Enhance SSH security documentation and update arch install notes

- ssh-setup-guide.md: Added comprehensive security hardening section with: * Non-standard port configuration (Port 2222) * Advanced SSH hardening settings (MaxAuthTries, ClientAlive, AllowUsers) * Dynamic DNS setup for remote access (DuckDNS, No-IP, Cloudflare) * fail2ban installation and VPN considerations * Additional security steps checklist - arch-install-notes.md: Updated post-installation priorities with yadm setup 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-07-30 17:05:30 +02:00
parent 80c19d6767
commit 3978d184ac
2 changed files with 34 additions and 20 deletions
--- a/ssh-setup-guide.md
+++ b/ssh-setup-guide.md
@@ -105,15 +105,31 @@ Host thinkpad
 # Edit SSH config to disable password authentication
 sudo nano /etc/ssh/sshd_config

-# Set these values:
+# Basic hardening settings:
 # PasswordAuthentication no
 # PermitEmptyPasswords no
 # ChallengeResponseAuthentication no
+# PermitRootLogin no
+# Protocol 2
+
+# Advanced hardening (optional):
+# Port 2222  # Change from default port 22
+# MaxAuthTries 3
+# ClientAliveInterval 300
+# ClientAliveCountMax 2
+# AllowUsers your-username  # Restrict to specific users

 # Restart SSH
 sudo systemctl restart sshd
 ```

+### Additional Security Steps:
+- [ ] **Change SSH port**: Edit `Port 22` to custom port (e.g., `Port 2222`)
+- [ ] **Install fail2ban**: `sudo pacman -S fail2ban && sudo systemctl enable fail2ban`
+- [ ] **Configure firewall**: Update ufw rules for new SSH port if changed
+- [ ] **Set up dynamic DNS**: For remote access (DuckDNS, No-IP, Cloudflare)
+- [ ] **Consider VPN**: For secure remote access instead of exposing SSH
+
 ## Setting Up Hostname Resolution

 ### Method 1: Using /etc/hosts (Simple, Local Only)