Modern TLS Cipher Configuration in 2026

Configuring TLS ciphers used to involve copying a magic list from the Mozilla SSL Configuration Generator and moving on. In 2026 the landscape has shifted enough that revisiting it is worth the effort.

What changed

- TLS 1.3 is now supported by 95%+ of clients. Serving TLS 1.0 or 1.1 is an active liability.
- OpenSSL 3.x became the default on most modern distros. Some older ciphers are simply gone.
- Post-quantum hybrid key exchange (X25519-Kyber768) started rolling out in Chrome and Firefox.
- Perfect Forward Secrecy is universally expected. No more RSA key exchange.

Recommended nginx config

    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.3 cipher suites (nginx picks automatically)
    ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers off;
    ssl_ecdh_curve X25519:secp521r1:secp384r1;

ssl_prefer_server_ciphers off is correct for modern deployments: every suite in the list is ECDHE with an AEAD cipher, so there is nothing weak left for the client to pick, and clients know better than servers which ciphers perform well on their hardware (AES-GCM where it is hardware-accelerated, ChaCha20-Poly1305 where it is not). One caveat: with OpenSSL, ssl_ciphers only governs TLS 1.2 suites, so the TLS_* names in that list are ignored; the three TLS 1.3 suites stay enabled by default and are restricted, if that is ever needed, with ssl_conf_command Ciphersuites. ...
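To see what a cipher string like the one in the nginx config actually enables, the following added example (not code from the original post) builds a server-side context with Python's standard-library ssl module, which is OpenSSL underneath and consumes the same cipher string syntax as ssl_ciphers. It applies the three directives (TLS 1.2 floor, cipher list, client preference) and then audits every enabled suite for forward secrecy and AEAD. The cipher strings are constructed inputs: the ECDHE part of the recommended list, and a legacy-style list for contrast.

```python
"""Mirror the nginx TLS directives in an ssl.SSLContext and audit the result.
Added example; uses only the standard library (OpenSSL via the ssl module)."""
import ssl

# Constructed inputs: the TLS 1.2 part of the recommended ssl_ciphers line, and a
# legacy-style list (static RSA key exchange, CBC suites) for contrast.
RECOMMENDED_TLS12 = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)
LEGACY_TLS12 = "ECDHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-SHA"

# OpenSSL suite names ending this way are AEAD constructions.
AEAD_SUFFIXES = ("-GCM-SHA256", "-GCM-SHA384", "-CHACHA20-POLY1305")


def build_server_context(cipher_string):
    """ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ...; ssl_prefer_server_ciphers off."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Like nginx's ssl_ciphers this only governs TLS 1.2 suites; the TLS 1.3
    # suites are a separate list that OpenSSL enables in full by default.
    ctx.set_ciphers(cipher_string)
    # Python sets OP_CIPHER_SERVER_PREFERENCE on new contexts; clear it so the
    # client's ordering wins, as ssl_prefer_server_ciphers off does in nginx.
    ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def audit_suite(name):
    """Problems with one enabled suite name; [] when it is ECDHE + AEAD."""
    if name.startswith("TLS_"):  # TLS 1.3 suites are always (EC)DHE and AEAD
        return []
    problems = []
    if not name.startswith("ECDHE-"):
        problems.append("no forward secrecy (static key exchange)")
    if not name.endswith(AEAD_SUFFIXES):
        problems.append("not AEAD (CBC + HMAC construction)")
    return problems


def summarize(ctx):
    """Audit report: protocol floor, preference setting and flagged suites."""
    enabled = [c["name"] for c in ctx.get_ciphers()]
    findings = {}
    for name in enabled:
        problems = audit_suite(name)
        if problems:
            findings[name] = problems
    return {
        "min_version": ctx.minimum_version.name,
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        # Present only when the linked OpenSSL is 1.1.1 or newer.
        "tls13_suites": [n for n in enabled if n.startswith("TLS_")],
        "findings": findings,
    }


if __name__ == "__main__":
    for label, ciphers in (("recommended", RECOMMENDED_TLS12), ("legacy", LEGACY_TLS12)):
        report = summarize(build_server_context(ciphers))
        print(label, report["min_version"],
              "server_preference=%s" % report["server_preference"])
        for name, problems in report["findings"].items():
            print("  ", name, "->", "; ".join(problems))
```

Run it and the recommended list produces no findings, while the legacy list flags AES256-SHA twice (static RSA key exchange and CBC), AES128-GCM-SHA256 for missing forward secrecy, and ECDHE-RSA-AES256-SHA for its CBC construction. The name-based checks are the same ones you would apply by eye to an `openssl ciphers -v` listing; they are a quick sanity check, not a replacement for scanning the live endpoint.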

August 5, 2024 · 2 min · Besterry

SSH Hardening Checklist for Public VPS

Every public-facing server gets port-scanned within minutes of going online. Default SSH settings are decent but not great. Here is the checklist I run through on every new VPS.

Disable password authentication

In /etc/ssh/sshd_config:

    PasswordAuthentication no
    PubkeyAuthentication yes
    ChallengeResponseAuthentication no
    KbdInteractiveAuthentication no

ChallengeResponseAuthentication is the older alias of KbdInteractiveAuthentication; setting both keeps old and new OpenSSH releases consistent. Note that sshd uses the first value it reads for a keyword, and distro images often Include /etc/ssh/sshd_config.d/*.conf near the top of the file, so a drop-in there can silently override these lines; confirm the effective values with sshd -T.

Restrict root login

    PermitRootLogin prohibit-password

This allows root login with a key but not a password, which is fine for automation. For stricter setups, use no and sudo from an unprivileged user. ...
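The checklist is easy to apply and easy to get wrong silently, because sshd keeps the first value it reads for each keyword and expands Include directives in place. The following added example (not code from the original post) parses an sshd_config with those semantics and audits the result against the checklist. The configuration text and the drop-in file are constructed samples modelled on a stock cloud image: the drop-in re-enables passwords and is included before the admin's own lines. Included files are passed in as a dict rather than read from disk so the example runs anywhere; on a real host, `sshd -T` is the authoritative view of the effective values.

```python
"""Audit an sshd_config against the hardening checklist using sshd's own
first-occurrence-wins rule. Added example; constructed sample inputs."""
import fnmatch
import re

# Constructed sample: the distro Include comes first, so its drop-in sets
# PasswordAuthentication before the admin's line below ever gets read.
SAMPLE_MAIN = """\
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
Match User deploy
    PasswordAuthentication no
"""
# Simulated contents of /etc/ssh/sshd_config.d/ (path -> text).
SAMPLE_DROPINS = {
    "/etc/ssh/sshd_config.d/50-cloud-init.conf": "PasswordAuthentication yes\n",
}

# sshd's built-in defaults for the keywords we care about (OpenSSH 7.0+).
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# ChallengeResponseAuthentication is the deprecated alias of KbdInteractiveAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# What the checklist requires; PermitRootLogin has two acceptable values.
EXPECTED = {
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "kbdinteractiveauthentication": {"no"},
    "permitrootlogin": {"no", "prohibit-password"},
}


def _directives(text, files):
    """Yield (keyword, value) pairs in the order sshd reads them.

    Include is expanded in place (matching files in sorted order, like a glob).
    Parsing of a file stops at its first Match line: everything after it is
    conditional and does not set global values (a simplification of sshd).
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            return
        if key == "include":
            for pattern in value.split():
                for path in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    yield from _directives(files[path], files)
            continue
        yield key, value


def effective_config(main_text, files):
    """Effective global values: the first occurrence wins, defaults fill the rest."""
    cfg = dict(SSHD_DEFAULTS)
    seen = set()
    for key, value in _directives(main_text, files):
        if key in cfg and key not in seen:
            cfg[key] = value.lower()
            seen.add(key)
    return cfg


def audit(cfg):
    """Checklist deviations as human-readable strings; [] when compliant."""
    findings = []
    for key, allowed in EXPECTED.items():
        if cfg[key] not in allowed:
            findings.append("%s=%s (expected %s)" % (key, cfg[key], " or ".join(sorted(allowed))))
    return findings


if __name__ == "__main__":
    for finding in audit(effective_config(SAMPLE_MAIN, SAMPLE_DROPINS)) or ["ok"]:
        print(finding)
```

With the drop-in present the audit reports `passwordauthentication=yes` even though the main file says `no`; remove or fix the drop-in and the same main file passes. The same first-wins rule is why a duplicated `PermitRootLogin yes` near the top of a file beats a hardened line appended at the bottom.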

April 1, 2024 · 1 min · Besterry