Do you see how the complexity of the attack increased though? Now the attacker has to buy multiple hosts to stage their attack from. Like anything in life, when things get hard, a percentage of people give up.
That's why I mentioned building a database, which essentially evaporates the cost for everyone except the one building the database. Unsalted password hashes are considered insecure due to rainbow tables.
And even if nobody built such a database, the cost still seems trivial compared to the effort it would take to compromise SSH in the first place. That is why I asked for a threat model. What are you defending against where everything is cheap except finding the host?
If your goal is to cut down on log spam, that's fine, but then just say so.
You’re defending against people who wrote scripts that only check the default port. Based on numbers that some others posted, that is actually quite a sizeable number, as they reported numbers of attempted connections on the default port to be orders of magnitude higher than other ports.
Scripts are not magic, they must be doing something. So what are you defending against? The last openssh preauth remote exploit from 2003? Weak passwords? Those are much better addressed by other measures.
> Scripts are not magic, they must be doing something
Not necessarily. Sometimes they just record potential targets for later manual probing. If the script doesn’t find what it’s looking for (in this example the default ssh port), your server is not recorded. That in itself is a win, even if it’s small.
> So what are you defending against?
It limits the number of people/processes trying to gain access to your server. Would you rather have 10 people trying to get in, or 1?
> Those are much better addressed by other measures
Well, ya. Nobody is saying obscurity is the only security layer. You would need to secure it assuming the port is known. As an additional layer, only to (even slightly) reduce the number of potential threat actors, you change the port.
Edit: I believe you are implying that they used “security by obscurity” incorrectly, which I don’t believe they did. If I read that wrong, my bad!
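The claims in this thread about how many connection attempts hit the default port versus a non-default one, and about how a port change reduces the number of processes knocking on the server, are measurable on your own host. The script below is an added example, not code from anyone in the thread: it tallies inbound TCP SYN attempts per destination port from iptables/nftables `LOG` target lines, counting both raw attempts and distinct source addresses. It assumes a firewall rule that logs only SYN packets with a fixed prefix (here `SSH-IN:`); the sample log lines are constructed for the example and use documentation address ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the iptables/nftables LOG target format (not real traffic).
# Assumption: the logging rule matches only TCP SYN packets, so each line is one
# connection attempt rather than one packet of an established session.
SAMPLE_LOG = """\
Jan 12 03:14:07 host kernel: [1234.50] SSH-IN: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51822 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 12 03:14:09 host kernel: [1236.10] SSH-IN: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51830 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 12 03:15:41 host kernel: [1328.77] SSH-IN: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40011 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 03:16:02 host kernel: [1349.02] SSH-IN: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40012 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 03:18:55 host kernel: [1522.31] SSH-IN: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.77 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=60001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 03:19:10 host kernel: [1537.44] SSH-IN: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40020 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 03:20:03 host kernel: [1590.12] SSH-IN: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51900 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 12 03:44:19 host kernel: [3046.90] SSH-IN: IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=192.0.2.200 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=0 DF PROTO=TCP SPT=33333 DPT=2222 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Pull the source address and destination port out of a LOG target line.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")


def tally(lines, ports):
    """Return {port: (attempt_count, distinct_source_count)} for each port in `ports`.

    Lines that do not parse, or that target a port outside `ports`, are ignored so
    that unrelated logged traffic (e.g. port 80) does not skew the SSH comparison.
    """
    attempts = Counter()
    sources = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        port = int(m.group("dpt"))
        if port not in ports:
            continue
        attempts[port] += 1
        sources[port].add(m.group("src"))
    return {p: (attempts[p], len(sources[p])) for p in ports}


def attempt_ratio(stats, default_port=22, alt_port=2222):
    """How many times more attempts the default port saw than the alternate port.

    Returns None when the alternate port saw nothing, since the ratio is undefined.
    """
    default_attempts, _ = stats[default_port]
    alt_attempts, _ = stats[alt_port]
    if alt_attempts == 0:
        return None
    return default_attempts / alt_attempts


def summarize(log_text, ports=(22, 2222)):
    """Parse a whole log blob and return the per-port statistics."""
    return tally(log_text.splitlines(), set(ports))


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for port, (count, distinct) in sorted(stats.items()):
        print(f"port {port:>5}: {count} attempts from {distinct} distinct sources")
    print(f"default/alternate attempt ratio: {attempt_ratio(stats)}")
```

Run it against your own firewall log (after adding a `LOG` rule with a matching prefix for new inbound TCP connections) instead of `SAMPLE_LOG` to see the actual ratio on a given host. Counting distinct sources as well as raw attempts separates "one scanner retrying" from "many scanners", which is the number that matters for the "10 people or 1" argument above.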