framebuffer :archlinux: :gentoo: :tuxspin: (fuzzylinuxuser@den.raccoon.quest)'s status on Thursday, 23-Nov-2023 17:16:04 JST
It's good practice to keep the botnets away from brute-forcing your server by banning them, restricting login to keys only, isolating things, etc.
✙ dcc :pedomustdie: :phear_slackware: (dcc@annihilation.social)'s status on Thursday, 23-Nov-2023 17:16:01 JST
@dushman @fuzzylinuxuser Fail2ban is trash.
Either do port knocking, or hide it behind a VPN.
Dushman (dushman@den.raccoon.quest)'s status on Thursday, 23-Nov-2023 17:16:03 JST
@fuzzylinuxuser
Yeah, always use fail2ban on SSH servers open to the public internet.
✙ dcc :pedomustdie: :phear_slackware: (dcc@annihilation.social)'s status on Thursday, 23-Nov-2023 17:19:35 JST
@dushman @fuzzylinuxuser You can ban yourself; port knocking is more effective anyway.
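As an added example (not code from anyone in this thread), here is a toy Python re-implementation of fail2ban's maxretry / findtime / bantime logic run over constructed sshd log lines. It reproduces the self-ban dcc mentions (the admin mistyping a password from the LAN gets locked out) and the fix, an ignore list, which fail2ban's jail.conf exposes as `ignoreip`. The addresses, timestamps, thresholds and log lines are all made up for the example.

```python
import re
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Pulls the source address out of an OpenSSH "Failed password" message.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

# Constructed sample log: (seconds since an arbitrary epoch, sshd message).
# 203.0.113.7 plays a scanner; 192.168.1.20 is the admin mistyping their own
# password from the LAN. None of these lines come from a real host.
SAMPLE_LOG = [
    (0, "Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"),
    (1, "Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2"),
    (2, "Failed password for root from 203.0.113.7 port 51236 ssh2"),
    (3, "Failed password for root from 203.0.113.7 port 51237 ssh2"),
    (4, "Failed password for root from 203.0.113.7 port 51238 ssh2"),
    (30, "Failed password for alice from 192.168.1.20 port 40001 ssh2"),
    (31, "Failed password for alice from 192.168.1.20 port 40002 ssh2"),
    (32, "Failed password for alice from 192.168.1.20 port 40003 ssh2"),
    (33, "Failed password for alice from 192.168.1.20 port 40004 ssh2"),
    (34, "Failed password for alice from 192.168.1.20 port 40005 ssh2"),
    (5000, "Failed password for root from 203.0.113.7 port 51300 ssh2"),
]


class SshJail:
    """Toy jail with fail2ban's knobs: ban after maxretry failures within findtime,
    lift the ban after bantime, never ban anything covered by ignoreip."""

    def __init__(self, maxretry=5, findtime=600, bantime=3600, ignoreip=()):
        self.maxretry = maxretry
        self.findtime = findtime
        self.bantime = bantime
        self.ignore = [ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.bans = {}                      # ip -> time the ban expires

    def is_ignored(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.ignore)

    def is_banned(self, ip, now):
        expiry = self.bans.get(ip)
        if expiry is None:
            return False
        if now >= expiry:        # bantime elapsed: unban
            del self.bans[ip]
            return False
        return True

    def observe(self, now, line):
        """Feed one log line; return the IP if this line triggers a new ban."""
        m = FAILED_RE.search(line)
        if not m:
            return None
        ip = m.group("ip")
        if self.is_ignored(ip) or self.is_banned(ip, now):
            return None
        window = self.failures[ip]
        window.append(now)
        while now - window[0] > self.findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= self.maxretry:
            self.bans[ip] = now + self.bantime
            window.clear()
            return ip
        return None


def run_jail(log, ignoreip=()):
    """Replay a log through a fresh jail; return the (time, ip) ban events."""
    jail = SshJail(ignoreip=ignoreip)
    return [(ts, ip) for ts, line in log if (ip := jail.observe(ts, line))]


if __name__ == "__main__":
    print("no ignoreip:", run_jail(SAMPLE_LOG))
    print("LAN ignored:", run_jail(SAMPLE_LOG, ignoreip=["192.168.0.0/16"]))
```

Without an ignore list the replay bans both the scanner and the admin's LAN address; with `192.168.0.0/16` ignored only the scanner is banned, and the scanner's later attempt at t=5000 is counted afresh because its one-hour ban has expired. The same lockout happens with a real fail2ban if the management network is missing from `ignoreip`, which is the reason to put it there before enabling the sshd jail.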
Dushman (dushman@den.raccoon.quest)'s status on Thursday, 23-Nov-2023 17:19:37 JST
@dcc@annihilation.social @fuzzylinuxuser@den.raccoon.quest
> Fail2ban is trash
It works well 🗞
✙ dcc :pedomustdie: :phear_slackware: (dcc@annihilation.social)'s status on Thursday, 23-Nov-2023 17:22:53 JST
@fuzzylinuxuser @dushman That's almost what port knocking is.
framebuffer :archlinux: :gentoo: :tuxspin: (fuzzylinuxuser@den.raccoon.quest)'s status on Thursday, 23-Nov-2023 17:22:55 JST
@dcc@annihilation.social @dushman@den.raccoon.quest Would it be beneficial to automatically close ports after logging out and then re-authenticate to the server, opening the port?
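Added example, not code from any post in this thread: a Python model of the per-source state a knockd-style daemon keeps, covering the two behaviours that matter for the question above. A wrong port resets a partial sequence, so a linear port scan that happens to hit the first knock port gets nowhere, and the window opened by a correct sequence expires on its own, which is the "automatically close" behaviour without any logout hook. The knock sequence, timeouts and addresses are invented for the example.

```python
from dataclasses import dataclass

# Hypothetical knock policy for this example (not taken from any real deployment).
KNOCK_SEQUENCE = (7000, 8000, 9000)  # ports that must be hit in this order
KNOCK_TIMEOUT = 10.0                 # max seconds between consecutive knocks
OPEN_FOR = 30.0                      # seconds the service port accepts new connections
SERVICE_PORT = 22


@dataclass
class Progress:
    hits: int = 0          # how many knocks of the sequence this source has completed
    last: float = 0.0      # time of the last correct knock


class PortKnocker:
    """Per-source knock state as a knockd-style daemon keeps it."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT,
                 open_for=OPEN_FOR, service_port=SERVICE_PORT):
        self.sequence = sequence
        self.timeout = timeout
        self.open_for = open_for
        self.service_port = service_port
        self.progress = {}   # src -> Progress
        self.opened = {}     # src -> expiry time of its open window

    def is_open(self, src, now):
        expiry = self.opened.get(src)
        if expiry is None:
            return False
        if now >= expiry:          # window elapsed: the port closes again by itself
            del self.opened[src]
            return False
        return True

    def packet(self, now, src, dport):
        """Handle one inbound connection attempt; return the verdict.

        ACCEPT: dport is the service port and src completed the sequence recently
        OPENED: this knock completed the sequence and opened the window for src
        DROP:   everything else (knocks themselves are never answered)
        """
        if dport == self.service_port:
            return "ACCEPT" if self.is_open(src, now) else "DROP"
        state = self.progress.get(src, Progress())
        if state.hits and now - state.last > self.timeout:
            state = Progress()                      # stale partial sequence starts over
        if dport == self.sequence[state.hits]:
            state.hits += 1
            state.last = now
            if state.hits == len(self.sequence):
                self.progress.pop(src, None)
                self.opened[src] = now + self.open_for
                return "OPENED"
            self.progress[src] = state
        else:
            self.progress.pop(src, None)            # wrong port resets: a linear scan
        return "DROP"                               # (7000, 7001, ...) never gets through


# Constructed traffic: (time, source, destination port).
EVENTS = [
    (0.0, "198.51.100.5", 22),     # DROP: no knock yet
    (1.0, "198.51.100.5", 7000),   # DROP: knock 1
    (2.0, "198.51.100.5", 8000),   # DROP: knock 2
    (3.0, "198.51.100.5", 9000),   # OPENED
    (4.0, "198.51.100.5", 22),     # ACCEPT inside the 30 s window
    (5.0, "203.0.113.9", 7000),    # scanner hits knock 1 by accident
    (6.0, "203.0.113.9", 7001),    # DROP: wrong port, sequence reset
    (7.0, "203.0.113.9", 8000),    # DROP: out of order, still nothing
    (8.0, "203.0.113.9", 22),      # DROP
    (40.0, "198.51.100.5", 22),    # DROP: window expired at 33.0
    (50.0, "198.51.100.5", 7000),  # knock 1 again
    (65.0, "198.51.100.5", 8000),  # DROP: 15 s gap exceeded the knock timeout
    (66.0, "198.51.100.5", 9000),  # DROP: sequence must restart from 7000
]


def simulate(events, knocker=None):
    """Run events through one knocker; return the list of verdicts."""
    knocker = knocker or PortKnocker()
    return [knocker.packet(t, src, port) for t, src, port in events]


if __name__ == "__main__":
    for (t, src, port), verdict in zip(EVENTS, simulate(EVENTS)):
        print(f"{t:6.1f}  {src:14}  :{port:<5}  {verdict}")
```

Two caveats a practitioner would add. In a real iptables/nftables deployment the knock window only needs to admit new connections; an already established SSH session is normally matched by the firewall's established/related rule and keeps running after the window closes, so the "close after logout" effect comes for free for the next connection. And the knock sequence travels in the clear, so anyone who can watch the path can replay it; knocking hides the port from scanners and cuts log noise, but it is not authentication and does not replace keys-only login.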
menherahair (menherahair@eientei.org)'s status on Thursday, 23-Nov-2023 18:24:45 JST
@dushman @fuzzylinuxuser Do this and one of these modern ciphers is gonna get pwned one day, and you'll never fix the setting because you copy config lines from fediverse posts.
Dushman (dushman@den.raccoon.quest)'s status on Thursday, 23-Nov-2023 18:24:46 JST
@fuzzylinuxuser
Also, I recommend enforcing only modern ciphers on your SSH server as well. Just slap this in sshd_config.
# Ciphers and keying
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,curve25519-sha256,ecdh-sha2-nistp384
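Added example, not part of Dushman's post or of OpenSSH: a small Python checker that reads the algorithm keywords in the form sshd_config uses (or the lowercase form `sshd -T` prints) and flags legacy names, run against a constructed weak fragment and against the fragment from the post above. The marker list is this example's own policy, not something OpenSSH publishes, and it is the thing to revisit when one of these algorithms falls, which is the maintenance point menherahair raises.

```python
import re

# Substrings that mark an algorithm as legacy. This list is this example's own
# policy (an assumption), not something OpenSSH publishes; extend it as needed.
WEAK_MARKERS = {
    "ciphers": ("-cbc", "arcfour", "3des", "blowfish", "cast128"),
    "macs": ("hmac-md5", "hmac-sha1", "umac-64", "ripemd160"),
    "kexalgorithms": ("diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                      "diffie-hellman-group-exchange-sha1"),
}


def parse_algorithm_lines(text):
    """Collect the three algorithm keywords from 'Keyword value' text.

    Accepts the mixed-case form written in sshd_config and the lowercase form
    `sshd -T` prints. A value starting with '-' removes names from OpenSSH's
    default set, so nothing new is enabled and it is skipped; '+' and '^' add
    to the defaults, which this parser cannot see, so only the listed names
    are kept.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key not in WEAK_MARKERS:
            continue
        modifier = value[0] if value and value[0] in "+-^" else ""
        if modifier == "-":
            continue
        names = [a.strip() for a in value[len(modifier):].split(",") if a.strip()]
        settings[key] = names
    return settings


def audit(text):
    """Return {keyword: [legacy names]} for each keyword that lists one."""
    findings = {}
    for key, names in parse_algorithm_lines(text).items():
        weak = [n for n in names if any(m in n.lower() for m in WEAK_MARKERS[key])]
        if weak:
            findings[key] = weak
    return findings


# Constructed legacy fragment, the kind left behind for an old appliance.
WEAK_CONFIG = """
Ciphers aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-sha2-256,hmac-sha1,hmac-md5-96
KexAlgorithms diffie-hellman-group14-sha1,curve25519-sha256
"""

# The lines from Dushman's post above.
POSTED_CONFIG = """
# Ciphers and keying
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256@libssh.org,curve25519-sha256,ecdh-sha2-nistp384
"""

if __name__ == "__main__":
    print("legacy fragment:", audit(WEAK_CONFIG))
    print("posted fragment:", audit(POSTED_CONFIG))
```

Two checks go with pinning algorithm lists like this. Run `sshd -t` after editing, because an algorithm name your OpenSSH build does not know is a fatal config error and sshd will not start; `ssh -Q cipher`, `ssh -Q mac` and `ssh -Q kex` list what the installed version supports. And when the config uses `+`, `-` or `^`, audit the output of `sshd -T` rather than the file, since that output is the fully expanded list sshd actually offers.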