How to Setup a Secure Ubuntu Home Server: A Complete Guide
www.davidma.co
udc@lemmy.world to Selfhosted@lemmy.world · English · 1 day ago

martinb@lemmy.sdf.org · 1 day ago
Passwordless login only. No root login. Fail2ban. Add ufw to stop accidental open port shenanigans, and you are locked down enough

Botzo@lemmy.world · 24 hours ago (edited)
We can go harder: port knock to open the port to a cert-only VPN (on top of all that)
https://wiki.archlinux.org/title/Port_knocking

martinb@lemmy.sdf.org · 21 hours ago
Felt a bit like a faff to me, so I never bothered. Does depend upon your threat model though

StrixUralensis@tarte.nuage-libre.fr · 1 day ago
> Passwordless login only

Never understood this
I don’t think that anyone or anything, computer or mentalist, will guess my 40+ characters long password

non_burglar@lemmy.world · 22 hours ago
With ssh, over 90% of the vulnerabilities are abusing the password mechanism. If you set up pre-shared keys, you are preventing the most common abuses, including in the realm of zero days.

surph_ninja@lemmy.world · 24 hours ago
Especially paired with Fail2Ban preventing any brute force attempts.
But with a WireGuard setup, you need not have the port exposed at all.

etchinghillside@reddthat.com · 1 day ago
Are you setting and managing others’ passwords?
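
A way to check the "passwordless login only, no root login" items from the first comment, as an added example that is not part of the thread or the linked guide. It relies on sshd keeping the first value it reads for each keyword, so an `Include` at the top of `sshd_config` can override a later `PasswordAuthentication no`. The file contents, the drop-in name `50-override.conf` and the function names are constructed for illustration, and only the global section (before any `Match`) is evaluated.

```python
import fnmatch

# Settings the checklist asks for: key-only login, no root login.
WANTED = {"passwordauthentication": "no",
          "kbdinteractiveauthentication": "no",
          "permitrootlogin": "no"}
# OpenSSH built-in defaults, used when a keyword is never set.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "permitrootlogin": "prohibit-password"}

# Constructed sample: the main file looks hardened, a drop-in undoes it.
SAMPLE = {
    "/etc/ssh/sshd_config": (
        "Include /etc/ssh/sshd_config.d/*.conf\n"
        "PermitRootLogin no\n"
        "PasswordAuthentication no\n"
        "KbdInteractiveAuthentication no\n"),
    "/etc/ssh/sshd_config.d/50-override.conf": "PasswordAuthentication yes\n",
}

def effective(files, path="/etc/ssh/sshd_config", seen=None):
    """Return {keyword: (value, source_file)}; the first value read wins."""
    seen = {} if seen is None else seen
    for raw in files[path].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":        # conditional blocks are out of scope here
            break
        if key == "include":      # included files are read in lexical order
            for inc in sorted(fnmatch.filter(files, value)):
                effective(files, inc, seen)
        else:
            seen.setdefault(key, (value.lower(), path))
    return seen

def audit(files):
    """List (keyword, effective_value, source) for every setting that is off."""
    eff = effective(files)
    findings = []
    for key, want in WANTED.items():
        value, src = eff.get(key, (DEFAULTS[key], "built-in default"))
        if value != want:
            findings.append((key, value, src))
    return findings
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check.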