cross-posted from: https://infosec.pub/post/10908807

TLDR:

If I use SSH as a Tor hidden service and do not share the public hostname of that service, do I need any more hardening?

Full Post:

I am planning to set up a clearnet service on a server where my normal “in-band” management will be over SSH tunneled through Wireguard. I also want “out-of-band” management in case the incoming ports I am using get blocked and I cannot access my Wireguard tunnel. This is selfhosted on a home network.

I was thinking that I could have an SSH bastion host as a virtual machine, which will expose SSH as a hidden service. I would SSH into this VM over Tor and then proxy SSH into the host OS from there. As I would only be using this rarely as a backup connection, I do not care about speed or convenience of connecting to it, only that it is always available and secure. Also, I would treat the public hostname like any other secret, as only I need access to it.

Other than setting up secure configs for SSH and Tor themselves, is it worth doing other hardening like running Wireguard over Tor? I know that extra layers of security can’t hurt, but I want this backup connection to be as reliable as possible so I want to avoid unneeded complexity.
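One way to lay out the three pieces described above (the Tor side of the bastion VM, the bastion's sshd, and the client that reaches the home server through both) is shown here as an added example; it is not code from the original post. Everything specific in it is assumed: the file paths, the user name `admin`, the placeholder onion hostname, the LAN address 10.0.0.2, and that the client machine has OpenBSD-style netcat (`nc -x/-X`) and a Tor SOCKS listener on 127.0.0.1:9050. The script only stages the files into a directory you name, so you can review them before copying them into place.

```shell
#!/bin/sh
# Added example (not from the original post): stage the configs for an SSH
# bastion that is reachable only as a Tor onion service, plus a client config
# that jumps through it to the home server. All paths/names are placeholders.
set -eu

stage_oob_configs() {
  dir="$1"
  mkdir -p "$dir"

  # torrc stanza for the bastion VM: publish the loopback sshd as a v3 onion
  # service. HiddenServiceDir holds the onion hostname and keys; keep it 0700.
  cat > "$dir/torrc" <<'EOF'
HiddenServiceDir /var/lib/tor/ssh_bastion/
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
EOF

  # sshd_config for the bastion VM: listen on loopback only (Tor is the only
  # way in), keys only, no root, only the TCP forwarding the jump needs.
  # KbdInteractiveAuthentication is the OpenSSH 8.7+ name; older releases
  # spell it ChallengeResponseAuthentication.
  cat > "$dir/sshd_config" <<'EOF'
ListenAddress 127.0.0.1
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers admin
AllowTcpForwarding yes
AllowAgentForwarding no
X11Forwarding no
MaxAuthTries 3
LoginGraceTime 20
EOF

  # Client ~/.ssh/config: the bastion is reached through the local Tor SOCKS
  # port (nc hands the .onion name to Tor, so no local DNS lookup happens);
  # the home server is reached by jumping through the bastion.
  cat > "$dir/ssh_config" <<'EOF'
Host bastion-onion
    HostName EXAMPLE_ONION_ADDRESS_PLACEHOLDER.onion
    User admin
    IdentityFile ~/.ssh/id_ed25519_oob
    IdentitiesOnly yes
    ProxyCommand nc -x 127.0.0.1:9050 -X 5 %h %p
    StrictHostKeyChecking yes

Host homeserver-via-tor
    HostName 10.0.0.2
    User admin
    IdentityFile ~/.ssh/id_ed25519_oob
    ProxyJump bastion-onion
EOF
}

# Quick lint: the settings that make the bastion Tor-only and key-only must
# be present exactly; returns non-zero and names the first one missing.
lint_sshd_config() {
  f="$1"
  for want in 'PermitRootLogin no' 'PasswordAuthentication no' 'ListenAddress 127.0.0.1'; do
    grep -qx "$want" "$f" || { echo "missing: $want" >&2; return 1; }
  done
  return 0
}

# Usage: stage_oob_configs ./staged && lint_sshd_config ./staged/sshd_config
```

`ListenAddress 127.0.0.1` is what does most of the work: the bastion's sshd is never on a routable interface, so the only path to it is the onion service, and the onion hostname plus the SSH key are the two things an attacker would need. If the hostname alone still feels like too thin a secret, Tor v3 onion services also support client authorization (an `authorized_clients/` directory under `HiddenServiceDir`, with a matching `ClientOnionAuthDir` entry on the client), which means knowing the hostname is not enough to even fetch the service descriptor. That is one extra piece of config rather than an extra tunnel, so it costs little reliability.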

  • @Audalin
    8
    3 months ago

    Disabling root login and password auth, using a non-standard port and updating regularly works for me for this exact use case.

    • @[email protected]
      9
      edited
      3 months ago

      using a non-standard port

      It’s really not that hard to find SSH servers running on a non-standard port.

      nmap or a similar port-scanning software package can find ports listening for TCP connections. There are software packages – don’t recall names off-the-cuff, but I’m sure that you could go dig one up – that connect to ports and then aim to identify the protocol from a fingerprint out of a database that they have. The SSH protocol has a very readily-identifiable fingerprint, don’t even need specialized software.

      Let me just bounce to a machine as an example:

      $ telnet tals-host.tals-domain.com 22
      Trying tals-IP...
      Connected to tals-host.tals-domain.com
      Escape character is '^]'.
      SSH-2.0-OpenSSH_9.6p1 Debian-4
      ^]
      telnet> q
      Connection closed.
      $
      

      That being said, I don’t disagree with your broader point that I wouldn’t personally bother with trying to add more layers on top of ssh, as long as you’re keeping current on updates.
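The identification string in that telnet session has a fixed shape (RFC 4253: `SSH-<protoversion>-<softwareversion>` followed by optional comments), which is why it is so easy to recognise and why the comment is right that a port number hides nothing. The defender's use of the same fact is inventory: read the banner your own hosts send and check it is the version you think you are running. The parser below is an added example, not part of the original comment; the sample banner is a constructed string matching the one shown above, and `grab_banner` assumes `nc` is installed.

```shell
#!/bin/sh
# Added example (not from the original comment): parse and check an SSH
# identification string so the sshd version a host advertises can be
# compared with the version it should be running after updates.
#   SSH-<protoversion>-<softwareversion>[ <comments>]
# The banner below is a constructed sample matching the comment's output.

# Print "<protoversion> <softwareversion>" for a valid banner, fail otherwise.
parse_ssh_banner() {
  banner="$1"
  case "$banner" in
    SSH-*-*) ;;
    *) return 1 ;;
  esac
  rest="${banner#SSH-}"            # 2.0-OpenSSH_9.6p1 Debian-4
  proto="${rest%%-*}"              # 2.0
  soft="${rest#*-}"                # OpenSSH_9.6p1 Debian-4
  soft="${soft%% *}"               # OpenSSH_9.6p1 (comment field dropped)
  [ -n "$proto" ] && [ -n "$soft" ] || return 1
  printf '%s %s\n' "$proto" "$soft"
}

# Succeed only when the advertised software version equals the expected one.
banner_matches() {
  expected="$1"; banner="$2"
  parsed=$(parse_ssh_banner "$banner") || return 1
  [ "${parsed#* }" = "$expected" ]
}

# Fetch the first line a listener sends (sshd speaks first). Assumes nc is
# available; -w bounds how long we wait for an idle connection.
grab_banner() {
  host="$1"; port="${2:-22}"
  nc -w 3 "$host" "$port" </dev/null | head -n 1 | tr -d '\r'
}

SAMPLE_BANNER='SSH-2.0-OpenSSH_9.6p1 Debian-4'   # constructed sample

# Usage against a real host, once an expected version is known:
#   banner_matches OpenSSH_9.6p1 "$(grab_banner my-bastion 22)" || echo "version drift"
```

Run over a list of your own hosts after a patch cycle, `banner_matches` turns "keeping current on updates" into something you can verify instead of assume. Note that distribution packages backport fixes without bumping the upstream version, so a banner that still says 9.6p1 after an update can be fully patched; the check catches hosts that were never updated at all, not hosts behind by one security fix.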

      • @[email protected]
        11
        3 months ago

        I feel like the argument for using a nonstandard ssh port these days is that you dodge the low-tier automation/bots that are endlessly scanning IPs and port 22 and trying obvious usernames and passwords. I do also question how much it is worth dodging these since presumably you’d have already done the other basics like key-only and no root login before this. Maybe there’s some value if you want a clean auth.log or equivalent
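Whether the noise is worth dodging can be measured rather than guessed: count the "Invalid user" and "Failed password" lines per source address before and after the port change, and count the "Accepted publickey" lines, which with password auth off are the only successful logins that should ever appear. The script below is an added example, not part of the original comment; the auth.log lines it carries are constructed samples in the Debian syslog format, with documentation addresses and a placeholder key fingerprint.

```shell
#!/bin/sh
# Added example (not from the original comment): summarise bot noise in a
# Debian-style auth.log per source address, and separate it from the
# public-key logins that are the only legitimate traffic on a key-only host.
# The log lines below are constructed samples, not real captures.

SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  3 01:12:07 bastion sshd[2201]: Invalid user admin from 203.0.113.5 port 51422
Mar  3 01:12:09 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2
Mar  3 01:12:11 bastion sshd[2203]: Failed password for root from 203.0.113.5 port 51430 ssh2
Mar  3 01:13:40 bastion sshd[2210]: Invalid user oracle from 198.51.100.77 port 40012
Mar  3 01:13:41 bastion sshd[2210]: Connection closed by invalid user oracle 198.51.100.77 port 40012 [preauth]
Mar  3 02:05:55 bastion sshd[2300]: Accepted publickey for admin from 192.0.2.10 port 50001 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINTPLACEHOLDER
EOF
)

# Print "<count> <ip>" for every address with invalid-user or failed-password
# attempts, noisiest first. Reads log lines on stdin.
failed_attempts_by_ip() {
  awk '
    /sshd\[[0-9]+\]: (Invalid user|Failed password)/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) print n[ip], ip }
  ' | sort -rn -k1,1
}

# Count successful public-key logins on stdin. grep -c prints 0 and exits 1
# when nothing matches, so the status is masked to keep set -e callers alive.
accepted_pubkey_logins() {
  grep -c 'sshd\[[0-9]*\]: Accepted publickey for ' || true
}

# One-line report: how many distinct noisy sources vs. accepted key logins.
summarise_auth_log() {
  log="$1"
  noisy=$(printf '%s\n' "$log" | failed_attempts_by_ip | wc -l | tr -d ' ')
  ok=$(printf '%s\n' "$log" | accepted_pubkey_logins)
  printf 'noisy_sources=%s accepted_pubkey=%s\n' "$noisy" "$ok"
}

# Usage on a live system (journald hosts: journalctl -u ssh --no-pager | ...):
#   failed_attempts_by_ip < /var/log/auth.log | head
#   summarise_auth_log "$(cat /var/log/auth.log)"
```

On a bastion that is reachable only through Tor, as in the original post, the first function should print nothing at all: there is no public port for scanners to find, so any entry it does produce is worth a look, which is exactly the "clean auth.log" argument made above, only with the noise removed by reachability rather than by a port number.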