this post was submitted on 10 Sep 2023
20 points (83.3% liked)

Selfhosted

38769 readers
556 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
20
Any feedback from port knockers ? (en.m.wikipedia.org)
submitted 11 months ago by rzr@lemmy.sdf.org to c/selfhosted@lemmy.world
33 comments fedilink hide all child comments
 

To mitigate the effort to maintain my personal server, I am considering to only expose ssh port to the outside and use its socks proxy to reach other services. is Portknocking enough to reduce surface of attack to the minimum?

you are viewing a single comment's thread
view the rest of the comments
[–] ShortN0te@lemmy.ml -1 points 11 months ago (1 children)

Should be

Why? Dont recite a blogpost to me explain it. Following blindly security practices you do not understqnd can be very dangerous.

Disableing the root login gains nothing in regarding security. If you have a secure key or a passwordthey attacker will not get in no matter what. And once a account is compromised it ia trivial to extract the sudo passwors with simple aliases.

Passwords can be as secure as keys. Yes be default a weak key is still more secure then a weak passwors. But if you have a strong password policy in place it does not matter. Most valid argument for keys is the ease of you

Having a passphrase on the key is for example for my usecase irrelevant. I run full disk encryption on every device. A passphrase on those keys would not gain me much security only more inconvenience.

[–] 486@kbin.social 3 points 11 months ago* (last edited 11 months ago) (1 children)

Disableing the root login gains nothing in regarding security.

This is usually not the reason people recommend disabling root login. Since root is an anonymous account not tied to an actual person, in a corporate setting, you do not really know who used that account if you allow root login. If this is relevant for a personal home network is for you to decide. I would say there is not such a strong argument for it to be made in that setting.

[–] ShortN0te@lemmy.ml 0 points 11 months ago

I absolutely agree with your. It can makes sence the disable it for access control, loging, auditing, etc. .

But when you look online or just in the comment section here lots of ppl actually recommend it as a security meassure against attackers. "Need to brute force the username as well"