this post was submitted on 28 Nov 2023
3 points (100.0% liked)


I want to remotely SSH to my home server, and I was wondering: if I just forward port 22, disable password login and use pubkey authentication, will that be safe enough?

[–] dev_all_the_ops@alien.top 1 points 9 months ago (2 children)

Port forwarding will work, but it has major downsides:

  1. Will draw the attention of bots
  2. Secure as long as there are no security holes in OpenSSH (which is rare but has happened)
  3. You _must_ harden the SSH server by disabling password auth and putting it behind fail2ban

There are far better and safer alternatives that I would recommend over exposing a raw port to the world.

  1. Tailscale
  2. Wireguard/OpenVPN
[–] warysysadmin@alien.top 1 points 9 months ago

I would also add Twingate as an alternative.

[–] Innominate8@alien.top 1 points 9 months ago
  1. The bots are looking anyways.
  2. The other options being presented are various VPNs. OpenSSH has far more eyes on it, for much longer than any of the VPNs. Both generally run as root on the host and so have similar attack surfaces.
  3. Disabling password auth is less important than having good passwords, but is still a good idea since turning off passwords guarantees no bad passwords. Fail2ban provides no security.
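
An added example, not part of any comment above: a small shell check that the "disable password auth" step discussed in this thread actually took effect on the running configuration. It reads `sshd -T` output; the function name and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the *effective* sshd settings for key-only login.
# Input: output of `sshd -T` ("keyword value" per line, keywords lowercase).
# `sshd -T` already applies first-match-wins and Include'd drop-in files, so
# it shows what the daemon will actually use, not what one file says.

# Constructed sample: the state after editing only PasswordAuthentication.
SAMPLE_HALF_HARDENED='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
usepam yes'

# Constructed sample: password prompts closed on both paths.
SAMPLE_KEY_ONLY='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
usepam yes'

# Prints one line per finding; exit status is the number of findings.
audit_sshd_effective() {
    awk '
        { v[tolower($1)] = tolower($2) }
        function need(key, want, why) {
            if (!(key in v)) { printf "FAIL %s: not in input (is this sshd -T output?)\n", key; n++ }
            else if (v[key] != want) { printf "FAIL %s=%s, want %s: %s\n", key, v[key], want, why; n++ }
        }
        END {
            # Older OpenSSH prints the keyboard-interactive switch under its previous name.
            if (!("kbdinteractiveauthentication" in v) && ("challengeresponseauthentication" in v))
                v["kbdinteractiveauthentication"] = v["challengeresponseauthentication"]
            need("pubkeyauthentication", "yes", "keys are the only intended login method")
            need("passwordauthentication", "no", "password logins still accepted")
            need("kbdinteractiveauthentication", "no", "PAM can still prompt for a password")
            exit n + 0
        }
    '
}
```

On a real host, run `sshd -T | audit_sshd_effective` as root. Settings inside `Match` blocks are only evaluated when a connection spec is passed to `sshd -T` with `-C`.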