acatton | 7 months ago
Run SSH behind some layer. Some people use WireGuard, and that's okay; I prefer spiped [1] because I can run it as an unprivileged user in a fully hardened systemd unit [2], and I can use ProxyCommand in my ssh_config, which makes it transparent: no need to be constantly on a VPN or to turn it on, I just ssh.
This guide recommends two-factor authentication, which IMHO is overkill and lowers your server reliability by using some random PAM authentication modules. Also, your spiped key (or your WireGuard key) can be considered a second authentication factor.
And a second independent layer lowers the probability of being vulnerable to a 0-day vulnerability in SSH [3] or to Jia Tan [4].
fail2ban means you have a daemon running as root parsing random logs and modifying your firewall rules... Yikes... [5] If you're concerned about brute-force bots, they'll go away as soon as SSH is behind something. Also, with that layer, you don't need to make your firewall dynamic.
[1] https://www.tarsnap.com/spiped.html
[2] https://ruderich.org/simon/notes/systemd-service-hardening
[3] https://www.qualys.com/2024/07/01/cve-2024-6387/regresshion....
[4] https://en.wikipedia.org/wiki/XZ_Utils_backdoor
[5] Yes, I know, you can run it as a user and modify the firewall rules with a custom SUID script. But nobody does this; actually, this guide doesn't do this at all, it just runs everything as root!
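The setup the comment above describes, written out as an added example (this is not code from the comment's author or from the spiped project): a server-side systemd unit that runs spiped as a sandboxed, unprivileged service in front of sshd, and the client-side ssh_config entry that uses spipe as ProxyCommand so a plain `ssh myserver` works with no tunnel to bring up first. Assumptions: spiped and spipe are installed in /usr/bin, the wrapper listens on TCP 8022, sshd is bound to 127.0.0.1:22, and the hostname, unit name and key paths are illustrative.

```shell
#!/bin/sh
# Added example (not from the comment or the spiped project). Assumptions:
# spiped/spipe in /usr/bin, wrapper on TCP 8022, sshd on 127.0.0.1:22,
# hostnames and paths illustrative.
set -e

SPIPED_PORT=8022

# Shared secret: spiped's documentation recommends 32 random bytes.
make_key() {
  key="$1"
  umask 077
  dd if=/dev/urandom bs=32 count=1 of="$key" 2>/dev/null
  chmod 0400 "$key"
}

# Server unit. spiped decrypts what arrives on 0.0.0.0:8022 and forwards it
# to sshd on loopback. The key is passed via LoadCredential= so a DynamicUser=
# service can read it without the file being readable by anyone else.
write_unit() {
  unit="$1"
  key="$2"
  cat >"$unit" <<EOF
[Unit]
Description=spiped wrapper in front of sshd
After=network-online.target
Wants=network-online.target

[Service]
# -F: foreground so systemd supervises it; -d: decrypt side;
# -s: listen socket; -t: target (loopback sshd); -k: key file.
ExecStart=/usr/bin/spiped -F -d -s [0.0.0.0]:${SPIPED_PORT} -t [127.0.0.1]:22 -k \${CREDENTIALS_DIRECTORY}/spiped.key
LoadCredential=spiped.key:${key}
Restart=on-failure

# Nothing here needs root: 8022 is an unprivileged port, so drop everything.
DynamicUser=yes
NoNewPrivileges=yes
CapabilityBoundingSet=
AmbientCapabilities=
UMask=0077

# Filesystem and kernel surface.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible

# Only IP sockets, no new namespaces, no realtime, no W+X memory, no odd syscalls.
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

[Install]
WantedBy=multi-user.target
EOF
}

# Client side: ssh spawns spipe as ProxyCommand and talks to sshd through it.
# %h expands to HostName, %d to the local user's home directory.
write_ssh_config() {
  cfg="$1"
  cat >"$cfg" <<EOF
Host myserver
    HostName myserver.example.com
    ProxyCommand /usr/bin/spipe -t [%h]:${SPIPED_PORT} -k %d/.spiped/myserver.key
EOF
}

# Real installation, server side (as root):
#   make_key /etc/spiped/spiped.key
#   write_unit /etc/systemd/system/spiped-ssh.service /etc/spiped/spiped.key
#   systemctl daemon-reload && systemctl enable --now spiped-ssh.service
# Client side, after copying the key out of band to ~/.spiped/myserver.key:
#   write_ssh_config ~/.ssh/spiped_hosts   # then "Include ~/.ssh/spiped_hosts" in ~/.ssh/config
```

Two checks worth doing once it is installed: `systemd-analyze security spiped-ssh.service` scores the unit's sandboxing and flags any directive that is missing or ineffective on your systemd version, and `ss -ltn` should show sshd on 127.0.0.1:22 only (set `ListenAddress 127.0.0.1` in sshd_config), since the wrapper adds nothing if port 22 is still reachable from outside. The spiped key is a symmetric pre-shared secret, so it has to travel to each client over a channel you already trust, such as scp over the existing SSH session before you close port 22.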
eptcyka | 7 months ago
spiped/VPN makes it so you cannot just connect via any machine, which sometimes is not helpful.