4

Pretend I have a Tor hidden service.

For ultimate security I would firewall the internet entirely, except for Tor, to try to reduce IP address leakage and other security risks.

My problem is how could I then connect to the box via SSH?

My question is how can you keep all ports closed for security reasons, but still access VPS with SSH? I can't think of a secure way of doing this, which keeps server secure.

k1308517
  • 1,272
  • 14
  • 27
  • 3
    Port knocking is a common way to go, if you want to keep ports closed. Some might argue though, that it's a security through obscurity pattern. – Arminius May 19 '16 at 10:55
  • @Arminius It's a good idea (I have included a description), however hopefully there are other ways with proper security, not obscurity stuff. "Port knocking is a stealth method to externally open ports that, by default, the firewall keeps closed. It works by requiring connection attempts to a series of predefined closed ports" – k1308517 May 19 '16 at 11:59
  • 1
    You could use cryptographic port knocking in order to avoid the "security through obscurity" method. But in the end, you might as well use properly locked down SSH with a non-standard port and obtain a result that is more or less equivalent. – Stephane May 19 '16 at 12:37
  • Is having the box connect to you via reverse shell through Tor an option ? Maybe from an external Jump Box in another country ? If so then you don't need to have any ports open outside of Tor. – Trey Blalock May 19 '16 at 18:41
  • 1
    Why not require SSH connections to originate within Tor? There are plenty of guides on [SSHing within Tor](https://duckduckgo.com/?q=ssh+tor+onion), including [this one on tor.SE](https://tor.stackexchange.com/questions/123/how-can-i-anonymize-my-ssh-traffic-using-the-tor-network). – Adam Katz May 19 '16 at 22:36
  • @TreyBlalock So have two VPSs: one with the hidden service, another VPS which the hidden service connects to and I can SSH into? – k1308517 May 20 '16 at 08:34
  • @AdamKatz The problem is that would be extremely slow. Also, if someone performs a hidden service DDoS I think I would still be able to SSH over clearnet? – k1308517 May 20 '16 at 08:34
  • A reverse shell is different, no need for a dedicated port listening on the server at all. It acts as a client network-wise and "calls home" to another system you control (possibly using dynamic DNS) where you can then establish a shell connection. You still get access but no one can see a listening port to attack. A dedicated jump box also works great for this too. – Trey Blalock May 20 '16 at 15:04

1 Answers1

1

A lot of what I discussed in this answer about alternate SSH ports is applicable to this question.

Since your goal is to be as invisible as possible*, I think your best bet is secure port knocking with a tool like fwknop (as noted in this crypto.SE question) or perhaps a custom one-time password scheme for sufficiently complicated port knocks (to help protect against replay attacks).

Another idea is to port knock through Tor; there may be latency within Tor, but port knocking doesn't consume much bandwidth and can be configured to tolerate more latency. Once you've knocked on the .onion address, the end of your knock could be an encrypted (or plaintext, depending on your sensitivity) form of your client public IP address, which would then be able to access the server's public IP address for a short time window.

You'll also want a system like Fail2ban, which can recognize failed logins and ban the IP that attempted them (by default, Fail2ban blocks an IP for ten minutes after ten failed logins within ten minutes, but this is all configurable). This will help protect you against attacks coming from systems that share your public IP address (e.g. by being behind the same NAT or by claiming your IP when you disconnect).

I'd still recommend using Tor for your everyday access and only fail over to the public internet when Tor becomes too slow (which hopefully isn't that often; much of Tor's slow speed comes from being starved for exit nodes, but a hidden service doesn't need an exit node).

*Since Tor runs atop the internet, it still needs some ports exposed to the public internet. You won't be completely invisible and any adversary should be able to easily determine that your server runs Tor. You might be able to do some kind of reverse port-knocking (upon detecting a port scan, drop all packets to and from that IP), but some port scans are hard to detect (and an attacker might start with the port in question).

Adam Katz
  • 9,718
  • 2
  • 22
  • 44