I want add one more
Do InternetApe's recommendations plus
- use /etc/hosts.allow and /etc/hosts.deny for caution(if firewall is opened somehow, it will help)
(** if your home ip is dedicated or vary with in c class range).
# /etc/hosts.deny
# See 'man tcpd' and 'man 5 hosts_access' as well as /etc/hosts.allow
# for a detailed description.
sshd : all
# /etc/hosts.allow
# See 'man tcpd' and 'man 5 hosts_access' for a detailed description
# of /etc/hosts.allow and /etc/hosts.deny.
#
sshd : specific_ip
sshd : a.b.c. # allow a.b.c.0 ~ a.b.c.255
If you torify services, this becomes obsolete and the whole mess gets more secure and easier to handle. You don't need any list of allow/reject because the .onion address is what you need. Without that, they can't even brute-force it.
Think of it more like the difference between a safe you can crack the combination on, and a solid hunk of steel that just looks like a safe. They can play with that dial all they want, they're no getting inside of something that doesn't actually have an inside... It's just solid steel with fancy crap on the front waste their time.