How To Secure SSH in 2026
If you search online or ask AI how to go about securing your SSH server, you'll typically find advice like the following:
- Disable Password Authentication
- Disable Root Login
- Disable Legacy Protocols
- Change The Default Port To Something Other Than Port 22
- Set up Fail2ban
At first glance, these seem like generally good advice, but from experience, they leave a little to be desired, IMO.
Disable Password Authentication
This is good advice, but is usually the default. In the past, when setting up remote servers (VPS, dedicated), you might be given a temporary password to log in, but I haven't seen this in a while.
These days you'd upload your SSH public keys to the server provider's dashboard and have key-based auth set up automatically with cloud-init, etc.
Disable Root Login
Not bad advice, but it might provide a false sense of security. Your less-privileged user account already has access to any data that a hacker might be interested in. And even if it didn't, it probably has access to sudo or some other setuid binary.
If the ~~caller~~ hacker is already in the ~~house~~ server, all bets are off.
Disable Legacy Protocols
It's not immediately clear where this advice comes from. Unless you explicitly set the protocol in the past (why?), you don't need to do anything here - it's already secure by default.
Change The Default Port To Something Other Than Port 22
At least in the last 10+ years, this doesn't really help and even in the past, all it did was delay how long it took for the bots to find the correct port.
Set up Fail2ban
If you're using key-based auth, there's not really anything left to brute-force so you're mostly just using it to stop your logs filling up with auth failures.
This isn't a bad thing per se, but you'll likely open your server to a DoS attack for little value.
If you receive a flood of attacks, targeted or not, it's possible to cripple your server and/or network with thousands of entries being added to the firewall.
Secure SSH With This One Weird Trick
OK, so if most of the common wisdom is "wrong", what should you do? Stop exposing SSH to the internet.
No, really. In the age of easy VPN software like Wireguard®, the simplest way to secure SSH beyond what's most likely already in the default config is to stop exposing it to the internet.
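Once sshd is bound to the tunnel address (e.g. `ListenAddress 10.100.0.1` in sshd_config), it's worth verifying nothing still listens on a public address. This is an added check, not from the original post: it parses `ss -ltn` style output and reports whether port 22 is reachable outside the VPN. The 10.100.0.1 address and the sample listener lines are constructed for the demo.

```shell
#!/bin/sh
# Constructed samples of `ss -ltn` output (not real host data), used so the
# check runs offline. "BEFORE" is a stock install; "AFTER" is bound to wg0.
SAMPLE_BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'
SAMPLE_AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    10.100.0.1:22      0.0.0.0:*
LISTEN 0      128    127.0.0.1:22       0.0.0.0:*'

# ssh_exposure WG_ADDR: reads `ss -ltn` lines on stdin and prints one word:
#   "exposed"       - port 22 is bound to a wildcard or non-VPN address
#   "vpn-only"      - port 22 is bound only to WG_ADDR (or loopback)
#   "not-listening" - nothing on port 22 at all
# WG_ADDR is the WireGuard interface address sshd should listen on (assumed).
ssh_exposure() {
    awk -v wg="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # last field is the port
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (port == "22") {
                listeners++
                # loopback is fine; anything else that is not the VPN
                # address (0.0.0.0, [::], a public IP) counts as exposed
                if (addr != wg && addr != "127.0.0.1" && addr != "[::1]")
                    bad++
            }
        }
        END {
            if (listeners == 0)  print "not-listening"
            else if (bad > 0)    print "exposed"
            else                 print "vpn-only"
        }'
}

# On a real host run:  ss -ltn | ssh_exposure 10.100.0.1
printf '%s\n' "$SAMPLE_BEFORE" | ssh_exposure 10.100.0.1   # exposed
printf '%s\n' "$SAMPLE_AFTER"  | ssh_exposure 10.100.0.1   # vpn-only
```

Pair this with a firewall rule that only accepts port 22 on the wg0 interface, so a later config change can't silently re-expose it.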
Some links:
- Instructions on how to set up a Wireguard® tunnel: https://www.wireguard.com/quickstart/
- Tools like wg-meshconf can be used to create the config files if you only have a few servers: https://github.com/k4yt3x/wg-meshconf
- The Arch wiki has links to other useful tools, etc.: https://wiki.archlinux.org/title/WireGuard
- You can also use Tailscale to automate everything: https://tailscale.com/docs/features/tailscale-ssh
Published 5 February 2026