No matter what port-number you choose, a simple port-scan will quickly find whatever is the new one.
If you want to
actually close your system from such attacks, you must use an entirely different strategy. I suggest that you should run OpenVPN with digital certificates and
tls-auth protection, as I describe in my blog-post
How to Build a 'Dwarvish Door' With OpenVPN.
The only way to access any of the services such as
ssh is to successfully pass through OpenVPN
first, and the only way to do that is to
possess two digital certificates. The first is needed to cause OpenVPN to even
respond to you: any port-scan will say that OpenVPN is not even there. The second, which is one-of-a-kind and issued only to
you, is needed to actually pass through the gantlet.
There are no "passwords"
(nee "PSKs = Pre-Shared Keys"). Only 1,024 or 4,096 bits of pure randomness. You either
possess it, or you don't. (And, your uniquely-assigned key must not have been "revoked.")
Once you are "inside," you can use
ssh and avail yourself of other services. (And these, too, should be using one-of-a-kind digital certificates. There's not a password in sight.)
To an outsider, your system is a smooth, featureless wall. The secret door and secret drawbridge is completely hid.
Authorized users pass through quickly and easily. Intruders can't even begin. With these protections in place, the number of access-attempts drops to ...
... zero. And stays there.
