In a previous article I talked about how I safely opened an SSH port into my home network and server. This is one of those things you had better get right. If you don’t, you’ve opened yourself up to all sorts of breaches and hacks. The fact is that most homes don’t have strong networks or network separation. If an intruder gets onto the network, there is little to stop them.
I have a spare Raspberry Pi sitting around, and the idea came to me last weekend. Why don’t I use that as my SSH server that is open to the Internet? If someone breaks into it, then no harm, no foul.
- Choose a port other than 22 for SSH traffic.
- On the Raspberry Pi set it up to receive SSH traffic
- Install Google Authenticator
- Require the Google Authenticator code before the password
- Enable SSH key override
- On the Raspberry Pi set it up to communicate with other servers
- The “other” servers should only accept traffic with SSH keys
- On the Raspberry Pi encrypt the key so you have to use a password to use it
- Make sure no other servers, laptops, desktops, etc allow remote access in your network.
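A checker for the list above, as an added example rather than the author's own setup: it reads sshd_config text for the Pi or for an internal server and reports which checklist items fail, and it checks that the authenticator module is listed before the password stack in the PAM file. The role names, the sample config, and the `@include common-auth` line (the Debian/Raspberry Pi OS convention in /etc/pam.d/sshd) are assumptions.

```python
# Added example, not the author's code. Role names and sample input are assumed.
DEFAULTS = {"usepam": "no", "passwordauthentication": "yes",   # OpenSSH built-in
            "pubkeyauthentication": "yes", "kbdinteractiveauthentication": "yes"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective(config_text):
    """Return (settings, ports) for the global section of an sshd_config."""
    seen, ports = {}, []
    for raw in config_text.splitlines():
        parts = raw.strip().replace("=", " ").split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":                 # conditional blocks are not audited
            break
        if key == "port":                  # Port may be given more than once
            ports.append(parts[1])
        else:                              # otherwise the first value wins
            seen.setdefault(key, parts[1].lower())
    return {**DEFAULTS, **seen}, ports or ["22"]

def audit(config_text, role):
    """Findings for role 'bastion' (the Pi); any other role is an internal server."""
    cfg, ports = effective(config_text)
    findings = []
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("public-key login is disabled")
    if role == "bastion":
        if "22" in ports:
            findings.append("listening on port 22")
        if cfg["usepam"] != "yes" or cfg["kbdinteractiveauthentication"] != "yes":
            findings.append("PAM prompt for the authenticator code is off")
    else:
        for key in ("passwordauthentication", "kbdinteractiveauthentication"):
            if cfg[key] != "no":
                findings.append(key + " still allows non-key login")
    return findings

def code_before_password(pam_text):
    """True if the authenticator module is listed before the password stack."""
    lines = [l.strip() for l in pam_text.splitlines() if not l.lstrip().startswith("#")]
    ga = [i for i, l in enumerate(lines) if "pam_google_authenticator.so" in l]
    pw = [i for i, l in enumerate(lines) if l.startswith("@include common-auth")]
    return bool(ga and pw) and ga[0] < pw[0]

if __name__ == "__main__":   # constructed sample: an internal server's config
    print(audit("PasswordAuthentication no\nUsePAM yes\n", "internal"))
```

The sample shows the case that is easy to miss on the internal servers: turning off `PasswordAuthentication` alone still leaves the keyboard-interactive prompt available, so the audit reports it.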
This whole effort is based on creating a single, small access point that is hard to get into and that still requires more security to talk to other distinct points on your network. If someone was able to gain access to my Raspberry Pi, they would still have to do the following to get to my main server:
- Provide the password that unlocks the encrypted SSH key
- Provide a password for my account
- Provide two-factor authentication with my Google Authenticator
It’s an entry courtyard with another full set of security checks behind it. And to top it off, I’ve got the Raspberry Pi being monitored, so any successful or failed access attempt sends a message to my phone.
If this all sounds complicated, it is. My skills in this area are not novice but definitely not at the expert level. If you don’t have to open your home network, then don’t. I only did this because there are things I want to be able to get to.