[spacemule]

I would argue moving SSH to a non-standard port is security, but it's a different kind. By reducing the noise in logs, it reduces the workload on the human or agent reviewing the logs. So, you can detect an attack in progress or respond to an attack before it gets out of hand. With SSH on a standard port, the harmful malicious logs can blend in with the annoying malicious logs much better.

[i_think_so]

> By reducing the noise in logs, it reduces the workload on the human or agent reviewing the logs. So, you can detect an attack in progress or respond to an attack before it gets out of hand. With SSH on a standard port, the harmful malicious logs can blend in with the annoying malicious logs much better.

Advice like this should be at the top of the chapter in the textbook that teaches young sysmonkeys how to admin a box securely. Well stated.

[logifail]

> By reducing the noise in logs, it reduces the workload on the human or agent reviewing the logs.

Q: Why would you "review the logs" by (human/agent) hand for a service exposed to the Internet? What are you actually looking for?

[I say this as someone who has tens of thousands of failed auth attempts against services I expose to the Internet. Per day.]

[i_think_so]

Sounds like you are the poster child for moving ssh to a different port. :-)

If I were you I would do that immediately. Then, once your logs become actually useful again, look at them.

"Hmmm. There sure seem to be a lot of failed login attempts for bobsmith@server. Maybe I should call him up and see if there's something going on."