Self Hosted - Self-hosting your services.

11277 readers

170 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules

No harassment
crossposts from c/Open Source & c/docker & related may be allowed, depending on context
Video Promoting is allowed if is within the topic.
No spamming.
Stay friendly.
Follow the lemmy.ml instance rules.
Tag your post. (Read under)

Important

Beginning of January 1st 2024 this rule WILL be enforced. Posts that are not tagged will be warned and if not fixed within 24h then removed!

Lemmy doesn't have tags yet, so mark it with [Question], [Help], [Project], [Other], [Promoting] or other you may think is appropriate.

Cross-posting

!everything_git@lemmy.ml is allowed!
!docker@lemmy.ml is allowed!
!portainer@lemmy.ml is allowed!
!fediverse@lemmy.ml is allowed if topic has to do with selfhosting.
!selfhosted@lemmy.ml is allowed!

If you see a rule-breaker please DM the mods!

founded 3 years ago

MODERATORS

Zoe8338@lemmy.ml

dogmuffins@lemmy.ml

testman@lemmy.ml

132

PSA: Test Your Server SSH Access (lemmy.ml)

submitted 1 day ago* (last edited 9 hours ago) by brownmustardminion@lemmy.ml to c/selfhost@lemmy.ml

11 comments fedilink hide all child comments

I accidentally attempted to SSH into one of my servers from a device that did not contain my ssh key. I configure all of my servers to only allow authentication via cryptographic keys. Root ssh as well as password auth are disabled.

To my surprise, I was able to log in to my server with a password despite this. Baffled, I first tried some other servers. 2 of the 5 other servers I tried were accessabke via password.

After some swift investigation the culprit was found, a cloud-init ssh config in sshd_config.d/ with one line: password_authentication Yes.

So TLDR PSA....if you run a server in any type of virtualized environment, including a VPS, check your /etc/ssh/sshd_config.d/ folder. And more broadly, actually thoroughly test your ssh access to confirm everything is working as you intend it to.

top 11 comments

sorted by: hot top controversial new old

[–] Boris_NotTooBadinoff@lemmy.world 3 points 5 hours ago* (last edited 2 hours ago)

Had a similar issue with tlp recently. I just happened to notice the laptop battery was at 100%, and said it was charging. I double and triple checked the config file, but the tlp-stat -b still showed the thresholds at 90%-100%.

Turns out tlp, at some point, started ignoring /etc/tlp.conf, and was pointing to /etc/default/tlp

[–] henfredemars@infosec.pub 17 points 21 hours ago* (last edited 21 hours ago)

This is good advice in general. Think of it like penetration testing. You really should verify what you can actually access remotely on a device and not assume you have any level of protection until you’ve tried it.

Log files can also contain signs of attack like password guessing. You should review these on a regular basis.

[–] MNByChoice@midwest.social 9 points 20 hours ago

Good advice. One should always test, for correctness, not just infer.

[–] American_Jesus@lemm.ee -2 points 23 hours ago

OpenSSH right? What version?
No issues with Dropbear

[–] friend_of_satan@lemmy.world 39 points 20 hours ago

Show your effective sshd server config: sudo sshd -T

[–] TankieTanuki@hexbear.net 7 points 17 hours ago (1 children)

/etc/ssh/ssh.d/

You mean /etc/ssh/sshd_config.d?

[–] brownmustardminion@lemmy.ml 4 points 9 hours ago (1 children)

Fixed it. Thanks

[–] TankieTanuki@hexbear.net 4 points 9 hours ago* (last edited 9 hours ago) (1 children)

You for got the d!

[–] brownmustardminion@lemmy.ml 3 points 9 hours ago (1 children)

picard_facepalm.png

[–] TankieTanuki@hexbear.net 3 points 9 hours ago

picard-pointing

[–] pe1uca@lemmy.pe1uca.dev 7 points 19 hours ago

I could even go further into saying: always test every change you make, do not assume the change has been made because you updated a file.