TLDR:
If I use SSH as a Tor hidden service and do not share the public hostname of that service, do I need any more hardening?
Full Post:
I am planning to setup a clearnet service on a server where my normal "in bound" management will be over SSH tunneled through Wireguard. I also want "out of bound" management in case the incoming ports I am using get blocked and I cannot access my Wireguard tunnel.
I was thinking that I could have an SSH bastion host as a virtual machine, which will expose SSH as a a hidden service. I would SSH into this VM over Tor and then proxy SSH into the host OS from there. As I would only be using this rarely as a backup connection, I do not care about speed or convenience of connecting to it, only that it is always available and secure. Also, I would treat the public hostname like any other secret, as only I need access to it.
Other than setting up secure configs for SSH and Tor themselves, is it worth doing other hardening like running Wireguard over Tor? I know that extra layers of security can't hurt, but I want this backup connection to be as reliable as possible so I want to avoid unneeded complexity.
Security through obscurity is no security at all.
If you open up SSH to the wide world you secure the hell out of it. Full stop.
To my knowledge there is no way to index Tor v3 hostnames unless the owner of the address explicitly shares them. Therefore, even if an attacker knew that I was behind Tor, they would have no way to find out the hostname of my service and connect to it, so it is not security through obscurity. They would have to get into my password manager and steal my public key. Am I wrong about this?
Whatever the case of the hostname being public or not, do you think it is important to add another layer of security such as Wireguard in this case, or is hardening the SSH config enough?
Relying on someone "not finding something out" is by definition security through obscurity. ;)
If you open up SSH to the Internet, any of it, secure it like your life depends on it :).
Look up hardening SSH and just use the same options for Tor as you would for the regular internet.
Two things to keep in mind:
- Tor is TCP only so you can't use mosh which uses UDP.
- Only allow connection through ssh keys without a password. I know you'll probably do that anyway, but it's good to point that out.