To mitigate the effort to maintain my personal server, I am considering to only expose ssh port to the outside and use its socks proxy to reach other services. is Portknocking enough to reduce surface of attack to the minimum?
In your SSH config, you should disallow root login and password authentication.
It is more secure than these tommyknockers :-) but you can do that additionally, if you feel like it.
Why disallow root login? I always need root when I connect, and stealing the password by aliasing sudo/doas is trivial. It seems to me it would just make life harder for no benefit.
Because then:
- you also need to know the correct username
- audits and logging shows which user used sudo to gain root access
- you also need to know the correct username
Use a secure password or key. Security by obscurity is no security.
- audits and logging shows which user used sudo to gain root access
That is not the point that was made. Once access to sudo or root you already have lost.
just use tailscale
I would only expose a VPN and use that to access the other services.
A VPN would give you access to a network, but not necessarily the devices on that network. It adds another layer of security as the user not only has to have SSH credentials/keys, but they also have to have the same for the VPN. SSH and VPNs would really be used in conjunction with each other.
It’s onion security.
Other then the slowly increasing log file (if you use fail2ban for example), it will take thousands of years to actually hack you through this method as long as root auth is disabled and authentication is only via SSH keys, I wouldn’t worry about it.
It is possible to tighten the security of a machine to the point it is no longer usable. It is important to secure our devices but we cannot forget about convenience, so the trick is to tighten it but also make it so you don’t have to jump through a number of hoops till you get to your destination.
I for example, wouldn’t use your method because it would make it difficult to use some services I host from my phone.
Port knockers for the most part aren’t worrying. In an ideal situation, the only ports that should be open are 22, 80, 443 and using a reverse proxy to mask headers. (Poor configuration for example, go to Shodan and type bitwarden in the search bar and see how many people expose their instances to the world carelessly without an SSL cert) and the occasional UDP for game servers/media servers.
