covertgeek | 12 years ago

Haven't tried it for myself -- but looking at the code, it appears that the last rule needs to be changed to port 22 for SSH to work.

ck2|12 years ago

SSH should be immediately moved off port 22 in virtually any install.

The amount of toxic traffic hitting that port is scary.

pepve|12 years ago

It's indeed a large amount of traffic. But it's not scary. None of it will get through if your SSH software is up to date, you have it configured properly, and user accounts are managed sanely. The attacks to be scared of are those that are actually targeted at you. And they will find the port SSH is running on either way.

gmuslera|12 years ago

If you think someone could get in through the ssh port (exploiting an undisclosed vulnerability or with brute force password cracking), moving it elsewhere is not a long term solution. fail2ban is good to avoid brute force attacks, but port knocking with i.e. fwknop will be safer in more situations. If a service is not meant for the public then they shouldn't be able to even notice that it is there.

kamaln7|12 years ago

Or perhaps firewall your server properly so only people who are meant to connect to port 22 can connect to it?

thirsteh|12 years ago

If you're worried about that, it probably shouldn't be publicly accessible in the first place.

Yes, moving ports helps, but it's not a real defense. It just lowers bandwidth costs and prevents some not-so-harmful attacks (from people who don't know whether what they've compromised has any value.)

At the very least, use public-key authentication instead of password authentication for SSH.

D9u|12 years ago

Not scary if you disable password logins, implement PKI, and limit logins to specific addresses.

I get a kick out of viewing all the failed attempts in /var/log/auth

Added bonus is adding all those bad guy addresses to my blacklists.
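An added example, not code from this thread or from fail2ban itself, of the counting logic behind the fail2ban suggestion above, run over the kind of failed-login lines D9u describes reading in the auth log: it parses constructed sshd syslog lines and reports source addresses that hit a retry threshold inside a time window, which is the list a blocklist would be fed from. The log lines, the documentation-range addresses and the assumed year 2013 are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in the syslog format found in /var/log/auth.log
# (no year in the timestamp). Addresses come from documentation ranges.
SAMPLE_LOG = """\
Sep  3 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Sep  3 10:00:03 host sshd[1203]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Sep  3 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51041 ssh2
Sep  3 10:00:06 host sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51055 ssh2
Sep  3 10:00:09 host sshd[1209]: Failed password for invalid user pi from 203.0.113.7 port 51060 ssh2
Sep  3 10:01:30 host sshd[1213]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Sep  3 10:30:00 host sshd[1300]: Failed password for invalid user admin from 192.0.2.9 port 6000 ssh2
Sep  3 11:30:00 host sshd[1301]: Failed password for invalid user admin from 192.0.2.9 port 6001 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(text, year=2013):
    # Syslog omits the year, so the caller supplies it (assumed 2013 here).
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events

def find_offenders(events, maxretry=5, findtime=timedelta(minutes=10)):
    # Same idea as a fail2ban jail: report an address once it produces
    # maxretry failures inside any window of length findtime.
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        # Sliding window: compare each failure with the one maxretry-1 before it.
        for i in range(maxretry - 1, len(stamps)):
            if stamps[i] - stamps[i - maxretry + 1] <= findtime:
                offenders[ip] = len(stamps)
                break
    return offenders

if __name__ == "__main__":
    for ip, n in sorted(find_offenders(parse_failures(SAMPLE_LOG)).items()):
        print(f"{ip}: {n} failed password attempts, blocklist candidate")
```

With the defaults only 203.0.113.7 is reported; 192.0.2.9 fails twice an hour apart and stays under the window, which is why the window matters as much as the retry count.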

herge|12 years ago

Every time somebody suggests this, you should not say it's for security purposes, but to reduce the load on a server.

est|12 years ago

Passive port knocking should be standard.