
If you have publickey auth set up on the server, and your private key isn't in the default location for your ~/.ssh directory, add it to your config as well under the User directive:
    IdentityFile ~/.ssh/id_algo_root
Most cloud providers set up publickey auth using a public key you enter into their site. This tutorial will go over setting up an Ed25519 keypair later.
After doing this, you can connect by simply running ssh torbox.
Add a user and set a secure password. I use KeePassXC to generate and store passwords for things like this.
Assuming you're still using the root account, and you would like to use sudo, then:
useradd -mG sudo mark
passwd mark
apt-get install sudo
su mark
Obviously use your own username.
If you set up ssh access using publickey auth on root, simply copy over the key to your user's home directory:
mkdir ~/.ssh
chmod 700 ~/.ssh
sudo cp /root/.ssh/authorized_keys ~/.ssh/authorized_keys
sudo chown mark:mark /home/mark/.ssh/authorized_keys
If you still haven't set up ssh access with publickey auth on root (or it hasn't been done automatically), or you just want a separate key for your user (don't worry, we're disabling root login in a few minutes), you'll need to generate a new keypair.
This is more easily done on your local machine using the following commands:
ssh-keygen -f ~/.ssh/id_ed25519_mark -t ed25519
ssh-copy-id -i ~/.ssh/id_ed25519_mark mark@torbox
Now, make sure you can login using your new account by logging out and editing your ~/.ssh/config:
Host torbox
    HostName server-ip
    Port 22
    ProxyCommand nc -x localhost:9050 %h %p
    User mark
    IdentityFile ~/.ssh/id_ed25519_mark
And running ssh torbox.
If you have to type in your password, it's not configured correctly, and you'll be locked out in a minute.
We are going to disable password login and change the ssh port.
We're also going to disable root login, so make sure you were able to log in during the last step!
Edit your /etc/ssh/sshd_config file and change/uncomment the following directives:
Port 1234
...
PermitRootLogin no
...
PasswordAuthentication no
The port number is obviously your choice. I suggest using a suitable tool to pick a random port number.
And restart SSH:
sudo systemctl restart ssh
Then, log out, and edit your ~/.ssh/config file to reflect the updated port.
Host torbox
    HostName server-ip
    Port 1234
    ProxyCommand nc -x localhost:9050 %h %p
    User mark
    IdentityFile ~/.ssh/id_ed25519_mark
And then log back in using ssh torbox.
Now it's time to install tor and set up a hidden service for ssh access.
I recommend you create a different hidden service (.onion address) for each service on your server, e.g. one for http, one for ssh, etc.
For this tutorial, we will just be setting up the ssh one.
Self-explanatory:
sudo apt-get install tor
Edit your tor configuration file at /etc/tor/torrc and uncomment and edit the lines for a hidden service using your ssh port.
HiddenServiceDir /var/lib/tor/ssh_service/
HiddenServicePort 1234 127.0.0.1:1234
Then, restart tor:
sudo systemctl restart tor
After waiting for tor to connect, get your .onion address:
sudo cat /var/lib/tor/ssh_service/hostname
Log out, and then edit your ~/.ssh/config to connect to the hidden service:
Host torbox
    HostName valid-onionv3-address.onion
    Port 1234
    ProxyCommand nc -x localhost:9050 %h %p
    User mark
    IdentityFile ~/.ssh/id_ed25519_mark
Obviously, use your correct .onion address. Login using ssh torbox.
Now, we're going to unplug from anything other than tor. Tor is handy in this respect because it only makes outbound connections, so the hidden service keeps working no matter how restrictive your inbound firewall rules are.
You don't need to login "in the clear" anymore, and leaving ssh open to port scanners is silly when you have the hidden service.
Edit your /etc/ssh/sshd_config and uncomment/edit the following directives.
ListenAddress 127.0.0.1
ListenAddress ::1
Then, restart ssh using sudo systemctl restart ssh.
Install ufw using sudo apt-get install ufw.
The neat thing about this is that you can use the most restrictive (practical) firewall settings and still be able to connect over tor:
sudo ufw default deny incoming
sudo ufw enable
Simply log out, and log back in using ssh torbox.
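The lockdown above locks you out if the sshd Port, the loopback-only ListenAddress lines and the torrc HiddenServicePort mapping disagree. The following pre-flight check, an added example that is not part of the original post, parses both files and reports any mismatch before you restart sshd and enable ufw; the file paths are the ones the tutorial uses.

```shell
#!/bin/sh
# Pre-flight check to run before restarting sshd and enabling ufw: confirms that
# the torrc HiddenServicePort mapping forwards to sshd's port on loopback, that
# sshd listens only on loopback, and that password/root login are off, so the
# hidden service still reaches sshd after the lockdown. Added example, not code
# from the original post.

# First uncommented value of a directive (sshd uses the first occurrence),
# or the given default when the directive is absent.
directive() {                       # directive FILE NAME DEFAULT
    val=$(awk -v name="$2" 'tolower($1)==tolower(name) {print $2; exit}' "$1")
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# Succeed only if every uncommented ListenAddress is a loopback address.
# No ListenAddress at all means sshd binds 0.0.0.0 and ::, so that fails too.
listens_loopback_only() {           # listens_loopback_only SSHD_CONFIG
    addrs=$(awk 'tolower($1)=="listenaddress" {print $2}' "$1")
    [ -n "$addrs" ] || return 1
    for a in $addrs; do
        case "$a" in
            127.0.0.1|127.0.0.1:*|::1|'[::1]'|'[::1]:'*) ;;
            *) return 1 ;;
        esac
    done
}

# Succeed if some HiddenServicePort line forwards to sshd's port on loopback.
hs_targets_sshd() {                 # hs_targets_sshd TORRC SSHD_PORT
    awk -v port="$2" '
        tolower($1)=="hiddenserviceport" {
            target=$3; host="127.0.0.1"          # a bare port means 127.0.0.1
            if (target ~ /:/) { host=target; sub(/:[^:]*$/, "", host); sub(/.*:/, "", target) }
            if ((host=="127.0.0.1" || host=="[::1]" || host=="localhost") && target==port) found=1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# Report every problem found; return 0 only when the lockdown is safe to apply.
preflight() {                       # preflight SSHD_CONFIG TORRC
    port=$(directive "$1" Port 22); ok=0
    listens_loopback_only "$1"   || { echo "sshd is not loopback-only"; ok=1; }
    hs_targets_sshd "$2" "$port" || { echo "no HiddenServicePort forwards to loopback:$port"; ok=1; }
    [ "$(directive "$1" PasswordAuthentication yes)" = no ] || { echo "PasswordAuthentication is not 'no'"; ok=1; }
    [ "$(directive "$1" PermitRootLogin prohibit-password)" = no ] || { echo "PermitRootLogin is not 'no'"; ok=1; }
    return $ok
}

# Usage: sh preflight.sh /etc/ssh/sshd_config /etc/tor/torrc
if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```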
Did it work? Congratulations! You're done.
Well, not really. You have ssh installed. You can now do simple things like host a git repository to push/pull from or use things like rsync built on top of ssh.
Adding more services is as simple as installing the service (like nginx for http), configuring it to listen only on loopback, and then adding the two HiddenService lines to your torrc and restarting tor.