Hacker News
by tptacek 2109 days ago
I'm sure this was fun to put together and it seems like it's fun for people to talk about, but you can put this along with fail2ban, port knocking, and nonstandard SSH ports in the back of the attic and just (1) turn off password authentication entirely and (2) put SSH behind WireGuard. Even if you don't do step (2), step (1) eliminates the rationale for all the silly stuff people do to obfuscate their SSH installs.
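An added example, not from tptacek or anyone else in the thread, that audits an sshd_config for both of those points: password authentication fully off (including the PAM keyboard-interactive path) and sshd bound only to the WireGuard address. It assumes the WireGuard interface address is 10.8.0.1 and only checks the global section, before any Match block.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for tptacek's
# two points, (1) password authentication fully off and (2) sshd reachable
# only on the WireGuard interface. The address 10.8.0.1 is an assumption.
# sshd keeps the FIRST value it sees for a keyword, so reading stops at any
# Match block; per-user Match overrides are outside this check's scope.

# First value of keyword $2 (case-insensitive) in file $1, lowercased; empty if unset.
sshd_opt() {
  awk -v key="$2" '
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Returns 0 if config $1 passes; otherwise prints each finding and returns 1.
check_sshd_config() {
  cfg=$1; wg_addr=$2; rc=0
  # The default is "yes", so an unset keyword is itself a finding.
  [ "$(sshd_opt "$cfg" PasswordAuthentication)" = "no" ] ||
    { echo "PasswordAuthentication is not 'no'"; rc=1; }
  # PAM keyboard-interactive is a second password prompt; the keyword was renamed
  # from ChallengeResponseAuthentication to KbdInteractiveAuthentication in OpenSSH 8.7.
  cr=$(sshd_opt "$cfg" ChallengeResponseAuthentication)
  kbd=$(sshd_opt "$cfg" KbdInteractiveAuthentication)
  [ "$cr" = "no" ] || [ "$kbd" = "no" ] ||
    { echo "keyboard-interactive (PAM password) authentication is not 'no'"; rc=1; }
  # Exactly one ListenAddress, and it must be the WireGuard address.
  addrs=$(awk 'tolower($1)=="match"{exit} tolower($1)=="listenaddress"{print $2}' "$cfg")
  [ "$addrs" = "$wg_addr" ] ||
    { echo "ListenAddress is '${addrs:-unset (all interfaces)}', expected $wg_addr"; rc=1; }
  return $rc
}

# Constructed sample configs for demonstration (not real hosts).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
Port 2222
PasswordAuthentication yes
# sshd keeps the first value, so this later line is ignored:
PasswordAuthentication no
EOF
cat >"$HARD_CFG" <<'EOF'
ListenAddress 10.8.0.1
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
check_sshd_config "$WEAK_CFG" 10.8.0.1 && echo "weak: pass" || echo "weak: FAIL"
check_sshd_config "$HARD_CFG" 10.8.0.1 && echo "hardened: pass" || echo "hardened: FAIL"
```

The nonstandard port in the weak sample changes nothing in the result, which is the point of the comment above: it is the authentication setting and the reachable interface that matter.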

If you put it behind WireGuard, why use SSH? Why not simply use telnet instead? And use FTP for file transfers.
Could you elaborate on the WireGuard part? Do you mean that users must first VPN, and only then can SSH, or something else?
Yes. This is how SSH access to prod works in most large companies: you have to be behind the VPN to get it.
You know this, but I'm just throwing it in for people who don't and aren't working on large company things:

You can give yourself a WireGuard-powered, Single Sign-on, secure overlay network between, say, your phone, your laptop, a DO droplet and an AWS instance near-instantly and for (currently) free with tailscale.

By 'near-instantly' I mean it takes almost no effort to set up. It takes me longer to get my dotfiles right on a new host.

It is disgusting how good Tailscale is. I mean that I am literally welling up with disgust thinking about it.