[snowwrestler]

You could block all but whitelisted IPs at your firewall, then get a VPN and add the endpoint IP to your whitelist. This way ssh (and anything else you don't want the public to access) is protected from random drive-bys, but you can still get to it from pretty much anywhere.

VPNs are a good idea in general if you are doing anything from a public access point that involves logging in.

[lmm]

As far as I can tell, SSH is my VPN. What would I get from a VPN that I don't get with SSH? And whatever VPN solution I used would still have to offer me a way to log in to the VPN from random public IPs, on a standardized port (or via some standardized discovery mechanism) - so I don't see how it could possibly be any more secure.

[snowwrestler]

To get back to the point of the original article: ssh does not protect your server from getting hit by drive-by ssh login attempts.

In terms of security in depth, VPN provides another layer. If someone gets your VPN credentials, all they've done is given themselves a new endpoint, not gained access to any of your stuff.

VPN also protects web surfing, which ssh does not.

[lmm]

>In terms of security in depth, VPN provides another layer. If someone gets your VPN credentials, all they've done is given themselves a new endpoint, not gained access to any of your stuff.

One strong layer is better than two weak ones. If you're willing to remember 20 characters, a 20 character ssh password is much safer against these brute force attacks than 10 character VPN password + 10 character ssh password.

(as for non-bruteforce attacks, if someone compromises the VPN software they now have access to your home box without needing a second attack, so it comes down to whether the VPN software is more or less likely than SSH to have bugs - and my impression is that the SSH codebase is possibly the most thoroughly audited in the world)

>VPN also protects web surfing, which ssh does not.

Non-https traffic is going to be unencrypted over the open internet anyway, so I see no harm in it being unencrypted on the cafe network. (And if you're worried about being under surveillance, routing all your traffic via your home internet connection makes that easier than using a variety of public access points).

[snowwrestler]

I meant a commercial VPN service. I agree that if you're just VPNing into the same box that is running ssh, it's no more secure than ssh by itself.

With the commercial VPN service, you run your own server exactly the same way as before, but restrict ssh access to only your VPN endpoint IP. Now your attack surface is way way smaller. (And your ssh logs are nice and clean.)

> Non-https traffic is going to be unencrypted over the open internet anyway, so I see no harm in it being unencrypted on the cafe network.

It's just so much easier to sniff traffic on unsecured WiFi than anywhere else. Not every site you log into implements https, or implements it correctly, and there are a variety of nasty things that can be done with that.

Think of running a Wordpress blog on your own server...how many people bother to force https for that? But if someone hijacks your Wordpress admin session, they've basically got your whole server.