A laypersons guide to SSH security

August 20, 2025 Reading time: 19 minutes

How to secure your SSH connections

A simple layperson… yes, that’s me, I'm afraid. I’m not a coder, or a network wizard, or an expert scripter. I'm a hobbyist who enjoys tinkering with computers. I’m just a guy who hosts his own stuff from home using a tool that makes that journey so easy. The tool I use is Yunohost. They have put together a nice system that, for people like me, is easy to deploy, use and maintain. They have an excellent catalogue of applications, which are all packaged for use on their platform. This means that the security of the apps is already taken into account, allowing you to install with peace of mind. There are other systems around that do similar, but I have found the Yunohost system to be the better one (FWIW). I make a monthly contribution because it's worth it. You can see my system and what's in it here.

That's the advert done with, now to the reason for this article.

Despite the excellent YNH offer, the excellent catalogue of apps, and ease of use, sometimes you do have to get your hands dirty, and when I say that, I mean using a terminal application and something called SSH to log in to your system and do admin 'stuff' or even more terrifying, fixes... Gulp!

What does SSH mean?

It means Secure SHell (or Secure Socket Shell). It is a collection of utilities that provides encryption, key authentication and strong passwords. SSH is used by us users (admins) to manage our systems and applications remotely, enabling us to log in over a network, remotely or locally, to execute commands and to fix and add things, move files from one place to another, and so on. It's a bit more technical than that, obviously, but that's the basics of it.

Something you should probably do first... Maybe. If you want. I would!

Once you have successfully installed and tested your new Yunohsot system, change the SSH port number. SSH is one of the most scanned ports used by hackers to get into your system. The default port is 22, so change it to something else; anything above 1024 should do the trick. So, using terminal and log in to your system with:

ssh username@123.123.123.123 (the username you used to install YNH, the numbers are your server's IP address).

Hit return and enter your password; this is the one you set when you installed YNH in the first place.

Now type in, or copy:

yunohost settings set security.ssh.ssh_port -v 1234

The 1234 should be your chosen port number above 1024 that you want to use. If you really fancy getting your hands really dirty, you could do the following in terminal:

sudo nano /etc/ssh/sshd_config

This will open up a Linux editor called Nano, and you will have the SSH configuration file in front of you. Scroll down to the line that says #port 22. Delete the hash symbol (the comment) and enter a new port number so it will now say port 1234, the number of the port that you want to use. This method will require a restart of the SSH service, which you can do in the YNH GUI under Services, or while you are here in terminal type:

sudo systemctl restart ssh

However, if you want to keep things nice and simple, use the command yunohost settings set security.ssh.ssh_port -v 1234, which will keep things in order for you.

Some folk will probably say don't bother changing the port number if SSH is not forwarded on your router to your server, but whatever, I'd change it. You do have to remember the port number, though, when entering some commands that require SSH access, like logging in using terminal in the future. You will need to enter the port number prefixed with a -p. We shall see that later.

So once you have changed your port number and restarted the SSH service, instead of logging in with:

ssh username@123.123.123.123, you will now need, ssh -p1234 username@123.123.123.123

To be or not to be...

Ask yourself this question. Do I want to access my system via SSH inside my local network, outside or both? Don't be afraid to access your system outside of your network; you just have to think about a few extra things to stay secure.

Here is a little cut-out and keep table of your options and what you should consider.

ACCESS PORT FORWARDING ADVANTAGE DISADVANTAGE
Internal only Not required Your SSH port won't be found when scanned by hackers. If you are away and need to fix something, you can't. Sorry.
External Only Required You can do some work on your server. Excellent. Your SSH port number (22) is exposed. Good job, you changed it!

Personally, I want both. So I have a Raspberry Pi with a VPN server installed on it. Many places on the internet tell you how to install a vpn on a Pi and how to include it in your network. Once you have installed the vpn server, you only need a vpn client on your device(s). I use WireGuard on all my devices. If I need to do anything, I just fire up Wireguard, make the connection and open a terminal app and log in using my username and password. Everything appears to me as local, as if I am in my living room or kitchen with a cup of tea by using: ssh -p1234 username@123.123.123.123 (Yes, I changed my port number, so I need to remember the -p switch and use -p1234.

Can I be even more secure?

So far, we have been using SSH using a username and password for authentication, whether we are local or remote. (IP address when local, domain names when we are remote, unless you are using a vpn, then it's local.) There is another level of security I have recently tried called Key Authentication. This is a process of generating encrypted public and private keys, one on the server and one on a device that you will use to access your server. When you attempt to log in, if the keys match, you get in; if they don't match, you can't. If you lose your device or it gets corrupted, then you are effectively locked out of your server, but there are backdoor ways to get back in and reset. You'll need a monitor and keyboard connected to your server. More on that later.

