Securing SSH, RDP, and VPN Ports Against Attack

By SurfaceLoop Team

How do you harden SSH for internet exposure?

SSH hardening checklist for /etc/ssh/sshd_config:

PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
AllowUsers deploy admin

Key-based authentication eliminates brute-force attacks against the password layer entirely. An attacker cannot guess a 4096-bit RSA key or an Ed25519 key.

fail2ban bans IP addresses after a configurable number of failed login attempts, reducing the volume of brute-force traffic and the associated log noise.

IP restrictions via firewall rules or AllowUsers directives limit SSH access to known source addresses. This is highly effective but requires a fallback access method (console access, out-of-band management) in case the allowed IP changes.

Keep OpenSSH updated. CVE-2024-6387 (regreSSHion) demonstrated that even mature software like OpenSSH can have critical vulnerabilities. Prompt patching is essential for any internet-facing service.
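To turn the checklist above into a repeatable check, here is an added example (not SurfaceLoop's code) that parses an sshd_config text and reports every directive whose effective value misses the checklist. It follows sshd's own rules, which trip up hand audits: keywords are case-insensitive, the first occurrence of a directive wins, and anything after the first Match header is conditional. The sample configuration and the DEFAULTS table (OpenSSH's compiled-in values when a directive is absent) are the only assumptions.

```python
# Added example (not SurfaceLoop's code). Only the global section is audited:
# parsing stops at the first 'Match' header, and 'Include'd files are not
# followed. The sample configuration below is constructed.

# OpenSSH's compiled-in value when the directive is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
}

# (directive, predicate that passes the check, expectation from the checklist)
CHECKS = [
    ("passwordauthentication", lambda v: v == "no", "no"),
    ("pubkeyauthentication", lambda v: v == "yes", "yes"),
    ("permitrootlogin", lambda v: v == "no", "no"),
    ("maxauthtries", lambda v: v.isdigit() and int(v) <= 3, "3 or fewer"),
    ("allowusers", lambda v: bool(v), "an explicit user list"),
]

def parse_global_section(text):
    """Return {lowercased keyword: first value} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":  # conditional blocks start here; stop
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # sshd keeps the FIRST occurrence
    return settings

def audit(text):
    """Return findings as (directive, effective value, expected) tuples."""
    settings = parse_global_section(text)
    effective = {k: settings.get(k, DEFAULTS.get(k)) for k, _, _ in CHECKS}
    return [(k, effective[k], exp) for k, ok, exp in CHECKS if not ok(effective[k])]

# Constructed sample. The second PasswordAuthentication line is a trap: sshd
# keeps the first value ('yes'); the Match-block 'no' applies only to 'backup'.
SAMPLE = """\
PermitRootLogin yes
PasswordAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""
```

On a live host, `sshd -T` prints the effective configuration after Include and Match processing in the same keyword/value form, so its output can be passed to `audit()` for an authoritative result.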

How do you secure RDP access?

RDP should not be directly internet-facing. The preferred approaches, in order:

1. VPN-only access. Users connect to a VPN first, then access RDP over the private network. This removes RDP from the public attack surface entirely.

2. RDP Gateway. Microsoft’s Remote Desktop Gateway acts as a reverse proxy for RDP connections, providing centralised authentication, logging, and access control without exposing individual RDP endpoints.

3. Zero-trust access. Solutions like Cloudflare Access or Tailscale provide authenticated, encrypted tunnels to specific resources without opening ports.

If none of these options are feasible and RDP must be internet-facing:

  • Enable Network Level Authentication (NLA) to require authentication before establishing a session
  • Enforce strong passwords and account lockout after 5 failed attempts
  • Deploy multi-factor authentication via Windows Hello, smart cards, or third-party MFA
  • Restrict source IP addresses at the firewall level
  • Keep Windows fully patched - RDP vulnerabilities are high-value targets

How do you protect VPN gateways?

VPN gateways are internet-facing by design - they must accept connections from remote users. This makes them permanent targets:

Patch immediately. VPN appliance CVEs (Fortinet, Ivanti, Citrix, Palo Alto) are among the most exploited vulnerabilities. Many organisations delay patching VPN gateways because of the service disruption involved. Attackers know this and exploit the patching gap.

Enforce MFA. Stolen VPN credentials are sold on dark web marketplaces. Multi-factor authentication prevents credential-only access even when passwords are compromised.

Monitor access patterns. Alert on logins from unusual locations, simultaneous sessions from different geographies, and off-hours access that does not match the user’s normal pattern.
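The three alert conditions in the paragraph above, as an added example (not SurfaceLoop's code) run over constructed VPN login records. Each record is reduced to (user, login time, source country); the per-user baselines and the 8-hour session lifetime are assumptions stated in the code, and in production the baselines would be derived from historical logins rather than written by hand.

```python
# Added example (not SurfaceLoop's code). Events are a constructed, simplified
# form of gateway auth logs: (user, login time, country). Baselines are
# supplied inline; in production they are derived from historical logins.
from datetime import datetime, timedelta

# Constructed per-user baselines: usual source countries and working hours.
BASELINE = {
    "alice": {"countries": {"GB"}, "hours": (7, 20)},
    "bob": {"countries": {"US", "CA"}, "hours": (8, 19)},
}
SESSION_TTL = timedelta(hours=8)  # assumed: sessions older than this are over

def detect(events):
    """Return (user, rule, detail) alerts for events sorted by login time."""
    alerts = []
    active = {}  # user -> [(login_time, country)] still within SESSION_TTL
    for user, when, country in events:
        prof = BASELINE.get(user)
        if prof is None:
            alerts.append((user, "unknown-user", country))
            continue
        # Rule 1: login from a country this user has not used before
        if country not in prof["countries"]:
            alerts.append((user, "unusual-location", country))
        # Rule 2: login outside the user's normal working window
        start, end = prof["hours"]
        if not start <= when.hour < end:
            alerts.append((user, "off-hours", when.strftime("%H:%M")))
        # Rule 3: a session still live from a different country at login time
        live = [(t, c) for t, c in active.get(user, []) if when - t < SESSION_TTL]
        for _, other in live:
            if other != country:
                alerts.append((user, "concurrent-geo", f"{other}+{country}"))
                break
        active[user] = live + [(when, country)]
    return alerts

# Constructed sample events (dates are illustrative), in time order.
EVENTS = [
    ("bob", datetime(2024, 5, 6, 3, 15), "US"),  # 03:15 is outside 08-19
    ("alice", datetime(2024, 5, 6, 9, 2), "GB"),  # baseline behaviour
    ("alice", datetime(2024, 5, 6, 11, 40), "RO"),  # new country, GB still live
    ("bob", datetime(2024, 5, 7, 10, 0), "CA"),  # normal; prior session expired
]
```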

Limit access scope. VPN users should only reach the resources they need, not the entire internal network. Network segmentation behind the VPN limits the blast radius of compromised VPN credentials.

How SurfaceLoop handles this

SurfaceLoop monitors your external attack surface for exposed remote access services. When SSH, RDP, VNC, or VPN management interfaces are detected on open ports, SurfaceLoop flags them with remediation guidance - including whether the service has known CVEs in its detected version.


Frequently asked questions

Should remote access ports be exposed to the internet at all?

Ideally no. The most secure approach is to place remote access services behind a VPN or zero-trust access solution, making them unreachable from the public internet. When direct internet exposure is unavoidable, apply defence-in-depth: strong authentication, IP restrictions, rate limiting, and continuous monitoring.

Is changing SSH to a non-standard port effective?

Changing the SSH port from 22 to a non-standard port reduces automated brute-force noise (most bots only scan common ports) but provides no real security. Determined attackers perform full port scans and will find SSH on any port. Non-standard ports are a convenience measure, not a security control - always pair with key-based authentication.

How do I secure RDP if I must expose it to the internet?

If RDP must be internet-facing, use Network Level Authentication (NLA), enforce strong passwords with account lockout policies, deploy an RDP Gateway for centralised authentication, restrict access by source IP address where possible, enable multi-factor authentication, and keep the system fully patched. Consider Remote Desktop Gateway instead of direct RDP exposure.

What is the best alternative to exposing remote access ports?

Zero-trust network access (ZTNA) solutions eliminate the need to expose remote access ports entirely. Services like Cloudflare Access, Tailscale, and WireGuard-based solutions authenticate users before granting access to specific resources without opening ports to the public internet.
