SSH is arguably the most basic service on a linux based server. It’s secure as well, when using SSH keys (and with root login and passwords disabled) but it’s still a big target for the “bad guys” (mostly automated bots). You can run SSH on a non-standard port (not port 22), but that is just security through obscurity, which really isn’t good practice.
Well, then along came Zero Trust. Cloudflare perhaps didn’t invent this, but they are the biggest proponent of it.
What is it? In my own words, it’s VPN less authentication for web and anything else you can access via the internet. Now we can authenticate down to the user, not just the entire network (like a VPN).
How does it work? You authenticate to the Zero Trust Service via a webpage and once that is done, any applications that you have been given access to are automatically authenticated or protected behind the Zero Trust Provider, in this case Cloudflare
Can you do the same for SSH? YES SECURELY and IN THE BROWSER. It’s not new, it’s free (for up to 50 applications) and it’s easy to setup. See the original blog post here.
The basic steps are:
- A domain pointed to your Cloudflare account
- Setup a Cloudflare tunnel
- Add an application, making sure you follow these specific steps
At this point you can actually login to SSH in the browser, but you will need to authenticate yourself
- Configure a short lived certificate to allow automatic login to SSH in the browser
A word of warning, the SSO identity you use to authenticate with Cloudflare access will be the username passed to your server, read this section to understand this
The possibilities are endless once you get your head around this. You could protect a Wordpress admin login page (though automatic login to Wordpress is not something I’ve explored yet). Grant secure access to a server running in another location, and as discussed here, actually login to SSH in the browser.
With this done (Zero Trust SSH) you can go ahead and close port 22 of your server. How much safer do you feel?