I've been running internet-exposed NetBSD servers for a few years now; usually I don't mind having remote shell access to them, as it's just too convenient. As a consequence, I was forced to strengthen the default sshd_config(5) auth policies, and opted for a passphrased ed25519 pubkey, in an attempt to hold back attackers (who, judging by the logs, are never in short supply). I also have a cron script which weekly exports the IPs shown in
blacklistctl dump -b to NPF's permanent blacklist. So far so good.
Yet I'm no admin, and I would love to get some feedback and hear any recommendations from a seasoned UNIX professional.
That said, my sshd_config is structured as follows:
Port [something between 1024 and 65536]
# Cryptographic policy
# Renegotiate session keys after 1 GiB of traffic or 1300 seconds, whichever comes first
RekeyLimit 1G 1300
# Port Forwarding
# Environment variables the client is allowed to pass into the session
AcceptEnv LANG LC_*
# sftp-server logs to the AUTHPRIV facility at level INFO
Subsystem sftp /usr/libexec/sftp-server -f AUTHPRIV -l INFO
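As an added example (not the poster's script or config), here is a small offline audit of an sshd_config against the key-only policy described above, with a constructed "before" and "after" config embedded so it runs stand-alone. It encodes two sshd_config(5) rules that bite people: sshd keeps the FIRST value it sees for a keyword (a later duplicate is silently ignored), and options under a Match block are conditional and do not set the global value. The "wanted" values are an assumption matching the poster's passphrased-pubkey setup; the defaults used for absent keywords are those documented in sshd_config(5) for OpenSSH 9.x (older releases spell KbdInteractiveAuthentication as ChallengeResponseAuthentication). The port, address and file contents are made up for the example.

```shell
#!/bin/sh
# Added example (not the poster's script): offline audit of an sshd_config for a
# pubkey-only policy. Both config files below are CONSTRUCTED for this example.

WEAK_CONF=$(mktemp) && HARD_CONF=$(mktemp) || exit 1
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

# Constructed "before": the OpenSSH defaults plus a few common mistakes.
cat >"$WEAK_CONF" <<'EOF'
Port 22
PasswordAuthentication yes
X11Forwarding yes
# sshd keeps the FIRST value it sees for a keyword; this later line is ignored
PasswordAuthentication no
# Options under Match only apply when the criteria match; they do not set the
# global value, so PermitRootLogin stays at its compiled-in default here
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF

# Constructed "after": pubkey-only, no root, no interactive fallbacks.
cat >"$HARD_CONF" <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
MaxAuthTries 3
LoginGraceTime 30
AuthenticationMethods publickey
EOF

# sshd_value FILE KEYWORD: print the global value of KEYWORD the way sshd
# resolves it: keywords are case-insensitive, comments and blank lines are
# skipped, the first occurrence wins, and scanning stops at the first Match.
# Prints nothing if the keyword is not set globally.
sshd_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        { line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line) }
        line == "" || line ~ /^#/ { next }
        { k = line; sub(/[ \t=].*$/, "", k); k = tolower(k) }
        k == "match" { exit }
        k == key {
            v = line; sub(/^[^ \t=]+[ \t=]+/, "", v)
            print v
            exit
        }
    ' "$1"
}

# audit_sshd_config FILE: print one line per deviation from the wanted policy
# and return the number of deviations. An absent keyword is compared using its
# compiled-in default (third column, per sshd_config(5) for OpenSSH 9.x).
audit_sshd_config() {
    _file=$1 _findings=0
    # keyword  wanted  default
    while read -r _key _wanted _default; do
        _got=$(sshd_value "$_file" "$_key")
        [ -n "$_got" ] || _got=$_default
        if [ "$_got" != "$_wanted" ]; then
            printf '%s: %s is "%s", want "%s"\n' "$_file" "$_key" "$_got" "$_wanted"
            _findings=$((_findings + 1))
        fi
    done <<EOF
PasswordAuthentication no yes
KbdInteractiveAuthentication no yes
PermitRootLogin no prohibit-password
PubkeyAuthentication yes yes
X11Forwarding no no
PermitEmptyPasswords no no
EOF
    return "$_findings"
}

audit_sshd_config "$WEAK_CONF" || echo "$WEAK_CONF: $? deviation(s) from the key-only policy"
audit_sshd_config "$HARD_CONF" && echo "$HARD_CONF: matches the key-only policy"
```

This parser is only a convenience for auditing files offline (e.g. in a repo or on a backup); on the host itself, `sshd -T` prints the fully resolved effective configuration and is the authoritative check, and `sshd -t` validates syntax before you restart and lock yourself out. Note also that sshd_config does not accept trailing comments on a directive line; keep comments on their own lines, as the poster's config does.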