Question about locking a port forward rule to a source IP

road hazard · Apr 28, 2024

How safe and secure is it to lock a port forward rule to a source IP?

I recently moved my backup server to my brother's house and on his Asus router, I opened SSH but locked the source IP to my (static) IP address. Is this fairly safe or should I add a little more security by changing the SSH port so we're not using the default one and install fail2ban? (Using Debian 12.)

Or, is locking the rule so only SSH traffic from my IP address is allowed in good enough without fear of somebody spoofing my IP?

ColinTaylor · Apr 28, 2024

road hazard said:
Or, is locking the rule so only SSH traffic from my IP address is allowed in good enough without fear of somebody spoofing my IP?

That's good enough.

Martinski · Apr 29, 2024

road hazard said:
How safe and secure is it to lock a port forward rule to a source IP?

I recently moved my backup server to my brother's house and on his Asus router, I opened SSH but locked the source IP to my (static) IP address. Is this fairly safe or should I add a little more security by changing the SSH port so we're not using the default one and install fail2ban? (Using Debian 12.)

Or, is locking the rule so only SSH traffic from my IP address is allowed in good enough without fear of somebody spoofing my IP?

Since you didn't mention the SSH keys specifically, I would recommend making sure to disallow "Password Login" and use *only* strong SSH keys for authentication (2048-bit RSA or Ed25119 keys). It's good to have a more robust extra layer of security, especially when SSH is open over the WAN, even if the source IP address is locked. The more barriers set up, the better, IMO.

road hazard · Apr 30, 2024

ColinTaylor said:
That's good enough.

Good to hear, thanks for the reply!

road hazard · Apr 30, 2024

Martinski said:
Since you didn't mention the SSH keys specifically, I would recommend making sure to disallow "Password Login" and use *only* strong SSH keys for authentication (2048-bit RSA or Ed25119 keys). It's good to have a more robust extra layer of security, especially when SSH is open over the WAN, even if the source IP address is locked. The more barriers set up, the better, IMO.

I copied my keys over and followed your advice and disabled password login and changed the key to 2048 RSA. Thanks for the info!

Thread starter	Title	Forum	Replies	Date
	AX11000 Pro 10g port question : how far can i connect to 10g switch using the routers 10g port	ASUS AX Routers & Adapters (Wi-Fi 6/6e)	2	Jul 22, 2024
M	AX11000 WAN Aggregation Question	ASUS AX Routers & Adapters (Wi-Fi 6/6e)	1	Jul 2, 2024
S	Silly but easy question	ASUS AX Routers & Adapters (Wi-Fi 6/6e)	2	Jun 3, 2024
R	AX11000Pro with GT6 wireless backhaul question ( MAC address)	ASUS AX Routers & Adapters (Wi-Fi 6/6e)	0	May 29, 2024
	Question/favor for the ZenWiFi users group...	ASUS AX Routers & Adapters (Wi-Fi 6/6e)	8	May 27, 2024
S	Can anyone help with a couple of problems with an XT8 Mesh system? Issues with connectivity and client list and question about SSH command line.	ASUS AX Routers & Adapters (Wi-Fi 6/6e)	9	May 9, 2024
	VLAN Question	ASUS AX Routers & Adapters (Wi-Fi 6/6e)	4	Apr 30, 2024
R	GT-AXE16000 UNII-4 Question ( wireless backhual XT8s)	ASUS AX Routers & Adapters (Wi-Fi 6/6e)	8	Apr 28, 2024
M	Yet another question about VLAN w/ RT-AX88U Pro in AP mode.	ASUS AX Routers & Adapters (Wi-Fi 6/6e)	9	Apr 24, 2024
H	Question about (normal) guest network with ASUS ROG Rapture GT-AX6000	ASUS AX Routers & Adapters (Wi-Fi 6/6e)	9	Apr 24, 2024

Search

Search

Question about locking a port forward rule to a source IP

road hazard

Regular Contributor

ColinTaylor

Part of the Furniture

Martinski

Very Senior Member

road hazard

Regular Contributor

road hazard

Regular Contributor

Similar threads

Similar threads

Latest threads

Support SNBForums w/ Amazon

Sign Up For SNBForums Daily Digest

Members online