Setup SSH server using home cable/DSL modem

I have seen some risky SSH/Remote Desktop home setup of embedded systems such as the Raspberry Pi or other devices used in remote work or hobbies. The tips below do not imply a “secure” SSH home server setup, but may be better than not taking any security measures at all. While it’s obvious that startup companies running SSH/Remote Desktop servers at home or work should be very concerned about infiltration and IP theft, the average home user with a Raspberry Pi SSH server can be hacked too. The Raspberry Pi can become a launching pad for vulnerabilities on the laptops, tablets, phones, IP cameras, etc. in the home.

VPN

If you have a standalone hardware firewall such as pfSense / opnSense that has a built-in VPN server, consider using that as a first line of defense for devices behind the firewall.

Port forwarding

Typical home internet “modems” for cable, DSL, fiber, etc. have the ability to port forward a public-facing port to a specific LAN IP and port. This doesn’t add any security, but is a way to provide a known “place” to connect to from the outside world. Even without static home IPs, many ISPs have the same client modem public IP addresses for months. On the LAN, be sure to assign a fixed IP for the device, as DHCP servers will often assign a new LAN IP to the device.

SSH hardening

SSH server hardening is an extensive topic. At the bare minimum:

  • do not allow password-based login
  • allow only public key authentication
  • make distinct remote login ID that is non-sudo enabled
  • strongly suggest using IP range allow-lists