

I have no servers that accept external password-login. All use SSH keys.
If you mean the apps you run on the servers, many can use an OAuth server that you then host for SSO.
HW/FW security researcher & Demoscene elder.
I started having arguments online back on Fidonet and Usenet. I’m too tired to care now.




Agree, this is exactly what I went with recently in the same situation.


All services are dockerized, updated nightly.
Server OS runs a kernel-patch service for real time exploit patching.
All other updates as soon as they appear.
Yeah, sometimes I’ll need to go in and repair - but that’s way better than having to clean up after having been exploited due to not keeping up on security patches.


Will Nextcloud run apps not marked as compatible with that version?
So? Pubkey login only and fail2ban to take care of resource abuse.


I went from Seafile to Nextcloud with family file sharing as the primary usage. I’m using the AIO docker installation without issues.
This might not help, but I never experienced the issues you had.
(I moved away from Seafile due to - in my opinion - it dying a slow death with less and less support)
Still no. Here’s the reasoning: A well known SSHd is the most secure codebase you’ll find out there. With key-based login only, it’s not possible to brute force entry. Thus, changing port or running fail2ban doesn’t add anything to the security of your system, it just gets rid of bot login log entries and some - very minimal - resource usage.
If there’s a public SSHd exploit out, attackers will portscan and find your SSHd anyway. If there’s a 0-day out it’s the same.
(your points 4 and 5 are outside the scope of the SSH discussion)
Feel free to argue with facts. Hardening systems is my job.
This is not “the correct answer”. There’s absolutely nothing wrong with “exposing” SSH.
A few replies here give the correct advice. Others are just way off.
To those of you who wrote anything else than “disable passwords, use key based login only and you’re good” - please spend more time learning the subject before offering up advice to others.
(fail2ban is nice to run in addition, I do so myself, but it’s more to stop wasting resources than having to do with security since no one is bruteforcing keys)
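
A check for the “disable passwords, use key based login only” posture argued for in the comments above, as an added example that is not part of the original comments: it reads text in sshd_config syntax (on a real host, the output of `sshd -T` has the same form) and reports anything that leaves a password path open. The function name and both sample configs are constructed for illustration, and `Include` files are assumed to be already resolved.

```python
import re

# OpenSSH built-in defaults, used when a keyword is absent from the config.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Deprecated spelling that OpenSSH still accepts for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Key-only posture: no password path, public keys enabled.
WANTED = {"passwordauthentication": "no",
          "kbdinteractiveauthentication": "no",
          "pubkeyauthentication": "yes"}

def audit_sshd_config(text):
    """Return findings; an empty list means only key-based login is possible."""
    global_cfg, findings, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":          # everything after this is conditional
            in_match = True
            continue
        if key not in WANTED or len(parts) < 2 or not parts[1].split():
            continue
        value = parts[1].split()[0].strip('"').lower()
        if in_match:
            if value != WANTED[key]:
                findings.append(f"Match block sets {key} {value}")
        else:
            global_cfg.setdefault(key, value)   # sshd keeps the first value seen
    for key, want in WANTED.items():
        have = global_cfg.get(key, DEFAULTS[key])
        if have != want:
            findings.append(f"global {key} is {have}, expected {want}")
    return findings

# Constructed sample configs (not taken from any real host).
HARDENED = "PasswordAuthentication no\nChallengeResponseAuthentication no\n"
WEAK = """PasswordAuthentication no
# KbdInteractiveAuthentication left at its default
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, audit_sshd_config(cfg) or "key-only login enforced")
```

The weak sample shows the two gaps that are easiest to miss: keyboard-interactive authentication left at its default, and a `Match` block that turns passwords back on for some clients.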


I went from Emby to Jellyfin as they started their enshittification journey. I don’t really notice it being less polished.


Ollama as a general LLM server and then LLaVA as model.
I host a SearXNG instance and follow the Matrix channel. Haven’t seen anything along those lines.
It’s not. It’s bog standard legalese licensing.


The AI support doesn’t hurt you if you don’t use it - and they’ve done the right thing by making sure you can do things locally instead of cloud.
Here’s what AI does for me (self-hosted, my own scripts) on NC 9:
When our phones sync photos to Nextcloud a local LLM creates image descriptions on all the photos, as well as creating five tags for each.
It is absolutely awesome.
This is where Signal’s biggest problem shows. It’s centralized. Matrix is the better choice since it will be up to you if you decide to break the law if it’s banned, since there will still be plenty of servers you can reach.
You want Matrix. Synapse if you intend to host for others, Conduit if you just want to host for yourself. There are quite a few different clients but I do indeed use ElementX on mobile.
Many of Yandex’s employees resigned in protest, accusing the company of serving as a tool of Kremlin propaganda and actively concealing information about the war.


That sounds problematic. Where do they detail this?
Wikipedia:
Google Safe Browsing “conducts client-side checks. If a website looks suspicious, it sends a subset of likely phishing and social engineering terms found on the page to Google to obtain additional information available from Google’s servers on whether the website should be considered malicious”.
I’m happy with my NanoKVMs