

Be sure to use a passphrase
I don’t agree about the point concerning cost. You have additional training, update, maintenance and config burden. This on top of the burden of using the VPN on top of ssh.
Ok, fair point. But why stop at one VPN? I choose to trust OpenSSH, but I agree that adding a secondary layer of security actually helps here. You basically multiply two very low probabilities to get an even lower one. The trade-off is that you add complexity. You now need to keep two services up to date and correctly configured, and access/key material distributed.
I’d only recommend this setup for projects with special security requirements.
And why exactly is that more secure?
Welcome to the internet! Your system will get probed. Make sure you run as few services as possible on open ports and only high quality ones such as OpenSSH. Don’t freak out because of your logs. You’re fine as long as your system is up to date and password login disabled! Don’t listen to the fail2ban or VPN crowd. Those are only snake oil.
A VPN is probably just as (in)secure as OpenSSH. There is no gain in complicating things. OpenSSH is probably one of the most well-tested pieces of code for security around.
Public ssh is completely fine as long as you use key-based auth only and keep your sshd up to date. Stop spreading bullshit.
Cookie banners are not mandated by GDPR. It’s an unrelated piece of law.
They rock. I’m sometimes afraid they will be bought or change terms.
Thunder!
Learnt programming as a kid on my dad’s PSION. I owe my career to that device. It came with a BASIC manual on paper. That must have been the most important part of the package.
Take the train instead!
One of my first movies and I’ll never forget that adventure. I have no question though.
I beg to disagree about the disadvantages. An important one is that you cannot easily update shared libraries globally. This is a problem with things like libssl or similar. Another disadvantage is the added complexity, both wrt. operation and, in general, the amount of code running. It can also be problematic that many people just run containers without doing any auditing. In general containers are pretty opaque compared to OS-packaged software, which is usually compiled individually for the OS.
This being said, systemd offers a lot of isolation features that allow similar isolation to containers but without having to deal with docker.
Not a big fan of Bezos though.
I ran an XMPP network based on Prosody and used Snikket on Android. Can recommend!
https://sqlitebrowser.org/ is great, or aSQLiteManager for Android
I understand how this could be a prime target of a supply chain attack and that things are a bit fishy. On the other hand people are waaaay less picky about installing other binary blobs on their machines. I wish paranoia would be more general :)
Just use cp instead. No reason to use dd.
That’s actually a good point. Will need to think about server location and GDPR compliance.
Agreed!