Ok, research is going to be in person again soon. My home workstation often does things faster than my group's cluster. I want to be able to ssh into it while in the office. Tips on making sure my home network is secure while opening it up to accept my ssh requests?
My current thought is to set up a cloud VPN server and let my router accept only that IP address, and use the cloud server to access my home network. (Note this workstation is just for running code. There’s not really any important documents stored on it.) Any other thoughts appreciated.
Sounds alright. Turn off password authentication completely and use a key file on a thumb drive.
@kholdang I tend to assume that everything will work as intended, and it sounds like you may be doing the same. But router & SSH configurations have errors, router firmware has errors, VPNs have errors, and serious errors have been found even in SSH implementations.
The setup you describe will invite attacks from the Internet. If you follow @orbit's good advice, attacks should be unsuccessful as long as everything works as intended, but… see above.
I would recommend another, stronger layer of defense at your home site before getting access to the SSH port. Perhaps a VPN running on pfSense or on another router. Put your Black Hat on, and think it over.
I’m not really paranoid, it’s just that - Oops, gotta go, the nice attendants at my asylum are headed this way. Good luck!
Well, this is why I ask the forum before doing things like this. I’m a bit of a newbie when it comes to networking, can you elaborate this point?
I honestly believe SSH is fine as long as it’s:
a) configured correctly
b) patched
Keeping things up to date is easier, for major distros as long as you ensure you update once a week you’re generally fine.
Keeping things configured correctly starts with disabling password auth. You can then run ssh-audit (jtesta/ssh-audit on GitHub: SSH server & client auditing of banner, key exchange, encryption, MAC, compression, compatibility, security, etc.), which will point out any glaringly weird things.
Yubikey even better if possible.
pfSense is well-regarded open source router software, often run on dedicated hardware which can be a re-purposed PC or something like the following, which is low-power and should be fast enough for home use. (And, whoops! it’s rather more expensive than I remembered.)
You can find a lot of discussion re pfSense on these forums. Many folks, including me, trust its security more than a typical home router (and yet, errors have been found - and promptly fixed). pfSense, as well as many routers, allows setting up a VPN to provide quite secure access to a LAN from the Internet.
It might be something of a challenge for a newbie to get such a VPN working. Probably depends on how readily you take to the topic, and the instructions available. I like Lawrence Systems videos on pfSense and other topics; this might be a good place to get started (I haven’t watched this specific video, though):
Uhm, this is a bit of a hobby for me. I may be letting my enthusiasm run a bit wild; several folks have suggested that SSH meets the need, and I don’t disagree strongly.
Just for clarity, do you mean to set up a VPS, as a jump server? And then have a dedicated box in your home network, to send all traffic to the local box from the jump server?
Like through a wireguard tunnel?
The jump host/server would still need to be secured, and you would have to punch a hole in your network to connect to the jump host anyway, so why not just skip the jump host, and create a wireguard connection between your work computer and the box in your local network?
I presume you would use something like port forwarding at a router level, so any traffic hitting your router from a certain port, like 44444 or whatever, all gets routed to the box you want to ssh into? Then you just need to set up key access (yubikey/ssh key file/whatever)
And probably want to make sure you have enabled firewall on the ssh target, and your home router?
Just some food for thought
Additionally, if/when setting up ssh:
- U2F dongles are a good choice - you can unplug them as soon as you’re logged in.
- you can setup ssh such that you require more than one public key - or both a public key and a password
- you can use ControlPath to reuse pre-existing ssh sessions for new things, for example if you want a second terminal window or you want to additionally forward a port or additionally mount sftp
- if you wanted to, you could maybe even use Duo or crypt.ko or google authenticator or similar that pop up notifications on your phone or display qr codes with URLs that you’re forced to visit e.g. with your phone in order to log in — it’s really incredibly flexible; u2f is generally fine
- wireguard / tailscale are a good choice to get stable endpoint IPs, but plain old dynamic DNS can work well too.
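A quick way to check the two sshd points raised above (password auth off, and a second factor via AuthenticationMethods) is to audit the config file itself. This is an added example, not code from the thread or from ssh-audit; the two sshd_config fragments are constructed, and the port 44444 is the placeholder used earlier in the thread.

```shell
#!/bin/sh
# Two constructed sshd_config fragments (not copied from any real host):
# a stock-style file that still allows password logins, and the hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 44444
PermitRootLogin yes
#PasswordAuthentication no
UsePAM yes
EOF
cat > "$HARD_CFG" <<'EOF'
Port 44444
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
EOF

# sshd_get KEY FILE: effective value of one directive. Commented-out lines
# are skipped and, as sshd itself does, the first occurrence wins.
sshd_get() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# sshd_weak_count FILE: one finding per weak setting on stderr, the number
# of findings on stdout (0 means every check passed).
sshd_weak_count() {
    f="$1"; n=0
    pw=$(sshd_get PasswordAuthentication "$f")
    if [ "${pw:-yes}" != "no" ]; then              # OpenSSH default: yes
        echo "WEAK: PasswordAuthentication=${pw:-yes}; set it to no" >&2; n=$((n+1))
    fi
    case "$(sshd_get PermitRootLogin "$f")" in
        no|prohibit-password|"") ;;                # "" = default prohibit-password
        *) echo "WEAK: PermitRootLogin lets root in; set it to no" >&2; n=$((n+1)) ;;
    esac
    if [ "$(sshd_get PubkeyAuthentication "$f")" = "no" ]; then
        echo "WEAK: PubkeyAuthentication=no; keys are the only method wanted" >&2; n=$((n+1))
    fi
    case "$(sshd_get AuthenticationMethods "$f")" in
        *,*) ;;                                    # two factors required, e.g. key + TOTP
        *) echo "NOTE: single-factor login; consider AuthenticationMethods publickey,keyboard-interactive" >&2; n=$((n+1)) ;;
    esac
    echo "$n"
}

echo "weak config:     $(sshd_weak_count "$WEAK_CFG") finding(s)"
echo "hardened config: $(sshd_weak_count "$HARD_CFG") finding(s)"
```

The checker only reads the single file it is given; on a real host also review anything pulled in via Include and Match blocks, which this simple parser does not follow.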
I was thinking of having OpenVPN running on a VPS. Then port forwarding would just occur at the router level. There’s only one computer that I need to access from the office, so traffic would just get directed to that machine.
From these responses, there’s clearly more I need to think about to really make sure my home network is secure while setting up ssh.
So in this case, you’re proposing internet → modem → pfSense router → my router → LAN?
I’m not an expert, just food for consideration.
The pfsense box looks a good idea.
And the jump host would be a great idea if you wanted to share a tunnel into your home, for like a multiplayer server/whatever, but might not be needed if it’s just yourself.
Actually I would only propose either the pfSense router or your existing router. If your router has VPN capability and you have confidence in it, that is an option. As I’ve said, I have much more confidence in pfSense. (Why, yes, I’ve been hurt by my home router vendor…)
But, you may need a switch if you have multiple devices on your LAN, and your existing router could serve that purpose along with a pfSense router.
Also, your home router might be useful as a WiFi access point, placed behind the pfSense router (if you go that route).
Thanks everyone for the input. I think I'll check out adding a pfsense router. Probably will still restrict access to a single incoming IP address which would be an OpenVPN VPS with appropriate hardening (fail2ban, public key authentication only, no remote root, etc.)
If your work IP address is stable, you could add it to the permit list and connect directly to your home address (if you have a relatively stable IP address at home).
Regardless of how you get to your server, you can:
- disable passwords and only use key access
- set up fail2ban to block IPs after x unsuccessful attempts
- set up MFA/TOTP authentication
- make sure your firewall/router blocks ssh to all other hosts on your network.

first post on level1!
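To see what the fail2ban item in that list actually keys on, here is an added example (not from the thread or from fail2ban) that counts failed sshd logins per source address in a constructed auth.log excerpt and applies a maxretry threshold, while sparing an allow-listed address such as the office or VPS IP mentioned above. The log lines and the allow-list value are constructed placeholders.

```shell
#!/bin/sh
# Constructed auth.log excerpt in OpenSSH's syslog format; the addresses are
# RFC 5737 documentation ranges, not real hosts.
AUTH_LOG=$(mktemp)
cat > "$AUTH_LOG" <<'EOF'
Mar  1 09:00:01 box sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 52214 ssh2
Mar  1 09:00:03 box sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 52215 ssh2
Mar  1 09:00:04 box sshd[1203]: Failed password for root from 203.0.113.5 port 52216 ssh2
Mar  1 09:00:05 box sshd[1203]: Failed password for root from 203.0.113.5 port 52217 ssh2
Mar  1 09:00:06 box sshd[1204]: Failed none for invalid user test from 203.0.113.5 port 52218 ssh2
Mar  1 09:01:10 box sshd[1210]: Failed publickey for alice from 192.0.2.10 port 50001 ssh2: ED25519 SHA256:constructed
Mar  1 09:01:20 box sshd[1211]: Accepted publickey for alice from 192.0.2.10 port 50002 ssh2: ED25519 SHA256:constructed
Mar  1 09:02:00 box sshd[1220]: Invalid user oracle from 198.51.100.7 port 41000
Mar  1 09:02:01 box sshd[1220]: Failed password for invalid user oracle from 198.51.100.7 port 41000 ssh2
EOF

# ssh_failures LOG: "count ip" for every source with a failed login, most
# frequent first. Only lines sshd logs as a failed authentication count.
ssh_failures() {
    awk '/sshd\[[0-9]+\]: Failed (password|publickey|none) for/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
    } END { for (ip in fails) print fails[ip], ip }' "$1" | sort -rn
}

# ssh_offenders LOG MAXRETRY: sources with at least MAXRETRY failures, the
# same threshold a fail2ban sshd jail applies (its default maxretry is 5).
ssh_offenders() {
    ssh_failures "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# Sources that must never be blocked, e.g. the office or VPS address the
# thread proposes to allow-list; placeholder value, one address per line.
ALLOWLIST="192.0.2.10"

# ssh_block_candidates LOG MAXRETRY: offenders minus the allow-list, i.e.
# what an automatic ban rule should actually act on.
ssh_block_candidates() {
    ssh_offenders "$1" "$2" | grep -vxF "$ALLOWLIST" || true
}

echo "failures per source:"; ssh_failures "$AUTH_LOG"
echo "ban candidates at maxretry=5:"; ssh_block_candidates "$AUTH_LOG" 5
```

Running it over your own /var/log/auth.log (or journalctl -u ssh output) before enabling fail2ban shows how noisy the exposed port already is and confirms the allow-listed address would not lock you out.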
Thanks. These are good general points to keep in mind. And welcome!