[dawson]

For those still using SSH as normal, you can setup Tailscale to accept connections only from Tailscale, and ignore any public internet traffic i.e., restrict ssh access to be only over Tailscale. For example, with UFW you could delete every rule except for the “Anywhere on tailscale0” and “41641/udp” rules.

[mfrw]

Exactly how it `turned my life around`.

I can now go to sleep without having to worry about random bots trying to mine crypto on my machines. To add to the goodness, one does not have to worry about either SSH-keys or remember cryptic passwords.

[withinboredom]

This seems like a ... strange ... comment. Do you usually worry about your ssh keys getting stolen? How do you use git?

FWIW, setting up something like tailscale is remarkably simple (I'm using PHP here to keep it simple):

In sshd_config:

    AuthorizedKeysCommand /auth_ssh %u
    AuthorizedKeysCommandUser nobody

And in auth_ssh, verify that the user is allowed to connect to that server, then look it up on github (my public keys: https://github.com/withinboredom.keys).

If you want to allow any github user you allow to connect various permissions, check out libnss-ato.

These are all 1 or 2 lines of configuration and are not hard. You just have to know they exist.

[mfrw]

Thank you for the pointers. Honestly, I had no idea about what you pointed out.

Regarding the strangeness; yes I was lazy and had password based ssh and was in constant fear that someone might pop my box.