
That's rough ... it is a bad, bad world out there.




Try exposing a passwordless SSH server to the outside to see what happens. It'll be tried immediately, non-stop.

Now, all the servers I run have no public SSH ports anymore. This is also why I don't expose home servers to the internet. I don't want that chaos at my doorstep.


Expose it on port 22 on IPv6 and it might as well be invisible. Cleanest logs ever.

Yeah, I have been thinking about hosting a small internet facing service on my home server, but I’m just not willing to take the risk. I’d do it on a separate internet connection, but not on my main one.

You can always use a small Hetzner server (or a free Oracle Cloud one if you are in a pinch) and install Tailscale on all of your servers to create a P2P yet invisible network between your hosts. You need to protect the internet-facing one properly, and set ACLs at the Tailscale level if you're storing anything personal on that network, though.

I would probably just ssh into the Hetzner box and not connect it to my tailnet.

Would Tailscale or Cloudflare do the trick? Let them connect to the server.

Yeah, no need for public SSH. Or if you do, pick a random port and use fail2ban, or better, just whitelist the one IP you are using for the duration of that session.
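
To put numbers on the "tried immediately, non-stop" remark above and on the fail2ban suggestion, here is an added example that nobody in the thread posted: a POSIX shell script that runs fail2ban's most basic logic over a constructed auth-log sample, lists the sources that reach a failure threshold, and emits the nft commands that would ban them. The log lines (addresses from the documentation ranges), the `ssh_ban` set name and the one-hour ban are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of what sshd logs on a password-enabled host exposed to the
# internet (made up for this example; real auth.log/journald formats vary by distro).
SAMPLE_LOG='Mar  3 02:11:07 host sshd[4121]: Invalid user admin from 203.0.113.7 port 51234
Mar  3 02:11:09 host sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 02:11:12 host sshd[4130]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Mar  3 02:11:15 host sshd[4134]: Failed password for root from 203.0.113.7 port 51251 ssh2
Mar  3 02:11:18 host sshd[4140]: Failed password for root from 203.0.113.7 port 51262 ssh2
Mar  3 02:12:01 host sshd[4155]: Failed password for pi from 198.51.100.23 port 40001 ssh2
Mar  3 02:12:40 host sshd[4160]: Accepted publickey for ops from 192.0.2.10 port 60022 ssh2: ED25519 SHA256:constructed
Mar  3 02:13:05 host sshd[4170]: Failed password for invalid user test from 198.51.100.23 port 40010 ssh2
Mar  3 02:13:07 host sshd[4171]: Connection closed by authenticating user root 203.0.113.7 port 51270 [preauth]'

# offenders THRESHOLD   (log on stdin)
# Counts one failure per "Failed password" line (the "Invalid user" line that
# precedes the same attempt is deliberately not counted a second time) and
# prints "IP count" for every source at or above THRESHOLD, busiest first.
offenders() {
  awk -v t="$1" '
    /sshd\[[0-9]+\]: Failed password for / {
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
  ' | sort -k2,2nr -k1,1
}

# ban_commands THRESHOLD   (log on stdin)
# Turns the offender list into nft commands for a timed set. Assumes (example
# assumption) a ruleset that already declares the set and a rule using it:
#   nft add set inet filter ssh_ban '{ type ipv4_addr; flags timeout; }'
#   nft add rule inet filter input ip saddr @ssh_ban tcp dport 22 drop
ban_commands() {
  offenders "$1" | while read -r ip count; do
    printf 'nft add element inet filter ssh_ban { %s timeout 1h }\n' "$ip"
  done
}

# Demo on the constructed sample: who crossed three failures, and the bans.
printf '%s\n' "$SAMPLE_LOG" | offenders 3
printf '%s\n' "$SAMPLE_LOG" | ban_commands 3
```

On a real host you would feed it `journalctl -u ssh -o cat` or `/var/log/auth.log` and pipe `ban_commands` into `sh` as root; the point of the timed set is that a scanner's address expires on its own, so a mistyped threshold does not lock anyone out forever.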

To avoid needing SSH, just send your logs and metrics out and do something to autodeploy securely; then you rarely need to be in. Or use k8s :)


Whitelisting a single IP (preferably a static one) sounds plausible.

Kubernetes for personal infrastructure is akin to getting an aircraft carrier for fishing trips.

For simple systems snapshots and backups are good enough. If you're managing a thousand machine fleet, then things are of course different.

I manage both, so I don't yearn to use big-stack software on my small hosts. :D


This is just FUD; there is nothing dangerous in having an SSH server open to the internet that only allows key authentication. Sure, scanners will keep pinging it, but nobody is ever going to burn an SSH 0day on your home server.

A few years ago a vulnerable compression library almost got pushed out that major Linux distros linked their OpenSSH implementations to. That was caught by blind luck. I'm confident there's a lot more shit out there that we don't know about.

> This is just FUD.

No, it's just opsec.

> Sure, scanners will keep pinging it, but nobody is ever going to burn an ssh 0day on your home server.

I wouldn't be so sure about it, considering the things I have seen.

I'd better be safe than sorry. You can expose your SSH if you prefer to do so. Just don't connect your server to my network.


"opsec" includes well defined things like threat modeling, risk factors, and such. "Things I have seen" and vague "better safe than sorry" is not part of that.

There are two golden rules of opsec:

    1. Never tell everything you know and have seen.
    2. 
For what I do, you can refer to my profile.

This can be fixed by just using a random SSH port.

All my services are always exposed for convenience, but never on a standard port (except HTTP).
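
Several comments here turn on what "key authentication only", a non-standard port and an allow-list actually mean in sshd_config, so here is an added example, not posted by anyone in the thread: a POSIX shell auditor that reads an sshd_config, applies sshd's first-occurrence-wins rule, and reports the settings that leave password or root login reachable. Both config fragments are constructed for the example; the `ops` user, port 2222 and the IPv6-only AddressFamily line are assumptions. A single-IP whitelist of the kind suggested above belongs in the host firewall rather than in sshd_config, so this script does not check for it.

```shell
#!/bin/sh
# Constructed sshd_config fragments for this example (not taken from any real host).
WEAK_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
X11Forwarding yes'

HARDENED_CONFIG='# Non-standard port and IPv6-only listener: both only cut log noise
Port 2222
AddressFamily inet6
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
MaxAuthTries 3
LoginGraceTime 20
AllowUsers ops'

# audit_sshd_config   (config on stdin)
# Mirrors sshd: the first occurrence of a keyword wins, keywords are
# case-insensitive, and everything from the first Match line on is conditional
# and therefore skipped. Prints one line per finding; the exit status is the
# number of WEAK findings, so 0 means nothing flagged.
audit_sshd_config() {
  awk '
    function get(k, d) { return (k in cfg) ? cfg[k] : d }
    function weak(msg) { print "WEAK: " msg; return 1 }
    { sub(/#.*/, "") }                    # strip comments
    /^[ \t]*$/ { next }                   # skip blank lines
    tolower($1) == "match" { exit }       # Match blocks are conditional; stop here
    { k = tolower($1); if (!(k in cfg)) cfg[k] = tolower($2) }
    END {
      n = 0
      if (get("passwordauthentication", "yes") != "no")
        n += weak("PasswordAuthentication is on; set it to no and use keys only")
      # ChallengeResponseAuthentication is the legacy alias for the same setting
      kbd = get("kbdinteractiveauthentication", get("challengeresponseauthentication", "yes"))
      if (kbd != "no")
        n += weak("KbdInteractiveAuthentication is on; PAM can still prompt for a password")
      if (get("permitrootlogin", "prohibit-password") != "no")
        n += weak("PermitRootLogin is " get("permitrootlogin", "prohibit-password") "; set it to no")
      if (!("allowusers" in cfg) && !("allowgroups" in cfg))
        n += weak("no AllowUsers/AllowGroups; every local account is a login target")
      if (get("maxauthtries", "6") + 0 > 3)
        n += weak("MaxAuthTries is " get("maxauthtries", "6") "; lower it to 3 or fewer")
      if (get("port", "22") == "22")
        print "INFO: listening on port 22; a non-standard port only cuts log noise"
      exit n
    }
  '
}

# Demo on the two constructed fragments.
echo "== weak =="
printf '%s\n' "$WEAK_CONFIG" | audit_sshd_config || echo "findings: $?"
echo "== hardened =="
printf '%s\n' "$HARDENED_CONFIG" | audit_sshd_config || echo "findings: $?"
```

On a real host, prefer `sshd -T | audit_sshd_config` (as root) over reading the file: `sshd -T` prints the effective configuration with defaults and `sshd_config.d` drop-ins resolved, in the lowercase keyword form the script already handles, so a distro drop-in that re-enables passwords does not slip past the audit.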


It reduces the noise, yes, but doesn't stop a determined attacker.

After managing a fleet for a long time, I'd never do that. Tailscale or any other VPN is mandatory for me to be able to access "login" ports.



