Feature Request: Custom SSH Port

I hate leaving port 22 open - it just invites brute force attacks, and since I treat my internal network as though it's been compromised, a simple router-side port mapping isn't an ideal solution for me, especially since my router doesn't support port mapping for IPv6 pinholes. However, I think this would need to be added to the UI so it doesn't break the integrated console access, and in fact modifying the Port setting in /etc/ssh/sshd_config seems to be ignored entirely.

Is there a solution for mapping SSH to another port (we'll use 2222 as an example) today? I'm not an iptables guru, but I haven't had luck with iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 2222 -j REDIRECT --to-port 22 or similar methods using socat to try to remap the ports.
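An added diagnostic example (not part of the original post, and not GLKVM's own code) for the "Port setting seems to be ignored" symptom: it computes which address and port pairs an OpenSSH sshd would bind, following the precedence rules in sshd(8). It assumes the device runs OpenSSH sshd, which the thread does not confirm; `effective_listeners`, `SAMPLE_CONFIG` and the "*" label are hypothetical names, and `-o Port=...` overrides are not modelled.

```python
import re

# Constructed sample: the edited Port line plus an explicit IPv4 listener.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (constructed for illustration)
Port 2222
ListenAddress 0.0.0.0:22
ListenAddress [::]
"""

def effective_listeners(config_text, argv=()):
    """Return the sorted (address, port) pairs OpenSSH sshd would bind.

    Per sshd(8): a -p on the command line makes every Port line in the file
    ignored, and a ListenAddress that carries its own port overrides both.
    """
    cfg_ports, listen = [], []
    for raw in config_text.splitlines():
        parts = re.split(r"\s*=\s*|\s+", raw.strip(), maxsplit=1)
        if len(parts) < 2 or not parts[1].strip() or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].split()[0]
        if key == "match":  # Port and ListenAddress are global-only
            break
        if key == "port":
            cfg_ports.append(int(value))
        elif key == "listenaddress":  # optional "rdomain ..." suffix dropped
            listen.append(value)
    args = list(argv)
    cli_ports = [int(args[i + 1]) for i, a in enumerate(args[:-1]) if a == "-p"]
    cli_ports += [int(a[2:]) for a in args if re.fullmatch(r"-p\d+", a)]
    ports = cli_ports or cfg_ports or [22]  # 22 is the built-in default
    bound = set()
    for addr in listen or ["*"]:  # "*" = all addresses (hypothetical label)
        m = re.fullmatch(r"\[(.+)\]:(\d+)|([^:\[\]]+):(\d+)", addr)
        if m:  # explicit port on the address wins over Port and -p
            bound.add((m.group(1) or m.group(3), int(m.group(2) or m.group(4))))
        else:
            bound.update((addr.strip("[]"), p) for p in ports)
    return sorted(bound)

if __name__ == "__main__":
    print(effective_listeners("Port 2222\n"))
    print(effective_listeners("Port 2222\n", ["sshd", "-D", "-p", "22"]))
    print(effective_listeners(SAMPLE_CONFIG))
```

Pass it the text of the config file and the daemon's actual argument list from the process table; a result still showing port 22 means the edit is being overridden rather than misread.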

Opening up ports is just an invitation to be compromised. Changing the port number does nothing to reduce that risk. You are much better off using Tailscale MESH VPN, which is already installed on GLKVM.

Tailscale has a free tier with up to 3 users and 100 devices. You only need a single instance of Tailscale running behind your firewall to access any client remotely. It does not require any open ports and will traverse any level of NAT, including CGNAT.

I personally run Tailscale on my pfSense firewall to allow me to access any device (NAS, HDHomeRun tuner, etc.) or service remotely, including embedded devices on which one cannot install a VPN client. The other advantage is you can route all your traffic through your home network when connected to untrusted WiFi networks if you enable and select an exit node. A lot more secure than using one of those so-called "Privacy VPNs" promoted by YouTube shills.

I agree I should probably look more into Tailscale. I was never able to get prior incarnations to work how I wanted in the past, but Tailscale may be at the point where it would work for me.

But I disagree with obfuscated ports. They won't stop a targeted attack, but they do reduce nuisance attacks significantly. People scan blocks of IPs for common port numbers and launch brute force attacks or probes on them. Changing from the standard ports (or common ports like 2222, 8080, 8000, etc.) reduces this noise significantly.

Never expose a non-router device directly to the public internet via DMZ. Such devices were never designed with the assumption that they would face attacks.