Bad eh security advice: use an alternative ssh port. Lots of actors try port 22 and other common alternatives. Much fewer will do a full port scan looking for an ssh server then try brute forcing.
Aka csm10495 on kbin.social
- 1 Post
- 23 Comments
Joined 2 years ago
You are not logged in. If you use a Fediverse account that is able to follow users, you can follow this user.
link Englishfedilink 2arrow-up 1·arrow-down 1 month agoedit-2
link Englishfedilink 3 months ago1·arrow-up I have both but just use pihole as a local DNS server/forwarder. I bump into too many random times where sites or redirects don’t work properly since they get blocked.
link Englishfedilink 3 months ago3·arrow-up Consider using containers. I used to think this way, though now my goal is to get down to almost all containers since it’s nice to be able to spin up and down just what the one ‘thing’ needs.
link Englishfedilink 3 months ago3arrow-up 1·arrow-down If this is your fear, why not just have a will or something that specifically describes what to do and where to go?
link Englishfedilink 4 months ago24·arrow-up I’d be down for a smart watch with like a week of battery life, with a backlight on lift, and I guess NFC for paying.
I know I won’t get that combo, but I can dream.
link Englishfedilink 4 months ago3·arrow-up How does a doddle compare to a jiffie?
link Englishfedilink 1 year ago4arrow-up 1·arrow-down Exactly the same boat. But man Cloudflare is better in every way. Having an API to update/fetch records for a zone does wonders.
link Englishfedilink 1 year ago1·arrow-up deleted by creator
link Englishfedilink 2 years ago2·arrow-up In theory you could generate a wildcard to a domain then use it.
link Englishfedilink 2 years ago1arrow-up 2·arrow-down Self hosted. Though hey someone may wind up here via all and scroll and wonder what else there is.
link Englishfedilink 2 years ago2arrow-up 16·arrow-down If you have Prime and aren’t insisting on self hosting: Amazon Photos gives you unlimited full quality photo backups.
link Englishfedilink 2 years ago5·arrow-up Terrible idea of the day: You could use something like NFS and map the drive on all clients. On that drive you can have the latest keys then use symlinking to update, etc.
Something like puppet, chef, ansible are likely better choices.
link Englishfedilink 4arrow-up 2·arrow-down 2 years agoedit-2 I’ll put a recommendation out for if you’re going to open ports: use abnormal ports. Someone is likely to try to hit your port 22 for ssh, but not your port 49231.
Edit: It’s definitely some security by obscurity. Still use a strong password or keys.
link Englishfedilink 2 years ago3·arrow-up For people who don’t mind it not being self hosted: Authy is good for this. You can also set a backup password (to encrypt your tokens on their servers) and optionally use it cross device.
You can allow multi device temporarily to setup, then disable to not allow new devices, etc.
(I get you didn’t ask this specifically, but figure it could be useful to someone else).
link Englishfedilink 2 years ago1·arrow-up Yeah… but I think its overkill. The root cert would be on the same box somewhere nearby. Compromising the host has the same issue as plaintext.
link Englishfedilink 2 years ago2·arrow-up This is likely a too late, but reasonable moment to say this server happens to be Windows based.
… for backup reasons.
(The tool used for online backup only allows home versions of Windows and local drives)
One day if I build a new one, I might start with a Linux base, though that kind of requires this one to be on its last leg before I get to that point. It’s running a processor/mobo that are 14ish years old… so maybe I should think more about it.
link Englishfedilink 2 years ago1·arrow-up I think you hit the nail on the head with the true security being black box. The moment I need access, I’m making a hole.
link Englishfedilink 3·arrow-up 2 years agoedit-2 I guess at the end of the day there is also a root of trust. In an enterprise setting a system giving out certs could be compromised and give out certs to the wrong people/machines. In a home setting, the machine being compromised has a similar affect.
Funny enough, I thought of using a USB stick or something as a physical security key, using that for a vault, then having secrets in the vault… but then realized I’d have to leave it plugged into the server, making it so anyone with server access would get the password anyways.
Makes me think that everything is security by obscurity at some level. The more obscure: the more ‘secure’.
It’s kind of like how an SSH key is generally considered more secure, but if I used password authentication and had a file with a 512 character random password, it would be more/less the same thing. Either way, we have the key in a file.
link Englishfedilink 2·arrow-up 2 years agoedit-2 The problem is that would be so annoying/impractical. In an optimal world, yeah a person checking a prompt and approving could make sense, but in practice that would also mean that the MFA prompt would have to ask for the password anyways. (Or the password would be on the phone with the same problem as on the computer).
Can you imagine having to type a password on an hourly schedule or something? If the password was cached, we have the same problem again.
The UI goes in circles. I wish we stopped changing things when they aren’t broken.