# Secure Remote Access with Tailscale + Hardened SSH

### STEP 1: Install Tailscale

1. SSH into your server or use its console.
2. Run the Tailscale install script:

   ```bash
   curl -fsSL https://tailscale.com/install.sh | sh
   ```

   Piping a remote script straight into `sh` means trusting tailscale.com and the TLS connection completely. If that is not acceptable for this host, download the script and read it first, or install the `tailscale` package from your distribution's or Tailscale's own package repository instead.
3. Authenticate the server with your Tailscale account:

   ```bash
   sudo tailscale up
   ```

   * Open the provided URL in your browser to log in.
   * Once connected, `tailscale status` lists the node and `tailscale ip -4` prints its Tailscale address (in the `100.64.0.0/10` range). You will need that address below.

***

### STEP 2: Enable MagicDNS

1. **Log in to your Tailscale Admin Console** at [login.tailscale.com](https://login.tailscale.com/).
2. Go to **"DNS"** settings in the menu and enable **MagicDNS**.
3. With MagicDNS enabled, you can reach your server via a hostname like `server-name.tailnet-name.ts.net`. The `100.x` address it resolves to is only reachable from devices that are themselves connected to your tailnet.

***

### STEP 3: Harden SSH Access

#### A. Set Up SSH Key Authentication

1. On your **local machine**, generate an SSH key pair (if needed). Ed25519 is the current default choice; RSA with at least 4096 bits is acceptable where a client cannot use it:

   ```bash
   ssh-keygen -t ed25519
   ```
2. Copy your **public key** to the server. Use the server's Tailscale address (from `tailscale ip -4`) or its MagicDNS name as `server-ip`, so the copy already travels over the tailnet:

   ```bash
   ssh-copy-id -i ~/.ssh/id_ed25519.pub user@server-ip
   ```
3. Before going further, open a **new** terminal and confirm that `ssh user@server-ip` logs in without asking for a password. Do not disable password authentication until this works.

#### B. Disable Password Authentication

1. Edit SSH config:

   ```bash
   sudo nano /etc/ssh/sshd_config
   ```
2. Set:

   ```
   PasswordAuthentication no
   KbdInteractiveAuthentication no
   ```

   `KbdInteractiveAuthentication` is the OpenSSH 8.7+ name; on older releases the equivalent is `ChallengeResponseAuthentication no`. Without it, PAM keyboard-interactive logins can still accept a password even though `PasswordAuthentication` is off.

   On Debian, Ubuntu and most current distributions `/etc/ssh/sshd_config` begins with `Include /etc/ssh/sshd_config.d/*.conf`, and sshd keeps the **first** value it sees for a keyword. A drop-in in that directory (cloud images often ship one containing `PasswordAuthentication yes`) therefore wins over anything you set further down in `sshd_config`. Check with `grep -ri passwordauthentication /etc/ssh/sshd_config.d/` and fix or remove such entries.
3. Validate the config and restart SSH. Keep your current session open until a fresh login from a second terminal succeeds:

   ```bash
   sudo sshd -t && sudo systemctl restart sshd
   ```

   (`sshd` is an alias of `ssh.service` on Debian/Ubuntu, so this unit name works on both families.) Confirm what sshd actually loaded with `sudo sshd -T | grep -iE 'passwordauthentication|kbdinteractiveauthentication'`, which dumps the effective configuration after all includes.

#### C. Change Default SSH Port (Optional)

Moving the port adds no security against a targeted attacker (a port scan finds it in seconds); its value is cutting the log noise from automated scans of port 22. If you restrict SSH to the tailnet later in this guide, you can skip this step.

1. In `/etc/ssh/sshd_config`, change:

   ```
   Port 2222
   ```

   Make sure no drop-in under `/etc/ssh/sshd_config.d/` sets `Port` earlier (the first value wins). On Ubuntu 22.10 and later sshd is socket-activated (`systemctl is-active ssh.socket` reports `active`) and ignores `Port` here; instead run `sudo systemctl edit ssh.socket`, add a `[Socket]` section with `ListenStream=` (blank, to clear the default) followed by `ListenStream=2222`, then `sudo systemctl daemon-reload`. On SELinux systems also allow the port: `sudo semanage port -a -t ssh_port_t -p tcp 2222`.
2. Open the new port in the firewall (e.g., UFW) **before** restarting, and keep port 22 open until the new port is verified, so you cannot lock yourself out:

   ```bash
   sudo ufw allow 2222/tcp
   ```
3. Validate and restart SSH:

   ```bash
   sudo sshd -t && sudo systemctl restart sshd
   ```
4. From a second terminal, confirm `ssh -p 2222 user@server-ip` works, then close the old port:

   ```bash
   sudo ufw delete allow 22/tcp
   ```
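Steps B and C both hinge on which value sshd ends up using when the same keyword appears in `sshd_config` and in a drop-in. The following is an added example written for this page (not OpenSSH, Tailscale or the original guide's code) that resolves a keyword the way sshd does: it walks the main file top to bottom, expands `Include` globs in sorted order, and keeps the first value it meets. The config tree it builds under `mktemp` is constructed for the demo; the file name `50-cloud-init.conf` imitates what cloud images commonly ship, and the `/etc/ssh` default for relative `Include` paths is the one documented in `sshd_config(5)`. It runs as plain `sh` and reads nothing from the real `/etc/ssh`.

```shell
#!/usr/bin/env sh
# Hypothetical helper for this page (not OpenSSH or Tailscale code): resolve which value
# of an sshd keyword is actually in force. sshd reads the main file top to bottom,
# expands Include directives in place (globs sorted), and for most keywords keeps the
# FIRST value it sees, so a drop-in under /etc/ssh/sshd_config.d/ that is included at
# the top of sshd_config silently overrides anything set later in sshd_config itself.
set -e

# Print "file<TAB>keyword<TAB>value" in sshd evaluation order, expanding Include.
_sshd_expand() {
  local file line key pattern f
  file=$1
  [ -r "$file" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                  # drop comments
    set -f; set -- $line; set +f      # split keyword/arguments on whitespace, no globbing
    [ $# -gt 0 ] || continue          # blank line
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]'); shift   # keywords are case-insensitive
    case $key in
      include)
        for pattern; do
          case $pattern in /*) ;; *) pattern="/etc/ssh/$pattern" ;; esac  # relative Includes live under /etc/ssh
          for f in $pattern; do _sshd_expand "$f"; done                  # glob expands sorted, as sshd does
        done ;;
      match) break ;;   # a Match block is conditional; global settings must precede it, so stop here
      *) printf '%s\t%s\t%s\n' "$file" "$key" "$*" ;;
    esac
  done < "$file"
}

# Usage: _sshd_lookup <config> <keyword>  -> "value<TAB>source-file", or "UNSET<TAB>-" if never set
# (UNSET means sshd falls back to its compiled-in default for that keyword)
_sshd_lookup() {
  _sshd_expand "$1" | awk -F '\t' -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    $2 == want { printf "%s\t%s\n", $3, $1; found = 1; exit }
    END { if (!found) printf "UNSET\t-\n" }'
}
sshd_effective() { _sshd_lookup "$1" "$2" | cut -f1; }   # the winning value
sshd_source()    { _sshd_lookup "$1" "$2" | cut -f2; }   # the file it came from

# Demo on a constructed config tree (written here for illustration; the file names imitate
# what cloud images commonly ship, but nothing is read from the real /etc/ssh).
demo() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/sshd_config.d"
  printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\nPort 2222\n' "$d" > "$d/sshd_config"
  printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/50-cloud-init.conf"
  printf 'before: PasswordAuthentication=%s (from %s)\n' \
    "$(sshd_effective "$d/sshd_config" PasswordAuthentication)" "$(sshd_source "$d/sshd_config" PasswordAuthentication)"
  # Fix: a drop-in that sorts before the cloud-init file wins, because the first value seen is kept.
  printf 'PasswordAuthentication no\nKbdInteractiveAuthentication no\n' > "$d/sshd_config.d/00-hardening.conf"
  printf 'after:  PasswordAuthentication=%s (from %s)\n' \
    "$(sshd_effective "$d/sshd_config" PasswordAuthentication)" "$(sshd_source "$d/sshd_config" PasswordAuthentication)"
  rm -rf "$d"
}
demo
```

On a real host the authoritative check is `sudo sshd -T | grep -i passwordauthentication`, which prints the effective configuration after all includes and defaults. The helper exists to make visible why the drop-in wins, and why a file named so that it sorts first (here `00-hardening.conf`) fixes it without editing the file that cloud-init owns and may rewrite.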

***

### STEP 4: Install and Configure fail2ban

Once password logins are off, brute-force attempts cannot succeed; fail2ban still cuts the log noise and slows scanners down, and it covers you if a configuration regression re-enables passwords.

1. Install fail2ban:

   ```bash
   sudo apt update
   sudo apt install fail2ban
   ```
2. Create a local override (do not edit `jail.conf` directly; it is replaced on upgrade):

   ```bash
   sudo nano /etc/fail2ban/jail.local
   ```

   Example config (times are in seconds; `port` must match the port sshd actually listens on, so use `22` if you skipped Step 3C):

   ```ini
   [sshd]
   enabled  = true
   port     = 2222
   logpath  = /var/log/auth.log
   maxretry = 3
   bantime  = 600
   findtime = 600
   ```

   On hosts without rsyslog (Debian 12 and some minimal or cloud images) `/var/log/auth.log` does not exist and sshd logs only to the journal; there, add `backend = systemd` to the `[sshd]` section and drop the `logpath` line.
3. Restart fail2ban and check that the jail is live:

   ```bash
   sudo systemctl restart fail2ban
   sudo fail2ban-client status sshd
   ```
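To see what the jail above reacts to, here is an added example constructed for this page (not fail2ban code) that applies the same idea in awk over a few fabricated `auth.log` lines using RFC 5737 test addresses: it recognises the failure lines sshd writes for wrong passwords, unknown users and connections rejected before authentication completed (`Connection closed by authenticating user ... [preauth]`, which is what a key-only server logs), counts them per source address and prints every source at or above `maxretry`. Unlike fail2ban it counts one failure per connection (the `sshd[PID]` tag) rather than per matching line, ignores `findtime`, and does no banning.

```shell
#!/usr/bin/env sh
# Hypothetical helper for this page (not fail2ban code): the counting that the [sshd]
# jail above performs, done by hand so the matched log shapes are visible.
# Usage: ssh_offenders <auth-log> <maxretry>   -> prints "ip count" for sources at or above maxretry
ssh_offenders() {
  awk -v max="$2" '
    # Record one failure for the connection that produced this line. The source address is
    # the token right before "port" in every shape matched below; the sshd[PID] tag identifies
    # the connection, so a probe that writes two lines (e.g. "Invalid user" followed by
    # "Connection closed by invalid user") counts once. fail2ban itself counts per matching
    # line inside findtime, so it reaches maxretry at least as fast as this does.
    function fail(line,   n, i, w, pid) {
      match(line, /sshd\[[0-9]+\]/); pid = substr(line, RSTART, RLENGTH)
      n = split(line, w, " ")
      for (i = 2; i <= n; i++)
        if (w[i] == "port") { if (!(pid in seen)) { seen[pid] = 1; count[w[i-1]]++ }; return }
    }
    /sshd\[[0-9]+\]: Failed password for / { fail($0); next }   # wrong password (also "invalid user" variants)
    /sshd\[[0-9]+\]: Invalid user /        { fail($0); next }   # unknown account
    /sshd\[[0-9]+\]: Connection closed by (authenticating|invalid) user .* \[preauth\]/ { fail($0); next }  # rejected before auth completed
    END { for (ip in count) if (count[ip] >= max) printf "%s %d\n", ip, count[ip] }
  ' "$1" | sort
}

# Constructed sample log for the demo (fabricated entries; 203.0.113.0/24 and 198.51.100.0/24 are
# RFC 5737 documentation ranges, 100.101.102.103 stands in for a tailnet peer).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 03:14:01 srv sshd[2201]: Invalid user admin from 203.0.113.5 port 40212
Jan 10 03:14:01 srv sshd[2201]: Connection closed by invalid user admin 203.0.113.5 port 40212 [preauth]
Jan 10 03:14:09 srv sshd[2203]: Connection closed by authenticating user root 203.0.113.5 port 40220 [preauth]
Jan 10 03:14:15 srv sshd[2205]: Failed password for root from 203.0.113.5 port 40231 ssh2
Jan 10 03:15:40 srv sshd[2210]: Connection closed by authenticating user root 198.51.100.23 port 5022 [preauth]
Jan 10 03:16:02 srv sshd[2212]: Accepted publickey for deploy from 100.101.102.103 port 49302 ssh2
Jan 10 03:17:30 srv sshd[2214]: Failed password for invalid user test from 198.51.100.23 port 5031 ssh2
EOF

echo "sources at or above maxretry=3:"
ssh_offenders "$SAMPLE_LOG" 3
```

With `maxretry = 3` only `203.0.113.5` is reported (three distinct connections); `198.51.100.23` has two and the successful key login from the tailnet peer is never counted. To test the real filter against your own log, run `fail2ban-regex /var/log/auth.log sshd` (or `fail2ban-regex systemd-journal sshd` on journald-only hosts); `sudo fail2ban-client status sshd` shows what is currently banned.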

***

### STEP 5: SSH Tunnel to Access Server Web UI (Optional)

To reach a web interface (e.g., the Proxmox UI on port 8006) without exposing it beyond the server itself, forward a local port over SSH. `-N` opens the tunnel without starting a remote shell, and the MagicDNS name from Step 2 (or the `100.x` address) works in place of `server-ip`; drop `-p 2222` if you kept the default port:

```bash
ssh -N -L 8006:localhost:8006 -p 2222 user@server-ip
```

Then open in your browser:

```
https://localhost:8006
```

***

### (Optional) Restrict SSH to Tailscale IPs Only

To limit SSH access to only Tailscale-connected devices, allow the port on the `tailscale0` interface and then remove the rule that opens it to everyone. Keying the rule on the interface is tighter than allowing the `100.64.0.0/10` range by source address: that range is shared CGNAT space, so an address-only rule would also admit traffic arriving on the public interface from any carrier network that happens to use it.

```bash
sudo ufw allow in on tailscale0 to any port 2222 proto tcp
sudo ufw status numbered          # locate the old "2222/tcp ALLOW IN Anywhere" rule
sudo ufw delete allow 2222/tcp    # or: sudo ufw delete <rule number>
```

Without the delete, the earlier rule still admits connections from anywhere and the restriction does nothing. Verify from a device on the tailnet before closing your current session, and from outside it to confirm the port is now closed. If you kept the default port, substitute `22`.

***

### Summary Table

| Feature                     | Configured?  |
| --------------------------- | ------------ |
| Tailscale VPN               | ✅ Yes        |
| MagicDNS                    | ✅ Yes        |
| SSH Key Authentication      | ✅ Yes        |
| Password Login Disabled     | ✅ Yes        |
| Custom SSH Port             | ✅ Yes (2222) |
| fail2ban Protection         | ✅ Yes        |
| SSH Tunnel to Web UI        | ✅ Optional   |
| SSH Access via Tailscale IP | ✅ Optional   |

