Port knocking - Wikipedia
en.m.wikipedia.org

To mitigate the effort to maintain my personal server, I am considering to only expose ssh port to the outside and use its socks proxy to reach other services. is Portknocking enough to reduce surface of attack to the minimum?

  • NeoNachtwaechter@lemmy.worldEnglish
    12·
    2 years ago

    In your SSH config, you should disallow root login and password authentication.

    It is more secure than these tommyknockers :-) but you can do that additionally, if you feel like it.

    • dalz@fedi.alsd.eu
      1·
      2 years ago

      Why disallow root login? I always need root when I connect, and stealing the password by aliasing sudo/doas is trivial. It seems to me it would just make life harder for no benefit.

      • this_is_router@feddit.deEnglish
        3·
        2 years ago

        Because then:

        • you also need to know the correct username
        • audits and logging shows which user used sudo to gain root access
        • ShortN0te@lemmy.mlEnglish
          0·
          2 years ago
          • you also need to know the correct username

          Use a secure password or key. Security by obscurity is no security.

          • audits and logging shows which user used sudo to gain root access

          That is not the point that was made. Once access to sudo or root you already have lost.