So, I have a desktop that has a single-core/2-threads Pentium 4 CPU @ 2.4 GHz and a much newer desktop with an i7 CPU. The older desktop was one that I found on the streets in my neighborhood and that I later fixed and started to play around with, and I decided to install Gentoo on it (just because). Its CPU is also so old that it thankfully doesn’t have Intel MME. I have also put my older desktop in such a place where I could keep it on 24/7 (without the risk of it overheating or bothering anyone even when emerging packages).

So, as I was installing Gentoo on it, I figured that I could also use it as an SSH file server and put it behind a VPN (which I could install on my newer i7 desktop (which I could install Debian onto)).

Now, since I wasn’t intending to use my Pentium desktop as a file server, I didn’t select the hardened profile (and switching profiles would probably take a very long time). So, I was wondering, would this be much of a security concern in my case?

  • donio@lemmy.world
    4 months ago

    For what it’s worth, hardened wouldn’t have saved you from the recent openssh RCE. It may or may not save you from the next one.
    Staying on top of GLSAs and making sure that you don’t misconfigure your system is probably more important.

  • viking@infosec.pub
    4 months ago

    I doubt it’s an elevated risk, if you install updates and patches regularly. Make sure the VPN allows port forwarding only to whichever specific port you’re running SSH on (ideally you want a random, non-default port that’s not associated with a specific service).

  • Tim M@mas.to
    4 months ago

    @KseniyaK I used to do this and although obscurity is no substitute for security, I ran it behind a firewall device and then behind net-misc/sslh on port 443 (fwding https to a port with no listener to make it appear the port was open but not connected) - before that, when I reviewed the logs, I’d see endless password dictionary attack attempts from bots on port 22.
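
Added example, not part of any comment in this thread: a small log review script that summarizes failed SSH password attempts per source address, the kind of dictionary-attack noise on port 22 described in the last comment. The log lines, hostname, user name and thresholds are constructed for illustration; the line format assumed is OpenSSH's usual syslog output.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's syslog format (documentation-range IPs).
SAMPLE_LOG = """\
Jul 10 03:12:01 pentium sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 10 03:12:03 pentium sshd[2101]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Jul 10 03:12:05 pentium sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jul 10 03:12:09 pentium sshd[2107]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jul 10 04:40:17 pentium sshd[2230]: Failed password for kseniya from 10.8.0.2 port 40112 ssh2
Jul 10 04:40:25 pentium sshd[2230]: Accepted password for kseniya from 10.8.0.2 port 40112 ssh2
Jul 10 05:01:44 pentium sshd[2301]: Failed password for invalid user test from 198.51.100.7 port 33222 ssh2
"""

# The user name is attacker-controlled text, so match greedily and anchor on the
# trailer sshd itself writes: the last "from <ip> port <n> ssh2" on the line wins.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def summarize(log_text):
    """Return {source_ip: {"attempts": n, "users": set_of_usernames}}."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            entry = stats[m["ip"]]
            entry["attempts"] += 1
            entry["users"].add(m["user"])
    return dict(stats)

def likely_dictionary_sources(stats, min_attempts=3, min_users=2):
    """Sources that tried several distinct user names: the bot pattern, not a typo."""
    return sorted(
        ip for ip, s in stats.items()
        if s["attempts"] >= min_attempts and len(s["users"]) >= min_users
    )

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip, s in sorted(stats.items(), key=lambda kv: -kv[1]["attempts"]):
        print(f"{ip:15} {s['attempts']:3} attempts, users: {sorted(s['users'])}")
    print("flag:", likely_dictionary_sources(stats))
```

To run it against a real system, pass the text of the file or journal where sshd logs on that machine to `summarize` in place of `SAMPLE_LOG`.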