this post was submitted on 20 Apr 2024
137 points (98.6% liked)

Selfhosted

40347 readers
340 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] taaz@biglemmowski.win 10 points 7 months ago* (last edited 7 months ago) (2 children)

I wouldn't recommend putting ssh behind any vpn connection unles you have a secondary access to the machine (for example virtual tty/terminal from your provider or local network ssh). At best, ssh should be the only publicly accessible service (unless hosting other services that need to be public accessible).

I usually move the ssh port to some higher number just to get rid of the basic scanners/skiddies.

Also disable password login (only keys) and no root login.

And for extra hardening, explicitly allow ssh for only users that need it (in sshd config).

[–] Poutinetown@lemmy.ca 8 points 7 months ago (1 children)

Ssh behind a wire guard VPN server is technically more secure if you don't have a key-only login, but a pain if the container goes down or if you need to access the server without access to wireguards VPN client on your device.

[–] Lem453@lemmy.ca 10 points 7 months ago* (last edited 7 months ago) (1 children)

Highly recommend getting a router that can accept wireguard connections. If the router goes down you're not accessing anything anyways.

Then always put ssh behind the wireguard connections.

For a homelab, there is rarely a need to expose ssh directly so best practice will always be to have multi layered security when possible.

[–] Poutinetown@lemmy.ca 4 points 7 months ago

Yeah it's good to have a system separate from the main server. It's always so frustrating having to debug wireguard issues cause there's some problem with docker

[–] Archer@lemmy.world 1 points 7 months ago

Do the secure thing and only access your Linux shell over Discord!

/s