Expose server to the wider web for five minutes

Damnit China


sure you'll get less automated shit in your logs but if you were using certs or strong passwords changing port won't make you less likely to get hacked


set up a honeypot, OP. let them in and see what they do :^)

I'm really tempted to block all connections from China on my website, but I'm leaving it be just in case.

Having defense against an automated flood forcing premature log rotation is security in itself. There's no reason not to.

👌😂👌😂👌😂

>vlan50 4234 205587 0 drop from to any
>vlan50 1105 63446 0 drop from to any
>vlan50 1016 56136 0 drop from to any
>vlan50 1010 54158 0 drop from to any
>vlan50 801 50601 0 drop from to any

about 6 hours (interface, packets, bytes, states, rule) mostly chinks, chinks-lite and soviet niggers.

and very easy sshd pro tip:
sshd_config:

PermitRootLogin no
AllowUsers MYSECRETHAXORNAME

and/or force private key AND password authentication.

In the hypothetical scenario of a really bad vulnerability in OpenSSH it would help no matter what.

how to block all of china? can't they vpn?

disclaimer: i'm a huge fucking disgusting newb. sorry for retard questions

en.wikipedia.org/wiki/Iptables
They could use a VPN, but they won't bother.

use cloudflare gloyim

fuck off and die faggots

uh, that's pointless. I've a personal dedicated server that I got spun up, and I have the only website on it behind cloudflare. When I first logged into it, before I did anything, a Chinese IP was already trying to log into root. CloudFlare helps prevent people from attacking my server directly after my website rustles their jimmies. China's already targeting the server and isn't aware of my website.

That's what fail2ban is for. China gonna chink.

>>>/g/

i'm struggling to imagine a scenario where a hacker has access to my private key but not my password. i guess there's no harm in it but it seems like an extra inconvenience for not much benefit. if you've disabled root login, you still need to use it to sudo from the unprivileged account


hypothetically if someone got your strong password (more likely than an exploitable OpenSSH vuln), it's a targeted attack not automated malware. they'll find your SSH port with a 2 second port scan


that's a targeted attack. this would be to stop automated malware running on hacked servers trying to hack you too


cloudflare is ddos protection, that's a different thing

Well then it sounds like you're already fucked, how could they know your server's IP like that before you even logged in? Are they sitting there with a bot scanning all newly online IPs or something? I'd look into

Cloudflare does allow you to block IPs by country if you want.

Yes, they're just wardialing entire IP ranges.

Don't use fail2ban. Key the server and disable keyless login.

Lmao that's what I first thought. Just listen to the anons itt. You don't even need a password on the key, but you should probably use one tbh (I just find it easier not to have one).

It's impossible to brute force a 128-bit key. The only way to steal one is if you literally give it away or if someone gets into your computer.

why not?


yeah that's easier but if you set up ssh-agent right you only have to enter it once and it keeps the key unlocked in memory. you're right that if your desktop's secure it probably doesn't make any difference but maybe you use a shared computer. or maybe you want to ssh from your phone. depends on your circumstances

welcome to this fucking wild jungle called the Internet.
Reading the logs of my VPS is both funny and scary. I run email, ssh and a static website; and my web server is constantly being requested wordpress login pages and who knows what other widely-known vulnerable shit.

disabling SSH passwords and sticking to encrypted public-keys for non-root users is the most important thing to do before exposing an SSH service to the Internet.
Changing port 22 to some upper random shit is good for keeping the logs clean.


use it in addition to

Even with private key login and ssh root login disabled, fail2ban has its uses. I have mine set to block any IP after more than 5 failed attempts (ever). It helps keep my auth.log smaller so it's easier to analyze for suspicious behavior.
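
The "ban after more than 5 failed attempts (ever)" rule from the post above, as an added example that is not from the thread and is not fail2ban's own code. The log lines are constructed, and the names `failures_by_ip`, `to_ban`, `log_line` and the allow-list parameter are assumptions.

```python
import ipaddress
import re
from collections import Counter

MAX_FAILURES = 5  # ban an address once it has MORE than this many failures, ever

# Two mutually exclusive sshd messages, so no attempt is counted twice:
#   "Invalid user NAME from IP port N"            unknown account, once per connection
#   "Failed password for NAME from IP port N ..." existing account, once per attempt
# NAME is attacker-controlled, so the address is taken from the END of the line;
# a username such as "x from 10.0.0.1 port 1" cannot get another host banned.
FAILURE = re.compile(
    r"sshd\[\d+\]: (?:Invalid user .*|Failed password for (?!invalid user ).*)"
    r" from (?P<ip>\S+) port \d+(?: ssh2)?$"
)

def failures_by_ip(lines):
    """Count failed logins per source address over the whole log (no time window)."""
    counts = Counter()
    for line in lines:
        m = FAILURE.search(line.rstrip())
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group("ip"))] += 1
        except ValueError:
            continue  # address field is not an IP literal: ignore the line
    return counts

def to_ban(lines, allow=()):
    """Addresses over the threshold, minus networks that must never be banned."""
    allowed = [ipaddress.ip_network(n) for n in allow]
    return sorted(
        str(ip) for ip, n in failures_by_ip(lines).items()
        if n > MAX_FAILURES and not any(ip in net for net in allowed)
    )

def log_line(msg):
    return f"Mar  3 04:12:01 vps sshd[1000]: {msg}"

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE = (
    [log_line(f"Invalid user admin{i} from 203.0.113.7 port 40000") for i in range(6)]
    + [log_line("Failed password for root from 198.51.100.9 port 51000 ssh2")] * 5
    + [log_line("Invalid user oracle from 192.0.2.44 port 52000")]
    + [log_line("Failed password for invalid user oracle from 192.0.2.44 port 52000 ssh2")] * 4
    + [log_line("Failed password for deploy from 192.0.2.10 port 53000 ssh2")] * 7
    + [log_line("Accepted publickey for deploy from 192.0.2.10 port 53001 ssh2")]
)

if __name__ == "__main__":
    print(to_ban(SAMPLE, allow=["192.0.2.10/32"]))
```

The allow-list keeps your own address from being banned after a run of mistyped passwords.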