Port knocking - Wikipedia
en.m.wikipedia.org

To mitigate the effort to maintain my personal server, I am considering to only expose ssh port to the outside and use its socks proxy to reach other services. is Portknocking enough to reduce surface of attack to the minimum?

  • dalz
    -510 months ago

    Why disallow root login? I always need root when I connect, and stealing the password by aliasing sudo/doas is trivial. It seems to me it would just make life harder for no benefit.

    • this_is_routerEnglish
      3110 months ago

      Because then:

      • you also need to know the correct username
      • audits and logging shows which user used sudo to gain root access
      • @ShortN0te@lemmy.mlEnglish
        -2110 months ago
        • you also need to know the correct username

        Use a secure password or key. Security by obscurity is no security.

        • audits and logging shows which user used sudo to gain root access

        That is not the point that was made. Once access to sudo or root you already have lost.

        • @False@lemmy.worldEnglish
          1910 months ago

          You’re making it that much easier for someone to brute force logging in or to exploit a known vulnerability. If you have a separate root password (which you should) an attacker needs to get through two passwords to do anything privileged.

          This has been considered an accepted best practice for 20+ years and there’s little reason not to do it anyways. You shouldn’t be running things as root directly regardless.

          • @ShortN0te@lemmy.mlEnglish
            -410 months ago

            When you have secure passwords kr key auth. Brute force is not a problem. What vulnerability are you talking about? Complete auth bypass? Then the username would be no problem either since you can just brute force usernames.

        • @surewhynotlem@lemmy.worldEnglish
          910 months ago

          Security though obscurity, BY ITSELF, is not security. But it’s great at slowing attackers and thwarting automated scripts.

          It’s bad security to ignore possible mitigations to a problem just because it isn’t as full fix.

    • @NeoNachtwaechter@lemmy.worldEnglish
      610 months ago

      Why disallow root login?

      It is very easy to throw a dictionary at your port 22. It happens every few minutes. And they all try it with the username=root unless they know something better.