Oh no, you!

  • 0 Posts
  • 4 Comments
Joined 2 years ago
cake
Cake day: November 3rd, 2024

help-circle



  • My home servers have generally a lot smaller attack surface, as only a few ports are actually routed to them, so in theoey I could get away with a more relaxed approach. But I’m also a big believer in defense-in-depth, so I follow the same rules of thumb:

    • iptables (or equivalent) that drops anything incoming that isn’t wanted. It also rejects anything going out that isn’t planned for.
    • any public facing service (except ssh) gets its own user
    • disable root login via ssh
    • ssh login with key only on any user in sudoers