I am no security professional, so my insight here might be limited, but I have to speak up, as your comment is rather harsh. I do not entirely disagree with any of your points, but there can be vulnerabilities in any piece of software (even firewall firmware, which could affect your VPNs), so banishing SSH seems a little short-sighted to me. There are thousands of servers on the internet running publicly accessible SSH services, be it on port 22 or a custom port. If this was a terrible practice, we would see more servers compromised I assume. But of course “all the others do it” is not a good argument.
What I am trying to say is: Every possible way of monitoring with Checkmk has up- and downsides as well as security implications. You want to consider those before configuring anything.
Or even simpler: Don’t drink and root. 