[freebsd-questions] Breakin attempt
Chad Perrin
perrin at apotheon.com
Sat Oct 22 16:29:34 UTC 2011
On Sat, Oct 22, 2011 at 03:58:20PM +0100, Howard Jones wrote:
> On 22/10/2011 15:37, Bruce Cran wrote:
> > If you run some sort of shell server, or where many people need to
> > login using ssh, you'll have a bit of a support problem telling people
> > to select the non-default port. Also, some might consider it security
> > through obscurity, which is often said to be a bad thing.
> Security through obscurity is only really a bad thing if it's your ONLY
> security. It doesn't hurt to make things harder for someone in addition
> to your other measures (strong passwords, large keys, limited network
> ranges etc)....
Actually, "security through obscurity" is always bad. The fact, however,
is that something that could be used for security through obscurity is
not automatically always a security through obscurity measure. Are you
using a nonstandard port assignment for security, or just to make your
logs cleaner? If you realize that moving SSH to a nonstandard port will
not in any way protect you from a targeted attack, and only do so to
clean up logs and reduce local SSH daemon activity from pointless
low-hanging fruit attacks, while using other (better) techniques to
actually properly secure the box, you aren't using employing a security
through obscurity plan at all.
"Security through obscurity" isn't the technique; it's the purpose to
which a technique is directed. If what you're doing isn't intended as a
security measure, it's "something other than security through obscurity",
and you shouldn't beat yourself up over it.
If you have no specific need to keep SSH on 22, definitely move a
public-facing SSH server to a nonstandard port, for reasons unrelated to
actual intrusion security.
--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20111022/bb92c4ab/attachment.pgp
More information about the freebsd-questions
mailing list