I keep a Raspberry Pi at a relative's house which backs up my cloud storage to a Time Machine on their network. Previously I had port 22 NAT'd to the Raspberry Pi so that I could ssh in for occasional admin. However, I found that even with iptables/fail2ban installed, there were daily break-in attempts against it. As I only infrequently need to access the server, I decided to set up sshd as a Tor hidden service, which does not require port 22 to be exposed to the wider internet.
Set up sshd as a hidden service
The first step is to install tor:
# apt-get install tor
Add the following lines to /etc/tor/torrc:
HiddenServiceDir /var/lib/tor/sshd/
HiddenServicePort 22 127.0.0.1:22
Restart tor and print the *.onion address:
# /etc/init.d/tor restart
# cat /var/lib/tor/sshd/hostname
If you are using Debian, it is helpful to install the OpenBSD version of netcat, which supports the -x/-X SOCKS proxy options used below:
# apt-get install netcat-openbsd
Then add the following lines to your ssh_config file:
Host *.onion
ProxyCommand netcat -x localhost:9050 -X 5 %h %p
Finally, test it using the hostname from above:
% ssh hostname.onion
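The steps above as one idempotent script, added here as an example and not code from the original post. It uses the post's paths (/etc/tor/torrc, /var/lib/tor/sshd/, ~/.ssh/config) but exposes them as TORRC, HS_DIR and SSH_CONFIG variables, and the function names and the --apply flag are my own. Re-running it never duplicates the torrc directives, and it waits for tor to write the hostname file rather than reading it immediately after the restart, which can fail because tor generates the service key first.

```shell
#!/bin/sh
# Added example, not code from the original post: the server- and client-side
# steps above as one idempotent script. Paths are the ones the post uses; they
# are variables (assumed names) so the functions can run against scratch files.
TORRC="${TORRC:-/etc/tor/torrc}"
HS_DIR="${HS_DIR:-/var/lib/tor/sshd}"
SSH_CONFIG="${SSH_CONFIG:-$HOME/.ssh/config}"

# ensure_line FILE LINE: append LINE unless an identical line already exists,
# so re-running the script never duplicates torrc directives.
ensure_line() {
    if [ -f "$1" ] && grep -qxF -- "$2" "$1"; then
        return 0
    fi
    printf '%s\n' "$2" >> "$1"
}

# configure_hidden_service: the two torrc lines from the post. Tor creates
# HS_DIR itself (mode 0700, owned by its own user) on first start.
configure_hidden_service() {
    ensure_line "$TORRC" "HiddenServiceDir $HS_DIR/"
    ensure_line "$TORRC" "HiddenServicePort 22 127.0.0.1:22"
}

# configure_ssh_client: the Host *.onion stanza from the post, routing any
# .onion hostname through tor's SOCKS5 port with OpenBSD netcat.
configure_ssh_client() {
    if [ -f "$SSH_CONFIG" ] && grep -qx 'Host \*\.onion' "$SSH_CONFIG"; then
        return 0
    fi
    mkdir -p "$(dirname "$SSH_CONFIG")"
    printf 'Host *.onion\n    ProxyCommand netcat -x localhost:9050 -X 5 %%h %%p\n' >> "$SSH_CONFIG"
}

# wait_for_hostname [SECONDS]: tor writes HS_DIR/hostname only after it has
# generated the service key pair, a moment after (re)start, so reading it
# immediately can fail. Poll up to SECONDS (default 30), print the .onion
# name, and return 1 on timeout.
wait_for_hostname() {
    limit="${1:-30}"
    n=0
    while [ "$n" -lt "$limit" ]; do
        if [ -s "$HS_DIR/hostname" ]; then
            cat "$HS_DIR/hostname"
            return 0
        fi
        sleep 1
        n=$((n + 1))
    done
    echo "no hostname in $HS_DIR after ${limit}s" >&2
    return 1
}

# Server-side entry point (run as root); guarded so that sourcing the file for
# its functions does not install or restart anything.
if [ "${1:-}" = "--apply" ]; then
    apt-get install -y tor netcat-openbsd
    configure_hidden_service
    /etc/init.d/tor restart
    wait_for_hostname
fi
```

On the server run it as root with --apply; on the client source it and call configure_ssh_client, or just copy the stanza by hand. The hostname file is readable only by tor's user and root, so wait_for_hostname also needs root on a real install.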
I like to set up iptables so that it only accepts SSH connections from either Tor or the local network. Connections to the Tor hidden service come from 127.0.0.1. Here are the iptables rules. I use iptables-persistent to preserve them between potential restarts.
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT
-A OUTPUT -j ACCEPT
-A FORWARD -j REJECT
COMMIT
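A pre-load check for a rules file in the format above, added here as an example and not code from the original post. It assumes the iptables-persistent path /etc/iptables/rules.v4 and its function names are my own. It fails if any INPUT rule accepts TCP port 22 from anywhere other than the loopback interface (where tor hands over hidden-service connections) or an explicit RFC 1918 source, or if the INPUT chain does not fall through to a deny, so a later edit cannot quietly re-expose sshd to the internet.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity-check an
# iptables-restore file (assumed path /etc/iptables/rules.v4) before loading it.

# ssh_accept_rules FILE: print the INPUT rules that ACCEPT TCP port 22.
ssh_accept_rules() {
    grep -E -- '^-A INPUT .*--dport (22|ssh)( |$).*-j ACCEPT' "$1" || true
}

# check_ssh_rules FILE: each ACCEPT for port 22 must be bound to interface lo
# or restricted to a private source range; prints offenders, returns 1 if any.
check_ssh_rules() {
    private='-s (10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)[0-9.]+(/[0-9]+)?'
    bad=$(ssh_accept_rules "$1" | grep -Ev -- "(-i lo |$private)" || true)
    if [ -n "$bad" ]; then
        printf 'port 22 accepted from outside the LAN:\n%s\n' "$bad" >&2
        return 1
    fi
}

# check_default_deny FILE: the INPUT chain must fall through to REJECT/DROP,
# either as a chain policy line (":INPUT DROP") or as its final rule.
check_default_deny() {
    if grep -Eq -- '^:INPUT DROP' "$1"; then
        return 0
    fi
    last=$(grep -- '^-A INPUT ' "$1" | tail -n 1)
    case "$last" in
        *"-j REJECT"*|*"-j DROP"*) return 0 ;;
    esac
    echo "INPUT chain does not end in a deny rule" >&2
    return 1
}

# check_rules FILE: run both checks; exit status 0 only if both pass.
check_rules() {
    ok=0
    check_ssh_rules "$1" || ok=1
    check_default_deny "$1" || ok=1
    return "$ok"
}

# Usage: sh check-rules.sh /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
if [ "$#" -gt 0 ]; then
    check_rules "$1"
fi
```

The check is deliberately conservative: a port 22 ACCEPT that names any other source, or none at all, is reported, so a rule you consider safe has to be written as either a loopback-bound rule or a private-range source to pass.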
This is really nice but if I understand correctly, nothing is preventing your hidden service from being discovered and enumerated by those probes you're trying to hide from. A simple mitigation for this is to add HiddenServiceAuthorizeClient to your server's torrc and a reciprocal HidServAuth directive to your client's Tor. This makes sure your Tor hidden service is no longer available to any other Tor client.