← back home

Securing Remote Access: Best Practices for SSH and Beyond

February 13, 2026
Ssh Security Remote Access Key-Based Authentication Layered Security Vpns Bastion Hosts Ip Whitelisting Key Management Server Hardening Cybersecurity Best Practices
View original discussion on Hacker News

Concerns surrounding the security of SSH connections, particularly when viewed as a "legal risk" due to an "open port," often stem from a misunderstanding of modern cybersecurity practices. While it's true that any exposed service carries some inherent risk, SSH, when configured correctly with best practices, offers a highly secure method for remote access.

The Foundation: SSH Key Authentication

The most critical step in securing SSH is to disable password authentication entirely and rely solely on SSH keys. This eliminates the vast majority of automated brute-force and password-stuffing attacks. Modern SSH keys, such as Ed25519 or 4096-bit RSA keys, are practically impossible to guess or brute-force. Further enhancing this security is the use of a strong passphrase to protect your private key, adding another layer of defense even if the key itself is compromised.

Layered Security for Minimal Exposure

While SSH with keys is robust, professional environments often advocate for a layered security approach to minimize the attack surface:

  • Network Restriction (IP Whitelisting): Limit SSH access to specific trusted IP addresses. In cloud environments like AWS, this can be easily managed through security groups. This immediately reduces the number of potential attackers to a known, controlled set.

  • Virtual Private Networks (VPNs): Placing SSH behind a VPN is a common recommendation. Solutions like WireGuard or Tailscale create a secure tunnel, allowing SSH to only be accessible from within that trusted VPN network. This means the SSH port itself is not exposed directly to the public internet. However, it's also important to consider recovery methods if the VPN itself becomes inaccessible.

  • Bastion Hosts: For more complex setups, a bastion host (or jump server) can be used. This is a highly hardened, minimal server exposed to the internet, whose sole purpose is to forward SSH connections to internal servers. Access to the bastion host is tightly controlled.

  • Cloud-Native Solutions: Public cloud providers offer alternatives. AWS Session Manager, for example, allows connecting to instances without opening SSH ports to the world, leveraging the instance's private communication channels with the hypervisor.

  • Server-Side Hardening: Beyond authentication, good server hygiene includes disabling PermitRootLogin (always use a normal user with sudo privileges) and using strong, up-to-date SSH daemon configurations. Changing the default SSH port (port 22) is often suggested to reduce log spam from bots, though it's not a strong security measure against targeted attacks.

  • Fail2ban: This tool helps block repeated login attempts, primarily reducing log noise rather than adding significant security against sophisticated attacks on a key-only SSH server.

Key Management and Vulnerabilities

Effective key management is paramount. Public keys added to authorized_keys files should be regularly reviewed and removed if no longer in use. Private keys must be securely stored, backed up, and ideally passphrase-protected. For team environments, processes for key distribution and revocation are crucial.

Regarding vulnerabilities, OpenSSH is an incredibly battle-hardened piece of software, rigorously audited and maintained, making critical pre-authentication zero-day exploits rare. However, no software is entirely immune to vulnerabilities. This is where the layered security approach comes in. While a theoretical zero-day in OpenSSH could be a concern, the same could be said for VPN software or any other component in the security stack. Some argue that simpler protocols, like WireGuard with its smaller codebase, might present a smaller attack surface, though both OpenSSH and WireGuard are among the most highly audited software globally.

Communicating with Clients

When clients express concerns about "legal risks" or "open ports," it's essential to understand the root of their apprehension. Often, it's a lack of technical understanding. Educating them on the robust security measures implemented—such as key-based authentication, network restrictions, and regular patching—can transform a perceived risk into a demonstration of best practices. Politely asking for their suggested alternatives can also highlight that SSH, when done correctly, is by far the most secure and practical method for remote server administration.

Get the most insightful discussions and trending stories delivered to your inbox, every Wednesday.