> On Feb 13, 2015, at 9:03 AM, Valeri Galtsev <[email protected]> wrote:
>
> ...changing port numbers...does not really add security. Security through
> obscurity is only considered to be efficient by Windows folks.

“Security through obscurity” is an overused mantra of derision.
Originally, it was a cry against systems where obscurity was the *only*
security measure taken. You could legitimately use it today against software
that uses a Caesar cipher instead of AES, or against an admin who moves a
publicly-visible file to a nonstandard location to hide it instead of changing
its permissions away from world-readable.

Obscurity as an addition to other forms of strength has been a useful tactic
since before the Roman Empire was founded.

“…that general…is successful in defense whose opponent does not know what
to attack.”
— Sun Tzu, approx 500 BCE

Moving the sshd listening port greatly cuts down on the amount of log spam you
get from bots. Yes, the script kiddies can still find your server. But before
you dismiss this tactic, try the experiment. Move your sshd to a different
port and see what happens to your log spam.

Another legitimate reason to move the SSH port is to cope with
overly-restrictive outbound firewalls on other people’s networks. We have one
SSH server that listens on port 110 because the site that logs into it has
unconditionally blocked port 22 outbound, and we can’t get the local admin to
open that port up for us.

If you want to talk about naive security associated with Windows admins, let’s
talk about admins who block SSH, which is almost never a *successful* attack
vector, while still allowing outbound POP3 connections in a world where email
is probably the #1 vector. :facepalm:
_______________________________________________
CentOS mailing list
[email protected]
http://lists.centos.org/mailman/listinfo/centos
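The "try the experiment" suggestion in the reply above can be measured rather than eyeballed. The following is an added example, not code from the thread or from the CentOS project: it parses constructed auth.log-style sshd lines (the addresses are documentation ranges, made up for this example) and tallies the bot noise so the counts before and after a port move can be compared.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not from the original thread), mimicking the
# bot noise described in the post: password guesses against sshd on port 22.
SAMPLE_AUTH_LOG = """\
Feb 13 09:01:02 host sshd[1201]: Invalid user admin from 203.0.113.5 port 51822
Feb 13 09:01:04 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51822 ssh2
Feb 13 09:01:09 host sshd[1203]: Failed password for root from 203.0.113.5 port 51830 ssh2
Feb 13 09:02:15 host sshd[1210]: Invalid user oracle from 198.51.100.9 port 40110
Feb 13 09:02:17 host sshd[1210]: Failed password for invalid user oracle from 198.51.100.9 port 40110 ssh2
Feb 13 09:05:44 host sshd[1222]: Accepted publickey for deploy from 192.0.2.20 port 60022 ssh2
"""

# One pattern per sshd event class; the capturing group is the client address.
EVENTS = {
    "invalid_user": re.compile(r"sshd\[\d+\]: Invalid user \S+ from (\S+)"),
    "failed_password": re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+)"),
    "accepted": re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+)"),
}


def summarize_sshd_log(log_text):
    """Count sshd events by class and tally failed attempts per source address."""
    counts = Counter()
    sources = Counter()
    for line in log_text.splitlines():
        for name, pattern in EVENTS.items():
            match = pattern.search(line)
            if match:
                counts[name] += 1
                if name != "accepted":
                    sources[match.group(1)] += 1
                break  # each line belongs to exactly one event class
    return {
        "invalid_user": counts["invalid_user"],
        "failed_password": counts["failed_password"],
        "accepted": counts["accepted"],
        "noise": counts["invalid_user"] + counts["failed_password"],
        "sources": dict(sources),
    }


def noise_reduction(before, after):
    """Percentage drop in bot noise between two summaries (e.g. port 22 vs. the new port)."""
    if before["noise"] == 0:
        return 0.0
    return 100.0 * (before["noise"] - after["noise"]) / before["noise"]


if __name__ == "__main__":
    print(summarize_sshd_log(SAMPLE_AUTH_LOG))
```

Run it once against the log collected on port 22 and once against the log collected after the move, then feed both summaries to `noise_reduction` to put a number on the difference.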