• foggy@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    8 months ago

    Setup Fail2ban

    Login only with SSH keys. MFA on SSH login. Use SSH proto 2.

    Disable passwords, x11 forwarding, root logins

    Reduce Idle timeout interval

    Limit users’ SSH access

    That should be more than enough for the average use case.

      • foggy@lemmy.world
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        Yep. Use SSH keys, not just protocol.

        On connection, it’ll ask for your SSH password (this is different from the users password).

        After that with something like authelia in place, you’ll be asked for a 2fa code.

        • MaggiWuerze@feddit.de
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          8 months ago

          So, no. SSH can’t do 2FA? I would need to set up Authelia and connect through that? I already use ssh keys instead of passwords to connect to my server

          • lemmyreader@lemmy.ml
            link
            fedilink
            English
            arrow-up
            1
            ·
            8 months ago

            It is possible to have 2FA with a security key and ssh. Been on my to do list for some time to try it.

          • foggy@lemmy.world
            link
            fedilink
            English
            arrow-up
            1
            ·
            8 months ago

            Yes it can. I literally have it set up right now.

            When I connect to my vps I am promoted for the password for my SSH key. Only works on a machine that has the ssh key.

            Then I need to use 2fa.

            • MaggiWuerze@feddit.de
              link
              fedilink
              English
              arrow-up
              1
              ·
              8 months ago

              Ah, so it the asks for the TOTP provided by Authelia? I misunderstood, sorry. That’s pretty cool. Do you maybe still have the guide you used to set that up?

    • taladar@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      1
      ·
      8 months ago

      Regular updates are definitely necessary too. Also, if you do limit SSH users to a chroot make sure you limit TCP (port) forwarding too.