Hi, recently (ironically, right after sharing some of my posts here on Lemmy) I had a higher (than usual, not high in general) number of “attacks” on my website (I am talking about dumb bots, vulnerability scanners and similar stuff). While all of these are not really critical for my site (which is static and minimal), I decided to take some time and implement some generic measures using (mostly) Crowdsec (fail2ban alternative?) and I made a post about that to help someone who might be in a similar situation.

The whole thing is basic, in the sense that it is just a way to reduce noise and filter out the simplest attacks, which is what I argue most people hosting websites should be mostly concerned with.

  • tal@lemmy.today

    SSH is designed to be exposed to the Internet. I mean, fine, if people want to use weak security-through-obscurity stuff on top of it, it probably isn’t going to actively hurt anything, but there are a few people on here who I would say really seem excessively worried about SSH relative to anything else.

    Keep your system up-to-date. Use key-based authentication. There are a lot of eyeballs on sshd’s authentication stuff. If someone finds a zero-day exploit in sshd, they are probably not going to be expending it on you and risking having it discovered unless you are some kind of specially-valuable target. Anyone of the sort who is going to be in possession of a zero-day exploit in sshd is very, very unlikely to be stymied by you moving your service to another port.

    But people are trying to brute force passwords.

    Okay. So? They’re looking for poorly-configured or never-configured devices using password authentication that are exposed to the Internet with default passwords, which you aren’t doing, right?

    There are 65,536 ports to test. Something like nmap can scan these for open ports at a pretty good clip in parallel. There is protocol-fingerprint software that, given an open port, can recognize a service running on it via a service fingerprint. SSH has an extremely obvious fingerprint, so you don’t even need any fancy software to identify the service, given a port, and anything that does even the slightest investigation is going to know that, yes, that port has sshd connected to it.

    $ nc localhost 22
    SSH-2.0-OpenSSH_9.7p1 Debian-7
    

    Someone building a database of what’s out there on the Internet is going to have no difficulty at all in finding your nonstandard-port sshd. There are probably many databases out there that list your server already. Hell, I bet that there are people who track how frequently people update their sshds.

    Now, let’s go back to the password-brute-forcing crowd doing their scans for systems with password auth enabled and “root” and a blank password or whatever.

    If you’re using pubkeys, password auth isn’t an issue in the first place. And the effort required to brute-force even a very bad, single-English-word password, much less a pubkey, is a whole lot larger than the effort required to brute-force find an sshd running on an unusual port. The likelihood that someone is going to brute-force even a good password by just hammering at an sshd with their bot is not high. The vast bulk of what I see is people looking for “didn’t bother to set a password or used one of about three passwords” systems.

    Like, healthy caution, sure, but I have a long list of things that I’d be vastly more-concerned about from a system compromise standpoint than some random person out there bashing their way through my sshd instance. What software do you run on your computer? Do you trust the eyes on any open-source software to be sufficient to catch insertion of bad software? I have about 4,400 packages installed on my desktop. I know even a little bit about the developers on maybe 10 of them. Do you run any closed-source software? I have a huge Steam library, virtually all of which are closed source. Do you trust the providers of that software? Do you trust them not only not to compromise your system but to have secured their systems against compromise? What about mods for those games? What about the systems used by the people who write those? What about your browser? What about your video drivers that some random website might touch in your browser via WebGL?
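The comment above argues that the traffic hitting an exposed sshd is overwhelmingly password guessing, which is irrelevant once password authentication is disabled, and the original post mentions using Crowdsec to filter that noise. The following added example (not code from the thread, Crowdsec or OpenSSH) shows the kind of check such a tool does on sshd's own log lines: it tallies `Failed password` attempts per source address, lists addresses over a ban threshold, and separately reports any `Accepted password` login, which should never appear on a host that has `PasswordAuthentication no`. The log lines, the host name, the user names and the threshold are constructed samples; the addresses are from the RFC 5737 documentation ranges.

```python
"""Tally sshd authentication outcomes from auth.log / journal lines.

Added example for this thread, not Crowdsec's or OpenSSH's own code.
SAMPLE_LOG is a constructed sample in the format sshd writes to syslog;
the addresses are RFC 5737 documentation addresses, not real hosts.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: three guesses from one address, one guess from another,
# one key-based login (expected) and one password login (unexpected if
# PasswordAuthentication is off).
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Invalid user admin from 198.51.100.23 port 51234
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2
Mar  3 10:01:05 host sshd[1203]: Failed password for root from 198.51.100.23 port 51240 ssh2
Mar  3 10:01:07 host sshd[1205]: Failed password for root from 198.51.100.23 port 51244 ssh2
Mar  3 10:02:11 host sshd[1210]: Accepted publickey for alice from 203.0.113.7 port 40022 ssh2: ED25519 SHA256:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Mar  3 10:03:30 host sshd[1215]: Failed password for root from 192.0.2.99 port 60001 ssh2
Mar  3 10:04:00 host sshd[1220]: Accepted password for bob from 192.0.2.50 port 33333 ssh2
"""

# "invalid user" is inserted by sshd when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+"
)


def analyze(log_text, threshold=3):
    """Return per-address failure counts, ban candidates and accepted logins.

    threshold: number of failed password attempts from one address after
    which it is listed as a ban candidate (constructed value for the sample).
    """
    failed_by_ip = Counter()
    users_by_ip = defaultdict(set)
    accepted = []  # (method, user, ip)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failed_by_ip[ip] += 1
            users_by_ip[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append(m.groups())
    return {
        "failed_by_ip": dict(failed_by_ip),
        "guessed_users": {ip: sorted(u) for ip, u in users_by_ip.items()},
        "ban_candidates": sorted(
            ip for ip, n in failed_by_ip.items() if n >= threshold
        ),
        # Non-empty on a host with PasswordAuthentication no means the
        # configuration did not take effect (wrong file, Match block, reload).
        "password_logins": [(u, ip) for m, u, ip in accepted if m == "password"],
        "pubkey_logins": [(u, ip) for m, u, ip in accepted if m == "publickey"],
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in sorted(report["failed_by_ip"].items()):
        print(f"{ip}: {n} failed password attempts, users {report['guessed_users'][ip]}")
    print("ban candidates:", report["ban_candidates"])
    print("password logins (expect none):", report["password_logins"])
    print("pubkey logins:", report["pubkey_logins"])
```

On a real host the same function can be fed `journalctl -u ssh -o short` or `/var/log/auth.log` output; the point of the `password_logins` list is that it is the one line of the report that should stay empty on a key-only server, regardless of how many guesses arrive.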