by lmm 4867 days ago
The whole point of ssh is to be able to log into one's machine from elsewhere on the wide internet. I find it's precisely when I'm somewhere public (i.e. coffee shop or public transport wifi) that I want access to my home machine - on my work machine (i.e. in the office) anything I need is already there. If you don't need it to be publicly accessible, why would you be running sshd at all?

Before I can respond to that, I think there's a misunderstanding about what "public service" means. HTTP is a public service: you open it up to the world, and want anyone to be able to connect to it. It is intended and hoped that as many people use it as possible. If your website is slashdotted, then that's GREAT! In contrast, I don't want 100000 people to try logging in over SSH to my private server. To put it another way, SSH is only a public service in the cases of:

  * CVS over SSH
  * rsync over SSH
  * Commercial SSH tunnels
Logging into my authoritative nameserver over SSH, however, is not a public service. And since it's not a public service -- that is, intended for the public -- I don't treat it like one.

If you're trying to tell the rest of us something you're going to have to be more concrete. So you "don't treat it like a public service". Great. What does that actually mean? ("I don't make it accessible on a public port from the public internet" was the most obvious technical interpretation, but it sounds like you didn't mean that)

You could block all but whitelisted IPs at your firewall, then get a VPN and add the endpoint IP to your whitelist. This way ssh (and anything else you don't want the public to access) is protected from random drive-bys, but you can still get to it from pretty much anywhere.

VPNs are a good idea in general if you are doing anything from a public access point that involves logging in.

As far as I can tell, SSH is my VPN. What would I get from a VPN that I don't get with SSH? And whatever VPN solution I used would still have to offer me a way to log in to the VPN from random public IPs, on a standardized port (or via some standardized discovery mechanism) - so I don't see how it could possibly be any more secure.

To get back to the point of the original article: ssh does not protect your server from getting hit by drive-by ssh login attempts.

In terms of security in depth, VPN provides another layer. If someone gets your VPN credentials, all they've done is given themselves a new endpoint, not gained access to any of your stuff.

VPN also protects web surfing, which ssh does not.

>In terms of security in depth, VPN provides another layer. If someone gets your VPN credentials, all they've done is given themselves a new endpoint, not gained access to any of your stuff.

One strong layer is better than two weak ones. If you're willing to remember 20 characters, a 20 character ssh password is much safer against these brute force attacks than 10 character VPN password + 10 character ssh password.

(as for non-bruteforce attacks, if someone compromises the VPN software they now have access to your home box without needing a second attack, so it comes down to whether the VPN software is more or less likely than SSH to have bugs - and my impression is that the SSH codebase is possibly the most thoroughly audited in the world)

>VPN also protects web surfing, which ssh does not.

Non-https traffic is going to be unencrypted over the open internet anyway, so I see no harm in it being unencrypted on the cafe network. (And if you're worried about being under surveillance, routing all your traffic via your home internet connection makes that easier than using a variety of public access points).

I meant a commercial VPN service. I agree that if you're just VPNing into the same box that is running ssh, it's no more secure than ssh by itself.

With the commercial VPN service, you run your own server exactly the same way as before, but restrict ssh access to only your VPN endpoint IP. Now your attack surface is way way smaller. (And your ssh logs are nice and clean.)
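The firewall allowlist described in the two comments above (only the VPN endpoint's IP may open SSH connections; everything else is dropped), written out as an added example that is not from the thread or from any commenter. It prints iptables commands rather than applying them, so it can be reviewed first and run without root; the endpoint address 203.0.113.10 is a constructed placeholder from the documentation range, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: generate an iptables ruleset that accepts SSH (tcp/22) only
# from one allowlisted source (the VPN endpoint's public IP) and drops every
# other SSH connection attempt, so drive-by login attempts never reach sshd.
# The IP below is a constructed placeholder; set VPN_ENDPOINT_IP to your
# endpoint's real address before applying.

VPN_ENDPOINT_IP="${VPN_ENDPOINT_IP:-203.0.113.10}"   # assumption: your VPN exit IP
SSH_PORT="${SSH_PORT:-22}"

# Emit the rules instead of applying them. These use -A (append), so they
# assume no earlier INPUT rule already matches SSH traffic.
ssh_allowlist_rules() {
    ip="$1"; port="$2"
    cat <<EOF
# Keep established sessions (including the one you are typing in) working
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Accept new SSH connections only from the VPN endpoint
iptables -A INPUT -p tcp --dport $port -s $ip -m conntrack --ctstate NEW -j ACCEPT
# Log (rate-limited, so the log stays readable) and drop everything else aimed at SSH
iptables -A INPUT -p tcp --dport $port -m limit --limit 5/min -j LOG --log-prefix "ssh-blocked: "
iptables -A INPUT -p tcp --dport $port -j DROP
EOF
}

# Pure-shell model of the same policy: would a new SSH connection from SRC be
# accepted? Handy for a sanity check before locking yourself out.
would_accept_ssh() {
    src="$1"; allowed="$2"
    if [ "$src" = "$allowed" ]; then echo accept; else echo drop; fi
}

ssh_allowlist_rules "$VPN_ENDPOINT_IP" "$SSH_PORT"
```

To apply, review the output and then pipe it into a root shell (`sh ssh_allowlist.sh | sudo sh`), with a console or out-of-band path available first: if the VPN endpoint's address changes or the VPN is down, this rule set locks you out too. The same restriction can be stacked inside sshd itself with a `Match Address` block in `sshd_config`, so that a firewall mistake does not silently reopen the port.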

> Non-https traffic is going to be unencrypted over the open internet anyway, so I see no harm in it being unencrypted on the cafe network.

It's just so much easier to sniff traffic on unsecured WiFi than anywhere else. Not every site you log into implements https, or implements it correctly, and there are a variety of nasty things that can be done with that.

Think of running a Wordpress blog on your own server...how many people bother to force https for that? But if someone hijacks your Wordpress admin session, they've basically got your whole server.