I want to remotely SSH to my home server, and I was wondering: if I just forward port 22, disable password login and use pubkey authentication, will that be safe enough?

  • @dev_all_the_opsB
    17 months ago

    Port forwarding will work, but it has major downsides:

    1. It will draw the attention of bots
    2. It is secure as long as there are no security holes in OpenSSH (which is rare but has happened)
    3. You _must_ harden the SSH server by disabling password auth and putting it behind fail2ban

    There are far better and safer alternatives that I would recommend over exposing a raw port to the world.

    1. Tailscale
    2. Wireguard/OpenVPN
    • @Innominate8B
      17 months ago
      1. The bots are looking anyways.
      2. The other options being presented are various VPNs. OpenSSH has far more eyes on it, for much longer than any of the VPNs. Both generally run as root on the host and so have similar attack surfaces.
      3. Disabling password auth is less important than having good passwords, but is still a good idea since turning off passwords guarantees no bad passwords. Fail2ban provides no security.
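
Both replies turn on whether password login is really off. The check below is an added example, not part of the thread: it audits the effective settings printed by `sshd -T` rather than the config file, because a drop-in file or a still-enabled keyboard-interactive method can leave password prompts active. The function name and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the *effective* sshd
# settings enforce key-only login. Feed it the output of `sshd -T`.
# On a real host (needs root):  sshd -T | check_sshd_auth

# Reads "keyword value" lines on stdin, prints one line per finding,
# returns 0 when key-only login is enforced and 1 otherwise.
check_sshd_auth() {
    awk '
        # sshd -T prints each keyword in lower case followed by its value
        { opt[tolower($1)] = tolower($2) }
        END {
            bad = 0
            if (opt["pubkeyauthentication"] != "yes") {
                print "FAIL public key authentication is not enabled"; bad = 1
            }
            if (opt["passwordauthentication"] != "no") {
                print "FAIL password authentication is still enabled"; bad = 1
            }
            # Keyboard-interactive (usually PAM) can still ask for a password
            # even when PasswordAuthentication is "no". Older OpenSSH releases
            # print this option as challengeresponseauthentication.
            if ("kbdinteractiveauthentication" in opt)
                kbd = opt["kbdinteractiveauthentication"]
            else
                kbd = opt["challengeresponseauthentication"]
            # A missing value is treated as a failure, not as "off"
            if (kbd != "no") {
                print "FAIL keyboard-interactive authentication is still enabled"; bad = 1
            }
            if (!bad) print "OK only public key authentication is accepted"
            exit bad
        }'
}

# Constructed sample inputs in the format `sshd -T` prints.
SAMPLE_HARDENED='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

# Password auth disabled, but keyboard-interactive left on.
SAMPLE_PARTIAL='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes'

printf '%s\n' "$SAMPLE_HARDENED" | check_sshd_auth || true
printf '%s\n' "$SAMPLE_PARTIAL"  | check_sshd_auth || true
```

Run it again after every package upgrade or config change, since a new drop-in file can silently re-enable a password method.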