I'm not sure if this is the right place to ask.
My goal is to establish an external connection to my home server through ssh and tunnel some ports to the laptop. For this reason, I've exposed the SSH port through my router (random 5-digit port instead of 22), and set the following config:
- Private key connections only (password connections turned off)
- Allowing only one specific user in (with sudo rights) from known IP addresses. (Ideally I would love to somehow allow access from my mobile phone's hotspot, but it seems to change IP very often...)
- Additionally, I'm thinking about creating a `guest` user with no sudo rights, which would be allowed from any IP. (This is in case I was trying to use the mobile hotspot.) The `guest` would be enough for tunneling the ports, but would have no rights to files or anything otherwise.
Are these restrictions enough, or am I missing something important?
From what I've gathered, a better alternative would be to set up a VPN and connect to it instead; however, I'm not sure if it isn't a large overhead for just one user. Additionally, as I'm not an expert in this field, I feel that it would be much easier to leave something ill-configured by mistake due to the larger complexity of an OpenVPN setup, while with `sshd` it seems straightforward.
EDIT: Additional idea regarding the 22 port: from what I understand, after changing the port to some random other, they can still be discovered by a thorough nmap scan - if that's the case, is it possible to spoof them? E.g., spawn some "honeypot" ssh ports that lead nowhere (or to some empty docker container?), essentially hiding the correct port that leads to the machine? If anything, one can open thousands of empty ports, that would respond to nmap scans.
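As an added example (not the asker's own configuration), the restrictions described in the question, written out as an `sshd_config`. The user name `admin`, the RFC 5737 documentation addresses standing in for the "known IP addresses", and the two `127.0.0.1` targets for the tunnels are placeholders chosen for the example; the directive names are OpenSSH's own. The external high port lives on the router's forwarding rule, so the daemon itself can stay on 22.

```text
# /etc/ssh/sshd_config  (added example; placeholder addresses and user names)

PermitRootLogin no

# Key-only authentication: no passwords, no keyboard-interactive prompts.
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
MaxAuthTries 3
LoginGraceTime 30

# Who may log in, and from where.
# admin: only from the known host and the known network (CIDR is allowed).
# guest: an entry without @HOST matches any source address.
AllowUsers admin@203.0.113.10 admin@198.51.100.0/24 guest

# Deny every forwarding feature by default; re-enable per user below.
AllowTcpForwarding no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no

# Match blocks must come after the global directives.
Match User admin
    AllowTcpForwarding yes

# Tunnel-only account: no terminal, no command, only client-side (-L)
# forwards, and only to the listed destinations.
Match User guest
    PermitTTY no
    ForceCommand /bin/false
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:8080 127.0.0.1:5900
```

Check the file with `sudo sshd -t` before reloading the service, then test the guest path from the laptop with `ssh -N -L 8080:127.0.0.1:8080 -p <router port> guest@<home address>`; the `-N` flag asks for no shell, which is all that account can do anyway. Two details worth knowing: `AllowUsers` grants a login if any one entry matches, so the bare `guest` entry is what opens that account to every address while `admin` stays pinned to the listed ranges; and `AllowTcpForwarding local` refuses `-R` (remote) forwards, so the guest key cannot be used to expose ports back out of the server. The same limits can be repeated in the guest's `authorized_keys` line with `restrict,port-forwarding,permitopen="127.0.0.1:8080"`, so that a later edit of `sshd_config` does not silently widen what the key is allowed to do.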