Notes on code, technology, caffeine and everything in between.

Hardening is hard

Jan 28, 2023
tl;dr:

A few days ago I wanted to update my blog. It turned out that I had locked myself out. Not fully, but my deployment script, which builds the Hugo site and uploads it to the online webserver using rsync, suddenly stopped working with some very cryptic ssh error message.

Of course, I still had ssh access to the server, so I didn’t investigate in that direction. What I had completely forgotten: I had just changed from the default ssh port to a more unusual one and forgot to add this line to the deployment script. If only rsync had given an error message that it couldn’t connect to the server instead of pointing to some arbitrary C library.

I’m still working on strategies to harden my webserver. I see in the logs that it has been under permanent attack recently. Some are just trying to guess my ssh password. Come on, you Chinese ‘hacker’ with IP 61.177.173.12, known for brute forcing ssh. Don’t waste your time and mine.

But some of the attackers also cause server downtime. I’m not entirely sure what they’re even doing, but it seems to be some sort of DDoS attack that causes the server’s network stack itself to behave in a way that causes a lot of packet loss. But I don’t want to use any CDN in front of the server to protect it; there must be a better solution.