• catloaf@lemm.ee
    link
    fedilink
    English
    arrow-up
    33
    ·
    edit-2
    7 months ago

    Don’t expose anything to the Internet that you don’t absolutely have to. If you can, put everything behind a VPN gateway.

    Make backups. Follow the 3-2-1 rule.

      • taaz@biglemmowski.win
        link
        fedilink
        English
        arrow-up
        11
        arrow-down
        2
        ·
        edit-2
        7 months ago

        I wouldn’t recommend putting ssh behind any vpn connection unles you have a secondary access to the machine (for example virtual tty/terminal from your provider or local network ssh). At best, ssh should be the only publicly accessible service (unless hosting other services that need to be public accessible).

        I usually move the ssh port to some higher number just to get rid of the basic scanners/skiddies.

        Also disable password login (only keys) and no root login.

        And for extra hardening, explicitly allow ssh for only users that need it (in sshd config).

        • Poutinetown@lemmy.ca
          link
          fedilink
          English
          arrow-up
          8
          ·
          7 months ago

          Ssh behind a wire guard VPN server is technically more secure if you don’t have a key-only login, but a pain if the container goes down or if you need to access the server without access to wireguards VPN client on your device.

          • Lem453@lemmy.ca
            link
            fedilink
            English
            arrow-up
            10
            ·
            edit-2
            7 months ago

            Highly recommend getting a router that can accept wireguard connections. If the router goes down you’re not accessing anything anyways.

            Then always put ssh behind the wireguard connections.

            For a homelab, there is rarely a need to expose ssh directly so best practice will always be to have multi layered security when possible.

            • Poutinetown@lemmy.ca
              link
              fedilink
              English
              arrow-up
              4
              ·
              7 months ago

              Yeah it’s good to have a system separate from the main server. It’s always so frustrating having to debug wireguard issues cause there’s some problem with docker