So let's assume that for this example, we want to access our server, called myserver.com, remotely. We have changed the default port number for SSH from 22 to 1234. We have configured our modem's firewall to port forward SSH 1234 to our server's IP address. When we open a terminal in the coffee shop down the road and type:

ssh -p1234 username@myserver.com

Followed by the password. We now have our server in front of us, and we can do some stuff. But what happens if we are snooped on, wifi sniffed, our credentials compromised or found, whatever...? We can set up our device or devices to use an authentication key so that only those devices can access the server. Let's just do one device for now, a MacBook Pro 16.

Open up a terminal session on your MacBook Pro 16 (other computer manufacturers and models are available!) and type the following:

ssh-keygen -t ed25519 -C device_name Here the device name will be macbook16 so:

ssh-keygen -t ed25519 -C macbook16

When you hit enter, you will be given a path name to save to. Accept it as it is, just hit return. You will then be asked for a passphrase, which is just another word for a password. You could just not bother and hit return, but I'd advise you to set one. Make it a good one, a long one, so long you need a password manager app to remember it. Again, some may say you don't need it, but what if someone gets a hold of your device? You will be asked to confirm the passphrase.

Your device will now create two keys, a private one and a public one. We need to copy the public keys to our home server with:

ssh-copy-id -i ~/.ssh/id_ed25519.pub username@myserver.com

Hit return. Oh no, you got a connection error. Hmmm. This command assumes that you are using port 22 for SSH, but we have changed it to 1234. Remember that little -p switch? So now type:

ssh-copy-id -i -p1234 ~/.ssh/id_ed25519.pub username@myserver.com

That's it. Done. Close all your terminal sessions, and log in using,

ssh -p1234 username@myserver.com 

Now you will be asked for your passphrase and not your password. Enter your passphrase. If you get the server prompt, then the key authorisation for your MacBook Pro 16 to your server works. You still have the old method of logging in using your username and password. We can turn that off so that you can only use key authentication on your MacBook Pro. To turn this off, again, whilst in terminal type:

sudo nano /etc/ssh/sshd_config

You will have probably been here before if you chose to change your SSH port using Nano, the Linux text editor. Scroll down the open file and find the lines:

PasswordAuthentication yes and edit this line by changing the yes to a... no, so now it will read:

PasswordAuthentication no

Also, change the line:

PermitRootLogin yes to no

Save the file and exit. Again, you will have to restart the SSH service through the web GUI, or while you are in terminal type:

sudo systemctl restart ssh

You are all done. Access to your server at home can only be done with your MacBook, remotely. However, can you see the problem here? Your MacBook craps out, breaks down, gets stolen, whatever... You can no longer access your server. You have turned off the username/password method of getting access in favour of key authentication. What do you do?

If you want to use key authentication only, then just repeat the above steps on other devices, iPhone, iPads, Android, and just change the "device name" to the device name you are adding. You can use one key for all, but don't, just don't do it. Create a key for each device. It's safer and easier. You will be able to get access if you lose one device by using another.

Help...! I can't log in. My server is 'bricked"

So you have lost all your devices, or the key authentication process is just not authenticating anymore. How do we get access to our server and reset back to logging in using a username and password? This is where, when you get back home, you get the keyboard and monitor out. Plug them in and log in as admin locally, and let's turn back on password authentication with:

sudo nano /etc/ssh/sshd_config and change the lines:

PasswordAuthentication yes 

PasswordAuthentication yes

Restart the SSH service with:

sudo systemctl restart ssh

Now you can reset or recopy your keys from your device as we did above. Of course, if you are using a VPS, then you will have to use the provider's console to do the above.

Basic Security Tips

These are not in any order or preference, so take your pick of either or a combination of:

  • The easiest one is to use SSH locally only, take the port off your router, so no port forwarding.
  • Change the port number for SSH.
  • Recycle passwords every few months.
  • Use key authentication on more than one device.
  • Keep your admin group small.
  • Use a VPN on a Pi to log in remotely.

There are probably more things you can do, like check that Fail2ban is working and so on.

I told you that this was a layman's guide, so I might have got one or two things wrong. Please let me know. I'm trying to make this easy for those of us who have had difficulty understanding and securing SSH and using Key Authentication.

There is, however, excellent documentation on SSH and key authentication at the Yunohost website, which, of course, should be the definitive guide rather than my 'Janet & John", ABC version. I only write from experience, trial and error.

dj

    Why self host...?
    August 11, 2025 Reading time: 8 minutes

    Why bother?

    There are many reasons. For me, it's a hobby, but it might be different for you, of course. I have also become more resistant over time to letting big corporations be responsible for my data. How many times have you heard that such and such has been hacked? Of course, that can happen to anyone self-hosting as well, but at least I will be responsible for any loss. I can also react quicker and shut it all off, and as long as I have a backup, I can rebuild and be up and running again quite quickly.

