by ZoFreX 3291 days ago
If they wanted to find vulnerable ssh daemons it would be much faster and easier to scan the web than wait for people to enter their details here.

Or to put it another way: if you're worried that your SSH is vulnerable, fix it. Don't rely on not typing it into a website, because people will find it regardless.

2 comments

> because people will find it regardless

In my experience, if you have an SSH port accessible from the internet, it has been probed today by a few Chinese/Russian IPs. Unless my Raspberry Pi home server is somehow a high-value intelligence target...

In my experience an SSH service on a random, non-standard port gets surprisingly few probes. I look after several machines and I see less than one attempt per year (versus hundreds per day for port 22). I have yet to see somebody probe an SSH service that listens on IPv6 only.
You might want to consider using port knocking[1] to make your ssh server even less susceptible to attack.

[1] - https://en.wikipedia.org/wiki/Port_knocking

No, the best solution is to only allow login by SSH keys. No passwords => brute-forcing is impossible. So your threat model for someone gaining access no longer includes someone using weak passwords.
If your ssh port is wide open and there's a remotely exploitable vulnerability, then using keys may not save you.
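A small checker for the key-only posture described above, added here as an example rather than anything posted in the thread. It reads an sshd_config text with sshd's first-value-wins rule and reports the settings that still allow password logins; the two sample configs are constructed, and the defaults are the documented OpenSSH ones.

```python
"""Audit an sshd_config for key-only login (added example, not from the thread)."""
import re

# sshd keeps the FIRST value it sees for a keyword and ignores later duplicates.
# Lines inside a "Match" block are conditional, so parsing stops there rather
# than mistaking them for global settings. Keywords are case-insensitive.
def parse_sshd_config(text: str) -> dict:
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

# Defaults as documented in sshd_config(5); they apply when a keyword is absent.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}

def audit(text: str) -> list:
    """Return a list of findings; an empty list means password logins are off."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication not disabled: password guessing still possible")
    # Keyboard-interactive (PAM) prompts can accept a password even when
    # PasswordAuthentication is off, so it has to be switched off as well.
    if cfg["kbdinteractiveauthentication"].lower() != "no":
        findings.append("KbdInteractiveAuthentication not disabled: PAM can still prompt for a password")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication disabled: key-only login is impossible")
    if cfg["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root accepts password logins")
    return findings

# Constructed samples: a default-ish config and the hardened, key-only version.
WEAK_CONFIG = "Port 22\n# PasswordAuthentication no\nPermitRootLogin yes\n"
KEY_ONLY_CONFIG = ("Port 2222\nPasswordAuthentication no\nKbdInteractiveAuthentication no\n"
                   "PubkeyAuthentication yes\nPasswordAuthentication yes\n")
```

The second `PasswordAuthentication yes` in the hardened sample is ignored by the first-wins rule, which is also why a stray early line in a real config can silently undo a later hardening edit.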

But there's no reason you couldn't use both keys and port knocking at the same time.

Unless you have a reason to target people here, of course...