I keep a Raspberry Pi at a relative's house which backs up my cloud storage to a Time Machine on their network. Previously I had port 22 NAT'd to the Raspberry Pi so that I could ssh in for occasional admin. However, I found that even with iptables/fail2ban installed, there were daily attempts at getting hacked. As I only infrequently need to access the server, I decided to set up sshd as a Tor hidden service which did not require port 22 to be exposed to the wider internet.
Set up sshd as a hidden service
The first step is to install tor:
# apt-get install tor
Add the following lines to /etc/tor/torrc:
HiddenServiceDir /var/lib/tor/sshd/
HiddenServicePort 22 127.0.0.1:22
Restart tor and print the *.onion address:
# /etc/init.d/tor restart
# cat /var/lib/tor/sshd/hostname
If you are using Debian, it is helpful to install the OpenBSD version of netcat (its nc supports the -x/-X SOCKS proxy options used below):
# apt-get install netcat-openbsd
Then add the following lines to your ssh_config file:
Host *.onion
ProxyCommand netcat -x localhost:9050 -X 5 %h %p
Finally, test it using the hostname from above:
% ssh hostname.onion
I like to set up iptables so that it only accepts SSH connections from either Tor or the local network. Connections arriving through the Tor hidden service come from 127.0.0.1, so the loopback rule covers them. Here are the iptables rules. I use iptables-persistent to preserve them between potential restarts.
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT
-A OUTPUT -j ACCEPT
-A FORWARD -j REJECT
COMMIT
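The steps above (torrc lines, ssh_config Host block, iptables rules) as a set of small shell helpers. This is an added example, not a script from the original post; the function names, the default HiddenServiceDir, the LAN CIDR argument and the onion-hostname check are assumptions for illustration. The hostname check goes slightly beyond the post: it accepts both the 16-character (v2) and 56-character (v3) onion formats, and the rules check flags any port-22 ACCEPT rule that is not restricted to a source network.

```shell
#!/bin/sh
# Added example (not the original post's code). Helpers that emit the
# torrc / ssh_config / iptables fragments described above and sanity-check
# them before they are relied on. Names and defaults are assumptions.

# Emit the two torrc lines for the hidden service.
# $1 = HiddenServiceDir (default /var/lib/tor/sshd/), $2 = local sshd port.
torrc_hidden_service() {
  dir=${1:-/var/lib/tor/sshd/}
  port=${2:-22}
  printf 'HiddenServiceDir %s\nHiddenServicePort 22 127.0.0.1:%s\n' "$dir" "$port"
}

# Emit the ssh_config Host block that routes *.onion through Tor's local
# SOCKS5 port (9050 is Tor's default SocksPort). Uses OpenBSD netcat flags.
ssh_config_onion() {
  socks=${1:-localhost:9050}
  printf 'Host *.onion\n    ProxyCommand netcat -x %s -X 5 %%h %%p\n' "$socks"
}

# Return 0 if $1 looks like an onion hostname: 16 (v2) or 56 (v3)
# lowercase base32 characters (a-z, 2-7) followed by ".onion".
is_onion_hostname() {
  case $1 in
    *.onion) ;;
    *) return 1 ;;
  esac
  label=${1%.onion}
  case $label in
    *[!a-z2-7]*) return 1 ;;
  esac
  n=${#label}
  [ "$n" -eq 16 ] || [ "$n" -eq 56 ]
}

# Emit an iptables-persistent rules file. Loopback (where Tor hands
# hidden-service connections to sshd) and the LAN CIDR in $1 may open
# new connections to port 22; all other inbound traffic is rejected.
iptables_rules() {
  lan=${1:-192.168.1.0/24}
  cat <<EOF
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -p tcp --dport 22 -s $lan -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT
-A OUTPUT -j ACCEPT
-A FORWARD -j REJECT
COMMIT
EOF
}

# Quick check before loading a rules file: return 0 only if every rule
# matching --dport 22 carries a "-s" source restriction, i.e. nothing
# would accept SSH from an arbitrary address.
lan_only_ssh() {
  printf '%s\n' "$1" | grep -- '--dport 22' | grep -v -- '-s ' | grep -q . && return 1
  return 0
}

# Stand-alone usage: print the three fragments for a 10.0.0.0/24 LAN.
if [ "${1:-}" = "--demo" ]; then
  torrc_hidden_service
  ssh_config_onion
  iptables_rules 10.0.0.0/24
fi
```

Run with `--demo` to print the fragments; pipe `iptables_rules` into /etc/iptables/rules.v4 only after `lan_only_ssh` is satisfied, and check the hostname Tor writes to /var/lib/tor/sshd/hostname with `is_onion_hostname` before adding it to your ssh config.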
Shameless plug: I've created a ~100 line shell-script that automates such a setup, but with a separate ssh daemon, listening on a separate interface - which avoids enumeration too.