To mitigate the effort to maintain my personal server, I am considering to only expose ssh port to the outside and use its socks proxy to reach other services. is Portknocking enough to reduce surface of attack to the minimum?

  • NeoNachtwaechter@lemmy.world
    link
    fedilink
    English
    arrow-up
    21
    ·
    1 year ago

    In your SSH config, you should disallow root login and password authentication.

    It is more secure than these tommyknockers :-) but you can do that additionally, if you feel like it.

    • dalz@fedi.alsd.eu
      link
      fedilink
      arrow-up
      3
      arrow-down
      10
      ·
      1 year ago

      Why disallow root login? I always need root when I connect, and stealing the password by aliasing sudo/doas is trivial. It seems to me it would just make life harder for no benefit.

      • this_is_router@feddit.de
        link
        fedilink
        English
        arrow-up
        29
        ·
        1 year ago

        Because then:

        • you also need to know the correct username
        • audits and logging shows which user used sudo to gain root access
        • ShortN0te@lemmy.ml
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          24
          ·
          1 year ago
          • you also need to know the correct username

          Use a secure password or key. Security by obscurity is no security.

          • audits and logging shows which user used sudo to gain root access

          That is not the point that was made. Once access to sudo or root you already have lost.

          • False@lemmy.world
            link
            fedilink
            English
            arrow-up
            19
            ·
            edit-2
            1 year ago

            You’re making it that much easier for someone to brute force logging in or to exploit a known vulnerability. If you have a separate root password (which you should) an attacker needs to get through two passwords to do anything privileged.

            This has been considered an accepted best practice for 20+ years and there’s little reason not to do it anyways. You shouldn’t be running things as root directly regardless.

            • ShortN0te@lemmy.ml
              link
              fedilink
              English
              arrow-up
              1
              arrow-down
              5
              ·
              1 year ago

              When you have secure passwords kr key auth. Brute force is not a problem. What vulnerability are you talking about? Complete auth bypass? Then the username would be no problem either since you can just brute force usernames.

          • surewhynotlem@lemmy.world
            link
            fedilink
            English
            arrow-up
            9
            ·
            1 year ago

            Security though obscurity, BY ITSELF, is not security. But it’s great at slowing attackers and thwarting automated scripts.

            It’s bad security to ignore possible mitigations to a problem just because it isn’t as full fix.

      • NeoNachtwaechter@lemmy.world
        link
        fedilink
        English
        arrow-up
        7
        ·
        1 year ago

        Why disallow root login?

        It is very easy to throw a dictionary at your port 22. It happens every few minutes. And they all try it with the username=root unless they know something better.