by Twirrim 2103 days ago
Anecdotally, I have a machine with an exposed SSH, on a high number port. I get brute force attempts on a regular basis against it, just way less than when I run it on the standard port number. Security by obscurity is just one part of the steps I take with that machine. Using a high port number is dead simple and easily handled client side too, so I just do it.
2 comments

> just one part of the steps I take with that machine.

You may be interested to know this is called "Defense in depth".

https://en.wikipedia.org/wiki/Defense_in_depth_%28computing%...

The article summarizes:

> It’s where you keep the mechanism secret, not the key.

I think this can be, as you write, defense in depth if the secret of the mechanism is not the only defense.

As an example, the block cipher for the Common Scrambling Algorithm https://en.wikipedia.org/wiki/Common_Scrambling_Algorithm has been kept secret. As it seems, that has delayed the analysis of the system by about 8 years, but has not damaged the procedure.

Or you could say, security by obscurity is one of the layers of their defence in depth strategy.

Edit: I believe you are implying that they used "security by obscurity" incorrectly, which I don't believe they did. If I read that wrong, my bad!

Technically defense in depth refers to multiple effective security measures (like cryptographic login), so security by obscurity isn't actually part of it.

(Moving SSH port plus something like fail2ban could be considered defense-in-depth against the incidental DDOS-like issues, though.)

Also anecdotally, I've been running SSH on the same 30xxx port since ~2004, including a cluster, which ran a public-facing service that was a popular target for various forms of abuse.

There was not a single brute force attempt. None.