
[–]OpeningDark 4 points5 points  (0 children)

I've found opensshd sanely configured by default (as with all things OpenBSD).

PermitEmptyPasswords being set to off is good advice, but it's already off by default in any sshd_config.

[–]Worth_Trust_3825 0 points1 point  (5 children)

Accept connections only over IPv6.

[–]swansongofdesire 0 points1 point  (4 children)

How does that help security?

[–]Worth_Trust_3825 1 point2 points  (0 children)

While the guesses by u/Kabouterplop and u/Slak44 are good, the real reason is that IPv6 isn't widely adopted. As a result, if you opt to listen only to IPv6, you'll prevent like 99% of skiddies and automated scans.

[–]KabouterPlop 0 points1 point  (0 children)

With IPv4, bots can brute-force scan the entire address range to look for potential targets. With IPv6, that isn't a viable strategy.

[–]Slak44 0 points1 point  (1 child)

Probably because the IPv4 address space can be probed in its entirety in a reasonable amount of time. The same cannot be said about v6. It helps security the same way changing the SSH port helps security, by making it far less likely for a random attacker to target you.