Date:      Sat, 22 Oct 2011 10:27:56 -0600
From:      Chad Perrin <perrin@apotheon.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: [freebsd-questions] Breakin attempt
Message-ID:  <20111022162756.GA20964@guilt.hydra>
In-Reply-To: <4EA2DA0C.1080600@thingy.com>
References:  <000001cc90c0$a0c16050$e24420f0$@org> <4EA2CE72.5030202@cran.org.uk> <20111022161242.11803f76.freebsd@edvax.de> <85D6B8A7-9AF6-4188-BC58-F8CBF5ED9E91@cran.org.uk> <4EA2DA0C.1080600@thingy.com>



On Sat, Oct 22, 2011 at 03:58:20PM +0100, Howard Jones wrote:
> On 22/10/2011 15:37, Bruce Cran wrote:
> > If you run some sort of shell server, or where many people need to
> > login using ssh, you'll have a bit of a support problem telling people
> > to select the non-default port. Also, some might consider it security
> > through obscurity, which is often said to be a bad thing.
> Security through obscurity is only really a bad thing if it's your ONLY
> security. It doesn't hurt to make things harder for someone in addition
> to your other measures (strong passwords, large keys, limited network
> ranges etc)....

Actually, "security through obscurity" is always bad.  The fact, however,
is that something that could be used for security through obscurity is
not automatically always a security through obscurity measure.  Are you
using a nonstandard port assignment for security, or just to make your
logs cleaner?  If you realize that moving SSH to a nonstandard port will
not in any way protect you from a targeted attack, and only do so to
clean up logs and reduce local SSH daemon activity from pointless
low-hanging fruit attacks, while using other (better) techniques to
actually properly secure the box, you aren't employing a security
through obscurity plan at all.

"Security through obscurity" isn't the technique; it's the purpose to
which a technique is directed.  If what you're doing isn't intended as a
security measure, it's "something other than security through obscurity",
and you shouldn't beat yourself up over it.

If you have no specific need to keep SSH on 22, definitely move a
public-facing SSH server to a nonstandard port, for reasons unrelated to
actual intrusion security.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
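As an added illustration of the "pointless low-hanging fruit" noise the message wants out of the logs (example code, not part of the original mail or of FreeBSD): a POSIX sh script that summarizes sshd "Failed password" lines by source address. The log lines are constructed samples in FreeBSD auth.log format; the hostname, user names and addresses are made up.

```sh
#!/bin/sh
# Constructed sample auth.log lines (not from the original message).
SAMPLE_LOG='Oct 22 09:01:11 guilt sshd[20110]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 22 09:01:13 guilt sshd[20112]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Oct 22 09:01:15 guilt sshd[20114]: Failed password for root from 203.0.113.7 port 51041 ssh2
Oct 22 09:02:02 guilt sshd[20131]: Failed password for root from 198.51.100.23 port 40011 ssh2
Oct 22 09:05:40 guilt sshd[20150]: Accepted publickey for chad from 192.0.2.10 port 55012 ssh2'

# Print "count address" for every source that produced a failed password
# attempt, noisiest source first. Only sshd lines are considered.
failed_by_source() {
    printf '%s\n' "$SAMPLE_LOG" \
    | awk '/sshd\[[0-9]+\]: Failed password/ {
               for (i = 1; i <= NF; i++) if ($i == "from") src[$(i+1)]++
           }
           END { for (s in src) print src[s], s }' \
    | sort -rn
}

# Count attempts against accounts that do not exist on the box at all;
# these are the clearest sign of untargeted scanning of port 22.
invalid_user_attempts() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c 'Failed password for invalid user'
}

# List sources at or above a failure threshold (default 3). On FreeBSD these
# are the candidates one would hand to a pf table or to blacklistd.
noisy_sources() {
    threshold="${1:-3}"
    failed_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

failed_by_source
```

Replacing SAMPLE_LOG with the output of `grep sshd /var/log/auth.log` runs the same summary over a real log.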
