by anjbe
1336 days ago
The thesis of the article, that security through obscurity is underrated, is “because it has a low implementation cost and it usually works well.” But I contest both of those things. Common obscurity methods provide low benefit for the amount of work put in, relative to methods with a better foundation. One of the best examples of this is port knocking, a resurging fad in self‐hosting circles, that is completely beaten both in simplicity and in actual protection by putting your SSH server behind WireGuard. Even the example in the article seems ridiculous. I always advocate disabling SSH passwords and using FIDO‐backed SSH keys instead, but of course people will complain that they lose the ability to log in from arbitrary machines (well worth it in my opinion, but fine). So rather than using SSH with a weak password on a non‐default port, why not use SSH with a strong password on a default port, which provides more entropy and also some protection against attacks by a local user, without having to remember weird port numbers?

Really the only thing you get by changing the port is less log spam. If your system is so poorly configured that an automated drive-by attack by a bot would be successful then you're gonna get owned anyway if someone decides to target you.
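The contrast the comment draws, a non-default port with passwords still enabled versus a default port that is only reachable over WireGuard with key-only login, can be checked mechanically. The script below is an added example, not code from the commenter, the linked article, OpenSSH or WireGuard: it audits an sshd_config text for the weak pattern and reports findings. The keywords are real sshd_config directives; both config texts and the WireGuard address 10.0.0.1 are constructed samples.

```shell
#!/bin/sh
# Added example (not the commenter's code): audit an sshd_config text for the
# "obscurity" pattern (non-default port, passwords on, bound to all interfaces)
# versus the hardened pattern (default port, WireGuard-only bind, keys only).
# Both configs below are constructed samples; 10.0.0.1 is an assumed wg0 address.

# Constructed sample: the non-default port is the main "protection".
WEAK_CONFIG='Port 2222
PubkeyAuthentication yes
PasswordAuthentication yes
ListenAddress 0.0.0.0'

# Constructed sample: default port, reachable only on the WireGuard address,
# no password or keyboard-interactive login, keys only.
HARD_CONFIG='Port 22
ListenAddress 10.0.0.1
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes'

# sshd_option CONFIG KEYWORD: print the effective value of KEYWORD.
# sshd uses the FIRST occurrence of a keyword; keywords are case-insensitive.
# Only the "Keyword value" form is handled here, not "Keyword=value".
sshd_option() {
  printf '%s\n' "$1" | awk -v key="$2" '
    tolower($1) == tolower(key) { print $2; exit }'
}

# audit_sshd_config CONFIG: print one FINDING line per weak setting and a
# final "findings: N" line. Absent keywords are judged by the OpenSSH default.
audit_sshd_config() {
  cfg=$1
  n=0

  pw=$(sshd_option "$cfg" PasswordAuthentication)
  # The default is yes, so an absent keyword counts the same as an explicit yes.
  if [ "${pw:-yes}" = yes ]; then
    echo "FINDING: PasswordAuthentication is on (explicitly or by default)"
    n=$((n + 1))
  fi

  # Keyboard-interactive (PAM) can still prompt for a password after
  # PasswordAuthentication is turned off. Newer sshd spells the keyword
  # KbdInteractiveAuthentication, older releases ChallengeResponseAuthentication.
  kbd=$(sshd_option "$cfg" KbdInteractiveAuthentication)
  [ -n "$kbd" ] || kbd=$(sshd_option "$cfg" ChallengeResponseAuthentication)
  if [ "${kbd:-yes}" = yes ]; then
    echo "FINDING: keyboard-interactive authentication is on (explicitly or by default)"
    n=$((n + 1))
  fi

  listen=$(sshd_option "$cfg" ListenAddress)
  case "$listen" in
    ''|0.0.0.0|::|'[::]')
      echo "FINDING: sshd listens on all interfaces; bind ListenAddress to the WireGuard address instead"
      n=$((n + 1)) ;;
  esac

  port=$(sshd_option "$cfg" Port)
  if [ -n "$port" ] && [ "$port" != 22 ] && [ "$n" -gt 0 ]; then
    echo "NOTE: non-default port $port only trims log noise; it does not address the findings above"
  fi

  echo "findings: $n"
}

# count_findings CONFIG: print just the number of findings.
count_findings() {
  audit_sshd_config "$1" | sed -n 's/^findings: //p'
}

echo "== weak =="
audit_sshd_config "$WEAK_CONFIG"
echo "== hardened =="
audit_sshd_config "$HARD_CONFIG"
```

Running it against a live host is `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`; Include directives and Match blocks are not followed, so treat a clean result as a first pass rather than proof. The keyboard-interactive check is there because "PasswordAuthentication no" alone still leaves PAM password prompts open on many distributions, which is exactly the kind of gap a port change hides from the log but not from an attacker.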