@wesmason I disable password authentication, set inbound rules, only use SSH keys that are securely stored, disable root login, etc. That’s plenty for most people. Honestly, changing the default port is just security-through-obscurity.
@srfaudio @wesmason And yet, it is found to work. A high majority of the scanning is port-based, and therefore if you're on a different port, it will not be found by the stupid script kiddies. If someone truly competent wants to get in, they will be scanning in a different way, and obfuscation will not work. But how often are you targeted by anyone truly competent?
@wesmason @wpeckham right. I guess my main point is:
The context of the question was SSH at home. If the only way you can SSH in is with securely-stored keys, and only from specific IPs (i.e. Tailscale/WireGuard), what am I really gaining by changing the port at that point?
Public-facing web server? Sure, change the port, as one of many other things you'll do to layer security. But that's largely just to cut down on some of the scan traffic.