Comments
-
Pyjong (+1087, 5y): Just sayin: A lot of people bought Raspberry Pi and don't use it for anything while it is completely capable of being a git server. Don't put off the security though.
-
Tisila (+415, 5y): @Pyjong Can you enlighten me on how to push towards a secure instance? What steps should I take?
-
Pyjong (+1087, 5y): @Tisila e.g. you can move your SSH to some non-default port. You can set up iptables to deny IPs that have tried and failed to establish connection n times. You can use port knocking. You can use some scheme to decide when the ssh server's gonna be up and listening and close it for the rest of the time.
-
Tisila (+415, 5y): @Pyjong Thank you! =) That's exactly what I was asking for.
I do already have SSH on a non-default port.
Just have to search up those terms and learn about how to set them up.
-
Tisila (+415, 5y): @macbury I do have a Wireguard VPN setup already working, so at first, I'm gonna take this route.
-
Pyjong (+1087, 5y): Btw, there were plenty more, but this https://www.binaryedge.io/ is one of them who turned around at my RPi before I started hiding the device and blacklisting IPs. I just found it interesting someone makes a living out of this. It's probably legit business though. Back then I think the domain was 40fy.io or something.
-
endor (+5666, 5y): @Pyjong I hope by "blacklisting IPs" you mean using fail2ban to automatically refuse connections after a few failed login attempts, and not manually going through logs, looking for repeat offenders and manually adding iptables rules with their IP.
-
Pyjong (+1087, 5y): @endor Yes, but not fail2ban, there is a way to do this with just iptables (see --hitcount). But TBH, at first I was adding IPs manually as you say, because I thought no one really cares about my domestic IP. I thought it would stop if I ban a few. Then I added the iptables rules, which helped, but people kept trying and the banlist grew, so I installed knockd and wrote a port knocker, which is very simple and that pretty much did it. I tried a few more things, to make it a bit harder for someone who knows you use port knocking, but I don't think I needed that.
-
endor (+5666, 5y): @Pyjong security through obscurity is not as secure as you think. Sure, port knocking can be a good way to camouflage a service, but it can also get in your way when something breaks.
A much safer method is to simply disable password authentication and only use ssh keys, then configure ssh to only use the most secure encryption and key exchange algorithms (see https://stribika.github.io/2015/01/... )
Oh, and if you need to ban large lists of IPs or IP ranges, there's ipset.
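An added example (not from any commenter in this thread) that turns endor's and Pyjong's advice into a check: a POSIX shell audit of an sshd_config's global section for key-only auth, no root password login, pinned key-exchange algorithms and a non-default port. Both config texts in it are constructed samples, and it deliberately mirrors the sshd rule that the first occurrence of a keyword wins, which is the usual way a "hardened" line appended at the bottom of the file silently does nothing.

```shell
#!/bin/sh
# Added example (not from the thread): audit the global section of an
# sshd_config for key-only auth, no root password login, pinned KEX
# algorithms and a non-default port. Match blocks are skipped (conditional).

# effective_value CONFIG_TEXT KEYWORD -> the value sshd will use. sshd honours
# the FIRST occurrence of a keyword, so a hardened line appended below an
# earlier "PasswordAuthentication yes" changes nothing; we mirror that rule.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"              { exit }
        tolower($1) == tolower(key)         { print $2; exit }
    '
}

fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

# audit_sshd CONFIG_TEXT -> prints findings, returns their count (0 = clean)
audit_sshd() {
    cfg=$1; findings=0
    v=$(effective_value "$cfg" PasswordAuthentication)
    [ "${v:-yes}" = no ] || fail "PasswordAuthentication is '${v:-unset}' (default yes); want no"
    v=$(effective_value "$cfg" PermitRootLogin)
    case "${v:-prohibit-password}" in
        no|prohibit-password) ;;
        *) fail "PermitRootLogin is '$v'; want no or prohibit-password" ;;
    esac
    # Keyboard-interactive via PAM is a password prompt by another name.
    v=$(effective_value "$cfg" KbdInteractiveAuthentication)
    if [ -z "$v" ]; then v=$(effective_value "$cfg" ChallengeResponseAuthentication); fi
    [ "${v:-yes}" = no ] || fail "KbdInteractiveAuthentication is '${v:-unset}' (default yes); want no"
    v=$(effective_value "$cfg" KexAlgorithms)
    case "$v" in
        "")     fail "KexAlgorithms not pinned; the default list depends on the sshd version" ;;
        *sha1*) fail "KexAlgorithms still permits a SHA-1 exchange: $v" ;;
    esac
    v=$(effective_value "$cfg" Port)
    [ "${v:-22}" != 22 ] || fail "Port is 22; scanners try the default port first"
    return "$findings"
}

# Constructed sample: hardened lines appended after a stale 'yes' line.
SAMPLE_CFG='PasswordAuthentication yes
Port 2222
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256'
if audit_sshd "$SAMPLE_CFG"; then echo "clean"; else echo "$? finding(s)"; fi
```

On a live host run `audit_sshd "$(cat /etc/ssh/sshd_config)"`; Include directives and drop-in files under sshd_config.d are not followed, so check those separately.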
GitHub is again down, I wonder if they triggered deploy from wrong branch.
Fuck this shit, moving to selfhosted solutions:
https://gitea.io/en-us/
rant