To mitigate the effort to maintain my personal server, I am considering to only expose ssh port to the outside and use its socks proxy to reach other services. is Portknocking enough to reduce surface of attack to the minimum?

  • tinsukE@lemmy.world
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    1
    ·
    1 year ago

    Sounds like security through obscurity to me.

    Highly susceptible to replay and man in the middle attacks.

    If you’re gonna combine that with another authentication method (and you should), then I see little advantage over just going with the other auth method.

    • aksdb@feddit.de
      link
      fedilink
      English
      arrow-up
      2
      ·
      1 year ago

      Sure? It certainly detracts bots that now don’t discover the SSH port anymore. Against a targeted attack it’s less useful, but that is a very hard problem in any case. If someone is out to get you specifically, it will be a tough battle.

      • zaphod@lemmy.ca
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        If you’re worried about bots just use a non-standard port and move on. I did that on my own VPS just to cut down on log chatter and I get absolutely zero ssh attack attempts after the change.

      • ShortN0te@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        arrow-down
        1
        ·
        1 year ago

        Bots do not matter. They try just common know exploits. If your root password is not root you are fine.

        • SheeEttin@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          1 year ago

          Root login should be disabled, and ideally remote user auth should be key only, not password. And you should have a passphrase on your key.

          • ShortN0te@lemmy.ml
            link
            fedilink
            English
            arrow-up
            1
            arrow-down
            2
            ·
            1 year ago

            Should be

            Why? Dont recite a blogpost to me explain it. Following blindly security practices you do not understqnd can be very dangerous.

            Disableing the root login gains nothing in regarding security. If you have a secure key or a passwordthey attacker will not get in no matter what. And once a account is compromised it ia trivial to extract the sudo passwors with simple aliases.

            Passwords can be as secure as keys. Yes be default a weak key is still more secure then a weak passwors. But if you have a strong password policy in place it does not matter. Most valid argument for keys is the ease of you

            Having a passphrase on the key is for example for my usecase irrelevant. I run full disk encryption on every device. A passphrase on those keys would not gain me much security only more inconvenience.

            • 486@kbin.social
              link
              fedilink
              arrow-up
              3
              ·
              edit-2
              1 year ago

              Disableing the root login gains nothing in regarding security.

              This is usually not the reason people recommend disabling root login. Since root is an anonymous account not tied to an actual person, in a corporate setting, you do not really know who used that account if you allow root login. If this is relevant for a personal home network is for you to decide. I would say there is not such a strong argument for it to be made in that setting.

              • ShortN0te@lemmy.ml
                link
                fedilink
                English
                arrow-up
                1
                arrow-down
                1
                ·
                1 year ago

                I absolutely agree with your. It can makes sence the disable it for access control, loging, auditing, etc. .

                But when you look online or just in the comment section here lots of ppl actually recommend it as a security meassure against attackers. “Need to brute force the username as well”

    • 486@kbin.social
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      Highly susceptible to replay and man in the middle attacks.

      fwknop isn’t susceptible to either.