aspdaddy - 11:35 am on Jan 21, 2011 (gmt 0)
Closing all your unused ports is the best route, but it takes a while to get right because of dependencies and your own requirements, i.e. ping, monitoring.
If you do need insecure ports open, like FTP or SMTP, then limit the risk with IP range and web filters.
Make sure you implement an outbound policy too because when, not if, you are hacked, they will need outbound ports.
Reassigning port 22 to another number
Security by obscurity can help guard against non-automated amateur hacking, i.e. the ex-employee, and can reduce errors, so is sometimes useful.
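
A ruleset that combines the points in the post above, added here as an example and not part of the original post: default-deny inbound, FTP/SMTP limited to an IP range, SSH on a non-default port, and a default-deny outbound policy. It assumes nftables as the firewall; the address range 203.0.113.0/24, port 2222 and the list of permitted outbound services are placeholder assumptions to replace with your own.

```nftables
#!/usr/sbin/nft -f
# Added example. All addresses and port numbers below are assumptions.
flush ruleset

define TRUSTED_NET = 203.0.113.0/24   # placeholder (documentation range)
define SSH_PORT    = 2222             # reassigned from 22; obscurity only

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # Ping for monitoring, rate limited
        icmp type echo-request limit rate 5/second accept

        # SSH on the reassigned port, still restricted by source range
        ip saddr $TRUSTED_NET tcp dport $SSH_PORT accept

        # FTP control and SMTP only from the trusted range
        # (passive FTP data connections also need the ftp conntrack helper)
        ip saddr $TRUSTED_NET tcp dport { 21, 25 } accept

        # Public web service
        tcp dport { 80, 443 } accept
    }

    chain output {
        type filter hook output priority 0; policy drop;

        ct state established,related accept
        oif "lo" accept

        # Only what the host itself needs to initiate
        udp dport { 53, 123 } accept      # DNS, NTP
        tcp dport { 53, 80, 443 } accept  # DNS over TCP, package updates

        # Anything else trying to leave is logged and counted before the drop
        counter log prefix "egress-drop: "
    }
}
```

Entries with the `egress-drop: ` prefix in the kernel log are worth alerting on, since a host that only serves inbound requests should rarely hit that rule.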