To mitigate the effort to maintain my personal server, I am considering to only expose ssh port to the outside and use its socks proxy to reach other services. is Portknocking enough to reduce surface of attack to the minimum?

  • ShortN0te@lemmy.ml
    link
    fedilink
    English
    arrow-up
    5
    ·
    1 year ago
    • you also need to know the correct username

    Use a secure password or key. Security by obscurity is no security.

    • audits and logging shows which user used sudo to gain root access

    That is not the point that was made. Once access to sudo or root you already have lost.

    • False@lemmy.world
      link
      fedilink
      English
      arrow-up
      20
      ·
      edit-2
      1 year ago

      You’re making it that much easier for someone to brute force logging in or to exploit a known vulnerability. If you have a separate root password (which you should) an attacker needs to get through two passwords to do anything privileged.

      This has been considered an accepted best practice for 20+ years and there’s little reason not to do it anyways. You shouldn’t be running things as root directly regardless.

      • ShortN0te@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        When you have secure passwords kr key auth. Brute force is not a problem. What vulnerability are you talking about? Complete auth bypass? Then the username would be no problem either since you can just brute force usernames.

    • surewhynotlem@lemmy.world
      link
      fedilink
      English
      arrow-up
      10
      ·
      1 year ago

      Security though obscurity, BY ITSELF, is not security. But it’s great at slowing attackers and thwarting automated scripts.

      It’s bad security to ignore possible mitigations to a problem just because it isn’t as full fix.