Re: [freebsd-questions] Breakin attempt
--n8g4imXOkfNTN/H1
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Sat, Oct 22, 2011 at 03:58:20PM +0100, Howard Jones wrote:
> On 22/10/2011 15:37, Bruce Cran wrote:
> > If you run some sort of shell server, or where many people need to
> > login using ssh, you'll have a bit of a support problem telling people
> > to select the non-default port. Also, some might consider it security
> > through obscurity, which is often said to be a bad thing.=20
> Security through obscurity is only really a bad thing if it's your ONLY
> security. It doesn't hurt to make things harder for someone in addition
> to your other measures (strong passwords, large keys, limited network
> ranges etc)....
Actually, "security through obscurity" is always bad. The fact, however,
is that something that could be used for security through obscurity is
not automatically always a security through obscurity measure. Are you
using a nonstandard port assignment for security, or just to make your
logs cleaner? If you realize that moving SSH to a nonstandard port will
not in any way protect you from a targeted attack, and only do so to
clean up logs and reduce local SSH daemon activity from pointless
low-hanging fruit attacks, while using other (better) techniques to
actually properly secure the box, you aren't using employing a security
through obscurity plan at all.
"Security through obscurity" isn't the technique; it's the purpose to
which a technique is directed. If what you're doing isn't intended as a
security measure, it's "something other than security through obscurity",
and you shouldn't beat yourself up over it.
If you have no specific need to keep SSH on 22, definitely move a
public-facing SSH server to a nonstandard port, for reasons unrelated to
actual intrusion security.
--=20
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]
--n8g4imXOkfNTN/H1
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)
iEYEARECAAYFAk6i7wwACgkQ9mn/Pj01uKWrdgCg9BMDnDoUmET/ujNc3GGUTGIu
IFEAoOM619xNTxU+/OszyhQHJoRtSu9Z
=i4dU
-----END PGP SIGNATURE-----
--n8g4imXOkfNTN/H1--
討論串 (同標題文章)