Best practices to allow for remote login

I use my NAS to store my photographs. The NAS is also backed up to BackBlaze.

When I go on a trip, I think it is nice to be able to dump my recent photographs back to my NAS and it then updates the backup on BackBlaze. BUT… often this isn’t possible because I’m remote and the only internet I have is via my cell phone and when I’m remote, the bandwidth is pretty poor. So I am not 100% sure I actually need to be able to do this. I also take with me an external hard drive (two actually) to do backups of my laptop to them. So, the need to update to my NAS is very questionable. I could wait until I get back home.

Currently I am on Spectrum using their router. It allows me to forward a port and so I forward a port to the NAS’ port 22. This works but I also get alerts from the NAS about failed SSH login attempts. I assume someone has found the port that I forward and is attacking it. So, just now, I turned off the port forwarding. It is plausible to enable and disable this remotely by logging into spectrum.net and going to “Settings” and this give me access to the router’s settings even when I am remote. My personal problem with this is the whole router and its settings and how it works feels very fragile to me.

One example of this is the local DNS entry for the NAS. I call it “truenas” and when coming from an Apple device, truenas.local works from the browser and I can mount the shared volumes via the Finder and I can even ssh to it from the Terminal but I can’t do dig truenas nor dig truenas.local which confuses me. Why can ssh find it but dig not find it? Along with this is I have a jail on the NAS and dig my-jail works but when I query the DNS via the spectrum.net interface or the app, it isn’t listed. I feel like I’m treading on thin ice.

Thus, I think if I decide I want to or need to ssh into the NAS while remote I want to set it up and leave it so it is stable but this opens the door to attacks. Is it possible and wise to set SSH so that it does not accept passwords but just allows login via keys? Would that be more secure? Should I keep the failed login attempt alerts or turn them off? Is that even possible?

Thank you for your help

Definitely move to keys only. Brute force password attacks are a part of every script kiddie’s arsenal but they’ll move on the first time your sshd kicks back with no passwords allowed.

Something else to do - any open port is open to attack; using a default ‘known’ port for a service means a script kiddie can run the only script they know how to run and attack that service. And there are lots of script kiddies. Change your sshd config to use some other port and you’re less likely to be attacked by script kiddies. It doesn’t mean you won’t be attacked, it just reduces your attack surface to less-dumb script kiddies.

It is a good idea to only open the port forward when you need it. You could leave the port forward on but put your sshd up/down in cron entries so it is only up at known times during the day, but that does mean you only get access in that window.

I’d add it to a tailscale and ssh from “lan.” No port forwards needed…