[CentOS] Securing SSH wiki article outdated

Fri Feb 13 20:45:21 UTC 2015
Warren Young <wyml at etr-usa.com>

> On Feb 13, 2015, at 9:03 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
> 
> ...changing port numbers...does not really add security. Security through
> obscurity is only considered to be efficient by Windows folks.

“Security through obscurity” is an overused mantra of derision.

Originally, it was a cry against systems where obscurity was the *only* security measure taken.  You could legitimately use it today against software that uses a Caesar cipher instead of AES, or against an admin who moves a publicly-visible file to a nonstandard location to hide it instead of changing its permissions away from world-readable.

Obscurity as an addition to other forms of strength has been a useful tactic since before the Roman Empire was founded.

    “…that general…is successful in defense whose opponent does not know what to attack.”

         — Sun Tzu, approx 500 BCE

Moving the sshd listening port greatly cuts down on the amount of log spam you get from bots.  Yes, the script kiddies can still find your server.  But before you dismiss this tactic, try the experiment.  Move your sshd to a different port and see what happens to your log spam.

Another legitimate reason to move the SSH port is to cope with overly-restrictive outbound firewalls on other people’s networks.  We have one SSH server that listens on port 110 because the site that logs into it has unconditionally blocked port 22 outbound, and we can’t get the local admin to open that port up for us.

If you want to talk about naive security associated with Windows admins, let’s talk about admins who block SSH, which is almost never a *successful* attack vector, while still allowing outbound POP3 connections in a world where email is probably the #1 vector.  :facepalm:
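
One way to measure the "try the experiment" suggestion above, as an added example that is not part of the original post: count failed sshd logins before and after the date the port was moved. It assumes classic OpenSSH syslog lines ("Failed password for ... from IP port N ssh2"); the function name, cutover date and sample log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Matches any sshd syslog line. "port N" in OpenSSH messages is the client's
# source port, not the listening port, so we compare by time, not by port.
SSHD = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED = re.compile(r"^Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

def compare_log_spam(lines, cutover, year):
    """Summarize failed sshd logins before and after `cutover` (a datetime)."""
    stats = {s: {"failures": 0, "sources": set(), "days": set()}
             for s in ("before", "after")}
    for line in lines:
        m = SSHD.match(line)
        if not m:
            continue  # not an sshd line
        # Classic syslog timestamps carry no year, so the caller supplies it.
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        side = stats["before" if when < cutover else "after"]
        side["days"].add(when.date())  # days with any sshd activity
        f = FAILED.match(m["msg"])
        if f:
            side["failures"] += 1
            side["sources"].add(f["ip"])
    return {name: {"failures": s["failures"],
                   "distinct_sources": len(s["sources"]),
                   "per_day": s["failures"] / max(len(s["days"]), 1)}
            for name, s in stats.items()}

# Constructed sample log (documentation address ranges, made-up users).
SAMPLE = """\
Feb 10 03:12:44 host sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Feb 10 03:12:47 host sshd[811]: Failed password for root from 203.0.113.7 port 40113 ssh2
Feb 10 09:30:01 host sshd[902]: Accepted publickey for alice from 198.51.100.20 port 51022 ssh2
Feb 11 14:02:10 host sshd[977]: Failed password for invalid user test from 203.0.113.99 port 33871 ssh2
Feb 11 14:02:15 host sshd[979]: Failed password for invalid user oracle from 192.0.2.45 port 60210 ssh2
Feb 12 08:00:00 host sshd[1104]: Accepted publickey for alice from 198.51.100.20 port 51400 ssh2
Feb 13 22:41:09 host sshd[1290]: Failed password for root from 203.0.113.7 port 41877 ssh2
""".splitlines()

if __name__ == "__main__":
    # Assumed cutover: sshd moved to the new port at midnight on Feb 12, 2015.
    for name, s in compare_log_spam(SAMPLE, datetime(2015, 2, 12), 2015).items():
        print(name, s)
```

The per-day figure divides by days that show any sshd activity, so a completely silent day is not counted; on a real server, feed it the full auth log for equal-length windows on each side of the change.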