[abound]

Or alternatively, block port 22 entirely on your firewall and use something like Tailscale to access the machine.

Of course, now your attack surface includes Tailscale, which has had it's own vulns in the past, but I think blocking all public traffic ends up being much stronger than any weaknesses Tailscale may introduce.

[kimixa]

Isn't that just the same thing in different clothes? Just a different protocol offering the same features of authentication and encryption - often using exactly the same primitives?

Is it "Security through obscurity" assuming fewer people are attacking vpn protocols that than ssh? And I'm not sure that's even true

[walterbell]

Plus a centralized identity provider, which is a plus or minus depending on your threat model, https://tailscale.com/kb/1013/sso-providers

[yau8edq12i]

Introducing obscurity to the process doesn't make it insecure. Criticism of "security through obscurity" is that security shouldn't rely on obscurity. The system should remain secure even if the attacker knows every detail of your system. Here the point of the "obscurity" (if you can call it that) is to avoid blowing up your logs and wasting compute cycles and energy on attempts that will fail anyway.

[dotancohen]

It allow SSH on another port. There are considerations when deciding to allow SSH on unprivileged ports.

Also, it's a bit tricky to set up but port knocking is a very effective solution, and you can keep the SSH on port 22 if you like.