ChipTuner on Nostr: On my main network no. Don't have much choice in cloud. Ideally pubkey only, ...
On my main network no. Don't have much choice in cloud. Ideally pubkey only, different port, and fail2ban. Truly not sure how effective the last two are without a honeypot, but even still that's a lot going on and more software surface area to worry about. VPN when I'm out.
No one ever bothers to explain anything besides tribal thinking or whatever school or their business demands but never shares the data or why.
If VPN access is obtained to my supervisor network it could be more devastating than hitting ssh on a machine that sits in my DMZ network. That said given the option, I would never expose ssh no matter the circumstances of any hypervisor/supervisor machine. They all live in different networks, and I try to limit access for vpn clients but it's hard when I'm away trying to manage hardware.
Something I do for cloud systems that have a managed firewall, I specify my client IP addresses manually. I sometimes also use nginx as a stream tunnel, which allows IP based white/blacklists. I think it also has an SSH tunnel module which probably has even better control. Firewall > nginx though if possible.
WireGuard. Rotate keys fairly often. Typing a portion of the key and copying the rest. Use a pre-shared symmetric key for added protection.
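
An added example, not part of the original post: the nginx stream tunnel with an IP allowlist mentioned above, written as a configuration for the `stream` module's `allow`/`deny` directives. The listen port, the client addresses (documentation ranges), the backend address and the log path are all assumptions.

```nginx
# Top-level block in nginx.conf (outside http {}). Requires nginx built with
# the stream module, or the dynamic stream module loaded.
stream {
    # Log every TCP session; a denied client is recorded with status 403,
    # which gives a record of who is knocking on the port.
    log_format ssh_tunnel '$time_iso8601 $remote_addr $protocol '
                          'status=$status sent=$bytes_sent '
                          'recv=$bytes_received dur=$session_time';
    access_log /var/log/nginx/ssh_tunnel.log ssh_tunnel;

    upstream ssh_backend {
        # Assumed: sshd listens only on loopback, so the tunnel is the
        # single path to it from outside.
        server 127.0.0.1:22;
    }

    server {
        # Assumed non-default public port.
        listen 2222;

        # Allowlist of known client addresses (constructed, RFC 5737 and
        # RFC 3849 documentation ranges). Rules are checked in order and
        # the first match wins, so "deny all" must come last.
        allow 203.0.113.10;
        allow 198.51.100.0/28;
        allow 2001:db8:1234::/48;
        deny  all;

        # Drop backends that do not answer quickly and sessions that sit
        # idle, so stale tunnels do not linger.
        proxy_connect_timeout 5s;
        proxy_timeout         15m;

        proxy_pass ssh_backend;
    }
}

# Caveat: behind this tunnel sshd sees every connection as coming from
# 127.0.0.1, so fail2ban watching sshd's auth log cannot tell clients apart.
# Point it at the tunnel log above instead, or rely on the allowlist and a
# firewall rule in front of nginx.
```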