Secure SSH Without Exposing Public Port 22
SSH is one of the most common entry points for development and operations, but public port 22 is also one of the most scanned surfaces on the internet.
Larktun brings the server management entry point into a private network. Public service ports can remain open when needed, while SSH does not have to face the internet directly. Only authorized devices inside the Larktun network can reach it.
Problems with public SSH exposure
Opening public port 22 can cause several issues:
- Continuous internet scanning and brute-force attempts.
- Home and mobile IP addresses change, making allowlists hard to maintain.
- Multi-user operations scatter permissions across cloud security groups, server accounts, and local keys.
- Temporary access can remain after collaboration ends.
Larktun uses device identity and ACLs to make the access boundary clear: who can access which server and which port.
Recommended practice
- Install and sign in to the Larktun client on the server.
- Sign in to the same tenant on your computer or phone.
- Use ACLs to allow only the required account, device, or group to SSH.
- Keep public port 22 closed in the cloud security group.
- SSH using the Larktun device name or private address.
The server remains reachable, but SSH is visible only to authorized Larktun devices.
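To confirm the result on the server itself, the following added example (not Larktun's own code) classifies the SSH listeners reported by `ss -H -tln`. The overlay range 100.64.0.0/10 and the sample output are assumptions constructed for illustration; substitute the private range your Larktun tenant actually assigns. A wildcard bind means the cloud security group is the only thing keeping port 22 off the internet.

```python
import ipaddress

# Constructed `ss -H -tln` samples (not captured from a real host).
SAMPLE_DEFAULT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""
SAMPLE_BOUND = """\
LISTEN 0 128 100.64.0.5:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
"""

def ssh_listeners(ss_output, port=22):
    """Yield the local address of every TCP listener on `port`."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, local_port = fields[3].rpartition(":")
        if local_port == str(port):
            # Drop IPv6 brackets and any %interface suffix.
            yield addr.strip("[]").split("%")[0]

def audit(ss_output, overlay_cidr, port=22):
    """Return (address, verdict) for each listener on `port`."""
    overlay = ipaddress.ip_network(overlay_cidr)  # assumed tenant range
    findings = []
    for addr in ssh_listeners(ss_output, port):
        ip = None if addr == "*" else ipaddress.ip_address(addr)
        if ip is None or ip.is_unspecified:
            verdict = "wildcard"          # every interface, public NIC included
        elif ip.is_loopback or ip in overlay:
            verdict = "overlay-only"      # reachable only inside the private network
        else:
            verdict = "other-interface"   # bound to a non-overlay address
        findings.append((addr, verdict))
    return findings

def needs_review(ss_output, overlay_cidr, port=22):
    """Listeners that depend on the security group alone to stay private."""
    return [a for a, v in audit(ss_output, overlay_cidr, port) if v != "overlay-only"]

if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("bound", SAMPLE_BOUND)):
        print(name, audit(sample, "100.64.0.0/10"))
```

On a live host, feed it the real output of `ss -H -tln`; an empty `needs_review` result means sshd listens only on the private address.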
Good fit for
- Individual developers accessing cloud servers, Oracle Cloud instances, lightweight servers, or home mini PCs.
- Teams operating production servers without public SSH exposure.
- Temporary server access for members, with ACL removal after the task.
- AI Agents that need controlled access to logs, development machines, or test environments.