For example, I prefer to use a VPN instead of port forwarding. And I use SSH for anything I used to use an FTP for.

  • thisisawayoflife@lemmy.world
    link
    fedilink
    arrow-up
    11
    ·
    1 year ago

    I share services with the public, so… strong passwords on everything, MFA, host scanning, SSH MAC/KEX/ciphers tweaked to ultra modern set and exposed only with keys with f2b activating on first failure, constant backups and automatic updates and scheduled reboots. Has worked great for a decade+.

  • ASK_ME_ABOUT_LOOM@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    8
    ·
    1 year ago

    SSH key auth for terminal login, plus an nginx proxy and client cert auth on anything accessible by the outside world. I’ll expose any internal service I want because nobody is getting through the client cert auth.

  • poVoq@slrpnk.net
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    TOTP MFA highly recommended on SSH and webconsole. The so called “google-authenticator” makes it easy and despite the name does not use any external Google services.

    • splendoruranium@infosec.pub
      link
      fedilink
      English
      arrow-up
      3
      ·
      edit-2
      1 year ago

      IP whitelisting

      How do you do that? I understand how blocklisting would work but how does whitelisting work in practice? How can you know in advance from which IPs you will connect to your home network in the future? That just seems like a recipe for getting stranded in some hotel without a way into your network.

      • const_void@lemmy.ml
        link
        fedilink
        arrow-up
        2
        ·
        1 year ago

        Blacklist everything then whitelist the IPs you know you’ll be connecting from (work, cell phone, etc). I don’t connect from random places usually. If I need to then I use cellular. You might be better off with a VPN if you need to connect from random places.

        • splendoruranium@infosec.pub
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          Blacklist everything then whitelist the IPs you know you’ll be connecting from (work, cell phone, etc). I don’t connect from random places usually. If I need to then I use cellular. You might be better off with a VPN if you need to connect from random places.

          I see, thanks!
          Is there any concern with whitelisting a cellular CGNAT’s public IP? Presumably that would potentially whitelist thousands or tens of thousands of other mobile devices at once, wouldn’t it?

          • const_void@lemmy.ml
            link
            fedilink
            arrow-up
            1
            ·
            1 year ago

            Is there any concern with whitelisting a cellular CGNAT’s public IP?

            It depends on how much you decide to whitelist. In my case I whitelist my cellular carrier’s IP block. Which does expose those services a little more broadly but I’m willing to risk it.

      • Dogeek@sh.itjust.works
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        You could host a proxy on a vps, somewhere, and use that vps ip address for the whitelisting. At this point setting up a VPN sounds more convenient though