[freebsd-questions] Breakin attempt

Chad Perrin perrin at apotheon.com
Sat Oct 22 16:29:34 UTC 2011

On Sat, Oct 22, 2011 at 03:58:20PM +0100, Howard Jones wrote:
> On 22/10/2011 15:37, Bruce Cran wrote:
> > If you run some sort of shell server, or where many people need to
> > login using ssh, you'll have a bit of a support problem telling people
> > to select the non-default port. Also, some might consider it security
> > through obscurity, which is often said to be a bad thing. 
> Security through obscurity is only really a bad thing if it's your ONLY
> security. It doesn't hurt to make things harder for someone in addition
> to your other measures (strong passwords, large keys, limited network
> ranges etc)....

Actually, "security through obscurity" is always bad.  The fact, however,
is that something that could be used for security through obscurity is
not automatically always a security through obscurity measure.  Are you
using a nonstandard port assignment for security, or just to make your
logs cleaner?  If you realize that moving SSH to a nonstandard port will
not in any way protect you from a targeted attack, and only do so to
clean up logs and reduce local SSH daemon activity from pointless
low-hanging fruit attacks, while using other (better) techniques to
actually properly secure the box, you aren't using employing a security
through obscurity plan at all.

"Security through obscurity" isn't the technique; it's the purpose to
which a technique is directed.  If what you're doing isn't intended as a
security measure, it's "something other than security through obscurity",
and you shouldn't beat yourself up over it.

If you have no specific need to keep SSH on 22, definitely move a
public-facing SSH server to a nonstandard port, for reasons unrelated to
actual intrusion security.

Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 196 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20111022/bb92c4ab/attachment.pgp

More information about the freebsd-questions mailing list