    So, what do I self-host, and how did it come about?

    Back in the day, my email was hosted by FastMail and my files by SugarSync. Ah, those were the days. To be fair to them both, they were never hacked while I was with them, but I quite liked the idea of having everything under my control, files, photos and music, but how? I'd heard and seen a demo of OwnCloud. It was a file-sharing and sync server; it was in its infancy at the time and a pain to get and to keep going. 

    I invested in a QNAP NAS, a small but slow one to start with. It was quite good and did more or less what I needed. I could store and share my own files and photos, and music, but my email was still with FastMail. The slow speed of the server started to become a pain, so I upgraded to a larger, faster model. Now we were talking. It was a much better experience. I also had a slow Raspberry Pi that ran the file sharing and application suite, Nextcloud. Again, Nextcloud was a bit troublesome, but it soon made rapid improvements. It’s just that the Pi could not keep up with the demand of Nextcloud, and I found it offline more than on.

    While on a trip, I was searching the internet for self-hosting solutions and discovered, by accident, a community of people that had put together a self-hosting server called Yunohost. A bit of an odd name, but it had a good application catalogue that included Nextcloud for files, Piwigo for photos and Navidrome for music. 

    My new fast QNAP NAS came with an app called Virtualisation Station, which allowed you to install a full operating system in its own container. Interesting, I thought, and installed Yunohost into a container and set it up to speak to the outside world. It was a eureka moment. It was quick and very stable, and very soon I had Nextcloud working and usable. Next, I moved my website over, which was easy to do; all I had to do now was move my email over. A scary thought indeed. 

    With the fantastic help of the Yunohost community and some fiddling with DNS records at my domain registrar, I was off and running. Now I had everything I needed, working from a small server in my garage at home. Excellent… until… I was hacked! There were a bunch of hackers that had been targeting QNAP NAS machines online, and mine was one of them. I was locked out with ransomware. My blood turned cold when I logged into the server and saw the message. Fortunately, the container that my new test server was in was isolated from the ransomware that had changed the file name of every file on the system, but the isolated server within the server was still clean, and I had a backup, but everything else was gone; the backup was 4 weeks out of date. No way was I going to pay £530 in bitcoin to release my files. Instead, I wiped the QNAP NAS clean and sold it. I couldn’t wait to get it out of the house; never again will I buy a QNAP product.

    The next day, I bought a small form factor desktop computer on Amazon, installed Yunohost and restored from my backup. Since that day, five years ago, I have had a flawless system; only once was I hacked with some porn on my photo server, and that was my fault and was quickly fixed.

    Pros and Cons

    So what are the pros of self-hosting?

    • The obvious one is that you are in control of your data.
    • If you do the right thing, your data will be safe.
    • Cheaper. Online service providers are charging more and more each year to host your stuff. Sure, there are free services, but they are not really free.

    ...and the cons?

    • Power outages that are out of your control. UPS? Backup?
    • You must keep the system up to date to avoid security breaches.
    • Keep the server apps up to date.
    • Don’t forget to backup.
      • If the system fails, you will need to recover from it.
      • If you are hacked, you will need to recover from it. Make sure that the apps are set up correctly and understand permissions. Again, porn was dumped on my photo server due to bad permissions. I’ve learnt since!!!
    • You’ll need an understanding of how the internet works; things like DNS and DNS records will suddenly become a new thing for you to learn and understand.

    Is it really worth it?

    If you have the time, do some preliminary research and try a bit of trial and error work, then yes, it is worth it. My server runs smoothly, is backed up every day, and is updated weekly. I have several websites on my server, including photo galleries, file storage and sharing, as well as a large music library. Sure, I have faced a few ups and downs, but with some reading and help from the community, I have been up and running within a couple of hours. You will also gain a good understanding of how networks and the internet work. It's very rewarding to know that everything is under your control and knowledge. You don't need to know too much, but the more you learn, the more beneficial it is to keep your homelab server running.

    My Yunohost Homelab

    Have a look at my set-up at digitalcarnage.co.uk, and if you have any questions, do reach out 

    dj

    Personal Knowledge Management
    August 11, 2025 Reading time: 17 minutes

    Taking notes, good old pen and paper, or electronic?

    PKM - Personal Knowledge Management, can mean anything from how we take notes to how we sort them out and file them with supporting documents and objects. Are you a pen and paper person, a notebook person with bits of paper shoved in between pages, stapled items to pages, folded pages or paper with a pen and a highlighter? It's all PKM. These days, we all seem to have more and more information and notes that we need to consolidate in one place, and be able to access at a moment's notice.

