
LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Advise on secure remote ssh accessible 24/7 server in home network (https://www.linuxquestions.org/questions/linux-security-4/advise-on-secure-remote-ssh-accessible-24-7-server-in-home-network-4175510597/)

fritzxy 07-09-2014 11:49 AM

Advice on secure remote ssh accessible 24/7 server in home network
 
I am considering setting up a Raspberry Pi or similar energy efficient device to serve as a small ssh server that can be accessed over the internet.
The idea is that my NAS, desktop and laptop can be turned off when I am not at home or when they are not required to operate. When I do need to access files or services on my private LAN from the outside I can easily ssh into the Raspberry Pi. It should be possible to send wake-on-lan packets from the shell on the Raspberry Pi to the machine that needs to be powered on. Then I could use the Raspberry Pi as a hop to access the freshly powered on machine.

This idea is born out of the desire to reduce my electricity bill and improve my network security, as offline machines are less prone to attack.
I do however like to have the ability to log in to my private network when needed. That is where the Raspberry Pi comes in. This could run 24/7 without wasting electricity.

Now I would like some advice. What would be the best approach to realize this idea?

All ports are closed on my current private network. From the outside it appears to be stealth.

Scenario 1:
  • Place the Raspberry Pi behind the router
  • Set up SSH
  • Forward port 22 to the Raspberry Pi

I create a hole in my firewall by forwarding port 22 to the Raspberry Pi. Judging by my logs there are a lot of scans and ssh attacks on our network. I could use fail2ban, but I do not know if that is enough.

Scenario 2:
  • Place the Raspberry Pi behind the router
  • Set up SSH
  • Forward non-standard SSH port to the Raspberry Pi

Some of the attacks can maybe be tricked by using a different port than the standard port 22. The hole in the firewall however remains, only on a different port.
It is possible to disable password logins and use certificates instead. This should decrease the risk even more, if I understood correctly?

Scenario 3:
  • Place the Raspberry Pi behind the router
  • Set up SSH
  • Forward port to the Raspberry Pi
  • Disable password logins and use certificates instead

There is however also an alternative that keeps my home network stealth to the outside world.
By using a reverse SSH tunnel to an outside host I can keep all the ports on my local network closed. I can access the Raspberry Pi on my private network by SSH-ing to the remote host which will redirect me back to the Raspberry Pi in my home network.

Scenario 4:
  • Place the Raspberry Pi behind the router
  • Set up SSH
  • Use reverse SSH tunneling with external shell host

What would be the best approach? Scenario 4 is the only scenario that does not require me to open a port on my home network. The problem however is redirected to the external host, so I am not sure if it really is an improvement in security?

All suggestions are appreciated!
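The wake-on-lan step of the plan above, as an added example that is not part of the original thread: the Raspberry Pi builds the magic packet for the machine to be woken, broadcasts it on the LAN, and then polls until that machine's ssh port answers so it can be used as the next hop. The MAC address, broadcast address and target IP are constructed placeholders.

```python
import re
import socket
import time

# Constructed placeholder for the NAS's MAC address (assumption; use the real one).
NAS_MAC = "00:11:22:33:44:55"


def magic_packet(mac: str) -> bytes:
    """Build a Wake-on-LAN magic packet: 6 bytes of 0xFF followed by the
    target MAC repeated 16 times (102 bytes). Accepts ':' or '-' separators."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return b"\xff" * 6 + bytes.fromhex(digits) * 16


def send_wol(mac: str, broadcast: str = "192.168.1.255", port: int = 9) -> int:
    """Broadcast the magic packet on the LAN segment the NAS is attached to.
    The subnet's directed broadcast address is a placeholder. Returns bytes sent."""
    pkt = magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


def wait_for_ssh(host: str, port: int = 22, timeout: float = 120.0, interval: float = 5.0) -> bool:
    """Poll until the woken machine accepts a TCP connection on its ssh port,
    so the Pi is only used as a hop once the target is actually up."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return True
        except OSError:
            time.sleep(interval)
    return False


if __name__ == "__main__":
    send_wol(NAS_MAC)
    # Placeholder LAN address of the NAS (assumption).
    print("nas is up" if wait_for_ssh("192.168.1.10") else "nas did not come up")
```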

kentyler 07-09-2014 12:12 PM

The concept of a secure network requires 2 network devices to provide physical separation. So I'd suggest that having an open port above 4000 on the firewall that forwards ssh packets to the Raspberry Pi, which is behind the router, would be the most secure; from there you can tunnel to other devices. For this to be secure the router must not allow any external connections to its configuration GUI or cmdline.

fritzxy 07-09-2014 02:36 PM

Remote access to my router has been disabled. It can only be configured from the local network.

So what you are saying is that I should go with scenario 3?
Open up a port in the router and forward it to the Raspberry Pi.

Why is this option better than scenario 4 with the reverse SSH tunneling? In this scenario there is no need for opening ports on my firewall.
Scenario 4 is quite similar to the setup in the attached illustration, where the 'Office PC' would be my Raspberry Pi and the 'Home PC' would be my laptop on a foreign network trying to connect to my home network over the internet.
  • Raspberry Pi on the local network behind a firewall.
  • The Raspberry Pi creates a reverse ssh tunnel to an external host on the internet.
  • Because there are no open ports in my firewall it is impossible to connect to the Raspberry Pi directly (or any other device on my home network for that matter).
  • The Raspberry Pi is accessible by connecting to the remote host on the internet, which redirects me through the reverse tunnel to the Raspberry Pi behind my firewall (no open ports in the firewall, but piggybacking on the tunnel initiated by the Raspberry Pi itself).
I thought this would be a good idea, but you recommend sticking to scenario 4 and opening up a port in the firewall above 4000 and forwarding this to allow direct access to the Raspberry Pi.
Could you please explain why this is a better solution? Thank you in advance!

kentyler 07-09-2014 02:53 PM

An open ssh tunnel connected to a host on the internet is not so secure: this host could be exploited locally or remotely and allow anyone back down the pipe to your network. The chance of someone hacking into port 4000 or a random port above 4000 with an ssh exploit is only likely if you are a bank or have a network that has something they really want badly. Unlikely.

99.9% of the exploits out there are automated and focused on specific versions of a daemon listening on the specific port it's intended to listen on, or software said daemon provides, i.e. Apache+Wordpress.

maples 07-09-2014 05:48 PM

I would suggest setup 3 (on a port above 4000). It's fairly easy to set up. Just make sure to disable password login once your keyfiles are set up. Also, you should probably disable root login. If you need root access, then SSH in as a normal user and run "sudo su" and you're at your root prompt.

mboelen 08-02-2014 12:41 PM

Or use port knocking? Open up the port dynamically for those who know the sequence.

fritzxy 08-10-2014 06:50 PM

Port knocking does not work in my case, because my home network is attached to a small home router that does not support port knocking.

I use keyfiles to connect to the ssh-server on an alternative port. Password logins have been disabled.
Would fail2ban or a similar tool improve the security in this case?

mboelen 08-10-2014 08:48 PM

You could define a few random ports, forward them to the related server and it would be possible. No need for built-in support.

Yes, these kinds of tools help in blocking evildoers trying to brute force and stop them while doing so.
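The fail2ban question and answer above, as an added example that is not part of the thread: a minimal fail2ban-style scan over a constructed auth.log excerpt that flags an address once it produces `maxretry` failed attempts inside a `findtime` window, the same two knobs fail2ban's sshd jail uses. The log lines, addresses, thresholds and the year (syslog timestamps carry none) are constructed assumptions, and the two regexes are a simplification of fail2ban's own sshd filter, covering both the "Failed password" message and the preauth disconnect sshd logs once password logins are disabled.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not from any real host); addresses come
# from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Aug 10 18:01:02 pi sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Aug 10 18:01:05 pi sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Aug 10 18:01:09 pi sshd[1205]: Failed password for root from 203.0.113.7 port 51250 ssh2
Aug 10 18:02:30 pi sshd[1210]: Connection closed by invalid user test 198.51.100.9 port 40000 [preauth]
Aug 10 18:02:31 pi sshd[1211]: Connection closed by authenticating user pi 198.51.100.9 port 40001 [preauth]
Aug 10 18:40:00 pi sshd[1300]: Connection closed by authenticating user pi 198.51.100.9 port 40010 [preauth]
Aug 10 18:41:00 pi sshd[1301]: Accepted publickey for pi from 198.51.100.9 port 40011 ssh2
"""

TS = r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILURE_PATTERNS = [
    # password rejected (only seen while password logins are still enabled)
    re.compile(TS + r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"),
    # client dropped before authenticating, which is what a key-only sshd logs
    re.compile(TS + r"Connection closed by (?:invalid|authenticating) user \S+ (?P<ip>[\d.]+) port \d+ \[preauth\]"),
]


def parse_failures(log_text: str, year: int = 2014) -> list:
    """Return (timestamp, ip) for every line matching a failure pattern.
    syslog lines carry no year, so the caller supplies one (assumption)."""
    events = []
    for line in log_text.splitlines():
        for pat in FAILURE_PATTERNS:
            m = pat.match(line)
            if m:
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events.append((ts, m["ip"]))
                break
    return events


def offenders(log_text: str, maxretry: int = 3, findtime_s: int = 600, year: int = 2014) -> list:
    """Flag an IP when any `maxretry` of its failures fall within `findtime_s`
    seconds of each other (fail2ban's default sshd jail semantics). Sorted list."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text, year):
        by_ip[ip].append(ts)
    banned = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        # sliding window: compare each failure with the one maxretry-1 places earlier
        if any((stamps[i] - stamps[i - maxretry + 1]).total_seconds() <= findtime_s
               for i in range(maxretry - 1, len(stamps))):
            banned.append(ip)
    return sorted(banned)
```

Point `offenders` at `/var/log/auth.log` on the Pi and the returned addresses are the ones fail2ban would have put into an iptables drop rule.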


All times are GMT -5.