In moving sshd to an alternate port, I've noticed two things: a greatly decreased amount of log noise from dictionary attacks, and a moderately increased amount of portscans.
It's reasonably clear to your average net malfeasant that any host running recognizable services is going to be running sshd.
So why not do both?
Put a dummy sshd on 22/tcp, deny all auth attempts, log whatever keeps you swimming in interesting data.
Then run real sshd elsewhere, possibly filtered, possibly port knocked, and hopefully permitting key-based auth only.
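A sketch of what the decoy's log can tell you, added here as an example and not part of the original comments: it lists the usernames each source tried against the dummy sshd on 22/tcp and flags sources that later turned up on the real port, which ties the decoy data to the portscans mentioned above. The real port (2222), the function name `triage`, the sample log lines, and the assumption that both daemons log at `LogLevel VERBOSE` to the same file are all constructed for illustration.

```python
import re
from collections import defaultdict

DECOY_PORT = 22    # dummy sshd that denies every auth attempt
REAL_PORT = 2222   # assumed placeholder for wherever the real sshd listens

# At LogLevel VERBOSE, OpenSSH logs the local port of each accepted connection.
CONN_RE = re.compile(r"sshd\[(\d+)\]: Connection from (\S+) port \d+ on \S+ port (\d+)")
FAIL_RE = re.compile(r"sshd\[(\d+)\]: Failed \S+ for (?:invalid user )?(\S+) from (\S+)")

def triage(lines):
    """Return (decoy_users, followed).

    decoy_users: source IP -> set of usernames tried against the decoy.
    followed:    source IPs seen on the decoy that later reached the real port.
    """
    pid_port = {}                    # sshd child pid -> local port it serves
    decoy_users = defaultdict(set)
    seen_decoy, followed = set(), set()
    for line in lines:
        m = CONN_RE.search(line)
        if m:
            pid, ip, port = m.group(1), m.group(2), int(m.group(3))
            pid_port[pid] = port     # a reused pid is overwritten here
            if port == DECOY_PORT:
                seen_decoy.add(ip)
            elif port == REAL_PORT and ip in seen_decoy:
                followed.add(ip)     # found the real sshd after hitting the decoy
            continue
        m = FAIL_RE.search(line)
        if m and pid_port.get(m.group(1)) == DECOY_PORT:
            decoy_users[m.group(3)].add(m.group(2))
    return dict(decoy_users), followed

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    "Jan 10 03:14:01 host sshd[4101]: Connection from 198.51.100.7 port 40022 on 192.0.2.10 port 22",
    "Jan 10 03:14:03 host sshd[4101]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    "Jan 10 03:14:05 host sshd[4101]: Failed password for root from 198.51.100.7 port 40022 ssh2",
    "Jan 10 03:20:44 host sshd[4188]: Connection from 198.51.100.7 port 40310 on 192.0.2.10 port 2222",
    "Jan 10 09:02:11 host sshd[5230]: Connection from 203.0.113.9 port 51877 on 192.0.2.10 port 2222",
]

if __name__ == "__main__":
    users, followed = triage(SAMPLE)
    print(users, followed)
```

A source in `followed` is a candidate for filtering on the real port, since nothing legitimate has a reason to touch the decoy first.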
I've done this in the past with some pretty good results. Though, I've dropped it because I found myself constantly locking myself out of my own machines.
I can't deny it is a cool technique, though. PortSentry is a good tool to use for just this. Anytime someone comes to :22, the machine just disappears.
And use sshguard, because the only thing you should care about on a secured host is power consumption. One of my boxes went to 33% on all CPU threads during a sk attack.