    1. The bots are looking anyways.
    2. The other options being presented are various VPNs. OpenSSH has far more eyes on it, for much longer than any of the VPNs. Both generally run as root on the host and so have similar attack surfaces.
    3. Disabling password auth is less important than having good passwords, but is still a good idea since turning off passwords guarantees no bad passwords. Fail2ban provides no security.

  • A tremendous amount of cargo culting going on here.

    As long as your server is aggressively kept up to date and doesn’t have any guessable passwords, exposing port 22 can be done safely. If you’re not certain about these, you shouldn’t. OpenSSH is exposed to the open internet on millions of servers, it’s meant to do this.

    Fail2ban or changing your ssh port provides no additional security and only serves to reduce log noise at the risk of blocking actual users.

    A VPN makes no practical difference. ssh uses strong encryption just like the VPN. Sure you’re hiding ssh, but the VPN provides a similar attack surface.
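The point above that turning off password auth removes the bad-password risk only holds if the setting actually takes effect. As an added example that is not part of either comment, here is a small Python checker for sshd_config that applies sshd's own rule that the first occurrence of a keyword wins and that lines after a Match block are conditional; keyword names and defaults follow sshd_config(5), and the two sample configs are constructed.

```python
import re
# Defaults sshd applies when a keyword is absent (per sshd_config(5)).
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

def parse_global_section(text):
    """Lowercased keyword -> value for the global section of sshd_config."""
    # Two sshd rules matter: the FIRST occurrence of a keyword wins, and
    # everything after the first 'Match' line is conditional, so stop there.
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)(?:\s*=\s*|\s+)(.*)$", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective

def audit(text):
    """Return findings; an empty list means password logins are really off."""
    cfg = {**DEFAULTS, **parse_global_section(text)}
    findings = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if cfg["kbdinteractiveauthentication"].lower() != "no":
        findings.append("KbdInteractiveAuthentication is not 'no' (PAM may still prompt)")
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes permits root password login")
    return findings

# Constructed samples. In WEAK the later 'no' is ignored: sshd keeps the first value.
WEAK = """\
PasswordAuthentication yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
"""
HARDENED = """\
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
"""
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this script is for reviewing a config file before deploying it.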