Also, add 2FA
Comment on How to harden against SSH brute-forcing?
30p87@feddit.org 1 week agoMove SSH to non-standard port, make endlessh use the default port. Only use SSH keys. Only allow correct users (so eg. your user and git/forgejo). Use fail2ban to aggressively ban (redirect to default port, so 22) and report to abuseipdb everything that fails to authenticate first try (wrong user, password instead of key), has non-compatible ciphers (generally, only allow TLS1.3 etc.), or fails in any other way. Just be sure that if you accidentally get banned yourself (eg. Ctrl+C-ing during authentication), you can use another IP (eg. force v4) for connecting.
bigBananas@feddit.nl 1 week ago
30p87@feddit.org 1 week ago
But remember, on a third device. Not the one where your KeePass DB is one fingerprint away, and your private SSH key too.
cron@feddit.org 1 week ago
Nice list of suggestions, but implementing all of them feels a little over-the-top.
30p87@feddit.org 1 week ago
Tbh, I myself still have SSH on port 22. Firstly, because I’m lazy, and secondly … yeah that’s it. I’m honestly just lazy. But spam bots trying office/cookie123 are not a real threat, and anyone trying to actually target me will either have somehow acquired my key + password, use one of the probably many security issues that exist in the dozen services I selfhost, social engineer me into doing something (not saying I’ve given out my (old) KeePass password once, but it could be, as love makes blind (I still love her)), or just smash my kneecaps until I give out everything.