Comment by rafram
1 day ago
The downside is that if you’re on a two-week vacation and your home network/server goes down on day two, there’s probably nothing you can do until you get home. If it’s hosted online, you can count on that 99.99…% uptime and SSH access no matter what.
I think what they meant is that if it's hosted online / home-network, only allow access to all services through a VPN. Wireguard is relatively easy to set up, and you can configure all your services to only be available through wireguard.
Ever since ssh almost got backdoored, the only thing "exposed" on my servers is Wireguard, which is UDP based and therefore harder to know if it's running. SSH also goes over wireguard.
> ... Wireguard, which is UDP based and therefore harder to know if it's running.
Isn't it basically impossible to know if it's running unless you have an authorized key? I thought it didn't respond at all unless you ping a valid entry key off it.
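The "only WireGuard is exposed, SSH rides over the tunnel" setup from the comments above, as an added example (not any commenter's actual config). It writes a minimal WireGuard server config plus an sshd drop-in that binds SSH to the tunnel address only, and includes a pre-reload check for the sshd settings. The interface name `wg0`, the `10.8.0.0/24` range, port 51820 and the key placeholders are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: generate the two config fragments behind "SSH only over
# WireGuard" and sanity-check the sshd side before reloading.
# wg0, 10.8.0.0/24 and port 51820 are assumptions for this example.
WG_IF=wg0
WG_ADDR=10.8.0.1
WG_PORT=51820

# /etc/wireguard/wg0.conf. WireGuard answers only packets that authenticate
# against a listed peer key, so an unauthenticated scan of $WG_PORT gets
# nothing back (the property discussed in the thread).
write_wg_conf() {
  out=$1; server_privkey=$2; peer_pubkey=$3
  cat >"$out" <<EOF
[Interface]
Address = $WG_ADDR/24
ListenPort = $WG_PORT
PrivateKey = $server_privkey

[Peer]
PublicKey = $peer_pubkey
AllowedIPs = 10.8.0.2/32
EOF
}

# sshd drop-in (e.g. /etc/ssh/sshd_config.d/10-wireguard.conf): listen on the
# tunnel address only, no root login, keys only.
write_sshd_dropin() {
  out=$1
  cat >"$out" <<EOF
ListenAddress $WG_ADDR
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
}

# Check an sshd config for the directives above. Returns 0 only when SSH is
# bound to the tunnel address and both hardening directives are present.
check_sshd_conf() {
  f=$1; rc=0
  grep -Eq "^ListenAddress[[:space:]]+$WG_ADDR\$" "$f" \
    || { echo "sshd: not bound to $WG_ADDR" >&2; rc=1; }
  for kv in "PermitRootLogin no" "PasswordAuthentication no"; do
    grep -Eq "^${kv% *}[[:space:]]+${kv#* }\$" "$f" \
      || { echo "sshd: missing '$kv'" >&2; rc=1; }
  done
  return $rc
}
```

One caveat worth knowing before you apply this: sshd refuses to start if a `ListenAddress` is not yet assigned to any interface, so the WireGuard interface must be up first (on systemd, a drop-in with `After=wg-quick@wg0.service` for `ssh.service`), or leave sshd listening everywhere and let the firewall admit TCP 22 only from `wg0`. Run `sshd -t` after writing the drop-in as a final check.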
Although not perfect, I added a couple features to help ensure uptime:
* LAN components are on a UPS, helps keep continuity between power blips and breaker flips
* Dynamic DNS, cron runs a script 4x per day to ensure a DNS name points to my IP, even if issued a new one by the ISP
* Rebooting everything occasionally to ensure the network and services come back up on their own and I didn't make a mistake with some config that loads at boot, etc.
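The dynamic-DNS cron job from the list above, as an added example rather than the commenter's own script. It only contacts the provider when the public address actually changed, and it records the address only after a successful push so a failed update is retried on the next run. The provider URL, the `DDNS_TOKEN` variable and the hostname are placeholders, not a real API.

```shell
#!/bin/sh
# Added example: a cron-friendly dynamic-DNS updater with change detection.
# Provider URL/token below are placeholders; substitute your provider's API.
STATE=${DDNS_STATE:-/var/lib/ddns/last_ip}
DDNS_HOST=${DDNS_HOST:-home.example.com}

# Current public IPv4 address: OpenDNS answers myip.opendns.com with the
# address the query came from, so no third-party "what is my IP" page is needed.
current_ip() {
  dig +short myip.opendns.com @resolver1.opendns.com A \
    | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# 0 (true) when ip differs from the recorded one, or nothing is recorded yet.
ip_changed() {
  ip=$1; state=$2
  [ -f "$state" ] && [ "$(cat "$state")" = "$ip" ] && return 1
  return 0
}

# Provider-specific push. Placeholder URL shape; DDNS_TOKEN must be set.
push_record() {
  ip=$1
  curl -fsS -H "Authorization: Bearer ${DDNS_TOKEN:?set DDNS_TOKEN}" \
    "https://ddns.example.invalid/update?host=$DDNS_HOST&ip=$ip" >/dev/null
}

# One cron run. Prints "updated" or "unchanged"; fails if the push fails,
# leaving the state file untouched so the next run retries.
run_once() {
  ip=$1; state=$2; push=${3:-push_record}
  if ip_changed "$ip" "$state"; then
    "$push" "$ip" || return 1
    mkdir -p "$(dirname "$state")" && printf '%s\n' "$ip" >"$state"
    echo updated
  else
    echo unchanged
  fi
}

# Cron line for four runs per day, as in the comment:
#   0 */6 * * * /usr/local/bin/ddns.sh
# Only act when invoked as ddns.sh so the functions can be sourced elsewhere.
if [ "${0##*/}" = ddns.sh ]; then
  ip=$(current_ip) || exit 1
  [ -n "$ip" ] || { echo "could not determine public IP" >&2; exit 1; }
  run_once "$ip" "$STATE"
fi
```

Keep the token out of the script itself (a root-only environment file loaded by cron, `chmod 600`), and have cron mail or log the script's output; a silent failure to update DNS is exactly what leaves you locked out on day two of the vacation.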
I run Tailscale on an Apple TV which is on a UPS. The thing uses very little power so the UPS lasts a long, long time.
Do you have to hack the Apple TV to run tailscale on it or how does that work?
Ssh exposed on a non-standard port, with root disabled, using key-based auth should be pretty non-controversial.
The security through obscurity (non-standard port, no root) are both kinda silly but why not.
That said, with awesome services like TailScale, it's pretty hard to get locked out of your network. TailScale is so so good at "just working".
> The security through obscurity (non-standard port, no root) are both kinda silly but why not
I think these are decent controls when layered with others. The effectiveness differs depending on your threat models, of course, but at the very least it helps reduce the noise seen from most automated scans reducing the effort involved in monitoring your assets.
Disabling root provides more than security-through-obscurity if your sudo config requires a password to elevate: it essentially means you need both your SSH private key and your password to gain root.
Fail2ban or rate-limiting SSH into a block table are useful layers to have as well.
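The core of what fail2ban does for SSH, as an added example (not fail2ban's own code and not from any commenter): count failed authentications per source address in the sshd log and emit the block-table entries for addresses over a threshold. The log lines are constructed for the example, and the nftables set name `sshban` in table `inet filter` is an assumption.

```shell
#!/bin/sh
# Added example: fail2ban-style detection over sshd log lines.
# The nft set "sshban" in table "inet filter" is assumed to exist.

# Constructed sample log (not real data): one noisy source, one quiet one,
# one legitimate key login that must not be counted.
write_sample_log() {
  cat >"$1" <<'EOF'
Mar  3 10:01:12 host sshd[1234]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar  3 10:01:15 host sshd[1235]: Failed password for root from 198.51.100.23 port 51240 ssh2
Mar  3 10:01:18 host sshd[1236]: Failed password for invalid user test from 198.51.100.23 port 51244 ssh2
Mar  3 10:01:21 host sshd[1237]: Failed password for invalid user oracle from 198.51.100.23 port 51250 ssh2
Mar  3 10:01:24 host sshd[1238]: Failed password for invalid user ubuntu from 198.51.100.23 port 51256 ssh2
Mar  3 10:02:00 host sshd[1300]: Accepted publickey for alice from 10.8.0.2 port 40000 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:02:30 host sshd[1301]: Invalid user test from 203.0.113.9 port 33333
EOF
}

# Print "ip count" for every source with at least $2 failures (default 5).
# Matches the two sshd failure messages; successful logins are ignored.
offenders() {
  log=$1; threshold=${2:-5}
  awk -v t="$threshold" '
    /sshd\[[0-9]+\]: (Failed password for|Invalid user)/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
  ' "$log" | sort
}

# Turn offenders into nft commands adding them to the block set. Print
# rather than execute so the output can be reviewed or piped into sh.
ban_commands() {
  offenders "$1" "$2" | while read -r ip count; do
    echo "nft add element inet filter sshban { $ip }"
  done
}
```

For the set to expire entries on its own, define it with a timeout (for example `nft add set inet filter sshban '{ type ipv4_addr; flags timeout; timeout 1h; }'`) and add a rule dropping `ip saddr @sshban` on the SSH port. If SSH is reachable only over the VPN, as in the WireGuard comments above, the source addresses here will be tunnel addresses, and the rule belongs on the tunnel interface.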
Another option is port knocking. Super easy to set up and with 4 knocks it provides 64 bits of randomness.
These solutions are composable. Just run it on a VPS over a VPN.
But what if your home hypervisor goes down?
Nothing. You probably thought I said "VPN over a VPS", which would just be the same as a VPN, which isn't composing the solutions.
If you trust someone in your neighborhood/family, you can ask them to power cycle your host and water your plants
That’s a good point.
You can also enjoy your vacation instead :)