For example, I prefer to use a VPN instead of port forwarding. And I use SSH for anything I used to use FTP for.
I share services with the public, so… strong passwords on everything, MFA, host scanning, SSH MAC/KEX/ciphers tweaked to ultra modern set and exposed only with keys with f2b activating on first failure, constant backups and automatic updates and scheduled reboots. Has worked great for a decade+.
SSH key auth for terminal login, plus an nginx proxy and client cert auth on anything accessible by the outside world. I’ll expose any internal service I want because nobody is getting through the client cert auth.
I use a non-standard SSH port, Fail2ban, WireGuard VPN for some services
A padlock
TOTP MFA highly recommended on SSH and webconsole. The so called “google-authenticator” makes it easy and despite the name does not use any external Google services.
Yes, but if using an android phone, the Aegis app may be a better choice. Guaranteed to not have tracking, and secrets are encrypted
That is indeed what I am using as well. The “google-authenticator” is just a (badly named) open source program that runs on the server and is available in most Linux distro repositories.
Oh, you mean the PAM module?
It can function as that as well AFAIK.
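The two SSH postures discussed in this thread (keys only with no password or keyboard-interactive login, and keys plus a TOTP second factor through the PAM module) can both be checked against an sshd_config. This is an added example, not code from anyone in the thread; the three sample configs it writes are constructed, and it ignores Match blocks (sshd honours the first global occurrence of a directive, which is what it reads):

```shell
#!/usr/bin/env bash
# Added example, not code from anyone in the thread. Audits an sshd_config for
# either accepted posture: key-only login (no passwords, no keyboard-interactive)
# or keys plus a TOTP second factor through PAM (keyboard-interactive only after
# publickey). Match blocks are ignored: sshd takes the first global occurrence.

sshd_get() {  # sshd_get FILE DIRECTIVE -> prints the effective global value, if any
  awk -v d="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == "match"      { exit }                 # stop at the first Match block
    tolower($1) == d            { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

ok()   { echo "ok   $*"; }
fail() { echo "FAIL $*"; }

# Runs every check and returns the number that failed (0 = acceptable posture).
audit_sshd_config() {
  local f=$1 fails=0 v kbd methods d
  if [ "$(sshd_get "$f" PasswordAuthentication)" = no ]; then ok "PasswordAuthentication no"
  else fail "PasswordAuthentication must be no"; fails=$((fails+1)); fi
  if [ "$(sshd_get "$f" PubkeyAuthentication)" = yes ]; then ok "PubkeyAuthentication yes"
  else fail "PubkeyAuthentication should be set to yes explicitly"; fails=$((fails+1)); fi
  case $(sshd_get "$f" PermitRootLogin) in
    no|prohibit-password) ok "PermitRootLogin restricted" ;;
    *) fail "PermitRootLogin must be no or prohibit-password"; fails=$((fails+1)) ;;
  esac
  # Second-factor posture: keys only, or keys then keyboard-interactive (PAM TOTP).
  kbd=$(sshd_get "$f" KbdInteractiveAuthentication)
  methods=$(sshd_get "$f" AuthenticationMethods)
  if [ "$kbd" = no ]; then
    ok "keys only (KbdInteractiveAuthentication no)"
  elif [ "$kbd" = yes ] && [ "$methods" = publickey,keyboard-interactive ] \
       && [ "$(sshd_get "$f" UsePAM)" = yes ]; then
    ok "keys + TOTP via PAM (AuthenticationMethods publickey,keyboard-interactive)"
  else
    fail "KbdInteractiveAuthentication is '${kbd:-default yes}' without AuthenticationMethods forcing publickey first"
    fails=$((fails+1))
  fi
  # Algorithm lists: must be set explicitly and contain no legacy names.
  for d in KexAlgorithms Ciphers MACs; do
    v=$(sshd_get "$f" "$d")
    if [ -z "$v" ]; then
      fail "$d not set, compiled-in defaults apply"; fails=$((fails+1))
    elif printf '%s' "$v" | grep -Eqi -e '-sha1|cbc|3des|arcfour|md5'; then
      fail "$d contains a legacy algorithm: $v"; fails=$((fails+1))
    else
      ok "$d = $v"
    fi
  done
  return $fails
}

# Constructed sample configs (not from any real host) for the three cases.
write_sample() {  # write_sample weak|keys|totp FILE
  case $1 in
    weak) cat >"$2" <<'EOF'
PasswordAuthentication yes
PermitRootLogin yes
Ciphers aes128-cbc,aes256-ctr
EOF
    ;;
    keys) cat >"$2" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF
    ;;
    totp) cat >"$2" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
PermitRootLogin no
KexAlgorithms curve25519-sha256
Ciphers chacha20-poly1305@openssh.com
MACs hmac-sha2-256-etm@openssh.com
EOF
    ;;
  esac
}

# Demo when run directly: audit the three constructed samples.
demo=$(mktemp -d)
for s in weak keys totp; do
  write_sample "$s" "$demo/$s"
  echo "== $s =="; audit_sshd_config "$demo/$s" || echo "   $? check(s) failed"
done
rm -rf "$demo"
```

For the TOTP posture the sshd side is only half of it: the server also needs `auth required pam_google_authenticator.so` in /etc/pam.d/sshd, which is the PAM module the comments above refer to. The audit deliberately does not hard-code one "modern" algorithm list, since that set is the admin's choice; it only insists that the lists are set explicitly and free of SHA-1, CBC, 3DES, arcfour and MD5 names.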
IP whitelisting
How do you do that? I understand how blocklisting would work but how does whitelisting work in practice? How can you know in advance from which IPs you will connect to your home network in the future? That just seems like a recipe for getting stranded in some hotel without a way into your network.
Tailscale.
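What the one-word answer means in practice: you do not allowlist the hotel, you allowlist the VPN. SSH is only reachable from the tunnel's own address range (and the home LAN), so you connect to WireGuard or Tailscale first and arrive from an address that is always on the list. This is an added example, not from anyone in the thread; the 10.8.0.0/24 tunnel subnet and 192.168.1.0/24 LAN are constructed values, while 100.64.0.0/10 is the CGNAT block Tailscale assigns node addresses from and 51820 is WireGuard's default UDP port:

```shell
#!/usr/bin/env bash
# Added example, not from anyone in the thread. Shows how an SSH allowlist works
# when paired with a VPN: only the tunnel's address range (plus the home LAN) may
# reach port 22, so the hotel's public IP never matters. Ranges are constructed,
# except 100.64.0.0/10 (Tailscale's node range) and UDP 51820 (WireGuard default).

ip2int() {  # dotted IPv4 (no leading zeros) -> 32-bit integer
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {  # in_cidr ADDR NETWORK/BITS -> exit 0 if ADDR lies inside the prefix
  local ip=$1 net=${2%/*} bits=${2#*/}
  local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Allowlist: a WireGuard tunnel subnet, the home LAN, and Tailscale's node range.
# Nothing public is listed on purpose; remote access always goes through the VPN.
ALLOWLIST="10.8.0.0/24 192.168.1.0/24 100.64.0.0/10"

# Prints allow/deny for a source address and returns 0/1 accordingly.
ssh_allowed() {
  local src=$1 net
  for net in $ALLOWLIST; do
    if in_cidr "$src" "$net"; then echo "allow $src (matched $net)"; return 0; fi
  done
  echo "deny  $src"
  return 1
}

# Renders the same policy as an nftables ruleset (printed, not loaded).
render_nft_rules() {
  local net
  echo "table inet filter {"
  echo "  chain input {"
  echo "    type filter hook input priority 0; policy drop;"
  echo "    iif lo accept"
  echo "    ct state established,related accept"
  # The tunnel endpoint itself must stay reachable from anywhere, or the VPN can
  # never come up from the hotel and you are locked out.
  echo "    udp dport 51820 accept"
  for net in $ALLOWLIST; do
    echo "    ip saddr $net tcp dport 22 accept"
  done
  echo "  }"
  echo "}"
}

# Demo: an address on the tunnel is admitted, a random public address is not.
ssh_allowed 10.8.0.5
ssh_allowed 203.0.113.7 || true
render_nft_rules
```

The default-drop policy with an explicit accept for the VPN's UDP port is the part people forget: the allowlist protects SSH, but the tunnel listener has to accept from any source, so it should be the only thing exposed to the open internet.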