I'll occasionally leave SSH open on the WAN side if my client is a significant distance away just in case there's an issue with the VPN link in an area where it's difficult/expensive to get someone to plug in a laptop with a console cable and tether (e.g. I have a customer just across the border in Canada and they sometimes take issue with using a NAFTA business visit visa to cross just to fix a router). I won't ever expose the web UI (I can always SSH tunnel to it), and I always use public key authentication and add rate-limiting firewall rules to SSH.
↧