
SSH over WAN

ashgeo
Grafter
Posts: 93
Registered: 24-07-2008

SSH over WAN

Little bit of advice sought:
I am relatively new to Linux and have been messing around for some time with a Raspberry Pi and an old laptop on Mint.
I would like to be able to SSH into my Pi from the WAN when I am out and about, but I have concerns about opening security vulnerabilities. I have done this once by forwarding a port on my router to the Pi on the LAN (which I have now closed) and it all worked fine :-) I have read that the most secure way of doing this is with either a VPN or a 'Tunnel', both of which seem fairly complex to set up to me (as I don't entirely understand all the steps of the process but get what the end result is).
So my question really is: How secure is SSH without a VPN or Tunnel? Without either of the former, what are the potential consequences of forwarding an open port on the router to my Pi (port 22)? There is no data or anything that I am worried about being compromised on the Pi.
Many thanks in advance for any advice/help
27 REPLIES
Waldo
Grafter
Posts: 473
Registered: 01-08-2007

Re: SSH over WAN

The ssh daemon is configurable; for your case I'd suggest you change the default port 22 to something else and use public / private key authentication instead of password login.
Community Veteran
Posts: 4,976
Thanks: 1,152
Fixes: 28
Registered: 16-10-2014

Re: SSH over WAN

I agree with Waldo and thankfully SSH normally lives up to its name provided you are running the latest version and as I understand it there are, at the moment, no known issues with the current version. OpenSSH 7.1p1, OpenSSL 1.0.2d
However, having an open port, even if that port is not the default as suggested will have the effect of inviting unwanted callers. Ideally if you know the IP addresses of the locations you are wanting to access your Pi from then you can always restrict access by setting this rule in your firewall. Also ensure you have a proper password made of at least 10 characters, numbers and symbols.
On my firewall I have IP-restricted access for HTTPS and SSH and my logs show me no one (so far) can get past the IP restriction. However, if I remove the IP restriction, within hours there are all manner of 'bad people' knocking on the ports. If you do decide to do this then I'd move the Pi into a DMZ, so if the Pi is compromised there's no other hardware available to them outside the Pi.
kmilburn
Grafter
Posts: 902
Thanks: 2
Registered: 30-07-2007

Re: SSH over WAN

There's not much point using a VPN or tunneling to use SSH; you can use SSH as a tunnel for other protocols.
I have SSH forwarded from a non-standard port on the router to the default port on the server (also a Raspberry Pi), and (so far) don't get any unwanted traffic.
As a secondary security measure,  tools like Fail2Ban or DenyHosts can monitor the logs and block IPs with too many failures.
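The log-watching step kmilburn describes, and the "IP restriction" the earlier reply uses on the firewall, as an added example that is not part of the thread and is not Fail2Ban's or DenyHosts' own code: it scans sshd lines from a syslog-style auth.log, counts failed logins per source address inside a sliding window, skips addresses on an allowlist (Fail2Ban calls this `ignoreip`), and returns the addresses that crossed the threshold. The log lines, the year (syslog timestamps carry none), the allowlisted networks and the thresholds are all constructed assumptions for the example.

```python
"""Fail2Ban-style detection over sshd log lines (added example, not Fail2Ban code)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy for the example: 5 failures inside 10 minutes gets an address
# banned; nothing on the home LAN or loopback is ever banned.
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)
IGNORE_IP = ["127.0.0.0/8", "192.168.1.0/24"]   # assumed trusted networks
LOG_YEAR = 2015                                   # assumed; syslog lines have no year

# Only "Failed password" lines are counted; "Invalid user" and "Accepted" lines
# are deliberately left out so one bad attempt is not counted twice.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2"
)

# Constructed sample log: one scanner from TEST-NET-3, one slow failer, one LAN host.
SAMPLE_LOG = """\
Oct  3 09:00:01 raspberrypi sshd[1201]: Invalid user admin from 203.0.113.7
Oct  3 09:00:01 raspberrypi sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51322 ssh2
Oct  3 09:00:04 raspberrypi sshd[1203]: Failed password for root from 203.0.113.7 port 51330 ssh2
Oct  3 09:00:06 raspberrypi sshd[1205]: Failed password for root from 203.0.113.7 port 51340 ssh2
Oct  3 09:00:09 raspberrypi sshd[1207]: Failed password for pi from 203.0.113.7 port 51351 ssh2
Oct  3 09:00:11 raspberrypi sshd[1209]: Failed password for pi from 203.0.113.7 port 51360 ssh2
Oct  3 09:00:12 raspberrypi sshd[1210]: Accepted publickey for pi from 198.51.100.9 port 40001 ssh2
Oct  3 09:15:00 raspberrypi sshd[1301]: Failed password for pi from 198.51.100.9 port 40010 ssh2
Oct  3 10:20:00 raspberrypi sshd[1402]: Failed password for pi from 198.51.100.9 port 40020 ssh2
Oct  3 11:30:00 raspberrypi sshd[1503]: Failed password for pi from 198.51.100.9 port 40030 ssh2
Oct  3 12:00:00 raspberrypi sshd[1601]: Failed password for pi from 192.168.1.20 port 50000 ssh2
Oct  3 12:00:01 raspberrypi sshd[1602]: Failed password for pi from 192.168.1.20 port 50001 ssh2
Oct  3 12:00:02 raspberrypi sshd[1603]: Failed password for pi from 192.168.1.20 port 50002 ssh2
Oct  3 12:00:03 raspberrypi sshd[1604]: Failed password for pi from 192.168.1.20 port 50003 ssh2
Oct  3 12:00:04 raspberrypi sshd[1605]: Failed password for pi from 192.168.1.20 port 50004 ssh2
Oct  3 12:00:05 raspberrypi sshd[1606]: Failed password for pi from 192.168.1.20 port 50005 ssh2
"""


def parse_failure(line, year=LOG_YEAR):
    """Return (timestamp, source_ip) for a counted failure line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts_text = re.sub(r" +", " ", m["ts"])          # "Oct  3" -> "Oct 3"
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def is_ignored(ip, ignore=IGNORE_IP):
    """True if ip falls inside any allowlisted network (the ignoreip idea)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ignore)


def find_bans(log_text, maxretry=MAXRETRY, findtime=FINDTIME, ignore=IGNORE_IP):
    """Return {ip: time_of_ban} for every address with >= maxretry failures
    inside a findtime-long sliding window, never banning allowlisted ips."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    bans = {}
    for line in log_text.splitlines():
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in bans or is_ignored(ip, ignore):
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:   # drop failures that aged out
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


def iptables_rules(bans):
    """Render the simplest possible block rule per banned address."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in bans]


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"{when:%b %d %H:%M:%S} ban {ip}")
    print("\n".join(iptables_rules(find_bans(SAMPLE_LOG))))
```

The slow failer (three attempts over two hours) never reaches five inside any ten-minute window, which is why `findtime` matters as much as `maxretry`; the LAN host is skipped entirely, which is the same reason Fail2Ban's `ignoreip` should list the networks you administer from, or you will lock yourself out after a few typos. The real tool's `[sshd]` jail exposes `maxretry`, `findtime`, `bantime` and `ignoreip` in `jail.local`.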
Moderator
Moderator
Posts: 17,353
Thanks: 981
Fixes: 114
Registered: 11-01-2008

Re: SSH over WAN

Changing the default port can be a bad idea; just disable password auth and use certificates for authentication.
Will Moderate For Thanks
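The sshd_config changes recommended in Waldo's reply and in the one above (key-only login, no password auth), as an added example that is not part of the thread: a small checker that reads an sshd_config, works out the effective value of the settings being discussed, and reports which ones are still weak. The one thing it models that people get wrong is that OpenSSH uses the first value it reads for a keyword, so appending `PasswordAuthentication no` to the bottom of a file that already says `yes` higher up changes nothing; and settings inside a `Match` block are conditional, so they are left out of the global verdict. The three configs are constructed for the example, and the "wanted" values are the hardening the posts recommend, not OpenSSH's own defaults.

```python
"""sshd_config audit (added example, not OpenSSH code)."""
import re

# Value the thread recommends for a WAN-exposed sshd (assumed hardening target).
WANTED = {
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
    "challengeresponseauthentication": "no",
}

# What sshd assumes when the keyword is absent, so "not set" is judged honestly.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "challengeresponseauthentication": "yes",
}

# sshd_config lines are "Keyword value" or "Keyword=value", case-insensitive keyword.
LINE_RE = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*?)\s*$")

# Constructed: the kind of file a fresh install ships with.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed: the "fix" of appending one line, which sshd silently ignores.
APPENDED_CONFIG = WEAK_CONFIG + "\nPasswordAuthentication no\n"

# Constructed: hardened globally, with passwords only allowed from the LAN.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers pi

Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword: first value} for the global section.

    Keywords are lower-cased, comments and blanks are skipped, the first
    occurrence of a keyword wins, and everything after a Match line is
    ignored because it only applies when the Match condition holds.
    """
    seen = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            in_match = True      # conditional until the next Match, which we also skip
            continue
        if in_match:
            continue
        seen.setdefault(key, value)   # first obtained value wins, as sshd does
    return seen


def weak_settings(text):
    """Return {keyword: effective value} for every audited keyword that is not
    at its wanted value, using sshd's default when the keyword is absent."""
    cfg = parse_sshd_config(text)
    return {
        key: cfg.get(key, DEFAULTS[key])
        for key, wanted in WANTED.items()
        if cfg.get(key, DEFAULTS[key]).lower() != wanted
    }


if __name__ == "__main__":
    for name, text in [("weak", WEAK_CONFIG), ("appended", APPENDED_CONFIG),
                       ("hardened", HARDENED_CONFIG)]:
        print(name, weak_settings(text) or "ok")
```

After editing the real file, `sshd -t` checks it parses and `sshd -T` prints the effective values sshd will actually use, which is the authoritative version of what this checker approximates; keep an existing session open while you restart sshd so a mistake does not lock you out.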
Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: 24-10-2013

Re: SSH over WAN

How do you do that on a Raspberry Pi?
Moderator
Moderator
Posts: 17,353
Thanks: 981
Fixes: 114
Registered: 11-01-2008

Re: SSH over WAN

Same way as you do it on any platform... but here's a link https://www.raspberrypi.org/documentation/remote-access/ssh/passwordless.md
Will Moderate For Thanks
VileReynard
Seasoned Pro
Posts: 10,646
Thanks: 206
Fixes: 9
Registered: 01-09-2007

Re: SSH over WAN

But that just uses a passphrase - that's a standard way to set up ssh.
My Pi works on a (LAN only) ssh passphrase.
If your router port forwards port 22 to your Pi then it's game over.
You could at least choose a high numbered port, to make life a bit harder.

Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: 24-10-2013

Re: SSH over WAN

At the moment I have a Pi.
Port 22 is forwarded on the router to the Pi.
When I connect to it externally it asks for user/password.
In what way would that be "game over"?
Changing the port to a higher number doesn't make it any more or less secure IMO.
Community Veteran
Posts: 4,976
Thanks: 1,152
Fixes: 28
Registered: 16-10-2014

Re: SSH over WAN

For me changing the port is pointless; when a port is found to be open, tools like Nmap can easily tell you what's at the other end.
Community Veteran
Posts: 4,939
Thanks: 357
Fixes: 16
Registered: 10-06-2010

Re: SSH over WAN

The passwordless ssh authentication doesn't just use a passphrase. You need to have a copy of the key file on the computer you're accessing the ssh server from, then the passphrase is needed to unlock the key.
I think the standard port will get probed far more than a high numbered port.
Community Veteran
Posts: 4,976
Thanks: 1,152
Fixes: 28
Registered: 16-10-2014

Re: SSH over WAN

That's a fair comment, the majority of script kiddies do tend to target the common in-use ports under 1024. But anyone worth their salt would scan the entire port range and work from there; that's how I would do it.
Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: 24-10-2013

Re: SSH over WAN

Yeah, changing the port number is the equivalent of taking the number off the front door of your house.
Your house is still there and is still visible to those wanting to find it.
Community Veteran
Posts: 4,939
Thanks: 357
Fixes: 16
Registered: 10-06-2010

Re: SSH over WAN

No, it's more the equivalent of having 65,535 doors, and not having the usual 22nd door unlocked.
How often does port 22 get probed? Often. Many times a day probably.
How often does a full port scan get done to you? Practically never.
Community Veteran
Posts: 3,274
Thanks: 339
Fixes: 12
Registered: 24-10-2013

Re: SSH over WAN

Quote from: dvorak
Same way as you do it on any platform... but here's a link https://www.raspberrypi.org/documentation/remote-access/ssh/passwordless.md

That's all very well, but the device I am connecting from is a Windows 7 system, and that document only refers to connecting from Linux/Unix systems.