What is the server hardening strategy when I use SSH tunneling?

leonz

New Member
May 15, 2023
Hello,

I am using Proxmox with SSH tunneling. I have disabled all outside ports and connections, except for access via SSH tunneling.


In this way, what is my strategy for server hardening?


My setup:
- disabled root login
- use SSH keys instead of passwords
- do not change the default SSH port, because I do not accept connections apart from tunneling.
- use fail2ban

What should I add?
 
Very bad in a cluster. All cluster communication is done via root.

Don't allow SSH access at all from the internet, only VPN or allow only static IP clients.
I should re-enable root and set SSH access only through VPN, yes? Is there anything else?
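
Added example, not part of the thread and not Proxmox code: a small Python check that reads an `sshd_config` and reports whether root login stays available to a cluster peer while remaining closed, along with password authentication, to any other address. The subnet `10.10.10.0/24`, the two test addresses and the sample config are constructed assumptions, and only plain `Match Address <cidr,...>` blocks are evaluated.

```python
import ipaddress

# Constructed sample config; 10.10.10.0/24 is an assumed cluster/VPN subnet.
SAMPLE = """\
PasswordAuthentication no
PermitRootLogin no
Match Address 10.10.10.0/24
    PermitRootLogin prohibit-password
"""
# sshd's built-in defaults for the two keywords checked here.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def parse(text):
    """Split a config into global settings and (networks, settings) per Match block."""
    glob, blocks, cur = {}, [], None
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key == "match":
            crit = val.split()
            # Simplification: only a plain "Match Address <cidr,...>" is evaluated.
            nets = crit[1].split(",") if len(crit) == 2 and crit[0].lower() == "address" else []
            cur = {}
            blocks.append((nets, cur))
        else:
            (glob if cur is None else cur).setdefault(key, val)  # first value wins
    return glob, blocks

def effective(text, client_ip):
    """Settings applied to client_ip: matching Match blocks, then global, then defaults."""
    glob, blocks = parse(text)
    ip, eff = ipaddress.ip_address(client_ip), {}
    hit = [s for nets, s in blocks
           if any(ip in ipaddress.ip_network(n, strict=False) for n in nets)]
    for layer in hit + [glob, DEFAULTS]:  # Match blocks override the global section
        for k, v in layer.items():
            eff.setdefault(k, v)
    return eff

def audit(text, cluster_ip, outside_ip):
    """Return findings for one cluster peer address and one outside address."""
    inside, outside = effective(text, cluster_ip), effective(text, outside_ip)
    checks = [
        (inside["permitrootlogin"] == "no", "root login blocked for cluster peer"),
        (outside["permitrootlogin"] != "no", "root login allowed from outside address"),
        (outside["passwordauthentication"] != "no", "password authentication enabled"),
    ]
    return [msg for failed, msg in checks if failed]
```

Calling `audit(SAMPLE, "10.10.10.12", "203.0.113.7")` returns an empty list for the sample; on a live host, `sshd -T -C addr=<ip>,user=root` prints the settings sshd itself would apply to that address.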