8
gitpush
4y

I just setup a new VPS
I made all configuration required
I reboot the server

I forgot which port I set for ssh 😭

Luckily I have console to access from 😅

Comments
  • 3
    *sad trombone*

    Ol' number 22 is so reliable tho.
  • 6
    you could've just nmapped it if you had no access.
  • 2
    @SortOfTested and predictable 🤔
  • 1
    @Parzi can you explain more plz?
  • 1
    @gitpush
    That's why you whitelist.
  • 2
    @gitpush no offense, but if you don't know nmap and change the ssh port for "security", I'm not sure you should be administering a VPS on the public internet.
  • 0
    @ebrithil ya, I'm not a pro in configs unfortunately, but what I usually do is change the port, disable root, disable password login, and use fail2ban.

    Not sure if I should be doing more tho
  • 0
    @gitpush nmap maps ports on a machine that are open, like a webserver, FTP, *SSH*, etc.
  • 1
    @gitpush the one important setting is no password. That makes it secure. Change the port to 2222 or add a firewall/fail2ban only to get cleaner logs.
  • 0
    @hjk101 Thanks man, I have fail2ban, no password auth and disabled root user, anything else needed?

    Also, since I use docker I do not allow it to be accessible from the world, and put nginx in front of it.

    For nginx I disable sending nginx version, anything else required?
  • 2
    @gitpush Well, you want to make sure that you use either an ed25519 key or an RSA key with at least 4 Kbit.
    You could go the extra mile and add port knocking. I find it inconvenient, and it requires some work to set it up so you can't figure out what ports are used.

    If you use containers, why not containerise the nginx proxy? If they do manage to get to that attack vector, they are trapped in a container. If you use linuxserver/letsencrypt you get letsencrypt as a bonus.

    I would always recommend a caching CDN; they come cheap (free even), mitigate all TCP/HTTP-based attacks and keep a lot of bots from reaching your server.
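    The hardening checklist the commenters assemble above (no password auth, no root login, key-based auth with ed25519 or RSA of at least 4096 bits, and knowing which port sshd is on) can be verified from the console before rebooting. The POSIX shell script below is an added example written for this thread, not code from any commenter; it assumes GNU-style `base64 -d`, a constructed sshd_config excerpt and a constructed RSA key blob (both labelled in the code) rather than a real server's files. The `audit_sshd` check does not follow `Match` blocks, so it reports only the global settings.

```shell
#!/bin/sh
# Added example: audit an sshd_config and authorized_keys entries for the
# settings discussed in the thread. Sample inputs are constructed, not real.

# Effective value of a keyword: sshd takes the first uncommented match,
# keyword case-insensitive. $1 = config file, $2 = keyword.
sshd_opt() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Print findings; return the number of failed checks (0 = all good).
audit_sshd() {
    cfg=$1
    fails=0
    port=$(sshd_opt "$cfg" Port)
    [ -n "$port" ] || port=22
    echo "INFO Port $port (note it down; recoverable from the console with: grep -i '^Port' $cfg)"

    pa=$(sshd_opt "$cfg" PasswordAuthentication)
    if [ "$pa" = "no" ]; then echo "OK   PasswordAuthentication no"
    else echo "FAIL PasswordAuthentication ${pa:-yes (default)}"; fails=$((fails+1)); fi

    prl=$(sshd_opt "$cfg" PermitRootLogin)
    case "$prl" in
        no|prohibit-password) echo "OK   PermitRootLogin $prl" ;;
        *) echo "FAIL PermitRootLogin ${prl:-default}"; fails=$((fails+1)) ;;
    esac

    pka=$(sshd_opt "$cfg" PubkeyAuthentication)
    if [ "$pka" = "no" ]; then echo "FAIL PubkeyAuthentication no"; fails=$((fails+1))
    else echo "OK   PubkeyAuthentication ${pka:-yes (default)}"; fi
    return $fails
}

# Modulus size in bits of an ssh-rsa public key blob (base64 field of an
# authorized_keys line). Wire format: string "ssh-rsa", mpint e, mpint n,
# each prefixed by a 4-byte big-endian length; a mpint carries a leading
# 0x00 pad byte when its high bit is set, which is not part of the modulus.
rsa_bits() {
    printf '%s' "$1" | base64 -d | od -An -tu1 -v | awk '
    { for (i = 1; i <= NF; i++) b[n++] = $i }
    END {
        p = 0
        for (k = 0; k < 2; k++) {            # skip "ssh-rsa" and e
            len = b[p]*16777216 + b[p+1]*65536 + b[p+2]*256 + b[p+3]
            p += 4 + len
        }
        len = b[p]*16777216 + b[p+1]*65536 + b[p+2]*256 + b[p+3]; p += 4
        if (b[p] == 0) len--                  # drop the sign pad byte
        print len * 8
    }'
}

# One authorized_keys line: ed25519 is fine, RSA must be >= 4096 bits.
check_key_line() {
    set -- $1
    case "$1" in
        ssh-ed25519) echo "OK   ed25519 key"; return 0 ;;
        ssh-rsa)
            bits=$(rsa_bits "$2")
            if [ "$bits" -ge 4096 ]; then echo "OK   RSA $bits-bit key"; return 0
            else echo "FAIL RSA $bits-bit key (< 4096)"; return 1; fi ;;
        *) echo "WARN unrecognised key type $1"; return 1 ;;
    esac
}

# Constructed 4096-bit ssh-rsa blob (e = 3, n = 0x00 pad + 512 bytes of 0xff).
# Not a real key; it only exercises the wire-format parser.
make_blob() {
    { printf '\000\000\000\007ssh-rsa'
      printf '\000\000\000\001\003'
      printf '\000\000\002\001\000'
      dd if=/dev/zero bs=512 count=1 2>/dev/null | tr '\0' '\377'
    } | base64 | tr -d '\n'
}

# Demo on a constructed sshd_config excerpt (a real audit would read /etc/ssh/sshd_config).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
# sshd_config excerpt (constructed for this example)
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
audit_sshd "$demo_cfg"
check_key_line "ssh-ed25519 AAAA user@vps"          # constructed line
check_key_line "ssh-rsa $(make_blob) constructed-4096-bit"
rm -f "$demo_cfg"
```

Run it from the console session the post mentions; the first INFO line is the port you forgot, and any FAIL line is one of the settings the thread says to turn off before exposing the box.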
  • 1
    @hjk101 Thanks a lot man, I will switch nginx to a container, didn't think of it that way.

    If you don't mind me asking, do you know of any good caching CDN? I'm only aware of Cloudflare but not sure about its privacy
  • 1
    @gitpush as with anything, depends on situation. Fastly is really good but insanely expensive with TLS. So if you have a company with nice income it might be worth it.

    I don't think that privacy is a big issue with Cloudflare, but I could be wrong, I never looked into it. I hate that you have to use their nameservers.

    If you are already with AWS, CloudFront might do it for you. They also have free TLS (not letsencrypt though, so there are prerequisites). The cache invalidation sucks though. Something to keep in mind depending on your application.

    KeyCDN is something I would recommend. It's cheap ($4 a month on low-traffic sites), fast, and not one of the big data-selling companies. Does letsencrypt, so free TLS. No DNS takeover. You do need to pick a different subdomain for your backend though, https://origin.mydomain.com for example.
  • 1
    @hjk101 Cool, thanks a lot, I will check out KeyCDN, since data selling is my concern; let's see what KeyCDN has to offer