Is openssh-server safe on a local network?

Quick description of my situation:

2 home use computers, both connected to a standard AT&T router. Both computers get a 192.168.1.x IP address from the router. I have no idea what the IP of the router is to the outside world, or how I would know how to determine it. I have a pretty standard AT&T fiber plan so I would suppose my router's IP to the outside world is DHCP, but I'm not 100% sure, and I'm not sure how I would check this. Both computers run a recent version of Ubuntu (also dual booted with Windows but I rarely use Windows).

I often need to do large file transfers from one computer to the other, and installing openssh-server and using the scp command seems to be the most efficient way so that's how I've been doing it. It's pretty straight forward to use the ifconfig command to get the local IP of one machine and then scp to move large amounts of files.

Both machines have a good sudo password, including upper case chars, lower case chars, numbers, and special symbols and I don't use the password anywhere else so nobody else would know it and it would be exceptionally difficult to guess. I do have information on both computers that could be used to fake my identity.

As a general practice, when I'm done scping stuff, I do sudo systemctl stop ssh and sudo systemctl disable ssh to turn off openssh server until the next time I need to do a transfer. I work with autonomous car datasets and they have gotten huge (the most recent Waymo and NuScenes sets are both ~500GB unzipped), so for some especially large transfers I leave ssh enabled overnight.

So my question is, with installing openssh-server (systemd process name ssh) and running as described above, am I taking any security risk? If so, what steps would be recommended to mitigate?


Solution 1:

hardillb's answer just about covers it, but as for finding public and router ips, this command should show default gateway address (router ip) after "default via": ip route show default, and this for finding public ip: curl https://ipinfo.io/ip; echo. or you could just go to whatismyip.com. Good security practices from server fault answer:

To make things as safe as possible I would suggest the following steps.

  1. Disable password based login for ssh and generate a set of public/private keys to be used to authenticate ssh clients. This will prevent people from trying to brute force guesses at username/passwords.
  2. Enable a IPv6 Firewall to block all access that is not from a local machine (this might be either via Link-local addresses or if you get a fixed global prefix by limiting access to the prefix)
  3. Ensure that direct root access is disabled via SSH (nearly any default setup of SSH will already enforce this)