@waltercool @CSB
> the real world you can use VPN
A VPN is nice if you need to punch through a firewall by disguising traffic as HTTPS. Though with an httpd setup for reverse proxy tunnelling, you can do that with SSH too.
Either way you're exposing a port on your server and requiring (presumably) a cryptographic key based authentication scheme. Other than the ubiquity of attacks, the actual attack surface and logistics of exploitation are functionally almost identical. Besides which, SSH tunnelling can also be used as a VPN alternative in its own right, as well as port forwarding, and a whole bunch of other goodness. The only other difference really is if you must use UDP instead of TCP for some reason (which defeats the point of using 443).
> I get too many attempts of SSH attacks
So install fail2ban and/or change the SSH port to something other than 22. If you're super paranoid, look into port knocking. fail2ban's default settings are fine (literally just `apt install fail2ban` and forget it), but if you want to weed out the majority of attacks quickly it's easy to just tweak the maxretry and bantime values in jail.conf. Otherwise if you configure your SSH server and client properly (such as per the hardening guide) you won't have an issue.
Presumably if you're suggesting a VPN tunnel in, you'll still need to access SSHd over the VPN anyway. If you think doing that is going to prevent the need for hardening the service, you're frankly fooling yourself. You'll only eliminate the threat of random low-skill script-kiddies, but not anyone who's genuinely serious about cracking your boxen. All you're really doing by adding a VPN is increasing the admin overhead involved in maintaining your systems.
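The maxretry/bantime tuning the post mentions, as an added example that is not part of the original post and not fail2ban's own code: a small Python replay of the sshd jail's counting rule over constructed auth.log lines, so the effect of a given maxretry, findtime and bantime can be checked before deploying it. Hostnames, PIDs and addresses in the sample log are invented; the function defaults match the stock jail.conf values (maxretry 5, findtime and bantime 10m). Real fail2ban also installs the firewall rule through its action and, per the comments in jail.conf itself, expects overrides in jail.local or jail.d/ rather than edits to jail.conf.

```python
"""Replay of fail2ban-style sshd jail logic (added example, not fail2ban code).

Equivalent /etc/fail2ban/jail.local overlay for the "tweaked" values used in
the usage call at the bottom (override here rather than editing jail.conf):
    [sshd]
    enabled  = true
    maxretry = 3
    findtime = 10m
    bantime  = 1h
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Failure lines the stock sshd filter keys on; the "from <host>" group is the
# identity that gets banned. Successful logins ("Accepted ...") never match.
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<host>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed auth.log excerpt (RFC 3339 timestamps, as rsyslog emits on Debian).
# 203.0.113.7 hammers the box, 198.51.100.9 is a legitimate user with two typos,
# 192.0.2.44 fails slowly, and 127.0.0.1 exercises the ignoreip rule.
SAMPLE_LOG = """\
2024-01-10T03:00:00+00:00 vps sshd[1101]: Failed password for root from 192.0.2.44 port 40001 ssh2
2024-01-10T03:05:00+00:00 vps sshd[1102]: Failed password for root from 192.0.2.44 port 40002 ssh2
2024-01-10T03:14:01+00:00 vps sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51312 ssh2
2024-01-10T03:14:02+00:00 vps sshd[1202]: Accepted publickey for ops from 198.51.100.9 port 60000 ssh2
2024-01-10T03:14:03+00:00 vps sshd[1203]: Failed password for root from 203.0.113.7 port 51320 ssh2
2024-01-10T03:14:04+00:00 vps sshd[1204]: Failed password for ops from 198.51.100.9 port 60001 ssh2
2024-01-10T03:14:05+00:00 vps sshd[1205]: Invalid user oracle from 203.0.113.7 port 51330
2024-01-10T03:14:06+00:00 vps sshd[1206]: Failed password for ops from 198.51.100.9 port 60002 ssh2
2024-01-10T03:14:08+00:00 vps sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51340 ssh2
2024-01-10T03:14:10+00:00 vps sshd[1208]: Failed password for invalid user guest from 203.0.113.7 port 51350 ssh2
2024-01-10T03:14:11+00:00 vps sshd[1209]: Failed password for invalid user ubuntu from 203.0.113.7 port 51360 ssh2
2024-01-10T03:30:00+00:00 vps sshd[1301]: Failed password for root from 192.0.2.44 port 40003 ssh2
2024-01-10T03:31:00+00:00 vps sshd[1302]: Failed password for root from 127.0.0.1 port 40100 ssh2
2024-01-10T03:31:01+00:00 vps sshd[1303]: Failed password for root from 127.0.0.1 port 40101 ssh2
2024-01-10T03:31:02+00:00 vps sshd[1304]: Failed password for root from 127.0.0.1 port 40102 ssh2
"""


def simulate_jail(log_text, maxretry=5, findtime=600, bantime=600,
                  ignoreip=("127.0.0.0/8",)):
    """Replay log lines through the jail's counting rule.

    A host is banned when it accumulates `maxretry` failures within a sliding
    window of `findtime` seconds; the ban lasts `bantime` seconds, during which
    further lines from that host are ignored (the firewall would drop them).
    Returns {host: ban_expiry} for every host that ends up banned.
    """
    ignored = [ipaddress.ip_network(n) for n in ignoreip]
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # host -> failure timestamps inside findtime
    bans = {}                     # host -> datetime when the ban expires

    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue              # not a failure line
        host = m.group("host")
        ts = datetime.fromisoformat(line.split(" ", 1)[0])

        if any(ipaddress.ip_address(host) in net for net in ignored):
            continue              # ignoreip hosts are never banned

        if host in bans:
            if ts < bans[host]:
                continue          # still banned
            del bans[host]        # bantime elapsed; counting starts afresh
            recent[host].clear()

        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # findtime: failures older than the window age out
        if len(q) >= maxretry:
            bans[host] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans


if __name__ == "__main__":
    for label, kw in (("stock jail.conf", {}),
                      ("tweaked", {"maxretry": 3, "bantime": 3600})):
        for host, until in simulate_jail(SAMPLE_LOG, **kw).items():
            print(f"{label}: banned {host} until {until.isoformat()}")
```

With the stock values only the noisy 203.0.113.7 is banned, at its fifth failure; with maxretry 3 it is cut off after the third, while the legitimate user with two typos is still untouched. The slow 192.0.2.44 is never banned with a 10 minute findtime because its failures never fall inside one window, which is exactly the case a longer findtime (or a second, slower jail) is for.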