
> What are you defending against

You’re defending against people who wrote scripts that only check the default port. Based on numbers that some others posted, that is actually quite a sizeable number, as they reported numbers of attempted connections on the default port to be orders of magnitude higher than other ports.




Scripts are not magic, they must be doing something. So what are you defending against? The last openssh preauth remote exploit from 2003? Weak passwords? Those are much better addressed by other measures.


> Scripts are not magic, they must be doing something

Not necessarily. Sometimes they just record potential targets for later manual probing. If the script doesn’t find what it’s looking for (in this example the default ssh port), your server is not recorded. That in itself is a win, even if it’s small.

> So what are you defending against?

It limits the number of people/processes trying to gain access to your server. Would you rather 10 people trying to get in, or 1?

> Those are much better addressed by other measures

Well, ya. Nobody is saying obscurity is the only security layer. You would need to secure it assuming the port is known. As an additional layer, only to (even slightly) reduce the number of potential threat actors, you change the port.



