From: Chad Perrin
To: freebsd-questions@freebsd.org
Date: Sat, 22 Oct 2011 10:27:56 -0600
Subject: Re: [freebsd-questions] Breakin attempt
Message-ID: <20111022162756.GA20964@guilt.hydra>
In-Reply-To: <4EA2DA0C.1080600@thingy.com>
References: <000001cc90c0$a0c16050$e24420f0$@org> <4EA2CE72.5030202@cran.org.uk> <20111022161242.11803f76.freebsd@edvax.de> <85D6B8A7-9AF6-4188-BC58-F8CBF5ED9E91@cran.org.uk> <4EA2DA0C.1080600@thingy.com>
User-Agent: Mutt/1.4.2.3i

On Sat, Oct 22, 2011 at 03:58:20PM +0100, Howard Jones wrote:
> On 22/10/2011 15:37, Bruce Cran wrote:
> > If you run some sort of shell server, or where many people need to
> > login using ssh, you'll have a bit of a support problem telling people
> > to select the non-default port. Also, some might consider it security
> > through obscurity, which is often said to be a bad thing.
> Security through obscurity is only really a bad thing if it's your ONLY
> security. It doesn't hurt to make things harder for someone in addition
> to your other measures (strong passwords, large keys, limited network
> ranges etc.)...

Actually, "security through obscurity" is always bad. The fact, however, is that something that could be used for security through obscurity is not automatically always a security through obscurity measure.

Are you using a nonstandard port assignment for security, or just to make your logs cleaner? If you realize that moving SSH to a nonstandard port will not in any way protect you from a targeted attack, and only do so to clean up logs and reduce local SSH daemon activity from pointless low-hanging fruit attacks, while using other (better) techniques to actually properly secure the box, you aren't employing a security through obscurity plan at all.

"Security through obscurity" isn't the technique; it's the purpose to which a technique is directed.
If what you're doing isn't intended as a security measure, it's "something other than security through obscurity", and you shouldn't beat yourself up over it. If you have no specific need to keep SSH on 22, definitely move a public-facing SSH server to a nonstandard port, for reasons unrelated to actual intrusion security.

--
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
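The distinction drawn in the message above, that a nonstandard port thins out untargeted scanner noise in the logs but does nothing against an attacker who already knows the host, can be made concrete by triaging the sshd failures themselves. The following is an added example, not code from the thread or from FreeBSD: it parses OpenSSH's standard "Failed ... for ..." auth messages and separates guesses against accounts that do not exist on the host (the noise a port change removes) from failures against accounts that do exist (the entries worth reading on any port). The log excerpt, hostname, PIDs, usernames and addresses are constructed; the addresses come from the RFC 5737 documentation ranges.

```python
"""Triage sshd authentication failures in a syslog excerpt.

Added example for this thread; it is not code from the original message
or from FreeBSD. It separates untargeted scanner noise (password guesses
against accounts that do not exist on the host) from failures against
accounts that do exist, which are the entries worth reading whatever port
sshd listens on. The message formats are OpenSSH's standard auth messages;
the hostname, PIDs, usernames and addresses below are constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt in FreeBSD /var/log/auth.log shape. Addresses are
# from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Oct 22 09:01:12 kukaburra sshd[2011]: Invalid user admin from 203.0.113.5
Oct 22 09:01:14 kukaburra sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Oct 22 09:01:20 kukaburra sshd[2013]: Invalid user test from 203.0.113.5
Oct 22 09:01:22 kukaburra sshd[2013]: Failed password for invalid user test from 203.0.113.5 port 51030 ssh2
Oct 22 09:02:40 kukaburra sshd[2020]: Failed password for root from 198.51.100.7 port 40211 ssh2
Oct 22 09:02:43 kukaburra sshd[2020]: Failed password for root from 198.51.100.7 port 40211 ssh2
Oct 22 09:15:03 kukaburra sshd[2044]: Invalid user oracle from 192.0.2.99
Oct 22 09:15:05 kukaburra sshd[2044]: Failed password for invalid user oracle from 192.0.2.99 port 60001 ssh2
Oct 22 10:20:31 kukaburra sshd[2101]: Failed password for ren from 198.51.100.7 port 40390 ssh2
Oct 22 10:20:36 kukaburra sshd[2101]: Failed password for ren from 198.51.100.7 port 40390 ssh2
Oct 22 10:27:56 kukaburra sshd[2105]: Accepted publickey for ren from 192.0.2.10 port 52010 ssh2
"""

# "Failed <method> for [invalid user ]<user> from <ip> port <n> ssh2".
# sshd says "invalid user" only when the account does not exist locally,
# so the optional group tells real accounts from scanner guesses.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (user, source_ip, account_exists) for every failed login."""
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            yield m["user"], m["ip"], m["invalid"] is None


def triage(log_text):
    """Split failures into scanner noise and attempts on real accounts.

    Returns (noise, real): noise counts failures per source IP against
    nonexistent users; real counts failures per (user, ip) against users
    that exist on the host.
    """
    noise, real = Counter(), Counter()
    for user, ip, exists in parse_failures(log_text):
        if exists:
            real[(user, ip)] += 1
        else:
            noise[ip] += 1
    return noise, real


def sources_probing_real_accounts(real):
    """Map each source IP to the set of existing accounts it failed against.

    A source that works through several real usernames knows something about
    the host; moving sshd to another port will not make that source go away.
    """
    per_ip = defaultdict(set)
    for (user, ip) in real:
        per_ip[ip].add(user)
    return dict(per_ip)


if __name__ == "__main__":
    noise, real = triage(SAMPLE_LOG)
    print("scanner noise (nonexistent users), per source:")
    for ip, n in noise.most_common():
        print(f"  {ip:16} {n}")
    print("failures against existing accounts:")
    for (user, ip), n in sorted(real.items()):
        print(f"  {user}@{ip:16} {n}")
    for ip, users in sources_probing_real_accounts(real).items():
        print(f"review {ip}: tried existing accounts {sorted(users)}")
```

Run against a real auth.log before and after changing the Port directive, the first counter is the one that should shrink; the second is the one that matters, and nothing about the port change touches it.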