anjbe | 3 years ago
But I contest both of those things. Common obscurity methods provide low benefit for the amount of work put in, relative to methods with a better foundation.
One of the best examples of this is port knocking, a resurging fad in self‐hosting circles, that is completely beaten both in simplicity and in actual protection by putting your SSH server behind WireGuard.
Even the example in the article seems ridiculous. I always advocate disabling SSH passwords and using FIDO‐backed SSH keys instead, but of course people will complain that they lose the ability to log in from arbitrary machines (well worth it in my opinion, but fine). So rather than using SSH with a weak password on a non‐default port, why not use SSH with a strong password on a default port, which provides more entropy and also some protection against attacks by a local user, without having to remember weird port numbers?
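As an added illustration of the configuration point in the comment above (this is example code, not something from the thread or from any SSH project), the following Python audits an `sshd_config` text for the settings discussed: password authentication, public-key authentication and root login, and it reports a non-default port as noise reduction rather than protection. The two sample configurations are constructed; the checker ignores `Match` blocks, which is a simplification assumed here.

```python
# Added example: audit sshd_config settings relevant to the discussion.
# The WEAK and HARDENED config texts are constructed for this example.
import re

# Values a hardened sshd should carry, keyed by lower-cased option name
# (sshd option names are case-insensitive).
EXPECTED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}


def parse_sshd_config(text):
    """Return {option: value} for the first occurrence of each option,
    mirroring sshd's first-match-wins rule. Comments and blank lines are
    skipped; parsing stops at the first 'Match' block (assumption: only
    global settings are audited here)."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        config.setdefault(key, value)
    return config


def audit(config):
    """Return a list of findings; an empty list means the config matches
    EXPECTED and uses the default port."""
    findings = []
    for key, wanted in EXPECTED.items():
        actual = config.get(key)
        if actual is None:
            findings.append(f"{key}: not set (relies on sshd default)")
        elif actual.lower() != wanted:
            findings.append(f"{key}: {actual} (expected {wanted})")
    port = config.get("port", "22")
    if port != "22":
        findings.append(
            f"port {port}: non-default port only reduces log noise, "
            "it does not add protection"
        )
    return findings


# Constructed: the 'weak password on a non-default port' shape from the thread.
WEAK = """\
Port 2222
PasswordAuthentication yes
PermitRootLogin yes
"""

# Constructed: key-only authentication on the default port.
HARDENED = """\
Port 22
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_sshd_config(text)) or ["no findings"])
```

Running it lists five findings for the weak configuration and none for the hardened one; the port finding is deliberately worded as a log-noise observation, matching the thread's framing.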
bogantech | 3 years ago
Really the only thing you get by changing the port is less log spam. If your system is so poorly configured that an automated drive-by attack by a bot would be successful then you're gonna get owned anyway if someone decides to target you.
hospadar | 3 years ago
I think reducing log spam is actually a great security outcome, if the only thing normally present in the log are my real logins, an attacker's attempt would stick out like a sore thumb.
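The "sticks out like a sore thumb" idea in the comment above is easy to turn into a check. The following Python is an added example, not from the thread: it parses sshd authentication lines in syslog format, counts failed attempts per source address, and reports successful logins from addresses outside an allowlist of the administrator's own sources. The log lines and the allowlist are constructed for the example.

```python
# Added example: triage sshd auth lines so that unexpected activity stands out.
# SAMPLE_LOG and KNOWN_SOURCES are constructed; addresses are documentation ranges.
import re
from collections import Counter

SAMPLE_LOG = """\
Jan 10 03:14:07 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:09 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:12 host sshd[1235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 08:01:22 host sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jan 10 09:30:00 host sshd[1350]: Failed publickey for alice from 192.0.2.44 port 40001 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jan 10 09:30:02 host sshd[1350]: Accepted publickey for alice from 192.0.2.44 port 40001 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
"""

# Matches both "Failed password for invalid user admin from ..." and
# "Accepted publickey for alice from ..." forms.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumption: the administrator logs in only from these addresses.
KNOWN_SOURCES = {"198.51.100.7"}


def parse_events(text):
    """Return one dict per recognised auth line: result, method, user, ip."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(events, known_sources):
    """Summarise failed attempts per source and flag successful logins
    from sources that are not on the allowlist."""
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    unknown_accepts = [
        (e["user"], e["ip"], e["method"])
        for e in events
        if e["result"] == "Accepted" and e["ip"] not in known_sources
    ]
    accepted = sum(1 for e in events if e["result"] == "Accepted")
    return {
        "total": len(events),
        "accepted": accepted,
        "failures_per_source": dict(failures),
        "unknown_successful_logins": unknown_accepts,
    }


if __name__ == "__main__":
    report = triage(parse_events(SAMPLE_LOG), KNOWN_SOURCES)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the sample data the report shows a burst of password failures from one address and a key-based login for `alice` from an address not on the allowlist; in a log that normally holds only the administrator's own logins, that second item is the entry worth investigating.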
unknown | 3 years ago
[deleted]
marcosdumay | 3 years ago
It's derogatory by definition, so it can not be underrated. One can disagree about the evaluation of some specific practice, but the people that insist on doing that usually have a horrible track record and even completely wrong mental models (like using the Swiss cheese model for security, when it's only useful against Nature, not humans).