Nitrokey/nextbox

Remote access with SSH

jerabaul29 opened this issue · 2 comments

I would like to enable full remote access through SSH on my Nextbox (in my case, the motivation is to allow automatic backup to - or rather, from - a remote server; I will also need it if I put a Nextbox at the home of some non-tech-savvy family members).

  • is it all safe and ready for that?
  • what would be the procedure? I guess forwarding port 22 on my router? Anything more to do? What SSH command would need to be issued then? Should I use some IP or host name provided by the DeSEC server?
  • any way to harden? I guess a simple, weak hardening would be to forward an unusual port number to port 22 to confuse people doing 'simple' scans? Anything else that may be doable?

Surely the NextBox is ready to open ssh to the wild (Internetz); I see no big issue here. Just as with every exposed machine, follow some basic rules:

  • stick to single port-forwarding, avoid opening ranges and avoid any unneeded open port
  • don't set a password for any user, neither for the nextuser nor for root (even though root-login is not permitted by config AFAIR)
  • using key-based authentication essentially makes you invulnerable to brute-force attacks
  • obfuscating the port away from port 22 to some other port is often done, no problem with that, but also no real added security
  • overall ssh is pretty safe; every exposed ssh server gets (10+) thousands of hits every day, and it's already pretty hard. There are some mechanisms to throttle logins, as an easy way to also avoid getting (accidentally) DoS-ed
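As an added example (not part of this thread or of the NextBox project), a small POSIX shell audit that checks an sshd_config against the rules listed above: no password login, no root login, key-based authentication, and throttled login attempts. Both configs are constructed samples, and the MaxAuthTries/LoginGraceTime thresholds are assumed "reasonable throttling" values, not NextBox defaults.

```shell
#!/bin/sh
# Constructed sample sshd_config fragments (not the NextBox's shipped config).
WEAK_CONFIG='Port 22
PasswordAuthentication yes
PermitRootLogin yes
MaxAuthTries 6'

HARDENED_CONFIG='Port 22
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
LoginGraceTime 20'

# sshd_setting CONFIG KEY: print the effective value of KEY, or "unset".
# sshd keywords are case-insensitive and the FIRST occurrence wins, so a
# later "PasswordAuthentication no" does not override an earlier "yes".
sshd_setting() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^[ \t]*#/ { next }
    tolower($1) == tolower(key) && !done { print $2; done = 1 }
    END { if (!done) print "unset" }'
}

# audit_sshd CONFIG: print one FINDING line per weak setting;
# exit status is the number of findings (0 = nothing to report).
# Thresholds for MaxAuthTries (<=3) and LoginGraceTime (<=30s) are assumptions.
audit_sshd() {
  _cfg="$1"; _n=0
  _pw=$(sshd_setting "$_cfg" PasswordAuthentication)
  [ "$_pw" = "no" ] || { echo "FINDING: PasswordAuthentication=$_pw (want no)"; _n=$((_n + 1)); }
  _root=$(sshd_setting "$_cfg" PermitRootLogin)
  case "$_root" in no|prohibit-password) ;; *) echo "FINDING: PermitRootLogin=$_root (want no)"; _n=$((_n + 1)) ;; esac
  _pub=$(sshd_setting "$_cfg" PubkeyAuthentication)   # unset = sshd default "yes"
  case "$_pub" in yes|unset) ;; *) echo "FINDING: PubkeyAuthentication=$_pub (want yes)"; _n=$((_n + 1)) ;; esac
  _tries=$(sshd_setting "$_cfg" MaxAuthTries)
  case "$_tries" in [1-3]) ;; *) echo "FINDING: MaxAuthTries=$_tries (want <=3)"; _n=$((_n + 1)) ;; esac
  _grace=$(sshd_setting "$_cfg" LoginGraceTime)
  case "$_grace" in [1-9]|[12][0-9]|30) ;; *) echo "FINDING: LoginGraceTime=$_grace (want <=30)"; _n=$((_n + 1)) ;; esac
  return "$_n"
}

audit_sshd "$WEAK_CONFIG" || echo "weak config: $? finding(s)"
audit_sshd "$HARDENED_CONFIG" && echo "hardened config: no findings"
```

Run it against the live file with `audit_sshd "$(cat /etc/ssh/sshd_config)"`; settings inside `Match` blocks are not evaluated by this simple parser.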

cleaning up, feel free to re-open