No Port-knocking? Amateurs! /s
Comment on How to harden against SSH brute-forcing?
irmadlad@lemmy.world 11 months ago
OP, here is what I do. It might seem overboard, and my way doesn’t make it the best, or the most right, but it seems to work for me:
- Fail2ban
- UFW
- Reverse Proxy
- IPtraf (monitor)
- Lynis (Audit)
- OpenVAS (Audit)
- Nessus (Audit)
- Non standard SSH port
- CrowdSec + Appsec
- No root logins
- SSH keys
- Tailscale
- RKHunter
The auditing packages, like Lynis, will scour your server and make suggestions as to how to further harden your server. CrowdSec is very handy in that it covers a lot of ‘stuff’. It’s not the only WAF around. There is Wazuh, BunkerWeb, etc. Lots of other great comments here with great suggestions. I tend to go overboard on security because I do not like mopping up the mess after a breach.
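Three of the items in the list above (no root logins, SSH keys, non-standard port) are plain sshd_config settings, and the classic way to get them wrong is to append the hardening lines below the distro defaults: sshd_config(5) keeps the first value it reads for each keyword, so the appended lines do nothing. The auditor below is an added example, not code from the post or from any of the tools it names; the file name `sshd_audit.py` and both sample configs are constructed for illustration.

```python
"""Audit a sshd_config for the SSH items in the list above: no root logins,
key-only authentication, and a non-standard port.

Added example, not code from the original post. It applies the precedence
rule from sshd_config(5): for every keyword the FIRST value sshd reads is the
one that takes effect, so hardening appended after distro defaults (or after
an Include of them) is silently ignored. Port is the exception: every Port
line adds a listening port. Match blocks are skipped because their settings
are conditional. Run against a real file with
    python3 sshd_audit.py /etc/ssh/sshd_config
"""
import re
import sys

# Constructed sample: hardening was appended below the distro defaults.
WEAK_SSHD_CONFIG = """\
# Distro defaults
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes

# Hardening appended later; sshd keeps the FIRST value of each keyword
PermitRootLogin no
PasswordAuthentication no
Port 2222

# Conditional section; this audit only looks at the global section
Match User backup
    PasswordAuthentication yes
"""

# Constructed sample: the same intent, written so that it actually applies.
HARDENED_SSHD_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
"""

# ChallengeResponseAuthentication is the deprecated alias of the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# (keyword, sshd default, predicate on the effective value, finding text)
CHECKS = [
    ("permitrootlogin", "prohibit-password", lambda v: v == "no",
     "PermitRootLogin is not 'no' (root logins still possible)"),
    ("pubkeyauthentication", "yes", lambda v: v == "yes",
     "PubkeyAuthentication is disabled"),
    ("passwordauthentication", "yes", lambda v: v == "no",
     "PasswordAuthentication is not 'no' (passwords accepted)"),
    ("kbdinteractiveauthentication", "yes", lambda v: v == "no",
     "KbdInteractiveAuthentication is not 'no' (PAM can still prompt for a password)"),
]
# sshd accepts "Keyword value" and "Keyword=value"
LINE_RE = re.compile(r"^(\w+)\s*(?:=|\s)\s*(.*?)\s*$")

def parse_global(text):
    """Return (effective_settings, ports) for the global section of sshd_config."""
    effective, ports, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        key = ALIASES.get(key, key)
        if key == "match":
            in_match = True          # everything until the next Match is conditional
            continue
        if in_match:
            continue
        if key == "port":
            ports.append(value)      # every Port line adds a listener
        else:
            effective.setdefault(key, value.lower())   # first value wins
    return effective, ports or ["22"]

def audit(text):
    """Return the list of findings; an empty list means the basics hold."""
    effective, ports = parse_global(text)
    findings = []
    for key, default, ok, msg in CHECKS:
        value = effective.get(key, default)
        if not ok(value):
            findings.append(f"{msg}; effective value: {value}")
    if "22" in ports:
        findings.append(f"still listening on port 22; Port lines: {', '.join(ports)}")
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_SSHD_CONFIG
    for finding in audit(text) or ["no findings"]:
        print(finding)
```

On the weak sample the auditor reports root logins, password authentication, keyboard-interactive authentication and port 22 as still effective, even though the file ends with lines that were meant to turn all of them off; the hardened sample passes. The KbdInteractiveAuthentication check is there because `PasswordAuthentication no` alone does not stop password prompts when PAM keyboard-interactive is left at its default of yes. To confirm what the running daemon actually applied, compare the audit against `sshd -T`, which prints the effective configuration after all Includes.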
db0@lemmy.dbzer0.com 11 months ago
sugar_in_your_tea@sh.itjust.works 11 months ago
It’s absolutely overboard, and you can get 99% of the way there with this:
That will require breaking WireGuard and OpenSSH’s key-based authentication, which just isn’t happening. The rest looks like mostly auditing. Even a firewall isn’t necessary if no ports are accessible anyway (i.e. everything only accessible over Tailscale), and you can just configure iptables to block everything on the WAN IP and call it a day.
irmadlad@lemmy.world 11 months ago
It’s nice to be commented by someone famous.
Open up the window, let some air into this room
I think I’m almost chokin’ from the smell of stale perfume
And that cigarette you’re smokin’ ’bout scare me half to death
Open up the window, sucker, let me catch my breath
sugar_in_your_tea@sh.itjust.works 11 months ago
Mama told me not to come.
Fun fact, my usernames on Reddit (I would cycle them every couple of years) were all Three Dog Night lyrics, so I continued the theme on Lemmy.