Cockpit is a great web-based GUI for Linux servers. It has a lot of neat functionality and is a reasonably powerful tool for server management. However, one problem I see is that the official instructions, as well as all other tutorials, tell you to open port 9090 to access the interface.
This seems kind of insecure to me, considering that by default Cockpit authenticates using basic user credentials, including the ability to log in as root. So any SSH keys you might have set up and/or sshd config changes you made to prevent unauthorized access are moot. Even if you're using secure passwords, bots will likely find the login form and start endlessly trying to get inside.
The documentation does mention that you can set up SSO or certificate/smart card authentication but if you don't want to mess around with Kerberos, FreeIPA, Active Directory and such, then a simple and quick way to get a more secure Cockpit access is simply to use an SSH tunnel and never open port 9090 in the first place.
On your local machine, run this:
$ ssh -N -L localhost:9090:localhost:9090 user@remote-host
This command forwards port 9090 on the remote server to port 9090 on your local machine over SSH, so reaching the interface requires your SSH credentials (presumably an SSH key). The -N flag tells ssh not to run a remote command, just to hold the tunnel open. Then you can access the Cockpit dashboard by going to localhost:9090 in your browser.
Command breakdown:
localhost:9090 (first occurrence)
is the address and port on your local machine that will be used. The port can be any port you like; I chose 9090 because it's the default for Cockpit and is easy to remember. Giving localhost explicitly as the bind address keeps the forwarded port reachable only from your own machine.
localhost:9090 (second occurrence)
is the address and port we will be tunneling to, as seen from the remote machine itself. It has to be 9090, Cockpit's default listening port.
remote-host
is the address of the server you have Cockpit installed on.
If you already went through the installation and opened port 9090 on your remote host, then you can close it like so:
# firewall-cmd --permanent --zone=public --remove-service=cockpit
# firewall-cmd --reload
Make sure the cockpit service no longer shows up in the firewall active rules:
# firewall-cmd --list-all | grep services
If you don't see cockpit in the services line after running this command, then it is no longer accessible to the public internet. Note that --list-all without --zone reports the default zone; if your network interface is assigned to a different zone, check that zone explicitly with --zone=<zone>.
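As an added example that is not part of the original post, the following POSIX shell script checks the two things this setup relies on: that the forwarded port on your local machine is bound only to loopback (not to 0.0.0.0 or *), and that cockpit is absent from the firewall's services line. The function names and the sample `ss`/`firewall-cmd` outputs are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post). Both functions take command
# output as an argument, so they run offline against the constructed samples
# below or against live output:
#   check_loopback_listener "$(ss -ltn)" 9090
#   check_no_cockpit_service "$(firewall-cmd --zone=public --list-all)"
# Assumptions: `ss -ltn` column layout (State Recv-Q Send-Q Local:Port ...)
# and POSIX awk/grep.

# Return 0 if every TCP listener on the given port is bound to a loopback
# address (127.0.0.1 or [::1]). A listener on 0.0.0.0 or * would mean the
# forwarded Cockpit port is reachable from your local network, which defeats
# the point of the tunnel (e.g. a bind address of 0.0.0.0 in -L).
check_loopback_listener() {
    ss_output=$1
    port=$2
    bad=$(printf '%s\n' "$ss_output" | awk -v p="$port" '
        NR > 1 && $1 == "LISTEN" {
            n = split($4, a, ":"); if (a[n] != p) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            if (addr != "127.0.0.1" && addr != "[::1]") print $4
        }')
    [ -z "$bad" ]
}

# Return 0 if the "services:" line of firewall-cmd --list-all output does
# not contain cockpit as a whole word.
check_no_cockpit_service() {
    fw_output=$1
    ! printf '%s\n' "$fw_output" | grep -E '^[[:space:]]*services:' | grep -qw cockpit
}

# Constructed sample output (not captured from a real host).
SS_GOOD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:9090      0.0.0.0:*
LISTEN 0      128    [::1]:9090          [::]:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
SS_BAD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:9090        0.0.0.0:*'
FW_GOOD='public (active)
  services: dhcpv6-client ssh'
FW_BAD='public (active)
  services: cockpit dhcpv6-client ssh'
```

Run it on the laptop that holds the tunnel for the first check and on the server for the second; a non-zero exit from either function means the port is more exposed than intended.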