[the8472]

That's why I mentioned building a database, which essentially evaporates the cost for everyone except the one building the database. Unsalted password hashes are considered insecure due to rainbow tables.

And even if nobody built such a database, the cost still seems trivial compared to the effort it would take to compromise SSH in the first place. That is why I asked for a threat model. What are you defending against where everything is cheap except finding the host?

If your goal is to cut down on log spam, that's fine, but then just say so.

[babadaba]

> What are you defending against

You’re defending against people who wrote scripts that only check the default port. Based on numbers that some others posted, that is actually quite a sizeable number, as they reported numbers of attempted connections on the default port to be orders of magnitude higher than other ports.

[the8472]

Scripts are not magic, they must be doing something. So what are you defending against? The last openssh preauth remote exploit from 2003? Weak passwords? Those are much better addressed by other measures.

[babadaba]

> Scripts are not magic, they must be doing something

Not necessarily. Sometimes they just record potential targets for later manual probing. If the script doesn’t find what it’s looking for (in this example the default ssh port), your server is not recorded. That in itself is a win, even if it’s small.

> So what are you defending against?

It limits the number of people/processes trying to gain access to your server. Would you rather 10 people trying to get in, or 1?

> Those are much better addressed by other measures

Well, ya. Nobody is saying obscurity is the only security layer. You would need to secure it assuming the port is known. As an additional layer, only to (even slightly) reduce the number of potential threat actors, you change the port.