Undoubtedly true!
Maybe better that ssh daemon is listening on some other port...
I understand now that there is no "short answer" and will
find out the right solution for me.
Thank you again for help!
Robert
This is not advised for a myriad of reasons:
- Excess WAN side firewall traffic, which can top several thousand requests a day to WAN side port 22.
- Use a non-standard WAN side port that is not on the nmap list I linked to, the higher the better, as port scanners will not scan all 65,535 ports.
- While security through obscurity doesn't offer much protection, it does offer some.
- Standard port numbers for system level daemons (SSH, OpenVPN, etc.) should be avoided, as it creates less of a headache for the user and prevents the kernel and system logs from being filled with blocked access attempts.
- This in turn makes troubleshooting an actual issue even more difficult, as crucial log entries may be over-written.
Password authentication should never be allowed over SSH, most especially for root, with PKI exclusively used
- ECDSA, ED25519, and RSA 2048 should be the only ones utilized
- Both ECDSA & ED25519 are uncrackable and will remain so until at least 2030ish.
- RSA 2048 will also remain uncrackable until 2030, and while nothing lower than 2048 should be utilized, it's not necessary to utilize a key larger than 2048, unless an individual is a target of a nation state.
- Even if a target of a nation state, there's more efficient ways of handling that without compromising throughput (such as lowering the re-keying time to something like 15min
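A defender-side check of the settings the post above recommends, as an added example that is not from the thread: it audits a constructed sshd_config (the port number and host key paths are placeholders) for password authentication off, root login off, a non-default port, a RekeyLimit with a time component, and no DSA host keys.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the
# advice in the post above. Both config files are constructed here; the
# non-standard port number is a placeholder, not a recommendation.
WORKDIR=$(mktemp -d)

cat > "$WORKDIR/hardened_config" <<'EOF'
Port 48022
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
RekeyLimit default 15m
EOF

cat > "$WORKDIR/weak_config" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
HostKey /etc/ssh/ssh_host_dsa_key
EOF

# sshd_get FILE KEYWORD: print the effective value. sshd keeps the first
# occurrence of a keyword, so the first match wins; comment lines are skipped.
# Caveat: Match blocks are not modelled by this simple lookup.
sshd_get() {
    awk -v k="$2" '$1 ~ /^#/ { next }
        tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

# audit_sshd FILE: exit status is the number of findings (0 = all checks pass).
audit_sshd() {
    f=$1; findings=0
    [ "$(sshd_get "$f" PasswordAuthentication)" = no ] || fail "PasswordAuthentication must be no"
    [ "$(sshd_get "$f" PermitRootLogin)" = no ] || fail "PermitRootLogin must be no"
    pk=$(sshd_get "$f" PubkeyAuthentication)
    [ -z "$pk" ] || [ "$pk" = yes ] || fail "PubkeyAuthentication must stay enabled"  # absent = default yes
    p=$(sshd_get "$f" Port)
    [ -n "$p" ] && [ "$p" != 22 ] || fail "Port should not be the default 22"
    set -- $(sshd_get "$f" RekeyLimit)   # word-split into data limit and time limit
    [ -n "$2" ] || fail "RekeyLimit should set a time limit (e.g. 'default 15m')"
    ! grep -qi '^[[:space:]]*HostKey[[:space:]].*_dsa_key' "$f" || fail "DSA host keys are not in the allowed set"
    return "$findings"
}

audit_sshd "$WORKDIR/hardened_config" && echo "hardened_config: OK"
audit_sshd "$WORKDIR/weak_config" || echo "weak_config: $? finding(s)"
```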