當您需要在家庭網路上向更大的網際網路開啟某些東西時，SSH隧道是一種足夠安全的方法嗎？

今天的問答環節是由SuperUser提供的，SuperUser是Stack Exchange的一個分支，是一個由社群驅動的問答網站分組。

問題

超級使用者讀者Alfred M.想知道他在連線安全方面的做法是否正確：

I have recently set up a **all server with a low end computer running debian with the aim to use it as a personal git repository. I have enabled ssh and was quite surprised at the promptness at which it suffered from brute force attacks and the like. Then I read that this is quite common and learned about basic security measures to ward off these attacks (lots of questi*** and duplicates on serverfault deal with it, see for instance this one or this one).

But now I am wondering if all this is worth the effort. I decided to set up my own server mostly for fun : I could just rely on third party soluti*** such as those offered by gitbucket.org, bettercodes.org, etc. While part of the fun is about learning about Internet security, I have not enough time to dedicate to it to become an expert and be almost certain that I took the correct prevention measures.

In order to decide if I will continue to play with this toy project, I would like to know what I really risk in doing so. For instance, in what extent are the other computers connected to my network threaten as well? Some of these computer are used by people with even lesser knowledge than mine running Windows.

What is the probability that I get into real trouble if I follow basic guidelines such as strong password, disabled root access for ssh, non standard port for ssh and possibly disabling password login and using one of fail2ban, denyhosts or iptables rules?

Put another way, is there some big bad wolves I should fear or is it all mostly about shooing away script kiddies?

阿爾弗雷德應該堅持第三方解決方案，還是他的DIY解決方案是安全的？

答案

超級使用者撰稿人菲德勒溫向阿爾弗雷德保證，這是非常安全的：

IMO SSH is one of the safest things to have listen on the open internet. If you’re really concerned have it listen on a non-standard high end port. I’d still have a (device level) firewall between your box and the actual Internet and just use port forwarding for SSH but that’s a precaution against other services. SSH itself is pretty damn solid.

I have had people hit my home SSH server occasionally (open to Time Warner Cable). Never had an actual impact.

另一位撰稿人Stephane強調了進一步保護SSH是多麼容易：

Setting up a public key authentication system with SSH is really trivial and takes about 5 minutes to setup.

If you force all SSH connection to use it, then it’ll make your system pretty much as resilient as you can hope to without investing a LOT into security infrastructure. Frankly, it’s so simple and effective (as long as you don’t have 200 accounts – then it gets messy) that not using it should be a public offense.

最後，Craig Watson提供了另一個最小化入侵嘗試的技巧：

I also run a personal git server that’s open to the world on SSH, and I also have the same brute-force issues as you, so I can sympathise with your situation.

TheFiddlerWins has already addresses the main security implicati*** of having SSH open on a publicly-accessible IP, but best tool IMO in resp***e to brute-force attempts is Fail2Ban – software that monitors your authentication log files, detects intrusion attempts and adds firewall rules to the machine’s localiptables firewall. You can configure both how many attempts before a ban and also the length of the ban (my default is 10 days).

有什麼要補充的解釋嗎？在評論中發出聲音。想從其他精通技術的Stack Exchange使用者那裡瞭解更多答案嗎？在這裡檢視完整的討論主題。