[CentOS] One approach to dealing with SSH brute force attacks.

Thu Jan 31 21:17:32 UTC 2008
Warren Young <warren at etr-usa.com>

James B. Byrne wrote:
> 
> I am not a fan of security through obscurity.  

You're diluting a useful phrase.

It originally referred to practices where obscurity was the _only_ 
source of security.  As soon as you saw through the obscurity, there was 
no security.  Of course, this means that there was no real security to 
begin with.  Hiding telnet by changing its listening port would be 
security through obscurity.

Changing ssh's service port is not at all the same thing.  If you get 
past this bit of obscurity, security remains.  To employ another popular 
phrase, it's defense in depth.  The more walls you can throw up, the 
less stress on the final wall that stops the attack.

If you don't like those arguments, the CPU usage difference should 
matter to you.  Your system can reject (or ignore) a connection to an 
unused port with a lot less CPU power than it takes to reject a login 
attempt, especially to a cryptographically protected service.  And, the 
post that started this says there's a 96% chance that the port rejection 
runs the attacker off completely, whereas a password rejection just 
invites another attempt.  So, one TCP RST packet vs. several thousand 
login attempts.  Which would you rather allocate CPU resources for?