On Tue, 18 Nov 2014 09:40:13 -0800, Ryan Getz ryan2@getzmail.com wrote:
As Libertas said, pub key auth is generally best... or even for some, disabling SSH altogether may be possible. If your relay is a VPS and you have access to a (Java) console or some form of IPMI/DRAC/iLO management, you may not even need SSH access, but these could open up additional security issues (particularly old firmware for out-of-band management).
Another option is to install ZeroTier One and configure the SSH daemon to listen only on the zt0 device for your private network. https://www.zerotier.com/
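An added example, not part of the original thread: sshd's `ListenAddress` takes an address rather than an interface name, so restricting SSH to zt0 means binding to the address assigned to that interface. The check below reads `sshd -T` style output and fails if any listener is outside that address; the function name `check_listen`, the address 10.147.17.5 and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Usage on a real host, as root:
#   sshd -T | check_listen <address assigned to zt0>

# check_listen ZT_ADDR
# Reads effective sshd configuration on stdin. Succeeds only if every
# listenaddress line binds to ZT_ADDR; prints each line that does not.
check_listen() {
    awk -v want="$1" '
        BEGIN { bad = 0; seen = 0 }
        tolower($1) == "listenaddress" {
            seen = 1
            addr = $2
            if (addr ~ /^\[.*\](:[0-9]+)?$/) {
                # bracketed form, e.g. [::]:22
                sub(/^\[/, "", addr)
                sub(/\](:[0-9]+)?$/, "", addr)
            } else if (addr ~ /^[^:]+:[0-9]+$/) {
                # IPv4 or hostname with port, e.g. 0.0.0.0:22
                sub(/:[0-9]+$/, "", addr)
            }
            if (addr != want) { print "exposed: " $0; bad = 1 }
        }
        END {
            if (!seen) {
                # With no ListenAddress at all, sshd listens on every address.
                print "exposed: no listenaddress line found"
                bad = 1
            }
            exit bad
        }'
}

# Constructed sample: default configuration, reachable on all interfaces.
SAMPLE_OPEN='port 22
listenaddress 0.0.0.0:22
listenaddress [::]:22'

# Constructed sample: bound only to the (assumed) zt0 address.
SAMPLE_ZT='port 22
listenaddress 10.147.17.5:22'
```

If sshd starts before the ZeroTier interface has its address, the bind fails and sshd does not come up, so keep console access available when making this change.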