What's new

Question about locking a port forward rule to a source IP

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

road hazard

Regular Contributor
How safe and secure is it to lock a port forward rule to a source IP?

I recently moved my backup server to my brother's house and on his Asus router, I opened SSH but locked the source IP to my (static) IP address. Is this fairly safe or should I add a little more security by changing the SSH port so we're not using the default one and install fail2ban? (Using Debian 12.)

Or, is locking the rule so only SSH traffic from my IP address is allowed in good enough without fear of somebody spoofing my IP?
 
How safe and secure is it to lock a port forward rule to a source IP?

I recently moved my backup server to my brother's house and on his Asus router, I opened SSH but locked the source IP to my (static) IP address. Is this fairly safe or should I add a little more security by changing the SSH port so we're not using the default one and install fail2ban? (Using Debian 12.)

Or, is locking the rule so only SSH traffic from my IP address is allowed in good enough without fear of somebody spoofing my IP?
Since you didn't mention the SSH keys specifically, I would recommend making sure to disallow "Password Login" and use *only* strong SSH keys for authentication (2048-bit RSA or Ed25119 keys). It's good to have a more robust extra layer of security, especially when SSH is open over the WAN, even if the source IP address is locked. The more barriers set up, the better, IMO.
 
Since you didn't mention the SSH keys specifically, I would recommend making sure to disallow "Password Login" and use *only* strong SSH keys for authentication (2048-bit RSA or Ed25119 keys). It's good to have a more robust extra layer of security, especially when SSH is open over the WAN, even if the source IP address is locked. The more barriers set up, the better, IMO.

I copied my keys over and followed your advice and disabled password login and changed the key to 2048 RSA. Thanks for the info!
 

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top