To mitigate the effort to maintain my personal server, I am considering to only expose ssh port to the outside and use its socks proxy to reach other services. is Portknocking enough to reduce surface of attack to the minimum?
To mitigate the effort to maintain my personal server, I am considering to only expose ssh port to the outside and use its socks proxy to reach other services. is Portknocking enough to reduce surface of attack to the minimum?
Bots do not matter. They try just common know exploits. If your root password is not root you are fine.
Root login should be disabled, and ideally remote user auth should be key only, not password. And you should have a passphrase on your key.
Why? Dont recite a blogpost to me explain it. Following blindly security practices you do not understqnd can be very dangerous.
Disableing the root login gains nothing in regarding security. If you have a secure key or a passwordthey attacker will not get in no matter what. And once a account is compromised it ia trivial to extract the sudo passwors with simple aliases.
Passwords can be as secure as keys. Yes be default a weak key is still more secure then a weak passwors. But if you have a strong password policy in place it does not matter. Most valid argument for keys is the ease of you
Having a passphrase on the key is for example for my usecase irrelevant. I run full disk encryption on every device. A passphrase on those keys would not gain me much security only more inconvenience.