[giobox]

> But even more simply, just setting your SSH port to something >10000 is enough to get away with a very mediocre password.

Given how easy and free tools like Wireguard are to setup now (thanks Tailscale!), I really don't understand why folks feel the need to map SSH access to a publicly exposed port at all anymore for the most part, even for throw away side projects.

[_xiaz]

I say leave it at 22 and use public key authentication. If a hacker can crack that, they deserve my server!

[giobox]

I mostly agree, but even this leaves you exposed to new bugs found in SSH in the future etc if on an unpatched/forgotten server. I still think its best (and really, really easy now with tools like tailscale) to simply never expose the software to the wide world in the first place and only access over Wireguard.

Fundamentally, it makes no sense to expose low level server access mechanisms to anyone other than yourself/team - there is no need for this to sit listening on a public port, almost ever.