Greg Felice gregfelice

## securing_public_facing_SSH_servers.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              1 star
            
          
                gregfelice
                / securing_public_facing_SSH_servers.md
            
            
              Last active
              October 12, 2025 12:44
            
              
                Securing your public-facing SSH server
              
          
    Securing your public-facing SSH server

Response to https://www.reddit.com/r/HomeServer/comments/1nvv9hv/guys_is_this_bad_1000s_of_ssh_authentication/

Use nftables to ban repeated connection attempts
Configure your ssh server with some sensible defaults

This approach uses core linux tools that ship with any distribution,
so you can avoid installing and configuring third party tools like fail2ban.
If you haven't heard of netfilter, it the usertool for configuring network

  
## easyblock-deny.txt
pihole deny youtube.com


## easyblock-allow.txt
# here we are

## # postgresql@14 - 2024-10-07_22-23-56.txt
Homebrew build logs for postgresql@14 on macOS 15.0
Build date: 2024-10-07 22:23:56

## gist:0c9796293adc7cfb6ed9fb74e121c38b
allowed_extra_ports: [ 3000, 8083, 8086 ]
disallowed_extra_ports: [ 5432, 2003, 8090, 8080, 8181 ]

## gist:d8737e6ab35bc5727943d5d85db87567
TASK: [hardened | ensure host-specific ports are opened] **********************
skipping: [minerva.random.com]
skipping: [achilles.random.com]
ok: [juno.random.com] => (item=8080)
ok: [ajax.random.com] => (item=3000)
ok: [ajax.random.com] => (item=8083)
ok: [ajax.random.com] => (item=8086)

TASK: [hardened | reload changes to firewalld if any] *************************
skipping: [achilles.random.com]

## optional_list_handling_in_ansible_loops.yaml

- name: ensure host-specific ports are opened
  firewalld: port="{{ item }}/tcp" permanent=true state=enabled
  with_items: "{{ hostvars[inventory_hostname]['allowed_extra_ports'] | default([]) }}"
  register: allowed_extra_ports

- name: reload changes to firewalld if any
  service: name=firewalld state=restarted
  when: allowed_extra_ports.changed

## Example Code
require 'release_calendar_rest_client'

class HomeController < ApplicationController

  def index
    @activities = Activity.order('created_at DESC').limit(20)
  end

  def release_calendar
    @releases = ReleaseCalendarRestClient.get_releases
	Homebrew build logs for postgresql@14 on macOS 15.0
	Build date: 2024-10-07 22:23:56
	allowed_extra_ports: [ 3000, 8083, 8086 ]
	disallowed_extra_ports: [ 5432, 2003, 8090, 8080, 8181 ]
	TASK: [hardened \| ensure host-specific ports are opened] **********************
	skipping: [minerva.random.com]
	skipping: [achilles.random.com]
	ok: [juno.random.com] => (item=8080)
	ok: [ajax.random.com] => (item=3000)
	ok: [ajax.random.com] => (item=8083)
	ok: [ajax.random.com] => (item=8086)

	TASK: [hardened \| reload changes to firewalld if any] *************************
	skipping: [achilles.random.com]

	- name: ensure host-specific ports are opened
	firewalld: port="{{ item }}/tcp" permanent=true state=enabled
	with_items: "{{ hostvars[inventory_hostname]['allowed_extra_ports'] \| default([]) }}"
	register: allowed_extra_ports

	- name: reload changes to firewalld if any
	service: name=firewalld state=restarted
	when: allowed_extra_ports.changed
	require 'release_calendar_rest_client'

	class HomeController < ApplicationController

	def index
	@activities = Activity.order('created_at DESC').limit(20)
	end

	def release_calendar
	@releases = ReleaseCalendarRestClient.get_releases