#1 2025-06-07 19:17:33

mt_arch_user
Member
From: Montana, USA
Registered: 2023-01-17
Posts: 65

SSH remote security

I've looked for answers and am getting conflicting answers, so I'm asking the experts.

I want to install Arch on my neighbor's computer.  I'll need to maintain it for some time.  Rather than go to her house each time, I thought I would open SSH on her system and do it from home.  If I create a pair of keys, turning off the password, will it be safe to have her system have an open port?

Bart

#2 2025-06-07 20:02:21

seth
Member
Registered: 2012-09-03
Posts: 64,524

Re: SSH remote security

https://wiki.archlinux.org/title/OpenSS … entication - stressing the "force" part.

You might still face an onslaught of attacks, resulting in effective DDOS - https://wiki.archlinux.org/title/OpenSS … ce_attacks
Since you're the only one requiring remote access (I assume) and you intend to do this "from home" (not starbucks) and you'll likely get an IP from your ISP out of a predictable pool (or a static IPv6?), you could configure the firewall (either netfilter on the destination or the LAN router, depending on its capabilities) to drop cold inbound traffic from other network segments.
Just moving it away from #22 can also silence the worst noise, but isn't raising security nor can it actually protect you against being DDOSed.

Setting up a VPN would be the next level, but is probably overkill (and is more prone to be fudged)

Out of curiosity: what is the counter-argument?
That nothing is ever really safe (true, but the consequence is suicide for being afraid of life…)
That passwords offer better protection than PPKs? (dumb, I don't even have jokes about that)
That this approach will preclude you from free coffee and cookies-of-gratitude?

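Added example, not part of the thread or of any poster's message: a check for the "force" part discussed above, run over the effective configuration that `sshd -T` prints. The function name `audit_sshd` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `sshd -T` style output on stdin: one "keyword value"
# pair per line, keywords in lower case. Prints one line per setting that
# still allows a login without a key. Returns 0 if key-only, 1 otherwise.
audit_sshd() {
    awk '
        { val[$1] = $2 }
        END {
            bad = 0
            if (val["pubkeyauthentication"] != "yes") {
                print "pubkeyauthentication is not yes: keys are not accepted"
                bad = 1
            }
            if (val["passwordauthentication"] != "no") {
                print "passwordauthentication is not no: password login still possible"
                bad = 1
            }
            # Fall back to the older keyword name challengeresponseauthentication.
            if ("kbdinteractiveauthentication" in val)
                kbd = val["kbdinteractiveauthentication"]
            else
                kbd = val["challengeresponseauthentication"]
            if (kbd != "no") {
                print "kbdinteractiveauthentication is not no: keyboard-interactive (e.g. PAM) can still ask for a password"
                bad = 1
            }
            exit bad
        }'
}

# Constructed sample: passwords switched off, keyboard-interactive forgotten.
SAMPLE_HALF='pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
usepam yes'

# Constructed sample: key-only login actually enforced.
SAMPLE_FORCED='pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
usepam yes'

printf '%s\n' "$SAMPLE_HALF" | audit_sshd || echo "=> not key-only yet"
printf '%s\n' "$SAMPLE_FORCED" | audit_sshd && echo "=> key-only"
# On the real machine, as root: sshd -T | audit_sshd
```

Checking the `sshd -T` output rather than the file matters because drop-in files and defaults can override what `sshd_config` appears to say.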

#3 2025-06-07 20:06:50

ugjka
Member
From: Latvia
Registered: 2014-04-01
Posts: 1,912

Re: SSH remote security

If you can get an open port and the ISP is not doing CGNAT. I use WireGuard for everything so there's no attack surface

#4 2025-06-07 20:21:36

mt_arch_user
Member
From: Montana, USA
Registered: 2023-01-17
Posts: 65

Re: SSH remote security

seth wrote:

https://wiki.archlinux.org/title/OpenSS … entication - stressing the "force" part.

You might still face an onslaught of attacks, resulting in effective DDOS - https://wiki.archlinux.org/title/OpenSS … ce_attacks
Since you're the only one requiring remote access (I assume) and you intend to do this "from home" (not starbucks) and you'll likely get an IP from your ISP out of a predictable pool (or a static IPv6?), you could configure the firewall (either netfilter on the destination or the LAN router, depending on its capabilities) to drop cold inbound traffic from other network segments.
Just moving it away from #22 can also silence the worst noise, but isn't raising security nor can it actually protect you against being DDOSed.

Setting up a VPN would be the next level, but is probably overkill (and is more prone to be fudged)

Out of curiosity: what is the counter-argument?
That nothing is ever really safe (true, but the consequence is suicide for being afraid of life…)
That passwords offer better protection than PPKs? (dumb, I don't even have jokes about that)
That this approach will preclude you from free coffee and cookies-of-gratitude?

I do have an assigned IP from my ISP.  If my neighbor's ISP supplied router will allow it, I could limit access to my IP alone.  And with a key pair, would that be considered acceptable?

#5 2025-06-07 20:33:28

seth
Member
Registered: 2012-09-03
Posts: 64,524

Re: SSH remote security

That's as robust as it'll get.

If you've a static IP, you can also consider https://wiki.archlinux.org/title/VPN_over_SSH if her end isn't stable or indeed behind a CGNAT.

#6 2025-06-07 20:45:18

mt_arch_user
Member
From: Montana, USA
Registered: 2023-01-17
Posts: 65

Re: SSH remote security

seth wrote:

That's as robust as it'll get.

If you've a static IP, you can also consider https://wiki.archlinux.org/title/VPN_over_SSH if her end isn't stable or indeed behind a CGNAT.

I'll look into that.  Guess I've got some studying to do.  :-)

Bart

#7 2025-06-07 21:22:52

cloverskull
Member
Registered: 2018-09-30
Posts: 240

Re: SSH remote security

There's also the option to use software-defined routing, such as ZeroTier or Tailscale, but that would require a significant amount of setup.

#8 2025-06-07 21:45:09

Whoracle
Member
Registered: 2010-11-02
Posts: 121

Re: SSH remote security

If you want to layer another thing on top, look into https://wiki.archlinux.org/title/Port_knocking

#9 2025-06-07 22:10:00

mt_arch_user
Member
From: Montana, USA
Registered: 2023-01-17
Posts: 65

Re: SSH remote security

I just realized she does not have a dedicated IP.  That's going to make a bunch more problems.  I guess TeamViewer should work.  If she can't get to the desktop, I'll have to go there anyway.

#10 2025-06-08 05:03:55

amish
Member
Registered: 2014-05-10
Posts: 476

Re: SSH remote security

Try if Cloudflare tunnel can work for you.

https://developers.cloudflare.com/cloud … cases/ssh/

Supports SSH, RDP

#11 2025-06-08 05:20:56

cloverskull
Member
Registered: 2018-09-30
Posts: 240

Re: SSH remote security

No dedicated IP = some of the software defined routers I mentioned may work for you.

#12 2025-06-08 23:00:11

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 20,405

Re: SSH remote security

On my personal system, I forward ssh from my router to one computer which only accepts known public keys.  It is hammered hundreds of times a day.  I do use sshguard just to reduce the journal spam.  I also use wireguard for access, but only if I really need to use something like a web interface to a printer or to my roll-your-own irrigation controller.

As to her not having a static IP, why not set up a DDNS client?  I use duckdns.org.  Or, do you mean something other than that -- like an IP shared between multiple households?  For the latter, wireguard with keep alive on the client end is the way to go.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
The shortest way to ruin a country is to give power to demagogues.— Dionysius of Halicarnassus
---
How to Ask Questions the Smart Way

#13 2025-06-08 23:20:46

seth
Member
Registered: 2012-09-03
Posts: 64,524

Re: SSH remote security

If it's just a dynamic IP, you can go super-low tech, query the WAN IP and msmtp it - or use a phone to ask for it :)
The only real "problem" is CGNAT at which point you'll not get around a public IP, which mt_arch_user luckily already has, and therefore establishing a VPN connection from her client to his host so he can ssh into her VLAN IP.

At that point wg or badvpn become a matter of personal preference - you'll get some convenient frontends for wg (as linked by cloverskull) and for the more rustic vpn over ssh it might be irritating that there's two ssh connections (the outer to provide the VPN w/ sshd on mt_arch_user's host and the inner, administrative one w/ sshd on the neighbor's one)

None of those solutions will get you cookies, though…
