
Alternate take is that it is security by obscurity, and that’s good as an extra layer of protection.



From a Hacker/Pentester view: Security by obscurity will only steal my time. It won't stop me from hacking you. Moving to another port is useless, I'll do a port scan anyways. Non-standard paths and domain names are different stories, but even those will be brute forced eventually.

It just costs time, makes everything more complicated and in the best case (for me) it makes it easy for you to block the wrong port.


Sometimes, as the saying goes, I don't need to outrun the bear, just the other campers.

If you're targeting me specifically, then yes, moving the port is pointless. But while I haven't stopped you, I've avoided a half-dozen script kiddies running a script that takes advantage of a new 0-day.


If you're targeting me specifically, sure.

If you're not, stealing your time is all I need to do to make you move on to a different, easier target.


What's in your threat model that's simultaneously a non-targeted attack, but also sophisticated enough to get through basic security (e.g. strong password or public key)?


A bot exploiting a new SSHD vuln that my autopatching hasn't caught up with yet.


Zero day exploit is the common refrain here.

I commented extensively on the other thread (cliff notes: nonstandard SSH ports induce their own security risks [if on port 1024 or above], add complexity with minimal benefit, and generally indicate you should be focusing your effort elsewhere - like setting up a WireGuard VPN), but they're not entirely wrong here. Just misguided. If you are guarding against OpenSSH 0-days as an attack vector, one, there are better security measures - see VPNs - to take that provide you greater protection in general, and two, port scans are trivially cheap, so once they infect all the things listening on port 22 they'll use that compute and network capacity to scan the rest of the internet to find things listening on nonstandard ports, because botnets = money, so increasing the size is a worthwhile investment. It gains you a few hours, or you could throw up WireGuard on another host where someone then needs both a WireGuard 0-day and an SSH 0-day at the same time to compromise your system.


It can be part of defense-in-depth: Move SSH to a nonstandard port and then completely hide it from anyone who does a port scan or tries SSH on the wrong port. I'm sure that's occurred to someone, somewhere in the world.


That extra time, and the effort it takes you to get through this obscurity, all makes it easier for the blue team to find you.

It is not enough for a perfect defense, but it can help as defense in depth.
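One way to make the blue-team point above concrete, as an added example that is not from this thread: a small Python script that flags sources probing many distinct TCP ports against a host, the pattern a scanner produces when SSH is not on 22. The log lines are constructed in the iptables LOG format, the addresses are documentation ranges, and the threshold of four distinct ports is a hypothetical choice.

```python
import re
from collections import defaultdict

# Constructed sample firewall DROP lines (iptables LOG style); not from any real host.
SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=22 SYN
Jan 10 12:00:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=2222 SYN
Jan 10 12:00:01 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51002 DPT=8022 SYN
Jan 10 12:00:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51003 DPT=22022 SYN
Jan 10 12:00:02 gw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=51004 DPT=443 SYN
Jan 10 12:00:05 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=22 SYN
Jan 10 12:00:09 gw kernel: DROP IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=22 SYN
Jan 10 12:00:12 gw kernel: DROP IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 PROTO=UDP SPT=5000 DPT=53
"""

# Pull the source address, protocol and destination port out of one LOG line.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")


def parse_drops(text):
    """Yield (src, proto, dpt) for every DROP line that matches the LOG format."""
    for line in text.splitlines():
        if "DROP" not in line:
            continue
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("proto"), int(m.group("dpt"))


def ports_touched_per_source(text, proto="TCP"):
    """Map each source address to the set of distinct destination ports it probed."""
    touched = defaultdict(set)
    for src, p, dpt in parse_drops(text):
        if p == proto:
            touched[src].add(dpt)
    return touched


def scanning_sources(text, min_distinct_ports=4):
    """Sources that probed at least min_distinct_ports distinct TCP ports (hypothetical threshold)."""
    return sorted(src for src, ports in ports_touched_per_source(text).items()
                  if len(ports) >= min_distinct_ports)


if __name__ == "__main__":
    touched = ports_touched_per_source(SAMPLE_LOG)
    for src in scanning_sources(SAMPLE_LOG):
        print(f"port-scan candidate: {src} -> ports {sorted(touched[src])}")
```

A source that only retries port 22 (a plain brute-forcer) stays below the threshold, while a sweep across several ports stands out regardless of which port sshd actually uses.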

