

change the default SSH port
Any port scanner — take nmap — is going to turn this up.
SSH is also trivial to fingerprint as a protocol. Here’s me running netcat to my local SSH instance:
$ nc localhost 22
SSH-2.0-OpenSSH_10.0p2 Debian-7+deb13u2
^C
$
It ain’t rocket science to identify an SSH server.
I personally think that port-knocking isn’t a great idea and just adds hassle and brittleness to something, but I’d do a port-knocking setup before I tried running sshd on a nonstandard port.
If you honestly don’t trust SSH, then okay, fine, wrap it with a VPN or something with real security so there’s another layer (of course, that raises the issue of whether you trust the VPN software not to have remote exploits). Or have one host that you can reach and bounce from there to another host or something.
There are ways that I’d say are useful to try and secure an SSH instance. Use keys rather than passwords. Whitelist user accounts that can be connected to remotely.
But anyone who is likely to be a real risk to your system is going to be able to find an ssh server running on a nonstandard port.
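The settings the comment above actually recommends (keys instead of passwords, a whitelist of accounts) can be checked mechanically. The following is an added example, not the commenter's code: it parses a constructed sshd_config with sshd's own rule that the first value seen for a keyword wins and that anything after a Match line is conditional, then reports the hardening gaps; the port move is reported as cosmetic, the defaults assumed are those of current OpenSSH.

```python
# Constructed sample sshd_config (not from a real host): the port was moved,
# but the controls that matter were left loose.
SAMPLE_SSHD_CONFIG = """\
Port 2222
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
"""

def parse_sshd_config(text):
    """Return the effective global keyword -> value pairs of an sshd_config.

    sshd keeps the *first* value it obtains for a keyword, keywords are
    case-insensitive, 'Key value' and 'Key=value' are both accepted, and
    everything after a Match line only applies conditionally, so stop there.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key = key.lower()
        if key == "match":
            break
        effective.setdefault(key, value.strip())
    return effective

def audit_sshd_config(text):
    """List the gaps relative to the advice above; an empty list means clean."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("port", "22") != "22":
        findings.append("Port %s: a nonstandard port is not a security control" % cfg["port"])
    if cfg.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': use keys, not passwords")
    if cfg.get("pubkeyauthentication", "yes").lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):
        findings.append("No AllowUsers/AllowGroups: remote logins are not whitelisted")
    if cfg.get("permitrootlogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    return findings

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_SSHD_CONFIG):
        print(finding)
```

Note that the `Match User backup` block's `PasswordAuthentication no` does not rescue the global setting; only the first global value counts.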

Paul Krugman pointed out that opaque approval processes are fertile ground for corruption.