Presuming that nobody can steal the actual password from me myself, is it practically 99.9% impossible to use SSH to crack into my server running SSH on a standard port using very strong (24 symbols containing uppercase, lowercase numbers, parentheses, underscores, dollars, periods, etc. and no human language words) password?
Remember that YOUR password may be very strong while other users may possibly have really weak passwords. Put AllowGroups or AllowUsers into /etc/ssh/sshd_config to switch off ssh access for other users. Also remember that your password may be too safe: This password will almost certainly get written down.
Having said that I think you're pretty safe; if you combine with port knocking or so you are very safe.
It all depends on how fast an attacker can hammer on your tcp/22 port for logins. If you're not using something to terminate such repeated connections, in time any password can be discovered. In this case, time will be a very long time. Months of constant hammering. In the SSH logs I've taken a stroll through I've seen little directed hammering against specific accounts, and lots of door knocking looking for weak passwords.
However, you can't assume all attackers are casual. Someone targeting you specifically will have the investment to wait several months to break in. It's for reasons like this that shared-key is preferred where possible. The password you describe is very likely to be three-nines impossible to crack (in reasonable time constraints). I wouldn't hold my breath for five-nines.
Although rare, there are still 0-day exploits... so you never know. Maybe you can limit access to port 22 [on firewall level] just to a few hosts/networks?
Or maybe you can go the security-through-obscurity way and implement port knocking?
Use denyhosts. Also consider using key based login rather than a password.
Moving sshd to a non-standard port would probably be trivial to add to your configuration, and it would probably eliminate 99% of the ssh bot traffic. Why expose yourself to all the brute force attacks when you can hide so easily? ;-)
I also usually recommend configuring sshd to use only SSH key pair based authentication, if it is going to be exposed to the Internet at large. As long as you keep your private key secure, it is almost impossible for the bad guys to authenticate as you with the server.
As another commentator already pointed out, this does not protect you against 0-day exploits in sshd itself. It is always a good idea to limit the traffic to just the machines that need to connect via firewall rules.
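The answers above recommend restricting logins with AllowUsers/AllowGroups, moving off port 22 and switching to key-only authentication. The script below is an added example (not from any answer or from OpenSSH itself) that audits a sshd_config for exactly those settings; the config it reads is constructed inline, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample sshd_config showing the weak defaults the answers warn about.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
# constructed sshd_config for the example (not a real server's file)
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes
EOF

# effective_value FILE KEYWORD: print the value of the first matching keyword.
# sshd honours the first occurrence of a keyword, so later duplicates are ignored.
effective_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE: print one finding per line; return 0 only if nothing was flagged.
audit_sshd_config() {
    findings=0
    port=$(effective_value "$1" Port)
    [ "${port:-22}" = "22" ] && { echo "Port: 22 (default; expect bot traffic)"; findings=$((findings + 1)); }
    pw=$(effective_value "$1" PasswordAuthentication)
    [ "${pw:-yes}" = "yes" ] && { echo "PasswordAuthentication: yes (prefer key-only login)"; findings=$((findings + 1)); }
    allow="$(effective_value "$1" AllowUsers)$(effective_value "$1" AllowGroups)"
    [ -z "$allow" ] && { echo "AllowUsers/AllowGroups: unset (every local account may log in)"; findings=$((findings + 1)); }
    root=$(effective_value "$1" PermitRootLogin)
    [ "$root" = "yes" ] && { echo "PermitRootLogin: yes"; findings=$((findings + 1)); }
    [ "$findings" -eq 0 ]
}

if audit_sshd_config "$SAMPLE_CFG"; then
    echo "no findings"
fi
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`; on a live host, `sshd -T` shows the effective values including defaults, which this parser does not compute for keywords left unset.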