cross-posted from: https://infosec.pub/post/10908807

TLDR:

If I use SSH as a Tor hidden service and do not share the public hostname of that service, do I need any more hardening?

Full Post:

I am planning to set up a clearnet service on a server where my normal "in-band" management will be over SSH tunneled through WireGuard. I also want "out-of-band" management in case the incoming ports I am using get blocked and I cannot access my WireGuard tunnel. This is self-hosted on a home network.

I was thinking that I could have an SSH bastion host as a virtual machine, which will expose SSH as a hidden service. I would SSH into this VM over Tor and then proxy SSH into the host OS from there. As I would only be using this rarely as a backup connection, I do not care about speed or convenience of connecting to it, only that it is always available and secure. Also, I would treat the public hostname like any other secret, as only I need access to it.

Other than setting up secure configs for SSH and Tor themselves, is it worth doing other hardening like running WireGuard over Tor? I know that extra layers of security can't hurt, but I want this backup connection to be as reliable as possible, so I want to avoid unneeded complexity.

[-] marcos@lemmy.world 38 points 7 months ago

If you don't have any good reason not to, always set your SSH server to only authenticate with keys.

Anything else is irrelevant.

[-] AbidanYre@lemmy.world 15 points 7 months ago* (last edited 7 months ago)

If you don't have any good reason not to

Spoiler alert: you don't.

[-] someonesmall@lemmy.ml 6 points 7 months ago

30 character password + fail2ban after one failed attempt. Why not?

[-] chaospatterns@lemmy.world 6 points 7 months ago

Accidentally typo your password and get blocked. And if you're tunneling over Tor, you've blocked 127.0.0.1, which means now nobody can log in.

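The two points raised in this thread, key-only authentication and the fail2ban lockout when every Tor session reaches sshd from 127.0.0.1, can be checked mechanically. The audit below is an added example, not code from the post or from any commenter; the sshd_config and jail.local contents are constructed samples, and the function and constant names are my own.

```python
import ipaddress
import re

# Constructed sample files (not from the post): a weak pair and a fixed pair.
SSHD_WEAK = "Port 22\nPasswordAuthentication yes\nPubkeyAuthentication yes\n"
SSHD_FIXED = ("ListenAddress 127.0.0.1\nPasswordAuthentication no\n"
              "KbdInteractiveAuthentication no\nPubkeyAuthentication yes\n")
JAIL_WEAK = "[sshd]\nenabled = true\nmaxretry = 1\n"
JAIL_FIXED = "[DEFAULT]\nignoreip = 127.0.0.1/8 ::1\n[sshd]\nenabled = true\nmaxretry = 1\n"

def parse_sshd(text):
    """sshd keeps the FIRST value of each keyword, so earlier lines win."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf

def parse_ini(text):
    """Minimal fail2ban jail parser: {section: {key: value}}."""
    conf, section = {}, "DEFAULT"
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line:
            key, _, val = line.partition("=")
            conf.setdefault(section, {})[key.strip().lower()] = val.strip()
    return conf

def loopback_ignored(ignoreip):
    """True if 127.0.0.1 falls inside any entry of fail2ban's ignoreip list."""
    lo = ipaddress.ip_address("127.0.0.1")
    for tok in ignoreip.split():
        try:
            if lo in ipaddress.ip_network(tok, strict=False):
                return True
        except ValueError:  # hostnames or typos never count as a loopback allowance
            pass
    return False

def audit(sshd_text, jail_text):
    """Return a list of findings; an empty list means both pitfalls are absent."""
    findings, sshd, jail = [], parse_sshd(sshd_text), parse_ini(jail_text)
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if sshd.get(key, "yes").lower() != "no":  # sshd defaults both to yes
            findings.append(f"{key} is on: password logins still possible")
    jail_sshd = jail.get("sshd", {})
    ignore = jail_sshd.get("ignoreip", jail.get("DEFAULT", {}).get("ignoreip", ""))
    if jail_sshd.get("enabled", "false").lower() == "true" and not loopback_ignored(ignore):
        findings.append("fail2ban sshd jail bans 127.0.0.1: Tor sessions all share it")
    return findings
```

Running `audit(SSHD_WEAK, JAIL_WEAK)` reports all three problems, while `audit(SSHD_FIXED, JAIL_FIXED)` returns an empty list; `ignoreip` in `[DEFAULT]` is what fail2ban's own defaults use, so the fix is a one-line change.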
[-] someonesmall@lemmy.ml 1 points 7 months ago

How is a typo possible if one is using a password manager?

[-] baatliwala@lemmy.world 3 points 7 months ago

Not OP but I've accidentally fingered another key a split second before hitting enter a few times. It's not implausible.

[-] someonesmall@lemmy.ml 1 points 7 months ago

True, but I thought we are talking about security here...?

[-] wreckedcarzz@lemmy.world 1 points 7 months ago

30 character

You've gotta pump those numbers, those are rookie numbers. (I have a vps that has several times that figure)

[-] someonesmall@lemmy.ml 1 points 7 months ago

Did you read my message? After one failed attempt you will get banned.

[-] wreckedcarzz@lemmy.world 1 points 7 months ago

But

30 characters

:P

this post was submitted on 10 Apr 2024 to the Selfhosted community, 42 points (93.8% liked)