Do not open port 22 directly, but forward some random 4-digit port via your router to port 22 of the DietPi machine. This is because there are many bots out there trying to log in on random IPs at port 22.
Install fail2ban via dietpi-software to also prevent possible brute-force attacks on your random ports. There will most likely be none, but better to be on the safe side.
And to finally break any non-bot hackers' login attempts, use public key authentication instead of user/password, at least for the root user. You can also add a passphrase to the key, so that for login the client needs the key + still a password. I can add some details to the wiki about how to do this with e.g. PuTTY on Windows or openssh+dropbear on Linux clients.
You can even disable root login via SSH completely, log in via another user and use password-protected sudo then. However, IMO, as long as there is no very private data or things like company secrets reachable from within your network (that would attract hackers), with key-authenticated login on a non-default port + fail2ban you should be fine.
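As an added example (not from the forum post), a small POSIX shell audit that checks an sshd_config against the steps above: non-default port, key-only login, restricted root login. The sample config at the bottom is constructed; the `effective_value`/`audit_sshd` helper names are my own.

```shell
#!/bin/sh
# Added example, not from the forum post: audit an sshd_config against the
# hardening steps recommended above (non-default port, key-only login,
# restricted root login). Returns the number of findings, so it can gate a
# service restart. The config at the bottom is a constructed sample.

# effective_value FILE KEY -> first uncommented value of KEY (sshd keywords
# are case-insensitive; a leading '#' makes $1 a different word, so comments
# are skipped automatically). Match blocks are not evaluated.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd FILE -> prints one WEAK line per problem, returns their count
audit_sshd() {
    cfg="$1"; findings=0
    port=$(effective_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "WEAK: Port=${port:-22 (default)}; move sshd off the default port"
        findings=$((findings + 1))
    fi
    pw=$(effective_value "$cfg" PasswordAuthentication)
    if [ "$pw" != "no" ]; then
        echo "WEAK: PasswordAuthentication=${pw:-yes (default)}; set 'no' once keys work"
        findings=$((findings + 1))
    fi
    if [ "$(effective_value "$cfg" PubkeyAuthentication)" = "no" ]; then
        echo "WEAK: PubkeyAuthentication=no; key login is switched off"
        findings=$((findings + 1))
    fi
    root=$(effective_value "$cfg" PermitRootLogin)
    case "$root" in
        no|prohibit-password|without-password) ;;
        *)  echo "WEAK: PermitRootLogin=${root:-unset}; set 'prohibit-password' or 'no' explicitly"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample: the typical out-of-the-box state this thread warns about
sample=$(mktemp)
cat > "$sample" <<'EOF'
#Port 22
#PasswordAuthentication yes
PermitRootLogin yes
EOF
audit_sshd "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it against the real file with `audit_sshd /etc/ssh/sshd_config` before restarting sshd; a non-zero return means at least one of the settings above is still at its weak value.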
Not sure how those two boxes work, but yeah, if you want/need a Linux server to control it, I would for sure place it on the control side where you have a power line. DietPi is not really read-only capable without some modifications, so power losses always mean a risk of data corruption/loss.
Another way is setting up a VPN server on your home router (Asus with Merlin firmware is good for this). Then you can use e.g. the Android OpenVPN Connect app to connect to your home network and access its internal IPs, e.g. use an Android SSH app to get into the DietPi CLI.
Is that a reverse ssh connection? The remote site connects when it comes up vs trying to connect to it remotely?
And good call on the VPN thing with an Android SSH app (JuiceSSH is a GREAT one).
Create an OpenVPN server on the inside of the “remote site” and VPN in that way. This way all traffic/maintenance apps can act as a “local machine” at the remote site; heck, you could even then use a remote control app securely if needed to work on their PCs in the home network.
You could also use ZeroTier (https://www.zerotier.com) to create a private network; no matter where your device is in the world it will show up as if it was local (it creates an encrypted p2p connection between the machines). It’s similar to a VPN except it’s always on and only grants access to the machines explicitly defined in its network (a machine can belong to multiple ZeroTier networks though).
I have this set up with a small virtual network between 4 windows boxes, my android tablet and 2 Diet-Pi servers (Pi-Hole, NAS and Jellyfin).
Don’t worry, he makes it seem overly complicated; on an Asus router with Merlin firmware it’s done in literally less than ten clicks. Click Advanced Settings - VPN - VPN Server - ON - create a username and password - click + - click Apply - export the .ovpn file - email the .ovpn file to yourself - open the OpenVPN Connect app on your Android - open the .ovpn file in the app - click Connect - go to e.g. 192.168.1.100 in a web browser while you’re on the Android on a remote wifi or a mobile network and it will take you to whatever is on 192.168.1.100 on your home network.
My problem is I can’t get the router to work as both a server and a client at the same time, despite contacting Asus and Private Internet Access support (both useless of course) and reading a thousand websites on the topic (outdated or requiring SSH scripts I’m not running, because it should be possible to do through the GUI and I’m not running Linux SSH scripts on my router that I have no idea what they mean). A VPN client on the router in this case would be the more common usage of the term VPN, i.e. a commercial provider that is “in between” you and your ISP and encrypts, unblocks (e.g. Piratebay), optionally geolocates etc. your internet traffic. I’ve researched them all and www.privateinternetaccess is by far the cheapest and best one, recommended!
I’ll check out the ZeroTier stuff, but I’m so frustrated I can’t get the Asus Merlin VPN server and client working at the same time. I know it’s just one damn check box or setting to change but I can’t work it out despite trying for days. Anyone have any tips on that or a good updated guide?
Yep, a VPN to connect to the remote machine’s “local network” and then using network-internal SSH, hence not opening any SSH port to the www, is the most secure solution. It depends a bit on the security needs and the client machine (VPN + SSH client required) whether this is reasonable or even possible or not.