by tuzakey 4615 days ago
That's where fail2ban is useful: pick a number of failed auth attempts on any service you care to integrate, let's say 8 PAM failures, and trigger a rule that inserts an iptables rule to drop/reject the attacker's IP for 5 minutes. That will time out the ssh scan for all but the most patient scanners. If you shared the fail2ban database across hosts you could inject null routes for the offender into your router or block them at your firewall.
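As an added illustration of the fail2ban-style logic described above (this is not fail2ban's code and not from the thread): a minimal jail that counts sshd PAM failures per source address inside a window, bans the address for 5 minutes once it reaches 8 failures, and lifts the ban when it expires. The sample log lines, the epoch timestamps and the 600-second window are constructed assumptions.

```python
import re
from collections import defaultdict, deque

MAXRETRY = 8    # failures before a ban ("8 PAM failures")
FINDTIME = 600  # assumed window, in seconds, over which failures are counted
BANTIME = 300   # ban duration in seconds (5 minutes)

# Matches the PAM failure line sshd writes and captures the remote host.
FAIL_RE = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<ip>\S+)")


class Jail:
    def __init__(self, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
        self.maxretry, self.findtime, self.bantime = maxretry, findtime, bantime
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> ban expiry timestamp
        self.actions = []                   # ("ban"|"unban", ip, ts), in order

    def _expire(self, now):
        for ip, until in list(self.banned.items()):
            if now >= until:
                del self.banned[ip]
                self.actions.append(("unban", ip, now))

    def observe(self, ts, line):
        self._expire(ts)
        m = FAIL_RE.search(line)
        if not m:
            return
        ip = m.group("ip")
        if ip in self.banned:
            return  # a DROP rule is in place; sshd would not even see this attempt
        q = self.failures[ip]
        q.append(ts)
        while q and ts - q[0] > self.findtime:  # forget failures outside the window
            q.popleft()
        if len(q) >= self.maxretry:
            self.banned[ip] = ts + self.bantime
            q.clear()
            self.actions.append(("ban", ip, ts))


def sample_lines():
    # Constructed: 10 failures from 203.0.113.5 one second apart, 2 from
    # 198.51.100.7, then one more from 203.0.113.5 after its ban has expired.
    tmpl = "sshd[1001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost={ip}  user=root"
    lines = [(1700000000 + i, tmpl.format(ip="203.0.113.5")) for i in range(10)]
    lines += [(1700000003, tmpl.format(ip="198.51.100.7")), (1700000004, tmpl.format(ip="198.51.100.7"))]
    lines.append((1700000400, tmpl.format(ip="203.0.113.5")))
    return sorted(lines)


def run():
    jail = Jail()
    for ts, line in sample_lines():
        jail.observe(ts, line)
    return jail.actions
```

The 8th failure from 203.0.113.5 triggers the ban, the two later failures are never counted, and the address is released 300 seconds later; 198.51.100.7 stays under the threshold.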

I think you have missed the point - you should say why using a non-standard port is less secure, not provide me an alternative, because I would also argue a VPN is better than fail2ban.

You cannot neglect the fact that there is a vast number of bots scanning only port 22 on the Internet. We know this because we have found the evidence in our OWN logs, not from those security experts always saying security through obscurity is bad and that we should therefore do nothing.

Because moving your port has an opportunity cost.

Documenting and configuring it has a non-zero cost which could be spent doing something else more impactful.

I've never seen an infrastructure with a sufficiently advanced state of security that obscuring the port numbers of services was at the top of the to-do list.

Unless people recommending these things work for shadow organizations I've never heard of, I'm pretty sure it's something done without any kind of cost-benefit analysis.

What are the odds of an SSHd zero-day? Or, more specifically, what are the odds that someone with zero-day knowledge would be so stupid as to risk the vulnerability being discovered by others by using it in a horizontal search of all running SSHds?

Because it has to both be more likely than any other attack that could be mitigated (and port obscurity would have to be the most effective solution) with the same effort.

Pretty sure that for virtually all infrastructures, auditing that your systems are properly isolated and that users and services have the least privilege possible prevents massively more probable attacks, and that firewalling services, port knocking, or really anything else is a more effective solution for this attack.