SomeBoyo@feddit.de to Selfhosted@lemmy.world · 7 months agoWhat are common practice's for hardening/securing your server?message-squaremessage-square59fedilinkarrow-up11arrow-down10
arrow-up11arrow-down1message-squareWhat are common practice's for hardening/securing your server?SomeBoyo@feddit.de to Selfhosted@lemmy.world · 7 months agomessage-square59fedilink
minus-squarefoggy@lemmy.worldlinkfedilinkEnglisharrow-up0·7 months agoSetup Fail2ban Login only with SSH keys. MFA on SSH login. Use SSH proto 2. Disable passwords, x11 forwarding, root logins Reduce Idle timeout interval Limit users’ SSH access That should be more than enough for the average use case.
minus-squaretaladar@sh.itjust.workslinkfedilinkEnglisharrow-up0·7 months agoRegular updates are definitely necessary too. Also, if you do limit SSH users to a chroot make sure you limit TCP (port) forwarding too.
minus-squarePossibly linux@lemmy.ziplinkfedilinkEnglisharrow-up0·7 months agoContainers can help lock services down if you do it right.
minus-squarefoggy@lemmy.worldlinkfedilinkEnglisharrow-up0·7 months agoYep. Use SSH keys, not just protocol. On connection, it’ll ask for your SSH password (this is different from the users password). After that with something like authelia in place, you’ll be asked for a 2fa code.
minus-squareMaggiWuerze@feddit.delinkfedilinkEnglisharrow-up0·7 months agoSo, no. SSH can’t do 2FA? I would need to set up Authelia and connect through that? I already use ssh keys instead of passwords to connect to my server
minus-squarefoggy@lemmy.worldlinkfedilinkEnglisharrow-up0·7 months agoYes it can. I literally have it set up right now. When I connect to my vps I am promoted for the password for my SSH key. Only works on a machine that has the ssh key. Then I need to use 2fa.
Setup Fail2ban
Login only with SSH keys. MFA on SSH login. Use SSH proto 2.
Disable passwords, x11 forwarding, root logins
Reduce Idle timeout interval
Limit users’ SSH access
That should be more than enough for the average use case.
Regular updates are definitely necessary too. Also, if you do limit SSH users to a chroot make sure you limit TCP (port) forwarding too.
Containers can help lock services down if you do it right.
You can have 2FA on ssh?
Yep. Use SSH keys, not just protocol.
On connection, it’ll ask for your SSH password (this is different from the users password).
After that with something like authelia in place, you’ll be asked for a 2fa code.
So, no. SSH can’t do 2FA? I would need to set up Authelia and connect through that? I already use ssh keys instead of passwords to connect to my server
Yes it can. I literally have it set up right now.
When I connect to my vps I am promoted for the password for my SSH key. Only works on a machine that has the ssh key.
Then I need to use 2fa.