Port scanners don't try to ssh into my server with various username/password combinations.

I prefer to hide my port instead of using F2B for a few reasons.

1. Log spam. Looking in my audit logs for anything suspicious is horrendous when there's just megs of login attempts for days.

2. F2B has banned me in the past due to various oopsies on my part, which is not good when I'm out of town and really need to get into my server.

3. Zero days may be incredibly rare in ssh, but maybe not so much in Immich or any other relatively new software stack being exposed. I'd prefer not to risk it when simple alternatives exist.

Besides the above, using Tailscale gives me other options, such as locking down cloud servers (or other devices I may not have hardware control over) so that they can only be connected to, but not out of.