Comment by bayindirh 4 hours ago
Try exposing a paswordless SSH server to outside to see what happens. It'll be tried immediately, non-stop.
Now, all the servers I run has no public SSH ports, anymore. This is also why I don't expose home-servers to internet. I don't want that chaos at my doorstep.
Whitelisting single IP (preferably a static one) sounds plausible.
Kubernetes for personal infrastructure is akin to getting an aircraft carrier for fishing trips.
For simple systems snapshots and backups are good enough. If you're managing a thousand machine fleet, then things are of course different.
I manage both so, I don't yearn to use big-stack-software on my small hosts. :D
Yeah, I have been thinking about hosting a small internet facing service on my home server, but I’m just not willing to take the risk. I’d do it on a separate internet connection, but not on my main one.
You can always use a small Hetzner server (or a free Oracle Cloud one if you are in a pinch) and install tailscale to all of your servers to create a P2P yet invisible network between your hosts. You need to protect the internet facing one properly, and set ACLs at tailscale level if you're storing anything personal on that network, though.
I would probably just ssh into the Hetzner box and not connect it to my tailnet.
Would tailscale or cloudflare do the trick. Let them connect to the server.
> This is just FUD.
No, it's just opsec.
> Sure, scanners will keep pinging it, but nobody is ever going to burn an ssh 0day on your home server.
I wouldn't be so sure about it, considering the things I have seen.
I'd better be safe than sorry. You can expose your SSH if you prefer to do so. Just don't connect your server to my network.
Yeah no need for public ssh. Or if you do pick a random port and fail2ban or better just whitelist the one IP you are using for the duration of that session.
To avoid needing SSH just send your logs and metrics out and do something to autodeploy securely then you rarely need to be in. Or use k8s :)