Self-Hosted Main

this post was submitted on 28 Nov 2023

I want to remotely SSH to my home server, and I was wondering: if I just forward port 22, disable password login and use pubkey authentication, will that be safe enough?

[–] kaipee@alien.top 3 points 9 months ago (4 children)

Disable password auth.

Enable key only auth.

Add in TOTP 2FA (google authenticator).

Randomize the external port (reduces bots) that forwards to 22.

Configure lockout to block upon 3 failed attempts, for a long duration like 1 year. (Have a backup access on LAN).

Ensure only the highest encryption ciphers are accepted.

Ensure upgrades are applied to sshd at least monthly.
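
The checklist above, as an added example that is not code from the thread or from any commenter: a shell script that writes an sshd drop-in applying those points (key-only, TOTP through PAM, root disabled, three tries, modern algorithms, a key-only fallback from the LAN) and then audits the effective configuration as `sshd -T` prints it. The port 2222, the `ssh-user` group, the 192.168.1.0/24 LAN prefix and the two sample `sshd -T` excerpts are assumptions. The audit also catches the case the thread warns about below: keyboard-interactive left on with a stock PAM stack still accepts the Unix password even when `PasswordAuthentication` is `no`, unless `AuthenticationMethods` forces a key first.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes an sshd drop-in for the
# checklist above and audits the EFFECTIVE config as printed by `sshd -T`.
# Port, group name, LAN prefix and the sample outputs are assumptions.
set -eu

# 1. Drop-in for /etc/ssh/sshd_config.d/ (Include is default since OpenSSH 8.2;
#    on older releases paste the lines into sshd_config). PAM side: in
#    /etc/pam.d/sshd replace the "@include common-auth" (password) line with the
#    pam_google_authenticator or pam_oath line, or TOTP will ask for a password too.
write_hardened_dropin() {
  cat > "$1" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# keyboard-interactive stays on: it is the channel PAM uses for the TOTP prompt.
# AuthenticationMethods makes it unusable without a key first.
# (OpenSSH older than 8.7 spells this ChallengeResponseAuthentication.)
KbdInteractiveAuthentication yes
UsePAM yes
AuthenticationMethods publickey,keyboard-interactive
MaxAuthTries 3
LoginGraceTime 20
# Create the group and add your user BEFORE restarting sshd, or you lock yourself out.
AllowGroups ssh-user
# Modern algorithms only. sshd refuses to start on a typo here: run `sshd -t` first.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
# Match blocks run to the end of the file, so they come last.
# LAN fallback: key only, no TOTP, so a lost phone cannot lock you out at home.
Match Address 192.168.1.0/24
    AuthenticationMethods publickey
EOF
}

# 2. Audit `sshd -T` output (defaults and Includes already resolved).
#    Returns 0 when every check passes, 1 otherwise, one FAIL line per problem.
audit_sshd_T() {
  awk '
    { kv[$1] = substr($0, length($1) + 2) }
    END {
      fail = 0
      if (kv["passwordauthentication"] != "no")  { print "FAIL passwordauthentication=" kv["passwordauthentication"]; fail = 1 }
      if (kv["pubkeyauthentication"]   != "yes") { print "FAIL pubkeyauthentication=" kv["pubkeyauthentication"]; fail = 1 }
      if (kv["permitrootlogin"]        != "no")  { print "FAIL permitrootlogin=" kv["permitrootlogin"]; fail = 1 }
      kbd = ("kbdinteractiveauthentication" in kv) ? kv["kbdinteractiveauthentication"] : kv["challengeresponseauthentication"]
      if (kbd == "yes") {
        # keyboard-interactive goes through PAM, and a stock PAM stack asks for
        # the Unix password, so PasswordAuthentication=no alone is not enough:
        # every space-separated AuthenticationMethods alternative must need publickey.
        n = split(kv["authenticationmethods"], alts, " ")
        for (i = 1; i <= n; i++)
          if (alts[i] !~ /(^|,)publickey(,|$)/) { print "FAIL keyboard-interactive reachable without a key: " alts[i]; fail = 1 }
      }
      exit fail
    }' "$1"
}

# 3. Constructed `sshd -T` excerpts (not captured from a real host). The first is
#    the "keys work, passwords look off, but PAM still takes them" state.
weak_sample() {
  cat <<'EOF'
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
authenticationmethods any
EOF
}
hardened_sample() {
  cat <<'EOF'
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
authenticationmethods publickey,keyboard-interactive
EOF
}

# check_sample FUNC: audit the sample FUNC prints; returns the audit's status.
check_sample() {
  tmp=$(mktemp); "$1" > "$tmp"
  rc=0; audit_sshd_T "$tmp" || rc=$?
  rm -f "$tmp"; return "$rc"
}

main() {
  dir=$(mktemp -d)
  write_hardened_dropin "$dir/99-hardening.conf"
  echo "drop-in written to $dir/99-hardening.conf; install it, then: sshd -t && systemctl reload ssh"
  echo "weak sample:";     check_sample weak_sample     && echo PASS || echo "-> needs fixing"
  echo "hardened sample:"; check_sample hardened_sample && echo PASS || echo "-> needs fixing"
  echo "this host:"; sshd -T 2>/dev/null > "$dir/eff" && audit_sshd_T "$dir/eff" && echo PASS || echo "-> sshd -T unavailable (run as root) or checks failed"
  rm -rf "$dir"
}
main
```

Keep a second session open while you reload, and test a fresh login from outside the LAN before closing it: `AllowGroups` and the algorithm lists are the two lines that lock people out.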

[–] gnordli@alien.top 2 points 9 months ago (2 children)

If you are going all out, may as well add hosts.deny and hosts.allow.

[–] Kazer67@alien.top 1 points 9 months ago

Add port knocking, if we go all out, let's go all out!

[–] kaipee@alien.top 1 points 9 months ago (1 children)

Easy to do with known internal networks.

Difficult to manage when roaming.

[–] gnordli@alien.top 1 points 9 months ago

Absolutely, just sometimes people forget those tools even exist. Of course, you can easily do the same thing with firewall rules as well.

Also, that was a great tidbit about the pam email notification on successful logon. I haven't seen that one before, thank you!!

[–] chaplin2@alien.top 3 points 9 months ago

If you disable password authentication, and use public key authentication, yes.

[–] brandontaylor1@alien.top 3 points 9 months ago (5 children)

As long as password auth is disabled you’re fine. No one is cracking your RSA key. You can add Fail2Ban to reduce the log noise, but security wise it’s fine.

[–] Beastmind@alien.top 1 points 9 months ago (7 children)

Also don't use rsa, use Ed25519 nowadays

[–] Hatta00@alien.top 1 points 9 months ago (1 children)

Change your port.

No one's cracking a proper implementation of RSA, but not every implementation is proper. A little obscurity can't hurt.

[–] pentesticals@alien.top 1 points 9 months ago (6 children)

Just waiting for everyone to come in saying you shouldn't do this lol. Yes, changing the port is a nice little bonus. It doesn't add any extra security, but it moves you out of the way of the automated bots that scan the internet trying recent 0-days. You'll probably see a 99% reduction in traffic hitting the service and the only logs will be real people.

[–] AnApexBread@alien.top 3 points 9 months ago

disabling password login and use pubkey authentication will be safe enough?

Just make sure you actually disable password login. Simply enabling key doesn't disable password. So as long as the password is disabled then you're fine.

[–] Both-Following9917@alien.top 2 points 9 months ago

Get fail2ban setup at a minimum
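
Fail2Ban is recommended several times in this thread (here, and above as a way to cut log noise and to lock out after a few failures). As an added example that is not part of the thread or of Fail2Ban itself, this is the counting half of what it does, run over constructed sshd log lines: tally failures per source address, ignore a LAN prefix you never want banned (the fallback access mentioned above), and print the drop rule for anything over the threshold. The log lines, addresses, hostname and threshold are all made up. The practical point it shows is that on a key-only server there are no "Failed password" lines at all; key probing leaves only "Invalid user" and "[preauth]" disconnect messages, so those must be in the patterns or nothing ever gets banned.

```shell
#!/bin/sh
# Added example, not from the thread: fail2ban-style counting over constructed
# sshd log lines. Addresses, hostname and threshold are assumptions.
set -eu

# Constructed auth.log excerpt (not captured from a real host).
sample_log() {
  cat <<'EOF'
Nov 28 10:01:02 home sshd[1201]: Invalid user admin from 203.0.113.7 port 51130
Nov 28 10:01:03 home sshd[1201]: Connection closed by invalid user admin 203.0.113.7 port 51130 [preauth]
Nov 28 10:01:09 home sshd[1204]: Connection closed by authenticating user root 203.0.113.7 port 51140 [preauth]
Nov 28 10:01:15 home sshd[1207]: Disconnected from authenticating user root 203.0.113.7 port 51152 [preauth]
Nov 28 10:02:00 home sshd[1210]: Accepted publickey for alice from 198.51.100.4 port 40000 ssh2: ED25519 SHA256:c0ffee
Nov 28 10:02:30 home sshd[1213]: Connection closed by authenticating user alice 198.51.100.4 port 40010 [preauth]
Nov 28 10:03:01 home sshd[1215]: Failed password for bob from 192.168.1.20 port 50001 ssh2
Nov 28 10:03:02 home sshd[1215]: Failed password for bob from 192.168.1.20 port 50001 ssh2
Nov 28 10:03:03 home sshd[1215]: Failed password for bob from 192.168.1.20 port 50001 ssh2
Nov 28 10:04:00 home sshd[1220]: Accepted publickey for alice from 2001:db8::10 port 40020 ssh2: ED25519 SHA256:c0ffee
EOF
}

# ban_candidates MAXRETRY IGNORE_PREFIX   (log lines on stdin)
# Prints "ip count" for every source with >= MAXRETRY failures whose address
# does not start with IGNORE_PREFIX (fail2ban's ignoreip idea). No findtime
# window here; fail2ban additionally expires hits older than findtime.
ban_candidates() {
  awk -v maxretry="$1" -v ignore="$2" '
    /sshd\[[0-9]+\]: / && (/Failed password for/ || /Invalid user/ ||
        /(Connection closed by|Disconnected from) (authenticating|invalid) user .* \[preauth\]/) {
      # in every sshd pre-auth message the source address is the token before "port"
      ip = ""
      for (i = 2; i <= NF; i++) if ($i == "port") ip = $(i - 1)
      if (ip != "" && (ignore == "" || index(ip, ignore) != 1)) fails[ip]++
    }
    END { for (ip in fails) if (fails[ip] >= maxretry) print ip, fails[ip] }
  ' | sort
}

# ban_command IP: the nftables rule to drop it (assumes an "inet filter" table
# with an "input" chain exists). IPv6 addresses need the ip6 match.
ban_command() {
  case "$1" in *:*) fam=ip6 ;; *) fam=ip ;; esac
  printf 'nft add rule inet filter input %s saddr %s tcp dport 22 drop\n' "$fam" "$1"
}

main() {
  sample_log | ban_candidates 3 192.168. | while read -r ip n; do
    echo "$ip: $n failures -> $(ban_command "$ip")"
  done
}
main
```

For real use, install fail2ban and enable its `sshd` jail (its filter already knows these message forms, and it handles unbanning after `bantime`); the script is here to make visible what the jail is matching on.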

[–] Bloodrose_GW2@alien.top 2 points 9 months ago

Better use some kind of VPN and only open the SSH port over the VPN interface.

[–] mrpink57@alien.top 2 points 9 months ago (2 children)

No. Just VPN in and SSH in.

[–] kaipee@alien.top 3 points 9 months ago (4 children)

How is a VPN service more secure than an SSH service?

Both accept login.

Both can be brute forced if using a password.

[–] sdR-h0m13@alien.top 1 points 9 months ago

WireGuard uses UDP and will not respond if the attacker doesn't have the correct key. So the port used by WG will appear as a closed port.
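
The "SSH only over the VPN" setup recommended above and the WireGuard behaviour described in this comment, as an added example that is not from the thread or from the WireGuard project: a script that renders the server and laptop `wg0.conf` files and an nftables ruleset under which port 22 answers only on the tunnel interface (and from the LAN as a fallback), while the WireGuard UDP port is the only thing the internet can reach. Addresses, port, interface names, the endpoint hostname and the placeholder keys are assumptions; real keys come from `wg genkey` / `wg pubkey`, which the script uses when the tool is installed.

```shell
#!/bin/sh
# Added example, not from the thread: WireGuard configs for the home server and
# one roaming peer, plus an nftables ruleset that exposes port 22 only via the
# tunnel or the LAN. Addresses, port, names and placeholder keys are assumptions.
set -eu

WG_PORT=51820
SERVER_TUN=10.8.0.1
PEER_TUN=10.8.0.2
LAN=192.168.1.0/24

# render_server_conf SERVER_PRIVKEY PEER_PUBKEY -> /etc/wireguard/wg0.conf on the server
render_server_conf() {
  cat <<EOF
[Interface]
Address = ${SERVER_TUN}/24
ListenPort = ${WG_PORT}
PrivateKey = $1

[Peer]
# roaming laptop; the /32 means only this tunnel address is accepted from this key
PublicKey = $2
AllowedIPs = ${PEER_TUN}/32
EOF
}

# render_peer_conf PEER_PRIVKEY SERVER_PUBKEY SERVER_HOST -> wg0.conf on the laptop
render_peer_conf() {
  cat <<EOF
[Interface]
Address = ${PEER_TUN}/24
PrivateKey = $1

[Peer]
PublicKey = $2
Endpoint = $3:${WG_PORT}
# split tunnel: only the server's tunnel address is routed over the VPN
AllowedIPs = ${SERVER_TUN}/32
# keeps the NAT mapping alive so the home side stays reachable
PersistentKeepalive = 25
EOF
}

# render_nft_rules -> nftables fragment for the server. sshd may keep listening
# on every address; the filter is what makes 22 unreachable from the internet.
# Only the WireGuard UDP port is open, and it never replies to a packet that
# is not authenticated with a valid peer key.
render_nft_rules() {
  cat <<EOF
table inet sshonly {
  chain input {
    type filter hook input priority 0; policy accept;
    udp dport ${WG_PORT} accept
    iifname "wg0" tcp dport 22 accept
    ip saddr ${LAN} tcp dport 22 accept
    tcp dport 22 drop
  }
}
EOF
}

# gen_keypair -> "private public", using the wg tool
gen_keypair() {
  priv=$(wg genkey); pub=$(printf '%s' "$priv" | wg pubkey)
  printf '%s %s\n' "$priv" "$pub"
}

main() {
  if command -v wg >/dev/null 2>&1; then
    set -- $(gen_keypair); spriv=$1; spub=$2
    set -- $(gen_keypair); ppriv=$1; ppub=$2
  else
    # placeholder keys so the rendering can be inspected offline
    spriv=SERVER_PRIVATE_KEY; spub=SERVER_PUBLIC_KEY
    ppriv=PEER_PRIVATE_KEY;   ppub=PEER_PUBLIC_KEY
  fi
  echo "# --- server /etc/wireguard/wg0.conf"; render_server_conf "$spriv" "$ppub"
  echo "# --- laptop /etc/wireguard/wg0.conf"; render_peer_conf "$ppriv" "$spub" home.example.net
  echo "# --- nftables ruleset"; render_nft_rules
}
main
```

Apply the ruleset with `nft -f` on the server and bring the tunnel up with `wg-quick up wg0`; then `ssh -p 22 user@10.8.0.1` from the laptop. The UDP port forward on the router is the only port the home network exposes, and an unauthenticated scan of it gets no answer, which is the point the comment makes.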

[–] no_step@alien.top 2 points 9 months ago

I run this on port 22 and ssh with keys on a different port

[–] speculatrix@alien.top 1 points 9 months ago

I've opened port 22 to specific IPv4 addresses, like my employer's, friends and family.

For any other IPv4 origin, its best to set up a VPN. It's trivial to set up wireguard.

You're probably safe to open port 22 for IPv6, as the address space is unfeasibly large to be scanned, but still, the secops in me doesn't like security by obscurity, so I don't. Also, there's evidence that hackers use things like IPv6 access logs on NTP to find accessible devices to target.

[–] Gabe_Isko@alien.top 1 points 9 months ago

Honestly? Would not recommend it. Probably no one is breaking in soon, but there are just constantly tons of botnets port-scanning 22 over the whole IP range. You should at least think of switching ports, but I usually recommend at least having a VPN for SSH.

[–] eirsik@alien.top 1 points 9 months ago

SSH exposed with key auth and not password is fine. It is the exact purpose of SSH after all. Also there are millions of web servers out there with exposed SSH because a lot of their users prefer to work with SSH and CLI instead of a web UI. Big hosts such as GoDaddy, BlueHost, Hostgate and so on, all expose their SSH. You don't see their servers crash and burn every week.

[–] betahost@alien.top 1 points 9 months ago

Or use something like Tailscale.com, a secure private mesh VPN. No need to expose any ports.

Added feature that comes with it: https://tailscale.com/tailscale-ssh/

It’s also 100% free

[–] Prof-Mmaa@alien.top 1 points 9 months ago

I keep ssh on port 80, multiplexed with usual HTTP traffic thanks to sslh. Basically it's a protocol switchboard that detects what kind of traffic reaches your server and forwards it to the appropriate service. It can distinguish between SSH/HTTP/OpenVPN and a few more.

Pros? Security wise probably nothing more than SSH already offers, but port 80 is rarely (if ever) blocked on other networks and having SSH on a port that is non-standard and obscured cuts way down on random attempts to guess the user/password combination.

[–] blackstar2043@alien.top 1 points 9 months ago

This is my current hardened sshd configuration.

ssh/sshd_config: https://pastebin.com/7tH36TdJ

  • Public key authentication and 2FA using oathtool are used to authenticate.
  • Logging in is only possible for members of the "ssh-user" group.
  • "root" login is disabled through "PermitRootLogin", "DenyGroups", and "DenyUsers".
  • "restricted" has the ability to log in from any host.
  • "user" is limited to using the internal network to log in.
  • "admin" can only log in when connected via WireGuard.
  • "sftp" may log in, but only uses the sftp server. There is no shell available.

pam.d/sshd: https://pastebin.com/eqkisf4F

  • All successful pre-2FA logins will trigger the "ssh-login-alert", which sends an ntfy alert containing the time, date, user, and host IP.
  • The use of /etc/users.deny prevents root login.
  • The use of /etc/users.allowed permits login by "restricted", "user", "admin" and "sftp".
  • 2FA and the ssh-login-alert trigger do not apply to "sftp".

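
The "ssh-login-alert" hook described in this comment (and praised earlier in the thread as a PAM notification on successful logon), as an added example that is not the commenter's script and not taken from the pastebin: a `pam_exec` hook that posts the date, user and source address to an ntfy topic. The topic URL, the script path and the message format are assumptions. `pam_exec` exports `PAM_USER`, `PAM_RHOST`, `PAM_SERVICE` and `PAM_TYPE` to the script; it does not pass your shell environment, so the URL has to be edited into the file.

```shell
#!/bin/sh
# ssh-login-alert: added example, not the commenter's script. pam_exec hook that
# pushes an ntfy notification on every SSH login. Install as
# /usr/local/sbin/ssh-login-alert (mode 0755) and add to /etc/pam.d/sshd:
#   session optional pam_exec.so seteuid /usr/local/sbin/ssh-login-alert
# That line fires after the whole stack, TOTP included. To alert on the key step
# before TOTP, as the comment above does, put the same line in the auth stack
# ahead of the 2FA module instead. The topic URL below is an assumption.
set -u

NTFY_URL="${NTFY_URL:-https://ntfy.sh/REPLACE-WITH-YOUR-TOPIC}"

# A session hook runs twice (open and close); only the open is a login.
# In the auth stack PAM_TYPE is "auth".
should_alert() {
  case "$1" in open_session|auth) return 0 ;; *) return 1 ;; esac
}

# build_message USER RHOST SERVICE TIMESTAMP -> one-line alert text.
# sshd sets PAM_RHOST to the client address; it is empty for local logins.
build_message() {
  printf '%s login: user=%s from=%s at=%s' "$3" "$1" "${2:-local}" "$4"
}

# Deliver the alert. A failed notification must never fail the login, so every
# path ends in success; the fallback leaves a trace in syslog instead.
notify() {
  curl -fsS --max-time 10 \
       -H "Title: ${HOSTNAME:-$(hostname)} ssh login" -H "Priority: high" \
       -d "$1" "$NTFY_URL" >/dev/null 2>&1 \
    || logger -t ssh-login-alert "ntfy delivery failed: $1" \
    || true
}

main() {
  should_alert "${PAM_TYPE:-}" || return 0
  msg=$(build_message "${PAM_USER:-unknown}" "${PAM_RHOST:-}" "${PAM_SERVICE:-sshd}" \
                      "$(date -u +%Y-%m-%dT%H:%M:%SZ)")
  case "$NTFY_URL" in
    *REPLACE-WITH-YOUR-TOPIC*) logger -t ssh-login-alert "$msg (NTFY_URL not set)" || true ;;
    *) notify "$msg" ;;
  esac
  return 0
}
main
```

`optional` in the PAM line is deliberate: with `required`, a broken or slow script would block every login. Test it before trusting it with `PAM_TYPE=open_session PAM_USER=alice PAM_RHOST=203.0.113.7 ./ssh-login-alert` and watch the phone.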
[–] SamSausages@alien.top 1 points 9 months ago

Yes and no.

Yes if you have the resources to monitor and update. Companies have entire teams dedicated to this.

No if you don't have the resources/time to keep up with it regularly.

IMO, no need to take this risk when you have services like Tailscale available today.

[–] gentooxativa@alien.top 1 points 9 months ago (1 children)

It is always better to randomize your SSH port; you will be safe from some scans.

[–] foomatic999@alien.top 1 points 9 months ago

Using a non-standard port for SSH doesn't make it safer but it greatly reduces noise in your logs. If you only use it yourself, change the port.

[–] InevitableArm3462@alien.top 1 points 9 months ago

I recommend implementing a VPN (wireguard is working very well for me) and through that do ssh

[–] mshorey81@alien.top 1 points 9 months ago (5 children)

Most likely it's fine. Though it's not terribly difficult to set up some flavor of VPN so you're not exposing 22 at all outside your network. Personally I use Wireguard.

[–] Swanners@alien.top 1 points 9 months ago (1 children)

I would not do this, people port scan all the time and that's an easy one to look for. Try using an at-home VPN like OpenVPN or at the very least change the SSH port to something odd like 6854 or whatever.

[–] astronautcytoma@alien.top 1 points 9 months ago (2 children)

I have a port 22 ssh process that denies everything, and a separate ssh process on a different port that accepts logins as normal. So someone could obviously find the hidden one, but it won't be the apparently-functional one that they can hit day and night and never get any results from.

[–] billiarddaddy@alien.top 1 points 9 months ago

Move it to a four-digit port on your router and port forward to 22 internally.

[–] InfaSyn@alien.top 1 points 9 months ago

With pubkey and Fail2Ban it's probably OK, but I wouldn't chance it personally. Can you use a different port too?

[–] ripnetuk@alien.top 1 points 9 months ago

I would risk it. After all, it's the only thing protecting my entire GitLab account. If someone could break my SSH, they could do what they want to my GitLab presence, and I'm guessing someone at GitLab is paid and qualified to make that call.

[–] dev_all_the_ops@alien.top 1 points 9 months ago (2 children)

Port forwarding will work, but it has major downsides

  1. Will draw attention of bots
  2. Secure as long as there are no security holes in openssh (which is rare but has happened)
  3. You _must_ harden the SSH server by disabling password auth and putting it behind fail2ban

There are far better and safer alternatives that I would recommend over exposing a raw port to the world.

  1. Tailscale
  2. Wireguard/OpenVPN
[–] Ok_Size1748@alien.top 1 points 9 months ago

Port knocking could be useful here

[–] returnofblank@alien.top 1 points 9 months ago

A VPN will always be better for this purpose, but as long as you properly secure your SSH server, it shouldn't be a problem.

[–] Cylian91460@alien.top 1 points 9 months ago

Yes, but you should change the port
