
- Don't use the default port

- Disallow root login



I'm not using the default port on one machine, but I do on the other. With key based login, is it really necessary?


If you don't run ssh on port 22, it's been proved that it receives a lot fewer outside login attempts and stops the logs filling up with login failures apart from anything else.


Logs filling up with login failures is hardly a decent reason.


Two reasons: 1. Logs filling up with login failures from drive-bys masks legitimate/focused hack attempts. 2. If there's a security vulnerability found for sshd, non-standard port choice reduces the risk of drive-by scanners.

Non-standard ports don't stop dedicated attacks, but they do reduce noise that can obfuscate a dedicated attack and can reduce your exposure to uncommitted attackers.


If there's ever a TCP-based attack against the server, the non-standard port reduces the risk a little bit.


The risk reduction is negligible if someone is doing a portscan on your host. Connection attempts to non-standard ports will eventually occur. The better solution is to use single packet authorization.[1]

1. http://cipherdyne.org/fwknop/


Yeah. It depends on how persistent they are. Using DROP on all closed ports may discourage some attackers. Others may remain undeterred.


I wanted to stay away from server side settings. But I will say I have mixed feelings about both of these.

If you're using a firewall, the default port matters less. My practice is to restrict SSH to VPN connections only, or from a single bastion host. Finding networks that block odd ports starts losing its charm after you've changed the port, and several years ago it was a pain to get some mobile ssh clients to use alternate ports.

Root login I generally believe should be turned off, and it certainly should not be allowed with passwords. I tend to think a well configured set of keys (one for each user who needs root) poses the same risk as users with sudo *, or the root password in su. As much as I hate to admit it, there are some occasions where remote root access has saved the day.


On top of that, I disable all password logins on every server I run.

If for some reason I must get in and don't have access to my private key, I use a virtual console from my VPS provider to temporarily allow password logins and then immediately disable them when done.

I had a server compromised once because of a default password on the mysql account.


Why disallow root login? What's wrong with allowing root login via public key only? Or via a public key limited by command="..."?


It's good practice to first log in as another user and then gain root privs. This is auditable, and if your sshd won't allow root logins, they can't be brute forced directly.


Do you ever need root login?


Changing ports is useless, easily defeated by a port scan.
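
The three settings argued over in this thread (listening port, root login, password logins) can be checked mechanically. The following Python is an added example, not part of any comment above: it reads `sshd_config` text, applies sshd's rule that the first value seen for a keyword wins, and reports where the global section stands on each point. The function names are hypothetical, the defaults assumed are those of OpenSSH 7.0 and later, and `Include` files, `KbdInteractiveAuthentication` and the contents of `Match` blocks are not evaluated.

```python
# Added example (not from the thread): audit the sshd settings debated above.
# Assumed defaults for absent keywords are those of OpenSSH >= 7.0.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}

SAMPLE = """\
# constructed sample config
Port 2222
PermitRootLogin prohibit-password
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

def effective_settings(config_text):
    """Global settings: sshd keeps the FIRST value per keyword; Port may repeat."""
    seen, ports, has_match = {}, [], False
    for raw in config_text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or keyword without a value
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":  # conditional blocks follow; the global section ends here
            has_match = True
            break
        if key == "port":
            ports.append(int(value))
        else:
            seen.setdefault(key, value)  # later duplicates are ignored, as sshd does
    return {**DEFAULTS, **seen, "ports": ports or [22], "has_match": has_match}

def audit(config_text):
    """Return (code, message) findings for the global section."""
    s = effective_settings(config_text)
    pw = s["passwordauthentication"] != "no"
    root = s["permitrootlogin"]
    out = []
    if pw:
        out.append(("PASSWORD_AUTH", "password logins enabled; guessing can succeed"))
    if root == "yes" and pw:
        out.append(("ROOT_PASSWORD", "root can be brute forced directly"))
    elif root != "no":
        out.append(("ROOT_LOGIN", "root can log in directly, though not with PasswordAuthentication"))
    if 22 in s["ports"]:
        out.append(("DEFAULT_PORT", "port 22: expect drive-by login noise in the logs"))
    if s["has_match"]:
        out.append(("MATCH_UNCHECKED", "Match blocks may override these values"))
    return out
```

Feeding it the output of `sshd -T` instead of the raw file audits the values sshd actually resolved, including any `Include` files.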



