Comment by nobunaga
12 hours ago
Sure, but have you heard of reducing the attack surface? If you need to be able to log in at all times then you're probably at a scale where you have on-call processes and multiple people who can respond to incidents at a moment's notice, and having only pub key auth enabled makes sense. If you don't need that then you're probably small enough that enabling only public key auth or putting it behind a VPN suffices. And having something like WireGuard is much better than having something like password login enabled.
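As an added example (not code from the thread or from OpenSSH), a POSIX shell check that reports whether a given sshd_config still leaves a password login path open. It mirrors two sshd parsing rules that trip people up: the first value for a keyword wins, and an unset keyword falls back to its default (passwords allowed). It also treats keyboard-interactive authentication as a password path, because with PAM that can prompt for a password even when PasswordAuthentication is off. Function names, the constructed sample configs and the decision to ignore Match blocks are assumptions of this example.

```shell
#!/bin/sh
# Added example: does this sshd_config still allow password-based logins?
# Assumptions: only the global section is inspected (Match blocks are
# skipped, so a Match block that re-enables passwords is not caught), and
# keyboard-interactive is counted as a password path (true under PAM).

# Print the effective value of keyword $2 in file $1; $3 is the sshd default
# used when the keyword is not set anywhere in the global section.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        { gsub(/=/, " ") }                             # sshd accepts "Key=value" too
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }  # comments and blank lines
        tolower($1) == "match" { exit }                # global section ends here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }  # first value wins
        END { if (!found) print def }
    ' "$1"
}

# Exit 0 when a password-based login path is still open in config file $1.
password_login_possible() {
    pw=$(sshd_effective "$1" PasswordAuthentication yes)
    # ChallengeResponseAuthentication is the older name of the same option;
    # use it as the fallback default for KbdInteractiveAuthentication.
    cr=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    kbd=$(sshd_effective "$1" KbdInteractiveAuthentication "$cr")
    [ "$pw" = yes ] || [ "$kbd" = yes ]
}

# Human-readable verdict for config file $1; exit 1 when passwords are possible.
check_sshd_config() {
    if password_login_possible "$1"; then
        echo "$1: password login still possible"
        return 1
    fi
    echo "$1: password login disabled"
}

# Constructed sample configs (not taken from any real host).
weak=$(mktemp); halfway=$(mktemp); strict=$(mktemp)
cat >"$weak" <<'EOF'
# nothing set, so sshd defaults apply and passwords are accepted
Port 22
EOF
cat >"$halfway" <<'EOF'
PasswordAuthentication no
# PAM can still prompt for a password through keyboard-interactive
KbdInteractiveAuthentication yes
EOF
cat >"$strict" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# ignored by sshd: the first value above already won
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
EOF

check_sshd_config "$weak"      # password login still possible
check_sshd_config "$halfway"   # password login still possible
check_sshd_config "$strict"    # password login disabled
rm -f "$weak" "$halfway" "$strict"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config`; on a live host `sshd -T` is the authoritative way to see effective values, including Match blocks, which this script deliberately does not evaluate.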
Anyone who sacrifices security for convenience is asking for trouble.
The nastiest break-in I ever had worked because I installed wget on that server for convenience.
It exploited a known Drupal vulnerability to drop in a PHP script that in turn executed wget to download a payload.
So I agree about the importance of reducing the attack surface.
Now, ssh with password authentication on a tightly controlled server, without fail2ban, port knocking and other tricky setups, is exactly that: a setup with reduced attack surface.
> Anyone who sacrifices security for convenience is asking for trouble.
Then you should switch off your mobile devices, destroy the SIM cards and never connect again.