i want to remotely ssh to my home server, and I was wondering if I could just forward port 22 with disabling password login and use pubkey authentication will be safe enough?

  • kaipee@alien.topB
    link
    fedilink
    English
    arrow-up
    3
    ·
    11 months ago

    Disable password auth.

    Enable key only auth.

    Add in TOTP 2FA (google authenticator).

    Randomize the port (reduce bots) that forwards to 22.

    Configure lockout to block upon 3 failed attempts, for a long duration like 1 year. (Have a backup access on LAN).

    Ensure only the highest encryption ciphers are accepted.

    Ensure upgrades are applied to sshd at least monthly.

      • kaipee@alien.topB
        link
        fedilink
        English
        arrow-up
        1
        ·
        11 months ago

        Easy to do with known internal networks.

        Difficult to manage when roaming.

        • gnordli@alien.topB
          link
          fedilink
          English
          arrow-up
          1
          ·
          11 months ago

          Absolutely, just sometimes people forget those tools even exist. Of course, you can easily do the same thing with firewall rules as well.

          Also, that was a great tidbit about the pam email notification on successful logon. I haven’t seen that one before, thank you!!

    • ennova2005@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      11 months ago

      Good summaries. How does the TOTP 2FA article handle drop/reconnects? TOTP needed for each reconnect attempt?