How to securely ssh into a machine at home over the internet

I will be travelling shortly, and I have a machine that runs a bunch of cron jobs etc. I need to log in remotely to check the results of the jobs run and to do some work on the machine.

Here are the salient facts:

  1. The machine to be connected (mothership) is running Ubuntu 14.0.4 LTS
  2. The mothership is connected to the internet via a LAN at home, so has a public-facing IP address.
  3. The IP address is dynamically assigned.
  4. I will be connecting to the mothership using a Laptop running Ubuntu 15.10

I prefer to use ssh rather than VNC, because of bandwidth problems - plus, all I need is the command line anyway.

What is the best way to securely connect remotely to my machine?


Your best bet is probably to run an SSH server on a non-default port, such as 2020. This prevents most attempts at brute force attacks from the web, as these bots tend to only look on default ports.

You are also going to need to assign the server a static IP address on the LAN, as it needs to be accessible at all times. You can set this in System Settings --> Network. To prevent IP address conflicts, it's also advisable that you tell your DHCP server (the router in most cases) that this IP address is taken. The method varies by model, but there should be an area somewhere in the router configuration that lets you reserve IP addresses.

The reason for the static IP is that you need to set up port forwarding in your router setup. This allows connections from port to your external IP to be routed to that port on your server.

If your public IP address is dynamic, which it probably is, you're going to want to set up some sort of dynamic DNS service. My recommendation for this service is No-IP. It gives you a free sub-domain that always points to your public IP. This setup does require the installation of a program on an always-on machine on your LAN (called the DUC, provided by No-IP).

Once you have the SSH server set up how you want, SSH to it by entering

ssh user@remotehostip -p XXX

or by using whatever SSH/SFTP client you prefer.

If any of these sections need more detailed instructions, comment and I'll add them in.

If anyone else has trouble following, here is a chat room that has further/more detailed steps: http://chat.stackexchange.com/rooms/37251/discussion-between-homunculus-reticulli-and-zacharee1


In addition to Zacharee1's answer, you should install either Fail2ban or DenyHosts (get the .deb from the Precise repos). You should not authenticate with keys if you are travelling. Use a "secure" password as well. Maybe set up a dedicated user account with reduced access for the times you don't need to be admin.

I would not touch the network settings on the server; the static IP can be assigned from the router. The router IP address should be the "gateway" address assigned in DHCP. In the cases where it is not (!) the default address should be written underneath it somewhere. If you have changed this, you should have left the last value alone. So if you have a class C home network the address will be a.b.c.x where a.b.c matches all your other IP addresses and x is the trailing value from your router sticker. The ISP should have help pages for that in any case.

When you use a non-standard port, avoid '22' as the final digits (8122, say). It leaves clues.

NB: You can access X-based applications over SSH without VNC, but that is another topic entirely.
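
Added example, not part of either answer: a small shell audit that checks an `sshd_config` against the advice given above (non-default port, no port ending in 22, logins limited to a dedicated account). The `PermitRootLogin` and `AllowUsers` checks are one assumed way to express the dedicated-account advice; the sample configs and the account name `remoteuser` are constructed.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config read on stdin.
# Prints one "FINDING:" line per issue and returns 1 if any were found.
audit_sshd() {
    awk '
    function finding(msg) { print "FINDING: " msg; bad = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    {
        line = $0; sub(/^[ \t]+/, "", line)
        key = tolower(line); sub(/[ \t=].*/, "", key)   # keywords are case-insensitive
        val = line; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
    }
    key == "match" { exit }                    # only the global section is audited
    key == "port" { ports[++n] = val }         # Port may appear more than once
    key == "permitrootlogin" && !rootset { root = tolower(val); rootset = 1 }  # first value wins
    key == "allowusers" { allow = 1 }
    END {
        if (n == 0) ports[++n] = "22"          # sshd listens on 22 when no Port is given
        for (i = 1; i <= n; i++) {
            if (ports[i] == "22") finding("listening on default port 22")
            else if (ports[i] ~ /22$/) finding("port " ports[i] " ends in 22")
        }
        if (root != "no") finding("PermitRootLogin is not set to no")
        if (!allow) finding("no AllowUsers line restricting logins to a dedicated account")
        exit bad + 0
    }'
}

# Constructed sample: a config with the weaknesses the answers mention.
sample_weak() {
    printf '%s\n' '# constructed sample' 'Port 8122' 'PermitRootLogin yes'
}

# Constructed sample that follows the answers; "remoteuser" is a hypothetical account.
sample_ok() {
    printf '%s\n' 'port 2020' 'PermitRootLogin no' 'AllowUsers remoteuser' \
        'Match User remoteuser' '    PermitRootLogin yes'
}

sample_weak | audit_sshd || true
sample_ok | audit_sshd && echo "no findings"
```

On a real server, `sshd -T | audit_sshd` (run as root) audits the effective configuration instead of a sample.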