obfs4 Bridge Server Security Hardening: A Complete Guide

Disable root login via SSH (PermitRootLogin no in sshd_config), use key-based authentication only (PasswordAuthentication no, ChallengeResponseAuthentication no), change SSH port from 22 to a non-standard port (reduces automated scanning noise), configure SSH to listen only on the server's management interface (not on all interfaces), enable strict host key checking, set LoginGraceTime 20 (reduces window for authentication attempts), configure MaxAuthTries 3 and MaxSessions 5, enable verbose logging (LogLevel VERBOSE), configure an SSH allowed users list (AllowUsers bridgeadmin), use SSH config to restrict ciphers to strong algorithms only (Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com). Rotate SSH keys periodically and remove any keys no longer in use.

Configure ufw or iptables to allow only required ports: the obfs4 port (configurable, typically 443 or a high port) for Tor bridge traffic, the SSH management port (your non-standard port), and ICMP for ping. Block all other inbound traffic. Set default policies to DROP for INPUT and FORWARD chains. Allow RELATED,ESTABLISHED for return traffic. For ORPort (the internal Tor relay port), ensure it is not exposed to the public internet - only the obfs4 port should be publicly accessible. Rate-limit connection attempts to the SSH port (iptables -A INPUT -p tcp --dport $SSHPORT -m conntrack --ctstate NEW -m recent --set --name sshatt; iptables -A INPUT -p tcp --dport $SSHPORT -m conntrack --ctstate NEW -m recent --rcheck --seconds 60 --hitcount 4 -j DROP). Log rejected traffic for review.

Install and configure fail2ban to monitor logs and block IP addresses that trigger too many failed authentication attempts. Configure jail.local with an SSH jail (maxretry 3, bantime 3600 seconds for first offense, progressive banning for repeat offenders). Add a custom jail for your obfs4 port if you see connection flooding from specific IPs. Install AIDE (Advanced Intrusion Detection Environment) or Tripwire for file integrity monitoring - detects if system files are modified after compromise. Configure AIDE daily scans and alert on unexpected changes. RKHunter (rootkit hunter) periodically scans for known rootkits and backdoors - run weekly with email alerts for findings.

Enable automatic security updates (unattended-upgrades package on Debian/Ubuntu, dnf-automatic on RHEL-based). Configure unattended-upgrades to apply security updates daily and send email reports. Disable unused services (disable Apache/nginx if not needed, disable cups, avahi, bluetooth services). Remove unnecessary packages (apt autoremove). Configure kernel security parameters in /etc/sysctl.conf: disable IP forwarding if not needed (net.ipv4.ip_forward = 0), enable syn cookie protection (net.ipv4.tcp_syncookies = 1), disable ICMP redirects (net.ipv4.conf.all.accept_redirects = 0), enable reverse path filtering (net.ipv4.conf.all.rp_filter = 1). Consider AppArmor or SELinux profiles for the Tor process to limit what files and system calls it can access.

Set up monitoring to detect when your bridge goes offline or behaves abnormally. Prometheus + Grafana provides metrics visualization (tor_process_monitor exports Tor metrics). Uptime monitoring (UptimeRobot free tier or self-hosted) alerts when the server or obfs4 port becomes unreachable. Logwatch or similar log summarizers send daily reports of authentication attempts, service restarts, and errors. Configure email alerts for: SSH login (success and failure), service restart, disk full warnings, high CPU sustained periods, and security tool alerts. Store logs centrally on a separate server if possible (logs on compromised server are untrusted). Review logs weekly for suspicious patterns even when no alerts trigger.