As a security measure I always change the SSH port to something other than 22; in my case I changed it to 2222.
I’m seeing an absolute drop of bans on the SSH port. Fail2ban helps, but having no one even try on the SSH port is even better. Most of the users will also not use the key login, but the plain password login.
Josh, maybe an idea to change this port by default? (and not forget to let users know the port has changed in the update script?)
I think best practices would be to do both, change the port and set it to not allow logins (only keys)
Moving the port helps, of course, but not allowing password authentication (as per the setup instructions and checks) is the innermost layer IMO; changing the port would be the outer layer of protection, but folks need to turn off the ability for anyone to log in w/o a key in order to stop the folks who know how to check for alternative ports. I have zero even on port 22; they don't have a chance to try any passwords to get locked out.
I think it would be a bad idea to have mail-in-a-box make this change automatically.
However, if you so desired perhaps it could throw up a message to the user suggesting a non-default port be used, and perhaps provide a link with instructions on how to do it.
Then again, that might also be a bad idea, would probably just drive more people with problems and complaints to this discussion forum.