by 16s 4618 days ago
Security through obscurity is useless. I have heard people repeat this for the last 20 years. They are wrong and they have no idea what they are talking about. They just parrot what others say. Like chaos it perpetuates itself.

We camouflage tanks. We build stealth fighters. If obscurity had zero value, we'd just paint the tanks bright pink with hot orange flames and drop all the stealth research too. No need to sneak around. Obscurity is useless right?

Hide from the bear and it might not find and eat you. Move your ssh port and your logs will have fewer idiots out there filling them up. That fact alone is worth changing ports.

Obscurity has its place alongside other tactics. And when you put it all together, you'll have a more secure system.

So please cut the "Security through obscurity" crap.

8 comments

Hell, passwords and keys are just obscure strings.

Security through obscurity is only a problem if it's the only security.

Right, adding obscurity doesn't decrease security. It might help... worst case it does nothing.

It might actually decrease security, as it gives a false sense of security and people just take it as their only security measure in the end. Give them obscurity and they feel secure. There are countless examples of this; I don't believe I need to give any here.

What are some examples? Like hiding a wallet in a shoe at the beach? Even that is actually successful in some cases.

Most thieves aren't career criminals in search of wallets. Perhaps a respectable working man sees a wallet of a young rich kid currently in the water. The man could use some extra cash and sees large bills protruding from the wallet and decides to take it. Why not? The man has a family and that kid probably has a trust fund.

The wallet stuffed in a shoe or buried under a towel prevents temptation. It's not actually more secure but it keeps honest people honest.

Nothing is really secure. Adding security is all about making something harder. Harder to live with, harder to access, harder to do un-detected, etc. If hiding something from plain sight makes it even slightly more troublesome of a heist, it's actually security IMO.

It shouldn't be your only form of security but to write it off completely seems silly.

Now imagine a million people from all over the world passing by. Would hiding the wallet in the shoe help?

I agree. Changing the port or hiding with port knocking is useful especially for keeping logs clean.

Generally, I think it's best to avoid publicly accessible SSH but if needed, changing the port is a good idea.

I always remove password auth and direct root login; however, even though my machine is now secure, the logs are filled with failed login attempts.

Clean and tidy logs help spot anomalies indicative of real attacks and not someone looking for open port 22 and hoping the combo root/root somehow works.

I don't think it's wise to change the port and consider things safe. All other security advice still applies; however, changing the default port in addition to locking down access seems like a wise decision to me.
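As an added example (not part of the thread, and not anyone's posted code), here is a small Python script that applies the reasoning in the comment above: on a host where password auth and root login are disabled, an accepted password login, an accepted root login, or a success that follows failures from the same source should stand out from the background noise of scanners. The sshd log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (syslog format); not real data.
SAMPLE_LOG = """\
Mar 10 02:11:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 41122 ssh2
Mar 10 02:11:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 41130 ssh2
Mar 10 02:11:04 host sshd[1203]: Failed password for root from 203.0.113.5 port 41140 ssh2
Mar 10 02:11:09 host sshd[1204]: Failed password for invalid user test from 198.51.100.7 port 5001 ssh2
Mar 10 02:15:44 host sshd[1210]: Accepted publickey for deploy from 192.0.2.10 port 52110 ssh2: ED25519 SHA256:abc
Mar 10 02:16:02 host sshd[1211]: Failed password for deploy from 198.51.100.7 port 5002 ssh2
Mar 10 02:16:05 host sshd[1212]: Accepted password for deploy from 198.51.100.7 port 5003 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def analyze(log_text):
    """Return (failures_per_source, alerts).

    failures_per_source counts the background noise (scanners guessing
    passwords). alerts lists events that should never appear on a host with
    PasswordAuthentication and root login disabled, plus any success that
    follows failures from the same source address."""
    failures = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if not m:
            continue
        method, user, src = m.groups()
        if method == "password":
            alerts.append(f"password login accepted for {user} from {src} (should be disabled)")
        if user == "root":
            alerts.append(f"root login accepted from {src} (should be disabled)")
        if failures.get(src, 0) > 0:
            alerts.append(f"success for {user} from {src} after {failures[src]} failures")
    return dict(failures), alerts


if __name__ == "__main__":
    counts, alerts = analyze(SAMPLE_LOG)
    print("noise:", counts)
    for a in alerts:
        print("ALERT:", a)
```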

I think you're misunderstanding where that came from, or what it means.

The idea behind security through obscurity being bad isn't about stealthiness, it's about the idea that an attacker not privy to details of the system isn't really disadvantaged. Using a secret custom cipher is worse than using publicly vetted and analyzed ciphers like AES or ChaCha20.

Specifically, port-knocking isn't about security through obscurity. Your secret is the knocking sequence. Making the port inaccessible without that makes sense.

> We camouflage tanks. We build stealth fighters.

A lot of the army forces are wearing camo fatigues 100% of the time while in combat zones, I'm sure they would have a lot to learn from you.

Sarcasm aside, security through obscurity is not very useful when it's the only defense vector used but it's very important when it's part of a multi-angle defense. The more hurdles you put on the path of hackers, the more time you buy to defend against them.

Thank you. Every time I hear someone say that I cringe. So sick of hearing it. It's useful, just not the only thing you should be doing.

This is so true... like if you use port knocking, how can that not increase security