James B. Byrne wrote: > > I am not a fan of security through obscurity. You're diluting a useful phrase. It originally referred to practices where obscurity was the _only_ source of security. As soon as you saw through the obscurity, there was no security. Of course, this means that there was no real security to begin with. Hiding telnet by changing its listening port would be security through obscurity. Changing ssh's service port is not at all the same thing. If you get past this bit of obscurity, security remains. To employ another popular phrase, it's defense in depth. The more walls you can throw up, the less stress on the final wall that stops the attack. If you don't like those arguments, the CPU usage difference should matter to you. Your system can reject (or ignore) a connection to an unused port with a lot less CPU power than it takes to reject a login attempt, especially to a cryptographically protected service. And, the post that started this says there's a 96% chance that the port rejection runs the attacker off completely, whereas a password rejection just invites another attempt. So, one TCP RST packet vs. several thousand login attempts. Which would you rather allocate CPU resources for?