mirror of
http://git.nowherejezfoltodf4jiyl6r56jnzintap5vyjlia7fkirfsnfizflqd.onion/nihilist/blog-contributions.git
synced 2025-07-02 11:56:40 +00:00
290 lines
13 KiB
HTML
290 lines
13 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="en">
|
|
<head>
|
|
<meta charset="utf-8">
|
|
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
<meta name="description" content="">
|
|
<meta name="author" content="">
|
|
<link rel="shortcut icon" href="../../../../../../assets/img/favicon.png">
|
|
|
|
<title>Acquiring remote servers anonymously (non-KYC providers)</title>
|
|
|
|
<!-- Bootstrap core CSS -->
|
|
<link href="../../assets/css/bootstrap.css" rel="stylesheet">
|
|
<link href="../../assets/css/xt256.css" rel="stylesheet">
|
|
|
|
|
|
|
|
<!-- Custom styles for this template -->
|
|
<link href="../../assets/css/main.css" rel="stylesheet">
|
|
|
|
|
|
|
|
<!-- HTML5 shim and Respond.js IE8 support of HTML5 elements and media queries -->
|
|
<!--[if lt IE 9]>
|
|
<script src="https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js"></script>
|
|
<script src="https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js"></script>
|
|
<![endif]-->
|
|
</head>
|
|
|
|
<body>
|
|
|
|
<!-- Static navbar -->
|
|
<div class="navbar navbar-inverse-anon navbar-static-top">
|
|
<div class="container">
|
|
<div class="navbar-header">
|
|
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
|
|
<span class="icon-bar"></span>
|
|
<span class="icon-bar"></span>
|
|
<span class="icon-bar"></span>
|
|
</button>
|
|
<a class="navbar-brand-anon" href="\index.html">The Nihilism Blog</a>
|
|
</div>
|
|
<div class="navbar-collapse collapse">
|
|
<ul class="nav navbar-nav navbar-right">
|
|
|
|
<li><a href="/about.html">About</a></li>
|
|
<li><a href="/blog.html">Categories</a></li>
|
|
<li><a href="https://blog.nowhere.moe/donate.html">Donate</a></li>
|
|
<li><a href="/contact.html">Contact</a></li>
|
|
</ul>
|
|
</div><!--/.nav-collapse -->
|
|
|
|
</div>
|
|
</div>
|
|
|
|
<!-- +++++ Posts Lists +++++ -->
|
|
<!-- +++++ First Post +++++ -->
|
|
<div id="anon2">
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="col-lg-8 col-lg-offset-2">
|
|
<a href="../index.html">Previous Page</a></br></br><p><img src="../../assets/img/user.png" width="50px" height="50px"> <ba>nihilist@mainpc - 2024-05-02</ba></p>
|
|
<h1>Acquiring remote servers anonymously (non-KYC providers) </h1>
|
|
|
|
<img src="../hiddenservice/1.png" class="imgRz">
|
|
|
|
</div>
|
|
</div><!-- /row -->
|
|
</div> <!-- /container -->
|
|
</div><!-- /grey -->
|
|
|
|
<!-- +++++ Second Post +++++ -->
|
|
<div id="anon3">
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="col-lg-8 col-lg-offset-2">
|
|
<h2><b>Finding out a non-KYC Cloud Provider and Email Provider</b></h2>
|
|
<p>As we discussed <a href="../finances/index.html">previously</a>, KYC is out of the question if you want to remain anonymous. So you need to find <b>a cloud provider that allows you to rent servers without any KYC</b>.</p>
|
|
<p>To find one you can go on <a href="https://kycnot.me/?t=service&q=hosting">kycnot.me</a>:</p>
|
|
<img src="1.png" class="imgRz">
|
|
<p>the current one I use for my services is ServersGuru, as they can resell popular cloud providers like hetzner.</p>
|
|
<p>In our example below we'll use Cockbox. but first thing we need is a non-KYC email provider, to do so we could follow <a href="https://www.privacyguides.org/en/email/">Privacy Guides' recommendation</a> and create an account on Tuta, but for simplicity i'll use a temporary email from <a href="https://tmail.link">https://tmail.link</a> (do not use it for extended usage)</p>
|
|
<img src="2.png" class="imgRz">
|
|
<img src="3.png" class="imgRz">
|
|
<img src="4.png" class="imgRz">
|
|
<p>Now that the account is created, we can also validate if we can receive mails:</p>
|
|
</div>
|
|
</div><!-- /row -->
|
|
</div> <!-- /container -->
|
|
</div><!-- /white -->
|
|
|
|
<div id="anon2">
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="col-lg-8 col-lg-offset-2">
|
|
<h2><b>Purchasing the server anonymously (using Monero)</b></h2> </br> </br>
|
|
<img src="12.png" class="imgRz">
|
|
<img src="5.png" class="imgRz">
|
|
<img src="6.png" class="imgRz">
|
|
<p>Next we generate a SSH key to connect to the server:</p>
|
|
<pre><code class="nim">
|
|
[ mainpc ] [ /dev/pts/5 ] [~]
|
|
→ ssh-keygen -t ed25519 -C ""
|
|
Generating public/private ed25519 key pair.
