James B. Byrne wrote:
I am not a fan of security through obscurity.
You're diluting a useful phrase.
It originally referred to practices where obscurity was the _only_
source of security. As soon as you saw through the obscurity, there was
no security. Of course, this means that there was no real security to
begin with. Hiding telnet by changing its listening port would be
security through obscurity.
Changing ssh's service port is not at all the same thing. If you get
past this bit of obscurity, security remains. To employ another popular
phrase, it's defense in depth. The more walls you can throw up, the
less stress on the final wall that stops the attack.
If you don't like those arguments, the CPU usage difference should
matter to you. Your system can reject (or ignore) a connection to an
unused port with a lot less CPU power than it takes to reject a login
attempt, especially to a cryptographically protected service. And, the
post that started this says there's a 96% chance that the port rejection
runs the attacker off completely, whereas a password rejection just
invites another attempt. So, one TCP RST packet vs. several thousand
login attempts. Which would you rather allocate CPU resources for?
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
