Is openssh-server safe on a local network? [closed]

Quick description of my situation:

2 home use computers, both connected to a standard AT&T router. Both computers get a 192.168.1.x IP address from the router. I have no idea what the IP of the router is to the outside world, or how I would know how to determine it. I have a pretty standard AT&T fiber plan so I would suppose my router's IP to the outside world is DHCP, but I'm not 100% sure, and I'm not sure how I would check this. Both computers run a recent version of Ubuntu (also dual booted with Windows but I rarely use Windows).

I often need to do large file transfers from one computer to the other, and installing openssh-server and using the scp command seems to be the most efficient way so that's how I've been doing it. It's pretty straightforward to use the ifconfig command to get the local IP of one machine and then scp to move large amounts of files.

Both machines have a good sudo password, including upper case chars, lower case chars, numbers, and special symbols and I don't use the password anywhere else so nobody else would know it and it would be exceptionally difficult to guess. I do have information on both computers that could be used to fake my identity.

As a general practice, when I'm done scping stuff, I do sudo systemctl stop ssh and sudo systemctl disable ssh to turn off openssh server until the next time I need to do a transfer. I work with autonomous car datasets and they have gotten huge (the most recent Waymo and NuScenes sets are both ~500GB unzipped), so for some especially large transfers I leave ssh enabled overnight.

So my question is, with installing openssh-server (systemd process name ssh) and running as described above, am I taking any security risk? If so, what steps would be recommended to mitigate?


Solution 1:

As with all security questions, the answer always depends on the threat profile you have to defend against...

But no, normally running SSH on 2 machines connected to a private LAN will not raise the threat level to you as long as you have not enabled any port forwarding on the router to forward packets sent to the router's public IP address on port 22 to one of the machines.

Assuming that a modern Fibre plan also includes IPv6 support, there is a slightly higher risk as it may be possible to reach machines via IPv6 depending on what the default firewall rules are on both the machines and the router.

To make things as safe as possible I would suggest the following steps.

  1. Disable password-based login for ssh and generate a set of public/private keys to be used to authenticate ssh clients. This will prevent people from trying to brute force guesses at username/passwords.
  2. Enable an IPv6 firewall to block all access that is not from a local machine (this might be either via link-local addresses or, if you get a fixed global prefix, by limiting access to the prefix).
  3. Ensure that direct root access is disabled via SSH (nearly any default setup of SSH will already enforce this).
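
One way to verify steps 1 and 3 of the answer above on either machine, as an added example that is not part of the original answer: the functions below audit text in the format printed by `sshd -T` (OpenSSH's effective-configuration dump). The function names and both sample configurations are constructed for illustration; the check on `kbdinteractiveauthentication` goes slightly beyond the answer, because PAM keyboard-interactive prompts can still accept passwords when only `PasswordAuthentication` is turned off.

```shell
#!/bin/sh
# Added example: audit effective sshd settings (keys only, no root password login).
# Input format: lowercase "keyword value" lines, as printed by `sshd -T`.

# Constructed sample: password login still enabled.
SAMPLE_DEFAULT='port 22
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'

# Constructed sample: after disabling password login.
SAMPLE_HARDENED='port 22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

# get_opt CONFIG KEYWORD -> prints the value on the first matching line.
get_opt() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }'
}

# want_opt CONFIG KEYWORD WANTED -> prints a FAIL line and returns 1 on mismatch.
# A keyword missing from the input is reported as "unset" and fails.
want_opt() {
    got=$(get_opt "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FAIL $2: want '$3', got '${got:-unset}'"
    return 1
}

# audit_sshd CONFIG -> prints findings (or OK); returns 1 if anything failed.
audit_sshd() {
    rc=0
    want_opt "$1" passwordauthentication no || rc=1
    want_opt "$1" kbdinteractiveauthentication no || rc=1
    want_opt "$1" pubkeyauthentication yes || rc=1
    case "$(get_opt "$1" permitrootlogin)" in
        no|prohibit-password|without-password|forced-commands-only) ;;
        *) echo "FAIL permitrootlogin: root password login not ruled out"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK"
    return "$rc"
}

# Real use on a machine: audit_sshd "$(sudo sshd -T)"
audit_sshd "$SAMPLE_DEFAULT" || true
```

Auditing `sshd -T` output rather than `/etc/ssh/sshd_config` itself picks up defaults and any included drop-in files, so the result reflects what the running configuration would actually enforce.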