I never did post anything back to an ISP. I assumed the result would be what you saw in practice. Also, if it were "state sponsored", they would ignore it. If it were somebody trying to find a portal that would circumvent the "Great Firewall of China" [which I'd be in favor of], posting back might just "out" them [to the government].
I just got sshd patched/reinstalled. I just reverified that it disallows login/pw from public IP but allows login from local LAN on accounts that have no pubkey. So, I opened the firewall for sshd [it had been firewalled for two days]. It took exactly five hours for the first script kiddie to show up.
No, you're not crazy. If you are, then I am, too. People that say that are usually uninformed/unaware of what truly constitutes good security. IMO, security is relative to what you're trying to protect. Good security should be minimally intrusive to authorized users. People who bandy about the "crazy card" are most likely to implement systems that regular users try to circumvent (e.g. mandating a 30 character password with funky chars will just cause users to put the password on post-it notes). Note that for website logins, I use a different login for each site, and different funky password. Most of the time, the browser password manager takes care of the pain.
I have [being a systems/kernel programmer] have worked on some "security" projects, and some of the people I worked with were "crazy". By that I mean, they locked down the development environment to the point where it was almost unusable and productivity suffered. In addition to genuine security, they also subscribed to the "security through obscurity" doctrine. This seems to be typical, based on my experience, and what I've read about what Linus [Torvalds] has to say about them.
OTOH, I worked on a realtime broadcast quality realtime H.264 encoder. While everybody had a personal login, the lab encoders' root password were "password". We made this decision from day one that the test encoders were "test equipment", just like an oscilloscope. This was fine, because the entire lab subnet was triple firewalled and even if somebody had logged into root on the encoder, it would let them roach it, but not get access to anything that mattered like the CVS server, etc.
Here's a different type of "crazy" ...
Ironically, the only place where we had to use high security was in product shipments to our principal customer. Updates had both software changes and firmware changes [to custom hardware], which were QA'ed as a unit. But, this customer felt that software updates were okay, but that firmware updates were too "risky" [and that they knew better than we did]. So, they would apply the software changes but not the firmware ones, and then complain to customer support that "things were broken".
We were providing "enterprise grade" customer support [including onsite visits] and even after telling the customer to update the firmware they wouldn't do it. To solve this, we [engineering] made it [had to make it] impossible to do a piecemeal upgrade [with a nearly impossible to remember root password and disabling any override to the boot process].
Also, we had a rev numbering scheme that was X.Y.Z where Z was for simple/minor bug fixes. That same customer balked, thinking any change to Z was "a major change" [based on number of "dots"]. We solved this by shipping them the revs as 1.X.Y.Z and they were happy once again [blissfully unaware].
I'm probably going to be labelled crazy for what I say below. It's a rant about selinux in "targeted" mode, so you can skip it if you want.
selinux was designed [by the NSA] to provide security for gov't systems that have multiple levels and classifications. Confidential, secret, top secret, most secret, etc. And, need to know classifications like "noforn" [no foreign], "five eyes" [US, Canada, England, Australia, ???], etc. This is useful. An example would be applying this to the FBI. Not every FBI agent has need-to-know about every ongoing investigation.
But, nobody would use that stuff outside a government. So, selinux has the targeted mode. It is supposed to prevent access to things that can't be codified in ordinary file rwx permissions [owner, group, other] or ACLs. It is proffered as "you get better protection", but the real reason is to justify its inclusion in the mainline kernel.
But, selinux in targeted mode is: dumb, annoying, useless. For example, it has a specific rule to deny /home to apache [on the assumption that a web server should not have access to user home directories]. But, on my system, /home is the mount point for a separate large disk. Some of the subdirectories are just to hold large data (e.g. /home/database). I tried doing this with /bigdisk as the mount point, with /home as a loop mount [or symlink] to /bigdisk/home, but this created even more problems. I actually put the apache directories under /home/apache and selinux complained. I had to write a script to change selinux permissions to allow this. It was arcane/insane what needed to be done.
During my recent fedora upgrade [done via "fedup"], after reboot into the "install mode", selinux was there, but it was run in "permissive" mode. It was complaining at various points, but still allowed the action. To me, this is a scathing indictment if something like fedup feels the need to tell selinux to [effectively] STFU.
Honestly, I've never [personally] seen a single targeted mode selinux denial that wasn't a false positive [and couldn't be covered just as well with standard POSIX permissions or ACLs].
How about you?