You may not want root login.
ssh-keygen -t ed25519
For that new key hotness
The TLDR is here: https://www.digitalocean.com/community/tutorials/recommended-security-measures-to-protect-your-servers
You won’t be protected from a dedicated, knowledgeable attacker until you do the rest of what the other poster said, and then some,
You’re right I didn’t even get to ACME and PKI or TOTP
https://letsencrypt.org/getting-started/
https://openbao.org/docs/secrets/pki/
https://openbao.org/docs/secrets/totp/
And for bonus points build your own certificate authority to sign it all.
https://smallstep.com/blog/build-a-tiny-ca-with-raspberry-pi-yubikey/
Oooof, I know that feeling.
I couldn’t justify putting correct in my username on Lemmy. But I loved the reference too much not to use it, so here I am, a less secure truncated version of a better password.
My condolences
Lol! Honeypot or just bored?
Yeah just like that. Ask more questions
Paranoid external security. I’m assuming you already have a domain name. I’m also assuming you have some ICANN anonymization setup.
This is your local reverse proxy. You can manage all this with a container called Nginx Proxy Manager, but it could benefit you to know its inner workings first. https://www.howtogeek.com/devops/what-is-a-reverse-proxy-and-how-does-it-work/
https://cloud9sc.com/nginx-proxy-manager-hardening/
https://github.com/NginxProxyManager/nginx-proxy-manager
Next you’ll want to proxy your IP address, as you don’t want that pointing to your home address.
https://developers.cloudflare.com/learning-paths/get-started-free/onboarding/proxy-dns-records/
Remote access is next. I would suggest setting up WireGuard on a machine that’s not your webserver, but you can also set that up in a container as well. Either way you’ll need to punch another hole in your router to point to your WireGuard bastion host on your local network. It has many clients for Windows and Linux and Android and iOS.
https://github.com/angristan/wireguard-install
https://www.wireguard.com/quickstart/
https://github.com/linuxserver/docker-wireguard
Now internally, I’m assuming you’re using Linux. In that case I’d suggest securing your SSH on all machines that you log into. On the machines you’re running you should also install fail2ban, UFW, git, and some monitoring if you have the overhead, but the monitoring part is outside of the purview of this comment. If you’re using UFW your very first command should be sudo ufw allow ssh.
https://www.howtogeek.com/443156/the-best-ways-to-secure-your-ssh-server/
https://github.com/fail2ban/fail2ban
https://www.digitalocean.com/community/tutorials/ufw-essentials-common-firewall-rules-and-commands
Now for securing internal Linux, harden the kernel and remove the root user. If you do this you should have a password manager set up. KeePassX or Bitwarden are ones I like. If those suck I’m sure someone will suggest something better. The password manager will have the root password for all of your Linux machines, and they should be different passwords.
https://www.makeuseof.com/ways-improve-linux-user-account-security/
https://bitwarden.com/help/self-host-an-organization/
Finally you can harden the kernel
https://codezup.com/the-ultimate-guide-to-hardening-your-linux-system-with-kernel-parameters/
TLDR: it takes research but a good place to start is here
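The SSH advice in the comment above (no root login, key-based auth with ed25519 keys), as an added example that is not part of the original thread or any of the linked projects: a small POSIX sh audit that reads an sshd_config the way sshd does (first global occurrence wins, Match blocks ignored) and flags directives left at a weak value, plus a check of authorized_keys for key types other than ssh-ed25519. All file contents are constructed for the demo; on a real host point the functions at /etc/ssh/sshd_config and ~/.ssh/authorized_keys.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits an sshd_config for the
# hardened settings recommended above and lists non-ed25519 authorized keys.
# Every file below is constructed for the demo.

# Effective value of a global sshd_config directive. sshd applies the first
# occurrence, so stop at the first match; directives inside Match blocks are
# conditional and are ignored here. Comment lines are skipped. Prints nothing
# if the directive is absent (the caller then applies sshd's default).
sshd_get() {
    # $1 = config file, $2 = directive name (case-insensitive)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Compare one directive to the hardened value; print a finding and return 1
# when it is explicitly set wrong or absent with a weak default.
check_directive() {
    # $1 = config file, $2 = directive, $3 = wanted value, $4 = sshd default
    actual=$(sshd_get "$1" "$2")
    src="set"
    if [ -z "$actual" ]; then
        actual="$4"
        src="default"
    fi
    if [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$3" ]; then
        return 0
    fi
    echo "WEAK: $2 is '$actual' ($src), want '$3'"
    return 1
}

# Audit the directives that matter most on an internet-facing home server.
# Returns the number of weak settings, so 0 means the config passes.
# Defaults are those documented in sshd_config(5) for OpenSSH 7.0 and later.
audit_sshd() {
    weak=0
    check_directive "$1" PermitRootLogin no prohibit-password || weak=$((weak + 1))
    check_directive "$1" PasswordAuthentication no yes || weak=$((weak + 1))
    check_directive "$1" PubkeyAuthentication yes yes || weak=$((weak + 1))
    check_directive "$1" KbdInteractiveAuthentication no yes || weak=$((weak + 1))
    return $weak
}

# Print authorized_keys entries whose key type is anything other than plain
# ssh-ed25519 (options before the type, e.g. "no-pty", are tolerated).
# Returns the count of such entries.
list_non_ed25519_keys() {
    # $1 = authorized_keys file
    awk '
        BEGIN { n = 0 }
        /^[[:space:]]*(#|$)/ { next }
        {
            type = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) { type = $i; break }
            if (type != "" && type != "ssh-ed25519") { print "OLD KEY TYPE: " type " (" $NF ")"; n++ }
        }
        END { exit n }
    ' "$1"
}

# ---- constructed sample inputs -------------------------------------------
WORK=$(mktemp -d)
WEAK_CONF="$WORK/sshd_config.weak"
GOOD_CONF="$WORK/sshd_config.good"
KEYS="$WORK/authorized_keys"

# Constructed: a distro-style config that still allows root and passwords.
cat > "$WEAK_CONF" <<'EOF'
# Comment lines are ignored
Port 22
PermitRootLogin yes
#PasswordAuthentication no
Match User backup
    PasswordAuthentication no
EOF

# Constructed: the hardened version the comment asks for.
cat > "$GOOD_CONF" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
EOF

# Constructed: one legacy RSA key beside an ed25519 key (key material is fake).
cat > "$KEYS" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EFAKEKEYMATERIAL== alice@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEKEYMATERIAL bob@desktop
EOF

echo "== weak config =="; audit_sshd "$WEAK_CONF" || echo "$? weak setting(s)"
echo "== good config =="; audit_sshd "$GOOD_CONF" && echo "passes"
echo "== authorized_keys =="; list_non_ed25519_keys "$KEYS" || echo "$? non-ed25519 key(s)"
```

The weak sample trips three checks: PermitRootLogin is explicitly yes, PasswordAuthentication is only commented out (so sshd's default of yes applies, and the "no" inside the Match block does not help the global setting), and KbdInteractiveAuthentication is unset. The hardened sample passes, and the key listing reports the single ssh-rsa entry.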
FORTRAN could be said to be security through obscurity though /s
Yep, but we’ve got at least a decade to do it, and when new systems are stood up they “should” be in compliance.
Known and vetted systems are always the most secure. Until RSA is broken, and then they’ll need to update to a quantum resilient standard. Which we’ve had in the wild for 6 years already and NIST has officially approved for 2 years.
We’re still at least a decade away from a machine with enough qubits to do it. So I feel like we should be fine.
It’s the fucking Credit Bureaus, Telecoms, and Energy Companies I worry about. They keep fucking up.
Thanks for the suggestion
What would you suggest instead?
Install FreshTomato on this and you’ll get a much better AP with very good firewall and QoS and traffic inspection. Also good SNMP for monitoring.
Hahahaha you said Linux users in the same breath as marginalized folk.
The cloud is Linux. I don’t think social media is where we’re marginalized.
I agree with everything else you’ve said.
Yes, because wages are being suppressed by CEOs. Statistically, if you are in the USA you’ve got a roughly 30% chance to earn a million dollars in your lifetime. You cannot physically earn a billion dollars at the dollar’s current rate. You don’t have enough lifetimes. You’re more likely to win the Powerball 4 times in a row than have a trillion dollars.
Good luck on your journey.
I would suggest having two servers, one to test and one to expose to the Internet. That way if you make a mistake, hopefully you’ll find it before you expose it to the Internet.