this post was submitted on 22 Nov 2023
4 points (100.0% liked)
Homelab
371 readers
3 users here now
Rules
- Be Civil.
- Post about your homelab, discussion of your homelab, questions you may have, or general discussion about transition your skill from the homelab to the workplace.
- No memes or potato images.
- We love detailed homelab builds, especially network diagrams!
- Report any posts that you feel should be brought to our attention.
- Please no shitposting or blogspam.
- No Referral Linking.
- Keep piracy discussion off of this community
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Enabling unattended updates -> Hell no. Regular Patchdays
Enable only ssh login with key -> yes
Create user with sudo privileges -> yes
Disable root login -> no
Enable ufw with necessary ports -> Basic iptables, but not on all hosts. But fail2ban
Disable ping -> nope
Change ssh default port 21 to something else. -> nope
Remember to configure fail2ban, the defaults are silly.
Also, these days I prefer crowdsec to fail2ban.
Can you give me ressources on how to configure f2b?
I usually leave the defaults, or maybe tweak the times a bit.
One could only enter my network thru vpn or nginx on 443 anyway, so I am not that worried
The majority of the default fail2ban installations only bans an IP for 10 minutes and uses a 10 minute findtime, e.g. slow brute forcing is not at all banned.
Before I switched to crowdsec (which I really recommend you do, its quite easy) I changed my bantime and findtime in /etc/fail2ban/jail.conf (I think I made a local file... read the file it should say) to something like 8 hours (e.g. change 10m to 640m for both those variables).
Well if you are using strong passwords or no passwords from outside at all, but key auth only, i think you are pretty in the safe side. As i said, i have no ssh port open to the internet. Raising the ban time could only lead to banning myself. 😀
But for ports open to the outside, yes. I ppbly would do that too. Plus hardening the ssh config a bit
I have an open ssh port and I use key auth with password as well as crowdsec. Even if people get my ssh key they would still need to know the password.