The Computer Oracle

How risky it is to have a personal server with ssh opened to the Internet?


Music by Eric Matyas
https://www.soundimage.org
Track title: Over Ancient Waters Looping

--

Chapters
00:00 How Risky It Is To Have A Personal Server With Ssh Opened To The Internet?
01:33 Accepted Answer Score 20
02:31 Answer 2 Score 12
03:12 Answer 3 Score 13
03:40 Answer 4 Score 2
04:34 Thank you

--

Full question
https://superuser.com/questions/636803/h...

--

Content licensed under CC BY-SA
https://meta.stackexchange.com/help/lice...

--

Tags
#security #ssh #debian

#avk47



ACCEPTED ANSWER

Score 20


IMO SSH is one of the safest things to have listening on the open internet. If you're really concerned, have it listen on a non-standard high-end port. I'd still have a (device-level) firewall between your box and the actual Internet and just use port forwarding for SSH, but that's a precaution against other services. SSH itself is pretty damn solid.

I have had people hit my home SSH server occasionally (open to Time Warner Cable). Never had an actual impact.

Some additional things you can do to make SSH safer are to prevent repeated attempts from the same IP address; for a home machine, something like

MaxStartups 2:30:10

in /etc/ssh/sshd_config which will restrict how many connections can be created in a row before logging in successfully.

You can increase the security with fail2ban, which will help you notice and deny repeated offenders.




ANSWER 2

Score 13


Setting up a public key authentication system with SSH is really trivial and takes about 5 minutes to set up.

If you force all SSH connections to use it, then it'll make your system pretty much as resilient as you can hope for without investing a LOT into security infrastructure. Frankly, it's so simple and effective (as long as you don't have 200 accounts - then it gets messy) that not using it should be a public offense.
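The accepted answer recommends throttling unauthenticated connections with MaxStartups and this answer recommends forcing public-key login. The following is an added example, not code from either answer or from OpenSSH: a shell audit that reads an sshd_config and reports whether those two things are actually in effect. It assumes the file has no Match blocks that matter (directives after the first Match line are skipped), and the two sample config files it writes to temporary paths are constructed for the demonstration. One caveat the answer does not mention is built in: PasswordAuthentication no alone does not force keys if keyboard-interactive (PAM) authentication is still enabled, so that directive is checked too.

```bash
#!/usr/bin/env bash
# Added example (not from the Q&A or OpenSSH): audit an sshd_config for
# key-only authentication and connection throttling. Directives after the
# first "Match" line are ignored because they only apply conditionally.

# Effective value of a directive. sshd keeps the FIRST value it reads for a
# keyword and ignores later duplicates, so print the first match and stop.
sshd_effective() {
    local file="$1" key="$2"
    awk -v key="$key" '
        /^[[:space:]]*#/ || NF == 0 { next }            # comments and blank lines
        tolower($1) == "match"       { exit }           # conditional section starts
        tolower($1) == tolower(key)  { print $2; exit } # first value wins
    ' "$file"
}

# Prints one line per finding and returns the number of hard failures
# (0 means key-only auth is enforced and unauthenticated connections are throttled).
sshd_audit() {
    local file="$1" fails=0 v

    # Key-only login: passwords off AND keyboard-interactive off, because the
    # PAM keyboard-interactive path can still prompt for a password.
    v=$(sshd_effective "$file" PasswordAuthentication)
    if [ "${v:-yes}" != "no" ]; then            # sshd default is yes
        echo "FAIL PasswordAuthentication=${v:-yes} (password guessing possible)"
        fails=$((fails + 1))
    fi
    v=$(sshd_effective "$file" KbdInteractiveAuthentication)
    [ -n "$v" ] || v=$(sshd_effective "$file" ChallengeResponseAuthentication)  # pre-8.7 name
    if [ "${v:-yes}" != "no" ]; then
        echo "FAIL KbdInteractiveAuthentication=${v:-yes} (PAM may still prompt for passwords)"
        fails=$((fails + 1))
    fi
    v=$(sshd_effective "$file" PubkeyAuthentication)
    if [ "${v:-yes}" != "yes" ]; then
        echo "FAIL PubkeyAuthentication=$v (key logins disabled)"
        fails=$((fails + 1))
    fi

    # Throttling: MaxStartups start:rate:full limits concurrent half-open
    # logins; the compiled-in default is 10:30:100.
    v=$(sshd_effective "$file" MaxStartups)
    if [ -z "$v" ]; then
        echo "FAIL MaxStartups unset (default 10:30:100)"
        fails=$((fails + 1))
    else
        echo "OK   MaxStartups=$v"
    fi

    [ "$fails" -eq 0 ] && echo "OK   key-only authentication enforced"
    return "$fails"
}

# Constructed sample configs written to temporary files (not real hosts).
weak=$(mktemp); hardened=$(mktemp)
cat > "$weak" <<'EOF'
# typical distribution default: passwords allowed, no throttling
Port 22
PasswordAuthentication yes
UsePAM yes
EOF
cat > "$hardened" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxStartups 2:30:10
PasswordAuthentication yes
EOF
# The duplicate PasswordAuthentication line above is ignored: first value wins.

echo "== weak =="     ; sshd_audit "$weak" || true
echo "== hardened ==" ; sshd_audit "$hardened"
rm -f "$weak" "$hardened"
```

Run it against a copy of your own /etc/ssh/sshd_config; a non-zero exit status is the count of findings, which makes it usable from a configuration check in cron or CI.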




ANSWER 3

Score 12


I also run a personal git server that's open to the world on SSH, and I also have the same brute-force issues as you, so I can sympathise with your situation.

TheFiddlerWins has already addressed the main security implications of having SSH open on a publicly-accessible IP, but the best tool IMO in response to brute-force attempts is Fail2Ban - software that monitors your authentication log files, detects intrusion attempts and adds firewall rules to the machine's local iptables firewall. You can configure both how many attempts before a ban and also the length of the ban (my default is 10 days).
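To make concrete what Fail2Ban does behind the scenes, here is an added example (not part of the answer and not Fail2Ban's own code): a shell scan that counts failed sshd password logins per source address in an auth log and lists the addresses that reach a retry threshold, then prints, without executing, the iptables rules a ban action would insert. The log lines are constructed for the example and use documentation address ranges; only the "Failed password for" message is matched, whereas Fail2Ban's sshd filter covers several more sshd messages and also handles unbanning after the configured time.

```bash
#!/usr/bin/env bash
# Added example (not from the Q&A and not Fail2Ban): the detection core of a
# brute-force ban, reduced to a log scan over constructed sample lines.

# Usage: ssh_brute_sources <maxretry> < authlog
# Prints "count ip", highest count first, for each source with >= maxretry
# failed password attempts. In the sshd message
#   "Failed password for [invalid user] NAME from IP port N ssh2"
# the address is always the fourth field from the end, which avoids being
# fooled by usernames that contain the word "from".
ssh_brute_sources() {
    local maxretry="$1"
    awk -v max="$maxretry" '
        / sshd\[[0-9]+\]: Failed password for / { fails[$(NF-3)]++ }
        END { for (ip in fails) if (fails[ip] >= max) print fails[ip], ip }
    ' | sort -rn
}

# Dry run: print the firewall rule a ban action would add for each offender.
# Nothing is executed; a real deployment lets fail2ban manage these rules
# (including their removal when the ban time expires).
ban_rules() {
    ssh_brute_sources "$1" | while read -r count ip; do
        printf 'iptables -I INPUT -p tcp --dport 22 -s %s -j REJECT  # %s failures\n' "$ip" "$count"
    done
}

# Constructed sample auth log (syslog format, documentation IP ranges).
SAMPLE_LOG=$(cat <<'EOF'
Jun 12 03:14:01 home sshd[2210]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 12 03:14:03 home sshd[2210]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 12 03:14:05 home sshd[2212]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jun 12 03:14:06 home sshd[2214]: Failed password for invalid user oracle from 203.0.113.7 port 51242 ssh2
Jun 12 03:14:08 home sshd[2216]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Jun 12 03:20:44 home sshd[2301]: Failed password for alice from 198.51.100.23 port 40022 ssh2
Jun 12 03:20:51 home sshd[2301]: Accepted publickey for alice from 198.51.100.23 port 40022 ssh2: ED25519 SHA256:EXAMPLE
Jun 12 03:31:17 home sshd[2388]: Failed password for invalid user pi from 192.0.2.55 port 60100 ssh2
Jun 12 03:31:19 home sshd[2388]: Failed password for invalid user pi from 192.0.2.55 port 60100 ssh2
Jun 12 03:31:21 home sshd[2390]: Failed password for invalid user ubnt from 192.0.2.55 port 60104 ssh2
EOF
)

echo "== sources with >= 3 failures =="
printf '%s\n' "$SAMPLE_LOG" | ssh_brute_sources 3
echo "== rules a ban action would add (dry run) =="
printf '%s\n' "$SAMPLE_LOG" | ban_rules 3
```

With a threshold of 3 the single mistyped password from 198.51.100.23 (followed by a successful key login) is left alone while the two scanning addresses are listed; on a real host you would feed it `/var/log/auth.log` or `journalctl -u ssh` output, and the threshold and ban length map directly onto fail2ban's maxretry and bantime settings that the answer refers to.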




ANSWER 4

Score 2


Another way to handle this is to set up a VPN. Rather than connecting directly to SSH ports on your home server, you connect to the VPN first, then run all your traffic over the encrypted, secure connection.

The ideal way to handle this is with a firewall that incorporates a VPN Endpoint, but you can also set up a Windows computer to act as a VPN server.

Here's an example:

http://www.howtogeek.com/135996/

Now keep in mind that a proper security configuration would involve a public (or semi-public) computer that's isolated from your internal network. A web server, or any computer hosting publicly available services, should be outside of your home or office's secure network. You would use 2 routers to create a safe zone, or a DMZ, between you and the Internet.

This way, if your server is hacked, it can't be used as a vector to attack your other computers.

So the setup would look like this:

DMZ Configuration