|
|
Enter file in which to save the key (/home/nihilist/.ssh/id_ed25519): /home/nihilist/.ssh/ssh-key-test
|
|
/home/nihilist/.ssh/ssh-key-test already exists.
|
|
Overwrite (y/n)? y
|
|
Enter passphrase (empty for no passphrase):
|
|
Enter same passphrase again:
|
|
Your identification has been saved in /home/nihilist/.ssh/ssh-key-test
|
|
Your public key has been saved in /home/nihilist/.ssh/ssh-key-test.pub
|
|
The key fingerprint is:
|
|
SHA256:hu1aO2qMU0XuaRDTRiVHH3Jl2hNP/0prlAnpPCTGECo
|
|
The key's randomart image is:
|
|
+--[ED25519 256]--+
|
|
| o=+= o.+ .|
|
|
| o.+= + * +.|
|
|
| E .* + * o o|
|
|
| ..oo. = . +.|
|
|
| .+S. + = .|
|
|
| .o+ + o |
|
|
| + .o + |
|
|
| o oo.. . |
|
|
| oo... |
|
|
+----[SHA256]-----+
|
|
|
|
[ mainpc ] [ /dev/pts/5 ] [~]
|
|
→ cat .ssh/ssh-key-test.pub
|
|
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHqt0O2ZbRt/7ikk0PdPRcb1GRBE5YNDdBHFCMGIdeHb
|
|
|
|
</code></pre>
|
|
<img src="7.png" class="imgRz">
|
|
<p>validate the VPS purchase with the Monero option:</p>
|
|
<img src="8.png" class="imgRz">
|
|
<img src="9.png" class="imgRz">
|
|
<p>Then here we send the Monero payment:</p>
|
|
<img src="10.png" class="imgRz">
|
|
<img src="11.png" class="imgRz">
|
|
<p>then wait 10-20 minutes for the payment to be validated by the network, and then you should recieve the mail with your server accesses:</p>
|
|
<img src="13.png" class="imgRz">
|
|
<p>Now that the server is provisionned, we can connect to it:</p>
|
|
|
|
</div>
|
|
</div><!-- /row -->
|
|
</div> <!-- /container -->
|
|
</div><!-- /white -->
|
|
|
|
|
|
<!-- +++++ Second Post +++++ -->
|
|
<div id="anon1">
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="col-lg-8 col-lg-offset-2">
|
|
<h1><b>Power tools</b></h1>
|
|
|
|
Before getting started let's review our tools and reminds ourselves of the security implications of their use:
|
|
|
|
<ul>
|
|
<li>Tor: if you're reading this, you already know what it is.<br>
|
|
<b>Risks:</b>
|
|
<ul>
|
|
<li> Information leakage: if you try to resolve "mysecretillegalhostingserver.onion" against your ISP's DNS server it will leave an incriminating log: unless your server is well-known and has a lot of traffic you can't really justify knowing it's onion address </li>
|
|
</ul>
|
|
</li>
|
|
<li> SSH: Secure SHell. This tools allows you to connect to a remote server with an encrypted tunnel, this providing you with confidentiality when doing administration tasks.
