Beginner question luci-firewall

Undoubtedly true!
Maybe it is better that the ssh daemon listens on some other port...

I understand now that there is no "short answer" and will
find out the right solution for me.

Thank you again for help!

Robert

This is not advised for a myriad of reasons:

  • Excess WAN-side firewall traffic, which can top several thousand requests a day to WAN-side port 22.
    • Use a non-standard WAN-side port that is not on the nmap list I linked to, the higher the better, as port scanners will not scan all 65,535 ports.
      • While security through obscurity doesn't offer much protection, it does offer some.

  • Standard port numbers for system-level daemons (SSH, OpenVPN, etc.) should be avoided, as this creates less of a headache for the user and prevents the kernel and system logs from being filled with blocked access attempts.
    • This in turn makes troubleshooting an actual issue even more difficult, as crucial log entries may be overwritten.

Password authentication should never be allowed over SSH, most especially for root, with PKI used exclusively.

  • ECDSA, ED25519, and RSA 2048 should be the only ones utilized.
    • Both ECDSA & ED25519 are uncrackable and will remain so until at least 2030ish.
    • RSA 2048 will also remain uncrackable until 2030, and while nothing lower than 2048 should be utilized, it's not necessary to utilize a key larger than 2048, unless an individual is a target of a nation state.
      • Even if a target of a nation state, there's more efficient ways of handling that without compromising throughput (such as lowering the re-keying time to something like 15min
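As an added example (not code from either poster): a small POSIX sh audit of an OpenWrt `/etc/config/dropbear` for the settings the reply above argues against (password auth, root password login, port 22), with the stock-style weak config beside a hardened one. It assumes the stock OpenWrt dropbear UCI option names `Port`, `PasswordAuth` and `RootPasswordAuth`; both config texts are constructed samples, and 2222 is an arbitrary placeholder port.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenWrt /etc/config/dropbear
# for the weak settings the reply warns about. Assumes the stock OpenWrt
# dropbear UCI option names (Port, PasswordAuth, RootPasswordAuth); both
# configs below are constructed samples, not taken from a real router.

# Stock-style config with every setting the reply says to avoid.
WEAK_CFG=$(cat <<'EOF'
config dropbear
	option PasswordAuth 'on'
	option RootPasswordAuth 'on'
	option Port '22'
EOF
)

# Hardened form: key-only logins, no root password, non-standard port
# (2222 is an arbitrary constructed value; pick your own high port).
# Public keys belong in /etc/dropbear/authorized_keys.
HARD_CFG=$(cat <<'EOF'
config dropbear
	option PasswordAuth 'off'
	option RootPasswordAuth 'off'
	option Port '2222'
EOF
)

# audit_dropbear: read UCI "option <name> '<value>'" lines on stdin and
# print one WEAK line per finding; "config" lines are skipped.
audit_dropbear() {
	while read -r kw name val; do
		[ "$kw" = "option" ] || continue
		val=${val#\'}; val=${val%\'}          # strip the UCI single quotes
		case "$name=$val" in
			PasswordAuth=on)     echo "WEAK: password auth enabled (use keys only)" ;;
			RootPasswordAuth=on) echo "WEAK: root password login enabled" ;;
			Port=22)             echo "WEAK: listening on well-known port 22" ;;
		esac
	done
}

# weak_count: number of WEAK findings for a config text passed as $1.
weak_count() { printf '%s\n' "$1" | audit_dropbear | grep -c '^WEAK'; }

# Stand-alone run: report both samples.
echo "weak config: $(weak_count "$WEAK_CFG") finding(s)"
printf '%s\n' "$WEAK_CFG" | audit_dropbear
echo "hardened config: $(weak_count "$HARD_CFG") finding(s)"
```

On a router the same checks can be run against the live file with `audit_dropbear < /etc/config/dropbear`.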