cross-posted from: https://infosec.pub/post/10908807

TLDR:

If I use SSH as a Tor hidden service and do not share the public hostname of that service, do I need any more hardening?

Full Post:

I am planning to set up a clearnet service on a server where my normal "in-band" management will be over SSH tunneled through Wireguard. I also want "out-of-band" management in case the incoming ports I am using get blocked and I cannot access my Wireguard tunnel. This is self-hosted on a home network.

I was thinking that I could have an SSH bastion host as a virtual machine, which will expose SSH as a hidden service. I would SSH into this VM over Tor and then proxy SSH into the host OS from there. As I would only be using this rarely as a backup connection, I do not care about speed or convenience of connecting to it, only that it is always available and secure. Also, I would treat the public hostname like any other secret, as only I need access to it.

Other than setting up secure configs for SSH and Tor themselves, is it worth doing other hardening like running Wireguard over Tor? I know that extra layers of security can’t hurt, but I want this backup connection to be as reliable as possible so I want to avoid unneeded complexity.
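Added example, not part of the original post or any reply: the server-side torrc for a v3 onion service in front of sshd, with Tor's onion client authorization turned on, plus the client-side files needed to reach it through the local Tor SOCKS port. Client authorization is the check worth adding to the design above: with an `authorized_clients/*.auth` file in place, Tor encrypts the service descriptor to that client's x25519 key, so knowing the `.onion` name alone is not enough to connect. Assumptions that are not in the post: Tor's SOCKS port is `127.0.0.1:9050`, sshd inside the bastion VM listens on `127.0.0.1:22`, the client has OpenBSD netcat (`nc -X 5`), the key strings are placeholders generated out of band, and everything is written under `$OUT` so the script runs without root.

```shell
#!/bin/sh
# Added example (not from the original post): onion service in front of the SSH
# bastion, with client authorization, and the matching client-side config.
# Assumptions (placeholders, not from the post): SOCKS on 127.0.0.1:9050, sshd on
# 127.0.0.1:22 in the VM, OpenBSD netcat on the client, files written under $OUT.
set -eu

OUT="${OUT:-$(mktemp -d)}"

# Server side: torrc fragment. HiddenServiceDir must be owned by the tor user and
# mode 0700 or tor refuses to start; the hostname file appears there after the
# first start. Only v3 is configured; v2 onion services are no longer supported.
write_torrc() {
    cat > "$OUT/torrc" <<'EOF'
HiddenServiceDir /var/lib/tor/ssh-bastion/
HiddenServiceVersion 3
HiddenServicePort 22 127.0.0.1:22
EOF
    printf '%s\n' "$OUT/torrc"
}

# Server side: one <client>.auth per allowed client under
# HiddenServiceDir/authorized_clients/. Content is "descriptor:x25519:<base32 pubkey>".
# The public key is a placeholder here; generate the x25519 pair out of band.
write_client_auth() {
    client_name="$1"
    client_pubkey="$2"
    mkdir -p "$OUT/authorized_clients"
    printf 'descriptor:x25519:%s\n' "$client_pubkey" \
        > "$OUT/authorized_clients/$client_name.auth"
    printf '%s\n' "$OUT/authorized_clients/$client_name.auth"
}

# Client side: the private half goes in ClientOnionAuthDir as <name>.auth_private,
# and ssh is pointed at the onion through Tor's SOCKS5 port with ProxyCommand.
write_client_config() {
    onion="$1"            # 56-char v3 address without the ".onion" suffix
    client_privkey="$2"   # base32 x25519 private key matching the .auth file
    mkdir -p "$OUT/onion_auth"
    printf '%s:descriptor:x25519:%s\n' "$onion" "$client_privkey" \
        > "$OUT/onion_auth/bastion.auth_private"
    printf 'ClientOnionAuthDir %s\n' "$OUT/onion_auth" > "$OUT/torrc.client"
    cat > "$OUT/ssh_config" <<EOF
Host bastion-tor
    HostName $onion.onion
    Port 22
    User admin
    # a key used only for this path; IdentitiesOnly stops ssh offering agent keys
    IdentityFile ~/.ssh/id_ed25519_bastion_tor
    IdentitiesOnly yes
    # -X 5 selects SOCKS5, -x names the proxy; %h/%p are expanded by ssh
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
    # Tor already hides and encrypts the transport; still pin the host key
    StrictHostKeyChecking yes
EOF
    printf '%s\n' "$OUT/ssh_config"
}

# Server side: minimal sshd_config check for the bastion. Whole-line matches on a
# flat file; on a real host run `sshd -T` and check its effective values instead,
# since Include and Match blocks can override what a grep sees.
check_sshd_config() {
    cfg="$1"
    ok=0
    for want in 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
                'PermitRootLogin no' 'ListenAddress 127.0.0.1'; do
        grep -qxF "$want" "$cfg" || { echo "missing: $want" >&2; ok=1; }
    done
    return $ok
}

# Demo when run as `sh this.sh demo`: writes all fragments under $OUT.
if [ "${1:-}" = "demo" ]; then
    write_torrc
    write_client_auth laptop PLACEHOLDER_BASE32_PUBKEY
    write_client_config PLACEHOLDER_ONION_ADDRESS PLACEHOLDER_BASE32_PRIVKEY
    echo "fragments written under $OUT"
fi
```

The `ListenAddress 127.0.0.1` line is what keeps the bastion's sshd reachable only through Tor (and from inside the VM); if the VM also needs the Wireguard path, add a second `ListenAddress` for that interface rather than binding to all addresses.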

  • The Bard in Green
    38 months ago

    Easy. I have servers that are only available on my local network and lots of different devices that I MIGHT want to use to access those servers. I haven’t bothered to make sure my key is on EVERY SINGLE DEVICE and some of them, I might not actually even WANT my key on as they’re not terribly well secured and they might leave my house (my Windows gaming laptop I haven’t used in six months comes to mind).

    But for cloud accessible servers… yeah.

    • @EarMaster
      28 months ago

      You know you’re allowed (some might even say supposed) to have different keys for different machines. They’re basically free to generate and take up next to no space.

      • @[email protected]
        28 months ago

        I use a different key for every device I need to connect to.

        So my phone has separate keys for each SSH server and so does my desktop and laptop.

        It’s not the most convenient thing in the world but it’s not too bad.

        Most of the keys are without passphrase but the keys I use to connect to my VPS for example absolutely have a passphrase.
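Added example, not code posted by any commenter: the one-key-per-device-per-server practice the replies describe, with the server-side authorized_keys built so that each key is labelled by device and restricted to what that device needs, and a helper to revoke one device (the gaming laptop that might leave the house) without touching the others. Device and server names are placeholders, and the generated files go under a directory you pass in rather than `~/.ssh`.

```shell
#!/bin/sh
# Added example (not from any comment in the thread): per-device SSH keys,
# labelled and restricted server side, with per-device revocation.
# Device/server names are placeholders.
set -eu

# Generate one ed25519 key for (device, server). An empty passphrase gives the
# passphrase-less keys the commenter uses for low-value hosts; pass a real
# passphrase for the VPS key. Prints the path of the public key.
gen_device_key() {
    dir="$1"; device="$2"; server="$3"; passphrase="${4:-}"
    keyfile="$dir/id_ed25519_${server}_${device}"
    # -a 64: KDF rounds for the passphrase; -C: comment naming the device
    ssh-keygen -q -t ed25519 -a 64 -N "$passphrase" -C "${device}@${server}" -f "$keyfile"
    printf '%s\n' "$keyfile.pub"
}

# Build one authorized_keys line. "restrict" disables port/agent/X11 forwarding,
# pty and user-rc; re-enable only what the device needs (pty for interactive
# logins, plus anything in $3, e.g. "port-forwarding"). The trailing comment is
# the device name, which is what revoke_device matches on.
authorized_keys_line() {
    pubkey="$1"     # "ssh-ed25519 AAAA..." without its comment
    device="$2"
    extra="${3:-}"
    opts="restrict,pty"
    if [ -n "$extra" ]; then
        opts="$opts,$extra"
    fi
    printf '%s %s %s\n' "$opts" "$pubkey" "$device"
}

# Remove every line whose comment is exactly the given device name. grep -v
# exits 1 when nothing is left, which is still a successful revocation.
revoke_device() {
    keyfile="$1"; device="$2"
    grep -v -- " $device\$" "$keyfile" > "$keyfile.tmp" || true
    mv "$keyfile.tmp" "$keyfile"
}

# Demo when run as `sh this.sh demo`: builds an authorized_keys with two devices
# in a temp dir, then revokes the laptop.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    phone=$(gen_device_key "$d" phone vps "")
    laptop=$(gen_device_key "$d" gaming-laptop vps "")
    authorized_keys_line "$(cut -d' ' -f1,2 "$phone")" phone > "$d/authorized_keys"
    authorized_keys_line "$(cut -d' ' -f1,2 "$laptop")" gaming-laptop port-forwarding >> "$d/authorized_keys"
    revoke_device "$d/authorized_keys" gaming-laptop
    cat "$d/authorized_keys"
fi
```

Because each device has its own key and its own comment, revoking a lost or untrusted device is a one-line removal on the server and never forces re-keying the other devices; the same split is what lets the VPS key carry a passphrase while the local-only keys do not.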