Quote Originally Posted by laserlight
I agree that what you say holds true most of the time. However, consider: an attacker might be specifically interested in your server, i.e., this attacker might not just be looking for an easy target. Furthermore, an attacker might have inside information, e.g., he/she was an ex-employee/friend turned enemy with some knowledge of your network configuration, including the non-standard port number.

It is not a terribly good analogy, but I might liken this to ciphers: a strong cipher provides secrecy even if it is known, whereas a weak cipher might only provide some measure of secrecy as long as it remains secret. A strong cipher that is not known would make an attacker's life even more difficult, but the strength of the cipher is independent of whether it is secret. In this case, I am arguing that the security of the server is independent of whether it is a likely target, although it is obviously good to avoid being a likely target.
Laserly One: Oh make no mistake; I do have resources to put to the problem in the event that someone makes a concerted effort to attack my specific address, and I am not shy about going after them in retaliation if need be. The thing is, I have found it better not to "need be". However, the kinds of attacks that the OP refers to (and I have seen when I did use a standard port number) are NOT this kind of attack. They are coordinated zombie attacks that happen so slowly that most log scanners tend to miss the actual threat. Indeed, I only noticed it when doing a manual scan of the log files and the pattern jumped out at me. This is the kind of attack I am advising that moving your port number will avoid. Directed attacks are a whole other ball of wax.

And since you brought up the analogy of ciphers, I would remind you of the other aspect of ciphers: that only really experienced folks should try to implement them. Bad ones are easy to crank out but good ones take time and effort. My solution to this takes neither time nor effort, and if someone of mediocre experience and little time wants to stop the attack, I posit that doing what I suggest is far more effective than any hastily-enacted defense of port 22. If nothing else it *will* buy them time to work up a better defense, but at worst the attack is thwarted in seconds with no additional infrastructure. I am not now, nor have I ever, implied that this is adequate to protect something major like a business or research facility, but it is a viable defense for the average home server.
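The post above describes slow, coordinated attacks that per-source log scanners miss because no single address ever trips a threshold. The following is an added example, written for this thread and not code posted by either participant, showing why a classic per-IP rule stays silent on such traffic while a rule that aggregates failed logins per target username across many source addresses over a long window catches it. The sshd log lines are constructed (documentation address ranges), the year is an assumption because syslog timestamps carry none, and the thresholds (5 failures per 10 minutes per IP; 3 distinct sources per username per 24 hours) are illustrative choices, not values from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format); not taken from the thread.
# Every source address appears exactly once, but the same two usernames are
# probed every few hours from different addresses.
SAMPLE_LOG = """\
Mar  3 01:12:07 home sshd[4011]: Failed password for invalid user admin from 203.0.113.10 port 51012 ssh2
Mar  3 02:40:19 home sshd[4102]: Failed password for root from 198.51.100.22 port 40211 ssh2
Mar  3 04:05:44 home sshd[4190]: Failed password for invalid user admin from 192.0.2.77 port 33920 ssh2
Mar  3 05:58:03 home sshd[4233]: Failed password for root from 203.0.113.45 port 50001 ssh2
Mar  3 07:21:30 home sshd[4300]: Failed password for invalid user admin from 198.51.100.9 port 44410 ssh2
Mar  3 09:03:11 home sshd[4388]: Failed password for root from 192.0.2.130 port 60123 ssh2
Mar  3 11:47:55 home sshd[4470]: Accepted publickey for alice from 192.0.2.5 port 52000 ssh2
Mar  3 13:10:02 home sshd[4512]: Failed password for invalid user admin from 203.0.113.88 port 41333 ssh2
Mar  3 15:32:48 home sshd[4590]: Failed password for root from 198.51.100.140 port 39021 ssh2
"""

ASSUMED_YEAR = 2024  # assumption: syslog timestamps do not include the year

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text):
    """Return failed-login events as (timestamp, user, ip) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
        events.append((ts, m["user"], m["ip"]))
    events.sort()
    return events


def per_ip_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Classic per-source rule: flag an IP with >= threshold failures inside
    any sliding `window`. This is the kind of rule a slow attack never trips."""
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def slow_distributed(events, window=timedelta(hours=24), min_attempts=3, min_sources=3):
    """Flag usernames probed by >= min_sources distinct addresses within any
    sliding `window`, however slowly the attempts arrive. Returns
    {user: {"attempts": n, "sources": k}} for the largest qualifying window."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    report = {}
    for user, hits in by_user.items():
        start = 0
        for end, (t, _) in enumerate(hits):
            while t - hits[start][0] > window:
                start += 1
            span = hits[start:end + 1]
            sources = {ip for _, ip in span}
            if len(span) >= min_attempts and len(sources) >= min_sources:
                prev = report.get(user)
                if prev is None or len(span) > prev["attempts"]:
                    report[user] = {"attempts": len(span), "sources": len(sources)}
    return report


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("per-IP bursts:", per_ip_bursts(ev) or "none")
    print("slow distributed probing:", slow_distributed(ev))
```

On the sample data the per-IP rule returns nothing, because each address made a single attempt, while the per-username aggregation reports both `admin` and `root` as probed from four distinct sources in one day. The same aggregation works on a non-standard port; moving the port mainly reduces how much of this traffic arrives in the first place, which is the point the post makes.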