
I typically run an Ansible Hardening Playbook on any new Linux installation. After that, there are a few more things I do.

For SSH, I'll make sure that:

- password authentication is disabled
- the root user is denied
- X11 forwarding is off
- keyboard-interactive authentication is disabled
- SSH access is restricted to a specific username

If it's a VM, I'll also make sure I allow only my IP access to port 22. I also typically install Tailscale, so my ACLs will let me get in that way, too. The rest of the world has no reason to talk to my server on port 22.

In addition to the firewall on the host running the VM, I make sure to set up nftables on each Linux box. The rules I use aren't complicated; essentially I:

- allow Tailscale UDP
- rate limit ICMP
- allow SSH from my IP

For a VM, there aren't many firewall rules you need. I don't usually bother with fail2ban because the ports aren't exposed to the public.

As for disk encryption, my VMs always run on a ZFS mirrored pool with AES encryption. Because, managing encryption keys for each VM, and…
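A concrete version of the SSH and nftables settings described above, plus a small audit of the sshd side, as an added example (not the author's playbook or configuration). The admin username and IPv4 address are parameters, and the Tailscale rule assumes its default WireGuard port of 41641/udp.

```shell
# sshd_config drop-in (goes under /etc/ssh/sshd_config.d/, which needs an
# Include in the main file). KbdInteractiveAuthentication is the OpenSSH
# 8.7+ spelling; older releases use ChallengeResponseAuthentication.
render_sshd_dropin() {
    cat <<EOF
PasswordAuthentication no
PermitRootLogin no
X11Forwarding no
KbdInteractiveAuthentication no
AllowUsers $1
EOF
}

# nftables input chain: default drop, Tailscale direct connections (assumed
# default port 41641/udp), rate-limited ICMP, SSH only from the admin IPv4 in $1.
render_nft_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        udp dport 41641 accept
        meta l4proto { icmp, ipv6-icmp } limit rate 10/second accept
        ip saddr $1 tcp dport 22 accept
    }
}
EOF
}

# Audit an sshd_config read from stdin. sshd honours the first occurrence
# of a directive, so only the first match counts, and an unset directive
# fails because defaults such as PasswordAuthentication yes are not
# hardened. Match blocks are ignored. Returns 0 only if all checks pass.
audit_sshd_config() {
    awk '
    BEGIN { want["passwordauthentication"] = "no"; want["permitrootlogin"] = "no"
            want["x11forwarding"] = "no"; want["kbdinteractiveauthentication"] = "no" }
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    { k = tolower($1)
      if ((k in want) && !(k in seen)) seen[k] = tolower($2)
      if (k == "allowusers" && NF >= 2) allow = 1 }
    END {
        rc = 0
        for (k in want) if (!(k in seen) || seen[k] != want[k]) {
            printf "FAIL %s=%s\n", k, ((k in seen) ? seen[k] : "<unset>"); rc = 1 }
        if (!allow) { print "FAIL AllowUsers unset"; rc = 1 }
        exit rc }'
}
```

Run `render_sshd_dropin alice | audit_sshd_config` to confirm the drop-in passes; feeding it a config whose first PasswordAuthentication line says yes reports the failing directive.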
