Hacker News: klaushardt's comments

Could you post your config for inspiration? I don't like starting with a blank canvas.


I just started using it when it launched 1.0. The stock configuration is basically perfect for me, with a few minor tweaks and a theme:

    confirm-close-surface = false
    macos-titlebar-style = tabs
    theme = IR_Black


My Ghostty config:


SSH Socks over 443 could be a solution.


So for example Shibboleth with privacyIDEA and enabled webAuthn and 2FA for AnyConnect or some other VPN?


This is what I was thinking


I bet it will happen that some apps I now use, which are in the regular app store, will be pulled in favor of their own app store which has more tracking and maybe even costs money. So it will be a downgrade if now-working apps move to an ad and tracking app store which is not privacy-sensitive like iAds.


> I bet it will happen that some apps I now use, which are in the regular app store, will be pulled in favor of their own app store which has more tracking and maybe even costs money.

Did not happen for Android, so there is no reason to think that it will happen in this case. Also, how would an app installed from another store be able to track you more if you are using the same OS? That just sounds like bad OS design from Apple.


That's what your app creators want, you should be happy for them to have the freedom to distribute their product to you as they see fit.


HealthFit can export Workouts as .gpx or .fit files.


I just dump my default changes here. Maybe somebody finds something useful for themselves. Added the command from this thread too. :) Edit: Looks like I already did edit this before, since mine was already at 8 and 12. Added the original source like it's linked above.

# Defaults and other Stuff

    sudo scutil --set HostName nix
    
    # https://macos-defaults.com/
    defaults write NSGlobalDomain NSNavPanelExpandedStateForSaveMode -bool true
    defaults write NSGlobalDomain PMPrintingExpandedStateForPrint -bool true
    defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false
    defaults write com.apple.dock "autohide-delay" -float "0" && killall Dock
    defaults write com.apple.dock "autohide-time-modifier" -float "0.3" && killall Dock
    defaults write NSGlobalDomain ApplePressAndHoldEnabled -bool false
    defaults write NSGlobalDomain AppleShowScrollBars -string "Always"; killall Finder
    defaults write com.apple.screencapture "disable-shadow" -bool "true"
    defaults write com.apple.dock "tilesize" -int "38" && killall Dock
    defaults write com.apple.dock "mineffect" -string "scale" && killall Dock
    defaults write com.apple.finder "ShowExternalHardDrivesOnDesktop" -bool "false" && killall Finder
    defaults write com.apple.finder "ShowRemovableMediaOnDesktop" -bool "false" && killall Finder
    defaults write com.apple.dock "mru-spaces" -bool "false" && killall Dock
    defaults write com.apple.TimeMachine "DoNotOfferNewDisksForBackup" -bool "true"
    defaults write com.apple.dock "enable-spring-load-actions-on-all-items" -bool "true" && killall Dock
    defaults write com.apple.Music "userWantsPlaybackNotifications" -bool "false" && killall Music
    
    # https://www.jessesquires.com/blog/2023/12/16/macbook-notch-and-menu-bar-fixes/
    # https://www.reddit.com/r/MacOS/comments/16lpfg5/hidden_preference_to_alter_the_menubar_spacing/
    # https://flaky.build/native-fix-for-applications-hiding-under-the-macbook-pro-notch
    # https://news.ycombinator.com/item?id=39343919
    defaults -currentHost write -globalDomain NSStatusItemSelectionPadding -int 8
    defaults -currentHost write -globalDomain NSStatusItemSpacing -int 12

    # https://www.reddit.com/r/macgaming/comments/16ra8di/metal_hud_enabledisable_shortcut/
    # https://www.icloud.com/shortcuts/1271048e407543d391415934cad5edcd
    defaults write -g MetalForceHudEnabled -bool YES
    /bin/launchctl setenv MTL_HUD_ENABLED 1


* changing your SSH port means that you'll have to do a bunch of fuckery to get basic functionality working. You will very likely waste hours of your life. You will have to google "rsync ssh non standard port" every time you want to use rsync. You will have to remember scp flags. This is also bad. Probably worse.

---

I don't need to remember non-standard ports if I just use my .ssh/config.

    Host myhost.tld
      Hostname 127.0.0.1
      Port 333
      User MyUser
      IdentityFile ~/.ssh/myhost.tld
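
The alias trick works because the OpenSSH client resolves options per keyword, taking the first matching `Host` stanza for each one, so a specific host entry placed above a `Host *` catch-all wins. The following Python script is an added example, not code from this thread or from OpenSSH: it parses a constructed `~/.ssh/config` (the stanza above plus a hypothetical `*.internal` pattern and a `Host *` fallback), resolves an alias the way ssh does, and shows the explicit `ssh -p ... -i ... user@host` command the alias replaces. Only the `*` and `?` wildcards are handled; negated patterns are out of scope.

```python
import fnmatch
from typing import Dict, List, Tuple

# Constructed sample ~/.ssh/config: the thread's stanza plus two extra stanzas
# (assumption: "*.internal" and the catch-all "Host *" are hypothetical additions).
SAMPLE_CONFIG = """\
Host myhost.tld
  Hostname 127.0.0.1
  Port 333
  User MyUser
  IdentityFile ~/.ssh/myhost.tld

Host *.internal
  Port 2222
  User deploy

Host *
  Port 22
  User fallback
  ServerAliveInterval 30
"""

Block = Tuple[List[str], Dict[str, str]]


def parse_ssh_config(text: str) -> List[Block]:
    """Split ssh_config text into (host patterns, options) stanzas in file order."""
    blocks: List[Block] = []
    patterns: List[str] = []
    options: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Key value" and "Key=value"; keywords are case-insensitive.
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key, value = key.lower(), value.strip()
        if key == "host":
            if patterns:
                blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options[key] = value
    if patterns:
        blocks.append((patterns, options))
    return blocks


def resolve(alias: str, blocks: List[Block]) -> Dict[str, str]:
    """Emulate OpenSSH's rule: for each keyword the first matching Host stanza wins,
    so specific hosts must come before the "Host *" catch-all.
    Only the "*" and "?" wildcards are handled; negated patterns ("!host") are not."""
    result: Dict[str, str] = {}
    for patterns, options in blocks:
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in options.items():
                result.setdefault(key, value)
    # OpenSSH's own defaults when the config says nothing
    result.setdefault("hostname", alias)
    result.setdefault("port", "22")
    return result


def expand_ssh_argv(alias: str, blocks: List[Block]) -> List[str]:
    """Show the explicit command line the alias saves you from typing."""
    cfg = resolve(alias, blocks)
    argv = ["ssh", "-p", cfg["port"]]
    if "identityfile" in cfg:
        argv += ["-i", cfg["identityfile"]]
    target = cfg["hostname"]
    if "user" in cfg:
        target = f"{cfg['user']}@{target}"
    return argv + [target]


if __name__ == "__main__":
    cfg = parse_ssh_config(SAMPLE_CONFIG)
    for host in ("myhost.tld", "db.internal", "other.example"):
        print(host, "->", " ".join(expand_ssh_argv(host, cfg)))
```

Run it and `myhost.tld` expands to `ssh -p 333 -i ~/.ssh/myhost.tld MyUser@127.0.0.1`, while a host matched only by `Host *` still gets port 22. The same resolution is what lets `scp` and `rsync` accept the bare alias, since they invoke the ssh client underneath.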


I was brand new to managing an Ubuntu Hetzner server and the moment I saw how many port 22 scans the server received I decided to try changing the port number, followed by key-only passwordless logins. My logs immediately shrank in size. I have never once had an issue having moved to non-standard ports and, more so, feel almost naked logging into port 22.

I know security through obscurity is not an answer, but judging by the reduction in port scanning I've seen after moving as many standard ports as possible to new addresses above 20000, I have to believe it's a reasonable first step. How many script kiddies are scanning all 65500 ports for each IP address?


I feel similarly. Switching ports is no real defense, but it at least means you are eliminating the drive-by attackers who are only interested in the trivially exploited. Such a simple thing to do, and it sharply reduces the log volume.

The next trick I'm thinking of implementing is port knocking. Should drop log noise to zero unless someone starts targeting me specifically. In which case, my goose is already cooked.


> The next trick I'm thinking of implementing is port knocking.

If you're at that point, I would suggest putting it behind wireguard.


If it's not some sort of proxy/firewall remapping the port, you probably shouldn't use a port above 1000 for some services.

Consider this: an attacker (somehow) managed to get user access to your server. They can now DoS the service until it crashes and then start their own service listening on that same port, maybe impersonating your service. Maybe they can use that to grab sensitive information or do something else.


If that is your worry, use net.ipv4.ip_local_reserved_ports
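
A caveat worth checking before relying on that sysctl: on Linux, `net.ipv4.ip_local_reserved_ports` only removes ports from the kernel's automatic allocation (a `bind()` or `connect()` with port 0), and an explicit `bind()` to a reserved port by an unprivileged process still succeeds. The knob that actually makes a port require `CAP_NET_BIND_SERVICE` is `net.ipv4.ip_unprivileged_port_start` (Linux 4.11 and later, default 1024). The Python script below is an added example, not code from this thread: it parses the sysctl list syntax (`8080,20000-20010`), reads the live values from `/proc` when they exist, falls back to constructed values elsewhere, and reports for each service port what the two settings do and do not guarantee.

```python
from typing import Iterable, Optional, Set, Tuple

PROC_RESERVED = "/proc/sys/net/ipv4/ip_local_reserved_ports"
PROC_UNPRIV_START = "/proc/sys/net/ipv4/ip_unprivileged_port_start"


def parse_port_list(spec: str) -> Set[int]:
    """Parse the sysctl list syntax, e.g. "8080,9000-9010,2222", into a set of ports."""
    ports: Set[int] = set()
    for item in spec.strip().split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi or lo < 1 or hi > 65535:
                raise ValueError(f"bad range: {item}")
            ports.update(range(lo, hi + 1))
        else:
            port = int(item)
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port: {item}")
            ports.add(port)
    return ports


def format_port_list(ports: Iterable[int]) -> str:
    """Collapse a set of ports back into the compact "a,b-c" form the sysctl accepts."""
    ordered = sorted(set(ports))
    pieces = []
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1] == ordered[j] + 1:
            j += 1
        pieces.append(str(ordered[i]) if i == j else f"{ordered[i]}-{ordered[j]}")
        i = j + 1
    return ",".join(pieces)


def assess_port(port: int, reserved: Set[int], unprivileged_start: int) -> dict:
    """Classify what the two sysctls do and do not guarantee for a service port."""
    return {
        "port": port,
        # Below this threshold, bind() needs CAP_NET_BIND_SERVICE (root or a granted capability),
        # which is what actually stops an unprivileged local user from squatting the port.
        "needs_capability_to_bind": port < unprivileged_start,
        # Reserved ports are only skipped by *automatic* allocation (bind/connect with port 0);
        # an explicit bind() to a reserved port by an unprivileged process is still allowed.
        "excluded_from_ephemeral_allocation": port in reserved,
    }


def read_live_settings() -> Optional[Tuple[Set[int], int]]:
    """Read the live values on a Linux host; returns None elsewhere (e.g. macOS, or no /proc)."""
    try:
        with open(PROC_RESERVED) as f:
            reserved = parse_port_list(f.read())
        with open(PROC_UNPRIV_START) as f:
            start = int(f.read().strip())
    except (OSError, ValueError):
        return None
    return reserved, start


if __name__ == "__main__":
    live = read_live_settings()
    # Constructed fallback values when /proc is unavailable (assumption, not a real host's settings)
    reserved, start = live if live else (parse_port_list("8080,20000-20010"), 1024)
    print("reserved:", format_port_list(reserved) or "(none)", "unprivileged_port_start:", start)
    for p in (22, 333, 8080, 20005, 25000):
        print(assess_port(p, reserved, start))
```

With the constructed fallback, port 333 reports `needs_capability_to_bind: True` and port 8080 reports it `False` even though 8080 is on the reserved list, which is the distinction the comment above glosses over. To guard a service port against the rebinding scenario, either keep it below `ip_unprivileged_port_start` or raise that sysctl above the port.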


Indeed, although because I heavily utilized Docker I also ended up using UFW-Docker. It was fairly straightforward to incorporate into my startup scripts.

https://github.com/chaifeng/ufw-docker


Right! It's dead simple.

Normally I might put a title like this down to opinion, but here the author suffers from not knowing enough about the subject to justify having an opinion, let alone publishing one.

Fail2ban is a stupidly easy way to block lazy hacking scripts. It's easy to extend to handle simple honeypot services. It's no replacement for real security but it makes focussing easier.
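
The core of what fail2ban does for sshd is a sliding-window count: once an IP accumulates `maxretry` authentication failures within `findtime`, it is banned for `bantime`. The Python script below is an added example, not fail2ban's code and not from this thread: it runs that logic over constructed syslog-style sshd lines (sample data; the addresses are documentation ranges and the year is an assumption, since syslog timestamps omit it) and returns the ban decisions, which is also a handy way to dry-run a threshold against real logs before enabling a jail.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sshd log lines (sample data, not from the thread); the hostname "nix" and
# the addresses 198.51.100.7, 203.0.113.5 and 192.0.2.9 are documentation-range placeholders.
SAMPLE_LOG = """\
Mar 10 10:00:01 nix sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 10 10:00:03 nix sshd[1202]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar 10 10:00:04 nix sshd[1203]: Invalid user oracle from 198.51.100.7 port 51250
Mar 10 10:00:06 nix sshd[1204]: Failed password for invalid user test from 198.51.100.7 port 51260 ssh2
Mar 10 10:00:09 nix sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 51270 ssh2
Mar 10 10:01:00 nix sshd[1210]: Accepted publickey for myuser from 203.0.113.5 port 40000 ssh2: ED25519 SHA256:constructed
Mar 10 10:02:00 nix sshd[1211]: Failed password for myuser from 203.0.113.5 port 40010 ssh2
Mar 10 11:30:00 nix sshd[1300]: Failed password for root from 192.0.2.9 port 60000 ssh2
Mar 10 11:45:00 nix sshd[1301]: Failed password for root from 192.0.2.9 port 60001 ssh2
Mar 10 11:50:00 nix sshd[1302]: Failed password for root from 192.0.2.9 port 60002 ssh2
"""

# Matches the two most common sshd failure messages; "Accepted ..." lines deliberately do not match.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for|Invalid user) .*? from (?P<ip>[\d.]+)"
)


def parse_failures(text: str, year: int = 2024) -> Dict[str, List[datetime]]:
    """Collect failure timestamps per source IP. The year is an assumption (syslog omits it)."""
    events: Dict[str, List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append(ts)
    return events


def find_bans(
    text: str,
    maxretry: int = 5,
    findtime: timedelta = timedelta(minutes=10),
    bantime: timedelta = timedelta(hours=1),
    year: int = 2024,
) -> Dict[str, datetime]:
    """Return {ip: ban_expiry} for every IP with maxretry failures inside any findtime window."""
    bans: Dict[str, datetime] = {}
    for ip, times in parse_failures(text, year).items():
        times.sort()
        # Slide a window of maxretry consecutive failures; ban on the first one that fits in findtime.
        for i in range(len(times) - maxretry + 1):
            window_end = times[i + maxretry - 1]
            if window_end - times[i] <= findtime:
                bans[ip] = window_end + bantime
                break
    return bans


if __name__ == "__main__":
    for ip, until in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

With the defaults, only 198.51.100.7 (five failures in eight seconds) is banned; the single typo from 203.0.113.5 and the three slow attempts from 192.0.2.9 spread over twenty minutes are not. Lowering `maxretry` to 3 while keeping a ten-minute `findtime` still leaves the slow attacker alone, which is why the window matters as much as the count.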


Another solution is tailscale. Disable all admin ports (including ssh) on public IP.


This works fine until you find yourself in a shitty public Wi-Fi that blocks outgoing traffic to "non-essential ports".

But then again, SSH is often not considered essential and you need a VPN or other tunnel on TCP/443 anyway...


THIS. I use a non-standard port for SSH by default and my single SSH config file manages this for me with no extra effort. Seems like common-sense behavior to me.


Yeah, come on, saying that using SSH is hard on a different port is facetious.

Worst case, Google the commands and run them.


Sure, if you use only the OpenSSH client and other software respecting its command line option paradigms or configuration files. But there's tons of other things connecting to SSH.

And even only in the OpenSSH universe, I find it quite annoying having to remember whether the `-p` can go after the hostname or has to appear before, whether SCP uses `-p` or `-P`, whether `ssh-copy-id` supports one or the other etc.

There are some protocols I wouldn't necessarily run on their default port and publicly accessible, but SSH is really not one of them, also given that sshd has been specifically hardened for that adversarial use case.


You can rsync, scp and what not using your .ssh/config alias.

    scp myfile.txt myhost.tld:~/foo


If you tap the Wi-Fi button in your Control Center it just turns it off for 24 hours or until you switch locations. If you turn it off in the Settings app then it stays off.



