I've just set up a Raspberry Pi 2 with the latest raspbian and installed some services.

For remote access I've installed tightvnc server which I set up to only allow connections from localhost. I can still access it remotely by first starting an SSH connection which opens a tunnel to the used port (e.g. via putty, or from linux with the command ssh pi@10.0.0.1 -L 5901:localhost:5901).

I only opened my firewall for SSH, (S)FTP and HTTPS to the raspberry pi but obviously can access everything within the local network either from an SSH connection or from within the VNC connection to the Pi.

I can even access my local windows machines by opening a VNC/RDP connection from within a Pi VNC session and I'm thinking about enabling wake-on-lan on local devices so that I could even boot them from everywhere.

This access to the local network is pretty convenient but actually there's no real need for it so I'm asking myself (and you...) if I just opened up a big security hole.

What I actually would like to know:

  • Is remote SSH access to the Pi considered secure? I pretty much need this so I really don't like to disable it. It's kind of a must have...
  • Is access to VNC services on the Pi over the SSH tunnel an additional security risk or doesn't it make any difference when I'm already opening SSH access? More or less a nice to have...
  • Is access to my local network (via SSH or VNC on the Pi) an additional security risk? How could I prevent it without completely blocking remote connections to the Pi? This is strictly a nice to have...

I'd really appreciate opinions on those questions!

Thanks & best regards

PS: I'm talking about a private network so there's no company data at risk but I still don't want to open security vulnerabilities for some nice to have features...

suamikim

1 Answer

The SSH access is secure provided

Then, whatever goes through that tunnel is secure

  1. from a "services visibility" perspective (= is someone able to get to my VNC?) because it is exposed only via the ssh tunnel which must first be set up
  2. and from a confidentiality one (= is someone able to snoop on my traffic?), because ssh encrypts the traffic

Exposing only an up-to-date ssh service, authenticating with keys and running all subsequent services only via the tunnel is a very good security setup.

Alternatively you could use a VPN (OpenVPN for instance) but this is more complicated to set up and probably not worth the added value in your case (one or two specific services).

WoJ
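An added example (not part of the question or of WoJ's answer) that turns the answer's recommendations into something checkable, and also touches the third question about tunnels reaching the rest of the LAN: a POSIX sh audit of an sshd_config for key-only authentication, no root login, and a PermitOpen directive that limits what an `ssh -L` tunnel may forward to (only the local VNC port). The two config snippets are constructed for the example; the path /etc/ssh/sshd_config and the port 5901 from the question are assumptions about the reader's setup. PermitOpen only restricts port forwarding: a user who can open a shell on the Pi can still reach other hosts from it, so the VNC-session case needs a host firewall rather than an sshd setting.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings WoJ's answer recommends
# (key-only auth, no root login) plus PermitOpen, which restricts the targets
# an `ssh -L` tunnel can forward to. Config text below is constructed.

SAMPLE_HARDENED=$(cat <<'EOF'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# Tunnels may only be opened to the local VNC display, not to other LAN hosts.
AllowTcpForwarding local
PermitOpen localhost:5901
X11Forwarding no
EOF
)

SAMPLE_WEAK=$(cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
)

# effective_value CONFIG KEY -> prints the value of the first non-comment directive
# matching KEY (sshd uses "first match wins"; keywords are case-insensitive);
# prints nothing if the directive is absent.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd_config CONFIG -> returns 0 if every expected directive has the expected
# value, 1 otherwise; each failing directive is reported on stderr.
audit_sshd_config() {
    cfg="$1"
    rc=0
    for pair in \
        "PermitRootLogin=no" \
        "PasswordAuthentication=no" \
        "PubkeyAuthentication=yes" \
        "AllowTcpForwarding=local" \
        "PermitOpen=localhost:5901"; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective_value "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# audit_file PATH -> same check against a real file (assumed path: /etc/ssh/sshd_config).
audit_file() {
    audit_sshd_config "$(cat "$1")"
}

# Run with --demo to audit the two constructed samples.
if [ "${1:-}" = "--demo" ]; then
    audit_sshd_config "$SAMPLE_HARDENED" && echo "hardened sample: OK"
    audit_sshd_config "$SAMPLE_WEAK" || echo "weak sample: see findings above"
fi
```

Run `sh audit.sh --demo` to see the weak sample fail on PermitRootLogin, PasswordAuthentication, AllowTcpForwarding and PermitOpen, or call `audit_file /etc/ssh/sshd_config` on the Pi after sourcing the script. Adjust the PermitOpen value if the VNC display is not :1 (port 5901).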
  • Thanks for the comprehensive answer. I've already tried setting up OpenVPN primarily out of interest and found it pretty hard to set up and handle afterwards, so I'm going to stick with the easy solution I already have since it's working pretty well for my use cases. Thanks! – suamikim Mar 25 '15 at 10:39
  • The ssh solution, security wise, is rock solid. It is not extremely practical when it comes to many users, PKIs, routing, etc. but for a single user and a few services it is way simpler to administer. – WoJ Mar 25 '15 at 10:41