WesMason

Are you a unix person? Do you host your own SSH at home to access "stuff"? If so, what port do you use to get your session started?
#selfhost

@wesmason Non-standard port, plus no password login allowed, only keys.

@wesmason But also: check out Tailscale.

@ben I just finished setting up WireGuard. I use UniFi at home and it was built in. I tried their 'Teleport' option, but I use site-to-site with another UniFi router and because Teleport's VPN address range is not configurable, you can't access sites over the site-to-site.

@wesmason Ironically, I have the same complaint about Tailscale, and was thinking of shutting that down and using plain WG instead.

@wesmason On Tailscale, the non-configurable address range means you can't join two tailnets at once.

@mWare @wesmason Thanks, I might switch to that.

@ben @mWare @wesmason Better handling of multiple Tailnets is on Tailscale's radar, but I don't know how high up their priority list it is (and it's not something that's been done in the ~year ish since we talked to them about it).

(We're looking at Tailscale at work and one of the issues for a university-wide usage, including departmental private networking, is this sort of multi-Tailnet stuff.)

@cks @mWare @wesmason Yeah, it was on their roadmap a few years back when I started using it, too. But I'm not paying for it, so it's only an annoyance for me.

@ben WG's clients on Windows and Android aren't bad. UniFi's interface does not let you use all the features preconfigured in the client config files, but they are text so you can add them as needed. The Linux client had me flipping tables in Linux Mint until I realized there was an applet I could enable to get it on the desktop. I haven't tried OSX or iPhone.

Also figured out that the clients pre-name the VPN based off the imported config file. So a long descriptive filename looks awful once imported.

@wesmason I disable password authentication, set inbound rules, only use SSH keys that are securely stored, disable root login, etc. That’s plenty for most people. Honestly, changing the default port is just security-through-obscurity.

@srfaudio @wesmason And yet, it is found to work. A high majority of the scanning is port-based, and therefore if you're on a different port, it will not be found by the stupid script kiddies. If someone truly competent wants to get in, they will be scanning in a different way, and obfuscation will not work. But how often are you targeted by anyone truly competent?

@wpeckham @srfaudio
You're not wrong, but I'm not expecting the script kiddies to get in either. If anything, my myriad of other services on the same IP are a much more tasty and weaker target.

@wesmason @wpeckham right. I guess my main point is:

The context of the question was SSH at home. If the only way you can SSH in is with securely-stored keys, and only from specific IPs (i.e. Tailscale/WireGuard), what am I really gaining by changing the port at that point?

Public-facing web server? Sure, change the port, as one of many other things you'll do to layer security. But that's largely just to cut down on some of the scan traffic.

@wesmason the advice I’ve heard is that it’s not really worth putting it on a non-standard port. If you have key-based authentication only, no passwords, then there’s no real risk of unauthorised logins even on the standard port. And passwords wouldn’t be safe even on a non-standard port.
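Several posts above describe the same baseline (keys only, no password login, no root login, and a port that may or may not be 22). The script below is an added example, not from any poster in this thread, that audits an sshd_config file for exactly those settings. It assumes OpenSSH's config semantics: the first value found for a keyword wins, lines after a `Match` header are conditional rather than global, and OpenSSH's documented defaults apply when a keyword is absent. The sample config it runs on is constructed for the demo, not a real host's file.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening points raised in the
# thread (keys only, no passwords, no root login) and report the listen port.
# Two details of how sshd reads its config matter here:
#   - the FIRST value found for a keyword wins, later duplicates are ignored;
#   - lines after a "Match" header apply only to matching connections, so
#     they are not global settings and are skipped.

# sshd_effective FILE KEYWORD -> print the effective global value (lowercased),
# or nothing if the keyword is not set globally
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                              # drop comments
        NF == 0 { next }                                # skip blank lines
        tolower($1) == "match" { exit }                 # rest is conditional
        tolower($1) == key { print tolower($2); exit }  # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE -> one line per check on stdout; exit status is the
# number of failed checks (0 means every check passed)
audit_sshd_config() {
    f="$1"
    fails=0
    pw=$(sshd_effective "$f" PasswordAuthentication)
    kbd=$(sshd_effective "$f" KbdInteractiveAuthentication)
    # ChallengeResponseAuthentication is the older alias of the same option
    [ -n "$kbd" ] || kbd=$(sshd_effective "$f" ChallengeResponseAuthentication)
    root=$(sshd_effective "$f" PermitRootLogin)
    pub=$(sshd_effective "$f" PubkeyAuthentication)
    port=$(sshd_effective "$f" Port)
    # OpenSSH defaults apply when a keyword is absent
    : "${pw:=yes}" "${kbd:=yes}" "${root:=prohibit-password}" "${pub:=yes}" "${port:=22}"

    check() {  # check LABEL ACTUAL EXPECTED
        if [ "$2" = "$3" ]; then
            printf 'OK    %s = %s\n' "$1" "$2"
        else
            printf 'FAIL  %s = %s (want %s)\n' "$1" "$2" "$3"
            fails=$((fails + 1))
        fi
    }
    check PasswordAuthentication "$pw" no
    # Without this, PAM can still prompt for a password via keyboard-interactive
    # even though PasswordAuthentication is off
    check KbdInteractiveAuthentication "$kbd" no
    check PermitRootLogin "$root" no
    check PubkeyAuthentication "$pub" yes
    if [ "$port" = 22 ]; then
        printf 'INFO  Port = 22 (standard; keys-only still holds, scan noise is higher)\n'
    else
        printf 'INFO  Port = %s (non-standard)\n' "$port"
    fi
    return "$fails"
}

# Demo on a constructed sample config (not a real host's file). The second
# PasswordAuthentication line and the Match block are deliberately ignored,
# and KbdInteractiveAuthentication is left at its default to show the catch.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample sshd_config
Port 2222
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes   # ignored: first value wins
Match User backup
    PasswordAuthentication yes   # conditional, not a global setting
EOF
audit_sshd_config "$sample" || printf '%s check(s) failed\n' "$?"
rm -f "$sample"
```

Run it against `/etc/ssh/sshd_config` on the host in question; a non-zero exit status is the number of baseline settings that are not in place. The keyboard-interactive check is the one most often missed when people say "passwords are off".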

@benjamineskola I've had SSH open on the standard port for 25 years. I've had so many failed login attempts. Only one successful unauthorized one and that was my own stupidity / learning moment.

@wesmason Anything on the public web: non-standard port. Anything inside my home network: standard port.

@wesmason
On my externally hosted server: non-standard port + no password allowed (only keys).
Accessing my home requires WireGuard. I wrote this Ansible role to manage the config: codeberg.org/etam/ansible-role
