I am using several RPi's on my router, which have port forwarding for port 22 out into the evil internet. When I connect to the RPi using OpenSSH (PowerShell: ssh username@ip-address -p 12345) it prompts for a password for the raspberry user.

The password contains small and capital letters, numbers and symbols and has 15+ characters.

Question:

How secure is that method of logging in and if it is poor, how can I secure it in the right way?

The RPi has full access to all the network devices in my home, including drives with sensitive data. That's why it is really important to be safe.


Solution 1:

That is moderately secure, but you can do much better. The limits of your current solution include requiring vigilance to protect against MITM attacks, a single layer of protection, and exposing the fact that you are running multiple SSH targets behind your box. Your security is also limited to the strength of your password - although that looks OK on the surface, there are plenty of vulnerable long passwords, and if your password is compromised through any means it's game over.

If you migrate from using a password to a key-based setup and use a password/passphrase to secure your private key, you will have a more secure setup.

If you want to further bolster security, the "gold standard" would be to run a VPN on your router, and for you to log in over the VPN (again with a public/private or shared key system) before logging in over SSH across the VPN. This would eliminate the port forwarding and the advertising that SSH is running to the wider world, while providing an extra layer of protection.

Adding a firewall that only allows connections from RFC 1918 (private) addresses - so only across the VPN - will provide another layer of security and further curtail the risk of MITM attacks.

I would comment that using port 12345 instead of port 22 provides only minimal protection - anyone port scanning your IP would be able to find that you have multiple instances of OpenSSH exposed.
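As an added example (not part of the original answer), a small POSIX shell audit of an sshd_config for the key-only login settings the answer recommends, plus the hardened fragment to apply on the RPi; the sample config, its path and the option values are constructed for illustration.

```shell
#!/bin/sh
# Added example: check whether an sshd_config still permits password logins
# and print the key-only fragment that replaces them. Assumes plain OpenSSH
# option syntax; the sample file below is constructed, not a real host's config.

# Print the effective value of an option. sshd uses the first uncommented
# occurrence, so stop at the first match; also stop at a Match block, since
# options below it apply only to that block. Prints nothing if unset.
sshd_get() {  # sshd_get <file> <Option>
  awk -v key="$2" '
    tolower($1) == "match"        { exit }
    tolower($1) == tolower(key)   { print $2; exit }
  ' "$1"
}

# Return 0 when passwords are disabled and keys enabled, 1 otherwise.
# An unset PasswordAuthentication defaults to "yes" in OpenSSH, so an empty
# value counts as weak.
sshd_is_key_only() {  # sshd_is_key_only <file>
  pw=$(sshd_get "$1" PasswordAuthentication)
  pk=$(sshd_get "$1" PubkeyAuthentication)
  [ "${pw:-yes}" = "no" ] && [ "${pk:-yes}" = "yes" ]
}

# The fragment that implements "key-based setup" from the answer. The RFC 1918
# restriction the answer mentions belongs on the firewall, not in this file.
sshd_hardened_fragment() {
  cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
# keyboard-interactive is another password path; older name still accepted
ChallengeResponseAuthentication no
PermitRootLogin no
EOF
}

# Stand-alone demo on a constructed "before" config (weak: passwords allowed).
demo_cfg=$(mktemp)
printf '%s\n' '#PasswordAuthentication no' 'Port 12345' \
              'PasswordAuthentication yes' > "$demo_cfg"
if sshd_is_key_only "$demo_cfg"; then echo "key-only: ok"; else echo "passwords still allowed"; fi
sshd_hardened_fragment > "$demo_cfg"   # apply the fix to the sample file
sshd_is_key_only "$demo_cfg" && echo "after hardening: key-only: ok"
rm -f "$demo_cfg"
```

On a real Pi the fragment goes into /etc/ssh/sshd_config (or a drop-in under sshd_config.d/) only after your public key is in ~/.ssh/authorized_keys and a key login has been confirmed from a second session, so you do not lock yourself out.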