by banana_giraffe 2308 days ago
I'm more familiar with AWS. There I just firewall SSH to just my IP (with a script to change it for the laptop case, or use mosh), and thus spend no CPU time responding to ssh bots.

Do VPS providers offer some sort of similar firewall service outside your instance?


I don't think low budget vps providers typically allow this. That said, fail2ban works OK, as does manual iptables (now nftables) - unfortunately /etc/hosts_allow is deprecated[1].

If you don't know that you'll be able to arrive from an IP or subnet, another option would be port knocking (e.g. knockd). Although I'd try to avoid adding more code and logic to the mix; that goes for both fail2ban and knockd.

[1] ed: Note, the rationale for this is sound: the firewall (pf or nftables) is very good at filtering on IP - so better avoid introducing another layer of software that does the same thing.

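The approach discussed above (drop SSH at the firewall for everyone but an allow-listed address, and repoint the allow list when the laptop moves, instead of adding fail2ban or knockd), as an added example that is not from any commenter here: a POSIX shell script that renders an nftables ruleset accepting port 22 only from a named set, plus a helper that swaps the set's contents. The table name `ssh_guard`, port 22 and the 203.0.113.x / 198.51.100.x addresses are assumptions (documentation ranges, not real hosts).

```shell
#!/bin/sh
# Added example, not from the thread. Renders nftables rules that let sshd
# see traffic only from an allow-list set; everything else on the SSH port
# is dropped in the kernel, so bots cost no sshd CPU. Table name and port
# are assumptions; IPv4 only.

SSH_PORT=22
TABLE="inet ssh_guard"

# Accept only a dotted quad with four octets in 0..255; this is the one
# piece of user input that ends up inside the ruleset text.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    for o in $(printf '%s' "$1" | tr . ' '); do
        n=$((n + 1))
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    [ "$n" -eq 4 ]
}

# Print an idempotent ruleset (declare table, flush it, redefine it) that
# leaves other ports alone: policy accept, SSH allowed only from the set.
build_ruleset() {
    valid_ipv4 "$1" || { echo "bad IPv4 address: $1" >&2; return 1; }
    cat <<EOF
table $TABLE
flush table $TABLE
table $TABLE {
    set ssh_allow {
        type ipv4_addr
        elements = { $1 }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport $SSH_PORT ip saddr @ssh_allow accept
        tcp dport $SSH_PORT drop
    }
}
EOF
}

# Laptop case: replace the allowed address without touching the chain.
allow_only() {
    valid_ipv4 "$1" || return 1
    printf 'flush set %s ssh_allow\nadd element %s ssh_allow { %s }\n' \
        "$TABLE" "$TABLE" "$1"
}
```

Apply as root with `build_ruleset 203.0.113.10 | nft -f -` (and later `allow_only 198.51.100.7 | nft -f -`), keeping the current session open until a second login from the new address succeeds.
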
You can't create/edit firewall rules via APIs in some VPS providers?
By "low budget" I read "cheaper than Digital Ocean". I'm not sure how many of them let you specify firewall rules outside of/"in front of" your VM.