Conversation
Notices
-
Embed this notice
kaia (kaia@brotka.st)'s status on Saturday, 06-Sep-2025 16:48:22 JST 
kaia
I installed Syncthing on a Ubuntu 24 VPS to sync files with others over internet. I'll use the encrypted at-rest functionality.
after reading up how to secure the VPS, I added ufw rules to drop all incoming traffic except SSH and syncthing, disabled root SSH access, created a dedicated user for syncthing, switched on unattended upgrades.
what other measures should I take to harden #linux and #syncthing ?-
Embed this notice
lainy (lain@lain.com)'s status on Saturday, 06-Sep-2025 17:26:35 JST 
lainy
@kaia kaia likes this. -
Embed this notice
kaia (kaia@brotka.st)'s status on Saturday, 06-Sep-2025 17:34:55 JST
kaia
@lain -
Embed this notice
Anton (antondollmaier@mastodon.social)'s status on Saturday, 06-Sep-2025 17:44:40 JST 
Anton
@kaia install fail2ban, disable password login, allow root only with key, and restrict the login to your user only.
kaia likes this. -
Embed this notice
Cheetah Meld (pingviini@pleroma.shunderdo.me)'s status on Saturday, 06-Sep-2025 18:07:46 JST 
Cheetah Meld
@kaia If the VPS has some kind of virtual console access (VNC, noVNC or similar), make sure it's turned off once you have everything set up and only ever turn it on for emergency maintenance. kaia likes this. -
Embed this notice
kc (kartoffelcheetah@social.kartoffelcheetah.eu)'s status on Saturday, 06-Sep-2025 18:13:56 JST 
kc
@kaia It may be trivial, or maybe I'm overthinking of things, but make sure you have some good resource how to set things up.
In case if you want to duplicate the setup or something goes wrong in the future you have a handy resource.
I personally use some ansible script for the basic setup. But some shell script or Readme.md file could be just as good. Even taking notes like follow this guide, plus setup this and this can be helpful.
:jelsmile:kaia likes this. -
Embed this notice
Jijicéka (jeanjack@pleroma.interhacker.space)'s status on Saturday, 06-Sep-2025 19:28:39 JST 
Jijicéka
@kaia not sure it's important to mention it, but just in case : no passwords for ssh. kaia likes this. -
Embed this notice
Bitslingers-R-Us (anachronistjohn@zia.io)'s status on Saturday, 06-Sep-2025 22:50:40 JST 
Bitslingers-R-Us
@lain @kaia The disks are all upside down. Monsters! kaia likes this. -
Embed this notice
kaia (kaia@brotka.st)'s status on Saturday, 06-Sep-2025 22:51:11 JST
kaia
@AnachronistJohn @lain huh is there a correct orientation? -
Embed this notice
kaia (kaia@brotka.st)'s status on Saturday, 06-Sep-2025 22:57:16 JST
kaia
@lain @AnachronistJohn I don't get it :kaia_dumb: -
Embed this notice
lainy (lain@lain.com)'s status on Saturday, 06-Sep-2025 22:57:17 JST
lainy
@kaia @AnachronistJohn as a catholic you should know the answer -
Embed this notice
kaia (kaia@brotka.st)'s status on Saturday, 06-Sep-2025 22:58:23 JST
kaia
@lain @AnachronistJohn oh -
Embed this notice
lainy (lain@lain.com)'s status on Saturday, 06-Sep-2025 23:00:07 JST
lainy
@AnachronistJohn @kaia i mean it makes sense but i've never seen a label that wasn't oriented towards the shutter as top kaia likes this. -
Embed this notice
Bitslingers-R-Us (anachronistjohn@zia.io)'s status on Saturday, 06-Sep-2025 23:00:15 JST
Bitslingers-R-Us
@lain @kaia Since we don't usually handle floppy disks by the shutter end, we'd have to pick them up by the shutter the way they're in the box.
There's lots of controversy about whether the labels go in one orientation or the other, depending on whether you care that they're readable when you're about to insert them versus when they're in their storage box, but that's another matter. -
Embed this notice
Sir Matthew, Black Knight (ent@noauthority.social)'s status on Saturday, 06-Sep-2025 23:36:17 JST 
Sir Matthew, Black Knight
@kaia
Fail2ban for blocking IPs that try to log in and failkaia likes this. -
Embed this notice
kaia (kaia@brotka.st)'s status on Saturday, 06-Sep-2025 23:40:29 JST
kaia
@gemelen is this an ad or did you misunderstand what syncthing does? :l_think: -
Embed this notice
gemelen (gemelen@mammut.moe)'s status on Saturday, 06-Sep-2025 23:40:30 JST 
gemelen
-
Embed this notice
kaia (kaia@brotka.st)'s status on Sunday, 07-Sep-2025 01:21:35 JST
kaia
@mangeurdenuage it's a commercial VPS, I have almost no choice in OS and no choice in how they partition it -
Embed this notice
mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius: (mangeurdenuage@shitposter.world)'s status on Sunday, 07-Sep-2025 01:21:36 JST 
mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius:
@kaia
1: ubuntu isn't recommended if you want hardened security as it already ships proprietary blobs.
2: Separate partitions and do proper mounting options -
Embed this notice
mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius: (mangeurdenuage@shitposter.world)'s status on Sunday, 07-Sep-2025 01:34:57 JST
mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius:
@kaia Dam, even ovh has better options for their vps I recall :sadge: -
Embed this notice
mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius: (mangeurdenuage@shitposter.world)'s status on Sunday, 07-Sep-2025 01:34:57 JST
mangeurdenuage :gnu: :trisquel: :gondola_head: 🌿 :abeshinzo: :ignucius:
@kaia In theory it's possible. When I lived in paris, I followed a friend of mine messing up with such issue. And he basically was able to replace the whole system with Gentoo by chrooting himself.
The other objective of that was to also have the VPS host no data, and only pull data from the house SBC he had and treat the request on the vps (basically via a network file system).kaia likes this.
-
Embed this notice
All GNU social JP content and data are available under the