I just setup a minecraft server on an old laptop, but to make it acessible i needed to open up a port. Currently, these are the ufw rules i have. when my friends want to connect, i will have them find their public ip and ill whilelist only them. is this secure enough? thanks

`Status: active

To Action From


22/tcp ALLOW Anywhere Anywhere ALLOW my.pcs.local.ip`

also, minecraft is installed under a separate user, without root privlege

You are viewing a single thread.
View all comments View context
21 points

Having SSH open to the internet is normal. Don’t use password authentication with weak passwords.

permalink
report
parent
reply
7 points

Normal for who? I wouldn’t expose SSH on 22 to the internet unless you have someone whose full time job is monitoring it for security and keeping it up to date. There are a whole lotta downsides and virtually no upsides given that more secure alternatives have almost zero overhead.

permalink
report
parent
reply
3 points

I had it open for a web server for 2.5 years because I was lazy and my IP changed a lot and I traveled and didn’t have a VPN setup and never had any issues as far as I could tell. Disabled password and root auth but was also fine with wiping that server if there were issues. It’s certainly not recommended but isn’t immediately always going to be an issue

permalink
report
parent
reply
3 points

ssh is one of the most secure servers you can run. The tailscale propaganda is crazy in this community.

permalink
report
parent
reply
11 points

Shodan reports that 35,780,216 hosts have SSH exposed to the internet.

Moving SSH to ports other than 22 is not security. The bots trying port 22 on random addresses with random passwords don’t have a chance of getting in unless you’re using password authentication with weak passwords or your SSH is very old.

SSH security updates are very infrequent and it takes practically no effort to keep SSH up to date. If you’re using a stable distribution, just enable automatic security updates.

permalink
report
parent
reply
1 point

To be fair, if something is open by default or very easy to enable without informing about the risks, tons of people will have it exposed without thinking.

It isn’t that “tons of people do it so it is normal and perfectly fine” but more “people don’t realize.” It also uses some nontrivial amount of resources to process and block those attempts, even if they never have a chance of getting in.

There is yet a reason I can find to have it forwarded for home use. Need to ssh into a machine to fix it? VPN.

There are plenty of secure web-based tools to manage your server without a VPN also.

permalink
report
parent
reply
3 points

Moving to another port isn’t a bad idea though. It gives you cleaner logs which is nice.

permalink
report
parent
reply
2 points

For public facing only use key based authentication. Passwords have too much risk associated for public facing ssh

permalink
report
parent
reply
5 points

Not for people who are asking questions about port forwarding

permalink
report
parent
reply
2 points
*
Deleted by creator
permalink
report
parent
reply
1 point

yeah no I should have considered that. didn’t lick the most secure password. will change when I get home

permalink
report
parent
reply
17 points

Don’t use passwords for public SSH in the first place. Disable password authentication and use pubkeys.

permalink
report
parent
reply
9 points

And disable ssh to root. Hell, just disable root login altogether and use sudo.

permalink
report
parent
reply
3 points

If you have ssh open to the world then it’s better to disable root logins entirely and also disable passwords, relying on ssh keys instead.

permalink
report
parent
reply

Selfhosted

!selfhosted@lemmy.world

Create post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

Community stats

  • 5.3K

    Monthly active users

  • 3.7K

    Posts

  • 81K

    Comments