Comments
- Pyjong (5y): Just sayin': a lot of people bought a Raspberry Pi and don't use it for anything, while it is completely capable of being a git server. Don't put off the security though.
- Tisila (5y): @Pyjong Can you enlighten me on how to push towards a secure instance? What steps should I take?
- Pyjong (5y): @Tisila E.g. you can move your SSH to some non-default port. You can set up iptables to deny IPs that have tried and failed to establish a connection n times. You can use port knocking. You can use some scheme to decide when the SSH server is going to be up and listening, and close it for the rest of the time.
- Tisila (5y): @Pyjong Thank you! =) That's exactly what I was asking for.

  I do already have SSH on a non-default port.

  Just have to search up those terms and learn how to set them up.
- Tisila (5y): @macbury I do have a WireGuard VPN setup already working, so at first I'm gonna take this route.
- Pyjong (5y): Btw, there were plenty more, but this https://www.binaryedge.io/ is one of them who turned around at my RPi before I started hiding the device and blacklisting IPs. I just found it interesting that someone makes a living out of this. It's probably a legit business though. Back then I think the domain was 40fy.io or something.
- endor (5y): @Pyjong I hope by "blacklisting IPs" you mean using fail2ban to automatically refuse connections after a few failed login attempts, and not manually going through logs, looking for repeat offenders and manually adding iptables rules with their IP.
- Pyjong (5y): @endor Yes, but not fail2ban; there is a way to do this with just iptables (see --hitcount). But TBH, at first I was adding IPs manually as you say, because I thought no one really cares about my domestic IP. I thought it would stop if I banned a few. Then I added the iptables rules, which helped, but people kept trying and the banlist grew, so I installed knockd and wrote a port knocker, which is very simple, and that pretty much did it. I tried a few more things to make it a bit harder for someone who knows you use port knocking, but I don't think I needed that.
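The two iptables-layer measures Pyjong describes above (rate-limiting new SSH connections with `-m recent --hitcount`, and a knockd-style knock sequence) are modelled below as an added Python example so the matching logic can be read and exercised offline. This is not code from the thread or from knockd; the iptables rules in the docstring are standard syntax, the model of knockd's behaviour is an outline only, and the event streams, timings and addresses are constructed. It also shows the edge case a practitioner should know: a knock sequence whose ports ascend can be opened by an ordinary sequential port scan.

```python
"""Pure-Python models of two SSH brute-force defences: the iptables `recent`
match and a knockd-style port-knock sequence.  Added illustration; the event
streams below are constructed and use documentation address ranges."""
from collections import defaultdict, deque


class RecentMatch:
    """Emulates this pair of rules (standard iptables syntax):

        iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
            -m recent --name SSH --set
        iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW \
            -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP

    Per source address the kernel keeps the timestamps of recent hits (20 by
    default).  A new connection is dropped once `hitcount` hits fall inside
    the last `seconds`.  Caveat: this counts connection attempts, not login
    failures, and every further attempt adds a timestamp, so a host that
    keeps hammering stays blocked while a host that goes quiet ages out.
    """

    def __init__(self, seconds: float, hitcount: int, list_size: int = 20):
        self.seconds = seconds
        self.hitcount = hitcount
        self.table = defaultdict(lambda: deque(maxlen=list_size))

    def new_connection(self, src: str, ts: float) -> bool:
        """Record one SYN from src at time ts; return True if it is dropped."""
        hits = self.table[src]
        hits.append(ts)                        # the --set rule fires first
        while hits and ts - hits[0] > self.seconds:
            hits.popleft()                     # outside the --seconds window
        return len(hits) >= self.hitcount      # --update --hitcount matched


class KnockTracker:
    """Outline model of knockd: a source must hit the ports of `sequence` in
    order, finishing within `timeout` seconds of its first knock.  knockd
    captures with pcap and only looks at ports that appear in a sequence, so
    this model ignores every other port; a sequence port hit out of order
    resets the attempt.  Consequence: a scan that walks ports upward opens a
    sequence whose ports ascend, so choose a non-monotonic sequence."""

    def __init__(self, sequence, timeout: float):
        self.sequence = list(sequence)
        self.ports = set(self.sequence)
        self.timeout = timeout
        self.progress = {}      # src -> (next index, time of first knock)
        self.opened = []        # sources that completed the sequence, in order

    def knock(self, src: str, port: int, ts: float) -> bool:
        """Register a SYN from src to port; True when the sequence completes."""
        if port not in self.ports:
            return False                       # never seen by the filter
        idx, started = self.progress.get(src, (0, ts))
        if idx and ts - started > self.timeout:
            idx = 0                            # too slow: forget progress
        if port != self.sequence[idx]:
            idx = 0                            # out of order: start over
        if port == self.sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            self.opened.append(src)
            return True
        self.progress[src] = (idx, started)
        return False


# Constructed stream of new SSH connections: (source, seconds since start).
RECENT_EVENTS = [
    ("203.0.113.5", 0.0), ("203.0.113.5", 3.0), ("203.0.113.5", 6.0),
    ("203.0.113.5", 9.0),        # 4th hit within 60 s: dropped from here on
    ("203.0.113.5", 30.0),       # still hammering, still dropped
    ("198.51.100.7", 10.0), ("198.51.100.7", 12.0), ("198.51.100.7", 14.0),
    ("203.0.113.5", 100.0),      # 70 s of silence: window empty, allowed again
]

# Constructed knocks: (source, destination port, seconds since start).
KNOCK_EVENTS = [
    ("198.51.100.7", 7000, 0.0), ("198.51.100.7", 9000, 0.4), ("198.51.100.7", 8000, 0.9),
    ("203.0.113.5", 7000, 5.0), ("203.0.113.5", 8000, 5.5), ("203.0.113.5", 9000, 6.0),
    ("203.0.113.9", 7000, 10.0), ("203.0.113.9", 9000, 25.0), ("203.0.113.9", 8000, 26.0),
    ("203.0.113.9", 22, 27.0),   # not a knock port: ignored entirely
]


def run_recent(events, seconds: float = 60.0, hitcount: int = 4):
    """Per event, whether the recent match would have dropped it."""
    m = RecentMatch(seconds, hitcount)
    return [m.new_connection(src, ts) for src, ts in events]


def run_knock(sequence, events, timeout: float = 10.0):
    """Sources that completed `sequence` within `timeout`, in order."""
    tracker = KnockTracker(sequence, timeout)
    for src, port, ts in events:
        tracker.knock(src, port, ts)
    return tracker.opened


if __name__ == "__main__":
    print("dropped:", run_recent(RECENT_EVENTS))
    print("non-monotonic sequence opened for:", run_knock((7000, 9000, 8000), KNOCK_EVENTS))
    print("ascending sequence opened for:", run_knock((7000, 8000, 9000), KNOCK_EVENTS))
```

With the non-monotonic sequence only the client that knocked in order and quickly gets in; with the ascending sequence the same events open the door for the host that simply scanned 7000, 8000, 9000 upward. The `recent` model also shows why the hit counter alone does not produce a permanent ban: it is a sliding window, which is the reason a separate ban list (or ipset, as endor notes below) tends to grow alongside it.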
- endor (5y): @Pyjong Security through obscurity is not as secure as you think. Sure, port knocking can be a good way to camouflage a service, but it can also get in your way when something breaks.
  A much safer method is to simply disable password authentication and only use SSH keys, then configure SSH to only use the most secure encryption and key-exchange algorithms (see https://stribika.github.io/2015/01/... ).

  Oh, and if you need to ban large lists of IPs or IP ranges, there's ipset.
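The checklist in endor's comment (keys only, no password or keyboard-interactive logins, explicit algorithm lists) can be turned into a small audit of the global section of an sshd_config. The script below is an added example, not code from the thread or from the linked article: the two configs are constructed, and the "weak" patterns are this example's own allow-list judgement (SHA-1 key exchange, CBC and RC4 ciphers, MD5/SHA-1/truncated MACs, plus the NIST P-curves the linked article steers away from).

```python
"""Audit the global section of an sshd_config for password-free, keys-only
login and explicit algorithm lists.  Added illustration with constructed
configs; the weak-algorithm patterns are this example's own assumptions."""
import re
from typing import Dict, List

WEAK_KEX = re.compile(r"sha1$|^ecdh-sha2-nistp")          # assumption: avoid SHA-1 and NIST curves
WEAK_CIPHER = re.compile(r"-cbc$|^arcfour|^3des|^blowfish")
WEAK_MAC = re.compile(r"md5|sha1|-96$|^umac-64")


def parse_global(text: str) -> Dict[str, str]:
    """Effective global directives.  sshd keeps the FIRST value it sees for a
    keyword, keywords are case-insensitive, '#' starts a comment, and anything
    after the first Match block is conditional, so parsing stops there."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        conf.setdefault(key, value)
    return conf


def audit_sshd_config(text: str) -> List[str]:
    """Return findings for the global section; an empty list means clean."""
    conf = parse_global(text)
    findings: List[str] = []

    def val(key: str, default: str) -> str:
        return conf.get(key, default).lower()

    if val("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication is on (the default): set 'PasswordAuthentication no'")
    # KbdInteractiveAuthentication is the newer name of ChallengeResponseAuthentication;
    # left on, PAM can still prompt for a password even with PasswordAuthentication off.
    kbd = conf.get("kbdinteractiveauthentication",
                   conf.get("challengeresponseauthentication", "yes")).lower()
    if kbd == "yes":
        findings.append("KbdInteractiveAuthentication is on (the default): set it to no")
    if val("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication is off: keys should be the only login method left")
    if val("permitrootlogin", "prohibit-password") == "yes":
        findings.append("PermitRootLogin yes: use 'no' (or at least the default prohibit-password)")

    for key, label, weak in (("kexalgorithms", "KexAlgorithms", WEAK_KEX),
                             ("ciphers", "Ciphers", WEAK_CIPHER),
                             ("macs", "MACs", WEAK_MAC)):
        value = conf.get(key, "")
        if not value:
            findings.append(f"{label} not set: sshd offers its compiled-in default list")
            continue
        if value.startswith("-"):
            continue                  # removal list: the default minus these, nothing to scan
        if value[0] in "+^":
            findings.append(f"{label} uses '{value[0]}': the default list is kept, not replaced")
        for alg in value.lstrip("+^").split(","):
            if weak.search(alg):
                findings.append(f"{label} offers weak algorithm {alg}")
    return findings


# Constructed: a near-stock config where only the port was moved.
WEAK_CONFIG = """\
Port 2222
PermitRootLogin yes
#PasswordAuthentication no   <- still commented out, so the default (yes) applies
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
Ciphers aes256-ctr,aes128-cbc
"""

# Constructed: the same host after applying the advice above.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
KexAlgorithms curve25519-sha256@libssh.org,curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
Match User git
    AuthorizedKeysFile /home/git/.ssh/authorized_keys
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`, but remember two caveats: it only reads the global section, so a `Match` block can re-enable password logins for some users without this script noticing, and included files are not followed. The authoritative view is `sshd -T`, which prints the effective configuration after all of that is resolved; feeding its output to the same function works because it uses the same `Keyword value` layout.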



GitHub is down again; I wonder if they triggered a deploy from the wrong branch.
Fuck this shit, moving to self-hosted solutions:
https://gitea.io/en-us/
rant