My SSH Entry Should Not Be the Weakest Link

All of this infra sits behind one obvious entry point: SSH to the VPS.

So I want SSH to be:

  • key-based only,
  • ideally bound to my VPN IP(s),
  • wrapped in sensible firewall rules.

SSH Hardening Goals

For SSH itself:

  • no password login,
  • public-key authentication only,
  • possibly restrict which users can log in directly (e.g. AllowUsers),
  • strong ciphers and MACs (reasonably modern defaults).

On top of that, use firewalld/nftables to:

  • allow SSH only from specific IP ranges (e.g. my VPN),
  • log failed connection attempts,
  • separate SSH from app traffic.
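A small audit helper for the sshd side of these goals, added here as an example rather than the author's own tooling; the two sample configs and the `deploy` user in them are constructed, and the script assumes plain `Keyword value` lines.

```shell
#!/bin/sh
# Added example, not the author's config: audit an sshd_config against the goals
# above. Assumes plain "Keyword value" lines; sshd uses the FIRST value it sees per
# keyword. Match blocks/Include drop-ins are not followed: feed it `sshd -T` output.

sshd_get() {  # $1 = keyword (case-insensitive), $2 = config file
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        tolower($1) == key { print $2; exit }   # first occurrence wins
    ' "$2"
}

audit_sshd() {  # 0 if every goal is met, else print each failure and return 1
    f="$1"; rc=0
    [ "$(sshd_get PasswordAuthentication "$f")" = "no" ] \
        || { echo "FAIL: PasswordAuthentication must be no"; rc=1; }
    [ "$(sshd_get KbdInteractiveAuthentication "$f")" = "no" ] \
        || { echo "FAIL: KbdInteractiveAuthentication must be no (ChallengeResponseAuthentication on older OpenSSH)"; rc=1; }
    [ "$(sshd_get PubkeyAuthentication "$f")" != "no" ] \
        || { echo "FAIL: PubkeyAuthentication is disabled"; rc=1; }
    [ -n "$(sshd_get AllowUsers "$f")" ] \
        || { echo "FAIL: AllowUsers not set, any local account may log in"; rc=1; }
    case "$(sshd_get Ciphers "$f")" in
        *cbc*) echo "FAIL: CBC cipher listed in Ciphers"; rc=1 ;;
    esac
    case "$(sshd_get MACs "$f")" in
        *md5*|*sha1*) echo "FAIL: MD5/SHA-1 MAC listed in MACs"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample configs: one meeting the goals, one with common gaps.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
cat >"$GOOD_CFG" <<'EOF'
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers deploy
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
EOF
cat >"$BAD_CFG" <<'EOF'
# PasswordAuthentication no   <- commented out, so it does not count
PasswordAuthentication yes
Ciphers aes128-cbc,aes256-ctr
EOF

audit_sshd "$GOOD_CFG" && echo "sample: OK"; audit_sshd "$BAD_CFG" || echo "sample: goals missed"
```

To check what sshd actually enforces after all drop-ins are merged, dump the effective config with `sshd -T > /tmp/effective` and run `audit_sshd /tmp/effective`.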

Matching the Overall Design

SSH is how I:

  • deploy configs,
  • manage system packages,
  • debug when containers or Vault won’t start.

So it deserves as much thought as Vault or the proxies. If SSH is weak, all the pretty PKI design doesn’t matter.