Comment

Comment on How to harden against SSH brute-forcing?

OP, here is what I do. It might seem overboard, and my way doesn’t make it the best, or the most right, but it seems to work for me:

Fail2ban
UFW
Reverse Proxy
IPtraf (monitor)
Lynis (Audit)
OpenVas (Audit)
Nessus (Audit)
Non standard SSH port
CrowdSec + Appsec
No root logins
SSH keys
Tailscale
RKHunter

The auditing packages, like Lynis, will scour your server, and make suggestions as to how to further harden your server. Crowdsec is very handy in that it covers a lot of ‘stuff’. It’s not the only WAF around. There is Wazuh, Bunkerweb, etc. Lots of other great comments here with great suggestions. I tend to go overboard on security because I do not like mopping up the mess after a breach.

source

Sort:hotnew top

db0@lemmy.dbzer0.com ⁨1⁩ ⁨week⁩ ago
No Port-knocking? Amateurs! /s

source
sugar_in_your_tea@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
It’s absolutely overboard, and you can get 99% of the way there with this:

WireGuard config (Tailscale in your case)

Bind SSH to WireGuard IP only (so no public SSH port)

SSH keys only, and disable root login over SSH

That will require breaking WireGuard and openSSH’s key-based authentication, which just isn’t happening. The rest looks like mostly auditing. Even a firewall isn’t necessary if no ports are accessible anyway (i.e. everything only accessible over Tailscale), and you can just configure iptables to block everything on the WAN IP and call it a day.
source
- irmadlad@lemmy.world ⁨1⁩ ⁨week⁩ ago
  
  sugar_in_your_tea @sh.itjust.works
  
  It’s nice to be commented by someone famous.
  
  Open up the window, let some air into this room I think I’m almost chokin’ from the smell of stale perfume And that cigarette you’re smokin’ 'bout scare me half to death Open up the window, sucker, let me catch my breath
  
  source
  - sugar_in_your_tea@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
    Mama told me not to come.
    
    Fun fact, my usernames on Reddit (I would cycle them every couple of years) were all Three Dog Night lyrics, so I continued the theme on Lemmy.
    
    source