SSH over WAN

ashgeo
Grafter
Posts: 96
Registered: ‎24-07-2008

SSH over WAN

Little bit of advice sought:
I am relatively new to Linux and have been messing around for some time with a RaspberryPi and an old Laptop on Mint.
I would like to be able to SSH into my pi from the WAN when I am out and about but I have concerns about opening security vulnerabilities. I have done this once by forwarding a port on my router to the Pi on the LAN (which I have now closed) and it all worked fine 🙂 I have read that the most secure way of doing this is with either a VPN or a 'Tunnel', both of which seem fairly complex to set up to me (as I don't entirely understand all the steps of the process but get what the end result is).
So my question really is: How secure is SSH without a VPN or Tunnel? Without either of the former, what are the potential consequences of forwarding an open port on the router to my Pi (port 22)? There is no data or anything that I am worried about being compromised on the Pi.
Many thanks in advance for any advice/help
27 REPLIES
Waldo
Grafter
Posts: 473
Registered: ‎01-08-2007

Re: SSH over WAN

The ssh daemon is configurable; for your case I'd suggest you change the default port 22 to something else and use public / private key authentication instead of password login.
Anonymous
Not applicable

Re: SSH over WAN

I agree with Waldo, and thankfully SSH normally lives up to its name provided you are running the latest version; as I understand it there are, at the moment, no known issues with the current version (OpenSSH 7.1p1, OpenSSL 1.0.2d).
However, having an open port, even if that port is not the default as suggested will have the effect of inviting unwanted callers. Ideally if you know the IP addresses of the locations you are wanting to access your Pi from then you can always restrict access by setting this rule in your firewall. Also ensure you have a proper password made of at least 10 characters, numbers and symbols.
On my firewall I have IP restricted access for HTTPS and SSH and my logs show me no one (so far) can get past the IP restriction. However, if I remove the IP restriction, within hours there are all manner of ‘bad people’ knocking on the ports. If you do decide to do this then I'd move the Pi into a DMZ, so if the Pi is compromised there's no other hardware available to them outside the Pi.
kmilburn
Grafter
Posts: 911
Thanks: 6
Registered: ‎30-07-2007

Re: SSH over WAN

There's not much point using a VPN or tunneling to use SSH; you can use SSH as a tunnel for other protocols.
I have SSH forwarded from a non-standard port on the router to the default port on the server (also a raspberry pi), and (so far) don't get any unwanted traffic.
As a secondary security measure,  tools like Fail2Ban or DenyHosts can monitor the logs and block IPs with too many failures.
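The log-watching idea kmilburn mentions, as an added illustration (not code from the thread or from Fail2Ban/DenyHosts): count "Failed password" entries per source address in auth.log-style lines and list the addresses over a threshold, which is the decision those tools make before they block. The log lines are constructed samples using documentation IP ranges.

```shell
#!/bin/sh
# Added example: find source IPs with repeated failed SSH logins, the
# check Fail2Ban / DenyHosts automate before blocking an address.

# Constructed sample lines in the OpenSSH auth.log format (not real traffic).
SAMPLE_LOG='Oct  1 10:00:01 pi sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Oct  1 10:00:03 pi sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Oct  1 10:00:05 pi sshd[1203]: Failed password for pi from 203.0.113.5 port 51240 ssh2
Oct  1 10:00:09 pi sshd[1204]: Accepted publickey for pi from 198.51.100.7 port 40001 ssh2
Oct  1 10:00:11 pi sshd[1205]: Failed password for pi from 198.51.100.7 port 40002 ssh2'

# offenders [THRESHOLD]: read log text on stdin, print "count ip" for every
# source with at least THRESHOLD (default 3) failed password attempts,
# highest count first. Successful logins are ignored.
offenders() {
    threshold="${1:-3}"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' | sort -rn
}

# Run the filter over the constructed log.
printf '%s\n' "$SAMPLE_LOG" | offenders 3
```

A real deployment would read /var/log/auth.log (or `journalctl -u ssh`) and pass the result to a firewall rule, which is exactly what the tools named above do.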
dvorak
Moderator
Moderator
Posts: 29,497
Thanks: 6,627
Fixes: 1,483
Registered: ‎11-01-2008

Re: SSH over WAN

changing the default port can be a bad idea, just disable password auth and use certificates for authentication.
Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
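To make the "disable password auth" advice concrete, here is an added example (not from the thread or the linked Raspberry Pi page) that audits an sshd_config for the settings this thread argues about: a stock-style config beside a keys-only one. It assumes no Match blocks and relies on sshd taking the first value set for each keyword; the config texts are constructed samples.

```shell
#!/bin/sh
# Added example: report the effective Port / PasswordAuthentication /
# PubkeyAuthentication / PermitRootLogin settings of an sshd_config.
# Assumes no Match blocks; sshd uses the first value given for a keyword.

# Constructed sample: stock-style config (commented lines are sshd defaults).
WEAK_CONF='#Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
#PubkeyAuthentication yes'

# Constructed sample: keys only, no root login, a single allowed user.
HARD_CONF='Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers pi'

# effective KEYWORD DEFAULT: first uncommented value of KEYWORD from the
# config on stdin, or DEFAULT when the keyword is never set explicitly.
effective() {
    v="$(awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }')"
    printf '%s\n' "${v:-$2}"
}

# audit: one "Keyword=value" line per setting, config read on stdin.
audit() {
    conf="$(cat)"
    for kw in Port PasswordAuthentication PubkeyAuthentication PermitRootLogin; do
        case "$kw" in
            Port) d=22 ;;
            PermitRootLogin) d=prohibit-password ;;   # OpenSSH 7.0+ default
            *) d=yes ;;
        esac
        printf '%s=%s\n' "$kw" "$(printf '%s\n' "$conf" | effective "$kw" "$d")"
    done
}

# passwords_enabled: succeed (exit 0) when password logins are still allowed.
passwords_enabled() {
    [ "$(audit | grep '^PasswordAuthentication=' | cut -d= -f2)" = "yes" ]
}

printf '%s\n' "$WEAK_CONF" | audit
echo ---
printf '%s\n' "$HARD_CONF" | audit
```

After editing the real /etc/ssh/sshd_config, `sshd -t` checks the syntax and `sshd -T` prints the effective values, so the audit above can be compared against what the daemon actually loads.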
chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: ‎24-10-2013

Re: SSH over WAN

how do you do that? on a raspberry pi?
dvorak
Moderator
Moderator
Posts: 29,497
Thanks: 6,627
Fixes: 1,483
Registered: ‎11-01-2008

Re: SSH over WAN

same way as you do it on any platform... but here's a link https://www.raspberrypi.org/documentation/remote-access/ssh/passwordless.md
Customer / Moderator
If it helped click the thumb
If it fixed it click 'This fixed my problem'
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: SSH over WAN

But that just uses a passphrase - that's a standard way to setup ssh.
My Pi works on a (LAN only) ssh passphrase.
If your router port forwards port 22 to your Pi then it's game over.
You could at least choose a high numbered port, to make life a bit harder.

"In The Beginning Was The Word, And The Word Was Aardvark."

chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: ‎24-10-2013

Re: SSH over WAN

at the moment i have a pi
port 22 is forwarded on the router to the pi.
when i connect to it externally i'm asked for user/password.
in what way would that be "game over"?
changing the port to a higher number doesn't make it any more or less secure IMO.
Anonymous
Not applicable

Re: SSH over WAN

For me changing the port is pointless, when a port is found to be open tools like NMap can easily tell you what's at the other end.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: SSH over WAN

The passwordless ssh authentication doesn't just use a passphrase. You need to have a copy of the key file on the computer you're accessing the ssh server from, then the passphrase is needed to unlock the key.
I think the standard port will get probed far more than a high numbered port.
Anonymous
Not applicable

Re: SSH over WAN

That's a fair comment, the majority of script kiddies do tend to target the commonly used ports under 1024. But anyone worth their salt would scan the entire port range and work from there; that's how I would do it.
chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: ‎24-10-2013

Re: SSH over WAN

yeah, changing the port number is the equivalent of taking the number off the front door of your house.
your house is still there and is still visible to those wanting to find it.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: SSH over WAN

No, it's more the equivalent of having 65,535 doors, and not having the usual 22nd door unlocked.
How often does port 22 get probed? Often. Many times a day probably.
How often does a full port scan get done to you? Practically never.
chenks76
All Star
Posts: 3,274
Thanks: 338
Fixes: 12
Registered: ‎24-10-2013

Re: SSH over WAN

Quote from: dvorak
same way as you do it on any platform... but here's a link https://www.raspberrypi.org/documentation/remote-access/ssh/passwordless.md

that's all very well, but the device i am connecting from is a windows 7 system, and that document only refers to connecting from linux/unix systems.