|
|
<br>
|
|
<b>Risks</b>
|
|
<ul>
|
|
<li>Authentication: the first time you connect to a server you should check its host key fingerprint. This is <b>NOT</b> an issue in our case since tor will provide another couple of layers of authentication. If you connect on a clearweb server through tor though you will want to check the host key fingerprint to make sure your exit node isn't trying to MITM you.</li>
|
|
<li>Password security: Nefarious operators trawl through the web on a daily basis trying credential stuffing attacks (logging into your server with weak/well known passwords), if you set up root:toor
|
|
as a login you will get compromised quickly. </li>
|
|
<li>Information leakage: instead of setting up a password you decide to do things more securely and use an ssh key as a mean of authentication. By default, the ssh client will <b>try every key it has until succeeding when connecting to a server</b>. Why is that bad? Say your cloud provider decides to log verbosely your VPS' ssh server connection. When you connect next they might get a bunch of public keys that you use on other services. If Leo decides to ask github if anyone is using any of those keys to, say, push code to repositories or deploy stuff through actions then they will have a link between your github account and your onion server. Let's hope you haven't set up a personal email with github, because if you did, you're toast.</li>
|
|
</ul>
|
|
</li>
|
|
<li>Socat: socat allows you to establish two bidirectional byte streams and transfer data between them. Anything goes, you can link unix socket to tcp sockets or whatever strikes your fancy. In this case we will use it to create a socks5-looking bridge for SSH to use when connecting to our remote server</li>
|
|
</ul>
|
|
|
|
<h2><b>Accessing the server anonymously (SSH through Tor)</b></h2> </br> </br>
|
|
|
|
<h3>Setting up your onion service</h3>
|
|
That one is easy! Connect to your server using your provider's web shell and edit your torrc so it looks like this:
|
|
<p>To access the server anonymously, you need to configure SSH to use tor and only your chosen key (modify your ~/.ssh/config so it looks like this: </p>
|
|
<pre><code class="nim">
|
|
AutomapHostsSuffixes .onion,.exit
|
|
DataDirectory /var/lib/tor
|
|
ExitPolicy reject *:*
|
|
PublishServerDescriptor 0
|
|
SOCKSPort 127.0.0.1:9050 IsolateDestAddr
|
|
HiddenServiceDir /var/lib/tor/onion/tor-ssh
|
|
HiddenServicePort 22
|
|
</code></pre>
|
|
<br><br>
|
|
Restart tor with <i>sudo systemctl restart tor</i><br>
|
|
|
|
to find your hidden service hostname:
|
|
<pre><code class="nim">
|
|
sudo cat /var/lib/tor/onion/tor-ssh/hostname
|
|
</code></pre>
|
|
|
|
|
|
Next we are going to setup and harden our client ~/.ssh/config so even if we make a mistake and try reaching our server without tor being connected we won't leak anything:
|
|
<pre><code class="nim">
|
|
Host test-server
|
|
HostName hostnamefromprevi0us5t3p.onion
|
|
ProxyCommand socat - SOCKS4A:localhost:%h:%p,socksport=9050 # tells ssh to proxy the connection through tor
|
|
IdentityFile ~/.ssh/ssh-key-test
|
|
IdentitiesOnly yes # only use the identityFile we configured and don't try any other
|
|
</code></pre>
|
|
|
|
|
|
|
|
<pre><code class="nim">
|
|
[ mainpc ] [ /dev/pts/6 ] [~]
|
|
→ cat .ssh/config| head -n5
|
|
Host test-server
|
|
HostName hostnamefromprevi0us5t3p.onion
|
|
ProxyCommand socat - SOCKS4A:localhost:%h:%p,socksport=9050 # tells ssh to proxy the connection through tor
|
|
IdentityFile ~/.ssh/ssh-key-test
|
|
IdentitiesOnly yes # only use the identityFile we configured and don't try any other
|
|
|
|
[ mainpc ] [ /dev/pts/6 ] [~]
|
|
→ ssh root@test-server
|
|
The authenticity of host 'hostnamefromprevi0us5t3p.onion' can't be established.
