by vgeek 1583 days ago
Disallow password logins, change the SSH port, change/hide sshd identity information, or configure port knocking.

Is changing the SSH port really necessary? If your SSH is vulnerable, attackers will find the port for it.

Surprisingly, just changing the port is highly effective. Scanning every IPv4 address still chews bandwidth even for just a handful of ports.

Add IPv6 into the mix and it's straight up infeasible to scan for even ONE port on every host!

Port knocking + key auth + non-default port is pretty damn good security, even against zero-days in SSH.

So the solution is just to use IPv6-only SSH? I'm serious, you could use an IP just for SSH, making it very hard for anyone even to get the server address. And it's not that hard to be able to access IPv6 addresses.
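
Added example, not part of the thread: a small check of an `sshd_config` against two of the recommendations above (no password logins, non-default port). It covers the case where a later `PasswordAuthentication no` is ignored because sshd uses the first value it reads for a keyword. The sample configs and port 48222 are constructed; `Match` blocks and `Include` files are not evaluated.

```python
# Added example: audit the global section of an sshd_config (not from the thread).
DEFAULTS = {  # OpenSSH defaults when a keyword is absent
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Deprecated spelling that sshd still accepts for the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(text):
    """Return (settings, ports) as sshd would resolve the global section."""
    settings, ports = {}, []
    for raw in text.splitlines():
        tokens = raw.strip().replace("=", " ", 1).split()
        if not tokens or tokens[0].startswith("#"):
            continue
        key = ALIASES.get(tokens[0].lower(), tokens[0].lower())
        if key == "match":
            break  # simplification: conditional blocks are not evaluated
        if len(tokens) < 2:
            continue
        if key == "port":
            ports.append(int(tokens[1]))  # Port may be given several times
        else:
            settings.setdefault(key, tokens[1].lower())  # first value wins
    return {**DEFAULTS, **settings}, ports or [22]


def audit(text):
    """List the thread's recommendations that this config does not meet."""
    settings, ports = effective_settings(text)
    findings = []
    if settings["passwordauthentication"] != "no":
        findings.append("password logins are allowed")
    if settings["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive may still prompt for a password")
    if settings["pubkeyauthentication"] != "yes":
        findings.append("key authentication is disabled")
    if 22 in ports:
        findings.append("sshd listens on the default port 22")
    return findings


# Constructed samples. In WEAK the later "no" is ignored: the first value wins.
WEAK = "PasswordAuthentication yes\nPubkeyAuthentication yes\nPasswordAuthentication no\n"
HARDENED = "Port 48222\nPasswordAuthentication no\nChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "meets the checks")
```

On a live host, `sshd -T` prints the effective configuration and can be used to confirm the result.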