    Your pen and paper may work perfectly well for you, so why should you change? There are a few computer applications that can help, but are they just a hammer to crack a nut? Are they necessary?  Here is a personal reflection on my work. Remember, there is no right or wrong way to take and file notes; it's like telling someone whether their shirt should be tucked in or not. The shirt is on, that's it. A poor analogy, but you get the idea. Here are a few examples, not in any order, you understand:

    I'm a stage lighting designer, so I have different clients with different needs, crew lists, kit lists and venues all different, some cross over to and from different jobs, so I need to be able to keep track of them, and sometimes they link together. This conversation can be cut short now if you have a look at my article about Devonthink. I'm a big, big fan of this application. I dipped in and out of it for a while, but I have committed to it now and find it almost indispensable for the work I do.

    Having said that, I have recently come across a new application called Capacities. It's very similar to Devonthink, though not as powerful, but it looks better and is easier to navigate than Devonthink.

    Here is a non-exhaustive list of their key differences:

    Feature / Mindset

    Capacities 🧠

    DEVONthink 📚

    Purpose

     Grow and connect ideas

      Store, organise, and search documents

    Data Type Focus

    Notes, images, links, concepts

    PDFs, scans, documents, email, media

    Core Strength

    Linking concepts into a network

    Advanced search, tagging, OCR

    Where Data Lives

    Cloud only

    Local-first with optional sync

    Access

    Cross-platform (web, Mac, win, iOS, Android)

    macOS + iOS only

    Offline Use

    Yes

    Yes

    AI Use

    Summarisation, idea linking

    Smart classification & search

    Best For

    Creative thinkers, writers, and content planners

    Researchers, archivists, lawyers, academics

    Metaphor

    Digital “second brain”

    Private “personal library”

    You can use the two in combination with each other, which I do, but really, it's a bit pointless. I need to come down to one or the other. They both have excellent AI functions, with Capacities doing the job better, I think. As a self-hoster, I sync Devonthink between my devices via my self-hosted Nextcloud instance. Capacities, however, is hosted and synced through Capacities in Germany. Despite that small detail, I think my preference is leaning more towards Capacities, if only you can sync through WebDAV. They both lack a good calendar and contact plugin. Capacites can use your Google or Office 365 contacts and calendar, but I'd like to see CalDAV/cardDAV support, again for us self-hosters!

    The other compelling reason for using Capacities is that notes or objects are linked. There are no folders, groups or hierarchy; you just create an "object" and then link them together with tags or groups as collections or queries. It all works very smoothly and efficiently.

    Here is a list of applications that do PKM and journaling.

    📒 Note-taking & Writing

    • Obsidian – Local markdown files, powerful linking, plugins, great for “second brain” setups.

    • Logseq – Local-first, outline-based, daily notes, backlinks, and graph view.

    • Roam Research – Popular for networked thought and daily notes, cloud-based.

    • Notion – Flexible database-style system with pages, embeds, and collaboration.

    • Evernote – Classic note-taking app with web clipping, tagging, and search.

    • Apple NotesSimple, synced across Apple devices.

    • Google Keep – Sticky-note style, fast and minimal.

    📚 Research & Knowledge Curation

    • DEVONthink – Mac/iOS powerhouse for storing, tagging, and searching documents.

    • Zotero – Reference manager for academics and researchers.

    • Mem – AI-driven note management and linking.

    📅 Daily Planning & Journaling

    • Day One – Rich journaling app with media support.

    • Reflect – Daily journaling with backlinks.

    • Capacities – Combines objects, notes, and tasks into one graph-based PKM system.

    • Trilium Notes - Daily journaling with backlinks.

    📂 Plain Text & Markdown Lovers

    • Joplin – Open source, cross-platform markdown notes, sync options.

    • Standard Notes – Encrypted notes with extensions.

    • TiddlyWiki – Self-contained personal wiki in a single HTML file.

    Out of the above, I have tried:

    Obsidian, Notion, Evernote, Apple Notes, Joplin, Capacities, Devonthink, Standard Notes, Trilium and TiddlyWiki.

    Comments on the above:

    Obsidian - Couldn't get my head around it. Uses markdown. Hate markdown!!! Sorry if you are a user!

    Notion - Similar to Capacities, but a bit more 'faffy'. Nice though.

    Evernote - I used to subscribe to this app when it first came on the scene. Not mad on it now.

    Apple Notes - Excellent. Use on its own or in conjunction with Devonthink and Capacities.

    Joplin - Excellent app which can host yourself. A bit boring to look at, but easy to use.

    Capacites - Love it!

    Devonthink - Love it!

    Standard Notes - Very nice, but expensive for what it does. I used to self-host this server and use the app, but the support for self-hosters stopped. Shame that.

    Trilium - A very nice PKM that you can host yourself. Very fast and responsive.

    TiddlyWiki - Very nice app that you can self-host. Uses your browser to store and secure your notes.

    Final note. I can't be doing with Markdown. What's it for...?

    Navigation - My Last 5 Posts

    Categories

    Quick Links

    Search