My server runs SSH on a non-standard port. This has some advantages, e.g. fewer automated login attempts and thus less log spam. Of course, this decision can be discussed, and there are good alternatives like using fail2ban, port knocking or even tarpits.
However, there are also disadvantages, like having to configure the port for several tools (`mosh` etc.) or nasty firewalls. For example, the university I'm visiting has such crappy firewall rules that they block my particular SSH port. To overcome this issue, I'm using SSH over Tor.
This approach requires a small program called `connect` to enable SSH connections over a SOCKS proxy, which will be provided by Tor. On Debian-based Linux distributions, this program is contained in the package `connect-proxy`; on macOS, it can be installed via the Homebrew formula called `connect`. More information about this program can be found at the project's website: https://bitbucket.org/gotoh/connect/wiki/Home
Of course, Tor is another requirement, as is the OpenSSH client.
As an example, it is assumed that you are running SSH on port 2222 for the host `example.com` with the user `example` and your SSH private key file `~/.ssh/id_rsa` (both not important for this approach).
Your SSH configuration (`.ssh/config`) might then look like this:

```
Host example
    HostName example.com
    Port 2222
    User example
    IdentityFile ~/.ssh/id_rsa
```
Under normal circumstances, you would log in by running the command `ssh example`, but in cases where the TCP port 2222 is blocked, this does not work.
By adding the following wildcard host alias to your SSH configuration, you can connect to your SSH host via Tor:

```
Host *-tor
    ProxyCommand connect -a none -S localhost:9050 $(tor-resolve %h localhost:9050) %p
```
In particular, you should follow these steps:
- Start Tor, e.g. by simply running `tor` in a terminal (it will keep running in the foreground). Alternatively, you can run Tor as a system service in the background.
- Connect to your SSH host by using the
This post is based on Anonymous SSH Sessions With TOR.
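
Before connecting, it is worth confirming that a `-tor` alias really goes through the Tor SOCKS proxy instead of silently connecting directly. The following check is an added example, not part of the original post: the helper name `check_tor_alias` and the sample outputs are constructed, and it assumes the alias (e.g. a hypothetical `example-tor`) maps to a real `HostName`.

```sh
#!/bin/sh
# Added example (not from the original post): audit what ssh will actually do
# for a "*-tor" alias. Input is the output of `ssh -G <alias>`, which prints
# the evaluated client configuration and exits without connecting.
# Real use:  ssh -G example-tor | check_tor_alias

# check_tor_alias [socks_addr]   (hypothetical helper name)
# Returns 0 only if the connection is forced through the Tor SOCKS port and
# the name that %h expands to is a real host name rather than the alias.
check_tor_alias() {
    socks="${1:-localhost:9050}"      # SOCKS address used on this page
    hostname="" proxy="" rc=0
    while read -r key value; do
        case "$key" in
            hostname)     hostname=$value ;;
            proxycommand) proxy=$value ;;
        esac
    done
    case "$proxy" in
        *"$socks"*) ;;                # ProxyCommand points at Tor
        "") echo "FAIL: no ProxyCommand, ssh would connect directly"; rc=1 ;;
        *)  echo "FAIL: ProxyCommand does not use $socks"; rc=1 ;;
    esac
    case "$hostname" in
        *-tor) echo "FAIL: %h is the alias '$hostname', not a resolvable host name"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $hostname via SOCKS proxy $socks"
    return "$rc"
}

# Constructed sample of `ssh -G example-tor` output (assumes the alias maps to
# HostName example.com); the quoted heredoc keeps $(...) literal.
sample_tor() {
    cat <<'EOF'
hostname example.com
port 2222
proxycommand connect -a none -S localhost:9050 $(tor-resolve %h localhost:9050) %p
EOF
}

# Constructed sample for the plain "example" host: no proxy configured.
sample_direct() {
    printf 'hostname example.com\nport 2222\n'
}

sample_tor | check_tor_alias              # passes
sample_direct | check_tor_alias || true   # reports a direct connection
```

A `FAIL` for the host name means `%h` still carries the `-tor` suffix, so `tor-resolve` would be asked to look up the alias itself.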
Update: Shortly after publishing this post, the user @NHonigdachs@norden.social pointed out on Mastodon that this can be achieved much more easily by simply prepending `torify` (or the preferred `torsocks`) to the SSH command. This of course requires torsocks (see project website) to be installed. The main difference is that torsocks will automatically try to determine how to wrap the socket calls of the given command so that they use the SOCKS proxy of Tor, instead of having to configure it manually as described above.