> - dramatically reduce the noise associated with the fleet of password guessing bots that hit open SSH server daily.
But if you're already using fail2ban or denyhosts (as suggested in the trifecta) then you won't get that much noise anyway, and if you're only using public key auth then the noise from password guessing bots doesn't matter anyway.
> - make it reasonable to assume that a password guess attempt is specifically targeting your server, and therefore consideration for escalation and follow up.
Unfortunately a failed authentication attempt regardless of port isn't enough to conclude that it's a targeted attack. Plenty of bots port scan common ports before running the tools to make sure they're attacking the right service. In fact some bots can do full portscans of hosts (although this is rare as it's quicker to scan for the attacks you have built in, thus you get more attack attempts in less time) - usually this is done to build a database of services, so that they can be exploited later when a new vulnerability comes out.
Regardless, as you say it doesn't improve security, there's no reason for it to be in any security-related trifecta.