Yup. Open ports to the world is a terrible idea for anything real. This is why SSH jumpboxes (say a round-robin pair of OpenBSD VMs with ssh rbash &| strongSwan. Add secure port knocking to the pf firewall for bonus points.)
Plus, there are already plenty of ways to AAA OpenSSH using Puppet/Chef, PAM, RFC 4255, Google Authenticator (via PAM plugin). It's really easy to set up if you've done it before.