SSH Tunneling vs. Other Security

markrad

New Member
May 12, 2023
I set up a connection via SSH (key required, not password) and WebGUI only via SSH tunneling through Tailscale.

In this situation, when my server is not available outside the local network and Tailscale, I should add additional security measures such as changing the SSH port, setting SSL, and adding 2-factor authentication for the WebGUI.

Are these security measures necessary when my machine is not available outside?
But what else should I do?

p.s
When I lose my Tailscale account, or Tailscale is not working, how can I get access to my server? Is the only solution on OVH?
 
Hi,
changing the SSH port
Possibly, but if password login is disabled the chances of brute forcing over the network are pretty much zero; you'd get fewer log entries from script kiddies scanning through, though.
setting SSL
What do you mean here? Proxmox VE already encrypts all API (and thus Web UI) traffic by default using TLS.
adding 2-factor authentication for the WebGUI
With TOTP and WebAuthn hardware tokens it's pretty accessible and not a big overhead, but if you made the Web UI/API only accessible via Tailscale you basically already have two-factor auth: one factor is the access to your Tailscale network and the other is user+pass of the Proxmox VE server. Sure, setting up TFA in Proxmox VE itself in addition to that will add another layer of defense, so this basically only comes down to how much overhead you can take for a bit of heightened security, compared to what data is on the server and which services are hosted there.
Are these security measures necessary when my machine is not available outside?
As mentioned, depends on your paranoia vs. how much is my data or service worth factor.
But what else should I do?
Test if the protections you applied actually work, i.e., try to connect to the server's Web UI without Tailscale to see if it's really inaccessible, or connect via ssh without the key to see that entering the correct password really doesn't work.
When I lose my Tailscale account, or Tailscale is not working, how can I get access to my server? Is the only solution on OVH?
Well, as long as ssh is available without Tailscale, then you can always connect over that, and while you could simply make the Web UI available for all (or at least your currently used public IP), you could also simply use ssh's local port forwarding, e.g.:
ssh -L 8006:127.0.0.1:8006 user@server.example.com and then connect to https://127.0.0.1:8006 (might need to accept a TLS cert exception due to accessing it from another IP).
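The "test that your protections actually work" advice above, as an added example that is not from the thread or from Proxmox: a small POSIX sh script whose parsing functions check `sshd -T` output for key-only authentication (including the keyboard-interactive/PAM path that can still prompt for a password when only PasswordAuthentication is off) and check `ssh -v` output for the methods the server really offers; the live section, run with `--live`, applies them against the server and probes the Web UI port from the public address. `SERVER` and `PUBLIC_IP` are placeholders (assumptions).

```shell
#!/bin/sh
# Added example (not from the forum thread): check the two things the reply says to test.
# SERVER and PUBLIC_IP are placeholders (assumptions); override them via the environment.

# Effective value of one keyword from `sshd -T` output ("keyword value" per line).
sshd_effective() {                       # $1 = dump text, $2 = lowercase keyword
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Succeed only if every password-style path is off and public-key auth is on.
# Caveat: PasswordAuthentication=no alone is not enough; keyboard-interactive
# (PAM) can still prompt for a password, so that setting is checked as well.
sshd_keys_only() {
    kbd=$(sshd_effective "$1" kbdinteractiveauthentication)                      # OpenSSH >= 8.7
    [ -n "$kbd" ] || kbd=$(sshd_effective "$1" challengeresponseauthentication)  # older name
    [ "$(sshd_effective "$1" passwordauthentication)" = "no" ] &&
    [ "$kbd" = "no" ] &&
    [ "$(sshd_effective "$1" pubkeyauthentication)" = "yes" ]
}

# Succeed if `ssh -v` output shows the server offering nothing but publickey.
ssh_offers_keys_only() {
    methods=$(printf '%s\n' "$1" |
        sed -n 's/^debug1: Authentications that can continue: //p' | tail -n 1)
    [ -n "$methods" ] || return 1
    case ",$methods," in
        *,password,*|*,keyboard-interactive,*) return 1 ;;
        *) return 0 ;;
    esac
}

# Live checks only when invoked as: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    SERVER="${SERVER:-server.example.com}"   # reachable over Tailscale (assumption)
    PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"   # the server's public address (placeholder)

    # 1. Server side: what sshd actually runs with, not just what the config file says.
    dump=$(ssh "$SERVER" 'sudo sshd -T')
    sshd_keys_only "$dump" && echo "sshd: key-only auth" || echo "sshd: a password path is still enabled"

    # 2. Client side: refuse to offer a key and see what the server still accepts.
    out=$(ssh -v -o BatchMode=yes -o PubkeyAuthentication=no "$SERVER" true 2>&1 || true)
    ssh_offers_keys_only "$out" && echo "ssh: only publickey offered" || echo "ssh: password methods offered"

    # 3. Web UI must not answer on the public address (only via Tailscale or the ssh tunnel).
    if curl -sk --connect-timeout 5 -o /dev/null "https://$PUBLIC_IP:8006/"; then
        echo "WARNING: Web UI reachable from the public address"
    else
        echo "Web UI not reachable publicly (run this from outside Tailscale)"
    fi
fi
```

Run the live part from a machine outside the Tailscale network for check 3 to be meaningful; checks 1 and 2 can be run from anywhere that can reach the server over ssh.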
 
Another way, keeping SSH not open to the world, is to set up a self-hosted VPN with OpenVPN or WireGuard.
 
Another way, keeping SSH not open to the world, is to set up a self-hosted VPN with OpenVPN or WireGuard.
FWIW, Tailscale is just using WireGuard but with a control server for initial connection build up, ensuring that all can work smoothly even if behind NAT'ed networks.

Also note that WireGuard basically relies on public key crypto for authentication, so using ssh with password login disabled (i.e., public key auth only) brings about the same protection w.r.t. relying on underlying security mechanisms.

But yeah, setting up stand-alone WireGuard (without Tailscale) and exposing SSH only through that or Tailscale would still add another layer of defense, as an attacker would need to circumvent both WG and SSH. But making SSH access private makes the access VPNs a point of failure: if both the WG interface and Tailscale won't come up or won't work (whyever that may be), you'd be locked out again.

If you have a server-independent fallback (IPMI, iKVM or other remote consoles), like OP probably has as they mention being hosted on OVH, you could still troubleshoot such unlikely issues (or just temporarily make SSH access public again), so there it might be worth the extra trouble; but as said, it's always a trade-off between how much security you want and how much you can cope with, because after the basic protection stuff it gets tedious rather fast.
 
