3rdcoastnet wrote: There are a million ways to skin a cat, and tons of more secure strategies
[..]
I know personally I was being attacked CONSTANTLY on port 22 on a public DMZ server. Simply changing the port stopped those attacks after a short while. This isn't "security by obscurity" (that would be just changing the port and leaving it unsecured, and if that's how we define it, then technically a password is security by obscurity), but rather this is a very simple way to protect against 99% of scanning attacks.
I agree, there are lots of strategies. But security by obscurity - this means simply changing ports, no matter if the login itself is secured or not - is the least effective of them all. You might block 99% of scanning attacks, but they are blocked by strong passwords as well, because they use standard logins like ubnt/ubnt and I'm pretty sure most of them use the very same dictionary. Scripts like denyhosts, fail2ban and similar block failed logins after x attempts via the hosts.deny file. Try a dictionary attack with 3 attempts.
The only real benefit when changing ports is a smaller log file, but with denyhosts in place you get only a fraction of the log entries compared to without it - a single dictionary attack can produce hundreds of entries, with denyhosts it's max 3 (depends on configuration).
Especially when talking to inexperienced users, it is kind of dangerous to recommend a port change because they tend to think "ok, now I changed the port and can leave my easy-to-remember login admin/admin."
The very first action to take when securing a system is to make the login safe: strong password, certificates, white/black lists and stuff like that. The very last action to take is to change the port, if you know what you are doing. If a tool you use doesn't support custom ports or the local firewall blocks outgoing custom ports, you're screwed.
However, we should continue the discussion about security in a new thread if desired.
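Editor's added example (not part of either post above, and not the code of denyhosts or fail2ban): a small simulation of the threshold rule the reply describes, run over constructed sshd auth-log lines. It parses "Failed password" entries, bans a source after 3 failures inside a 10-minute window (both values assumed, mirroring a typical maxretry/findtime setup), drops later attempts from a banned host, and renders the resulting hosts.deny entries. The host names, addresses (RFC 5737 documentation ranges) and timestamps in SAMPLE_LOG are made up for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd "Failed password" line as it appears in auth.log / syslog.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log (assumed data): one dictionary run from 203.0.113.5
# (six guesses in ten seconds) and two isolated failures from 198.51.100.7.
SAMPLE_LOG = [
    "Mar 12 10:00:01 dmz-host sshd[1201]: Failed password for invalid user ubnt from 203.0.113.5 port 51234 ssh2",
    "Mar 12 10:00:03 dmz-host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2",
    "Mar 12 10:00:05 dmz-host sshd[1203]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Mar 12 10:00:07 dmz-host sshd[1204]: Failed password for invalid user pi from 203.0.113.5 port 51237 ssh2",
    "Mar 12 10:00:09 dmz-host sshd[1205]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2",
    "Mar 12 10:00:11 dmz-host sshd[1206]: Failed password for invalid user guest from 203.0.113.5 port 51239 ssh2",
    "Mar 12 10:05:30 dmz-host sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2",
    "Mar 12 10:20:00 dmz-host sshd[1400]: Failed password for alice from 198.51.100.7 port 40002 ssh2",
    "Mar 12 10:45:00 dmz-host sshd[1500]: Failed password for alice from 198.51.100.7 port 40003 ssh2",
]


def parse_failures(lines, year=2024):
    """Extract (timestamp, source ip, username) from failed-login lines.

    Lines that are not "Failed password" entries (e.g. successful logins)
    are ignored. Syslog timestamps carry no year, so one is supplied.
    """
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def apply_ban_policy(events, maxretry=3, findtime=timedelta(minutes=10)):
    """Simulate a denyhosts/fail2ban style rule.

    A source is banned once it has `maxretry` failures inside a sliding
    `findtime` window. Returns (banned, logged): `banned` maps ip -> time of
    the ban, `logged` counts the failures that reach the log before the ban
    takes effect. Attempts from an already banned host are rejected before
    sshd sees them, so they produce no further log entries.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    logged = defaultdict(int)
    for ts, ip, _user in sorted(events):
        if ip in banned:
            continue              # connection refused by hosts.deny / firewall: nothing logged
        logged[ip] += 1
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:
            window.popleft()      # expire failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned, dict(logged)


def hosts_deny_lines(banned):
    """Render the entries a denyhosts-style tool would append to /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in sorted(banned)]


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    banned, logged = apply_ban_policy(events)
    print("failures parsed:", len(events))
    print("entries actually logged per source:", logged)
    print("banned:", {ip: ts.isoformat() for ip, ts in banned.items()})
    print("\n".join(hosts_deny_lines(banned)))
```

With these settings the six-guess dictionary run from 203.0.113.5 produces only three log entries before the host is banned, while the two slow failures from 198.51.100.7 (25 minutes apart) never accumulate three inside one window and the host stays reachable. Lowering maxretry or lengthening findtime trades fewer logged attempts against a higher chance of locking out a legitimate user who mistypes a password.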
Now back to topic: