sshd is equally susceptible, wherever you run it, sure.
With jumphosts, though, you can run denyhosts, redirect to tarpits, or other clever things, and not affect performance on your other servers.
I think the motivation to use jumphosts is to minimize the surface area of your other servers as much as possible. Each daemon on each server listening for incoming connections is a liability. If an sshd exploit is found (unlikely as that is), bots that mass scan and find my ssh ports and connect won't be able to delete any production files (right away, at least) if all they gain access to is my jumphost and not one of the prod db servers.
Thanks. I didn't consider that the mere act of having sshd deny attempts is a performance cost. I guess one could potentially DoS a server by flooding the sshd with bogus attempts?
Well, sshd denying requests isn't a performance cost, in itself.
But having a script like denyhosts or fail2ban that analyzes auth logs for IPs to block requires memory for the interpreter running the script, as well as however much of the log gets read into memory.
Blocking external ssh connections can avoid that performance hit, however large or small it ends up being.
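As an added example (not from this thread), the two config files that implement the jump-host layout discussed above: the production host listens only on its internal interface and accepts logins only when they arrive from the jump host, and the admin workstation reaches it through ProxyJump. All addresses, hostnames, user names and key paths are placeholders.

```sshconfig
# /etc/ssh/sshd_config on a production host (e.g. prod-db-1)
# Bind only to the internal interface, so there is no public listener at all
# (10.0.1.20 is a placeholder for the host's internal address).
ListenAddress 10.0.1.20
# No password logins, no direct root.
PasswordAuthentication no
PermitRootLogin no
# USER@HOST patterns: only these users, and only when the connection
# originates from the jump host (10.0.0.5 is a placeholder).
AllowUsers deploy@10.0.0.5 ops@10.0.0.5
# Anything a compromised jump host could abuse beyond a shell is switched off.
AllowTcpForwarding no
AllowAgentForwarding no

# ~/.ssh/config on the admin workstation
# The jump host is the only machine with a publicly reachable sshd;
# run fail2ban/denyhosts or a tarpit there, not on the prod fleet.
Host jump
    HostName jump.example.com
    User ops
    IdentityFile ~/.ssh/id_ed25519_jump
    IdentitiesOnly yes

# Production hosts are addressed by their internal IP and reached via the jump host;
# "ssh prod-db-1" tunnels through jump transparently.
Host prod-db-1
    HostName 10.0.1.20
    User deploy
    IdentityFile ~/.ssh/id_ed25519_prod
    IdentitiesOnly yes
    ProxyJump jump
```

A host firewall rule on each production box allowing TCP/22 only from the jump host's address is the second layer; the sshd settings above are the fallback if that rule is ever removed.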