I'm trying to figure out the best way to access a remote machine from a fixed IP. Should I set up a WireGuard tunnel and then access the machine via SSH over that, or is it acceptable to keep the SSH port open with IP access control lists (ACLs)?
5 Answers
For us, we use Tailscale. It efficiently addresses both security and access in one go. Plus, it's really user-friendly.
If you're considering public access, I'd recommend setting up WireGuard at the firewall first. Once you're inside the network, you can safely use SSH with ACLs to control access.
Even with public keys and good ACLs in place, I'd lean toward having a VPN like WireGuard in front of your SSH access to maximize security.
I prefer using SSH behind a port knocking setup that opens a brief window for port 22 for the IP that succeeds in knocking. Plus, I make sure to only allow certificate-based authentication.
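The per-IP, time-limited gate that the port knocking answer describes can be modelled as a small state machine. This is an added example, not code from the original post: the knock ports, both timeouts, the `KnockGate` class and the sample events are constructed assumptions.

```python
from dataclasses import dataclass, field

# All values below are assumptions for illustration, not from the answer.
KNOCK_SEQUENCE = (7000, 8000, 9000)  # ports to hit, in order
KNOCK_TIMEOUT = 10.0                 # max seconds between two knocks
OPEN_WINDOW = 30.0                   # seconds port 22 stays open afterwards
SSH_PORT = 22

@dataclass
class KnockGate:
    progress: dict = field(default_factory=dict)    # ip -> (knocks matched, last knock time)
    open_until: dict = field(default_factory=dict)  # ip -> time the SSH window closes

    def handle(self, ts, src_ip, dport):
        """Return True if the packet is accepted, False if dropped."""
        if dport == SSH_PORT:
            return ts <= self.open_until.get(src_ip, float("-inf"))
        idx, last = self.progress.get(src_ip, (0, ts))
        if idx and ts - last > KNOCK_TIMEOUT:
            idx = 0                                  # too slow: start over
        if dport == KNOCK_SEQUENCE[idx]:
            idx += 1
            if idx == len(KNOCK_SEQUENCE):           # full sequence: open for this IP only
                self.open_until[src_ip] = ts + OPEN_WINDOW
                self.progress.pop(src_ip, None)
            else:
                self.progress[src_ip] = (idx, ts)
        elif dport == KNOCK_SEQUENCE[0]:
            self.progress[src_ip] = (1, ts)          # wrong port, but a valid first knock
        else:
            self.progress.pop(src_ip, None)          # wrong port: reset
        return False                                 # knock ports never answer

EVENTS = [  # constructed (timestamp, source IP, destination port); RFC 5737 addresses
    (1.0, "203.0.113.10", 7000),
    (2.0, "203.0.113.10", 8000),
    (3.0, "203.0.113.10", 9000),   # sequence complete, window open until t=33
    (5.0, "203.0.113.10", 22),     # inside the window: accepted
    (5.0, "198.51.100.7", 22),     # different IP, never knocked: dropped
    (40.0, "203.0.113.10", 22),    # window expired: dropped
    (50.0, "198.51.100.7", 7000),
    (51.0, "198.51.100.7", 9000),  # out of order: progress reset
    (52.0, "198.51.100.7", 22),    # dropped
]

def ssh_decisions(events):
    gate = KnockGate()
    results = [(ts, ip, port, gate.handle(ts, ip, port)) for ts, ip, port in events]
    return [(ts, ip, ok) for ts, ip, port, ok in results if port == SSH_PORT]
```

The gate only decides whether port 22 is reachable from a given address; authentication is still enforced by the SSH server itself.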
A solid move is to use a VPN to secure SSH access. Always treat the exposure of SSH with caution, as it opens you up to potential network attacks, even if you think you have strong ACLs. If you’re just needing temporary access from a trusted static IP, then direct SSH with ACLs could work, but only as a rare exception.
