Server SSH Security – How to Securely SSH into a Machine at Home Over the Internet

Tags: remote access, security, server, ssh, vnc

I will be travelling shortly, and I have a machine that runs a bunch of cron jobs etc. I need to log in remotely to check the results of the jobs run and to do some work on the machine.

Here are the salient facts:

  1. The machine to be connected (mothership) is running Ubuntu 14.0.4 LTS
  2. The mothership is connected to the internet via a LAN at home, so has a public facing IP address.
  3. The IP address is dynamically assigned.
  4. I will be connecting to the mothership using a Laptop running Ubuntu 15.10

I prefer to use ssh rather than VNC, because of bandwidth problems – plus, all I need is the command line anyway.

What is the best way to securely connect remotely to my machine?

Best Answer

Your best bet is probably to run an SSH server on a non-default port, such as 2020. This prevents most attempts at brute force attacks from the web, as these bots tend to only look on default ports.

You are also going to need to assign the server a static IP address on the LAN, as it needs to be accessible at all times. You can set this in System Settings --> Network. To prevent IP address conflicts, it's also advisable that you tell your DHCP server (the router in most cases) that this IP address is taken. The method varies by model, but there should be an area somewhere in the router configuration that lets you reserve IP addresses.

The reason for the static IP is that you need to set up port forwarding in your router setup. This allows connections to a port on your external IP to be routed to that port on your server.

If your public IP address is dynamic, which it probably is, you're going to want to set up some sort of dynamic DNS service. My recommendation for this service is No-IP. It gives you a free sub-domain that always points to your public IP. This setup does require the installation of a program on an always-on machine on your LAN (called the DUC, provided by No-IP).

Once you have the SSH server set up how you want, SSH to it by entering

ssh user@remotehostip -p XXX

or by using whatever SSH/SFTP client you prefer.

If any of these sections need more detailed instructions, comment and I'll add them in.

If anyone else has trouble following, here is a chat room that has further/more detailed steps: http://chat.stackexchange.com/rooms/37251/discussion-between-homunculus-reticulli-and-zacharee1
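An added example, not part of the original answer: a shell check to run against the server's sshd_config before enabling the router's port forward. It reports when sshd still listens on port 22 (the answer's point) and, going beyond the answer, when password logins are still enabled; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config before exposing sshd through port forwarding.
# Assumes a single config file (no Include directives); checks the global section only.

# Print every global Port value (sshd listens on all of them); default is 22.
sshd_ports() {
    awk '
        { sub(/[ \t]*=[ \t]*/, " ") }           # accept "Port=2020" as well
        /^[ \t]*#/ { next }                      # skip comment lines
        tolower($1) == "match" { exit }          # Match blocks cannot set Port
        tolower($1) == "port" { print $2; n++ }
        END { if (!n) print 22 }
    ' "$1"
}

# Print the first global value of keyword $2 (sshd uses the first one), else default $3.
sshd_setting() {
    awk -v key="$2" -v def="$3" '
        { sub(/[ \t]*=[ \t]*/, " ") }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { val = $2; found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# One line per finding; prints nothing when the file passes both checks.
sshd_findings() {
    for p in $(sshd_ports "$1"); do
        if [ "$p" = 22 ]; then
            echo "FINDING: sshd listens on default port 22"
        fi
    done
    pw=$(sshd_setting "$1" PasswordAuthentication yes)   # OpenSSH default is yes
    if [ "$pw" != no ]; then
        echo "FINDING: PasswordAuthentication is '$pw'; prefer key-only logins"
    fi
    return 0
}

# Constructed sample configs, not taken from the page.
tmp=$(mktemp -d)
printf '%s\n' '# stock-style' 'Port 22' '#PasswordAuthentication yes' > "$tmp/weak"
printf '%s\n' 'port 2020' 'PasswordAuthentication no' > "$tmp/hardened"
sshd_findings "$tmp/weak"
sshd_findings "$tmp/hardened"
```

On the server itself, `sudo sshd -T` prints the effective configuration and is the authoritative source; this script is for reviewing a file offline.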
