• @[email protected]
      link
      fedilink
      01 year ago

      I see this claim all the time, and it bugs me every time. Obfuscation is a perfectly reasonable part of a defense in depth solution. That’s why you configure your error messages on production systems to give very generic error messages instead of the dev-centric messages with stack traces on lower environments, for example.

      The problem comes when obscurity is your only defense. It’s not a full remediation on its own, but it has a part in defense in depth.

      • @[email protected]
        link
        fedilink
        11 year ago

        Changing the port isn’t really much obfuscation though. It doesn’t take long to scan all ports for the entire IPv4 range (see masscan)

        • @[email protected]
          link
          fedilink
          01 year ago

          It helps against stupid automated attacks though.

          If someone has changed the port it’s likely that they have set up a great password or disabled password auth all together.

          It’s worth it for just having cleaner logs and fewer attempts.