[tgeek]

I find the better pattern here is to limit and discourage SSH and then monitor and log the hell out of it. There are numerous tools out there that can centralize any actions being taken on a host and sending it to a log that can be centralized. Outright removing all SSH puts you in a rough spot if things go south with some piece of software that your system monitoring/centralized logging don't cover 100%, and makes it way hard to do things like strace on a process.

[grhmc]

Or if one of the problems of the server caused logging to not correctly start :)

[aalbertson]

Which is certainly a valid case, but I would argue that if that IS the case, and it cannot autorecover, then that is a good candidate for the instance to self terminate.

[Sanddancer]

If logging never started, then your service heartbeat script should have caught it and raised an alert. Logging being down is Kinda Important.

[sneak]

Also, make it part of the process that each time ssh is used, logging or monitoring is set up to catch what it was used for, much the same way that a test is added when a bug is discovered.