If undirected bulk scans are a serious threat to your security, something is up.

Properly configured (AllowUsers, disable root, no clear-text passwords, only keys, etc.), I'd say that the undirected bulk scans pose no security risk at all; they are only a nuisance in terms of spamming your logs, which is easy enough to deal with.

What I'm really trying to say is that each "trivial way to reduce your attack surface" has both costs and benefits. I'm contending that moving the ssh port around gives you the benefit of less log spam with no security gain, and costs in terms of documentation and maintenance.

When I do this cost/benefit analysis, I conclude that moving the port around has more costs than it does benefits, so I don't bother.
> undirected bulk scans pose no security risk at all

A future bulk scan may leverage a new SSH exploit before you know it exists.

To put it explicitly: you should disable passwords and change the SSH port. Those are the two measures that make sense, to reduce surface and prevent password brute-force.

The rest of your recommendations are security theatre. An attacker dedicated enough to find your SSH port and be set back by !AllowRoot will just brute-force an allowed username, if that's even a prerequisite for the given ssh exploit.
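Added example, not code from anyone in this thread: a small POSIX shell audit of an sshd_config for the directives the two posts above argue about (PasswordAuthentication, PermitRootLogin, AllowUsers, Port). The two sample config files and all function names are constructed for the example. It assumes the "Directive value" line form (not "Directive=value") and sshd's first-occurrence-wins rule, and it stops reading at the first Match block, since settings there are conditional.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings the
# posters discuss. Assumptions: "Directive value" lines, first occurrence wins,
# and anything after the first Match block is conditional and therefore ignored.

effective_value() {
    # $1 = path to sshd_config, $2 = directive name (matched case-insensitively)
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == "match"               { exit }   # conditional block: stop here
        tolower($1) == tolower(key)          { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

audit_sshd_config() {
    # WEAK: lines for the two settings that decide whether password brute-force is
    # possible at all; INFO: lines for the settings the thread disagrees about.
    cfg=$1

    pw=$(effective_value "$cfg" PasswordAuthentication)
    [ "${pw:-yes}" = "no" ] ||
        echo "WEAK: PasswordAuthentication=${pw:-yes (default)}; use keys only"

    root=$(effective_value "$cfg" PermitRootLogin)
    case "${root:-prohibit-password}" in                 # OpenSSH >= 7.0 default
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin=$root; set to 'no' or 'prohibit-password'" ;;
    esac

    users=$(effective_value "$cfg" AllowUsers)
    [ -n "$users" ] || echo "INFO: no AllowUsers list; every local account may attempt login"

    port=$(effective_value "$cfg" Port)
    [ "${port:-22}" != "22" ] || echo "INFO: sshd on default port 22; expect bulk-scan noise in logs"
    return 0
}

count_weak_settings() {
    # Number of WEAK: findings, printed on stdout (0 means passwords and root login are off).
    audit_sshd_config "$1" | awk '/^WEAK:/ { n++ } END { print n + 0 }'
}

# Constructed sample configs so the example runs offline; prints the directory.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/stock.conf" <<'EOF'
# constructed: close to a stock install
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
    cat > "$dir/hardened.conf" <<'EOF'
# constructed: the settings recommended in the thread
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers alice bob
EOF
    echo "$dir"
}

SAMPLES=$(write_samples)
echo "== stock.conf";    audit_sshd_config "$SAMPLES/stock.conf"
echo "== hardened.conf"; audit_sshd_config "$SAMPLES/hardened.conf"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`; on a live host, `sshd -T` prints the fully resolved configuration and is the authoritative check, but the script shows why reading the file naively (last line wins, ignoring Match) gives wrong answers.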
> A future bulk-scan may leverage a new SSH-exploit before you know it exists.
Sure, this is true. I consider this a "minor" issue; truth be told (I didn't want to muddle up the conversation), I don't tend to run sshd facing the 'public' internet, and in the cases where I do, ssh access is restricted to certain hosts/networks and is enforced by a firewall.
> The rest of your recommendations is security theatre
Can you state why? I think they all provide measurable/real benefit, if this isn't the case I'd welcome some education.
Hm. I will give you that AllowUsers/AllowGroups is not a very good benefit in this case; I mainly enforce the usage of those directives to protect against problems such as bogus user account creations (exploit-created, or something as simple as an admin mistake).

> An attacker dedicated enough to find your SSH-port
And Now for Something Completely Different.
Protecting against a dedicated attacker is a totally different ball game than protecting against drive-bys.