How Xtream Solutions Hardens SSH with Tailscale for Instant, Secure Server Access

25Oct

How Xtream Solutions Hardens SSH with Tailscale for Instant, Secure Server Access

By Debian, Linux, VPS 0 Comments

At Xtream Solutions, we automate everything — from deployments to secure remote management.
One of the most overlooked pain points in DevOps is SSH reliability after reboots or network changes.
We’ve solved that by integrating Tailscale (a zero-config private VPN) with a self-healing SSH service that waits for the network and recovers automatically.

🔒 The Problem

Traditional SSH relies on public interfaces and fixed firewalls.
After reboots, firewalls or network timing can cause:

  • “Connection refused” errors
  • SSH binding failures (Cannot assign requested address)
  • Services starting before network interfaces are up

This leads to downtime and manual intervention — unacceptable in a modern automated environment.

🚀 The Xtream Solutions Fix

Our engineers designed a universal startup patch for any Linux server using Tailscale:

  1. SSH auto-starts only after Tailscale is online
  2. The service waits for the tailscale0 interface before binding
  3. Auto-restarts if it ever crashes or loses its network socket
  4. UFW firewall only allows SSH over Tailscale
  5. Optional Slack notifications report access failures or restarts

Together, these guarantee:

“SSH just works” — even after an unexpected reboot, upgrade, or network shift.

⚙️ The Implementation

Here’s what we configure automatically when we provision a new server:

#!/bin/bash
# ======================================================================
# Xtream Solutions - Secure SSH over Tailscale with Slack Alerts
# Author: Xtream Solutions (xtreamsolutions.net)
# Description:
#   Auto-configures SSH to wait for Tailscale, auto-restart, firewall rules,
#   and sends Slack alerts when SSH restarts or fails.
# ======================================================================

set -e

# --- CONFIGURATION ----------------------------------------------------
SSH_PORT=999
SLACK_WEBHOOK_URL="https://hooks.slack.com/services/XXXX/XXXX/XXXX"  # <== Replace with your Slack webhook
SERVER_NAME=$(hostname)
# ---------------------------------------------------------------------

echo "🔧 [Xtream Solutions] Configuring secure SSH with Tailscale + Slack alerts..."
sleep 1

# --- 1. Install dependencies ------------------------------------------
sudo apt update -y
sudo apt install -y tailscale ufw openssh-server curl jq

# --- 2. Enable Tailscale ----------------------------------------------
sudo systemctl enable tailscaled
sudo systemctl start tailscaled
echo "⚙️  Make sure this node joins your tailnet:"
echo "    sudo tailscale up --ssh"

# --- 3. Configure SSH -------------------------------------------------
sudo sed -i "s/^#Port .*/Port $SSH_PORT/" /etc/ssh/sshd_config
sudo sed -i "s/^Port .*/Port $SSH_PORT/" /etc/ssh/sshd_config
sudo sed -i 's/^ListenAddress.*/#ListenAddress 0.0.0.0/' /etc/ssh/sshd_config

# --- 4. Create systemd override ---------------------------------------
sudo mkdir -p /etc/systemd/system/ssh.service.d
cat <<EOF | sudo tee /etc/systemd/system/ssh.service.d/override.conf > /dev/null
[Unit]
After=network-online.target tailscaled.service
Wants=network-online.target tailscaled.service

[Service]
ExecStartPre=/bin/sh -c 'while ! ip link show tailscale0 >/dev/null 2>&1; do sleep 1; done'
ExecStart=
ExecStart=/usr/sbin/sshd -D \$SSHD_OPTS
Restart=always
RestartSec=5
EOF

# --- 5. Reload & restart ----------------------------------------------
sudo systemctl daemon-reload
sudo systemctl enable ssh
sudo systemctl restart ssh

# --- 6. Setup UFW firewall --------------------------------------------
sudo ufw --force enable
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 80,443/tcp comment 'Public Web'
sudo ufw allow in on tailscale0 to any port $SSH_PORT proto tcp comment 'SSH via Tailscale only'
sudo ufw reload

