Key only authentication is your easiest and safest bet. If you want something a little more elegant, look at setting up port knocking if this is a 24/7 service exposed to the public internet. Add a brute-force monitor like fail2ban or crowdsec as an added layer of protection if you want.
Comment on Alternative to ClamAV?
Alami@lemmy.world 9 months ago
I am not a expert in Linux, and I mostly rely on very strong passwords. I also discovered recently basic stuff like changing the default SSH port. Anyone knows of implementation of 2FA on Linux?
just_another_person@lemmy.world 9 months ago
Alami@lemmy.world 9 months ago
Yes I do have fail2ban
just_another_person@lemmy.world 9 months ago
Yubikey as a more portable private key you don’t need to store on a single machine, or make unsafe by shipping it around.
PlexSheep@feddit.de 9 months ago
Changing the default porta is security through obscurity, which is not security but just a waste of time. Don’t rely on attackers “maybe not finding stuff” but rely on your stuff being secure, even if someone had all information about your network and system architecture.
For 2fa, the other commenter mentioned yubikey pam modules. Those are probably useful, but if you want to secure your ssh server, the best solution is to use ssh keys and disable password login. I can really recommend that as its one of the few things in security that improves both usability and security.
Alami@lemmy.world 9 months ago
What’s an ssh key? Nvm I’ll research
PlexSheep@feddit.de 9 months ago
Welcome to the top of cryptography.
adam@kbin.pieho.me 9 months ago
One of the first things my base ansible role does is disable password logins. All keys, all the time.
PlexSheep@feddit.de 9 months ago
Never tried Ansible, I just use git and shell scripts, any advice to get started?
adam@kbin.pieho.me 9 months ago
Depends on how you like to learn. I'm a doer so I just got stuck in building and bodging things together.
Plenty of videos about, Jeff Geerling (youtuber who does lots of Raspberry Pi stuff) has a bunch of videos and a book.
Well worth it though. I couple it with terraform to handle the infra stuff and I can have a basic VPS spun up with a locked down firewall and SSH with a single command and about 5 minutes.
ChillPill@lemmy.world 9 months ago
If at all possible, do not expose things like ssh, RDP, etc to the internet. Use traditional VPN or something like tail scale. Just because ssh is on a different port than normal doesnt mean an attacker couldn’t figure out that your running ssh on port 335.
Alami@lemmy.world 9 months ago
Well fail2ban went from very active to very quiet. It is definitely worth not leaving 22
RepulsiveDog4415@feddit.de 9 months ago
I have a yubikey and use their pam-module for 2FA on sudo and ssh. Took a bit of time to configure, but now it works like charm: wiki.archlinux.org/title/YubiKey#Linux_user_authe…
Alami@lemmy.world 9 months ago
Thanks, I’m looking into it