Comment by jauntywundrkind
1 day ago
SSH exposed on a non-standard port, with root disabled, using key-based auth should be pretty non-controversial.
The security-through-obscurity measures (non-standard port, no root) are both kinda silly, but why not.
That said, with awesome services like TailScale, it's pretty hard to get locked out of your network. TailScale is so so good at "just working".
> The security-through-obscurity measures (non-standard port, no root) are both kinda silly, but why not
I think these are decent controls when layered with others. The effectiveness differs depending on your threat models, of course, but at the very least it helps reduce the noise seen from most automated scans, reducing the effort involved in monitoring your assets.
Disabling root provides more than security-through-obscurity if your sudo config requires a password to elevate: it essentially means you need both your SSH private key and your password to gain root.
Fail2ban or rate-limiting SSH into a block table are useful layers to have as well.
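The settings discussed in the comments above (non-default port, root login disabled, key-only auth, and sudo still requiring a password) can be checked mechanically. The POSIX shell script below is an added example and not code posted by any commenter; it audits an `sshd_config` and a sudoers file against exactly those points. The sample files it writes are constructed, and the keyword defaults it assumes (`Port 22`, `PermitRootLogin prohibit-password`, `PasswordAuthentication yes`, `PubkeyAuthentication yes`) are those documented in sshd_config(5) for current OpenSSH releases.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config (and a sudoers file)
# for the controls discussed above. The sample files and their contents are
# constructed; keyword defaults follow sshd_config(5).

# Effective value of a global sshd_config keyword. sshd honours the FIRST
# occurrence of a keyword, keywords are case-insensitive, and anything after
# the first "Match" line is conditional, so parsing stops there.
sshd_effective() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/  { next }           # skip comments and blank lines
        { sub(/=/, " ") }                         # accept the "Keyword=value" form
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# Report weak settings on stderr and print the number of findings on stdout,
# so the result can be consumed by other scripts.
audit_sshd_config() {
    cfg=$1; n=0
    port=$(sshd_effective "$cfg" Port);                 port=${port:-22}
    root=$(sshd_effective "$cfg" PermitRootLogin);      root=${root:-prohibit-password}
    pw=$(sshd_effective "$cfg" PasswordAuthentication); pw=${pw:-yes}
    pub=$(sshd_effective "$cfg" PubkeyAuthentication);  pub=${pub:-yes}

    if [ "$port" = 22 ]; then
        echo "NOTE: Port 22 (default; expect noise from automated scans)" >&2; n=$((n + 1))
    fi
    if [ "$root" != no ]; then
        echo "WEAK: PermitRootLogin $root (thread recommends 'no')" >&2; n=$((n + 1))
    fi
    if [ "$pw" != no ]; then
        echo "WEAK: PasswordAuthentication $pw (key-based auth only means 'no')" >&2; n=$((n + 1))
    fi
    if [ "$pub" != yes ]; then
        echo "WEAK: PubkeyAuthentication $pub (required for key-based auth)" >&2; n=$((n + 1))
    fi
    echo "$n"
}

# Count active (non-comment) sudoers rules carrying NOPASSWD. Any such rule
# removes the "SSH key AND password to reach root" property from the thread.
sudoers_nopasswd_count() {
    grep -v '^[[:space:]]*#' "$1" | grep -c 'NOPASSWD' || true
}

# --- constructed sample inputs (hypothetical files, removed on exit) ---
WEAK_SSHD=$(mktemp); HARD_SSHD=$(mktemp); WEAK_SUDO=$(mktemp); HARD_SUDO=$(mktemp)
trap 'rm -f "$WEAK_SSHD" "$HARD_SSHD" "$WEAK_SUDO" "$HARD_SUDO"' EXIT

cat > "$WEAK_SSHD" <<'EOF'
# Port left at its default (22)
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$HARD_SSHD" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication=no
Match User backup
    PasswordAuthentication yes
EOF

cat > "$WEAK_SUDO" <<'EOF'
# %wheel ALL=(ALL) NOPASSWD: ALL   <- commented out, must not be counted
%wheel ALL=(ALL) NOPASSWD: ALL
EOF

cat > "$HARD_SUDO" <<'EOF'
%wheel ALL=(ALL) ALL
EOF

for f in "$WEAK_SSHD" "$HARD_SSHD"; do
    echo "== $f: $(audit_sshd_config "$f") sshd finding(s)"
done
echo "NOPASSWD rules: weak=$(sudoers_nopasswd_count "$WEAK_SUDO") hardened=$(sudoers_nopasswd_count "$HARD_SUDO")"
```

Run it against a real host with `audit_sshd_config /etc/ssh/sshd_config` and `sudoers_nopasswd_count /etc/sudoers` (as a user allowed to read those files). Note that the script only inspects the global section of `sshd_config`; per-user or per-address `Match` blocks can still loosen a setting and should be reviewed by hand.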
Another option is port knocking. Super easy to set up, and with 4 knocks it provides 64 bits of randomness.