SSH na jiný port nemusíš dávat je to zbytečné, nastav si přihlašování přes klíče a pokud můžeš tak jen přes VPN /není podmínkou/ .
Neni to zbytecne. Jakmile bot najde otevreny ssh port, zacne ho bombardovat pokusy - to vede minimalne k zbytecnemu zahlceni pripojeni. Zakazovani podle IP v dnesni ere botnetu nema moc smysl - tabulka zakazanych IP bobtna a utoky pokracuji.
Pristup k ssh pres vpn je uz uplny nesmysl. Napr. OpenVPN ma stejne silnou autentizaci jako ssh, takze to zadny vyznamny narust bezpecnosti neprinasi, jenom to komplikuje pristup.
Z dokumentace k OpenVPN:
The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:
* DoS attacks or port flooding on the OpenVPN UDP port.
* Port scanning to determine which server UDP ports are in a listening state.
* Buffer overflow vulnerabilities in the SSL/TLS implementation.
* SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).