SSH remote security

mt_arch_user · 2025-06-07 19:17:33

I've looked for answers and am getting conflicting answers, so I'm asking the experts.

I want to install Arch on my neighbors computer. I'll need to maintain it for some time. Rather than go to her house each time, I thought I would open SSH on her system and do it from home. If I create a pair of keys, turning off the password, will it be safe to have her system have an open port?

Bart

seth · 2025-06-07 20:02:21

https://wiki.archlinux.org/title/OpenSS … entication - stressing the "force" part.

You might still face an onslaught of attacks, resulting in effective DDOS - https://wiki.archlinux.org/title/OpenSS … ce_attacks
Since you're the only one requiring remote access (I assume) and you intend to do this "from home" (not starbucks) and you'll likely get an IP from your ISP out of a predictable pool (or a static IPv6?), you could configure the firewall (either netfilter on the destination or the LAN router, depending on its capabilities) to drop cold inbound traffic from other network segments.
Just moving it away from #22 can also silence the worst noise, but isn't raising security nor can it actually protect you against being DDOSed.

Setting up a VPN would be the next level, but is probably overkill (and is more prone to be fudged)

Out of curiosity: what is the counter-argument?
That nothing is ever really safe (true, but the consequence is suicide for being afraid of life…)
That passwords offer better protection than PPKs? (dumb, I don't even have jokes about that)
That this approach will preclude you from free coffee and cookies-of-grattitude?

ugjka · 2025-06-07 20:06:50

if you can get an open port and the isp is not doing cgnat. I use wireguard for everything so there's no attack surface

mt_arch_user · 2025-06-07 20:21:36

seth wrote:

https://wiki.archlinux.org/title/OpenSS … entication - stressing the "force" part.
You might still face an onslaught of attacks, resulting in effective DDOS - https://wiki.archlinux.org/title/OpenSS … ce_attacks
Since you're the only one requiring remote access (I assume) and you intend to do this "from home" (not starbucks) and you'll likely get an IP from your ISP out of a predictable pool (or a static IPv6?), you could configure the firewall (either netfilter on the destination or the LAN router, depending on its capabilities) to drop cold inbound traffic from other network segments.
Just moving it away from #22 can also silence the worst noise, but isn't raising security nor can it actually protect you against being DDOSed.
Setting up a VPN would be the next level, but is probably overkill (and is more prone to be fudged)
Out of curiosity: what is the counter-argument?
That nothing is ever really safe (true, but the consequence is suicide for being afraid of life…)
That passwords offer better protection than PPKs? (dumb, I don't even have jokes about that)
That this approach will preclude you from free coffee and cookies-of-grattitude?

I do have an assigned IP from my ISP. If my neighbor's ISP supplied router will allow it, I could limit access to my IP alone. And with a key pair, would that be considered acceptable?

seth · 2025-06-07 20:33:28

That's as robust as it'll get.

If you've a static IP, you can also consider https://wiki.archlinux.org/title/VPN_over_SSH if her end isn't stable or indeed behind a CGNAT.

mt_arch_user · 2025-06-07 20:45:18

seth wrote:

That's as robust as it'll get.
If you've a static IP, you can also consider https://wiki.archlinux.org/title/VPN_over_SSH if her end isn't stable or indeed behind a CGNAT.

I'll look into that. Guess I've got some studying to do. :-)

Bart

cloverskull · 2025-06-07 21:22:52

There's also the option to use software-defined routing, such as ZeroTier or TailScale, but that would require a significant amount of setup.

Whoracle · 2025-06-07 21:45:09

If you want to layer another thing on top, look into https://wiki.archlinux.org/title/Port_knocking

mt_arch_user · 2025-06-07 22:10:00

I just realized she does not have a dedicated IP. That's going to make a bunch more problems. I guess Teamviewer should work. If she can't get to the desktop, I'll have to go there anyway.

amish · 2025-06-08 05:03:55

Try if Cloudflare tunnel can work for you.

https://developers.cloudflare.com/cloud … cases/ssh/

Supports SSH, RDP

cloverskull · 2025-06-08 05:20:56

No dedicated IP = some of the software defined routers I mentioned may work for you.

ewaller · 2025-06-08 23:00:11

On my personal system, I forward ssh from my router to one computer which only accepts known public keys. It is hammered hundreds of times a day. I do use sshguard just to reduce the journal spam. I also use wireguard for access, but only if I really need to use something like a web interface to a printer or to my roll your own irrigation controller.

As to her not having a static IP, why not set up a DDNS client? I use duckdns.org. Or, do you mean something other than that -- like an IP shared between multiple households. For the latter, wireguard with keep alive on the client end is the way to go.

seth · 2025-06-08 23:20:46

If it's just a dynamic IP, you can go super-low tech, query the WAN IP and msmtp it - or use a phone to ask for it
The only real "problem" is CGNAT at which point you'll not get around a public IP, which mt_arch_user luckily already has, and therefore establishing a VPN connection from her client to his host so he can ssh into her VLAN IP.

At that point wg or badvpn become a matter of personal preference - you'll get some convenient fontends for wg (as linked by cloverskull) and for the more rustic vpn over ssh it might be irritating that there's two ssh connections (the outer to provide the VPN w/ sshd on mt_arch_user's host and the inner, administrative one w/ sshd on the neighbors one)

None of those solutions will get you cookies, though…

Arch Linux

#1 2025-06-07 19:17:33

SSH remote security

#2 2025-06-07 20:02:21

Re: SSH remote security

#3 2025-06-07 20:06:50

Re: SSH remote security

#4 2025-06-07 20:21:36

Re: SSH remote security

#5 2025-06-07 20:33:28

Re: SSH remote security

#6 2025-06-07 20:45:18

Re: SSH remote security

#7 2025-06-07 21:22:52

Re: SSH remote security

#8 2025-06-07 21:45:09

Re: SSH remote security

#9 2025-06-07 22:10:00

Re: SSH remote security

#10 2025-06-08 05:03:55

Re: SSH remote security

#11 2025-06-08 05:20:56

Re: SSH remote security

#12 2025-06-08 23:00:11

Re: SSH remote security

#13 2025-06-08 23:20:46

Re: SSH remote security

Board footer