SSHpringboard!

Posted on 2025-07-21

Being a self-hoster (is that even a name?), there are times when I have to do some maintenance or updates away from home. For this there's a standard tool and protocol in the form of SSH (Secure Shell), a network terminal protocol that encrypts all data passing between server and client.

SSH has come a long way since its introduction in 1995, and today there are multiple ways to securely connect to a server. For my setup, I've created a container that is exposed to the internet on an obfuscated port, which I use as the entry point for the rest of my servers, i.e. a jump server. Side note: the obfuscated port is not a security measure but rather a way to cut down the noise from automated port scanners, which usually target the standard SSH port 22.

As for the actual security measure, I've forced the use of key pairs for all users (that is, me, myself and I), so that there's no way for anyone to log in without having their public key authorized on the server. There's also fail2ban installed in case anyone tries to brute-force their way in (which, of course, isn't possible without a key anyway).

I usually use SSH from the CLI, even though there are popular graphical implementations such as PuTTY, so I thought I'd share how I've set up my workstation to use my entry point as a jump server to reach the other servers on the network.

First off, I've generated the key pair used for authentication. I do this on each workstation I want to reach my jump server from, and then copy the public key over to the server:

ssh-keygen -t ed25519 -a 256 -f $HOME/.ssh/id_ed25519
ssh-copy-id -i $HOME/.ssh/id_ed25519.pub -p <PORT> <USER>@<HOST>

Note that if you intend to connect to multiple remote servers, don't use the same key pair for all logins. Instead, create a separate key file for each purpose, for example codeberg_ed25519, chuggybumba_ed25519, etc.

The SSH daemon configuration is then (somewhat) hardened by disabling some default settings and forcing public key authentication. I took a backup of the configuration file and then created my own:

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cat <<EOF | sudo tee /etc/ssh/sshd_config > /dev/null
Port <PORT>
PermitRootLogin no
AllowUsers <USER> <USER> <etc>
AllowGroups ssh
MaxAuthTries 3
MaxSessions 2
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding no
ClientAliveInterval 300
ClientAliveCountMax 2
EOF

Some of these settings might be too restrictive for some (especially the keepalive timeout and the session count), but I'm usually multitasking using screen, so sessions are handled directly on the server. If you're curious about what all these settings do, I suggest you read the manual.

After the configuration file is saved, make sure you still have an SSH session logged in so that you can troubleshoot if needed, then restart the daemon:

sudo service sshd restart
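A quick way to verify that a server actually ended up with the settings above is to read them back out of the file the way sshd does (first occurrence of a keyword wins, anything after a Match line is conditional). The script below is an added example, not part of the original post: it audits an sshd_config against the post's checklist using only POSIX sh and awk. The sample configuration it writes to a temporary file is constructed for the demonstration and deliberately leaves PasswordAuthentication enabled so that one check fails; point the function at /etc/ssh/sshd_config to audit a real host.

```shell
#!/bin/sh
# Added example (not from the post): audit an sshd_config against the
# hardening settings applied in the post. POSIX sh + awk only.

# Constructed sample configuration (one setting intentionally wrong).
SAMPLE_CFG="${TMPDIR:-/tmp}/sshd_config.sample.$$"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sample, not a real server's file
Port 2222
PermitRootLogin no
AllowUsers alice
MaxAuthTries 3
PubkeyAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication no
X11Forwarding no
EOF

# effective_value FILE KEYWORD
# sshd uses the FIRST occurrence of a keyword, so print the first match.
# Keywords are case-insensitive; comments and blank lines are skipped, and
# parsing stops at the first Match block because settings after it are
# conditional and therefore not the global value.
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/                 { next }
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }
        tolower($1) == tolower(key)          { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per check; the return value is the number of failed checks.
audit_sshd_config() {
    cfg="$1"; failed=0
    # keyword=expected pairs mirroring the sshd_config from the post
    for pair in PermitRootLogin=no PubkeyAuthentication=yes \
                PasswordAuthentication=no KbdInteractiveAuthentication=no \
                X11Forwarding=no MaxAuthTries=3; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok    $key $got"
        else
            # an unset keyword falls back to sshd's built-in default, which
            # is not what we want for a hardened host, so it also fails
            echo "FAIL  $key is '${got:-not set}', expected '$want'"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

audit_sshd_config "$SAMPLE_CFG" || echo "$? check(s) failed"
```

Run it before restarting the daemon; on the real server `sudo sshd -t` additionally validates the syntax of the file so that a typo does not take the service down while your fallback session is still open.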

That takes care of the remote part; now we'll configure the local part. I want to be able to log on to my destination server with a simple command, without having to specify too many arguments on the command line.

To achieve this, I configure my SSH client like so:

cat <<EOF | tee $HOME/.ssh/config > /dev/null
Host jumpserver
    HostName <HOST OR IP>
    Port <PORT>
    User <USER>
    IdentityFile <IDENTITY FILE>

Host mastodon
    HostName <HOST OR IP>
    Port <PORT>
    User <USER>
    ProxyJump jumpserver
EOF

For my own convenience, I haven't hardened any of the unexposed SSH servers in my setup, so that they can be reached easily from the jump server.

Now I can connect to my (internal) server mastodon from the internet by simply running:

ssh mastodon
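To make it visible what that single command does, here is an added example (not code from the original post) that reads an ssh_config-style file, follows the ProxyJump chain for a host and prints the hops in the order the client connects through them. The config it writes to a temporary file is constructed for the demonstration (the hostnames, port and user name are made up), it only handles plain Host aliases without wildcards, and it assumes ProxyJump names another Host block from the same file; it also refuses a chain that loops back on itself.

```shell
#!/bin/sh
# Added example (not from the post): resolve the ProxyJump chain behind
# `ssh mastodon` from a client config file. POSIX sh + awk only.

# Constructed sample client config; values are made up for the example.
CLIENT_CFG="${TMPDIR:-/tmp}/ssh_config.sample.$$"
trap 'rm -f "$CLIENT_CFG"' EXIT
cat > "$CLIENT_CFG" <<'EOF'
Host jumpserver
    HostName jump.example.net
    Port 2222
    User alice
    IdentityFile ~/.ssh/jump_ed25519

Host mastodon
    HostName 10.0.0.5
    Port 22
    User alice
    ProxyJump jumpserver
EOF

# host_option FILE HOST KEYWORD
# Prints KEYWORD's value from the "Host HOST" block (exact alias match only,
# no wildcard patterns); prints nothing if the block or keyword is absent.
host_option() {
    awk -v host="$2" -v key="$3" '
        tolower($1) == "host"                  { inblock = ($2 == host); next }
        inblock && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# jump_chain FILE HOST
# Prints user@hostname:port for every hop, first hop first, like the
# argument list you would otherwise pass to ssh -J. Returns 1 on a loop.
jump_chain() {
    cfg="$1"; host="$2"; seen=""; chain=""
    while [ -n "$host" ]; do
        case " $seen " in
            *" $host "*) echo "ProxyJump loop at $host" >&2; return 1 ;;
        esac
        seen="$seen $host"
        hn=$(host_option "$cfg" "$host" HostName)
        hop="$(host_option "$cfg" "$host" User)@${hn:-$host}:$(host_option "$cfg" "$host" Port)"
        # prepend, so that the outermost jump host ends up first
        chain="$hop${chain:+ -> $chain}"
        host=$(host_option "$cfg" "$host" ProxyJump)
    done
    echo "$chain"
}

jump_chain "$CLIENT_CFG" mastodon
# -> alice@jump.example.net:2222 -> alice@10.0.0.5:22
```

With the real client, `ssh -G mastodon` prints the fully resolved options for a host (including proxyjump) without connecting, which is the quickest way to confirm the config file is picked up as intended.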

I hope you enjoyed this tiny tutorial, and if you've found anything to slap me on the wrist for, feel free to reach out to me on Mastodon.
