Today I explored ssh-audit, a tool designed to audit SSH configurations. Although it’s an excellent tool, I found the hardening guides somewhat lacking. Hence, I decided to write a detailed walkthrough, ensuring the ssh/sshd configurations are easily readable.
Personally, I made sure SSH is only accessible when connected through a VPN setup for that purpose. As in, that same machine hosts a Wireguard setup (through Tailscale) and you need to connect to that first before SSH is available. And then SSH also only accepts key-based authentication. I don’t think I need more than that?
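The setup described in the comment above (key-only authentication, SSH reachable only over the VPN) is something you can verify against the daemon's effective configuration rather than against the file you think it is reading. The script below is an added example, not part of the thread and not code from ssh-audit: it parses the output format of `sshd -T` (lowercase keyword, value, one per line) and flags anything that would let a password in or expose the listener outside the VPN. Two assumptions are mine, not the commenter's: that the VPN is Tailscale, so listeners must fall in Tailscale's IPv4 range 100.64.0.0/10, and the sample dumps are constructed so the script runs offline; on a real host you would feed it the output of `sshd -T` instead.

```sh
#!/bin/sh
# Added example: audit an `sshd -T` dump for key-only, VPN-only SSH.
# Assumptions (not from the thread): VPN is Tailscale, so every listener must
# sit in 100.64.0.0/10; the SAMPLE_* dumps below are constructed, not captured.

# Print the value of one keyword from an `sshd -T` dump; empty if absent.
sshd_value() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# Check a dump. Prints one FAIL line per finding and returns the finding
# count, so a return of 0 means every check passed.
check_sshd_dump() {
    dump="$1"
    failures=0

    # Password and keyboard-interactive logins must both be off; together with
    # PubkeyAuthentication yes that leaves keys as the only way in.
    [ "$(sshd_value "$dump" passwordauthentication)" = no ] ||
        { echo "FAIL passwordauthentication is not 'no'"; failures=$((failures + 1)); }

    # OpenSSH before 8.7 reports this option as challengeresponseauthentication.
    kbd=$(sshd_value "$dump" kbdinteractiveauthentication)
    [ -n "$kbd" ] || kbd=$(sshd_value "$dump" challengeresponseauthentication)
    [ "$kbd" = no ] ||
        { echo "FAIL keyboard-interactive authentication is not 'no'"; failures=$((failures + 1)); }

    [ "$(sshd_value "$dump" pubkeyauthentication)" = yes ] ||
        { echo "FAIL pubkeyauthentication is not 'yes'"; failures=$((failures + 1)); }

    # Root may stay reachable with a key; only 'yes' would allow a root password.
    case "$(sshd_value "$dump" permitrootlogin)" in
        no|prohibit-password|without-password) ;;
        *) echo "FAIL permitrootlogin allows password logins for root"; failures=$((failures + 1)) ;;
    esac

    # Every listener must be a Tailscale IPv4 address: 100.64.0.0/10 means a
    # first octet of 100 and a second octet in 64..127. Wildcards (0.0.0.0,
    # [::]) and anything else are flagged.
    for addr in $(printf '%s\n' "$dump" | awk '$1 == "listenaddress" { print $2 }'); do
        host=${addr%:*}                 # strip the :port suffix
        case "$host" in
            100.*)
                second=$(printf '%s' "$host" | cut -d. -f2)
                [ "$second" -ge 64 ] && [ "$second" -le 127 ] && continue
                ;;
        esac
        echo "FAIL listenaddress $addr is outside 100.64.0.0/10"
        failures=$((failures + 1))
    done

    return "$failures"
}

# Constructed sample: what a host set up as in the comment should report.
SAMPLE_HARDENED='port 22
addressfamily inet
listenaddress 100.101.102.103:22
permitrootlogin no
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
authenticationmethods publickey'

# Constructed sample: a stock install listening on every address.
SAMPLE_DEFAULT='port 22
addressfamily any
listenaddress [::]:22
listenaddress 0.0.0.0:22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
authenticationmethods any'

# On a live host (usually as root): check_sshd_dump "$(sshd -T)"
echo "== hardened sample"; check_sshd_dump "$SAMPLE_HARDENED" && echo "OK"
echo "== default sample";  check_sshd_dump "$SAMPLE_DEFAULT" || echo "$? finding(s)"
```

Reading `sshd -T` rather than sshd_config matters because the dump reflects Include files, Match blocks and compiled-in defaults; a `PasswordAuthentication no` that is silently overridden by an included snippet shows up here and nowhere else.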
What if wireguard has issues? Then you can't ssh in to fix.
That really just depends on your scenario.
Couldn’t you just use ssh port forwarding?
If they use the VPN for other things too, it’s simpler this way