this post was submitted on 20 Apr 2024
137 points (98.6% liked)

Selfhosted

40296 readers
213 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] foggy@lemmy.world 53 points 7 months ago (3 children)

Setup Fail2ban

Login only with SSH keys. MFA on SSH login. Use SSH proto 2.

Disable passwords, x11 forwarding, root logins

Reduce Idle timeout interval

Limit users' SSH access

That should be more than enough for the average use case.

[–] taladar@sh.itjust.works 12 points 7 months ago

Regular updates are definitely necessary too. Also, if you do limit SSH users to a chroot make sure you limit TCP (port) forwarding too.

[–] possiblylinux127@lemmy.zip 4 points 7 months ago

Containers can help lock services down if you do it right.

[–] MaggiWuerze@feddit.de 3 points 7 months ago (1 children)
[–] foggy@lemmy.world 1 points 7 months ago (1 children)

Yep. Use SSH keys, not just protocol.

On connection, it'll ask for your SSH password (this is different from the users password).

After that with something like authelia in place, you'll be asked for a 2fa code.

[–] MaggiWuerze@feddit.de 0 points 7 months ago (2 children)

So, no. SSH can't do 2FA? I would need to set up Authelia and connect through that? I already use ssh keys instead of passwords to connect to my server

[–] foggy@lemmy.world 1 points 7 months ago (1 children)

Yes it can. I literally have it set up right now.

When I connect to my vps I am promoted for the password for my SSH key. Only works on a machine that has the ssh key.

Then I need to use 2fa.

[–] MaggiWuerze@feddit.de 1 points 7 months ago

Ah, so it the asks for the TOTP provided by Authelia? I misunderstood, sorry. That's pretty cool. Do you maybe still have the guide you used to set that up?

[–] lemmyreader@lemmy.ml 1 points 7 months ago

It is possible to have 2FA with a security key and ssh. Been on my to do list for some time to try it.