|
|
ED25519 key fingerprint is SHA256:Od5FT4wcALDHXXK2B4t6lM8idsDmUfhqWpDFjStgBwI.
|
|
This key is not known by any other names.
|
|
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
|
|
Warning: Permanently added 'hostnamefromprevi0us5t3p.onion'(ED25519) to the list of known hosts.
|
|
Linux cockbox 6.1.0-13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.55-1 (2023-09-29) x86_64
|
|
|
|
The programs included with the Debian GNU/Linux system are free software;
|
|
the exact distribution terms for each program are described in the
|
|
individual files in /usr/share/doc/*/copyright.
|
|
|
|
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
|
|
permitted by applicable law.
|
|
|
|
root@cockbox:~# id
|
|
uid=0(root) gid=0(root) groups=0(root)
|
|
|
|
root@cockbox:~# apt update -y ; apt upgrade -y ; apt autoremove -y
|
|
|
|
</code></pre>
|
|
|
|
<p>And that's it! We now have access to a remote server, we acquired it anonymously, and are now using it anonymously as well.</p>
|
|
|
|
</div>
|
|
</div><!-- /row -->
|
|
</div> <!-- /container -->
|
|
</div><!-- /white -->
|
|
|
|
<!-- +++++ Footer Section +++++ -->
|
|
|
|
<div id="anonb">
|
|
<div class="container">
|
|
<div class="row">
|
|
<div class="col-lg-4">
|
|
<h4>Nihilism</h4>
|
|
<p>
|
|
Until there is Nothing left.</p></br></br><p>Creative Commons Zero: <a href="../../../../opsec/runtheblog/index.html">No Rights Reserved</a></br><img src="\CC0.png">
|
|
|
|
</p>
|
|
</div><!-- /col-lg-4 -->
|
|
|
|
<div class="col-lg-4">
|
|
<h4>My Links</h4>
|
|
<p>
|
|
|
|
<a target="_blank" rel="noopener noreferrer" href="http://blog.nowhere.moe/rss/feed.xml">RSS Feed</a><br/><a target="_blank" rel="noopener noreferrer" href="https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2FBD4qkVq8lJUgjHt0kUaxeQBYsKaxDejeecxm6-2vOwI%3D%40b6geeakpwskovltbesvy3b6ah3ewxfmnhnshojndmpp7wcv2df7bnead.onion%2FdXQ3FLM5ufTNQxgXU6jm07fRXSq9Ujkt%23%2F%3Fv%3D1-3%26dh%3DMCowBQYDK2VuAyEAzABUDXe4g0bjXyPcNOU0QzWxMYMMGgR3kcOQacoEaQ0%253D&data=%7B%22groupLinkId%22%3A%22G3yklv9753AcNA7lGV3FBw%3D%3D%22%7D">SimpleX Chat</a><br/>
|
|
|
|
</p>
|
|
</div><!-- /col-lg-4 -->
|
|
|
|
<div class="col-lg-4">
|
|
<h4>About nihilist</h4>
|
|
<p style="word-wrap: break-word;"><u>Donate XMR:</u> 8AUYjhQeG3D5aodJDtqG499N5jXXM71gYKD8LgSsFB9BUV1o7muLv3DXHoydRTK4SZaaUBq4EAUqpZHLrX2VZLH71Jrd9k8</p></br><p><u>Contact:</u> nihilist@contact.nowhere.moe (<a href="https://nowhere.moe/nihilist.pubkey">PGP</a>)</p>
|
|
</div><!-- /col-lg-4 -->
|
|
|
|
</div>
|
|
|
|
</div>
|
|
</div>
|
|
|
|
|
|
<!-- Bootstrap core JavaScript
|
|
================================================== -->
|
|
<!-- Placed at the end of the document so the pages load faster -->
|
|
|
|
</body>
|
|
</html>
|