# --- 7. Create Slack notification service ------------------------------
echo "📡 Configuring Slack alerts for SSH restarts..."
cat <<'SCRIPT' | sudo tee /usr/local/bin/slack-ssh-alert.sh > /dev/null
#!/bin/bash
SLACK_WEBHOOK_URL=$(grep -m1 'SLACK_WEBHOOK_URL' /etc/xtream.conf | cut -d'"' -f2)
SERVER_NAME=$(hostname)
EVENT="$1"
MESSAGE="🔔 *${SERVER_NAME}* - SSH Service ${EVENT}"

if [ -n "$SLACK_WEBHOOK_URL" ]; then
    curl -X POST -H 'Content-type: application/json' \
         --data "{\"text\":\"${MESSAGE}\"}" \
         "$SLACK_WEBHOOK_URL" >/dev/null 2>&1
fi
SCRIPT

sudo chmod +x /usr/local/bin/slack-ssh-alert.sh

# --- 8. Store Slack webhook -------------------------------------------
sudo bash -c "echo 'SLACK_WEBHOOK_URL=\"$SLACK_WEBHOOK_URL\"' > /etc/xtream.conf"

# --- 9. Add systemd hooks for alerts ----------------------------------
sudo mkdir -p /etc/systemd/system/ssh.service.d
cat <<'EOF' | sudo tee /etc/systemd/system/ssh.service.d/99-slack-alert.conf > /dev/null
[Service]
ExecStartPost=/usr/local/bin/slack-ssh-alert.sh "✅ started successfully"
ExecStopPost=/usr/local/bin/slack-ssh-alert.sh "⚠️ stopped or failed"
EOF

sudo systemctl daemon-reload
sudo systemctl restart ssh

# --- 10. Send initial startup alert -----------------------------------
/usr/local/bin/slack-ssh-alert.sh "🚀 boot completed and SSH online"

echo ""
echo "✅ [Xtream Solutions] SSH hardened successfully!"
echo "   - Port: $SSH_PORT"
echo "   - Firewall: Tailscale-only access"
echo "   - Slack alerts: Enabled"
echo ""
echo "📡 Connect via: ssh <user>@${SERVER_NAME}.tailnet.ts.net -p $SSH_PORT"

Save it as xtream-ssh-tailscale-setup.sh
Make it executable:

chmod +x xtream-ssh-tailscale-setup.sh

Then run it on any new VPS:

sudo ./xtream-ssh-tailscale-setup.sh

🧠 Why This Matters

This script ensures:

  • SSH never binds before networking is ready
  • The service automatically heals itself
  • Only devices in your Tailscale network can reach it
  • Every new server you spin up instantly joins your secure mesh

At Xtream Solutions, this forms part of our Zero-Trust Infrastructure Stack — minimizing exposure while maximizing reliability.

🏁 Conclusion

Server security shouldn’t come at the cost of availability.
By combining Tailscale’s simplicity with Xtream’s automation philosophy, we’ve made SSH rock-solid — no more “connection refused” surprises after reboots.

If your organization wants to modernize its DevOps stack with self-healing network access and zero-trust automation, reach out to the Xtream Solutions team today.

🔗 Click here to schedule a consult and learn how we can secure and automate your infrastructure from the ground up.

Share this post

Author

Leave a Reply

Your email address will not be published. Required fields are marked *


Related Posts

04Aug

How to Set Up DKIM Email Signing with OpenDKIM and Postfix on Debian 12

Ensure email authenticity and improve deliverability by properly setting up DKIM (DomainKeys... read more

28Oct

Solving an SSH Failure Loop with Smarter Auto-Upgrades Scripts on Debian Servers

Xtream Solutions shares how we resolved recurring SSH service failures on Debian... read more

03Aug

How to Fix n8n Schedule Triggers Not Running After Docker Restart

n8n is a powerful open-source workflow automation tool, perfect for teams looking... read more

12Jul

Complete Email Server Setup Tutorial with Dovecot, Postfix, and Virtual Users (Debian)

This guide walks you through a complete setup of a self-hosted email... read more