I want to remotely SSH to my home server, and I was wondering if I could just forward port 22 with password login disabled and pubkey authentication enabled. Would that be safe enough?
Yes and no.
Yes if you have the resources to monitor and update. Companies have entire teams dedicated to this.
No if you don’t have the resources/time to keep up with it regularly.
IMO, no need to take this risk when you have services like Tailscale available today.
I know that some VPNs are able to create private networks for devices logged in with your account. For example, NordVPN is able to connect your devices into their “mesh network” and make your devices available through the VPN. I think it’s better than exposing an SSH service on the Internet, even with a lot of protections!
I wouldn’t open up 22 to the world. I would change the port at a minimum or use a VPN.
Why not both?
With a VPN there’s no need to change the port. Unless you change all of your SSH ports to another set, pretty much across all of your hosts, you’re just asking for a headache at scale.
I have a “prep script” that takes care of everything.
It takes less than 2 minutes to run on a fresh install and does all kind of fun things.
As long as password auth is disabled you’re fine. No one is cracking your RSA key. You can add Fail2Ban to reduce the log noise, but security-wise it’s fine.
Also, don’t use RSA; use Ed25519 nowadays.
RSA is fine. It isn’t like you will have to worry about the length of the keys for SSH.
It is, but if you’re going to use something security related, use the current recommendation unless you strictly can’t for legacy reasons or something.
Disable password auth.
Enable key only auth.
Add in TOTP 2FA (Google Authenticator).
Randomize the port (reduce bots) that forwards to 22.
Configure lockout to block upon 3 failed attempts, for a long duration like 1 year. (Have backup access on the LAN.)
Ensure only the highest encryption ciphers are accepted.
Ensure upgrades are applied to sshd at least monthly.
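One practical way to verify the sshd-side steps in the list above is to audit the configuration the way sshd actually reads it rather than trusting the file as edited. The following is an added example, not code from anyone in this thread: it parses a constructed sshd_config fragment using sshd's own first-value-wins and pre-Match rules and reports which steps hold; the 3-strike lockout itself lives in fail2ban, so only the per-connection MaxAuthTries cap is checked here. Key names in the result dict and the sample config values are assumptions chosen for the example.

```python
# OpenSSH semantics followed here: keywords are case-insensitive, the FIRST value
# of a keyword wins (later duplicates are ignored), and lines after 'Match' are conditional.
import re

# Cipher name fragments that a hardened Ciphers allow-list should not contain.
WEAK_CIPHER_PATTERNS = ("-cbc", "arcfour")

# Constructed sample: hardening lines were appended at the bottom, but the
# earlier 'PasswordAuthentication yes' still wins, so passwords stay enabled.
SAMPLE_CONFIG = """
Port 2222
PasswordAuthentication yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
MaxAuthTries 3
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

def parse_global(config_text):
    """Return {keyword: value} for the global section; first value wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # everything below only applies when the Match criteria hold
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(config_text):
    """Map each sshd-side hardening step from the thread to True or False."""
    s = parse_global(config_text)
    ciphers = [c.strip().lower() for c in s.get("ciphers", "").split(",") if c.strip()]
    methods = s.get("authenticationmethods", "").lower()
    return {
        "password_auth_disabled": s.get("passwordauthentication", "yes").lower() == "no",
        # TOTP via PAM needs keyboard-interactive required together with the key.
        "totp_second_factor": "publickey" in methods and "keyboard-interactive" in methods,
        "nonstandard_port": s.get("port", "22") != "22",
        "max_auth_tries_capped": int(s.get("maxauthtries", "6")) <= 3,
        "explicit_strong_ciphers": bool(ciphers)
        and not any(p in c for c in ciphers for p in WEAK_CIPHER_PATTERNS),
    }
```

On a live host, feed it the output of `sshd -T`, which prints the effective, already-merged configuration (Include'd drop-ins resolved) one lowercase keyword per line.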
Configure lockout to block upon 3 failed attempts
fail2ban