Comment on How can I keep my forwarded port secure?
just_another_person@lemmy.world 2 months ago
You cant. You can only do your best to make it as secure as possible, but given enough time, someone can break it.
Basic tips:
- don’t run any services on their defaults ports
- don’t allow password auth for any exposed service. Ever.
- run intrusion detection (fail2ban for simple ssh / Crowdsec for something a little beefier)
For ssh specifically, lock down your sshd config, make sure only key-based is enabled, and may as an extra step create a dedicated user, and jail it by only allowing it access for the commands you need to interact with.
novalex@lemmy.world 2 months ago
Mind expanding on tip #2?
just_another_person@lemmy.world 2 months ago
Not sure I can expand on it a ton more in a way that will make sense if it already doesn’t sound familiar.
Basically, there are various to authenticate yourself to most services. Password is usually the weakest and most succeptible to brute-force. There’s certificates, key pairs, RBAC…etc. You can even setup TOTP/MFA really easily for anything that supports it these days. Just don’t leave a service hanging out on the Internet to get brute-force by password though.
If you’re unfamiliar with this, start with SSH and key pairs. It’s probably the simplest intro and you can be up and running to try it out in seconds.
novalex@lemmy.world 2 months ago
Got it, I’m aware password auth can be brute forced, sadly many services don’t support more advanced auth methods so I’ve got a couple homelab apps that can only do password auth. I’m using very strong passwords and 2FA where available, and have been looking into an SSO solution like Authentik, but again not all services are supported.