Also, what is there to compromise on a machine that basically runs just sshd with password authentication disabled?
it's a pain because of NAT/port forwarding, not to mention the chore of making sure every device is up to date. You can get around the NAT/port forwarding issue by having a $5 VPS, but then you're essentially storing your password database on dropbox.
>Also, what is there to compromise on a machine that basically runs just sshd with password authentication disabled?
1. Same way that dropbox can be compromised: your account gets hacked or the provider gets hacked.
2. While I agree that a server with only sshd and auto-updates enabled would be pretty hard to compromise (foregoing the above), I doubt that's the typical setup. Most people probably have a "general purpose" VPS that they use to host all sorts of stuff, which means there's lots blindly typing in "npm install ..." or even "curl ... | sh" going on.
Tailscale or zerotier. It's a solved problem. You don't need to use a vps at all.
Nope. My account on my vps is protected with a strong ssh key and password-logins disabled. Also fail2ban is set up to forever disallow ips that try failed logins. So not the same at all.
> lots blindly typing in "npm install ..." or even "curl ... | sh" going on.
Nope
>Nope. My account on my vps is protected with a strong ssh key and password-logins disabled. Also fail2ban is set up to forever disallow ips that try failed logins. So not the same at all.
By "account", I don't mean the account in /etc/passwd on your VPS, I mean the account with your hosting provider. That can be hacked/phished just like a dropbox account, not to mention the provider themselves getting hacked or social engineered.
I periodically do a "git pull" onto an encrypted HDD that's stored at the office.
Offsite and backups outside of my normal backup procedures, in case I'm suddenly really screwed.
The PGP key is on a YubiKey, and I have an encrypted offline backup of that as well.
