
Brute-Force SSH Server Attacks Surge (InformationWeek)


Posted May 16, 2008 6:00 UTC (Fri) by ekj (subscriber, #1524)
In reply to: Brute-Force SSH Server Attacks Surge (InformationWeek) by bronson
Parent article: Brute-Force SSH Server Attacks Surge (InformationWeek)

Nah. We don't really disagree. I'm just nitpicking. Specifically, I'm nitpicking the claim
that a large relative reduction in risk by ITSELF is a reason to do something. Cutting a risk
by 99% sounds great; my point was merely that if the risk is minuscule already, it may be that
it's not worthwhile.

Arguably, the safest default is to install no servers, unless the user specifically requests
the install (default: not installed), but some services are probably still better left
installed. Indeed, the safest default is to install NOTHING whatsoever, but this is hardly
reasonable, despite improvements to security.

Similarly, the safest default if the user DOES explicitly install a service is to not run it
-- requiring the user to explicitly enable it if he wants it. But this is unreasonable; most
people who install, say, "openssh-server" also want to run it, so defaulting to off is
unfriendly, even though slightly more secure.

Further, the safest default config would be something like disable-root-login,
disable-password-authentication, allow-login-only-from-whitelisted-hosts, but again, this
would be unfriendly because it would mean extra work for most people. So this is probably not
worth it -- despite being more secure.
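The three settings the comment above calls the "safest default config" map onto sshd_config keywords: PermitRootLogin, PasswordAuthentication, and a host-qualified AllowUsers list. The script below is an added example, not code from this thread or from the OpenSSH project: it audits an sshd_config for those three settings, honouring sshd's first-match rule for duplicated keywords. The helper names and the two sample config files are constructed here for illustration and are not real distribution defaults.

```shell
#!/bin/sh
# Added example (not from the LWN thread or OpenSSH): audit an sshd_config for
# the three "safest default" settings the comment lists.  The helper names and
# the two sample config files are constructed here for illustration.

# Effective value of one keyword.  sshd honours the FIRST occurrence of a
# keyword, so we stop at the first match; comments and blank lines are skipped
# and a Match block ends the global section.  Keywords are case-insensitive.
sshd_opt() {  # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/        { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Each check succeeds only when the keyword is explicitly set to a safe value.
# An absent keyword means the stock default, which for OpenSSH of that era was
# PermitRootLogin yes and PasswordAuthentication yes, so it counts as a fail.
root_login_disabled() {
    [ "$(sshd_opt "$1" PermitRootLogin | tr 'A-Z' 'a-z')" = "no" ]
}
password_auth_disabled() {
    [ "$(sshd_opt "$1" PasswordAuthentication | tr 'A-Z' 'a-z')" = "no" ]
}
# "Login only from whitelisted hosts": every AllowUsers pattern must carry a
# host part (user@host or user@addr/prefix); a bare user name allows any host.
host_whitelist_present() {
    awk '
        /^[[:space:]]*(#|$)/        { next }
        tolower($1) == "match"      { exit }
        tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) print $i }
    ' "$1" | {
        n=0; bad=0
        while read -r pat; do
            n=$((n + 1))
            case "$pat" in *@*) ;; *) bad=1 ;; esac
        done
        [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
    }
}

# Run all three checks, print one line each, and return 0 only if all pass.
audit_sshd_config() {
    rc=0
    for check in root_login_disabled password_auth_disabled host_whitelist_present; do
        if "$check" "$1"; then echo "PASS $check"; else echo "FAIL $check"; rc=1; fi
    done
    return $rc
}

# Constructed sample configs (not real distro defaults): one in the spirit of a
# stock install, one with the settings the comment calls the safest default.
STOCK_CFG="${TMPDIR:-/tmp}/sshd_audit_stock.$$"
HARD_CFG="${TMPDIR:-/tmp}/sshd_audit_hard.$$"
cat > "$STOCK_CFG" <<'EOF'
# stock-style config: nothing restricted
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
cat > "$HARD_CFG" <<'EOF'
# hardened config: keys only, no root, named users from named hosts
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers alice@192.0.2.10 bob@*.example.org
# a later duplicate is ignored by sshd (first match wins); the audit mirrors that
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

audit_sshd_config "$STOCK_CFG" || echo "$STOCK_CFG: not hardened"
audit_sshd_config "$HARD_CFG"  || echo "$HARD_CFG: not hardened"
```

Run it as-is to see the stock sample fail all three checks and the hardened sample pass; point `audit_sshd_config` at a real /etc/ssh/sshd_config to audit a live host. The parser deliberately ignores everything after the first Match block, so host restrictions expressed as `Match Address` blocks or via a packet filter are not credited; extend `host_whitelist_present` if your deployment uses those instead of AllowUsers.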




Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds