How to securely ssh into a machine at home over the internet
Solution 1
Your best bet is probably to run an SSH server on a non-default port, such as 2020. This prevents most attempts at brute force attacks from the web, as these bots tend to only look on default ports.
You are also going to need to assign the server a static IP address on the LAN, as it needs to be accessible at all times. You can set this in System Settings --> Network. To prevent IP address conflicts, it's also advisable that you tell your DHCP server (the router in most cases) that this IP address is taken. The method varies by model, but there should be an area somewhere in the router configuration that lets you reserve IP addresses.
The reason for the static IP is that you need to set up port forwarding in your router setup. This allows connections to a port on your external IP to be routed to that port on your server.
If your public IP address is dynamic, which it probably is, you're going to want to set up some sort of dynamic DNS service. My recommendation for this service is No-IP. It gives you a free sub-domain that always points to your public IP. This setup does require the installation of a program on an always-on machine on your LAN (called the DUC, provided by No-IP).
Once you have the SSH server set up how you want, SSH to it by entering
ssh user@remotehostip -p XXX
or by using whatever SSH/SFTP client you prefer.
If any of these sections need more detailed instructions, comment and I'll add them in.
If anyone else has trouble following, here is a chat room that has further/more detailed steps: http://chat.stackexchange.com/rooms/37251/discussion-between-homunculus-reticulli-and-zacharee1
Solution 2
In addition to Zacharee1's answer, you should install either Fail2ban or DenyHosts (get the .deb from the Precise repos). You should not authenticate with keys if you are travelling. Use a "secure" password as well. Maybe set up a dedicated user account with reduced access for the times you don't need to be admin.
I would not touch the network settings on the Server, the static IP can be assigned from the router. The router ip address should be the "gateway" address assigned in DHCP. In the cases where it is not (!) the default address should be written underneath it somewhere. If you have changed this, you should have left the last value alone. So if you have a class C home network the address will be a.b.c.x where a.b.c matches all your other ip addresses and x is the trailing value from your router sticker. The ISP should have help pages for that in any case.
When you use a non-standard port, avoid '22' as the final digits (8122, say). It leaves clues.
NB: you can access X based applications over SSH without VNC, another topic entirely.
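Both answers boil down to a handful of sshd settings (a non-default port that does not end in 22, no root login, and, per the comments, key-only authentication). The following audit script is an added example, not code from either answer; the sshd_config it checks is a constructed sample, and the helper names are my own.

```shell
# Added example, not from either answer: audit an sshd_config against the advice
# on this page. The sample config below is constructed, not from any real host.
SAMPLE_SSHD_CONFIG=$(cat <<'EOF'
# constructed sample, not taken from any real host
Port 8122
PermitRootLogin yes
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF
)

# sshd_config_value FILE KEY: effective value of KEY. Like sshd, the first
# uncommented occurrence wins and keywords are case-insensitive. Prints "unset"
# when the file never sets KEY, except Port, whose built-in default is 22.
sshd_config_value() {
    v=$(grep -i -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}')
    if [ -z "$v" ]; then
        if [ "$2" = Port ]; then v=22; else v=unset; fi
    fi
    printf '%s\n' "$v"
}

# audit_sshd_config FILE: one line per finding; returns 0 only if all checks pass.
audit_sshd_config() {
    rc=0
    port=$(sshd_config_value "$1" Port)
    root=$(sshd_config_value "$1" PermitRootLogin)
    pw=$(sshd_config_value "$1" PasswordAuthentication)
    if [ "$port" = 22 ]; then
        echo "FAIL: Port 22 is the default that scanning bots try first"; rc=1
    fi
    case "$port" in
        *22) echo "WARN: port $port ends in 22, which leaves a clue" ;;
    esac
    if [ "$root" != no ]; then
        echo "FAIL: PermitRootLogin is $root (set it to no)"; rc=1
    fi
    if [ "$pw" != no ]; then
        echo "FAIL: PasswordAuthentication is $pw (use keys only, set it to no)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 follows the recommendations on this page"
    return "$rc"
}

# Stand-alone demo: audit the constructed sample (expected: two FAILs, one WARN).
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$demo_file"
audit_sshd_config "$demo_file" || true   # non-zero exit is the expected finding
rm -f "$demo_file"
```

On a live host, run it against /etc/ssh/sshd_config, or better against the output of `sshd -T`, which prints the effective configuration with defaults and Match blocks resolved.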
Homunculus Reticulli
Updated on September 18, 2022
Comments
- Homunculus Reticulli (over 1 year):
I will be travelling shortly, and I have a machine that runs a bunch of cron jobs etc. I need to log in remotely to check the results of the jobs run and to do some work on the machine.
Here are the salient facts:
- The machine to be connected (mothership) is running Ubuntu 14.0.4 LTS
- The mothership is connected to the internet via a LAN at home, so has a public facing IP address.
- The IP address is dynamically assigned.
- I will be connecting to the mothership using a Laptop running Ubuntu 15.10
I prefer to use ssh rather than VNC, because of bandwidth problems - plus, all I need is the command line anyway.
What is the best way to securely connect remotely to my machine?
- Mostafa Ahangarha (about 8 years): SSH is secure. What is your problem with it?
- TheWanderer (about 8 years): VNC is graphical remote control. Do you mean VPN?
- TheWanderer (about 8 years): @techraf ah, I get it. I sent an approval vote
- Braiam (about 8 years): Just read a good guide, there's a bettercrypto section dedicated to ssh out there. And disable password log in!
- Oliphaunt (about 8 years): From the chat, I see you thought of authentication with passphrases instead of passwords. What you might look into is to allow private/public-key authentication only.
- Homunculus Reticulli (about 8 years): +1 Thanks @Zacharee1 for the prompt response. I have registered a domain for my purpose, using no-ip. I have followed all the steps. The last step is where I'm at a loss: setting up router for port forwarding. I could do with some help in this area if possible. Thanks
- TheWanderer (about 8 years): @HomunculusReticulli What's your router model?
- Homunculus Reticulli (about 8 years): Also, I can't see where/how to assign the static IP address. I am using Ubuntu Trusty Tahr
- Wilf (about 8 years): @HomunculusReticulli - routers differ a lot in this area but generally it should be easy to find in the router's settings (using the web interface by entering the address of the router in a browser etc)
- Homunculus Reticulli (about 8 years): I'm based in the UK, it's a router supplied by the local ISP - although I'm sure it's a generic clone. The router just has the label 'Plusnet' which is the name of the ISP
- Wilf (about 8 years): Also are you talking about setting a static global IP or on the local network?
- Homunculus Reticulli (about 8 years): @Wilf: I'm not sure, I was just following the advice from Zacharee1. I think I want a static external IP address though
- TheWanderer (about 8 years): @HomunculusReticulli No, static LAN address for your server
- TheWanderer (about 8 years): No-IP is there because you have a dynamic external address
- TheWanderer (about 8 years): @HomunculusReticulli you need to connect to the router through a browser on the local network
- Homunculus Reticulli (about 8 years): @Zacharee1, I can't find the router homepage (it used to be 192.168.1.1), is there a way to find out what it is? Also, my understanding is this - I don't need to worry about a static IP address on my LAN if I use the services provided by no-ip. Is my understanding correct?
- TheWanderer (about 8 years): No-IP merely points to your public IP address. Your IP address for the server needs to be static, since it's a connection between the router and server, not the internet.
- TheWanderer (about 8 years): What is the server's current IP address?
- Homunculus Reticulli (about 8 years): @Zacharee1 you mean the public facing IP address? Is it safe/advisable to publish it on here?
- TheWanderer (about 8 years): No, LAN IP of your "mothership" as you call it.
- Homunculus Reticulli (about 8 years): Let us continue this discussion in chat.
- leftaroundabout (about 8 years): "prevents most attempts at brute force attacks from the web" – yeah... I have to say it's actually somewhat entertaining to monitor thousands of futile attempts to log in as root (which of course you should never allow).
- Homunculus Reticulli (about 8 years): Could you please explain your comment: "You should not authenticate with keys if you are travelling." This goes against everything I have read so far. What is the reason behind you saying that?
- Admin (about 8 years): Why should one not authenticate with keys when travelling? Authentication does not care if you are travelling or not.
- Admin (about 8 years): @Zacharee1 Is it possible to set up port forwards in iptables instead of the router?
- TheWanderer (about 8 years): @BharadwajRaju only if your computer is set up as the router (has an interface connecting to the modem and another to the LAN).
- Admin (about 8 years): @Zacharee1 How do I set that up?
- TheWanderer (about 8 years): @BharadwajRaju that isn't something I can explain in a comment. Look up how to set an Ubuntu computer up as a router, and you will find something
- mckenzm (about 8 years): You have not crossed a border lately? Nor ever lost a phone? Your keys will be shared. The same applies to certificates. Install one on an internet cafe machine at your risk. Keys provide instant access without a password; the client should be secured, not in your back pocket.
- alper (almost 3 years): Seems noip.com does not open