Running SSH on a non-provileged port brings new issues. And using 2222 doesn't bring any meaningful security by obscurity advantages.
The rest of the options look nice. It would have if there would be explanations on what the options do in the example configs
Which issues are you referring to?
Using port 2222 may not prevent any real hackers from discovering it, but it sure does prevent a lot of them scripttkiddie attacks that use automated software.
Privileged ports can be used by processes that are running without root permissions. So if the sshd process would crash or stop for some other reason, any malicious user process could pretend to be the real ssh server without privilege escalation. To be fair this isn't really a concern for single user systems. But setting up fail2ban or only making ssh accessible from a local network or VPN would probably be a more helpful hardenening step
And regarding port 2222 it is the most popular non-provileged port used for SSH according to shodan.io So you ain't gaining much obscurity
Passwordless login only. No root login. Fail2ban. Add ufw to stop accidental open port shenanigans, and you are locked down enough
Just use wireguard as VPN and bind ssh only to that interface. You loose public access but I couldn't think of a reason why I want other devices than my own to connect anyway. You have to make sure that ssh starts after wireguard though or it can't bind the port.
Shamelessly plugging https://linuxupskillchallenge.org/ because if you're going to set up an Ubuntu home server you might a well know how to use it.
This is a nice list, but for the novices it's obviously meant for, it's a bad learning experience.
Why? Because it doesn't explain any of the reasoning behind what it asks you to do.
Why are we changing the default SSH port, for example? Someone who is seasoned might identify this is a somewhat limited attempt to obscure our attack surface, but to a novice it's inscrutable and meaningless.
More important than telling people what to do is explaining why, because it puts the learning in context and makes it stick by giving a reason to care.
This is mostly nonsense.
Don't just copy random config from the internet, as annoying as it is, read the docs.
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!