I've worked in companies with horrendous security, where someone with just a bit of SQL injection experience could have easily carried out the data. Yet, since this was a custom in-house application and your off-the-shelve-scanners did not work, this never happened; the only times the servers were hacked was when the company decided to host an (obviously never updated) grandfathered Joomla instance for a customer.
But even more simply, just setting your SSH port to something >10000 is enough to get away with a very mediocre password. It's mostly really not about being a hard target, not being the easiest one is likely quite sufficient :)
> But even more simply, just setting your SSH port to something >10000 is enough to get away with a very mediocre password.
Given how easy and free tools like Wireguard are to setup now (thanks Tailscale!), I really don't understand why folks feel the need to map SSH access to a publicly exposed port at all anymore for the most part, even for throw away side projects.
I mostly agree, but even this leaves you exposed to new bugs found in SSH in the future etc if on an unpatched/forgotten server. I still think its best (and really, really easy now with tools like tailscale) to simply never expose the software to the wide world in the first place and only access over Wireguard.
Fundamentally, it makes no sense to expose low level server access mechanisms to anyone other than yourself/team - there is no need for this to sit listening on a public port, almost ever.
