SSH is a secure protocol used to communicate between computers. It is used to connect to servers and protect them from unauthorized access. SSH is also used to connect to devices such as routers and printers. SSH is a great security protocol because it uses cryptography to protect the communication. SSH also uses public-key cryptography to ensure that the communication is safe.
When you need to open something on your home network to the greater internet, is an SSH tunnel a secure enough way to to do it?
Today’s Question & Answer session comes to us courtesy of SuperUser—a subdivision of Stack Exchange, a community-driven grouping of Q&A web sites.
The Question
SuperUser reader Alfred M. wants to know if he’s on the right track with connection security:
Should Alfred stick to third-party solutions, or is his DIY solution secure?
But now I am wondering if all this is worth the effort. I decided to set up my own server mostly for fun : I could just rely on third party solutions such as those offered by gitbucket.org, bettercodes.org, etc. While part of the fun is about learning about Internet security, I have not enough time to dedicate to it to become an expert and be almost certain that I took the correct prevention measures.
In order to decide if I will continue to play with this toy project, I would like to know what I really risk in doing so. For instance, in what extent are the other computers connected to my network threaten as well? Some of these computer are used by people with even lesser knowledge than mine running Windows.
What is the probability that I get into real trouble if I follow basic guidelines such as strong password, disabled root access for ssh, non standard port for ssh and possibly disabling password login and using one of fail2ban, denyhosts or iptables rules?
Put another way, is there some big bad wolves I should fear or is it all mostly about shooing away script kiddies?
The Answer
SuperUser contributor TheFiddlerWins reassures Alfred that it’s quite safe:
Another contributor, Stephane, highlights how easy it is to further secure SSH:
I have had people hit my home SSH server occasionally (open to Time Warner Cable). Never had an actual impact.
Finally, Craig Watson offers another tip to minimize attempts at intrusion:
If you force all SSH connection to use it, then it’ll make your system pretty much as resilient as you can hope to without investing a LOT into security infrastructure. Frankly, it’s so simple and effective (as long as you don’t have 200 accounts – then it gets messy) that not using it should be a public offense.
Have something to add to the explanation? Sound off in the the comments. Want to read more answers from other tech-savvy Stack Exchange users? Check out the full discussion thread here.
TheFiddlerWins has already addresses the main security implications of having SSH open on a publicly-accessible IP, but best tool IMO in response to brute-force attempts is Fail2Ban – software that monitors your authentication log files, detects intrusion attempts and adds firewall rules to the machine’s localiptables firewall. You can configure both how many attempts before a ban and also the length of the ban (my default is 10 days).