| 26 Feb 2025 |
hexa | I don't want to trust a random community of people | 20:21:04 |
hexa | another idea would of course be a bastion host | 20:22:11 |
hexa | but that would make accessing the host a bit more tedious, given ssh jumps etc. | 20:22:27 |
dgrig | It's not foolproof, but changing the default port away from 22 helps with a lot of bots | 20:22:28 |
hexa | also a valid choice | 20:24:05 |
hexa | so what happens is that due to too many connection requests ssh also sometimes drops my connection attempts | 20:25:54 |
hexa | mildly annoying 🙂 | 20:26:06 |
hexa | `sshd[1969703]: error: beginning MaxStartups throttling` | 20:26:57 |
hexa | due to that | 20:26:58 |
dgrig | All the things you mentioned help however. I personally change the ssh port, enable fail2ban and for a lot of hosts don't have ssh enabled over the internet since wireguard works well enough for me. Other people I know enable ssh only over tor hidden services, but I don't trust tor starting fast enough after a restart /shrug | 20:27:01 |
magic_rb | I only allow ssh over wireguard period | 20:28:33 |
dgrig | (waiting for a new circuit after a restart can be a bit annoying if you're trying to ssh right after a restart in my opinion) | 20:28:36 |
Scrumplex | Another way to reduce ssh bot noise is to limit sshd to listen on IPv6 only | 20:50:50 |
Fernando Rodrigues | (In reply to @magic_rb:matrix.redalder.org: "I only allow ssh over wireguard period") ssh over wireguard is so nice | 21:36:06 |
hexa | yeah, much nicer than just using ssh over internet | 21:38:07 |
hexa | * yeah, much nicer than just using ssh over internet \s | 21:38:09 |
hexa | to be clear, I have a wireguard/babel mesh, so I can ssh over a routed connection of private addresses | 21:38:39 |
Fernando Rodrigues | (In reply to @hexa:lossy.network: "yeah, much nicer than just using ssh over internet \s") i mean, unironically yes. | 21:38:43 |
hexa | but now imagine a git host | 21:38:49 |
Fernando Rodrigues | I don't see the issue? | 21:39:11 |
hexa | git+ssh | 21:39:19 |
hexa | * git+ssh:// | 21:39:30 |
Fernando Rodrigues | Sure, just change the IP from whatever it was before to the wireguard address. | 21:39:43 |
Fernando Rodrigues | ditto with a domain | 21:39:50 |
hexa | a custom port is too cumbersome, means everyone needs to maintain ssh configs etc. | 21:39:50 |
hexa | public git access over ssh | 21:40:04 |
hexa | forgejo | 21:40:07 |
hexa | gitlab | 21:40:09 |
Fernando Rodrigues | ah, yes. forgejo. | 21:40:26 |
Fernando Rodrigues | currently I use an nginx stream to proxy ssh connections over a wireguard tunnel to a forgejo host | 21:40:55 |