I am considering setting up a Raspberry Pi or similar energy-efficient device to serve as a small SSH server that can be accessed over the internet.
The idea is that my NAS, desktop and laptop can be turned off when I am not at home or when they are not required to operate. When I do need to access files or services on my private LAN from the outside, I can easily ssh into the Raspberry Pi. It should be possible to send Wake-on-LAN packets from the shell on the Raspberry Pi to the machine that needs to be powered on. Then I could use the Raspberry Pi as a hop to access the freshly powered-on machine.
This idea is born out of the desire to reduce my electricity bill and improve my network security, as offline machines are less prone to being attacked.
I do, however, like to have the ability to log in to my private network when needed. That is where the Raspberry Pi comes in. This could run 24/7 without wasting electricity.
Now I would like some advice. What would be the best approach to realize this idea?
All ports are closed on my current private network. From the outside it appears to be stealth.
Scenario 1:
- Place the Raspberry Pi behind the router
- Set up SSH
- Forward port 22 to the Raspberry Pi
I create a hole in my firewall by forwarding port 22 to the Raspberry Pi. Judging by my logs there are a lot of scans and ssh attacks on our network. I could use fail2ban, but I do not know if that is enough.
Scenario 2
- Place the Raspberry Pi behind the router
- Set up SSH
- Forward non-standard SSH port to the Raspberry Pi
Some of the attacks can maybe be tricked by using a different port than the standard port 22. The hole in the firewall, however, remains, only on a different port.
It is possible to disable password logins and use certificates instead. This should decrease the risk even more if I understood correctly?
Scenario 3
- Place the Raspberry Pi behind the router
- Set up SSH
- Forward port to the Raspberry Pi
- Disable password logins and use certificates instead
There is however also an alternative that keeps my home network stealth to the outside world.
By using a reverse SSH tunnel to an outside host I can keep all the ports on my local network closed. I can access the Raspberry Pi on my private network by SSH-ing to the remote host which will redirect me back to the Raspberry Pi in my home network.
Scenario 4
- Place the Raspberry Pi behind the router
- Set up SSH
- Use reverse SSH tunneling with external shell host
What would be the best approach? Scenario 4 is the only scenario that does not require me to open a port on my home network. The problem, however, is redirected to the external host, so I am not sure if it really is an improvement in security?
All suggestions are appreciated!
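
An added example, not part of the original post: a small audit of an `sshd_config` for the settings weighed in scenarios 1 to 3 (password logins, key logins, listening port). The sample configurations are constructed; the script reads only the global section and assumes no `Include` files or `Match` blocks change the result.

```python
# Added example: check the global section of an sshd_config for the settings
# discussed in scenarios 1-3. Include files and Match blocks are not evaluated.

# Upstream OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_global(text):
    """Return (settings, ports) for the lines before the first Match block."""
    settings, ports = {}, []
    for raw in text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        key = ALIASES.get(fields[0].lower(), fields[0].lower())
        value = fields[1].lower() if len(fields) > 1 else ""
        if key == "match":
            break
        if key == "port":
            ports.append(int(value))         # Port may be listed several times
        else:
            settings.setdefault(key, value)  # sshd keeps the FIRST value it reads
    return settings, ports or [22]

def audit(text):
    settings, ports = parse_global(text)
    eff = {**DEFAULTS, **settings}
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("password logins are enabled")
    if eff["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive logins are enabled")
    if eff["pubkeyauthentication"] != "yes":
        findings.append("public key logins are disabled")
    if 22 in ports:
        findings.append("sshd listens on the default port 22")
    return findings

# Constructed sample: the later "no" never takes effect because the first wins.
SHADOWED = """Port 2222
PasswordAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""
# Constructed sample matching scenario 3 on a non-standard port.
HARDENED = """Port 2222
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
"""
```

On the Raspberry Pi itself, `sshd -T` prints the effective configuration after all files are merged, which is the authoritative check.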