git clone git://git.garbash.com/alex/www

commit 0e3d713181cb5cbf7ee0255b28bd59784ec0d9d0
parent 919edaa7de8337515764875c3c724be1a1570d62
Author: alex <alex@garbash.com>
Date:   Wed, 22 Sep 2021 00:23:45 -0400

notes: Add ssh-hardening

Almost forgot this one! :sweat-smile:

woulda kept me up at night, having spammers knocking down our door!

M index.html                  |  1 +
A notes/005-ssh-hardening.txt | 19 +++++++++++++++++++
2 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/index.html b/index.html @@ -16,6 +16,7 @@ <h2>Done:</h2> <ul> +<li><a href="notes/005-ssh-hardening.txt">SSH hardening</a></li> <li><a href="notes/004-mail-server.txt">Email (SPF, DKIM, etc)</a></li> <li><a href="notes/003-httpd.txt">HTTP(S) server</a></li> <li><a href="notes/002-install.txt">OpenBSD install on Linode</a></li> diff --git a/notes/005-ssh-hardening.txt b/notes/005-ssh-hardening.txt @@ -0,0 +1,19 @@ +005-ssh-hardening -- Tues Sept 21, 2021 + +Just a quick note/reminder that one of the FIRST things you should +ALWAYS do on a new machine is make sure: + +1. root cannot log in (PermitRootLogin no) +2. passwords are not accepted (ssh-key only -- PasswordAuthentication no) + +Both these are set under /etc/ssh/sshd_config. Make sure to upload +your ~/.ssh/id_rsa.pub first to ~/.ssh/authorized_keys (so as not +to lock yourself out!) and then make the edits and reload the daemon: + +# rcctl reload sshd + +We waited literally only 4 hrs to do this and we already had script +kiddies knocking down our /var/log/authlog :( + +If my old coworker Joe was right about one thing, it's that the +internet these days is a cesspool.
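
Review bot: In notes/005-ssh-hardening.txt, the lockout precaution in the paragraph just before `# rcctl reload sshd` stops at uploading the key; nothing verifies that key login actually works or that the edited config parses before the daemon is reloaded. Suggest adding a step to run `sshd -t` after editing /etc/ssh/sshd_config, and to confirm a key-based login from a second session while the current one stays open, before closing it. Since item 1 sets `PermitRootLogin no`, the note should also say that ~/.ssh/authorized_keys belongs to a non-root account that can still escalate, because the `#` prompt implies the edits are made as root. Minor: `~/.ssh/id_rsa.pub` is named as the key to upload; wording it as "your public key (e.g. ~/.ssh/id_rsa.pub)" would keep the note accurate for readers with other key types.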