Nikola Lakić :arch:  

I've set up different port than default to access remote server via SSH and also disabled password login (pubkey enabled), in /etc/hosts.deny enabled ALL: PARANOID. Anything more to increase security or is this enough?

1+
M10Q  

@nikolal 2fa? =)

1
Nikola Lakić :arch:  

@m10q
Not really needed, but worth considering

1
Rysiekúr (old account)  

@nikolal @m10q I have a nice set-up where SSH is only available on the WireGuard interface, via an Authenticated Tor Hidden Service, or using port-knocking.

Usually use the WireGuard one, the otehr two are failsafes.

1+
kravietz 🦇
Follow

@rysiek @nikolal @m10q I ended up exposing SSH on Yggdrasil network interface only; Tor is anonymous which is not what I need for SSH logins, while Yggdrasil is distributed and encrypted but not anonymous

· · Tusky · 1 · 0 · 0
Rysiekúr (old account)  

@kravietz @nikolal @m10q Tor is anonymous unless we're talking about Authenticated Tor Hidden Services. Which is what I was talking about. ;)

1
kravietz 🦇  

@rysiek @nikolal @m10q comes out Tor HidServAuth is basically a connection from an anonymous client authenticated by a static "security cookie"

1
Rysiekúr (old account)  

@kravietz @nikolal @m10q correct, but the "security cookie" is basically a pre-shared key. I.e. only the Tor client explicitly configured to have that particular "cookie" (it's Tor-client-level, not browser-level) will have it.

0
Sign in to participate in the conversation
Mastodon 🔐 privacytools.io

Fast, secure and up-to-date instance. PrivacyTools provides knowledge and tools to protect your privacy against global mass surveillance.

Website: privacytools.io
Matrix Chat: chat.privacytools.io
Support us on OpenCollective, many contributions are tax deductible!

Resources

Developers

What is Mastodon?

social.privacytools.io

More…