[deleted]

⁨0⁩ ⁨likes⁩

Submitted ⁨⁨8⁩ ⁨months⁩ ago⁩ by ⁨udc@lemmy.world⁩ to ⁨selfhosted@lemmy.world⁩

[deleted]

source

Comments

Sort:hotnew top

truthfultemporarily@feddit.org ⁨8⁩ ⁨months⁩ ago
This is mostly nonsense.

Why block outgoing? Its just going to cause issues for most people. If you’re going to do that, do it centrally (hw firewall)

Why allow http and NTP incoming, when there is no http / NTP server running.

If there is http server running no mention of ssl-config.mozilla.org and modsecurity

If you’re using ufw anyway why not go with applications instead of ports?

In a modern distro, the defaults are usually sane (maybe except TCP), most of the stuff in the SSH config is already default.

Why change the SSH port of a home server, which most likely is not reachable from the outside anyway?

Actually potentially impactful stuff like disabling services you don’t need, such as cups, is not mentioned

unattended-upgrades not mentioned

SELinux / AppArmor not mentioned

LKRG not mentioned lkrg.org

Fail2ban not mentioned

Don’t just copy random config from the internet, as annoying as it is, read the docs.
source
- RubberElectrons@lemmy.world ⁨8⁩ ⁨months⁩ ago
  Til about lkrg.
  
  source
- uranibaba@lemmy.world ⁨8⁩ ⁨months⁩ ago
  
  Why change the SSH port of a home server, which most likely is not reachable from the outside anyway?
  
  And if it is, why change it on the server and not in the fw?
  
  source
  - truthfultemporarily@feddit.org ⁨8⁩ ⁨months⁩ ago
    If you change it, definitely change it on the server so it shows up in netstat and is consistent.
    
    source
    -> View More Comments
- Mordikan@kbin.earth ⁨8⁩ ⁨months⁩ ago
  But you need that legal banner in case your spouse acts up and you need to throw their ass in prison.
  
  source
tiramichu@sh.itjust.works ⁨8⁩ ⁨months⁩ ago
This is a nice list, but for the novices it’s obviously meant for, it’s a bad learning experience.

Why? Because it doesn’t explain any of the reasoning behind what it asks you to do.

Why are we changing the deafuly SSH port, for example? Someone who is seasoned might identify this is a somewhat limited attempt to obscure our attack surface, but to a novice it’s inscrutable and meaningless.

More important than telling people what to do is explaining why, because it puts the learning in context and makes it stick by giving a reason to care.

source
Goodeye8@piefed.social ⁨8⁩ ⁨months⁩ ago
Shamelessly plugging https://linuxupskillchallenge.org/ because if you're going to set up an Ubuntu home server you might a well know how to use it.

source
emhl@feddit.org ⁨8⁩ ⁨months⁩ ago
Running SSH on a non-provileged port brings new issues. And using 2222 doesn’t bring any meaningful security by obscurity advantages.

The rest of the options look nice. It would have if there would be explanations on what the options do in the example configs

source
- Arigion@feddit.org ⁨8⁩ ⁨months⁩ ago
  Just use wireguard as VPN and bind ssh only to that interface. You loose public access but I couldn’t think of a reason why I want other devices than my own to connect anyway.
  
  source
- johannes@lemmy.jhjacobs.nl ⁨8⁩ ⁨months⁩ ago
  Which issues are you referring to?
  
  Using port 2222 may not prevent any real hackers from discovering it, but it sure does prevent a lot of them scripttkiddie attacks that use automated software.
  
  source
  - emhl@feddit.org ⁨8⁩ ⁨months⁩ ago
    Privileged ports can be used by processes that are running without root permissions. So if the sshd process would crash or stop for some other reason, any malicious user process could pretend to be the real ssh server without privilege escalation. To be fair this isn’t really a concern for single user systems. But setting up fail2ban or only making ssh accessible from a local network or VPN would probably be a more helpful hardenening step
    
    source
    -> View More Comments
  - martinb@lemmy.sdf.org ⁨8⁩ ⁨months⁩ ago
    Passwordless login only. No root login. Fail2ban. Add ufw to stop accidental open port shenanigans, and you are locked down enough
    
    source
    -> View More Comments