by rsync 3362 days ago
"yeah this is a bad idea in general. If you have critical stuff you need to SSH into from the public internet, keep it all in private IP space and have an openvpn gateway (or IPSEC VPN) with a public interface, and a private interface facing inwards towards the hosts."

That's a ton of complexity when you could just run knockd on public facing sshds and make them disappear that way.

It's extremely tight, simple code - consisting of a single binary - and it never crashes or hangs.

No, I am not suggesting that you get rid of all of your keys and passwords and rely only on the knock for your security. (I have to write that because response-comment-numero-uno will strawman that to death). Keep your keys and passphrases in place and add the knock.

Port knocking is just the best thing.
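As an added illustration of the setup the comment describes (not the commenter's own configuration): a knockd.conf where the firewall drops port 22 by default, a knock sequence opens 22 for the knocking source only, and the hole closes by itself. Key-based sshd authentication stays in place behind it; the knock only hides the service. The sequence ports, timeout values and iptables path are assumptions chosen for the example.

```ini
# /etc/knockd.conf (added example, not from the thread)
#
# Assumed baseline firewall, set up before knockd starts, so sshd is
# unreachable until a knock arrives:
#   iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 -j DROP
#
[options]
    UseSyslog                   # log accepted/rejected knocks to syslog
    Interface = eth0            # public-facing interface (assumed name)

# One stanza that opens and then closes the port automatically, so a
# forgotten close-knock cannot leave 22 exposed to the knocker's address.
[opencloseSSH]
    sequence      = 7000,8000,9000   # example knock; pick your own ports
    seq_timeout   = 5                # whole sequence must arrive within 5 s
    tcpflags      = syn              # only bare SYNs count as knocks
    # %IP% is the knocking source; -I inserts ahead of the default DROP
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 10               # window to complete the SSH handshake
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

The established-connection rule keeps an SSH session alive after the 10 s window expires, while new connections from the same address must knock again.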


Port knocking, what is this, 2002? Security through obscurity is not any form of security at all. Properly implemented public / private key crypto is not rocket science anymore.
As predicted.

The idea is, in addition to the normal security measures you use with sshd you also hide the service with port knocking.

Nobody anywhere, at any time, has ever suggested using port knocking as the sole means of securing your sshd.

Port knocking and even some obscurity are valid additional layers of defense-in-depth if combined with the fundamentals of A3E.

State actors can afford to spend millions on building/buying sploits for [insert technology]. For example, use a different standard for the OS at edges where possible to reduce attack surface. Preferably scrub network traffic at edges (not just web traffic) and really lock down traffic to remote access boxes.