this post was submitted on 28 Nov 2023
3 points (100.0% liked)

Self-Hosted Main

515 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS
 

i want to remotely ssh to my home server, and I was wondering if I could just forward port 22 with disabling password login and use pubkey authentication will be safe enough?

you are viewing a single comment's thread
view the rest of the comments
[–] mrpink57@alien.top 2 points 11 months ago (2 children)

No. Just VPN in and SSH in.

[–] kaipee@alien.top 3 points 11 months ago (2 children)

How is a VPN service more secure than an SSH service?

Both accept login.

Both provide can be brute forced / if using password.

[–] sdR-h0m13@alien.top 1 points 11 months ago

WireGuard uses UDP and will not respond if the attacker doesn't have the correct key. So the port used by WG will appears as a closed port.

[–] Internal-Initial-835@alien.top 1 points 11 months ago (1 children)

Generally speaking. VPN is easier to setup securely out of the box for most especially with limited knowledge. You can choose a random port and then have access to any server on your network. Scanners won’t usually test all ports unless they find something that’s tempting.

Normally just the normal ports will be poked including 22. SSH can be secured well but not without jumping through a few hoops. It’s easier imho to accidentally allow access through incorrect ssh setup than vpn.

When you think vpn has been developed with this exact purpose in mind. It’s fair to assume the protection will be better out of the box. If you have a vpn then a hacker needs to get through the vpn and then also the ssh so there’s not really any disadvantage to using a vpn and then also harden ssh if you want to.

It’s about making things difficult. Nobody is going to spend days or weeks battering a vpn if they don’t think there’s anything useful behind it. A VPN also shows somewhat that you’ve given things consideration and are not an easy target.

Don’t get me wrong. If somebody is determined enough and has the resources then they will find a way but given the choice between an easy target and one that’s ever so slightly more difficult, they will almost always go for the easiest.

[–] Karyo_Ten@alien.top 1 points 11 months ago (1 children)

VPN is easier to setup securely out of the box for most especially with limited knowledge.

One of the top audit companies disagrees with you: https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/

[–] Internal-Initial-835@alien.top 1 points 11 months ago

A “top” audit company pushing their own agenda.

OpenVPN is simple and easy to deploy on any major operating system. Pfsense or similar is easy to setup and run in a VM. That does all the hard work for you and creates a profile. Then you essentially copy or download that profile to the client machine and you’re done. It’s all done via gui or web interface so is easier for a lot of people. My sister managed it. She wouldn’t have been able to handle command line stuff.

Like i said before though. Why not use a vpn and also harden your ssh. I can’t see a downside to that.

It’s just my opinion and experience from working with both. You’re welcome to dissagree and do your own thing though of course :)

[–] Scruffy-Nerd@alien.top 1 points 11 months ago

I think many ppl are missing a step here. Setup a VPN with wireguard or similar. Then in ur sshd configs only allow ssh from ur VPN local subnet. That on top of ssh key login is pretty secure. Unless one of ur other services gets compromised and they pivot to ur VPN network. Then u prob have more problems tbh