Personally I made sure SSH is only accessible when connected through a VPN setup for that purpose. As in, that same machine hosts a Wireguard setup (through Tailscale) and you need to connect to that first before SSH is available. And then SSH also only accepts key-based authentication. I don’t think I need more than that?
I have a VPS that runs the main proxy which I can always access via a console on the website of the company I’m renting it from (Hetzner). The other machines run locally in my home so I can just plug in a cable if need be.
Sure, but I'd rather not have the SSH port open to the world; it just makes it harder for attackers to get in this way. Besides, I use the VPN for more things, some self-hosted services I don't want accessible by the whole world.
Cool, but from the post it seems like all it does is:
Recommend disabling old algorithms, which you would have already done if you followed a modern hardening guide like infosec.mozilla.org/guidelines/openssh
Detect if you are running a known-vulnerable version of OpenSSH, which wouldn't be an issue if you keep good patch hygiene and install your SSH server through your operating system's package manager
Scripting, to confirm that a large fleet of boxes are all running according to your policy. Verification that the config you want is actually the config you have.
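Picking up the fleet-verification point in the comment above, together with the policy described in the first comment (key-only authentication, sshd reachable only on the VPN address, no legacy algorithms): the following is an added example written for this page, not code from anyone in the thread or from the linked post. It checks the effective configuration that `sshd -T` dumps against that policy. The two dumps are constructed; the Tailscale-style address 100.64.0.5 and the substrings used to flag weak algorithms are assumptions, not an authoritative list.

```shell
#!/bin/sh
# Added example: audit an `sshd -T` dump against a small policy.
# On a real host: check_sshd_dump "$(sudo sshd -T)"

# Constructed dump of a host that follows the policy (VPN address is made up).
GOOD_DUMP='port 22
listenaddress 100.64.0.5:22
passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin no
kexalgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
hostkeyalgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com'

# Constructed dump of a host that drifted: wildcard listeners, passwords on, SHA-1 kex.
BAD_DUMP='port 22
listenaddress 0.0.0.0:22
listenaddress [::]:22
passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin no
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com
hostkeyalgorithms ssh-ed25519'

# get_opt DUMP KEY: print the value of KEY from an `sshd -T` dump (keys are lowercase).
get_opt() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }'
}

# has_weak LIST SUBSTRING...: succeed if any substring occurs in the comma-separated LIST.
has_weak() {
    list=$1; shift
    for pat in "$@"; do
        case ",$list," in *"$pat"*) return 0 ;; esac
    done
    return 1
}

FINDINGS=0
note_failure() {
    echo "FAIL: $1"
    FINDINGS=$((FINDINGS + 1))
}

# check_sshd_dump DUMP: print each policy violation; return the number of violations.
check_sshd_dump() {
    dump=$1
    FINDINGS=0

    # Authentication policy: keys only, no root login.
    [ "$(get_opt "$dump" passwordauthentication)" = "no" ] || note_failure "passwordauthentication must be no"
    [ "$(get_opt "$dump" kbdinteractiveauthentication)" = "no" ] || note_failure "kbdinteractiveauthentication must be no"
    [ "$(get_opt "$dump" pubkeyauthentication)" = "yes" ] || note_failure "pubkeyauthentication must be yes"
    [ "$(get_opt "$dump" permitrootlogin)" = "no" ] || note_failure "permitrootlogin must be no"

    # Exposure policy: sshd must bind a specific (VPN) address, never a wildcard.
    # The loop is fed by a here-document so it runs in this shell and FINDINGS is updated.
    while read -r addr; do
        case "$addr" in
            0.0.0.0:*|"[::]:"*) note_failure "listens on wildcard address $addr" ;;
        esac
    done <<EOF
$(printf '%s\n' "$dump" | awk '$1 == "listenaddress" { print $2 }')
EOF

    # Algorithm policy: the substrings below are an assumption about what counts as legacy.
    has_weak "$(get_opt "$dump" kexalgorithms)" sha1 group1 && note_failure "weak kex algorithm present"
    has_weak "$(get_opt "$dump" ciphers)" cbc arcfour 3des && note_failure "weak cipher present"
    has_weak "$(get_opt "$dump" macs)" md5 hmac-sha1 umac-64 && note_failure "weak MAC present"

    return $FINDINGS
}

# Demo on the constructed dumps; exit status of each call is the finding count.
check_sshd_dump "$GOOD_DUMP" && echo "good dump: compliant"
check_sshd_dump "$BAD_DUMP" || echo "bad dump: $? finding(s)"
```

Run the checker over a fleet by feeding it `ssh host sudo sshd -T` per host and failing the job on any non-zero count; because `sshd -T` reports the effective configuration after Match blocks and defaults are applied, it catches a hardened `sshd_config` that a later include quietly overrides, which grepping the file itself would miss.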
“in the spirit of continuous improvement, I recently embarked on a quest for re-evaluation and potential enhancement.”
Oh boy, wait until you discover that Emacs can do terminal emulation, terminal multiplexing, text editing, file management, and app launching, all configurable and scriptable with a single, powerful programming language… and allows you to record keyboard macros that run across all of the above features. You’ll go down a rabbit hole from which you will never emerge.
You are both correct. I also read my RSS feeds in Emacs (which includes my YouTube subscriptions), manage my knowledge database with org-roam, use Mastodon on it, and sometimes chat on IRC or matrix with Emacs.
thoughts.greyh.at