commit 0e3d713181cb5cbf7ee0255b28bd59784ec0d9d0 (patch)
parent 919edaa7de8337515764875c3c724be1a1570d62
Author: alex <alex@garbash.com>
Date: Wed, 22 Sep 2021 00:23:45 -0400
notes: Add ssh-hardening
Almost forgot this one! :sweat-smile:
woulda kept me up at night, having spammers knocking down our door!
Diffstat:
2 files changed, 20 insertions(+), 0 deletions(-)
diff --git a/index.html b/index.html
@@ -16,6 +16,7 @@
<h2>Done:</h2>
<ul>
+<li><a href="notes/005-ssh-hardening.txt">SSH hardening</a></li>
<li><a href="notes/004-mail-server.txt">Email (SPF, DKIM, etc)</a></li>
<li><a href="notes/003-httpd.txt">HTTP(S) server</a></li>
<li><a href="notes/002-install.txt">OpenBSD install on Linode</a></li>
diff --git a/notes/005-ssh-hardening.txt b/notes/005-ssh-hardening.txt
@@ -0,0 +1,19 @@
+005-ssh-hardening -- Tues Sept 21, 2021
+
+Just a quick note/reminder that one of the FIRST things you should
+ALWAYS do on a new machine is make sure:
+
+1. root cannot log in (PermitRootLogin no)
+2. passwords are not accepted (ssh-key only -- PasswordAuthentication no)
+
+Both these are set under /etc/ssh/sshd_config. Make sure to upload
+your ~/.ssh/id_rsa.pub first to ~/.ssh/authorized_keys (so as not
+to lock yourself out!) and then make the edits and reload the daemon:
+
+# rcctl reload sshd
+
+We waited literally only 4 hrs to do this and we already had script
+kiddies knocking down our /var/log/authlog :(
+
+If my old coworker Joe was right about one thing, it's that the
+internet these days is a cesspool.
