i want to remotely ssh to my home server, and I was wondering if I could just forward port 22 with disabling password login and use pubkey authentication will be safe enough?

  • SamSausages@alien.topBEnglish
    1·
    10 months ago

    Yes and no.

    Yes if you have the resources to monitor and update. Companies have entire teams dedicated to this.

    No if you don’t have the resources/time to keep up with it regularly.

    IMO, no need to take this risk when you have services like Tailscale available today.

  • marbonmb@alien.topBEnglish
    1·
    10 months ago

    I know that some VPN are able to create private networks for devices logged with your account. For exemple nordvpn is able to connect your devices into their “mesh network” and make your devices available through the VPN. I think it’s better than exposing a ssh service on Internet, even with a lot of protections!

      • ayoungblood84@alien.topBEnglish
        1·
        10 months ago

        With a VPN there’s no need to change the port. Unless you change all of your ssh ports to another set pretty across all of your hosts, you’re just asking for a headache at scale.

        • Sekhen@alien.topBEnglish
          1·
          10 months ago

          I have a “prep script” that takes care of everything.

          It takes less than 2 minutes to run on a fresh install and does all kind of fun things.

  • brandontaylor1@alien.topBEnglish
    0·
    10 months ago

    As long as password auth is disabled you’re fine. No one is cracking your RSA key. You can add Fail2Ban to reduce the log noise, but security wise it’s fine.

      • upofadown@alien.topBEnglish
        0·
        10 months ago

        RSA is fine. It isn’t like you will have to worry about the length of the keys for SSH.

        • Beastmind@alien.topBEnglish
          1·
          10 months ago

          It is but if you’re going to use something security related, use the current recommendation unless you stricly can’t for legacy reason or something.

  • kaipee@alien.topBEnglish
    0·
    10 months ago

    Disable password auth.

    Enable key only auth.

    Add in TOTP 2FA (google authenticator).

    Randomize the port (reduce bots) that forwards to 22.

    Configure lockout to block upon 3 failed attempts, for a long duration like 1 year. (Have a backup access on LAN).

    Ensure only the highest encryption ciphers are accepted.

    Ensure upgrades are applied to sshd at least monthly.