OpenSSH is a common tool on most Linux distributions that can be leveraged to accomplish just that.
Install/Setup/Enable the Uncomplicated Firewall (UFW)
- sudo apt-get -y install ufw
- sudo ufw default deny incoming
- sudo ufw default allow outgoing
- sudo ufw allow ssh # Allow inbound connections on the default SSH port (22)
- sudo ufw --force enable # Enable the firewall at boot and start it now (--force skips the confirmation prompt)
- sudo apt-get -y install ssh # Make sure the OpenSSH client and server are installed
- sudo sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config # Disable password login (this only rewrites the commented-out default line; confirm the effective value afterwards)
- sudo sed -i 's/X11Forwarding yes/#X11Forwarding no/g' /etc/ssh/sshd_config # Comment out X11Forwarding so sshd falls back to its default (no)
- sudo sed -i 's/#AllowTcpForwarding yes/AllowTcpForwarding Local/g' /etc/ssh/sshd_config # Only allow local port forwarding (no remote forwarding)
- sudo sed -i 's/#.*StrictHostKeyChecking ask/\ \ \ \ StrictHostKeyChecking yes/g' /etc/ssh/ssh_config # Enable strict host key verification in the ssh client
- # Prevent every account other than p2p, stratum, root, and satoshi from being used to gain SSH access
- echo -e "\nMatch User *,"'!'"p2p,"'!'"stratum,"'!'"root,"'!'"satoshi" | sudo tee -a /etc/ssh/sshd_config
- echo -e "\tAllowTCPForwarding no" | sudo tee -a /etc/ssh/sshd_config
- echo -e "\tPermitTTY no" | sudo tee -a /etc/ssh/sshd_config
- echo -e "\tForceCommand /usr/sbin/nologin" | sudo tee -a /etc/ssh/sshd_config
- # Limit local port forwarding for the user "p2p" to port 19333 (bitcoind); note that the PermitOpen line below also lists localhost:3333
- echo -e "\nMatch User p2p" | sudo tee -a /etc/ssh/sshd_config
- echo -e "\tPermitTTY no" | sudo tee -a /etc/ssh/sshd_config
- echo -e "\tPermitOpen localhost:19333 localhost:3333" | sudo tee -a /etc/ssh/sshd_config
- # Limit local port forwarding for the user "stratum" to port 3333 (ckpool/ckproxy)
- echo -e "\nMatch User stratum" | sudo tee -a /etc/ssh/sshd_config
- echo -e "\tPermitTTY no" | sudo tee -a /etc/ssh/sshd_config
- echo -e "\tPermitOpen localhost:3333" | sudo tee -a /etc/ssh/sshd_config
- sudo useradd -s /bin/false -m -d /home/p2p p2p
- sudo mkdir -p /home/p2p/.ssh
- sudo touch /home/p2p/.ssh/authorized_keys
- sudo chown -R p2p:p2p /home/p2p/.ssh
- sudo chmod 700 /home/p2p/.ssh
- sudo chmod 600 /home/p2p/.ssh/authorized_keys
- sudo useradd -s /bin/false -m -d /home/stratum stratum
- sudo mkdir -p /home/stratum/.ssh
- sudo touch /home/stratum/.ssh/authorized_keys
- sudo chown -R stratum:stratum /home/stratum/.ssh
- sudo chmod 700 /home/stratum/.ssh
- sudo chmod 600 /home/stratum/.ssh/authorized_keys
- sudo ssh-keygen -t ed25519 -f /root/.ssh/p2pkey -N "" -C ""
- sudo mkdir -p /home/satoshi/.ssh
- sudo touch /home/satoshi/.ssh/authorized_keys
- sudo chown -R satoshi:satoshi /home/satoshi/.ssh
- sudo chmod 700 /home/satoshi/.ssh
- sudo chmod 600 /home/satoshi/.ssh/authorized_keys
- sudo nano /home/satoshi/.ssh/authorized_keys
- # Paste the YubiKey (FIDO2) public key into this file
- sudo touch /root/.ssh/known_hosts
- sudo systemctl stop ssh
- sudo systemctl enable ssh --now # Enable the ssh service on boot (if not already) and start it now
- sudo apt-get -y install autossh
- cat << EOF | sudo tee /etc/systemd/system/p2pssh@.service
[Unit]
Description=AutoSSH %I Tunnel Service
Before=bitcoind.service
After=network-online.target
[Service]
Environment="AUTOSSH_GATETIME=0"
EnvironmentFile=/etc/default/p2pssh@%i
ExecStart=/usr/bin/autossh -M 0 -NT -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes -o "ServerAliveCountMax 3" -i /root/.ssh/p2pkey -L \${LOCAL_PORT}:localhost:19333 -p \${TARGET_PORT} p2p@\${TARGET}
RestartSec=5
Restart=always
[Install]
WantedBy=multi-user.target
EOF
- sudo systemctl daemon-reload # Reload the new service configuration
- sudo systemctl disable ssh # Disable the ssh service on boot
- sudo systemctl restart ssh # Restart (stop then start) the ssh service
- sudo systemctl stop ssh # Stop the ssh service
- sudo systemctl status ssh # Check the status of the ssh service
- sudo nano /etc/ssh/ssh_config # Make edits to ssh client configuration
- sudo nano /etc/ssh/sshd_config # Make edits to ssh server configuration