turtle
Lord of the Rant.
Formerly turtle2472
 
Join Date: Mar 2005
Location: Upstate South Carolina
 
2019-07-11, 18:03

What these guys have said, really. I don't worry about port 22 being open on my home network. I use dynamic DNS for my house and the traffic that goes through here, so 22 is open to the world here. The thing is, I've limited access through that target machine. In my case I have a "jump box" that is a stripped-down Linux server that is only there to serve as a terminal point for SSH entry on port 22 into my network. I have the ability to jump from that server to any on my local network (and to work too, thanks to an OpenVPN configuration).

For my "important" servers I went with security through obscurity and moved the port (since I can't point port 22 to more than one host in my network), and I still get hack attempts on the alternate ports.

Just know that having the SSH port open on your router will result in hack attempts.

So what do you do? Add a key pair and a password with that if you want to be "super" secure. Or just the key pair and be sure to keep the private portion... private.

On my web hosts I use CSF for my main firewall and log monitoring to handle attacks. I use fail2ban on some as well, so I can highly recommend it too. Generally speaking, though, a strong password and a non-standard username are really all you need. There will be brute force attempts and your log will fill with them. Keep them at bay by making the password absurd and using a username that isn't standard, like "root", "pi", "admin", etc.

For my iOS terminal client I really like Panic's software. Prompt 2 is fantastic and well worth the money if you don't have it already.

In the end if you are REALLY worried and want to mitigate threats then set up a VPN in your home network and only forward traffic to the VPN. Then you can SSH from there to anywhere you need. I have this set up as well so I can use Remote Desktop apps to manage my Macs and PCs. VPN hardware is fairly common in packages like many NAS options or just make one with a Raspberry Pi. If you set your OVPN port to 443 this has the added benefit that most traffic will not be blocked by hotspot operators since it is the standard HTTPS port.

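The post above describes what fail2ban does on an exposed SSH host: watch the auth log, count failed logins per source address, and ban the address once it crosses a threshold inside a time window. The block below is an added example that reimplements that logic in a few lines of Python so the behaviour can be seen on sample input; it is not the poster's setup and not fail2ban's own code. The log lines are constructed for the example (hostname `jumpbox`, the IPs, users and ports are all made up), the thresholds `MAXRETRY` and `FINDTIME_S` are assumed values that mirror fail2ban's `maxretry` and `findtime` settings, and `LOG_YEAR` is assumed because traditional syslog timestamps carry no year.

```python
"""
Minimal fail2ban-style brute-force detector for OpenSSH auth.log lines.
Added example, not the poster's configuration or fail2ban source.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed thresholds, modelled on fail2ban's maxretry / findtime semantics.
MAXRETRY = 5        # failures from one IP inside FINDTIME_S that trigger a ban
FINDTIME_S = 600    # sliding window, in seconds
LOG_YEAR = 2019     # syslog lines have no year; assumed so timestamps can be parsed

# Constructed sample lines in the format sshd writes via syslog (not a real log).
SAMPLE_AUTH_LOG = """\
Jul 11 18:01:02 jumpbox sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jul 11 18:01:05 jumpbox sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jul 11 18:01:09 jumpbox sshd[2103]: Failed password for invalid user pi from 203.0.113.7 port 51250 ssh2
Jul 11 18:01:14 jumpbox sshd[2104]: Failed password for invalid user oracle from 203.0.113.7 port 51260 ssh2
Jul 11 18:01:20 jumpbox sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51270 ssh2
Jul 11 18:02:30 jumpbox sshd[2110]: Failed password for turtle from 198.51.100.9 port 40100 ssh2
Jul 11 18:02:45 jumpbox sshd[2111]: Accepted publickey for turtle from 198.51.100.9 port 40102 ssh2: ED25519 SHA256:AbCdEf
Jul 11 18:30:00 jumpbox sshd[2200]: Failed password for root from 192.0.2.55 port 33001 ssh2
Jul 11 18:45:00 jumpbox sshd[2201]: Failed password for root from 192.0.2.55 port 33002 ssh2
Jul 11 19:00:00 jumpbox sshd[2202]: Failed password for root from 192.0.2.55 port 33003 ssh2
Jul 11 19:15:00 jumpbox sshd[2203]: Failed password for root from 192.0.2.55 port 33004 ssh2
Jul 11 19:30:00 jumpbox sshd[2204]: Failed password for root from 192.0.2.55 port 33005 ssh2
"""

# One "Failed password" line per attempt; "invalid user" is optional so both
# unknown and known usernames are captured. Successful logins do not match.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failure(line):
    """Return (timestamp, username, source_ip) for a failed login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


def scan(log_text, maxretry=MAXRETRY, findtime=FINDTIME_S):
    """Replay the log and decide bans.

    Returns (banned, users): banned maps IP -> timestamp of the failure that
    tripped the threshold; users maps IP -> sorted list of usernames it tried.
    """
    recent = defaultdict(deque)   # per-IP failure timestamps inside the window
    users = defaultdict(set)
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        users[ip].add(user)
        if ip in banned:
            continue                  # already decided; a real tool would also be dropping packets
        window = recent[ip]
        window.append(ts)
        # Slide the window: forget failures older than findtime relative to this one.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned, {ip: sorted(u) for ip, u in users.items()}


def ban_commands(banned):
    """Render the firewall rules a ban action would run (iptables form, for illustration)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    bans, tried = scan(SAMPLE_AUTH_LOG)
    for ip, when in bans.items():
        print(f"ban {ip} at {when:%H:%M:%S}; usernames tried: {', '.join(tried[ip])}")
    for cmd in ban_commands(bans):
        print(cmd)
```

Run against the sample, `203.0.113.7` is banned on its fifth failure at 18:01:20, having walked exactly the default username list the post warns about (`root`, `admin`, `pi`, ...). `192.0.2.55` makes the same five attempts but spaced fifteen minutes apart, so with a ten-minute `findtime` the window never holds more than one failure and it is never banned; widening the window to two hours catches it. That is the practical caveat with fail2ban-style counting: it stops the noisy scanners that fill your log, not a patient attacker, which is why the post's other advice (keys, non-standard usernames, a jump box or VPN in front) still matters.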