On Sat, Oct 22, 2011 at 03:58:20PM +0100, Howard Jones wrote: > On 22/10/2011 15:37, Bruce Cran wrote: > > If you run some sort of shell server, or where many people need to > > login using ssh, you'll have a bit of a support problem telling people > > to select the non-default port. Also, some might consider it security > > through obscurity, which is often said to be a bad thing. > Security through obscurity is only really a bad thing if it's your ONLY > security. It doesn't hurt to make things harder for someone in addition > to your other measures (strong passwords, large keys, limited network > ranges etc)....
Actually, "security through obscurity" is always bad. The fact, however, is that something that could be used for security through obscurity is not automatically always a security through obscurity measure. Are you using a nonstandard port assignment for security, or just to make your logs cleaner? If you realize that moving SSH to a nonstandard port will not in any way protect you from a targeted attack, and only do so to clean up logs and reduce local SSH daemon activity from pointless low-hanging fruit attacks, while using other (better) techniques to actually properly secure the box, you aren't using employing a security through obscurity plan at all. "Security through obscurity" isn't the technique; it's the purpose to which a technique is directed. If what you're doing isn't intended as a security measure, it's "something other than security through obscurity", and you shouldn't beat yourself up over it. If you have no specific need to keep SSH on 22, definitely move a public-facing SSH server to a nonstandard port, for reasons unrelated to actual intrusion security. -- Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
pgpwkEgeduOxT.pgp
Description: PGP signature
