Doesn't take that to leverage an unknown vulnerability in ssh like:

Selfhosted · 10 Posts · 2 Posters · 11 Views
#1 P ([email protected]) wrote:

    Doesn't take that to leverage an unknown vulnerability in ssh like:

    https://blog.qualys.com/vulnerabilities-threat-research/2024/07/01/regresshion-remote-unauthenticated-code-execution-vulnerability-in-openssh-server

    That's why it's common best practice to never expose ssh to raw internet if you can help it; but yes it's not the most risky thing ever either.


#2 T ([email protected]) wrote:

I remember that one. Those are pretty rare and usually involve a specific configuration that is often not the default, though, right? When such a vulnerability is found, it is, rightly so, major news.


#3 P ([email protected]) wrote:

        "This race condition affects sshd in its default configuration." direct quote from the linked article, paragraph like... 3. I linked it so people could read, not speculate.


#4 T ([email protected]) wrote (last edited by [email protected]):

          Ah, now I remember. It took a quick configuration change to mitigate this. Still, I’d call this very rare.

I’m going to side with @[email protected] on this one.


#5 P ([email protected]) wrote:

Agreed, but best practices are meant to deal with the very rare. They didn't put the vulnerabilities in the software due to negligence or malice, it's just an ever-evolving arms race with cracks that show up due to layer upon layer of abstraction. Again I'm not saying to never expose ssh to the net, quite the opposite, but as a best practice you should never do it unless you fully understand the risk and are prepared to deal with any potential consequences. That's just a core tenet of understanding security posture.


#6 T ([email protected]) wrote (last edited by [email protected]):

Sure, don’t open ports you don’t need. I said in a different thread here that I reject all except IP ranges I’m in for home, mobile and work. That works for me. That blocks the vast majority of the world.

              I agree with the other guy that I’m not a target for these vulnerabilities. They are rare and hard to exploit, and valuable. But the basic advice you give is good, obviously.

              Don’t expose what you don’t need to expose. Still I have Immich and all of my photos on there. Good luck scamming me with threats of sending them to my family and work. 😀

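An added example, not code from this thread, OpenSSH or the nftables project, covering two points raised above: the "quick configuration change" from post #4 is, per the Qualys advisory linked in post #1, setting LoginGraceTime to 0 (that detail comes from the advisory, not from this thread), and the "reject all except my home, mobile and work ranges" approach from post #6 is rendered as an nftables ruleset. The helper names, the sample config and every address are constructed for illustration.

```shell
#!/bin/sh
# Added example for this thread (not forum, OpenSSH or nftables code).
# 1) audit an sshd_config for the regreSSHion stop-gap the linked Qualys
#    advisory recommends (LoginGraceTime 0); 2) render the post #6 style
#    "accept SSH only from my ranges" policy as an nftables ruleset.
# All paths, addresses and config lines below are constructed placeholders.

# Print the effective value of a keyword in an sshd_config file.
# sshd honours the FIRST occurrence of a keyword, accepts "Key value" or
# "Key=value", and applies lines under a Match block only conditionally,
# so scanning stops at the first Match line.
#   $1 = path to config, $2 = keyword (case-insensitive), $3 = sshd's default
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        { sub(/^[[:space:]]+/, ""); gsub(/=/, " ") }   # trim, normalise Key=value
        /^#/ || NF == 0 { next }                          # comments and blanks
        tolower($1) == "match" { exit }                   # conditional section
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# True when LoginGraceTime is 0, the regreSSHion stop-gap from the advisory.
# Trade-off stated there: it exposes sshd to MaxStartups exhaustion (denial
# of service), so it bridges to a patched sshd rather than replacing the patch.
regresshion_stopgap_present() {
    [ "$(sshd_effective "$1" LoginGraceTime 2m)" = "0" ]
}

# Render an nftables ruleset that accepts TCP/22 only from the listed IPv4
# CIDRs and drops it from everywhere else. Output only: review it, then load
# with `nft -f`. $1 = space-separated CIDRs (the home/mobile/work ranges).
nft_ssh_allowlist() {
    elems=$(printf '%s' "$1" | sed 's/ /, /g')
    cat <<EOF
table inet ssh_guard {
    set admin_v4 {
        type ipv4_addr
        flags interval
        elements = { $elems }
    }
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        tcp dport 22 ip saddr @admin_v4 accept
        tcp dport 22 drop
    }
}
EOF
}
```

The ruleset keeps the chain policy at accept and only gates port 22, so loading it does not change anything else on the host; the grace-time check is meant for fleets that cannot yet run a patched sshd.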

#7 P ([email protected]) wrote (last edited by [email protected]):

I've always disliked IT discussions for reasons like this. Everyone who comments seems to think that the mitigations, security considerations, and security compromises (i.e., not caring if your images are leaked online) they've made are common knowledge... But, this is a forum advising people on how to configure their home servers for hobbyist use. Best practices should be the mantra; "just raw dog ssh on the internet with your 443/80 port mapping and you're g2g" [sic] shouldn't be an acceptable answer to you. If they'd stated that there are security considerations, but they like to implement them and expose ssh to the net for management purposes, I'd have nothing to say, but to just advise people who lack that extra experience, without helping them understand why you're okay doing what you're doing and what you've done to solve for specific issues that the default configuration does not, seems unhelpful at best.


#8 T ([email protected]) wrote:

                  Listen.

                  Don’t expose any port to any service if you don’t need it.

                  If you do, make sure it’s as secure as you can reasonably make it.

                  I’m not disagreeing.


#9 P ([email protected]) wrote:

My bad. I misread your previous post, specifically around "I agree with the other guy". That being said, anyone with a functional device that can compute any amount of Monero hashes is a proven target, granted, not specifically.


#10 T ([email protected]) wrote:

                      It’s good to be paranoid when it comes to IT security (and software development). 👍
