> Most attacks are just scripts that constantly scan everything looking for services on well-known ports.

Why do you think port scans represent the majority of attacks? From watching my servers, I don't think that's true. Port scans take a ton of time, and they're easier to detect and block before a single auth attempt. Legitimate services usually have to wait until after a couple auth attempts before blocking.
I can verify the author's experience across multiple services, not just ssh. I'd bet he got 5 attacks on port 24 mostly because it's a 2-digit port number. I've moved my ssh port to a 5-digit number before, and it went from thousands of attempts per day to 0 over many months.