>Restrict SSH to your IP (optional but recommended)

That's dangerous, because what if your IP changes? You'll be locked out?

The only thing you really need to do with SSH is to use keys with it, not passwords. That should be secure enough for almost all cases.

Another layer on top is useful to remove the noise from the logs. And if you have anything aside from SSH on the server that doesn't need to be public, restricting it via a VPN or something like that is useful anyway. Most other software that listens on your server likely has much more attack surface than SSH.

Also, change the port sshd listens to from 22 to something else. Cuts down on the noise considerably.

You can always reset stuff from the Hetzner dashboard. But yes, rather than locking it down to some dynamic residential IP, it would be better to set up something like Tailscale, or to have a VPN with a dedicated static IP.

Yeah, agreed. It's dangerous. A lot of people have dynamic IPs at home. Once you have set up SSH keys and disabled root login, you should be good to go.

And change the port from 22. I tend to use the 400 range for SSH ports.

You'll be surprised how many bots get thwarted by just changing the port.

Agreed. You should assume you have a dynamic IP unless you’ve specifically arranged for a static one. It’s a “business” feature where I live at least, so personal internet connections will be dynamic.

[deleted]
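The three settings recommended in the comments above (key-only logins, no root login, a non-default port) can be checked against an `sshd_config`, shown here as an added example that is not part of the thread. The sample config and port 2222 are constructed, the defaults are those of stock OpenSSH (an assumption; distributions may override them), and `Include` files and `Match` blocks are not evaluated.

```python
# Added example: audit the global section of an sshd_config.
# Assumed stock OpenSSH defaults, used when a keyword is absent.
DEFAULTS = {"passwordauthentication": ["yes"],
            "permitrootlogin": ["prohibit-password"],
            "port": ["22"]}

def effective_settings(config_text):
    """Return keyword -> values as sshd would resolve them.

    sshd keeps the FIRST value it reads for a keyword and ignores later
    duplicates. Port is the exception: every Port line adds a listener.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()  # "Key=value" is allowed
        if not parts:
            continue
        key = parts[0].lower()                      # keywords ignore case
        if key == "match":
            break                                   # conditional section
        if len(parts) < 2 or key not in DEFAULTS:
            continue
        value = parts[1].strip('"').lower()
        if key == "port":
            seen.setdefault(key, []).append(value)
        elif key not in seen:
            seen[key] = [value]
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}

def audit(config_text):
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != ["no"]:
        findings.append("password logins are enabled")
    if s["permitrootlogin"] != ["no"]:
        findings.append(f"root login is '{s['permitrootlogin'][0]}', not 'no'")
    if "22" in s["port"]:
        findings.append("sshd still listens on port 22")
    return findings

# Constructed sample: the later "no" never takes effect.
SAMPLE = ("Port 2222\nPermitRootLogin no\n"
          "PasswordAuthentication yes\nPasswordAuthentication no\n")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

On a live host, `sshd -T` prints the configuration the daemon actually resolved, including `Include` files.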