The only way I can think of having remote SSH is port forwarding port 22, and that seems like an awful idea.
Edit: Another possible idea is to setup a VPN into my home network and then SSH like normal. Maybe that’s a better idea.
Tailscale/zerotier/etc, a lot of options don’t require port forwarding and you’d have access from any other device with the agent running
Disable Password Auth
Don’t Permit Root Login
Don’t forward Port 22, use something else in the upper 4 digit area
Use fail2ban or at least sshguard. Or else even with other ports your auth.log is gonna get spammed with wrong logins of malicious IP addresses.
That setup should be safe.
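An added example, not from any commenter: a small audit script that checks the measures listed above against the effective sshd configuration, as printed by `sshd -T` (keys lowercased, one per line). It assumes OpenSSH's option names (`kbdinteractiveauthentication`, with a fallback to the older `challengeresponseauthentication` spelling); the two sample configs are constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Audit sshd's *effective* configuration (output of `sshd -T`) against the
# thread's checklist: keys only, no password auth, no root login.
# Added example; the sample outputs below are constructed.

# Constructed `sshd -T` output for a host that still accepts passwords and root logins.
WEAK_SSHD='port 22
permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
kbdinteractiveauthentication yes'

# Constructed `sshd -T` output after applying the recommended settings.
HARDENED_SSHD='port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
kbdinteractiveauthentication no'

# get_opt CONFIG KEY: print the value of KEY (sshd -T prints keys in lowercase).
get_opt() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# audit_sshd CONFIG: one FAIL line per hardening gap, plus a NOTE for port 22
# (moving the port is only obscurity, and the thread disagrees on it, so it is never a FAIL).
audit_sshd() {
  local cfg="$1" kbd
  [ "$(get_opt "$cfg" passwordauthentication)" = no ] || echo "FAIL PasswordAuthentication must be no"
  # Keyboard-interactive lets PAM prompt for a password even with PasswordAuthentication off.
  kbd=$(get_opt "$cfg" kbdinteractiveauthentication)
  [ -n "$kbd" ] || kbd=$(get_opt "$cfg" challengeresponseauthentication)  # older OpenSSH name
  [ "$kbd" = no ] || echo "FAIL KbdInteractiveAuthentication must be no"
  [ "$(get_opt "$cfg" pubkeyauthentication)" = yes ] || echo "FAIL PubkeyAuthentication must be yes"
  [ "$(get_opt "$cfg" permitrootlogin)" = no ] || echo "FAIL PermitRootLogin must be no"
  [ "$(get_opt "$cfg" port)" != 22 ] || echo "NOTE port 22: fine with keys, but expect log noise without fail2ban/sshguard"
}

# count_fails CONFIG: number of FAIL lines, usable as a pass/fail gate in scripts.
count_fails() {
  audit_sshd "$1" | grep -c '^FAIL' || true
}

# Live use on the host itself: `sudo ./ssh_audit.sh --live` reads the running daemon's config.
if [ "${1:-}" = "--live" ]; then
  audit_sshd "$(sshd -T)"
fi
```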
VPN can be better, but also worse if wrongly configured. SSH with pubkey auth is safe. Wireguard on a random port would be very safe, since it’s invisible to the outside/bruteforcers. With the first packet you have to authenticate yourself, otherwise it won’t respond.
You have to explain why that should be an awful idea.
SSH with password auth disabled… I’d risk leaving it exposed…
But the right answer is: use a VPN and secure it well (individual keys + password).
Both are safe enough, if configured correctly.
Some put the SSH port on something random, but that’s security by obscurity and I for one still have random login attempts. The best security measures for SSH I know:
I feel pretty secure that way.
To get a root shell, add your user to the group sudo (usermod -a -G sudo username), then login as the user and type sudo -i
Having ssh open on port 22 is perfectly fine and best practice. I would just disable passwords and only allow key-based login. All the other suggestions are nonsense.
Also it would be worthwhile to change the port from 22 to something different, and use rsa keys rather than passwords
I do it over tailscale these days. Previously over OpenVPN with a service on my router. Authentication to ssh with only RSA or sha-256 keys.
Tailscale SSH (you can do this clientless from their web portal, which is awesome)
You could setup an SSH tunnel through a cheap VPS. Or just use a non-standard port and disable password auth (keys only).
Set up a VPN (WireGuard/OpenVPN) and access SSH through it for maximum security. If exposing SSH, use key-based auth, a non-standard port, and Fail2Ban.
Believe it or not, the SSH protocol is one of the safer protocols to expose to the Internet.
VPNs are not necessarily more secure than SSH, FYI. Port forwarding SSH is fine as long as you’re not using passwords.
If your Ubuntu is up to date, then all you need to do is set up ssh keys and turn off password authentication. That’s it. You are completely safe.
A VPN for SSH is a pretty funny overkill. SSH was made for secure access from outside. Set up key authentication, disable password authentication and you’re good to go.
Sslh, stunnel if you insist. You can even do SSH over SSL (redundant, but you can avoid some corporate MITM). But pure SSH with keys is fine. Fail2ban is nice.
Use the following parameters in the config file:
I interrupted a brute force attack on my server a few days after I had left a port used for remote access open for a month. I decided that availability for me was also availability for hackers. So whatever remote management I’m using, I leave the port forwarding on the gateway router off most of the time.
As for the better configuration of an SSH server exposed to the internet? Change it to use a non-common port number and configure the server AND the clients to use pre-shared keys as part of the log on process.
I changed the port, disabled password auth, created keys, and only permit 1 active session.
Another option is to use something like ttyd, and set up a reverse proxy + authentication middleware (Authelia, Authentik etc). Then use Cloudflare to set up IP and/or geo blocking.
I use both of those options (mostly because my work laptop doesn’t allow external SSH or client software like tailscale).
I’ll look into those, Tailscale sounds like exactly what I need.