8
rstular
12d

Question for sysadmins:
I'm setting up a physical server for hosting my website(s) at my home. Do you recommend putting the SSH service behind a VPN (essentially the SSH server would listen on 192.168.1.0/24)?

Comments
  • 3
    Sounds like a good idea to me, you wouldn't only defeat the average script kiddie but also stop their scanners from flooding your log with shit.
    On the other hand, the VPN is only necessary if you need outside access to the SSH at all. Don't know if you do, but if not, just have your server listen on 192.168/16 and be done with it.
  • 3
    It's not quite necessary (as long as you don't use the password 'Pw123') but it won't harm you and is to be recommended.
  • 2
    It's said to be good practice to set up any maintenance access points behind a VPN. However, I don't bother setting up a VPN for SSH :) I don't care about logs being flooded and I use keys at least 2k long for login rather than a password. Haven't had any breaches yet.
  • 2
    It's usually fine to just change to a non-default port for SSH and apply even the basic security hardening for it. A quick Google for "SSH hardening guide" will be enough to cover it with the first 1-3 results, as the general practices are usually the same unless you have to set up really draconian security.

    However, having a VPN in place may provide other benefits ... like even if your IP at home suddenly changes or you suddenly move the PC to a completely different location, having it connected to a static, external VPN server as a client ensures that the targets in your proxy or other application/server configs won't have to change each time. You can always access the home server (as long as the internet connection or the home server hasn't gone down completely) without setting up some finicky Dynamic DNS that relies on an external service provider (nothing wrong if you already have something like this set up and working).
  • 1
    Please. For the sake of god.

    Don't use passwords.

    Generate a safe PW protected key.

    And then harden the SSH config.

    Disallow any interactive login except from the internal network.
    Disallow anything unneeded ...
    SSH has a lot of options; if they are configured, most insecure requests die in pre-auth.
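As an added illustration of the hardening the comments above describe (this is not code from the original thread), here is a small audit script that checks an sshd_config for the points raised: a listening address inside the home network, no password or keyboard-interactive logins in the global section, no root login, and any re-enabled interactive login confined to a `Match Address` block for the LAN. The parsing follows sshd_config semantics (keywords are case-insensitive, the first occurrence of a keyword wins, and directives after `Match` apply only within that block). The internal subnet 192.168.1.0/24 is the one from the question; the host address 192.168.1.10 and both sample configs are constructed for the example.

```python
"""Audit an sshd_config against the hardening points made in the thread.
Added example, not from the original post. INTERNAL_NET is the 192.168.1.0/24
from the question; 192.168.1.10 and the two sample configs are constructed."""
import ipaddress
import re

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed: a stock-looking config that listens everywhere and accepts passwords.
WEAK_CONFIG = """\
Port 22
ListenAddress 0.0.0.0
PermitRootLogin yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
"""

# Constructed: the hardened counterpart. Keys only, no root, socket bound to the
# LAN/VPN address, and password logins re-enabled only for the LAN via Match.
HARDENED_CONFIG = """\
Port 22
ListenAddress 192.168.1.10
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
X11Forwarding no

Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return [(scope, keyword, value)]: scope is None in the global section and
    the Match criteria string inside a Match block. Keywords are lower-cased
    (sshd treats them case-insensitively); comments and blank lines are dropped."""
    entries, scope = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = value
        else:
            entries.append((scope, key, value))
    return entries


def global_value(entries, key, default):
    """sshd uses the first occurrence of a keyword, so return the first one."""
    return next((v for s, k, v in entries if s is None and k == key), default)


def listen_host(value):
    """Strip an optional port from a ListenAddress value: IPv4[:port] or [IPv6]:port."""
    if value.startswith("["):
        return value[1:value.index("]")]
    host, sep, port = value.rpartition(":")
    return host if sep and port.isdigit() and ":" not in host else value


def confined_to_internal(net):
    return net.version == INTERNAL_NET.version and net.subnet_of(INTERNAL_NET)


def match_networks(criteria):
    """Networks named by an Address criterion of a Match line, or None when the
    block is not address-scoped or the pattern cannot be parsed (e.g. negations)."""
    tokens = criteria.split()
    for i in range(0, len(tokens) - 1, 2):
        if tokens[i].lower() == "address":
            try:
                return [ipaddress.ip_network(n, strict=False) for n in tokens[i + 1].split(",")]
            except ValueError:
                return None
    return None


def audit(text):
    """Return a list of findings; an empty list means the config passes."""
    entries = parse_sshd_config(text)
    findings = []

    listen = [v for s, k, v in entries if s is None and k == "listenaddress"]
    if not listen:
        findings.append("no ListenAddress: sshd listens on every interface")
    for value in listen:
        try:
            addr = ipaddress.ip_address(listen_host(value))
        except ValueError:
            findings.append(f"ListenAddress {value}: not a literal address, cannot verify")
            continue
        if addr not in INTERNAL_NET:
            findings.append(f"ListenAddress {value} is outside {INTERNAL_NET}")

    if global_value(entries, "permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin should be no")
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if global_value(entries, key, "yes").lower() != "no":  # sshd default is yes
            findings.append(f"{key} should be no in the global section")
    if global_value(entries, "pubkeyauthentication", "yes").lower() == "no":
        findings.append("PubkeyAuthentication must stay enabled")

    # Interactive logins may be re-enabled in a Match block, but only for the LAN.
    for scope, key, value in entries:
        if scope is None or value.lower() != "yes":
            continue
        if key in ("passwordauthentication", "kbdinteractiveauthentication"):
            nets = match_networks(scope)
            if not nets or not all(confined_to_internal(n) for n in nets):
                findings.append(f"Match '{scope}': {key} yes is not confined to {INTERNAL_NET}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "OK")
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())`, and syntax-check any edited config with `sshd -t` before restarting the daemon. The client-side key the comment asks for is created with `ssh-keygen -t ed25519`, which prompts for the passphrase that protects the private key on disk.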