@toiletpaper @CSB
> Either way you're exposing a port on your server and requiring (presumably) a cryptographic key based authentication scheme.
Yes, you always have to expose something, there are no free cookies.
SSH gives you tunneling or terminal. VPN gives you network access. They are different layers of whatever you want to achieve.
> If you think doing that is going to prevent the need for hardening the service, you're frankly fooling yourself
This is stupid reasoning, because your proposal leaves your servers open to attacks from random IPs or VPNs; not even sshguard may fully help here.
It's a lot better to have two authentication systems instead of just one: one to "allow access to servers", then another to "ssh the servers".
So, in case a coworker gets his SSH keys exposed on the internet because he is rtarded, the hackers will also need VPN access, which is harder to get accepted.