z3bra

A VPN is easy to setup (and I have it setup by the way), but no VPN is even easier. SSH by itself is sufficiently secure if you keep it up to date with a sane configuration. Bots poking at my ssh port is not something that bother me at all, and not part of any attack vector I want to be secure against.

Out of all the services I expose to the clear web, SSH is probably the one I trust the most.

Yeah I know, I just don’t really care about that traffic to bother changing it :) Also, I’m talking about a server hosted on Hetzner, so I feel like it’s scanned a lot.

I get what you say, and you’re definitely not wrong to do it. But as I see it, you only saved ~80Kib of ingress and a few lines of logs in the end. From my monitoring I get ~5000 failed auth per day, which account for less than 1Mbps average bandwidth for the day.

It’s not like it’s consuming my 1Gbps bandwidth or threatening me as I enforce ssh key login. I like to keep things simple, and ssh on port 22 over internet makes it easy to access my boxes from anywhere.

Congratulations! A mail server is quite demanding in terms of initial setup, but it’s also very rewarding !

Here are a few pointers I can give you:

• Using a good domain is important, some provider block entire TLDs for cheap domains (eg. .tk or .pw). I learnt it the hard way…
• Set your MX records to A records, not CNAME
• Ensure your PTR records match your A records for the mail server
• Learn about SPF and DKIM
• Set them up, and verify with mxtoolbox
• Use the ip4:<ipv4> and/or ip6:<ipv6> selectors for SPF
• Setup a spamfilter (I like spamassassin)
• Leave it all running for a few weeks/months
• Publish a DMARC policy on your DNS, and verify with mxtoolbox

This should limit a lot your likeliness to end up in spam folders (which is usually the hardest part about running your mail server)