Edit: better still how about tunnelling the workers in and shutting EVERYTHING else out?
Then people would have to forward ports and use a special client.
Why special client? Are there problems with RPC across TCP/SSH?
And how much more work is it than stopping miners etc. all the time? We need to secure these pools, it is as obvious as the nose on your face. I think creighto says the enemy of the good is the perfect. Anything is better than nothing.
The SSH CPU overhead of thousands of miners connected at once may be a lot. Ready to donate more?
BTW, SSH attempts can still be started and left to time out without sign-on. So, essentially the same attack vector [unintentional or intentional] still exists.
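The last post's point, that SSH connections can be opened and left to time out without ever signing on, is a question of how the pool's sshd is configured rather than of the tunnelling idea itself. The script below is an added example, not code from anyone in this thread or from any pool, that audits an sshd_config fragment for the directives bounding that exposure (LoginGraceTime, MaxStartups, key-only authentication) and shows, in a comment, the port-forward a worker would use to reach the pool's RPC over the tunnel. The two configs are constructed for the example; the hostname pool.example and the RPC port 8332 (bitcoind's default) are assumptions.

```shell
#!/bin/sh
# Added example: check an sshd_config for limits on unauthenticated sessions.
# A worker would tunnel with (assumed host/port, RPC bound to localhost on the pool):
#   ssh -N -L 8332:localhost:8332 worker@pool.example
# and point its miner at localhost:8332.

# Constructed sample configs: OpenSSH defaults (weak for this use) and a hardened one.
WEAK_CFG='Port 22
LoginGraceTime 120
MaxStartups 10:30:100
PasswordAuthentication yes'

HARD_CFG='Port 22
LoginGraceTime 20
MaxStartups 10:30:60
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding yes
PermitOpen localhost:8332'

# get_opt CONFIG KEY -> value of the first matching directive (case-insensitive)
get_opt() {
    printf '%s\n' "$1" | awk -v key="$2" 'tolower($1)==tolower(key){print $2; exit}'
}

# audit_sshd CONFIG -> prints one line per finding; returns 0 if all checks pass, 1 otherwise
audit_sshd() {
    cfg=$1; rc=0

    # How long a connection may sit unauthenticated before sshd drops it.
    grace=$(get_opt "$cfg" LoginGraceTime)
    if [ -z "$grace" ] || [ "$grace" -gt 30 ]; then
        echo "LoginGraceTime ${grace:-120 (default)}: half-open sessions linger; set it to 30 or less"
        rc=1
    fi

    # MaxStartups start:rate:full caps concurrent unauthenticated connections;
    # a bare number is the hard cap, so the last field is the one that matters.
    starts=$(get_opt "$cfg" MaxStartups)
    full=${starts##*:}
    if [ -z "$starts" ] || [ "$full" -gt 60 ]; then
        echo "MaxStartups ${starts:-unset}: too many unauthenticated connections allowed"
        rc=1
    fi

    # Key-only login removes any value in guessing passwords over the open port.
    if [ "$(get_opt "$cfg" PasswordAuthentication)" != "no" ]; then
        echo "PasswordAuthentication is not 'no': use keys only"
        rc=1
    fi
    return $rc
}

echo "== default-style config =="; audit_sshd "$WEAK_CFG" || true
echo "== hardened config =="; audit_sshd "$HARD_CFG" && echo "all checks passed"
```

The grace and MaxStartups limits do not stop someone opening idle connections, which is the post's point; they bound how long each one costs the pool and how many may be pending at once, which is the part a configuration can control.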