Is openssh-server safe on a local network? [closed]
Quick description of my situation:
2 home use computers, both connected to a standard AT&T router. Both computers get a 192.168.1.x
IP address from the router. I have no idea what the IP of the router is to the outside world, or how I would know how to determine it. I have a pretty standard AT&T fiber plan so I would suppose my router's IP to the outside world is DHCP, but I'm not 100% sure, and I'm not sure how I would check this. Both computers run a recent version of Ubuntu (also dual booted with Windows but I rarely use Windows).
I often need to do large file transfers from one computer to the other, and installing openssh-server
and using the scp
command seems to be the most efficient way so that's how I've been doing it. It's pretty straight forward to use the ifconfig
command to get the local IP of one machine and then scp
to move large amounts of files.
Both machines have a good sudo
password, including upper case chars, lower case chars, numbers, and special symbols and I don't use the password anywhere else so nobody else would know it and it would be exceptionally difficult to guess. I do have information on both computers that could be used to fake my identity.
As a general practice, when I'm done scp
ing stuff, I do sudo systemctl stop ssh
and sudo systemctl disable ssh
to turn off openssh server until the next time I need to do a transfer. I work with autonomous car datasets and they have gotten huge (the most recent Waymo and NuScenes sets are both ~500GB unzipped), so for some especially large transfers I leave ssh
enabled overnight.
So my question is, with installing openssh-server
(systemd
process name ssh
) and running as described above, am I taking any security risk? If so, what steps would be recommended to mitigate?
Solution 1:
As with all security questions the answer always depends on the threat profile you have to defend against...
But no, normally running SSH on 2 machines connected to a private LAN will not raise threat level to you as long as you have not enabled any port forwarding on the router to forward packets sent to the routers public IP address on port 22 to one of the machines.
Assuming that a modern Fibre plan also includes IPv6 support there is a slightly higher risk as it may be possible to reach machines via IPv6 depending on what the default firewall rules are on both the machines and the router.
To make things as safe as possible I would suggest the following steps.
- Disable password based login for ssh and generate a set of public/private keys to be used to authenticate ssh clients. This will prevent people from trying to brute force guesses at username/passwords.
- Enable a IPv6 Firewall to block all access that is not from a local machine (this might be either via Link-local addresses or if you get a fixed global prefix by limiting access to the prefix)
- Ensure that direct root access is disabled via SSH (nearly any default setup of SSH will already enforce this)