With respect to our resident grinch, I'm not convinced that having SSH open, even on port 22, is such a terrible thing (as long as you're using public-key authentication rather than passwords),
"That's right, because you can totally trust that there aren't any security vulnerabilities in well-audited encryption packages." <sarcasm />
https://www.theregister.co.uk/2017/..._brthis_week_unpatched_bug_in_openvpn_server/
http://www.securityfocus.com/bid/95814
https://www.openssh.com/txt/x11fwd.adv
OpenVPN, OpenSSL, OpenSSH. Not limiting ourselves to encryption, let's move on to the what-we-thought-was-well-understood area of stack vulnerabilities,
https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
Linux, FreeBSD, NetBSD, etc.
Now here's the thing. What you really need to know is that there are Shodan style databases out there that show what's listening on what port, and so when inevitably some critical zero-day bug becomes known, the bad guys aren't probing the entire Internet to find out what nodes are running a suddenly-vulnerable version of something exposed to the Internet. They will already know where you are and what your weakness is, and they are in before you can patch it, or before you've even heard of it.
Do not port forward ssh from ${publicip}:22 to ${yournas}:22 unless you really don't care about your data. Even port forwarding a random port may be a bad idea. Some of the vulnerability search engines seem to be scanning semi-random ports, and with only 64K ports to try on your endpoint, this isn't really outside the realm of scan-ability for the bad guys, even for all four billion IP addresses on the Internet, and SSH announces what it is.
but it'd be better yet if FreeNAS would implement fail2ban or something similar.
I know the Linux community is in love with fail2ban, but sshguard is an incredibly lightweight compiled C program which can easily be run in realtime via syslogd. It doesn't suffer anywhere near as much mission creep as fail2ban, and costs really nothing to run. I would like to see everything implement sshguard, but it is really only a band-aid.
Security is all about convincing the bad guys to go bother someone else instead. A really dedicated intruder who wants into your specific network is going to be able to do that, one way or another. The rest of the time, setting up multiple layers of defense is a fairly good way to keep the bad guys out. For example, if you have to ssh into a DMZ network, where there are no tools available, it becomes much more difficult for an attacker to move further into your network using an attack on an inside machine.
Defending networks is hard.
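As an added illustration of the log-driven blocking that sshguard and fail2ban perform (this is not sshguard's code, only a simplified model of the idea: count sshd failures per source over a sliding window and block once a threshold is crossed), the Python below runs over a few constructed syslog lines; the 4-failure threshold, the 10-minute window, the hostname and the addresses are all invented for the example.

```python
"""Toy sshguard-style blocker: count sshd failures per source IP over a sliding
window and report which sources would be blocked (illustration only)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the two most common sshd failure messages in syslog format.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Jun 19 10:00:01 nas sshd[4101]: Failed password for root from 203.0.113.5 port 51230 ssh2
Jun 19 10:00:03 nas sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 51231 ssh2
Jun 19 10:00:05 nas sshd[4103]: Invalid user pi from 203.0.113.5 port 51232
Jun 19 10:00:07 nas sshd[4104]: Failed password for root from 203.0.113.5 port 51233 ssh2
Jun 19 10:05:00 nas sshd[4110]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Jun 19 10:30:00 nas sshd[4120]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Jun 19 10:31:00 nas sshd[4121]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
""".splitlines()


def parse_ts(ts: str, year: int = 2017) -> datetime:
    # syslog timestamps carry no year; one is assumed for the example
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_blocks(lines, threshold: int = 4, window_s: int = 600) -> dict:
    """Return {ip: time_of_block} for every source that reaches `threshold`
    failures inside any `window_s`-second window. A blocked source is not
    counted further, mirroring a firewall rule that drops its packets."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    blocked = {}
    for line in lines:
        m = FAILURE_RE.search(line)
        if not m or m["ip"] in blocked:
            continue
        ip, when = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(when)
        while (when - q[0]).total_seconds() > window_s:  # expire old failures
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = when
    return blocked


if __name__ == "__main__":
    for ip, when in find_blocks(SAMPLE_LOG).items():
        print(f"block {ip} at {when:%H:%M:%S}")
```

With the defaults only 203.0.113.5 is blocked (four failures in six seconds); 198.51.100.7's two failures are 25 minutes apart and fall outside the window, so a legitimate user who mistypes a password occasionally is left alone.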