Security Considerations for Torus Pro (1:1 NAT)

Understanding Torus Pro

Torus Pro provides a dedicated public IP address mapped directly to your ~~device via 1:1 NAT.~~device. This means your equipment is reachable from anywhere on the internet — exactly as if it were plugged directly into a public network.

How Pro Differs from Other Tiers

Feature	Basic/Standard	Pro
External IP	None / Shared	Dedicated
All ports accessible	No	Yes
Inbound connections	No	Yes
Outbound connections	Yes (Standard)	Yes
Use case	Private mesh, outbound only	Hosting public services

Security Considerations for Vintage Hardware

Retro and legacy systems are typically ~~used~~designed ~~by enthusiasts inside a~~for trusted ~~network.~~networks. These systems ~~predate~~often:

Predate modern network-based threats

~~and typically fail~~

Fail to meet modern encryption ~~standards,~~standards

~~are~~

Are unpatched for years if not ~~decades,~~decades

~~have~~

Have little to no protection against brute-force ~~attacks,~~attacks

~~and~~

Transmit ~~the~~credentials ~~list~~in ~~goes~~plaintext

~~on.~~

Before You Enable TorusPublic ProAccess

~~ask~~

Ask yourself:

Do I need this system reachable from the entire ~~internet,~~internet, or just from specific locations?
What services am I exposing, and do they transmit credentials in plaintext?
Would a compromise of this system affect other devices on my network?
Am I prepared to monitor logs and respond to incidents?

If you simply want to access your retro equipment remotely yourself, full public exposure may not be necessary.

Protection Consideration:
Options

SSH Tunnelling:Tunnelling

Run a small Linux box (Raspberry Pi, ~~old laptop,~~ VM) on your network that accepts SSH connections. Access legacy services by tunnelling through it. The retro systems never need direct exposure.

IP Whitelisting

Apply restrictive access controls to limit who can reach your services. The Nekotopia dashboard allows you to configure basic firewall rules for your public IP.

Teleport ZTNA

Nekotopia offers Teleport for zero-trust access. Instead of exposing services directly, users authenticate through Teleport and access your services via a secure proxy. This provides:

Authentication with 2FA
Audit logging of all access

No direct port exposure

Fine-grained access control

Bastion Host with Fail2ban:Fail2ban

If you have a Linux gateway in front of your legacy gear, deploy fail2ban to block IPs after failed authentication attempts.

~~Not~~

~~foolproof,~~

Recommendations

~~butraisesthebar.Whitelisting:Apply~~a~~restrictiveACL~~on~~your~~is~~ongoingdevelopment~~to

Risk IPLevel	Recommendation
Low	Internal ~~edge~~services ~~network~~only ~~devices.~~(Basic ~~There~~tier)
Medium	Use ~~undertake this directly through the user control panel and block it at the hub.~~ Teleport ZTNA ~~offers secure access similar to the bastion host. However, the NTZA provides an authentication plus 2FA authentication token providing port-based access to~~for remote ~~services.~~ access
High	Full public exposure with monitoring

When in doubt, start with less exposure and expand only as needed.