How to secure an open port for SSH

ssh security networking file-transfer port-forwarding

Solution 1:

i understand that I need to port forward in order to be able to access it, but then I have an open port and it is my understanding that it is more or less like an open door in the network, is this the case and do I need to worry about such a thing or is it more like assign the port and tell no one

Ports are assigned to individual processes--a process will listen on an IP and port, and any traffic received on that IP+port (that combination is called a socket) will go to that process.

So a port is an "open door" to a process.

It's not an open door into the network unless the process allows that access or gets tricked into allowing that access.

In your case, the process is (probably OpenSSH's) sshd - which does allow remote login, remote file access, and can potentially grant an attacker a lot of power over your system.

Ways to prevent your processes from doing more than they should if an attacker does something bad:

  • Is the process running with the least privilege possible? (sshd has to run as root because it allows login - so unfortunately you can't do much there)

  • Are you running the latest version/applying all security patches (make sure OpenSSH is updated and enable automatic updates)

  • Is the process configured securely? (for example, you should disallow root login from sshd.conf and consider using keys instead of passwords)

  • Are you monitoring the process to check for unusual activity (keep an eye on /var/log/auth.log and consider learning about and setting up fail2ban).

  • Are your passwords to login to the system secure and regularly changed?

Furthermore for sshd the following is a good idea:

  • Both SSH, as well as the common implementation OpenSSH, have been around a while and are extensively used. OpenSSH is developed by the OpenBSD project which has an excellent reputation for security. You can totally make it insecure if you don't configure it right, so study the configuration options.

  • Disable X forwarding and other features if not needed. You'll need to study all the options in the sshd.conf file.

  • Disable root login via password - it's best to disable root login entirely.

  • If you leave it running on the default port 22, you'll get a lot of automated password guesses by random IPs. Use a different port. If someone says this is "security by obscurity" - that's normally good advice but you're still better off using a different port.

  • Use keys instead of passwords. Most if not all SFTP/SCP clients will support keys.

Related

How to use Node packages without internet connection?
How does Windows News & Interests still work if Location services are turned off?
'ls' output doesn't show color anymore in macOS High Sierra
I'm on Linux and [application] isn't outputting any sound!!! I have my speakers connected, [other application] works fine, but not this one
Permission Denied on my raspberry pi transmission
NTP server, port not open
Vim keeps freezing/hanging when scrolling out of bounds
How to configure an IPP-driverless printer with static IP address in CUPS?
Why doesn't the option 'No auto-restart for scheduled Automatic Update installation' work?
Emacs : Jump to the next line with same indentation
Run missed cronjobs when computer turns on
Veracrypt encrypted file - how to expand the Volume